The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

1 Comment

Recent Google and LinkedIn Lawsuits Provide Lessons for Web and Mobile App Developers

Recent lawsuits against Google and LinkedIn remind website and mobile application developers to be fully transparent when crafting user agreements and interacting with users.

In the Google suit, Google’s Gmail service is accused of scanning users email in order to create user profiles and provide targeted advertising.  In an attempt to dismiss the case, Google unsuccessfully argued that the Wiretap Act, which authorizes email providers to intercept messages in order to facilitate message delivery (or other incidental functions), protected its practices.  More significantly, however, was how the court treated Google’s assertion that Gmail users had consented to the scanning under its end-user agreement.  The court held that the agreement did not adequately spell out Gmail’s practices.  Nor did it explain how Google would use the information it was scanning.  Additionally, the court found that non-Gmail users, whose emails to Gmail users would also be scanned, did not consent to the user agreement.  This ruling suggests that developers should continually be transparent about their practices, including the purpose of the information they are collecting.  And developers should be mindful about non-users who may interact with their platform, and whether such users’ consent raises privacy concerns.

In a separate suit, LinkedIn is accused of improperly accessing a user’s contacts through the user’s email account.  Upon logging in, LinkedIn asks for permission to access a user’s email account to discover the user’s contacts.  And once these contacts’ addresses are imported, LinkedIn asks for permission to invite them to connect.  Rather than asking the user to opt in, however, LinkedIn preselects all of the contacts it wishes to invite on the users behalf, and requires the user to uncheck contacts that should not be invited.  Under the procedure, a user may unwittingly send out hundreds of invitations to contacts in his/her address book. The lawsuit alleges that LinkedIn will email these contacts two reminder emails, and there is no way to unsend the invitations.  Finally, plaintiffs criticize LinkedIn’s notification of its terms of use policy because it does not require the user to actually view it or click through the policy.  Though the court has not ruled on the legality of LinkedIn’s practices, prudent developers will affirmatively require users to select contacts to invite to a service and generally disclose the implications of the users’ actions.  Additionally, developers should remember to require users to actually click through the terms of use (as opposed to simply requiring users to check a box).

The lawsuits are In re: Google Inc. Gmail Litigation, 13-MD-02430-LHK, and Perkins et al. v. LinkedIn Corporation, Case No. 13-cv-04303-HRL.

1 Comment

Amendments to CalOPPA Allow Minors to “Erase” Information from the Internet and Also Restricts Advertising Practices to Minors

On September 23, 2013, California Governor Jerry Brown signed SB568 into law, which adds new provisions to the California Online Privacy Protection Act. Officially called “Privacy Rights for California Minors in the Digital World,” the bill has already garnered the nickname of the “Internet Eraser Law,” because it affords California minors the ability to remove content or information previously posted on a Web site. The bill also imposes restrictions on advertising to California minors.

California Minors’ Right to Remove Online Content

Effective January 1, 2015, the bill requires online operators to provide a means by which California minors may remove online information posted by that minor. Online operators can elect to allow a minor to directly remove such information or can alternatively remove such information at a minor’s request. The bill further requires that online operators notify California minors of the right to remove previously-posted information.

Online operators do not need to allow removal of information in certain circumstances, including where (1) the content or information was posted by a third party; (2) state or federal law requires the operator or third party to retain such content or information; or (3) the operator anonymizes the content or information. The bill further clarifies that online operators need only remove the information from public view; the bill does not require wholesale deletion of the information from the online operator’s servers.

New Restrictions on Advertising to California Minors

Also effective January 1, 2015, the bill places new restrictions on advertising to California minors. The bill prohibits online services directed to minors from advertising certain products, including alcohol, firearms, tobacco, and tanning services. It further prohibits online operators from allowing third parties (e.g. advertising networks or plug-ins) to advertise certain products to minors. And where an advertising service is notified that a particular site is directed to minors, the bill restricts the types of products that can be advertised by that advertising service to minors.


Given the sheer number of California minors, these amendments to CalOPPA will likely have vast implications for online service providers. First, the bill extends not just to Web sites, but also to mobile apps, which is consistent with a general trend of governmental scrutiny of mobile apps. Online service providers should expect regulation of mobile apps to increase, as both California and the Federal Trade Commission have issued publications indicating concerns over mobile app privacy. Second, the bill also reflects an increased focus on privacy of children and minors. Developers should consider these privacy issues when designing Web sites and mobile apps, and design such products with the flexibility needed to adapt to changing legislation. Thus, any business involved in the online space should carefully review these amendments and ensure compliance before the January 1, 2015 deadline.

Leave a comment

Upcoming Program in D.C. on Career Opportunities in Privacy, Advertising, and Consumer Protection Law

Advertising, Consumer Protection, & Privacy Law: An Emerging Practice with Exciting Career Opportunities

Presented by the ABA Section of Antitrust Law

Private Advertising Litigation Committee
Consumer Protection Committee
Privacy and Information Security Committee

Wednesday, October 23, 2013
12:00pm to 1:00pm Eastern Time

George Washington University Law School
Lisner Hall Room 201 (Student Conference Center)
2023 G Street, N.W.
Washington, D.C. 20052

Join young attorneys from the ABA Antitrust Section for a discussion about exciting new career opportunities in advertising, consumer protection, and privacy law. This program will provide students and other junior attorneys with the opportunity to dialogue with young attorneys in the field about pathways into these emerging areas of the law. It will also include a broad overview of the relevant laws and agencies that operate within the fields. The discussion will conclude with an opportunity to ask questions about what led the speakers to these fields. This program will be held live at George Washington University Law School. GW law students and non-students who would like to attend in person should RSVP to Kevin Motsinger at with “ABA Antitrust” as the subject line. Registration for the live teleconference of this event is available through the link on the attached Program Flyer.  All other questions may be directed to David Conway at


• David Conway, Venable LLP


• Andi Arias, Federal Trade Commission, Division of Privacy & Identity Protection
• Donnelly McDowell, Kelley Drye
• Ella Krainsky, Federal Trade Commission, Division of Advertising Practices
• Mona Thakkar, Volkswagen Group


The ABA is not seeking CLE credit for this program.

Audio Archive

Provided all releases are obtained, MP3 recordings of this program will be available to Section members on the Committee Program Audio page.

1 Comment

Online Privacy Is Getting Interestinger and Interestinger!

In case you haven’t heard, online privacy is getting very complicated and Internet users are worried.  It’s no wonder given all the activity in the industry, with daily stories on stolen identities and data breaches, companies you’ve never even heard of collecting information about you and even mobile game applications knowing about your physical whereabouts. (Let’s not even get into the recent NSA PRISM disclosures!)  So different than in the 1990s when online privacy was pretty much an “Opt-in” or “Opt Out” proposition or people didn’t even know to worry about it.   Today, things are much more complex.  Pew Research Center’s recently published survey, Anonymity, Privacy, and Security Online, confirms that not only do most users want control over their online personal information but fear that this is no longer possible. 

It isn’t just government surveillance that people are worried about; in fact, users are more intent on masking their personal information–things like email and download content, contacts and their online presence–from hackers and advertisers to even friends and family members.  How hard are they trying to hide?  Well, the study reports that 64 percent of users clear their browser history or disable cookies while 14 percent have resorted to setting up anonymous browsing capabilities.  And, 13 percent actively misidentify themselves in their efforts to “hide.”  It’s not that individuals want to be completely hidden online, they just want to decide when they are unseen based on what kind of data is at issue, who might be watching, and what they think might happen if they don’t hide.  Not surprisingly, the younger and more sophisticated users are more likely to “bounce” back and forth between disclosing who they are and remaining anonymous depending on what they are doing online.


Personal photos top the list of key pieces of personal information users know are available online.  Next come birthdates, phone numbers (both cell and home), home addresses and group affiliations.  Over one third of online users avoid websites that ask for their name, and 41 percent have deleted or modified a prior posting.

Perhaps users are more aware of what information about them is floating around out there in cyberspace because cybersecurity is having a hard time keeping up with the sophisticated methods of hackers.  21% of online adults report having had an email or social media account hijacked and 11% having had vital information like Social Security numbers, bank account data, or credit cards stolen.  With all this complexity and increasing numbers of identify theft, it is not surprising then that 68% of those surveyed do not believe current laws are sufficient to protect individual online privacy.  So what’s to be done?  Industry groups are racing to pull together self-regulatory measures and codes of conduct in an effort to avert what they fear could be cumbersome and over-reaching legislation and regulations in both the security and privacy spheres—whether or not they succeed in time remains to be seen. And, of course, the government is keeping a careful watch over the whole issue (pun intended)!


Leave a comment

FTC Cracks Down on Webcam Company for Lack of Security

In its first move to address privacy concerns raised by the interconnectivity of multiple devices commonly referenced as the “Internet of Things,” the Federal Trade Commission last week entered an agreement with TrendNet, resolving allegations that the company failed to adequately protect its customers’ private video feeds.

TrendNet, a retailer of Internet and other mobile devices, manufactures IP cameras that permit customers to monitor their homes or businesses remotely, via live video and audio feeds. The live feeds are transmitted via Internet and can be accessed by the customer via computer or mobile device.

Though TrendNet advertised its customers SecurView cameras as secure, the Commission alleges the company’s representations were misleading. According to the Commission’s complaint, from January 2010, the company — whose motto is “Networks People Trust” — transmitted unencrypted user login credentials over the Internet and failed to implement reasonable security measures to prevent unauthorized access to live feeds. The Commission also alleges TrendNet failed to take reasonable steps to ensure that its customers’ security settings would be honored.

In January 2012, a hacker publicly exposed the flaw in TrendNet’s system, posting links to almost 700 customers’ live feeds. The feeds displayed footage of infants sleeping in cribs, young children playing, and private rooms in customers’ homes. TrendNet issued a software patch to resolve the problem affecting 20 of its IP camera models, but it was not an automatic upgrade.

Pursuant to its agreement with the Commission, TrendNet is immediately required to install and maintain a comprehensive security program to protect its customers’ personal information. TrendNet is also required to conduct periodic risk assessments of its security systems for the next 20 years, which will include responding to third-party security vulnerability reports.

TrendNet also must notify its customers of the flaw that allowed third parties to access their live feed information and provide instructions and live customer support on how to resolve the flaw.

Though this is the Commission’s first order against this type of retailer, this case parallels other actions taken by the Commission against companies that misrepresented the nature or extent of its measures to protect its customers’ personal information. As recently as last month, the Commission issued an administrative Part 3 complaint against medical testing laboratory LabMD, Inc. for failing to protect the security of the medical information and other personal data of nearly 10,000 consumers.

Practical Points to Consider

As companies continue to develop interconnected products that link to the Internet, consumer privacy and security issues will become increasingly important. Some practical points for any business to consider are the following:

  • If your company is responsible for accessing or storing a customer’s sensitive information, take reasonable steps to ensure that information is secure.
  • Periodically assess your system for risks, for instance, by implementing regular vulnerability testing or by conducting a periodic review of third-party vulnerability reports.
  • Regularly audit your system to verify that data access restrictions are consistent with each user’s individual security settings.
  • To minimize risk further, periodically assess whether the consumer information being collected and retained is actually necessary to the successful operation of your business.