Tuesday, January 20, 2015

Kids Digital Privacy and Cyber Security Highlighted in State Of The Union

During President Obama's State of the Union Address this evening, the importance of children's digital privacy and cyber security was highlighted. According to The White House Medium account, the President's official prepared address stated,

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."

Since more of our personal information is being housed in digital cloud-based platforms, the President's comments are a welcome development. When the President's State of the Union Address is combined with his recent historic speech at the FTC that discussed the need for stronger student privacy laws, I am optimistic that more attention will be paid to these very important issues in the near future.

Copyright 2015 by Shear Law, LLC All rights reserved.

Monday, January 19, 2015

Will the FTC Investigate Turn and Verizon Wireless For Privacy Killing Zombie Cookies?

A very troubling recent ProPublica investigation found that Turn, an online advertising company, is "using tracking cookies [i.e. "Zombie Cookies"] that come back to life after Verizon [Wireless] users have deleted them." These revelations demonstrate why stronger privacy laws are needed and why state and federal regulators need to investigate and take action against those companies that abuse their access to our personal information.

According to ProPublica, "Some users try to block such tracking by turning off or deleting cookies. But Turn says that when users clear their cookies, it does not consider that a signal that users want to opt out from being tracked....Turn executives said the only way users can opt out is to install a Turn opt-out cookie on their machine. That cookie is not designed to prevent Turn from collecting data about a user - only to prevent Turn from showing targeted ads to that user.  ProPublica's tests showed that even Verizon users who installed the Turn opt-out cookie continued to receive the Turn tracking cookie as well. Turn said despite the appearance of the tracking cookie, it continues to honor the opt-out cookie.  Initially, Turn officials also told ProPublica that its zombie cookie had a benefit for users: They said they were using the Verizon number to keep track of people who installed the Turn opt-out cookie, so that if they mistakenly deleted it, Turn could continue to honor their decisions to opt out.  But when ProPublica tested that claim on the industry's opt-out system, we found that it did not show Verizon users as opted out. Turn subsequently contacted us to say it had fixed what it said was a glitch, but our tests did not show it had been fixed."

Within a couple of days of ProPublica's excellent investigation, Turn announced that it "would stop using tracking cookies [i.e. Zombie Cookies] that are impossible to delete."  While this is a welcome development there are many questions left unanswered.  For example:
How long was Turn using Zombie Cookies?
What information was Turn's Zombie Cookies collecting and how was it being utilized?
Will Turn permanently delete all the data its Zombie Cookies collected?
How can we verify that the Zombie Cookie program has been terminated?
How can Turn be trusted not to create similar programs that are as troubling as the Zombie Cookie?

Zombie and Super Cookies are not only a threat to our personal privacy, they are also a threat to our personal safety and may lead to hidden discrimination against people based upon their race, religion, sexual orientation, age, health, etc...

Last week, during President Obama's history-making privacy speech at the FTC, he stated, "[i]f we are going to be connected we need to be protected." Will Turn and its advertising clients change their practices and heed the President's call to better protect our privacy?

Monday, January 12, 2015

President Obama Proposes The Student Digital Privacy Act

In a very positive development, President Obama earlier today proposed The Student Digital Privacy Act.  According to The New York Times, the Act would "prohibit technology firms from profiting from information collected in schools as teachers adopt tablets, online services and Internet-connected software".

During the President's speech today at the FTC, he stated, "Our children are meeting and growing up in cyberspace", and "here at the FTC, you’ve pushed back on companies and apps that collect information on our kids without permission"... and "we need our kids' privacy protected."

The President's speech appears to indicate that he is aware that Google and others have abused access to personal student data.  For example, in March of 2013, Google admitted to Education Week that it was data mining student emails for advertising purposes.  Soon after this was uncovered, a media firestorm erupted and subsequently Google allegedly changed its practices.  Therefore, when the President mentioned, "[b]ut we’ve already seen some instances where some companies use educational technologies to collect student data for commercial purposes, like targeted advertising" was he referring to Google?

President Obama stated, "I want to encourage every company that provides these technologies to our schools to join this effort.  It’s the right thing to do.  And if you don’t join this effort, then we intend to make sure that those schools and those parents know you haven’t joined this effort. So, this mission, protecting our information and privacy in the Information Age, this should not be a partisan issue.  This should be something that unites all of us as Americans."

I applaud the President and his team for recognizing the importance of student digital privacy and his willingness to make the issue an important part of his legislative agenda during his final two years in office.  As a parent, I want my children to be able to utilize the most advanced digital learning tools available.  However, our kids should not have to compromise their personal privacy and/or safety to utilize new digital technologies.

While I am optimistic about the opportunity for stronger student privacy protections to become law, I know there is a lot of work ahead. Therefore, it is imperative for students, parents, teachers, school administrators, privacy advocates, and education technology vendors to work with regulators, lawmakers, and the President to enact a thoughtful and forward-thinking bill into law.

Sunday, January 11, 2015

French Police Told To Erase Social Media Profiles

According to CNN, "French law enforcement officers have been told to erase their social media presence and to carry their weapons at all times because terror sleeper cells have been activated over the last 24 hours in the country".  The Charlie Hebdo terrorist attack and subsequent terrorist attacks on civilian targets in France have led the police to rethink cyber safety and security in the country.

The order to erase social media profiles in France is not unique. Last November, UK police officers were told not to discuss their jobs on social media. In 2009, the Pentagon mulled banning soldiers from using social media, and in 2011 China banned its soldiers from using social media.

I believe it is time for the U.S. military, federal and state government agencies, and law enforcement officials to re-evaluate their social media policies. Privacy is not just cool but a necessity for personal safety and national security.

Too many self-described social media experts/consultants/ninjas/gurus/etc... are telling people how important it is to create detailed public LinkedIn profiles and share your most personal information on Facebook, Google+, Instagram, Twitter, etc... Some of the phrases these "experts" utilize when providing their advice include "social media is about a conversation", "be authentic", "sharing is caring", etc... Don't trust any social media consultant who shares too much personal information online and/or uses Twitter or other digital platforms to have regular public conversations.

It is time for Internet users to re-evaluate their relationship with social media and digital platforms that are not created with a privacy-first mentality. Privacy is hip and in because sharing too much may destroy your reputation, get you fired, or get you killed. Therefore, you need to ask yourself if it's time to limit or erase any of your social media profiles.

Saturday, January 10, 2015

Do You Really Want to Destroy Your Privacy By Using A Social Login?

In general, when signing into a website to check your personal account, you need to use a unique user name/password. However, for years other sign-in options have included signing in with your Facebook, Google, LinkedIn, etc... account. This other option is called a social login.

According to VentureBeat, Google is catching up to Facebook in market share regarding social logins.  Facebook has 43% of the market while Google has 40%.  Social logins have proliferated because companies want to track you for monetization purposes.

I don't use social logins and I don't recommend that anyone who values their privacy utilize social logins. Facebook and Google are advertising companies that sell your personal data points for profit. Facebook is selling your personal information to data brokers and Google has paid tens of millions of dollars in fines for intentionally misleading users about its privacy practices.

There is no reason to sign into non-Facebook/non-Google websites with a Facebook or Google social login.  These companies may send your personal information to data brokers, insurance companies, the police, employers, etc...

Will 2015 be the year that users wise up and avoid social logins? 

Wednesday, December 31, 2014

10 Social Media Privacy New Year's Resolutions

I have listed below 10 New Year's resolutions for those who want to better protect their personal privacy in the Social Media Age:

1)    Limit social sharing.  Privacy is cool and hip and sharing too much is not.
2)    Don't take nude selfies.
3)    Send fewer emails and make more phone calls and have more face to face meetings.
4)    Use disappearing apps cautiously.
5)    Keep your smartphone location off unless using it for directions.
6)    Don't trust apps or online services that have bad privacy policies/practices.
7)    Don't trust Facebook with your personal information because its agreements with data brokers destroy your privacy.
8)    Don't trust Google's Gmail, Apps, etc... because its privacy policy allows for unfettered data mining and user profile creation that destroy your privacy.
9)    Limit Twitter and other public social media conversations.
10)  Advocate for stronger digital privacy laws.  Lawmakers and regulators need to hear your voice!  

These 10 recommendations are the tip of the iceberg. Data brokers, employers, schools, insurance companies, financial firms, law enforcement, etc... are watching your social media profile, so limit your digital footprint. In the Social Media Age, this famous proverb should still be followed: "Better to remain silent and be thought a fool than to speak and to remove all doubt."

Wishing you all a happy and healthy 2015 and beyond!

Copyright 2014 by Shear Law, LLC All rights reserved.

Tuesday, December 30, 2014

Dog Left on Tarmac By United Airlines Angers Twitterverse

Do you remember the catchy song, "United Breaks Guitars"? Did United Airlines forget about that incident from 2008 that was made into a song in 2009 by a customer whose guitar was broken while he flew with them? The video has been seen more than 14 million times in the past 5 years.

The latest social media incident to hit United Airlines is a photo of a dog sitting on the tarmac in the Houston, Texas airport while it is raining. While the angle of the photo makes it hard to discern how wet the dog was getting, the optics don't look good. The initial Tweet about the incident was re-tweeted more than fifteen hundred times and then re-tweeted by countless others. In addition, news organizations around the world such as The Daily Mail, The New York Daily News, The New York Post, etc... picked up the story and wrote about it.

The bottom line is that companies large and small must realize that one wrong move can create a major negative public relations event. Will this harm United's bottom line? Most likely not, since the entire industry is seeing record profits, and now that oil prices are falling airline profits are soaring ever higher.

While this social media incident may not hurt United Airlines financially due to current market conditions, it has become part and parcel of its history the next time a social media incident occurs. Therefore, it is imperative to ensure that employees are trained in how to properly deal with social media incidents.

California's New Digital "Eraser Button" Law

On January 1, 2015, California's SB 568 Privacy Rights For California's Minors in The Digital World goes into effect.  The bill was signed in September 2013 and gave website operators a little more than a year to ensure that they have the ability to comply with the new law.

In general, SB 568 seeks to protect minors by prohibiting operators of digital platforms (such as web sites, online services, online applications, mobile apps, etc...) from knowingly marketing and advertising to a minor a broad range of products specified in the law. Some of these products may include alcoholic beverages, firearms, ammunition, tobacco products, fireworks, lottery tickets, tattoos, and drug paraphernalia. The new law requires operators of digital platforms to notify minors of their rights to remove content or information they posted and to honor their requests to remove such data, subject to specified conditions and exceptions.

At first glance, this new law doesn't appear to have much teeth.  For example, the law doesn't appear to have an enforcement mechanism and it is silent about a private right of action against those who may violate the law.  Therefore, when this new law is allegedly violated how does one go about rectifying the situation?    

While SB 568 may help protect California minors from some digital mistakes that may harm their ability to gain acceptance into the college of their dreams, it should not replace educating our children about the digital issues that they confront every day.

Friday, December 26, 2014

Facebook Message Scanning Lawsuit Moves Forward

According to Reuters, U.S. District Judge Phyllis Hamilton in Oakland, California recently ruled that a lawsuit alleging Facebook violates its users' privacy by illegally scanning the contents of messages sent on its platform for advertising purposes may move forward. This lawsuit appears to sound similar to a recent lawsuit against Google for scanning users' emails for advertising purposes.

It appears that Facebook is claiming that the scanning of emails for advertising purposes is "an ordinary business practice".  Only in the world of Facebook and Google is scanning personal messages for advertising purposes an acceptable "ordinary business practice."  Is it an ordinary business practice for the U.S. Postal Service, Federal Express, United Parcel Service, etc... to scan the contents of their packages to build user profiles about senders/receivers for advertising and other purposes?  Of course not.  Therefore, why do some digital based companies believe this practice is ordinary and should be legal?

According to Ars Technica, the court "read Facebook's entire terms of service. And, in this case, their vague language—typically used to provide broad immunity—became a liability: "[the document] does not establish that users consented to the scanning of their messages for advertising purposes, and in fact, makes no mention of 'messages' whatsoever." Thus, the plaintiffs may have had reason to expect that their messages would remain private. And, although the practice may have been discontinued, the plaintiffs allege that Facebook could start scanning messages again whenever it wanted to."

On Facebook's home page it states, "Connect with friends and the world around you on Facebook".  Nowhere does it state that your messages will be scanned for advertising purposes.  Should Facebook and other digital properties such as Google that are actually digital advertising platforms that masquerade as other services be required to have clear warnings every time a user sends and/or opens up a message (or uses other services) from their platform?  The FDA recently created new calorie labeling rules to better inform Americans about the foods they eat so should the FTC create rules that require digital platforms to be more transparent about their practices to better protect the privacy and safety of its citizens?   

The biggest challenge for plaintiffs moving forward may be to identify how Facebook's actions have financially harmed them.  Unfortunately, the court system in general has been slow to recognize privacy harms absent a direct monetary loss from a practice.  Will the Sony Hack change this mentality?  We may find out in the new year.  

Court: Police May Create Fake Social Media Profiles To Catch Criminals

According to CNN, a federal judge recently ruled that law enforcement officials may create fake social media profiles to obtain access to a suspect's social media account.  The police may entice suspects to "friend" them and use the information gleaned from their Facebook, Instagram, etc... accounts against them in court. 

This ruling is not surprising. The police have utilized moles and undercover agents to gain access to crime syndicates and gangs for years, and this ruling appears to extend this practice to the Digital Age. As long as the "friending" is mutual, meaning that a suspect allows a "fake profile" to access their account, the "search" may be deemed consensual.

Facebook has protested law enforcement's use of fake profiles in the past.  For example, several months ago, Facebook sent a letter to the DEA to demand that it stop creating fake accounts on their platform.  Facebook cares about this issue, not because of the privacy implications to its users, but because it may interfere with its ability to monetize the data being created on their platforms.  A fake account is worthless to data brokers, advertisers, etc....

I don't encourage anyone who values their privacy to utilize Facebook to post personal information.  Everything one posts to Facebook may end up in the hands of data brokers, law enforcement officials, etc... Facebook is an advertising platform and its users are the products it sells to marketers and data brokers.  I don't trust Facebook with my personal information.  Should you?

Tuesday, December 23, 2014

FTC Warns Children's Apps Maker About Potential COPPA Violations

The FTC recently sent a letter to a China-based children's app maker alleging that it may be in violation of the Children's Online Privacy Protection Act (COPPA). According to the allegations, "it appears the child-directed applications marketed by the company, BabyBus, appear to collect precise geolocation information about users" without parental consent.

COPPA requires companies collecting personal information from children under 13 to post clear privacy policies and to notify parents and get their consent before collecting or sharing any information from children.  While this app is not the only one that has allegedly violated COPPA and/or collected more information than needed to operate, it demonstrates a very troubling trend in apps:  privacy by design continues to be an afterthought.

While I believe the FTC's letter is a positive development, it demonstrates the need for constant vigilance to protect our children's privacy.  In general, it is none of the app's business where my children live, go to school, play, etc.... 

A Sony Hack Lesson: Digital Privacy and Cyber Security Go Hand in Hand

The Sony hack has taught us many lessons about digital privacy and cyber security.  One of the biggest lessons is to be careful about what you put in an email.  Another is to ensure that proper email retention policies are in place.  A third lesson is that employees need to be better trained about these issues.  As privacy law expert Prof. Dan Solove recently stated, there are real harms when one's privacy is breached.

According to multiple published reports, the FBI has named North Korea as the prime suspect in the hacking attack. If North Korea directed or encouraged those responsible for the hack because it wasn't happy with the theme of the movie The Interview, it opens up a new front on what companies will have to prepare for when a business decision may not be popular with a foreign government or a well-funded adversary.

If a nation state such as North Korea or a well-funded organization is determined to hack into a corporate computer system, it will do so. Companies can take steps to reduce the risk by creating new digital policies, training their employees, installing new cyber security systems, taking certain systems offline, etc...

The Sony hack has exposed most if not all of its secrets for all to see. From the troubling gender pay gap to the leak of social security numbers, personal health care records, corporate budgets, etc..., the hack has greatly damaged Sony's reputation. While Sony may eventually be able to recover from this very troubling matter, it wouldn't surprise me if multiple executives leave the company in the near future due to what is contained in their emails.

The bottom line is that the most state-of-the-art cyber security system may not protect against human error or stupidity. Therefore, it is imperative to constantly train and educate employees about digital privacy and cyber security matters. Privacy is something we take for granted until it has been lost. With the right education and mindset, privacy and cyber security don't have to be a luxury.

Tuesday, December 16, 2014

Netherlands Privacy Regulator To Investigate Facebook's Privacy Policy

The Netherlands privacy regulator has announced an investigation into Facebook's recently announced privacy policy change that is scheduled to go into effect on January 1, 2015. Facebook's new privacy policy states that it has the right to use the information provided by its users through their posts, messages, and other online interactions for commercial purposes.  This change is not very surprising since Facebook makes most of its money via behavioral advertising.

Due to the agreements that Facebook has with data brokers and its tracking capabilities across the Internet and devices, I do not trust the company with my personal data or my children's personal information.  I choose not to share my personal thoughts on Facebook because the information may be shared with not only data brokers and marketers, but also insurance companies, the government, etc...  My personal thoughts, data points, etc... may then be utilized against me in ways I never intended.

It is a welcome trend that European data protection regulators are investigating Facebook and fining companies such as Google for violating the personal privacy of users. My hope is that the FTC and state attorneys general follow in their footsteps and require these companies and others to become more transparent about their digital collection and utilization practices and impose fines when they have made misrepresentations about their activities.

Facebook and Google are two of the most successful advertising companies in the world.  However, both of these companies appear to perform similar functions as some telecommunications entities and data brokers.  Should these companies and others with similar privacy policies and practices be regulated as such?  

Iowa Digital License App Has Major 4th Amendment Implications

Wouldn't it be great if we didn't have to carry around a wallet with a driver's license, credit cards, ATM cards, health insurance cards, etc...?  As Apple famously trademarked and states in some of its commercials, "There's an app for that".  For almost every interaction we have in the real world, software developers are creating apps to allegedly make our lives "easier" and more "frictionless".

In the tech world, "frictionless" may mean making it very easy to "share your personal thoughts, viewing habits, etc...without violating privacy laws", or making it very easy to "make online purchases."  This is why so many companies are rushing to create apps for users.  Unfortunately, multiple FTC reports have found many apps lack proper disclosures which may in turn lead to data leakage which creates cyber safety challenges for users.

The latest app that aims to make our lives "easier" is an app that may replace a physical Iowa driver's license. At first glance, this sounds great. Since more and more people are using their smartphones to do everyday tasks and these mini computers hold so much of our personal information, why not utilize an app which would mean one less thing (physical driver's license) to carry around?

There are numerous questions that still need to be answered. If a person who uses the app is questioned by a police officer during a "routine traffic stop" or a "stop and frisk" and asked to show the driver's license app, will a police officer be able to access other parts of the phone or will a password be needed? What happens if a text message, email, or phone call comes through at the moment the police officer is reviewing the app license? Will the police officer be able to see the sender of the message, or the contents of the communications, or the phone number of the caller? When downloading the app, will it request access to your contacts or want to see what other apps you have downloaded like Twitter?

According to the recent Supreme Court decision in Heien v. North Carolina, the police may stop a car based on a "reasonable" misunderstanding of the law. What if, while reviewing a driver's license app, a police officer "misunderstands the law" and searches your smartphone, or makes subtle threats about providing access to your smartphone?

The bottom line is that there are still many questions that need to be answered regarding this new app. As more and more of our lives become digital, it is imperative that app developers work closely with lawyers and regulators to ensure that privacy by design is part and parcel of the process. While we may not know all of the potential consequences of utilizing driver's license apps, it is important that we have a national conversation about these issues to ensure that our 4th Amendment rights are properly protected in the Digital Age.

Monday, December 15, 2014

Netherlands May Fine Google Millions of Euros For Privacy Law Violations

According to The Wall Street Journal, Google may soon be fined the equivalent of $19 million by the Netherlands Data Protection Authority for violating privacy laws. The Dutch privacy regulator announced earlier today that Google collects and combines personal data for advertising purposes without obtaining user consent. The threat of a fine follows a 900,000 euro penalty from Spain's data privacy regulator last year and another 150,000 euro penalty Google received earlier this year.

In 2012, Google consolidated most of its privacy policies into one comprehensive policy that enables it to combine almost all information it gains about its users. This troubling change demonstrated that Google doesn't care about its users' privacy. Google's platforms are not built with privacy by design in place. It is an advertising company disguised as a search engine and communications provider. This business model has created the most successful advertising entity in the history of the world.

During the past several years, Google has been fined tens of millions of dollars by the FTC, state attorneys general, and European regulators for violating privacy laws. Regulator fines are designed to stop and deter illegal behavior. Google makes so much money from the data it mines on its users that it may be cheaper for it to continue to pay fines for bad behavior instead of changing its business practices. Until regulators around the world are provided the tools that have the teeth required to deter Google and other companies from harming our privacy, this troubling behavior will continue.

Will 2015 be the year that legislators and regulators really clamp down on digital data collection and usage? Only time will tell.
