Sunday, May 3, 2015

DOJ Will Be More Transparent About Secret Cell Phone Tracking

The U.S. Department of Justice (DOJ) has stated that it will soon become more transparent about its secret cell phone tracking program.  According to The Wall Street Journal"the Federal Bureau of Investigation has begun getting search warrants from judges to use the devices, which hunt criminal suspects by locating their cellphones, the officials said. For years, FBI agents didn’t get warrants to use the tracking devices."

This change in behavior is welcome news.  Law enforcement should be required to obtain a warrant before deploying these technologies.  Police across the country have utilized devices sometimes called stingrays without a warrant thousands of times to collect information about cell phone users for years.  The usage of these technologies on American soil appears to have started around 2007 and according to published reports is widespread across the country.

In a democratic and free society, it is imperative for law enforcement to be transparent about their practices.  Even though there may be security concerns regarding being too transparent about some of the details of these programs, the usage of these technologies without a warrant is a clear violation of our Fourth Amendment rights

While I applaud the DOJ's decision to change its practice and now obtain a warrant before deploying these tools what triggered the change in policy?  In 2014, the Supreme Court in Riley v. California ruled 9-0 that the police generally need a warrant to search electronic devices of those who are arrested.  The DOJ's policy should have been updated right after this ruling occurred and not almost a year later.     

The bottom line is that privacy still matters in the Digital Age and that transparency and accountability are more important than ever due to the increased sophistication of digital surveillance tools.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Friday, May 1, 2015

Facebook Threatens European Regulators Over Stronger Privacy Laws

In a very troubling development that shows Facebook's true colors, one of its corporate executives stated that if European regulators continue to scrutinize Facebook's data collection and utilization practices its citizens will not be provided certain features in a timely manner.  This veiled threat to European regulators demonstrates that the EU is on the right track in questioning the data privacy policies and practices of Facebook and other Internet companies.  

Manufacturers of cars and heavy machinery, pharmaceutical companies, banks, chemical companies, etc.. are required to follow appropriate safety regulations in Europe and around the world.  Data collection and usage laws are nothing more than safety regulations and it is time for Facebook and the entire digital ecosystem to get on board with regulations that will enhance user trust of their platforms. 

An Austrian class action lawsuit about Facebook's data usage practices, the ongoing Netherlands privacy regulator investigation into Facebook's activities, and the possibility that Europe will enact stronger data protection laws that will provide greater regulatory tools to protect citizens from some of Facebook's troubling data collection and usage practices appears to worry the company.  These developments demonstrate the importance of baking privacy into your platform's design and the need for Facebook to change its data collection and usage practices and its policies.   

The bottom line is that data privacy is a safety issue.  My hope is that U.S. lawmakers and regulators soon follow Europe's lead in understanding that unfettered data collection and usage is a clear and present danger to its citizens and that more robust privacy laws are a must in the Big Data Age.

 Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Thursday, April 30, 2015

U.S. Student Digital Data Privacy and Parental Rights Act of 2015 Introduced

On April 29, 2015, Representatives Luke Messer and Jared Polis introduced the bipartisan Student Digital Privacy and Parental Rights Act of 2015.  According to The New York Times, "the bill would prohibit operators of websites, apps and other online services for kindergartners through 12th graders from knowingly selling students’ personal information to third parties; from using or disclosing students’ personal information to tailor advertising to them; and from creating personal profiles of students unless it is for a school-related purpose."  

The legislation is modeled after California's SB 1177, (the "Student Online Personal Information Protection Act") which Education Week hailed as a "landmark" student data privacy law.  The federal Student Digital Privacy and Parental Act of 2015 is a positive piece of legislation that would help better protect the personal privacy and safety of students around the country.  The fact that some members of the ed-tech industry are wary of the bill demonstrates the potential effectiveness of the legislation.

This bill is sorely needed because as Education Week reported last year, some ed-tech vendors such as Google have been caught intentionally misleading parents about their data mining and privacy practices.  For example, exactly 1 year ago today, Google promised to stop scanning student emails and other digital content for advertising purposes.

Unfortunately, Google's promise to better protect personal student data has fallen woefully short since its troubling consumer privacy policy still covers its education offerings and this policy clearly allows it to data mine and profile students on its Google Apps For Education platform.  For example, Google's promise to stop data mining students does not extend to Google + or YouTube since neither platform is considered a  Google Apps "Core Service".   

A former IT policy director at Cornell recently authored an eye opening research paper about Google's troubling profiling and data mining practices which is a must read for school administrators, parents, and educators.  Unfortunately, Google is not the only ed-tech company with weak privacy policies and practices.  Politico and others have also called out Khan Academy for its data mining and profiling practices of students.

Earlier this year, I advocated for my home state of Maryland to enact a similar student privacy bill which was also modeled after California's SB 1177.  I was very troubled to witness Facebook and Google (here is a link to the hearing where you will see that the representatives of these companies were actively trying to thwart passage of robust student privacy protections) advocate for amendments to gut the bill's privacy protections for our children. 
  
My hope is that Facebook, Google, etc... realize that their continued refusal to accept appropriate limits on student data collection, processing, and usage will continue to make parents suspicious about their motives for providing educational technology tools.  These companies are two of the largest advertising entities in the world and their actions so far clearly demonstrate that they want access to personal student data for marketing purposes.

The following national education groups have already voiced support for the federal Student Digital Data Privacy and Parental Rights Act of 2015:
  •  AASA, the School Superintendents Association
  • International Society for Technology in Education
  • National Association of Elementary School Principals
  • National Association of Secondary School Principals
  • National Education Association
  • National PTA
  • State Educational Technology Directors Association
along with Common Sense Media which has worked with state and federal lawmakers around the country to enact stronger student privacy laws.  On the ed-tech side, Education Week reported that Microsoft voiced its support by stating "that it [the bill] will help build public trust that vendors are adequately protecting and appropriately using student information".

Its time for the entire ed-tech industry to support the Student Digital Data Privacy and Parental Rights Act of 2015.  Embracing enhanced digital privacy protections for our students will signal to parents that the industry can be trusted to protect our children's personal information.

As a parent, I want my children to be able to utilize the latest and greatest digital education platforms; however, until stronger privacy laws are enacted I have little confidence that all school technology vendors will make my children's personal privacy and safety a priority.  Therefore, I challenge Facebook, Google, and every other ed-tech company and organization that advocated to weaken Maryland's Student Data Privacy Act of 2015 to do the right thing and support this bill as drafted.     

UPDATE May 1, 2015:  The White House has announced that it supports the new bill.  In a blog post, The White House stated: "[w]e are pleased to see Representatives Luke Messer (R-IN) and Jared Polis (D-CO) answer the President’s State of the Union call to enact new protections for K-12 students’ data to ensure that classrooms can embrace technology with confidence.

Introduced yesterday, The Student Digital Privacy and Parental Rights Act is an important bipartisan step, building upon existing momentum from industry leaders committed to ensuring educational data is not misused by providers or third parties, and carrying the strong endorsement of privacy advocates, the private sector, and associations representing parents and educators."  

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Monday, April 27, 2015

Supreme Court to Hear Major Data Privacy and Digital Reputation Case

According to the Associated Press, the Supreme Court announced today that it will decide whether digital platforms "that collect personal data can be sued for publishing inaccurate information even if the mistakes don’t cause any actual harm."  A Virginia resident sued Spokeo.com (an Internet company that compiles alleged publicly available data on people and lets subscribers view the information, including address, age, marital status, economic health, etc...) because it listed inaccurate information about him and he claims it damaged his job prospects.  The plaintiff lost in federal district court; however the 9th U.S. Circuit Court of Appeals reversed and found that Spokeo had violated the Fair Credit Reporting Act (FCRA).

This is a very interesting case because of the importance of one's digital reputation.  Should companies such as Spokeo and others that acquire and re-purpose information about people be required to authenticate the accuracy of the data they publish?  If so, how should authentication occur?  

In the Digital Age, what does actual harm mean?  How does one know if actual harm has occurred?  Do prospective employers, colleges, financial firms, insurance companies, etc.. always tell applicants they were denied an offer because of data found online at Spokeo or another digital platform?

Should companies that compile data on users/consumers and provide this information to others for a fee be regulated as a consumer reporting agency under FCRA?  Recently, a judge in California found that LinkedIn was not a consumer reporting agency under the definition of FRCA.  Despite this one court's ruling, are companies such as Spokeo, Facebook, Google, LinkedIn, etc... avoiding being regulated under FCRA because of an outdated definition of a consumer reporting agency

Facebook has agreements in place that enable it to send all your personal information (i.e. personal feelings indicated, posts, photos, friend connections, likes, etc...) to data brokers and this information may be utilized against you when applying for a job, insurance, etc...  Google scans your emails, calendars, cloud drive, etc... for behavioral advertising and who knows what other purposes.  Does some of Facebook's and Google's activities fall under FCRA and if not should they? 

The bottom line is that due to the importance of digital reputation stronger regulations are needed to protect our privacy.  Spokeo advertises itself as the "leading people search platform using proprietary technology to organize information into comprehensive yet easy-to-understand online profiles;" Google states its "mission is to organize the world’s information and make it universally accessible and useful;" and Forbes has stated Facebook "moves to become the world's most powerful data broker."

If these companies acts like data brokers should they also be regulated as them as well?  We may soon find out how the Supreme Court views data privacy and digital reputation in the Digital Age.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Tuesday, April 21, 2015

U.S. Government Ethics Office Releases Personal Social Media Usage Standards

Earlier this month, the U.S. Office of Government Ethics (OGE) released its Standards of Conduct as Applied to Personal Social Media Usage.  The standards are as follows:

1.  Use of Government Time and Property
This requirement limits the amount of time employees may access their personal social media accounts while working on government business (i.e. while on the job).  In addition, supervisors may not order or ask a subordinate to work on their (the supervisor's) personal social media accounts.  

2. Reference to Government Title or Position & Appearance of Official Sanction
This requirement prohibits employees from using their official titles, position, or any authority associated with their government employment for personal gain.  This rules implies that in certain situations it may be a best practice to post a "clear and conspicuous disclaimer" that the content on one's personal social media account is not sanctioned or endorsed by the government.

3.  Recommending and Endorsing Others on Social Media
Government employees may recommend others on social media platforms such as LinkedIn.  However, in my opinion, supervisors and subordinates should be very careful when endorsing each other on digital platforms because it may create potential legal issues in the future.

4.  Seeking Employment through Social Media
Those seeking employment via digital platforms must conform with all applicable laws and regulations.  Therefore it is imperative to know and understand all rules and regulations when utilizing social media for employment purposes.

5.  Disclosing Nonpublic Information
Employees are prohibited from disclosing non-public information on digital platforms to further their personal interests or the personal interests of others.  The World War II adage, "Loose lips sink ships" is alive and well in the Social Media Age so use caution when posting information online.

6.  Personal Fundraising
Employees are permitted to utilize personal digital accounts to fund raise for non-profit charitable organizations as long as they comply with all appropriate federal rules.  For example, employees should not personally solicit funds from subordinates or prohibited sources.

7.  Official Social Media Accounts
Employees who are authorized to utilize official social media accounts must comply with all applicable laws, rules, regulations, policies, directives, etc...

OGE may issue updates from time to time so it is best to utilize caution when participating in social media.  The bottom line is when in doubt don't post online.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Monday, April 20, 2015

Twitter Quietly Updates Its Terms of Service

According to Mashable, Twitter quietly updated its Terms of Service on Friday in anticipation of new European Data Protection (privacy) laws.  Unfortunately for U.S. users, Twitter's new terms apply to international and not U.S. based users.

An Irish subsidiary was chosen as the location for international user data because it has a reputation for less Internet related regulations.  In other words, other European countries have different beliefs in how data should be protected.  In my opinion, many of Ireland's Internet related regulatory positions are based purely upon economic reasons.

Less regulations may mean more economic development.  For example, I live and work in Montgomery County, Maryland and it has an unfavorable regulatory reputation compared to multiple Northern Virginia counties. Therefore, Fortune 500 companies are more willing to relocate and open subsidiaries in the "business friendly" climate of Virginia.

In general, social media companies are not platforms that are built with privacy by design in mind.  The services provided by Twitter, Facebook, Google, etc... were created to data mine users for behavioral advertising purposes (don't believe any co-founder who states they wanted to make the world a better place, etc....).  Therefore, I do not trust these platforms to handle any sensitive or confidential information/communication.

The European Union is working on stronger data protection regulations because it understands the dangers inherent when companies engage in unfettered collection and data mining of personal information.  It is expected that  Europe will enact stronger data protection laws sometime later this year.  My hope is that the U.S. will follow the EU's lead in trying to create a more private, less discriminatory, and non-monopolistic digital data future.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Thursday, April 16, 2015

Fox News Settles 9/11 Social Media Copyright Lawsuit

According to The Hollywood Reporter, Fox News has confidentially settled its 9/11 photo social media lawsuit.  The case commenced soon after September 11, 2013 because Fox News' "Justice with Judge Jeanine" posted on Facebook the iconic photo of three firefighters raising the American flag at the ruins of the World Trade Center without obtaining permission from the copyright holder.   

Copyright issues are becoming more challenging in the Social Media Age.  However, its important to read and understand the terms of service and privacy policy of each platform.  For example, when utilizing Facebook, "you grant us [Facebook] a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License).  Since I don't like these terms I don't post personal photos to my Facebook account.

News organizations must be very careful about monetizing the photographs they see online without obtaining a proper license. For example, in 2013 a jury awarded a photojournalist $1.2 million dollars after Agence France-Presse and Getty Images (and others) utilized photos he posted on Twitter regarding the 2010 Haiti earthquake without obtaining the proper licenses from him. 

The bottom line is that when posting and re-posting content online it is important to understand copyright law issues.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Wednesday, April 15, 2015

European Commission: Google's Conduct Infringes on Antitrust Rules

The European Commission (EC) has sent a Statement of Objections (i.e. a formal complaint) against Google for violating European antitrust laws.  In particular, the EC alleges Google “has abused its dominant position in the markets for general internet search services in the European Economic Area (EEA) by systematically favouring its own comparison shopping product in its general search results pages.  The Commission's preliminary view is that such conduct infringes EU antitrust rules because it stifles competition and harms consumers.”

According to the EC’s press release, it has also “formally opened a separate antitrust investigation into Google's conduct [regarding] the mobile operating system Android. The investigation will focus on whether Google has entered into anti-competitive agreements or abused a possible dominant position in the field of operating systems, applications and services for smart mobile devices.”

These announcements have come after an almost five year investigation into Google’s European business practices.  The EC has tried three times to settle this matter to no avail.  New EC Competition Commissioner Margrethe Vestager, reinvigorated the investigation last year when her office requested additional information from various Internet vendors of online services to determine if consumers have been harmed by Google’s behavior and to figure out if Google has utilized its dominant market position to illegally hinder competition.

The EC’s investigation appears to have picked up momentum after The Wall Street Journal recently obtained a confidential 2012 U.S. Federal Trade Commission (FTC) report where key staff recommended suing Google for antitrust violations after finding real harm to consumers and innovation.  While the FTC report focused on Google’s U.S. behavior, the company most likely acted in a similar fashion in the European Union where it controls more than 90% of the Internet search market.

Since the EC opened its antitrust investigation into Google, the company has paid 100s of millions of dollars in fines and settlements due to illegal behavior. For example, in 2011 it paid a $500 million fine for knowingly accepting illegal advertisements from Canadian pharmacies.  Subsequently, it has paid multiple million dollar fines in the United States and in Europe for privacy violations in connection with its Street View data collection project, the deceptive privacy practices in Google's roll out of its Buzz social network, its 2012 privacy policy change, and the Safari hack incident. 

Illegally abusing market position in Internet search (and/or other areas) is intertwined with data collection, usage, and privacy issues because in order to receive the most relevant search results to a search query a search engine must be able to access and process voluminous amounts of data very quickly.  For years, 90% to 96% of Google’s revenue has come from advertising which means it is dependent upon being able to obtain massive amounts of personal information at a low cost to feed its behavioral advertising machine. 

Data dominance also appears to be a growing concern of the EC.  For example, Commissioner Vestager recently stated that she’s studying the U.S.’s “stringent approach to dealing with personal data as a means to payment” in its review of deals.  This appears to signal that regulators are beginning to understand that personal and corporate data issues are intertwined with antitrust matters.

The EC’s announcement that it has also opened up an investigation into whether Google has entered into anti-competitive agreements and/or abused its dominant position in regards to its Android operating system demonstrates that it wants to ensure that consumers are not harmed and that innovation is not stifled by illegal market activities in the growing mobile space.  Last year, The Wall Street Journal and The Information reported that Google’s confidential Android agreements have been “increasing the number of Google apps that must be pre-installed on [each Android] device to as many as 20, placing more Google apps on the home screen or in a prominent icon folder and making Google Search more prominent.” 

Google’s Android contract requirements are very troubling when comparing them to Microsoft’s pre-2002 agreements with PC vendors which “required PC manufacturers to bundle and promote the Internet Explorer Web browser and other software in prominent locations on the computer screen.” Therefore, it doesn’t surprise me that the EC is investigating whether Google’s Android agreements violate antitrust law. 

This enforcement action and the announcement of another investigation into Google’s other market activities demonstrates the need for users of its services to carefully read their contracts with Google and be familiar with their terms of service and troubling world-wide privacy policy.  Google's terms and privacy policy allows for unfettered data mining and profiling of consumer, education, corporate, and government data. Multiple European Data Protection Authorities have already fined Google for its privacy practices and ordered Google to change it privacy policy; unfortunately that has had virtually no effect on its market behavior.

Today’s European Commission announcement is the first step in what may be a long drawn out legal process, which in theory could lead to a fine up to $6.4 billion dollars and require Google to change some of its business practices.  As a long time Google user, my hope is that Google soon begins to once again abide by its corporate motto by not being “evil”.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.
 

Thursday, April 9, 2015

Facebook faces new class action privacy lawsuit in Austria

A new class action lawsuit has been filed against Facebook in Austria by privacy advocate Max Schrems.  The lawsuit alleges that Facebook has breached EU privacy law due to its privacy practices and involvement in the NSA’s Prism program.

Max Schrems has been a thorn in Facebook's side for years.  He appeared in the documentary "Terms and Conditions May Apply" a couple of years ago where he discussed the data and metadata Facebook had collected on him and others.  Schrems has been advocating against Facebook's data collection practices for years so it will be interesting to follow this case. 

According to The Guardian, Schrems is also fighting to stop security services from gaining access to his personal data held by Facebook and other technology firms.  One of the best ways to stop Facebook and other technology firms from gaining access to his personal data without going through the proper legal channels in his home country is to support U.S. legislation such as the LEADS Act which I have previously discussed. 

The bottom line is that fighting for privacy takes a tremendous amount of time and resources.  Class action lawsuits along with new legislation are some of the arrows in the quiver that may be utilized to better protect our personal privacy and safety.  Its imperative that an international framework on how to resolve the digital privacy challenges of our times is created to ensure that these issues are provided the necessary attention.    

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Wednesday, April 1, 2015

Maryland's Student Data Privacy Act of 2015 Is Needed

The Internet and broadband access has led to many innovations in how we teach our children. During the past 10 years, K-12 schools have implemented new and exciting technologies that will help students learn and be prepared for life inside and outside of the workforce. Unfortunately, privacy law has not kept up with the technology that is being utilized by our schools because the primary student privacy law, the Family Educational Rights and Privacy Act (FERPA) was enacted in 1974 and it has not been updated to account for all of the new digital activities and metadata that is being created by students on school contracted digital platforms.

Earlier today, I testified again on behalf of a Maryland bill (HB 298) that would help better protect students' digital privacy without hampering educational technology companies with burdensome regulations.  Maryland's HB 298 is based upon California's landmark Student Online Personal Information Protection Act (SOPIPA or SB 1177).  I testified with the sponsor of the bill along with other advocates and some of my written testimony is as follows:

"House Bill 298 as passed by the House of Delegates is a positive piece of legislation that will help protect the personal privacy and safety of Maryland students and their families.  Three federal privacy statutes address student information that may be collected by and from schools:  The Family Educational Rights and Privacy Act (FERPA), the Children’s Online Privacy Protection Act (COPPA), and the Protection of Pupil Rights Amendment (PPRA).

FERPA was enacted in 1974 when student records were housed in filing cabinets.  This statute is essentially a confidentiality law designed to protect student paper records.  Forty years ago, schools didn’t have personal computers and Internet access.  FERPA was not designed to protect digital student information.  COPPA focuses on the online collection of personal information directly from children younger than 13 years old without parental consent.  The PPRA primarily address the use of certain types of data collected from in-school surveys as well as some marketing activities.   

FERPA covers “educational records” such as transcripts that were originally kept in a school principal or central district office.  The statute specifically carves out an exemption for “directory information” such as a student’s name, address, date of birth, telephone number, age, sex, and weight.  This 1974 definition of “educational records” and the directory information exclusion no longer makes sense in 2015.  Much of the data gathered and utilized by electronic based services is outside the scope of FERPA’s existing definition. 

As an example, the metadata gathered from a learning app used by a child in school is not considered an “educational record” and would not be protected by FERPA.  Under FERPA, the app maker and other third parties such as digital advertising networks may utilize the information obtained from our children’s use of school contracted online digital technologies.  This data which may include information regarding health, sexual orientation, religion, race, etc… may then be utilized by third parties to discriminate against our children when they apply to colleges, for jobs, insurance, etc…              
  
Absent stronger privacy protections for online student content, our children’s privacy will be compromised and innovative learning tools and educational technologies will face increased parent skepticism and opposition.  HB 298 as passed by the House of Delegates helps assuage parent’s fears while not stifling industry innovation.  HB 298 is modeled after California’s widely applauded Student Online Personal Information Act (SOPIPA) that has been called a “landmark” student data privacy bill by the highly regarded K-12 focused publication Education Week.    

Due to the well balanced approach that HB 298 takes, I am asking for your support of this legislation as it passed in the House of Delegates."  

Google and Facebook's representatives were lobbying to add amendments that would gut the bill's privacy protections for our children. Behind the scenes, these two companies appeared to be not just the two primary opponents of this bill but of other similar bills around the country (watch/listen to the testimony).  Google's behavior is not surprising since it has been caught by Politico spending hundreds of thousands of dollars to lobby against privacy bills that would better protect the personal privacy of students and their families around the country. Facebook's participation in this process appears to demonstrate that it wants to enter the education market. Due to Facebook's agreements with data brokers and its troubling privacy practices and policies, student data should not be entrusted on their platform.

The bottom line is that if you care about student privacy and cyber safety, our laws need to catch up with the technology that is being deployed.  To support Maryland's Student Data Privacy Act of 2015 please reach out to the senators on the Education, Health & Environmental Affairs Committee to voice your support.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Tuesday, March 24, 2015

Radio Shack's Proposed Sale Of Customer Data Violates Its Privacy Policy

Radio Shack is on life support and will soon no longer exist in its current format.  Its unfortunate that a store I grew up going to with my grandfather will soon be out of business.  Its last great hurrah was its awesome Super Bowl ad that brought back its glory days from the 1980's. 

Radio Shack is losing so much money that it has resorted to selling one of its most prized assets.  Its customers' personal information.  What is most disturbing is that despite its long stated privacy promise that "[w]e will not sell or rent your personally identifiable information to anyone at any time," this promise may be ignored in bankruptcy court

Last year, an educational technology company ConnnectEDU tried to sell the millions of records it had accumulated on young children and the FTC stepped in and fought to require it to honor its privacy promises.  My hope is that the FTC joins Texas regulators in fighting to protect Radio Shack's customers' personal information.  Personally Identifiable Information is extremely valuable and its a very positive step that regulators are beginning to understand the importance of requiring companies to honor their privacy commitments to its customers or users. 

I don't want data brokers to learn about all of the cool things I use to make with my late grandfather.  Its none of their damn business! 

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Monday, March 23, 2015

New York Times Facebook Content Deal Is A Threat To Personal Privacy

The New York Times is one of the world's most respected news organizations and one of the most popular destinations for news on the Internet.  However, I was dismayed to read in The New York Times that it may strike a deal to house some of its content inside Facebook.

This is a very troubling development for not just the media landscape but also for the freedom of thought and expression.  The ramifications of this potential deal will erode the privacy of The New York Times' readers and it will enable data brokers and their clients to create richer profiles of those who read the paper via Facebook due to Facebook's troubling deal with multiple data brokers.

When a New York Times reader utilizes Facebook to access articles, this information will be sent to Facebook's data broker partners who will insert this content into a user's digital dossier.  This data may be utilized by banks, insurance companies, employers, etc... to discriminate against people for reading about certain topics.  For example, when someone reads a lot of articles about their race, sexual orientation, health issue, religion, etc.. this data will be tracked and a data broker may provide it to one of their clients who may utilize it to decide on whether a reader is a good fit for a job. 

While ad networks and other digital tracking platforms already combine every digital morsel about users they can find, being able to track users from their personal Facebook account creates a new level of data purity that from a privacy standpoint is very troubling.  I don't want data brokers to be able to track everything that I read on The New York Times and combine that information with other personal characteristics about myself.

Due to Facebook's troubling privacy policy and practices, I do not utilize it for personal communications and I have no plans on doing so in the future.  I urge The New York Times and others who may be thinking about hosting their content on Facebook to think about these important privacy issues before finalizing any deal that may harm their users' in unanticipated ways.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Thursday, March 19, 2015

WSJ: Key FTC staff wanted to sue Google after finding ‘real harm to consumers and to innovation’

The Wall Street Journal has uncovered a never before released bombshell report that "concluded in 2012 that Google Inc. used anti-competitive tactics and abused its monopoly power in ways that harmed Internet users and competitors."  These revelations are very troubling and raise serious questions about Google's business practices that appear to warrant further investigation.

The unreleased 160-page report concluded that Google’s “conduct has resulted—and will result—in real harm to consumers and to innovation in the online search and advertising markets.”  This internal document was apparently released due to a FOIA request and appears to have not been intended for public consumption.    

According to Yelp's vice president of public policy Luther Lowe, “This document appears to show that the FTC had direct evidence from Google of intentional search bias."  The FTC received testimony from some of the largest technology companies and the evidence compiled appears very troubling.

The bottom line is that the tech business is extremely cut throat and some companies may do almost anything to obtain market share and dominance.  That may include "acting evil" and intentionally harming consumers and stifling innovation for corporate profit.

Copyright 2015 by Shear Law, LLC All rights reserved.

Tuesday, March 10, 2015

Warrants Should Be Required For Email Access

Last week, I attended the International Association of Privacy Professional’s Washington DC conference and I was impressed with the topics that were discussed.  The keynotes by journalist Glenn Greenwald and Harvard Professor Michael Sandel were top notch and so were all of the sessions that I attended. 

One panel that I found interesting was titled, “Search Warrants vs. Privacy Laws: Can They Live Together”.  The session was moderated by Professor Peter Swire of Georgia Tech and included Bruce Brown, the Executive Director of the Reporter’s Committee for Freedom of the Press; Nuala O’Connor, President of the Center for Democracy and Technology; and Andrew Pincus a partner at the international law firm of Mayer Brown. 

At first glance, this topic sounds boring and highly legalistic.  However, the issues that were discussed affects everyone who utilizes email, has a cloud based storage account, or other digital based service.  One of the questions discussed during the panel was should a warrant be required for an Internet Service Provider (ISP) to turn over an email or other digital content to law enforcement?  The answer to this question is important because under the Electronic Communications Privacy Act (ECPA) which was enacted in 1986, the government may read any email without a warrant that is more than 180 days old.     

ECPA was written approximately 8 years before The Today Show and other national media outlets started to cover the Internet or the “Information Superhighway”.  The way we communicate has drastically changed in the past 30 years.  For example, instead of sending traditional U.S. postal service mail many people send emails and utilize messaging apps and other digital technologies because these platforms are generally less expensive and faster.  Since our old school traditional paper correspondence is protected from the government absent a warrant shouldn’t our digital communications have the same protections?

Last year, in Riley v. U.S. the Supreme Court ruled 9-0 that we have an expectation of privacy in the Digital Age and that the police are generally required to obtain a warrant to search a personal digital device.  This case built upon the 2012 U.S. v. Jones case that ruled a warrant was required to place a GPS tracker onto a car.  Following the reasoning in both of these Supreme Court cases, a California federal district court ruled last week that police need a warrant to obtain access to one’s cell phone location or GPS data. 

These recent cases have signaled that we still have an expectation of privacy despite new forms of digital communications and surveillance techniques. Unfortunately, an ongoing matter that has major privacy and public policy implications has not followed the Supreme Court’s lead in recognizing the importance of establishing clear digital privacy rights. 

In Microsoft v. U.S., the company is arguing that the government must obtain a warrant or other court order in the host country of where a digital communication is located even though the company may have the capability of providing access to the document from the United States.  On page 36 of 73 in the U.S. response [that was filed on 3/9/15] to Microsoft's argument that the government must obtain a warrant to obtain access to an email it states, [b]ecause the emails sought in this investigation are now more than 180 days old the plain language of the SCA [Stored Communications Act of ECPA] would authorize the government to use a subpoena to compel disclosure of everything it sought pursuant to the Warrant."  

The government's argument is disconcerting; however, so far the courts have ruled that a warrant is not needed for emails older than 180 days.  The government's interpretation of the SCA that emails older than 180 days do not need a warrant to be turned over demonstrates that more education is needed about these issues. 

In general, the government is required to obtain a warrant or have exigent circumstances (i.e. occurs when people are in imminent danger, when evidence may be destroyed, or when a suspect is on the run) to be able to gain entrance into your tangible property (i.e. your home, or car, etc..) so it should be required to obtain a warrant to gain access to your digital property (i.e. your email account, cloud storage, etc...).   

As a hedge against the courts continuing to follow an outdated and unconstitutional law (the SCA), its time to support a long overdue legislative fix to the situation.  The bipartisan Law Enforcement Access to Data Stored Abroad  Act (LEADS Act) follows a common sense philosophy that by properly balancing law enforcement’s need to obtain access to digital data with our privacy.  The Act would update the SCA of ECPA to account for the changes in technology that have occurred during the past 30 years and how we communicate with each other. 

In general, it takes time before the law catches up with the capabilities of technology.  This is true across many industries.  However, we must not forget that we still have an expectation of privacy in the Digital Age and now is the time to stand up for that right.  If it becomes law, the LEADS Act will signal to the rest of the world that the U.S. is serious about taking a leadership role in protecting the privacy rights of Internet users not just here but also around the globe.

Copyright 2015 by Shear Law, LLC All rights reserved.

Friday, February 27, 2015

White House Releases Disappointing Consumer Privacy Draft Bill

Privacy in school, at home, and at work has become a very hot topic over the past several years due to the increased amount of our everyday activities that are being digitized.  Earlier today, The White House released an administration discussion draft of the President's vision for enhanced consumer privacy protections.  Unfortunately, the proposal appears to fall short. 

According to Jeff Chester of the Center for Digital Democracy, the draft is "a big victory for the tech industry because it really sidelines the FTC and removes it as an effective force."  Alvaro Bedoya, director of the Center on Privacy and Technology at Georgetown's law school believes that Obama's bill may preempt state laws, in favor of letting companies collect what they want as long as they maintain some level of transparency.  These concerns are very real and demonstrates that The White House needs to rethink its approach. 

The FTC also weighed in and stated, "[w]e are pleased that the Administration has made consumer privacy a priority, and this legislative proposal provides a good starting point for further discussion. However, we have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy. We look forward to working with Congress and the Administration to strengthen the proposal.”

I agree with above sentiments and hope this draft spurs a robust conversation on digital privacy and technology.  Absent stronger privacy protections, digital platform users will be discriminated against based upon their age, race, religion, sex, sexual orientation, physical/mental impairments, etc....There needs to be not only mandatory industry transparency but also stronger regulation on data collection and utilization practices.  Federal legislation should be a floor and not a ceiling for privacy protections and the FTC needs to be provided enhanced regulatory enforcement powers.

I want my children to grow up with the same expectation of privacy I had as a kid and I don't want them to fear that their emails, Internet searches, and digital activity will be utilized to create robust profiles about them which will affect their schooling, career prospects, and ability to obtain insurance, etc...

I fight for our digital privacy because it is the right thing to do.  I encourage those who believe we have an expectation of privacy in the Digital Age to contact The White House and their federal and state lawmakers to tell them to make stronger digital privacy protections a priority this year. 

Copyright 2015 by Shear Law, LLC All rights reserved.