Thursday, April 30, 2015

U.S. Student Digital Data Privacy and Parental Rights Act of 2015 Introduced

On April 29, 2015, Representatives Luke Messer and Jared Polis introduced the bipartisan Student Digital Privacy and Parental Rights Act of 2015.  According to The New York Times, "the bill would prohibit operators of websites, apps and other online services for kindergartners through 12th graders from knowingly selling students’ personal information to third parties; from using or disclosing students’ personal information to tailor advertising to them; and from creating personal profiles of students unless it is for a school-related purpose."  

The legislation is modeled after California's SB 1177 (the "Student Online Personal Information Protection Act"), which Education Week hailed as a "landmark" student data privacy law.  The federal Student Digital Privacy and Parental Rights Act of 2015 is a positive piece of legislation that would help better protect the personal privacy and safety of students around the country.  The fact that some members of the ed-tech industry are wary of the bill demonstrates the potential effectiveness of the legislation.

This bill is sorely needed because as Education Week reported last year, some ed-tech vendors such as Google have been caught intentionally misleading parents about their data mining and privacy practices.  For example, exactly 1 year ago today, Google promised to stop scanning student emails and other digital content for advertising purposes.

Unfortunately, Google's promise to better protect personal student data has fallen woefully short, since its troubling consumer privacy policy still covers its education offerings and this policy clearly allows it to data mine and profile students on its Google Apps For Education platform.  For example, Google's promise to stop data mining students does not extend to Google+ or YouTube since neither platform is considered a Google Apps "Core Service".

A former IT policy director at Cornell recently authored an eye-opening research paper about Google's troubling profiling and data mining practices, which is a must-read for school administrators, parents, and educators.  Unfortunately, Google is not the only ed-tech company with weak privacy policies and practices.  Politico and others have also called out Khan Academy for its data mining and profiling practices of students.

Earlier this year, I advocated for my home state of Maryland to enact a similar student privacy bill which was also modeled after California's SB 1177.  I was very troubled to witness Facebook and Google (here is a link to the hearing where you will see that the representatives of these companies were actively trying to thwart passage of robust student privacy protections) advocate for amendments to gut the bill's privacy protections for our children. 
  
My hope is that Facebook, Google, etc... realize that their continued refusal to accept appropriate limits on student data collection, processing, and usage will continue to make parents suspicious about their motives for providing educational technology tools.  These companies are two of the largest advertising entities in the world and their actions so far clearly demonstrate that they want access to personal student data for marketing purposes.

The following national education groups have already voiced support for the federal Student Digital Data Privacy and Parental Rights Act of 2015:
  •  AASA, the School Superintendents Association
  • International Society for Technology in Education
  • National Association of Elementary School Principals
  • National Association of Secondary School Principals
  • National Education Association
  • National PTA
  • State Educational Technology Directors Association
along with Common Sense Media which has worked with state and federal lawmakers around the country to enact stronger student privacy laws.  On the ed-tech side, Education Week reported that Microsoft voiced its support by stating "that it [the bill] will help build public trust that vendors are adequately protecting and appropriately using student information".

It's time for the entire ed-tech industry to support the Student Digital Data Privacy and Parental Rights Act of 2015.  Embracing enhanced digital privacy protections for our students will signal to parents that the industry can be trusted to protect our children's personal information.

As a parent, I want my children to be able to utilize the latest and greatest digital education platforms; however, until stronger privacy laws are enacted I have little confidence that all school technology vendors will make my children's personal privacy and safety a priority.  Therefore, I challenge Facebook, Google, and every other ed-tech company and organization that advocated to weaken Maryland's Student Data Privacy Act of 2015 to do the right thing and support this bill as drafted.     

UPDATE May 1, 2015:  The White House has announced that it supports the new bill.  In a blog post, The White House stated: "[w]e are pleased to see Representatives Luke Messer (R-IN) and Jared Polis (D-CO) answer the President’s State of the Union call to enact new protections for K-12 students’ data to ensure that classrooms can embrace technology with confidence.

Introduced yesterday, The Student Digital Privacy and Parental Rights Act is an important bipartisan step, building upon existing momentum from industry leaders committed to ensuring educational data is not misused by providers or third parties, and carrying the strong endorsement of privacy advocates, the private sector, and associations representing parents and educators."  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Monday, April 27, 2015

Supreme Court to Hear Major Data Privacy and Digital Reputation Case

According to the Associated Press, the Supreme Court announced today that it will decide whether digital platforms "that collect personal data can be sued for publishing inaccurate information even if the mistakes don’t cause any actual harm."  A Virginia resident sued Spokeo.com (an Internet company that compiles allegedly publicly available data on people and lets subscribers view the information, including address, age, marital status, economic health, etc...) because it listed inaccurate information about him and he claims it damaged his job prospects.  The plaintiff lost in federal district court; however, the 9th U.S. Circuit Court of Appeals reversed and found that Spokeo had violated the Fair Credit Reporting Act (FCRA).

This is a very interesting case because of the importance of one's digital reputation.  Should companies such as Spokeo and others that acquire and re-purpose information about people be required to authenticate the accuracy of the data they publish?  If so, how should authentication occur?  

In the Digital Age, what does actual harm mean?  How does one know if actual harm has occurred?  Do prospective employers, colleges, financial firms, insurance companies, etc... always tell applicants they were denied an offer because of data found online at Spokeo or another digital platform?

Should companies that compile data on users/consumers and provide this information to others for a fee be regulated as a consumer reporting agency under FCRA?  Recently, a judge in California found that LinkedIn was not a consumer reporting agency under the definition of FCRA.  Despite this one court's ruling, are companies such as Spokeo, Facebook, Google, LinkedIn, etc... avoiding being regulated under FCRA because of an outdated definition of a consumer reporting agency?

Facebook has agreements in place that enable it to send all your personal information (i.e. personal feelings indicated, posts, photos, friend connections, likes, etc...) to data brokers and this information may be utilized against you when applying for a job, insurance, etc...  Google scans your emails, calendars, cloud drive, etc... for behavioral advertising and who knows what other purposes.  Do some of Facebook's and Google's activities fall under FCRA and, if not, should they?

The bottom line is that, due to the importance of digital reputation, stronger regulations are needed to protect our privacy.  Spokeo advertises itself as the "leading people search platform using proprietary technology to organize information into comprehensive yet easy-to-understand online profiles;" Google states its "mission is to organize the world’s information and make it universally accessible and useful;" and Forbes has stated Facebook "moves to become the world's most powerful data broker."

If these companies act like data brokers, should they also be regulated as such?  We may soon find out how the Supreme Court views data privacy and digital reputation in the Digital Age.


Tuesday, April 21, 2015

U.S. Government Ethics Office Releases Personal Social Media Usage Standards

Earlier this month, the U.S. Office of Government Ethics (OGE) released its Standards of Conduct as Applied to Personal Social Media Usage.  The standards are as follows:

1.  Use of Government Time and Property
This requirement limits the amount of time employees may access their personal social media accounts while working on government business (i.e. while on the job).  In addition, supervisors may not order or ask a subordinate to work on their (the supervisor's) personal social media accounts.  

2. Reference to Government Title or Position & Appearance of Official Sanction
This requirement prohibits employees from using their official titles, position, or any authority associated with their government employment for personal gain.  This rule implies that in certain situations it may be a best practice to post a "clear and conspicuous disclaimer" that the content on one's personal social media account is not sanctioned or endorsed by the government.

3.  Recommending and Endorsing Others on Social Media
Government employees may recommend others on social media platforms such as LinkedIn.  However, in my opinion, supervisors and subordinates should be very careful when endorsing each other on digital platforms because it may create potential legal issues in the future.

4.  Seeking Employment through Social Media
Those seeking employment via digital platforms must conform with all applicable laws and regulations.  Therefore it is imperative to know and understand all rules and regulations when utilizing social media for employment purposes.

5.  Disclosing Nonpublic Information
Employees are prohibited from disclosing non-public information on digital platforms to further their personal interests or the personal interests of others.  The World War II adage, "Loose lips sink ships" is alive and well in the Social Media Age so use caution when posting information online.

6.  Personal Fundraising
Employees are permitted to utilize personal digital accounts to fundraise for non-profit charitable organizations as long as they comply with all appropriate federal rules.  For example, employees should not personally solicit funds from subordinates or prohibited sources.

7.  Official Social Media Accounts
Employees who are authorized to utilize official social media accounts must comply with all applicable laws, rules, regulations, policies, directives, etc...

OGE may issue updates from time to time so it is best to utilize caution when participating in social media.  The bottom line is when in doubt don't post online.


Monday, April 20, 2015

Twitter Quietly Updates Its Terms of Service

According to Mashable, Twitter quietly updated its Terms of Service on Friday in anticipation of new European Data Protection (privacy) laws.  Unfortunately for U.S. users, Twitter's new terms apply to international and not U.S. based users.

An Irish subsidiary was chosen as the location for international user data because it has a reputation for fewer Internet-related regulations.  In other words, other European countries have different beliefs in how data should be protected.  In my opinion, many of Ireland's Internet-related regulatory positions are based purely upon economic reasons.

Fewer regulations may mean more economic development.  For example, I live and work in Montgomery County, Maryland and it has an unfavorable regulatory reputation compared to multiple Northern Virginia counties. Therefore, Fortune 500 companies are more willing to relocate and open subsidiaries in the "business friendly" climate of Virginia.

In general, social media companies are not platforms that are built with privacy by design in mind.  The services provided by Twitter, Facebook, Google, etc... were created to data mine users for behavioral advertising purposes (don't believe any co-founder who states they wanted to make the world a better place, etc....).  Therefore, I do not trust these platforms to handle any sensitive or confidential information/communication.

The European Union is working on stronger data protection regulations because it understands the dangers inherent when companies engage in unfettered collection and data mining of personal information.  It is expected that  Europe will enact stronger data protection laws sometime later this year.  My hope is that the U.S. will follow the EU's lead in trying to create a more private, less discriminatory, and non-monopolistic digital data future.


Thursday, April 16, 2015

Fox News Settles 9/11 Social Media Copyright Lawsuit

According to The Hollywood Reporter, Fox News has confidentially settled its 9/11 photo social media lawsuit.  The case commenced soon after September 11, 2013 because Fox News' "Justice with Judge Jeanine" posted on Facebook the iconic photo of three firefighters raising the American flag at the ruins of the World Trade Center without obtaining permission from the copyright holder.   

Copyright issues are becoming more challenging in the Social Media Age.  However, it's important to read and understand the terms of service and privacy policy of each platform.  For example, when utilizing Facebook, "you grant us [Facebook] a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License)."  Since I don't like these terms, I don't post personal photos to my Facebook account.

News organizations must be very careful about monetizing the photographs they see online without obtaining a proper license. For example, in 2013 a jury awarded a photojournalist $1.2 million after Agence France-Presse and Getty Images (and others) utilized photos he posted on Twitter regarding the 2010 Haiti earthquake without obtaining the proper licenses from him.

The bottom line is that when posting and re-posting content online it is important to understand copyright law issues.


Wednesday, April 15, 2015

European Commission: Google's Conduct Infringes on Antitrust Rules

The European Commission (EC) has sent a Statement of Objections (i.e. a formal complaint) against Google for violating European antitrust laws.  In particular, the EC alleges Google “has abused its dominant position in the markets for general internet search services in the European Economic Area (EEA) by systematically favouring its own comparison shopping product in its general search results pages.  The Commission's preliminary view is that such conduct infringes EU antitrust rules because it stifles competition and harms consumers.”

According to the EC’s press release, it has also “formally opened a separate antitrust investigation into Google's conduct [regarding] the mobile operating system Android. The investigation will focus on whether Google has entered into anti-competitive agreements or abused a possible dominant position in the field of operating systems, applications and services for smart mobile devices.”

These announcements have come after an almost five-year investigation into Google’s European business practices.  The EC has tried three times to settle this matter to no avail.  New EC Competition Commissioner Margrethe Vestager reinvigorated the investigation last year when her office requested additional information from various Internet vendors of online services to determine if consumers have been harmed by Google’s behavior and to figure out if Google has utilized its dominant market position to illegally hinder competition.

The EC’s investigation appears to have picked up momentum after The Wall Street Journal recently obtained a confidential 2012 U.S. Federal Trade Commission (FTC) report where key staff recommended suing Google for antitrust violations after finding real harm to consumers and innovation.  While the FTC report focused on Google’s U.S. behavior, the company most likely acted in a similar fashion in the European Union where it controls more than 90% of the Internet search market.

Since the EC opened its antitrust investigation into Google, the company has paid hundreds of millions of dollars in fines and settlements due to illegal behavior. For example, in 2011 it paid a $500 million fine for knowingly accepting illegal advertisements from Canadian pharmacies.  Subsequently, it has paid multiple million-dollar fines in the United States and in Europe for privacy violations in connection with its Street View data collection project, the deceptive privacy practices in Google's rollout of its Buzz social network, its 2012 privacy policy change, and the Safari hack incident.

Illegally abusing market position in Internet search (and/or other areas) is intertwined with data collection, usage, and privacy issues because in order to receive the most relevant search results to a search query a search engine must be able to access and process voluminous amounts of data very quickly.  For years, 90% to 96% of Google’s revenue has come from advertising which means it is dependent upon being able to obtain massive amounts of personal information at a low cost to feed its behavioral advertising machine. 

Data dominance also appears to be a growing concern of the EC.  For example, Commissioner Vestager recently stated that she’s studying the U.S.’s “stringent approach to dealing with personal data as a means to payment” in its review of deals.  This appears to signal that regulators are beginning to understand that personal and corporate data issues are intertwined with antitrust matters.

The EC’s announcement that it has also opened up an investigation into whether Google has entered into anti-competitive agreements and/or abused its dominant position in regards to its Android operating system demonstrates that it wants to ensure that consumers are not harmed and that innovation is not stifled by illegal market activities in the growing mobile space.  Last year, The Wall Street Journal and The Information reported that Google’s confidential Android agreements have been “increasing the number of Google apps that must be pre-installed on [each Android] device to as many as 20, placing more Google apps on the home screen or in a prominent icon folder and making Google Search more prominent.” 

Google’s Android contract requirements are very troubling when comparing them to Microsoft’s pre-2002 agreements with PC vendors which “required PC manufacturers to bundle and promote the Internet Explorer Web browser and other software in prominent locations on the computer screen.” Therefore, it doesn’t surprise me that the EC is investigating whether Google’s Android agreements violate antitrust law. 

This enforcement action and the announcement of another investigation into Google’s other market activities demonstrate the need for users of its services to carefully read their contracts with Google and be familiar with their terms of service and troubling world-wide privacy policy.  Google's terms and privacy policy allow for unfettered data mining and profiling of consumer, education, corporate, and government data. Multiple European Data Protection Authorities have already fined Google for its privacy practices and ordered Google to change its privacy policy; unfortunately that has had virtually no effect on its market behavior.

Today’s European Commission announcement is the first step in what may be a long, drawn-out legal process, which in theory could lead to a fine up to $6.4 billion and require Google to change some of its business practices.  As a long-time Google user, my hope is that Google soon begins to once again abide by its corporate motto by not being “evil”.


Thursday, April 9, 2015

Facebook faces new class action privacy lawsuit in Austria

A new class action lawsuit has been filed against Facebook in Austria by privacy advocate Max Schrems.  The lawsuit alleges that Facebook has breached EU privacy law due to its privacy practices and involvement in the NSA’s Prism program.

Max Schrems has been a thorn in Facebook's side for years.  He appeared in the documentary "Terms and Conditions May Apply" a couple of years ago where he discussed the data and metadata Facebook had collected on him and others.  Schrems has been advocating against Facebook's data collection practices for years so it will be interesting to follow this case. 

According to The Guardian, Schrems is also fighting to stop security services from gaining access to his personal data held by Facebook and other technology firms.  One of the best ways to stop Facebook and other technology firms from gaining access to his personal data without going through the proper legal channels in his home country is to support U.S. legislation such as the LEADS Act which I have previously discussed. 

The bottom line is that fighting for privacy takes a tremendous amount of time and resources.  Class action lawsuits along with new legislation are some of the arrows in the quiver that may be utilized to better protect our personal privacy and safety.  It's imperative that an international framework on how to resolve the digital privacy challenges of our times is created to ensure that these issues are provided the necessary attention.


Wednesday, April 1, 2015

Maryland's Student Data Privacy Act of 2015 Is Needed

The Internet and broadband access have led to many innovations in how we teach our children. During the past 10 years, K-12 schools have implemented new and exciting technologies that will help students learn and be prepared for life inside and outside of the workforce. Unfortunately, privacy law has not kept up with the technology that is being utilized by our schools because the primary student privacy law, the Family Educational Rights and Privacy Act (FERPA), was enacted in 1974 and it has not been updated to account for all of the new digital activities and metadata that are being created by students on school contracted digital platforms.

Earlier today, I testified again on behalf of a Maryland bill (HB 298) that would help better protect students' digital privacy without hampering educational technology companies with burdensome regulations.  Maryland's HB 298 is based upon California's landmark Student Online Personal Information Protection Act (SOPIPA or SB 1177).  I testified with the sponsor of the bill along with other advocates and some of my written testimony is as follows:

"House Bill 298 as passed by the House of Delegates is a positive piece of legislation that will help protect the personal privacy and safety of Maryland students and their families.  Three federal privacy statutes address student information that may be collected by and from schools:  The Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA).

FERPA was enacted in 1974 when student records were housed in filing cabinets.  This statute is essentially a confidentiality law designed to protect student paper records.  Forty years ago, schools didn’t have personal computers and Internet access.  FERPA was not designed to protect digital student information.  COPPA focuses on the online collection of personal information directly from children younger than 13 years old without parental consent.  The PPRA primarily addresses the use of certain types of data collected from in-school surveys as well as some marketing activities.

FERPA covers “educational records” such as transcripts that were originally kept in a school principal or central district office.  The statute specifically carves out an exemption for “directory information” such as a student’s name, address, date of birth, telephone number, age, sex, and weight.  This 1974 definition of “educational records” and the directory information exclusion no longer make sense in 2015.  Much of the data gathered and utilized by electronic based services is outside the scope of FERPA’s existing definition.

As an example, the metadata gathered from a learning app used by a child in school is not considered an “educational record” and would not be protected by FERPA.  Under FERPA, the app maker and other third parties such as digital advertising networks may utilize the information obtained from our children’s use of school contracted online digital technologies.  This data which may include information regarding health, sexual orientation, religion, race, etc… may then be utilized by third parties to discriminate against our children when they apply to colleges, for jobs, insurance, etc…              
  
Absent stronger privacy protections for online student content, our children’s privacy will be compromised and innovative learning tools and educational technologies will face increased parent skepticism and opposition.  HB 298 as passed by the House of Delegates helps assuage parents’ fears while not stifling industry innovation.  HB 298 is modeled after California’s widely applauded Student Online Personal Information Act (SOPIPA) that has been called a “landmark” student data privacy bill by the highly regarded K-12 focused publication Education Week.

Due to the well balanced approach that HB 298 takes, I am asking for your support of this legislation as it passed in the House of Delegates."  

Google's and Facebook's representatives were lobbying to add amendments that would gut the bill's privacy protections for our children. Behind the scenes, these two companies appeared to be not just the two primary opponents of this bill but of other similar bills around the country (watch/listen to the testimony).  Google's behavior is not surprising since it has been caught by Politico spending hundreds of thousands of dollars to lobby against privacy bills that would better protect the personal privacy of students and their families around the country. Facebook's participation in this process appears to demonstrate that it wants to enter the education market. Due to Facebook's agreements with data brokers and its troubling privacy practices and policies, student data should not be entrusted to its platform.

The bottom line is that if you care about student privacy and cyber safety, our laws need to catch up with the technology that is being deployed.  To support Maryland's Student Data Privacy Act of 2015 please reach out to the senators on the Education, Health & Environmental Affairs Committee to voice your support.
