Will the European Union Ban Data Mining of Student School Content?

To lower costs and increase efficiencies a growing number of educational institutions are transitioning from utilizing internal servers to external cloud based services.  Well known technology companies such as Amazon, Google, HP, IBM, Microsoft, and Oracle are competing to become the go-to cloud service provider for schools.

Milton Friedman, a famous economist, popularized the phrase, "there ain't no such thing as a free lunch".  In other words, one always has to pay for a good or service, whether by exchanging money or giving up something of value.  During the past decade, a growing number of digital companies have adopted a model where they offer their services for free in the hope that their platform gains widespread acceptance.  In return, those utilizing these services pay for the service by giving up their personal privacy by accepting agreements that enable service providers to monetize their personal information. 

Education budgets in some European member states have been slashed during the past several years due to the economic downturn.  Some cloud computing providers appear to be capitalizing on these deep budget cuts as part of their pitch to governments and educational institutions.  Unfortunately, some digital service providers do not have the best intentions because strong privacy protections are not built into the design of some of their platforms.  

These companies may require schools to execute agreements that do not properly protect the personal data of students.  For example, Sweden's data protection authority recently ordered a school district to stop utilizing Google Apps for Education because the service contract didn't comply with Sweden's Data Protection Act.  In other words, Google's agreement with a municipality in Stockholm did not provide the proper safeguards to protect student data.

The model UK Google Apps For Education Agreement, states, "Customer agrees that Google may serve advertisements (“Ads“) in connection with the Service to End Users who are not designated by Customer as enrolled students."  Does this clause mean that teachers, administrators, and almuni are served ads?  Since students most likely are utilizing school provided email to communicate with their teachers and teachers may discuss student matters with administrators via email are teacher-student and administrator-student, and teacher-administrator emails data mined and monetized by Google? 

Another troubling agreement clause states, "Customer agrees that any revenue generated by Google from the Ads or otherwise derived by Google from the Services will be retained by Google and will not be subject to any revenue sharing."  Does this indicate that in addition to serving ads based upon teacher-student/administrator-student/teacher-administrator digital interactions, the information contained in these emails may be monetized in other forms not necessarily mentioned in the agreement?   

SafeGov.org recently released a report about cloud computing and student privacy.  The organization conducted "in-depth interviews with over a dozen  representatives of European Data Protection Authorities (DPAs) as well as a number of European Commission officials involved in the development of data protection policy."  Their report found, "wide support for the idea that vulnerable data subjects such as school children deserve special protection."

SafeGov.org's findings stated that some cloud providers may be offering schools services that were initially built for the consumer behavioral advertising market and that these services do not appear to have privacy by design built into their architecture.  According to SafeGov.org, "advertising-oriented cloud services may jeopardize the privacy of data subjects in schools, even when ad-serving is nominally disabled." 

Some major threats to student privacy noted in SafeGov.org's report include:

Lack of privacy policies suitable for schools: "[C]loud providers may deliberately or inadvertently force schools to accept policies or terms of services that authorize user profiling and online behavioral advertising."

Potential for commercial data mining: "When school cloud services derive from ad-supported consumer services that rely on powerful user profiling and tracking algorithms, it may be technically difficult for the cloud provider to turn off these functions even when ads are not being served."

User interfaces that don't separate ad-free and ad-based services: "By failing to create interfaces that distinguish clearly between ad-based and ad-free services, cloud providers may lure school children into moving unwittingly from ad-free services intended for school use (such as email or online collaboration) to consumer ad-driven services that engage in highly intrusive processing of personal information (such as online video, social networking or even basic search)."

Contracts that don't guarantee ad-free services:  "By using ambiguously worded contracts and including the option to serve ads in their services, some cloud providers leave the door open to future imposition of online advertising as a condition for allowing schools to continue receiving cloud services for free."

SafeGov.org's findings are very troubling and demonstrate the need for regulators and lawmakers in the EU to be proactive to protect the personal privacy of our next generation of leaders.  While this report was based upon research performed in the EU, it would not surprise me if regulators and lawmakers around the world have similar thoughts and ideas regarding the need to protect vulnerable groups such as students and children from behavioral advertising.  Shouldn't all students and children, regardless of their geographic location, be afforded the same privacy protections?  

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved. 

France's CNIL: Google Failed To Comply With EU Data Protection Laws Before Enforcement Notice Deadline

The CNIL, France's Data Protection Authority has released a statement that Google has failed to comply with its order set in its enforcement notice to reverse its 2012 privacy policy change.  According to the CNIL,

"[o]n the last day of the three-month time period [September 20, 2013] given to Google Inc., the company [Google] contested the reasoning followed by the CNIL, and notably the applicability of the French data protection law to the services used by residents in France. Therefore, it has not implemented the requested changes. In this context, the Chair of the CNIL will now designate a rapporteur for the purpose of initiating a formal procedure for imposing sanctions, according to the provisions laid down in the French data protection law."

On October 15, 2012, I wrote that the CNIL may require Google to reverse its March 2012 privacy policy update that enables it to better monetize its users' personal information.  On June 20, 2013, "France's data protection watchdog (CNIL) said Google had broken French law and gave it three months to change its privacy policies or risk a fine of up to 150,000 euros ($200,000)."  

While potential fines may be a drop in the bucket to Google's bottom line, it would not surprise me if data protection authorities across the world turn up the heat against Google and utilize all available legal and regulatory avenues to ensure that Google complies with their data protection laws.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved. 

New California Law Protects Minors From Digital Mistakes

A new California law is leading the way to protect our children's digital privacy.  Earlier today, Gov. Brown signed into SB-568 Privacy: Internet: Minors that will protect the online privacy of those under 18 years of age who reside in the State of California.  According to CA Senate President Pro Tem Darrell Steinberg, the bill's sponsor, the legislation "requires all web sites, social media sites and apps to allow anyone under 18 to remove content they posted earlier."

The new law will become effective as of January 1, 2015.  It has two main provisions. It seeks to protect minors by generally prohibiting operators of digital platforms (such as web sites, online services, online applications, mobile apps, etc...) from knowingly marketing and advertising to a minor a broad range of products specified in the law.  Some of these products may include alcoholic beverages, firearms, ammunition, tobacco products, fireworks, lottery tickets, tattoos, drug paraphernalia.  In addition, the new law requires operators of digital platforms to notify minors of their rights to remove content or information they posted and honor their requests to remove such data, subject to specified conditions and exceptions.

California has become the first state to offer greater digital protections to minors than the recently revised Children's Online Privacy Protection Act.  While SB-568 is a win for the digital privacy of minors, those under 18 should not use this as an excuse to be reckless about their digital lives.  For example, the law does not enable a minor to require a digital platform remove content that another person posts about that minor.  In addition, Internet companies are only required to remove publicly available content a minor posts and not data that is not publicly viewable.

While SB-568 may help protect California minors from some digital mistakes that may harm their ability to gain acceptance into the college of their dreams, it should not replace educating our children about these issues.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.  

Dead Cyberbullying Victim's Image Used In Facebook Ad

Bullying whether offline or in cyberspace has the potential to cause great pain for its victims and their families.  With the increased usage of social media, more bullies are going online to target their victims.  Unfortunately, the children's rhyme, "sticks and stones may break my bones, but words will never harm me," is losing some power in today's social media fueled world. 

Over the past several years, there have been multiple incidents where online bullying has been a contributing factor in teenagers committing suicide. These tragedies demonstrate the need for parents and teachers to stress the importance that the above children's rhyme is now more important than ever.  In addition to better educating our children, social media platforms must do a better job of policing their web sites and making the personal privacy of their users a top priority.

One such example of a social media platform putting profits ahead of personal privacy is when Facebook was recently caught featuring a photo of Canadian teenage Rehtaeh Parsons who killed herself earlier this year.  Even though Facebook apologized for allowing this to happen, it demonstrates that most digital platforms are reactive in nature and not proactive when it comes to privacy.  While I am generally not a proponent for stricter regulations, this appears to be another example of why stronger digital privacy laws may be needed to protect our children from companies that may be putting profits ahead of privacy.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.  

Social Media Scam Entangles Miami Heat Star

Athletes and other high profile individuals are constant targets of scams offline and on social media.  Earlier this year, Manti Te'o, then a student-athlete with Notre Dame was the target of an elaborate catfishing scheme that almost destroyed his NFL career before he was even drafted.  Manti Te'o is not alone in being targeted by con artists who utilize electronic communications.  The Miami Heat's Chris Andersen was also recently entangled in a digital scheme that almost destroyed his NBA career and personal life.  

These incidents are the tip of the iceberg.  I have counseled multiple high profile individuals who have been the target of these scams.  Fortunately for most of my clients, they usually contact me before these issues become public knowledge.  When I provide services to professional athletes, professional sports teams, college athletic departments, Fortune 500 executives, and other high profile clients, I discuss these type of issues and the importance of limiting one's digital footprint.  Unless one is able to authenticate the person with whom they are texting with and/or sending emails/social media messages with I do not recommend communicating with them.

The bottom line is that some people are putting their guard because a growing number of self-styled social media consultants are advocating that high profile individuals should focus on increasing one's social media usage to build one's personal brand and/or their school and/or corporate brand.  My philosophy is different.  It is about protecting the individual, school, corporation, etc... first.  Brand building is a long process that takes years of hard work and a handful of Tweets or Facebook posts won't do it despite what some self-styled social media consultants advocate.  

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved. 

4th Circuit Appeals Court: Facebook "Like" Is Protected Free Speech

The Fourth U.S. Circuit Court of Appeals has ruled that "liking" a Facebook page may be protected free speech.  In this case, a Virginia man, Daniel Ray Carter, “Liked” the “Jim Adams for Hampton Sheriff” Facebook page in 2009. The incumbent sheriff learned of his subordinate’s (Mr. Carter's) “Like” for his opponent and fired Carter shortly after he won re-election. Mr. Carter sued, and in 2012 a U.S. District judge ruled that "Facebook ‘Likes’ aren’t enough speech to warrant constitutional protection." 

To help explain the context of its opinion, the court cited the 1994 case, City of Ladue v. Gilleo, and reasoned that Facebook "likes" are similar to political lawn signs because they are both symbolic expressions.  In addition, the court stated the "thumbs-up" symbol may be considered similar to a 1974 case (Spence v. Washington), which held that expression occurs when "there is an intent to convey a particularized message".

This ruling demonstrates that a growing number judges are willing to extend free speech protections that we have in the traditional world to the digital or social media world.  The bottom line is that government and private sector employers along with schools need to better understand the issues inherent with social media to avoid social media legal liability.

Copyright 2012 by the Law Office of Bradley S. Shear, LLC All rights reserved. 

The terms and conditions that apply to the storage of your data are important

The terms and conditions of a digital service provider are extremely important because they govern their legal obligations to their customers.  Businesses, governments, and schools are moving from internal servers to cloud based platforms and with this change in platforms comes a concern regarding the privacy and security of sensitive corporate, government, and personal identifiable information.

Clicking "I Agree" when registering for a new digital account/service or when a digital service's policies have been updated may have major legal consequences.  The television show South Park made an interesting observation about what may happen when a company changes its terms and conditions in an episode last year titled the Human Centipad.  While this episode demonstrated the potential pitfalls of what may happen when you agree to terms and conditions you may not understand, an online British retailer once inserted a clause into its digital agreements that gave it the right to reclaim its customers' immortal souls. 

Recently, I attended a showing of a new documentary titled Terms and Conditions May Apply (TACMA). The film emphasizes the importance of reading and understanding the terms and conditions of  digital platforms.  In particular, the  documentary explores in-depth the privacy policies and data collection practices of some of the most popular web based services that are utilized by businesses, governments, and schools.

TACMA spends a significant amount of time discussing the privacy policies and practices of LinkedIn and Google.  As a platform focused on professionals and the corporate market one may think that LinkedIn's terms and conditions would protect the privacy of the data that its professionals and corporate partners post.  However, according to TACMA's director, Cullen Hoback, "LinkedIn's [terms and conditions are] abysmal.  It’s the most over-reaching, ridiculous and shouldn’t-be-allowed-to-exist contract out there that I found." This description is not surprising since LinkedIn recently announced that it has lowered its minimum U.S. user age from 18 to 14 years old.  This move appears to be designed to enable it to collect a treasure trove of personal information from high school students.  

LinkedIn is not alone in requiring users to agree to terms and conditions that may not properly protect the privacy and security of its users.  Google's March 2012 privacy policy change eroded the personal privacy of its users in order to enable it to better monetize the data it collects about those who utilize its services.  Before Google's consolidated privacy policy became effective, data protection authorities across Europe raised serious concerns about the legality of the change and stated that they would investigate the matter.  During the past several months,  multiple European data protection authorities have stated that Google's privacy policy change violates data protection laws.  

When TACMA premiered in January of this year at the Sundance Film Festival, the film alleged that Google's earliest privacy policies were not listed in its publicly available privacy policy archive.  One of Google's earliest privacy policies from December of 2000 stated, "A cookie can tell us, [t]his is the same computer that visited Google two days ago, but it cannot tell us, [t]his person is Joe Smith or even, [t]his person lives in the United States."  This privacy policy indicates that during its early years Google had a policy in place that respected and protected its users' personal privacy. 

However, by December of 2001, the language "it [a cookie] cannot tell us, this person is Joe Smith or even, [t]his person lives in the United States," had been removed from Google's privacy policy.  Eliminating these protections from its privacy policy appears to have been the turning point when Google stopped making user privacy a top priority.  Updating a privacy policy that removes user anonymity protections may jeopardize personal privacy and security.    

According to CNET, TACMA "provides special scrutiny of Google, and argues that the company bowed to advertiser pressure by removing language from its privacy policy promising users anonymity unless they willingly gave it up."  Regarding Google's privacy policy history, Hoback stated, "[t]hey [Google] really did care in the beginning quite a lot about privacy. But when your profit margins come in direct opposition to your principles, sometimes those principles suffer." 

Interestingly, Google declined to be interviewed for TACMA.  May Google's refusal to directly answer TACMA's questions serve as an admission that Hoback's film provides an accurate portrayal of Google's privacy policies?  For those who question the film's accuracy, The Wall Street Journal recently stated "the breadth of Google's information gathering about Internet users rivals that of any single entity, government, or corporation....Google's privacy policy puts few restrictions on how much it can collect or use."    

TACMA publicizes the importance of reading and understanding the terms and conditions of digital platforms.  However, is greater awareness about these issues the only solution or are stronger laws and more robust enforcement actions required to protect users from companies that put profits ahead of privacy?

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.