Thursday, June 18, 2015

IACP Releases Updated Guidance On Police Bodyworn Camera Video Data Storage

Privacy and cybersecurity go hand in hand.  Therefore, it is imperative that policy makers at the local, state, and federal levels adopt policies and enforce practices that promote these principles.  This is especially important due to the increased amount of data that governments are collecting.

During the past decade, law enforcement agencies around the world have begun to implement police body cameras to assist in evidence gathering, transparency, and accountability.  In the United States, several incidents during the past year have prompted local police departments to test and begin utilizing body cameras.  While this technology brings great promise, it also creates new privacy and cyber security challenges.

To help alleviate these concerns, the International Association of Chiefs of Police (IACP) recently published their "Guiding Principles on Cloud Computing in Law Enforcement".  These principles are much needed because as more digital video evidence is created by law enforcement, the proper safeguards must be in place to ensure that the data is stored in an appropriate manner for the legal justice system.

The IACP's principles state: 

1)  FBI CJIS Security Policy Compliance - Services provided by a cloud service provider must comply with the requirements of the Criminal Justice Information Services (CJIS) Security Policy (current version 5.3, dated August 4, 2014), as it may be amended.

2)  All Data Storage Systems Should Meet the Highest Common Denominator of Security.

3)  Data Storage Technology Can Be Disaggregated From Collection.

4)  Data Ownership - Law enforcement agencies should ensure that they retain ownership of all data.

5)  Impermissibility of data mining - Law enforcement agencies should ensure that the cloud service provider does not mine or otherwise process or analyze data for any purpose not explicitly authorized by the law enforcement agency.

6)   Auditing - Upon request, or at regularly scheduled intervals mutually agreed, the cloud service provider should conduct, or allow the law enforcement agency to conduct audits of the cloud service provider's performance, use, access, and compliance with the terms of any agreement.

7)  Portability and interoperability - The cloud service provider should ensure that CJI maintained by the providers is portable to other systems and interoperable with other operating systems to an extent that does not compromise the security and integrity of the data.

8)  Integrity - The cloud service provider must maintain the physical or logical integrity of CJI.

9)  Survivability - The terms of any agreement with cloud service providers should recognize potential changes in business structure, operations, and/or organization of the cloud service provider, and ensure continuity of operations and the security, confidentiality, integrity, access and utility of the data.

10)  Confidentiality - The cloud service provider should ensure the confidentiality of CJI it maintains on behalf of a law enforcement agency.

11)  Availability, Reliability, and Performance - The cloud service provider must ensure that CJI will be available to the law enforcement agency when it is required within agreed performance metrics.

12)  Cost - Law enforcement agencies should focus cloud acquisition decisions on the Total Cost of Ownership model.

The recent multiple hacks into the federal government's networks have demonstrated the importance of updating and implementing the proper digital policies and technologies.  With access comes responsibility.  It is imperative that law enforcement agencies that utilize bodyworn cameras and other digital data collection technologies follow these principles to protect law enforcement agencies, the general public, and the criminal justice system.  The IACP's cloud computing principles will help ensure that justice stays blind in the age of police body cameras.

 Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Tuesday, June 16, 2015

FBI Investigating St. Louis Cardinals For Allegedly Hacking Houston Astros

According to The New York Times, the FBI is investigating the St. Louis Cardinals for allegedly hacking into the Houston Astros' internal network.  The Cardinals are the most successful National League franchise and 2nd most successful organization in Major League Baseball after the New York Yankees.  While this investigation is ongoing, it would not surprise me if in addition to serious state and federal charges, Major League Baseball imposes a harsh penalty on the Cardinals and those employees responsible if it is found that they hacked into the Astros' computer networks.

This is a breaking story so more updates may be provided later. 


Facial Recognition Privacy Talks Collapse Due to Inadequate Consumer Safeguards

According to The New York Times, nine civil rights and other advocacy organizations announced today that they are withdrawing from "talks with trade associations over how to write guidelines for the fair commercial use of face recognition technology for consumers."

Why are these talks so important?  Because every time you walk into a fast food restaurant instead of a health food store you will be tracked and this information will be sent to data brokers who will insert it into your digital dossier.  You will be penalized for who you talk to in public (whether it's a friend, business associate, or a stranger on the street) and this data will be tied to you forever.  What stores you visit and when you visit them will be collected and available to interested parties.

Should private companies have the right to know if you attend weekly religious functions and what faith you practice based upon your comings and goings?  What about whether you are seen visiting a bar or other gathering known for particular social or political characteristics?  Do you want others to know whether you frequent casinos, liquor stores, cigar shops, or certain specialty retailers?  Visiting these places and making purchases are perfectly legal.  However, when these individual activities are taken together, they can paint a picture of our lives.  This is why John Hancock has created a new life insurance product that tracks your every move.  These are just a few examples of why stronger privacy protections are needed for biometrics.

Privacy is a civil right.  The potential for discrimination is high.  The more data that is being collected about us the greater the risk of the information falling into the wrong hands.  For example, the recent cyber attack on federal databases by Chinese hackers is a serious threat to national security and personal safety.  The systems compromised housed information on federal workers, their families, and those who interact with them.  The type of data contained in these files may be utilized for strategic national and economic security, blackmail, and who knows what else.

Absent participation by civil rights groups and privacy advocates, the facial recognition talks are worthless.  It's time for more technology companies to take a public stand for greater privacy protections.  The Fourth Amendment has protected us against unreasonable government searches and seizures for more than 200 years.  It's time for us to demand that our government extend this principle to protect us against unreasonable data collection and usage by private companies.


Monday, June 15, 2015

Belgium Sues Facebook Over Its Troubling Privacy Practices

According to The Wall Street Journal, Belgium's Privacy Commission is taking Facebook to court over its very troubling privacy practices.  Last month, the Commission publicly chastised Facebook for the way it handles the personal data of Internet users.  The Commission has focused on "how Facebook tracks Internet users on external websites through the use of “like” and “share” buttons".

In general, I avoid using Facebook's "like" or "share" button because for years the company has demonstrated via its privacy policy and agreements with data brokers that it does not care about the privacy of its users.  The New York Times recently shed some light on how Facebook's Mark Zuckerberg is a privacy hypocrite.  Mr. Zuckerberg's business practices demonstrate that he doesn't believe his users deserve to have their personal data kept private but he wants those who are working with him personally to sign non-disclosure agreements (NDA) to protect his personal information.  This behavior appears to demonstrate that Mr. Zuckerberg believes privacy is only for the super-rich and not the Average Joe or Facebook user.

My hope is that U.S. lawmakers, regulators, and state attorneys general closely watch how the European Union (EU) deals with digital privacy issues.  While I don't agree with every public policy decision that the EU makes regarding the digital ecosystem, when it comes to holding companies such as Facebook and Google accountable for the way they handle and utilize the personal information of Internet users, the U.S. should closely explore emulating the EU's thought process on these matters.

Privacy is one of the hallmarks of a democratic society and we must protect it before some members of the technology community permanently destroy it to maximize their corporate profits.  While Facebook and Google talk the talk regarding privacy, they have failed to walk the walk and refrain from abusing their access to the data they are collecting about all of us.


Thursday, June 11, 2015

Warrants Must Be Required for Digital Data Access

Growing up, I enjoyed watching L.A. Law and Law & Order.  So it was at a relatively young age that I learned that a warrant was required for the police to search your home and personal belongings. In law school, my criminal law classes focused on the need for the police to follow proper legal procedures to obtain a search warrant. Case after case demonstrated that the Fourth Amendment protects us against unreasonable searches and seizures—a basic tenet of American jurisprudence.

When I began practicing law at the dawn of the Internet Age, I soon realized that in the digital space, this long-held, common-sense approach to law enforcement searches is not always applicable. Surprisingly, searches in the physical world almost always require a warrant while searches in the “digital world” generally do not.  Under the 1986 Electronic Communications Privacy Act (ECPA), enacted with 1980s technology in mind, the legal need for a warrant to access one’s personal digital content depends on the type of technology utilized to store the data and how old the correspondence is.   

According to an Electronic Privacy Information Center (EPIC) analysis of ECPA, the backbone of U.S. digital privacy law, law enforcement does not need a warrant to access both opened and unopened emails stored in the cloud for more than 180 days.  In contrast, emails located on a home hard drive and opened emails that are less than 180 days old require a warrant.

The deficiencies in this approach are becoming more apparent every day.  For example, law enforcement agencies across the country are using mobile devices called Stingrays to collect information that is stored on our cell phones and other digital devices without warrants. Law enforcement has refused to discuss, even in court, the technology utilized in Stingray devices. And this is just one example of overreach.

Our current legal framework worked best in 1986. ECPA made sense then because lawmakers didn’t envision people storing thousands of personal files for years on remote or cloud-based servers.  In 1986, these technologies did not exist.  Over the past 30 years, technological innovation has changed how we create, access, process, and archive digital content.  Today, many people store personal emails and data in the cloud or apps.  Due to the growing interconnectedness of our society, many of these platforms have servers located around the globe.  At any given time, our data may be processed, archived, or stored in servers anywhere in the world.        

Whether a warrant is required to access one’s digital data should not depend on the age of the content, the technology utilized to store the information, or the location of the data.  In the face of ECPA’s limitations, some states, such as Virginia and California, have enacted laws requiring a warrant before Stingray technology may be deployed.  A forward-thinking national law that requires a warrant to access digital content regardless of data’s age or the type of storage technology utilized is needed. 

Fortunately, Congress has recently proposed a bipartisan fix to this problem with the introduction of the Law Enforcement Access to Data Stored Abroad Act (LEADS).  This bill offers a well-balanced approach that requires law enforcement to obtain a warrant when it wants access to personal digital content.  If data is located on an app or a server that is located overseas, it requires law enforcement to follow the legal process required to obtain the information in the jurisdiction where the content is located.  This common-sense approach ensures that personal information is treated equally whether located in the physical or the digital world.   

It’s time for the United States to demonstrate leadership on digital privacy issues. A step in the right direction would be to enact the bipartisan LEADS Act.


Wednesday, June 3, 2015

Apple CEO Blasts Facebook and Google For Privacy and Security Practices

Earlier this week, I attended the Electronic Privacy Information Center's (EPIC) annual Champions of Freedom Awards Dinner.  According to its website, "EPIC is an independent non-profit research center in Washington, DC. EPIC works to protect privacy, freedom of expression, democratic values, and to promote the Public Voice in decisions concerning the future of the Internet."  The event honored those who have made a significant contribution to protecting our personal digital privacy and cyber security.

This year, Richard Clarke, Tim Cook, Kamala Harris, and Susan Linn were honored.  Each of these honorees has performed excellent work in furtherance of protecting our personal privacy and safety from online and offline threats.  Richard Clarke and Susan Linn were in attendance while Tim Cook and Kamala Harris, who both live in California, spoke to the audience remotely.

The most passionate remarks of the evening came from Apple CEO Tim Cook. He discussed the importance of strong privacy protections in digital products and services and blasted those companies (i.e. Facebook and Google) that provide free services in exchange for selling their customers' personal information to data brokers.     

I do not utilize Facebook or Google products/services for any private communications and I do not recommend anyone who values their digital privacy and safety to do so either because the practices of these companies enable very troubling data mining that may lead to discrimination when applying to college, applying for credit, and when applying for a new job.  For several years, it has been known that Facebook sells its users' personal information to data brokers; however, Google's troubling data broker agreements were not as well known until The Wall Street Journal recently reported that Google is combining users' offline purchases with their digital activity.

Privacy is a civil rights issue and in order to stay a free society we must ensure that no private or public entity is allowed to destroy it.  The bottom line is that digital privacy and cyber safety go hand in hand and organizations such as EPIC work to better protect us from companies such as Facebook and Google that have troubling privacy policies and practices.


Friday, May 29, 2015

EU Competitiveness Council Conclusions On The Digital Economy

In order for the European Union (EU) to better compete in the digital economy it may need to have a more cohesive strategy.  Earlier this month, the EU discussed its plans to encourage its member countries to work together to create a single market for the online economy.

The EU's vision to become more competitive as a region may entail setting up unified rules that cover issues such as e-commerce, broadband spectrum, courier and parcel delivery rates, telecoms matters, and a revision of intellectual property rules.  A major challenge in the EU for many companies is over-regulation and incompatible rules across the region. 

According to The Wall Street Journal, "[m]any European policy makers say the region’s homegrown Internet companies haven’t made the big leagues at least in part because of a patchwork of tax, copyright and e-commerce rules that have stunted their growth. They also point to allegedly unfair business practices by U.S.-based competitors" such as Google.

The European Commission's recent antitrust statement of objections against Google has made some people claim that the EU is acting in a protectionist manner to bolster homegrown companies.  While there may or may not be some truth to these allegations, the bottom line is that all entities, whether they are digital focused or not, must abide by the rules and regulations of the countries in which they operate.

Recently, the EU's Competitiveness Council, which gathers European Ministers in charge of economic and industrial affairs, issued its “Conclusions on the digital transformation of European industry”. The Competitiveness Council's conclusions discussed the EU's recent progress regarding the digital transformation of EU industry and expressed member states' interests and priorities for future action.  Some of the conclusions touch upon the need to develop IT standards for 5G wireless communications, cloud computing, Big Data, the Internet of Things, and interoperability between platforms and technologies.

These conclusions further emphasized the "importance of ensuring that European standards....are established in coordination with international standards and globally recognised technical specifications and, where possible, promoted as international standards. This is particularly so in such areas as data formats, digital documents and signatures, pan-European e-Procurement, accounting in digital environment and cross-border data exchange...."

The bottom line is that the EU is working feverishly to catch up with other regions of the world such as Silicon Valley and the United States that are perceived to be leaders in the digital economy.  While it may take years for the EU to create and then implement a coherent digital economy strategy, its business and political leaders along with its regulatory bodies have recently acknowledged the importance of these issues.  Therefore, it leads me to believe that the EU will utilize whatever tools are at its disposal to be an active participant in the future growth of the international digital ecosystem.


Sunday, May 24, 2015

Drone Privacy Policy Released By DOJ

While most of the country was thinking about the Memorial Day weekend, the U.S. Department of Justice released its policy guidance on domestic use of unmanned aircraft systems.  According to The Hill, the new DOJ policy is based upon a presidential memorandum that outlined some of the civil liberty issues inherent with drone usage. 

Drones and other new and exciting technologies are here to stay.  However, there are significant privacy, surveillance, and other civil liberty issues that must be balanced when utilizing these new tools.  My hope is that we have a robust national conversation on these issues and create sound public policy, and when needed draft the proper regulations and/or enact well-balanced laws to ensure that we can effectively deal with the societal consequences.

Drones have many positive uses in our society; however, we must understand the legal and public policy challenges inherent with their deployment.  The DOJ's policy guidance is a starting point for this conversation. 


Saturday, May 23, 2015

Instagram Photos Show Slip and Fall Lawsuit Against NYC Is Frivolous

Taking photos and sharing them digitally is so easy.  However, just because it is, that doesn't mean you should do so.  In Silicon Valley, the term "frictionless sharing" was coined to describe the ability to make it as simple as possible to share your personal content with others via the Internet and apps. 

Technology companies make billions of dollars per year in advertising revenue due to frictionless sharing.  This capability is so important to the monetary viability of many digital companies that some of them recently spent millions of dollars lobbying Congress to weaken the Video Privacy Protection Act to make it easier for consumers to share their video viewing habits with others.  While Silicon Valley may promote this change as providing more "consumer choice", others may believe this revision has diminished important privacy protections. 

Just because you have the ability to take a photo or a video doesn't mean you should do so and share it digitally.  Having the skills to understand when not to share is very important in the Social Media Age.  In general, I advise many clients not to share their personal content digitally unless it is in furtherance of their professional career.

The latest person who has not mastered the skill of when not to share appears to be Rev. Al Sharpton's daughter Dominique Sharpton.  According to The New York Post's analysis of Ms. Sharpton's personal Instagram account she has "a lot of explaining to do."  Ms. Sharpton is suing the City of New York for $5 million because she allegedly injured her ankle on a Soho sidewalk.  I am highly skeptical of this claim because it appears that on her personal Instagram account she has posted photos of herself climbing mountains in the U.S. and overseas.

Ms. Sharpton's Instagram account photos do not appear to demonstrate that she has a $5 million claim against New York City.  According to The New York Post, New York City has ordered Ms. Sharpton to preserve her photos because they appear to contradict the claims in her complaint against the City.  If the photos on Ms. Sharpton's Instagram account are authenticated, the City of New York may take legal action against her because it appears that her legal complaint is deficient due to a "failure to state a claim."

The bottom line is be careful what you post because it may create tremendous legal liability for you and/or others. 

UPDATE:  According to The New York Post, Ms. Sharpton has made her social media accounts "private".  In light of all of the media coverage regarding this matter, Ms. Sharpton's latest move further demonstrates her $5 million legal claim against the City of New York appears to be frivolous.


Friday, May 22, 2015

Adult Sex Website Hacked, Personal Data At Risk

The Internet and apps may be utilized for many productive and interesting activities.  For example, users and companies may engage in Business to Business (B to B) and Business to Consumer (B to C) commerce, general digital marketing/branding, etc.  However, some of the most popular digital activities include viewing porn and cheating on one's spouse.

In 2013, The Huffington Post reported that porn sites receive more traffic than Netflix, Amazon, and Twitter combined.  Internet porn is ingrained in popular culture.  Who can forget Avenue Q's catchy number, "The Internet is For Porn"?  In addition to porn, many people utilize the Internet and apps to cheat on their spouses and significant others.  For example, near the area where I live and work (in Bethesda), cheating website Ashleymadison.com ranked the Washington, DC area #1 for usage for the third year in a row.  This distinction is nothing to brag about. 

What many people may not realize is that when utilizing a website or app to find a sexual partner, you create a digital trail that puts your personal information at risk. For example, a married pastor in Michigan was recently exposed while utilizing a "hook up" app.  He uploaded photos of himself and other personal information that appears to have led to his identification. 

CNN is reporting that the website Adultfriendfinder.com was hacked in March and this incident appears to have exposed the personal information of millions of users.  The data leaked may include very intimate details about users.  The information exposed may be utilized to destroy personal lives, professional careers, and/or blackmail users.

The bottom line is that when using the Internet and apps it is very important to be cautious about the data you upload.  To protect your personal privacy and safety (and your family's), it's imperative to limit the personal information that you post about yourself and your family.


Sunday, May 3, 2015

DOJ Will Be More Transparent About Secret Cell Phone Tracking

The U.S. Department of Justice (DOJ) has stated that it will soon become more transparent about its secret cell phone tracking program.  According to The Wall Street Journal, "the Federal Bureau of Investigation has begun getting search warrants from judges to use the devices, which hunt criminal suspects by locating their cellphones, the officials said. For years, FBI agents didn’t get warrants to use the tracking devices."

This change in behavior is welcome news.  Law enforcement should be required to obtain a warrant before deploying these technologies.  Police across the country have utilized devices sometimes called stingrays without a warrant thousands of times to collect information about cell phone users for years.  The usage of these technologies on American soil appears to have started around 2007 and according to published reports is widespread across the country.

In a democratic and free society, it is imperative for law enforcement to be transparent about their practices.  Even though there may be security concerns regarding being too transparent about some of the details of these programs, the usage of these technologies without a warrant is a clear violation of our Fourth Amendment rights.

While I applaud the DOJ's decision to change its practice and now obtain a warrant before deploying these tools, what triggered the change in policy?  In 2014, the Supreme Court in Riley v. California ruled 9-0 that the police generally need a warrant to search electronic devices of those who are arrested.  The DOJ's policy should have been updated right after this ruling occurred and not almost a year later.

The bottom line is that privacy still matters in the Digital Age and that transparency and accountability are more important than ever due to the increased sophistication of digital surveillance tools.


Friday, May 1, 2015

Facebook Threatens European Regulators Over Stronger Privacy Laws

In a very troubling development that shows Facebook's true colors, one of its corporate executives stated that if European regulators continue to scrutinize Facebook's data collection and utilization practices its citizens will not be provided certain features in a timely manner.  This veiled threat to European regulators demonstrates that the EU is on the right track in questioning the data privacy policies and practices of Facebook and other Internet companies.  

Manufacturers of cars and heavy machinery, pharmaceutical companies, banks, chemical companies, etc. are required to follow appropriate safety regulations in Europe and around the world.  Data collection and usage laws are nothing more than safety regulations and it is time for Facebook and the entire digital ecosystem to get on board with regulations that will enhance user trust of their platforms.

An Austrian class action lawsuit about Facebook's data usage practices, the ongoing Netherlands privacy regulator investigation into Facebook's activities, and the possibility that Europe will enact stronger data protection laws that will provide greater regulatory tools to protect citizens from some of Facebook's troubling data collection and usage practices appear to worry the company.  These developments demonstrate the importance of baking privacy into your platform's design and the need for Facebook to change its data collection and usage practices and its policies.

The bottom line is that data privacy is a safety issue.  My hope is that U.S. lawmakers and regulators soon follow Europe's lead in understanding that unfettered data collection and usage is a clear and present danger to its citizens and that more robust privacy laws are a must in the Big Data Age.


Thursday, April 30, 2015

U.S. Student Digital Data Privacy and Parental Rights Act of 2015 Introduced

On April 29, 2015, Representatives Luke Messer and Jared Polis introduced the bipartisan Student Digital Privacy and Parental Rights Act of 2015.  According to The New York Times, "the bill would prohibit operators of websites, apps and other online services for kindergartners through 12th graders from knowingly selling students’ personal information to third parties; from using or disclosing students’ personal information to tailor advertising to them; and from creating personal profiles of students unless it is for a school-related purpose."  

The legislation is modeled after California's SB 1177 (the "Student Online Personal Information Protection Act"), which Education Week hailed as a "landmark" student data privacy law.  The federal Student Digital Privacy and Parental Rights Act of 2015 is a positive piece of legislation that would help better protect the personal privacy and safety of students around the country.  The fact that some members of the ed-tech industry are wary of the bill demonstrates the potential effectiveness of the legislation.

This bill is sorely needed because as Education Week reported last year, some ed-tech vendors such as Google have been caught intentionally misleading parents about their data mining and privacy practices.  For example, exactly 1 year ago today, Google promised to stop scanning student emails and other digital content for advertising purposes.

Unfortunately, Google's promise to better protect personal student data has fallen woefully short since its troubling consumer privacy policy still covers its education offerings and this policy clearly allows it to data mine and profile students on its Google Apps For Education platform.  For example, Google's promise to stop data mining students does not extend to Google + or YouTube since neither platform is considered a Google Apps "Core Service".

A former IT policy director at Cornell recently authored an eye-opening research paper about Google's troubling profiling and data mining practices, which is a must-read for school administrators, parents, and educators.  Unfortunately, Google is not the only ed-tech company with weak privacy policies and practices.  Politico and others have also called out Khan Academy for its data mining and profiling practices of students.

Earlier this year, I advocated for my home state of Maryland to enact a similar student privacy bill which was also modeled after California's SB 1177.  I was very troubled to witness Facebook and Google (here is a link to the hearing where you will see that the representatives of these companies were actively trying to thwart passage of robust student privacy protections) advocate for amendments to gut the bill's privacy protections for our children. 
  
My hope is that Facebook, Google, etc... realize that their continued refusal to accept appropriate limits on student data collection, processing, and usage will continue to make parents suspicious about their motives for providing educational technology tools.  These companies are two of the largest advertising entities in the world and their actions so far clearly demonstrate that they want access to personal student data for marketing purposes.

The following national education groups have already voiced support for the federal Student Digital Data Privacy and Parental Rights Act of 2015:
  • AASA, the School Superintendents Association
  • International Society for Technology in Education
  • National Association of Elementary School Principals
  • National Association of Secondary School Principals
  • National Education Association
  • National PTA
  • State Educational Technology Directors Association
along with Common Sense Media, which has worked with state and federal lawmakers around the country to enact stronger student privacy laws.  On the ed-tech side, Education Week reported that Microsoft voiced its support by stating "that it [the bill] will help build public trust that vendors are adequately protecting and appropriately using student information".

It's time for the entire ed-tech industry to support the Student Digital Data Privacy and Parental Rights Act of 2015.  Embracing enhanced digital privacy protections for our students will signal to parents that the industry can be trusted to protect our children's personal information.

As a parent, I want my children to be able to utilize the latest and greatest digital education platforms; however, until stronger privacy laws are enacted I have little confidence that all school technology vendors will make my children's personal privacy and safety a priority.  Therefore, I challenge Facebook, Google, and every other ed-tech company and organization that advocated to weaken Maryland's Student Data Privacy Act of 2015 to do the right thing and support this bill as drafted.     

UPDATE May 1, 2015:  The White House has announced that it supports the new bill.  In a blog post, The White House stated: "[w]e are pleased to see Representatives Luke Messer (R-IN) and Jared Polis (D-CO) answer the President’s State of the Union call to enact new protections for K-12 students’ data to ensure that classrooms can embrace technology with confidence.

Introduced yesterday, The Student Digital Privacy and Parental Rights Act is an important bipartisan step, building upon existing momentum from industry leaders committed to ensuring educational data is not misused by providers or third parties, and carrying the strong endorsement of privacy advocates, the private sector, and associations representing parents and educators."  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Monday, April 27, 2015

Supreme Court to Hear Major Data Privacy and Digital Reputation Case

According to the Associated Press, the Supreme Court announced today that it will decide whether digital platforms "that collect personal data can be sued for publishing inaccurate information even if the mistakes don’t cause any actual harm."  A Virginia resident sued Spokeo.com (an Internet company that compiles allegedly publicly available data on people and lets subscribers view the information, including address, age, marital status, economic health, etc...) because it listed inaccurate information about him and he claims it damaged his job prospects.  The plaintiff lost in federal district court; however, the 9th U.S. Circuit Court of Appeals reversed and found that Spokeo had violated the Fair Credit Reporting Act (FCRA).

This is a very interesting case because of the importance of one's digital reputation.  Should companies such as Spokeo and others that acquire and re-purpose information about people be required to authenticate the accuracy of the data they publish?  If so, how should authentication occur?  

In the Digital Age, what does actual harm mean?  How does one know if actual harm has occurred?  Do prospective employers, colleges, financial firms, insurance companies, etc... always tell applicants they were denied an offer because of data found online at Spokeo or another digital platform?

Should companies that compile data on users/consumers and provide this information to others for a fee be regulated as a consumer reporting agency under FCRA?  Recently, a judge in California found that LinkedIn was not a consumer reporting agency under the definition of FCRA.  Despite this one court's ruling, are companies such as Spokeo, Facebook, Google, LinkedIn, etc... avoiding being regulated under FCRA because of an outdated definition of a consumer reporting agency?

Facebook has agreements in place that enable it to send all your personal information (i.e. personal feelings indicated, posts, photos, friend connections, likes, etc...) to data brokers and this information may be utilized against you when applying for a job, insurance, etc...  Google scans your emails, calendars, cloud drive, etc... for behavioral advertising and who knows what other purposes.  Do some of Facebook's and Google's activities fall under FCRA and, if not, should they?

The bottom line is that, due to the importance of digital reputation, stronger regulations are needed to protect our privacy.  Spokeo advertises itself as the "leading people search platform using proprietary technology to organize information into comprehensive yet easy-to-understand online profiles;" Google states its "mission is to organize the world’s information and make it universally accessible and useful;" and Forbes has stated Facebook "moves to become the world's most powerful data broker."

If these companies act like data brokers, should they also be regulated as data brokers?  We may soon find out how the Supreme Court views data privacy and digital reputation in the Digital Age.


Tuesday, April 21, 2015

U.S. Government Ethics Office Releases Personal Social Media Usage Standards

Earlier this month, the U.S. Office of Government Ethics (OGE) released its Standards of Conduct as Applied to Personal Social Media Usage.  The standards are as follows:

1.  Use of Government Time and Property
This requirement limits the amount of time employees may access their personal social media accounts while working on government business (i.e. while on the job).  In addition, supervisors may not order or ask a subordinate to work on their (the supervisor's) personal social media accounts.  

2. Reference to Government Title or Position & Appearance of Official Sanction
This requirement prohibits employees from using their official titles, position, or any authority associated with their government employment for personal gain.  This rule implies that in certain situations it may be a best practice to post a "clear and conspicuous disclaimer" that the content on one's personal social media account is not sanctioned or endorsed by the government.

3.  Recommending and Endorsing Others on Social Media
Government employees may recommend others on social media platforms such as LinkedIn.  However, in my opinion, supervisors and subordinates should be very careful when endorsing each other on digital platforms because it may create potential legal issues in the future.

4.  Seeking Employment through Social Media
Those seeking employment via digital platforms must conform with all applicable laws and regulations.  Therefore, it is imperative to know and understand all rules and regulations when utilizing social media for employment purposes.

5.  Disclosing Nonpublic Information
Employees are prohibited from disclosing non-public information on digital platforms to further their personal interests or the personal interests of others.  The World War II adage, "Loose lips sink ships," is alive and well in the Social Media Age, so use caution when posting information online.

6.  Personal Fundraising
Employees are permitted to utilize personal digital accounts to fundraise for non-profit charitable organizations as long as they comply with all appropriate federal rules.  For example, employees should not personally solicit funds from subordinates or prohibited sources.

7.  Official Social Media Accounts
Employees who are authorized to utilize official social media accounts must comply with all applicable laws, rules, regulations, policies, directives, etc...

OGE may issue updates from time to time, so it is best to utilize caution when participating in social media.  The bottom line is: when in doubt, don't post online.
