I grew up watching Robin Williams and loved his work. When I ran into him in New York City late one night with a friend of mine about 11 years ago he was gracious and funny and even said, "nano nano". My condolences go out to his family.
It saddened me to read in the New York Daily News that Robin Williams' daughter Zelda Williams was tormented and harassed online for the sole reason she is Robin Williams' daughter. Due to disgusting and hateful things people said about her and/or her father, she stated that she will not utilize her public digital accounts for the near future. While Twitter "vows to improve" its policies after this incident, what does this really mean?
Ms. Williams just shockingly lost her famous father and within 24 hours was hounded so relentlessly online that it led her to stop posting publicly. What is wrong with our society? Ms. Williams has tried to accommodate her father's fans by sharing some intimate details of her personal life with him and is instead criticized for her actions. Instead of just thanking Ms. Williams for sharing some private moments with her dad and/or sending her condolences some people are tormenting her.
In the Digital Age, I still believe that "sticks and stones may break my bones but names can never hurt me" applies. While it may be difficult to sometimes see the value of this adage, it is more important than ever. The United States was built upon the foundation of free speech and what may be considered vitriol by one may be nothing more than a personal political opinion. Even though I find many anonymous online comments to be worthless, I still believe as our founding fathers did that one should have the right to publicly voice their opinions anonymously.
Copyright 2014 by Shear Law, LLC All rights reserved.
To inform about the legal, business, privacy, cyber security, and public policy issues that confront those who utilize digital platforms.
Saturday, August 16, 2014
Wednesday, August 6, 2014
Foursquare App Update Harms User Privacy
According to the Wall Street Journal, as of 8/6/2014, "users who download or update the Foursquare app will automatically let the company track their GPS coordinates any time their phone is powered on. Foursquare previously required users to give the app permission to turn on location-tracking. ... Foursquare’s app goes beyond location-tracking features offered by competitors. Social apps like Twitter collect GPS coordinates to give users the option of sharing their location with friends, but don’t collect this data when the app is off."
To justify Foursquare's privacy changes, founder Dennis Crowley stated "more users will be willing to share their location because they’re getting a more valuable service in return." Has Mr. Crowley read about the NSA Edward Snowden leaks? According to Wired, "[t]he data you share with Foursquare today could conceivably end up in the hands of the NSA, hackers, or private data brokers tomorrow."
The bottom line is that if you value your personal privacy and safety I would not recommend using the "new and improved" Foursquare. Do you want to share more personal information with data brokers, insurance companies, colleges, landlords, and future employers who may discriminate against you based upon your Foursquare usage? If so, Foursquare may be for you.
Monday, August 4, 2014
Union Street Guest House Social Media Wedding Agreement Failure
Many companies still don't understand social media and the viral nature of the Internet. The latest corporate social media failure appears to have been brought to you by the hotel Union Street Guest House in Hudson, New York.
According to the New York Post, the Union Street Guest House allegedly inserts into its wedding agreements the phrase: “If you have booked the inn for a wedding or other type of event . . . and given us a deposit of any kind . . . there will be a $500 fine that will be deducted from your deposit for every negative review . . . placed on any internet site by anyone in your party.”
This is an outrageous clause for any hotel or business to put into their agreements. How is this clause being enforced? How does Union Street Guest House know if a negative poster is from your wedding/event party? What if an imposter makes multiple fake posts to cause the person who booked the party to incur multiple $500 fines? Does Union Street Guest House troll Yelp, Facebook, Twitter and try to match up their hotel guests with their social media accounts?
This situation reminds me of the Kleargear.com matter. Kleargear.com fined a customer $3,500 for what appears to be a clearly deserved negative review. The company claimed that its terms of service allowed it to fine customers under its disparagement clause section. The customer sued and won $306,000.
The bottom line is that companies should not be in the business of trying to silence their customers via required non-disparagement clauses in their agreements. This is a very troubling trend that I believe will increase in the near future. Within minutes of the New York Post publishing its article about this matter, the Internet made an example out of Union Street Guest House. In less than 24 hours, the hotel received hundreds of negative reviews and then changed its policy.
Wednesday, July 30, 2014
U.S. Protecting Student Privacy Act Needs More Teeth
The bipartisan "Protecting Student Privacy Act" was introduced earlier today by Senators Edward J. Markey (D-Mass.) and Orrin Hatch (R-Utah) and according to the bill's press release, it "would help safeguard the educational records of students" because, "[r]ecent changes to the Family Educational Rights and Privacy Act (FERPA) have allowed for increased sharing and use of student data in the private sector." As part of the rationale behind the need for the legislation it is mentioned that, "one survey found only 25 percent of districts inform parents of their use of cloud services and 20 percent of districts fail to have policies governing the use of online services."
FERPA needs to be updated to account for the technological advancements that have occurred in the Digital Age. The law was enacted in 1974 when student educational records were mostly created by pen and paper and/or typewriter and stored in a school administration filing cabinet or in a teacher's notebook or classroom closet. At that time, in general, only teachers and school administrators had access to a student's educational records.
Since the 1970's, advancements in technology have changed the way teachers interact with students, parents, and legal guardians. When I was attending elementary, middle, and high school throughout the 1980's, the primary form of communication between teachers and students/parents was via in-person meetings, paper letters, and/or phone calls. In contrast, the primary form of communication between my children's teachers and my wife and me occurs via digital platforms.
As a parent, I watch my children play and learn with electronic devices on a regular basis. Even though my children watch television as I did at their age, they are becoming more interested in utilizing educational websites and digital device apps. Some of these platforms have helped them learn language skills, math, geography, history, etc. With more school districts beginning to provide students digital devices, the privacy and cyber safety issues inherent with the usage of these electronic platforms are becoming more apparent.
According to Politico, "[m]any of the latest digital tools (i.e. email, apps, cloud services, online textbooks, etc...) collect vast amounts of “metadata” as students work online; the sites track academic progress and log information about the child’s location, computer equipment and browsing habits. Most of that data never finds its way into official school files and thus is unlikely to be considered an “educational record.” That means private companies are free to do what they want with it." This is very alarming considering that when Kathleen Styles, the Chief Privacy Officer of the Department of Education, was questioned about these issues she stated that "[a] lot of metadata won't fit as an educational record."
Due to all of the personally identifiable student information included in emails, apps, online textbooks, web browsing history and other digital activities (i.e. metadata) students may create while utilizing school provided digital services and learning tools, it is imperative that FERPA is updated to ensure that our children and future generations receive the same privacy protections we enjoyed while we attended school. Should colleges, potential employers, insurance companies, etc. be allowed to access student scholastic digital communications and make hiring, firing, and policy decisions based on this information? Should advertisers be allowed to prey upon (via behavioral advertising) students based upon their student-teacher and/or student-student digital communications?
It is very troubling that the Software & Information Industry Association (SIIA) continues to refuse to acknowledge the dire need for stronger digital privacy laws to protect our students despite clear and convincing evidence that FERPA does not properly protect our children's privacy in the Digital Age. During a June 25, 2014 hearing on Capitol Hill, Professor Joel Reidenberg presented Fordham Law School's Center on Law and Information Policy's seminal cloud computing study findings that demonstrated some cloud computing vendors are negotiating agreements with schools that put our students' personal privacy at risk.
In addition to Prof. Reidenberg's study, Education Week and Politico performed recent in-depth investigative reports regarding the need for FERPA to be updated to better protect student privacy. These investigations found that when provided the opportunity some educational technology vendors will abuse their access to student data for profit. For example, Education Week exposed Google's practice of scanning student emails for behavioral advertising purposes and Politico found multiple other educational technology companies that had similar troubling privacy practices and/or policies (or none at all) that enabled similar abuses of personal student data.
Since Congress has not addressed these issues until now, states across the country have introduced and enacted more robust student data protection laws to address the privacy concerns that FERPA was not designed to protect. For example, Kentucky and Rhode Island are some of the states that have acted to better protect our children from entities that may abuse their access to student educational digital data.
While it is a very positive development that states are acting to better protect student privacy, it may be most efficient if robust federal legislation is enacted. I commend Senators Markey and Hatch for introducing the Protecting Student Privacy Act and making student privacy an important bipartisan issue during these very partisan times on Capitol Hill.
The introduction of the Protecting Student Privacy Act is a good first step; however, it needs to be amended to have the intended effect of updating FERPA to account for the Digital Age. For example, the bill needs to expand the definition of educational records to include student emails and digital metadata created on school provided services, platforms, and equipment. Under FERPA, there is no private right of action against companies that utilize student data for non-educational purposes. To be truly effective, the legislation must hold vendors legally accountable and allow for a private right of action against those entities that violate the law.
To paraphrase Hillary Clinton, it takes a village to protect our students' personal privacy. Absent more robust federal student privacy laws, parents may soon come out in force against utilizing innovative digital learning tools and services. It is imperative that Congress pass stronger student privacy laws that have strong enforcement mechanisms so students, parents, and teachers feel safe utilizing new learning tools that will help our students compete in the global economy.
Friday, July 18, 2014
Social Media Evidence May Determine Who Shot Down Malaysian Plane
It appears that a Malaysian passenger jet may have been mistakenly shot down in the skies above territory that is in dispute between Ukraine and Russia. USA Today is reporting that rebels who may be backed by Russia may have arms capable of downing a passenger jet that is flying 20,000+ feet in the sky.
Photos of the tragedy have appeared online and it leads me to believe that the crash site may become contaminated. In this hyper-sensitive and viral world everything posted online about this tragedy is put under a microscope. For example, American Pie actor Jason Biggs' Tweet “Anyone wanna buy my Malaysian Airlines frequent flier miles?” was deemed so offensive by the Internet community that he ended up issuing an apology after it went viral.
Entertainers and politicians do not have a monopoly on regretting their online posts. According to AFP, it appears that some pro-Russian insurgents may also have itchy social media fingers because some of their online postings boasting about downing an airplane around the same time/place that the Malaysian jet went down have now been deleted. Since the crash site may become contaminated, will social media become crucial evidence in determining who shot down the Malaysian passenger jet?
Wednesday, July 9, 2014
Porky's Fan? VA Prosecutor Requests Warrant To Photo Sexting Teen's Erect Penis
An article in the Washington Post alleges that Manassas City police and Prince William County prosecutors want to take photos of a teenage suspect's erect penis as evidence to prosecute him for sexting with his girlfriend. In order to photograph the suspect's erect penis he may be required to go to a hospital and receive an injection to create an erection.
It appears that the case began when the suspect's (he is 17 years old) 15 year old girlfriend sent photos of herself to the 17 year old, who responded by sending the 15 year old girl allegedly pornographic images of himself. The family of the girl notified authorities about the matter. Interestingly, prosecutors did not file charges against the girl.
This case reminds me of the movie Porky's when physical education teacher Ms. Balbricker asks the high school principal if he would sanction a penis (tallywacker) lineup of several students so she can identify which student stuck his penis through a peep hole in the girls' bathroom. Ms. Balbricker claims she can identify the offending student's penis because it contains a distinctive mole. In the movie, the request for the penis lineup was denied.
Was the prosecutor's troubling request inspired by Porky's? As a parent of two young children, I am outraged by the actions of the police and prosecutors in this matter. What happened to educating our kids about the dangers of sexting? Why are prosecutors utilizing public resources to try to photograph a teenager's erect penis?
My hope is that prosecutors and judges across the country realize that this is the wrong way to deal with sexting by teenagers.
Monday, July 7, 2014
Social Media Posts Lead To Firing of TV and Radio Personalities
Last month, Travel Channel personality Adam Richman made some very disturbing posts that led to his upcoming new show being postponed indefinitely. Talk show host Anthony Cumia of Sirius was fired from his radio show last week for a series of allegedly racist Tweets. Both of these incidents occurred "off the air" during personal time but they had negative employment consequences.
Social Media is not the panacea that some business consultants claim. Too many self-styled "social media consultants" advise their clients to pump out content on multiple platforms 24/7. On a regular basis, clients ask me about the legal, business, and reputation related issues surrounding disturbing social media posts. Unfortunately, I am usually contacted after a "social media consultant" has already provided career-killing advice or inadequate training.
If one feels the need to respond to Tweets (or other types of posts) or get into a Facebook discussion with others, the amount of information/content posted should be limited since it may be utilized against you forever. Yes, forever! Any postings may be submitted as evidence in a court of law or may be used in the court of public opinion to destroy your career so less is usually more. I have never had a client tell me he or she regretted not Tweeting more or posting a longer Facebook response.
Sunday, July 6, 2014
EPIC Files FTC Complaint over Facebook's Emotion Study
The Electronic Information Privacy Center (EPIC), a privacy advocacy group that has been performing great work for 20 years, filed a complaint with the FTC alleging that Facebook's emotion study "deceived its users and violated the terms of a 2012 FTC consent decree." The complaint was filed right before the July 4th holiday weekend.
Facebook's refusal to issue an immediate apology regarding this issue demonstrates once again that the company is tone deaf when it comes to user privacy. I have documented Facebook's troubling position regarding digital privacy time and time and time, etc...again.
When I initially stated that Facebook's emotion study may have violated Facebook's FTC consent agreement early in the day on 6/30/14, I didn't see any other published articles mentioning this possibility. Soon after I posted my article, Forbes reported that Facebook changed its terms to allegedly allow user data to be utilized for "research" purposes 4 months after the study was completed.
There are many users, technologists, and members of the media who are drinking the Silicon Valley Kool-Aid and defending Facebook's (and other companies') troubling practices because privacy policies, along with terms of use, and data use policies are written so broadly in the hopes that the language allows for any type of data usage and/or manipulation. Just because one agrees to a troubling privacy policy/terms of use/data use policy clause in an agreement, that doesn't mean a court of law will automatically rule that the policy is legal and enforceable.
The common law blue pencil doctrine is utilized when contract clauses are ruled to be unreasonable and violate public policy. This doctrine enables courts to strike troubling clauses from executed agreements. Is it time for the courts to start "blue penciling" unreasonable privacy policies, terms of use, data use policies, etc...?
If some Silicon Valley companies don't start changing their data collection and usage practices it would not surprise me if the courts start flexing their blue pencil muscles to protect the personal privacy and safety of citizens in the Digital Age.
Monday, June 30, 2014
Facebook's Unethical Experiment May Have Violated FTC Order
Facebook has proven once again that it does not care about its users' privacy and that it may manipulate their users' emotional well-being for corporate profit. In an explosive article in The Atlantic it is alleged that Facebook intentionally manipulated the news feeds of almost 700,000 users as part of an experiment about emotional contagion on social networks.
In the past, it appears Facebook related research was focused on analyzing the information users upload. In contrast, this appears to be the first time Facebook has publicly acknowledged that it was intentionally manipulating its users' news feeds for psychological experimentation. Is this the first time this has occurred? If not, is Facebook prepared to come clean about this matter and all similar user experiments?
According to the New York Times, "[t]he company [Facebook] says users consent to this kind of manipulation when they agree to its terms of service. But in the quick judgment of the Internet, that argument was not universally accepted." I have reviewed Facebook's Terms of Service and it appears it may be a legal super hero Plastic Man stretch (think South Park Humancentipad episode about terms of service) that users agreed to psychological experimentation by agreeing to Facebook's terms of service.
The National Institutes of Health (NIH) which is located about a mile from my office has a very detailed history about the laws relating to the protection of human subjects who are part of an experiment. Did Facebook violate the spirit or the letter of any of these laws?
It would not surprise me if Facebook and/or other digital platforms update their terms of service to clearly state they are able to perform this type of troubling psychological testing on users. While it is too soon to speculate on whether the experiment abided by Facebook's terms of service and traditional subject informed consent rules, this should be a wake up call to regulators to look more closely at the data collection and usage practices of the digital ecosystem.
Did Facebook inform the FTC about this experiment during its 2012 investigation that culminated in the 2012 FTC Consent Order that alleged Facebook violated its users' privacy? Does performing psychological experiments on users without expressed informed consent violate this order?
The bottom line is that this should be a wake up call to those who post on Facebook and utilize platforms that use your personal information for behavioral advertising purposes and/or sell it to data brokers. As I stated on June 12, 2014, "I don't advise anyone who values their privacy to post personal information to Facebook because it has an abysmal record when it comes to protecting user privacy." Facebook's latest actions demonstrate that it believes its users are nothing more than lab rats who give up all of their rights when agreeing to Facebook's Terms of Service and Privacy Policy.
Saturday, June 28, 2014
Supreme Court: 9-0 We Have The Right To Privacy In The Digital Age
In a 9-0 decision earlier this week in Riley v. California and U.S. v. Wurie, the U.S. Supreme Court ruled that the police generally need a warrant to search cell phones and personal electronic devices of those who are arrested. I agree wholeheartedly with Adam Liptak's assertion that it's "a sweeping victory for privacy rights in the digital age."
This decision appears to have been built upon the U.S. v. Jones decision in 2012, which ruled 9-0 that a warrant is required to place a GPS tracker on a suspect's vehicle. I believe that, when reviewed together, U.S. v. Jones, Riley v. California, and U.S. v. Wurie provide strong evidence that the 1979 Smith v. Maryland decision that use of a pen register by law enforcement is not a search within the meaning of the Fourth Amendment may be in jeopardy.
The bottom line is that the U.S. Supreme Court has clearly recognized that we have an expectation of privacy in the digital age. Law enforcement appears now to need a warrant to search not only the personal cell phones and digital devices of the people whom they arrest, but also their personal digital accounts such as email accounts, social media accounts, cloud computing accounts, app accounts, and other connected devices/accounts that may be referred to as the "Internet of Things", etc.
Does this ruling strengthen the Electronic Communications Privacy Act by now requiring law enforcement to obtain a warrant for all emails regardless of their age during an investigation? While it is still too early to determine all of the ramifications of this decision, it demonstrates that the U.S. Supreme Court believes we still have a right to privacy despite the changing nature and usage of technology.
Thursday, June 26, 2014
Congressional Hearing: More Enforcement Needed To Protect Student Data Privacy
I recently attended a Joint Hearing with the Subcommittee on Early Childhood, Elementary, and Secondary Education titled, "How Data Mining Threatens Student Privacy" in Congress. This hearing caught my attention because, as a parent of two young children, student privacy is very near and dear to my heart.
Invited to testify were: Prof. Joel Reidenberg, Founding Academic Director of Fordham Law School's Center on Law and Information Policy, Mr. Mark MacCarthy, Vice President of Public Policy for the Software & Information Industry Association (SIIA), Ms. Joyce Popp, Chief Information Officer of the Idaho State Department of Education, and Mr. Thomas Murray, State and District Digital Learning Director for the Alliance for Excellent Education.
During the hearing, Prof. Reidenberg discussed his groundbreaking Privacy and Cloud Computing in Public Schools study that found, "fewer than 7% of contracts [between schools and ed-tech vendors] restrict the sale or marketing of student information by vendors, and many [cloud] computing agreements allow vendors to change the terms without notice." He also stated that 25% of services offered to schools use "freemium" models that have to monetize student data in a manner that most likely does not benefit student learning. These troubling findings were of great interest to the members of Congress and those who attended the hearing.
The SIIA appeared not to be interested in acknowledging Prof. Reidenberg's findings and the organization may have even provided intentionally misleading testimony. For example, on pages 4-5 of its written testimony the SIIA stated, "The federal government recently updated regulations and guidance for FERPA [Family Educational Rights and Privacy Act] and COPPA [Children’s Online Privacy Protection] specific to online educational services." This statement is factually incorrect.
FERPA's regulations were not recently updated. Earlier this year, the Department of Education issued updated guidelines which do not provide the same protections as updated regulations. During the hearing, Prof. Reidenberg made the committee aware of this distinction. When the SIIA stated that Prof. Reidenberg's study did not have concrete proof that some ed-tech vendors were utilizing personal student data for non-educational purposes, Prof. Reidenberg mentioned Google's recent admission in federal court that it scans student emails for potential advertising.
The SIIA's members include ed-tech vendors that sell their services to schools. Some of these companies offer their digital services for free to schools and in return may data mine student emails and build student user profiles for advertising purposes. For example, in an ongoing federal lawsuit in California that Prof. Reidenberg mentioned in his testimony, Google admitted under oath that it “scans and indexes the emails of all Apps for Education users for a variety of purposes, including potential advertising,....that cannot be turned off—even for Apps for Education customers who elect not to receive ads.”
While intense outrage from parents and schools along with international media scrutiny recently led to Google announcing it will allegedly stop these practices, Google's behavior demonstrates the need for stronger enforcement of student privacy laws, greater transparency in the industry, and where needed a strengthening of the current legal and regulatory framework.
One of the most memorable instances of the hearing occurred when Rep. Pat Meehan of Pennsylvania asked the SIIA whether current law would protect his son from receiving targeted Coca-Cola ads based on data provided by his school. The SIIA claimed it would be illegal due to existing government regulations and that FERPA applies to vendors; however, Prof. Reidenberg strongly disagreed with these assertions and proved that the SIIA was misleading the committee about these issues.
Prof. Reidenberg recommended modernizing FERPA so it applies to all student information and mandates a notice to parents for public disclosure of the educational uses of student data. He also stated that schools need written contracts with specific prohibitions against the use of student data for non-educational purposes, chief privacy officers, and a private right of action against vendors who misuse student data because currently parents and families do not have legal remedies to hold ed-tech companies legally accountable.
It's unfortunate that the SIIA appears to be more interested in protecting its members who are either monetizing student data for profit or who may want the ability to do so in the future. During the hearing, it sounded as though the SIIA would not support a private right of action for students and/or their families to hold ed-tech vendors legally accountable for mishandling their personal information. This apparent admission is very troubling and appears to demonstrate that the SIIA is out of touch with the needs of students, parents, and schools. If the ed-tech industry wants to ensure the continued growth of the sector, it must be willing to support robust enforcement actions and stronger privacy protections for students.
Presidents Bill Clinton, George W. Bush, and Barack Obama each were able to achieve our country's highest elective office because their personal thoughts and the activities they participated in while they were growing up and "exploring their youth" were not held against them for the rest of their lives. The only way current and future generations of students will have the same opportunities to make their hopes and dreams come true is if they are afforded stronger privacy protections regarding their personal digital information.
Tuesday, June 24, 2014
In The Digital Age It Takes A Village To Protect Student Privacy
Some privacy advocates have breathed a sigh of relief since hearing of the demise of non-profit inBloom, an organization that was created in 2011 to store and aggregate a wide range of student information to be used by classroom educators. The merits of inBloom's mission can be debated until its advocates and detractors are blue or red in the face. Regardless of whether one is for or against inBloom, or its future progeny, the real win here is that student privacy is now part and parcel of the education technology (ed-tech) conversation.
Protecting the personal privacy of students has gained national attention due to the issues surrounding inBloom combined with several high-profile data breaches.
Compounding the privacy challenges facing students is that the Family Educational Rights and Privacy Act (FERPA), which aims to protect the privacy of students and their families, has not been updated to account for the issues inherent in the Digital Age. The Electronic Privacy Information Center, along with other privacy advocates, has alleged that the Department of Education actually weakened FERPA in 2011.
In fact, weakening student privacy protections at the dawn of the age of Big Data, the cloud, mobile apps and social media appears to have led to a situation where some companies offer student digital learning tools for free or a reduced price to schools and in return student information may be data mined for profit. According to a recent Politico "examination of hundreds of pages of privacy policies, terms of service and district contracts there are gaping holes in the protection of children’s privacy."
Earlier this year, Education Week reviewed the ongoing Gmail wiretapping litigation, a case that began in 2010 seeking damages on behalf of Gmail and Google Apps for Education users and those whose messages were sent to Gmail-based services, and made some very startling discoveries. The most troubling was that Google "scans and indexes the e-mails of all Apps for Education users for a variety of purposes, including potential advertising, via automated processes that cannot be turned off—even for Apps for Education customers who elect not to receive ads."
Google's admission in federal court and its confirmation to the media about its practices created such a huge media firestorm that within weeks after this information became public, Google announced that it would no longer scan the e-mails of students who utilize Google Apps For Education for advertising purposes. While this announcement was a step in the right direction, why did it take an international media feeding frenzy for a change to a policy that should have never been implemented in the first place?
In response to Google's about-face regarding its student email scanning policy, Prof. Joel Reidenberg of Fordham stated, "Google can change this policy at any time, and, the scanning disclaimer is associated with advertising purposes only....There may be other commercial uses that they are exploiting student data for,....such as selling information to textbook publishers, or test-preparation services."
New technology sometimes creates situations that were never imagined when FERPA was enacted 40 years ago. For example, when students utilize new digital learning tools offered through their schools, is the metadata (the information associated with a student's use of the digital learning service) that may be created by student usage considered an "education record" and thus protected from being data mined for advertising purposes? According to Kathleen Styles, the U.S. Department of Education's Chief Privacy Officer, “I don’t think it’s necessarily an easy decision, what is and what is not the ‘educational record,’.... It’s very contextual. A lot of metadata won’t fit as an educational record.” This uncertainty demonstrates the need for stronger privacy laws that better protect the personal privacy and digital emissions of students.
States have begun to take action to enhance digital privacy protections for students. For example, Kentucky's recently enacted HB 232 bans ed-tech service providers from processing student data for any purpose other than providing, improving, developing or maintaining the integrity of the service. This type of prohibition is imperative in order for parents and students to feel comfortable using new digital learning tools. According to Politico, "in the past five months, 14 states have enacted stricter student privacy protections, often with overwhelming bipartisan support, and more are likely on the way."
Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) recently introduced a discussion draft of legislation titled, "Protecting Student Privacy Act." According to the press release, "The draft legislation would ensure that students are better protected when data is shared with and held by third parties." While new federal legislation is a step in the right direction since uniformity across the country is preferred by most stakeholders, I believe an update to the terms "education records" and "personally identifiable information" to account for the increased capturing of student data in a digital format is needed to ensure that children are better protected from companies that put profits ahead of student privacy.
InBloom's demise and Google's recently exposed student data mining practices have brought greater attention to student privacy and the need for stronger regulations and laws that prohibit ed-tech providers from utilizing student data for commercial purposes which may include behavioral advertising, digital profiling, and other exploitation. Ed-tech vendors must incorporate Privacy by Design into their platforms and commit to making student privacy a priority and not an afterthought.
The bottom line is that students, parents, teachers, school administrators, lawmakers, state attorneys general, the FTC, and the ed-tech industry must work together to ensure that student privacy is protected in the Digital Age.
Thursday, June 12, 2014
Facebook's Expanded Behavioral Advertising Further Erodes User Privacy
According to the Wall Street Journal, "Facebook will soon begin using data it collects about users’ activities around the Web to better target ads on its service.....[f]or years Facebook has dropped small pieces of code on websites and in mobile apps, through which it records users’ browsing habits and online interests. Now it’s going to start using that information to help it deliver personalized ads on Facebook."
The term "personalized ads" means behavioral advertising. In layman's terms, Facebook acts like a private NSA; however, instead of using the digital information it collects about you to protect against terrorist attacks, Facebook uses the data you post and the data gleaned from your digital activity (posts, messages, and now websites visited, etc.) to make money. The information Facebook collects about you may also assist hostile foreign governments who legally or illegally acquire access to Facebook's systems.
About a year ago, Advertising Age reported that Facebook inked agreements with multiple data brokers to mine the personal digital information of users. These agreements convinced me that posting personal information on Facebook may contribute to consumer discrimination. The World Privacy Forum and The White House published recent reports that discussed how some populations may be vulnerable to discriminatory practices based upon large amounts of personal information being bought and sold by data brokers and data sources such as Facebook.
I don't advise anyone who values their privacy to post personal information to Facebook because it has an abysmal record when it comes to protecting user privacy. For example, in 2012 Facebook settled charges with the FTC that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.
The bottom line is that if you value your privacy, be careful what and where you post online.
Saturday, June 7, 2014
Lawsuit: University of Cincinnati Medical Center Employee Posted Patient STD Diagnosis on Facebook
While social media may be utilized to connect people all over the world to raise money for charity or to persuade citizens to overthrow dictatorships, it may also be used to spread the most personal information for all to see. Recently, a 20-year-old Ohio woman had her sexually transmitted disease diagnosis posted on Facebook by a hospital employee.
The Cincinnati Enquirer reported that an image of the victim's medical record showing her name and syphilis diagnosis was posted on Facebook to a group called "Team No Hoes" in 2013. This posting appears to be a federal HIPAA violation and it may also violate multiple Ohio state laws.
What is the value of the damage to one's reputation if their sexually transmitted disease diagnosis is posted online? The victim is a 20-year-old female who may be unable to obtain employment or gain acceptance into college or graduate school because of this disgusting breach of her personal privacy. She may also be fired from her employment and/or discriminated against in other unsubtle and undetectable ways. In addition, the victim may have trouble getting a date and/or finding a mate due to this information being disseminated.
I am surprised that the hospital did not settle this matter out of court before it was filed. The reputational damage to the University of Cincinnati Medical Center may be steep. Will patients go to other service providers due to this incident? Will the hospital reach a settlement with the victim before it goes to trial? Does the hospital want a jury to even hear this case?
While I believe the new European "right to be forgotten" may be abused by child molesters, rapists, murderers, politicians, etc. who may want to hide their criminal past, and it may be difficult to implement this new right, should victims of this type of breach of their personal medical privacy be afforded the right to be forgotten in the United States?
Wednesday, June 4, 2014
comScore Agrees To $14 Million Settlement For Privacy Violations
According to its website, comScore is, "a leading Internet technology company that measures what people do as they navigate the digital world-and turns that information into insights and actions for our clients to maximize the value of their digital investments." Interestingly, according to a lawsuit comScore has recently settled, it may have also put profits ahead of its users' personal privacy.
MediaPost has reported that comScore has agreed to pay $14 million to settle a lawsuit alleging that it violated its users' privacy. In 2011, several plaintiffs filed a class-action privacy lawsuit alleging they unknowingly installed comScore's software after downloading a free product and that the company was then able to collect data that included usernames, passwords, search queries, credit card numbers, retail transactions, etc.
Companies that put profits ahead of privacy not only risk the safety and security of their users, they may also be slapped with lawsuits and/or regulatory investigations that may lead to multi-million dollar settlements, fines, legal fees, and other expenses. The bottom line is that some members of the digital ecosystem must learn that it pays to protect their users' privacy.