Archive for the ‘privacy’ Category

Blog Law Blog Has Never Cooperated with NSA’s Special Source Operations

Thursday, June 6th, 2013


Well, it’s been a busy day for cybernews.

The Washington Post has broken a huge story that the U.S. government, specifically the NSA and the FBI, are accessing e-mails, photos, videos, and other personal data via its “Special Source Operations” – NSA talk for buddy-bud tech companies. The cooperators in this outed “PRISM” program are, according to the Post story, “nine leading U.S. Internet companies”: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple.

(Hey, good for AOL getting lumped into the category of “leading U.S. Internet companies.” No doubt they were super-psyched to see that.)

Well, for my part, I can state unequivocally that Blog Law Blog has never cooperated with the NSA or FBI in sharing any data. (But I do use Google Analytics, as do bazillions of others – so be warned.)

In the same news cycle comes the revelation that Chinese government hacking into private American computer systems is far wider and deeper than previously known. They even hacked the 2008 Obama and McCain presidential campaigns.

Unfortunately, I can make no guarantees that Blog Law Blog has not been hacked by the Chinese government. The only real protection I have against being hacked by China is staying below their radar. Which I’m guessing I probably have. (Although I’ve certainly discussed how China is a leading jailer of bloggers, among other things.)

Hey, by the way, did you notice who is missing from that Special Source Operations list? Yup, no Twitter. Good for Twitter. They’ve certainly shown their user-privacy backbone before. And no Amazon or eBay either.

Sadly, CISPA Passes U.S. House

Thursday, April 18th, 2013

U.S. Capitol dome in daytimeToday, sadly, the U.S. House of Representatives passed CISPA, the Cyber Intelligence Sharing and Protection Act (roll call).

The EFF, TechDirt, and the ACLU have explained why CISPA is bad. Basically, it tramples on civil liberties to give government the all clear to go spelunking through your personal data without a warrant.

CISPA now goes to the Senate. Please consider taking a moment to contact your senators to urge them to vote no on CISPA.

Cybersecurity Act Now Pending in U.S. Senate

Monday, July 30th, 2012

Jennifer Granick at the Stanford Center for Internet and Society has a good post on the Cybersecurity Act, now pending in the U.S. Senate, authored by Sen. Joseph Lieberman (D-Conn.), Sen. Dianne Feinstein (D-Calif.), Sen. Jay Rockefeller (D-W.Va.) and Sen. Susan Collins (R-Maine).

Jennifer also includes a link to her annotated version ([pdf]) of the bill. The bill is 211 pages. So any annotations are very helpful.

Jennifer says that the bill is “a step forward for those who see government implementation of state of the art security practices lagging behind.” But she emphasizes that the legislation “needs work,” especially to narrow the amount of government cyberspying the bill permits.

The bill already reflects some work by privacy advocates. Amendments that have been inserted to the bill to curtail government civil-liberties incursions are explained by Michelle Richardson in a post on the ACLU’s Washington Markup blog.

The bill, in its current form, does not weigh heavily on private industry, since it offers only “guidelines” for non-government actors, not regulations. But, as Jennifer notes, a report on national cybersecurity issues concludes that voluntary efforts on the part of industry “will be inadequate against advanced nation-state opponents.” In other words, the wisdom is that we will need government regs to keep the power company safe from North Korea.

Update on Pandora’s California Consumer Rights Notification

Friday, June 22nd, 2012

Pandora logoA while ago I blogged about a page footer I noticed on internet-radio/jukebox sitePandora with a link to “Your CA Privacy Rights,” advising California residents of California Civil Code §1798.83 and entreating them, pursuant to that law, to “request and obtain from us once a year, free of charge, a list of the third parties to whom we disclosed their personal information (if any) for direct marketing purposes in the preceding calendar year and the categories of personal information disclosed to those third parties.”

I wrote Pandora and made this request just to see what would turn up. As I disclosed to Pandora in the request, I am not, and was not during the past year, a California resident. I asked them if they would honor the request nonetheless. Josh M at Pandora responded the same day to say:

Hi there,

Pandora Media, Inc. has not disclosed your personal information to any third party for the third party’s direct marketing purposes within the immediately preceding year.

Hope that helps and thanks again for writing.
Best Regards,

Josh M

Listener Support
PANDORA® internet radio
Need help? http://help.pandora.com

Interesting. I would have imagined they had.

I wrote in some detail about §1798.83 in my previous post last month.

Your CA Privacy Rights on Pandora

Wednesday, May 23rd, 2012

Pandora logoJust noticed this on Pandora: The page footer contains a link to “Your CA Privacy Rights,” which takes you to this:

California Civil Code Section 1798.83 permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we disclosed their personal information (if any) for direct marketing purposes in the preceding calendar year and the categories of personal information disclosed to those third parties. If you wish to make such a request or have any questions about Pandora’s information sharing practices, you may contact us by sending us an email at pandora-support@pandora.com or write to us at Pandora Media, Inc., 2101 Webster Street, Suite 1650 Oakland, CA 94612, Attn: Listener Support.

As the text discloses, this is the fruit of California Civil Code § 1793.83. It’s an internet era law, dating back to 2005, that puts obligations on businesses who disclose personal customer data to third parties that then use that data for direct marketing.

When I start to read the statute, I get that feeling I so often get when I read California statutes, of wanting to spite my eyeballs for what they are seeing. It’s not only confusing, it’s not even clearly confusing. Which is to say it’s confusing in a confusing way. After I read it, I’m not even clear on how I’m confused. So I really don’t want to try to explain to you what the statute requires because I’m not sure what it requires, and I’m not even sure I could be sure if I spent a lot of time on it.

A business required to comply with this section shall, at its election, do at least one of the following:

(A) Notify all agents and managers who directly supervise employees who regularly have contact with customers of the designated addresses or numbers or the means to obtain those addresses or numbers and instruct those employees that customers who inquire about the business’s privacy practices or the business’s compliance with this section shall be informed of the designated addresses or numbers or the means to obtain the addresses or numbers.

(B) Add to the home page of its Web site a link either to a page titled “Your Privacy Rights” or add the words “Your Privacy Rights” to the home page’s link to the business’s privacy policy. If the business elects to add the words “Your Privacy Rights” to the link to the business’s privacy policy, the words “Your Privacy Rights” shall be in the same style and size as the link to the business’s privacy policy. If the business does not display a link to its privacy policy on the home page of its Web site, or does not have a privacy policy, the words “Your Privacy Rights” shall be written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. The first page of the link shall describe a customer’s rights pursuant to this section and shall provide the designated mailing address, e-mail address, as required, or toll-free telephone number or facsimile number, as appropriate. If the business elects to add the words “Your California Privacy Rights” to the home page’s link to the business’s privacy policy in a manner that complies with this subdivision, and the first page of the link describes a customer’s rights pursuant to this section, and provides the designated mailing address, electronic mailing address, as required, or toll-free telephone or facsimile number, as appropriate, the business need not respond to requests that are not received at one of the designated addresses or numbers.

(C) Make the designated addresses or numbers, or means to obtain the designated addresses or numbers, readily available upon request of a customer at every place of business in California where the business or its agents regularly have contact with customers.

Really, do they just go with their first draft of these things? Because I’m not sure most people could write such a confusing first draft. They must draft a first draft and then do some undrafting work on it to walk it back.

I know, I keep railing on California statutes over and over and over and over.

At any rate, I note that Pandora is saying “Your CA Privacy Rights” rather than “Your Privacy Rights” or “Your California Privacy Rights.” Risky, I guess. Or not. Hard to tell.

Anyway, I e-mailed Pandora to ask for a disclosure under the law – and I disclosed that I am not a California resident, but I’d appreciate it all the same if they would honor it – and I’ll post a follow-up here.

FTC Wins Settlement from FB

Tuesday, December 6th, 2011

wobbly Facebook logoFacebook has entered into a big settlement with the Federal Trade Commission – America’s top consumer cops – regarding privacy of user data. As part of the deal, FB will warn users about privacy changes and must submit to biennial privacy audits for the next two decades.

I love the FTC. They do good stuff. Of course, it’s good to note also that FB has done a lot of backpedaling on privacy issues because of user backlash – a kind of semi-organized consumer pressure that is possible these days because of social networking technologies like, um, Facebook!

Here’s what Zuckerberg said in his blog post about the settlement (which he rosily calls a “settlement”):

… I’m the first to admit that we’ve made a bunch of mistakes [including] a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago …

[W]e’re making a clear and formal long-term commitment to do the things we’ve always tried to do and planned to keep doing — giving you tools to control who can see your information and then making sure only those people you intend can see it. In the last 18 months alone, we’ve announced more than 20 new tools and resources designed to give you more control over your Facebook experience.

I actually think Facebook is getting quite a bit better – not just about privacy, but about being a better service altogether. I predicted the demise of Facebook earlier this year. If Facebook keeps changing fast enough, it might hold on. But I just don’t think it will. Fundamentally, the company seems out of touch with what people want. Like the Facebook ticker feature that was new this fall – that’s just creepy.

Here are the words from the parties:

Here are some write-ups:

School Assembly Shocker: Student’s Social Media Skimmed for Slideshow

Thursday, April 14th, 2011

Lynde Point Lighthouse near Old Saybrook, Conn. (Photo: Robert J. Beyus, NPS)

A high school in Connecticut illustrated a slideshow on internet privacy with photos of the school’s students, taken from Twitter, Tumblr, and Facebook.

Kashmir Hill called the ploy a “clever lesson,” and she gave “[k]udos to the Connecticut high school employee who came up with this dramatic lesson on Internet safety.”

Some students at Old Saybrook High School, however, reacted angrily, saying it invaded their privacy.

Do the students have a point? Legally speaking, yeah, maybe.

I think this would probably not make for an ultimately successful lawsuit for copyright or right-of-publicity infringement. But there’s probably enough on both of those causes of action to file a complaint that isn’t frivolous. And hey, publicity rights have been getting crazy lately, so you never know.

So far no word on whether Righthaven is trying to sign up students for copyright lawsuits.

According to the New Haven Register, principal Oliver Barton said the pictures selected were publicly accessible and thought unlikely to embarrass anyone.

But that didn’t stop the backlash.

For me, I just can’t believe school administrators thought this was a good idea. What a great way to peeve off parents. While I question their sense of judgment, it does look like their lesson is working. Check out this passage from the New Haven Register article:

“They told us we were going to watch something about Internet safety, and they said they personalized the slide show, ” said a freshman named Kayla, who didn’t want to use her last name.

Did you catch that? Kayla didn’t want to use her last name!

Lesson learned.

First Circuit Case on Right to Video Police in Public Places

Friday, March 18th, 2011
Boston skyline over the Charles River (Photo: EEJ)

Boston skyline over the Charles River (Photo: EEJ)

The First Circuit Court of Appeals is considering Glik v. Cunniffe, et al (10-1764), a case that has big-time implications for American bloggers and other members of the citizen media with a bent toward gathering news where it happens.

As the Citizen Media Law Project reports on its blog, Harvard Law School’s Cyberlaw Clinic, the CMLP, and a coalition of other organizations, including the Reporters Committee for Freedom of the Press and several big media companies, filed an amicus curiae (“friend of the court”) brief recently in the case. The amici urged the court to uphold a First Amendment right to gather news in public places.

Here’s the brief: [pdf]

An attorney, Simon Glik, used his cellphone to make a video recording of Boston Police officers arresting a homeless man in downtown’s Boston Common, a big public park. Obviously, the police were annoyed. Glik was then arrested. The charge was an interesting one – criminal wiretaping.

Yes, really.

Glik was charged with a violation of the Massachusetts Wiretap Statute (Mass. Gen. Laws ch. 272, § 99). Here’s the most relevant bits of the law:

B. Definitions. As used in this section—

2. The term “oral communication” means speech, except such speech as is transmitted over the public air waves by radio or other similar device.

3. The term “intercepting device” means any device or apparatus which is capable of transmitting, receiving, amplifying, or recording a wire or oral communication other than a hearing aid or similar device which is being used to correct subnormal hearing to normal and other than any telephone or telegraph instrument, equipment, facility, or a component thereof, (a) furnished to a subscriber or user by a communications common carrier in the ordinary course of its business under its tariff and being used by the subscriber or user in the ordinary course of its business; or (b) being used by a communications common carrier in the ordinary course of its business.

4. The term “interception” means to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication; provided that it shall not constitute an interception for an investigative or law enforcement officer, as defined in this section, to record or transmit a wire or oral communication if the officer is a party to such communication or has been given prior authorization to record or transmit the communication by such a party and if recorded or transmitted in the course of an investigation of a designated offense as defined herein.

C. Offenses.

1. Interception, oral communications prohibited.

Except as otherwise specifically provided in this section any person who—

willfully commits an interception, attempts to commit an interception, or procures any other person to commit an interception or to attempt to commit an interception of any wire or oral communication shall be fined not more than ten thousand dollars, or imprisoned in the state prison for not more than five years, or imprisoned in a jail or house of correction for not more than two and one half years, or both so fined and given one such imprisonment.

Do you think what Glik was doing was really “secret”. I kind of doubt it, since he was arrested on the scene.

Specifically, the police noticed what Glik was doing and then asked him whether the phone had audio recording capability. After Glik confirmed that it did, they arrested him.

Why was Glik recording the arrest of the homeless man, by the way? He thought the police were using excessive force. Now you begin to get a picture of just how annoyed these police officers must have been.

Well, the charges were, as you might imagine, quickly dismissed. After that, Gilk filed suit in federal court to vindicate his rights. The district court denied the defendant’s motion to dismiss, and now we are in the Court of Appeals.

Good luck to Glik and the amici!

More:

The Google Street View Case – What it Doesn’t Mean for Bloggers

Monday, January 3rd, 2011

A Google Street View car driving through the countryside. (Image: Google. Used without permission.)

A few weeks ago, Google lost a lawsuit over its Street View feature. The reporting about the case was generally off the mark, so let me try to clear things up.

In the federal lawsuit, Aaron and Christine Boring of Franklin Park, Pa. won $1 in damages against Google, Inc. for trespassing.

Press coverage (e.g., this not-very-well-written story) made it sound as if Google incurred liability by taking a picture of private property and displaying it on the internet. That’s not the case. The reason Google was liable for trespassing is because Google drove its Street View car onto private land, going up a private road that was marked with a “No Trespassing” sign.

In other words, the case doesn’t say it’s trespassing to take a picture of private property and display it on the internet. (Indeed it’s not.) What the case means is that it’s trespassing to trespass.

So, if you are a blogger, this case shouldn’t make you nervous about posting pictures of private property – unless those pictures serve as evidence of your having done something unlawful.

And that’s what Google did. By posting the pictures, they proved that they committed a civilly actionable trespass. It also would appear that Google violated Pennsylvania criminal trespass statute at 18 Pa. Cons. Stat. § 3503.

It was absurd for Google to fight this in court. They should have respected the law, and they should have respected private property rights. It’s too bad they only had to pay a dollar. I personally think a small measure of punitive damages would have been in order.

It’s another case of Google doing whatever Google gets ready to do – regardless of the law.

And they keep getting away with it.

Disgraced Professor Sues Alumni Blog

Wednesday, September 15th, 2010

Charging defamation and invasion of privacy, Bernard Moore, a former visiting professor at Williams College, has sued David Kane, the founder of EphBlog, according to a story from today’s Berkshire Eagle of Massachusetts.

EphBlog is a website run by Williams College alumni that focuses on their alma mater. It is not officially affiliated with the western Massachusetts liberal arts college.

Moore does not come to the lawsuit with a stellar rep. The political science teacher was dismissed mid-semester after pleading guilty to fraud charges, including student-aid fraud. He was also previously convicted of credit card fraud in 1987, according to a report on Moore’s plea in the Williams Record.

Moore (née Ernest B. Moore) is seeking $500,000 in compensatory damages plus $2 million in punitive damages, along with an injunction.

When I checked, I found material about Moore still up on the EphBlog site, although I couldn’t find the passage quoted by the paper as a basis for the suit.

One thing to watch out for in this case is a defense mounted on the idea that Moore is “libel proof.” In defamation law, a plaintiff who is libel proof has such a tarnished reputation, nothing more can be done to destroy it. Theoretically then, even false and defamatory statements about a libel-proof person cannot give rise to liability, since the alleged victim cannot prove that any damage to his or her reputation was caused by the alleged libel. The paper quotes the complaint as stating:

Kane’s public comments included false statements that would tend to expose Dr. Moore to public ridicule and tend to make other[s] less likely to associate and do business with Dr. Moore …

You can see what the possible problem is for Moore. The defense could argue that Moore’s exposure to public ridicule and difficulty in doing business with others – to the extent such facts are proved – cannot be traced to any allegedly defamatory statements made by the defendant.

Honestly, it is a little hard to imagine how an unofficial alumni blog could do half-a-million dollars in actual damage to the reputation of someone in Moore’s position.

Hopefully EphBlog will post court documents and keep us apprised of the litigation.

Jason Chen Getting His Stuff Back

Wednesday, July 21st, 2010

EFF’s Deep Links blog reports that the county prosecutors have now withdrawn the warrant they obtained to search Gizmodo blogger Jason Chen’s home during Apple’s desperate attempt to claw back its lost iPhone prototype: San Mateo D.A. Withdraws Controversial Gizmodo iPhone Warrant.

That means Chen will get all his stuff back. In April, members of the Silicon Valley’s R.E.A.C.T. law-enforcement task-force seized four of Chen’s computers and two servers from his home. (My posts: here, here, here, here, here, and here. All the posts together here.)

It’s ironic looking back at it all. Apple was so keen to protect the secrets of its G4 iPhone before the big product launch date. And now the ultrahyped gadget has turned out to be a total dog. Maybe Apple should have lost more prototypes in bars. That way, perhaps they would have gotten wind of the phone’s call-dropping problems when there was still time to change the design.

And this sad news just out today: The Associated Press reports via the NY Daily News: iPhone factory worker commits suicide over lost G4 prototype.

Scassa on Canadian Data Protection Law and Blogs

Monday, June 21st, 2010

Teresa Scassa of the law school at the University of Ottawa has published Journalistic Purposes and Private Sector Data Protection Legislation: Blogs, Tweets and Information Maps in the Queen’s Law Journal.

The abstract:

This paper explores how changes in the ways in which information is consumed and disseminated by myriad individuals in myriad forms may impact data protection law in Canada. The author uses examples of blogs, Twitter and information maps to illustrate the problems that will inevitably arise when trying to discern which individuals and which information will properly fit into the journalistic purposes exceptions in Canadian data protection statutes. She suggests that exceptions for the collection, use or disclosure of personal information for journalistic purposes raise vital questions about the purpose and scope of these exceptions. Recent case law illustrates the difficulties faced by decision-makers in defining the scope of these exceptions, particularly given the need to balance the public right to be informed with individual privacy rights. The author considers the journalistic purposes exceptions in light of the role of journalists by analyzing how reporters’ privilege, defamation law (“responsible journalism”) and ethical codes of conduct might affect and inform current Canadian case law. She then reviews how journalistic purpose exceptions are configured and applied in Australia and the United Kingdom. In the conclusion, the author considers the direction that data protection law in Canada should take. She suggests that a reasonableness test, which attempts to balance the various conflicting interests, should govern decisions on whether information is being provided for a journalistic purpose or for some “other” purpose.

The cite is 35 Queen’s L.J. 733. I was not able to find a copy of the article available freely online.