Sunday, December 28, 2008


In case anyone was wondering:

No, I'm not dead.
Yes, I do intend to continue to post.
No, I don't intend to do so before the first Monday of 2009.

So happy new year to all, and I'll be back in about a week.

-William Morriss

Sunday, December 14, 2008

Self Inflicted Wounds

Massive data security breaches get lots of headlines, which makes sense, since big numbers (e.g., 94 million records stolen) are an easy way to capture attention. Security breaches also come with a built-in and easily understandable storyline: hackers from somewhere breached the (usually poorly implemented or obsolete) defenses of some large company, exposing large numbers of innocent consumers to an increased risk of losing money to various forms of fraud. However, while security breaches generate easy headlines and narratives, it's important to remember that, totally independent of hackers, companies can get in trouble for improperly collecting or exploiting user data.

The newest object lesson on this point is Sony, which has agreed to pay a $1,000,000 penalty to settle charges that it violated the Children's Online Privacy Protection Act and Section 5 of the FTC Act (FTC press release here, via this story from Computerworld). The upshot of the complaint filed by the FTC was that Sony knowingly obtained personal information from at least 30,000 children without their parents' consent (the alleged COPPA violation) and falsely stated that it restricted children under the age of 13 from participating in Sony's online activities (the alleged FTC Act violation). Thus, it was Sony's websites functioning for their intended purpose, not hackers, that hurt Sony in this case.

So how can companies avoid being in the position of paying seven-figure settlements? My recommendation is to talk to a lawyer in the area who knows what he/she is doing, and to have that lawyer stay in contact with the marketing people who are responsible for the design and operation of a website. The staying-in-contact part can be particularly important. For example, as shown in the Gateway Learning case, even if a company is acting properly when an information collection program is first launched, changes made later on (e.g., starting to sell consumer data in violation of a privacy policy that said consumer data would not be sold) can expose the company to liability. My guess is that something similar happened with Sony, where the lawyers were probably consulted early in the process, but, later on, changes were made which weren't run by the lawyers first. Hopefully, settlements like Sony's will provide an incentive for other companies not to follow that same path.

Monday, December 8, 2008

Too Much Protection for Computer Security

Generally, I find that my posts advocate additional protections for data privacy, and argue that people don't pay enough attention to security. This post is the exception, where I unequivocally state that people should not be criminally liable for violating a website's terms of service, even if such a violation may technically be prohibited by the Computer Fraud and Abuse Act. As is admirably laid out in this post on the Wired Threat Level blog, the consequences of attaching criminal liability to a terms of service violation would be severe. However, while that post argues that a criminal conviction based on a terms of service violation is likely to be overturned, I'm not so sure. The Computer Fraud and Abuse Act can be analogized, roughly, to a criminal trespass statute. While I doubt that Congress intended to make random terms of service violations criminal acts when it passed the CFAA, in the real world criminal trespass can be based on entry onto the land of another in violation of restrictions placed on entry by the owner (see ORC 2911.21(A)(2)). Thus, it wouldn't be such a stretch to imagine that the application of the CFAA to a terms of service violation will be upheld. True, I think it would be a bad result, but it would be a result that is not outside the realm of the possible.