<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1913143473082500114</id><updated>2012-01-26T01:33:38.901-08:00</updated><category term='TJX'/><category term='ACLU'/><category term='PIPEDA'/><category term='malwarebytes'/><category term='criminal enforcement'/><category term='damages'/><category term='security breach notification'/><category term='privacy policies'/><category term='measurement'/><category term='malware'/><category term='data security breach'/><category term='privacy'/><category term='Information Security; Security Flaws'/><category term='Konop v. Hawaiian Airlines'/><category term='Children&apos;s Online Privacy Protection Act'/><category term='consumer products'/><category term='Apple'/><category term='scribd'/><category term='FACT Act'/><category term='information security'/><category term='Identity Theft'/><category term='developer diary'/><category term='credit freeze'/><category term='Censorship'/><category term='email'/><category term='data security; breaches'/><category term='blocking statutes'/><category term='embarrassing'/><category term='security freeze'/><category term='facebook'/><category term='data collection'/><category term='North Carolina'/><category term='Hannaford'/><category term='Wyden'/><category term='federal legislation'/><category term='best practices'/><category term='Fourth Circuit'/><category term='rants'/><category term='private suits'/><category term='electronic discovery'/><category term='mariposa'/><category term='security flaws'/><category term='credentica'/><category term='heartland'/><category term='best buy'/><category term='obama'/><category term='choicepoint'/><category 
term='state enforcement'/><category term='cybercrime'/><category term='electronic communications privacy act'/><category term='patent'/><category term='FTC'/><category term='worst practices'/><category term='class actions'/><category term='smart phones'/><category term='Fair Credit Reporting Act'/><category term='Google Streetview'/><category term='blogging'/><category term='Do not track'/><category term='Bilski'/><category term='HITECH'/><category term='Lower Merion'/><category term='internet privacy'/><category term='data security'/><category term='national legislation'/><category term='Fair and Accurate Credit Transactions Act'/><category term='red flag rules'/><category term='Security Breaches'/><category term='torrentspy'/><category term='sony'/><category term='Streetview'/><category term='hacking'/><category term='private entities'/><category term='self protection'/><category term='Substantive Due Process'/><category term='Blizzard'/><category term='terms of service'/><category term='preemption'/><category term='cross-border transfer'/><category term='public records'/><category term='spyware'/><category term='data protection'/><category term='Ziaja'/><category term='PCI standards'/><category term='Dubai'/><category term='business method patents'/><category term='DOE'/><category term='14th Amendment'/><category term='recovery'/><category term='TSA'/><category term='Copyright'/><category term='cloud computing'/><category term='security freezes'/><category term='declaratory judgment'/><category term='Surveillance'/><category term='software patents'/><category term='computer fraud and abuse act'/><category term='Lemon Laws'/><category term='US v. 
Councilman'/><category term='litigation'/><category term='Google'/><category term='limits to lawsuits'/><category term='IRS'/><category term='costs'/><category term='Hallmark E-Card Virus'/><category term='Massachusetts Encryption Law'/><category term='disclosure'/><category term='imprisonment'/><category term='Nextadvisor'/><category term='standards'/><category term='data retention'/><category term='P2P'/><category term='Europe'/><category term='People v. Klapper'/><category term='Sears'/><category term='ARRA'/><category term='notification laws'/><category term='identify theft'/><category term='telecom immunity'/><category term='real ID'/><category term='negligence'/><category term='Privacy Breach'/><category term='sixth circuit'/><category term='encryption'/><category term='Information security; best practices'/><category term='value of privacy'/><category term='DRM'/><category term='Guest Post'/><category term='Canada'/><category term='FCRA'/><category term='section 5 FTC act'/><category term='data disposal'/><category term='state legislation'/><category term='Antivirus 2009'/><category term='Sloane v. 
Equifax'/><category term='federal mandates'/><category term='Paris Hilton'/><category term='NSL'/><category term='data privacy'/><category term='adware'/><category term='fines'/><category term='regulation'/><category term='court filings'/><category term='HIPAA'/><category term='EU'/><category term='online advertising'/><category term='Cardsystems'/><category term='GPS'/><category term='wiretap act'/><category term='settlements'/><category term='legislation'/><category term='I-SPY'/><category term='ponemon'/><category term='rules'/><category term='Patriot Act'/><category term='responsibility'/><category term='contract'/><category term='Netflix'/><category term='search engines'/><category term='5th Amendment'/><category term='comics'/><category term='preinstalled'/><category term='freedom of speech'/><category term='fundraising lists'/><category term='NSA spying'/><category term='anonymized data'/><category term='Criminal Record'/><category term='stored communications act'/><category term='EPIC'/><category term='Due Process'/><category term='enforcement'/><category term='COPPA'/><category term='Security Breaches; potential liability; costs'/><category term='website privacy'/><category term='clickwrap'/><category term='DMCA'/><category term='privacy rights'/><category term='patent troll tracker'/><category term='privilege'/><category term='Video Games'/><category term='students'/><category term='Stengart v. Loving Care Agency'/><category term='California'/><category term='politics'/><category term='culture'/><category term='Fourth Amendment'/><category term='lawyers&apos; duties'/><category term='waledac'/><category term='PCI DSS'/><category term='Supreme Court'/><category term='EU directive'/><category term='City of Ontario v. 
Quon'/><category term='Location Tracking'/><category term='Identity Theft; federal regulation'/><category term='Texas'/><category term='privacy legislation'/><category term='anonymity'/><category term='microsoft'/><category term='by hand games'/><category term='FISA'/><category term='seventh circuit'/><category term='WiFi'/><category term='Google Buzz'/><category term='threats'/><category term='discovery'/><category term='Veteran&apos;s Administration'/><title type='text'>Ephemerallaw</title><subtitle type='html'>A blog about the law surrounding information security and data privacy.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default?start-index=101&amp;max-results=100'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>235</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9068446683892760182</id><published>2011-06-28T05:22:00.001-07:00</published><updated>2011-06-28T05:50:13.736-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Video Games'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Censorship'/><title type='text'>Can't Prohibit Sale of Violent Games</title><content type='html'>In &lt;a href="http://www.supremecourt.gov/opinions/10pdf/08-1448.pdf"&gt;this&lt;/a&gt; 7-2 opinion, the Supreme Court has struck down a California ban on sales of violent video games to minors.  The result isn't at all surprising, though I'm guessing it will come as a shock to people like Roger &lt;a href="http://blogs.suntimes.com/ebert/2010/04/video_games_can_never_be_art.html"&gt;"video games can never be art"&lt;/a&gt; Ebert.  A few choice passages:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;“‘From 1791 to the present,’ . . . the First Amendment has ‘permitted restrictions upon the content of speech in a few limited areas,’ and has never ‘include[d] a freedom to disregard these traditional limitations.’” United States v. Stevens, 559 U. S. ___, ___ (2010) (slip op., at 5) (quoting R. A. V. v. St. Paul, 505 U. S. 377, 382–383 (1992)). These limited areas—such as obscenity, Roth v. United States, 354 U. S. 476, 483 (1957), incitement, Brandenburg v. Ohio, 395 U. S. 444, 447–449 (1969) (per curiam), and fighting words, Chaplinsky v. New Hampshire, 315 U. S. 568, 572 (1942)—represent “well-defined and narrowly limited classes of speech, the prevention and punishment of which have never been thought to raise any Constitutional problem,” id., at 571–572.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;NOTE: the above passage doesn't break any new ground.  I just love it when the Supreme Court explains that the obscenity exception is well-defined and narrowly limited.&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;JUSTICE ALITO has done considerable independent research to identify, see post, at 14–15, nn. 
13–18, video games in which “the violence is astounding,” post, at 14.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Yeah, researching...that's what he was doing...researching...&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;[in a footnote addressing studies purporting to link violent behavior and violent video games] One study, for example, found that children who had just finished playing violent video games were more likely to fill in the blank letter in “explo_e” with a “d” (so that it reads “explode”) than with an “r” (“explore”). App. 496, 506 (internal quotation marks omitted). The prevention of this phenomenon, which might have been anticipated with common sense, is not a compelling state interest.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Finally, another choice Scalia quote eviscerating California's purported rationale for the law:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;California claims that the Act is justified in aid of parental authority: By requiring that the purchase of violent video games can be made only by adults, the Act ensures that parents can decide what games are appropriate. At the outset, we note our doubts that punishing third parties for conveying protected speech to children just in case their parents disapprove of that speech is a proper governmental means of aiding parental authority. Accepting that position would largely vitiate the rule that “only in relatively narrow and well-defined circumstances may government bar public dissemination of protected materials to [minors].” Erznoznik, 422 U. 
S., at 212–213.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;All in all, a decision I agree with, and a nice way to end the term.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9068446683892760182?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9068446683892760182/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9068446683892760182' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9068446683892760182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9068446683892760182'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2011/06/cant-prohibit-sale-of-violent-games.html' title='Can&apos;t Prohibit Sale of Violent Games'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-5786875751861160760</id><published>2011-04-22T12:37:00.000-07:00</published><updated>2011-04-22T13:12:48.404-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='smart phones'/><category scheme='http://www.blogger.com/atom/ns#' term='contract'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Apple'/><category scheme='http://www.blogger.com/atom/ns#' term='Location Tracking'/><title type='text'>Root Cause of Privacy Furor: 
EULAs</title><content type='html'>People really care about the fact that their smartphones gather location data.  It reached the front page of &lt;a href="http://www.msnbc.com"&gt;MSNBC.com&lt;/a&gt; with &lt;a href="http://www.msnbc.msn.com/id/42717490/ns/technology_and_science-security/"&gt;this&lt;/a&gt; article.  It also inspired a flood of righteous indignation from Washington.  From the article:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Why were Apple consumers never affirmatively informed of the collection and retention of their location data in this manner? &lt;span style="font-weight:bold;"&gt;Why did Apple not seek affirmative consent before doing so&lt;/span&gt;?&lt;/blockquote&gt;&lt;br /&gt;-Al Franken (D-Minn)&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Collecting, storing and disclosing a consumer's location for commercial purposes &lt;span style="font-weight:bold;"&gt;without their express permission&lt;/span&gt; is unacceptable and would violate current law. That's why I am requesting responses to these questions to better understand Apple’s data collection and storage policies to make certain sensitive information can't be left behind for others to follow.&lt;/blockquote&gt;&lt;br /&gt;-Edward Markey (D-Mass)&lt;br /&gt;&lt;br /&gt;It seems surprising that a large company like Apple wouldn't have tried to get consent from users to collect this location information, especially since it's so trivial to include it in the EULA, which everyone agrees to anyway.&lt;br /&gt;&lt;br /&gt;Oh, wait... (from the iPhone EULA, updated 5/8/09, available &lt;a href="http://images.apple.com/legal/sla/docs/iphone.pdf"&gt;here&lt;/a&gt;)&lt;blockquote&gt;&lt;br /&gt;(b) &lt;u&gt;Location Data&lt;/u&gt;.  Apple and its partners and licensees may provide certain services through your iPhone that rely upon location information.  
To provide these services, where available, Apple and its partners and licensees may transmit, collect, maintain, process and use your location data, including the real-time geographic location of your iPhone.  The location data collected by Apple is collected in a form that does not personally identify you and may be used by Apple and its partners and licensees to provide location-based products and services.  &lt;span style="font-weight:bold;"&gt;By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing and use of your location data to provide such products and services&lt;/span&gt;.  You may withdraw this consent at any time by not using the location-based features or by turning off the Location Services setting on your iPhone.  Not using these features will not impact the non location-based functionality of your iPhone.  When using third party applications or services on the iPhone that use or provide location data, you are subject to and should review such third party's terms and privacy policy on use of location data by such third party applications or services.&lt;/blockquote&gt;&lt;br /&gt;(emphasis in original)&lt;br /&gt;&lt;br /&gt;I wonder how many of those Senators read the EULA before pontificating about Apple not getting consent for collecting location data.  I wonder how many consumers who have privacy concerns about their location actually read the EULA before agreeing to it.  My guess is that the answer to both questions is none.  That isn't to say that there isn't a real problem.  
After all, I think there is a big &lt;a href="http://ephemerallaw.blogspot.com/2007/07/privacy-and-contract.html"&gt;conflict between EULAs and privacy&lt;/a&gt;, and that that conflict is a matter of significant public concern.&lt;br /&gt;&lt;br /&gt;But unless there's more to the story than is currently being reported, the problem isn't that people's privacy rights have been violated, it's that they were inadvertently thrown away.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-5786875751861160760?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/5786875751861160760/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=5786875751861160760' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5786875751861160760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5786875751861160760'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2011/04/root-cause-of-privacy-furor-eulas.html' title='Root Cause of Privacy Furor: EULAs'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4847481930038683083</id><published>2011-04-13T09:27:00.000-07:00</published><updated>2011-04-13T10:12:00.539-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Do not track'/><category 
scheme='http://www.blogger.com/atom/ns#' term='private suits'/><category scheme='http://www.blogger.com/atom/ns#' term='preemption'/><title type='text'>Data privacy legislation introduced</title><content type='html'>Per &lt;a href="http://www.wired.com"&gt;Wired.com&lt;/a&gt;, Senators Kerry and McCain have proposed legislation that would give web users the right not to be tracked while online (the text of the bill can be found &lt;a href="http://kerry.senate.gov/imo/media/doc/Commercial%20Privacy%20Bill%20of%20Rights%20Text.pdf"&gt;here&lt;/a&gt;).  While this sounds like a step forward for consumer privacy, the legislation has not been well received by privacy advocates.  According to &lt;a href="http://www.wired.com/threatlevel/2011/04/online-privacy-law/"&gt;the article&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;The ACLU and others would prefer what is being touted as a “universal opt-out” in which consumers could one-stop shop and end all tracking by using a national registry of sorts. The Federal Trade Commission suggested such legislation in December.&lt;br /&gt;&lt;br /&gt;“Consumers need strong baseline safeguards to protect them from the sophisticated data profiling and targeting practices that are now rampant online and with mobile devices. We cannot support the bill at this time,” Consumer Watchdog, Center for Digital Democracy, Consumer Action Privacy Rights Clearinghouse and Privacy Times wrote McCain and Kerry on Tuesday.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;While I have concerns about the proposed legislation, I don't know that I agree with the sentiments expressed by the quoted advocacy organizations.  True, the bill could do more for privacy.  However, the U.S. has generally been slow to enact laws protecting privacy, so letting the perfect be the enemy of the good in this case doesn't seem to make sense.  Also, the bill (at least as proposed) does do more than prevent tracking.  
For example, section 101 requires the FTC to make rules requiring covered entities to establish security measures to protect the data they do collect, and section 202(A)(4) requires the FTC to make rules enabling individuals to correct information stored about them.  There are also provisions requiring covered entities to design their products with privacy in mind (section 103) and to minimize the data they collect (section 301).  These are all potentially helpful provisions, and the fact that they weren't mentioned indicates to me that the bill might not be getting all the credit it deserves.&lt;br /&gt;&lt;br /&gt;With that having been said, I do have two problems with the bill that (if anyone were interested in my opinion) would stop me from supporting it.  First, as mentioned in the Wired article, it preempts potentially more stringent state laws (section 405).  This is a significant problem, as states are generally well ahead of the federal government on privacy issues.  Second, it specifically states that it does not create any kind of private right of action (section 406).  This is also a significant issue, since giving people the right to sue would likely result in much more vigorous enforcement of the law than simply relying on the FTC.  
&lt;br /&gt;&lt;br /&gt;The bottom line for me is that, while the legislation includes a number of privacy protective features, its incompatibility with stronger state laws, as well as its lack of a private right of action mean that, if passed, it probably wouldn't help (and might even hurt) consumer privacy rights.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4847481930038683083?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4847481930038683083/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4847481930038683083' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4847481930038683083'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4847481930038683083'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2011/04/data-privacy-legislation-introduced.html' title='Data privacy legislation introduced'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7019307261827087104</id><published>2011-03-30T05:21:00.000-07:00</published><updated>2011-03-30T05:35:50.412-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='GPS'/><category scheme='http://www.blogger.com/atom/ns#' term='Guest Post'/><category scheme='http://www.blogger.com/atom/ns#' term='Fourth 
Amendment'/><category scheme='http://www.blogger.com/atom/ns#' term='Ziaja'/><category scheme='http://www.blogger.com/atom/ns#' term='Wyden'/><category scheme='http://www.blogger.com/atom/ns#' term='Location Tracking'/><title type='text'>Geolocation Bill Seeks to Unify Fourth Amendment Protections</title><content type='html'>&lt;span style="font-style:italic;"&gt;The following guest post is provided by Sonya Ziaja, J.D.  Sonya is the co-owner of Ziaja Consulting LLC, a California-based consulting group. She writes regularly for &lt;a href="http://www.legalmatch.com/"&gt;LegalMatch's&lt;/a&gt; Law Blog and Ziaja Consulting's blog, &lt;a href="http://sharklaserblawg.com/"&gt;Shark. Laser. Blawg.&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Senator Ron Wyden (D-Oregon) is in the process of crafting &lt;a href="http://gpstrackinginfo.com/democratic-senator-advocates-geolocational-privacy-and-surveillance-act/1959"&gt;a bill to place legal limitations on the use of geolocation technologies&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;Geolocation is commonplace nowadays. People play geolocation games (Foursquare, etc.). And geolocation technologies are encouraged to protect public safety (&lt;a href="http://www.fcc.gov/cgb/consumerfacts/wireless911srvc.html"&gt;FCC’s Enhanced 911 rule&lt;/a&gt;). To some extent we are comfortable with broadcasting our location, which is well and good so long as doing so is harmless. There is, however, a less carefree side to geolocation--especially where it comes into conflict with the protections of the Fourth Amendment against unreasonable searches. &lt;br /&gt; &lt;br /&gt;Over the past few years, law enforcement has increasingly relied on geolocation techniques to track citizens without first obtaining a warrant. Doing so is at least questionably constitutional, if not outright illegal. 
Law enforcement makes use of both &lt;a href="http://www.newsweek.com/2010/02/18/the-snitch-in-your-pocket.html"&gt;cell phone tracking&lt;/a&gt; and secretly &lt;a href="http://wheels.blogs.nytimes.com/2009/05/14/can-police-use-gps-without-a-warrant/"&gt;tagging vehicles with GPS devices&lt;/a&gt;, all without court authorization.&lt;br /&gt; &lt;br /&gt;The courts are split on the Fourth Amendment issues this practice raises. The Ninth Circuit in &lt;a href="http://blogs.findlaw.com/ninth_circuit/2010/01/us-v-pineda-moreno-no-08-30385.html"&gt;US v. Pineda-Moreno&lt;/a&gt;, for example, held that surreptitiously tagging a vehicle with a GPS device does not require a warrant because it is a substitute for “following a car on a public street, that is unequivocally not a search within the meaning of the [fourth] amendment.” The D.C. Circuit, however, takes the opposite view.  In &lt;a href="http://pacer.cadc.uscourts.gov/common/opinions/201008/08-3030-1259298.pdf"&gt;US v. Maynard&lt;/a&gt;, the D.C. Circuit held that a warrant is constitutionally necessary before police attach a GPS device to a suspect’s car. The court also specifically rejected the automobile exception argument, stating that &lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;the automobile exception permits the police to search a car without a warrant if they have reason to believe it contains contraband; the exception does not authorize them to install a tracking device on a car without the approval of a neutral magistrate.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;A recent case highlights the split. Earlier this March, a twenty-year-old college student from San Jose, California &lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/03/03/BALI1I2KL1.DTL"&gt;brought suit against the FBI for secretly tagging his car&lt;/a&gt; without a warrant. 
Not surprisingly, he has decided to file in Washington, D.C., rather than in California.&lt;br /&gt;&lt;br /&gt;This &lt;a href="http://news.cnet.com/8301-31921_3-20030275-281.html"&gt;circuit split is part of the impetus&lt;/a&gt; behind Senator Wyden’s bill--the Geolocational Privacy and Surveillance Act, or GPS Act. The bill &lt;a href="http://news.cnet.com/8301-31921_3-20045723-281.html%23ixzz1HRA1XIah"&gt;aims to clarify the law, addressing multiple forms of geolocation&lt;/a&gt;, covering both information gained through cell phone use and covertly tagging vehicles. The hope is that the bill will create a uniform policy that protects both privacy and public safety. &lt;br /&gt;&lt;br /&gt;To balance privacy and safety, the bill provides &lt;a href="http://www.nationaljournal.com/tech/wyden-seeks-to-clarify-when-government-can-track-mobile-data-20110324"&gt;exemptions for emergency cases&lt;/a&gt;--for example, in cases of national security or when the user’s life is at risk--when police would not need to obtain a warrant. These exemptions have been the most contentious aspect of the bill. Paul Wormelli, executive of the Integrated Justice Information Systems Institute, has been particularly vocal about his concerns that the bill’s &lt;a href="http://www.govtech.com/geospatial/Law-Enforcement-Cell-Phone-Data-Citizens.html"&gt;exceptions are too vague and would have a chilling effect on officers&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;The bill is still in the early stages, however, and has not been formally introduced in the Senate. 
The language may need clarifying, but at the moment, the GPS bill looks to be our best bet to address the constitutional issues raised by widespread use of geolocation technologies.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7019307261827087104?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7019307261827087104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7019307261827087104' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7019307261827087104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7019307261827087104'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2011/03/geolocation-bill-seeks-to-unify-fourth.html' title='Geolocation Bill Seeks to Unify Fourth Amendment Protections'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4860766157544425589</id><published>2011-01-20T17:09:00.001-08:00</published><updated>2011-01-20T18:49:09.468-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stored communications act'/><category scheme='http://www.blogger.com/atom/ns#' term='sixth circuit'/><category scheme='http://www.blogger.com/atom/ns#' term='Fourth Amendment'/><title type='text'>Use of the Stored Communications Act to Get Email Without a Warrant 
Violates Fourth Amendment</title><content type='html'>Most modern email services allow people to keep messages indefinitely, and provide their users with enough space that doing so is actually an option.  As a result, many people use their email accounts as a long-term data archive, storing messages going back years.&lt;br /&gt;&lt;br /&gt;So what does this have to do with privacy?  Well, the &lt;a href="http://www.law.cornell.edu/uscode/html/uscode18/usc_sup_01_18_10_I_20_121.html"&gt;Stored Communications Act&lt;/a&gt; was written back in the days when email was much more akin to a mailbox.  Because of this, it treats old email in a manner which is similar to how one might treat abandoned mail, and provides a mechanism in &lt;a href="http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002703----000-.html"&gt;18 U.S.C. 2703(d)&lt;/a&gt; to allow the government to get access to it without a warrant.  &lt;br /&gt;&lt;br /&gt;Actually, it provid&lt;b&gt;ed&lt;/b&gt; a mechanism to allow the government to get access without a warrant.  That changed with the case of &lt;a href="http://www.ca6.uscourts.gov/opinions.pdf/10a0377p-06.pdf"&gt;U.S. v. Warshak&lt;/a&gt;, which found the government's use of section 2703(d) to obtain incriminating emails without a warrant violated the Fourth Amendment.  &lt;br /&gt;&lt;br /&gt;The facts of the case are extreme, and make for entertaining reading.  The main defendant, Steven Warshak, owned Berkeley Premium Nutraceuticals, the company behind the once-ubiquitous commercials for &lt;a href="http://en.wikipedia.org/wiki/Enzyte"&gt;Enzyte&lt;/a&gt;.  According to the opinion, Warshak had owned a number of other businesses.  However, Berkeley stood out, both because of the success of Enzyte, and because of its extremely slimy business practices.  A sample:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;in November 2003, Berkeley hired a company called West to handle “sales calls that were from . . . 
Avlimil or Enzyte advertisements.”  During the calls, West’s representatives asked customers if they wanted to be enrolled in the auto-ship program, and over 80% of customers declined.  When Warshak learned what was happening, he issued instructions to “take those customers, even if they decline[d], even if they said no to the Auto-Ship program, go ahead and put them on the Auto-Ship program.”  A subsequent email between Berkeley employees indicated that “all [West] customers, whether they know it or not, are going on [auto-ship].”  As a result, numerous telephone orders resulted in unauthorized continuity shipments.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Those practices eventually led to a 112-count indictment, and the government obtaining thousands of incriminating emails from Warshak's service provider without a warrant under section 2703(d) of the stored communications act.  After his conviction, Warshak appealed to the Sixth Circuit Court of Appeals, arguing (among other things) that the emails were obtained in violation of the 4th amendment, and therefore should have been excluded as evidence.  &lt;br /&gt;&lt;br /&gt;While the Sixth Circuit upheld Warshak's conviction, it agreed that the warrantless search of Warshak's emails violated the fourth amendment.  First, it established that Warshak had a subjective expectation that his emails would remain private.  Indeed, the court said the very fact that the emails contained so much incriminating information was evidence that Warshak saw them as private correspondence.  Next, the court asked whether the expectation of privacy in emails was one society was prepared to recognize as reasonable.  To answer, the court addressed the heavy reliance of modern society on email, and analogized it to other types of communication that were traditionally protected under the fourth amendment.  
In the end, it concluded that &lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails.  Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;The decision didn't do much for Warshak.  The court also held that the government had been relying in good faith on the act, and so the emails shouldn't be excluded.  However, it will help everyone else down the line, because the good faith rule can't be used to justify actions that are clearly inconsistent with the court's holding.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4860766157544425589?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4860766157544425589/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4860766157544425589' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4860766157544425589'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4860766157544425589'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2011/01/use-of-stored-communications-act-to-get.html' title='Use of the Stored Communications Act to Get Email Without a Warrant Violates Fourth Amendment'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1343358077503733387</id><published>2010-11-23T04:39:00.000-08:00</published><updated>2010-11-23T05:06:16.496-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='declaratory judgment'/><category scheme='http://www.blogger.com/atom/ns#' term='TSA'/><title type='text'>DJ Hero</title><content type='html'>I got an anonymous comment to my last post on the TSA's new security procedures saying that there has to be something we can do, rather than just submitting to whatever is advanced under the name of security.  As it happens, there are several things that people can do to react to the TSA's new procedures.  &lt;br /&gt;&lt;br /&gt;The most well-publicized protest is probably &lt;a href="http://www.optoutday.com/"&gt;National Opt Out Day (warning - page includes naked picture taken with TSA's new scanners)&lt;/a&gt;, wherein people will opt for being groped by a TSA agent to slow down processing of fliers on November 24 - the busiest flying day of the year.  If that's your cup of tea, then it's certainly your right to opt out of the scanning (which you might want to do anyway, for both health and privacy reasons).  For me though, I'm not at all interested in being groped by the TSA, even for the noble purpose of protest.&lt;br /&gt;&lt;br /&gt;If you're more interested in an ineffectual protest with a touch of humor, you can try radiation shielding undergarments, or a bill of rights luggage tag (all of which are described in &lt;a href="http://www.cnbc.com/id/40317741"&gt;this&lt;/a&gt; article).  My guess is that the bill of rights tag would just be ignored (much like the actual bill of rights), and that the metal undergarments would result in a referral for one of the TSA's special enhanced pat downs.  
Still, if you want to make a statement, those are another way to do it.&lt;br /&gt;&lt;br /&gt;As a lawyer, my first thought was a declaratory judgment action seeking to preliminarily and permanently enjoin the TSA from implementing the new security measures.  My next thought was that that was so obvious that someone must have already done it.  However, a quick Google search didn't turn up much more than &lt;a href="http://www.flyertalk.com/forum/travel-safety-security/1149275-fl-man-files-suit-against-tsa-4.html"&gt;this thread&lt;/a&gt;, so maybe that's still available.  The problem with this approach is that these types of DJ actions are really hard to win, and you may get bumped on procedural grounds before the judge ever reaches the merits of the case.&lt;br /&gt;&lt;br /&gt;In the end though, my guess is that what will be necessary to reverse these new procedures is people (finally) taking a stand for privacy, and bringing enough bad press to the TSA and pressure on their elected representatives, that the TSA's current policies become radioactive.  
I'm not thrilled that we've reached that point, but it is a free country, and if our elected representatives make enough intrusive laws, sometimes the only way to respond is by replacing them with people who aren't so keen to invade people's privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1343358077503733387?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1343358077503733387/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1343358077503733387' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1343358077503733387'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1343358077503733387'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/11/dj-hero.html' title='DJ Hero'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8862381416749542221</id><published>2010-11-14T09:05:00.000-08:00</published><updated>2010-11-14T11:24:48.729-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TSA'/><title type='text'>Fighting the TSA</title><content type='html'>The Internet is currently burning up with &lt;a href="http://johnnyedge.blogspot.com/2010/11/these-events-took-place-roughly-between.html"&gt;a story about a man who would rather not fly than submit to the 
TSA's intrusive screening procedures, and how the TSA reacted to him&lt;/a&gt;.  To make a long story short, once he decided to leave the security area and ask for a ticket refund, a TSA agent told him he had to return to the security area or would be subject to a civil fine of up to $10,000.  A normal person's reaction to reading this story might be outrage at this sort of petty tyranny.  As a lawyer, my first reaction was to question whether the threat was real.  That is, is this a case of abuse of power by a misguided TSA employee acting outside his authority, or is it a case of abuse of power by a misguided TSA employee enforcing an egregiously bad law?&lt;br /&gt;&lt;br /&gt;After about an hour of searching, I strongly suspect that this is a case of abuse of power by a misguided TSA employee acting outside his authority, though I have not been able to convince myself of that fact, and so the normal disclaimers about nothing on this blog being legal advice should go at least double for this post.  &lt;br /&gt;&lt;br /&gt;The reason I strongly suspect that this is a case of abuse of power by a misguided TSA employee acting outside his authority is that the regulations on penalties and prohibitions mostly focus on making sure that you can't get certain things into secure areas.  For example, &lt;a href="http://law.justia.com/us/cfr/title49/49-9.1.3.5.8.2.10.4.html"&gt;49 C.F.R. 1540.107&lt;/a&gt; says that no one can enter the sterile area or board an aircraft without going through a screening.  However, in this case, the putative flyer wasn't trying to get into the sterile area or an aircraft without going through a screening - he made a conscious decision to avoid a screening by not entering the sterile area or boarding an aircraft.  Similarly, &lt;a href="http://law.justia.com/us/cfr/title49/49-9.1.3.5.8.2.10.5.html"&gt;49 C.F.R. 1540.109&lt;/a&gt; prohibits threatening, interfering with, assaulting or intimidating screening personnel.  
However, in this case, the putative flyer wasn't interfering at all.  Indeed, the screening personnel could have done their jobs more easily if they had simply let him leave the airport.  Because there is no evidence that leaving the airport had any adverse effect on security, or on the ability of the screening personnel to screen other passengers, it seems to fall outside of the general scope of the regulations, and so I suspect that the threat of a $10,000 civil penalty was not supported by law.&lt;br /&gt;&lt;br /&gt;However, the reason I haven't been able to convince myself of the fact that a civil penalty couldn't have been imposed is that the relevant law is more than a little bit difficult to wade through, and the regs have previously been applied in ways that seem patently unjust.  In terms of difficulty wading through the regs, I will give one example: &lt;a href="http://www.law.cornell.edu/uscode/49/usc_sec_49_00046301----000-.html"&gt;49 U.S.C. 46301(a)(5)&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;(A) An individual (except an airman serving as an airman) or small business concern is liable to the Government for a civil penalty of not more than $10,000 for violating—&lt;br /&gt;(i) chapter 401 (except sections 40103 (a) and (d), 40105, 40106 (b), 40116, and 40117), section 44502 (b) or (c), chapter 447 (except sections 44717–44723), or chapter 449 (except sections 44902, 44903 (d), 44904, and 44907–44909) of this title; or&lt;br /&gt;(ii) a regulation prescribed or order issued under any provision to which clause (i) applies.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;And that's just one example.  As a lawyer, I can wade through that, cross checking sections, examining applicability to a given situation, etc.  However, as a human being, I don't do that sort of thing for fun, and no one is paying me to write this blog.  
In terms of unjust application of the regs in the past, I refer readers to &lt;a href="http://www.ca6.uscourts.gov/opinions.pdf/05a0399p-06.pdf"&gt;Rendon v. TSA&lt;/a&gt;, an unhappy case where a civil fine imposed for asking some rather profane (but not unreasonable) questions about security procedures was upheld under the prohibition on interfering with screening personnel.  While I think imposing a fine for trying to leave an airport is even worse than the situation in Rendon, given the result in Rendon, it wouldn't surprise me terribly if a fine, in fact, were imposed.&lt;br /&gt;&lt;br /&gt;So what will happen in this particular case?  Probably nothing.  I doubt the TSA will seek penalties, given that the whole incident was videotaped, and a trial would only lead to bad press and the possibility of their powers being curtailed.  In the end, my guess is the whole thing will blow over, the TSA will keep their current security policies in place, and most people (e.g., me) who can't afford to skip flights just because we might not want to be molested by the TSA will end up being subjected to whatever form of invasive screening the TSA thinks is warranted without any realistic avenue for recourse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8862381416749542221?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8862381416749542221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8862381416749542221' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8862381416749542221'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8862381416749542221'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/11/fighting-tsa.html' title='Fighting the TSA'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6297184399771089564</id><published>2010-10-01T04:56:00.000-07:00</published><updated>2010-10-01T05:13:54.594-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='scribd'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>I know I've written this post before</title><content type='html'>Here's the wired headline: &lt;a href="http://www.wired.com/epicenter/2010/09/scribd-facebook-instant-personalization/"&gt;Scribd Facebook Instant Personalization Is a Privacy Nightmare&lt;/a&gt;.  The article is about what you'd expect.  There are complaints about automatically generated spam emails to your automatically created friends and confusing or non-existent opportunities to opt out.  There's a Scribd PR person explaining how privacy is really very important to the company.  There's the author suggesting that one way to fix the problem is to delete your Scribd profile, but characterizing that as extreme.  I'm not 100% sure why I read the article.  True, I don't use Scribd, and have never run across this particular feature.  However, just seeing Facebook in the title gave me a pretty good idea what to expect.  
Someone in marketing wants to take advantage of the tremendous amount of data on Facebook (and get in on the whole "social media" bandwagon) and so they make it really easy to share data, and relatively difficult not to do so.  &lt;br /&gt;&lt;br /&gt;So what should people do instead of this?  Well, there's always the possibility of not integrating with Facebook.  Frankly, regardless of what they've been forced to do by public pressure, I will always distrust a company whose CEO famously &lt;a href="http://www.huffingtonpost.com/2010/04/29/zuckerberg-privacy-stance_n_556679.html"&gt;doesn't believe in privacy&lt;/a&gt;.  In the event that you must integrate with Facebook, you could always try little things like opt-in rather than opt-out participation, not automatically spamming Facebook friends, and making sure it's clear how someone can opt out if they decide they don't like the program.  There are also guidelines for interactive and behavioral advertising put out by organizations like the &lt;a href="http://www.ftc.gov/opa/2007/12/principles.shtm"&gt;FTC&lt;/a&gt; and the &lt;a href="http://www.iab.net/iab_products_and_industry_services/508676/1464"&gt;IAB&lt;/a&gt; (though I consider those to be a bit outside the scope of this post).  
Whatever you do though, if you're going to move into the world of social media, you need to do it with your eyes open, or your company is likely to be integrated with Facebook in a headline that also includes unpleasant words like "nightmare" or "disaster."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6297184399771089564?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6297184399771089564/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6297184399771089564' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6297184399771089564'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6297184399771089564'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/10/i-know-ive-written-this-post-before.html' title='I know I&apos;ve written this post before'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4244295668995606477</id><published>2010-08-23T05:33:00.000-07:00</published><updated>2010-08-23T06:15:59.528-07:00</updated><title type='text'>July/August Privacy Catch Up</title><content type='html'>So...the blog has been uncharacteristically quiet for the last month or so.  This is not because nothing privacy related has happened in the legal world.  
For example, the FBI and federal prosecutors announced that they will not be filing criminal charges related to the Lower Merion Spy Cam Scandal (link &lt;a href="http://www.examiner.com/education-headlines-in-baltimore/webcamgate-fbi-closes-the-book-on-criminal-charges-related-to-school-spying-on-students"&gt;here&lt;/a&gt;), something I wrote about &lt;a href="http://ephemerallaw.blogspot.com/2010/02/creepiest-privacy-violation-of-2009.html"&gt;here&lt;/a&gt; as possibly being the creepiest privacy violation of 2009.  Also, it turns out that the millimeter wave scanners used to see through clothes to catch those ever-elusive terrorists can store and transmit images, despite assurances from the TSA that that was not the case (&lt;a href="http://news.cnet.com/8301-31921_3-20012583-281.html"&gt;link&lt;/a&gt;).  In more positive news, the appeals court for the District of Columbia circuit has rejected a claim by the government that round-the-clock warrantless GPS surveillance is ok (article &lt;a href="http://news.cnet.com/8301-31921_3-20012583-281.html"&gt;here&lt;/a&gt;).  There was also some legislative action, as internet advertisers warned that a new privacy bill, the &lt;a href="http://news.cnet.com/8301-31921_3-20011435-281.html"&gt;"best practices act"&lt;/a&gt;, "would turn the Internet from a fast-moving information highway to a slow-moving toll-road."  Also, speaking of slow-moving toll-roads, Google and Verizon came together to formally announce that net neutrality (i.e., the concept that all traffic on the internet should be treated equally) is &lt;a href="http://www.eff.org/deeplinks/2010/08/google-verizon-netneutrality"&gt;a rather quaint notion that shouldn't apply to wireless networks&lt;/a&gt;.  All in all, it's been a relatively busy month or so.&lt;br /&gt;&lt;br /&gt;So why no posts?  
Well, in addition to all of these privacy events, we also got a huge non-privacy decision - &lt;a href="http://www.supremecourt.gov/opinions/09pdf/08-964.pdf"&gt;Bilski v. Kappos&lt;/a&gt; - which basically upended a decade's worth of precedent on whether you can get patents on novel software or business methods.  Since software and business method patents are a big part of my practice, a good deal of the time that I would have spent on privacy was spent on patent stuff instead.  To make matters worse, at least time-wise, I also got a copy of Starcraft II, which turned out to be a huge time suck.  Happily, rather than releasing a full game, with three playable races and campaigns for each (the approach taken with the original), Blizzard decided to only release a human campaign, which turned out to be approximately a third of a game's worth of play for a full game's price.  As a result, I not only get to get back to blogging sooner, I also get to know to avoid new releases from Blizzard in the future, which I guess means that everyone wins.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4244295668995606477?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4244295668995606477/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4244295668995606477' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4244295668995606477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4244295668995606477'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/08/julyaugust-privacy-catch-up.html' title='July/August 
Privacy Catch Up'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8738733534056007995</id><published>2010-07-11T15:04:00.000-07:00</published><updated>2010-07-11T16:45:06.766-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Blizzard'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Why Do People Keep Thinking This is a Good Idea?</title><content type='html'>Earlier this month, Blizzard Entertainment (makers of World of Warcraft, among other successful computer games) decided that they would change their game forums from anonymous forums (i.e., you can't tell the identity of someone posting to the forums unless they tell you) to forums where comments are connected with a person's real name.  After a firestorm of criticism (e.g., &lt;a href="http://www.metafilter.com/93492/But-my-name-really-is-Deathblood-Blackaxe#3171416"&gt;here&lt;/a&gt;) &lt;a href="http://forums.worldofwarcraft.com/thread.html?topicId=25968987278&amp;sid=1"&gt;Blizzard spiked the program&lt;/a&gt;, at least for now.  And the reason for going down this path, with its utterly predictable and embarrassing trajectory?  Two words: Facebook Integration.  
Actually (as explained &lt;a href="http://content.usatoday.com/communities/gamehunters/post/2010/05/blizzard-and-facebooks-friendly-social-networking-deal-launches-with-starcraft-ii-/1"&gt;here&lt;/a&gt;) it's slightly more complicated than that, but what it boils down to is that Blizzard wanted to get in on some of that social networking magic, and giving everyone a single ID that was consistent across all of Blizzard's forums (and Facebook) seemed to be a good way to do it.  &lt;br /&gt;&lt;br /&gt;This is an old story, and one that often ends in class action lawsuits (e.g., &lt;a href="http://news.cnet.com/8301-17852_3-10455573-71.html"&gt;Google Buzz&lt;/a&gt;, &lt;a href="http://techcrunch.com/2008/08/14/facebook-gets-slapped-with-another-lawsuit-over-beacon-wishes-it-could-opt-out/"&gt;Facebook Beacon&lt;/a&gt;).  Why do people keep doing this?  My guess is because they see their existing user data as an asset, and they &lt;span style="font-style:italic;"&gt;hate&lt;/span&gt; letting an asset go unexploited.  However, that's the wrong mindset.  The safest way to think of user data is as something that actually belongs to users, which they have allowed you to temporarily safeguard.  The point of the user data isn't to exploit it, it's to allow a business to maintain its relationship with its users.  If you want to integrate with Facebook - fine.  However, the way to do so is going forward, collecting new data (with a clear explanation of what you're collecting the data for), and without degrading or changing the services provided for old users.  True, at the outset, this seems much harder than leveraging an existing user base.  
On the other hand, many existing user bases don't like being leveraged, and going about things the hard way can take that into account, and avoid turning an existing base into a historical user base.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8738733534056007995?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8738733534056007995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8738733534056007995' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8738733534056007995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8738733534056007995'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/07/why-do-people-keep-thinking-this-is.html' title='Why Do People Keep Thinking This is a Good Idea?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6831260912291494076</id><published>2010-06-28T04:42:00.000-07:00</published><updated>2010-06-28T04:57:13.833-07:00</updated><title type='text'>Tech Apologies of 2010</title><content type='html'>&lt;a href="http://www.wired.com"&gt;Wired&lt;/a&gt; put up an article on the biggest tech apologies so far this year (&lt;a 
href="http://www.wired.com/epicenter/2010/06/biggest-tech-industry-apologies-of-2010-so-far-saturday/all/1"&gt;link&lt;/a&gt;).  The list is:&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Google: Sorry about Buzz, Street View Privacy Issues (providing information to unwelcome Buzz "followers" and recording WiFi data while making Street View maps)&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Adobe Apologizes For Old Flash Bug (failing to patch bug for 16 months)&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;McAfee’s Antivirus Snafu (releasing update that shut down computers running XP)&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;AT&amp;T Begs Pardon for iPad E-mail Breach (allowed hackers to identify email addresses of iPad customers through a flaw in an authentication web site)&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Facebook Apologizes for Privacy Shortcomings (Sort Of) (Mark Zuckerberg issues non-apology for constantly changing facebook privacy policies)&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Ellen Degeneres Didn’t Mean To Hurt Apple’s Feelings (Apparently, a comedian made fun of Apple...and this made the list why?)&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;li&gt;Apple: Sorry We Couldn’t Keep Up With iPhone 4 Orders (The description says it all)&lt;br /&gt;&lt;/li&gt;&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;Not separately counting the two separate Google apologies squished into the top bullet, that makes 3/7 apologies for privacy gaffes.  
The moral of the story - privacy mistakes are the gift that keeps on giving, at least in terms of bad publicity.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6831260912291494076?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6831260912291494076/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6831260912291494076' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6831260912291494076'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6831260912291494076'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/06/tech-apologies-of-2010.html' title='Tech Apologies of 2010'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2623479588666422787</id><published>2010-06-20T18:40:00.001-07:00</published><updated>2010-06-20T19:32:10.432-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Stengart v. Loving Care Agency'/><category scheme='http://www.blogger.com/atom/ns#' term='City of Ontario v. Quon'/><title type='text'>Ontario v. 
Quon Decided</title><content type='html'>As described in &lt;a href="http://www.computerworld.com/s/article/9178199/Supreme_Court_ruling_lets_employers_view_worker_text_messages_with_reason?taxonomyId=84&amp;pageNumber=1"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;, the Supreme Court has issued its &lt;a href="http://www.supremecourt.gov/opinions/09pdf/08-1332.pdf"&gt;decision&lt;/a&gt; in City of Ontario v. Quon.  A quick recap of the facts: the city of Ontario, California issued Jeff Quon (a SWAT team member) a pager.  Quon exceeds his text message allotment on the pager and is audited.  The audit reveals that Quon has overwhelmingly used the pager for personal text messages.  Quon is subsequently disciplined.&lt;br /&gt;&lt;br /&gt;The decision was totally unsurprising - the police department was allowed to audit messages sent during work hours on the pager it provided.  What was surprising, or at least, was something of a relief, was that the Court reached the expected result in a way that leaves a nascent right to employee privacy in electronic communications basically unscathed.  Indeed, the Court seemed to go out of its way to avoid upsetting precedent like &lt;a href="http://ephemerallaw.blogspot.com/2010/04/personal-emails-on-company-computers.html"&gt;Stengart v. Loving Care&lt;/a&gt;, which had found that employees have at least some expectation of privacy in personal emails, even if sent on company computers.  For example, on page 14 of its decision, the Supreme Court specifically distinguished personal emails such as were at issue in Stengart:&lt;blockquote&gt;OPD’s audit of messages on Quon’s employer-provided pager was not nearly as intrusive as a search of his personal e-mail account or pager, or a wiretap on his home phone line, would have been.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;All in all, I think Ontario v. Quon was a good decision.  
Indeed, given the issues involved, and the potential for damage, it was probably the best that the Court could have done.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2623479588666422787?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2623479588666422787/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2623479588666422787' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2623479588666422787'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2623479588666422787'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/06/ontario-v-quon-decided.html' title='Ontario v. 
Quon Decided'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2901232303091010836</id><published>2010-06-13T15:01:00.000-07:00</published><updated>2010-06-13T15:15:36.257-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Google Streetview'/><title type='text'>Movement in the Streetview cases</title><content type='html'>Via &lt;a href="http://www.wired.com/threatlevel/2010/06/privacy-in-peril/"&gt;this&lt;/a&gt; article from Wired's threat level blog, we learn that Google has begun its defense in the Streetview litigation by moving to have all the various lawsuits that have been filed against it consolidated in the Northern District of California (Google's motion can be found &lt;a href="http://www.wired.com/images_blogs/threatlevel/2010/06/googlemultidistrict.pdf"&gt;here&lt;/a&gt;).  We also learned what is likely to be Google's defense (at least in the United States).  According to the motion &lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Google will likely argue that even if plaintiff's allegations are true, Google did not violate the federal Wiretap Act (and similar state statutes) for a number of reasons, including the fact that open WiFi transmissions are "readily accessible" to the general public under 18 U.S.C. 2511(2)(g)(i).  
&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;(from page 18 of the &lt;a href="http://www.wired.com/images_blogs/threatlevel/2010/06/googlemultidistrict.pdf"&gt;pdf&lt;/a&gt;)&lt;br /&gt;Actually, maybe learned is a bit too strong of a word, since it was generally expected (see, e.g., &lt;a href="http://www.wired.com/threatlevel/2010/06/google-wifi-sniffing/"&gt;here&lt;/a&gt;) that Google would defend using the public accessibility exception to the wiretap act.  However, it is nice to actually see it in writing from someone who has authority to speak for Google, rather than relying on second-hand prognostications from commentators with no particular relation to the case.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2901232303091010836?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2901232303091010836/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2901232303091010836' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2901232303091010836'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2901232303091010836'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/06/movement-in-streetview-cases.html' title='Movement in the Streetview cases'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4056844449357035528</id><published>2010-06-06T17:35:00.000-07:00</published><updated>2010-06-06T18:16:43.402-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='electronic communications privacy act'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='WiFi'/><category scheme='http://www.blogger.com/atom/ns#' term='wiretap act'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Streetview'/><title type='text'>Is Wireless Data Picked up by Google Publicly Accessible?</title><content type='html'>Some new developments in the Google Streetview WiFi monitoring controversy.  &lt;br /&gt;&lt;br /&gt;First, according to &lt;a href="http://www.wired.com/threatlevel/2010/06/google-wifi-sniffing/"&gt; this article&lt;/a&gt; one of the lawyers suing Google is alleging that a Google patent application for increasing the accuracy of location-based services by intercepting data communications indicates that the Google Streetview monitoring was intentional.  I find this unconvincing.  Unlike many other countries, the United States doesn't have a requirement that a company exploit patented technology.  Absent some other evidence of intentionality, the patent application proves nothing (and, of course, if there was other evidence of intentionality, the patent application wouldn't be necessary).  &lt;br /&gt;&lt;br /&gt;Second, and more interestingly, some observers (e.g., &lt;a href="http://www.wired.com/threatlevel/2010/05/google-sued/#more-16501"&gt;here&lt;/a&gt;) have stated that the lawsuits against Google may have no merit because the Electronic Communications Privacy Act has a safe harbor for intercepting communications which are publicly accessible.  It's an interesting argument, but I don't know that it's a show stopper.  
The relevant statutory provision is &lt;a href="http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002511----000-.html"&gt;18 USC 2511(2)(g)(i)&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;(g) It shall not be unlawful under this chapter or chapter 121  of this title for any person—&lt;br /&gt;(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public; &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;"readily accessible to the general public" is then defined in &lt;a href="http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002510----000-.html"&gt;18 USC 2510(16)&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;(16) “readily accessible to the general public” means, with respect to a radio communication, that such communication is not—&lt;br /&gt;(A) scrambled or encrypted; &lt;br /&gt;...&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;That definition is the reason I don't think the publicly accessible argument is a show stopper.  As I noted &lt;a href="http://ephemerallaw.blogspot.com/2010/05/what-did-google-do.html"&gt;here&lt;/a&gt;, at least one of the parties bringing suit against Google has alleged that Google engaged in decrypting the communications it intercepted.  I don't know what evidence they have to back that allegation.  
However, at this point, it doesn't matter, since at this stage in the litigation a court is bound to accept the allegations in the complaint as true.&lt;br /&gt;&lt;br /&gt;Whether they have enough to get through discovery is another question entirely, but one which won't be raised until Google files its answer and moves for summary judgment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4056844449357035528?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4056844449357035528/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4056844449357035528' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4056844449357035528'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4056844449357035528'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/06/is-wireless-data-picked-up-by-google.html' title='Is Wireless Data Picked up by Google Publicly Accessible?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1622029647945102912</id><published>2010-05-24T14:30:00.000-07:00</published><updated>2010-05-24T14:52:06.491-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy legislation'/><title type='text'>Boucher Bill Continues to Evoke Comment</title><content 
type='html'>Since Rep. Rick Boucher (D-VA) released his proposed privacy bill for public comment in early May, privacy advocates as well as interested industry representatives have been quick to criticize it as too overreaching or not sufficiently protective. This mixed reaction suggests that maybe he has actually struck a middle ground.  A recent blog post on the Workplace Privacy Counsel blog criticizes the bill as too burdensome for employers, and argues that despite its exclusion from coverage of businesses with 5,000 or fewer individuals, it will impact most employers since employers often collect "sensitive information" on their employees.  Employers would actually have to disclose to the employees how they intend to use that sensitive information.  The author expresses concern that employers will be faced with preparing a complex privacy notice, since different types of information require different uses and retention periods.  Allusions to such complexity and the unwillingness of employers to be open and forthright are what cause privacy advocates to express concern about how sensitive personal information is being used, transferred, and retained. Yet, consumer groups have criticized the bill as not being comprehensive enough, and for preventing stronger state laws or individual rights of action.  We know from press releases that Rep. Boucher has been studying this issue for quite some time, and is sensitive to being overreaching and squelching innovation.  Yet he has heard the concerns of consumer privacy advocates and recognizes that, left unchecked, privacy rights will be trampled.  Rep. 
Boucher is to be applauded for reaching out by proposing his bill for comments, and starting a discussion that needs to be aired, hopefully in formal Congressional hearings sooner than later.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1622029647945102912?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1622029647945102912/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1622029647945102912' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1622029647945102912'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1622029647945102912'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/05/boucher-bill-continues-to-evoke-comment.html' title='Boucher Bill Continues to Evoke Comment'/><author><name>Jane Shea</name><uri>http://www.blogger.com/profile/17732636392484969702</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-319928539782111806</id><published>2010-05-23T06:27:00.001-07:00</published><updated>2010-05-23T18:46:45.219-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='class actions'/><category scheme='http://www.blogger.com/atom/ns#' term='wiretap act'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Streetview'/><title type='text'>What did Google do?</title><content type='html'>Fresh off the heels of its &lt;a 
href="http://ephemerallaw.blogspot.com/2010/02/google-buzz-lawsuit.html"&gt;Buzz debacle&lt;/a&gt; Google is facing another class action suit, this time for collecting data from WiFi networks as it took pictures as part of its Street View project (which has, of course, &lt;a href="http://ephemerallaw.blogspot.com/2008/05/more-potential-legal-troubles-for.html"&gt;raised privacy concerns on its own&lt;/a&gt;).  The complaint (available &lt;a href="http://www.scribd.com/doc/31627486/Van-Valin-v-Google-Complaint"&gt;here&lt;/a&gt;) asserts that Google's WiFi information collection violated &lt;a href="http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002511----000-.html"&gt;18 USC 2511&lt;/a&gt; (the wiretap act).  This could be a problem for Google.  When news of Google collecting information off wireless networks first came out, the company stated that the information was essentially nothing more than identifying data (e.g., machine addresses and network IDs).  However, Google subsequently admitted that, not only did it collect identifying information for machines and networks, it also collected the actual traffic (i.e., payloads) running across the networks.  &lt;br /&gt;&lt;br /&gt;The distinction is important.  18 USC 2511 prohibits intercepting any electronic communication.  
18 USC 2510 defines "intercept" as &lt;blockquote&gt;the aural or other acquisition of the &lt;span style="font-style:italic;"&gt;contents&lt;/span&gt; of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.&lt;/blockquote&gt;(emphasis added)  It also includes an explicit definition of "contents"&lt;br /&gt;&lt;blockquote&gt;“contents”, when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.&lt;/blockquote&gt;&lt;br /&gt;Given those definitions, if all Google had been acquiring was the identifying information of the machines communicating on a wireless network, they would have a good argument that what they did didn't count as "intercepting" as prohibited by the wiretap act.  However, if Google was actually acquiring the communications passing across the networks, that argument loses a lot of its force.  Even worse, in the complaint, the plaintiffs assert that&lt;blockquote&gt;a GSV [Google Street View] vehicle has collected, and defendant has stored, and decoded/decrypted Van Valin's wireless data on at least one occasion.&lt;/blockquote&gt;&lt;br /&gt;While the complaint is written a bit strangely, at least on the face of it, it appears as though the plaintiff's attorney has reason to believe that Google intercepted and decrypted encrypted communications on at least one occasion.  If true, it's hard to imagine a more blatant violation of wireless privacy, and it's also hard to imagine a way that Google could escape liability.&lt;br /&gt;&lt;br /&gt;So what will happen?  Stay tuned.  
Assuming Google was served on the 17th (the day the complaint was filed), their answer is due June 7 (see &lt;a href="http://www.law.cornell.edu/rules/frcp/Rule12.htm"&gt;FRCP 12&lt;/a&gt;).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-319928539782111806?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/319928539782111806/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=319928539782111806' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/319928539782111806'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/319928539782111806'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/05/what-did-google-do.html' title='What did Google do?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1204239047336507489</id><published>2010-05-19T05:47:00.000-07:00</published><updated>2010-05-19T08:44:35.338-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anonymity'/><category scheme='http://www.blogger.com/atom/ns#' term='blogging'/><category scheme='http://www.blogger.com/atom/ns#' term='patent troll tracker'/><title type='text'>Privacy can hurt</title><content type='html'>While this blog is generally all about privacy and how to protect it, it's important to keep 
in mind that privacy can be a double-edged sword.  Take the case of &lt;a href="http://mlrcblogsuits.blogspot.com/2009/04/ward-v_2189.html"&gt;Ward v. Cisco Systems&lt;/a&gt;.  It all started with a 2007 post by an anonymous blogger about a patent infringement suit against Cisco in the Eastern District of Texas (see &lt;a href="http://www.techdirt.com/articles/20090921/0254336263.shtml"&gt;this&lt;/a&gt; article for background information).  In it, the blogger, who claimed to be "just a lawyer, interested in patent cases, but not interested in publicity" made some rather acerbic comments about the lawyer suing Cisco, as well as about the Eastern District of Texas.  &lt;br /&gt;&lt;br /&gt;As it happened, the anonymous blogger wasn't "just a lawyer," he was Rick Frenkel, intellectual property counsel for Cisco.  In the subsequent defamation suit filed (where else) in the Eastern District of Texas, the plaintiff's strategy highlighted the anonymity of the Troll Tracker, painting his actions as part of a sinister conspiracy by Cisco.  As a result, &lt;a href="http://blogs.cisco.com/news/comments/lessons_learnedcisco_updates_policy_on_employee_blogging/"&gt;Cisco changed its blogging policy&lt;/a&gt; to specify that:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;If you comment on any aspect of the company’s business or any policy issue the company is involved in where you have responsibility for Cisco’s engagement, &lt;strong&gt;you must clearly identify yourself as a Cisco employee in your postings or blog site(s)&lt;/strong&gt; and include a disclaimer that the views are your own and not those of Cisco.  
In addition, Cisco employees should not circulate postings that they know are written by other employees without informing the recipient that the source was within Cisco.&lt;/blockquote&gt;&lt;br /&gt;(emphasis added)&lt;br /&gt;&lt;br /&gt;In short, while privacy per se isn't a bad thing, it can be dangerous, and that danger is something that businesses need to be aware of as they go about their business.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1204239047336507489?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1204239047336507489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1204239047336507489' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1204239047336507489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1204239047336507489'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/05/privacy-can-hurt.html' title='Privacy can hurt'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1737633082356166948</id><published>2010-05-09T16:26:00.000-07:00</published><updated>2010-05-09T17:15:00.329-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='People v. 
Klapper'/><title type='text'>More on Email Privacy</title><content type='html'>I've been writing about email privacy with &lt;a href="http://ephemerallaw.blogspot.com/2010/04/city-of-ontario-v-quon.html"&gt;City of Ontario v. Quon&lt;/a&gt; and &lt;a href="http://ephemerallaw.blogspot.com/2010/04/personal-emails-on-company-computers.html"&gt;Stengart v. Loving Care&lt;/a&gt;, so how about an encore from New York: &lt;a href="http://www.nycourts.gov/reporter/3dseries/2010/2010_20150.htm"&gt;People v. Klapper&lt;/a&gt;.  Factually, People v. Klapper is pretty straightforward.  The defendant, Andrew Klapper, was a dentist who installed a keystroke logger on his office computers.  As a result, when one of Mr. Klapper's employees accessed a personal email account from a work computer, Mr. Klapper learned the employee's email password, which Mr. Klapper later used to access the employee's personal email himself.  As a result, Mr. Klapper was charged with Unauthorized Use of a Computer, which appears to be a New York state law analog of the Computer Fraud and Abuse Act.&lt;br /&gt;&lt;br /&gt;Now, from an intuitive standpoint, what Mr. Klapper did seems wrong, and I would like to think that the law provides some disincentives for behavior like that engaged in by Mr. Klapper.  However, that's a relatively minor point, as there's lots of behavior that people may find objectionable that the law doesn't prohibit, or even frown upon.  Indeed, from the decision in this case, it appears that Mr. Klapper's activities fall into that broad class of behavior, as the judge dismissed the charges against him as facially insufficient.  What isn't a minor point is the reason given for dismissing the charges.  
According to Judge Whiten&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;In this day of wide dissemination of thoughts and messages through transmissions which are vulnerable to interception and readable by unintended parties, armed with software, spyware, viruses and cookies spreading capacity; &lt;span style="font-weight:bold;"&gt;the concept of internet privacy is a fallacy upon which no one should rely.&lt;br /&gt;&lt;br /&gt;It is today's reality that a reasonable expectation of internet privacy is lost, upon your affirmative keystroke.&lt;/span&gt; Compound that reality with an employee's use of his or her employer's computer for the transmittal of non-business related messages, and the technological reality meets the legal roadway, which equals the exit of any reasonable expectation of, or right to, privacy in such communications. &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I don't like the end result of the case, but the reasoning behind it is an abomination which should be stricken from the face of history.  If anything that you type into a computer is considered to not be private (i.e., "a reasonable expectation of internet privacy is lost, upon your affirmative keystroke"), then everything I do, including work done for clients that I have asserted is covered by attorney-client privilege, is potentially public and could be considered fair game for anyone who wants to request it in litigation.  This would be a complete surprise for me, and, I'm guessing every other practicing lawyer in the country.&lt;br /&gt;&lt;br /&gt;In any case, I expect that the reasoning behind People v. Klapper is unlikely to be considered persuasive in many cases going forward.  
However, the fact that it appeared in even one case serves as a reminder that, when it comes to information privacy law, relying on even the most basic principles can be a dicey proposition.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dailykos.com/storyonly/2010/5/8/864187/-Your-Email-Is-Not-Private-%28On-One-Side-of-the-Hudson%29"&gt;via&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1737633082356166948?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1737633082356166948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1737633082356166948' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1737633082356166948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1737633082356166948'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/05/more-on-email-privacy.html' title='More on Email Privacy'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-5772551713357473839</id><published>2010-05-02T11:32:00.000-07:00</published><updated>2010-05-02T15:03:21.376-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EU directive'/><title type='text'>Limiting Information Sharing Based on Context</title><content type='html'>In &lt;a 
href="http://www.computerworld.com/s/article/9176162/Researcher_Social_networks_shouldn_t_reuse_private_info"&gt;this&lt;/a&gt; article, &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt; describes an argument made by Microsoft researcher Danah Boyd that social networks should consider the context in which information is provided, and not re-use the information outside of that context.  The argument, to the extent it can be distilled down to one paragraph, is as follows:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"You're out joking around with friends and all of a sudden you're being used to advertise something that had nothing to do with what you were joking about with your friends," Boyd said. People don't hold conversations on Facebook for marketing purposes, she said, so it would be incorrect for marketing efforts to capitalize on these conversations.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;In the article, this concept was described as "relatively new."  I'm not sure that that's correct.  After all, article 6 of the &lt;a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML"&gt;EU Data Privacy Directive&lt;/a&gt; provides that &lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;1. 
Member States shall provide that personal data must be:&lt;br /&gt;(a) processed fairly and lawfully;&lt;br /&gt;(b) &lt;span style="font-weight:bold;"&gt;collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.&lt;/span&gt; Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;&lt;br /&gt;(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;&lt;br /&gt;(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;&lt;br /&gt;(e) &lt;span style="font-weight:bold;"&gt;kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.&lt;/span&gt; Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;which appears to be analogous to the concept of recognizing the context in which data is provided when deciding how that data should be used.&lt;br /&gt;&lt;br /&gt;Of course, the question of whether an idea is a new one is entirely different from the question of whether the idea is a good one.  However, recognizing the similarity between the proposed context limitations on social networks and the EU's data privacy directive can certainly be beneficial in evaluating the merits of the new idea.  
Specifically, the criticisms of the EU directive (e.g., &lt;a href="http://news.cnet.com/2010-1069-962993.html"&gt;here&lt;/a&gt;) can be examined to see if they also apply to the specific context based limitations, and if context based limitations can somehow be implemented in a way that addresses those criticisms.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-5772551713357473839?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/5772551713357473839/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=5772551713357473839' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5772551713357473839'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5772551713357473839'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/05/limiting-information-sharing-based-on.html' title='Limiting Information Sharing Based on Context'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-915851353369539475</id><published>2010-04-29T12:06:00.000-07:00</published><updated>2010-04-29T12:17:30.826-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='internet privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='FTC'/><title type='text'>FTC TO CREATE GUIDELINES FOR INTERNET 
PRIVACY</title><content type='html'>After over a year of silence by the FTC concerning Internet privacy, the Commission has responded to the increasingly loud outcry by privacy advocates and legislators. Earlier this week, the FTC announced that it plans to create guidelines on Internet privacy.  A spokeswoman for the FTC stated that the FTC is “examining how social networks collect and share data as part of a project to develop a comprehensive framework governing privacy going forward.”  The guidelines will provide a framework for how social networks and others collect, use and share personal data.&lt;br /&gt;&lt;br /&gt;The catalyst for this step appeared to be a letter sent by Senator Charles Schumer (D-N.Y.), along with fellow Democratic senators Franken (Minn.), Bennet (Colo.), and Begich (Alaska), to the CEO of Facebook, Mark Zuckerberg, in response to Facebook’s announcement that it would make data from its users available to third parties unless Facebook users opted out.  Schumer’s letter asked Zuckerberg to reverse the policy and expressed concern that the federal government had not stepped up to protect the consumer from misuse of personal information.  It called for the FTC to adopt consumer enforcement rules, and to step up consumer protection enforcement.  See &lt;a href="http://voices.washingtonpost.com/posttech/2010/04/senators_pressure_facebook_to.html"&gt;this&lt;/a&gt; Washington Post article.&lt;br /&gt;&lt;br /&gt;Specifically, the senators asked Facebook to use an “opt-in” method, as opposed to the “opt-out” method announced by Facebook.  Facebook has been pushing the envelope on sharing the personal data of its users for months now, and it was simply a matter of time before it reached the tipping point.  
With each new step taken by Facebook, privacy advocates denounced the moves more strongly, and criticized the FTC for failing to respond to complaints over Facebook’s changes, as well as the mishap by Google when it launched its own social networking site, Buzz.  One thing is certain – this battle will continue to be waged aggressively on both sides.  For Facebook, there are millions of dollars in revenue at stake.  For the privacy advocates, Facebook is aiming to make itself the center of the internet, without regard to users’ privacy rights or the ability to control their personal data.  The FTC has been under increasing pressure to impose a European-style “opt-in” standard in connection with the use of personal data by social networking sites (see the &lt;a href="http://www.pcworld.com/article/193789/privacy_groups_file_ftc_complaint_on_behavioral_advertising.html"&gt;CDD FTC Complaint&lt;/a&gt;).  If past experience is any indication, however, it will be months before we know definitively whether the FTC will choose to move in that direction.&lt;br /&gt;&lt;br /&gt;(Posted on behalf of Jane Shea)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-915851353369539475?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/915851353369539475/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=915851353369539475' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/915851353369539475'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/915851353369539475'/><link rel='alternate' type='text/html' 
href='http://ephemerallaw.blogspot.com/2010/04/ftc-to-create-guidelines-for-internet.html' title='FTC TO CREATE GUIDELINES FOR INTERNET PRIVACY'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2980428820764859847</id><published>2010-04-25T15:54:00.000-07:00</published><updated>2010-04-25T18:13:44.354-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Stengart v. Loving Care Agency'/><category scheme='http://www.blogger.com/atom/ns#' term='City of Ontario v. Quon'/><title type='text'>Distinguishing Quon and Stengart</title><content type='html'>A few weeks ago, I posted about &lt;a href="http://ephemerallaw.blogspot.com/2010/04/personal-emails-on-company-computers.html"&gt;Stengart v. Loving Care Agency&lt;/a&gt;, a case where the New Jersey Supreme Court held that employees can send emails to their attorneys on company computers without waiving attorney-client privilege.  About a week later, the Supreme Court of the United States heard oral arguments in &lt;a href="http://ephemerallaw.blogspot.com/2010/04/city-of-ontario-v-quon.html"&gt;City of Ontario v. Quon&lt;/a&gt;, a case where, from the oral arguments, it looks like the Supreme Court will hold that an employer can read messages sent to an employee on a company pager.  The question is, will any meaningful part of the employee protections from Stengart survive the probable employer friendly ruling of Quon?&lt;br /&gt;&lt;br /&gt;After re-reading the decision in Stengart, and the oral arguments in Quon, I think that, when the ruling in Quon is handed down, it will likely be distinguishable from Stengart, leaving the employee protections in that case fully intact.  
The critical question for whether Quon will undermine Stengart is whether Quon will state that employers can abrogate an employee's reasonable expectation of privacy with a policy stating that all communications made using company equipment are non-confidential, and will be monitored.  Stengart, as I mentioned in my last post, stated that, even if such a policy did exist, it would be unenforceable (at least with respect to emails which would otherwise be covered by the attorney-client privilege).  By contrast, the oral arguments in Quon indicated that the US Supreme Court was at least open to the possibility that employers would use a "no-privacy policy" to eliminate whatever privacy expectations their employees would otherwise have.  If the Supreme Court does decide Quon on the theory that such a "no-privacy policy" could eliminate the employee's expectation of privacy, it would cut the heart out of the Stengart decision.&lt;br /&gt;&lt;br /&gt;However, while I still think it is likely that the Supreme Court will issue an employer-friendly ruling in Quon, it doesn't necessarily have to do so based on the theory that a "no-privacy policy" can eliminate an expectation of privacy.  As mentioned by Justice Kennedy (see page 12 of the &lt;a href="http://www.supremecourt.gov/oral_arguments/argument_transcripts/08-1332.pdf"&gt;transcript&lt;/a&gt;), the city had two arguments it could prevail on:&lt;br /&gt;&lt;blockquote&gt;One, that it's -- there is no reasonable expectation of privacy [this would be the no-privacy policy argument]; [two] even if there were, that this was a reasonable search [meaning that the no-privacy policy wouldn't have to be effective for the city to win].&lt;/blockquote&gt;&lt;br /&gt;Further, Justice Scalia seemed to indicate that the second of those rationales would be an easier way for the Court to find in favor of the city (see page 24 of the transcript).  
As a result, when the decision in Quon does come out, I think there is a good chance that it will be possible to distinguish that decision from Stengart by pointing out that Quon (once the hypothetical decision comes out) was decided based on the reasonableness of the employer's actions, rather than based on the effectiveness of the employer's no-privacy policy.&lt;br /&gt;&lt;br /&gt;Of course, it's also possible that the Supreme Court will hold that the no-privacy policy in Quon eliminated the employee's reasonable expectation of privacy.  If that happens, there are still a number of grounds on which the two cases can likely be distinguished.  For example, Stengart was decided based on New Jersey common law, while Quon was a Fourth Amendment case.  However, I find that distinction analytically unsatisfying, since Stengart made clear that the analysis under the common law was similar to that under the Fourth Amendment, and didn't turn on any distinction between them.  It's also possible that the cases could be distinguished based on the fact that the communications in Quon were personal messages, while those in Stengart were messages from an attorney about a case.  While this is slightly more satisfying, since courts have traditionally been highly protective of the privilege, it seems a bit odd that a reasonable expectation of privacy would turn on the content of a message.  &lt;br /&gt;&lt;br /&gt;In any case, it's possible that all this prognostication is beside the point.  The Supreme Court hasn't ruled in City of Ontario v. Quon, and, until it does, there's no real way to know what impact it will have on Stengart.  
However, given the above, even once it does, I think there's a good chance that it'll leave the employee protections of Stengart mostly intact.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2980428820764859847?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2980428820764859847/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2980428820764859847' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2980428820764859847'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2980428820764859847'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/04/distinguishing-quon-and-stengart.html' title='Distinguishing Quon and Stengart'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-429003880927366292</id><published>2010-04-20T05:10:00.000-07:00</published><updated>2010-04-20T05:18:21.587-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='City of Ontario v. Quon'/><category scheme='http://www.blogger.com/atom/ns#' term='Fourth Amendment'/><category scheme='http://www.blogger.com/atom/ns#' term='Supreme Court'/><title type='text'>City of Ontario v. Quon</title><content type='html'>Yesterday, the Supreme Court heard oral arguments in City of Ontario v. 
Quon (transcript &lt;a href="http://www.supremecourt.gov/oral_arguments/argument_transcripts/08-1332.pdf"&gt;here&lt;/a&gt;), a case which addressed the ability of government employers to read personal text messages sent using government pagers.  The background: Jeff Quon was a SWAT Sergeant who used a department-issued pager to exchange text messages with his wife and girlfriend.  After Quon repeatedly exceeded the department's 25,000 character/month limit, an audit was conducted which revealed Quon's personal text messages.  Quon sued, claiming that he had a reasonable expectation of privacy in his personal text messages, and that reading the messages as part of the audit was an unreasonable search.  The district court disagreed, the Ninth Circuit Court of Appeals reversed, and the Supreme Court accepted cert.&lt;br /&gt;&lt;br /&gt;There were a couple of factual issues in the case, such as whether the police department's policy regarding personal communications covered text messages, and whether that policy had been modified by a later staff meeting where a Lieutenant had said that he wouldn't audit the messages as long as the individual employees paid for any overages.  However, as described in the &lt;a href="http://www.scotuswiki.com/index.php?title=City_of_Ontario_v._Quon"&gt;Scotuswiki&lt;/a&gt; (which did a pretty good job of summarizing the case and arguments), at oral argument, the Supreme Court seemed to be minimizing those factual issues, and coming down pretty squarely against Sergeant Quon.  The Scotuswiki cited Justice Ginsburg as indicative of the court's apparent leanings.  My preference would have been Justice Scalia, for this characteristically blunt exchange:&lt;blockquote&gt;&lt;br /&gt;JUSTICE SCALIA: I guess we don't decide our -- our Fourth Amendment privacy cases on the basis of whether there -- there was an absolute guarantee of privacy from everybody. 
I think -- I think those cases say that if you think it can be made public by anybody, you don't -- you don't really have a right of privacy. So when the -- when the filthy-minded police chief listens in, &lt;span style="font-weight:bold;"&gt;it's a very bad thing, but it's not offending your right of privacy. You expected somebody else could listen in, if not him.&lt;/span&gt;&lt;br /&gt;MR. RICHLAND [representing the City of Ontario]: I think that's correct, Justice Scalia.&lt;br /&gt;JUSTICE SCALIA: I think it is.&lt;/blockquote&gt;(emphasis added)&lt;br /&gt;Of course, whether you focus on Scalia, or Ginsburg, or one of the other Justices, the result looks the same - the Supreme Court is likely to decide that, at least for SWAT personnel using government issued pagers, employers are allowed to audit text messages by reading them, even if some of those text messages are personal.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-429003880927366292?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/429003880927366292/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=429003880927366292' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/429003880927366292'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/429003880927366292'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/04/city-of-ontario-v-quon.html' title='City of Ontario v. 
Quon'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2720444464182151837</id><published>2010-04-18T16:25:00.000-07:00</published><updated>2010-04-18T19:10:09.991-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='stored communications act'/><title type='text'>Yahoo Fights for Privacy; Ultimate Result Inconclusive</title><content type='html'>Via &lt;a href="http://www.wired.com/threatlevel/2010/04/emailprivacy-2/"&gt;this&lt;/a&gt; story from &lt;a href="http://www.wired.com"&gt;Wired.com&lt;/a&gt;, Yahoo has "prevailed" in its efforts to resist a court order to turn over emails based on an assertion that the emails were "relevant and material to an ongoing criminal investigation," rather than on a warrant.  Technically, at least in the legal sense, Yahoo actually prevailed.  Federal prosecutors, who had requested the emails as part of their investigation into a sealed criminal case, dropped their request, meaning that Yahoo prevailed on whether it would have to turn the particular requested emails over in this case.  However, in a broader sense, Yahoo's "victory" is an empty one, and could arguably be treated as worse than a clear loss.  The reason is that the heart of Yahoo's dispute with the prosecutors was interpretation of the &lt;a href="http://www4.law.cornell.edu/uscode/18/pIch121.html"&gt;Stored Communications Act&lt;/a&gt;.  As I mentioned previously (see &lt;a href="http://ephemerallaw.blogspot.com/2010/04/cloud-computing-good-for-privacy.html"&gt;here&lt;/a&gt;), this law has been the subject of substantial controversy, and a definitive ruling could have helped clarify the situation.  
As it is though, the cloud of uncertainty remains, leaving future litigants in the same situation of potentially having to defy a court order when prosecutors request emails that are arguably material, but which can't be obtained with a warrant.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2720444464182151837?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2720444464182151837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2720444464182151837' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2720444464182151837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2720444464182151837'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/04/yahoo-fights-for-privacy-ultimate.html' title='Yahoo Fights for Privacy; Ultimate Result Inconclusive'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6585447765158614715</id><published>2010-04-14T16:56:00.000-07:00</published><updated>2010-04-14T17:03:50.353-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='electronic discovery'/><category scheme='http://www.blogger.com/atom/ns#' term='email'/><category scheme='http://www.blogger.com/atom/ns#' term='privilege'/><title type='text'>Personal Emails on Company 
Computers</title><content type='html'>In December of 2007, Marina Stengart was employed as the Executive Director for Nursing at Loving Care Agency Inc., a company which provides home-care nursing and health services.  Sadly, Ms. Stengart's relationship with Loving Care soured, and she left Loving Care and sued for, among other things, harassment based on gender, religion and national origin.  However, before she left, Ms. Stengart used a laptop computer provided by the company to exchange emails with her attorney.  When she left, she returned the laptop to Loving Care, and they were able to retrieve and read those emails by examining her computer's cache.&lt;br /&gt;&lt;br /&gt;Not surprisingly, her lawyer went berserk (which, when a lawyer does it, is called applying for an order to show cause) and said that Loving Care's attorney should have treated the emails as privileged and returned them once they were discovered.  Loving Care's attorney disagreed, and, on March 30, the New Jersey Supreme Court issued a comprehensive opinion (which can be found &lt;a href="http://lawlibrary.rutgers.edu/courts/supreme/a-16-09.opn.html"&gt;here&lt;/a&gt;) stating that Loving Care's attorney should have treated the emails as privileged and remanding to the trial court to determine an appropriate sanction.&lt;br /&gt;&lt;br /&gt;Some interesting points from the opinion:&lt;br /&gt;&lt;br /&gt;1) The Court said that Loving Care's policy regarding personal emails received on company machines was not entirely clear.  
However&lt;blockquote&gt;Because of the important policy concerns underlying the attorney-client privilege, even a more clearly written company manual -- that is, a policy that banned all personal computer use and provided unambiguous notice that an employer could retrieve and read an employee's attorney-client communications, if accessed on a personal, password protected e-mail account using the company's computer system -- would not be enforceable.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;2) The fact that Ms. Stengart was technically unsophisticated and didn't know that her computer automatically cached documents contributed to her having a reasonable subjective expectation of privacy in the emails.  If she had been more technically savvy, the Court may not have decided the emails were protected (though, given the policy considerations surrounding the privilege, I wouldn't bet on it).&lt;br /&gt;&lt;br /&gt;3) Even though it wasn't searching for privileged materials, once it found that it had emails that were potentially privileged, Loving Care's law firm had a duty not to read them, and to report them to Stengart's lawyer.  
Because Loving Care's firm didn't do that, they could be disqualified and/or forced to pay Stengart's costs (or face whatever other sanctions the trial court deems appropriate).&lt;br /&gt;&lt;br /&gt;An interesting case, and a result I'm sure was an unpleasant surprise to Loving Care.&lt;br /&gt;&lt;br /&gt;via &lt;a href="http://www.computerworld.com/s/article/9174820/Ruling_suggests_limits_on_employer_s_access_to_personal_e_mail?taxonomyId=84"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6585447765158614715?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6585447765158614715/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6585447765158614715' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6585447765158614715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6585447765158614715'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/04/personal-emails-on-company-computers.html' title='Personal Emails on Company Computers'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6830553267571256988</id><published>2010-04-14T07:22:00.000-07:00</published><updated>2010-04-14T07:31:44.249-07:00</updated><title type='text'>Internet Giants’ Online Advertising Practices Challenged</title><content type='html'>Just as one might wonder whether the FTC had decided to choose its battles and allow the online behavioral marketing dog to continue its nap, the dog has been awakened with a loud boom. Targeted behavioral advertising practices have been in the crosshairs of privacy advocates for several years, and the privacy advocates have finally pulled the trigger. The Center for Digital Democracy (CDD) and two other public interest groups filed a complaint with the Federal Trade Commission last week challenging the tracking and profiling practices used by Internet companies such as Google, Yahoo and Microsoft. Specifically, the complainants ask the Internet companies to acknowledge that the software “cookies” they embed in a Web browser collect data about a person’s online movements that should be considered personally identifiable information, even though the cookies don’t have a person’s name attached to them.&lt;br /&gt;&lt;br /&gt;The privacy groups claim they are not calling for an outright ban of behavioral advertising. Instead they seek a balance between what they term the “Wild West” of data collection in the world of online advertising, and privacy controls such as notice and consent. Specifically, CDD, U.S. PIRG and World Privacy Forum called on the FTC to investigate the internet companies using its Section 5 authority for conduct that constitutes unfair and deceptive practices, and to issue an injunction against the unfettered use of what they claim is personal information collected by the companies. 
A full copy of the complaint can be found &lt;a href="http://democraticmedia.org/files/u1/20100407-FTCfiling.pdf"&gt;here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The use of targeted behavioral advertising has been a controversial practice for several years, with privacy advocates sounding the alarms, and advertisers pushing for self-regulation. Following the release by the FTC of the FTC Staff Report: Self Regulatory Principles for Online Behavioral Advertising in February, 2009, various industry associations released the Self-Regulatory Principles for Online Behavioral Advertising in July, 2009. In the Conclusion to its Report, the FTC stated that it would continue to evaluate the industry’s efforts at self-regulation, monitor the marketplace and conduct investigations to determine whether there have been violations of Section 5, and meet with industry representatives and consumer protection groups to keep pace with changes. There has been no official word from the FTC in response to the industry’s publication of its Self-Regulatory Principles.&lt;br /&gt;&lt;br /&gt;One can only surmise that the consumer protection groups simply got tired of waiting. 
How the FTC proceeds in response to the complaint will reveal how forcefully the FTC intends to address the online behavioral marketing phenomenon going forward.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6830553267571256988?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6830553267571256988/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6830553267571256988' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6830553267571256988'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6830553267571256988'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/04/internet-giants-online-advertising.html' title='Internet Giants’ Online Advertising Practices Challenged'/><author><name>Jane Shea</name><uri>http://www.blogger.com/profile/17732636392484969702</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6925368646544158027</id><published>2010-04-11T15:51:00.000-07:00</published><updated>2010-04-11T18:08:18.251-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='private suits'/><category scheme='http://www.blogger.com/atom/ns#' term='waledac'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><title type='text'>Microsoft v. 
Waledac</title><content type='html'>&lt;a href="http://noticeofpleadings.com/"&gt;This&lt;/a&gt; is a site that all lawyers working in the area of computer security should be aware of and visit.  It's a page which contains all the pleadings from Microsoft's current case against John Does 1-27 (aka the "Waledac" botnet).  This page is important for two reasons.  First, Microsoft's efforts against the botnet are on the cutting edge of legal efforts to shut down hacking operations, and so should be seen as examples of legal theories that can be used in that area.  Second, it has some interesting (and probably useful) examples of rhetoric and explanations which can be used to sway a (presumably) technologically unsavvy judge to your side.  For example, on pages 3-9 of the &lt;a href="http://noticeofpleadings.com/images/Application_for_Ex_Parte_TRO.pdf"&gt;PDF of Microsoft's motion for a temporary restraining order against the botnet&lt;/a&gt;, there is a non-technical tutorial on what a botnet is, and how issuing the TRO would shut it down, complete with pictures.  Similarly, in making the arguments in support of the TRO, Microsoft repeatedly seeks to establish the harm the botnet is causing by explaining how it harms Microsoft's customers.  E.g.:&lt;br /&gt;&lt;blockquote&gt;Once customers' computers are infected and become part of the botnet, they are unaware of that fact and may not have the technical resources to solve the problem, allowing their computers to be misused indefinitely.  
Thus, extrajudicial, technical attempts to remedy the problem alone are insufficient and the injury caused to customers continues.&lt;/blockquote&gt;&lt;br /&gt;While this might not be the most relevant argument legally (after all, one is generally not allowed to bring suit based on injuries to third parties) from an emotional standpoint, it almost certainly made the judge more likely to grant Microsoft's requested relief.*&lt;br /&gt;&lt;br /&gt;In any case, there's too much there to succinctly summarize here.  Further, there's no reason to want to read a summary.  The information is valuable enough to be worth the time to read in the original.&lt;br /&gt;&lt;br /&gt;*Yes, I am aware that harm to third parties can be used to establish that issuing an injunction is in the public interest.  However, Microsoft invoked its customers' interests essentially everywhere, not only when arguing that the public interest would be served by granting a TRO.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6925368646544158027?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6925368646544158027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6925368646544158027' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6925368646544158027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6925368646544158027'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/04/microsoft-v-waledac.html' title='Microsoft v. 
Waledac'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-5804475548447577553</id><published>2010-04-04T16:15:00.000-07:00</published><updated>2010-04-04T16:50:39.082-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Konop v. Hawaiian Airlines'/><category scheme='http://www.blogger.com/atom/ns#' term='US v. Councilman'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing'/><title type='text'>Cloud Computing: Good for Privacy?</title><content type='html'>In general, cloud computing is not good for privacy.  For documents stored on the cloud, not only is there the same risk of hacking that is present for all electronic documents, but there's also a risk that the cloud service provider will accidentally share your data with other clients or users who don't have your permission to see it (&lt;span style="font-style:italic;"&gt;see&lt;/span&gt;, &lt;span style="font-style:italic;"&gt;e.g.&lt;/span&gt;, &lt;a href="http://techcrunch.com/2009/03/07/huge-google-privacy-blunder-shares-your-docs-without-permission/"&gt;Google Privacy Blunder Shares Your Docs Without Permission&lt;/a&gt;).  However, now, a group of technology companies is coming together to try and address some of the concerns related to cloud computing with a positive change in the law.  
As described in &lt;a href="http://news.cnet.com/8301-13578_3-20001393-38.html"&gt;this&lt;/a&gt; article, the group, calling itself the &lt;a href="http://digitaldueprocess.org"&gt;Digital Due Process Initiative&lt;/a&gt;, is pressing for the law regarding access to electronically stored information to be clarified, and the protections for that information to be strengthened.  &lt;br /&gt;&lt;br /&gt;     To my mind, this is a positive development.  The law on what protections are afforded to electronic communications is not at all clear, as there is currently a split between the First Circuit's decision in U.S. v. Councilman and the Ninth Circuit's decision in Konop v. Hawaiian Airlines on the question of when (and if) the protections of the wiretap act apply to email (&lt;span style="font-style:italic;"&gt;see&lt;/span&gt; &lt;a href="http://www.techlawjournal.com/topstories/2005/20050811a.asp"&gt;here&lt;/a&gt;).  While clarifying that (and preferably strengthening existing law) won't eliminate problems that could be caused by cloud service providers accidentally sharing data, if the coalition succeeds, it would change cloud computing from a phenomenon which is almost wholly destructive of privacy, to one which could have beneficial effects, at least in terms of lobbying and raising people's awareness of the issues.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-5804475548447577553?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/5804475548447577553/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=5804475548447577553' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5804475548447577553'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5804475548447577553'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/04/cloud-computing-good-for-privacy.html' title='Cloud Computing: Good for Privacy?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9070449742170243995</id><published>2010-03-21T11:06:00.000-07:00</published><updated>2010-03-21T19:25:49.627-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='enforcement'/><category scheme='http://www.blogger.com/atom/ns#' term='cybercrime'/><category scheme='http://www.blogger.com/atom/ns#' term='criminal enforcement'/><category scheme='http://www.blogger.com/atom/ns#' term='mariposa'/><title type='text'>Punishing Cybercrime</title><content type='html'>Is chasing cybercrooks worth it?&lt;br /&gt;&lt;br /&gt;That's the headline to &lt;a href="http://www.cnn.com/2010/TECH/03/05/cyberattack.prosecute/index.html"&gt;this&lt;/a&gt; article from CNN.  I was a bit shocked to see it.  The triggering event for that article was the arrest of three men who appear to have operated the 13 million computer "Mariposa" botnet.  I would have expected that taking down such a significant* botnet would be followed by multiple rounds of self-congratulation, rather than questions about the value of the whole enterprise.  
However, according to the article&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;the whole get-the-bad-guys effort, while it makes for good drama, is a futile way to secure the Internet, some computer security experts say.&lt;br /&gt;&lt;br /&gt;"The virus writers and the Trojan [horse] writers, they're still out there," said Tom Karygiannis, a computer scientist and senior researcher at the National Institute of Standards and Technology. "So I don't think they've deterred anyone by prosecuting these people."&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;It would be smarter, Karygiannis said, to develop new anti-virus technologies and to teach people how to protect themselves from Internet crime.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;To my mind, the sentiment reflected in the above quote is simply wrong.  &lt;br /&gt;&lt;br /&gt;First, Karygiannis' proposed alternatives are, at best, highly imperfect solutions.  With respect to user education, I suspect Karygiannis has underestimated how difficult user education actually is, though, given that it's common knowledge that people &lt;span style="font-style:italic;"&gt;still&lt;/span&gt; fall for Nigerian email scams (see, e.g., &lt;a href="http://www.re-quest.net/internet/myths/nigeria/"&gt;here&lt;/a&gt;), I don't know why he would.  Further, even if user education were perfect, it's not at all clear how it would protect against malware which spreads by exploiting vulnerabilities in legitimate software.  Indeed, Mariposa itself has been observed to spread through vulnerabilities in Internet Explorer 6 (among other vectors, described &lt;a href="http://www.defintel.com/mariposa.shtml"&gt;here&lt;/a&gt;), so even the specific botnet addressed in the article provides a counterexample to the proposition that user education is some kind of panacea.  &lt;br /&gt;With respect to better anti-virus technologies, technical protection mechanisms are certainly helpful, but they too aren't a panacea.  
Better anti-virus protection is nice, but the people writing malware aren't dummies, and they constantly improve their products to address advances in security technology.  A great example of how this works is Conficker, a malware program whose "unknown authors are ... believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities" (via &lt;a href="http://en.wikipedia.org/wiki/Conficker"&gt;Wikipedia&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Second, with respect to Karygiannis' comment that "I don't think they've deterred anyone by prosecuting these people," to the extent that comment is meant literally (that cybercriminals, as a class, are immune to the deterrent effect of criminal prosecution), it seems unbelievable.  That's especially true since the arrests related to the Mariposa botnet are only part of a series of well-publicized law enforcement actions against cybercriminals (for example, the recommended 25-year sentence for computer hacker Albert Gonzalez, described in &lt;a href="http://www.wired.com/threatlevel/2010/03/gonzalez-gov-memo/"&gt;this&lt;/a&gt; article).  Further, even if it were true that prosecution of cybercriminals had no deterrent effect whatsoever, it would still have the effect of preventing the particular cybercriminals who had been prosecuted from committing further crimes.  This effect, referred to as incapacitation, is something that has been well studied and documented with respect to other types of crimes (e.g., &lt;a href="http://www.cide.info/conf/2009/iceee2009_submission_76.pdf"&gt;here&lt;/a&gt;), and there is no reason why it shouldn't apply to cybercrime as well.  &lt;br /&gt;&lt;br /&gt;The bottom line is that punishment of cybercriminals is a necessary part of our collective defense against cybercrime.  
To simply focus on user education and technical protection mechanisms, while those are important tools, would do nothing to address the source of these crimes.  &lt;br /&gt;&lt;br /&gt;*Determining the actual size of botnets is, to put it mildly, an inexact science.  For example, &lt;a href="http://www.theregister.co.uk/2008/04/09/kraken_disagreement/"&gt;this article&lt;/a&gt; about the size of the "Kraken" botnet pointed out that the controversy regarding Kraken's size was not limited to how many machines it controlled, but also reached more basic questions, such as whether Kraken was really separate from the older "Bobax" botnet.  However, regardless of how botnet size is counted, Mariposa is undeniably huge (by comparison, Kraken was estimated at 400,000 machines - several orders of magnitude smaller than Mariposa).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9070449742170243995?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9070449742170243995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9070449742170243995' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9070449742170243995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9070449742170243995'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/03/punishing-cybercrime.html' title='Punishing Cybercrime'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8981220301116473653</id><published>2010-03-14T18:57:00.000-07:00</published><updated>2010-03-14T19:41:21.451-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anonymized data'/><category scheme='http://www.blogger.com/atom/ns#' term='Netflix'/><title type='text'>Netflix Fails Data Anonymization</title><content type='html'>According to &lt;a href="http://www.wired.com/threatlevel/2010/03/netflix-cancels-contest/"&gt;this&lt;/a&gt; story from the Wired Threat Level blog, Netflix has shut down the sequel to its &lt;a href="http://en.wikipedia.org/wiki/Netflix_Prize"&gt;original $1,000,000 Netflix prize&lt;/a&gt; as a result of a privacy lawsuit.  The problem for Netflix was that there is &lt;a href="http://en.wikipedia.org/wiki/Video_Privacy_Protection_Act"&gt;a specific law which prevents disclosure of a person's video rentals&lt;/a&gt;, and Netflix provided enough information about individual users in their supposedly anonymized training data that at least some of that data could be de-anonymized.&lt;br /&gt;&lt;br /&gt;So, was Netflix wrong to give out the data it included in the second contest?  Well, the second contest indicated what movies people had watched, and what ratings they had given them.  The people weren't identified by name, but their ZIP codes, ages and genders were provided.  As it happens, there is an 87% chance that, if you have someone's birth date, ZIP code, and gender, you can uniquely identify that person (as related in &lt;a href="http://www.wired.com/threatlevel/2009/12/netflix-privacy-lawsuit/"&gt;this&lt;/a&gt; article, also from Threat Level).  Does that mean Netflix's second contest ran afoul of the law?  Well, it was settled, so we don't know what a court will say.  
However, it was certainly a significant enough risk that Netflix decided to cancel the well-publicized sequel to its earlier successful efforts, which probably means that Netflix made a bit too much public.&lt;br /&gt;&lt;br /&gt;Now that it's all over, given the benefit of 20/20 hindsight, what should Netflix have done with the second contest?  Well, from a conservative standpoint, it could probably have avoided the type of privacy complaints that came up if, instead of just removing names, it had followed the anonymization guidelines provided for medical research on human subjects (a good summary of which can be found &lt;a href="http://www.google.com/url?sa=t&amp;source=web&amp;ct=res&amp;cd=1&amp;ved=0CAkQFjAA&amp;url=http%3A%2F%2Foregonstate.edu%2Fresearch%2Fori%2F22%2520-%2520HIPAA%2520and%2520the%2520Common%2520Rule.ppt&amp;rct=j&amp;q=hipaa+anonymization&amp;ei=vJydS_yBIcH68AbLhfWdDg&amp;usg=AFQjCNGdqgV4a6UhWA2QfkB3bO8NfoxHRQ"&gt;here&lt;/a&gt;).  Those guidelines have the benefit of being the gold standard for data anonymization, and they also list specific items to exclude, including the ZIP codes that were in Netflix's data set.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8981220301116473653?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8981220301116473653/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8981220301116473653' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8981220301116473653'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8981220301116473653'/><link rel='alternate' type='text/html' 
href='http://ephemerallaw.blogspot.com/2010/03/netflix-fails-data-anonymization.html' title='Netflix Fails Data Anonymization'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1011244391095603538</id><published>2010-03-07T11:58:00.000-08:00</published><updated>2010-03-07T14:17:44.674-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='HITECH'/><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category scheme='http://www.blogger.com/atom/ns#' term='state enforcement'/><title type='text'>HIPAA Enforcement</title><content type='html'>Is HIPAA meaningful?  For a long time, the answer to that question was arguably no.  The date for compliance with the privacy rules was April 14, 2003, and the date for compliance with the security rule was two years later (the &lt;a href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule"&gt;HIPAA Wikipedia entry&lt;/a&gt; has a good summary of this history).  Nevertheless, it wasn't until 2007 that the first HIPAA audit took place (see &lt;a href="http://www.realtime-itcompliance.com/privacy_and_compliance/2007/09/the_first_ever_hipaa_audit_whe.htm"&gt;here&lt;/a&gt;), and the lack of enforcement led many to believe that HIPAA was basically toothless (see, e.g., &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html"&gt;here&lt;/a&gt;).  &lt;br /&gt;&lt;br /&gt;Now though, that may be changing.  
One of the notable features of the HITECH act was that it gave state attorneys general the right to file suit on behalf of state residents who have been harmed by a HIPAA violation (the text of the act can be found &lt;a href="http://www.hitech-act.com/uploads/HITECH_Act_from_PL_111-005.pdf"&gt;here&lt;/a&gt;).  Since then, the attorney general of Connecticut has taken advantage of that new authority, and filed suit against Health Net Connecticut, Inc. for HIPAA violations (among other things).  The press release is &lt;a href="http://www.ct.gov/ag/cwp/view.asp?Q=453916&amp;A=3869"&gt;here&lt;/a&gt;, and the complaint can be found &lt;a href="http://www.huntonprivacyblog.com/uploads/file/CT%20AG%20Complaint%20Against%20Health%20Net.pdf"&gt;here&lt;/a&gt;.  Does this herald a new era of aggressive HIPAA enforcement?  I tend to think not.  The HITECH act limits the amount of damages recoverable by attorneys general to $25,000 per calendar year for violations of any individual requirement or prohibition, so HIPAA enforcement isn't going to be a panacea for states which already have limited enforcement budgets.  On the other hand, there has already been one suit, and if an attorney general is already thinking about bringing an action (e.g., under some applicable state law), the extra HIPAA recovery could make the difference in whether a suit is brought.  
Either way though, with the Connecticut attorney general's action, the era of absent HIPAA enforcement is officially closed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1011244391095603538?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1011244391095603538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1011244391095603538' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1011244391095603538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1011244391095603538'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/03/hipaa-enforcement.html' title='HIPAA Enforcement'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2440934739205906813</id><published>2010-02-28T19:01:00.000-08:00</published><updated>2010-02-28T19:38:07.251-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='students'/><category scheme='http://www.blogger.com/atom/ns#' term='computer fraud and abuse act'/><category scheme='http://www.blogger.com/atom/ns#' term='Lower Merion'/><category scheme='http://www.blogger.com/atom/ns#' term='Fourth Amendment'/><title type='text'>Creepiest Privacy Violation of 2009?</title><content type='html'>Imagine your child's school offered him or her a free 
laptop to do homework.  That'd be pretty cool, right?  Now, imagine that the school administrators used a built in web cam to surreptitiously take pictures of your children.  According to the &lt;a href="http://craphound.com/robbins17.pdf"&gt;complaint&lt;/a&gt; filed in Robins v. Lower Merion School District, that's exactly what happened in one Pennsylvania school district (actually, it's even creepier than that, if the allegations set forth &lt;a href="http://strydehax.blogspot.com/2010/02/spy-at-harrington-high.html"&gt;here&lt;/a&gt; are true).  The complaint alleges violations of (among other things) the electronic communications privacy act, the stored communications act, the computer fraud and abuse act, and the fourth amendment (since the school administrators were acting on behalf of the state when they were allegedly violating the student's privacy rights).  &lt;br /&gt;&lt;br /&gt;Of course, the school officials are denying any wrongdoing, and claim they have been unfairly portrayed (see &lt;a href="http://www.inyork.com/state/ci_14439334"&gt;here&lt;/a&gt;).  That could be true.  After all, there's a reason we have trials, and it makes sense not to rush to judgment until after both sides have been able to have their proverbial day in court.  However, while I don't want to rush to judgment, I can make a few comments at least on the legal theories in the case.  First, while I understand the plaintiff's argument, that taking surreptitious web cam pictures violated the stored communications act and electronic communications privacy acts, I still don't know how good a fit those acts are for this particular (alleged) crime.  After all, while the hypothetical communications (i.e., web cam images) were illicit, they weren't intercepted or accessed by anyone other than their intended recipients.  Instead, I think the computer fraud and abuse act arguments seem a bit more natural.  
For the computer fraud and abuse act, I can't imagine how taking surreptitious pictures over a web cam doesn't exceed authorized access to a protected computer.  I think the fourth amendment claim is also a good fit.  While students have a lessened right to privacy in the school, there must still be a reasonable suspicion of illegal activity before school authorities can perform a search (a more detailed, and better, explanation of the relevant precedent can be found &lt;a href="http://www.scotusblog.com/2009/06/analysis-some-expansion-of-student-privacy/"&gt;here&lt;/a&gt;).  Further, the alleged monitoring wasn't limited to school hours, but also caught students while they were at home and, according to the complaint, "in various stages of dress or undress."  &lt;br /&gt;&lt;br /&gt;Again, all of the allegations in the complaint are just that: allegations.  Until the defendants have a chance to answer, and the case is actually tried, they are presumed innocent (or, in this case, not liable).  
However, at least from the face of the complaint, it appears as though there could have been some serious privacy violations (potentially supporting claims under at least the fourth amendment and the computer fraud and abuse act).&lt;br /&gt;&lt;br /&gt;(via &lt;a href="http://www.schneier.com/blog/archives/2010/02/remotely_spying.html"&gt;Bruce Schneier&lt;/a&gt;)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2440934739205906813?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2440934739205906813/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2440934739205906813' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2440934739205906813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2440934739205906813'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/02/creepiest-privacy-violation-of-2009.html' title='Creepiest Privacy Violation of 2009?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8244388356039634998</id><published>2010-02-21T13:50:00.000-08:00</published><updated>2010-02-21T14:58:02.465-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='class actions'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Buzz'/><title 
type='text'>Google Buzz Lawsuit</title><content type='html'>In a completely unsurprising development, a class action lawsuit has been filed on behalf of all Gmail users who were linked to Google Buzz (story &lt;a href="http://abcnews.go.com/Technology/google-buzz-draws-class-action-suit-harvard-student/story?id=9875095&amp;page=1"&gt;here&lt;/a&gt;).  The complaint alleges that Google unlawfully shared users' personal data without their permission, and cites the &lt;a href="http://www.law.cornell.edu/uscode/18/usc_sup_01_18_10_I_20_119.html"&gt;electronic communications privacy act&lt;/a&gt;, the &lt;a href="http://www.law.cornell.edu/uscode/18/1030.html"&gt;computer fraud and abuse act&lt;/a&gt;, the &lt;a href="http://www.law.cornell.edu/uscode/18/usc_sup_01_18_10_I_20_121.html"&gt;stored communications act&lt;/a&gt;, as well as California statutory and common law.&lt;br /&gt;&lt;br /&gt;At this point, Google hasn't answered (or even been served with) the complaint, so we don't know how they'll defend against the suit.  However, the complaint is available online (e.g., &lt;a href="http://docs.justia.com/cases/federal/district-courts/california/candce/5:2010cv00672/224341/1/0.pdf"&gt;here&lt;/a&gt;).  From my brief perusal, there are a couple of points about it that look a bit odd.  
For example:&lt;br /&gt;&lt;br /&gt;The lawsuit alleges (paragraph 17) that&lt;blockquote&gt;Google Buzz "posted" to Buzz any information that was previously posted to certain other Google websites, including but not limited to Picasa, Google Reader, and Twitter.&lt;/blockquote&gt;  Why Twitter is considered a Google website is something of a mystery, especially since Buzz is seen (e.g., &lt;a href="http://www.pcmag.com/article2/0,2817,2359017,00.asp"&gt;here&lt;/a&gt;) as an attempt to compete with (among others) Twitter.&lt;br /&gt;&lt;br /&gt;The lawsuit was filed in the 9th circuit (specifically, California), which has adopted an interpretation of the electronic communications privacy act which makes it relatively difficult to apply that act to email communications (see, e.g., &lt;a href="http://ephemerallaw.blogspot.com/2007/09/know-your-pleadings-electronic.html"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;The lawsuit alleges violation of the computer fraud and abuse act, which is a little odd because that act is generally focused on unauthorized access to protected computers, rather than on unauthorized access to third party data.&lt;br /&gt;&lt;br /&gt;Anyway, I suspect that, oddities in the complaint notwithstanding, the Buzz lawsuit will go the way of the Beacon lawsuit before it.  That is, it will be settled with the individual class members getting nothing but whatever warm feeling comes from having been part of a lawsuit.*  However, while it lasts, the lawsuit could be interesting (especially if Google fights at all), and might provide an incentive for Google to pay a bit more attention to privacy going forward.&lt;br /&gt;&lt;br /&gt;*Of course, the settlement hasn't been finalized yet.  
The terms of the settlement, as well as other information on the Beacon case, can be found &lt;a href="http://www.beaconclasssettlement.com/Index.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8244388356039634998?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8244388356039634998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8244388356039634998' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8244388356039634998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8244388356039634998'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/02/google-buzz-lawsuit.html' title='Google Buzz Lawsuit'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-800626708866335200</id><published>2010-02-14T06:41:00.000-08:00</published><updated>2010-02-14T07:32:10.156-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='Google Buzz'/><title type='text'>Google Buzz</title><content type='html'>On the 13th, &lt;a href="lefarkins.blogspot.com"&gt;Lawyers, Guns and Money&lt;/a&gt;, a blog I read regularly, posted the following complaint (originally posted at &lt;a 
href="http://fugitivus.wordpress.com/"&gt;Fugitivus&lt;/a&gt; a blog which is not open to the public) regarding Google Buzz:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;I use my private Gmail account to email my boyfriend and my mother. There’s a BIG drop-off between them and my other “most frequent” contacts. You know who my third most frequent contact is? My abusive ex-husband.&lt;br /&gt;&lt;br /&gt;Which is why it’s SO EXCITING, Google, that you AUTOMATICALLY allowed all my most frequent contacts access to my Reader, including all the comments I’ve made on Reader items, usually shared with my boyfriend, who I had NO REASON to hide my current location or workplace from, and never did.&lt;br /&gt;&lt;br /&gt;My other most frequent contacts? Other friends of Flint’s.&lt;br /&gt;&lt;br /&gt;Oh, also, people who email my ANONYMOUS blog account, which gets forwarded to my personal account. They are frequent contacts as well. Most of them, they are nice people. Some of them are probably nice but a little unbalanced and scary. A minority of them — but the minority that emails me the most, thus becoming FREQUENT — are psychotic men who think I deserve to be raped because I keep a blog about how I do not deserve to be raped, and this apparently causes the Hulk rage.&lt;br /&gt;&lt;br /&gt;F--- you, Google. My privacy concerns are not trite. They are linked to my actual physical safety, and I will now have to spend the next few days maintaining that safety by continually knocking down followers as they pop up. A few days is how long I expect it will take before you either knock this shit off, or I delete every Google account I have ever had and use Bing out of f---ing spite.&lt;br /&gt;&lt;br /&gt;F--- you, Google. 
You have destroyed over ten years of my goodwill and adoration, just so you could try and out-MySpace MySpace.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;As a note, while the concerns expressed in the above complaint are personal to the author, they are by no means limited to that one individual.  Depending on the study, either one in five or one in four women are victims of a completed or attempted rape (see &lt;a href="http://www.resurrectionafterrape.org/media/Just%20how%20many%20women%20are%20raped.pdf"&gt;here&lt;/a&gt;) at some point in their lives, and 70 percent of the perpetrators are "intimates, other relatives, friends or acquaintances" (&lt;a href="http://www.ojp.usdoj.gov/ovc/ncvrw/2005/pg5o.html"&gt;source&lt;/a&gt;) who might show up as being a contact for the victim.  &lt;br /&gt;&lt;br /&gt;Of course, the problems with Google Buzz aren't limited to rape victims (see, e.g., &lt;a href="http://news.cnet.com/8301-31322_3-10451428-256.html"&gt;Google Buzz: Privacy Nightmare&lt;/a&gt;).  
Instead, they're just one more example of how, when communication is commoditized, it will eventually be made publicly available.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-800626708866335200?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/800626708866335200/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=800626708866335200' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/800626708866335200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/800626708866335200'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/02/google-buzz.html' title='Google Buzz'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9096167484532449849</id><published>2010-02-01T18:23:00.000-08:00</published><updated>2010-02-07T18:47:28.368-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Copyright'/><category scheme='http://www.blogger.com/atom/ns#' term='DMCA'/><category scheme='http://www.blogger.com/atom/ns#' term='WiFi'/><title type='text'>How to Discuss Open WiFi</title><content type='html'>As reported in &lt;a href="http://news.cnet.com/8301-31001_3-10444879-261.html"&gt;this&lt;/a&gt; article from &lt;a href="http://www.cnet.com"&gt;C|NET&lt;/a&gt;, Cathy Paradiso, a 
technical recruiter who works out of her home near Pueblo, Colo., was recently threatened with having her internet access discontinued based on allegations of copyright infringement that ultimately proved unfounded.  According to the article, Ms. Paradiso had an unsecured wireless network, and someone took advantage of her connection to download various television shows and movies.  &lt;br /&gt;&lt;br /&gt;Anyway, on its own, this isn't that big a deal.  Certainly, it isn't that big a deal in the ongoing story of copyright infringement accusations and open WiFi (my thought is that &lt;a href="http://www.chillingeffects.org/weather.cgi?WeatherID=621"&gt;this&lt;/a&gt; story about an Ohio county which had its free WiFi shut down over a copyright infringement complaint is much more noteworthy).  However, something about the reporting on Ms. Paradiso's predicament rubbed me the wrong way.  After noting that cutting off internet for someone who works from home is essentially the same as destroying that person's business, the article asked&lt;br /&gt;&lt;blockquote&gt;is it right to penalize someone for not being tech-savvy enough to properly secure a wireless network?&lt;/blockquote&gt;&lt;br /&gt;To me, that's entirely the wrong question.  Whether someone has open WiFi isn't just a matter of tech savvy.  After all, even &lt;a href="http://www.schneier.com"&gt;Bruce Schneier&lt;/a&gt;, who is probably the web's best known expert on computer security has &lt;a href="http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html"&gt;advocated for open WiFi&lt;/a&gt;, saying that people who maintain open WiFi make the world a better place, by making a valuable resource more easily available to more people.  While Mr. 
Schneier's analysis of the costs and benefits of leaving WiFi open might not convince everyone that open WiFi is the way to go, it certainly disproves the idea that leaving WiFi open is something that only the technically unsavvy would do, and that policies should be built around the idea that leaving WiFi open is somehow a less legitimate choice than the alternative.&lt;br /&gt;&lt;br /&gt;So, how would I like to have seen the article deal with the open WiFi issue?  I think treating it as a real issue, with real policy consequences would have been a better way to go.  For example, instead of assuming open WiFi is bad, it could have explained why the problems with open WiFi (e.g., making it harder to police copyright violations) outweigh the benefits (e.g., broader access to valuable resources).  Or, in the alternative, it could have explained that open WiFi is valuable, and then discussed policies which would help foster it (for example, stripping ISPs who go after people with open WiFi of their protections under &lt;a href="http://images.chillingeffects.org/512.html"&gt;section 512 of the DMCA&lt;/a&gt;, under the theory that those providers are no longer acting as passive conduits, and so shouldn't be protected as if they were).  
Either way, it would have been a great deal more informative and interesting than simply treating open WiFi as something that happens only by mistake.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9096167484532449849?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9096167484532449849/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9096167484532449849' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9096167484532449849'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9096167484532449849'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/02/how-to-discuss-open-wifi.html' title='How to Discuss Open WiFi'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-534702453353960038</id><published>2010-02-01T03:52:00.000-08:00</published><updated>2010-02-01T03:55:06.813-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Massachusetts Encryption Law'/><title type='text'>Data Security Deadline Looms</title><content type='html'>The following legal update is posted on behalf of my colleague &lt;a href="http://www.frostbrowntodd.com/jshea/"&gt;Jane Shea&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Despite the temporary relief provided by the six-month extension to June 1, 
2010 of the Identity Theft Red Flags regulations deadline, businesses that are located in Massachusetts, or who have customers or employees that are domiciled in Massachusetts, find that they must maintain their focus on data security for another reason – the Massachusetts data privacy regulations compliance deadline is March 1, 2010. &lt;br /&gt;&lt;br /&gt;Like the Red Flags regulations, the Massachusetts law deadline has been extended multiple times since its first deadline of January 1, 2009. In addition, the implementing regulations were twice revised in response to feedback received from affected businesses concerning the strict encryption requirements and the "one size fits all" mandate for the written security program that the original regulations imposed.&lt;br /&gt;&lt;br /&gt;The Massachusetts Data Security Law (MGL Chapter 93H) and its implementing Regulations (201 CMR 17.00) (the "Massachusetts Regulations") apply to anyone engaged in commerce, and specifically, those who "store" personal information, in addition to those who receive, maintain, process, or otherwise have access to such information. The Massachusetts Regulations apply to the personal information of Massachusetts residents, whether they are customers or employees. Thus, the reach of the Massachusetts Regulations is not limited to businesses located or operating in Massachusetts. There are no exceptions or exemptions, so that both for-profit and non-profit organizations located inside and outside of Massachusetts must comply. 
&lt;br /&gt;&lt;br /&gt;"Personal information" is defined as a Massachusetts resident's first name and last name, or first initial and last name, combined with one or more of "(a) Social Security Number, (b) drivers license or state-issued identification number, or (c) financial account or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account." Publicly available information is not included provided it has been lawfully obtained.&lt;br /&gt;&lt;br /&gt;The requirements of the Massachusetts Regulations are comparable to the FTC's Safeguards Rule. This Rule requires financial institutions subject to the federal Gramm-Leach-Bliley Act to maintain the security of their customers' personal financial information by evaluating security risks and adopting a written security program, and to oversee service providers' practices with respect to such personal information. Similarly, the Massachusetts Regulations impose a duty on every person that owns or licenses personal information to develop, implement, and maintain a written comprehensive information security program (WISP). The recent revisions permit the business to take a risk-based approach to information security, much like the federal Safeguards Rule's approach. The WISP must address the administrative, technical, and physical safeguards utilized. However, the size and scope of the business, as well as its resources, and the nature and quantity of data collected or stored, may be taken into account in developing the WISP.  &lt;br /&gt;&lt;br /&gt;The original version of the Massachusetts Regulations imposed specific technical computer security elements. The revised version retained the specific listing of these elements as guidance only, by adding a standard of technical feasibility, so that the requirements are technology neutral. 
&lt;br /&gt;&lt;br /&gt;Finally, the Massachusetts Regulations require businesses to oversee service providers, with the requirements revised to be consistent with federal law. Thus, a business is required to perform reasonable due diligence in selecting a service provider to determine that it uses appropriate security measures to protect personal information, and to contractually require such measures of their service providers. &lt;br /&gt;&lt;br /&gt;As noted above, the deadline for compliance is March 1, 2010. The law is enforced by the Massachusetts Attorney General. Businesses with customers or employees in Massachusetts need to prepare and finalize a WISP, after reviewing and evaluating their information security operations and procedures. The suggested elements of a WISP are included in the Massachusetts Regulations, but as the revisions to the Regulations make clear, these are not intended to be a rigid template. The Regulations now recognize that the nature and operations of the businesses that are subject to the law vary considerably, and like the Identity Theft Red Flag Program requirements, each WISP will be unique based upon the particular business. Additionally, businesses subject to the Massachusetts Regulations need to review their outsourcing contracts that affect personal information to determine compliance with the Regulations by their service providers. 
The deadline for updating service provider contracts is March 1, 2012.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-534702453353960038?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/534702453353960038/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=534702453353960038' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/534702453353960038'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/534702453353960038'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/02/data-security-deadline-looms.html' title='Data Security Deadline Looms'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1011969419708015276</id><published>2010-01-27T19:01:00.000-08:00</published><updated>2010-01-27T19:17:59.817-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='by hand games'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='developer diary'/><title type='text'>Microsoft Disaster Response</title><content type='html'>Was I the only person who saw the headline &lt;a href = "http://news.cnet.com/8301-13860_3-10441297-56.html"&gt;A view from Microsoft's disaster central&lt;/a&gt; and immediately thought 
that the following article would be about Microsoft's efforts to contain the damage from the explorer weakness that was exploited in the Google hack?&lt;br /&gt;&lt;br /&gt;Probably.  I guess it's an occupational hazard that comes from being a lawyer who focuses on computer software.&lt;br /&gt;&lt;br /&gt;And speaking of software, I wanted to mention that, in my hiatus from Ephemerallaw, I started up a new blog, &lt;a href="http://developerdiary.wordpress.com"&gt;Developer Diary&lt;/a&gt;, which is devoted to my ongoing programming efforts.  I also set up a page, &lt;a href="http://www.byhandgames.com"&gt;By Hand Games&lt;/a&gt; where you can download some of the games I've written.  &lt;br /&gt;&lt;br /&gt;Of course, the above has nothing to do with information security or data privacy.  Then again, I'm not exclusively devoted to information security and data privacy, and I see no particular reason why Ephemerallaw should be either.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1011969419708015276?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1011969419708015276/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1011969419708015276' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1011969419708015276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1011969419708015276'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/01/microsoft-disaster-response.html' title='Microsoft Disaster Response'/><author><name>William 
Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7648623817877824290</id><published>2010-01-24T16:21:00.000-08:00</published><updated>2010-01-24T18:04:06.757-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='litigation'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><title type='text'>Will Microsoft be sued for the vulnerability used in the Google hack?</title><content type='html'>Quick answer: I don't know, but it's less likely than it might initially appear.  &lt;br /&gt;&lt;br /&gt;Earlier this month several sources, including &lt;a href="http://www.wired.com"&gt;Wired&lt;/a&gt;, reported that over 30 large companies, including Google and Adobe, had been victims of a &lt;a href="http://www.wired.com/threatlevel/2010/01/operation-aurora/"&gt;sophisticated&lt;/a&gt; hack, which &lt;a href="http://news.bbc.co.uk/2/hi/8460819.stm"&gt;Microsoft admits was made possible by a weakness in Internet Explorer 6&lt;/a&gt;.  &lt;a href="http://www.wired.com/threatlevel/2010/01/microsoft-zero-day-flaw/"&gt;Microsoft also admits that it learned of the flaw in September&lt;/a&gt;, and that it was holding back a patch so that it could be released in a cumulative update that was due out next month.  Given the above, and the notoriously litigious nature of the American public, it would seem that Microsoft is almost guaranteed to be hit by a lawsuit seeking damages based on the failure to release the patch earlier.  
Certainly, when I read that Microsoft had learned about the flaw and withheld the patch, my first thought was that this was something that would keep their lawyers busy in court for months (if not years) to come.&lt;br /&gt;&lt;br /&gt;However, the more I think about the situation, the less I think Microsoft is guaranteed to go to court.  If this had happened 3-4 years ago, I'd expect Microsoft would already have been hit by a class action lawsuit filed on behalf of consumers who used IE6.  However, since that time, courts have been pretty uniformly unreceptive to claims that consumers are damaged by increased risks caused by unauthorized access to data by third parties (e.g., &lt;a href="http://ephemerallaw.blogspot.com/2007/08/7th-circuit-says-no-private-right-of.html"&gt;here&lt;/a&gt;).  A consumer wanting to sue Microsoft for vulnerabilities in IE6 would be even less likely to succeed, since (unlike the unsuccessful plaintiffs in the security breach cases) the hypothetical consumer suing Microsoft wouldn't even be able to show that an unauthorized third party had accessed their system, only that they were at an increased risk of such access due to using IE6.  Looking at that history, the chances of a consumer class action against Microsoft seem pretty slim.*&lt;br /&gt;&lt;br /&gt;So, consumers aren't likely to sue Microsoft, what about the businesses who were victimized because of the flaw?  While they'd have an easier time proving damages (after all, it is known that they were hacked, and at least some of what the hackers did), there are also forces which could prevent them from going to court.  For one thing, most businesses try and work things out before involving the judiciary.  In this case, I assume that Google, Adobe, et al have contacted Microsoft about helping them clean up the damage.  
Microsoft has a significant interest in trying to make sure those out of court efforts are successful, since a drawn out court battle could only hurt Microsoft's brand in the already competitive browser market.  Similarly, the companies that have been hacked would probably like to avoid going to court as well, since any lawsuit would invariably have the effect of calling their own security into question, even if they could convince the public that the reason their systems weren't secure is because they were using unsafe products, rather than that their own internal practices were deficient.&lt;br /&gt;&lt;br /&gt;Of course, strong incentives to avoid a court battle don't necessarily mean there won't be one.  If the damage caused by the hackers is too expensive, Microsoft might be willing to fight not to pay it, and the injured company might be willing to fight to get paid.  At this point it's impossible to say how likely that is to play out.  However, I think, given the incentives on all sides to avoid it, the likelihood of a lawsuit against Microsoft on this is much lower than it would initially appear.&lt;br /&gt;&lt;br /&gt;*Obviously, the chances aren't zero.  If there was going to be a suit against Microsoft, I would expect it in a state which has allowed suits for increased risk of health problems as a result of a chemical spill.  
The analogy isn't perfect, but it does make it somewhat easier to prove damages.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7648623817877824290?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7648623817877824290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7648623817877824290' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7648623817877824290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7648623817877824290'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2010/01/will-microsoft-be-sued-for.html' title='Will Microsoft be sued for the vulnerability used in the Google hack?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6327848094417292238</id><published>2009-04-12T19:21:00.000-07:00</published><updated>2009-04-12T19:25:53.487-07:00</updated><title type='text'>Turn on your Syndication</title><content type='html'>Sadly, my actual job, combined with some personal issues have been taking up essentially all of my time recently, and will likely continue to do so for the foreseeable future.  I expect to be able to return to maintaining the blog on a more regular basis at some point in the future.  
However, at this point, I recommend taking advantage of the feed for the site, since coming back in order to see when I have a new post up is unlikely to result in finding anything.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6327848094417292238?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6327848094417292238/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6327848094417292238' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6327848094417292238'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6327848094417292238'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/04/turn-on-your-syndication.html' title='Turn on your Syndication'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3246989410813278128</id><published>2009-04-04T19:27:00.000-07:00</published><updated>2009-04-05T20:06:44.469-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ARRA'/><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach notification'/><category scheme='http://www.blogger.com/atom/ns#' term='federal legislation'/><title type='text'>Federal Security Breach Notification is 
Here</title><content type='html'>After years of talk, and failed attempts, tucked into a corner of the massive &lt;a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&amp;docid=f:h1enr.pdf"&gt;American Recovery and Reinvestment Act&lt;/a&gt;, we get a federal security breach notification law.  Actually, we get a whole chunk of health care related privacy legislation, but what I'm going to focus on is the security breach notification part of it, as there's simply too much there for a single post otherwise.&lt;br /&gt;&lt;br /&gt;In any case, the relevant provisions are sections 13402 (Notification in the case of breach, starting at page 146 in the linked PDF) and 13407 (Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities, starting at page 155 in the linked PDF).  The question that needs to be asked is: how do they stack up against existing state security breach notification laws?  The answer: reasonably well.  The new federal law covers security breaches which expose individually identifiable health information* which means it's actually broader than some state laws which limit their coverage based on how the information is stored (e.g., California's &lt;a href="http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html"&gt;SB1386&lt;/a&gt; which is limited to "computerized" data).  The new federal law also includes a media notice provision, which requires notice to "prominent media outlets" if the unsecured protected health information of more than 500 residents is compromised.  That provision is actually stricter than the media notice from California's security breach notification law (used as a model for similar laws around the country), which is triggered if the number of people to be notified exceeds 500,000.  
&lt;br /&gt;&lt;br /&gt;On the other hand, while the new federal law is stricter in some ways, it lacks what I consider one of the most important features of an effective protection - an individual right to bring suit.  The lack of an individual right in various state laws has been used against people seeking compensation before (e.g., &lt;a href="http://ephemerallaw.blogspot.com/2007/08/7th-circuit-says-no-private-right-of.html"&gt;here&lt;/a&gt;), and I think the fact that the new federal law could be used in the same way could undermine enforcement.  However, even though enforcement is a little questionable, the substance of the new federal law looks like a significant expansion in the rights of individuals to be notified when their data is exposed to unauthorized parties.&lt;br /&gt;&lt;br /&gt;*Note: I am aware that it says it covers "unsecured protected health information".  However, if you look at the definitions, the "unsecured" part basically means unencrypted, while the "protected health information" refers back to the &lt;a href="http://edocket.access.gpo.gov/cfr_2004/octqtr/pdf/45cfr160.103.pdf"&gt;HIPAA regulations&lt;/a&gt;, and translates into individually identifiable health information which is either transmitted or maintained in any medium.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3246989410813278128?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3246989410813278128/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3246989410813278128' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3246989410813278128'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3246989410813278128'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/04/federal-security-breach-notification-is.html' title='Federal Security Breach Notification is Here'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-5786174372668206173</id><published>2009-03-24T19:05:00.000-07:00</published><updated>2009-03-24T19:09:45.244-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='red flag rules'/><title type='text'>Red Flag Rules - Deadline May 1</title><content type='html'>My colleagues &lt;a href="http://www.frostbrowntodd.com/jshea/"&gt;Jane Shea&lt;/a&gt; and &lt;a href="http://www.frostbrowntodd.com/gretchen_ackerman/"&gt;Gretchen Ackerman&lt;/a&gt; have published a new business advisory on the FTC red flag rules.  I am posting it here with permission.&lt;br /&gt;&lt;br /&gt;The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching.  The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments.  Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments.  Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs.  
These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts.  Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA.  &lt;br /&gt;&lt;br /&gt;The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program.  Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008.  &lt;br /&gt;&lt;br /&gt;Federal regulators were required by the FACT Act of 2003 to issue regulations that implement Section 114 of the Act, which amended the Fair Credit Reporting Act to require financial institutions and other creditors which maintain consumer accounts to adopt and maintain a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with the opening of accounts maintained for personal, family or household purposes, so long as the accounts permit multiple payments or transactions.  Examples include credit card accounts, patient deferred payment plans, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts or savings accounts.&lt;br /&gt;&lt;br /&gt;The regulations provide organizations subject to the Rules with flexibility in developing their programs according to their relative size and complexity.  
However, the Program must include reasonable policies and procedures that:&lt;br /&gt;&lt;br /&gt;identify relevant Red Flags, and then incorporate those Red Flags into the Program; &lt;br /&gt;detect such Red Flags; &lt;br /&gt;respond appropriately to any Red Flags to prevent and mitigate identity theft; and &lt;br /&gt;ensure that the Program is updated periodically to reflect changes in risks to customers &lt;br /&gt;What are the "Red Flags"?  The regulations define them as a "pattern, practice, or specific activity that indicates the possible existence of identity theft."  However, the concept is fleshed out considerably in the supplementary materials to the regulations.  The federal regulatory agencies have adopted Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation.  The Regulations include a section explaining the relationship of the rules to the guidelines, specifically, that each financial institution or creditor must consider the guidelines in developing its Program, and must include those Guidelines that are appropriate.  They provide policies and procedures that can be used, where appropriate, to satisfy the regulatory requirements of the Rules.  &lt;br /&gt;&lt;br /&gt;Thus, the Guidelines provide with respect to risk factors an organization should consider in identifying red flags, likely sources of red flags, and categories of red flags that should be included in the Program.  
Additionally, the supplementary materials to the Guidelines include illustrative examples of Red Flags which may be incorporated into a Program, and break these down into five categories:  1) Alerts, Notifications or Warnings from a Consumer Reporting Agency; 2) Suspicious Documents; 3) Suspicious Personal Identifying Information; 4) Unusual Use of, or Suspicious Activity Related to, the Covered Account; and 5) Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Others Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor.  Examples include:&lt;br /&gt;&lt;br /&gt;a fraud or active duty alert is included with a consumer report &lt;br /&gt;a consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report &lt;br /&gt;a consumer reporting agency provides a notice of address discrepancy &lt;br /&gt;identification documents appear to be forged &lt;br /&gt;inconsistencies between identification provided and the consumer's/patient's appearance or the information actually provided by the consumer/patient &lt;br /&gt;inconsistencies between personally identifying information provided and that obtained from external information sources &lt;br /&gt;a new revolving credit account is used in a manner commonly associated with known patterns of fraud.&lt;br /&gt;Once the Program has been established, the organization must administer the Program, and not simply place it on a shelf.  This involves requiring that the board of directors or an appropriate committee of the Board approve the initial written Program, and that the Board, an appropriate Board committee, or a designated member of senior management be responsible for the oversight, development, implementation and administration of the Program.  Additionally, training of relevant staff and effective oversight of third party service providers with respect to the Program is also required. 
&lt;br /&gt;&lt;br /&gt;Organizations covered by the Red Flag Identity Theft Rules are subject to oversight by the appropriate federal regulators, and for those creditors that are not federally regulated financial institutions, the Federal Trade Commission provides oversight.  Besides regulatory enforcement actions, violations of the FACT Act can subject an organization to civil actions for damages.  The type and amount of damages available will depend on whether the violations are "negligent" or "willful."  For a claim for negligent violation, a plaintiff must prove he or she suffered actual harm as a result of the defendant's negligence.  In the case of a claim for a willful violation, most courts will require proof of actual knowledge and intentional violation of the relevant statute by the organization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-5786174372668206173?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/5786174372668206173/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=5786174372668206173' title='14 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5786174372668206173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5786174372668206173'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/red-flag-rules-deadline-may-1.html' title='Red Flag Rules - Deadline May 1'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>14</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-156362190628466371</id><published>2009-03-22T17:08:00.000-07:00</published><updated>2009-03-22T18:15:52.900-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='EPIC'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><category scheme='http://www.blogger.com/atom/ns#' term='FTC'/><title type='text'>EPIC Files Interesting Complaint Regarding Google Services</title><content type='html'>Earlier this month, Google sent out an email admitting to a bug (subsequently fixed) which caused some documents on Google's cloud computing services to be shared without their owners' knowledge or consent (a copy of the email can be found in &lt;a href="http://blogs.computerworld.com/google_docs_sharing_error_permission_cloud"&gt;this&lt;/a&gt; blog post).  Now, the &lt;a href="http://www.epic.org"&gt;Electronic Privacy Information Center&lt;/a&gt; (EPIC) has filed a complaint with the FTC asking it to investigate Google's procedures, to force Google to revise its terms of service, and to spend $5,000,000 on security research.  The complaint also asks that Google be enjoined from offering cloud computing services until "safeguards are verifiably established."  The complaint can be found &lt;a href="http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;At this point, I actually don't want the complaint to succeed - at least, not to succeed in full, as I use some of the services in question, and I don't want to wait for Google to get its act together on privacy before using them again.  However, while I don't want the complaint to succeed, I do think it makes for interesting reading for people who care about, but aren't familiar with, the FTC's role in protecting consumer privacy.  
Highly recommended reading, at least for that class of reader.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9129916&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;via&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-156362190628466371?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/156362190628466371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=156362190628466371' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/156362190628466371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/156362190628466371'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/epic-files-interesting-complaint.html' title='EPIC Files Interesting Complaint Regarding Google Services'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-335585152442371699</id><published>2009-03-15T20:59:00.000-07:00</published><updated>2009-03-16T18:10:58.524-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='regulation'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI standards'/><category scheme='http://www.blogger.com/atom/ns#' term='PCI DSS'/><title type='text'>PCI and the 
Efficacy of Self Regulation</title><content type='html'>Tucked away in the conclusion of &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Privacy&amp;articleId=9129277&amp;taxonomyId=84&amp;pageNumber=1"&gt;this&lt;/a&gt; article is an interesting question: is the PCI Data Security Standard effective?  Actually, the question as posed, which was whether the PCI Data Security Standard in its current form is effective, is not particularly interesting (at least to me).  The more interesting question is whether the PCI DSS, or &lt;span style="font-style:italic;"&gt;any&lt;/span&gt; self regulation can be an effective counter to information security threats.  I don't know the answer, but the article gives some indication that that answer might be no.&lt;br /&gt;&lt;br /&gt;Of course, the article itself did not tackle the question of self regulation versus governmental oversight.  The article was devoted to describing a new set of guidelines which is intended to facilitate the process of becoming PCI compliant.  Apparently, there is a perception that some businesses look at the PCI requirements, become overwhelmed by what's necessary to comply, and, as a result, do nothing.  The hope is that, by breaking things down and ranking them in terms of priority, the new guidelines will make the task more manageable, and therefore increase compliance.  The article then mentioned that these new efforts to increase compliance come at a time when the effectiveness of the PCI DSS is being questioned based on recent security breaches such as that at &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9128841"&gt;Heartland Payment Systems&lt;/a&gt;.  The article mentioned that a spokesman from the PCI Security Standards council had said that there wasn't anything wrong with the standards.  However, if that's true, it raises a bigger question - why are the breaches still happening?  
&lt;br /&gt;&lt;br /&gt;One possible answer, the one I alluded to at the beginning of the post, is that breaches are still happening because self regulation isn't an effective means of influencing behavior.  I think that position is probably too extreme - merchants do care about the PCI DSS.  However, the fact that there is a perceived need for the current compliance campaign, and the fact that massive breaches like that at Heartland keep happening indicates that something needs to change.  Maybe what that is is to add a dose of federal government enforcement power to the supposedly sufficient requirements of the PCI DSS.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-335585152442371699?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/335585152442371699/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=335585152442371699' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/335585152442371699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/335585152442371699'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/pci-and-efficacy-of-self-regulation.html' title='PCI and the Efficacy of Self Regulation'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4535527021231106131</id><published>2009-03-10T19:07:00.000-07:00</published><updated>2009-03-10T19:34:10.286-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='California'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach notification'/><category scheme='http://www.blogger.com/atom/ns#' term='notification laws'/><title type='text'>What I wouldn't give for some time...</title><content type='html'>Actually, I know very well what I wouldn't give up for some time.  I wouldn't give up my productivity at work, or my relaxing evenings with my wife.  However, if I would give those things up, I could write a great blog post on proposed changes to California's security breach notification act.  Instead, I'll just mention &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9129267&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;, and quickly note that the proposed changes require businesses that suffer breaches to report them to a centralized authority, not just to the people whose data is compromised.  &lt;br /&gt;&lt;br /&gt;Of course, if I were writing a really good blog post, I wouldn't just talk about the proposed changes, but instead I'd try and put them in broader context, perhaps by referring to &lt;a href="http://blog.wired.com/27bstroke6/2009/03/experts-debate.html"&gt;this&lt;/a&gt; post from the &lt;a href="http://blog.wired.com/27bstroke6"&gt;Threat Level&lt;/a&gt; blog, which describes a panel discussion on whether notification laws "work".  
I might even have some analysis on the proper way to measure the efficacy of notification laws.&lt;br /&gt;&lt;br /&gt;As it is though, I'm not writing that blog post, I'm writing this relatively uncreative excuse for a blog post.  Oh well.  On the bright side, I'm still a good lawyer by day, and I've had a nice evening with my wife.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4535527021231106131?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4535527021231106131/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4535527021231106131' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4535527021231106131'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4535527021231106131'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/what-i-wouldnt-give-for-some-time.html' title='What I wouldn&apos;t give for some time...'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8017673589492673574</id><published>2009-03-01T16:21:00.000-08:00</published><updated>2009-03-01T18:28:31.310-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Facebook Content Policy</title><content type='html'>Last month, there was something of a controversy 
regarding the terms of service for the popular social networking site &lt;a href="http://www.facebook.com"&gt;Facebook&lt;/a&gt;.  The issue (described in &lt;a href="http://www.cnn.com/2009/TECH/02/18/facebook.reversal/index.html"&gt;this&lt;/a&gt; article) was that Facebook removed a statement from its terms of service that said it couldn't claim rights in original content uploaded by users after they terminated their accounts, and replaced it with a statement saying that Facebook might maintain archived copies of user content.  From my perspective, this would not have seemed like a significant event.  I assume that everything (including this web site) I put online is archived somewhere, whether it's at the site that's hosting the content (e.g., Facebook), some external site (e.g., &lt;a href="http://www.archive.org"&gt;the internet archive&lt;/a&gt;), or the local computers of whoever happens to have looked at whatever I posted (e.g., blog readers).  My guess is that the lawyers who recommended that Facebook make the change thought that most Facebook users were about like me, and wouldn't see the modification of the policy as a significant change.&lt;br /&gt;&lt;br /&gt;They were wrong.&lt;br /&gt;&lt;br /&gt;Facebook's users were outraged.  They started a Facebook group (!) to protest, and it quickly signed up 88,000 members.  The &lt;a href="http://epic.org"&gt;Electronic Privacy Information Center&lt;/a&gt; prepared an FTC complaint.  As one user rhetorically asked: "Will I wind up seeing pictures of my niece staring at me from a bus stop at some point and be told I shoulda read the fine print?" 
(quote via &lt;a href="http://www.pcworld.com/article/159743/facebooks_privacy_flap_what_really_went_down_and_whats_next.html"&gt;this&lt;/a&gt; article).&lt;br /&gt;&lt;br /&gt;Anyway, because of the outrage, Facebook backed down, and is now asking users to help define its policies (article &lt;a href="http://www.cnn.com/2009/TECH/02/27/facebook.democracy/index.html"&gt;here&lt;/a&gt;).  On one hand, it's a demonstration that consumer pressure actually can have beneficial effects.  On the other hand, it's a demonstration that privacy concerns crop up over the most bizarre things.  For example, if someone really wants to have their niece's picture taken out of an advertisement, they can sue Facebook for making an unauthorized public display and get an injunction.*  Additionally, there have been several cases where people have sued for common law torts such as libel, or false light invasion of privacy for using pictures in advertisements without the subjects' consent (e.g., Virgin, which was sued for using a picture uploaded to Flickr with the tag line "virgin to virgin" - article &lt;a href="http://www.msnbc.msn.com/id/20896643/"&gt;here&lt;/a&gt;).  In short, the fears that led to the revolt against Facebook are one of the areas where the law does offer redress for unauthorized use of personal data.  Strange that people got outraged over that, rather than something where the law offers little or no protection.&lt;br /&gt;&lt;br /&gt;*Copyright protection subsists in any work fixed in a tangible medium of expression.  &lt;a href="http://www.copyright.gov/title17/92chap1.html#102"&gt;17 USC 102&lt;/a&gt;.  That includes computer memory, which means that everything uploaded to Facebook is automatically protected by copyright.**&lt;br /&gt;&lt;br /&gt;**Yes, there is a requirement for registration, but you can register after infringement has taken place.  &lt;a href="http://www.copyright.gov/title17/92chap4.html#408"&gt;17 USC 408 et seq&lt;/a&gt;.  
While there are significant advantages to registering before an infringement occurs, a discussion of those advantages is &lt;span style="font-style:italic;"&gt;way&lt;/span&gt; outside the scope of this post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8017673589492673574?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8017673589492673574/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8017673589492673574' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8017673589492673574'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8017673589492673574'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/03/facebook-content-policy.html' title='Facebook Content Policy'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6072780776586856450</id><published>2009-02-22T19:32:00.001-08:00</published><updated>2009-02-22T19:43:02.780-08:00</updated><title type='text'>A Quick Reminder: If you want legal advice, get a lawyer</title><content type='html'>As it says in the disclaimer at the bottom of the page (which you should definitely read): "This site is provided for informational purposes only...This site should not be used as a substitute for competent legal advice from a licensed 
professional attorney in your state."&lt;br /&gt;&lt;br /&gt;Data privacy and information security is governed by a patchwork of state laws, and there is massive variation from jurisdiction to jurisdiction.  For example, my home state, Ohio, has a data security notification law (&lt;a href="http://codes.ohio.gov/orc/1349.19"&gt;ORC 1349.19&lt;/a&gt;).  However, if I drive 10 minutes south from my office, I'm in Kentucky, which doesn't have an equivalent law (a handy table of what states do and do not have such laws can be found &lt;a href="http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm"&gt;here&lt;/a&gt;).  Tort remedies, such as trespass to chattels, breach of contract, negligence and intentional infliction of emotional distress (to name 4) are also governed by state law.  &lt;br /&gt;&lt;br /&gt;This web site does discuss the law surrounding information security and data privacy.  However, anyone who has a question about their own information security or data privacy situation should get a lawyer who can apply the law as it exists in their jurisdiction to the facts as they exist in their case - not rely on a web site (this one, or any other).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6072780776586856450?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6072780776586856450/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6072780776586856450' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6072780776586856450'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6072780776586856450'/><link rel='alternate' 
type='text/html' href='http://ephemerallaw.blogspot.com/2009/02/quick-reminder-if-you-want-legal-advice.html' title='A Quick Reminder: If you want legal advice, get a lawyer'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4068267408000172103</id><published>2009-02-16T17:12:00.000-08:00</published><updated>2009-02-16T17:27:22.317-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Massachusetts Encryption Law'/><title type='text'>Massachusetts Extends Compliance with Data Security Rules</title><content type='html'>We've written previously (e.g., &lt;a href="http://ephemerallaw.blogspot.com/2009/01/will-anyone-be-ready-for-next-level-of.html"&gt;here&lt;/a&gt;) about Massachusetts' new data security rules.  Briefly, they would have required anyone who owns, stores or maintains the personal data about a resident of Massachusetts who stores data electronically to encrypt the data before transmitting it wirelessly or over a public network.  The rules would also have required encryption of data stored on mobile devices.  I say "would have" because their implementation deadline, which had been previously set at May 1, 2009 has been extended till January 1, 2010 (see article &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Standards+and+Legal+Issues&amp;articleId=9127961&amp;taxonomyId=146&amp;pageNumber=1"&gt;here&lt;/a&gt;).  
&lt;br /&gt;&lt;br /&gt;Of course, this isn't a big surprise, since regulations having to do with privacy (both strengthening, like the &lt;a href="http://ephemerallaw.blogspot.com/2008/10/red-flag-rules-delayed.html"&gt;red flag rules&lt;/a&gt; and weakening, like &lt;a href="http://www.migrationinformation.org/USfocus/display.cfm?id=589"&gt;Real ID&lt;/a&gt;) have a history of getting delayed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4068267408000172103?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4068267408000172103/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4068267408000172103' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4068267408000172103'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4068267408000172103'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/02/massachusetts-extends-compliance-with.html' title='Massachusetts Extends Compliance with Data Security Rules'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-493771885069079848</id><published>2009-02-10T17:02:00.000-08:00</published><updated>2009-02-10T19:02:06.208-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='private suits'/><category 
scheme='http://www.blogger.com/atom/ns#' term='FTC'/><title type='text'>Even More Limitations on Private Rights of Action</title><content type='html'>Previously, I've written about problems with protecting privacy through private civil suits, such as &lt;a href="http://ephemerallaw.blogspot.com/2008/03/problem-of-compensation.html"&gt;transaction costs&lt;/a&gt;, &lt;a href="http://ephemerallaw.blogspot.com/2008/03/problems-with-us-courts-treatment-of.html"&gt;difficulty of proving damages&lt;/a&gt;, and &lt;a href="http://ephemerallaw.blogspot.com/2007/08/7th-circuit-says-no-private-right-of.html"&gt;a generally hostile court system&lt;/a&gt;.  However, a recent breach notification by &lt;a href="http://www.geeks.com"&gt;Geeks.com&lt;/a&gt; has indicated that even when those factors aren't present, people (or, in this case, businesses) still aren't that interested in enforcing their rights.  The story, according to &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9127541&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt; is that the web site was victimized by an SQL injection attack, and the operators eventually entered into a settlement with the FTC wherein they agreed to undergo audits and not to make any further misleading claims about privacy.  So far not particularly notable.  However, as the article says, unlike most security breaches:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;The breach was notable because the Geeks.com site prominently displayed a "Hacker Safe" seal provided to companies by McAfee Inc. as part of its ScanAlert vulnerability scanning service. 
However, McAfee officials said at the time that the Hacker Safe certification — since renamed McAfee Secure — had been withdrawn from Geeks.com on multiple occasions during 2007 after scans found vulnerabilities in its systems.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;To me this is shocking.  Not because a supposedly secure site was compromised, but because they were improperly displaying the "Hacker Safe" seal.  &lt;br /&gt;&lt;br /&gt;Where was McAfee?  &lt;br /&gt;&lt;br /&gt;Didn't it care about its good name?  I would guess that Geeks.com would have taken down the "Hacker Safe" seal if McAfee simply asked them to.  I doubt even a sternly worded letter would have been necessary.  Still, if it had been, there are any number of attorneys who could have written it, and who would have been happy to go to court to get the seal removed if Geeks.com wouldn't take it down otherwise.  Happily, the FTC stepped up in this case.  However, it's a little surprising that they were the ones who ended up doing it, rather than the private actor who one would think would have had both the incentive and opportunity to have taken action earlier.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-493771885069079848?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/493771885069079848/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=493771885069079848' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/493771885069079848'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/493771885069079848'/><link rel='alternate' type='text/html' 
href='http://ephemerallaw.blogspot.com/2009/02/even-more-limitations-on-private-rights.html' title='Even More Limitations on Private Rights of Action'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2637498906071855457</id><published>2009-02-01T18:45:00.000-08:00</published><updated>2009-02-01T19:04:14.310-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='contract'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='adware'/><title type='text'>A view from the dark side</title><content type='html'>Via &lt;a href="http://www.schneier.com/blog/"&gt;Bruce Schneier&lt;/a&gt;, we have a fascinating &lt;a href="http://philosecurity.org/2009/01/12/interview-with-an-adware-author"&gt;interview with an adware author&lt;/a&gt;.  From a technical perspective, it's fascinating - he gives a programmer's eye view of the various mechanisms he used to make sure his adware couldn't be uninstalled or stopped.  From a privacy standpoint it's disturbing.  When asked the question of whether people had any security or privacy at all, his answer was (essentially) no, but it doesn't matter because most people aren't criminals so you're probably ok.&lt;br /&gt;&lt;br /&gt;From a legal standpoint, it had two interesting takeaways.  First: End User License Agreements are trouble.  The interviewee's opinion was that people don't read EULAs, so you can put anything in them, including agreements by the user that the adware company can install whatever software they want on the user's computer.  
In the coming years, I would expect to see some limits placed on this (e.g., by the FTC under its authority to police unfair or deceptive trade practices).  Second, the legal system can work to curb bad practices, but only once the bad practices are known.  The company the interviewee worked for, &lt;a href="http://www.out-law.com/page-6817"&gt;Direct Revenue, was sued by Eliot Spitzer&lt;/a&gt;.  The problem is, the suit only happened after the company made the poor business decision to start branding their adware.  If they hadn't done that, it's anyone's guess as to whether they even would have shown up on the (now disgraced) attorney general's radar screen.&lt;br /&gt;&lt;br /&gt;Also, one final takeaway from the interview: if you want to reduce your susceptibility to adware (or various forms of viruses or other malware) switch off Microsoft products.  The interviewee was openly contemptuous of Microsoft products.  The money quote: "If you’re using IE [Internet Explorer], then either you don’t care or you don’t know about all the vulnerabilities that IE has."  
I'm not sure I agree with him, but it's interesting to see how an insider views the world at large.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2637498906071855457?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2637498906071855457/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2637498906071855457' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2637498906071855457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2637498906071855457'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/02/view-from-dark-side.html' title='A view from the dark side'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3859739687463442578</id><published>2009-01-25T19:00:00.000-08:00</published><updated>2009-01-25T19:36:24.491-08:00</updated><title type='text'>Privacy for me but not for thee</title><content type='html'>Via &lt;a href="http://www.boingboing.net"&gt;BoingBoing&lt;/a&gt;, I found &lt;a href="http://www.no2id.net/news/newsletters/newsletter?issue=115"&gt;this&lt;/a&gt; article, which shows that the UK government has no (or at most very little) respect for the privacy of individual citizens.  
According to the article, there is a clause in a pending piece of UK legislation which would &lt;br /&gt;&lt;blockquote&gt;allow ministers to make 'Information Sharing Orders', that can alter any Act of Parliament and cancel all rules of confidentiality in order to use information obtained for one purpose to be used for another.&lt;/blockquote&gt;&lt;br /&gt;Now, admittedly, I am not an expert on UK law, but allowing such information sharing orders would seem to basically nullify any types of privacy protections which currently exist.  It's almost as if the British government doesn't care about privacy at all.&lt;br /&gt;&lt;br /&gt;...of course, we know that can't be true, since just a week earlier, British MPs (members of parliament) had attempted to pass a law which would have exempted records of their expenses from freedom of information act requests (see &lt;a href="http://www.guardian.co.uk/politics/2009/jan/15/freedom-of-information-expenses"&gt;this&lt;/a&gt; article, also via BoingBoing).  
I guess this is just one more example of how government officials care deeply about privacy - but only if it's their own information that they're trying to keep secret.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3859739687463442578?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3859739687463442578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3859739687463442578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3859739687463442578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3859739687463442578'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/privacy-for-me-but-not-for-thee.html' title='Privacy for me but not for thee'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8614949795838047717</id><published>2009-01-21T17:21:00.000-08:00</published><updated>2009-01-21T19:19:20.662-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Breaches'/><category scheme='http://www.blogger.com/atom/ns#' term='heartland'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>And They're Off</title><content type='html'>We're a little less than a month into the new year, and there's already a strong contender for 
biggest data security breach of '09.  Actually, the breach, which involved a compromise of &lt;a href="http://www.heartlandpaymentsystems.com/"&gt;Heartland Payment Systems&lt;/a&gt; took place in 2008, but it wasn't &lt;a href="http://www.2008breach.com/"&gt;publicly disclosed&lt;/a&gt; until yesterday, so I'm classifying it as a 2009 breach.  However, whatever year the breach is placed in, it's potentially a monster, with over 100,000,000 accounts at risk.  We don't know the full extent of the breach yet, but this is one to keep an eye on as potentially not only being a candidate for the biggest breach of 2009, but also as having the potential to dethrone TJX as the biggest breach ever.&lt;br /&gt;&lt;a href="http://blog.wired.com/27bstroke6/2009/01/card-processor.html"&gt;via&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8614949795838047717?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8614949795838047717/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8614949795838047717' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8614949795838047717'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8614949795838047717'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/and-theyre-off.html' title='And They&apos;re Off'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7336114533517829460</id><published>2009-01-14T19:12:00.000-08:00</published><updated>2009-01-14T19:18:21.089-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Antivirus 2009'/><category scheme='http://www.blogger.com/atom/ns#' term='malwarebytes'/><title type='text'>Malwarebytes Link</title><content type='html'>As a (most likely final) follow up to my posts (&lt;a href="http://ephemerallaw.blogspot.com/2009/01/antivirus-2009.html"&gt;here&lt;/a&gt; and &lt;a href="http://ephemerallaw.blogspot.com/2009/01/removing-antivirus-2009.html"&gt;here&lt;/a&gt;) on removing Antivirus 2009, I contacted &lt;a href="http://www.malwarebytes.org"&gt;Malwarebytes&lt;/a&gt; and asked if they had an alternate site where you could download their tools without being blocked.  In response, they sent me this link to their &lt;a href="http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&amp;subj=dl&amp;tag=button"&gt;free product&lt;/a&gt;.  I can't guarantee that it will work, and I'm not planning on purposefully getting infected just to test it.  
However, if anyone happens to stumble across this blog looking for a way to remove the virus, the above link might do the trick.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7336114533517829460?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7336114533517829460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7336114533517829460' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7336114533517829460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7336114533517829460'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/malwarebytes-link.html' title='Malwarebytes Link'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8654166765645096313</id><published>2009-01-13T17:58:00.000-08:00</published><updated>2009-01-13T18:18:00.990-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='obama'/><title type='text'>Government spurs security improvements</title><content type='html'>Well, we still don't know if (as I predicted &lt;a href="http://ephemerallaw.blogspot.com/2008/11/giving-up-email.html"&gt;here&lt;/a&gt;) Obama will be the first email friendly president.  
However, we do know that there is now a PDA which has been certified by the NSA for top secret voice communication.  Sadly, the price tag is a hefty $3,350, which will keep it out of the hands of most private citizens (including me).  Still, that's no object for Obama, and I wouldn't be at all surprised if he uses this device (or something like it) to avoid having to give up email.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://news.cnet.com/8301-13578_3-10141398-38.html"&gt;via&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8654166765645096313?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8654166765645096313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8654166765645096313' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8654166765645096313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8654166765645096313'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/government-spurs-security-improvements.html' title='Government spurs security improvements'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8261017060321625129</id><published>2009-01-09T15:53:00.000-08:00</published><updated>2009-01-09T16:15:45.867-08:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Hallmark E-Card Virus'/><title type='text'>Hallmark E-Card Virus</title><content type='html'>Today I received an email (actually, several emails) with yet another virus.  Unlike Antivirus 2009, which has the potential to trick unsuspecting users by masquerading as a legitimate program, this one, which appears to spread via email attachment would only catch the absolutely most unsophisticated.  Indeed, unlike some email viruses, this one doesn't even bother trying to personalize the emails it sends out.  Instead, it uses the following generic message:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Hello!&lt;br /&gt;&lt;br /&gt;You have recieved a Hallmark E-Card from your friend.&lt;br /&gt;&lt;br /&gt;To see it, check the attachment.&lt;br /&gt;&lt;br /&gt;There's something special about that E-Card feeling. We invite you to make a friend's day and send one.&lt;br /&gt;&lt;br /&gt;Hope to see you soon,&lt;br /&gt;Your friends at Hallmark&lt;br /&gt;&lt;br /&gt;Your privacy is our priority. Click the "Privacy and Security" link at the bottom of this E-mail to view our policy. 
&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;I'm not sure what to say about it, except that anyone who trusts a card from an anonymous "friend" who wants them to open an email attachment probably has so many viruses on their system already that one more won't do much damage (either that or an antivirus program strong enough to protect them from themselves - something I recommend all users get regardless of their sophistication).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8261017060321625129?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8261017060321625129/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8261017060321625129' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8261017060321625129'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8261017060321625129'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/hallmark-e-card-virus.html' title='Hallmark E-Card Virus'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9150948410371610947</id><published>2009-01-08T16:04:00.000-08:00</published><updated>2009-02-01T19:09:06.393-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Antivirus 2009'/><title type='text'>Removing Antivirus 
2009</title><content type='html'>I've received a number of hits on my &lt;a href="http://ephemerallaw.blogspot.com/2009/01/antivirus-2009.html"&gt;previous post&lt;/a&gt; about some legal issues regarding Antivirus 2009 which I suspect are from people looking for how to get rid of the malware but can't get to the big antivirus sites because Antivirus 2009 has blocked them.  For anyone looking for how to get rid of the program, here's my advice:&lt;br /&gt;&lt;br /&gt;1)  Don't expect to download a tool to fix the problem.  The nastiest feature of Antivirus 2009 is that it blocks downloads from the major antivirus websites.  In particular, &lt;a href="http://www.malwarebytes.org"&gt;Malwarebytes&lt;/a&gt;, which is recommended in a number of places to deal with Antivirus 2009, is blocked.&lt;br /&gt;&lt;br /&gt;2)  Get to a clean system.  Just because you can't download the proper tools on a compromised system doesn't mean you can't download them at all.  Go to another computer and download the tools you need.  Malwarebytes Anti-Malware, mentioned above, can be downloaded &lt;a href="http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe"&gt;here&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;3)  Send the tools from the clean system to the compromised system.  The most obvious way to do this is via a flash drive.  However, the version of Antivirus 2009 I dealt with (surprisingly) allowed me to send the mbam-setup.exe program through email.  &lt;br /&gt;&lt;br /&gt;4)  Once the tool (whatever it is) is downloaded, rename it to &lt;something&gt;.bat.  With the version of Antivirus 2009 I dealt with, it wouldn't let mbam-setup.exe execute, but it would let blank.bat (what I renamed mbam-setup.exe) run just fine.  &lt;br /&gt;&lt;br /&gt;Please note that, for step 4 above to work, you might have to restart Windows in safe mode.  
A description of how to do that can be found &lt;a href="http://www.columbia.edu/acis/security/articles/data/safemode.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Please also note that the above 4 steps (including restarting in safe mode) might not actually work.  The version of Antivirus 2009 which got onto my grandmother's computer let me run the antivirus setup program, but blocked the antivirus program itself.  My next step after step 4 would have been to create a rescue CD and use that to boot from.  However, my brother who also happened to be visiting that weekend had different advice: since my grandmother's computer was brand new, why not reformat the hard drive and just reinstall everything my grandmother wanted?  In the end, that's what happened, since I would have been required to go back to my house (across town) to get a rescue CD, while my brother could reformat the hard drive immediately.  It's an extreme measure, but I can testify that it certainly worked for my grandmother.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Update:&lt;/span&gt;  As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009.  
They sent me a link, and I added it in &lt;a href="http://ephemerallaw.blogspot.com/2009/01/malwarebytes-link.html"&gt;this&lt;/a&gt; post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9150948410371610947?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9150948410371610947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9150948410371610947' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9150948410371610947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9150948410371610947'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/removing-antivirus-2009.html' title='Removing Antivirus 2009'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4564816455189159669</id><published>2009-01-07T17:31:00.000-08:00</published><updated>2009-01-07T17:33:27.697-08:00</updated><title type='text'>Will Anyone be Ready for the Next Level of Identity Theft Protection?</title><content type='html'>The Massachusetts and Nevada Models&lt;br /&gt;&lt;br /&gt;Brace yourself for the countless retrospectives to appear in the coming months, touting 2008 as an eventful year for so many reasons: an historic presidential election, a meltdown in the financial and real estate industry and resulting 
economic maelstrom, Michael Phelps winning a record-breaking eight gold medals in the Beijing Olympics – the list goes on. &lt;br /&gt;&lt;br /&gt;One notable characteristic of 2008 that may go unnoticed by the mainstream commentators, but is no less remarkable, is the continuing wave of consumer protection legislation enacted by state legislatures in the wake of spiraling incidents of identity theft. In addition, an otherwise lethargic Congress has managed to enact a cybercrime law, signed by President Bush in early October, called The Identity Theft Enforcement and Restitution Act of 2008. This law makes it easier for prosecutors to bring hacking and other cybercrime charges against an individual, eliminating the minimum $5,000 in damages requirement. It also makes it a felony, during any one-year period, to damage ten or more government or financial institution computers, and directs the U.S. Sentencing Commission to consider increasing its penalty guidelines for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems. Combined with the issuance early in 2008 of the FTC’s Identity Theft Red Flag Guidelines, these new legislative and regulatory initiatives are designed to combat what has become a crime wave of increasing dimensions.&lt;br /&gt;&lt;br /&gt;The proactive trend of the state legislatures began several years ago with California’s data security breach notification and security freeze laws, resulting in 44 states and the District of Columbia enacting the same or similar laws. The momentum has continued with many states strengthening identity theft laws concerning the protection from the public of social security numbers and personal information from credit cards. Massachusetts has moved in another new direction with a law that will become effective on May 1, 2009. The law was an addition to Massachusetts Laws Chapter on Security Breaches, and was expanded upon by administrative regulations. 
It applies to anyone who owns, stores or maintains the personal data about a resident of Massachusetts. The data that is stored electronically must be encrypted before it is transmitted over a public network or transmitted wirelessly, especially on portable devices such as laptop computers and Blackberries, as well as other portable devices such as flashdrives, cellphones and CDs. For this reason, according to some commentators, the law is a little ahead of its time, since the technology for encryption of portable devices is just starting to be developed. &lt;br /&gt;&lt;br /&gt;In addition to the computer system security requirements, the law imposes a duty to protect and standards for protecting personal information. Its requirements are similar to the federal Identity Theft Red Flag Guidelines requirements, effectively extending the federal regulations’ applicability well beyond the original class of “creditors,” as defined in the Guidelines, to all types of businesses. It requires the development and maintenance of a comprehensive, written information security program, that includes the designation of an employee responsible for the program, identifying foreseeable risks, ongoing employee training, employee compliance with policies and procedures, and processes for detecting and preventing security system failures. It requires disciplinary measures be imposed for violations of the program rules, the prevention of terminated employees from accessing records, and the taking of reasonable steps to verify that third-party service providers have the capacity to protect the personal data. It imposes data collection and retention standards and requires access be limited to those persons reasonably required to know, as well as restrictions on physical access.&lt;br /&gt;&lt;br /&gt;Nevada has also enacted a similar law that went into effect October 1, 2008. 
NRS 597.970 takes a different approach than Massachusetts to applicability, so that it only applies to businesses operating or “doing business in” the state of Nevada, without regard to where their customers reside. It imposes an encryption requirement as well, by simply stating that businesses in the state of Nevada “shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Of course, as with the Massachusetts law, the devil is in the details. The Nevada law defines “encryption” broadly to mean the use of any protective or disruptive measure (including cryptography, enciphering, encoding or a computer contaminant) to prevent or disrupt access to, or the normal operation of, any device, system or network, or to cause such data to be unintelligible or unusable. The definition raises more questions than it answers. While the definition of “personal information” is similar to that found in many data security laws, the questions of who is a customer and what constitutes “doing business” in Nevada have no clear answers. It could arguably apply to businesses with no physical presence in the state of Nevada, but which do business through an internet website. &lt;br /&gt;&lt;br /&gt;The Massachusetts law is enforceable only by the Massachusetts Attorney General. However, the Nevada law does not limit enforcement to its attorney general, nor does it contain any specific penalty provisions, so that the potential for a private lawsuit (including a class action suit) exists with no limit on damages. 
Companies operating nationally should consider whether their existing policies and procedures regarding the transmission of personal data meet the encryption and other requirements of these laws.&lt;br /&gt;&lt;br /&gt;Whether the Massachusetts and Nevada laws forecast a trend or whether they are isolated anomalies remains to be seen. But if recent experience with state enactment of security breach notification and security freeze statutes is any gauge, these two laws may very well signal the beginning of the next wave of state law initiatives designed to combat the growing phenomenon of identity theft.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4564816455189159669?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4564816455189159669/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4564816455189159669' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4564816455189159669'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4564816455189159669'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/will-anyone-be-ready-for-next-level-of.html' title='Will Anyone be Ready for the Next Level of Identity Theft Protection?'/><author><name>Jane Shea</name><uri>http://www.blogger.com/profile/17732636392484969702</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6999259808727195675</id><published>2009-01-06T18:28:00.000-08:00</published><updated>2009-01-06T18:49:25.193-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Nextadvisor'/><title type='text'>Reviews and Comparisons</title><content type='html'>Recently, I discovered (or, more accurately, was informed of) the site &lt;a href="http://www.nextadvisor.com"&gt;NextAdvisor&lt;/a&gt;, a web page which provides comparisons and reviews for a variety of services, including (of particular interest to readers of this blog) &lt;a href="http://www.nextadvisor.com/identity_theft_protection_services/index.php"&gt;Identity Theft&lt;/a&gt;, &lt;a href="http://www.nextadvisor.com/internet_security_software/index.php"&gt;Security Software&lt;/a&gt;, and &lt;a href="http://www.nextadvisor.com/online_backup_services/index.php"&gt;Online Backup Services&lt;/a&gt;.  They also have a &lt;a href="http://www.nextadvisor.com/blog"&gt;blog&lt;/a&gt; which has quick summaries of recent identity theft news items.  The blog appears to be updated relatively regularly, and the articles are fun in an offbeat sort of way (for example, &lt;a href="http://www.nextadvisor.com/online_backup_services/index.php"&gt;this&lt;/a&gt; article about a mother who pretended to be her daughter for cheerleading tryouts).  
Definitely a site to consider for some quick info or tidbits on identity theft.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6999259808727195675?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6999259808727195675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6999259808727195675' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6999259808727195675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6999259808727195675'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/reviews-and-comparisons.html' title='Reviews and Comparisons'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4015507889927345285</id><published>2009-01-04T16:40:00.000-08:00</published><updated>2009-02-01T19:09:28.763-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Antivirus 2009'/><title type='text'>Antivirus 2009</title><content type='html'>Over the holidays I had the intriguing experience of watching a computer get hijacked by a nasty piece of malware: Antivirus 2009.  
According to &lt;a href="http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009"&gt;this&lt;/a&gt; article from &lt;a href="http://www.bleepingcomputer.com"&gt;Bleeping Computer&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Antivirus 2009 is a new rogue anti-spyware program from the same family as Antivirus 2008 and Doctor Antivirus. Antivirus 2009 is installed and advertised through the use of misleading web sites that attempt to make you think your computer is infected with a variety of malware. Once installed, Antivirus 2009 will scan your computer and list a variety of fake infections that can't be removed unless you first purchase the software. These infections are fake, though, and only being shown to scare you into purchasing the software.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;What that article doesn't make clear is the fact that Antivirus 2009 (or at least the variant I was dealing with) will also cause a substantial slowdown in your computer's performance, and will cause your browser to display all manner of annoying pop-ups.  The other point about Antivirus 2009 that that article doesn't make clear is that Antivirus 2009 includes some relatively sophisticated countermeasures to prevent people from removing it from their system.  For example, the variant I was dealing with stopped my grandmother's computer (where it was installed) from accessing websites of antivirus vendors (e.g., &lt;a href="http://www.avg.com"&gt;AVG&lt;/a&gt;) and technical web sites which had instructions on how to remove it (e.g., Bleeping Computer).  Additionally, it also detected and prevented execution of removal tools that I was able to download on another system and install on the infected computer.  
I have to admit, I was impressed by the countermeasures the creators of Antivirus 2009 had included, as they made it MUCH harder to remove than the last virus I had to deal with (slammer).&lt;br /&gt;&lt;br /&gt;Anyway, as impressed as I was by the measures Antivirus 2009 took to prevent me from disabling it, the more interesting aspect of the program is that it even exists at all.  Antivirus 2009 isn't just a program that enrolls a computer in a botnet where it can be rented out for pump and dump schemes or to spew fake Viagra spam.  Instead, it appears to be connected with a business selling subscriptions which could, in theory, be shut down (or at least taken off the web).  Therefore, it should be possible to file suit against the business connected with Antivirus 2009 (i.e., the people selling the software using bogus virus notifications).  My guess is that either the people behind the software don't know that what they're doing is illegal (highly unlikely) or they think that whatever profit they can make between the time they released their software and the time a court inevitably shuts them down will be enough to compensate them for their efforts in creating their malware.  Either way, the fact that Antivirus 2009 exists raises serious questions about whether the law can function as a deterrent to even the most blatant cybercrime.&lt;br /&gt;&lt;br /&gt;PostScript:  One other point of interest on the Antivirus 2009 front: both the FTC and Microsoft have filed suit against fake antivirus companies (see &lt;a href="http://garwarner.blogspot.com/2008/12/ftc-moves-against-fake-av-scareware.html"&gt;here&lt;/a&gt;).  My suspicion is that these suits will accomplish nothing, as the companies are probably set up with pseudonyms, and the people behind them will vanish into the woodwork long before any court can find them.  
However, I would very much like to be wrong, and I would be quite happy to see the FTC and/or Microsoft being awarded (and collecting) some sizeable judgments.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Update:&lt;/span&gt;  As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009.  They sent me a link, and I added it in &lt;a href="http://ephemerallaw.blogspot.com/2009/01/malwarebytes-link.html"&gt;this&lt;/a&gt; post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4015507889927345285?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4015507889927345285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4015507889927345285' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4015507889927345285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4015507889927345285'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2009/01/antivirus-2009.html' title='Antivirus 2009'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3322345662406849333</id><published>2008-12-28T16:07:00.001-08:00</published><updated>2008-12-28T16:08:43.767-08:00</updated><title type='text'>Holidays</title><content 
type='html'>In case anyone was wondering:&lt;br /&gt;&lt;br /&gt;No, I'm not dead.&lt;br /&gt;Yes, I do intend to continue to post.&lt;br /&gt;No, I don't intend to do so before the first Monday of 2009.&lt;br /&gt;&lt;br /&gt;So happy new year to all, and I'll be back in about a week.&lt;br /&gt;&lt;br /&gt;-William Morriss&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3322345662406849333?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3322345662406849333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3322345662406849333' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3322345662406849333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3322345662406849333'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/12/holidays.html' title='Holidays'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1510340213423090679</id><published>2008-12-14T15:38:00.000-08:00</published><updated>2008-12-14T16:12:44.522-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sony'/><category scheme='http://www.blogger.com/atom/ns#' term='COPPA'/><category scheme='http://www.blogger.com/atom/ns#' term='section 5 FTC act'/><category scheme='http://www.blogger.com/atom/ns#' 
term='settlements'/><title type='text'>Self Inflicted Wounds</title><content type='html'>Massive data security breaches get lots of headlines, which makes sense, since big numbers (e.g., 94 million records stolen) are an easy way to capture attention.  Similarly, security breaches also come with a built in and easily understandable storyline - hackers from somewhere breached the (usually poorly implemented or obsolete) defenses of some large company, exposing large numbers of innocent consumers to an increased risk of losing money due to various forms of fraud.  However, while security breaches generate easy headlines and narratives, it's important to remember that, totally independent of hackers, companies can get in trouble for improperly collecting or exploiting user data.&lt;br /&gt;&lt;br /&gt;The newest object lesson on this point is Sony, which has agreed to pay a $1,000,000 penalty to settle charges that it violated the &lt;a href="http://www.ftc.gov/ogc/coppa1.htm"&gt;Children's Online Privacy Protection Act&lt;/a&gt; and &lt;a href="http://www.ftc.gov/ogc/FTC_Act_IncorporatingUS_SAFE_WEB_Act.pdf"&gt;section 5 of the FTC act&lt;/a&gt; (FTC press release &lt;a href="http://www.ftc.gov/opa/2008/12/sonymusic.shtm"&gt;here&lt;/a&gt;, via &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9123219&amp;taxonomyId=84&amp;intsrc=kc_top"&gt;this story&lt;/a&gt; from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;).  The upshot of the complaint filed by the FTC was that Sony knowingly obtained personal information from at least 30,000 children without their parents' consent (alleged COPPA violation) and falsely stated that it restricted children under the age of 13 from participating in Sony's online activities (alleged FTC act violation).  Thus, it was Sony's websites functioning for their intended purpose, not hackers, that hurt Sony in this case.  
&lt;br /&gt;&lt;br /&gt;So how can companies avoid being in the position to pay seven figure settlements?  My recommendation is to talk to a lawyer in the area who knows what he/she is doing, and to have that lawyer stay in contact with the marketing people who are responsible for the design and operation of a website.  The staying in contact part can be particularly important.  For example, as shown in the &lt;a href="http://www.ftc.gov/opa/2004/07/gateway.shtm"&gt;Gateway Learning case&lt;/a&gt;, even if a company is acting properly when an information collection program is first launched, changes made later on (e.g., starting to sell consumer data in violation of a privacy policy that said consumer data would not be sold) can expose a company to liability.  My guess is that something similar happened with Sony, where the lawyers were probably consulted early in the process, but, later on, changes were made which weren't run by the lawyers first.  Hopefully, settlements like Sony's will provide an incentive for other companies not to follow that same path.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1510340213423090679?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1510340213423090679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1510340213423090679' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1510340213423090679'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1510340213423090679'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/12/self-inflicted-wounds.html' 
title='Self Inflicted Wounds'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4571642473346468672</id><published>2008-12-08T18:17:00.000-08:00</published><updated>2008-12-08T18:55:54.922-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='computer fraud and abuse act'/><title type='text'>Too Much Protection for Computer Security</title><content type='html'>Generally, I find that my posts advocate additional protections for data privacy, and argue that people don't pay enough attention to security.  This post is the exception, where I unequivocally state that people should not be criminally liable for violating a website's terms of service, even if such a violation may technically be prohibited by the computer fraud and abuse act.  As is admirably laid out in &lt;a href="http://blog.wired.com/27bstroke6/2008/12/can-lori-drew-v.html"&gt;this&lt;/a&gt; post in the &lt;a href="http://www.wired.com"&gt;Wired&lt;/a&gt; threat level blog, the consequences of attaching criminal liability to a terms of service violation would be severe.  However, while that post argues that a criminal conviction based on a terms of service violation is likely to be overturned, I'm not so sure.  The computer fraud and abuse act can be analogized, roughly, to a criminal trespass statute.  While I doubt that Congress intended to make random terms of service violations criminal acts when it passed the CFAA, in the real world criminal trespass can be based on entry onto the land of another in violation of restrictions placed on entry by the owner (see &lt;a href="http://codes.ohio.gov/orc/2911.21"&gt;ORC 2911.21(A)(2)&lt;/a&gt;).  
Thus, it wouldn't be such a stretch to imagine that the application of the CFAA to a terms of service violation will be upheld.  True, I think it would be a bad result, but it would be a result that would not be outside the realm of the possible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4571642473346468672?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4571642473346468672/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4571642473346468672' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4571642473346468672'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4571642473346468672'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/12/too-much-protection-for-computer.html' title='Too Much Protection for Computer Security'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9032241256567370084</id><published>2008-11-30T15:55:00.000-08:00</published><updated>2008-11-30T16:58:44.873-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='obama'/><category scheme='http://www.blogger.com/atom/ns#' term='email'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><title type='text'>Giving up Email</title><content type='html'>How long could 
you live without email?  What would it cost in terms of lost productivity and increased difficulty and expense of communication?  &lt;br /&gt;&lt;br /&gt;I know that I could live without email.  I suspect that doing so would significantly decrease my productivity (a suspicion supported by &lt;a href="http://www.voxeu.org/index.php?q=node/216"&gt;this&lt;/a&gt; study of the impact of email on productivity in a white collar environment).  There would unquestionably be a period of adjustment when I would be most unhappy to lose what is probably my primary means of communication with friends and clients.&lt;br /&gt;&lt;br /&gt;Now, Barack Obama is facing the prospect of losing his ability to use email (see article &lt;a href="http://www.nytimes.com/2008/11/16/us/politics/16blackberry.html"&gt;here&lt;/a&gt;).  The short version of why is that there are concerns that email isn't secure enough for presidential communications, and the White House doesn't want the president to create an email paper trail which could potentially be subpoenaed.  To me, this is crazy.  Other secrecy sensitive professions, such as lawyers (who have to protect client confidences) have managed to make peace with the limitations of email and embraced it as a useful tool (see, e.g., &lt;a href="http://www.mncourts.gov/lprb/fc99/fc020899.html"&gt;this opinion&lt;/a&gt; regarding usage of cell phones and email by lawyers).  Now, it's true that the president has information (e.g., plans for the conduct of war) which is substantially more important than the confidential information lawyers have access to.  However, there's no reason for the president to be completely cut off from email.  &lt;br /&gt;&lt;br /&gt;So, given that most people are not, and will never be, president, what significance does this have for the day to day lives of ordinary individuals?  Only this: I don't think Obama will do it.  Even back in 2000, George W. Bush lamented having to give up his email.  
Since 2000, people's usage of email has increased dramatically (compare &lt;a href="http://www.networkworld.com/archive/2000/85764_01-31-2000.html?nf"&gt;this&lt;/a&gt; article from 2000 which predicted email usage of about 9 megs/day/person in 2001, with &lt;a href="https://h30046.www3.hp.com/campaigns/2005/promo-evolution/1-1LRYR/images/Preview_Radicati.pdf"&gt;this&lt;/a&gt; white paper which puts email usage at 19.3 megs/day/person in 2008) and Obama is a famously wired individual.  I predict (though I realize that there is a note of wishful thinking in this prediction) that Obama will rebel against the prohibition on email, and will use his position as the most powerful person in the world to do something about it.  Maybe he'll request that technology be put in place that will make his emails more secure, and that technology will eventually become available to the public at large.  Maybe he'll propose tougher laws or regulations on network service providers so that email becomes a more secure medium of communication.  
Whatever the case, if Obama takes action to make being a wired professional more consistent with the heightened security requirements of being president, it can't help but have positive security implications for the country as a whole.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9032241256567370084?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9032241256567370084/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9032241256567370084' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9032241256567370084'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9032241256567370084'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/11/giving-up-email.html' title='Giving up Email'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3518977022349628602</id><published>2008-11-23T18:53:00.000-08:00</published><updated>2008-11-23T19:08:37.097-08:00</updated><title type='text'>New Blogs (Update)</title><content type='html'>Back in June, I put up a post about the (then new) blog &lt;a href="http://jtidtheftblog.blogspot.com/"&gt;Identity Theft and Business&lt;/a&gt;, highlighting it as a resource for news and information on identity theft.  
In the comments to that post, several bloggers put up links to their own blogs, which I wanted to repost here, since, as I said in the &lt;a href="http://ephemerallaw.blogspot.com/2008/06/new-identity-theft-blog.html"&gt;June post&lt;/a&gt;, the run of the mill stories about the latest thousand, or million, or ten million records being exposed get old fast, so new sources of informed comment can be good to have.&lt;br /&gt;Anyway, without further ado, I'd like to highlight the &lt;a href="http://www.identitytheftdaily.com/"&gt;Identity Theft Daily&lt;/a&gt;, and &lt;a href="http://www.identitytheft.com/"&gt;Identity Theft.com&lt;/a&gt; (featuring &lt;a href="http://www.identitytheft.com/index.php/blog/sarah"&gt;Sarah Smith&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;Also, from the random rhetorical question file: will the fact that &lt;a href="http://www.cbc.ca/technology/story/2008/11/21/tech-obama.html"&gt;Barack Obama's cell phone records were breached&lt;/a&gt; lead to broad support for privacy protective legislation since it shows that people on all parts of the political spectrum are vulnerable, or will it simply be another quickly forgotten blip in today's 24 hour news cycle?  
My cynical guess is the latter, but I suppose one can always hope...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3518977022349628602?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3518977022349628602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3518977022349628602' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3518977022349628602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3518977022349628602'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/11/new-blogs-update.html' title='New Blogs (Update)'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9067669864820202333</id><published>2008-11-17T18:08:00.000-08:00</published><updated>2008-11-17T18:53:23.236-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='state legislation'/><category scheme='http://www.blogger.com/atom/ns#' term='Massachusetts Encryption Law'/><category scheme='http://www.blogger.com/atom/ns#' term='HIPAA'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><title type='text'>Encryption and the Law</title><content type='html'>Encryption technology is so commonplace, one might think that it would be required by basically all information security laws 
and regulations.  However, as discussed in the comments to &lt;a href="http://ephemerallaw.blogspot.com/2008/11/333000-unencrypted-records-exposed.html"&gt;yesterday's post&lt;/a&gt;, encryption isn't even required by HIPAA, one of the most well known information security laws on the books.  Well, as was the case with data breach notification laws, states are stepping up to fill the void left by the Federal Government.  For example, as discussed in &lt;a href="http://www.theemailadmin.com/2008/10/massachusetts-encryption-law-even-stricter-than-nevadas/"&gt;this&lt;/a&gt; post at &lt;a href="http://www.theemailadmin.com"&gt;The Email Admin&lt;/a&gt;, Massachusetts is set to implement legislation requiring encryption of personal data for its residents (rule &lt;a href="http://www.mass.gov/?pageID=ocaterminal&amp;L=3&amp;L0=Home&amp;L1=Consumer&amp;L2=Identity+Theft&amp;sid=Eoca&amp;b=terminalcontent&amp;f=idtheft_201cmr17&amp;csid=Eoca#1703"&gt;here&lt;/a&gt;).  It is this kind of law (+ private rights of action) that I was referring to when I said if people want legal protection they should work to get new laws passed.  The Federal Government is slow, and generally lags far behind.  
If consumers really want to make a change, the place to do it is at the state, not the federal, level.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9067669864820202333?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9067669864820202333/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9067669864820202333' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9067669864820202333'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9067669864820202333'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/11/encryption-and-law.html' title='Encryption and the Law'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4231009265906392521</id><published>2008-11-16T15:56:00.000-08:00</published><updated>2008-11-16T17:08:20.911-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data security breach'/><category scheme='http://www.blogger.com/atom/ns#' term='limits to lawsuits'/><category scheme='http://www.blogger.com/atom/ns#' term='notification laws'/><title type='text'>333,000 Unencrypted Records Exposed a Month Ago</title><content type='html'>In the "wow, that sounds bad" category, the University of Florida announced on November 12 that on October 3, they discovered 
that 333,000 unencrypted records for patients at the college of dentistry had been potentially accessed by unauthorized individuals.  To make matters worse, the breach itself was caused when malware was remotely installed on the University's system.  To make matters even worse, the malware was only discovered during a server upgrade (rather than, say, because the University's system detected and prevented installation of the malware).  So, to recap, the facts (as set forth in &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Security&amp;articleId=9120188&amp;taxonomyId=17&amp;pageNumber=1"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;) are: (1) more than a quarter million records exposed; (2) notification takes more than a month after discovery; (3) records were patient records; (4) that were kept unencrypted; (5) on a system which was vulnerable to remote installation of malware; and (6) no automated security systems detected the remotely installed software.&lt;br /&gt;&lt;br /&gt;Now, as it happens, I've presented the facts in such a way as to accentuate the negative, and I've done so to make a point: you aren't as protected as you think.  While I don't know all the facts about this breach, simply from the facts I do know, it's not clear that any laws were broken either before or after the breach took place (other than the remote installation of the malware, of course).  The HIPAA security standard regarding encryption (&lt;a href="http://edocket.access.gpo.gov/cfr_2003/octqtr/pdf/45cfr164.312.pdf"&gt;45 CFR 164.312(a)(2)(iv)&lt;/a&gt;) states that encryption of data is an addressable standard, not a required one.  
Similarly, &lt;a href="http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&amp;amp;Search_String=&amp;amp;URL=Ch0817/SEC5681.HTM&amp;amp;Title=-%3E2006-%3ECh0817-%3ESection%205681#0817.5681"&gt;Florida's security breach notification act&lt;/a&gt; gives a 45 day period for when notice can take place, so the month+ delay in this case could be (and, according to a spokesman, actually is) within Florida's law.  Of course, even if there had been flagrant violations of both HIPAA and Florida's notification law, that wouldn't make much difference to the individuals whose information was exposed.  Neither HIPAA nor Florida's law provides for a private right of action.&lt;br /&gt;&lt;br /&gt;The bottom line?  Laws relating to privacy and information security aren't as comprehensive or as effective as consumers may think.  If people really want legal protection for their personal information, they should work to get new laws passed, not simply rely on the laws on the books.  Otherwise, they could be in for a sad surprise when and if they try to go to court for redress when their own information is exposed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4231009265906392521?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4231009265906392521/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4231009265906392521' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4231009265906392521'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4231009265906392521'/><link rel='alternate' type='text/html' 
href='http://ephemerallaw.blogspot.com/2008/11/333000-unencrypted-records-exposed.html' title='333,000 Unencrypted Records Exposed a Month Ago'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7745970809712883586</id><published>2008-11-09T16:55:00.000-08:00</published><updated>2008-11-09T17:29:35.400-08:00</updated><title type='text'>Really valuable information</title><content type='html'>Before the election, I noted that private information of Samuel "Joe the Plumber" Wurzelbacher had been stolen, and it had been stolen in such a way (no way to know who had logged into the system, test account open for years, multiple individuals using the same log on information) that it seemed that someone had really dropped the ball on security.  However, lest I give the impression that people's information is only menaced by insecure government (or large corporate) systems, I would like to present the example of &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9119539&amp;intsrc=hm_list"&gt;the Intel Itanium Processor&lt;/a&gt;.  The design for the Itanium processor, like Joe the Plumber's personal information, was stolen.  This is true even though the Itanium processor was undoubtedly protected by the most sophisticated security available.&lt;br /&gt;&lt;br /&gt;The moral of the story - if it has value, it is at risk of being stolen.  
Whether your personal information is stored on a government server with minimal security, or on a corporate server with encryption limited access, there is no such thing as complete safety.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7745970809712883586?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7745970809712883586/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7745970809712883586' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7745970809712883586'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7745970809712883586'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/11/really-valuable-information.html' title='Really valuable information'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6099838227318804195</id><published>2008-11-03T18:47:00.000-08:00</published><updated>2008-11-03T19:25:53.256-08:00</updated><title type='text'>Election eve privacy post</title><content type='html'>As you contemplate tomorrow's election, keep a place in your thoughts for Samuel Joseph Wurzelbacher, aka "Joe the Plumber."  Of course, everyone knows the world's most famous plumber from John McCain's decision to repeatedly invoke him during his October 15 debate with Barack Obama. 
 However, Joe the Plumber is more than a symbol of the economic everyman.  He's also an example of the risks caused by the lax security at many government databases.  As described in &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=Standards+and+Legal+Issues&amp;articleId=9118348&amp;taxonomyId=146&amp;pageNumber=1"&gt;this&lt;/a&gt; article, Joe the Plumber's data was accessed using a test account created when Ohio's Law Enforcement Information Sharing Network was created - over four years ago.  Apparently, the test account was shared with several unidentified contractors when the system was being built, and was still available for whoever (currently no charges have been filed) accessed the Plumber's data.&lt;br /&gt;&lt;br /&gt;It's a little surprising that this type of screw up would have happened.  I count at least three glaring errors which never should have taken place that contributed.  First, there was a test account left open for &lt;span style="font-style:italic;"&gt;4 years&lt;/span&gt; after the deployment of the system.  Second, there were multiple contractors using the same account - in general, you should have a 1:1 user:account ratio.  Third, they didn't have good enough controls to know who was actually in the account.  Any system storing sensitive information should have logs which can be used to determine who accessed what and when.  All in all, it sounds like whoever was in charge of security really dropped the ball.&lt;br /&gt;&lt;br /&gt;Of course, that's why symbols like Joe the Plumber are valuable.  His data security incidents reflect the risks that face us all, and serve as a potent reminder that none of us are truly safe from having our private data compromised.&lt;br /&gt;&lt;br /&gt;And, on that happy note, I hope everyone (in the U.S.) 
has a great election day, and takes the time to vote.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6099838227318804195?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6099838227318804195/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6099838227318804195' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6099838227318804195'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6099838227318804195'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/11/election-eve-privacy-post.html' title='Election eve privacy post'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-5298941321602663404</id><published>2008-10-30T18:19:00.000-07:00</published><updated>2008-10-30T19:36:02.097-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software patents'/><category scheme='http://www.blogger.com/atom/ns#' term='Bilski'/><category scheme='http://www.blogger.com/atom/ns#' term='patent'/><category scheme='http://www.blogger.com/atom/ns#' term='business method patents'/><title type='text'>The Most Anticipated Patent Case Ever</title><content type='html'>Last year, Microsoft was hit with a $1,500,000,000 verdict in a patent infringement suit related to Mp3 technology (see 
&lt;a href="http://news.cnet.com/Microsoft-hit-with-1.5-billion-patent-verdict/2100-1030_3-6161480.html"&gt;here&lt;/a&gt;, later &lt;a href="http://blog.wired.com/music/2007/08/judge-throws-ou.html"&gt;thrown out&lt;/a&gt;).  In 2006, RIM agreed to pay over $600,000,000 to settle litigation related to the ubiquitous blackberry (see &lt;a href="http://money.cnn.com/2006/03/03/technology/rimm_ntp/"&gt;here&lt;/a&gt;).  Last year Vonage agreed to a $100,000,000+ settlement with Verizon over patents for VOIP technology (see &lt;a href="http://blog.tmcnet.com/blog/rich-tehrani/vonage/vonage-verizon-settle.html"&gt;here&lt;/a&gt;).  The bottom line is that patents for software are big money, which was why &lt;a href="http://www.cafc.uscourts.gov/opinions/07-1130.pdf"&gt;In re Bilski, a decision the Federal Circuit issued today&lt;/a&gt;, was so anticipated.  You see, many people had thought that Bilski might &lt;a href="http://lwn.net/Articles/277161/"&gt;put an end to software patents&lt;/a&gt;, or at least &lt;a href="http://bits.blogs.nytimes.com/2008/03/05/new-patentable-idea-a-way-to-invalidate-vague-patents/"&gt;curtail patent protection for business methods&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;My take on the subject was somewhat different.  As I explained in &lt;a href="http://www.patentbaristas.com/archives/2008/03/06/bilski-much-ado-about-almost-nothing/"&gt;this guest post&lt;/a&gt; at &lt;a href="http://www.patentbaristas.com"&gt;Patent Baristas&lt;/a&gt; I felt that it was unlikely Bilski would have much effect, and that even if the Federal Circuit wanted to, it couldn't eliminate software patents.  The reason was the Supreme Court's decision in the case of &lt;a href="http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=US&amp;vol=450&amp;invol=175"&gt;Diamond v. 
Diehr&lt;/a&gt; said that a patent couldn't be invalidated on the basis that it included software, as long as the claimed invention as a whole performs a function the patent laws were designed to protect (e.g., transforming or reducing an article to a different state or thing).  As I wrote in that guest post, &lt;br /&gt;"I can easily tie almost any process I write claims for to a computer, and it would be a trivial task to require that the computers make a physical change in an article (e.g., printing an invoice)," which meant that, based on Diamond v. Diehr, software patents were safe.&lt;br /&gt;&lt;br /&gt;So, what did the Federal Circuit do in Bilski?  Well, everyone who had anticipated the death of software patents was undoubtedly disappointed.  The Federal Circuit specifically addressed and smashed that hope: "we decline to adopt a broad exclusion over software or any other such category of subject matter beyond the exclusion of claims drawn to fundamental principles set forth by the Supreme Court."  Bilski, FN 23.  It also adopted a "machine-or-transformation" test for patent eligibility (from page 10 of the opinion): "A claimed process is surely patent-eligible under § 101 if: (1) it is tied to a particular machine or apparatus, or (2) it transforms a particular article into a different state or thing" - exactly the approach I had recommended in my guest post for obtaining patent protection for software inventions.  The Federal Circuit's reasoning was also strikingly similar to my guest post, including an extended discussion of Diamond v. Diehr (see pages 7-9 of the opinion) and used that case to answer potential objections based on arguably contrary Supreme Court precedent (see FN 8: "To the extent it may be argued that Flook did not explicitly follow the machine-or-transformation test first articulated in Benson, we note that the more recent decision in Diehr reaffirmed the machine-or-transformation test. See Diehr, 450 U.S. at 191-92. 
Moreover, the Diehr Court explained that Flook 'presented a similar situation' to Benson and considered it consistent with the holdings of Diehr and Benson. Diehr at 186-87, 189, 191-92. We thus follow the Diehr Court's understanding of Flook.").&lt;br /&gt;&lt;br /&gt;The bottom line is that Bilski reaffirmed the patentability of computer software, and did so in a manner which was strikingly similar to what I had predicted some 7 months previously (the guest post went up on March 6, while the actual decision came down October 30).  For the future, this can be a lesson: if there's a billion dollar patent law question, you can either wait for the court to decide it, or you can ask me, and I'll tell you the answer.&lt;br /&gt;&lt;br /&gt;NOTE: While I'm aware that this blog primarily focuses on the law related to information security and data privacy, when I read Bilski I had an almost irresistible urge to crow about my previous analysis being validated.  Thus, given that blogs are basically tailor-made platforms for self promotion, I felt that this would be as good a platform as any to engage in a bit of self-congratulation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-5298941321602663404?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/5298941321602663404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=5298941321602663404' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5298941321602663404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5298941321602663404'/><link rel='alternate' type='text/html' 
href='http://ephemerallaw.blogspot.com/2008/10/most-anticipated-patent-case-ever.html' title='The Most Anticipated Patent Case Ever'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6332490198745066015</id><published>2008-10-28T17:17:00.000-07:00</published><updated>2008-10-28T17:23:10.655-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='red flag rules'/><category scheme='http://www.blogger.com/atom/ns#' term='FTC'/><title type='text'>Red Flag Rules Delayed</title><content type='html'>Happy news for all organizations which would have been affected by the FTC's red flag rules: the deadline for enforcement of the rules has been pushed back six months from its original date of November 1, 2008.  The rule requires that creditors and financial institutions implement identity theft prevention programs, but the FTC found that many companies needed more time to come into compliance. The new enforcement deadline is May 1, 2009. 
In its statement, the FTC said that the extension does "not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance."&lt;br /&gt;&lt;br /&gt;We (and by we, I mean my colleague Jane Shea) previously wrote about the red flag rules &lt;a href="http://ephemerallaw.blogspot.com/2008/02/red-flag-identity-theft-rules-apply-to.html"&gt;here&lt;/a&gt; and &lt;a href="http://ephemerallaw.blogspot.com/2008/01/fair-and-accurate-credit-transactions.html"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6332490198745066015?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6332490198745066015/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6332490198745066015' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6332490198745066015'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6332490198745066015'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/10/red-flag-rules-delayed.html' title='Red Flag Rules Delayed'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4068189442159975303</id><published>2008-10-20T17:29:00.000-07:00</published><updated>2008-10-20T19:22:17.510-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='self protection'/><category scheme='http://www.blogger.com/atom/ns#' term='best practices'/><category scheme='http://www.blogger.com/atom/ns#' term='recovery'/><title type='text'>Consumer Self-Protection</title><content type='html'>Yesterday I posted about &lt;a href="http://ephemerallaw.blogspot.com/2008/10/weaknesses-in-government-systems.html"&gt;weaknesses in systems deployed by the IRS&lt;/a&gt;.  In that post, I used the weaknesses as an example of the limits of government regulation, given that they showed that even the government itself couldn't keep its house in order.  However, something I didn't explicitly address in that post is that the weaknesses in the IRS' systems also demonstrate that there are serious limits on what consumers can do to prevent their information from being compromised.  After all, you can't avoid paying taxes, and, by definition, the information held by the IRS is highly sensitive financial data.  The result is that, simply by virtue of being an American and following the law, your information is at risk.*&lt;br /&gt;&lt;br /&gt;So what can ordinary consumers do to protect themselves?  In the case of information security, for individuals, I'd say that an ounce of cure is worth a pound of prevention.  That is, rather than worrying about protecting your data (which should be the responsibility of the merchants/government entities your data is entrusted to), individual consumers should worry about how they'll find out and deal with it if their data is compromised.  
Easy steps like credit monitoring, promptly disputing unauthorized charges, and maintaining backup accounts/lines of credit in case one gets frozen as a result of fraud can make recovering from data compromises, which are extremely hard to prevent, a substantially less miserable experience.&lt;br /&gt;&lt;br /&gt;*As a note, I don't mean to single the IRS out as an exceptionally bad actor.  Indeed, if you compare the IRS' security practices with security practices at TJX before their big breach, I think the IRS comes out way ahead.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4068189442159975303?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4068189442159975303/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4068189442159975303' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4068189442159975303'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4068189442159975303'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/10/consumer-self-protection.html' title='Consumer Self-Protection'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6206224186771781282</id><published>2008-10-19T16:06:00.000-07:00</published><updated>2008-10-19T17:28:44.515-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='culture'/><category scheme='http://www.blogger.com/atom/ns#' term='IRS'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><title type='text'>Weaknesses in Government Systems</title><content type='html'>According to &lt;a href="http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf"&gt;this&lt;/a&gt; report (&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9117447"&gt;via&lt;/a&gt;), the IRS deployed two major software systems, its Customer Account Data Engine (CADE), and its Account Management Services (AMS) system, despite the existence of "known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery."  Obviously, this is a problem.  Indeed, given some of the vulnerabilities noted in the &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt; article summarizing the report (e.g., failure to encrypt data either in storage or transit), the IRS systems wouldn't even pass the private sector PCI Data Security Standard, let alone government imposed standards such as those in HIPAA.  &lt;br /&gt;&lt;br /&gt;The interesting part of the report, though, is not that the IRS deployed systems with flaws.  Frankly, while that part may be depressing, similar mistakes take place in both the public and private spheres frequently enough that the existence of one more flawed system doesn't really raise my attention.  What interests me about the report is that it shows the limits on what you can do with regulation.  The IRS has specific guidelines and requirements for handling data that, in theory, should have prevented the deployment of systems with known vulnerabilities.  
Moreover, as the report noted, the IRS had implemented development policies which "require security and privacy safeguards to be planned for and designed in the early phases of a system’s development life" - something that many private sector businesses would benefit from doing.  The problem was that the IRS' cybersecurity organization knew about the vulnerabilities and accepted them anyway - in other words, it decided to save money by skimping on security for taxpayer information.  With that kind of culture (which I find a bit surprising in government) it's not likely that an organization will have good security, regardless of how heavily regulated it is.&lt;br /&gt;&lt;br /&gt;So how do you create a security-conscious culture?  The easy answer is feedback.  Make sure that there are rewards for doing things right, penalties for doing things wrong, and that the rewards and penalties (as well as what counts as right and wrong) are well known.  Unfortunately, that easy answer is only easy in theory.  In practice it's really hard to implement, and involves things like keeping open lines of communication, making sure decision makers pay attention to security even though it doesn't contribute directly to the bottom line, and educating people about what resources are available in an organization to provide decision support on security issues.  While it seems that there is a slow change underway from a culture where consumer data is treated only as something to be valued, to a culture where it's viewed as something to be protected, that change is very slow indeed.  
Before the change is complete, I think there will be many more reports revealing that large entities (both public and private) have undervalued securing consumer data.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6206224186771781282?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6206224186771781282/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6206224186771781282' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6206224186771781282'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6206224186771781282'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/10/weaknesses-in-government-systems.html' title='Weaknesses in Government Systems'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1611087215983503345</id><published>2008-10-12T17:55:00.000-07:00</published><updated>2008-10-13T03:30:38.455-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data privacy'/><title type='text'>Can Privacy Come Back?</title><content type='html'>In &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=326821"&gt;this&lt;/a&gt; interview at &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt; private 
investigator Steve Rambam argues that "Privacy is dead. Get over it. You can't put the genie back in the bottle."  His argument seems to be based in large part on his own database, which supposedly contains &lt;blockquote&gt;pretty much every American's name, address, date of birth, Social Security number, telephone number, personal relationships, businesses, motor vehicles, driver's licenses, bankruptcies, liens, judgments [etc...]&lt;/blockquote&gt;&lt;br /&gt;He uses that database, as well as advances in computer technology and changes in government policy, to make the case that more and more information is becoming available about people, and that privacy is a thing of the (rapidly receding) past.&lt;br /&gt;&lt;br /&gt;My belief is that Rambam is wrong.  I'm willing to concede that the state of individual privacy right now is pretty grim (though I don't think it's dead).  However, there is a substantial disconnect between observing that things are bad now, and concluding that they'll never get better in the future.  Indeed, as my own contribution to putting Rambam's genie back in the bottle, I would like to present the following things people can do to use the law to help privacy:&lt;br /&gt;1)  Remember the FTC.  While people generally have little success in suits alleging damages based on exposure of their personal data, the FTC has broad enforcement authority to combat unfair and deceptive trade practices.  That means that if a company isn't following its privacy policy, or if it's saying it values privacy while it actually sells your personal information to the highest bidder, a complaint to the FTC could be a way to deal with it.&lt;br /&gt;2)  Watch the EULAs.  As I have written before (e.g., &lt;a href="http://ephemerallaw.blogspot.com/2007/07/privacy-and-contract.html"&gt;here&lt;/a&gt;) contract law in general, and abusive end-user license agreements in particular, present a serious threat to privacy.  
Thus, when someone asks you to click before continuing, read what it is that you're being asked to agree to and, if it's abusive, don't agree.  In fact, not only should you refuse to agree, you should also complain.  While generally consumer complaints are of questionable effectiveness, if a company is interested in its image, they can lead to changes in behavior (e.g., Google &lt;a href="http://www.guardian.co.uk/technology/blog/2008/sep/04/googlechromeandnowthecomi"&gt;Chrome&lt;/a&gt;).&lt;br /&gt;3)  Know your rights.  For example, the Fair and Accurate Credit Transactions Act prohibits printing complete credit or debit card numbers on receipts.  By being aware of their rights, consumers can know how to protect themselves and their privacy, either by enforcing their rights themselves (e.g., through a private suit) or through others (e.g., by bringing an FTC complaint).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1611087215983503345?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1611087215983503345/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1611087215983503345' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1611087215983503345'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1611087215983503345'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/10/can-privacy-come-back.html' title='Can Privacy Come Back?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-9068677265446165650</id><published>2008-10-08T18:04:00.000-07:00</published><updated>2008-10-08T18:09:58.912-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Lemon Laws'/><title type='text'>Ohio Lemon Law: What’s Covered and What Isn’t</title><content type='html'>Today, Sergei Lemberg, a lemon law attorney who normally blogs at &lt;a href="http://www.lemonjustice.com/blog"&gt;LemonJustice&lt;/a&gt;, discusses what you need to know about new car lemons.&lt;br /&gt;&lt;br /&gt;With all of the cars, SUVs, trucks, motorcycles, and RVs being manufactured in the U.S. and abroad, it’s reasonable to expect that some will have defects. After all, vehicles are incredibly complex pieces of machinery and a lot of things can go wrong. In the best-case scenario, any defects that weren’t caught by quality assurance are quickly repaired by the dealer. In the worst-case scenario, you have a vehicle with pronounced defects that make it run poorly, that constitute a safety hazard, or that reduce its value – and the dealer or manufacturer refuses to buy back or replace it. &lt;br /&gt;&lt;br /&gt;When that happens, Ohio lemon law can come to the rescue. Ohio lemon law covers new passenger vehicles, SUVs, vans, trucks, and motorcycles that are purchased or leased in Ohio. The motorized portions of RVs are also covered, as are used cars that are purchased within one year or 18,000 miles of delivery to the original owner.&lt;br /&gt;&lt;br /&gt;Although it doesn’t cover minor defects (like a non-working stereo system), the lemon law does force the manufacturer to stand by its product. 
In order for the lemon law to apply to new vehicles, the defects have to occur during the first year from the delivery date or the first 12,000 miles on the odometer – whichever comes first. In addition, the vehicle must have been taken in one time for a problem that could cause serious injury or death or eight times for different problems. Alternatively, the vehicle can have been out of service for a cumulative total of 30 calendar days. In addition, you have to notify the manufacturer in writing of the defect within one year from the delivery date or the first 18,000 miles (whichever comes first). &lt;br /&gt;&lt;br /&gt;If you think you have a lemon, you have to take part in the manufacturer’s dispute resolution process (if one exists) before going to court. Before you begin, though, you should have a lemon law lawyer by your side. After all, you can be sure that the manufacturer’s team of legal eagles will be there to fight your claim every step of the way. The good news is that, if your claim is successful, the manufacturer has to pay your attorney fees. Often, with the help of a lawyer, you can get a refund, replacement vehicle, or cash settlement without having to go through the entire lemon law process – and get your attorney’s fees covered in the process.&lt;br /&gt;&lt;br /&gt;Whenever you buy a new or used vehicle, it’s important to know your rights. 
And, if you think your vehicle is a lemon, it pays to persevere to make the manufacturer stand by its product.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-9068677265446165650?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/9068677265446165650/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=9068677265446165650' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9068677265446165650'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/9068677265446165650'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/10/ohio-lemon-law-whats-covered-and-what.html' title='Ohio Lemon Law: What’s Covered and What Isn’t'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2725944755877098692</id><published>2008-09-28T15:18:00.000-07:00</published><updated>2008-09-28T16:44:40.457-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity Theft'/><title type='text'>Why So Apathetic?</title><content type='html'>Every so often, I see expressions of frustration from identity theft professionals, or people who care about data privacy in general, that people are so inexplicably apathetic.  
For example, in the comments to a &lt;a href="http://ephemerallaw.blogspot.com/2008/06/new-identity-theft-blog.html"&gt;previous post&lt;/a&gt;, Jason Dickens at &lt;a href="http://www.prosperityprotection.com/"&gt;Prosperity Protection&lt;/a&gt; opined that "The general public just doesn’t take this stuff seriously."  Similarly, my friend &lt;a href="http://www.blogger.com/profile/06879350108081500723"&gt;Jack Dunning&lt;/a&gt; temporarily shuttered his blog because of what he saw as public apathy (see &lt;a href="http://thedunningletter.blogspot.com/2008/06/final-edition-of-dunning-letter-thats.html"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;As I have noted &lt;a href="http://ephemerallaw.blogspot.com/2007/09/is-privacy-worthless.html"&gt;before&lt;/a&gt;, while consumers are, in fact, appallingly apathetic about their privacy, they are highly concerned about identity theft.  In my previous post, I recommended that, if you want someone to care about privacy, you should try to explain that lack of privacy leads to a greater risk of identity theft.  However, it occurs to me that there's more to it than just drawing the connection between privacy and identity theft.  Consumers also need to know that what appears to be a common approach to trying to protect against identity theft - curtailing online shopping - isn't appropriate.  A good example of this approach, and its ineffectiveness, is provided by &lt;a href="http://www.dmnews.com/Online-shoppers-worries-over-ID-theft-grow/article/97963/"&gt;this&lt;/a&gt; article, which stated that, as a result of (then) recent data security breaches, some consumers were refusing to make credit or debit card purchases with online merchants they didn't know.  Of course, even ceasing to do business over the internet entirely would do absolutely nothing to protect against something like the TJX breach, where thieves exploited vulnerabilities in network security at TJX's brick and mortar stores.  
&lt;br /&gt;&lt;br /&gt;Once consumers have a more realistic understanding of the ways that identity theft actually takes place (and yes, obviously internet use is a part of it, as the continued popularity of phishing scams shows), I would think it would be substantially easier to convince them that they'd be better off paying attention to their privacy than they would be retreating from the internet.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2725944755877098692?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2725944755877098692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2725944755877098692' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2725944755877098692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2725944755877098692'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/09/why-so-apathetic.html' title='Why So Apathetic?'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7348477664484255824</id><published>2008-09-22T17:24:00.000-07:00</published><updated>2008-09-22T18:09:31.989-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='section 5 FTC act'/><category scheme='http://www.blogger.com/atom/ns#' term='regulation'/><category 
scheme='http://www.blogger.com/atom/ns#' term='online advertising'/><title type='text'>Self-Regulation by Advertisers</title><content type='html'>According to &lt;a href="http://www.mediapost.com/publications/?fa=Articles.showArticleHomePage&amp;art_aid=91078"&gt;this&lt;/a&gt; article from &lt;a href="http://www.mediapost.com/home/"&gt;Media Post&lt;/a&gt; the &lt;a href="http://www.iab.net"&gt;Interactive Advertising Bureau&lt;/a&gt; is pushing for the creation of an industry body to create non-governmental rules to protect consumer privacy online.  The goal of this self-regulation, as is the case with most self-regulation, is to prevent actual regulations from being imposed by Congress.  While generally, consumers appear apathetic about their privacy online, it appears that advertisers might have reason to worry.  Specifically, Eileen Harrington deputy director of the Bureau of Consumer Protection, Federal Trade Commission has said that online privacy is a hot issue in Washington right now, and compared the situation of on-line advertisers to that of telemarketers before the government established the national Do-Not-Call-List.  Given that kind of comparison, it makes sense that advertisers are thinking about regulating themselves, so they can convince Congress that regulation by government isn't necessary.&lt;br /&gt;&lt;br /&gt;Of course, the elephant in this particular room is that it's too late - section 5 of the FTC act, which prohibits unfair or deceptive trade practices, already covers online advertisers.  Moreover, the FTC already uses its authority under section 5 to prosecute online advertisers.  For example, currently on &lt;a href="http://www.ftc.gov/privacy/"&gt;the FTC's privacy site&lt;/a&gt; there's a link to an article about a 2.9 million dollar settlement which was wrung out of online advertiser ValueClick (link &lt;a href="http://www.ftc.gov/opa/2008/03/vc.shtm"&gt;here&lt;/a&gt; so it isn't lost when the FTC's site is updated).  
While I can understand the IAB's desire to forestall more regulation, if their goal was to avoid any regulation, they're about 70 years too late.&lt;br /&gt;&lt;br /&gt;Bonus non-legal observation: when you're making a comparison, do not say the following: "It's the same issue. What's really changed, really, is everything."  It completely undermines whatever point you were trying to make by the comparison, and makes your reader/listener wonder why you drew the comparison between such dissimilar things in the first place.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7348477664484255824?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7348477664484255824/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7348477664484255824' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7348477664484255824'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7348477664484255824'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/09/self-regulation-by-advertisers.html' title='Self-Regulation by Advertisers'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6540643473480873460</id><published>2008-09-18T17:39:00.000-07:00</published><updated>2008-09-18T18:02:46.706-07:00</updated><title 
type='text'>And Now for Something Completely Different (and totally surreal)</title><content type='html'>Question: What happens when a criminal forum is taken down?&lt;br /&gt;Answer: The criminals who used said forum launch into an orgy of mewling self pity so miserable that even an attention whoring toddler whining about being sent to bed without dinner would consider it undignified.&lt;br /&gt;&lt;br /&gt;A little background:  What happened is that the forum DarkMarket, which was used by criminals to (among other things) swap stolen identities and tools for stealing more, was shut down.  For most people, this is, of course, a happy event, though one which I think will likely have minimal long term significance in the overall world of identity theft.  While clearly this is a setback to the criminals who used the forum, my expectation would have been that they'd slink away, perhaps to start up another forum to replace the one which had been closed.  However, after reading &lt;a href="http://blog.wired.com/27bstroke6/2008/09/notorious-crime.html"&gt;this&lt;/a&gt; article about the closing of the site, it's clear that my expectation would have been wrong.  Instead of slinking away, the criminals who used the forums started posting self-pitying screeds about how &lt;span style="font-style:italic;"&gt;they&lt;/span&gt; were downtrodden victims, and lamenting the unfairness of it all.  To me it's just nuts.  What kind of a warped individual would respond to the closing of a criminal board by stating that "There must be another solution to the problem. 
Do we just let them win?"&lt;br /&gt;&lt;br /&gt;Oh well, I suppose that's why I went into law, rather than turning to a life of crime.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6540643473480873460?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6540643473480873460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6540643473480873460' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6540643473480873460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6540643473480873460'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/09/and-now-for-something-completely.html' title='And Now for Something Completely Different (and totally surreal)'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8807594576735634971</id><published>2008-09-07T07:38:00.000-07:00</published><updated>2008-09-07T08:08:50.103-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='section 5 FTC act'/><category scheme='http://www.blogger.com/atom/ns#' term='standards'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy policies'/><title type='text'>Perception of Privacy Policies</title><content type='html'>Here's some shocking news I learned via &lt;a 
href="http://www.schneier.com/blog"&gt;Bruce Schneier&lt;/a&gt;, apparently: &lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;California consumers overvalue the mere fact that a website has a privacy policy, and assume that websites carrying the label have strong, default rules to protect personal data. In a way, consumers interpret "privacy policy" as a quality seal that denotes adherence to some set of standards.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;(Bruce's blog post &lt;a href="http://www.schneier.com/blog/archives/2008/09/privacy_policie.html"&gt;here&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;The above quotation was taken from a &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1262130"&gt;paper&lt;/a&gt;entitled "What Californians Understand about Privacy Online."  Because of the understanding which consumers (at least in California) have regarding the meaning of a "privacy policy," the authors conclude that "its use should be limited to contexts where&lt;br /&gt;businesses provide a set of protections that meet consumersʼ expectations."  The vehicle for that limitation could be section 5 of the FTC act, which prohibits unfair or deceptive trade practices, the argument being that, if consumers believe that "privacy policy" has a certain meaning, that it is deceptive/unfair for a web site to say that it has a privacy policy if the web site's privacy policy doesn't conform to consumers' preconceptions.&lt;br /&gt;&lt;br /&gt;My opinion is that, while the impulse to prevent people from being deceived by the label "privacy policy" is certainly understandable, limiting the use of the term "privacy policy" to situations which conform to consumers' preconceptions isn't a workable solution.  The biggest problem is that consumers' ideas of a "privacy policy" aren't necessarily uniform.  The paper is based on a survey of California consumers, but California is known for being at the forefront of privacy protection in the United States.  
What should the FTC do about differences between the consumer understandings between California and the rest of the country?  Since the FTC act is nationwide, it would seem most logical to have a nationwide standard.  However, if that nationwide standard is lower than the standard expected by consumers in California, wouldn't those consumers still be deceived by the label "privacy policy"?  To me it seems that a better idea would be to allow businesses flexibility to define their own policies.  Businesses which wanted consumers to be aware of specific privacy protective practices (e.g., not selling to third parties, not storing personally identifiable data, etc) could advertise them, while businesses which didn't care could put their policies behind a "privacy policy" link.  While that might not protect consumers who don't take the time to read a web site's privacy policy, it would allow privacy policies to be tailored as appropriate to particular situations (e.g., banks might have more stringent policies than search engines) and it wouldn't put the FTC in an untenable position of trying to find a standard which is both applicable and appropriate nationwide.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8807594576735634971?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8807594576735634971/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8807594576735634971' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8807594576735634971'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8807594576735634971'/><link 
rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/09/perception-of-privacy-policies.html' title='Perception of Privacy Policies'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-960608382092713913</id><published>2008-08-26T19:37:00.000-07:00</published><updated>2008-08-26T19:48:39.053-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='disclosure'/><category scheme='http://www.blogger.com/atom/ns#' term='freedom of speech'/><title type='text'>More stuff I wish I could blog about</title><content type='html'>In another installment of the disturbingly frequent series of posts which only advert to things I would write about at more length if I had more time, I present for your approval &lt;a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821"&gt;this&lt;/a&gt; extremely interesting article from &lt;a href="http://www.schneier.com/index.html"&gt;Bruce Schneier&lt;/a&gt; via &lt;a href="http://www.wired.com"&gt;Wired.com&lt;/a&gt;.  In the article Bruce looks at the differing reactions of U.S. and European courts to potential disclosures of security flaws.  In short, the U.S. courts, though ostensibly bound by the first amendment, prohibited disclosure of the flaws, while the European courts supported the free speech rights of the researchers who found the flaws.  While Bruce didn't really explore the rich history of &lt;a href="http://en.wikipedia.org/wiki/Prior_restraint"&gt;prior restraints&lt;/a&gt; in U.S. 
law, or discuss how antithetical such prior restraints (supposedly) are to our system, he did a very good job of explaining why suppressing free dissemination of information about security flaws is a bad idea from a practical standpoint, rather than just a legal one.&lt;br /&gt;&lt;br /&gt;In any case, as I said at the beginning of the post, I'd love to blog about this further.  However, given my current time situation, I'll have to be content with linking to the article, and identifying it as just one more example of why civil liberties (in this case freedom of speech), even when they appear to be detrimental to security interests, shouldn't be thrown aside lightly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-960608382092713913?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/960608382092713913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=960608382092713913' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/960608382092713913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/960608382092713913'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/08/more-stuff-i-wish-i-could-blog-about.html' title='More stuff I wish I could blog about'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8564342361053292665</id><published>2008-08-25T18:33:00.000-07:00</published><updated>2008-08-25T19:11:58.531-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='politics'/><title type='text'>To the Extent Vice Presidential Candidates Matter</title><content type='html'>To the extent vice presidential candidates matter, Obama's pick of Joe Biden doesn't seem to augur well for privacy.  According to &lt;a href="http://news.cnet.com/8301-13578_3-10024163-38.html"&gt;this&lt;/a&gt; article from &lt;a href="http://www.cnet.com"&gt;C|NET&lt;/a&gt;, Biden has a nasty habit of strongly supporting privacy-unfriendly measures, usually under the guise of specious claims of law enforcement necessity.  While I don't know anyone who is voting based on privacy concerns in November (including me), it would be nice to have a VP candidate who was a little bit more privacy friendly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8564342361053292665?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8564342361053292665/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8564342361053292665' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8564342361053292665'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8564342361053292665'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/08/to-extent-vice-presidential-candidates.html' title='To the 
Extent Vice Presidential Candidates Matter'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4181744791095500008</id><published>2008-08-24T13:50:00.000-07:00</published><updated>2008-08-24T19:48:11.765-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='value of privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='rants'/><title type='text'>Only the Guilty Have Something to Hide</title><content type='html'>The mayor of shuts down a stand where little girls sold excess produce from their family's garden (&lt;a href="http://yglesias.thinkprogress.org/archives/2008/08/20224.php"&gt;link&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;TSA employees ground plane by using critical instruments as handholds (&lt;a href="http://www.aero-news.net/index.cfm?ContentBlockID=340a79d6-839a-470d-b662-944325cea23d"&gt;link&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;A pilot is placed on the no-fly list, destroying his ability to do his job (&lt;a href="http://www.boston.com/news/local/massachusetts/articles/2005/09/22/no_fly_action_takes_pilots_job/"&gt;link&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;On their face, these incidents aren't obviously about data privacy and information security - the nominal topics of this blog.  However, it's incidents like these that come to mind when I hear that privacy doesn't matter because only the guilty have something to hide.  To me, the incidents above show that government action, even when the government is faithfully enforcing regulations or laws, can be unpredictable, and even people who never knowingly commit a crime could very well be "guilty" in the sense of incurring adverse government actions.  
Thus, to say that only the "guilty" have any reason to care about privacy shows a dangerous lack of awareness of how easy it is to violate some law or regulation and thereby become "guilty" yourself.  Even worse, when the government goes about collecting enormous amounts of data without having to justify itself and without any oversight, there will inevitably be false positives which have the potential to literally ruin someone's life (e.g., a pilot who can't do his job because he gets added to a no-fly list).  &lt;br /&gt;&lt;br /&gt;For this post I intentionally avoided cases where individual privacy is violated as a result of government lawbreaking (e.g., &lt;a href="http://www.mylot.com/nr/viewframe.aspx?id=961246&amp;url=http%3a%2f%2fwww.resourceshelf.com%2f2008%2f08%2f03%2firs-employee-pleads-guilty-to-improperly-accessing-accounts-of-200-celebrities%2f&amp;type=Blog"&gt;here&lt;/a&gt;, which describes an IRS employee who decided to peruse celebrity tax filings).  The reason is that, while rogue employees are a problem, the attitude that only the guilty have any reason to value privacy is a problem even when the government is functioning as it is supposed to.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4181744791095500008?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4181744791095500008/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4181744791095500008' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4181744791095500008'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4181744791095500008'/><link 
rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/08/only-guilty-have-something-to-hide.html' title='Only the Guilty Have Something to Hide'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4554130202470133226</id><published>2008-08-19T17:45:00.000-07:00</published><updated>2008-08-19T18:04:20.007-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='electronic discovery'/><title type='text'>Data Storage</title><content type='html'>As a general rule, one of the easiest ways to make sure data isn't stolen is to not have it.  Unfortunately, as mentioned in &lt;a href="http://www.gfi.com/documents/mar/Archive_Legislation_US.pdf"&gt;this&lt;/a&gt; paper from &lt;a href="http://www.gfi.com/"&gt;GFI Software&lt;/a&gt;, there are often legal requirements that prevent a company from purging its data.  As the paper mentions, there are a variety of securities regulations that require companies to keep records.  While true, that's only part of the story.  For example, electronic discovery rules can prohibit a company from purging its records.  What's (potentially) worse, even if a company doesn't purge its records, it can still be sanctioned under the electronic discovery rules if its records aren't in a reasonably accessible form.&lt;br /&gt;&lt;br /&gt;The moral of the story?  
You need to know not just how to protect data, but what data to keep, and how to keep it in a form where you can get it back.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4554130202470133226?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4554130202470133226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4554130202470133226' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4554130202470133226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4554130202470133226'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/08/data-storage.html' title='Data Storage'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1850889178599813216</id><published>2008-08-14T18:25:00.001-07:00</published><updated>2008-08-15T03:59:38.610-07:00</updated><title type='text'>There was a time when...</title><content type='html'>There was a time when privacy violations were considered a serious matter.  
During colonial times (yes, it's been that long) the British would issue general warrants (discussed &lt;a href="http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution"&gt;here&lt;/a&gt;) which essentially gave the people executing the warrant broad power to search for contraband or make arrests, without specifying what contraband was being searched for (or why) or the reason for an arrest.  To do away with this generally detested practice, the fourth amendment was written to require that:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Truly, it appears that the late 18th century was a heady time for privacy.  By contrast, today, government seems to take the same approach to information gathering as some people do with climbing Everest - they don't need a good reason, they just do it because it's there.  The stated reason given for most intrusions is to prevent terrorism, but this is largely bunk.  Take &lt;a href="http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution"&gt;this&lt;/a&gt; plan to photograph and store the license numbers of every vehicle that enters Manhattan.  If I were a terrorist who wanted to bring a bomb into Manhattan, this plan would be no deterrent whatsoever, as I would simply rent a car.  This would have the advantages (from the terrorist point of view) of both being anonymous, and probably being large enough to carry more explosives than I can fit into my actual car.  So why is there a plan to gather this data?  
My guess is that someone in government thought it would be cool, and some vendor wanted to sell a new toy, and no one even considered that broad scale, suspicionless data collection is not something that government should be involved in.  *sigh*&lt;br /&gt;&lt;br /&gt;On the bright side, during the late 18th century I would have had to worry about things like yellow fever and/or malaria, so I suppose it all evens out in the end.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1850889178599813216?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1850889178599813216/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1850889178599813216' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1850889178599813216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1850889178599813216'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/08/there-was-time-when.html' title='There was a time when...'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7747990127659637474</id><published>2008-08-07T03:59:00.000-07:00</published><updated>2008-08-08T03:56:15.062-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>Drawing the Wrong Lessons from a 
Breach</title><content type='html'>The other day, I was listening to the radio, and a commentator said that the most significant harm that could come from a major breach like the TJX breach was not identity theft, but was actually people losing faith in doing business over the internet.  Frankly, I'm not sure he was right, given that identity theft is a major problem for consumers.  However, while it might not be the biggest harm from a breach, losing faith in doing business over the internet would be an inappropriate response to a breach like that at TJX for the simple reason that the internet had nothing to do with that breach.  Instead, the hackers found stores which had insecure wireless connections, used them to install malicious software on the TJX corporate network, then used the software to harvest credit cards from TJX's systems.  The internet didn't come into play until &lt;span style="font-style:italic;"&gt;after&lt;/span&gt; the cards were stolen and the thieves needed to sell them.  
While avoiding doing business over the internet might avoid some types of risks (particularly phishing scams), it would have no effect whatsoever on a consumer's risk of being affected by a breach such as took place at TJX.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7747990127659637474?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7747990127659637474/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7747990127659637474' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7747990127659637474'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7747990127659637474'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/08/drawing-wrong-lessons-from-breach.html' title='Drawing the Wrong Lessons from a Breach'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-472376112567098377</id><published>2008-08-06T03:56:00.000-07:00</published><updated>2008-08-06T04:17:12.211-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='criminal enforcement'/><category scheme='http://www.blogger.com/atom/ns#' term='TJX'/><title type='text'>Hackers Caught</title><content type='html'>As described in &lt;a 
href="http://www.cnn.com/2008/CRIME/08/05/card.fraud.charges/index.html"&gt;this&lt;/a&gt; article from &lt;a href="http://www.cnn.com"&gt;cnn.com&lt;/a&gt;, the justice department has issued 11 indictments for stealing more than 40 million credit and debit card numbers.  Unsurprisingly, given the nature of the crime, the suspects are from all over the world - three from the U.S., three from Estonia, two from Ukraine, two from China, and one from Belarus.  The arrests are the result of years of investigation, showing both the difficulty of making arrests in cases of international card fraud, and the potential of dedicated police work.  &lt;br /&gt;&lt;br /&gt;One question raised by the article is how many more people were involved.  The article says that "[t]he 41 million credit and debit numbers were used internationally," and also says that the suspects are accused of hacking into the TJX network.  There's something of a disconnect between the numbers and the crime.  As I mentioned &lt;a href="http://ephemerallaw.blogspot.com/2007/10/bigger-trouble-for-tjx.html"&gt;here&lt;/a&gt;, depending on whose numbers you go by, the TJX breach involved either 94 or 45 million records.  Thus, if the indicted suspects really were behind the breach, and actually did steal only 41 million numbers, it implies that they aren't the only ones who were taking numbers from TJX.  Still, aside from that small detail, the indictments appear to be happy news.  
Hopefully the police got the right people, and will continue to do so in the future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-472376112567098377?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/472376112567098377/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=472376112567098377' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/472376112567098377'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/472376112567098377'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/08/hackers-caught.html' title='Hackers Caught'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4559177114536979206</id><published>2008-07-29T04:02:00.001-07:00</published><updated>2008-07-29T04:14:36.393-07:00</updated><title type='text'>Stuff I Want to Blog About</title><content type='html'>Unfortunately, I'm about to leave on vacation, and the effort of trying to get my various work related projects in order before I leave has resulted in my not being able to write any kind of substantive blog post this week (and not much of a post last week either).  
Anyway, in lieu of a substantive post, I'll have to provide this: things I would blog about if I had time.&lt;br /&gt;&lt;br /&gt;First, did you know that a major bug in the domain name system (it's the thing that actually makes the internet work) had been found?  Did you know that the bug could be used by phishers to redirect people from trusted sites to data gathering or malware distribution sites without their knowledge?  What kind of liability might attach to that situation?  Products liability for DNS vendors?  Negligence for sysadmins who don't patch?  If I had time, I'd be blogging on those questions.  However, as it is, I'll have to leave them hanging.&lt;br /&gt;&lt;br /&gt;Also, Ecora actually has an interesting &lt;a href="http://www.ecorablog.com/the_compliance_and_securi/2008/07/as-data-breache.html"&gt;post&lt;/a&gt; on counterproductive effects of regulation.  Normally, when people complain about regulation, it's something on the lines of whining about the cost of being forced to do things they should be doing anyway.  However, Ecora's post discusses something a good deal more realistic - the cost of having to store data that you otherwise wouldn't.  Normally, I'd like to address their argument (for example, would companies really purge their data if not for regulations like Sarbox?).  However, as it is, I'll just link and leave the addressing for another day (assuming nothing happens while I'm on vacation, of course).&lt;br /&gt;&lt;br /&gt;And now even this post is taking up more time than I realistically have.  Oh well...I suppose I'm not that good at the non-substantive blogging thing.  In any case, I'll be back the second week in August.  While I might put something up between now and then, I wouldn't bet on it.  
Until then...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4559177114536979206?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4559177114536979206/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4559177114536979206' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4559177114536979206'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4559177114536979206'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/07/stuff-i-want-to-blog-about.html' title='Stuff I Want to Blog About'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-976997286733706239</id><published>2008-07-21T04:05:00.000-07:00</published><updated>2008-07-21T04:07:34.161-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='comics'/><title type='text'>Fighting words</title><content type='html'>&lt;a href="http://www.fightingwordscomics.com/ArchivePages/071408.html"&gt;Disturbing cartoon&lt;/a&gt; about a dystopian surveillance which we, happily, don't live in (yet).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-976997286733706239?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link 
rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/976997286733706239/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=976997286733706239' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/976997286733706239'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/976997286733706239'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/07/fighting-words.html' title='Fighting words'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-5048320322566837032</id><published>2008-07-16T17:47:00.000-07:00</published><updated>2008-07-17T08:54:59.645-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='torrentspy'/><category scheme='http://www.blogger.com/atom/ns#' term='discovery'/><category scheme='http://www.blogger.com/atom/ns#' term='private suits'/><category scheme='http://www.blogger.com/atom/ns#' term='Google'/><title type='text'>Discovery</title><content type='html'>&lt;blockquote&gt;Unless otherwise limited by court order, the scope of discovery is as follows: Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense — including the existence, description, nature, custody, condition, and location of any documents or other tangible things and the identity and location of persons who know of any discoverable matter.&lt;/blockquote&gt;&lt;br /&gt;That's the text of the first 
sentence of Rule 26(b)(1) of the &lt;a href="http://www.law.cornell.edu/rules/frcp/Rule26.htm"&gt;Federal Rules of Civil Procedure&lt;/a&gt;.  For the non-lawyers out there, I'll unpack it a bit.  The first part, about obtaining discovery of any nonprivileged matter, means that, unless information falls into certain narrowly defined categories (e.g., attorney-client, doctor-patient, etc.), it is subject to discovery.  The next part, about matter relevant to any party's claim or defense, means (generally) that it has to have some bearing on the subject matter of the litigation.  In practice, this means that during pre-trial discovery, litigants can request essentially any records maintained by a business, its principals, and their agents (e.g., vendors).  The bottom line is that, if a lawsuit takes place, the parties can request virtually any information, and that information has to be provided to them, unless it falls within the narrowly defined (privileged) categories.&lt;br /&gt;&lt;br /&gt;While massive security incidents like the TJX breach generate more headlines, these pretrial discovery rules could represent an even bigger threat to consumer privacy.  Two instructive cases in this respect are Viacom v. Google and MPAA v. Bunnell.  In the Viacom case, Viacom requested, and the judge ordered Google to produce, records showing who watches videos on YouTube and what videos they watch (see article &lt;a href="http://news.cnet.com/8301-10784_3-9983511-7.html"&gt;here&lt;/a&gt;).  
This release of data has the potential to be even more damaging to the affected users (including me, since I use YouTube regularly) than the release of information such as Social Security and credit card numbers, because YouTube viewing records can be used to make out a case for copyright infringement - a charge that can bankrupt all but the super-wealthy (for example, in the case described &lt;a href="http://arstechnica.com/news.ars/post/20071004-verdict-is-in.html"&gt;here&lt;/a&gt; the defendant was found liable for almost a quarter million dollars in damages for infringing copyrights on only 24 songs).  In the MPAA case, the judge also ordered that user records be turned over - in that case the records showed what users had searched for using the popular BitTorrent software.  However, there, rather than take an act which it saw as betraying its users' privacy expectations, the defendant blocked access to his web site from the U.S. - a radical solution, but the only way the defendant saw to protect his users' privacy.&lt;br /&gt;&lt;br /&gt;The cases above showcase a trend which is, to me, highly disturbing.  Instead of relying on black hat hackers, businesses can use litigation to obtain consumer information.  In the cases above, that resulted in the exposure of (likely) millions of records from Google, and the complete shutdown of TorrentSpy in the U.S.  
Those are serious consequences, and they should be considered whenever people think of possible threats to their privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-5048320322566837032?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/5048320322566837032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=5048320322566837032' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5048320322566837032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/5048320322566837032'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/07/discovery.html' title='Discovery'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8419414431480120335</id><published>2008-07-09T19:21:00.000-07:00</published><updated>2008-07-09T19:23:02.034-07:00</updated><title type='text'>FTC Clarifies CAN-SPAM Act</title><content type='html'>The Federal Trade Commission (“FTC”) has issued a Final Rule that adds four new provisions and provides clarification of some of the CAN-SPAM Act’s requirements.  
This Final Rule, effective July 7, 2008, is the culmination of work that was begun three years ago with a proposed FTC rule, and takes into account comment letters from 150 individuals, businesses, and organizations.&lt;br /&gt;&lt;br /&gt;The CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003) regulates the sending of unsolicited commercial emails, and became effective January 1, 2004.  Although “spam” is generally defined as unsolicited commercial e-mail sent to a large number of addresses, the Act makes no distinction between solicited and unsolicited commercial e-mail.  It defines commercial e-mail as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose)."  Transactional or relationship messages are not subject to or regulated by the Act.&lt;br /&gt;&lt;br /&gt;The CAN-SPAM Act outlaws certain commercial acts and practices with respect to commercial email, and imposes requirements on senders of commercial emails:&lt;br /&gt;&lt;br /&gt;The transmission of any email that contains false or misleading header or “from” line information is prohibited. &lt;br /&gt;The transmission of emails with false or misleading “subject” line information is prohibited. &lt;br /&gt;The Act requires that a commercial email message contain a functioning return email address or similar Internet-based mechanism for recipients to use to “opt out” of receiving future commercial email messages. &lt;br /&gt;The sender, or others acting on the sender’s behalf, is prohibited from initiating a commercial email to a recipient more than ten business days after the recipient has opted out. 
&lt;br /&gt;A commercial email may not be sent without including three disclosures – a clear and conspicuous indication that the email is an advertisement or solicitation, a message and mechanism for the recipient to opt out of future solicitations, and a postal address for the sender.&lt;br /&gt;&lt;br /&gt;Four specific practices are cited by the CAN-SPAM Act as “aggravated violations” which, when alleged and proven in combination with certain other violations of the Act, will increase the statutory damages imposed upon the sender.  These practices are: address harvesting; dictionary attacks; automated creation of multiple email accounts; and relaying or retransmitting through unauthorized access to a protected computer or network.&lt;br /&gt;&lt;br /&gt;Changes to Definitions&lt;br /&gt;&lt;br /&gt;The FTC made several changes to the definitions found in the Act:&lt;br /&gt;&lt;br /&gt;It modified the definition of “sender” to clarify that for single emails promoting the products, services or Internet website of multiple persons, each of the persons whose products or services are promoted will be deemed to be a “sender” of the email, except that such emails will be considered to have only one sender if: (1) one person is within the definition of “sender” under the Act, (2) that person is identified in the “from” line as the sole sender of the email, and (3) that person complies with certain provisions of the Act that are applicable to initiators of emails.&lt;br /&gt;&lt;br /&gt;This change provides a more flexible approach for email marketers, and is more logical from a consumer perspective since the consumer is likely to focus on the “from” line to identify the sender.  It is this sender that must honor “opt out” requests, and is responsible for the email’s compliance with the CAN-SPAM Act requirements.  
It is important to realize, however, that liability for compliance with the Act does not shift exclusively to the sender, since certain other requirements and prohibitions imposed by the Act upon “initiators” of emails will continue to apply to all persons identified in the commercial email.&lt;br /&gt;&lt;br /&gt;It added the new definition of “person” to mean any individual, group, unincorporated association, limited or general partnership, corporation, or other business entity.  Despite strident calls by commentators to exempt non-profit entities, the FTC refused to do so, stating that consumers were deserving of the protections provided by the Act against all forms of spam, no matter the nature of the sender’s enterprise.&lt;br /&gt;&lt;br /&gt;The Act requires senders to include a “valid physical postal address” in any commercial email.  The FTC broadened the definition of this term to allow senders to use post office boxes that have been accurately registered with the U.S. Postal Service, or a private mailbox accurately registered with a commercial mail receiving agency operating according to the U.S. Postal Service regulations.&lt;br /&gt;&lt;br /&gt;Transactional or Relationship Messages&lt;br /&gt;&lt;br /&gt;The FTC considered whether to change the statutory definition of “transactional or relationship messages,” to address various types of messages such as legally mandated notices, debt collection email communications, and employment-related messages.  It ultimately declined to make any changes to the statutory definition, since none of the types of messages put forth in the Notice of Proposed Rulemaking met the statutory standard for modifying the definition.  
Some of the issues raised by the commentators with respect to a particular type of message could be resolved using the “primary purpose test”, as in the case of legally mandated messages, messages concerning copyright infringement or email messages for the purpose of conducting market research.  In the case of others, such as messages from debt collectors, including third party agents, or in the case of most employment-related email messages, the overwhelming majority of such messages will likely fall within the existing definition of “transactional or relationship messages.”&lt;br /&gt;&lt;br /&gt;However, the FTC did provide guidance on the interpretation of some particular forms of communication:&lt;br /&gt;&lt;br /&gt;Email messages to effectuate or complete a negotiation will be considered “transactional or relationship messages” if issued in connection with a commercial transaction.  However, where an unsolicited email delivers an offer to purchase goods or services, and attempts to launch a negotiation as part of the message, it would not fall within the definition of “transactional or relationship messages.”&lt;br /&gt;&lt;br /&gt;Email messages facilitating, completing or confirming registration with a “free” internet service where there is no exchange of consideration are likely to be “transactional or relationship messages,” but the FTC was not willing to preclude the possibility that such a message may be commercial even if there is no exchange of consideration.&lt;br /&gt;&lt;br /&gt;Where a recipient subscribes to a newsletter or other periodical to be delivered by email, or to which the recipient is entitled as a result of a prior transaction, the FTC would consider such an email to be a “transactional or relationship message,” as opposed to an unsolicited newsletter or periodical to which the recipient has not subscribed, which would likely be considered a commercial 
message.&lt;br /&gt;&lt;br /&gt;Forward-to-a-“Friend” Messages&lt;br /&gt;&lt;br /&gt;The FTC was persuaded by the commentators to modify its earlier position on forward-to-a-“friend” messages.  This type of message could arise under two different scenarios – where the content of the email message encouraged the recipient to forward the message to others, and where the seller’s web site encouraged visitors to supply others’ email addresses.  Rather than attempt to refine the definition based upon the nature and method of forwarding, the FTC established a bright-line test that turns on the presence or absence of consideration for the act of forwarding.  A seller would not have liability under the Act for the forwarding of these types of email messages so long as the seller did not offer consideration for the forwarding.  No matter what the nature (coupons, discounts, rewards) or amount of consideration – even an offer of de minimis consideration – an offer of consideration will be sufficient to cause the seller to be an “initiator” of the forwarded message, and subject the seller to liability under the Act.&lt;br /&gt;&lt;br /&gt;No Fee for Opting Out&lt;br /&gt;&lt;br /&gt;The FTC adopted a rule prohibiting a sender of commercial emails from imposing a fee upon a recipient for opting out of future unsolicited emails, or from requiring the recipient to provide any information other than a recipient’s email address and opt out preferences.&lt;br /&gt;&lt;br /&gt;Enforcement&lt;br /&gt;&lt;br /&gt;The CAN-SPAM Act gives the FTC enforcement authority for the Act.  In addition, the Act gives the state attorneys general the authority to bring an enforcement action in federal court after giving advance notice to the FTC where possible.  
Finally, internet service providers may bring a federal court action to enforce certain of the Act’s prohibitions.  The enforcement authority given to the FTC is the same as that afforded the FTC under its trade regulation rule authority, meaning that each violation is subject to fines of $11,000 per day, with additional penalties where “aggravated violations” are proven.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8419414431480120335?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8419414431480120335/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8419414431480120335' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8419414431480120335'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8419414431480120335'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/07/ftc-clarifies-can-spam-act.html' title='FTC Clarifies CAN-SPAM Act'/><author><name>Jane Shea</name><uri>http://www.blogger.com/profile/17732636392484969702</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2152792230748911135</id><published>2008-07-06T15:53:00.000-07:00</published><updated>2008-07-06T19:13:24.392-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data collection'/><category scheme='http://www.blogger.com/atom/ns#' term='consumer products'/><title type='text'>The Other 
Side of Consumer Data Collection</title><content type='html'>While I generally consider myself an advocate of strong consumer privacy protection, even I have to admit that there are generally two sides to every invasion of consumer privacy.  For example, shopper loyalty programs are criticized for raising consumers' fraud risk, and for leading to a proliferation of annoying telemarketer and junk mail contacts (e.g., &lt;a href="http://www.blogger.com/post-create.g?blogID=1913143473082500114"&gt;here&lt;/a&gt;).  However, sometimes, the information gathered by grocery stores is used in ways which are unarguably beneficial to consumers.  Case in point: product recalls.  Before my Fourth of July barbecue, I got a call from Kroger's.  Apparently, the ground beef I'd purchased earlier in the week had been recalled, and should be thrown away rather than eaten.  Of course, they knew who I was and what I'd purchased, because I used my Kroger card to buy the meat, which meant they were tracking my purchases and storing the data.  &lt;br /&gt;&lt;br /&gt;The bottom line is that the same type of data collection which leads to annoying circulars and telemarketer calls led to Kroger being able to provide me with information that I really needed.  Of course, consumer data collection isn't an unalloyed good, but it isn't an unalloyed evil either.  
The trick is to find ways to deal with (or regulate) the data collection that maximizes the good while minimizing the harm.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2152792230748911135?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2152792230748911135/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2152792230748911135' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2152792230748911135'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2152792230748911135'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/07/other-side-of-consumer-data-collection.html' title='The Other Side of Consumer Data Collection'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4161787448940733775</id><published>2008-06-30T18:26:00.000-07:00</published><updated>2008-06-30T19:46:28.857-07:00</updated><title type='text'>Observation on Legal Blogging</title><content type='html'>While looking at &lt;a href="http://hack-igations.blogspot.com/"&gt;Hack-igations&lt;/a&gt; I noticed a fun little statement at the bottom of his post:&lt;br /&gt;&lt;blockquote&gt;[Again, all my blog comments are just public discussion and not legal advice for any particular situation.]&lt;/blockquote&gt;&lt;br 
/&gt;He had one on the previous post as well:&lt;blockquote&gt;[Again, nothing I say on this blog is legal or other professional advice. It is just general public discussion. If you need expert help, you should not rely on this blog. You should go get help.] &lt;/blockquote&gt;&lt;br /&gt;This (at least for someone with my sense of humor) is one of the funny side effects of being part of a profession that basically sells words - when we give words away for free (e.g., on a blog) we have to make very sure that no one confuses the public comments on our blogs with the legal advice that we sell professionally.  Of course, I have a similar disclaimer here (it's at the bottom of the page above the link to &lt;a href="http://www.patentbaristas.com"&gt;Patent Baristas&lt;/a&gt;), but mine's a permanent part of the setup.  I thought it was funny that Ben at hack-igations seems to write a new disclaimer for every single post he puts up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4161787448940733775?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4161787448940733775/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4161787448940733775' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4161787448940733775'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4161787448940733775'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/observation-on-legal-blogging.html' title='Observation on Legal Blogging'/><author><name>William 
Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1553156270114537060</id><published>2008-06-29T18:12:00.000-07:00</published><updated>2008-06-29T19:52:52.038-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='terms of service'/><category scheme='http://www.blogger.com/atom/ns#' term='website privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='contract'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Protecting Privacy by Contract</title><content type='html'>I have long been on record as believing that modern contract law will essentially be the death of individual privacy - the basic argument being that people want their toys, so they'll click on abusive clickthroughs and EULAs that essentially sign away their personal data (see, e.g., this post on &lt;a href="http://ephemerallaw.blogspot.com/2007/07/privacy-and-contract.html"&gt;Privacy and Contract&lt;/a&gt;).  However, recently &lt;a href="http://www.blogger.com/profile/11543639411820745571"&gt;Ben Wright&lt;/a&gt; has proposed that these contracts could be harnessed on behalf of privacy - essentially, that consumers could put up their own websites with terms of use that require businesses to respect their personal information (see, &lt;a href="http://hack-igations.blogspot.com/2008/02/contracts-for-patient-privacy.html"&gt;here&lt;/a&gt;).  Ben even points to a &lt;a href="http://www.thelen.com/tlu/GreerV1-800-Flowers.com.pdf"&gt;case&lt;/a&gt; where a website's terms of use were enforced against a consumer who made a contract over the phone, to demonstrate how the mere existence of the terms of use can be used in litigation.  
&lt;br /&gt;&lt;br /&gt;I think Ben's argument is appealing, and I'd like to agree with it.  Unfortunately, there are a couple of problems with the argument that prevent me from endorsing it, as appealing as it may be.  First, as a practical matter, it would be difficult to show that a company which sells an individual's personal data ever visited the website where the privacy-protective terms of use were posted.  In the case Ben cited to show that terms of use could be enforced even against a consumer who made a contract over the telephone, it was easy to prove that the consumer visited the website which hosted the terms of use, because the consumer was trying to enforce the website's privacy policy.  However, in most cases, I think it would be hard to prove in court that a company which sells consumer data actually visited the websites of the consumers whose data is being sold.  Second, even if it were possible to show that a company which sells consumer data visited the consumer's website, there is no reason to believe that a court would enforce the website's privacy-protective terms of use.  For example, in the case of &lt;a href="http://www.nysd.uscourts.gov/courtweb/pdf/D08MNXC/04-04317.PDF"&gt;In re Northwest Airlines Litigation&lt;/a&gt;, the court refused to allow consumers to sue Northwest Airlines for a violation of its privacy policy.  Given that, I see no reason to believe that a court would be any more solicitous of privacy-protective terms of use that a consumer might put on his or her website.&lt;br /&gt;&lt;br /&gt;The bottom line is I like Ben's idea, and I would love to see the approach to abusive terms of service turned against businesses that don't respect privacy.  
However, I think the practical obstacles to implementing the idea are such that Ben's idea isn't something that most people can rely on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1553156270114537060?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1553156270114537060/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1553156270114537060' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1553156270114537060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1553156270114537060'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/protecting-privacy-by-contract.html' title='Protecting Privacy by Contract'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-8787303193425649136</id><published>2008-06-22T14:35:00.000-07:00</published><updated>2008-06-22T15:42:08.488-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security breach notification'/><category scheme='http://www.blogger.com/atom/ns#' term='notification laws'/><title type='text'>Measuring the Effect of Security Breach Notification Laws</title><content type='html'>How do you measure the effectiveness of security breach notification laws?  
One way is to take data on how many consumers report that they were victims of an ID theft due to a security breach, break the data down by state, and compare the states which do have security breach notification laws with those that don't.  If the states that have notification laws have a lower rate of identity theft due to security breach (after controlling for various confounding variables) then you would conclude that the notification laws are effective in reducing identity theft.  &lt;br /&gt;&lt;br /&gt;The cross-state comparison described above was essentially the approach taken in &lt;a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf"&gt;this&lt;/a&gt; paper by Romanosky et al., which attempted to measure whether data breach disclosure laws reduce identity theft.  Unfortunately, while measuring the effect of data breach disclosure laws is a laudable goal, I don't think the paper's approach was likely to result in any meaningful conclusion.  The biggest problem with the paper's approach is that it didn't appear to adequately take into account the effect of interstate commerce in extending the coverage of existing security breach notification acts to states where those acts haven't been enacted.  That isn't to say that the paper ignored this effect.  However, its efforts to account for it seemed to focus on interstate movement by people (e.g., students attending an out of state university), when interstate movement of data is almost certainly a much bigger effect (largely because there is a well developed interstate market for data, while such an interstate market for people is prohibited by the 13th amendment).  Most security breach notification laws are triggered not only by security breaches at in-state companies, but also by security breaches at out of state companies which expose the data of state residents.  This results in a duty to disclose data traveling from the point where the data was collected to anywhere in the country.  
Similarly, if the data for a resident of a state which doesn't have a security breach notification act is transferred to a state where such an act does exist, the individuals whose data was transferred will benefit from the out-of-state notification law, even if the person has never left their local jurisdiction.  Thus, since the effects of security breach notification acts bleed so freely across state lines, trying to measure the effectiveness of those acts by comparing jurisdictions with security breach notification acts to jurisdictions without security breach notification acts is unlikely to yield any meaningful results.&lt;br /&gt;&lt;br /&gt;So what would be a better approach to measuring the effect of security breach notification laws?  One way would be to compare jurisdictions where transfer of data is either nonexistent or severely limited.  Unfortunately, it seems likely that there would be so many other differences between such jurisdictions that meaningful comparisons would simply be impossible.  For example, if you were comparing between the U.S. and E.U., how would you control for the effect of the E.U. data privacy directive?  Another approach would be to examine relative rates of identity theft caused by security breaches with id thefts caused by something that isn't influenced by security breach notification acts (e.g., dumpster diving).  The problem with that though, is that the absolute most common cause of identity theft is "unknown."  Thus, it could be that security breach notification laws would actually increase the reported incidence of ID theft due to security breaches, because some ID thefts caused by breaches would move from the "unknown" column to the security breach column.  Further, when making that kind of fine grained comparison, it's necessary to have a larger data set than is necessary to simply look at overall rates of ID theft, and such a data set might not be available.  
The bottom line is that measuring the effectiveness of security breach notification acts is hard, and if there is a good way to do so, it isn't clear what it is.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-8787303193425649136?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/8787303193425649136/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=8787303193425649136' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8787303193425649136'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/8787303193425649136'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/measuring-effect-of-security-breach.html' title='Measuring the Effect of Security Breach Notification Laws'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-7691942625261482927</id><published>2008-06-18T16:56:00.000-07:00</published><updated>2008-06-18T17:02:43.211-07:00</updated><title type='text'>New Identity Theft Blog</title><content type='html'>One of the most difficult things about running a blog is finding good material.  True, it seems there's a new data security breach every few days, but reporting that another million, or thousand, or ten million records have been compromised gets old fast.  
Thus, I was happy to discover (discover in the sense of following a link left in a comment) a new ID theft blog: &lt;a href="http://jtidtheftblog.blogspot.com/"&gt;ID Theft and Business&lt;/a&gt;.  I look forward to using it as a source for informed comment on the subject, and (hopefully) picking up a few ideas there to use for my own posts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-7691942625261482927?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/7691942625261482927/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=7691942625261482927' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7691942625261482927'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/7691942625261482927'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/new-identity-theft-blog.html' title='New Identity Theft Blog'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-1115951086185003915</id><published>2008-06-17T03:38:00.000-07:00</published><updated>2008-06-17T04:15:23.908-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='notification laws'/><title type='text'>Always Go With the Original</title><content type='html'>Via &lt;a 
href="http://www.thedunningletter.blogspot.com/"&gt;The Dunning Letter&lt;/a&gt;, I learned about &lt;a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf"&gt;this&lt;/a&gt; paper which (according to Jack's post) says that data security breach notification laws don't actually work.  When I first read the post discussing the paper, I was somewhat unnerved, since that would mean that one of the primary vehicles that governments have used to try and address the vulnerability of consumer data is ineffective.  Happily, when I read the paper I found that this was one time that the normally astute Dunning Letter was simply wrong.  What the paper actually found was that, using their data set (which, as I will discuss in a later post, was not the proper data to evaluate security breach notification laws) they did not detect a statistically significant effect of security breach notification laws on identity theft.  However, that is different from saying that there is no effect.  Indeed, the paper explicitly recommends increasing disclosure requirements to help address the lack of data: "[other authors argue that] current information is not sufficient and that banks and other organizations should be&lt;br /&gt;required to release identity theft data to the public for proper research. We certainly agree with this view."&lt;br /&gt;&lt;br /&gt;So what can be gained from this?  First, the paper itself is quite interesting, and I plan on addressing it in more detail in future posts.  For now though, the lesson I draw from this is that you should always go to the original source when blogging.  When discussing the paper, the Dunning Letter also linked to a &lt;a href="www.techworld.com"&gt;TechWorld&lt;/a&gt; &lt;a href="http://www.techworld.com.au/article/223578/researchers_say_notification_laws_us_lowering_id_theft?fp=2&amp;fpid=-1"&gt;article &lt;/a&gt; with the bold headline that "Researchers say notification laws in US not lowering ID theft."  
My guess is that Jack probably read the TechWorld article but not the original paper.  While that might be a nice shortcut, it can also (as demonstrated here) lead to perpetuating falsehoods just because they make nice screaming headlines.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-1115951086185003915?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/1115951086185003915/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=1115951086185003915' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1115951086185003915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/1115951086185003915'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/always-go-with-original.html' title='Always Go With the Original'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4626529502114666810</id><published>2008-06-12T16:07:00.000-07:00</published><updated>2008-06-12T16:45:41.078-07:00</updated><title type='text'>Ephemeral Law Named to Top 100</title><content type='html'>Happy news for me today.  
Ephemeral law has been named as one of the &lt;a href="http://www.criminaljusticedegreesguide.com/library/the-top-100-civil-liberties-advocate-blogs.html"&gt;top 100 civil liberties advocacy blogs&lt;/a&gt; by the criminal justice degrees guide.  Now, of course, one could point out that Ephemeral law's rankings, plus $3.25 would get me a coffee at Starbucks, but whatever.  It certainly isn't bad news, and I'm happy with all the not-bad blog related news I can get.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4626529502114666810?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4626529502114666810/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4626529502114666810' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4626529502114666810'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4626529502114666810'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/ephemeral-law-named-to-top-100.html' title='Ephemeral Law Named to Top 100'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-103989325614724376</id><published>2008-06-11T17:59:00.000-07:00</published><updated>2008-06-12T05:14:11.275-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='state 
legislation'/><category scheme='http://www.blogger.com/atom/ns#' term='security breach notification'/><title type='text'>Value of Security Breach Notification Laws</title><content type='html'>&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9096538&amp;pageNumber=1"&gt;This&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt; advances a position which I find truly bizarre: that security breach notification laws don't help people.  The article's reasoning (and I use the term loosely) seems to be that notification laws only require action after a breach takes place, so they really don't prevent identity theft.  It would be better for consumers, according to the article, if  the money companies now spend on complying with security breach notification laws were instead spent on security that might prevent identity theft.  In any case, the article points out, more identity theft takes place due to telephone scams, lost wallets, or consumers who don't properly protect their computers.  Basically, the article minimizes the harm caused by security breaches, and tries to argue that the money spent notifying consumers of the breaches would be better spent elsewhere.&lt;br /&gt;&lt;br /&gt;Frankly, it's hard to know where to begin criticizing the article.  My immediate instinct is to slam the prose.  The author has a terrible habit (epidemic in lawyers, I'm sad to say) of asking rhetorical questions and making mealy mouthed equivocations rather than just taking a position.  For example, the author points out that "Enforcement of these laws may not help consumers, either."  So there's a possibility that consumers &lt;span style="font-style:italic;"&gt;may&lt;/span&gt; not be helped by enforcing laws.  Similarly, it's possible that the sun &lt;span style="font-style:italic;"&gt;may&lt;/span&gt; not rise in the east tomorrow.  
If the author really feels that security breach notification laws don't help people, he should say so, rather than couching his arguments in insubstantial speculation and rhetorical questions.&lt;br /&gt;&lt;br /&gt;However, while my instinct is to slam the prose, I think it's more important to recognize that the logic underlying the prose is really, really bad.  The primary mistake the author makes (and it's a doozy) is to assume that the only benefit which can come from security breach notification acts is to prevent identity theft.  That's simply nuts.  The primary benefit of the notification acts is that, because of them, people are notified when there's a problem.  Without notification laws, businesses would never go public about security breaches, and what is indisputably a major public policy issue would simply be swept under the rug.  Perhaps the author of the article thinks ignorance is bliss, but I prefer that problems be widely acknowledged so that they can be addressed.  A secondary mistake the author makes is that he assumes that the more money businesses spend complying with notification laws, the less money they'll spend on security.  This doesn't make sense.  If businesses could sweep security breaches under the proverbial rug, they would spend even less on security.  The high cost of security breach notifications (in terms of both money and bad PR) will cause companies to spend more on security, not less.&lt;br /&gt;&lt;br /&gt;I could go on almost indefinitely about what's wrong with the author's position, but I won't.  Instead, I can illustrate with a simple analogy: if the author were arguing that statutes requiring businesses to notify consumers when there was a toxic waste spill were ill conceived because they diverted money which would otherwise be used preventing spills, he would be treated as a laughing stock.  
While drinking toxic waste is clearly a more direct threat to health than a data security breach, it's no more logical to allow the release of personal data to be swept under the rug than it is to allow the release of toxic waste to be covered up.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-103989325614724376?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/103989325614724376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=103989325614724376' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/103989325614724376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/103989325614724376'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/value-of-security-breach-notification.html' title='Value of Security Breach Notification Laws'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-4260886579872318639</id><published>2008-06-01T14:49:00.000-07:00</published><updated>2008-06-01T15:21:47.137-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Canada'/><category scheme='http://www.blogger.com/atom/ns#' term='PIPEDA'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Facebook Accused of Violating Canadian Law</title><content 
type='html'>According to &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9091358&amp;intsrc=hm_list"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;, a complaint has been filed against Facebook for violating Canada's Personal Information and Electronic Documents Act (PIPEDA).  If that law, and its rather unwieldy acronym, seem familiar, it could be because there were concerns last year that Google's Street View product might violate it (see, e.g., &lt;a href="http://www.tgdaily.com/content/view/33829/108/"&gt;here&lt;/a&gt;).  In the case of Street View, the concerns were raised over the broad scope and indefinite retention of the data which was collected.  In the case of Facebook, there are several possible violations.  First, Facebook (allegedly) does not fully inform users how broadly their information can be shared with strangers for social networking.  Second, Facebook (again, allegedly), fails to notify users of how their information will be used for advertising, and shared with third parties.  &lt;br /&gt;&lt;br /&gt;Without commenting on the merits of the complaint, I will note that the Computer World article points out that &lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Jeffrey Chester, founder and executive director of the Center for Digital Democracy in the U.S., said the Canadian organization "has lifted the veil that covers Facebook's extensive personal data collection apparatus." [and said that]...It's a giant privacy wake-up call about Facebook from our friends up north."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;My own view is a bit different.  I don't think this is a wake-up call at all.  American consumers already know that there are some serious privacy issues surrounding Facebook.  In fact, there is already a lawsuit in U.S. 
court based on Facebook's beacon program (see, e.g., &lt;a href="http://www.techcrunch.com/2008/04/17/first-facebook-beacon-lawsuit-hits-blockbuster/"&gt;here&lt;/a&gt;).  The problem is that U.S. consumers don't really have much they can do about privacy.  The lawsuit about beacon is only possible because of a very narrow provision of federal law which covers video tape rentals and sales records, but that kind of sui generis protection doesn't really translate into decent coverage for personal information.  Thus, my view is that the Canadian complaint, to the extent it's a wakeup call at all, is a wakeup about the state of U.S. privacy laws, not a wakeup about the threats to privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-4260886579872318639?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/4260886579872318639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=4260886579872318639' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4260886579872318639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/4260886579872318639'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/06/facebook-accused-of-violating-canadian.html' title='Facebook Accused of Violating Canadian Law'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-682909268649186541</id><published>2008-05-25T06:26:00.000-07:00</published><updated>2008-05-26T15:47:48.172-07:00</updated><title type='text'>Well, he was asking for it...</title><content type='html'>Normally, someone getting their identity stolen isn't news.  It's annoying for the victim, but not of great enough consequence for the rest of the world to bear reporting.  However, in &lt;a href="http://www.cnn.com/2008/CRIME/05/22/lifelock.flap.ap/index.html"&gt;this&lt;/a&gt; case, the person whose ID was stolen was Todd Davis.  While that name might not be immediately familiar, it's a good bet you've seen Mr. Davis in the near-ubiquitous online ads for Lifelock, where he poses with his social security card to show just how confident he is in Lifelock's services.  Thus, for him to have his identity stolen is not just news, it's also the trigger for a lawsuit by Lifelock customers saying that Davis's identity theft shows that he knew his product didn't work, even as he promoted it nationwide.&lt;br /&gt;Of course, the filing of a lawsuit, and a decision by a court that Lifelock is liable for damages are two totally different things.  Indeed, I'm not sure that the existence of one identity theft incident shows that Davis knew his service didn't work.  Davis has been flashing his complete social security number all over the internet for years.  
The fact that he was only victimized once in that time seems (to me at least) to show that Lifelock's services really do work to mitigate the threat of identity theft, though they can't eliminate it entirely.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-682909268649186541?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/682909268649186541/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=682909268649186541' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/682909268649186541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/682909268649186541'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/05/well-he-was-asking-for-it.html' title='Well, he was asking for it...'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-3115855100655128404</id><published>2008-05-13T19:12:00.000-07:00</published><updated>2008-05-14T06:14:43.751-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy rights'/><category scheme='http://www.blogger.com/atom/ns#' term='Streetview'/><title type='text'>More Potential Legal Troubles for Google Streetview</title><content type='html'>Ever since its introduction, Google Streetview has raised concerns about privacy (see, e.g., &lt;a 
href="http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&amp;id=1823"&gt;here&lt;/a&gt;).  Now, Streetview is being prepared for Europe, and apparently French law is presenting a problem.  According to &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9084518&amp;taxonomyId=84"&gt;this&lt;/a&gt; article from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;, under French law, you are not permitted to publish images of people going about their business without their permission.  The article says that that's a problem for Streetview because it could require Google to employ "an army of clipboard-wielding legal assistants asking bystanders to sign release forms as they sip their coffee."&lt;br /&gt;&lt;br /&gt;My initial take on it is that something about the article doesn't make sense.  While I'm not familiar with French law, it seems unbelievable to me that any country would have regulations that prevent the publication of pictures taken in public.  After all, if French law really did include that requirement, it would seem completely incompatible with newspapers publishing pictures of crowds, such as might appear at political rallies and sporting events.  In any case though, if the article's portrayal of French law really is correct, then it's an example of where I think giving individuals control over some aspect of their persona (in this case their image) goes too far.  The loss of privacy from allowing pictures to be published without permission is slight (if it shows up on Google Streetview it was, by hypothesis, visible to the public).  By contrast, the cost is real - loss of a popular product which could spin off potentially interesting follow on technologies.  
Thus, in this case, assuming the choice is real, I'd have to come down on the side of Google, rather than on the side of individual control of information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-3115855100655128404?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/3115855100655128404/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=3115855100655128404' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3115855100655128404'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/3115855100655128404'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/05/more-potential-legal-troubles-for.html' title='More Potential Legal Troubles for Google Streetview'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-6443040947502889656</id><published>2008-05-11T06:04:00.001-07:00</published><updated>2008-05-11T08:49:07.608-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='damages'/><title type='text'>Pricing Personal Privacy</title><content type='html'>One perennial problem plaguing plaintiffs pursuing privacy protective pleadings is the difficulty in showing damages.  
When people have gone to court to try and obtain compensation from companies who exposed their personal data in a security breach incident (e.g., DSW Shoe, TJX, etc...) they have consistently lost because the courts say that they can't show damage, and therefore can't be compensated.  One approach to this has been to try and argue that expenditures for dealing with the exposure of personal information (e.g., money spent on credit monitoring) should be compensated.  However, courts have by and large rejected that approach, concluding that money spent on credit monitoring is intended to prevent future loss, and therefore isn't damages which the court can compensate.&lt;br /&gt;&lt;br /&gt;However, according to &lt;a href="http://www.news.com/8301-10784_3-9939862-7.html"&gt;this&lt;/a&gt; article from &lt;a href="http://www.cnet.com"&gt;C|NET&lt;/a&gt;, criminal identity thieves have no problem valuing stolen data which has not yet been used for identity theft.  Indeed, there was even a price list found on a server containing stolen business and personal data which said exactly what various accounts were worth (e.g., bank account with $16,040 had an asking price of 700 Euros; bank account with $14,400 had an asking price of 600 Euros, etc...).  Now, do I think that courts should start using the price lists of criminal identity thieves to determine how to compensate victims in security breaches?  No.  I think a much better measure of damages would be quantifiable damages, such as the cost of replacing compromised credit cards (something I discussed &lt;a href="http://ephemerallaw.blogspot.com/2008/03/problems-with-us-courts-treatment-of.html"&gt;here&lt;/a&gt;).  
However, even if the prices given for stolen accounts shouldn't be used as a measure of damages, they should at least be considered evidence that personal data, even if not used in identity theft, has value, and that that value should be recognized, either in current law (where it often isn't) or in future regulatory changes (where it might be).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-6443040947502889656?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/6443040947502889656/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=6443040947502889656' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6443040947502889656'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/6443040947502889656'/><link rel='alternate' type='text/html' href='http://ephemerallaw.blogspot.com/2008/05/pricing-personal-privacy.html' title='Pricing Personal Privacy'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1913143473082500114.post-2950509349585586887</id><published>2008-05-04T16:25:00.000-07:00</published><updated>2008-05-04T17:59:37.633-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='court filings'/><category scheme='http://www.blogger.com/atom/ns#' 
term='public records'/><title type='text'>Private Information in Court Documents</title><content type='html'>As described in a pair of articles (&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9082178&amp;intsrc=hm_list"&gt;here&lt;/a&gt; and &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9081858&amp;taxonomyId=84"&gt;here&lt;/a&gt;) from &lt;a href="http://www.computerworld.com"&gt;Computer World&lt;/a&gt;, privacy advocate Betty "BJ" Ostergren has been campaigning to have personal data removed from California court websites.  BJ claims that she has turned up "complete tax filings, medical reports pertaining to cases handled by the court, and images of checks complete with signatures as well as account and bank-routing numbers" on the court's website.  Further, she says that it's possible to retrieve similar documents by entering popular last names at random.  The response to this from the court's personnel - that they have tens of millions of documents and finding personal information among them is like looking for a needle in a haystack - is not encouraging.  Essentially, everyone who comes into contact with their system is defended through "security through obscurity," and there's nothing that they can do about it.&lt;br /&gt;&lt;br /&gt;The question then, is whether the posting of thousands, perhaps tens or hundreds of thousands, of documents containing personal information to the court's website is a problem.  As it happens, in my opinion it isn't.  I think it is a huge benefit to society for courts to make filings publicly available.  Indeed, full access to court records gives people the option of finding out how courts have handled various types of scenarios so that they can plan their actions accordingly.  
This ability to know (and therefore follow) the law is an indispensable aspect of any system where rule of law is taken seriously.  If a court makes tens of millions of documents available, I'm not at all surprised that some small percentage of them include information which shouldn't be made publicly available.  Certainly that's regrettable, but I think it's a small price to pay for making courts and the law available to all.&lt;br /&gt;&lt;br /&gt;Does that mean I think the status quo is optimal?  No.  I think the response from the court is totally inappropriate.  The correct response would have been to redact the personal information from the identified documents.  Even then, the system wouldn't be perfect, since there's no guarantee that personal information would be discovered by privacy advocates who report it to court personnel rather than by criminals who would use it in identity theft.  However, it doesn't make sense to expect any system to be perfect, and shutting down something so clearly positive as public access to court filings because they don't perfectly protect privacy would be a terrible mistake.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1913143473082500114-2950509349585586887?l=ephemerallaw.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://ephemerallaw.blogspot.com/feeds/2950509349585586887/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1913143473082500114&amp;postID=2950509349585586887' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2950509349585586887'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1913143473082500114/posts/default/2950509349585586887'/><link rel='alternate' type='text/html' 
href='http://ephemerallaw.blogspot.com/2008/05/private-information-in-court-documents.html' title='Private Information in Court Documents'/><author><name>William Morriss</name><uri>http://www.blogger.com/profile/09679044599000737422</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
