
Advanced Technology Seminar

Cyrus Daftary & Todd Krieger

March 16, 2015

Privacy

2

Agenda

Administrative Discussion
Crowd Funding Update
Employee Privacy Rights
Individual / Consumer Privacy
Questions and Answers

3

Nanoplug “Invisible Hearing Aid”

Raised funds on Indiegogo.
“Half the size of the smallest devices currently on the market.”
Raised ~$293,000 from >1,000 contributors.
“Half the size of other hearing aids.”

https://www.youtube.com/watch?v=8zr1SGDrAhY

4

Things Changed Along the Way

7.1 mm

11 mm

https://www.indiegogo.com/projects/nanoplug-the-world-s-first-invisible-hearing-aid#activity

http://advancedhearing.com/hearing-aids/bee-ii-800-cic-digital-hearing-aid

5

Employee Technology Privacy Rights

How private are employees’ personal e-mails sent from work accounts?

How private are employees’ online activities?

How private are employees’ computer activities?

6

A. Should Employees Have a Reasonable Expectation of Privacy? McLaren case (Bill McLaren Jr. v. Microsoft):

Facts: accused of sexual harassment and ‘inventory issues.’

Cause of action: invasion of privacy (Texas). (1) Intrusion on the plaintiff’s seclusion or solitude or into his private affairs.

There are two elements to this cause of action: (1) an intentional intrusion, physically or otherwise, on another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person.

7

Should Employees Have a Reasonable Expectation of Privacy (cont’d)? McLaren case:

Argument: Is a password-encrypted e-mail account like a locker at work? How do their purposes differ?

Conclusion: “the company’s interest in preventing inappropriate and unprofessional comments, or even illegal activity, over its e-mail system would outweigh McLaren’s claimed privacy interest in those communications.”

“Employees have no reasonable expectation of privacy in electronic communication” (Hale and Dorr Internet Alert, July 10, 2002).

8

Class Discussion: Had Quon Brought Back an Expectation of Privacy in the Workplace? Quon v. Arch Wireless:

Facts:
City provided pagers to police officers.
Policy prohibited personal use.
Officers could pay for ‘overages.’
City requests pager records from Arch Wireless.
Audit turns up extensive and explicit ‘personal use.’

Stored Wire and Electronic Communications Act [18 U.S.C. §§ 2701-2711 (1986)]

Compare with Warshak? How about cell tower records? [No. 08-4227 (3rd Circuit Court of Appeals)]

9

Business Risks to Unregulated Employee E-mail Access

Hostile or harassing work environment from inappropriate downloaded or forwarded messages or images.

In 1995 Chevron settled a sexual harassment claim for $2.2 million caused by several factors, including an e-mail listing ‘25 reasons beer is better than women.’ This action preceded the company’s anti-harassment policy (NYLJ 8/23/99).

Reduced productivity from employees spending too much time with personal e-mails.

Inappropriate or protected information posted online from workplace computers.

Source: www.haleanddoor.com/internet_law/burton.html

10

E-mail and Internet Use Policy is Critical in the Workplace

Two Supreme Court cases created a new standard for sexual harassment liability:

1) Tangible employment action: no defense (ex: termination or demotion).

2) Affirmative defense:

• Exercised reasonable care to prevent and correct harassing behavior; and

• Employee unreasonably failed to take advantage of employer’s policy.

Source: Burlington v. Ellerth 535 US 742; Faragher v City of Boca Raton 524 US 775 (1998).

11

Does Monitoring Employee e-mail Violate ECPA?

Electronic Communications Privacy Act of 1986 (18 USC 2510):

Prohibits interception of electronic communications, including e-mail affecting interstate or foreign commerce.

Permits interception if there is consent.

Provides a business exception for delivered communications (monitoring must not be excessive and must have a legitimate business purpose): Fraser v. National Mutual Ins. Co.

Councilman case discussion.

Smyth v. Pillsbury: No reasonable expectation of privacy, despite employer’s policy.

12

How Far Can An Employer Reach?

Can an employer terminate an employee for activities on Facebook? Souza & Costco cases set NLRB standards.

Should an employer be able to see an employee’s FB account?

Does an employer have a duty to monitor online chat rooms technically outside of the workplace?

Blakey v. Continental: if employer knew about harassing comments, it had a duty to stop them (164 NJ 38).

13

Illinois Public Act 097-0875

(b)(1) It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.

14

Exceptions

(2) Nothing in this subsection shall limit an employer's

right to:

(A) promulgate and maintain lawful workplace policies governing the use of the employer's electronic equipment, including policies regarding Internet use, social networking site use, and electronic mail use; and

(B) monitor usage of the employer's electronic equipment and the employer's electronic mail without requesting or requiring any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website.

15

Public Domain Exception

(3) Nothing in this subsection shall prohibit an employer from obtaining about a prospective employee or an employee information that is in the public domain or that is otherwise obtained in compliance with this amendatory Act of the 97th General Assembly.

http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=097-0875

16

Many Companies Claim To Monitor Employee Activities

                      2001 AMA Survey    2007 AMA Survey
Computer files        36.1%              45%
E-mail                46.5%              43%
Internet activities   62.8%              66%

Sources: CFO 9/2001 – AMA 2001 Survey, press.amanet.org/press-releases

Most companies who monitor employee activities cite potential liability as the primary reason for monitoring.

17

More Employers are Investigating Online Activities

28% of employers surveyed by AMA fired employees for e-mail misuse.

30% of employers fired employees for Internet misuse.

Aggressive investigations could impact employee morale.

Companies are now aggressively blocking access to inappropriate web sites and automatically monitoring employee activities.

18

Investigations May Be Triggered By:

Excessive consumption of resources:
Downloads or uploads that tie up the network
Hard drive filled with questionable content

Colleague complaints

Vigilant technical staff

Odd behavior

Activities triggering alarms on monitoring software.

19

Monitoring Technologies

Software solutions:
Monitor incoming and outgoing e-mail
Capture screen shots at regular intervals
Monitor online activities
Filter keywords and file types
Example: www.spectorsoft.com

Hardware solutions:
Keystroke logger captures up to 2 GB of keystrokes, including user names and passwords.
Small physical device runs independently of applications.
Not susceptible to anti-spy software applications.
Example: KeyLlama (www.KeyLlama.com).

20

Consumer & Individual Privacy

We’ll address information security in another lecture

21

NSA’s Upstream Surveillance

Government monitoring of ‘Internet Backbone’ traffic instead of just individual activities.

Backbone: the network of high-capacity cables, switches, and routers that are used for communication.

Filters for tens of thousands of search terms.

Not intended to target US citizens.

22

1st Amendment Right to Access Wikipedia?

• Wikimedia Foundation filed a lawsuit against the NSA & the US Department of Justice.

• Alleges mass surveillance of Internet traffic violates the 1st & 4th Amendments.

• “Wikipedia is founded on the freedoms of expression, inquiry and information. By violating our users’ privacy, the NSA is threatening the intellectual freedom that is central to people’s ability to create and understand knowledge.”

• https://www.aclu.org/files/assets/wikimedia_v2c_nsa_-_complaint.pdf

23

Wiki Argument

• Access to pages with NSA-filtered terms will be flagged.

• Wikipedia relies on foreign journalists, editors, volunteers, and other contributors.

• Encroachment of anonymity curtails free speech.

24

Are Anonymous Google+ Ratings Truly Anonymous?

25

New Google+ Review Dispute

Jason Page v. Bussey Law Firm (2015)

Anonymous Google review claims Bussey Law Firm are ‘scumbags,’ who ‘pay for positive reviews’ and ‘lose 80% of their cases.’

Lawyer files for discovery from Google and pursues UK poster.

Awarded £100k in UK court (£50k legal fees).

26

Sometimes Victory is Brief

https://plus.google.com/+TheBusseyLawFirmPCColoradoSprings/about?hl=en&gl=us

27

“You Already Have Zero Privacy – Get Over it” (Sun CEO Scott McNealy 2000)

Abacus Ad: “This family just spent $425 for a down comforter, $225 for lighting…they have 5 more rooms [to go], want their address?”

http://lists.nextmark.com/market?page=order/online/datacard&id=216497

How about a mailing list of customers who suffer from: “Allergies, Arthritis, Cancer, Diabetes, Heart Burn, Heart Disease, Impaired Vision, Potency…”

http://www.pharmdirectmail.com/

28

Data Brokers (60 Minutes)

http://www.cbsnews.com/news/the-data-brokers-selling-your-personal-information/

29

Technology Related Privacy Concerns

Social Networks
Identity and Information Theft, Phishing
Spam (Usenet abuse / evolved into unsolicited commercial e-mail)
Reverse Computer Trespass / Data Mining / Spyware (Common Gateway Interface – execute a program on host; examine files; install software)
E-mail Interception
Children
Geotracking
http://www.google.com/intl/en/policies/privacy/preview/

We will address security and digital discovery in another lecture.

30

Consumer Concerns

The intrusion into personal affairs and how to prevent it:

Suspicious of surreptitious monitoring of online activities.

Web surfers are not aware of what information is collected or where it is going.

The free exchange of information and ideas concept is not compatible with private information.

Stronger feeling of control with mail or telephone disclosure.

31

Consumer Concerns (cont’d)

Privacy and security are related concerns; a lapse in privacy protection may mean there was a security breach;

Host victim of security breach may not be able to find the culprit, but could still be liable to users who are harmed by the breach;

Privacy law may fall behind Internet technology. Most states require companies to disclose if the personal data of a resident is compromised.

32

Business Needs

Track site usage and visits to better understand customer patterns and needs.

Cost-effectively market to potential customers.

Generate leads.

Track effectiveness of marketing and advertising.

Generate revenue for third-party advertisers.

33

Consumer Risks

Intercepted wireless communications:
Mobile device
Wireless laptop

Unauthorized data access:
Bank or credit card company
Work
Online shopping sites
Social networks

Exposed data:
Personal information
Financial information
Computer files
Access to employer’s network.

34

Internet Privacy - Definitions

“Cookie” – a data file written onto a user’s hard drive by programs invoked by web page functions.

“Web Bugs” or “Secret Traces” or “Pixel Beacons” – a (1 x 1 pixel) GIF image, usually invisible, allowing the sender of an e-mail or host of a web site (and third parties) to load cookies on the user’s machine, which then can track the user’s movements across multiple sites (DoubleClick.com employed such technology).

“Flash Cookies” or “Locally Stored Objects” – secondary ‘cookies’ not ordinarily removed when a user purges cookies.

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

“Cyberstalking” – using the Internet to stalk an individual.

“Spyware” – software tracking activity on a computer without consent.

“History Sniffing” – using data stored in a web browser to ascertain what other sites the user has visited.

35

Online Privacy Legal Framework

Federal Trade Commission - fair advertising standards

Local and State laws

Federal Statutes:

COPPA (http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm)

Gramm-Leach-Bliley Act of 1999 (financial privacy)

HIPAA / HiTech (protected health info)

Evolving Common Law

EU Data Privacy Directive

36

FTC Privacy Policy Recommendation

Notice: let them know you are collecting data.

Choice: can they opt out of participating in the data collection?

Access: who can view the data?

Security: can anyone else get to the data?

Practical note: don’t keep your policy static and claim it will never change. What if the company is acquired or goes out of business? What if a court compels disclosure? Source: www.ftc.gov

37

Tracking Technology

History sniffing: Should e-mailers be able to determine how often a message was read and by whom?

Should they be able to ascertain the I.P. address, host, and computer type of the recipient?

What if a vendor priced its products based on the recipient’s processing speed or the value of the computer?

http://www.proxyway.com/www/privacy-test.html
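The “Web Bugs” definition on the Internet Privacy slide and the questions on this Tracking Technology slide (whether an e-mailer can learn how often a message was read, by whom, and from which I.P. address) both describe the same mechanism: a 1 x 1 image loaded from a third-party host with a per-recipient identifier in its URL. The following scanner is an added example from a defender’s side, not material from the seminar; it flags images in an HTML e-mail that carry those signals. It uses only the Python standard library, and the sample message and the host names in it are constructed placeholders.

```python
"""Flag likely web bugs (tracking pixels) in an HTML e-mail body.

Added example, not part of the seminar slides. Uses only the Python
standard library. The sample HTML at the bottom is constructed for
illustration; its host names are placeholders, not real services.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


def _px(value):
    """Parse an HTML width/height attribute ("1", "1px") into an int, or None."""
    if value is None:
        return None
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return int(digits) if digits.isdigit() else None


class WebBugScanner(HTMLParser):
    """Collect <img> tags and record the signals the slides describe:
    a 1x1 or hidden image, fetched from a host other than the sender's,
    carrying an opaque per-recipient identifier in its query string."""

    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings = []

    def _is_third_party(self, host):
        return bool(host) and host != self.sender_domain and not host.endswith("." + self.sender_domain)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)                      # HTMLParser lower-cases attribute names
        src = a.get("src", "")
        url = urlsplit(src)
        host = (url.hostname or "").lower()
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []

        width, height = _px(a.get("width")), _px(a.get("height"))
        tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
        if tiny or "width:1px" in style or "height:1px" in style:
            reasons.append("1x1 image")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden image")
        if self._is_third_party(host):
            reasons.append("third-party host " + host)
        # A long opaque query value is what ties one fetch to one recipient;
        # the 16-character threshold is a heuristic chosen for this example.
        for key, values in parse_qs(url.query).items():
            if any(len(v) >= 16 for v in values):
                reasons.append("per-recipient identifier in query parameter " + key)
                break

        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_web_bugs(html, sender_domain):
    """Return a list of {"src", "reasons"} dicts, one per suspicious <img>."""
    scanner = WebBugScanner(sender_domain)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a legitimate logo, a classic tracking pixel with a
# recipient token, and a hidden third-party image. Hosts are placeholders.
SAMPLE_EMAIL = """
<html><body>
<img src="https://mail.example-sender.test/logo.png" width="120" height="40" alt="logo">
<p>Your March newsletter.</p>
<img src="https://track.example-tracker.test/open.gif?u=9f3a7c2e4b8d1a6f5c0e" width="1" height="1">
<img src="https://pixels.example-tracker.test/p?id=abc" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_EMAIL, "example-sender.test"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Each signal on its own is weak (a logo can sit on a CDN, a spacer image can be 1 x 1), so the scanner reports every reason it found and leaves the decision to the mail gateway or the user. The practical defence the slide’s questions point to is the same one this scanner assumes: images in e-mail are not fetched until the recipient chooses to load them.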

38

Online Privacy Mishaps

FTC v. Geocities: Geocities violated their own privacy policy and distributed data collected from children.

Travelocity accidentally posted the names, addresses, (some) telephone numbers, and e-mail addresses of 15,000 contest entrants in an online link (http://www.dmnews.com/articles/2001-01-22/12804.html).

Prozac sent out an e-mailing to subscribers and disclosed all of the e-mail addresses in the header (Eli Lilly case available at www.ftc.gov).

More than 45 verdicts have been challenged in the past two years because of internet related juror misconduct (Reuters Legal).

39

Detailed Policies Can Help Minimize Risk

Clients need a mechanism in place to:
Avoid privacy lapses
Address and investigate any mishaps

Massachusetts GL 93H creates an obligation to have robust policies.

Privacy audits can yield surprising insight. Different divisions of the same company may not realize their impact on privacy practices:
Telemarketing
Online marketing
E-mail marketing
Direct (mail) marketing
Customer service departments
Advertising

40

Other Considerations: European Union privacy directive.

• Notice (what is collected and why?)

• Choice (opt out)

• Access (individuals can view and correct data)

Must have unambiguous consent for data collection

Prohibition on data export without consent - including H.R. data sent from subsidiaries to U.S. company

Local statutes may include civil and criminal penalties

Safe Harbor participants violating the directive face potential U.S. fines from the Dept. of Commerce: see http://www.export.gov/safeharbor

41

Questions & Answers