Archive for the ‘Privacy Law’ Category

Terms of Service Didn’t Read

Thursday, February 28th, 2013

If you thought reading privacy policies was a waste of time you were right. The Carnegie Mellon Institute calculated that it would take 10 minutes to read the privacy policies of the 75 most popular websites at the standard reading rate of 250 words per minute. The median length of privacy policies from top websites was calculated to be 2514 words. If you can do the math, it takes about 10 minutes to read each privacy policy. The Carnegie Mellon Institute estimated, based upon several sources, that the average American visits between 1354 and 1518 websites per year. Assuming that you are an average Internet user, if you were to read every privacy policy on each website you visit, you would spend 25 days out of the year just reading privacy policies. Carnegie Mellon “put a dollar amount on this massive time suck” and came up with an astonishing hypothetical cost of $781 billion per year! According to the Atlantic, that’s more than the GDP of Florida.

It’s no wonder that nobody reads web site privacy policies or terms of service. In fact, it’s a standard joke. Of course, just because nobody reads them doesn’t mean that they aren’t important. When you agree to a web site’s privacy policy you can be handing the web site owner your credit cards, personal information and other matters that you don’t wish to share with the public. It’s really imperative that you ensure that the web site owner protects your information. To make it easier to understand what rights you are giving up by visiting popular websites, a new online project called Terms of Service Didn’t Read tries to make the process simpler. The project provides easy-to-read summaries of the privacy policies and terms of service of most popular websites. Although not all sites are rated yet, a quick visit provides some interesting observations:

Facebook

Thumbs Down: Very broad copyright license on your content.

Thumbs Up: You can give your feedback before changes: Facebook will solicit your feedback during the 3 or 7 days minimum preceding changes to their terms. However, the results are not binding unless 30% of the active users voted.

Wikipedia

All Thumbs Up – very good user policies.

Yahoo

Thumbs Down: Terms may be changed any time at their discretion, without notice to the user.

Dropbox

All Thumbs Up: Transparency on law enforcement requests and promise to inform about data requests.

Microsoft

Big X: Lawsuit and class action waiver. Arbitration for dispute resolution in the United States: a binding arbitration clause and class action waiver that affects how disputes with Microsoft will be resolved in the United States. This clause governs many of Microsoft’s online services – including your Microsoft account and many of their online products and services for consumers, such as Hotmail, SkyDrive, Bing, MSN, Office.com, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Windows Mail Desktop, and Windows Writer.

Evernote

Big X: You cannot delete your account.

Terms of Service Didn’t Read should be required reading for anybody that uses the Internet.

–Adam G. Garson, Esq.

Privacy in the Age of Apps

Monday, December 31st, 2012


If you use or develop online software or smartphone “apps” then you need to know about CalOPPA. No, that’s not some form of steam-driven musical device from an old-time carousel. It’s the California Online Privacy Protection Act, and it has very real consequences for any company that does business online. This month, the State of California sued Delta Airlines for failure to comply with CalOPPA, and the suit seeks $2.500 for EACH TIME the Fly Delta mobile app was downloaded!

To comply with CalOPPA, you need to figure out if your online system or app collects any personally identifiable information (“PII”) such as a name, email address, physical address, telephone number, IP address, current location, or sensitive information such as a social security number. Next, you have to know the target age range for your web page or app. If it’s under 13, you need to talk to an attorney ASAP. There are special rules that apply.

Next you need a list of every party that will have access to the PII that you collect. You then need to specify how the user can control that PII. Can they view what you’ve collected, edit it, and delete it from your database? You then need a written policy that you will display to anyone from whom you collect PII that explains what you collect, how you intend to use it, with whom you may share it, and what the user can do to view, change or delete his own PII in your systems. You may want to review the sample policies available from the Center for Democracy and Technology, which has a very complete template, and then have your attorney review your policy after you’re done drafting it. Finally, you may wish to get certified by a third party like TrustE so that you tell your users that you’re trustworthy with their PII.

Compliance with privacy regulations also varies in other countries, but these basic steps are the minimum necessary for any developer. If you need a hand, the attorneys at Lipton, Weinberger & Husick can help to draft these kinds of policies, and others. Give them a call.

–Lawrence A. Husick, Esq.

You Have the Right to Remain Silent…

Friday, June 29th, 2012

The 1966 landmark Supreme Court case of Miranda v. Arizona gave us that famous TV cop phrase, “You have the right to remain silent…” This warning, called the Miranda Warning after the name of the criminal defendant in the case, is so common that many citizens can almost repeat it by heart. The holding of that famous case is that when a person is placed in custody by law enforcement officers, they must inform the person of the Constitutional right against self-incrimination and the right to counsel. And this warning must be understood by the person in custody. So far, so good.

In 2010, the Supreme Court ruled in Berghuis v. Thompkins that a person cannot just remain silent, but that, paradoxically, in order to invoke the right to remain silent, the person in custody has to unambiguously state that he or she wishes to remain silent.

But what if you are not in custody, but you are being spoken to by an employee of a government agency? What are your rights, and what should you do?

A troubling trend in recent years has been for the Federal Government to prosecute under the provisions of 18 U.S.C. § 1001, which prohibits lying to or concealing information from a federal official. That law provides, in part:

(a) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully (1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry; shall be fined under this title, imprisoned not more than 5 years…

Nobody is required to read you your rights when you’re not in custody. That’s because this crime — lying to the government — has not yet been committed. When that official starts asking you questions, you may not be in trouble – yet.

In recent years, this provision has been used to prosecute an increasing number of cases, some having only a distant relation to federal crimes. In one case, an Idaho farmer, Cory King, was convicted of lying to a state livestock inspector about where a valve on the property sent some water. Mr. King allegedly said the valve routed the water to a sprinkler system when in fact it sent water to a well. Idaho didn’t pursue criminal charges, but the federal government did, under Section 1001. Mr. King’s statement was made to a state official, but the Justice Department argued that lying to the state inspector interfered with enforcement of federal drinking-water laws. The false statement “need not be made directly” to the federal government, said one Justice Department court filing.

In the same way that Gangster Al Capone was eventually jailed on charges of tax evasion (“Selected Documents: Jury Verdict Form (October 17, 1931)”), rather than, say, machine-gunning his rivals, the government convicted Martha Stewart of, among other offenses, lying to securities investigators, rather than of insider trading in her sale of 4,000 shares of ImClone stock to avoid a loss of about $46,000 (“Stewart Convicted on All Charges,” CNN, March 5, 2004).

So what is the law-abiding citizen to do? How are we to know when a simple misstatement of fact will be the basis for a full-blown federal prosecution, potentially costing years and hundreds of thousands of dollars in legal fees? The simple answer is that for a small but still significant number of citizens who have spoken to federal, state and local officials about everything from photographing migrating whales to valves on pipes, there was no way to tell. When a government official shows up at your door and starts asking questions, you will have no way to tell. While we would not go so far as to recommend that our clients never speak to government officials, we counsel caution when doing so. After all, pausing to talk to your attorney may give a bit of time to consider what is being asked of you, and the answer you want to give. If there is any doubt, attorneys may always ask officials for limited immunity, and obtaining that may prevent a simple mistake of fact from becoming a felony conviction later on.

In Brogan v. US, Justice Ruth Bader Ginsburg worried about “the extraordinary authority Congress, perhaps unwittingly, has conferred on prosecutors to manufacture crimes” out of false statements. Mr. King, that Idaho farmer, knows that she was right to be worried.

 

–Lawrence Husick, Esq.

A Book By Any Other Name

Thursday, March 29th, 2012

Readers of this newsletter will recall that trademark rights in the United States are established by use, not by registration. There are benefits to registration, of course, but rights arise by the actual use of a mark in commerce in conjunction with a product or service. Often, the assertion of a trademark use is indicated by the placement of the letters TM adjacent to the mark. These letters let the public know that the user is claiming trademark rights.

Another generally established principle of trademark law is that one cannot, by asserting a trademark right in a word, remove that word from its common language use. In other words, one cannot extract from the language the common use of a word by claiming trademark rights in it. However, it is possible to assert a trademark right to a word in the limited context of a particular association or use.

Facebook has been very proactive in trying to establish trademark rights to words it uses in association with its social networking site. For instance, as of March 26, 2012, the United States Patent and Trademark Office has granted trademark registrations for FACEBOOK and WALL. Pending applications include LIKE and FB, among others. The use of FACE as a trademark has also been approved by the USPTO. Registration is awaiting proof from Facebook that it actually has used the mark in commerce.

To establish trademark rights to a word, it is useful to demonstrate that the public associates the use of the word with a product or service. Which brings us to the present interesting attempt by Facebook to begin to establish rights to the word “BOOK.” The recently proposed Facebook user agreement open for public comment states: “You will not use our copyrights or trademarks (including Facebook, the Facebook and F Logos, FB, Face, Poke, Book and Wall) or any confusingly similar marks, except as expressly permitted by our Brand Usage Guidelines or with our prior written permission.” So, following these guidelines, use of your Facebook account mandates that you recognize BOOK as a trademark belonging to Facebook. This may be an end run by Facebook to bolster a future argument against other users of the word BOOK that Facebook has already established in the public’s mind an association between the word BOOK and Facebook. What do you think of this strategy?

– Laurence Weinberger, Esq.

Is Facebook Your Friend?

Wednesday, February 29th, 2012

Do you have a Facebook Account? Do you realize that every time you click the “Like” button for a product, service or website, Facebook may distribute a paid advertisement (“a sponsored story”) using your name to all of your “Friends” suggesting that you are recommending the product or service? While Facebook is described in the popular media as a social networking site, it is, in reality, an advertising business generating its revenue through the sale of advertising. Zuckerberg (CEO of Facebook) has said: “…nothing influences people more than a recommendation from a trusted friend. A trusted referral influences people more than the best broadcaster message. A trusted referral is the Holy Grail of advertising.” Facebook’s COO has said: “…making your customers your marketers”…”is the illusive goal we’ve been searching for.” Consequently, Facebook is able to charge a higher rate for the “sponsored stories.”

Now Facebook has been sued in Federal Court in California over its “sponsored story” advertising practice under statutory provisions governing the right of publicity, unfair competition and fraudulent and deceptive practices. California has a law on the books that says everyone has the right to control how their name, photo, likeness, and identity is used for commercial purposes, and such use may not be done without their consent and a minimum ($750) payment. The complaint makes several interesting points, not the least of which is that Facebook employs a unique lexicon of doublespeak by intentionally distorting the everyday meaning of words and misleading members. Terms such as “friends,” “like,” “stories,” and “sponsor” may not mean the same to us as they do to Facebook. On Facebook, “friends” are not really limited to close or intimate associates; “like” does not necessarily imply an affinity for the site/item; “sponsors” are really advertisers paying for the ads; and “stories” are not written tales but are either items of friends’ doings, or in the case of “sponsored stories” the advertisements generated from members clicking the “Like” button. In addition, plaintiffs allege that Facebook provides no avenue for opting out of the sponsored stories.

An interesting side light to the case is that minors are allowed to become members and have their names and images used in the advertisements without requiring the consent of their parents or guardians. Needless to say, Facebook has mounted a vigorous legal challenge on both procedural and legal grounds to the accusations, asserting a laundry list of defenses including: consent upon registering under Facebook’s terms; protection under the Federal Communications Decency Act; First Amendment legitimate interest protection under the Constitution; and protection under the “newsworthy exception” for reporting on the activities of famous people. (Would you believe that Facebook asserts that members are famous to their friends?)

On December 16, 2011, ruling on Facebook’s motion to dismiss the lawsuit, the Court refused to accept most of Facebook’s arguments, finding that plaintiffs had asserted valid causes of action under the law. The Court reserved the question of whether members consented to Facebook’s practices. The case is now in its discovery phase.

In an interesting twist, just last week, two of the plaintiffs asked to drop out of the case after Facebook’s lawyers demanded discovery depositions that threatened the plaintiffs with even more loss of privacy. As of this writing, the Court has not ruled on their request.

– Laurence Weinberger, Esq.

Has Your Privacy Been Breached? Now You Have a Resource.

Saturday, December 31st, 2011

Ever wonder if private information about you has been made publicly available on the Internet? You could search the Internet underground to discover if someone is distributing information about you, but such a search would require knowledge of where to look that most of us do not have.

Now there is help out there. Alen Puzic and fellow security researchers have established a website that anyone can use to discover if their e-mail address is among breached records available on the Internet. You enter your e-mail address or user name and the site tells you whether your address is among those in its database.

So you may wonder where the compromised information is found. Puzic initially amassed about five million breached records containing about three and a half million e-mail addresses and one and a half million user names that had been published by online attackers or otherwise inadvertently exposed. Puzic uses internet crawling spiders to index underground hacking forums, account dumps from hacking groups, Pastebin, as well as accessible releases of public information, e-mail services, social media sites, merchants, and even financial institutions. The site is updated every 24 hours, and a current count of the number of entries is displayed on the first page of the web site. The site claims that none of the information associated with each e-mail address is retained, only the address itself. In addition, no queries of the web site are stored, but if you are concerned, a securely hashed input (using a publicly available hashing algorithm) is provided to search the site.

–Laurence Weinberger, Esq.

Privacy We Give Up for Cell Phone Convenience

Wednesday, November 30th, 2011

Most of us use our cell phones for business and personal use. For instance, in the car returning from a family Thanksgiving celebration, my wife read her business e-mail, checked the weather, referred to a map for our location, and browsed for Black Friday sales. We all assume such phone activities are relatively private, but are they?

Recently, the ACLU obtained from the Justice Department a document guide for law enforcement that describes how major cell phone companies handle data and location information for phones using their service. It turns out that most carriers store usage information, albeit the kinds of data and the length of time the data is stored differ among carriers.

While carriers don’t record calls, they keep a record of calls made and received. Verizon also stores for a year the identity of cell tower connections a phone makes; AT&T has accumulated the same data since 2008. These data may be used to accurately determine where a phone is physically located at any moment during the day or night.

Web browsing information is not maintained by T-Mobile, but Verizon stores some web site identity information for up to a year. Sprint Nextel stores text messages for three months while Verizon only for three to five days. Other carriers do not keep text content, but instead store records of who texted who for a year or more. AT&T preserves such data for seven years.

The ACLU takes the position that we all have a right to know how long records are kept. Do you agree?

– Laurence Weinberger, Esq.

Keeping it Private in the Work Place

Thursday, September 30th, 2010

Have you ever wondered about the privacy of your web-based e-mail communications, e.g., Hotmail, Yahoo, or Gmail, as you carry out your personal business on your company-owned computer? A March 2010 decision by the Supreme Court of New Jersey sheds some light on the subject. In Stengart vs. Loving Care Agency, Inc., Marina Stengart used her company-issued computer to communicate with her lawyer through her personal, password-protected, web-based Yahoo e-mail account. Stengart eventually resigned her position and sued her former employer, Loving Care Agency, for employment discrimination. During the lawsuit, Loving Care Agency conducted a forensic examination of her computer and discovered her e-mails, including e-mails to her attorney written on her Yahoo account, among the web pages stored in the computer’s Internet cache. The story does not end there because opposing counsel disclosed Stengart’s attorney-client e-mail exchanges, claiming that Loving Care Agency had the right to review them. That’s where the court jumped in.

The issues before the court were, first, whether Stengart had an expectation of privacy in her personal e-mail despite her having accessed them on a company computer and, second, whether Loving Care Agency’s lawyer violated the attorney-client privilege by reviewing her e-mail. In New Jersey, as in most states, an employee’s expectation of privacy in his or her computer equipment is typically determined by employee policies, particularly if they are written and disseminated to all employees in the form of an employee handbook. Loving Care Agency issued a pretty standard employee handbook, which prohibited certain obvious misuses of company computer equipment and provided it the right to “review, audit, intercept, access and disclose” all materials on company computer equipment.

Although it appears that this language provided sufficient notice to employees that they have no expectation of privacy in their computers, the handbook created an ambiguity by also permitting occasional personal use. The Court also pointed out that the handbook did not warn employees that the contents of web-based e-mails could be forensically retrieved by Loving Care. The Court held that the ambiguous employee handbook, Stengart’s obvious desire to keep her e-mail private, and her expectation of privacy in her attorney-client communications created an expectation of privacy in her personal e-mails even though they were contained on company-provided computer equipment. Having determined that Stengart had an expectation of privacy in her e-mails, it was an easy step for the Court to conclude that Loving Care Agency’s lawyer had violated the attorney-client privilege by disclosing obviously privileged communications.

The Supreme Court of New Jersey’s decision in Stengart is important for a number of reasons. It suggests to employees that they should be careful with respect to e-mail communications — even web-based e-mail — made on company computers, and for employers it suggests that employee policies must give adequate notice about the information the employer can retrieve from employees’ computers. Also, if an employer permits employees to use company equipment for personal use, it may create an expectation of privacy where none may have previously existed. Take heed even if you are not a New Jersey company. Although the case was decided by a New Jersey court, other state courts may find it persuasive.

– Adam G. Garson, Esq.