The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Class Action Suit Filed Against Google, Alleges Email Interception and Eavesdropping under California’s CIPA

A class action suit was filed last month against Google in the Superior Court of California. The class consists of all California residents who are not Gmail subscribers and who have sent an email from a non-Gmail email account to a Gmail subscriber.

The complaint alleges that Google intentionally intercepted emails sent to Gmail subscribers by individuals who are not Gmail subscribers, and that Google then reviewed the words, content and thought processes contained in these emails.

According to the complaint, while Gmail subscribers consented to their emails, including incoming email, being reviewed by Google, the senders of these non-Gmail emails have not given Google consent to intercept emails sent from their non-Gmail accounts. Because this interception occurs before the email is delivered to the Gmail subscriber, the complaint alleges that it constitutes wiretapping and eavesdropping in violation of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq.

Cal. Penal Code § 630 states the intent of CIPA:

“The Legislature hereby declares that advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society. The Legislature by this chapter intends to protect the right of privacy of the people of this state.”

Wiretapping: Cal. Pen. Code § 631 provides for the liability of "[a]ny person who … willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state." The complaint claims that Google violated § 631.

Eavesdropping: If Google's conduct is not wiretapping, the complaint alleges in the alternative that Google has violated Cal. Pen. Code § 632, which makes it illegal to eavesdrop on confidential communications, including e-mail conversations.

The complaint seeks an order requiring Google to cease violating CIPA, and also seeks an award of statutory damages for each member of the class.

The case will be interesting to follow, as a California court held last April that the Federal Wiretap Act does not completely preempt California's Invasion of Privacy Act. Cindy Leong v. Carrier IQ Inc et al, Carey Eckert v. Carrier IQ Inc et al, CV 12-01564, United States District Court, C.D. California. In that case, the defendant had filed a notice of removal, arguing that "[c]ourts in both the Central and Northern Districts of California have held that the Federal Wiretap Act, as amended by the ECPA in 1986, comprehensively regulates privacy claims concerning electronic communications." The Court was not convinced by these arguments, holding that the California law is more restrictive than the Federal law, and that the Federal law supersedes state law only to the extent that state law offers less protection.


FTC Brings Action against Wyndham Hotels for Failure to Protect Consumers’ Personal Information

The Federal Trade Commission (FTC) filed a complaint on June 26 against Wyndham Worldwide Corporation and three of its subsidiaries, alleging a failure to maintain reasonable and appropriate data security for consumers' sensitive personal information. The FTC claims that because of this failure, intruders were able to gain unauthorized access to the Defendants' computer networks. This led to fraudulent charges on consumers' accounts, causing more than $10.6 million in losses, and to the export of credit card account information to a domain registered in Russia.

Defendants Controlled the Hotels’ Computer Systems

Independent hotels operating under a franchise agreement with Wyndham Hotels had to use a property management system designed by Defendants, which stored consumers' personal information, including payment information. This system was linked to the Wyndham Hotels corporate network, much of which was located at a Phoenix, Arizona data center operated by Wyndham Hotels. Only Defendants had administrator access to the property management systems of the independent hotels. Defendants also had direct control over the computer networks of the Wyndham-branded hotels managed by one of the Defendants, Hotel Management.

Privacy Policies

Wyndham Worldwide was responsible for creating information security policies for itself and for its subsidiaries, and for overseeing subsidiaries’ information security programs.

Defendants have published privacy policies on their websites since at least 2008, claiming that they will safeguard customers' personally identifiable information “by using standard industry practices,” and that they will “take commercially reasonable efforts to create and maintain 'fire walls' and other appropriate safeguards” to protect customers' information.

Inadequate Data Security Practices

However, the FTC claims that Defendants' data security practices were inadequate and thus unnecessarily exposed consumers' personal data to unauthorized access and theft, and that these security failures led to fraudulent charges on consumers' accounts.

The FTC alleges such shortcomings as storing credit card information in clear, readable text, failing to limit access between the different property management systems, and failing to secure Defendants' servers. Defendants also did not require the use of complex passwords to access the property management systems, and allowed the use of easily guessed passwords.

The FTC claims that these shortcomings allowed intruders to gain unauthorized access to Wyndham Hotels' computer networks on three separate occasions, using similar techniques each time. After discovering each of the first two breaches, Defendants failed to take appropriate measures to prevent another breach.

Violations of the FTC Act

According to the complaint, the representations made in Defendants' privacy policies were thus false. The FTC alleges that even though Defendants represented to their customers that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access, they had not in fact implemented these measures, so the representations made to customers were unfair and deceptive and violated the FTC Act. The FTC also claims that this failure to safeguard consumers' personal information caused, or was likely to cause, substantial injury to consumers.


Canada’s Anti-Spam Law is coming – and will affect US businesses

Canada's Anti-Spam Law (CASL) is now expected to enter into force in 2013. Don't expect things to sit idle until then, however.

3 Next Steps for CASL in 2012

Following are three next steps for 2012, ranked in order of importance to industry stakeholders:

1. Industry Canada to issue new set of regulations for comment

While businesses had hoped that regulations would clarify key terms and obligations under the Act, and lessen the Act's impact on certain types of communications, many stakeholders were disappointed. Many businesses considered that neither the draft Industry Canada regulations nor the Canadian Radio-television and Telecommunications Commission (CRTC) regulations, as finalized, went far enough to clarify obligations. Moreover, neither set of regulations provided the exemptions many businesses have called for, to exclude certain categories or types of messages from CASL's consent requirements.

A glimmer of hope is in sight: Industry Canada is expected to publish a new set of regulations for comment in the coming weeks. These regulations are expected to contain some exemptions from the application of CASL requirements. During the comment period, businesses will have the opportunity to comment on the regulations and seek further changes to make CASL more workable.

2. CRTC to issue a series of information bulletins for industry

Anyone who has tried to read through CASL's provisions and the accompanying CRTC regulations knows that they tend to raise at least as many questions as they answer.

The CRTC is expected to issue information bulletins in the coming weeks and months to help clarify what is meant, and required, by some key elements of the regulations. These bulletins may address matters such as what it means to obtain consent “in writing” online, and how far businesses must go to make information accessible in “commercial electronic messages”.

3. Spam Reporting Centre

The government is currently reviewing bids by third-party service providers to operate the Spam Reporting Centre. The Centre will act as a liaison between the public and the government agencies (CRTC, Office of the Privacy Commissioner, Competition Bureau) on spam complaints and monitoring. The government states that:

“When operational, the Spam Reporting Centre will accept various types of electronic messages from individuals and organizations in Canada. Reporting spam and related electronic threats will not stop such threats completely; however, the data sent to the Spam Reporting Centre will help it identify trends, and try to find out who is sending the spam and other threats and from where. This will aid in the future prosecution and civil proceedings against those responsible for electronic threats in Canada and internationally.”

The final line of the above quote, “future prosecution and civil proceedings” and “threats in Canada and internationally”, is a stark reminder of two important points.

First, the government means business. Its objective is to “drive spammers out of Canada” (then Minister of Industry Tony Clement, 2010). Second, CASL is designed to reach beyond Canada. It is designed to capture commercial electronic messages that may be sent from other countries, and also to provide the framework for international monitoring and enforcement.

3 Things to do while you “wait” for CASL in 2013:

  1. Participate in the comment process on the coming draft Industry Canada regulations.
  2. Remind yourself of the differences between the U.S. CAN-SPAM requirements and CASL.
  3. Use the lead time before CASL's entry into force to get your operations in order: prepare your organization's CASL audit, checklist, and compliance policy. The CAN-SPAM vs. CASL presentation can help explain the basics.

LinkedIn Passwords Leaked by Hackers

Social networking website LinkedIn is investigating claims that over six million users' passwords have been leaked onto the Internet. BBC News reports that hackers posted a file containing hashed passwords to a Russian web forum. According to SecurityWeek, the website Dagens IT reported that the lists were uploaded in an effort to crowd-source their cracking, i.e., the hacking community was invited to participate in recovering the passwords. Presently, some 300,000 passwords have been cracked. While it is unclear how many of those passwords are associated with LinkedIn accounts, many of the cracked passwords that have been publicly posted contain the phrase "LinkedIn" in some form. LinkedIn has confirmed on its blog that "some" of the compromised passwords correspond to LinkedIn accounts. According to the blog, those passwords are no longer valid and affected users will receive further instructions by email.

The news comes on the heels of yesterday's discovery by security researchers of a privacy flaw in LinkedIn's mobile app. According to Skycure Security, the mobile app was automatically sending unencrypted calendar entries to LinkedIn servers without users' knowledge or consent. The information included meeting notes, which often contain sensitive details such as dial-in numbers and passcodes for conference calls. Skycure reported that the names and email addresses of the meeting organizer and attendees were being collected even for those who did not have a LinkedIn account. This practice arguably violates Apple's privacy guidelines, which prohibit apps from transmitting personal data without users' informed consent. In response, LinkedIn issued a statement that it would no longer send data from the meeting notes section of users' calendars, and that it would include a new "learn more" link to provide greater transparency about LinkedIn's data collection and use practices.

As a precautionary measure, security experts advise that all LinkedIn users immediately change their passwords.


FCC Fines Google in Street View Case for Lack of Cooperation in Inquiry, But No Enforcement Action Sought

One remembers the stir that Google's Street View project created during 2010 in the United States, Canada, and the European Union, when it was discovered that the California company had collected WiFi network data as its Street View cars roamed the streets of the world, taking pictures of the environment in order to create a comprehensive map. It turned out that this data included “payload” data, that is, the content of emails, text messages, and even passwords.

Google first denied collecting payload data, then admitted it but stated that such data was fragmented, and finally acknowledged in October 2010 that entire emails had sometimes been captured. Following that statement, the Federal Communications Commission (FCC) opened an inquiry to determine whether such conduct violated section 705(a) of the Communications Act of 1934, which prohibits the interception of interstate radio communications unless authorized by the Wiretap Act.

Google had argued that, under the Wiretap Act, which prohibits the intentional interception of electronic communications, it is not unlawful to intercept electronic communications made through a system readily accessible to the general public, and that this definition encompasses unencrypted WiFi networks.

On April 13, 2012, the FCC issued a Notice of Apparent Liability for Forfeiture (NAL) finding that Google “apparently willfully and repeatedly violated [the FCC] orders to produce… information and documents” that the FCC had requested. Such conduct carries a $25,000 penalty. However, the FCC decided not to take any enforcement action under Section 705(a), as “[t]here is not clear precedent for applying [it] to… Wi-Fi communications.”

Illegal Now For Maryland Employers to Ask for Employees' Electronic Account Passwords

The State of Maryland could become the first State to pass a law prohibiting employers from requesting that employees disclose passwords giving access to a personal electronic account. That would cover email accounts, but also social networking accounts. The bill now awaits the Governor's signature.

Employers will be prohibited from taking, or threatening to take, disciplinary action if an employee refuses to disclose her passwords. Employers will also be prohibited from refusing to hire an applicant because of his refusal to disclose his passwords.

In 2010, Robert Collins, a Maryland corrections officer, was asked to provide the Maryland Division of Corrections (DOC) with his Facebook login information during a recertification interview. The American Civil Liberties Union of Maryland sent a letter in January 2011 to DOC Secretary Gary Maynard. Secretary Maynard answered in February 2011 and ordered the practice suspended for 45 days to allow further study of the issue. The DOC then revised its policy: candidates would have to sign a form stating that they understand that providing their passwords is voluntary.

A similar bill is still being discussed in Illinois. Is a federal law around the corner? Senator Richard Blumenthal (D-Conn) plans to introduce a bill that would prevent employers from asking applicants to provide their social media passwords as part of the hiring process.

Class Action Lawsuit Filed Against Eighteen Companies For Allegedly Distributing Privacy-Invading Mobile Applications

Last week, a class action lawsuit was filed against eighteen technology and social networking companies in Texas federal district court for allegedly distributing privacy-invading mobile applications ("apps"). Opperman et al. v. Path, Inc. et al., Case No. 1:12-cv-00219-SS (W.D. Tex. March 12, 2012). The companies sued were Path, Twitter, Apple, Facebook, Beluga, Yelp!, Burbn, Instagram, Foursquare Labs, Gowalla, Foodspotting, Hipster, LinkedIn, Rovio Mobile Oy, ZeptoLab, Chillingo, Electronic Arts, and Kik Interactive. The 152-page class action complaint begins with an adage from Robert Fulghum's book, All I Really Need to Know I Learned in Kindergarten: "Don't take things that aren't yours." The platitudes continue. The plaintiffs allege that the defendants, through these apps, "surreptitiously harvest, upload and illegally steal the owner's address book data without the owner's knowledge or consent." Due to the ubiquity of wireless networks, the end result is that the defendants have "quite literally, turned the address book owners' wireless mobile device into mobile radio beacons broadcasting and publicly exposing the unsuspecting device owner's address book data to the world."

The plaintiffs are thirteen Austin-area residents, primarily iPhone users. Between them they have installed all of the defendants' apps that are allegedly conducting illegal reconnaissance on the information contained in their address books, including contact names, phone numbers, physical and email addresses, job titles, and birthdays. The accused apps include the usual suspects such as Facebook, Twitter, and Foursquare, in addition to popular games such as Angry Birds and Cut the Rope.

The plaintiffs and the putative class members accordingly seek injunctive, equitable, statutory, and monetary relief for, inter alia, invasion of privacy and violations of numerous provisions of state and federal law, including the Electronic Communications Privacy Act (18 U.S.C. §§ 2701 et seq.) and the Computer Fraud and Abuse Act (18 U.S.C. § 1030(g)), along with violations of the Racketeer Influenced and Corrupt Organizations Act (including 18 U.S.C. § 1343 (wire fraud), §§ 1961-64 (civil liability for racketeering activities and conspiracies), and § 2314 (transportation of stolen property)). The putative class includes all owners of iOS- or Android-based wireless mobile devices who acquired any application that "without the owner's prior effective consent accessed, copied, uploaded, transferred, broadcast and/or otherwise used any portion of the owner's address book data . . . that the owner had transferred onto the owner's wireless mobile device."

A copy of the complaint can be found here.