Friday, February 27, 2015

White House Releases Disappointing Consumer Privacy Draft Bill

Privacy in school, at home, and at work has become a very hot topic over the past several years due to the increased amount of our everyday activities that are being digitized.  Earlier today, The White House released an administration discussion draft of the President's vision for enhanced consumer privacy protections.  Unfortunately, the proposal appears to fall short. 

According to Jeff Chester of the Center for Digital Democracy, the draft is "a big victory for the tech industry because it really sidelines the FTC and removes it as an effective force."  Alvaro Bedoya, director of the Center on Privacy and Technology at Georgetown's law school believes that Obama's bill may preempt state laws, in favor of letting companies collect what they want as long as they maintain some level of transparency.  These concerns are very real and demonstrates that The White House needs to rethink its approach. 

The FTC also weighed in and stated, "[w]e are pleased that the Administration has made consumer privacy a priority, and this legislative proposal provides a good starting point for further discussion. However, we have concerns that the draft bill does not provide consumers with the strong and enforceable protections needed to safeguard their privacy. We look forward to working with Congress and the Administration to strengthen the proposal.”

I agree with above sentiments and hope this draft spurs a robust conversation on digital privacy and technology.  Absent stronger privacy protections, digital platform users will be discriminated against based upon their age, race, religion, sex, sexual orientation, physical/mental impairments, etc....There needs to be not only mandatory industry transparency but also stronger regulation on data collection and utilization practices.  Federal legislation should be a floor and not a ceiling for privacy protections and the FTC needs to be provided enhanced regulatory enforcement powers.

I want my children to grow up with the same expectation of privacy I had as a kid and I don't want them to fear that their emails, Internet searches, and digital activity will be utilized to create robust profiles about them which will affect their schooling, career prospects, and ability to obtain insurance, etc...

I fight for our digital privacy because it is the right thing to do.  I encourage those who believe we have an expectation of privacy in the Digital Age to contact The White House and their federal and state lawmakers to tell them to make stronger digital privacy protections a priority this year. 

Copyright 2015 by Shear Law, LLC All rights reserved.

Thursday, February 19, 2015

Maryland's Student Data Privacy Act of 2015

Last fall, California enacted what Education Week called a "landmark" student-data privacy law (SB 1177).  This was passed because some educational technology companies were caught abusing their access to personal student data

As a parent, the digital privacy of my children is very important.  I don't want an educational technology vendor using my kids' school created digital data for behavioral advertising or for profiling purposes that may be utilized to discriminate against them in the future.  The Family Educational Educational Rights and Privacy Act (FERPA) was enacted in 1974 and has not kept up with the innovative digital learning technologies that are becoming more widely available for our students. 

Today, schools utilize cloud-based technologies, apps, and other digital services to teach our children.  Unfortunately, metadata created from these platforms is not considered an educational record under FERPA and thus not protected from the prying eyes of advertisers and others who covet this rich information.  Therefore, students and their families need stronger legal privacy protections.  Absent more robust student privacy laws, our children's privacy and safety will be compromised and innovative learning and educational technologies will face increased parent skepticism and opposition. 

Maryland, a state that has vied with California to be a national leader in digital privacy protection recently introduced the Student Privacy Act of 2015.  The bill is modeled after California's groundbreaking SB 1177.  Mark Schneiderman, senior director of education policy for the Software & Information Industry Association said California's SB 1177 "seems to generally strike the right balance".  Thus, the SIIA should hold the same position on Maryland's student data privacy act. 

Last month, President Obama gave a historic speech at the FTC about his privacy agenda for the last two years of his term.  In regards to student privacy the President stated: "But we’ve already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising.  And parents have a legitimate concern about those kinds of practices.

So, today, we’re proposing the Student Digital Privacy Act. That's pretty straightforward.  We’re saying that data collected on students in the classroom should only be used for educational purposes -— to teach our children, not to market to our children. We want to prevent companies from selling student data to third parties for purposes other than education.  We want to prevent any kind of profiling that outs certain students at a disadvantage as they go through school."

Congress is also concerned about student privacy issues.  On February 12, 2015, it held a hearing entitled, "How Emerging Technology Affects Student Privacy".  The testimony during the hearing demonstrated that FERPA needs to be updated.  While my hope is that one day Congress passes stronger student privacy legislation, I am not optimistic in the short term due to all of the acrimony on Capitol Hill. 

Until this occurs, states such as Maryland must fill this void and step up to protect the digital privacy and cyber security of our kids. 

Copyright 2015 by Shear Law, LLC All rights reserved.

Monday, February 16, 2015

Law Enforcement Access To Data Stored Abroad Act Introduced

Late last week, Sen. Orrin Hatch of Utah introduced the Law Enforcement Access To Data Stored Abroad Act (LEADS Act) which would require law enforcement to obtain a warrant under the Electronic Communication Privacy Act (ECPA) to obtain the content of subscriber communications from an electronic communications or cloud computing service.  According to Sen. Hatch, the legislation would "strengthen privacy in the digital age and promote trust in US technologies worldwide by safeguarding data stored abroad, while still enabling law enforcement to fulfill its important public safety mission".

The LEADS Act appears to have been introduced in response to an ongoing federal court case that required a U.S. email service provider to turn over customer emails that are stored in Ireland in response to a U.S. warrant instead of going through the proper legal channels in Ireland.  This ruling was very troubling because it disregarded European digital privacy laws.  Unless this decision is reversed, it may encourage foreign countries to ignore U.S. privacy laws when demanding access to their citizens digital content that is located in the U.S.    

The passage of the LEADS Act is needed not only to better protect digital privacy, but also from a business perspective.  According to The New York Times, the U.S. cloud computing industry may lose tens of billions of dollars in business because international companies and governments have lost confidence in U.S. technology companies due to the NSA surveillance programs that Edward Snowden exposed in 2013.  Forrester Research has indicated that these losses could be as high as $180 billion dollars for U.S. based firms.

As a lawyer who focuses on privacy and cyber security matters, I have seen some of my clients change their communication habits based upon the information obtained from the NSA documents leaked by Snowden.  Even though I am a proponent of utilizing cloud platforms, due to the troubling state of our digital privacy protections and an increase in hacking incidents, I have been encouraging some of my clients to conduct more business in person and/or on the phone until the U.S. enacts stronger digital privacy laws.  In some instances, I am advising clients to go "old school" and send more physical packages via personal courier or a trusted commercial parcel service.

Unless there are digital exigent circumstances, the government should generally be required to obtain a warrant to access our electronic communications.  Since law enforcement officials generally need a warrant to search our physical homes and businesses, the same standard should apply to our digital homes and businesses.

The LEADS Act is a sensible bill that will help protect online privacy and bring digital public policy into the 21st century.  With more of our personal and business communications occurring digitally, it is imperative that our electronic communications receive the same protections as our "old school" pen and paper documents.

Copyright 2015 by Shear Law, LLC All rights reserved.  

Tuesday, February 10, 2015

Student Forced To Change Schools Because His Social Media Activity Indicated His Sexual Orientation

The Social Media Age has drastically changed how we interact with others and how we express ourselves.  For example, we may connect professionally on LinkedIn, like a product or service on Facebook, or we may film videos about our thoughts and activities and post them on YouTube.  These platforms were not available to us just 15 years ago.

While the Social Media Age has created tremendous new opportunities to do business, communicate with others, and express ourselves, there is also a dark side to all of this sharing and connectedness. Its plain old discrimination.  According to The Daily Mail, a Texas teen was told to delete his YouTube account and other social media accounts because it showed what the school alleged stated was a  "sinful" lifestyle.  This so called "sinful" lifestyle was that the teenager was gay.  Instead of deleting his social media accounts the student transferred to another school.     

This situation is very troubling and further demonstrates the need for students to have stronger privacy protections in the Social Media Age.  While it may be easy to identify a student based upon seeing them in a video uploaded to YouTube or other digital platforms, absent a student being required to authenticate their personal social media accounts it may be difficult to identify their Facebook or Twitter accounts because anyone can create a fake account.    

The bottom line is that students deserve stronger personal digital legal protections in the Social Media Age and schools should not be required to become the Social Media Police.  Maryland's  HB 210:  Educational Institutions-Personal Electronic Account-Privacy Protection which was introduced by State Senator Ronald Young would go a long way in achieving these goals.  The bill would help protect the personal digital privacy of students while at the same time providing schools a legal liability shield against claims that they have a legal duty to police their students' personal digital behavior.

To support MD HB 210 I urge you to reach out to Senator Young's office for more information. 

Copyright 2015 by Shear Law, LLC All rights reserved.

Sunday, February 1, 2015

Emoji Evidence Important in Silk Road Trial

Have you ever sent a text or email with an emoji?  For those who don't know what an emoji is, it is a small picture that helps demonstrate an emotion.  Some examples include a smiley face or a frown that is included at the end of a text or inside of an email. 

An emoji or emoticon should only be inserted after carefully weighing the potential legal consequences.  Every time you insert a smiley face or frown in a text or email you need to realize that it may be utilized as digital evidence.  An emoticon may create tremendous legal liability for the sender.

For example, during the Silk Road trial emoji evidence has become an important issue.  While video and phone call/audio recordings have been introduced as evidence during legal proceedings for years, digital evidence is now coming into its own.  During the past 15 years, emails, text messages, and other digital created data has grown in importance.  This change has occurred since we now communicate more and more on digital platforms.

The bottom line is that not only may written or spoken words may come back to haunt someone in a legal proceeding but also alleged emotions based upon an emojis or other symbols.  Therefore, it is imperative to be very careful when utilizing emoticons and/or symbols on digital platforms.  

Copyright 2015 by Shear Law, LLC All rights reserved.

Tuesday, January 20, 2015

Kids Digital Privacy and Cyber Security Highlighted in State Of The Union

During President Obama's State of the Union Address this evening the importance of children's digital privacy and cyber security was highlighted.  According to The White House Medium account, the President's official prepared address stated,

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."

Since more of our personal information is being housed in digital cloud based platforms, the President's comments are a welcome development.  When the President's State of the Union Address is combined with his recent historic speech at the FTC that discussed the need for stronger student privacy laws, I am optimistic more attention will be paid to these very important issues in the near future.

Copyright 2015 by Shear Law, LLC All rights reserved.

Monday, January 19, 2015

Will the FTC Investigate Turn and Verizon Wireless For Privacy Killing Zombie Cookies?

A very troubling recent ProPublica investigation found that Turn, an online advertising company is "using tracking cookies [i.e. "Zombie Cookies"] that come back to life after Verizon [Wireless] users have deleted them."  These revelations are very troubling and demonstrate why stronger privacy laws are needed and why state and federal regulators need to investigate and take action against those companies that abuse their access to our personal information.

According to ProPublica, "Some users try to block such tracking by turning off or deleting cookies. But Turn says that when users clear their cookies, it does not consider that a signal that users want to opt out from being tracked....Turn executives said the only way users can opt out is to install a Turn opt-out cookie on their machine. That cookie is not designed to prevent Turn from collecting data about a user - only to prevent Turn from showing targeted ads to that user.  ProPublica's tests showed that even Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie as well. Turn said despite the appearance of the tracking cookie, it continues to honor the opt-out cookie.  Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out.  But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed."

Within a couple of days of ProPublica's excellent investigation, Turn announced that it "would stop using tracking cookies [i.e. Zombie Cookies] that are impossible to delete."  While this is a welcome development there are many questions left unanswered.  For example:
How long was Turn using Zombie Cookies?
What information was Turn's Zombie Cookies collecting and how was it being utilized?
Will Turn permanently delete all the data its Zombie Cookies collected?
How can we verify that the Zombie Cookie program has been terminated?
How can Turn be trusted not to create similar programs that are as troubling as the Zombie Cookie?

Zombie and Super Cookies are not only a threat to our personal privacy, they are also a threat to our personal safety and may lead to hidden discrimination against people based upon their race, religion, sexual orientation, age, health, etc...

Last week, during President Obama's history making privacy speech at the FTC he stated, "[i]f we are going to be connected we need to be protected."  Will Turn and its advertising clients change its practices and heed the President's call to better protect our privacy?

Copyright 2015 by Shear Law, LLC All rights reserved.

Monday, January 12, 2015

President Obama Proposes The Student Digital Privacy Act

In a very positive development, President Obama earlier today proposed The Student Digital Privacy Act.  According to The New York Times, the Act would "prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software".

During the President's speech today at the FTC, he stated, "Our children are meeting and growing up in cyberspace", and  "here at the FTC, you’ve pushed back on companies and apps that collect information on our kids without permission"... and "we need our kids privacy protected." 

The President's speech appears to indicate that he is aware that Google and others have abused access to personal student data.  For example, in March of 2013, Google admitted to Education Week that it was data mining student emails for advertising purposes.  Soon after this was uncovered, a media firestorm erupted and subsequently Google allegedly changed its practices.  Therefore, when the President mentioned, "[b]ut we’ve already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising" was he referring to Google?

President Obama stated, "I want to encourage every company that provides these technologies to our schools to join this effort.  It’s the right thing to do.  And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort. So, this mission, protecting our information and privacy in the Information Age, this should not be a partisan issue.  This should be something that unites all of us as Americans."

I applaud the President and his team for recognizing the importance of student digital privacy and his willingness to make the issue an important part of his legislative agenda during his final two years in office.  As a parent, I want my children to be able to utilize the most advanced digital learning tools available.  However, our kids should not have to compromise their personal privacy and/or safety to utilize new digital technologies.

While I am optimistic about the opportunity for stronger student privacy protections to become law, I know there is a lot of work ahead.  Therefore, it is imperative for students, parents, teachers, school administrators, privacy advocates, and education technology vendors to work with regulators, lawmakers, and the President to enact a thoughtful and forward thinking bill into law.

Copyright 2015 by Shear Law, LLC All rights reserved. 

Sunday, January 11, 2015

French Police Told To Erase Social Media Profiles

According to CNN, "French law enforcement officers have been told to erase their social media presence and to carry their weapons at all times because terror sleeper cells have been activated over the last 24 hours in the country".  The Charlie Hebdo terrorist attack and subsequent terrorist attacks on civilian targets in France have led the police to rethink cyber safety and security in the country.

The order to erase social media profiles in France is not unique.  Last November, UK police officers were told not to discuss their jobs on social media.  In 2009, the Pentagon mulled banning soldiers using social media and in 2011 China banned its soldiers from using social media.  

I believe it is time for the U.S. military, federal and state government agencies, and law enforcement officials re-evaluate their social media policies.  Privacy is not just cool but a necessity for personal safety and national security. 

Too many self-described social media experts/consultants/ninjas/gurus/etc....are telling people how important it is to create detailed public LinkedIn profiles, share your most personal information on Facebook, Google+, Instagram, Twitter, etc...  Some of the phrases these "experts" utilize when providing their advice include, "social media is about a conversation", "be authentic", "sharing is caring", etc...  Don't trust any social media consultant who shares too much personal information online and/or uses Twitter or other digital platforms to have regular public conversations.

It is time for Internet users to re-evaluate their relationship with social media and digital platforms that are not created with a privacy first mentality.  Privacy is hip and in because sharing too much may destroy your reputation, get you fired, or get you killed.  Therefore, you need to ask yourself if its time to limit or erase any of your social media profiles.   

Copyright 2015 by Shear Law, LLC All rights reserved.

Saturday, January 10, 2015

Do You Really Want to Destroy Your Privacy By Using A Social Login?

In general, when signing into a website to check your personal account, you need to use a unique user name/password.  However, for years other sign in options have included to sign in with your Facebook, Google, LinkedIn, etc... account.  This other option is called a social login. 

According to VentureBeat, Google is catching up to Facebook in market share regarding social logins.  Facebook has 43% of the market while Google has 40%.  Social logins have proliferated because companies want to track you for monetization purposes.

I don't use social logins and I don't recommend anyone who values their privacy to utilize social logins.  Facebook and Google are advertising companies that sell your personal data points for profit. Facebook is selling your personal information to data brokers and Google has paid tens of millions of dollars in fines for intentionally misleading users about its privacy practices.

There is no reason to sign into non-Facebook/non-Google websites with a Facebook or Google social login.  These companies may send your personal information to data brokers, insurance companies, the police, employers, etc...

Will 2015 be the year that users wise up and avoid social logins? 

Copyright 2015 by Shear Law, LLC All rights reserved.

Wednesday, December 31, 2014

10 Social Media Privacy New Year's Resolutions

I have listed below 10 New Year's resolutions for those who want to better protect their personal privacy in the Social Media Age:

1)    Limit social sharing.  Privacy is cool and hip and sharing too much is not.
2)    Don't take nude selfies.
3)    Send fewer emails and make more phone calls and have more face to face meetings.
4)    Use disappearing apps cautiously.
5)    Keep your smartphone location off unless using it for directions.
6)    Don't trust apps or online services that have bad privacy policies/practices.
7)    Don't trust Facebook with your personal information because its agreements with data brokers destroy your privacy.
8)   Don't trust Google's Gmail, Apps, etc... because its privacy policy allows for unfettered data mining and user profile creation that destroy your privacy. 
9)    Limit Twitter and other public social media conversations.
10)  Advocate for stronger digital privacy laws.  Lawmakers and regulators need to hear your voice!  

These 10 recommendations are the tip of the ice berg.  Data brokers, employers, schools, insurance companies, financial firms, law enforcement, etc... are watching your social media profile so limit your digital footprint.  In the Social Media Age, this famous proverb should still be followed:  "Better to remain silent and be thought a fool than to speak and to remove all doubt."

Wishing you all a happy and healthy 2015 and beyond!

Copyright 2014 by Shear Law, LLC All rights reserved.

Tuesday, December 30, 2014

Dog Left on Tarmac By United Airlines Angers Twitterverse

Do you remember the catchy song, "United Breaks Guitars"?  Did United Airlines forgot about that incident from 2008 that was made into a song in 2009 by a customer whose guitar was broken while he flew with them?  The video has been seen more than 14 million times in the past 5 years.

The latest social media incident to hit United Airlines is a photo of a dog sitting on the tarmac in the Houston, Texas airport while it is raining.  While the angle of the photo makes it hard to discern how wet the dog was getting, the optics don't look good.  The initial Tweet about the incident was ret-tweeted more than fifteen hundred times and then re-tweeted by countless others.  In addition, news organizations around the world such as The Daily Mail, and The New York Daily News, The New York Post, etc... picked up the story and wrote about it.

The bottom line is that companies large and small must realize that one wrong move can create a major negative pubic relations event.  Will this harm United's bottom line?  Most likely not since the entire industry is seeing record profits, and now that oil prices are falling airline profits are soaring ever higher.

While this social media incident may not hurt United Airline's financially, due to current market conditions, it has become part and parcel of its history the next time a social media incident occurs.  Therefore, it is imperative to ensure that employees are trained in how to properly deal with social media incidents.     

Copyright 2014 by Shear Law, LLC All rights reserved.

California's New Digital "Eraser Button" Law

On January 1, 2015, California's SB 568 Privacy Rights For California's Minors in The Digital World goes into effect.  The bill was signed in September 2013 and gave website operators a little more than a year to ensure that they have the ability to comply with the new law.

In general, SB 568, seeks to protect minors by generally prohibiting operators of digital platforms (such as web sites, online services, online applications, mobile apps, etc...) from knowingly marketing and advertising to a minor a broad range of products specified in the law.  Some of these products may include alcoholic beverages, firearms, ammunition, tobacco products, fireworks, lottery tickets, tattoos, drug paraphernalia.  The new law requires operators of digital platforms to notify minors of their rights to remove content or information they posted and honor their requests to remove such data, subject to specified conditions and exceptions.

At first glance, this new law doesn't appear to have much teeth.  For example, the law doesn't appear to have an enforcement mechanism and it is silent about a private right of action against those who may violate the law.  Therefore, when this new law is allegedly violated how does one go about rectifying the situation?    

While SB 568 may help protect California minors from some digital mistakes that may harm their ability to gain acceptance into the college of their dreams, it should not replace educating our children about the digital issues that they confront every day.

Copyright 2014 by Shear Law, LLC All rights reserved. 

Friday, December 26, 2014

Facebook Message Scanning Lawsuit Moves Forward

According to Reuters, U.S. District Judge Phyllis Hamilton in Oakland, California recently ruled that a lawsuit alleging Facebook violates its users privacy by illegally scanning the contents of  messages sent on its platform for advertising purposes may move forward.  This lawsuit appears to sound similar to a recent lawsuit against Google for scanning users emails for advertising purposes.   

It appears that Facebook is claiming that the scanning of emails for advertising purposes is "an ordinary business practice".  Only in the world of Facebook and Google is scanning personal messages for advertising purposes an acceptable "ordinary business practice."  Is it an ordinary business practice for the U.S. Postal Service, Federal Express, United Parcel Service, etc... to scan the contents of their packages to build user profiles about senders/receivers for advertising and other purposes?  Of course not.  Therefore, why do some digital based companies believe this practice is ordinary and should be legal?

According to ArsTecnica, the court "read Facebook's entire terms of service. And, in this case, their vague language—typically used to provide broad immunity—became a liability: "[the document] does not establish that users consented to the scanning of their messages for advertising purposes, and in fact, makes no mention of 'messages' whatsoever." Thus, the plaintiffs may have had reason to expect that their messages would remain private. And, although the practice may have been discontinued, the plaintiffs allege that Facebook could start scanning messages again whenever it wanted to."

On Facebook's home page it states, "Connect with friends and the world around you on Facebook".  Nowhere does it state that your messages will be scanned for advertising purposes.  Should Facebook and other digital properties such as Google that are actually digital advertising platforms that masquerade as other services be required to have clear warnings every time a user sends and/or opens up a message (or uses other services) from their platform?  The FDA recently created new calorie labeling rules to better inform Americans about the foods they eat so should the FTC create rules that require digital platforms to be more transparent about their practices to better protect the privacy and safety of its citizens?   

The biggest challenge for plaintiffs moving forward may be to identify how Facebook's actions have financially harmed them.  Unfortunately, the court system in general has been slow to recognize privacy harms absent a direct monetary loss from a practice.  Will the Sony Hack change this mentality?  We may find out in the new year.  

Copyright 2014 by Shear Law, LLC.  All rights reserved.

Court: Police May Create Fake Social Media Profiles To Catch Criminals

According to CNN, a federal judge recently ruled that law enforcement officials may create fake social media profiles to obtain access to a suspect's social media account.  The police may entice suspects to "friend" them and use the information gleaned from their Facebook, Instagram, etc... accounts against them in court. 

This ruling is not surprising.  The police have utilized moles and undercover agents to gain access to crime syndicates and gangs for years and this ruling appears to extend this practice to the Digital Age.  As long as the "friending" is mutual, meaning that a suspect allows a "fake profile" to access their account the "search" may be deemed consensual.

Facebook has protested law enforcement's use of fake profiles in the past.  For example, several months ago, Facebook sent a letter to the DEA to demand that it stop creating fake accounts on their platform.  Facebook cares about this issue, not because of the privacy implications to its users, but because it may interfere with its ability to monetize the data being created on their platforms.  A fake account is worthless to data brokers, advertisers, etc....

I don't encourage anyone who values their privacy to utilize Facebook to post personal information.  Everything one posts to Facebook may end up in the hands of data brokers, law enforcement officials, etc... Facebook is an advertising platform and its users are the products it sells to marketers and data brokers.  I don't trust Facebook with my personal information.  Should you?

Copyright 2014 by Shear Law, LLC.  All rights reserved.