Thursday, April 29, 2010

FTC TO CREATE GUIDELINES FOR INTERNET PRIVACY

After over a year of silence by the FTC concerning Internet privacy, the Commission has responded to the increasingly loud outcry by privacy advocates and legislators. Earlier this week, the FTC announced that it plans to create guidelines on Internet privacy. A spokeswoman for the FTC stated that the FTC is “examining how social networks collect and share data as part of a project to develop a comprehensive framework governing privacy going forward.” The guidelines will provide a framework for how social networks and others collect, use and share personal data.

The catalyst for this step appeared to be a letter sent by Senator Charles Schumer (D-N.Y.), along with fellow Democratic senators Franken (Minn.), Bennet (Colo.), and Begich (Alaska), to the CEO of Facebook, Mark Zuckerberg, in response to Facebook’s announcement that it would make data from its users available to third parties unless Facebook users opted out. Schumer’s letter requested Zuckerberg to reverse the policy and expressed concern that the federal government had not stepped up to protect the consumer from misuse of personal information. It called for the FTC to adopt consumer enforcement rules, and to step up consumer protection enforcement. See this Washington Post article.


Specifically, the senators requested Facebook to use an “opt-in” method, as opposed to the “opt-out” method announced by Facebook. Facebook has been pushing the envelope on sharing the personal data of its users for months now, and it was simply a matter of time before it reached the tipping point. With each new step taken by Facebook, privacy advocates denounced the moves more strongly, and criticized the FTC for failing to respond to complaints over Facebook’s changes, as well as the mishap by Google when it launched its own social networking site, Buzz. One thing is certain – this battle will continue to be waged aggressively on both sides. For Facebook, there are millions of dollars in revenue at stake. For the privacy advocates, Facebook is aiming to make itself the center of the internet, without regard to users’ privacy rights or the ability to control their personal data. The FTC has been under increasing pressure to impose a European-style “opt-in” standard in connection with the use of personal data by social networking sites (CDD FTC Complaint). If past experience is any indication, however, it will be months before we know definitively whether the FTC will choose to move in that direction.

(Posted on behalf of Jane Shea)

Sunday, April 25, 2010

Distinguishing Quon and Stengart

A few weeks ago, I posted about Stengart v. Loving Care Agency, a case where the New Jersey Supreme Court held that employees can send emails to their attorneys on company computers without waiving attorney-client privilege. About a week later, the Supreme Court of the United States heard oral arguments in City of Ontario v. Quon, a case where, from the oral arguments, it looks like the Supreme Court will hold that an employer can read messages sent to an employee on a company pager. The question is, will any meaningful part of the employee protections from Stengart survive the probable employer friendly ruling of Quon?

After re-reading the decision in Stengart, and the oral arguments in Quon, I think that, when the ruling in Quon is handed down, it will likely be distinguishable from Stengart, leaving the employee protections in that case fully intact. The critical question for whether Quon will undermine Stengart is whether Quon will state that employers can abrogate an employee's reasonable expectation of privacy with a policy stating that all communications made using company equipment are non-confidential, and will be monitored. Stengart, as I mentioned in my last post, stated that, even if such a policy did exist, it would be unenforceable (at least with respect to emails which would otherwise be covered by the attorney-client privilege). By contrast, the oral arguments in Quon indicated that the US Supreme Court was at least open to the possibility that employers would use a "no-privacy policy" to eliminate whatever privacy expectations their employees would otherwise have. If the Supreme Court does decide Quon on the theory that such a "no-privacy policy" could eliminate the employee's expectation of privacy, it would cut the heart out of the Stengart decision.

However, while I still think it is likely that the Supreme Court will issue an employer friendly ruling in Quon, it doesn't necessarily have to do so based on the theory that a "no-privacy policy" can eliminate an expectation of privacy. As mentioned by Justice Kennedy (see page 12 of the transcript), the city had two arguments it could prevail on:
One, that it's -- there is no reasonable expectation of privacy [this would be the no-privacy policy argument]; [two] even if there were, that this was a reasonable search [meaning that the no-privacy policy wouldn't have to be effective for the city to win].

Further, Justice Scalia seemed to indicate that the second of those rationales would be an easier way for the Court to find in favor of the city (see page 24 of the transcript). As a result, when the decision in Quon does come out, I think there is a good chance that it will be possible to distinguish that decision from Stengart by pointing out that Quon (once the hypothetical decision comes out) was decided based on the reasonableness of the employer's actions, rather than based on the effectiveness of the employer's no-privacy policy.

Of course, it's also possible that the Supreme Court will hold that the no-privacy policy in Quon eliminated the employee's reasonable expectation of privacy. If that happens, there are still a number of grounds on which the two cases can likely be distinguished. For example, Stengart was decided based on New Jersey common law, while Quon was a Fourth Amendment case. However, I find that distinction analytically unsatisfying, since Stengart made clear that the analysis under the common law was similar to that under the Fourth Amendment, and didn't turn on any distinction between them. It's also possible that the cases could be distinguished based on the fact that the communications in Quon were personal messages, while those in Stengart were messages from an attorney about a case. While this is slightly more satisfying, since courts have traditionally been highly protective of the privilege, it seems a bit odd that a reasonable expectation of privacy would turn on the content of a message.

In any case, it's possible that all this prognostication is beside the point. The Supreme Court hasn't ruled in City of Ontario v. Quon, and, until it does, there's no real way to know what impact it will have on Stengart. However, given the above, even once it does, I think there's a good chance that it'll leave the employee protections of Stengart mostly intact.

Tuesday, April 20, 2010

City of Ontario v. Quon

Yesterday, the Supreme Court heard oral arguments in City of Ontario v. Quon (transcript here), a case which addressed the ability of government employers to read personal text messages sent using government pagers. The background: Jeff Quon was a SWAT Sergeant who used a department issued pager to exchange text messages with his wife and girlfriend. After Quon repeatedly exceeded the department's 25,000 character/month limit, an audit was conducted which revealed Quon's personal text messages. Quon sued, claiming that he had a reasonable expectation of privacy in his personal text messages, and that reading the messages as part of the audit was an unreasonable search. The district court disagreed, the Ninth Circuit court of appeals reversed, and the Supreme Court accepted cert.

There were a couple of factual issues in the case, such as whether the police department's policy regarding personal communications covered text messages, and whether that policy had been modified by a later staff meeting where a Lieutenant had said that he wouldn't audit the messages as long as the individual employees paid for any overages. However, as described in the Scotuswiki (which did a pretty good job of summarizing the case and arguments), at oral argument, the Supreme Court seemed to be minimizing those factual issues, and coming down pretty squarely against Sergeant Quon. The Scotuswiki cited Justice Ginsburg as indicative of the court's apparent leanings. My preference would have been Justice Scalia, for this characteristically blunt exchange:

JUSTICE SCALIA: I guess we don't decide our -- our Fourth Amendment privacy cases on the basis of whether there -- there was an absolute guarantee of privacy from everybody. I think -- I think those cases say that if you think it can be made public by anybody, you don't -- you don't really have a right of privacy. So when the -- when the filthy-minded police chief listens in, it's a very bad thing, but it's not offending your right of privacy. You expected somebody else could listen in, if not him.
MR. RICHLAND [representing the City of Ontario]: I think that's correct, Justice Scalia.
JUSTICE SCALIA: I think it is.
(emphasis added)
Of course, whether you focus on Scalia, or Ginsburg, or one of the other Justices, the result looks the same - the Supreme Court is likely to decide that, at least for SWAT personnel using government issued pagers, employers are allowed to audit text messages by reading them, even if some of those text messages are personal.

Sunday, April 18, 2010

Yahoo Fights for Privacy; Ultimate Result Inconclusive

Via this story from Wired.com, Yahoo has "prevailed" in its efforts to resist a court order to turn over emails based on an assertion that the emails were "relevant and material to an ongoing criminal investigation," rather than on a warrant. Technically, at least in the legal sense, Yahoo actually prevailed. Federal prosecutors, who had requested the emails as part of their investigation into a sealed criminal case, dropped their request, meaning that Yahoo prevailed on whether it would have to turn the particular requested emails over in this case. However, in a broader sense, Yahoo's "victory" is an empty one, and could arguably be treated as worse than a clear loss. The reason is that the heart of Yahoo's dispute with the prosecutors was interpretation of the Stored Communications Act. As I mentioned previously (see here), this law has been the subject of substantial controversy, and a definitive ruling could have helped clarify the situation. As it is though, the cloud of uncertainty remains, leaving future litigants in the same situation of potentially having to defy a court order when prosecutors request emails that are arguably material, but which can't be obtained with a warrant.

Wednesday, April 14, 2010

Personal Emails on Company Computers

In December of 2007, Marina Stengart was employed as the Executive Director for Nursing at Loving Care Agency Inc., a company which provides home-care nursing and health services. Sadly, Ms. Stengart's relationship with Loving Care soured, and she left Loving Care and sued for, among other things, harassment based on gender, religion and national origin. However, before she left, Ms. Stengart used a laptop computer provided by the company to exchange emails with her attorney. When she left, she returned the laptop to Loving Care, and they were able to retrieve and read those emails by examining her computer's cache.

Not surprisingly, her lawyer went berserk (which, when a lawyer does it, is called applying for an order to show cause) and said that Loving Care's attorney should have treated the emails as privileged and returned them once they were discovered. Loving Care's attorney disagreed, and, on March 30, the New Jersey Supreme Court issued a comprehensive opinion (which can be found here) stating that Loving Care's attorney should have treated the emails as privileged and remanding to the trial court to determine an appropriate sanction.

Some interesting points from the opinion:

1) The Court said that Loving Care's policy regarding personal emails received on company machines was not entirely clear. However:
Because of the important policy concerns underlying the attorney-client privilege, even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password protected e-mail account using the company's computer system -- would not be enforceable.


2) The fact that Ms. Stengart was technically unsophisticated and didn't know that her computer automatically cached documents contributed to her having a reasonable subjective expectation of privacy in the emails. If she had been more technically savvy, the Court may not have decided the emails were protected (though, given the policy considerations surrounding the privilege, I wouldn't bet on it).

3) Even though it wasn't searching for privileged materials, once it found that it had emails that were potentially privileged, Loving Care's law firm had a duty not to read them, and to report them to Stengart's lawyer. Because Loving Care's firm didn't do that, they could be disqualified and/or forced to pay Stengart's costs (or face whatever other sanctions the trial court deems appropriate).

An interesting case, and a result I'm sure was an unpleasant surprise to Loving Care.

via this article from Computer World.

Internet Giants’ Online Advertising Practices Challenged

Just as one might wonder whether the FTC had decided to choose its battles and allow the online behavioral marketing dog to continue its nap, the dog has been awakened with a loud boom. Targeted behavioral advertising practices have been in the crosshairs of privacy advocates for several years, and the privacy advocates have finally pulled the trigger. The Center for Digital Democracy (CDD) and two other public interest groups filed a complaint with the Federal Trade Commission last week challenging the tracking and profiling practices used by Internet companies such as Google, Yahoo and Microsoft. Specifically, the complainants ask the Internet companies to acknowledge that the software “cookies” they embed in a Web browser collect data about a person’s online movements that should be considered personally identifiable information, even though the cookies don’t have a person’s name attached to them.

The privacy groups claim they are not calling for an outright ban of behavioral advertising. Instead they seek a balance between what they term the “Wild West” of data collection in the world of online advertising, and privacy controls such as notice and consent. Specifically, CDD, U.S. PIRG and World Privacy Forum called on the FTC to investigate the internet companies using its Section 5 authority for conduct that constitutes unfair and deceptive practices, and to issue an injunction against the unfettered use of what they claim is personal information collected by the companies. A full copy of the complaint can be found here.

The use of targeted behavioral advertising has been a controversial practice for several years, with privacy advocates sounding the alarms, and advertisers pushing for self-regulation. Following the release by the FTC of the FTC Staff Report: Self Regulatory Principles for Online Behavioral Advertising in February, 2009, various industry associations released the Self-Regulatory Principles for Online Behavioral Advertising in July, 2009. In the Conclusion to its Report, the FTC stated that it would continue to evaluate the industry’s efforts at self-regulation, monitor the marketplace and conduct investigations to determine whether there have been violations of Section 5, and meet with industry representatives and consumer protection groups to keep pace with changes. There has been no official word from the FTC in response to the industry’s publication of its Self-Regulatory Principles.

One can only surmise that the consumer protection groups simply got tired of waiting. How the FTC proceeds in response to the complaint will reveal how forcefully the FTC intends to address the online behavioral marketing phenomenon going forward.

Sunday, April 11, 2010

Microsoft v. Waledac

This is a site that all lawyers working in the area of computer security should be aware of and visit. It's a page which contains all the pleadings from Microsoft's current case against John Does 1-27 (aka the "Waledac" botnet). This page is important for two reasons. First, Microsoft's efforts against the botnet are on the cutting edge of legal efforts to shut down hacking operations, and so should be seen as examples of legal theories that can be used in that area. Second, it has some interesting (and probably useful) examples of rhetoric and explanations which can be used to sway a (presumably) technologically unsavvy judge to your side. For example, on pages 3-9 of the PDF of Microsoft's motion for a temporary restraining order against the botnet, there is a non-technical tutorial on what a botnet is, and how issuing the TRO would shut it down, complete with pictures. Similarly, in making the arguments in support of the TRO, Microsoft repeatedly seeks to establish the harm the botnet is causing by explaining how it harms Microsoft's customers. E.g.:
Once customers' computers are infected and become part of the botnet, they are unaware of that fact and may not have the technical resources to solve the problem, allowing their computers to be misused indefinitely. Thus, extrajudicial, technical attempts to remedy the problem alone are insufficient and the injury caused to customers continues.

While this might not be the most relevant argument legally (after all, one is generally not allowed to bring suit based on injuries to third parties), from an emotional standpoint, it almost certainly made the judge more likely to grant Microsoft's requested relief.*

In any case, there's too much there to succinctly summarize here. Further, there's no reason to want to read a summary. The information is valuable enough to be worth the time to read in the original.

*Yes, I am aware that harm to third parties can be used to establish that issuing an injunction is in the public interest. However, Microsoft invoked its customers' interests essentially everywhere, not only when arguing that the public interest would be served by granting a TRO.

Sunday, April 4, 2010

Cloud Computing: Good for Privacy?

In general, cloud computing is not good for privacy. For documents stored on the cloud, not only is there the same risk of hacking that is present for all electronic documents, but there's also a risk that the cloud service provider will accidentally share your data with other clients or users who don't have your permission to see it (see, e.g., Google Privacy Blunder Shares Your Docs Without Permission). However, now, a group of technology companies is coming together to try and address some of the concerns related to cloud computing with a positive change in the law. As described in this article, the group, calling itself the Digital Due Process Initiative, is pressing for the law regarding access to electronically stored information to be clarified, and the protections for that information to be strengthened.

To my mind, this is a positive development. The law on what protections are afforded to electronic communications is not at all clear, as there is currently a split between the First Circuit's decision in U.S. v. Councilman and the Ninth Circuit's decision in Konop v. Hawaiian Airlines on the question of when (and if) the protections of the Wiretap Act apply to email (see here). While clarifying that (and preferably strengthening existing law) won't eliminate problems that could be caused by cloud service providers accidentally sharing data, if the coalition succeeds, it would change cloud computing from a phenomenon which is almost wholly destructive of privacy, to one which could have beneficial effects, at least in terms of lobbying and raising people's awareness of the issues.