Sunday, February 28, 2010

Creepiest Privacy Violation of 2009?

Imagine your child's school offered him or her a free laptop to do homework. That'd be pretty cool, right? Now, imagine that the school administrators used a built-in web cam to surreptitiously take pictures of your children. According to the complaint filed in Robbins v. Lower Merion School District, that's exactly what happened in one Pennsylvania school district (actually, it's even creepier than that, if the allegations set forth here are true). The complaint alleges violations of (among other things) the Electronic Communications Privacy Act, the Stored Communications Act, the Computer Fraud and Abuse Act, and the Fourth Amendment (since the school administrators were acting on behalf of the state when they were allegedly violating the student's privacy rights).

Of course, the school officials are denying any wrongdoing, and claim they have been unfairly portrayed (see here). That could be true. After all, there's a reason we have trials, and it makes sense not to rush to judgment until after both sides have been able to have their proverbial day in court. However, while I don't want to rush to judgment, I can make a few comments at least on the legal theories in the case. First, while I understand the plaintiff's argument, that taking surreptitious web cam pictures violated the Stored Communications Act and Electronic Communications Privacy Act, I still don't know how good a fit those acts are for this particular (alleged) crime. After all, while the hypothetical communications (i.e., web cam images) were illicit, they weren't intercepted or accessed by anyone other than their intended recipients. Instead, I think the Computer Fraud and Abuse Act arguments seem a bit more natural. For the Computer Fraud and Abuse Act, I can't imagine how taking surreptitious pictures over a web cam doesn't exceed unauthorized access to a protected computer. I think the Fourth Amendment claim is also a good fit. While students have a lessened right to privacy in the school, there must still be a reasonable suspicion of illegal activity before school authorities can perform a search (a more detailed, and better, explanation of the relevant precedent can be found here). Further, the alleged monitoring wasn't limited to school hours, but also caught students while they were at home and, according to the complaint, "in various stages of dress or undress."

Again, all of the allegations in the complaint are just that - allegations. Until the defendants have a chance to answer, and the case is actually tried, they are presumed innocent (or, in this case, not liable). However, at least from the face of the complaint, it appears as though there could have been some serious privacy violations (potentially supporting claims under at least the Fourth Amendment and the Computer Fraud and Abuse Act).

(via Bruce Schneier)

Sunday, February 21, 2010

Google Buzz Lawsuit

In a completely unsurprising development, a class action lawsuit has been filed on behalf of all Gmail users who were linked to Google Buzz (story here). The complaint alleges that Google unlawfully shared users' personal data without their permission, and cites the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Stored Communications Act, as well as California statutory and common law.

At this point, Google hasn't answered (or even been served with) the complaint, so we don't know how they'll defend against the suit. However, the complaint is available online (e.g., here). From my brief perusal, there are a couple of points about it that look a bit odd. For example:

The lawsuit alleges (paragraph 17) that
Google Buzz "posted" to Buzz any information that was previously posted to certain other Google websites, including but not limited to Picasa, Google Reader, and Twitter.
Why Twitter is considered a Google website is something of a mystery, especially since Buzz is seen (e.g., here) as an attempt to compete with (among others) Twitter.

The lawsuit was filed in the 9th Circuit (specifically, California), which has adopted an interpretation of the Electronic Communications Privacy Act which makes it relatively difficult to apply that act to email communications (see, e.g., here).

The lawsuit alleges violation of the Computer Fraud and Abuse Act, which is a little odd because that act is generally focused on unauthorized access to protected computers, rather than on unauthorized access to third party data.

Anyway, I suspect that, oddities in the complaint notwithstanding, the Buzz lawsuit will go the way of the Beacon lawsuit before it. That is, it will be settled with the individual class members getting nothing but whatever warm feeling comes from having been part of a lawsuit.* However, while it lasts, the lawsuit could be interesting (especially if Google fights at all), and might provide an incentive for Google to pay a bit more attention to privacy going forward.

*Of course, the settlement hasn't been finalized yet. The terms of the settlement, as well as other information on the Beacon case, can be found here.

Sunday, February 14, 2010

Google Buzz

On the 13th, Lawyers, Guns and Money, a blog I read regularly, posted the following complaint (originally posted at Fugitivus, a blog which is not open to the public) regarding Google Buzz:

I use my private Gmail account to email my boyfriend and my mother. There’s a BIG drop-off between them and my other “most frequent” contacts. You know who my third most frequent contact is? My abusive ex-husband.

Which is why it’s SO EXCITING, Google, that you AUTOMATICALLY allowed all my most frequent contacts access to my Reader, including all the comments I’ve made on Reader items, usually shared with my boyfriend, who I had NO REASON to hide my current location or workplace from, and never did.

My other most frequent contacts? Other friends of Flint’s.

Oh, also, people who email my ANONYMOUS blog account, which gets forwarded to my personal account. They are frequent contacts as well. Most of them, they are nice people. Some of them are probably nice but a little unbalanced and scary. A minority of them — but the minority that emails me the most, thus becoming FREQUENT — are psychotic men who think I deserve to be raped because I keep a blog about how I do not deserve to be raped, and this apparently causes the Hulk rage.

F--- you, Google. My privacy concerns are not trite. They are linked to my actual physical safety, and I will now have to spend the next few days maintaining that safety by continually knocking down followers as they pop up. A few days is how long I expect it will take before you either knock this shit off, or I delete every Google account I have ever had and use Bing out of f---ing spite.

F--- you, Google. You have destroyed over ten years of my goodwill and adoration, just so you could try and out-MySpace MySpace.

As a note, while the concerns expressed in the above complaint are personal to the author, they are by no means limited to that one individual. Depending on the study, either one in five or one in four women are victims of a completed or attempted rape (see here) at some point in their lives, and 70 percent of the perpetrators are "intimates, other relatives, friends or acquaintances" (source) who might show up as being a contact for the victim.

Of course, the problems with Google Buzz aren't limited to rape victims (see, e.g., Google Buzz: Privacy Nightmare). Instead, they're just one more example of how, when communication is commoditized, it will eventually be made publicly available.

Monday, February 1, 2010

How to Discuss Open WiFi

As reported in this article from C|NET, Cathy Paradiso, a technical recruiter who works out of her home near Pueblo, Colo., was recently threatened with having her internet access discontinued based on allegations of copyright infringement that ultimately proved unfounded. According to the article, Ms. Paradiso had an unsecured wireless network, and someone took advantage of her connection to download various television shows and movies.

Anyway, on its own, this isn't that big a deal. Certainly, it isn't that big a deal in the ongoing story of copyright infringement accusations and open WiFi (my thought is that this story about an Ohio county which had its free WiFi shut down over a copyright infringement complaint is much more noteworthy). However, something about the reporting on Ms. Paradiso's predicament rubbed me the wrong way. After noting that cutting off internet for someone who works from home is essentially the same as destroying that person's business, the article asked
is it right to penalize someone for not being tech-savvy enough to properly secure a wireless network?

To me, that's entirely the wrong question. Whether someone has open WiFi isn't just a matter of tech savvy. After all, even Bruce Schneier, who is probably the web's best known expert on computer security, has advocated for open WiFi, saying that people who maintain open WiFi make the world a better place, by making a valuable resource more easily available to more people. While Mr. Schneier's analysis of the costs and benefits of leaving WiFi open might not convince everyone that open WiFi is the way to go, it certainly disproves the idea that leaving WiFi open is something that only the technically unsavvy would do, and that policies should be built around the idea that leaving WiFi open is somehow a less legitimate choice than the alternative.

So, how would I like to have seen the article deal with the open WiFi issue? I think treating it as a real issue, with real policy consequences would have been a better way to go. For example, instead of assuming open WiFi is bad, it could have explained why the problems with open WiFi (e.g., making it harder to police copyright violations) outweigh the benefits (e.g., broader access to valuable resources). Or, in the alternative, it could have explained that open WiFi is valuable, and then discussed policies which would help foster it (for example, stripping ISPs who go after people with open WiFi of their protections under section 512 of the DMCA, under the theory that those providers are no longer acting as passive conduits, and so shouldn't be protected as if they were). Either way, it would have been a great deal more informative and interesting than simply treating open WiFi as something that happens only by mistake.

Data Security Deadline Looms

The following legal update is posted on behalf of my colleague Jane Shea.

Despite the temporary relief provided by the six-month extension to June 1, 2010 of the Identity Theft Red Flags regulations deadline, businesses that are located in Massachusetts, or who have customers or employees that are domiciled in Massachusetts, find that they must maintain their focus on data security for another reason – the Massachusetts data privacy regulations compliance deadline is March 1, 2010.

Like the Red Flags regulations, the Massachusetts law deadline has been extended multiple times since its first deadline of January 1, 2009. In addition, the implementing regulations were twice revised in response to feedback received from affected businesses concerning the strict encryption requirements and the "one size fits all" mandate for the written security program that the original regulations imposed.

The Massachusetts Data Security Law (MGL Chapter 93H) and its implementing Regulations (201 CMR 17.00) (the "Massachusetts Regulations") apply to anyone engaged in commerce, and specifically, those who "store" personal information, in addition to those who receive, maintain, process, or otherwise have access to such information. The Massachusetts Regulations apply to the personal information of Massachusetts residents, whether they are customers or employees. Thus, the reach of the Massachusetts Regulations is not limited to businesses located or operating in Massachusetts. There are no exceptions or exemptions, so that both for-profit and non-profit organizations located inside and outside of Massachusetts must comply.

"Personal information" is defined as a Massachusetts resident's first name and last name, or first initial and last name, combined with one or more of "(a) Social Security Number, (b) drivers license or state-issued identification number, or (c) financial account or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account." Publicly available information is not included provided it has been lawfully obtained.

The requirements of the Massachusetts Regulations are comparable to the FTC's Safeguards Rule. This Rule requires financial institutions subject to the federal Gramm-Leach-Bliley Act to maintain the security of their customers' personal financial information by evaluating security risks and adopting a written security program, and to oversee service providers' practices with respect to such personal information. Similarly, the Massachusetts Regulations impose a duty on every person that owns or licenses personal information to develop, implement, and maintain a written comprehensive information security program (WISP). The recent revisions permit the business to take a risk-based approach to information security, much like the federal Safeguards Rule's approach. The WISP must address the administrative, technical, and physical safeguards utilized. However, the size and scope of the business, as well as its resources, and the nature and quantity of data collected or stored, may be taken into account in developing the WISP.

The original version of the Massachusetts Regulations imposed specific technical computer security elements. The revised version retained the specific listing of these elements as guidance only, by adding a standard of technical feasibility, so that the requirements are technology neutral.

Finally, the Massachusetts Regulations require businesses to oversee service providers, with the requirements revised to be consistent with federal law. Thus, a business is required to perform reasonable due diligence in selecting a service provider to determine that it uses appropriate security measures to protect personal information, and to contractually require such measures of their service providers.

As noted above, the deadline for compliance is March 1, 2010. The law is enforced by the Massachusetts Attorney General. Businesses with customers or employees in Massachusetts need to prepare and finalize a WISP, after reviewing and evaluating their information security operations and procedures. The suggested elements of a WISP are included in the Massachusetts Regulations, but as the revisions to the Regulations make clear, these are not intended to be a rigid template. The Regulations now recognize that the nature and operations of the businesses that are subject to the law vary considerably, and like the Identity Theft Red Flag Program requirements, each WISP will be unique based upon the particular business. Additionally, businesses subject to the Massachusetts Regulations need to review their outsourcing contracts that affect personal information to determine compliance with the Regulations by their service providers. The deadline for updating service provider contracts is March 1, 2012.