Wednesday, August 21, 2013

Google States in Lawsuit Users Have No Legitimate Expectation of Privacy

The Guardian recently reported that consumer interest group Consumer Watchdog uncovered a digital privacy case that may better protect the privacy of school provided student digital accounts.  Fread v. Google was filed on April 29, 2013, by two university students who allege that Google unlawfully and intentionally intercepts electronic communications (emails and other data collected by the service) from their school provided Google Apps For Education accounts.  The lawsuit claims that Google's cloud based school service is utilizing user data in a manner that violates the Electronic Communications Privacy Act of 1986.  

To better understand Google's Apps for Education program it is essential to read the agreement that Google requires schools to execute to obtain the service.  Google generally offers this program to secondary or post-secondary schools for free (there may be maintenance and/or other costs associated with implementation and/or operation of the service).  While the default setting for the U.S. Google Apps for Education service is one that does not allow for Google to serve ads, it is troubling that the agreement provides schools the ability to data mine their students with the “click of a mouse” in the Admin Console.  

Why has Google provided schools the ability to direct behavioral advertising at students based upon their school emails, attachments, uploaded videos and related digital activity? Does the agreement include the ability to use behavioral advertising so that cash-strapped schools may negotiate an advertising revenue share with Google in the future when they need an easy-to-implement new income stream?

Since Google provides schools the ability to turn on and off the behavioral advertising function for its school based services it makes me wonder what Google is doing behind the scenes with student content.  Is Google’s Apps for Education service a Trojan Horse to data mine and erode our children’s personal privacy and safety?  How is this service able to so easily go in and out of data mining mode with just a "flip of a switch" by a school administrator?  Why isn't Google more transparent regarding its data mining capabilities for the services it offers to schools?  Does this indicate that Google believes that students don’t have an expectation of privacy when utilizing its school branded services?

It appears that Google presumes that its Apps For Education users don't have an expectation of privacy. To defend its practices, in its motion to dismiss Fread, Google directly quotes from a 1970s case, Smith v. Maryland, 442 U.S. 735, 743-744 (1979), "a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties". This case was decided before the widespread adoption of cell phones, email, the cloud, and other digital technologies.

In U.S. v. Jones, 132 S. Ct. 945 (2012), the most recent major privacy case the Supreme Court has decided, Justice Sotomayor, in referencing Smith's central premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties, stated "[t]his approach is ill suited in the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks." Justice Sotomayor's statement clearly diminishes the central tenet of Smith and her philosophy has resonated recently with state lawmakers and courts around the country.

State legislatures and the courts are moving towards recognizing that one has an expectation of privacy in the digital age. For example, at least 13 states have enacted legislation in the past 15 months that protects employees and students from generally being required to provide access to their 3rd party created personal digital accounts. Earlier this year, Texas enacted HB 2268 that requires law enforcement to obtain a warrant before accessing one's personal email accounts or cloud content. In addition, a federal district court in Minnesota recently stated that students have an expectation of privacy regarding their personal electronic accounts. These new laws and court rulings demonstrate that our courts and legislatures firmly acknowledge that we have an expectation of privacy despite third parties storing our content.

Google's actions speak louder than its words. In 2010, Google listed its privacy principles and they included:  "Develop products that reflect strong privacy standards and practices; Make the collection of personal information transparent; and Give users meaningful choices to protect their privacy".  If Google practiced its privacy principles it would be more transparent about how it processes student data and it would strictly prohibit data mining in its Google Apps For Education Agreements. 

Fread raises some important issues about student privacy in the digital age.  It demonstrates the need for school technology providers to make their users' personal privacy a top priority. Unfortunately, it appears that absent court guidance and/or Department of Education rules that ban the data mining of school sanctioned digital accounts, some cloud providers may continue to put profits ahead of the need for privacy in an educational setting.  Until technology providers are legally banned from data mining school provided digital accounts, students and parents/guardians must be informed of the risks associated with utilizing school provided digital services that may erode personal privacy and put our children's safety at risk.

Copyright 2013 by the Law Office of Bradley S. Shear, LLC All rights reserved.  

Tuesday, August 20, 2013

Doctor sued for $1.5 million for allegedly photographing patient without consent and posting on Facebook

According to ABC News in Chicago, a former Northwestern University student has claimed that after she was admitted to Northwestern Memorial Hospital a doctor took photos of her without her consent and posted them online.  This is not the first time that it has been alleged that an employee in the medical field has posted online photos of patients without their consent.  Unfortunately, this will not be the last time either.   

The doctor allegedly posted photographs of the patient on Instagram and Facebook with "attached statements of commentary" about the patient's condition. The plaintiff is claiming invasion of privacy and infliction of emotional distress. If these allegations are proven true, it would not surprise me that the hospital and/or doctor may be liable for more than the $1.5 million that the complaint requests.

This type of behavior has no place in the medical profession. Hospitals need to ensure that they have the proper policies in place and that their employees are trained regularly so that they fully understand these issues. Spending money on preventative training is a lot less expensive than defending and/or losing a lawsuit.

Wednesday, August 14, 2013

Illinois Enacts Right To Privacy in the School Setting Act

Illinois has recently become the 2nd state in the country to enact social media privacy legislation that provides protection to the personal digital accounts of K-12 and post-secondary students. Michigan was the first state to enact social media privacy protections for K-12 and post-secondary students last year.  Multiple other states across the country have enacted social media privacy laws that protect post-secondary school students.   

The Right to Privacy in the School Setting Act was enacted because of several troubling social media related situations in Illinois.  For example, there was an incident where an Illinois public middle school violated the constitutional rights of several students by requiring some students to turn over their Facebook and email usernames and passwords.

Unfortunately, this aspect of the act is very troubling and will have unintended consequences:

Section 10. Prohibited inquiry.
(d) This Section does not apply when a post-secondary school has reasonable cause to believe that a student's account on a social networking website contains evidence that the student violated a school disciplinary rule or policy.

Northwestern University will be required to change its student-athlete social media policy before 1/1/2014 due to the new law. Northwestern's Online Social Networking Student-Athlete policy states, "You must provide full access to members of your coaching staff and/or selected members of the Athletics Department for any and all personal online networking pages." and "You must fully participate in any system developed by your coaching staff to assist in self-monitoring your teammates' personal online networking pages (e.g., buddy system)." This language clearly violates the new law.

As a parent of young children, I would never turn over the passwords of their personal digital accounts absent a warrant and/or a court order and I believe this law is poorly drafted. Does this law violate the Stored Communications Act and/or a student's First and/or Fourth Amendment rights? Time will tell.

The bottom line is that K-12 and post-secondary schools must ensure they do not create social media policies that violate state/federal laws and/or our Constitution. It's ironic that social media was intended to expand the freedom of speech; unfortunately, the reality is that some institutions that don't like the messages being created are using social media to curtail free speech rights.

Tuesday, August 13, 2013

CA School District Lodi Implements Unconstitutional Student Social Media Policy

Colleges and high schools across the country are implementing unconstitutional social media policies that are requiring state legislatures, Congress, and the courts to  show them the error of their ways.  For example, Utah State and Northwestern University implemented clearly unconstitutional social media policies directed at their student-athletes.  Due to these policies, Utah and Illinois enacted legislation banning these schools' social media policies. 

The Lodi Unified School District in California recently enacted a student social media policy that infringes on the First Amendment rights of those who participate in extracurricular activities. This new policy covers student-athletes, student newspaper reporters, band members, chess club members, the glee club, the lesbian, gay, bisexual and transgender club, etc. The policy clearly violates the First Amendment. As Tinker v. Des Moines states, "students do not shed their constitutional rights to freedom of speech or expression at the schoolhouse gate."

In addition to violating the First Amendment, this new policy violates California Education Code Section 48907 that protects students' free speech rights in California.  The bottom line is that K-12 schools and post-secondary schools must be more aware of the policies that their administrators are implementing to ensure they don't create tremendous legal liability.

Thursday, August 8, 2013

New federal legislation aims to stop the digital exploitation of children

The Forbidding Advertisement Through Child Exploitation Act (FACE Act) of 2013 was introduced in Congress on July 10, 2013 by U.S. Congressman John J. Duncan, Jr. (R-Tenn.) to help protect the  personal privacy of children and teens.  The official title as introduced states, "[t]o prohibit providers of social media services from using self-images uploaded by minors for commercial purposes."

The FACE Act states, "(a) provider of a social media service may not intentionally or knowingly use for a commercial purpose a self image uploaded to such a service by a minor." The Act empowers the FTC to promulgate regulations under section 553 of title 5 of the United States Code to implement the Act.  This aspect of the legislation is extremely important because it appears to provide the FTC the flexibility to create regulations that will enable it to account for changes in technology.    

To be effective, legislation should have adequate enforcement mechanisms. This bill appears to enable not only the FTC, but also state attorneys general and/or state officials and/or state agencies to enforce the Act. According to the bill, a "state may enforce the act by bringing a civil action to: enjoin such act or practice; enforce compliance with such section or such regulation; obtain damages, restitution, or other such compensation on behalf of residents of the State; or obtain such other legal and equitable relief as the court may consider to be appropriate."

The Act specifically states that it would not preempt states or political subdivisions of a state from enacting a law that provides minors greater personal privacy protection.  At first glance, this appears to provide the potential to create burdensome regulations on cloud providers and their clients; however, cloud computing vendors have been able to flourish despite being required to adhere to different privacy laws in each state.  For example, at least 46 states, including the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have data breach notification statutes. 

According to a GigaOM article about Gartner's Forecast Overview: Public Cloud Services, Worldwide, 2011-2016, 4Q12 Update that was released earlier this year, "the U.S. is predicted to remain number one in overall cloud services deployment-by a wide margin-into 2016." Therefore, despite almost every state in the U.S. enacting its own data breach notification statute (whose provisions may vary widely state by state), cloud computing providers have still been able to offer clients compliant, cost-effective solutions.

While the FTC's recent updates to the Children's Online Privacy Protection Act provide our children more privacy protections, state attorneys general along with state officials or agencies may be in a better position to protect the digital privacy of our children. For example, while multiple EU data protection authorities are pursuing enforcement actions against Google because of its March 1, 2012 privacy policy change, so far the FTC has declined to do so.

In contrast, the National Association of Attorneys General sent a letter (signed by 36 state attorneys general) in 2012 expressing their concern about Google's privacy policy change. Last month, 23 state attorneys general signed onto a follow up letter that stated, "[w]e are still greatly concerned about the way Google collects consumer information" and "[w]e also think more needs to be done to enable consumers to review and delete data that has been collected about them from specific Google products."

In addition to the actions spearheaded by the National Association of Attorneys General, California's Attorney General Kamala Harris has been active regarding protecting those who utilize mobile apps. Her office's recent report on mobile apps "provides guidance on developing strong privacy practices." Attorney General Harris also created the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws. Other states, such as Massachusetts, have introduced legislation (H 331) that would ban cloud computing service providers who contract with K-12 schools from processing student data for commercial purposes.

Even though some state attorneys general and state lawmakers around the country are working to protect the digital privacy of our children, more tools are needed to ensure that our children are not exploited. The FACE Act's introduction is important because it demonstrates that legislators realize that enacting stronger digital privacy laws is not only best for society, but that it will resonate with voters on election day.

While it may take several legislative sessions for the FACE Act to move forward due to the acrimony on Capitol Hill, it demonstrates that lawmakers still believe we have an expectation of privacy in the Digital Age.  It would not surprise me if the FACE Act's introduction encourages state lawmakers to introduce similar bills in their respective legislatures around the country.  Therefore, it is imperative that the cloud computing industry work with stakeholders to ensure that our children's personal digital data is not utilized for commercial purposes. 

Wednesday, July 31, 2013

Report: NSA Had "Compliance Problems" Protecting Digital Databases

According to an NBC News report, there are documents from 2009 and 2011 that allege that the NSA had "compliance problems" with their digital databases.  This information was declassified today due to the growing calls for transparency about the type of information that the U.S. government is collecting about users of electronic devices.

When I first wrote about the NSA's collection of electronic information in early June, I didn't want to speculate on where these allegations would lead.  I have long suspected that the United States and other countries were collecting and analyzing vast amounts of digital information; however, until this information became public knowledge it sounded as though this was something that came out of George Orwell's book Nineteen Eighty-Four.

Should the U.S. be collecting and analyzing electronic data?  Of course.  However, are the government programs involved adhering to the law?  The declassification of documents related to these matters may help shed some light on these issues.

I am concerned by the internal government documents that allege there are "compliance problems"  with these programs.  "Compliance problems" may indicate that there are some legal issues regarding how the program is administered.  If there are "compliance problems", an investigation may be needed to determine if any laws were/are being broken.

UPDATE:
According to The Guardian, an NSA tool called XKeyscore "allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals". According to former NSA contract employee Edward Snowden, he could "wiretap anyone, from you or your accountant, to a federal judge or even the president, if I had a personal email". If these allegations are true, they are very troubling and may demonstrate the need for an independent commission to review the NSA's digital data collection programs.

Friday, July 19, 2013

New Jersey Supreme Court: Police Need A Search Warrant To Track Cell Phones

New Jersey's Supreme Court has taken the Fourth Amendment and applied it to the Digital Age. In a win for personal privacy, the police are now required to obtain a search warrant before receiving user tracking information from cellphone service providers.

This decision bolsters the position that we still have an expectation of privacy in the Digital Age.  Last year, Bob Sullivan of NBC News wrote about an in-depth investigation of how law enforcement officials were obtaining cell phone tracking information without a warrant all over the country.  This story was eye-opening and discussed some very troubling practices.

New Jersey's decision appears to be inspired by the Supreme Court's U.S. v. Jones case from last year.  In a 9-0 decision, the court basically ruled that we still have an expectation of privacy from the government digitally tracking us without a warrant.   

While law enforcement officials need to be able to utilize modern tools to track criminals, they still need to adhere to the principles our founding fathers put in place more than 200 years ago.  While more of our information is being put into electronic form, it is imperative that the laws to protect our personal privacy keep up with technology.

Thursday, July 18, 2013

O'Bannon Lawsuit against NCAA Adds Current Student-Athletes


The image and likeness rights of current and former student-athletes are valuable assets. For years, the basic deal has been that a school offers a prospective student a one-year renewable (by the school) scholarship and in return the student becomes a student-athlete, receives an education, and hopefully a valuable degree that may be utilized to obtain gainful employment. As part of the deal, a school and/or conference, and/or the NCAA may monetize the name and likeness of their student-athletes in perpetuity.

Is this a fair deal?  This is a question that is currently being litigated by what is known as the O'Bannon lawsuit.  According to a press release by the law firm representing the O'Bannon class representatives, there is "a conspiracy by the NCAA and its business partners, such as videogame manufacturer EA and licensing agent CLC, to license and sell the names, images, and likeness of current and former student-athletes without compensation to those student-athletes, under the guise of amateurism."

The former student-athlete class representatives Ed O’Bannon, Oscar Robertson, William Russell, Harry Flournoy, Alex Gilbert, Sam Jacobson, Thad Jaracz, David Lattin, Patrick Maynor, Tyrone Prothro, Damien Rhodes, Eric Riley, Bob Tallent, Danny Wimprine, Ray Ellis, and Tate George have now been joined by current student-athletes Jake Fischer, Jake Smith, Darius Robinson, Moses Alipate, Chase Garnham, and Victor Keise.

If the court certifies the lawsuit as a class action, the case has the potential to change the financial structure of college athletics.  If the lawsuit moves forward, the court may have to determine if the current financial structure of college sports is equitable to all parties.  If this occurs, it is possible that the court may determine that a redistribution of college athletic revenues may be in order.  

Tuesday, July 16, 2013

Google's Privacy Policy Violates EU Law According To UK, German, And Italian Data Protection Authorities

On July 4th, 2013, European data protection authorities continued to take a stand to protect the digital privacy and personal safety of their citizens. Regulators in the United Kingdom, Germany, and Italy each announced that they are in the process of taking legal action against Google because its March 1, 2012 privacy policy change violates European data protection laws. According to The Guardian, multiple European data protection authorities have notified Google that it must revise its privacy policy or it will face sanctions.
 
These new announcements follow the June 20, 2013 statement by France and Spain's data protection authorities that ordered Google to comply with European data privacy laws or face sanctions for non-compliance.  The CNIL's October 16, 2012, common findings regarding Google's March 1, 2012 privacy policy change stated "Google provides insufficient information to its users on its personal data processing operations," and Google "should therefore modify its practices when combining data across services for these purposes".    

In response to allegations by data protection authorities that its privacy policy violates European law, Google stated, "[o]ur privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the authorities involved throughout this process, and we'll continue to do so going forward."  If regulators in at least five European countries have determined that Google's privacy policy is not in compliance with European data protection laws why does Google continue to claim that its privacy policy respects European law? 

Is Google practicing a technique known as "The Big Lie" when it continues to state that its privacy policy respects European data protection laws?  According to Merriam-Webster's online dictionary, a "big lie" is defined as "a deliberate gross distortion of the truth used especially as a propaganda tactic."  Is Google's consistent position that its privacy policy does not violate European data protection laws despite the findings of non-compliance by multiple European regulators part of a strategy to deny non-compliance so it can continue to utilize the data that it is collecting from users until regulators impose fines and/or take other measures that would require compliance? 

Delay, hinder, and deny appears to be Google's modus operandi when confronted with a privacy investigation. Google has been fined multiple times by regulators around the world for its data collection practices. For example, the FCC fined Google $25,000 in 2012 because during its Street View project in the United States it collected data from U.S. citizens such as personal emails and texts and then refused to fully cooperate with the FCC's investigation. According to the FCC's Notice of Apparent Liability Forfeiture report, "Google deliberately impeded and delayed the Bureau’s investigation by failing to respond to requests for material information and to provide certifications and verifications of its responses" ... and "Google apparently willfully and repeatedly violated Commission orders to produce certain information and documents that the Commission required for its investigation."

The personal privacy of Europeans was also violated by Google's Street View project. Earlier this year, Google was fined $189,230 by German data protection authorities because of its Street View project's data collection practices and it was also fined $142,000 by French data protection authorities in 2011 for similar issues. Does this indicate a troubling pattern where Google violates the personal privacy of Internet users for corporate financial gain because the potential fines are less than the worth of the data it is obtaining and monetizing? Since regulators across the world have fined Google multiple times for violating data protection/privacy laws and these penalties have not pushed Google to reform its behavior, an update to these laws that includes much harsher penalties may be needed.

The European Union's continued march towards requiring Google to change its privacy policy and become more transparent about how it is utilizing user data not only will better protect the digital privacy and safety of consumers, but it will also protect students who utilize Google's official school offerings, along with businesses and governments and their employees who are Google Enterprise customers. 

Google's Apps For Business Enterprise Privacy Center clearly links to Google's standard privacy policy which allows it to merge data from paid professional services with free consumer services.  For example, while a Gmail user is logged in as a Google Apps professional user, he is covered by the Google Apps Agreement.  However, if a Gmail user performs a Google Search, while still logged into his professional Google Apps account, the Gmail user is then bound to a different set of terms which appear to provide Google the right to all the data uploaded. 

Google's Privacy Policy states, "[w]e may combine personal information from one service with information, including personal information, from other Google services."  This appears to mean that Google is combining data from all of its services (both consumer and professional) while a user is logged into a business account. The YouTube videos being watched, ads being clicked on, search terms utilized, business emails sent/received, etc... are all being mined and the results combined to build a profile which is used “to offer [Google users] tailored content – like giving you more relevant search results and ads.” 
 
Should content gleaned from business or official government accounts also be intermixed with data from personal consumer accounts?  Why isn't there a clear notice such as a large pop up screen or some other type of conspicuous warning when a user moves from one Google service to another that their data may be combined?  Should Google or any company be able to use private business data for purposes such as providing “more relevant search results and ads?”  

Allowing any company, whether Google or a competitor, to collect and combine large amounts of information about a person may create unintended and unforeseen legal consequences for Google's users and society. What will happen when a government agency and/or lawyers request access to all of the data that Google is collecting about someone? These practices appear to not only put the personal privacy and safety of Google's users at risk but they also raise significant legal issues about the intermingling of personal and/or corporate or government data.

The time is now for Google to change its privacy policy not just for users in the European countries that are moving forward with enforcement actions but for all users throughout the world.  Since Google's official corporate code of conduct includes the phrases, "don't be evil," "doing the right thing," and "following the law",  I would like to see Google prove they practice what they preach by changing its privacy policy to not only better protect the personal privacy and safety of all of its users but to also follow European data protection laws.  
