Wednesday, December 31, 2014

10 Social Media Privacy New Year's Resolutions

I have listed below 10 New Year's resolutions for those who want to better protect their personal privacy in the Social Media Age:

1) Limit social sharing.  Privacy is cool and hip and sharing too much is not.
2) Don't take nude selfies.
3) Send fewer emails and make more phone calls and have more face to face meetings.
4) Use disappearing apps cautiously.
5) Keep your smartphone location off unless using it for directions.
6) Don't trust apps or online services that have bad privacy policies/practices.
7) Don't trust Facebook with your personal information because its agreements with data brokers destroy your privacy.
8) Don't trust Google's Gmail, Apps, etc... because its privacy policy allows for unfettered data mining and user profile creation that destroy your privacy.
9) Limit Twitter and other public social media conversations.
10) Advocate for stronger digital privacy laws.  Lawmakers and regulators need to hear your voice!

These 10 recommendations are the tip of the iceberg.  Data brokers, employers, schools, insurance companies, financial firms, law enforcement, etc... are watching your social media profile so limit your digital footprint.  In the Social Media Age, this famous proverb should still be followed:  "Better to remain silent and be thought a fool than to speak and to remove all doubt."

Wishing you all a happy and healthy 2015 and beyond!

Copyright 2014 by Shear Law, LLC All rights reserved.

Tuesday, December 30, 2014

Dog Left on Tarmac By United Airlines Angers Twitterverse

Do you remember the catchy song, "United Breaks Guitars"?  Did United Airlines forget about that incident from 2008 that was made into a song in 2009 by a customer whose guitar was broken while he flew with them?  The video has been seen more than 14 million times in the past 5 years.

The latest social media incident to hit United Airlines is a photo of a dog sitting on the tarmac in the Houston, Texas airport while it is raining.  While the angle of the photo makes it hard to discern how wet the dog was getting, the optics don't look good.  The initial Tweet about the incident was re-tweeted more than fifteen hundred times and then re-tweeted by countless others.  In addition, news organizations around the world such as The Daily Mail, The New York Daily News, The New York Post, etc... picked up the story and wrote about it.

The bottom line is that companies large and small must realize that one wrong move can create a major negative public relations event.  Will this harm United's bottom line?  Most likely not since the entire industry is seeing record profits, and now that oil prices are falling airline profits are soaring ever higher.

While this social media incident may not hurt United Airlines financially, due to current market conditions, it has become part and parcel of its history the next time a social media incident occurs.  Therefore, it is imperative to ensure that employees are trained in how to properly deal with social media incidents.


California's New Digital "Eraser Button" Law

On January 1, 2015, California's SB 568 Privacy Rights For California's Minors in The Digital World goes into effect.  The bill was signed in September 2013 and gave website operators a little more than a year to ensure that they have the ability to comply with the new law.

In general, SB 568 seeks to protect minors by generally prohibiting operators of digital platforms (such as web sites, online services, online applications, mobile apps, etc...) from knowingly marketing and advertising to a minor a broad range of products specified in the law.  Some of these products may include alcoholic beverages, firearms, ammunition, tobacco products, fireworks, lottery tickets, tattoos, and drug paraphernalia.  The new law requires operators of digital platforms to notify minors of their rights to remove content or information they posted and honor their requests to remove such data, subject to specified conditions and exceptions.

At first glance, this new law doesn't appear to have much teeth.  For example, the law doesn't appear to have an enforcement mechanism and it is silent about a private right of action against those who may violate the law.  Therefore, when this new law is allegedly violated how does one go about rectifying the situation?    

While SB 568 may help protect California minors from some digital mistakes that may harm their ability to gain acceptance into the college of their dreams, it should not replace educating our children about the digital issues that they confront every day.


Friday, December 26, 2014

Facebook Message Scanning Lawsuit Moves Forward

According to Reuters, U.S. District Judge Phyllis Hamilton in Oakland, California recently ruled that a lawsuit alleging Facebook violates its users' privacy by illegally scanning the contents of messages sent on its platform for advertising purposes may move forward.  This lawsuit appears to sound similar to a recent lawsuit against Google for scanning users' emails for advertising purposes.

It appears that Facebook is claiming that the scanning of emails for advertising purposes is "an ordinary business practice".  Only in the world of Facebook and Google is scanning personal messages for advertising purposes an acceptable "ordinary business practice."  Is it an ordinary business practice for the U.S. Postal Service, Federal Express, United Parcel Service, etc... to scan the contents of their packages to build user profiles about senders/receivers for advertising and other purposes?  Of course not.  Therefore, why do some digital based companies believe this practice is ordinary and should be legal?

According to Ars Technica, the court "read Facebook's entire terms of service. And, in this case, their vague language—typically used to provide broad immunity—became a liability: "[the document] does not establish that users consented to the scanning of their messages for advertising purposes, and in fact, makes no mention of 'messages' whatsoever." Thus, the plaintiffs may have had reason to expect that their messages would remain private. And, although the practice may have been discontinued, the plaintiffs allege that Facebook could start scanning messages again whenever it wanted to."

On Facebook's home page it states, "Connect with friends and the world around you on Facebook".  Nowhere does it state that your messages will be scanned for advertising purposes.  Should Facebook and other digital properties such as Google that are actually digital advertising platforms that masquerade as other services be required to have clear warnings every time a user sends and/or opens up a message (or uses other services) from their platform?  The FDA recently created new calorie labeling rules to better inform Americans about the foods they eat so should the FTC create rules that require digital platforms to be more transparent about their practices to better protect the privacy and safety of its citizens?   

The biggest challenge for plaintiffs moving forward may be to identify how Facebook's actions have financially harmed them.  Unfortunately, the court system in general has been slow to recognize privacy harms absent a direct monetary loss from a practice.  Will the Sony Hack change this mentality?  We may find out in the new year.  


Court: Police May Create Fake Social Media Profiles To Catch Criminals

According to CNN, a federal judge recently ruled that law enforcement officials may create fake social media profiles to obtain access to a suspect's social media account.  The police may entice suspects to "friend" them and use the information gleaned from their Facebook, Instagram, etc... accounts against them in court. 

This ruling is not surprising.  The police have utilized moles and undercover agents to gain access to crime syndicates and gangs for years and this ruling appears to extend this practice to the Digital Age.  As long as the "friending" is mutual, meaning that a suspect allows a "fake profile" to access their account the "search" may be deemed consensual.

Facebook has protested law enforcement's use of fake profiles in the past.  For example, several months ago, Facebook sent a letter to the DEA to demand that it stop creating fake accounts on their platform.  Facebook cares about this issue, not because of the privacy implications to its users, but because it may interfere with its ability to monetize the data being created on their platforms.  A fake account is worthless to data brokers, advertisers, etc....

I don't encourage anyone who values their privacy to utilize Facebook to post personal information.  Everything one posts to Facebook may end up in the hands of data brokers, law enforcement officials, etc... Facebook is an advertising platform and its users are the products it sells to marketers and data brokers.  I don't trust Facebook with my personal information.  Should you?


Tuesday, December 23, 2014

FTC Warns Children's Apps Maker About Potential COPPA Violations

The FTC recently sent a letter to a Chinese based children's app maker alleging that it may be in violation of the Children's Online Privacy Protection Act (COPPA).  According to the allegations, "it appears the child-directed applications marketed by the company, BabyBus, appear to collect precise geolocation information about users" without parental consent. 

COPPA requires companies collecting personal information from children under 13 to post clear privacy policies and to notify parents and get their consent before collecting or sharing any information from children.  While this app is not the only one that has allegedly violated COPPA and/or collected more information than needed to operate, it demonstrates a very troubling trend in apps:  privacy by design continues to be an afterthought.

While I believe the FTC's letter is a positive development, it demonstrates the need for constant vigilance to protect our children's privacy.  In general, it is none of the app's business where my children live, go to school, play, etc.... 


A Sony Hack Lesson: Digital Privacy and Cyber Security Go Hand in Hand

The Sony hack has taught us many lessons about digital privacy and cyber security.  One of the biggest lessons is to be careful about what you put in an email.  Another is to ensure that proper email retention policies are in place.  A third lesson is that employees need to be better trained about these issues.  As privacy law expert Prof. Dan Solove recently stated, there are real harms when one's privacy is breached.

According to multiple published reports, the FBI has named North Korea as the prime suspect in the hacking attack.  If North Korea directed or encouraged those responsible for the hack because it wasn't happy with the theme of the movie The Interview it opens up a new front on what companies will have to prepare for when a business decision may not be popular with a foreign government or a well funded adversary.   

If a nation state such as North Korea or a well funded organization is determined to hack into a corporate computer system it will do so.  Companies can take steps to reduce the risk by creating new digital policies, training their employees, installing new cyber security systems, taking certain systems offline, etc...

The Sony hack has exposed most if not all of its secrets for all to see.  From the troubling gender pay gap to the leak of social security numbers, personal health care records, corporate budgets, etc...the hack has greatly damaged Sony's reputation.  While Sony may eventually be able to recover from this very troubling matter, it wouldn't surprise me if multiple executives leave the company in the near future due to what is contained in their emails.

The bottom line is that the most state of the art cyber security system may not protect against human error or stupidity.  Therefore, it is imperative to constantly train and educate employees about digital privacy and cyber security matters.  Privacy is something we take for granted until it has been lost.  With the right education and mindset, privacy and cyber security don't have to be a luxury.


Tuesday, December 16, 2014

Netherlands Privacy Regulator To Investigate Facebook's Privacy Policy

The Netherlands privacy regulator has announced an investigation into Facebook's recently announced privacy policy change that is scheduled to go into effect on January 1, 2015. Facebook's new privacy policy states that it has the right to use the information provided by its users through their posts, messages, and other online interactions for commercial purposes.  This change is not very surprising since Facebook makes most of its money via behavioral advertising.

Due to the agreements that Facebook has with data brokers and its tracking capabilities across the Internet and devices, I do not trust the company with my personal data or my children's personal information.  I choose not to share my personal thoughts on Facebook because the information may be shared with not only data brokers and marketers, but also insurance companies, the government, etc...  My personal thoughts, data points, etc... may then be utilized against me in ways I never intended.

It is a welcome trend that European data protection regulators are investigating Facebook and fining companies such as Google for violating the personal privacy of users.  My hope is that the FTC and state attorneys general follow in their footsteps and require these companies and others to become more transparent about their digital collection and utilization practices and impose fines when they have made misrepresentations about their activities.

Facebook and Google are two of the most successful advertising companies in the world.  However, both of these companies appear to perform similar functions as some telecommunications entities and data brokers.  Should these companies and others with similar privacy policies and practices be regulated as such?  


Iowa Digital License App Has Major 4th Amendment Implications

Wouldn't it be great if we didn't have to carry around a wallet with a driver's license, credit cards, ATM cards, health insurance cards, etc...?  As Apple famously trademarked and states in some of its commercials, "There's an app for that".  For almost every interaction we have in the real world, software developers are creating apps to allegedly make our lives "easier" and more "frictionless".

In the tech world, "frictionless" may mean making it very easy to "share your personal thoughts, viewing habits, etc...without violating privacy laws", or making it very easy to "make online purchases."  This is why so many companies are rushing to create apps for users.  Unfortunately, multiple FTC reports have found many apps lack proper disclosures which may in turn lead to data leakage which creates cyber safety challenges for users.

The latest app that aims to make our lives "easier" is an app that may replace a physical Iowa driver's license.  At first glance, this sounds great.  Since more and more people are using their smartphones to do everyday tasks and these mini computers hold so much of our personal information, why not utilize an app which would mean one less thing (physical driver's license) to carry around?

There are numerous questions that still need to be answered. If a person who uses the app is questioned by a police officer during a "routine traffic stop" or a "stop and frisk" and asked to show the driver's license app will a police officer be able to access other parts of the phone or will a password be needed?  What happens if a text message, email, or phone call comes through at the moment the police officer is reviewing the app license?  Will the police officer be able to see the sender of the message, or the contents of the communications, or the phone number of the caller?  When downloading the app, will it request access to your contacts or want to see what other apps you have downloaded like Twitter?
      
According to the recent Supreme Court decision in Heien v. North Carolina, the police may stop a car based on a "reasonable" misunderstanding of the law.  What if while reviewing a driver's license app a police officer "misunderstands the law" and searches your smartphone, or makes subtle threats about providing access to your smartphone?

The bottom line is that there are still many questions that need to be answered regarding this new app.  As more and more of our lives become digital, it is imperative that app developers work closely with lawyers and regulators to ensure that privacy by design is part and parcel of the process.  While we may not know all of the potential consequences of utilizing driver's license apps, it is important that we have a national conversation about these issues to ensure that our 4th amendment rights are properly protected in the Digital Age.


Monday, December 15, 2014

Netherlands May Fine Google Millions of Euros For Privacy Law Violations

According to The Wall Street Journal, Google may soon be fined the equivalent of $19 million dollars by the Netherlands Data Protection Authority for violating privacy laws. The Dutch privacy regulator announced earlier today that Google collects and combines personal data for advertising purposes without obtaining user consent.  The threat of a fine follows a 900,000 euro penalty from Spain’s data privacy regulator last year and another 150,000 euro penalty Google received earlier this year.

In 2012, Google consolidated most of its privacy policies into one comprehensive policy that enables it to combine almost all information it gains about its users.  This troubling change demonstrated that Google doesn't care about its users' privacy.  Google's platforms are not built with privacy by design in place.  It is an advertising company disguised as a search engine and communications provider.  This business model has created the most successful advertising entity in the history of the world.

During the past several years, Google has been fined tens of millions of dollars by the FTC, state attorneys general, and European regulators for violating privacy laws.  Regulator fines are designed to stop and deter illegal behavior.  Google makes so much money from the data it mines on its users that it may be cheaper for it to continue to pay fines for bad behavior instead of changing its business practices.  Until regulators around the world are provided the tools that have the teeth required to deter Google and other companies from harming our privacy, this troubling behavior will continue.

Will 2015 be the year that legislators and regulators really clamp down on digital data collection and usage?  Only time will tell.


Thursday, December 11, 2014

The Sony Hack, Corporate Email Acceptable Use Policies, and Legal Liability

The Sony email hack has become a nightmare for the company, its employees, and those who interacted with Sony via its corporate digital systems.  The New York Times, The New York Daily News, and The New York Post are reporting on the contents of some very damaging leaked emails between its corporate executives on all sorts of subjects. For example,  Gawker discussed the contents of some unflattering Sony emails about the upcoming Steve Jobs biopic; while  Buzzfeed reported on some emails that may contain racist comments about the President.

While the Apple iCloud hacking scandal embarrassed many famous people who had their naked images stolen from their iCloud accounts, the images were on personal accounts and meant for  personal consumption.  There was an expectation of privacy.  However, this hack is different because it focused on the contents of corporate data systems. 

Most companies have email acceptable use policies and it is possible that some of the leaked correspondence may have been in violation of these standards.  While it is too soon to speculate since not all of the facts are publicly known, Sony may also have significant compliance, regulatory, and legal liability associated with the matter. 

Will any of Sony's executives be terminated due to the contents in their leaked emails?  Will this incident change people's digital behavior?  Will the hackers ever be caught?  Which company is next? These are some of the many questions that may soon be answered. 


Wednesday, December 10, 2014

Harvard, Digital Reputation, Social Media, and Chinese Food

Never put in an email anything that may embarrass you if it were to show up on the front page of the New York Times or in this case Boston.com.  According to Boston.com, Harvard Business School Professor Ben Edelman got into an email war of words with a local Chinese food restaurant after he realized that its online menu had outdated takeout prices and that he was charged $4 dollars more than what was listed online.

Should the restaurant have an accurate online take out menu?  Yes.  Online prices should accurately reflect current prices.  While Prof. Edelman cites potential violations of Massachusetts law, he could have also mentioned that the matter was a potential Article 5 Violation of the FTC Act regarding unfair and deceptive trade practices.  Is a class action lawsuit or an FTC complaint coming soon?

Even though it appears that Prof. Edelman utilized his personal email account when interacting with the Chinese food restaurant, what if he utilized his professional account?  Since Harvard has closely monitored the emails of some of its deans in the past, could this situation trigger Harvard to search through Prof. Edelman's Harvard account to determine if he has violated any of its rules regarding personal use of Harvard's computer accounts or systems?

Due to social media, every time Ben Edelman is Binged, Googled, Yahooed!, etc... this situation may show up on the first page of his search results.  Whenever I hear the name Ben Edelman, I will think about Chinese food and a $4 overcharge.  However, this should also be a lesson to all businesses that they must ensure that their online advertised prices accurately reflect current prices.

The Digital Age has made our personal online activities more discoverable and it has eroded our personal privacy.  Even though Prof. Edelman was right regarding the need for businesses to have the correct prices listed on their websites, the way he handled the situation may create some potential reputation issues for him both personally and professionally.  The bottom line is that it is imperative to be careful whenever sending a digital correspondence. 

UPDATE:  4:49pm
Boston.com is reporting that Prof. Edelman has released an apology.  Here it is:

"Many people have seen my emails with Ran Duan of Sichuan Garden restaurant in Brookline. Having reflected on my interaction with Ran, including what I said and how I said it, it’s clear that I was very much out of line. I aspire to act with great respect and humility in dealing with others, no matter what the situation. Clearly I failed to do so. I am sorry, and I intend to do better in the future. I have reached out to Ran and will apologize to him personally as well."


Wednesday, November 26, 2014

Twitter's App Graph Privacy Fail Whale: Will The FTC Investigate?

Wishing everyone a Happy and Healthy Thanksgiving!  Before leaving the office for the Thanksgiving Holiday, I noticed that Twitter has made a troubling announcement about its privacy practices moving forward for its iOS and Android users.  According to the Wall Street Journal, "Twitter is now collecting information about the apps installed on users’ devices in order to better target and tailor advertising and other content to them."

Twitter announced, "[t]o help build a more personal Twitter experience for you, we are collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in."

Mashable has reported that, "[o]nce the update goes live, users are automatically opted-in to the tracking, though Twitter will notify users within the app once it starts and you can opt out at any time. Twitter notes that it is only tracking a list of the apps users have downloaded and is not accessing any data within those apps."

In general, most digital and social media platforms are not built with privacy by design in mind.  For example, Facebook and Google are notorious for their very troubling privacy policies and practices which demonstrate that user privacy is an afterthought for these companies.  

It is none of Twitter's business what apps I have uploaded on my mobile device.  Period.  End of story.  Twitter has a right to monitor the apps I have connected to their platform; however, it has no right whatsoever to automatically know what apps I have downloaded onto my mobile device just because I have downloaded its app.  Under no circumstances should this be opt-out. This is a very troubling issue that may lead more apps to do the same thing. 

During the past couple of years, the FTC has published multiple reports on the troubling privacy practices of some mobile apps and ecosystems.  Does Twitter even have the legal right to automatically opt-in users for this program?  Since this was announced right before Thanksgiving, it leads me to believe that Twitter may be trying to bury this troubling matter right before a holiday weekend.  Will the FTC soon open an investigation into this issue?     

The bottom line is that Twitter and other digital companies should make their defaults opt-in.  Opt-out defaults are a threat to personal privacy and safety.  I am fully aware of the corporate monetary reasons for automatic opt-in.  Wall Street has been disappointed with Twitter's revenue performance and recently punished its stock so this automatic opt-in to the App Graph may be an attempt to increase the corporate bottom line.   

If Twitter and other social/digital media companies such as Facebook and Google want me to trust them with my personal and/or corporate data they need to make privacy a priority and not an afterthought.   


Monday, November 24, 2014

Supreme Court To Decide Groundbreaking Social Media Speech Case

In general, it takes the Supreme Court years to address an issue and by the time a matter is resolved the technology utilized in the case may be obsolete.  For example, in 2010, the Supreme Court ruled on a sexting and workplace privacy case (City of Ontario, California et al v. Quon) that began in 2002.  By 2010, many employers had switched from providing pagers to smartphones to communicate with some of their employees.  While technology had greatly changed during those 8 years, the underlying issues litigated were and still are very relevant today. 

A new case before the U.S. Supreme Court may determine when a social media threat crosses the line and violates the law.  According to The Washington Post, the court will decide "whether violent images and threatening language posted on Facebook and other social media constitute a true threat to others or simply [the] protected rants..."

The basic facts of the case are that a man was sentenced to approximately 4 years in prison (and served the sentence) for posting allegedly disturbing messages on Facebook about his estranged wife, co-workers, and law enforcement.  It appears that some of the people who viewed the man's Facebook messages were concerned for their personal safety and/or the safety of others so the appropriate authorities were made aware of the situation which led to the matter ending up in court. 

With more and more communications occurring online, this case has the potential to radically change how we utilize and communicate as a society.  This case also may change how the law views First Amendment protections in the Digital Age.

The Supreme Court needs to strike the right balance between protecting our First Amendment rights and public safety.  What should the test be when determining whether social media speech violates the law?  Should the test be how a reasonable person may view the postings or should the test be whether a person has the intent to follow through with the online threats?

My hope is that the Supreme Court creates a framework that properly weighs First Amendment rights with public safety that may be easily applied to similar situations in the future.  While this case may be the first major social media freedom of speech matter that is decided by the high court, I doubt it will be the last.


Saturday, November 15, 2014

Britain Jails First Revenge Porn Perp

According to The Guardian, the UK has jailed its first revenge porn perpetrator.  Luke King, 21, has been jailed for posting revenge porn online.  He was given a 12-week sentence after pleading guilty to online harassment.

It appears that Mr. King had published naked photos of a woman on WhatsApp earlier this year after threatening her.  On October 13, 2014, I discussed that the UK was set to criminalize revenge porn because it is a growing problem not only in the UK but also around the world. 

While a 12-week sentence may not sound like much for harassing someone online, it may make someone think twice before posting compromising photos of others in the future.  It is too soon to speculate whether the UK's new revenge porn law is a strong enough deterrent.

The law is constantly trying to catch up with technology so it doesn't surprise me that this may be the first case in the UK where someone was jailed for uploading revenge porn.  A major challenge with revenge porn is the likelihood of needing to play a game of whack a mole to remove it from the Internet.  Once content is posted online it is extremely difficult for it to be permanently removed. 


Monday, October 27, 2014

California Highway Patrol Nude Photo Theft Scandal May Create Hundreds of Millions In Legal Liability

The Contra Costa Times is reporting that a California Highway Patrol officer has been "accused of stealing nude photos from a DUI suspect's phone" and "that he and his fellow officers have been trading such images for years."  This behavior is not only very troubling, it may violate multiple federal and state computer theft laws and may even trigger California's revenge porn statute.

The Contra Costa Times further states, "[i]n the search warrant affidavit [for the matter], senior Contra Costa district attorney inspector Darryl Holcombe wrote that he found probable cause to show both CHP officers Harrington and Hazelwood and others engaged in a "scheme to unlawfully access the cell phone of female arrestees by intentionally gaining access to their cell phone and without their knowledge, stealing and retaining nude or partially clothed photographs of them."

This alleged behavior demonstrates why the Riley v. California case is so important.  In that matter, the U.S. Supreme Court held 9-0 that the police generally need a warrant before searching cell phones and electronic devices of those arrested.  All of the facts of this case have not yet been proven so it is difficult to determine exactly in what manner the victims had their phones searched and their personal images stolen and forwarded to others.

Johns Hopkins Hospital recently paid $190 million to settle a matter where a doctor had taken thousands of nude photos of patients without their consent.  In that case, there was no evidence the photos had been shared.  However, in this case, court documents allege that images had been shared.  Therefore, the Johns Hopkins Hospital $190 million settlement may be a benchmark for any potential settlement.

In general, many organizations need to do a better job of training their employees about digital usage and legal matters.  Here, since those who are accused of wrongdoing are police officers, they should have known that their alleged behavior may violate multiple state and/or federal laws.


Friday, October 17, 2014

TV Show Scandal Sex Tape Episode and Sextortion

The TV show Scandal contains the type of story lines needed for a successful television program:  sex, scandals, beautiful people, politics, power, money, etc.  According to Wikipedia, the plot centers around, "Olivia Pope (Kerry Washington) [who] is a former White House Communications Director for the President of the United States who has left to start her own crisis management firm, Olivia Pope & Associates. Olivia has decided to dedicate her life to protecting the public images of the nation's elite but is finding that no matter how hard she tries, she cannot leave parts of her past behind."

Last night's episode centered around the President's daughter slipping her Secret Service detail and doing drugs and creating a threesome sex tape with a couple of boys/young men she had never met before having sex with them.  Olivia Pope's team was called into action and asked to do what was necessary to delete the photos and avoid a scandal for the First Family.

Olivia's employees utilize social media and what may be considered NSA tactics combined with good old-fashioned detective work to track down the boys/young men who had sex with the president's daughter and then filmed it.  As the episode progresses, it appears that the president's daughter was targeted because the parents of one of the boys/young men demand $2.5 million to turn over all copies of the embarrassing sex tape.

The fictional parents live near my office in Bethesda and sound as though they were already very well off.  After Olivia has received the authority to pay $2.5 million to ensure that the video and all copies are destroyed, the parents demand an additional $500,000.  This angers Olivia and she turns the tables on the blackmailers and threatens to ruin them due to their despicable behavior.  The bottom line is that the sex tape is destroyed and it appears that no blackmail money was paid.

Digital blackmail has been a troubling and growing trend.  As USA Today reported earlier this year, the crime of sextortion against children is an epidemic.  Once content has been put into a digital format, texted, and uploaded to the cloud, it is very difficult to delete.  Even technology experts are not sure if content uploaded online can be deleted.

While Scandal is a fictitious television program, some of the story lines are based upon real events.  Not everyone has the resources available to clean up a sex tape incident.  Even celebrities who may have the money to make a sex tape "disappear" are unable to protect themselves from a sex tape scandal.

The bottom line is that it is imperative to protect your privacy at all times.  You never know who may use their cell phone or other digital device as a digital extortion weapon.


Thursday, October 16, 2014

Will The FTC Soon Investigate Whisper For Deceptive Privacy Promises?

Will the Federal Trade Commission soon investigate the app Whisper for false and misleading privacy promises?  The Guardian recently reported some very troubling allegations about Whisper that, if true, lead me to believe that the app may soon be contacted by the Federal Trade Commission to fully explain the matter.

According to The Guardian, Whisper "is tracking the location of its users, including some who have specifically asked not to be followed."  This may be a violation of Article 5 of the FTC Act regarding unfair and deceptive trade practices.  Earlier this year, the FTC alleged that Snapchat, "deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.... According to the FTC’s complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked."

Whisper's actions after learning that The Guardian was about to publish its story are very disturbing.  For example, according to The Guardian, after learning about the upcoming story Whisper rewrote its terms of service to "explicitly permit the company to establish the broad location of people who have disabled the app’s geo-location feature."  In addition, The Guardian reported that Whisper recently changed its privacy policy from it “is committed to protecting your privacy and the security of personally identifying information” to “our goal is to provide you with a tool that allows you to express yourself while remaining anonymous to the community.”

Whisper's terms of service and privacy policy govern its relationship with its users.  Whisper's response to The Guardian's allegations does not appear to address why its terms of service and privacy policy were changed.  Are these changes an acknowledgement that Whisper has been making unfair and deceptive privacy promises about its app?


Tuesday, October 7, 2014

Significant Tech Players Absent from Student Privacy Pledge

According to The New York Times, the enactment of a new California student privacy law (SB 1177) that restricts how "education technology companies can use the information they collect about elementary through high school students" has led "a group of leading industry players...[to] pledg[e] to adopt similar data protections nationwide."  Some of the companies that have agreed to sign the pledge include: Amplify, Edmodo, Houghton Mifflin Harcourt, and Microsoft.

The Pledge is a positive step in the right direction.  Representatives Jared Polis of Colorado and Luke Messer of Indiana worked with the Future of Privacy Forum and the Software & Information Industry Association on this important bipartisan matter.  According to Studentprivacypledge.org, The Pledge will make clear that school service providers are accountable to:

• Not sell student information
• Not behaviorally target advertising
• Use data for authorized education purposes only
• Not change privacy policies without notice and choice
• Enforce strict limits on data retention
• Support parental access to, and correction of errors in, their children’s information
• Provide comprehensive security standards
• Be transparent about collection and use of data

This initiative is an acknowledgement that some education technology providers are intentionally putting student privacy and safety at risk due to invasive and non-transparent data mining and student profiling practices.  Education Week and Politico's in-depth investigative reports on the industry demonstrate the need for greater accountability, transparency, and regulatory enforcement to protect our children.

Apple, Pearson, Khan Academy, and Google's absence from this initiative is very concerning.  Several weeks ago, Apple took a shot at Google regarding Google's privacy policies and data mining/profiling practices.  This occurred soon after email evidence was uncovered that appears to indicate major improprieties during the contracting process that awarded both Apple and Pearson multi-million dollar educational technology contracts in the Los Angeles Unified School District.

Politico's student data mining report found that Khan Academy students allegedly trade their privacy for free tutoring.  Only after Politico "inquired about Khan Academy’s privacy policy, which gave it the right to draw on students’ personal information to send them customized advertising," was the policy "completely rewritten."   

Google's refusal to sign the Pledge is most troubling because it may indicate it is still scanning student emails for advertising purposes and it creates student profiles for non-educational commercial purposes.  Soon after Education Week reported that Google was scanning student emails for advertising purposes, Google publicly announced it would stop the unethical and illegal practice; however, it refused to state whether it was creating student profiles for commercial and/or other non-educational purposes.    

When Education Week contacted Google last week about its position on California's new student privacy law, Google declined to clarify whether it scans student email messages sent using its Apps for Education platform to build student user profiles that may be utilized for non-educational commercial purposes.  Google's refusal to emphatically deny it scans student emails to create student user profiles may indicate that it is violating the 2011 FTC-Google Buzz Agreement, and/or its 2013 multi-state Attorneys General Street View Project Agreement.

As The New York Times stated, "although the pledge is not legally binding, companies that violate their own public representations on privacy could be subject to enforcement actions by the Federal Trade Commission."  Google's refusal to sign the industry-backed Pledge appears to be an acknowledgement that if it signs the Pledge it will be in violation of Article 5 of the FTC Act regarding unfair and deceptive trade practices.  In 2012, Google paid a record $22.5 million FTC fine for misleading users about its privacy practices regarding the scandal known as the Apple "Safari Hack" because it had violated its 2011 agreement not to mislead consumers about its privacy promises.

Google's lack of transparency on student privacy issues and its refusal to participate in an industry-backed student privacy initiative that was created by two organizations it supports should be of great concern to any parent whose school has adopted Google Apps For Education.  According to Google's Apps For Education website, it has a massive footprint in the education space.  More than 30 million students, faculty members, and staff utilize its platform.

Unfortunately for education users, their privacy is still governed by Google's standard Consumer Privacy Policy that allows for all emails and metadata collected to be data mined to create user profiles for non-educational commercial purposes.  The Consumer Privacy Policy that covers Google's educational offerings is the same one that a German data protection authority (privacy regulator) recently ruled violates EU data protection (privacy) laws.  Shouldn't U.S. school children be afforded the same privacy protections as German citizens?     
 
When will Google come clean and be transparent about its past and present student data collection practices?  Some questions that Google still needs to answer include: 

• How long was (is) Google scanning student emails for advertising and/or other non-educational commercial purposes?
• Were the parents or legal guardians of students who had their emails scanned for advertising/commercial profiling purposes provided notice and did the parents or legal guardians respond by giving written consent to allow their children's personal information to be utilized for advertising and/or other non-educational commercial purposes?
• How many students had their emails scanned for advertising and/or non-educational commercial purposes?
• Has Google deleted all the emails and associated metadata that were scanned for advertising and/or other non-educational commercial purposes?  If so, when?
• Is Google data mining students to create user profiles? If so, why and how many students is it profiling?

As a parent, lawyer, and user of Apple, Pearson, Khan Academy, and Google's products/services, I am very troubled by their refusal to sign an industry-created Pledge to better protect student privacy.  If these companies are not willing to change their data collection and usage practices and their privacy policies, and agree to sign the Pledge, can we trust them with our children's most personal information?


Monday, October 6, 2014

Titan has installed hundreds of advertising beacons around NYC

Buzzfeed is reporting that the New York City government has allowed outdoor media company Titan to install hundreds of advertising beacons (small radio transmitters that may be used to track people's movements) in pay phones around the city.  Beacons may be utilized to track your movements via cell phone for not just behavioral advertising, but also for nefarious spying purposes that may put cell phone users in harm's way.  Interestingly, there has been no public notice about this program so all the facts are hard to come by.

When this type of technology is deployed in a public space without the community's input it is very troubling.  After hearing about this new program, the New York American Civil Liberties Union Executive Director Donna Lieberman denounced it.  As a former New Yorker and regular visitor, I am very concerned about this development.

Should Titan (or any other company) have been allowed to install these beacons on public property in the first place?  Should Titan be required to publicly list (i.e. transparency) where each of its beacons is located?  Should Titan be required to place large signs next to its beacon locations so those who walk nearby are notified of this program?  Will consumers who have been tracked by Titan without their knowledge or consent soon sue Titan or New York City for breaching their personal privacy?  These are legitimate questions and concerns that require a national conversation.

For those who care about their personal privacy and security, now is the time to stand up and be counted before it is too late.

UPDATE:

According to Buzzfeed, New York City has asked Titan to remove its beacons from city-owned property and this may occur in the next several days.  This 180 demonstrates the power of social media because within hours of this matter being reported on by Buzzfeed, plans were made to remove the beacons in question.

Will Titan be required to answer the following questions:  What type of data did its beacons collect on public property?  From how many people did Titan's beacons collect information? How much data did it collect?  Will Titan delete all the data it has collected on public property? What were the start dates and what will be the exact end date of this program?  For New York City, who authorized this program without public input?  Will the public be asked the next time this or a similar issue occurs?
    

Sunday, October 5, 2014

PA Attorney General's Office Rocked By Porn Email Scandal

In a very troubling development, prosecutors in the Pennsylvania attorney general's office and employees in other state agencies have been accused of sending porn and other inappropriate content via government email systems.  According to the Pittsburgh Post-Gazette, the Secretary of the Department of Environmental Protection and the department's deputy chief counsel have resigned over the scandal.

NBC News has reported that one political appointee who sits on the state Board of Probation and Parole has refused to step down at this point.  The emails involved in the scandal reportedly contained, "still photos of women in pin-up-style poses; mock workplace motivational posters that showed women performing sex acts with male characters who appeared to be their bosses; and video files, bearing winking titles like 'NASCAR Victory,' or 'Delta Faucet commercial' that showed women and men engaged in intercourse and other sexually suggestive acts."

I have talked to some friends of mine who work(ed) in the attorney general's office of other states and none of them send porn via email to their coworkers on work or personal email.  Each person I spoke with also stated that if they were involved in this type of behavior they most likely would be fired or forced to resign.  Last year, a federal judge in Montana was forced into retirement over allegedly racist emails that he sent.  

It is important to be very careful about what one sends via email or other digital platforms.  In general, I do not recommend utilizing work email for personal purposes. 


Saturday, October 4, 2014

Student Yik Yak Threat at Towson University Leads To Arrest

Be careful what you post online.  I discuss this theme constantly with my clients, during seminars, and with the media.  Earlier this week, a Towson University student was arrested after posting a threat on the app called Yik Yak.

An 18-year-old Towson University student allegedly made an anonymous threat against Towson University utilizing Yik Yak.  The alleged threat made a reference to creating a "Virginia Tech Part 2".  This troubling alleged reference to the terrible tragedy that occurred at Virginia Tech in 2007 that killed 33 people demonstrates that the student may need the assistance of a mental health professional.

According to the Towson Towerlight, "[a] resident student first reported the threat to her resident assistant Wednesday afternoon. The RA took it to the Department of Housing and Residence Life, according to the Director of University Communications Ray Feldmann, who then took it to University Police. TUPD then alerted Baltimore County Police, Maryland State Police and the FBI."

The student who allegedly threatened Towson was charged with, "threat of massive violence and disturbing operations at a school." According to the Baltimore Sun, the defendant, "told police he had learned he wasn't performing well in the jazz class and was worried his parents would pull him out of school if his GPA dropped too much..."

The bottom line is that no matter how angry one is, it is generally not recommended to express that anger on social media or any other digital platform.  If someone is thinking about harming others or themselves, they should meet with a mental health professional who may be able to assist them.


Friday, October 3, 2014

Can Facebook Be Trusted With Personal Medical Information?

According to Reuters, Facebook wants to get into the healthcare business via your personal health care status.  The report states, "[t]he company [Facebook] is exploring creating online 'support communities' that would connect Facebook users suffering from various ailments.  A small team is also considering new 'preventative care' applications that would help people improve their lifestyles."

Is Facebook a safe environment to share personal health information?  This is a question that Facebook users need to answer themselves.  Would I ever trust Facebook with my personal health information?  I don't utilize Facebook to communicate with my family or friends or for any reason other than to explore the constantly changing features on the platform.  For the past several years, I have only utilized Facebook for professional purposes since I don't trust the platform with my personal information.

If you watch Cullen Hoback's documentary Terms and Conditions May Apply you may better understand how Facebook utilizes your personal information.  If watching a documentary is not up your alley, I encourage you to read the clause on Facebook's Terms and Conditions that states, "...you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License)."  In layman's terms, by posting content on Facebook you agree to Facebook utilizing your content in any way it sees fit.

Last year, Forbes reported that Facebook entered into agreements with multiple data brokers to ensure that the personal information you post (i.e. your friends lists, status updates, likes, etc.) is provided to companies/shadowy entities that are creating detailed online and offline personal dossiers about people. Besides advertisers, the information posted on Facebook may be utilized by insurance companies to deny claims, employers to discriminate against employees, and colleges to turn down applicants.

If, after reading the above, you still want to share your personal medical information with Facebook, that is your right.  When it comes to privacy, you don't know how valuable it is until you lose it.


Thursday, October 2, 2014

Google May Have A Strong Defense Against Hacked Celeb Photo Lawsuit Threat

Page 6 of the New York Post was the first media outlet to report that some of the celebrities whose photos were recently hacked may sue Google for not "expeditiously" removing links/images to/of their copyrighted nude photos.  The lawyer, Marty Singer, wrote a scathing letter to Google demanding it act "expeditiously" to remove the infringing content or face a lawsuit that may create $100+ million in damages.

According to The New York Times, Marty Singer is "Guard Dog To The Stars (Legally Speaking)".  In a profile from several years ago, Mr. Singer is quoted as saying, “We’re one of the few firms that sue; we don’t just send a letter.”  While I admire Mr. Singer's work in protecting some of the most famous celebrities in the world, I wish him the best of luck and a very sympathetic courtroom if he follows through and sues Google for not responding "expeditiously" to his takedown requests that are governed under the Digital Millennium Copyright Act.

In 2010, I wrote about the challenges copyright holders have under the Digital Millennium Copyright Act regarding protecting their content in a digital world.  At that time I stated,
"According to the Senate Report about the DMCA (S. Rep. 105-190 at 44), "[b]ecause the factual circumstances and technical parameters may vary from case to case, it is not possible to identify a uniform time limit for expeditious action." In my opinion, this indicates that a non-profit may be held to a different less onerous standard than a commercial entity. Since S. Rep 105-190 was created, technology has drastically changed and I do not believe it was the intent of the Senate to provide ISPs/OSPs wide latitude to remove infringing content at their leisure when even a minor delay in removal may cause serious financial repercussions to rights holders."

I further opined, "The DMCA's safe harbor provision is already tilted heavily in favor of ISPs/OSPs. Therefore, to level the playing field it is time for either Congress or the courts to declare that under the DMCA commercial entities have one business day to remove infringing content."   Whether one business day is still an "expeditious" enough standard is debatable; however, at that time I thought it was a good starting point to begin the discussion. 

Since 2010, neither Congress nor the courts have created a universal definition of the term "expeditiously".  Google has one of the most technologically advanced data mining machines in the world so it most likely can do a better job of removing copyrighted nude photos and/or links to them from appearing on its platforms.

Unfortunately, removing content from the Internet is a lot like "whack a mole".  When it has been removed from one website there is a chance it may appear on another platform.  Due to the recent Right To Be Forgotten Ruling in Europe, Mr. Singer may have better luck if any of his clients are European Union citizens; however, this right appears to only apply to Google's European products/services and it is unclear exactly how this new right will be implemented.

From a legal perspective, does Google have a strong legal defense under the DMCA's safe harbor?  In the 2013 Capitol Records v. Vimeo case, a New York federal district court ruled that it was "expeditious" to take three and a half weeks to remove 170 infringing videos.  While this ruling only applies to the Southern District of New York, it may provide persuasive opinion for other jurisdictions.

Here, it appears a couple hundred copyrighted photos may have been part of the takedown requests and the time frame appears to be a couple of weeks.  Since there is not a definitive legal standard regarding how "expeditiously" a digital platform must act to remove infringing content, it appears Google may qualify for "Safe Harbor" protection.  If Google is eventually sued for allegedly violating the DMCA regarding this matter, it should be able to mount a vigorous and most likely successful defense.


Tuesday, September 30, 2014

New California Law Bans Google From Data Mining and Profiling Students For Profit

California has enacted the Student Online Personal Information Protection Act (SOPIPA or SB 1177) that better protects the personal privacy of students.  According to the bill's Legislative Counsel's Digest, "[t]his bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to amass a profile about a K–12 student, selling a student’s information, or disclosing covered information..."

One of the new law's staunchest supporters is Common Sense Media's CEO and founder James Steyer.  On October 14, 2013, Common Sense Media sent an open letter and publicly sounded the alarm regarding the need to better safeguard the personal privacy of our children's school-created digital data.  According to The New York Times, the organization sent a letter to 16 educational technology vendors to start a conversation on how to better protect student privacy.  The New York Times reported that Google declined to comment on Common Sense Media's public call for stronger privacy safeguards for students.

Google's refusal to comment on Common Sense Media's open letter to the educational technology industry followed an earlier sidestep to the Rhode Island School of Design's questions about its privacy protections for students who utilize Google's Apps For Education service by allegedly equating "not serving ads" to "no student data mining".  While Google may not be serving behavioral based ads to students through its school offerings at this point, this does not mean it is not data mining personal student information for other non-educational purposes.

Common Sense Media's concerns about  a lack of strong privacy protections for students were validated with the release of Fordham University Law School's Privacy and Cloud Computing Study.   According to the Huffington Post, the Fordham Study "found that only one-fourth of [school] districts tell parents about these services [new cloud based technologies] and one-fifth of districts don't have policies explicitly governing their use [of the data collected]. Many contracts between districts and technology vendors don't have privacy policies, and less than 7 percent of the contracts restrict vendors from selling student information. The agreements rarely address security, according to the Fordham research."  These findings were very disturbing and further confirmed the importance of Common Sense Media's call to strengthen student privacy laws.

Education Week's March 2014  investigative report regarding the federal Google Gmail wiretap lawsuit uncovered that Google "scans and indexes" student emails for advertising purposes.  At that time, Google refused to answer whether it was building user profiles of students based upon its access to their school work.  This troubling admission and refusal to be fully transparent about its student data collection and usage practices set off such a huge firestorm that on April 30, 2014,  Google announced it would allegedly discontinue the practice of scanning student emails for advertising purposes.  

In response to Google's alleged policy change, privacy law scholar Prof. Joel Reidenberg of Fordham told Education Week, Google's measure is "a positive step," ... [however] "he identified two 'significant problems' with it: Google can change this policy at any time, and, the scanning disclaimer is associated with advertising purposes only. There may be other commercial uses that they are exploiting student data for, ..." ... "such as selling information to textbook publishers, or test-preparation services."  Prof. Reidenberg's statements were prescient because subsequently Politico investigated the educational technology industry and validated his concerns that student data may be utilized by vendors for "other commercial uses".

More than 93% of Google's $55 billion in 2013 revenue was derived from advertising.  While this is slightly lower than 2009's 97% figure, it demonstrates that Google's primary business for years has been data acquisition and mining to create user profiles for advertising purposes.  Google's advertising business has propelled it to become the 2nd most valuable company in the world.  While becoming the most valuable advertising/data mining company in the history of the world, Google has on multiple occasions intentionally cut corners and violated the personal privacy and safety of its users.  During the past several years, privacy regulators around the world have fined Google tens of millions of dollars for its illegal practices.

The 2011 FTC-Google Buzz Agreement banned Google from making future privacy misrepresentations.  Unfortunately for users, Google wasted no time in breaching this agreement because in 2012 it paid a record $22.5 million fine for misleading users about its privacy practices regarding the scandal known as the Apple "Safari Hack".  In 2013, Google entered into a multi-million dollar privacy violation settlement with 38 states regarding its Street View Project's data collection practices.  In September of 2014, Germany's Hamburg data protection (privacy) regulator ruled that "Google is ordered to take the necessary technical and organizational measures to guarantee that their users can decide on their own if and to what extent their data is used for profiling."

When Education Week contacted Google regarding its position on SB 1177, "Google...declined to clarify whether it scans student email messages sent using its wildly popular Apps for Education tool suite in order to build profiles that might be used for commercial purposes other than targeted advertising...."  Google's refusal to emphatically deny it scans student emails to create user profiles for non-educational purposes may indicate that it is violating the 2011 FTC-Google Buzz Agreement, and/or its 2013 multi-state Attorneys General Street View Project Agreement.

While the EU generally appears to be moving in the right direction regarding enforcing its data protection laws against Google, the company so far has not been held accountable in the United States for violating the personal privacy of millions of students who utilize its school provided services.  When will Google be required by a regulatory authority or a court of law to answer the following questions relating to its student data collection and usage practices?

1.  How long has Google been scanning the emails of students for advertising/potential advertising purposes (List dates) and which schools and how many students by school were affected by this practice?
2.  Has Google deleted the information it collected under the policy of scanning student emails for advertising/potential advertising purposes?  If so, when?
3.  Why was Google scanning student emails for advertising/potential advertising purposes?
4.  Does Google scan student emails or other student content for any purpose other than virus checking/spam filtering?  If yes, for what other purposes?
5.  Does Google create user profiles and/or combine multiple data points on students for any purpose other than to deliver school contracted services?  If yes, what data points is Google collecting, why is it collecting these data points, and when will Google delete these data points?

Google's troubling behavior and policy reversal appear to have been the spark that ensured SB 1177 was passed by the state legislature and signed into law.  In addition, Google's unfair and deceptive trade practices demonstrate the need for greater accountability and enforcement to ensure that our children's personal privacy and safety are not compromised for corporate profit.  While the enactment of SB 1177 is a positive development, it is time for students, parents, school administrators, lawmakers, privacy advocates, and regulators to start holding Google accountable for its illegal student data mining and usage.
