E.P.A.'s Secret Social Media Campaign Violated The Law

According to The New York Times, the Environmental Protection Agency (E.P.A.) engaged in an illegal covert social media campaign to back an Obama administration rule that was intended to to increase protections for our country's streams and waters according to the Government Accountability Office (G.A.O.).

The E.P.A. disputed the G.A.O.'s findings and an official with the agency stated, "[w]e use social media tools just like all organizations to stay connected and inform people across the country about our activities...[a]t no point did the E.P.A encourage the public to contact Congress or any state legislature."

Under the law, federal agencies may not participate in lobbying. The G.A.O. stated that the E.P.A. violated the federal Anti-deficiency Act which prohibits federal agencies from spending money without authorization.  Violating this act may lead to fines and/or jail time.  While its highly unlikely that anyone will be fined or sent to jail for these activities this should serve as a wake up call to government agencies because utilizing social media for illegal activities may create tremendous legal issues that can lead to fines and/or imprisonment.   

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Wyndam Settles FTC Data Security Charges

The FTC announced earlier today that Wyndham Hotels and Resorts has agreed to settle charges that the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.  The settlement requires Wyndham to establish a comprehensive information security program designed to protect cardholder data and to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.

This settlement demonstrates that the FTC will go after companies that it believe do not have the proper data privacy and security protocols in place. Companies must be careful when determining what type of data they collect from their customers, how they will safeguard the information, and how long they utilize the information. In conjunction with a data collection and usage program it is imperative to have robust privacy and security audits.

The bottom line is that companies should bake privacy and security into their customer data collection and usage programs or they risk millions of dollars in potential legal liability.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

  

Canadian Cable Company Facebook Shames Late Paying Customers

There is a valid reason why people are "cutting the cord" and getting rid of their cable subscriptions.  Some cable companies don't have a clue about customer service.  In a very troubling report, Canadian cable company Senga Services has been publicly shaming on Facebook its customers who are in arrears.

Senga Services' behavior was deemed so troubling that Canada's Office of the Privacy Commissioner asked the company to delete its customer shaming Facebook posts.  Do any of the publicly shamed customers have potential legal claims under Canadian law?  What if some of the customers that Senga publicly shamed had a bona fide billing dispute that Senga refused to addressed?  What if some customers were not properly notified of the billing issue due to a move?

Earlier this year, I switched my cable company because I had a major billing dispute.  My now former cable company had lied to me for years and over charged me hundreds of dollars.  Only after I wrote multiple letters to the company and threatened to file FTC and state attorney general complaints was I finally refunded several hundred dollars.

My matter was most likely only settled by the cable company because I am an attorney who has the knowledge and means to easily utilize the proper judicial or regulatory process to obtain the money I was owed.  Most people don't have this luxury.

Companies should tread very carefully when utilizing social media to reach their goals.  Too often organizations empower employees and/or agents to act on their behalf online who don't understand that their digital actions may have legal repercussions.  The bottom line is that its imperative to think before you post.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Mattel, Cybersecurity, Privacy, and Hackable Barbie

Barbie has been an All-American favorite since its introduction in 1959.  She has played a starring role in our popular culture for years; so much so that some girls have gone to great lengths to try to look like her.  The bottom line is that Barbie has become a mainstay in many homes.

For this holiday season, Mattel, the maker of Barbie created a version called "Hello Barbie" that is going to be able to be connected to the Internet.  Some privacy advocates such as the Campaign for a Commercial Free Childhood are very troubled by this new Barbie and have created a social media campaign called #HellNoBarbie because they have some major concerns about how the data being collected will be utilized.

A major problem with Hello Barbie is that parents may not always know when a particular conversation is being recorded by the doll and sent to Mattel's third party technology vendor. Pam Dixon of the World Privacy Forum pointed out to NBC News that the recordings could be utilized in divorce cases and custody battles.

Another issue is cybersecurity. Earlier today, it was reported that Hello Barbie has major privacy and security flaws that could expose the personal privacy and safety of our children. This is a very troubling report. Why didn't Mattel bake privacy and cybersecurity into the design of this toy?  Mattel isn't the only toy maker to have overlooked privacy and cybersecurity issues. VTech, a provider of electronic toys for children was recently hacked and exposed the personal information of millions of children.

The bottom line is that we are entering the era of the "Internet of Toys" where manufacturers may soon start trying to one up each other with how their products are connected online.  The problem is that is appears that many of the privacy and cybersecurity issues that are paramount to protecting the safety our of kids have not been made a priority in this rush for greater profits.

As a parent, I don't want or need my kids toys connected to the Internet. iPhones and Xboxes are meant to be connected online but Barbie, Ken, and GI Joe are not.  Parents must be able to easily control what is recorded about their family in the privacy of their home.  What happened to just being able to play with your kids and having a personal moment that is not shared with the whole world for eternity?

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Email Privacy Act: Much Needed Reform

In general, the government should be required to obtain a warrant in order to access the private password protected digital accounts of its citizens.  Unfortunately, due to an outdated law, the Electronic Communications Privacy Act of 1986 (ECPA) this is not the case.

The ubiquitous nature of online communications has made updating the law to account for how technology has changed over the past 30 years a necessity to ensure that our 4th amendment rights in the virtual world equal our 4th amendment rights in the physical world.  A Congressional hearing on the Email Privacy Act will be held this week to try to update the woefully out of date ECPA statute.  Multiple efforts over the years have failed so I am cautiously optimistic that this effort and others such as the LEADS Act which complement this bill will be passed this term.

The Email Privacy Act has more than 300 cosponsors in the House of Representatives and it would close a glaring loophole in ECPA which enables the government to utilize a subpoena instead of a warrant to require digital service providers to provide their customer's digital communications if they are greater than 180 days old.  When ECPA was enacted in 1986, this loophole wasn't concerning because our technology wasn't such that we could hold years of personal communications in an email account stored in the cloud around the world.

According to a recent poll by Vox Populi, 77% of 1000 registered voters said "a warrant should be required to access emails, photos and other private communications stored online." This super majority demonstrates the importance of this issue and that Congress should listen to the voters to rectify this glaring hole in our 4th amendment protections.

In order for the Email Privacy Act to became law, it is imperative to contact your local members of Congress to tell them about the importance of this issue.  Absent public support, Congress doesn't act. Therefore, if you believe that our 4th amendment protections should extend to our digital activities please take a stand and urge your representatives and senators to support the much needed Email Privacy Act.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Towson University Locker Room Recording Scandal May Cost Millions

The Washington Post, has reported that a Towson University diving coach was indicted on criminal charges by a grand jury for allegedly utilizing a cell phone to tape record student-athletes inside of a women's locker room on campus.  According to Baltimore County Circuit records, Maureen Mead who is married to Pat Mead who is the head coach of the women's diving team has been charged with Interception of Communication, Peeping Tom, and Altering Physical Evidence.

These are serious crimes and its possible that after the facts have been uncovered that federal charges may be forthcoming.  It wouldn't surprise me if Towson University is sued for millions of dollars by the student-athletes who were recorded.  Last year, Johns Hopkins Hospital settled a lawsuit for $190 million dollars where a doctor had illegally tape recorded his patients.

How many other times did Maureen Mead tape record student-athletes in the locker room? Why were the recordings created in the first place?  How were these recordings re-purposed? There are a lot of questions that still need to be answered.  The bottom line is that it may be prudent for Towson University to set aside several million dollars to investigate and resolve this matter.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Emoji (and the law): The Oxford Dictionary Word of The Year

The Oxford Dictionaries have chosen "emoji" as the word of the year.  According to the Oxford University Press, the use of the word "emoji" has increased "hugely" this year so it was natural for it to become the word of the year.

An emoji or emoticon is a digital icon or image that may be used during electronic interactions to convey an idea or feeling. Utilizing emojis in text messages may be useful because they express a feeling or idea more quickly than a group of words. 

Emojis or emoticons have been slowly showing up in court over the past couple of years. There have been some cases where emojis have been introduced into evidence during trial. As more people utilize these images to convey thoughts or ideas the more these issues will need to be addressed by the judicial system.  

The bottom line is that before sending an emoji in a message or posting it online make sure you understand the legal ramifications.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Belgian Court Says Facebook Must Stop Tracking Non-Users

In a very promising development, a Belgian court has ruled that Facebook may no longer collect information about non-users. According to The New York Times, the court ruled that Facebook may no longer collect and store digital information from Belgians who do not have a Facebook account due to a lack of consent.

Facebook will appeal the ruling because it wants the right to track everyone on the Internet for monetary purposes.  However, if Facebook loses and fails to abide by the court's decision it may be fined up to $270,000 per day.

I do not trust Facebook with my personal information. Even though I have a personal Facebook account, my profile photo shows my "favorite social media titan," and I have intentionally included incorrect personal information about myself.  I do not utilize the platform to share my personal thoughts or activities because the data is sent to data brokers.  Furthermore, Facebook is not transparent regarding how personal user information is utilized by its business partners.

Its too early to speculate on whether Facebook will ultimately win the case; however, my hope is that other countries around the world including the U.S. require Facebook, Google, etc... to become more transparent about their data collection and utilization practices. Those who do not use Facebook have an expectation that it will not destroy non-users' privacy. We may soon find out if the Belgian judiciary agrees.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Supreme Court Declines Cell Phone Privacy Case

Earlier today, the Supreme Court declined to hear a case regarding whether law enforcement needs a warrant to access the location information of cell phone users.  While the decision to turn down the case may disappoint some privacy advocates it is not surprising.

Earlier this year in Davis v. U.S., the 11th Circuit Court of Appeals determined that it was not necessary for the police to obtain a warrant before accessing cell phone location records.  The defendant was convicted of armed robbery based in part by his cell phone location data. The appeals court opinion compared cell phone location data to security camera surveillance images (page 27 of the opinion) which is an interesting analogy.

In general, absent exigent circumstances (legal jargon for an emergency), a warrant should be required to access the content and meta data associated with one's digital devices.  In the physical world, law enforcement is generally required to obtain a warrant to search one's home or car.  A home or car may contain physical information (i.e. clothing, hard copy paper records, etc...) that may indicate an investigatory target's location history or other relevant data.

Since a warrant is generally required for physical world evidence, a warrant should generally be required for digital world evidence including location information, meta data, etc...I am hoping that the court declined this matter because it is waiting for a test case that will more easily enable them to strengthen our privacy laws.

This denial of cert demonstrates that it is imperative for the privacy community to increase its efforts to better educate the judiciary, state and federal lawmakers, and other stakeholders about digital privacy issues.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Stevenson University Caught Requiring Access To Private Student Facebook Accounts

Playing college athletics is a privilege and not a right. However, student-athletes do not lose their civil rights when they enter the locker room.  In an insightful and troubling ESPN Outside the Lines Report, it was uncovered that a now former student-athlete at Stevenson University was forced to quit her school's athletic team because she refused to abide by an illegal and discriminatory social media policy. The policy required the women's ice hockey student-athletes to provide their coaches access to their personal social media accounts.

Requiring students to provide coaches and administrators access to personal digital accounts is not just a privacy issue but also a personal safety, cyber security, and civil rights matter.  Does a coach have a legal right to demand to see what political candidate a student-athlete supports?  Does a college administrator have a legal right to see if a student-athlete likes a page that may indicate their sexual preference?  Does a coach have a legal right to see all of your personal messages to your friends and family?  

Maryland was the first state in 2012 to enact legislation to generally ban employers from demanding access to personal social media accounts and it was also the first state to introduce legislation to protect students from being required to turn over the same information to schools. While Maryland was the first state to introduce legislation to protect personal student social media accounts it wasn't able to enact a state law on the matter until earlier this year when it became the 13th state to do so.  

While the student-athlete who was profiled by ESPN was harmed by Stevenson University's clearly unethical and illegal social media policy, it doesn't appear she has a claim under Maryland's new student social media privacy law that went into effect on June 1, 2015. However, she may have a claim under the 2012 employee social media privacy law if she worked in some type of capacity for the university. On the federal level, there may be potential Title IX, federal computer crime law (i.e. the Stored Communications Act), Office of Civil Rights claims, etc... If Stevenson University's illegal social media policy was in effect after June 1, 2015 the school may have additional legal challenges on the horizon.

The bar to settle this type of matter was set at $70,000 per student last year when a Minnesota student received this amount to settle a similar situation.  Since the student profiled in the ESPN piece appears to have been clearly harmed by her university's illegal policy her damages may be significantly higher than $70,000. Every student who was told they must provide access to their personal social media account to participate in a school sponsored activity may also be entitled to at least $70,000.

There appears to be approximately 24 students on the Stevenson University Women's ice hockey team this year.  If 24 students participated on last year's team and they were required to provide access to their personal social media accounts, Stevenson University may be on the hook to compensate each student-athlete at least $70,000.  For example, 24*$70,000=$1,680,000 in potential damages just for last year's team.

If last year's social media policy was in effect this year that could cause additional trouble for Stevenson. While the new Maryland law caps state damages at $1,000 per student plus reasonable attorney fees and court costs, this law doesn't affect potential damages under federal law. If the student-athletes band together and obtain joint legal representation they may be able to file a class action lawsuit and the total damages against the university could theoretically reach $2,000,000+.  

Stevenson needs to become transparent about this matter and held accountable.  How long has their illegal and discriminatory social media policy be in effect?  How many students were required to abide by this policy?  Did the policy just apply to female ice hockey players?  If not, who else. These are just some of the many questions that Stevenson must answer.

The bottom line is that universities need to better understand the legal ramifications of their social media policies and engage those who actually understand best practices. The legal issues involved are very serious and trump the personal/university branding issues that many schools focus on.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

UK Police May Soon Have Power To View All Users Web History

Privacy is something you don't know you have until you lose it.  Unfortunately, the Internet has gone from the world's greatest communication and knowledge spreading platform to the best surveillance tool ever invented.

According to The Independent, UK police may soon be granted the power to view the web browsing history of everyone in the country.   The alleged bill would require communication companies to retain all web browsing history of its customers for 12 months in case the police or spy agencies want access.  The article claims that the police will still need to go through some type of judicial process to obtain the data.

A user's Internet search history may be very useful for law enforcement.  For example, in the United States, it appears that in the infamous disappearance of Caylee Anthony the police may have forgotten to check all of the Internet browsing history of a computer that was searched.  If all of the browsing history of the computer that was checked was readily accessible in one dashboard would it have changed the outcome of the case?

This potential new UK law is very troubling.  Will phone companies soon be required to tape record every phone call that is made?  Will people soon be required to tape record every personal voice conversation and keep a physical copy of every pen and paper interaction they have?  Will librarians soon be required to track every request by every user and keep it on file for 12 months?

The potential for abuse is tremendous.  Will one be prosecuted for just doing an Internet search about a topic?  Who will have access to it?  Will the proper cyber security and privacy safeguards be implemented to protect the data?  What happens when multiple people utilize a device?  Will everyone eventually be forced to have their own Internet ID # to track everything they do online? How much compensation will one be able to obtain after their browsing history is illegally leaked to the media?   These are just some of the many questions that need to be answered.    

Unfortunately, it sounds as though George Orwell's Nineteen Eighty-Four surveillance society is coming true in the U.K.  Which country will be next?  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.   

Snapchat's Troubling New Terms Destroy User Privacy and Safety

Snapchat is an ephemeral messaging app that has become popular with millions of people due to its claim that the content users send using its platform is permanently erased after a certain period of time. This sounds great; however, federal regulators have found otherwise.

According to the FTC, in 2014 Snapchat was caught making false promises to consumers about the amount of content it was collecting and saving about them. This deception led to an FTC settlement that was announced in December of 2014 that prohibits Snapchat from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users' information.  

Unfortunately, this settlement has not yet encouraged Snapchat to become a company that actually cares about user privacy and personal safety.  For example, Marketwatch.com has reported that Snapchat recently changed its terms of service and the update appears to be very similar to Facebook's terms. Snapchat's new policy states, 

"But you grant Snapchat a worldwide, perpetual, royalty-free, sublicensable, and transferable license to host, store, use, display, reproduce, modify, adapt, edit, publish, create derivative works from, publicly perform, broadcast, distribute, syndicate, promote, exhibit, and publicly display that content in any form and in any and all media or distribution methods (now known or later developed)." 

and

"To the extent it’s necessary, you also grant Snapchat and our business partners the unrestricted, worldwide, perpetual right and license to use your name, likeness, and voice in any and all media and distribution channels (now known or later developed) in connection with any Live Story or other crowd-sourced content you create, upload, post, send, or appear in. This means, among other things, that you will not be entitled to any compensation from Snapchat or our business partners if your name, likeness, or voice is conveyed through the Services."

In other words, these terms allow Snapchat to publicly display user content and utilize personal data in ways many users most likely do not understand nor would they knowingly agree to. Will Snapchat soon include a clear warning message in front of its app stating that its new terms harm user privacy and safety?  I highly doubt it....:)

I do not trust services that contain the above or similar terms.  Whether its words, photos, or videos, your content is not private nor safe when the above terms govern.  If you don't trust Facebook because of its privacy killing agreements with data brokers you shouldn't trust Snapchat.  It appears not to be a question of if, but when Snapchat enters into similar privacy killing agreements with data brokers.  Will the FTC soon open an investigation into these new terms?

The bottom line is that if you care about your personal privacy and safety you should avoid utilizing Snapchat.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.   

U.S. Must Pass Judicial Redress Act To Demonstrate International Privacy Leadership

The recent invalidation of the U.S.-E.U. Safe Harbor Agreement by the European Union Court of Justice has demonstrated that the U.S. must enact privacy laws that protect non-U.S. citizens from law enforcement over reach.  The Snowden NSA revelations that were first revealed in 2013 not only angered many American citizens and civil rights advocates, but they also created a schism with Europe regarding government surveillance and digital privacy.

   

For the past 15 years, companies that do business across the Atlantic have relied on the U.S.-E.U.Safe Harbor Agreement to transfer personal data from the E.U. to the U.S. While this agreement was not perfect, it created a mechanism that was consistent with E.U. data protection directives that enabled companies to process and utilize personal digital data without running afoul of E.U. privacy laws.

Austrian privacy advocate Max Schrems' challenge against Facebook regarding how it handles the data it collects from E.U. users was the catalyst behind the demise of Safe Harbor.  E.U.data protection authorities have given lawmakers in the U.S. and the E.U. three months to negotiate a new treaty to replace the Safe Harbor’s data privacy protocols.  Under E.U. law, personal information may be exported if it is provided the same protections that are offered in the E.U. 

U.S. digital privacy protections are generally stuck in the 1980’s and many of our laws did not anticipate how technology would change over time.  While privacy has been a fundamental human right in the E.U. since 1950, U.S. digital privacy rights have been slow to evolve to catch up with how we are utilizing the many life changing services and devices that are now being deployed. 

Congress is working on strengthening our digital privacy rights but the process has been slow and arduous.  Fortunately, yesterday’s passage of the Judicial Redress Act in the U.S. House of Representatives which will enable foreign citizens to have the same legal rights as U.S. citizens if law enforcement violates their personal privacy rights is a step in the right direction.  While the bill still must be passed in the Senate and signed by the President to become law, this development demonstrates that we are on the right track and hopefully this will help lead to a new U.S.-E.U. Safe Harbor data agreement.  

This legislation and others such as ECPA reform, and the Law Enforcement Access To Data Stored Abroad Act (LEADS) are much needed bills that must be enacted to demonstrate that we will be a beacon for digital privacy rights.  We can have both privacy and security while respecting fundamental human rights.  However, we must showcase this leadership by enacting digital privacy laws that equally protect both U.S. and foreign citizens.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.   

Facebook "Unfriending" May Create Legal Liability

Be careful whom you Facebook "friend" and "unfriend" because this act may have legal consequences.  An employment law case originating in Australia recently mentioned Facebook "Unfriending" in one of its decisions as a point of contention and it wouldn't surprise me if this issue gains more legal significance in similar cases around the world.

According to Wired UK, Australia's Fair Work Commission recently stated that that "unfriending" a work colleague showed a "lack of emotional maturity".  Did the commission declare the act bullying?  No; however, the fact that this was even mentioned demonstrates that the issue was on the minds of the commission's members and that it may play a larger role in future decisions.  

This new development demonstrates the importance of creating reasonable digital policies and training and continually educating employees about online issues.  The bottom line is that every digital mouse click and character posted may have legal repercussions.  Therefore, its imperative to ensure that the legal issues inherent are understood before you "friend" or "unfriend" people on Facebook and other electronic platforms.  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.     

Did Volkswagen Violate the Computer Fraud and Abuse Act?

I was very troubled to learn that Volkswagen has been intentionally misleading consumers, governments, and other industry members about its cars' emissions.  This was obviously an attempt engineered to steal market share away from its competitors, harm consumers, and mislead governments about its practices.  As a former Volkswagen owner, I am outraged by this behavior.

When I recently took my car to have its bi-annual emissions inspection in Maryland, I wondered if the inspection was still really needed because I was under the impression that all cars today adhere to the EPA's emissions standards.  Obviously, Volkswagen's intentionally reckless and illegal behavior will ensure that state emissions testing programs will continue on for years to come.
    
There are potential FTC Article 5 unfair and deceptive trade practice and state consumer protection violations here.  In addition, it wouldn't surprise me if there are multi-billion dollar class action lawsuits filed.  However, one legal issue that has been largely overlooked is that it appears Volkswagen hacked its own car software for monetary gain.

Investigative Journalist Bob Sullivan was the first reporter to discuss the hacking issue in the proper context.  In a recent article he stated, the "Volkswagen story should be the beginning of some really serious soul searching, perhaps even a turning point for the Internet of Things.  It’s inevitable: our light bulbs, toasters, door bells, and our cars will all communicate some day soon.  We need a rock-solid ethic — not just laws, but a social morality — that machines should never do things unless people know all about them."

Did Volkswagen violate the Computer Fraud and Abuse Act by intentionally accessing software without car owners' knowledge or consent?  Did it also violate multiple state computer access/hacking laws?

While its too soon to speculate on all of the fallout that will occur, I believe this matter will bring more attention to computer/digital crimes, the Internet of Things, and the privacy and cyber security issues inherent.  My hope is that federal and state authorities make an example out of Volkswagen so other companies are less inclined to follow the same path.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.