"Apple Picking" - Violent Crimes on the Rise

Violent crime connected with the theft of cell phones and tablets has become an epidemic, since the manufacturers apparently do little to protect these devices once they are stolen. On May 10, 2013, New York Attorney General Eric T. Schneiderman sent letters to Apple, Google/Motorola, Microsoft, and Samsung “seeking information about their efforts to protect customers from the rise in violent street crimes known as Apple Picking.”

AG Schneiderman’s press release stated that a “recent study found that lost and stolen cell phones cost consumers over $30 billion last year” and went on to say that these vendors:

…have a responsibility to their customers to fulfill their promises to ensure safety and security. This is a multi-billion dollar industry that produces some of the most popular and technologically advanced consumer electronic products in the world. Surely we can work together to find solutions that lead to a reduction in violent street crime targeting consumers.

Here are some examples cited in the letter to Tim Cook, CEO of Apple:

  • On April 19, 2012, a 26-year-old chef at the Museum of Modern Art was killed for his iPhone on his way home to the Bronx.
  • In April 2012, twenty-year-old Alex Herald was stabbed during an iPhone theft.
  • In September 2012, in three separate incidents, women were violently attacked for Apple and Samsung devices.
  • In February 2013, three people were stabbed on a subway platform in Queens in a fight over an iPhone.
  • Earlier this month, a woman was mugged at gunpoint in Crown Heights for her Android device.

Hopefully this alarming information from New York will help focus public attention on improving the technology that protects cell phones and tablets when they are stolen. We all need to stay tuned.
 

Privacy Challenge for Proposed Wiretap Law

The FBI wants Congress to pass laws that would force Facebook, Google, and others to intercept online communications as they occur, and would penalize companies that do not comply. The Washington Post reported:

…concerns that it is unable to tap the Internet communications of terrorists and other criminals, the task force’s proposal would penalize companies that failed to heed wiretap orders — court authorizations for the government to intercept suspects’ communications.

Andrew Weissmann, the FBI’s general counsel, recently said:

We don’t have the ability to go to court and say, ‘We need a court order to effectuate the intercept.’ Other countries have that. Most people assume that’s what you’re getting when you go to a court.

The FBI’s proposal would supplement CALEA (the 1994 Communications Assistance for Law Enforcement Act), which became less effective in “2010, when Google began end-to-end encryption of its e-mail and text messages after its networks were hacked. Facebook followed suit. That made it more difficult for the FBI to intercept e-mail by serving a court order on the Internet service provider, whose pipes would carry the encrypted traffic.”

The proposed law should make clear that “CALEA extends to Internet phone calls conducted between two computer users without going through a central company server — what is sometimes called ‘peer-to-peer’ communication.” If passed in its current form, under the new law:

…a court could levy a series of escalating fines, starting at tens of thousands of dollars, on firms that fail to comply with wiretap orders, according to persons who spoke on the condition of anonymity to discuss internal deliberations. A company that does not comply with an order within a certain period would face an automatic judicial inquiry, which could lead to fines. After 90 days, fines that remain unpaid would double daily.

Leslie Harris, President of the Center for Democracy & Technology, opposes the proposed law:

What the FBI is proposing sounds benign, but it comes with such onerous penalties that it would force developers to seek pre-approval from the FBI. No one is going to want to face fines that double every day, so they will go to the FBI and work it out in advance, diverting resources, slowing innovation, and resulting in less secure products.

Clearly, laws from 20 years ago need to be updated to reflect how Internet communications work today, and it will be interesting to see the debate in Congress.
 

Apple Siri Keeps Data 2 Years!

Apple users' privacy may be at risk: Apple finally revealed to Wired that Siri data is kept for 2 years, even though that is not mentioned in Apple’s FAQs about Siri. In March 2012 the American Civil Liberties Union raised the issue of Siri privacy and claimed that the Apple Privacy Policy was unclear, but that Siri did collect “User Data” including the following:

  • The names of your address book contacts, their nicknames, and their relationship with you (for example, “my dad”, or “work”)
  • Your first name and nickname
  • Labels you assign to your email accounts (for example, “My Home Email”)
  • Names of songs and playlists in your collection

More than a year later, on April 19, 2013 an Apple spokesperson responded to Wired that Apple “may keep anonymized Siri data for up to two years,” but Apple:

…takes steps to ensure that the data is anonymized and only collects the Siri voice clips in order to improve Siri itself.
…If a user turns Siri off, both identifiers are deleted immediately along with any associated data.

Wired went on to explain:

Here’s what happens. Whenever you speak into Apple’s voice activated personal digital assistant, it ships it off to Apple’s data farm for analysis. Apple generates a random number to represent the user and it associates the voice files with that number. This number — not your Apple user ID or email address — represents you as far as Siri’s back-end voice analysis system is concerned.

Once the voice recording is six months old, Apple “disassociates” your user number from the clip, deleting the number from the voice file. But it keeps these disassociated files for up to 18 more months for testing and product improvement purposes.

Since the Apple Siri privacy policy is unclear about how Apple maintains and uses Siri data, this information about keeping data for 2 years is likely a surprise to everyone. Apple’s lack of candor about privacy should concern everyone given the scope of Apple’s products.
 

Internet Wills for Digital Afterlife Now Available on Google

A new feature on Google called Inactive Account Manager now allows Google users to select trusted contacts to receive data from many Google services. On April 11, 2013 Google posted a blog entry entitled “Plan your digital afterlife with Inactive Account Manager.” Amusingly enough, Google admits the title for the new service is “not a great name,” but the service does allow Google users to:

  • choose to have your data deleted — after three, six, nine or 12 months of inactivity.
  • select trusted contacts to receive data from some or all of the following services: +1s; Blogger; Contacts and Circles; Drive; Gmail; Google+ Profiles, Pages and Streams; Picasa Web Albums; Google Voice and YouTube.

However, before Google takes any action, Google will “first warn you by sending a text message to your cellphone and email to the secondary address you’ve provided.”

Facebook allows accounts to be memorialized, but does not allow loved ones to access the accounts.

Google’s new Inactive Account Manager appears to be unique; it was brought about because many families have been denied access to Internet and Social Media content after their loved ones died, since no such digital afterlife had been planned beforehand.

ABC News reported in February 2013 on a proposed bill in New Hampshire that “would allow control of someone's Facebook, Twitter, and other accounts such as Gmail to be passed to the executor of their estate after death.” ABC also reported that:

Five other states, including Oklahoma, Idaho, Rhode Island, Indiana and Connecticut, have established legislation regulating one's digital presence after death. Rhode Island and Connecticut were first, but their bills were limited in scope to email accounts, excluding social networking sites.

Surely we will see more new laws for Internet Wills and more such services for digital afterlife from other Internet and Social Media sites.
 

Disclosure of Secret Monies May Lead to Tax Problems

Secret offshore bank accounts and shell companies, with an estimated value of TRILLIONS of dollars, were disclosed in a data leak. The 2.5 million files were released by the International Consortium of Investigative Journalists (ICIJ), which is “an active global network of 160 reporters in more than 60 countries who collaborate on in-depth investigative stories.” The key findings from ICIJ were as follows:

  • Government officials and their families and associates in Azerbaijan, Russia, Canada, Pakistan, the Philippines, Thailand, Mongolia and other countries have embraced the use of covert companies and bank accounts.
  • The mega-rich use complex offshore structures to own mansions, yachts, art masterpieces and other assets, gaining tax advantages and anonymity not available to average people.
  • Many of the world’s top banks – including UBS, Clariden and Deutsche Bank – have aggressively worked to provide their customers with secrecy-cloaked companies in the British Virgin Islands and other offshore hideaways.
  • A well-paid industry of accountants, middlemen and other operatives has helped offshore patrons shroud their identities and business interests, providing shelter in many cases to money laundering or other misconduct.
  • Ponzi schemers and other large-scale fraudsters routinely use offshore havens to pull off their shell games and move their ill-gotten gains.

The NY Times reported that the data was:

...mainly from the British Virgin Islands, the Cook Islands and Singapore, disclose proprietary information about more than 120,000 offshore companies and trusts and nearly 130,000 individuals and agents, including the wealthiest people in more than 170 countries.

The secrecy of the ownership of these monies is not illegal in those countries, but now that this information has been leaked, it is possible that government tax authorities around the world may start investigations for tax fraud. Stay Tuned!
 

Privacy Update - EU Launches Enforcement Against Google

Google’s March 2012 Privacy Policy has never been well received in the EU, and after waiting for Google to change its Privacy Policy, the EU now plans to take action. The CNIL (Commission nationale de l’informatique et des libertés) announced on April 2, 2013 that 6 EU states have launched coordinated enforcement actions. These 6 EU states are France, Germany, Italy, the Netherlands, Spain, and the United Kingdom, but each EU state must pursue its own action and seek fines.

CNIL is the French data protection agency which “…is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardize human identity or breach human rights, privacy or individual or public liberties.”

In October 2012 the CNIL sent a letter which included this statement about Google’s response to the EU’s inquiry:

Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.

The letter included these three legal issues:

  • Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed.
  • Secondly, the investigation confirmed our concerns about the combination of data across services.
  • Finally, Google failed to provide retention periods for the personal data it processes.

However, in the April 2nd announcement the CNIL stated that “Google has not implemented any significant compliance measures.” It will be interesting to see the outcome and its impact on Google and privacy.

Law Enforcement Requests Report from Microsoft

Law enforcement agencies worldwide requested information regarding 137,424 Microsoft and Skype accounts in 2012, based on 75,378 requests for customer information. Microsoft’s General Counsel Brad Smith blogged that Microsoft’s first Law Enforcement Report includes customer requests for:

 Skype, Hotmail, Outlook.com, SkyDrive, Xbox LIVE, Microsoft Account, and Office 365.

In an effort at transparency, the Report disclosed that approximately 79.8% of requests to Microsoft resulted in the disclosure of only non-content information, and that Microsoft requires “…a valid subpoena or equivalent document before we will consider releasing non-content data…” Microsoft describes non-content data as:

…basic subscriber information, such as the e-mail address, name, location and IP address captured at the time of registration.

Otherwise, Microsoft reported that “only 2.1 percent, or 1,558 requests, resulted in the disclosure of customer content.” Microsoft defined customer content as:

…what our customers create, communicate, and store on or through our services such as the words in an e-mail exchanged between friends or business colleagues or the photographs and documents stored on SkyDrive or in other cloud offerings such as O365 and Azure. We require an order or warrant from law enforcement before we will consider disclosing content to law enforcement.

So it seems that the privacy laws are doing a lot to protect Internet users, and it will be interesting to see reports from other Internet companies regarding how they react to requests from law enforcement agencies.
 

No eMail Privacy at Harvard

Following the cheating scandal at Harvard which forced 70 students to leave, Harvard administrators apparently secretly searched the email accounts of resident deans to determine who leaked the cheating scandal. The New York Times reported:

Several Harvard faculty members speculated that the administration had felt free to search the e-mail accounts because it regarded the resident deans as regular employees, not faculty members; Harvard’s policies on electronic privacy give more protection to faculty members.

The New York Times report included these comments from Law Professor Charles Ogletree:

I was shocked and dismayed,...I hope that it means the faculty will now have something to say about the fact that these things like this can happen. 
 

In Quon v City of Ontario the US Supreme Court ruled 9-0 that an employee who uses a company-issued device should not expect any privacy under the Constitution. Also, an employee should not expect privacy when using their employer's email system in the US, so why should Harvard employees expect privacy with their email?

New York Police Can Use GPS Devices

A New York State Judge recently ruled that a cell phone user has no reasonable expectation of privacy and that the 4th Amendment right of privacy was not violated by the police’s pinging the GPS device in the defendant’s cell phone. Judge John L. DeMarco’s decision and order in the case of The People of the State of New York v. Devonte Moorer included the following:

People are not so oblivious that they are not aware that cell phones purchased today come with GPS technology which can pinpoint the location of the phone at any given time so long as it is turned on and the GPS technology has not been deactivated or disabled,…That technology also enables a person to be mobile and have constant access to and use of his cell phone.

The New York Law Journal reported that “the case involved the fatal stabbing of Calvin Reid in Rochester on June 26, 2011, and authorities' efforts to track down suspect Devonte Moorer and collect evidence linking him to the slaying. Reid's fatal stabbing on a Rochester street corner was also captured on a security camera.”

Given the use of cell phones and tablets with GPS devices, surely we will see more court rulings like Judge DeMarco's, and it will be interesting to see what, if any, appellate rulings interpret this case.
 

How will the FTC Deal with the Internet with a New Chief?

FTC Chair Jon Leibowitz is resigning after 4 years during which he “pushed for online privacy protections and sought to restrain unfair competition,” but as the New York Times reported he “stumbled in an attempt to rein in the Internet search practices of Google”:

Competitors, advertisers and some consumer advocates had complained that Google manipulated the results of its Internet searches to give top priority to results that featured companies in which it held an interest, while punishing those that were a competitive threat.

The Washington Post speculates that the new Chair could be one of the “other Democrats on the commission, Julie Brill and Edith Ramirez,” but the Chair's departure:

...will create at least a temporary partisan split, with two Democrats, two Republicans and one seat empty until President Obama can gain confirmation for a nominee. Such 2-2 divides on the five-member commission are not uncommon during transitions, but they can make it difficult to chart a forceful path for the FTC.

No one knows about the future of the FTC, but given its role in managing privacy on the Internet in the US, it will be interesting to see who is selected, and also to watch the confirmation process to see what the Senate is concerned about.
 

Children's Use of Apps - Alarming News About Privacy

The FTC reported that 80% of apps used by children contained the ability to access the Internet (compared to 62% in 2011) and 13% had the ability to access user geo-location (compared to 10.5% in 2011). The New York Times reported:

Several hundred of the most popular educational and gaming mobile apps for children fail to give parents basic explanations about what kinds of personal information the apps collect from children, who can see that data and what they use it for…

The FTC’s 2012 Report, entitled Mobile Apps for Kids: Disclosures Still Not Making the Grade, is a follow-up to a similar report in 2011 and concludes by calling “on everyone involved in the mobile app marketplace – app stores, app developers, and third-parties that interact with the apps – to follow the three key principles laid out in the FTC’s Privacy Report:”

(1) adopting a “privacy-by-design” approach to minimize risks to personal information;

(2) providing consumers with simpler and more streamlined choices about relevant data practices; and,

(3) providing consumers with greater transparency about how data is collected, used, and shared.

Of greatest relevance to the findings in this report, industry participants must work together to develop accurate disclosures regarding what data is collected through kids’ apps, how it will be used, who it will be shared with, and whether the apps contain interactive features such as advertising, the ability to make in-app purchases, and links to social media.

This information about the invasion of children’s privacy with apps is alarming, and clearly this needs to be better regulated by our government.
 

Scandal Over Anonymous Postings by Prosecutors

The Washington Post reported that during a federal investigation regarding a landfill owner, two federal prosecutors apparently used aliases to post anonymous comments. Fred Heebe (the landfill owner under investigation) filed a defamation lawsuit based on the anonymous postings and hired a former FBI agent to find the posters. The former FBI agent James R. Fitzgerald (who helped find the Unabomber in 1996) analyzed 598 anonymous postings. The trail of postings led to former US attorney Sal Perricone. The Washington Post went on to say:

Perricone admitted posting the derogatory information and making similar attacks on attorneys, defendants, police officials and judges. He resigned and remains under investigation by the Justice Department.

Heebe filed a second lawsuit against another prosecutor, Jan Mann:

The suit accused her of anonymously posting disparaging comments about Heebe on the Times-Picayune Web site, in some cases coordinating her comments with Perricone’s.

As a result of these revelations, after 11 years as the chief prosecutor, Jim Letten resigned as the US attorney for the Eastern District of Louisiana in New Orleans.

It’s hard to imagine that prosecutors would anonymously post critical comments about individuals under investigation, but given the facts we may now see revelations about other such anonymous postings by prosecutors in other jurisdictions.
 

Rule #1: Never Put Anything in an eMail (or Text) You Would Not Want a Jury to See

Headlines abound with scandals which have started with innocent, or not, emails and texts between people that ruin careers and destroy businesses. Every lawsuit has emails that amaze jurors, including the recent Apple jury verdict against Samsung where the jury considered “…emails that went back and forth from Samsung execs about the Apple features that they should incorporate into their devices…”

To learn more about privacy of emails you may want to read my eCommerce Times monthly column entitled “If You Believe Your Internet Content and Webmail are Private, Read This...”

Email and texts will continue to be problems since most people say things in emails and texts that they would never say face to face or put in writing on paper.
 

EU Claims Google Violates Privacy Laws

The 27 heads of European data agencies complained that Google failed to respond adequately to charges that Google’s new Privacy Policy, effective on March 1, 2012, violated the EU privacy laws, which are referred to as the 1995 Data Directive – “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”

The October 16, 2012 letter from the Article 29 Data Protection Working Party included this statement about Google’s response to the EU’s inquiry:

Google’s answers have not demonstrated that your company endorses the key data protection principles of purpose limitation, data quality, data minimization, proportionality and right to object. Indeed, the Privacy policy suggests the absence of any limit concerning the scope of the collection and the potential uses of the personal data.

The letter included these three legal issues:

  • Firstly, the investigation showed that Google provides insufficient information to its users (including passive users), especially on the purposes and the categories of data being processed.
  • Secondly, the investigation confirmed our concerns about the combination of data across services.
  • Finally, Google failed to provide retention periods for the personal data it processes.

Since Netmarketshare reported in September 2012 that Google accounts for about 85% of all searches worldwide, the impact of potential fines for privacy violations by the EU, based on its revenue, may be significant. In addition to possible fines, Google may be subject to criminal charges for violating EU privacy laws.

What do you think about Google’s position regarding its new privacy policies?
 

Privacy Update - Cell Users Don't Install Apps and Turn Off GPS

Pew Research reported that cell users are very concerned about their privacy, including the fact that about one third reported that their cells have been lost or stolen, which obviously increases awareness of loss of privacy. Since Pew reported earlier this year that 88% of US adults have cell devices, this updated report on cell privacy helps explain how users are acting to protect themselves.

The September 2012 Pew report includes these important findings:

  • 54% of app users have decided to not install a cell phone app when they discovered how much personal information they would need to share in order to use it
  • 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share

The Pew report also included these details regarding the steps that cell users take to protect their privacy:

  • 41% of cell owners back up the photos, contacts, and other files on their phone so they have a copy in case their phone is ever broken or lost
  • 32% of cell owners have cleared the browsing history or search history on their phone
  • 19% of cell owners have turned off the location tracking feature on their cell phone because they were concerned that other individuals or companies could access that information

Given all of the concerns around BYOD (Bring Your Own Device), this Pew report should help companies be more informed about cell usage.
 

Millions of Apple Device IDs Published - FBI Security Breached?

Computerworld reported that a hacker group published what it “claims is about 1 million unique device identifier numbers (UDIDs) for Apple devices that it said it accessed earlier this year from a computer belonging to an FBI agent.” The report went on to explain that “Apple's UDIDs are a set of alphanumeric characters used to uniquely identify an iPhone or iPad. The numbers are designed to let application developers track how many users have downloaded their application and to gather other information for data analytics.”

A member of AntiSec, a splinter of the Anonymous hacking collective, claims it culled more than 12 million UDIDs and personal data from the FBI, and published 1 million to prove its work. A consultant at Sophos said there is no way of knowing yet whether the hackers are telling the truth. "We don't have any way of confirming the source of the data, or what else might have been taken, but it does appear that the files do contain at least some genuine Apple UDIDs."

The FBI has no comment on this report. But if this report is true, the big question is - why does the FBI have millions of Apple UDIDs?
 

Twitter Challenges Court Orders

In a case of first impression, Twitter is challenging a New York Criminal Court’s order to produce information through a subpoena, without first obtaining a warrant, asserting a violation of the defendant’s rights under the First and Fourth Amendments of the Constitution. In the case of People v Harris, Malcolm Harris is being prosecuted for disorderly conduct in connection with the Occupy Wall Street protest in October 2011.

To learn more about the case please review Stephen Vogel’s IP, Media, Etc blog posted earlier this month entitled “Case Over Tweets Scores Twitter a Win and Positive Press.”

The American Civil Liberties Union and the Electronic Frontier Foundation filed an Amicus brief in support of Twitter, which is appealing the April 20 and June 30, 2012 rulings ordering production of the following for Mr. Harris’ account “@destructuremal”:

his personal email address and also the content of all tweets, the date, time and the IP address that corresponds to each time he used Twitter over a three-and-a-half month period, and the duration of each of Harris’ Twitter sessions.

Protection for Social Media usage under the Constitution remains an interesting challenge, and how this case plays out may have a significant impact for Social Media for years to come.
 

88% of American Adults Have Cell Phones - Easy Access to GPS Data?

GPS location data on cell phones accounts for virtually every adult in the US, based on Pew Research’s recent report that an astonishing 88% of US adults have cell phones. Whether a search warrant will be required for GPS data appears to be changing very quickly.

With the support of the American Civil Liberties Union and the Electronic Frontier Foundation, on August 22, 2012 the California legislature passed the Location Privacy Act which includes these provisions:

  • no government entity shall obtain the location information of an electronic device without a warrant issued by an officer of the court.
  • guards against abuses of long-term monitoring of an electronic device by limiting search warrants for location information to a timeframe no longer than is necessary, and not to exceed 30 days.

It is interesting how quickly California passed this new bill, given that the ruling that no warrant was required for DEA tracking of a drug suspect's GPS data was issued only 8 days earlier, in US v. Skinner on August 14, 2012!
 

Is Privacy at Risk with Mobile Purchases?

Privacy is not mentioned in the recent announcements by many large retailers for use of mobile apps for credit and debit card purchases. However, consumers’ GPS data linked to mobile devices will likely lead to less privacy.

In early August 2012 the New York Times reported that Starbucks has teamed up with the mobile payment startup Square and will begin processing credit and debit card transactions this fall.

Shortly after Starbucks’ announcement, the Merchant Customer Exchange (MCX) was created to offer “consumers a customer-focused, versatile and seamlessly integrated mobile-commerce platform” and the “application will be available through virtually any smartphone.”

This is a major announcement by retailers in the US, since MCX started with these major retail companies:

7-Eleven, Inc.; Alon Brands; Best Buy Co., Inc.; CVS/pharmacy; Darden Restaurants; HMSHost; Hy-Vee, Inc.; Lowe's; Michaels Stores, Inc.; Publix Super Markets, Inc.; Sears Holdings; Shell Oil Products US; Sunoco, Inc.; Target Corp. and Wal-Mart Stores, Inc.

Although mobile purchases may be appealing to many consumers, surely the loss of personal privacy increases. Just consider the recent court ruling upholding warrantless tracking of cell GPS data. It is likely that consumers making mobile purchases will learn the hard way that they have no privacy!
 

Warrantless Tracking of Cell GPS Upheld

No warrant was required to track a drug dealer's GPS locations from cell phones since the defendant “did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location.” On August 14, 2012 Justice John Rogers of the US 6th Circuit Court of Appeals upheld a conviction in US v Skinner based on GPS location data that the DEA used to follow Skinner who drove around the US in a motorhome filled with over 1,100 pounds of marijuana:

When criminals use modern technological devices to carry out criminal acts and to reduce the possibility of detection, they can hardly complain when the police take advantage of the inherent characteristics of those very devices to catch them.

The Skinner case is different than the US v. Jones case decided earlier this year where the US Supreme Court ruled 9-0 that a GPS tracking device could not be attached to a suspect’s vehicle without a warrant.

Surely we will see more cases, whether criminal or civil, where cell GPS data is used.
 

New Privacy Concerns? Gmail Integrates with Google Search

Google announced a pilot test which allows Google to provide Gmail results in normal search queries, including this example: "So if you’re planning a biking trip to Tahoe, you might see relevant emails from friends about the best bike trails, or great places to eat on the right hand side of the results page."

The Washington Post reported:

…the feature would cull information from users’ inboxes for relevant queries. A search for “my flights,” for example, would pull flight confirmation e-mails and match that information against Google’s existing flight tracking search feature. Searches related to other things, such as plans for the weekend, would also showcase e-mails related to that subject on the right-hand column of Google’s search results.

One need only review Google’s Privacy Policy to see that Gmail users have little privacy; however, few users ever bother. This integration of Gmail and Google Search may force users to rethink what level of privacy they really have.
 

Cloud Data Storage - How Safe?

Daily news headlines regularly report lax, or no, security for cloud data. In the past few weeks two very high profile businesses reported cloud breaches – Apple’s iCloud and Dropbox. It is no coincidence that my August column for eCommerce Times is entitled “The Cloud Privacy Illusion,” which of course I welcome you to review.

The Washington Post reported the Apple iCloud breach of security occurred when “the attacker was able to call Apple and convince a customer service employee that he was” the owner of the account.

The breach of Dropbox’s system was more sophisticated, but not much. gigaom.com reported:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. …  A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.

Businesses need to be mindful of cloud data protection, as highlighted by the myriad of laws that make access to cloud data so easy, and as Apple and Dropbox have learned the hard way.
 

Oops - Google Found Street View Wifi Data

Google confessed to U.K. officials that it still has unprotected Street View wifi data collected before 2010, in spite of claims that such data had been destroyed. On July 27, 2012 Peter Fleischer (Google's global privacy counsel) sent a letter to Steve Eckersley (head of enforcement) at the Information Commissioner's Office (ICO) and admitted the following:

Google has recently confirmed that it still has in its possession a small portion of payload data collected by our Street View vehicles in the U.K. Google apologizes for the error.

In conducting that review, we have determined that we continue to have payload data from the U.K. and other countries. We are in the process of notifying the relevant authorities in those countries.

In response Mr. Eckersley wrote back that Google should never have collected the unprotected wifi data to begin with.

PC Magazine reported that those other countries are U.K., Ireland, France, Belgium, the Netherlands, Norway, Sweden, Finland, Switzerland, Austria, and Australia.

As a result of Google's admission to the ICO, the French counterpart to the ICO, C.N.I.L., has now demanded that Google report about the Street View wifi data. The New York Times reported that:

The C.N.I.L. fined the company €100,000, or $120,000, in March 2011 for collecting private e-mail messages, computer passwords and other personal data as its cars took pictures for Google’s Street View feature, a case that prompted privacy investigations around the world.

Clearly collection of unprotected wifi data has become a serious mess for Google, and it appears that this episode is far from over.

Do Drivers Really Want to Give GPS Data to Auto Insurers?

All drivers want to save money on auto insurance; however, the cost of personal privacy may be at stake with these new discount programs. A recent report in the Wall Street Journal described how State Farm and Progressive now offer discounts to drivers who allow access to on-board devices, some of which include GPS data from General Motors' OnStar and Ford's telematics.

To learn more details about privacy you may be interested to read my July eCommerce Times article entitled “The High Privacy Price of Auto Insurance Monitoring Discounts.”

Many people do not realize how freely they give up their personal privacy, and perhaps this new use of auto data will be a wake-up call!
 

Privacy at Stake? 1.3 Million Inquiries in 2011 for Cell Subscriber Information

Law enforcement agencies got text messages and caller location (GPS data) 1.3 million times in 2011, according to the first public report of such information. The New York Times reported that a request from the US Congress led to this public disclosure, and that:

AT&T alone now responds to an average of more than 700 requests a day, with about 230 of them regarded as emergencies that do not require the normal court orders and subpoena. That is roughly triple the number it fielded in 2007, the company said.

The New York Times article went on to say that search warrants are not always obtained:

Under federal law, the carriers said they generally required a search warrant, a court order or a formal subpoena to release information about a subscriber. But in cases that law enforcement officials deem an emergency, a less formal request is often enough. Moreover, rapid technological changes in cellphones have blurred the lines on what is legally required to get data — particularly the use of GPS systems to identify the location of phones.

An important message about the cell data is that we will likely see more challenges to personal privacy in civil litigation over the use of text messages and GPS location, even though based on this report to Congress, criminal prosecutors are using text messages and GPS location quite freely.
 

Reality Check - Governments Have Easy Access to Data on the Cloud

Laws around the world allow governments free access to data on the Cloud which may come as a surprise to many, but Mutual Legal Assistance Treaties (MLATs) facilitate cooperation across international boundaries. On May 23, 2012 Hogan Lovells published a White Paper entitled “A Global Reality: Government Access to Data in the Cloud” which includes this summary of conclusions:

On the fundamental question of governmental access to data in the Cloud, we conclude, based on the research underlying this White Paper, that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities. Government’s ability to access data in the Cloud extends across borders. And it is incorrect to assume that the United States government’s access to data in the Cloud is greater than that of other advanced economies.

The White Paper makes this observation about the US Patriot Act, which many think is pretty tough:

…our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data. As one observer put it, France's anti-terrorism laws make the Patriot Act look "namby-pamby" by comparison.

The analysis of the MLATs in the White Paper continues with details about the following countries: US, Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, and the United Kingdom.

More businesses should be aware of these privacy laws to avoid false expectations about privacy on the Cloud!
 

Spokeo Fined $800,000 for Violation of FTC Privacy Laws

The NY Times reported that Spokeo was “compiling and selling people’s personal information for use by potential employers in screening job applicants.” For the first time ever, the Federal Trade Commission (FTC) charged and assessed a fine for use of personal Internet data in violation of the Fair Credit Reporting Act. Spokeo confessed that it violated federal laws by “furnishing a consumer report to any person who does not have permissible purpose to receive the consumer report…” 

Between 2008 and 2010 Spokeo sold “coherent people profiles” that could include:

  • an individual’s address,
  • phone number,
  • marital status,
  • approximate age,
  • e-mail address,
  • hobbies,
  • ethnicity,
  • religion,
  • participation on social media sites,
  • photos,
  • and other information.

Spokeo founder and President Harrison Tang admitted the FTC charges and signed the Consent Order with the FTC.

This fine and confession by Spokeo are significant, as they indicate that social media sites must comply with federal privacy laws and that the FTC is being vigilant to protect consumers.

Privacy Law Speech at Virtual LEGALTECH

Please join me at 1pm CDT on June 14, 2012 for my online speech entitled “Privacy – Social Media, Internet & BYOD” which is FREE (including ethics credit!); all you have to do is register at Virtual LEGALTECH (please use "Privacy614" as your code when you register). Here's the description of my speech:

The Internet has transformed the practice of law, but few lawyers understand how privacy laws impact them and their clients. This presentation will highlight specific ethical considerations for the practice of law regarding attorney-client privilege. All clients and lawyers rely on Social Media as a means of sharing information and communicating, but with little consideration of the privacy laws. Today’s label to describe employees' use of their personal cell phones, tablets, and laptops is BYOD (Bring Your Own Device). Since employees conduct company business on these personal devices with little concern for legal implications, BYOD is fraught with a myriad of complex legal issues, including attorney-client privilege.

The daylong program sponsored by ALM includes speeches on eDiscovery and a panel of IT leaders, so I encourage you to watch other speeches of interest. Actually this Virtual LEGALTECH will be online for the next year, so please listen in at your convenience.

My Virtual LEGALTECH presentation includes 236 PowerPoint slides during the 1 hour speech. This may seem like a lot of PowerPoint slides, but I set the “world land speed record” when I used 250 slides for my webcast for the TexasBarCLE (State Bar of Texas), which was recorded in April 2012 and entitled “Internet & Social Media Privacy Law.”

Needless to say I use PowerPoint in a most unique manner while trying to be bullet free!
 

Myspace Confesses Failure to Abide by Privacy Laws

Myspace agreed to 20 years of US government oversight of privacy, just like Facebook did in 2011 and Google did in 2010. On May 8, 2012 the Federal Trade Commission (FTC) released a statement about its settlement with Myspace disclosing the following misrepresentations, which were violations of federal privacy laws:

  • Myspace provided advertisers with the Friend ID of users who were viewing particular pages on the site.
  • Advertisers could use the Friend ID to locate a user's Myspace profile to obtain personal information publicly available on the profile and, in most instances, the user's full name.
  • Advertisers also could combine the user's real name and other personal information with additional information to link broader web-browsing activity to a specific individual.
  • Myspace certified that it complied with the U.S.-EU Safe Harbor Framework…, including the requirements that consumers be given notice of how their information will be used and the choice to opt out.

As part of the settlement Myspace agreed “… to implement a comprehensive privacy program, and …regular, independent privacy assessments for the next 20 years.” The FTC solicits public comments:

The agreement will be subject to public comment for 30 days, … through June 8, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments can be filed electronically at this link. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

Myspace’s confession is not a big surprise given that Facebook and Google entered into similar agreements in the past 2 years.

Google Did Not Violate US Law When Collecting Wifi Data

Google was fined $25,000 for not cooperating with an investigation regarding Google’s collection of unencrypted wifi data when taking Street View pictures from 2006-10, but the Federal Communications Commission (FCC) reported that Google did not violate any US laws. The FCC’s Report included this conclusion regarding alleged violations of Section 705(a) of the federal Wiretap Act:

…the Bureau has found no evidence that Google accessed or did anything with such encrypted communications….we do not find sufficient evidence that Google has violated Section 705(a).

When Google’s wifi data collection became news in 2010, Google confessed that the wifi information collected was:

WiFi networks broadcast information that identifies the network and how that network operates. That includes SSID data (i.e. the network name) and MAC address (a unique number given to a device like a WiFi router). Networks also send information to other computers that are using the network, called payload data, but Google does not collect or store payload data.

Since 2010 there has been much controversy about Google’s wifi collection, but the FCC’s vindication does not overcome Google’s alleged violation of EU laws.

I find the Street View feature of Google Maps one of the greatest Internet services available since it allows anyone to see the world up close and personal. This is how Google describes Street View:

Google Maps with Street View lets you explore places around the world through 360-degree street-level imagery. You can explore world landmarks, view natural wonders, navigate a trip, go inside restaurants and small businesses.

It is interesting that Google created such a firestorm about collecting unencrypted wifi data while taking pictures which helped transform information on the Internet.

Privacy Controversy about Cyber Intelligence Sharing and Protection Act (CISPA)

CISPA would permit “Internet companies such as Google and Facebook to collect and share a wide range of user data with the government” as reported by Computerworld. Now the White House is raising concerns about CISPA. Caitlin Hayden (spokeswoman for the White House's National Security Council) in an interview with the Hill said:

The nation's critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone… information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens…

Computerworld reported:

…there's nothing in the language of the bill that would prohibit companies from monitoring private email messages, chat messages and Facebook postings simply by claiming a cybersecurity purpose to the monitoring. They can then share that information with any other entity, including the Department of Homeland Security and the National Security Agency, without judicial oversight. The bill affords Internet companies a great deal of immunity for conducting such information monitoring and sharing.

Clearly we all need to stay tuned to what Congress does with the proposed CISPA legislation. What do you think?
 

Job Interview Requests for Facebook Passwords, a Violation of Federal Law?

After headlines about job applicants being required to provide Facebook passwords, two Senators requested an investigation of violations of federal laws. US Senators Chuck Schumer (New York) and Richard Blumenthal (Connecticut) issued a press release requesting that the US Equal Employment Opportunity Commission and Department of Justice:

…launch a federal investigation into a new disturbing trend of employers demanding job applicants turn over their user names and passwords for social networking and email websites to gain access to personal information like private photos, email messages, and biographical data that is otherwise deemed private.

The Senators specifically asked the Attorney General to determine if job interviewers’ requests for the Facebook passwords of interviewees violate the Stored Communications Act or the Computer Fraud and Abuse Act.

At the same time Facebook claims that such disclosures “violate Facebook’s Statement of Rights and Responsibilities to share or solicit a Facebook password.” Facebook went on to say:

We don’t think employers should be asking prospective employees to provide their passwords because we don’t think it’s the right thing to do. But it also may cause problems for the employers that they are not anticipating. For example, if an employer sees on Facebook that someone is a member of a protected group (e.g. over a certain age, etc.) that employer may open themselves up to claims of discrimination if they don’t hire that person.

Clearly we will see more about disclosure of Social Media passwords. What do you think?
 

Should Anyone Expect Privacy on Google?

Since 92% of adults use search engines every day, they share volumes of information with Google, which dominates searching with 66.4% in the US and 80% in the EU. No one was surprised when Pew Research reported that 92% of adults search daily, but what Google does with our personal information changed on March 1, 2012 when Google simplified its Privacy Policy.

To learn more about challenges to Google’s new Privacy Policies, I encourage you to read my column in eCommerce Times entitled “Google's New Privacy Policy vs. the World.” 

Let me know what you think about your privacy when you use Google!
 

Invasion of Privacy? - Federal Government Secretly Monitored Personal Webmail

A group of nine scientists and doctors recently sued the US government claiming that their personal Gmail accounts were under federal surveillance which led to harassment or dismissal for Food & Drug Administration (FDA) employees who were whistleblowers. The Washington Post reported that the FDA:

…secretly monitored the personal e-mail of a group of its own scientists and doctors after they warned Congress that the agency was approving medical devices that they believed posed unacceptable risks to patients.

However apparently the FDA told employees that they should not expect privacy: 

FDA computers post a warning, visible when users log on, that they should have “no reasonable expectation of privacy” in any data passing through or stored on the system, and that the government may intercept any such data at any time for any lawful government purpose.

Notwithstanding the FDA warnings about no privacy, the FDA whistleblowers admitted that they accessed their Gmail accounts from government computers. Under the 2009 ruling from the US Supreme Court, employees using an employer’s computers are not entitled to privacy under the Constitution (City of Ontario v. Quon). However, the FDA whistleblowers claim that the FDA should not be able to monitor emails not sent or received using government computers.

On March 5, 2012 Senator Charles Grassley (Committee on the Judiciary) and Representative Darrell Issa (Chair of the Committee on Oversight and Government Reform) sent a letter to the Office of Management and Budget demanding an explanation to Congress why the FDA “secretly monitored personal email accounts of …the FDA nine.” Further, the letter states that:

…FDA may have intercepted passwords to the personal e-mail accounts of its employees for the purpose of logging in to search for archived messages to and from Congress and OSC [Office of Special Counsel – where whistleblower complaints are filed]. In the absence of a subpoena, such an activity would violate the Stored Communications Act.

This will be an interesting lawsuit to follow since it not only challenges the City of Ontario case about employee privacy, but also raises whether the FDA violated the Stored Communications Act.

Google's New Privacy Policies Break EU Laws

 Although Google claims its new Privacy Policy helps simplify privacy, the EU claims otherwise and specifically that the new Privacy Policy “makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service.”  

The EU gave the lead to investigate Google’s new Privacy Policy to the French Commission nationale de l’informatique et des libertés (CNIL). CNIL states that it “is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardize human identity or breach human rights, privacy or individual or public liberties.”  

On February 27, 2012 CNIL sent a letter to Google CEO Larry Page (which was a follow-up to a February 3rd letter) complaining that Google failed to properly consult EU authorities about the new Google Privacy Policies and that the:

…preliminary analysis shows that Google’s new policy does not meet the requirements of the European Directive of Data Protection (95/46/CE), especially regarding information provided to data subject.  

The CNIL highlighted the significance of Google’s penetration in the EU with the following statistics about Google’s usage: 

-more than 80% of the European search engine market,
-around 30% of the European smartphones market,
-40% of the global online video market and
-more than 40% of the global online advertisement market

Apparently Google has chosen to ignore the EU’s warnings and surely we will see more headlines soon.

Internet Privacy Bill of Rights

Privacy is a hot topic for users of Facebook, Google, and other Social Media sites, so the White House has proposed the following Bill of Rights for legislative consideration:

1. INDIVIDUAL CONTROL: Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

2. TRANSPARENCY: Consumers have a right to easily understandable and accessible information about privacy and security practices.

3. RESPECT FOR CONTEXT: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

4. SECURITY: Consumers have a right to secure and responsible handling of personal data.

5. ACCESS AND ACCURACY: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

6. FOCUSED COLLECTION: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

7. ACCOUNTABILITY: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

In 2011 more adult Social Media users were proactive in protecting their privacy by deleting people as friends, deleting comments from their profiles, and removing their names from photos tagged to identify them, as reported in a recent Pew Research Report entitled “Privacy management on social media.”

Internet Privacy will continue to be of great interest and concern, but since this is an election year it’s difficult to know how the proposed Bill of Rights will fare in the political arena.
 

Invasion of Privacy - Path App Controversy

Path confessed that it took users’ address book data without permission when the app loaded and admits it “made a mistake.”  Path's app runs on the iPhone and Android and according to Path's Story:

Path dreamed up and realized the Smart Journal–a journal that’s with you everywhere you go, posts entries without your effort, combines photo, video, music, people, places, and text, and most importantly, includes your loved ones.

As part of its confession Path declared that it deleted all data it illicitly collected. On Path’s About page it claims that its app accounts for “two million people sharing life with close friend and family over the world.” Ironically, Path makes the following statement under “What is Path’s Privacy Policy?”:

At Path, we respect and value our users' right to privacy. We want you to feel safe and secure as you share your life with the people you love.

In spite of Path’s confession that it took users’ address books without permission, if you take the time to review Path’s Privacy Policy, it does not say that Path takes users' address book data, but rather states:

We actively collect certain information you voluntarily provide to us, such as when you create an account and profile, send us an email or post information or other content to our site.

No surprise that Path's Terms of Use make no mention of collecting users' address book data.

Actually it’s easy for apps to collect personal information since so few individuals bother to read Terms of Service or Privacy Policies where users might learn how their personal data is used.

Surely Path’s story is not unique and other apps collect information without disclosing their business practices to users. So stay tuned for more government regulation.

Motion Filed to Stop Google's New Terms of Service (ToS) and Privacy Policies

The Electronic Privacy Information Center (EPIC) filed a Motion to enjoin Google from implementing new ToS and Privacy Policies on March 1, 2012. On February 8, 2012 EPIC filed a Motion for Temporary relief against the Federal Trade Commission (FTC) to enforce Google’s March 2011 Agreement Containing Consent Order which included the FTC's oversight on Google’s Privacy Policies for 20 years. EPIC’s Motion comes on the heels of the EU’s request that Google slow down the implementation of the new ToS and Privacy Policies.

EPIC's Motion claims that Google's new ToS and Privacy Policies violate the FTC Consent Order and includes the following claims:

Users will no longer be able to keep personal information they provide to use the Google email service for simply that service; Google will be able to combine the user information provided for email with other Google services, including the Google social network service.

Based on the March 1, 2012 date for the new Google ToS and Privacy Policies, EPIC reported that the court accelerated the briefing schedule so that the FTC must respond on February 17, 2012 and EPIC must file its reply by February 21, 2012.

As a result of this fast track for EPIC’s Motion it is likely we will have a ruling by the court before March 1, 2012.
 

More Legal Issues about Privacy (and GPS)

Privacy continues to be hot news, just look at Facebook’s S-1 disclosures in its Initial Public Offering (IPO) which among a myriad of “Risk Factors” includes this statement about privacy laws:

Our business is subject to complex and evolving U.S. and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could harm our business;

As well, Facebook confessed there is risk for their IPO regarding the privacy of the 845 million users with this statement:

…there are changes in user sentiment about the quality or usefulness of our products or concerns related to PRIVACY and sharing, safety, security, or other factors.

For more discussion about privacy issues, please read my recent eCommerce Times column entitled “GPS, Privacy and the Supreme Court” which expands my blog about the 9-0 ruling from the Supreme Court in Jones v. US.

Privacy issues will continue to be in the headlines, so stay tuned for more blogs.
 

EU to Google - Not so Fast with the new Privacy Policies!

EU officials announced that the new Google Privacy Policies may not ensure compliance with EU laws and asked Google to halt these changes pending an investigation of the implications of personal data protection. Google’s new Privacy Policies are scheduled to go into effect on March 1, 2012 and the New York Times reported that EU authorities wrote to Larry Page (Google CEO) to “call for a pause in the interests of ensuring that there can be no misunderstanding about Google’s commitments to information rights of their users and E.U. citizens.”

In the Meantime – EU Proposes Changes to its 1995 Privacy Law

The current Privacy law went into effect in 1995 and the origins of the law began in 1989 because of social concerns about privacy on mainframes, long before Social Media took off with Facebook, Google, Wikipedia, and the rest. So as you may imagine, in 1989, let alone 1995, there was no way the EU could have foreseen the evolution of the Internet and Social Media.

My good friend Erika Morphy recently reported for eCommerce Times that “Europe appears poised to enact strict new privacy regulations geared to protect consumer data, but the debate is far from over. Representatives of businesses, particularly e-commerce companies, are descending on Brussels to plead their case.”

In particular Facebook and other Social Media sites are concerned about the EU’s new plans for privacy that restrict Internet sites more strictly than ever before and require the Internet business to assume more responsibilities for protecting individuals. The new EU law includes a new concept referred to as “right to be forgotten” which would surely impact the large Social Media sites.

So was Google trying to change its Privacy Policies before the EU modified its 1995 Privacy laws? What do you think?
 

Supreme Court Rules 9-0 to Protect GPS Data

Obtaining GPS data about an alleged drug dealer’s location from a GPS device attached to his car without a warrant violated the defendant’s Fourth Amendment guarantee of privacy. In US v. Jones the US Supreme Court ruled 9-0 that prosecutors could not use the ill-gotten GPS data. However, the Court, in its opinion, included a broader reference to GPS data from wireless devices:

… cell phones and other wireless devices now permit wireless carriers to track and record the location of users—and as of June 2011, it has been reported, there were more than 322 million wireless devices in use in the United States.

So even though the Court ruled against using location data obtained without a warrant in a criminal case, it also effectively acknowledged that wireless GPS data may be the next area of privacy concern. 

However when parties voluntarily provide information to Internet sites, their expectation of privacy is different. As Justice Sotomayor stated:

People disclose the phone numbers that they dial or text to their cellular providers, the URLS that they visit and the e-mail addresses with which they correspond to their Internet service providers, and the books, groceries and medications they purchase to online retailers . . . I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year.

So the Supreme Court likely has more to say about privacy protection as it relates to GPS and Internet data.
 

VIDEO - Privacy Policies: What You Don't Know Can Hurt You

My video interview about business risks concerning Internet Privacy Policies is very timely since Google just announced a radical change in its Privacy Policies. You are welcome to view the video interview “Privacy Policies: What You Don't Know Can Hurt You” thanks to my friends at Financial Management Network (& parent SmartPros Ltd.).

Of course Privacy Policies is a common topic for me as my October 2011 monthly Technology Law column at eCommerce Times was entitled “Shore Up Your Privacy Policy Before Disaster Strikes” and included discussion about:

  • What Type of Information Do Privacy Policies Protect? - Personally Identifiable Information (PII)
  • Website Privacy Regulation – US (FTC), EU, Canada, and Japan
  • What Should Your Privacy Policy Contain? - consider your visitors' expectations
  • Aggregate Data - DoubleClick
  • Consider Subscribing to Privacy Standards – TRUSTe, Better Business Bureau, Online Privacy Alliance, and CPA WebTrust Program.

Stay tuned for more blogs on Internet Privacy since it is core to business and consumer utilization of the Internet.

Twitter Ordered to Produce WikiLeaks Records

Since WikiLeaks’ addresses were provided to Twitter, a Judge ruled that they were no longer private since the “information has already been disclosed.” On January 4, 2012 US District Judge Liam O’Grady ordered Twitter to produce WikiLeaks records as reported by Bloomberg:

Litigation of these issues has already denied the government lawful access to potential evidence for more than a year…. The public interest therefore weighs strongly against further delay.

Who do you follow on Twitter?

On Jan. 1, I found that these Twitter names had hordes of followers: @ladygaga had 17,554,645, @Starbucks had 1,927,255, and @noahkravitz had 24,273 which anyone on Twitter can view. Please read my January column in eCommerce Times about Twitter followers in the PhoneDog v. Kravitz case entitled “New Legal Challenge - Who Owns Followers on Twitter?”

Clearly Twitter information appears to not be so private or secret.
 

Legal Issues Abound with BYOD (Bring Your Own Device)

BYOD has created new challenges for those employers who encourage their employees to buy their own cell phones, tablet devices, and/or computers. After a recent discussion about BYOD my good friend Galen Gruman (Executive Editor of InfoWorld for Features) posted an InfoWorld blog “Lost in BYOD's uncharted legal waters” which includes many important legal and business issues.

Before posting the blog Galen wrote an excellent 29 page report called the “BYOD and Mobile Strategy Deep Dive” which has the following summary:

iPhones, iPads, Androids, and more are joining your business's suite of technology tools, driven by user demand and need. Most companies have opened up their networks to such devices, but big questions remain on how to do so securely, how to manage the new breed of devices to ensure compliance and information security while not unduly burdening users.

A 2010 US Supreme Court 9-0 ruling declared that employees are not entitled to privacy if they use an employer’s issued device, so what level of privacy is there for BYODs? Will employees using BYODs be entitled to privacy if they are conducting business for their employers? Or will the employees using BYODs be entitled to privacy if the employer reimburses the employee for the cost(s) of the BYOD? 

Interesting questions and in the future the Courts will let us know….so stay tuned.
 

Twitter Privacy Challenge Sealed by Court

A Judge in Boston sealed the court records after a brief hearing challenging the District Attorney’s subpoena to Twitter to get the identity of certain accounts. The American Civil Liberties Union challenged the subpoena and was very disappointed in the sealing of the records.  

The New York Times reported:

The police in Boston and the Suffolk County district attorney issued the subpoena in an effort to get information about the Twitter account @P0isAn0N and other activity on the social network related to the Occupy Boston protests. The owner of the @P0isAn0N account had also linked to personal information about Boston police officers that had been stolen in a hacking attack. 

However the subpoena also requested the identity of Guido Fawkes, a well-known British blogger named Paul Staines who by all accounts was not involved with Occupy Boston. Whoever issued the subpoena apparently did not understand the difference between a hashtag and an account. Here’s the list of names in the subpoena:

Guido Fawkes
@p0isAn0N
@OccupyBoston
#BostonPD
#d0xcak3

Since Twitter lost a similar battle over anonymity over WikiLeaks it will be interesting to see how this court action plays out.

Privacy Update - Carrier IQ Goes to Washington

 Earlier this week Carrier IQ representatives met with officials at the FTC, FCC, and with the staff of a number of Senators. For more details about Carrier IQ please read my eCommerce Times column “Carrier IQ and the US' Escalating Privacy Risk Level.”

The Washington Post reported that Carrier IQ’s Andrew Coward (senior vice president for marketing) said “This week Carrier IQ sought meetings with the FTC and FCC to educate the two agencies . . . and answer any and all question”…but he was “not aware of an official investigation.” As well, the scope of the privacy controversy has enlarged. In addition to class action lawsuits against Carrier IQ, other class actions have been filed against AT&T, Sprint Nextel, Apple, T-Mobile USA, HTC, Samsung, and Motorola.

Stay tuned for more about Carrier IQ and privacy.

Privacy Update at Google and Microsoft

Google has a team of 60 engineers, & Microsoft has 40 people, fully devoted to avoiding violation of privacy laws in the US and around the world. At a recent legal seminar executives from Google and Microsoft described how many resources they devote to privacy law compliance.

Google’s senior privacy attorney Keith Enright said that the Google team of 60 engineers “work on developing products and then the legal team steps in to examine them.” As well, Google employs Anne Toth (former Yahoo! Chief Trust Officer) to oversee privacy for Google+. 

In addition to the 40 Microsoft employees dedicated to privacy full time, Microsoft also has another 400 people who spend time on privacy law compliance.

Although the US privacy laws are generally managed by the Federal Trade Commission (FTC), there is not a single privacy law like the 1995 EU Data Directive. However a recent NY Times report indicated that it may be time to harmonize the privacy laws in the EU since the now very old 1995 privacy laws do not seem to apply well to the Internet and Social Media in 2011.

No surprise that Google and Microsoft want to avoid the sort of problems that led to the FTC’s 20 year monitoring of Google for its failure to manage privacy with its Social Media Buzz, and the FTC’s proposed 20 year monitoring of privacy compliance of Facebook.

What is your organization doing to comply with privacy laws? When was the last time you looked at the privacy policies on your website?
 

Carrier IQ Captures Cell and Internet Usage from Millions without Approval

A researcher recently found that Carrier IQ software is secretly installed on most modern Android, BlackBerry, and Nokia phones. Android developer Trevor Eckert’s 17-minute video demonstrates that Carrier IQ software is loaded on his phone, cannot be disabled, tracks every keystroke, and sends the data to Carrier IQ. After receiving this massive data from millions of cell users, Carrier IQ "correlates and aggregates the data for near real-time system monitoring and business intelligence" for phone carriers and manufacturers, ostensibly to improve quality.

Eckert demonstrated that Carrier IQ software was logging and potentially transmitting the sensitive information of consumers, including:

  • when they turn their phones on;
  • when they turn their phones off;
  • the phone numbers they dial;
  • the contents of text messages they receive;
  • the URLs of the websites they visit;
  • the contents of their online search queries—even when those searches are encrypted; and
  • the location of the customer using the smartphone—even when the customer has expressly denied permission for an app that is currently running to access his or her location.

As a result Representative Edward Markey (D-Mass.), co-Chair of the Congressional Bi-Partisan Privacy Caucus, sent a letter to the Federal Trade Commission asking what is being done to investigate.

In addition to Representative Markey’s letter, Senator Al Franken (chairman of the Subcommittee on Privacy, Technology, and the Law) sent his own letter to Carrier IQ which included the following:

I am very concerned by recent reports that your company's software - pre-installed on smartphones used by millions of Americans - is logging and may be transmitting extraordinarily sensitive information from consumers' phones ... It also appears that an average user would have no way to know that this software is running - and that when the user finds out, he or she will have no reasonable means to remove or stop it. ... These actions may violate federal privacy laws, including the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. This is potentially a very serious matter.

Senator Franken requested that Carrier IQ answer by December 14, 2011.

On December 1, 2011 Carrier IQ issued a press release in which Carrier IQ stated that consumers’ privacy is protected:

Consumers have a trusted relationship with operators and expect their personal information and privacy to be respected. As a condition of its contracts with operators, Carrier IQ operates exclusively within that framework and under the laws of the applicable jurisdiction. The data we gather is transmitted over an encrypted channel and secured within our customers’ networks or in our audited and customer-approved facilities.

Actually Carrier IQ claimed that “Our software makes your phone better by delivering intelligence on the performance of mobile devices and networks to help the operators provide optimal service efficiency.”

This is alarming news, and it seems to me we all expect our government to step in to protect consumers’ privacy, which it seems has been seriously compromised!

Facebook Confesses Failure to Comply with Privacy Laws

After the US government filed charges that Facebook violated US privacy law, Facebook finally confessed that it failed to protect the privacy of its 800 million active users. The Federal Trade Commission (FTC) welcomes the public to submit comments on the settlement through December 30, 2011.

Under the proposed consent order, which does not include any fines, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers' personal information;
  • required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

The Facebook user community surely welcomes these commitments to comply with privacy laws, and it’s good to see that FTC will monitor Facebook’s privacy compliance for the next 20 years. The 20 year privacy monitoring is similar to the FTC’s agreement for Google to protect privacy after Google’s social media disaster with Buzz.

However, time will tell if the FTC can really police social media privacy, so it would be wise for social media users to protect their own privacy.
 

Privacy at Risk? - Feds to Monitor Twitter & Facebook

US citizens expect the Department of Homeland Security (DHS) to protect the country from potential threats, but the recent announcement that DHS will monitor Twitter & Facebook will surely cause privacy advocates great concern. Social Media has been used extensively in the government uprisings world-wide and DHS is now drawing up guidelines to monitor Social Media. Undersecretary of the DHS Caryn Wagner told an audience at the National Symposium on Homeland Security and Defense in Colorado Springs:

We're still trying to figure out how you use things like Twitter as a source…How do you establish trends and how do you then capture that in an intelligence product?

The DHS guidelines may cast a pall over Social Media and impact how Social Media is used and surely the Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC) will keep a close eye. As a matter of fact, EPIC posted a recent report from Carnegie Mellon University that found that “privacy tools designed to protect consumers from online behavioral advertising are ineffective because they are difficult for users to understand and to configure.”

Everyone needs to stay tuned to see how this unfolds.
 

GPS Data Will be Considered by the US Supreme Court

Today everybody carries GPS devices in their phones (and tablets), but few people consider that our personal privacy may be compromised as a result. In November the US Supreme Court will hear argument (US v. Jones) as to whether the drug suspect’s Constitutional right to privacy was violated since a GPS device was attached to his vehicle without a warrant. As a matter of fact, Roger L. Easton, the principal inventor of GPS technology, has joined the Electronic Frontier Foundation to urge the Supreme Court to require warrants before using GPS tracking systems.

GPS data is retained by phone service providers and may become a larger part of litigation (and eDiscovery) which will allow parties in litigation to track parties’ location at specific times.

Our personal privacy may be at stake if the Supreme Court writes a broad opinion about how much personal privacy we can expect from GPS data since our phones (and tablets) contain GPS devices.

Are Privacy Policies Being Enforced?

My eCommerce Times column for October is entitled “Shore Up Your Privacy Policy Before Disaster Strikes” and I encourage you to read it. Actually it was published the same day as my blog that more than 7.5 million children under 13 are on Facebook. Since the Federal Trade Commission regulates Internet privacy in the US and particularly the 1998 Children’s Online Privacy Protection Act, it’s only a matter of time before we can expect some action.

Facebook’s latest user statistics are that more than 75% of Facebook users are outside the US.  So it seems likely that the EU, Japan, Canada, and many other countries will inquire about what Facebook intends to do about children using Facebook!

More than 7.5 Million Facebook Users are Younger than 13

The June 2011 issue of Consumer Reports included an article that Facebook has more than 7.5 million children as users which apparently is violating the 1998 Children’s Online Privacy Protection Act (COPPA) which precludes children under 13 from using websites and in particular to join Facebook. The Consumer Reports article stated that:

  • Of the 20 million minors who actively used Facebook in the past year, 7.5 million—or more than one-third—were younger than 13 and not supposed to be able to use the site.
  • Among young users, more than 5 million were 10 and under, and their accounts were largely unsupervised by their parents.
  • One million children were harassed, threatened, or subjected to other forms of cyberbullying on the site in the past year.

These facts reinforce the fact that it is impossible to know who is actually using the Internet websites as highlighted by one of my most favorite New Yorker cartoons from 1993 where two dogs are sitting in front of a computer and one dog says to the other “On the Internet nobody knows you’re a dog.”

COPPA was enacted to protect children under 13, but if children under 13 lie about their age what is Facebook (or any other site) to do? This is a most perplexing problem and hopefully we can solve this problem to protect children.
 

Privacy Concerns if Chinese Ownership of Yahoo!

A report in the Financial Times that Alibaba might take over Yahoo! has raised privacy fears. Jack Ma's (Alibaba founder & former Google employee) recent comment about the prospect that Alibaba was interested in Yahoo! set off privacy group alarms as reported by the Financial Times:

"Lawmakers should oppose a deal where the data of Americans come under the control of a foreign company with links to the Chinese government,” said Jeff Chester, head of the Center for Digital Democracy. “Instead of stealthfully spying on Google users, which Chinese officials have been alleged to have done, an Alibaba takeover of Yahoo would sanction the surveillance of millions of Americans."

Ironically Yahoo! uses Microsoft's Bing these days for its search engine....so this privacy concern is much larger than it seems on the surface. As well Alibaba is the most popular search engine in China, and with Google's departure it seems that Alibaba is as strong as ever notwithstanding that Bing has entered the Chinese search engine market.

This will be of great interest to follow for the search engine wars and privacy concerns!

GPS Privacy in Doubt for Former OnStar Customers

Effective in December 2011 the OnStar GPS navigation-and-emergency-services company will collect vehicle data for those customers who terminate their agreements.

The 10 page OnStar Privacy Statement states that:

Unless the Data Connection to your Vehicle is deactivated, data about your Vehicle will continue to be collected even if you do not have a Plan. It is important that you convey this to other drivers, occupants, or subsequent owners of your Vehicle. You may deactivate the Data Connection to your Vehicle at any time by contacting an OnStar Advisor.

In addition to GPS location data the Privacy Statement goes on to specify what information OnStar collects:

  • your contact information, (including your name, address, telephone number and email address);
  • your billing information (including your credit card number);
  • information about the purchase or lease of your Vehicle, such as the vehicle identification number (VIN), make, model, year and date of purchase or lease and selling/preferred dealer; and
  • other information that you voluntarily provide to us (such as your language preference, your license plate number and/or your emergency contact information).

It will be interesting to see how many OnStar customers will allow this tracking when their contracts end. GPS data intrudes on personal privacy whether it’s an iPhone, iPad, or OnStar device. But do people really think about their GPS privacy?
 

Should Google+ Users be Anonymous?

Google’s Eric Schmidt said in a recent interview that Google+ users should not be anonymous since it would be better “if we had an accurate notion that you were a real person as opposed to a dog, or a fake person, or a spammer.” Schmidt’s comments reinforce one of my favorite New Yorker cartoons from 1993 with two dogs sitting in front of a computer with one saying to the other “on the Internet nobody knows you’re a dog!”

Schmidt’s interview, which is posted at Google+ (which now has an estimated 25 million users), also included these thoughts:

But my general rule is that is people have a lot of free time and people on the Internet, there are people who do really really evil and wrong things on the Internet, and it would be useful if we had strong identity so we could weed them out. I’m not suggesting eliminating them, what I’m suggesting is if we knew their identity was accurate, we could rank them. Think of them like an identity rank.

Since we really have no clue who is using the Internet and Social Media, whether a dog or an evil person, maybe Eric Schmidt is right that forcing people to identify themselves would be better. But his interview also included the following:

But we want people to stand for something, we want people to be willing to express themselves. There are obviously people for which using their real name is not appropriate, and it’s completely optional, and if you’re one of those people don’t do it.

Clearly the debate about anonymity will continue, so stay tuned.

Is Internet Privacy Possible?

A new lawsuit against Google for Internet location tracking highlights my recent eCommerce Times column that Internet privacy may not be possible. The new class action lawsuit brought by Jon Pessano and others asserts that Google uses its location marketing database to generate billions of dollars in location based ad revenue.

The lawsuit is based in part on the reports that Apple and Google confessed that they tracked locations of iPhones, iPads, and Android devices. However until the court in Tampa, Florida certifies the plaintiffs’ class the lawsuit will not proceed, but if the class is certified this will be one very interesting case to follow.

Courts Give Mixed Signals about Privacy in Social Media

Two recent Pennsylvania State Court rulings only make things more confusing as Social Media privacy disputes become more prevalent.

Bucks County Common Pleas Court Judge Albert J. Cepparulo, ruling in Piccolo v. Paterson, denied a motion to require Piccolo to accept Paterson as a Facebook friend. In this case Piccolo was injured in an auto accident in which Paterson admitted liability for the accident. When Paterson learned that Piccolo regularly posted updates and photos to her private Facebook page, Paterson asked the Judge to order Piccolo to allow her to be a Facebook friend so Paterson could view updates and photos. The ruling protected Piccolo’s private Facebook updates and photos.

Paterson relied on another Pennsylvania case, McMillen v. Hummingbird Speedway Inc. in Jefferson County Common Pleas Court, where McMillen was ordered to provide his Facebook and MySpace user names and passwords. Judge John Henry Foradora also ordered that McMillen “shall not take steps to delete or alter existing information and posts on his MySpace or Facebook account.” McMillen’s lawsuit “alleged substantial injuries, including possible permanent impairment, loss and impairment of general health, strength, and vitality, and inability to enjoy certain pleasures of life.” So when Hummingbird discovered that McMillen’s Facebook and MySpace pages showed that McMillen was posting travel pictures from many locations the Judge concluded that McMillen was not entitled to privacy for his Facebook and MySpace postings.

Stay tuned for more court rulings on Social Media postings!

Prosecutor Charges Husband with Crime for Reading Wife's eMails!

While a Michigan couple was married the husband and wife shared a computer and the husband had access to his wife’s email password…. but according to the Detroit Free Press the ex-husband has now been charged with a felony for looking at his ex-wife's emails.

Should it be a crime or divorce court dispute for the husband to view his wife’s gmail?

My February 2011 Technology Law Column in the eCommerce Times has the complete story, including the comments of nationally recognized criminal defense lawyer Barry Sorrels (the current President of the Dallas Bar Association). 

Barry and I were interviewed on Fox News about this case and he wondered if this "type of matter was the highest and best use of the criminal justice system.... There are more serious matters."

What do you think?

CNN News - "Internet Privacy Interview"

My recent interview about "Internet Privacy" by CNN’s anchor Brooke Baldwin was very timely since the next day the Department of Commerce called for the creation of a Federal Office to Guide Online Privacy and published a white paper entitled: “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.” Although the proposed new Privacy Office would be part of the Department of Commerce, the proposal was that the Federal Trade Commission (FTC) should be responsible for enforcement. Since Internet privacy is front page news because of a myriad of Internet sites, the FTC continues to keep an eye on protecting US citizens while at the same time the EU is also evaluating its 1995 Data Directive. In the US emails are generally private to employers, but in the EU (Canada, Japan, and other countries) emails are generally private to employees. So as the Internet and Social Media expand world-wide communications, which laws apply to email and text communications are still unclear. Stay tuned.

Identity Theft for the US Military Requires an Immediate Fix

A recent NY Times report is critical of the military’s daily use of social security numbers (SSN) and birthdates, and how poorly Personal Identifiable Information (PII) is managed. Army intelligence officer turned West Point professor Lt. Col. Gregory Conti co-authored a report entitled “The Military’s Cultural Disregard for Personal Information” published at smallwarsjournal.com, which starts “Identity theft is not simply an inconvenience; it can lead to long-term financial and legal difficulties for individuals and families.” The report includes more than a dozen examples of misuse of PII including:

  • Social Security numbers and dates of birth are exposed to foreign customs officials when traveling on official orders.
  • Social Security numbers are exposed, all or in part, to contracted transportation companies and truck drivers during military moves.
  • Some military organizations use portions of Social Security numbers in email addresses and as computer user names.
  • Until recently, a Service Academy Alumni Association published books listing all graduate’s dates of birth. Copies are available on Ebay.
  • Service members, and their family members, frequently provide their Security number-laden military identification card to merchants, clerks, and night club bouncers for military discounts or as proof of age.
  • Service members in Iraq, Afghanistan, and other foreign countries must show their military identification card to locally contracted, foreign national security guards to gain entrance.

When I was in the Army Reserves 40 years ago the use of SSN was common place including our uniforms, and no one seemed concerned about identity theft. But in our Social Media world of 2010 clearly the US military needs to do something to help our troops and their families….sooner rather than later. This is a serious problem.

Obama Gets Mediocre Privacy Grades

The Electronic Privacy Information Center (EPIC) issued its second annual privacy report card with lower grades of “C for consumer data protection efforts and a D on civil liberties.” Mark Rotenberg, executive director of EPIC said "Our bottom-line assessment is that with respect to privacy, things are getting worse.” The EPIC is pleased that President Obama’s first Cyber Czar Howard Schmidt (who was appointed in December 2009) is working with privacy groups. EPIC’s report is critical of the Federal Trade Commission (FTC) which is now reevaluating US privacy laws in the wake of Google’s Buzz disaster and alleged privacy violations by Facebook. Clearly everyone needs to keep an eye on how the Obama administration manages privacy, and now that the Democrats do not control both houses of Congress it will be interesting to see how law makers deal with privacy.

New Congress and Privacy

As a matter of fact, after the November 2, 2010 election the Washington Post reported that “Rep. Joe L. Barton (Tex.), ranking GOP member of the House Energy and Commerce Committee, signaled the legislative push in a statement about his correspondence with Facebook executives on privacy issues…I want the Internet economy to prosper, but it can't unless the people's right to privacy means more than a right to hear excuses after the damage is done.” Reports of data breaches continue, and one merely needs to check out the FBI’s website of Cyber Crime Stories, which clearly impact us all.

Privacy Update - Frankly Most Social Media Users Don't Care

Facebook now offers users the ability to download all of their content in a simple zip file format, but this doesn’t solve privacy concerns. Sure it’s nice to be able to download all the content, but in the meantime Facebook still stores lots of valuable information about users.

Let’s see a show of hands - how many of you have ever taken the time to read Facebook’s Privacy Policy? … not many hands were raised, which I find is the norm.

In the meantime here’s what Facebook says about site activity information:

We keep track of some of the actions you take on Facebook, such as adding connections (including joining a group or adding a friend), creating a photo album, sending a gift, poking another user, indicating you “like” a post, attending an event, or connecting with an application. In some cases you are also taking an action when you provide information or content to us. For example, if you share a video, in addition to storing the actual content you uploaded, we might log the fact that you shared it.

eMarketer.com July 2010 estimates are that the advertising revenue for Facebook in 2010 is $1.28 billion which is about a 50% increase from the 2009 revenue of $665 million. It doesn’t take rocket science to see that Facebook monetizes users’ data and so it’s hard to imagine that there is any real privacy on Facebook at all since Facebook sells information about everyone and what they do on Facebook.

What about Terms of Service and Privacy Policies?

Generally courts around the world enforce Terms of Service and Privacy Policies, but I continue to be amazed that so few people ever read these contracts that legally bind them to websites, and particularly Social Media sites. As part of my Law of eCommerce class I regularly review Terms of Service and Privacy Policies during each semester, and I find it fascinating that like businesses have such different business views….take a look at Google and Bing’s Terms of Service and see how differently they bind their users even though they are in the same search engine business. For instance, Google does not require users to indemnify Google for claims brought against Google, but Bing does require users to indemnify Bing (Microsoft) if a claim is made against Bing based on the user’s actions.

Think about Terms of Service and Privacy Policies

Often I find that my clients merely copy Terms of Service and Privacy Policies for their websites without taking into account that they may be in the software development and licensing business, but since they are not IBM, it’s not a good idea to just copy IBM’s Terms of Service and Privacy Policy as if they will properly protect themselves. One should use good judgment about how to bind users contractually to websites, and make sure the Terms of Service and Privacy Policies are consistent with the way they conduct their businesses.

Invasion of Privacy or Cyber Security?

Proposed laws to ease wiretaps on the Internet are now being considered by the US Senate Judiciary Committee, but with widespread pushback from privacy groups. Federal officials have long relied on the wiretap laws to monitor criminals and terrorists, however as we all know fewer and fewer individuals are using phones any more. Rather everyone uses emails, texts, and posting information on Social Media sites. Since 1994 phone and broadband services have provided intercept capabilities based on the Communications Assistance to Law Enforcement Act, and the New York Times reported about the proposed new laws:

Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.

Since there are so many privacy issues at stake on these proposed laws there will be a great deal of debate in Congress, and in the meantime cyber security in the US and the world continues to be a major concern for all.

Cyber Attack: Malware Infects more than 45,000 Computer Systems

A recent report in the Washington Post speculated that either a country or a well-funded private group was behind Stuxnet, which was “the first malicious computer code specifically created to take over systems that control the inner workings of industrial plants.” The consequence of such malware is potentially catastrophic physical or property damage or loss. When we hear about these types of cyber attacks we have to consider how to protect ourselves and how to balance personal privacy.

PRIVACY: Should the FBI Get Records about Your Internet Activity Without a Subpoena?

A recent report that the White House wants the FBI to have access to an individual’s Internet activity may help with investigation of terrorism or intelligence, but what about our expectation of privacy? Notwithstanding all of Mark Zuckerberg’s recent comments about privacy, last winter Zuckerberg told a live audience that if he were to ‘create Facebook again today, user information would by default be public.’ Also Google CEO Eric Schmidt admitted in a CNBC interview that under the US Patriot Act Google would turn over user information (which Google maintains for 18 months) without question. So maybe we have less privacy than we may think, but in the name of national security alone does it make sense for the White House/FBI to not even bother getting a federal judge to issue a subpoena?

COMPANY PRIVACY: Social Engineer Defcon Contest

At the annual Defcon meetings (July 30-August 1) in Las Vegas there was a 3 day contest to see which Social Engineer could get the most company data from 30 companies. The FBI is not too happy, but after consulting lawyers from the Electronic Frontier Foundation the following contest rules were created:

Each Social Engineer is sent via email a dossier with the name and URL of their target company chosen from the pool of submitted names.

Pre-Defcon you are allowed to gather any type of information you can glean from the WWW, their websites, Google searches and by using other passive information gathering techniques. You are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this and points will be deducted for “cheating”.

The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. The point system will be revealed during the Defcon event. All information should be stored in a professional looking report. 1 week prior to Defcon you will submit your dossiers for review to the judging panel.

Stay tuned to see how successful the Social Engineers were in getting information from these 30 companies. How easy will it be to get information? We all know the answer, pretty easy!
 

US Supreme Court Rules 9-0 - Employer Had Right to Text Messages

The Ontario, CA Police Department (OPD) did not violate the 4th Amendment by reviewing text messages sent from a work pager. Apparently the OPD’s warrantless audit found Officer Quon had sent or received 456 messages, but only 57 were work-related. The OPD Computer Policy included the provision that the OPD “reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice. Users should have no expectation of privacy or confidentiality when using these resources.” The Court ruled that the “warrantless review of Quon’s pager transcript was reasonable … because it was motivated by a legitimate work-related purpose, and because it was not excessive in scope.” Today so many employees use cell phones and PDAs provided by employers that surely the Supreme Court’s ruling will impact all employees, not just government employees.

Privacy Ruling in California Court

The Supreme Court ruling in the Quon case should also impact the May 26, 2010 ruling where US District Judge Margaret Morrow ruled that messages posted on Facebook and MySpace may not be subpoenaed. Based on the Supreme Court ruling in Quon, employees who post private messages on social media using their work computers, cell phones, or PDAs may not be able to claim privacy for those communications. The ruling in the Quon case is one more reason for Congress to review the 1986 Stored Communications Act given the use of social media communications. Stay tuned on how the Quon ruling will impact all businesses.
 

Messages on Facebook & MySpace are Protected Information

A Judge ruled that Facebook wall postings and MySpace comments may not be subpoenaed based on the 1986 Stored Communications Act, which is the same statute before the US Supreme Court in Quon v. Arch Wireless. US District Judge Margaret Morrow’s May 26, 2010 37-page Order in Buckley H. Crispin v. Christian Audigier, Inc. et al reversed a ruling from a US Magistrate Judge that defendants in a copyright infringement case could not subpoena private messages on Facebook and MySpace. This ruling is particularly interesting given the April 7, 2010 White House Order that all postings on blogs and social media sites are public meetings under federal law. Clearly courts will be vexed by these complex issues as social media continues to grow and change communications. Is it any wonder that the 1986 Stored Communications Act may need to be updated or totally replaced, since clearly the courts and the White House are not in sync?

Yahoo! Plans its Social Media

With 280 million email users it’s no wonder that Yahoo! will launch its social media services to allow exchange of comments, pictures, and the like. Given all the current issues with Facebook privacy and Google’s Buzz it’s no wonder that Yahoo!’s head of privacy claimed that “We’ve been watching and trying to be thoughtful about our approach.” Clearly we will all be watching to see the impact of Yahoo!’s entry into social media, particularly as Yahoo!’s search engine declines in popularity in the US. Will email traffic overcome the lack of search engine traffic?

More Google Wi-Fi Woes – Now Canada

Recent reports now indicate that the Privacy Commissioner of Canada started an investigation into Google’s collection of Wi-Fi network data. Since Germany, France, Italy, and the Czech Republic are investigating, Canada’s entry into the fray is no surprise. Google’s defense that other companies including Skyhook and organizations like the German Fraunhofer Institute do the same does not seem to be much help at this juncture. The outcome of the Wi-Fi privacy issues may also impact Google maps which are tied together.

Google Street View Cars Collect WiFi Network Data

To the surprise of many Google confirmed that since 2006 its Street View Cars captured WiFi network information in addition to Street View Photos. Google uses this WiFi network information to improve location-based services like search and maps. Specifically Google confessed that the WiFi information collected was:

WiFi networks broadcast information that identifies the network and how that network operates. That includes SSID data (i.e. the network name) and MAC address (a unique number given to a device like a WiFi router). Networks also send information to other computers that are using the network, called payload data, but Google does not collect or store payload data.

It is not surprising that Google claims that its collection and use of the WiFi data was legal and was also done by other companies including Skyhook and organizations like the German Fraunhofer Institute. Around the world a number of privacy groups have been unhappy about Google Street View Photos, and now new privacy concerns abound regarding Google’s collection of WiFi network data.

Destruction of Google’s Irish WiFi Data

Even though Google claims it is completely legal, on May 14, 2010 the Irish Data Protection Authority asked Google to delete its WiFi network data collected in Ireland. So on May 16th the destruction of this WiFi network data was confirmed by a third party consultant. However one might wonder how the consultant could confirm that all the data was actually destroyed without reviewing Google computer networks, which is probably impossible to do.

Germany and Australia Want Answers

German prosecutors are investigating whether Google violated privacy laws, and Google posted a blog that the Data Protection Authority in Hamburg, Germany requested an audit of Google’s WiFi data. Also privacy groups in Australia want to know more from Google. Clearly Google’s collection and use of private WiFi network information helps us better understand how little privacy we all have.

Complaint Filed with the FTC Regarding "advertisers' use of digital data"

A report that a number of privacy groups filed a complaint asking the FTC to investigate includes this quote: “Internet ad exchanges… are basically markets for eyeballs on the Web. Advertisers bid against each other in real-time for the ability to direct a message at a single Web surfer. The trades take 50 milliseconds to complete.” The April 8, 2010 complaint was filed by the Center for Digital Democracy, US PIRG, and the World Privacy Forum against Google, Yahoo, PubMatic, TARGUSinfo, MediaMath, eXelate, Rubicon Project, AppNexus, Rocket Fuel, and others. Among other allegations in the complaint is a “massive and stealth data collection apparatus.” How much privacy do we really have?

Privacy in Social Media

Seems like an interesting overlap with my recent blog about the fact that the FTC is already dealing with EPIC’s complaint that Google’s new Buzz significantly breached “consumers' expectations of privacy” at the same time that Google acquired Social Media Optimization company Aardvark. Since it is the job of the FTC to protect consumer privacy it will be interesting to see how both of these disputes evolve.

Hearst Said to Be in Talks for Web-Marketing Agency iCrossing

More interesting news is that Hearst might take over iCrossing. iCrossing is one of the leading Search Engine Optimization (SEO) companies with a who’s who customer list including: Adobe, Bank of America, BMW, Epson, Fairmont Hotels, Mary Kay, MasterCard, Office Depot, and Toyota. Hearst is:

“one of the nation's largest diversified media companies. Its major interests include magazine, newspaper and business publishing, cable networks, television and radio broadcasting, internet businesses, TV production and distribution, newspaper features distribution and real estate.”

So the addition of SEO power for Hearst will make an interesting future for everyone. Not to mention the impact on Social Media Optimization that Google and others possess, we can expect the FTC investigations to prove very interesting.

Feds Declare that Blogs and Social Networks are Public Meetings

For purposes of dealing with web 2.0 the White House Memo released on April 7, 2010 about social media specifically states that “interactive meeting tools—including but not limited to public conference calls, webinars, blogs, discussion boards, forums, message boards, chat sessions, social networks, and online communities—to be equivalent to in-person public meetings.” The White House Memo is a follow-up to President Obama’s January 21, 2009 (day after the President was sworn-in) “calling for the establishment of ‘a system of transparency, public participation, and collaboration.’” Fascinating development that blogs, Facebook, LinkedIn, Twitter, MySpace, Yelp, and the like are public meetings which means that one should expect little privacy from use of these online services.

Majority of Government Agencies Use Social Networks

This report that a majority of government agencies now use social networks is hardly a news flash, but put in the context of the White House’s Memo that social networks are public meetings, it may change the public view of how they communicate. Of the 400+ million Facebook members an estimated 70% are outside the US, and one may wonder how communications across international borders impact the declaration that social media is public meetings.

Yelp and the Business of Extortion 2.0

This recently filed class action suit accuses Yelp of extortion to get bad comments removed from Yelp and lower rankings by reviewers. It remains to be seen whether this case will succeed, but if Yelp is considered a public meeting by the White House it makes one wonder how extortion fits in. Not to mention that the 50 million tweets a day on Twitter are considered public meetings, even though at least 14,000 are followers of Doonesbury cartoon character Roland Hedley! Web 2.0 is definitely taking us in interesting directions!

Privacy Ain't What it Used to Be

A recent report that Web 2.0 (Facebook, Twitter, MySpace, et al) continues to encourage friends to share private information at an alarming rate is hardly a surprise. Research at a number of universities demonstrates that things are probably worse than most people imagine. For instance, the 2009 paper entitled “Predicting Social Security numbers from public data” from Carnegie Mellon explained how easy it is to predict patterns of data that lead to accurate predictions of Social Security numbers (SSNs) and birth dates from public data. Cyber thieves are taking advantage of the personal information on the Internet, as we are well aware.

Electronic Health Records (EHRs)

To make matters more interesting, the expansion of EHRs over the next four years will expose more personal medical information on the Internet. The US deadline of 2015 for implementing all EHRs may sound great to some, but we should be concerned about how well that personal information is protected. Actually the EHRs may make the personal information a bigger target for cyber thieves. Recent warnings about cyber threats from the FBI and DHS should make us all uneasy.

SSNs Used for Personal Identification

As many of us remember for many years health insurance companies used SSNs for their insureds’ account numbers and a number of states used SSNs for drivers’ license numbers.  So there are millions of historic records on US citizens that include SSNs. As a matter of fact, millions of Internet court records include divorce decrees, motions, and affidavits with SSNs, drivers’ license numbers, credit card numbers, and bank account numbers. Many states now limit posting of this personal information on the Internet, but records from the past abound with personal information. Given our open government view of open records laws which sprang forth after Watergate in 1972 most people think government and court records should be open, but a hidden danger lurks in protecting personal information within those court records.

Interesting Headline - "Facebook's Zuckerberg Says The Age of Privacy is Over"

In a recent interview Mark Zuckerberg “told a live audience …that if he were to create Facebook again today, user information would by default be public, not private as it was for years until the company changed dramatically in December.” Without question Facebook and social networking have changed Internet users’ perceptions of what should be private and not.

Google CEO Schmidt Comments about Privacy
 

The Electronic Frontier Foundation recently reported:
 

When asked during an interview for CNBC's recent "Inside the Mind of Google" special about whether users should be sharing information with Google as if it were a "trusted friend," Schmidt responded, "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
 

Schmidt went on to say that under the US Patriot Act the US government may obtain information from Google which they routinely retain. Many Google users are unaware that Google retains each and every search for 18 months. So I guess his advice should make people stop and think.


Privacy – What Do Law Students Think?

When I first started teaching the Law of eCommerce at SMU Dedman School of Law in 2000 privacy was a very important and hot topic. A few years ago the CyberProf listserv did an informal survey of those of us who teach the Law of eCommerce and/or the Internet regarding how our students felt about privacy in 2000 and in 2008. Not much of a surprise that law students in 2008 seemed to care a lot less about privacy. My guess is that social networking, Facebook, MySpace, Twitter, texting, et al have been the big drivers of this change in attitude regarding privacy.

Ohio Supreme Court Rules Illegal Search and Seizure of a Cell Phone!

In a 5-4 ruling the Ohio Supreme Court now requires a search warrant to search cell phone content which the American Civil Liberties Union of Ohio calls a landmark decision as this appears to be a case of first impression. The defendant’s cell phone was searched without a warrant after he was arrested on drug charges based on a police sting operation. At trial the defendant claimed a violation of the 4th Amendment that although the police had the right to take his cell, the police did not have the right to search the contents of the cell. A decision to appeal to the US Supreme Court is pending.

US Supreme Court Agrees to Consider Text Messages

This week the Supreme Court agreed to consider the privacy claims regarding police officers’ text messages in City of Ontario v. Quon. The question before the Supreme Court is whether the city employees are entitled to privacy of the text messages stored on Arch Wireless’ servers since the city provided the text services to the officers as part of their jobs. Each officer received 25,000 characters a month as an allowance and the officers paid for any overages. The city paid no attention to the text messages until it discovered that officer Jeff Quon (who paid for characters above the allowance) had sent sexually explicit messages that were clearly personal and not business related. The question in this case is also a claim of violation of the 4th Amendment.

Web 2.0 Communications

Given what people post on social networking sites like Facebook, MySpace, and LinkedIn it is a wonder that many folks expect much privacy today. Courts will continue to be confronted with perplexing issues regarding the use of the Internet and this will never be less complex, but as I blogged this week Judges in Florida should not be social network friends with lawyers who appear before them in cases even though lawyers may contribute to their election campaigns. As web 2.0 expands one easily imagines that the courts will have to reconsider how the 1789 written Constitution applies.

Privacy - More Congressional Questions

The US Congress is asking more questions about consumer privacy and email collection/surveillance at a time when President Obama is highlighting cybersecurity. So when asked about consumers’ opt-out from personal data collection, Yahoo!’s privacy chief admitted that fewer than 1% opted-out and Google’s deputy general counsel didn’t even know how many users opted-out. Of course the primary reason virtually no one chooses the opt-out is a lack of understanding about how much privacy individuals actually have on the Internet and a false sense of security and privacy.
 

Behavioral Advertising

A recent privacy blog discussed the February 2009 Federal Trade Commission Staff Report entitled “Self-Regulatory Principles For Online Behavioral Advertising,” and the opt-out questions posed by Congress are at the heart of whether new Internet privacy laws are required. The Internet economy, of which Google is certainly the chief example, is dependent upon the current behavioral advertising model and surely will be impacted by a change in the privacy laws in the US.

eMail Surveillance

Most US citizens believe that their emails are private. However, employees’ expectation of privacy regarding emails in the workplace (not personal webmail) may be misplaced, since in the US emails are private to employers and in the EU, Canada, and other countries emails are private to the employees. Nevertheless there are more questions being asked in Congress about how many e-mails are being collected in the name of security. The recent report that the National Security Agency exceeded its authority by intercepting emails and phone calls continues to be debated in Congress. Given President Obama’s cybersecurity agenda it will be interesting to see how the US Congress can reconcile the expectation of personal privacy and the need for Internet security. These debates will continue as the Internet evolves. Stay tuned for more.
 

Is the US Cybersafe? Probably Not!

After a three-year study a panel (of former military leaders and IT professionals) from the National Academy of Sciences reported that the US has no clear military policies for cyberattacks. Notwithstanding a recent blog about the NSA exceeding its authority to intercept email, we are not much safer from cyberattacks. One would have to live under a rock to have not noticed the significant number of system breaches. As a matter of fact as pointed out in other blogs, LexisNexis just warned 32,000 individuals about data breaches that personal information may have been improperly accessed in a credit card scheme as far back as 2004.

Proposed Federal Legislation to Update FISMA

The US Congress will be considering an update to FISMA (the Federal Information Security Management Act) called the "U.S. Information and Communications Enhancement Act of 2009." This proposed Act will create hacker squads to test defenses of agency networks, and the agencies will be required to show how they can effectively detect and respond to cyberattacks. Currently there are only about five federal agencies who conduct this type of testing.

Cyberattacks From Within

A former Sysadmin (System Administrator) recently pled guilty to a charge of cyber extortion by threatening his former employer and faces up to five years in prison and a fine of $250,000. After the Sysadmin was terminated last year he complained about the severance and threatened to cause extensive damage to his former employer’s systems. Apparently he left many back doors in the systems he managed that allowed him to enter and cause havoc, which of course as a Sysadmin he had the authority to do.

How Safe Should We Feel?

Hopefully the US will get control of cyber security, because it seems patently obvious to the most casual observer that at this time the US is extremely vulnerable. Maybe the US should spend $19 Billion on cyber security rather than on Electronic Health Records (EHR), since the US is so dependent on the use of the Internet today, and the US’s dependence on the Internet will only increase. Cyber safety is more critical than EHR.
 

Are We Any Safer Because the NSA Exceeded its Authority to Intercept eMails?

A report that the National Security Agency (NSA) exceeded its authority by intercepting emails and phone calls of Americans makes some people feel safer, and others wary. Many speculate that these massive email and phone call interceptions are systematic and intentional. For instance the Electronic Privacy Information Center (EPIC) and Electronic Frontier Foundation (EFF) have been following NSA’s activities for some time and are alarmed at NSA’s actions.

US Patriot Act

In the wake of the September 11 terrorist attacks, on October 26, 2001 President Bush signed the US Patriot Act after it passed both houses of Congress in less than one day. The US Patriot Act gave the federal government unparalleled power to search emails and private communications without many checks and balances in the name of protection from terrorists. The US Patriot Act was renewed in 2005 substantially without major change. Congress and US citizens want certain protections, but EPIC and EFF are concerned that the US Patriot Act is too broad.

Increase in Criminal Data Breaches

Reports that there has been a significant increase in data breaches by organized crime are hardly a surprise, but it seems that NSA’s efforts in searching emails and phone calls have not really paid off to make our Internet a safer place in which to conduct business. Last year there were more than 100 confirmed data breaches involving roughly 285 million consumer records, most of which occurred from sites overseas. There needs to be a balance between safety from bad guys and protection of civil liberties.
 

VIDEO- Protecting Personal Information

A video about personal information was recorded in October, 2008 and was posted on WatchIT’s website  which is one of many educational programs available.  Please take a look to see which programs can help your business.
 

Social Networking Has Never Been More Popular, but What about User Content?

Facebook claims to have more than 120 million active members and it is the 4th most trafficked site in the world. Of course there are many other popular social network sites including LinkedIn and MySpace to name a few, and only to make things more interesting a recent report indicates that more than half of MySpace visitors are 35 or older. Not much of a surprise that more mature individuals are getting into social networking as the Internet evolves.

What about the Content?

The terms of use vary between Facebook and other social network sites, but one common provision in the terms of use is that the users grant these sites a worldwide license to the user content that is irrevocable, perpetual, non-exclusive, transferable, and royalty free, to use, copy, or do just about anything they want. Facebook also limits its liability to the amount of monies paid (if any) or $1000. Even users of Google Apps grant Google a license to their content.

Web Universal ID?

Facebook recently announced Facebook Connect, which is a Universal ID that will allow its users to log on only once and then navigate to third party sites. Not much of a surprise that Google, Yahoo!, and MySpace are also developing similar technology. However, it seems that few individuals either care or understand that they are providing Facebook, MySpace, Google, and all the rest with licenses to their personal content. Regardless of what users understand, the growth of the social networking websites will be based on increased data from their users’ content, which will generate more online advertising revenues.
 

Google's Wiki ...what's going on?

A recent Google announcement of Wiki services in Google to improve the search experience and allow users to rank search results has a number of individuals questioning exactly what’s going on. Just like most wiki projects, this project did not move in a straight line. Apparently this new service came from a Google Wiki Search Team rather than Google Labs.

How does the new Google Wiki work?

The new Google Wiki will allow users to conduct searches, and then permits them to reorder or delete certain results. That way when users return for future visits to Google they get their search results in the order they want. Only the user has access to their own search results with its Google Wiki reorganization, so they can keep this private.

What’s really going on?

Some skeptics complain that Google’s run out of ideas and that they are fixing something that wasn’t broken. Maybe, but perhaps there’s more method to this madness – since users can control the priority of their search results, won’t Google have even more powerful advertising data about users? Google users are more likely to spend more time on Google, which can only help Google’s business. Privacy of personal information should be a major concern to Google users since Google will have a personal insight about the priority of search results, not to mention the deleted search results. Stay tuned for future developments!
 

Cloud Computing - Interesting Legal Issues

While most IT professionals are well aware of the evolution of Internet 2.0 computing services which offer on-line applications and large storage, in many ways this seems like an evolution of time-sharing from the 1960s when the likes of General Electric offered remote computing services to dumb terminals. Now Cloud Computing is one of the hot buzz words describing Software as a Service (SaaS) (sort of an updated term for ASPs, Application Service Providers) coupled with large amounts of storage. Major players are offering these services including IBM’s Blue Cloud, Amazon’s S3, Google’s Apps, and Salesforce’s CRM. These Cloud Computing services allow users to collaboratively work on projects over the Internet using proprietary and open source applications.

Collaboration is Great

One of the great benefits of using Cloud Computing like wiki tools is allowing collaboration, and many large companies including IBM, Microsoft, and Oracle use collaboration tools to develop new technologies. It is hard to believe that Wikipedia started in 2001 and now has more than 2.5 million English articles since it reached a major milestone of 1 million articles in March of 2006. Clearly there are many other wiki success stories, but there are still skeptics about the accuracy and authenticity of the content.

How Secure is the Data?

Virtually no one reads the Click Agreement terms or Terms of Service when accessing Internet sites, downloading software, or registering on a website, nor do business people generally consult their attorneys about these Click Agreement terms or Terms of Service. So is it any wonder that the vendors generally provide the services “as is,” without warranties, limit their liability and damages, and make jurisdiction and venue as inconvenient as possible to the user? Probably not, but when there are service outages even the Service Level Agreements offer only a reimbursement for down time, not consequential damages. Another major concern is privacy of data, since laws such as HIPAA and the EU Data Directive restrict use of certain personal information, and yet depending on how the Cloud Computing provider operates, these data privacy issues can be lost.

 

Read Privacy Policies

Congressional hearings reveal that Internet companies routinely track behavior of visitors to websites, and as a result Congress is considering legislation to help personal privacy. Currently the Federal Trade Commission allows for self-regulation by websites, and websites need not have privacy policies, but if there are privacy policies the FTC expects adherence. Otherwise the FTC levies fines.
 

 

 

Unfortunately few Internet users ever bother to review the Privacy Policies of the websites that they visit, because if they did perhaps Congress would not be so shocked. Google and other major players retain data on visitors for 18 months, and even the EU recently was considering restricting the data retention to only 12 months (not that the 6 months additional data would change the fact that the ISPs were capturing information for their own purposes). Since the federal government allowed Google to purchase DoubleClick, clearly everyone was aware that Google was headed toward taking advantage of and using personal information about Internet traffic.
 

Tracking information about web traffic is not bad, but when personally identifiable information is compromised consumers react. A number of major players submitted letters to the House Committee including AOL, Charter Communications, Earthlink, Time Warner Cable, and Yahoo! to name a few.