Facebook has proven once again that it does not care about its users' privacy and that it may manipulate their users' emotional well-being for corporate profit. In an explosive article in The Atlantic it is alleged that Facebook intentionally manipulated the news feeds of almost 700,000 users as part of an experiment about emotional contagion on social networks.
In the past, it appears Facebook related research was focused on analyzing the information users upload. In contrast, this appears to be the first time Facebook has publicly acknowledged that it was intentionally manipulating its users' news feeds for psychological experimentation. Is this the first time this has occurred? If not, is Facebook prepared to come clean about this matter and all similar user experiments?
According to the New York Times, "[t]he company [Facebook] says users consent to this kind of manipulation when they
agree to its terms of service. But in the quick judgment of the
Internet, that argument was not universally accepted." I have reviewed Facebook's Terms of Service and it appears it may be a legal super hero Plastic Man stretch (think South Park Humancentipad episode about terms of service) that users agreed to psychological experimentation by agreeing to Facebook's terms of service.
The National Institutes of Health
(NIH) which is located about a mile from my office has a very detailed
history about the laws relating to the protection of human subjects who
are part of an experiment. Did Facebook violate the spirit or the letter of any of these laws?
It would not surprise me if Facebook and/or other digital platforms update their terms of service to clearly state they are able to perform this type of troubling psychological testing on users. While it is too soon to speculate on whether the experiment abided by Facebook's terms of service and traditional subject informed consent rules, this should be a wake up call to regulators to look more closely at the data collection and usage practices of the digital ecosystem.
Did Facebook inform the FTC about this experiment during its 2012 investigation that culminated in the 2012 FTC Consent Order that alleged Facebook violated its users' privacy. Does performing psychological experiments on users without expressed informed consent violate this order?
The bottom line is that this should be a wake up call to those who post on Facebook and utilize platforms that use your personal information for behavioral advertising purposes and/or sell it to data brokers. As I stated on June, 12, 2014, "I don't advise anyone who values their privacy to post personal information to Facebook because it has an abysmal record when it comes to protecting user privacy." Facebook's latest actions demonstrate that it believes its users are nothing more than lab rats who give up all of their rights when agreeing to Facebook's Terms of Service and Privacy Policy.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Monday, June 30, 2014
Saturday, June 28, 2014
Supreme Court: 9-0 We Have The Right To Privacy In The Digital Age
In a 9-0 decision earlier this week in Riley v. California and U.S. v. Wurie, the U.S. Supreme Court ruled that the police generally need a warrant to search cell phones and personal electronic devices of those who are arrested. I agree wholeheartedly with Adam Liptak's assertion that its "a sweeping victory for privacy rights in the digital age."
This decision appears to have been built upon the U.S. v. Jones decision in 2012 which ruled 9-0 that a warrant is required to place a GPS tracker on a suspect's vehicle. I believe that when reviewed together U.S. v. Jones, Riley v. California, and U.S. v. Wurie, provides strong evidence that the 1979 Smith v. Maryland decision that use of a pen register by law enforcement is not a search within the meaning of the Fourth Amendment may be jeopardy.
The bottom line is that the U.S. Supreme Court has clearly recognized that we have an expectation of privacy in the digital age. Law enforcement appears now to need a warrant to not only search personal cell phones and digital devices, but also personal digital accounts such as email accounts, social media accounts, cloud computing accounts, app accounts, and other connected devices/accounts that may be referred to the "Internet of Things", etc... of the people whom they arrest.
Does this ruling strengthen the Electronic Communications Privacy Act by now requiring law enforcement to obtain a warrant for all emails regardless of their age during an investigation? While it is still too early to determine all of the ramifications of this decision, it demonstrates that the U.S. Supreme Court believes we still have a right to privacy despite the changing nature and usage of technology.
Copyright 2014 by Shear Law, LLC. All rights reserved.
This decision appears to have been built upon the U.S. v. Jones decision in 2012 which ruled 9-0 that a warrant is required to place a GPS tracker on a suspect's vehicle. I believe that when reviewed together U.S. v. Jones, Riley v. California, and U.S. v. Wurie, provides strong evidence that the 1979 Smith v. Maryland decision that use of a pen register by law enforcement is not a search within the meaning of the Fourth Amendment may be jeopardy.
The bottom line is that the U.S. Supreme Court has clearly recognized that we have an expectation of privacy in the digital age. Law enforcement appears now to need a warrant to not only search personal cell phones and digital devices, but also personal digital accounts such as email accounts, social media accounts, cloud computing accounts, app accounts, and other connected devices/accounts that may be referred to the "Internet of Things", etc... of the people whom they arrest.
Does this ruling strengthen the Electronic Communications Privacy Act by now requiring law enforcement to obtain a warrant for all emails regardless of their age during an investigation? While it is still too early to determine all of the ramifications of this decision, it demonstrates that the U.S. Supreme Court believes we still have a right to privacy despite the changing nature and usage of technology.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Thursday, June 26, 2014
Congressional Hearing: More Enforcement Needed To Protect Student Data Privacy
I recently attended a Joint Hearing with the Subcommittee on Early Childhood, Elementary, and Secondary Education titled, "How Data Mining Threatens Student Privacy"in Congress. This hearing caught my attention because as a parent of two young children student privacy is very near and dear to my heart.
Invited to testify were: Prof. Joel Reidenberg, Founding Academic Director of Fordham Law School's Center on Law and Information Policy, Mr. Mark MacCarthy, Vice President of Public Policy for the Software & Information Industry Association (SIIA), Ms. Joyce Popp, Chief Information Officer of the Idaho State Department of Education, and Mr. Thomas Murray, State and District Digital Learning Director for the Alliance for Excellent Education.
During the hearing, Prof. Reidenberg discussed his groundbreaking Privacy and Cloud Computing in Public Schools study that found, "fewer than 7% of contracts [between schools and ed-tech vendors] restrict the sale or marketing of student information by vendors, and many [cloud] computing agreements allow vendors to change the terms without notice." He also stated that 25% of services offered to schools use "freemium" models that have to monetize student data in a manner that most likely does not benefit student learning. These troubling findings were of great interest to the members of Congress and those who attended the hearing.
The SIIA appeared not to be interested in acknowledging Prof. Reidenberg's findings and the organization may have even provided intentionally misleading testimony. For example, on pages 4-5 of its written testimony the SIIA stated, "The federal government recently updated regulations and guidance for FERPA [Family Educational Rights and Privacy Act] and COPPA [Children’s Online Privacy Protection] specific to online educational services." This statement is factually incorrect.
FERPA's regulations were not recently updated. Earlier this year, the Department of Education issued updated guidelines which do not provide the same protections as updated regulations. During the hearing, Prof. Reidenberg made the committee aware of this distinction. When the SIIA stated that Prof. Reidenberg's study did not have concrete proof that some ed-tech vendors were utilizing personal student data for non-educational purposes, Prof. Reidenberg mentioned Google's recent admission in federal court that it scans student emails for potential advertising.
The SIIA's members include ed-tech vendors that sell their services to schools. Some of these companies offer their digital services for free to schools and in return may data mine student emails and build student user profiles for advertising purposes. For example, in an ongoing federal lawsuit in California that Prof. Reidenberg mentioned in his testimony, Google admitted under oath, that it “scans and indexes the emails of all Apps for Education users for a variety of purposes, including potential advertising,....that cannot be turned off—even for Apps for Education customers who elect not to receive ads."
While intense outrage from parents and schools along with international media scrutiny recently led to Google announcing it will allegedly stop these practices, Google's behavior demonstrates the need for stronger enforcement of student privacy laws, greater transparency in the industry, and where needed a strengthening of the current legal and regulatory framework.
One of the most memorable instances of the hearing occurred when Rep. Pat Meehan of Pennsylvania asked the SIIA whether current law would protect his son from receiving targeted Coca-Cola ads based on data provided by his school. The SIIA claimed it would be illegal due to existing government regulations and that FERPA applies to vendors; however, Prof. Reidenberg strongly disagreed with these assertions and proved that the SIIA was misleading the committee about these issues.
Prof. Reidenberg recommended modernizing FERPA so it applies to all student information and mandates a notice to parents for public disclosure of the educational uses of student data. He also stated that schools need written contracts with specific prohibitions against the use of student data for non-educational purposes, chief privacy officers, and a private right of action against vendors who misuse student data because currently parents and families do not have legal remedies to hold ed-tech companies legally accountable.
Its unfortunate that the SIIA appears to be more interested in protecting its members who are either monetizing student data for profit or who may want the ability to do so in the future. During the hearing, it sounded as though the SIIA would not support a private right of action for students and/or their families to hold ed-tech vendors legally accountable for mishandling their personal information. This apparent admission is very troubling and appears to demonstrate that the SIIA is out of touch with the needs of students, parents, and schools. If the ed-tech industry wants to ensure the continued growth of the sector it must be willing to support robust enforcement actions and stronger privacy protections for students.
Presidents Bill Clinton, George W. Bush, and Barack Obama each were able to achieve our country's highest elective office because their personal thoughts and the activities they participated in while they were growing up and "exploring their youth" were not held against them for the rest of their lives. The only way current and future generations of students will have the same opportunities to make their hopes and dreams come true is if they are afforded stronger privacy protections regarding their personal digital information.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Invited to testify were: Prof. Joel Reidenberg, Founding Academic Director of Fordham Law School's Center on Law and Information Policy, Mr. Mark MacCarthy, Vice President of Public Policy for the Software & Information Industry Association (SIIA), Ms. Joyce Popp, Chief Information Officer of the Idaho State Department of Education, and Mr. Thomas Murray, State and District Digital Learning Director for the Alliance for Excellent Education.
During the hearing, Prof. Reidenberg discussed his groundbreaking Privacy and Cloud Computing in Public Schools study that found, "fewer than 7% of contracts [between schools and ed-tech vendors] restrict the sale or marketing of student information by vendors, and many [cloud] computing agreements allow vendors to change the terms without notice." He also stated that 25% of services offered to schools use "freemium" models that have to monetize student data in a manner that most likely does not benefit student learning. These troubling findings were of great interest to the members of Congress and those who attended the hearing.
The SIIA appeared not to be interested in acknowledging Prof. Reidenberg's findings and the organization may have even provided intentionally misleading testimony. For example, on pages 4-5 of its written testimony the SIIA stated, "The federal government recently updated regulations and guidance for FERPA [Family Educational Rights and Privacy Act] and COPPA [Children’s Online Privacy Protection] specific to online educational services." This statement is factually incorrect.
FERPA's regulations were not recently updated. Earlier this year, the Department of Education issued updated guidelines which do not provide the same protections as updated regulations. During the hearing, Prof. Reidenberg made the committee aware of this distinction. When the SIIA stated that Prof. Reidenberg's study did not have concrete proof that some ed-tech vendors were utilizing personal student data for non-educational purposes, Prof. Reidenberg mentioned Google's recent admission in federal court that it scans student emails for potential advertising.
The SIIA's members include ed-tech vendors that sell their services to schools. Some of these companies offer their digital services for free to schools and in return may data mine student emails and build student user profiles for advertising purposes. For example, in an ongoing federal lawsuit in California that Prof. Reidenberg mentioned in his testimony, Google admitted under oath, that it “scans and indexes the emails of all Apps for Education users for a variety of purposes, including potential advertising,....that cannot be turned off—even for Apps for Education customers who elect not to receive ads."
While intense outrage from parents and schools along with international media scrutiny recently led to Google announcing it will allegedly stop these practices, Google's behavior demonstrates the need for stronger enforcement of student privacy laws, greater transparency in the industry, and where needed a strengthening of the current legal and regulatory framework.
One of the most memorable instances of the hearing occurred when Rep. Pat Meehan of Pennsylvania asked the SIIA whether current law would protect his son from receiving targeted Coca-Cola ads based on data provided by his school. The SIIA claimed it would be illegal due to existing government regulations and that FERPA applies to vendors; however, Prof. Reidenberg strongly disagreed with these assertions and proved that the SIIA was misleading the committee about these issues.
Prof. Reidenberg recommended modernizing FERPA so it applies to all student information and mandates a notice to parents for public disclosure of the educational uses of student data. He also stated that schools need written contracts with specific prohibitions against the use of student data for non-educational purposes, chief privacy officers, and a private right of action against vendors who misuse student data because currently parents and families do not have legal remedies to hold ed-tech companies legally accountable.
Its unfortunate that the SIIA appears to be more interested in protecting its members who are either monetizing student data for profit or who may want the ability to do so in the future. During the hearing, it sounded as though the SIIA would not support a private right of action for students and/or their families to hold ed-tech vendors legally accountable for mishandling their personal information. This apparent admission is very troubling and appears to demonstrate that the SIIA is out of touch with the needs of students, parents, and schools. If the ed-tech industry wants to ensure the continued growth of the sector it must be willing to support robust enforcement actions and stronger privacy protections for students.
Presidents Bill Clinton, George W. Bush, and Barack Obama each were able to achieve our country's highest elective office because their personal thoughts and the activities they participated in while they were growing up and "exploring their youth" were not held against them for the rest of their lives. The only way current and future generations of students will have the same opportunities to make their hopes and dreams come true is if they are afforded stronger privacy protections regarding their personal digital information.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Tuesday, June 24, 2014
In The Digital Age It Takes A Village To Protect Student Privacy
Some privacy advocates have breathed a sigh of relief since hearing of the demise of non-profit inBloom, an organization that was created in 2011 to store and aggregate a wide
range of student information to be used by classroom educators. The merits of
inBloom's mission can be debated until its advocates and detractors are blue or
red in the face. Regardless of whether
one is for or against inBloom, or its future progeny, the real win here is that
student privacy is now part and parcel of the education technology (ed-tech)
conversation.
Protecting
the personal privacy of students has gained national attention due to the
issues surrounding inBloom combined with several high profile data breaches.
Compounding
the privacy challenges facing students is that the Family Educational Rights
and Privacy Act (FERPA), which aims to protect
the privacy of students and their families, has not been updated to account for
the issues inherent in the Digital Age. The Electronic Privacy Information Center, along with
other privacy advocates, has alleged that the Department of Education actually
weakened FERPA in 2011.
In
fact, weakening student privacy protections at the dawn of the age of Big Data,
the cloud, mobile apps and social media appears to have lead to a situation
where some companies offer
student digital learning tools for free or a reduced price to schools and
in return student information may be data mined for profit. According to a recent Politico
"examination of hundreds of pages of privacy policies, terms of service
and district contracts there are gaping holes in the protection of children’s
privacy."
Earlier
this year, Education Week reviewed
the ongoing Gmail wiretapping
litigation, a case that began in 2010
seeking damages on behalf of Gmail and Google Apps for Education users and
those whose messages were sent to Gmail based services and made some very
startling discoveries. The most troubling was that Google "scans and
indexes the e-mails of all Apps for Education users for a variety of purposes,
including potential advertising, via automated processes that cannot be turned
off—even for Apps for Education customers who elect not to receive ads."
Google's
admission in federal court and its confirmation to the media about its practices
created such a huge media firestorm that within weeks after this information
became public, Google announced that it would
no longer scan the e-mails of students who utilize Google Apps For Education
for advertising purposes. While this announcement
was a step in the right direction, why did it take an international media
feeding frenzy for a change to a policy that should have never been implemented
in the first place?
In
response to Google's about face regarding its student email scanning policy, Prof.
Joel Reidenberg of Fordham stated, "Google can change this policy at
any time, and, the scanning disclaimer is associated with advertising purposes
only....There may be other commercial uses that they are exploiting student
data for,....such as selling information to textbook publishers, or test-preparation
services."
New
technology sometimes creates situations that were never imagined when FERPA was
enacted 40 years ago. For example, when
students utilize new digital learning tools offered through their schools is the
metadata (the information
associated with a student's use of the digital learning service) that may be
created by student usage considered an "education record" and thus
protected from being data mined for advertising purposes? According
to Kathleen
Styles, the U.S. Department of Education's Chief Privacy Officer, “I don’t
think it’s necessarily an easy decision, what is and what is not the
‘educational record,.... “It’s very contextual. A lot of metadata won’t fit as an educational
record.” This uncertainty demonstrates
the need for stronger privacy laws that better protects the personal privacy and
digital emissions of students.
States have began to
take action to enhance digital privacy protections for students. For example, Kentucky's recently enacted HB 232 bans ed-tech
service providers from processing student data for any purpose other than
providing, improving, developing or maintaining the integrity of the service. This type of prohibition is imperative in
order for parents and students to feel comfortable using new digital learning tools.
According to Politico, "in the past five
months, 14 states have enacted stricter student privacy protections, often with
overwhelming bipartisan support, and more are likely on the way."
Sens. Edward
Markey (D-MA) and Orrin Hatch (R-UT) recently introduced a discussion draft legislation
titled, "Protecting Student Privacy Act." According to the press
release, "The draft legislation would ensure that students are better
protected when data is shared with and held by third parties." While new federal legislation is a step in
the right direction since uniformity across the country is preferred by most
stakeholders, I believe an update to the terms "education records"
and "personally identifiable information" to account for the
increased capturing of student data in a digital format is needed to ensure
that children are better protected from companies that
put profits ahead of student privacy.
InBloom's
demise and Google's recently exposed student data mining practices have brought
greater attention to student privacy and the need for stronger regulations and
laws that prohibit ed-tech providers from utilizing student data for commercial
purposes which may include behavioral advertising, digital profiling, and other
exploitation. Ed-tech vendors must
incorporate Privacy by Design into their platforms and commit to making student
privacy a priority and not an afterthought.
The bottom line is that students, parents, teachers,
school administrators, lawmakers, state attorney generals, the FTC, and the
ed-tech industry must work together to ensure that student privacy is protected in the Digital Age.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Thursday, June 12, 2014
Facebook's Expanded Behavioral Advertising Further Erodes User Privacy
According to the Wall Street Journal, "Facebook will soon begin using data it collects about users’ activities around the Web to better target ads on its service.....[f]or years Facebook has dropped small pieces of code on websites and in
mobile apps, through which it records users’ browsing habits and online
interests. Now it’s going to start using that information to help it
deliver personalized ads on Facebook."
The term "personalized ads" means behavioral advertising. In layman's term, Facebook acts like a private NSA; however, instead of using the digital information it collects about you to protect against terrorist attacks, Facebook uses the data you post and gleaned from your digital activity (posts, messages, and now websites visited, etc...) to make money. The information Facebook collects about you may also assist foreign hostile governments who legally or illegally acquire access to Facebook's systems.
About a year ago, Advertising Age reported that Facebook inked agreements with multiple data brokers to mine the personal digital information of users. These agreements convinced me that posting personal information on Facebook may contribute to consumer discrimination. The World Privacy Forum and The White House published recent reports that discussed how some populations may be vulnerable to discriminatory practices based upon large amounts of personal information being bought and sold by data brokers and data sources such as Facebook.
I don't advise anyone who values their privacy to post personal information to Facebook because it has an abysmal record when it comes to protecting user privacy. For example, in 2012 Facebook settled charges with the FTC that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.
The bottom line is that if you value your privacy be careful what and where you post online.
Copyright 2014 by Shear Law, LLC. All rights reserved.
The term "personalized ads" means behavioral advertising. In layman's term, Facebook acts like a private NSA; however, instead of using the digital information it collects about you to protect against terrorist attacks, Facebook uses the data you post and gleaned from your digital activity (posts, messages, and now websites visited, etc...) to make money. The information Facebook collects about you may also assist foreign hostile governments who legally or illegally acquire access to Facebook's systems.
About a year ago, Advertising Age reported that Facebook inked agreements with multiple data brokers to mine the personal digital information of users. These agreements convinced me that posting personal information on Facebook may contribute to consumer discrimination. The World Privacy Forum and The White House published recent reports that discussed how some populations may be vulnerable to discriminatory practices based upon large amounts of personal information being bought and sold by data brokers and data sources such as Facebook.
I don't advise anyone who values their privacy to post personal information to Facebook because it has an abysmal record when it comes to protecting user privacy. For example, in 2012 Facebook settled charges with the FTC that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.
The bottom line is that if you value your privacy be careful what and where you post online.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Saturday, June 7, 2014
Lawsuit: University of Cincinnatti Medical Center Employee Posted Patient STD Diagnosis on Facebook
While social media may be utilized to connect people all over the world to raise money for charity or to persuade citizens to overthrow dictatorships, it may also be used to spread the most personal information for all to see. Recently, a 20-year old Ohio woman had her sexually transmitted disease diagnosis posted on Facebook by a hospital employee.
The Cincinnati Enquirer reported that an image of the victim's medical record showing her name and syphilis diagnosis was posted on Facebook to a group called "Team No Hoes" in 2013. This posting appears to be a federal HIPAA violation and it may also violate multiple Ohio state laws.
What is the value of the damage to one's reputation if their sexually transmitted disease diagnosis is posted online? The victim is a 20-year old female who may be unable to obtain employment or gain acceptance into college or graduate school because of this disgusting breach of her personal privacy. She may also be fired from her employment and/or discriminated against in other unsubtle and undetectable ways. In addition, the victim may have trouble getting a date and/or finding a mate due to this information being disseminated.
I am surprised that the hospital did not settle this matter out of court before it was filed. The reputational damage to the University of Cincinnati Medical Center may be steep. Will patients go to other service providers due to this incident? Will the hospital reach a settlement with the victim before it goes to trial? Does the hospital want a jury to even hear this case?
While I believe the new European "right to be forgotten" may be abused by child molesters, rapists, murders, politicians, etc...who may want to hide their criminal past, and it may be difficult to implement this new right, should victims of this type breach of their personal medical privacy be afforded the right to be forgotten in the United States?
Copyright 2014 by Shear Law, LLC. All rights reserved.
The Cincinnati Enquirer reported that an image of the victim's medical record showing her name and syphilis diagnosis was posted on Facebook to a group called "Team No Hoes" in 2013. This posting appears to be a federal HIPAA violation and it may also violate multiple Ohio state laws.
What is the value of the damage to one's reputation if their sexually transmitted disease diagnosis is posted online? The victim is a 20-year old female who may be unable to obtain employment or gain acceptance into college or graduate school because of this disgusting breach of her personal privacy. She may also be fired from her employment and/or discriminated against in other unsubtle and undetectable ways. In addition, the victim may have trouble getting a date and/or finding a mate due to this information being disseminated.
I am surprised that the hospital did not settle this matter out of court before it was filed. The reputational damage to the University of Cincinnati Medical Center may be steep. Will patients go to other service providers due to this incident? Will the hospital reach a settlement with the victim before it goes to trial? Does the hospital want a jury to even hear this case?
While I believe the new European "right to be forgotten" may be abused by child molesters, rapists, murders, politicians, etc...who may want to hide their criminal past, and it may be difficult to implement this new right, should victims of this type breach of their personal medical privacy be afforded the right to be forgotten in the United States?
Copyright 2014 by Shear Law, LLC. All rights reserved.
Wednesday, June 4, 2014
comScore Agrees To $14 Million Settlement For Privacy Violations
According to its website, comScore is,"a leading Internet technology company that measures what people do as they navigate the digital world-and turns that information into insights and actions for our clients to maximize the value of their digital investments." Interestingly, according to a lawsuit comScore has recently settled it may have also put profits ahead of its users' personal privacy.
MediaPost has reported that comScore has agreed to settle a lawsuit that it violated its users' privacy for $14 million dollars. In 2011, several plaintiffs filed a class-action privacy lawsuit alleging they unknowingly installed comScore's software after downloading a free product and that the company was then able to collect data that included usernames, passwords, search queries, credit card numbers, retail transactions, etc...
Companies that put profits ahead of privacy not only risk the safety and security of their users, they may also be slapped with lawsuits and/or regulatory investigations that may lead to multi-million dollar settlements, fines, legal fees, and other expenses. The bottom line is that some members of the digital ecosystem must learn that it pays to protect their users' privacy.
Copyright 2014 by Shear Law, LLC. All rights reserved.
MediaPost has reported that comScore has agreed to settle a lawsuit that it violated its users' privacy for $14 million dollars. In 2011, several plaintiffs filed a class-action privacy lawsuit alleging they unknowingly installed comScore's software after downloading a free product and that the company was then able to collect data that included usernames, passwords, search queries, credit card numbers, retail transactions, etc...
Companies that put profits ahead of privacy not only risk the safety and security of their users, they may also be slapped with lawsuits and/or regulatory investigations that may lead to multi-million dollar settlements, fines, legal fees, and other expenses. The bottom line is that some members of the digital ecosystem must learn that it pays to protect their users' privacy.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Saturday, May 17, 2014
Court Rules Mom May Be Banned From Posting About Family on Facebook
An appeals court recently ruled that a mother may be banned from posting about her children and ex-husband on Facebook. According to Mycentraljersey.com, "[t]he restriction on what she [the mother] could say on Facebook was imposed after her ex-husband's family and the Hunterdon County Prosecutor's Office argued that the mother's maniacal postings were frightening, saying that they referenced Book of Revelation in the Bible, serial killer Jeffrey Dahmer, Satan and Adolf Hitler."
In the initial ruling the judge stated, "You can talk about what you want to talk about, but don't reference (your husband) or the children," The woman claimed that the restriction was a prior restraint.
On the surface, this sounds like a clear cut First Amendment violation; however, it appears that
the court imposed the special condition with the purpose of advancing the mother's rehabilitation. The woman was diagnosed with bipolar disorder and was arrested in May 2011 after trying to take her children to Canada in violation of a custody order. She pled guilty to interference with custody and in return it appears that the prosecution dropped kidnapping charges.
The bottom line is that infringing on one's First Amendment rights is a slippery slope. Taking away someone's right to freely express themselves is not something that should be done without weighing other options. It would not surprise me if these types of cases become more commonplace in the future.
Copyright 2014 by Shear Law, LLC. All rights reserved.
In the initial ruling the judge stated, "You can talk about what you want to talk about, but don't reference (your husband) or the children," The woman claimed that the restriction was a prior restraint.
On the surface, this sounds like a clear cut First Amendment violation; however, it appears that
the court imposed the special condition with the purpose of advancing the mother's rehabilitation. The woman was diagnosed with bipolar disorder and was arrested in May 2011 after trying to take her children to Canada in violation of a custody order. She pled guilty to interference with custody and in return it appears that the prosecution dropped kidnapping charges.
The bottom line is that infringing on one's First Amendment rights is a slippery slope. Taking away someone's right to freely express themselves is not something that should be done without weighing other options. It would not surprise me if these types of cases become more commonplace in the future.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Tuesday, May 6, 2014
Facebook's Troubling Move App Privacy Policy Change
Does Facebook really care about protecting its users' privacy? Facebook's history appears to demonstrate that the answer is no. For example, in 2012 Facebook entered into a settlement with the FTC resolving charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.
In 2012, Facebook changed Instagram's (Facebook had recently purchased it) privacy policy to enable it to better monetize its users' personal information. At that time, I stated that the changes were very troubling. Soon after making the privacy policy change announcement, Instagram (i.e. Facebook) backtracked on some of the revisions due to public backlash. In 2013, Facebook agreed to a $20 million dollar settlement in a lawsuit that alleged it utilized its users' names and likeness in paid advertisements without permission.
On April 24, 2014, Facebook purchased fitness tracking app Move. The Wall Street Journal reported that Move just "changed its privacy policy to allow broader sharing of user data, including with Facebook." Interestingly, Facebook's "move" to erode Move users' privacy took less than 2 weeks. Move users may have their fitness information combined with their likes, friend lists, photos, personal messages, etc...and this information may be sold to data brokers such as Axciom, Epsilon, Datalogix and Blue Kai. In turn, data brokers may sell your combined "likes" and fitness routine information to insurance companies, banks, etc... Unfortunately, Move/Facebook users may be discriminated against based upon their daily exercises or lack thereof.
Since companies such as Facebook appear to put privacy ahead of profits our lawmakers need to act to protect Internet/App users from Digital Usage Discrimination before it is too late.
Copyright 2014 by Shear Law, LLC. All rights reserved.
In 2012, Facebook changed Instagram's (Facebook had recently purchased it) privacy policy to enable it to better monetize its users' personal information. At that time, I stated that the changes were very troubling. Soon after making the privacy policy change announcement, Instagram (i.e. Facebook) backtracked on some of the revisions due to public backlash. In 2013, Facebook agreed to a $20 million dollar settlement in a lawsuit that alleged it utilized its users' names and likeness in paid advertisements without permission.
On April 24, 2014, Facebook purchased fitness tracking app Move. The Wall Street Journal reported that Move just "changed its privacy policy to allow broader sharing of user data, including with Facebook." Interestingly, Facebook's "move" to erode Move users' privacy took less than 2 weeks. Move users may have their fitness information combined with their likes, friend lists, photos, personal messages, etc...and this information may be sold to data brokers such as Axciom, Epsilon, Datalogix and Blue Kai. In turn, data brokers may sell your combined "likes" and fitness routine information to insurance companies, banks, etc... Unfortunately, Move/Facebook users may be discriminated against based upon their daily exercises or lack thereof.
Since companies such as Facebook appear to put privacy ahead of profits our lawmakers need to act to protect Internet/App users from Digital Usage Discrimination before it is too late.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Monday, May 5, 2014
#SocialMediaFail: PayPal director Rakesh Agrawal Departs After Troubling Tweets
Social Media may be utilized to fund raise for philanthropic causes, to crowd source to help catch criminals, and to help unite family members. Unfortunately, too many people have lost their jobs because of the content they have posted online.
The latest person who appears to have joined the #SocialMediaFail club is now former PayPal Director Rakesh Agrawal. According to The Daily Mail, Mr. Agrawal went on a late night Twitter tirade while in New Orleans. Mr. Agrawal appears to have made some derogatory comments about his co-workers online that became newsworthy very quickly. While there appears to be some dispute as to the timing of Mr. Agrawal's departure from PayPal; there is no denying that soon after his Tweets appeared he stopped being employed by PayPal.
New Orleans is one of the most interesting and exciting cities in the world. I have had the pleasure of visiting the city on many occasions and experiencing some of the fun festivals and events that the city hosts. However, not everything one does in New Orleans is meant for the entire world to see. Unfortunately, what goes on in "Vegas (or in New Orleans or anywhere else) stays in Vegas" may no long apply in the Digital Age.
The bottom line is that everyone, including self described "tech/social media experts", "social media consultants", and the "digerati" need to better understand the ramifications of publicly posting personal thoughts and/or images online. My hope is that those who read about this incident will realize that just because you may have a Twitter account it does not mean you should actively Tweet.
Copyright 2014 by Shear Law, LLC. All rights reserved.
The latest person who appears to have joined the #SocialMediaFail club is now former PayPal Director Rakesh Agrawal. According to The Daily Mail, Mr. Agrawal went on a late night Twitter tirade while in New Orleans. Mr. Agrawal appears to have made some derogatory comments about his co-workers online that became newsworthy very quickly. While there appears to be some dispute as to the timing of Mr. Agrawal's departure from PayPal; there is no denying that soon after his Tweets appeared he stopped being employed by PayPal.
New Orleans is one of the most interesting and exciting cities in the world. I have had the pleasure of visiting the city on many occasions and experiencing some of the fun festivals and events that the city hosts. However, not everything one does in New Orleans is meant for the entire world to see. Unfortunately, what goes on in "Vegas (or in New Orleans or anywhere else) stays in Vegas" may no long apply in the Digital Age.
The bottom line is that everyone, including self described "tech/social media experts", "social media consultants", and the "digerati" need to better understand the ramifications of publicly posting personal thoughts and/or images online. My hope is that those who read about this incident will realize that just because you may have a Twitter account it does not mean you should actively Tweet.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Sunday, May 4, 2014
The NBA, Donald Sterling, and Secretly Recording Professional Athletes, Coaches, and Owners
In the Digital Age, almost everyone has a smartphone that contains a video/audio recording feature. In general, this is a good feature that can be used to tape record your family doing fun things. Many people don't see this as a potential threat to personal privacy. However, if you are a celebrity, professional athlete, politician, billionaire, etc... there is a possibility that your most embarrassing and/or private moments may be recorded for blackmail purposes. This in turn may create tremendous financial and reputational harm.
The Donald Sterling matter demonstrates that even the people whom you may allegedly trust the most, such as your "personal assistant" or your "silly rabbit" may tape your private conversations without your knowledge for personal gain. This is a growing problem in the sports world. For example, according to ESPN former Golden State Warriors assistant coach Darren Erman secretly taped his fellow coaches and players without their knowledge. It appears he may have done this via his smartphone. The motive for Mr. Erman's behavior is not yet known but his actions appear to have been illegal.
In some states such as California, two party consent is required when taping a conversation. I find it hard to believe that Sterling would have consented to being taped making racist and sexist comments to his "personal assistant"/"silly rabbit". However, until all of the facts are available it is only speculation as to whether he consented. In addition, I doubt Mr. Erman's fellow coaches and the players on his team would have consented to having their private conversations recorded.
The bottom line is that while smartphones, apps, and other new digital technologies may help make our lives easier they may also capture unpleasant personal activities and enable them to be easily shared to the entire world in an instant. This is why it is so important to take the precautions necessary to protect yourself in the Digital Age.
Copyright 2014 by Shear Law, LLC. All rights reserved.
The Donald Sterling matter demonstrates that even the people whom you may allegedly trust the most, such as your "personal assistant" or your "silly rabbit" may tape your private conversations without your knowledge for personal gain. This is a growing problem in the sports world. For example, according to ESPN former Golden State Warriors assistant coach Darren Erman secretly taped his fellow coaches and players without their knowledge. It appears he may have done this via his smartphone. The motive for Mr. Erman's behavior is not yet known but his actions appear to have been illegal.
In some states such as California, two party consent is required when taping a conversation. I find it hard to believe that Sterling would have consented to being taped making racist and sexist comments to his "personal assistant"/"silly rabbit". However, until all of the facts are available it is only speculation as to whether he consented. In addition, I doubt Mr. Erman's fellow coaches and the players on his team would have consented to having their private conversations recorded.
The bottom line is that while smartphones, apps, and other new digital technologies may help make our lives easier they may also capture unpleasant personal activities and enable them to be easily shared to the entire world in an instant. This is why it is so important to take the precautions necessary to protect yourself in the Digital Age.
Copyright 2014 by Shear Law, LLC. All rights reserved.
Wednesday, April 30, 2014
Google To Stop Scanning Student Emails, But Troubling Privacy Policies Continue
Google announced earlier today that it will stop automatically scanning student and teacher emails sent through Google Apps for Education and will no longer use the platform to deliver any advertising.
This is a positive development for student privacy and means that if the media questions and reports on troubling and illegal corporate practices positive change may occur. I initially blogged about this issue on January 24, 2014. At that time I stated, "[I]t does not appear that students, parents, and/or teachers have been informed and provided consent that would enable their digital interactions and the content sent and received on school contracted Gmail services to be utilized for advertising purposes."
Soon after I wrote about this tremendous threat to student privacy, I spoke to Education Week about this huge privacy and safety risk to our children. I told Education Week that I saw “major FERPA violations” in Google’s activities and suggested that the Education Department should investigate the company. The Federal Trade Commission, which is responsible for monitoring deceptive business practices, should also take note and....[t]he personal safety of students are at risk when commercial entities obtain access to student data and act upon the information."
While I believe this is a good first step for protecting student privacy, why did it take Google years to make this change? Absent multiple lawsuits and the investigative reporting from Education Week would Google have changed its practices? Will Google also turn off its scanning and behavioral advertising functions for its other services such as YouTube, Google Plus, etc...in a school setting? Will Google also change its Android and Chromebook policies to better protect student privacy? Will Google change its Terms of Service and Privacy Policies that govern all of its education offerings? Will Google revise all of its school contracts to reflect this announcement?
Will Google delete all of the personal and highly monetizable personal information that it has been collecting on students, parents, teachers, and their families? Since Google has been caught misrepresenting its practices once again should we as President Regan stated when describing the Soviet Union trust but verify? Who will do the verifying? The U.S. Department of Education, state departments of education, state attorney generals, the FTC? What about better protecting non-student users such as consumers?
Google's announced impending policy change appears to be an admission that it was violating Article 5 of the FTC Act that bans "unfair and deceptive acts". According to a 2011 FTC Consent Decree related to the Google's Buzz matter, it appears the FTC has wide latitude to investigate what appears to be an intentional privacy violation and fine Google accordingly. Under the consent agreement, it appears that Google may be fined up to $16,000 for each violation. Since Google has publicly stated that it has 30 million users, Google's legal liability may reach into the billions of dollars. For example, 30 million x $16,000 for each violation is a fine of $480,000,000,000. Will the FTC open an investigation to determine if Google violated its consent decree?
Since Google's troubling consumer privacy policy governs almost all of its services, more pressure needs to be exerted onto Google to better protect the personal privacy and safety of all of its users. Multiple EU data protection authorities have already either fined Google for its illegal and inherently dangerous privacy policy that clearly violates data protection laws across Europe and/or opened investigations into its troubling "evil behavior".
While Google creates some great products and services, it has consistently refused to do the right thing when it comes to protecting the personal privacy and safety of its users. Is this announcement being done to ward off an FTC investigation into its privacy practices and to stop more potential litigants from joining the Gmail scanning lawsuit(s)?
My hope is that now that Google plans on changing its student data collection and utilization practices in its Apps For Education platform, it will also do the same for its other school offerings. The bottom line is that Google and other companies that create user/people profiles for advertising and other purposes need to not only become more transparent but stop practices that erode the public's privacy and put them in harm's way.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
This is a positive development for student privacy and means that if the media questions and reports on troubling and illegal corporate practices positive change may occur. I initially blogged about this issue on January 24, 2014. At that time I stated, "[I]t does not appear that students, parents, and/or teachers have been informed and provided consent that would enable their digital interactions and the content sent and received on school contracted Gmail services to be utilized for advertising purposes."
Soon after I wrote about this tremendous threat to student privacy, I spoke to Education Week about this huge privacy and safety risk to our children. I told Education Week that I saw “major FERPA violations” in Google’s activities and suggested that the Education Department should investigate the company. The Federal Trade Commission, which is responsible for monitoring deceptive business practices, should also take note and....[t]he personal safety of students are at risk when commercial entities obtain access to student data and act upon the information."
While I believe this is a good first step for protecting student privacy, why did it take Google years to make this change? Absent multiple lawsuits and the investigative reporting from Education Week would Google have changed its practices? Will Google also turn off its scanning and behavioral advertising functions for its other services such as YouTube, Google Plus, etc...in a school setting? Will Google also change its Android and Chromebook policies to better protect student privacy? Will Google change its Terms of Service and Privacy Policies that govern all of its education offerings? Will Google revise all of its school contracts to reflect this announcement?
Will Google delete all of the personal and highly monetizable personal information that it has been collecting on students, parents, teachers, and their families? Since Google has been caught misrepresenting its practices once again should we as President Regan stated when describing the Soviet Union trust but verify? Who will do the verifying? The U.S. Department of Education, state departments of education, state attorney generals, the FTC? What about better protecting non-student users such as consumers?
Google's announced impending policy change appears to be an admission that it was violating Article 5 of the FTC Act that bans "unfair and deceptive acts". According to a 2011 FTC Consent Decree related to the Google's Buzz matter, it appears the FTC has wide latitude to investigate what appears to be an intentional privacy violation and fine Google accordingly. Under the consent agreement, it appears that Google may be fined up to $16,000 for each violation. Since Google has publicly stated that it has 30 million users, Google's legal liability may reach into the billions of dollars. For example, 30 million x $16,000 for each violation is a fine of $480,000,000,000. Will the FTC open an investigation to determine if Google violated its consent decree?
Since Google's troubling consumer privacy policy governs almost all of its services, more pressure needs to be exerted onto Google to better protect the personal privacy and safety of all of its users. Multiple EU data protection authorities have already either fined Google for its illegal and inherently dangerous privacy policy that clearly violates data protection laws across Europe and/or opened investigations into its troubling "evil behavior".
While Google creates some great products and services, it has consistently refused to do the right thing when it comes to protecting the personal privacy and safety of its users. Is this announcement being done to ward off an FTC investigation into its privacy practices and to stop more potential litigants from joining the Gmail scanning lawsuit(s)?
My hope is that now that Google plans on changing its student data collection and utilization practices in its Apps For Education platform, it will also do the same for its other school offerings. The bottom line is that Google and other companies that create user/people profiles for advertising and other purposes need to not only become more transparent but stop practices that erode the public's privacy and put them in harm's way.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
Wednesday, April 23, 2014
California Introduces Social Media Anti-Disparagement Consumer Protection Bill
California recently introduced AB 2365 which would prohibit businesses and service professionals from contractually silencing customers who may
want to complain online about their experiences. While I am generally not in favor of increased digital regulations, this bill may be a step in the right direction because more businesses are exploring contractually silencing their critics.
Kleargear.com is the poster child for how not to treat consumers in the Social Media Age. It inserted a non-disparagement clause into its online agreements several years ago in order to pursue disgruntled customers who complained about their service. For example, Kleargear.com threatened a former consumer who wasn't even subject to its non-disparagement clause since she made her purchase before the clause was effective. The company demanded $3,500 from this customer because it did not agree with her online review. When this former consumer refused to pay she was reported to multiple credit reporting agencies which caused real world damages.
During the initial media firestorm when Kleargear.com's reprehensible behavior was publicized last year, it removed the non-disparagement clause. However, it appears that it was recently reinstated. Kleargear.com's non-disparagement clause states:
"In an effort to ensure fair and honest public feedback, and to prevent the publishing of libelous content in any form, your acceptance of this sales contract prohibits you from taking any action that negatively impacts KlearGear.com, its reputation, products, services, management or employees.
Should you violate this clause, as determined by KlearGear.com in its sole discretion, you will be provided a seventy-two (72) hour opportunity to retract the content in question. If the content remains, in whole or in part, you will immediately be billed $3,500.00 USD for legal fees and court costs until such complete costs are determined in litigation. Should these charges remain unpaid for 30 calendar days from the billing date, your unpaid invoice will be forwarded to our third party collection firm and will be reported to consumer credit reporting agencies until paid."
Kleargear.com is the poster child for how not to treat consumers in the Social Media Age. It inserted a non-disparagement clause into its online agreements several years ago in order to pursue disgruntled customers who complained about their service. For example, Kleargear.com threatened a former consumer who wasn't even subject to its non-disparagement clause since she made her purchase before the clause was effective. The company demanded $3,500 from this customer because it did not agree with her online review. When this former consumer refused to pay she was reported to multiple credit reporting agencies which caused real world damages.
During the initial media firestorm when Kleargear.com's reprehensible behavior was publicized last year, it removed the non-disparagement clause. However, it appears that it was recently reinstated. Kleargear.com's non-disparagement clause states:
"In an effort to ensure fair and honest public feedback, and to prevent the publishing of libelous content in any form, your acceptance of this sales contract prohibits you from taking any action that negatively impacts KlearGear.com, its reputation, products, services, management or employees.
Should you violate this clause, as determined by KlearGear.com in its sole discretion, you will be provided a seventy-two (72) hour opportunity to retract the content in question. If the content remains, in whole or in part, you will immediately be billed $3,500.00 USD for legal fees and court costs until such complete costs are determined in litigation. Should these charges remain unpaid for 30 calendar days from the billing date, your unpaid invoice will be forwarded to our third party collection firm and will be reported to consumer credit reporting agencies until paid."
Kleargear.com's behavior demonstrates that without robust digital consumer protections some companies will abuse their power and insert very troubling language into their Terms of Use/Sale agreements. Caveat emptor when making online purchases.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
Thursday, April 10, 2014
Kentucky Takes the Lead To Protect Student Privacy in the Digital Age
According to WHAS11.com in Kentucky, HB 232 was signed into law today by Governor Steve Beshear. This new law states "[a] cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose." In a nutshell, the new law bans school vendors who provide cloud based services from data mining student digital communications for advertising purposes.
HB 232 received bipartisan support and passed 98-0 in the Kentucky House and 38-0 in the Kentucky Senate. The bill appears to be have been inspired by the Target 2013 holiday data breach and the Gmail data mining lawsuit where Google recently admitted in court documents that its Google Apps For Education platform that it offers for "free" to schools data mines student digital activity for corporate profit.
Kentucky has taken a significant step to protect its students in the Digital Age. This new law demonstrates that in Kentucky children's privacy and safety do not take a back seat to the special interests that believe they have the right to data mine our students' digital activity for commercial gain. Other states such as Oklahoma and New York have enacted or introduced student privacy legislation in the past year; however, Kentucky's new law appears to be the first that offers much greater privacy protection than the Family Educational and Privacy Rights Act (FERPA).
My hope is that other states and eventually Congress follows Kentucky's lead to enact legislation that ensures our children's privacy is better protected in the Digital Age.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
HB 232 received bipartisan support and passed 98-0 in the Kentucky House and 38-0 in the Kentucky Senate. The bill appears to be have been inspired by the Target 2013 holiday data breach and the Gmail data mining lawsuit where Google recently admitted in court documents that its Google Apps For Education platform that it offers for "free" to schools data mines student digital activity for corporate profit.
Kentucky has taken a significant step to protect its students in the Digital Age. This new law demonstrates that in Kentucky children's privacy and safety do not take a back seat to the special interests that believe they have the right to data mine our students' digital activity for commercial gain. Other states such as Oklahoma and New York have enacted or introduced student privacy legislation in the past year; however, Kentucky's new law appears to be the first that offers much greater privacy protection than the Family Educational and Privacy Rights Act (FERPA).
My hope is that other states and eventually Congress follows Kentucky's lead to enact legislation that ensures our children's privacy is better protected in the Digital Age.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
Saturday, April 5, 2014
Facebook Insult About Islam May Lead To Execution in Iran
Be careful about what you say online. For example, if you are a United Kingdom resident and post allegedly derogatory messages about Iran and/or Islam and then visit Iran you may be detained by the Iranian authorities. This appears to have happened to a British resident recently.
According to The Independent, a British woman allegedly posted derogatory comments about Iran's government and Islam on Facebook. It appears that as soon as she landed in Shiraz, Iran to visit family she arrested and was taken to Tehran and charged with "gathering and participation with intent to commit crime against national security" and "insulting Islamic sanctities". These charges may lead to her execution.
This set of facts leads me to believe that Iran is social media monitoring every negative comment online about its government and when it has the opportunity to arrest the alleged speakers it does.
The bottom line is that sometimes it is best to have anonymity online. The Federalist Papers were published anonymously for a reason and that reason was to express political opinions without fear of retribution. Therefore, before making online political comments about certain issues anonymity may be best.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
According to The Independent, a British woman allegedly posted derogatory comments about Iran's government and Islam on Facebook. It appears that as soon as she landed in Shiraz, Iran to visit family she arrested and was taken to Tehran and charged with "gathering and participation with intent to commit crime against national security" and "insulting Islamic sanctities". These charges may lead to her execution.
This set of facts leads me to believe that Iran is social media monitoring every negative comment online about its government and when it has the opportunity to arrest the alleged speakers it does.
The bottom line is that sometimes it is best to have anonymity online. The Federalist Papers were published anonymously for a reason and that reason was to express political opinions without fear of retribution. Therefore, before making online political comments about certain issues anonymity may be best.
Copyright 2014 by the Law Office of Bradley S. Shear, LLC. All rights reserved.
Subscribe to:
Posts (Atom)