New California Law Bans Google From Data Mining and Profiling Students For Profit

California has enacted the Student Online Personal Information Protection Act (SOPIPA or SB 1177) that better protects the personal privacy of students.  According to the bill's Legislative Counsel's Digest, "[t]his bill would prohibit an operator of an Internet Web site, online service, online application, or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to amass a profile about a K–12 student, selling a student’s information, or disclosing covered information..."

One of new law's staunchest supporters is Common Sense Media's CEO and founder James Steyer.  On October 14, 2013 Common Sense Media sent an open letter and publicly sounded the alarm regarding the need to better safeguard the personal privacy of our children's school created digital data.  According to The New York Times, the organization sent a letter to 16 educational technology vendors to start a conversation on how to better protect student privacy.  The New York Times reported that Google declined to comment on Common Sense Media's public call for stronger privacy safeguards for students.

Google's refusal to comment on Common Sense Media's open letter to the educational technology industry followed an earlier sidestep to the Rhode Island School of Design's questions about its privacy protections for students who utilize Google's Apps For Education service by allegedly equating "not serving ads" to "no student data mining".  While Google may not be serving behavioral based ads to students through its school offerings at this point, this does not mean it is not data mining personal student information for other non-educational purposes.

Common Sense Media's concerns about  a lack of strong privacy protections for students were validated with the release of Fordham University Law School's Privacy and Cloud Computing Study.   According to the Huffington Post, the Fordham Study "found that only one-fourth of [school] districts tell parents about these services [new cloud based technologies] and one-fifth of districts don't have policies explicitly governing their use [of the data collected]. Many contracts between districts and technology vendors don't have privacy policies, and less than 7 percent of the contracts restrict vendors from selling student information. The agreements rarely address security, according to the Fordham research."  These findings were very disturbing and further confirmed the importance of Common Sense Media's call to strengthen student privacy laws.

Education Week's March 2014  investigative report regarding the federal Google Gmail wiretap lawsuit uncovered that Google "scans and indexes" student emails for advertising purposes.  At that time, Google refused to answer whether it was building user profiles of students based upon its access to their school work.  This troubling admission and refusal to be fully transparent about its student data collection and usage practices set off such a huge firestorm that on April 30, 2014,  Google announced it would allegedly discontinue the practice of scanning student emails for advertising purposes.  

In response to Google's alleged policy change, privacy law scholar Prof. Joel Reidenberg of Fordham told Education Week, Google's measure is "a positive step,"....... [however] "he identified two "significant problems" with it: Google can change this policy at any time, and, the scanning disclaimer is associated with advertising purposes only. There may be other commercial uses that they are exploiting student data for,...."... "such as selling information to textbook publishers, or test-preparation services."  Prof. Reidenberg's statements were prescient because subsequently Politico investigated the educational technology industry and validated his concerns that student data may be utilized by vendors for "other commercial uses".

More than 93% of Google's 2013 $55 billion dollars in revenue was derived from advertising.  While this is slightly lower than 2009's 97% figure, it demonstrates that Google's primary business for years has been data acquisition and mining to create user profiles for advertising purposes.  Google's advertising business has propelled it to become the 2nd most valuable company in the world.  While becoming the most valuable advertising/data mining company in the history of the world, Google has on multiple occasions intentionally cut corners and violated the personal privacy and safety of its users.  During the past several years, privacy regulators around the world have fined Google tens of millions of dollars for its illegal practices.    

The 2011 FTC-Google Buzz Agreement banned Google from making future privacy misrepresentations.  Unfortunately for users, Google wasted no time in breaching this agreement because in 2012 it paid a $22.5 million dollar record fine for misleading users about its privacy practices regarding the scandal known as the Apple "Safari Hack".  In 2013, Google entered into a multi-million dollar privacy violation settlement with 38 states regarding its Street View Project's data collection practices.  In Septemberof 2014, Germany's Hamburg data protection (privacy) regulator ruled that "Google is ordered to take the necessary technical and organizational measures to guarantee that their users can decide on their own if and to what extend their data is used for profiling."

When Education Week contacted Google regarding its position on SB 1177, "Google...declined to clarify whether it scans student email messages sent using its wildly popular Apps for Education tool suite in order to build profiles that might be used for commercial purposes other than targeted advertising...."  Google's refusal to emphatically deny it scans student emails to create user profiles for non-educational purposes may indicate that it is violating the 2011 FTC-Google Buzz Agreement, and/or its 2013 multi-state Attorney Generals Street View Project Agreement. 

While the EU generally appears to be moving in the right direction regarding enforcing its data protection laws against Google, the company so far has not been held accountable in the United States for violating the personal privacy of millions of students who utilize its school provided services.  When will Google be required by a regulatory authority or a court of law to answer the following questions relating to its student data collection and usage practices?: 

1.   How long has Google been scanning the emails of students for advertising/potential advertising purposes (List dates) and which school and how many students by school were affected by this practice?
2.  Has Google deleted the information it collected under the policy of scanning student emails for advertising/potential advertising purposes?  If so, when?

3.  Why was Google scanning student emails for advertising/potential advertising purposes?

4.  Does Google scan student emails or other student content for any purpose other than virus checking/spam filtering?  If yes, for what other purposes?

5.  Does Google create user profiles and/or combine multiple data points on students for any purpose other than to deliver school contracted services?  If yes, what data points is Google collecting, why is it collecting these data points, and when will Google delete these data points? 

Google's troubling behavior and policy reversal appears to have been the spark that ensured SB 1177 was passed by the state legislature and signed into law.  In addition, Google's unfair and deceptive trade practices demonstrate the need for greater accountability and enforcement to ensure that our children's personal privacy and safety are not compromised for corporate profit.  While the enactment of SB 1177 is a positive development, it is time for students, parents, school administrators, lawmakers, privacy advocates, and regulators to start holding Google accountable for its illegal student data mining and usage.

Copyright 2014 by Shear Law, LLC All rights reserved.

Did Facebook's Real Name Policy Lead to the Killing of An Iraqi Mother By Militants?

The Associated Press has reported that militants belonging to the Islamic State group have murdered a human rights lawyer in Mosul, Iraq.  According to the AP, "gunmen with the group's newly declared police force seized Samira Salih al-Nuaimi last week in a northeastern district of the Mosul while she was home with her husband and three children". 

It has been reported that the United Nations Assistance Mission in Iraq believes her arrest was connected to Facebook messages she posted that were critical of the militants' destruction of religious sites in Mosul. This troubling execution demonstrates how dire the situation is in the Middle East.

Are militants social media monitoring the areas that are under their control?  Are they buying social media monitoring services and deploying them to silence any dissent?  If so, which programs are being utilized?  Did Facebook's real name policy requirement make it easy for the militants to find and execute this lawyer and others who voice dissenting opinions on Facebook? 

Facebook's real name requirement enables it to better track users for advertising and monetization purposes.  The reason behind the policy is money.  Facebook has deals in place with data brokers to enable them to combine people's online persona/activities with their offline activity.  These agreements directly lead to the erosion of personal privacy.  This policy may also discriminate against drag queens and other artists.

Now that it appears that militants are using Facebook's Real Name policy to silence and kill its critics will Facebook change this policy to better protect users?

Copyright 2014 by Shear Law, LLC All rights reserved.

Dr. Selfie, Joan Rivers, Social Media Privacy, and HIPAA Violations

CNN is reporting that while the late comedian Joan Rivers was under anesthesia during the procedure that led to her death one of the doctors took a selfie with her without her consent.  If this allegation is true this is a blatant violation of the Health Insurance Portability and Accountability Act.

This is not the first time a doctor has been accused of inappropriate digital behavior.  Earlier this year, a Seattle doctor was accused of sexting during surgery.  Last year, a doctor was accused of posting photos of a drunk emergency room patient online.  There is no excuse for this type of behavior.   Inappropriate digital interactions is not just a problem in the medical profession.  An Arkansas judge recently was disbarred for leaking confidential information online about an adoption involving actress Charlize Theron.

Was Ms. Rivers' doctor so focused on getting the perfect selfie that the appropriate standard of care not followed?  If it is proven that a doctor took an unauthorized selfie of Joan Rivers during a medical procedure the doctor should lose his medical license.  Regardless of the medical examiners findings on the cause of death, the act of taking a selfie with a patient without consent who is being operated on may in and of itself create significant legal liability.  There is no room in the medical profession for this troubling behavior.

Copyright 2014 by Shear Law, LLC All rights reserved.

California Enacts Yelp Bill To Protect Consumers Freedom of Speech

Earlier this week, California enacted a law that protects consumers from businesses that want to ban them from providing truthful negative online reviews.  Yelp supported AB 2365 and stated, "AB 2365 makes it explicitly clear that non-disparagement clauses in consumer contracts for goods or services in the state of California are void and unenforceable. What this means is that individuals writing online reviews in California are now further protected from those bad actors who hide jargon in consumer contracts in attempts to prohibit you from posting reviews -- positive or negative -- online."

I wrote about this legislation on April 23, 2014 and then again on August 30, 2014 because it is an important digital freedom of speech issue.  According to the Digital Media Law Project, 28 states have Anti-SLAPP (Strategic Lawsuits Against Public Participation) statutes.  States that have enacted Anti-SLAPP laws and/or recognized Anti-SLAPP protections via case law may provide some protections for their citizens. 

While I believe Anti-SLAPP laws may help to ensure that citizens aren't silenced for publicizing unpopular opinions, they may not always protect consumers from sneaky terms of service that companies such as Kleargear.com may slip into their agreements with customers.  Therefore, it wouldn't surprise me if more states enact similar "Yelp" inspired laws.

Copyright 2014 by Shear Law, LLC All rights reserved.