The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

LinkedIn Passwords Leaked by Hackers

Social networking website LinkedIn is investigating claims that over six million users’ passwords have been leaked onto the Internet. The BBC News reports that hackers posted a file containing encrypted passwords onto a Russian web forum. According to SecurityWeek, the website Dangens IT reported that the lists were uploaded in an effort to crowd-source their cracking, i.e., the hacking community was invited to participate in the decryption. Presently, some 300,000 passwords have been cracked. While it is unclear how many of those passwords are associated with LinkedIn accounts, many cracked codes that have been publicly posted contain the phrase "LinkedIn" in some fashion. LinkedIn has confirmed on its blog that "some" of the compromised passwords correspond to LinkedIn accounts. According to its blog, those passwords are no longer valid and affected users would be receiving further email instructions.

The news comes at the heels of yesterday’s discovery by security researchers of a privacy flaw in LinkedIn’s mobile app. According to Skycure Security, the mobile app was automatically sending unencrypted calendar entries to LinkedIn servers without users’ knowledge or consent. The information included meeting notes, which often contain personal information such as dialing numbers and passcodes for conference calls. Skycure reported that the names and email addresses of the meeting organizer and attendees were being collected even for those who did not have a LinkedIn account. This practice arguably violates Apple’s privacy guidelines that prohibit apps from transmitting personal data without users’ informed consent. In response, LinkedIn issued a statement that it would no longer send data from the meeting notes section of users’ calendar, and that it would include a new "learn more" link to provide greater transparency in LinkedIn’s data collection and use practices.

As a precautionary measure, security experts advise that all LinkedIn users immediately change their passwords.

Leave a comment

FCC Fines Google in Street View Case for Lack of Cooperation in Inquiry, But No Enforcement Action Sought

One remembers the stir that Google’s Street View project created during 2010 in the United States, Canada, and the European Union, when it was discovered that the California company had collected WiFi  network data, when its Street View cars roamed the streets of the world, taking pictures of the of the environment in order to create a comprehensive map. It turned out that this data included “payload” data, that is, the content of emails, text messages, or even passwords.

Google had first denied payload data collection, then admitted it, but stated that such data was fragmented, and then finally acknowledged in October 2010 that sometimes entire emails had been captured. Following that statement, the Federal Communications Commission (FCC) started an inquiry to determine whether such conduct violated section 705(a) of the Communications Act of 1934, which prohibits the interception of interstate radio communications, except if authorized by the Wiretap Act.  

Google had argued that, under the Wiretap Act, which prohibits the intentional interception of electronic communications, it is not unlawful to intercept electronic communications made though a system readily accessible to the general public, and that such a definition encompassed unencrypted WiFi communications networks.  

On April 13, 2012, the FCC filed a Notice of Apparent Liability for Forfeiture (NAL) finding that Google “apparently willfully and repeatedly violated [the FCC] orders to produce… information and documents” that the FCC had requested. Such conduct would carry a $25,000 penalty. However, the FCC decided not to take any enforcement action under Section 705(a), as “[t]here is not clear precedent for applying [it] to… Wi-Fi communications.”

Leave a comment

Illegal Now For Maryland Employers to Ask for Employees Electronic Account Passwords


 The State of Maryland could become the first State to pass a law prohibiting employers to request employees to disclose their passwords allowing access to a personal electronic account. That would cover email accounts, but also social networking accounts.  The bill now awaits the Governor’s signature.

Employers will be prohibited from taking, or threatening to take disciplinary actions, if the employee refuses to disclose her passwords. Employers will also be prohibited from refusing to hire an applicant because of his refusal to disclose his passwords.

In 2010, Robert Collins, a Maryland corrections officer was asked to provide the Maryland Division of Corrections (DOC) his Facebook login information during a recertification interview. The American Civil Liberties Union of Maryland sent a letter in January 2011 to DOC Secretary Gary Maynard. Secretary Maynard answered in February 2011 and ordered the practice be suspended for 45 days to allow further study of the issue. The DOC then revised its policy: candidates would have to sign a form stating that they understand that providing their passwords is voluntary.

A similar bill is still being discussed in Illinois. Is a federal law around the corner? Senator Richard Blumenthal (D-Conn) plans to introduce a bill which would prevent employers to ask applicants to provide their social media passwords as part of the hiring process.


Leave a comment

Class Action Lawsuit Filed Against Eighteen Companies For Allegedly Distributing Privacy-Invading Mobile Applications

Last week, a class action lawsuit was filed against eighteen technology and social networking companies in Texas federal district court for allegedly distributing privacy-invading mobile applications ("apps"). Opperman et. al. v. Path, Inc. et. al, Case No. 1:12-cv-00219-SS (W.D. Tex. March 12, 2012). The companies sued were Path, Twitter, Apple, Facebook, Beluga, Yelp!, Burbn, Instagram, Foursquare Labs, Gowalla, Foodspotting, Hipster, LinkedIn, Rovio Mobile Oy, ZeptoLab, Chillingo, Electronic Arts, and Kik Interactive. The 152-page class action complaint begins with an adage from Robert Fulghum’s book, All I Really Need to Know I Learned in Kindergarten: "Don’t take things that aren’t yours." The platitudes continue. The plaintiffs allege that the defendants, through these apps, "surreptiously harvest, upload and illegally steal the owner’s address book data without the owner’s knowledge or consent." Due to the ubiquity of wireless networks, the end result is that the defendants have "quite literally, turned the address book owners’ wireless mobile device into mobile radio beacons broadcasting and publicly exposing the unsuspecting device owner’s address book data to the world." The plaintiffs are thirteen Austin-area residents and primarily iPhone users. They have collectively installed all of the defendants’ apps that are allegedly conducting illegal reconnaissance on the information contained in their address books, including contact names, phone numbers, physical and email addresses, job titles, and birthdays. The illicit apps include the usual suspects such as Facebook, Twitter, and Foursquare, in addition to popular games such as Angry Birds and Cut the Rope.

The plaintiffs and the putative class members accordingly seek injunctive, equitable, statutory, and monetary relief for, inter alia, invasion of privacy and violations of numerous provisions of state and federal law, including the Electronic Communication Privacy Act (18 U.S.C. §§ 2701, et. seq.), the Computer Fraud and Abuse Act (18 U.S.C. § 1030(g)), along with violations of the Racketeer Influenced & Corrupt Organizations Act (including 18 U.S.C. § 1343 (wire fraud), §§ 1961-64 (civil liability for racketeering activities and conspiracies), and § 2314 (transportation of stolen property)). The putative class includes all owners of iOS- or Android-based wireless mobile devices who acquired any application that "without the owner’s prior effective consent accessed, copied, uploaded, transferred, broadcast and/or otherwise used any portion of the owner’s address book data . . . that the owner had transferred onto the owner’s wireless mobile device."

A copy of the complaint can be found here.

Leave a comment

New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012.  The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to entry into force CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.

Leave a comment

White House Announces Privacy Policy Framework

The Executive Office of the President today released a 52-page framework document setting out the Obama Administration’s policies "for protecting privacy and promoting innovation in the global digital economy."  The policy framework includes four principal elements: A Consumer Privacy Bill of Rights, a multistakeholder process to agree how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of international partners. 

The Administration acknowledges that existing United States privacy law and policy "effectively address some privacy issues" but adds that "additional protections are necessary to preserve consumer trust" in the online environment.  The framework therefore calls for consumer data privacy legislation, under which the FTC and State Attorneys General would have authority to enforce the Consumer Privacy Bill of Rights.

The baseline protections – described as "privacy principles recognized throughout the world" – established in the Consumer Privacy Bill of Rights are:

Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how it is used.

Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which they provide the data.

Security: Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is accurate.

Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure that they adhere to the Consumer Privacy Bill of Rights.

Going forward, the Administration encourages privacy stakeholders, including the private sector, to implement the Consumer Privacy Bill of Rights through the auspices of the Commerce Department; it also commits to work with Congress to "write these flexible, general principles into law."

Leave a comment

Markey Releases Bill to Address Issue of Smart Phone Monitoring Software.

Congressman Markey (D-Mass.), co-chair of the Bi-Partisan Congressional Privacy Caucus, released a discussion draft of a bill today aimed at addressing the privacy concerns brought to light recently regarding the use of monitoring software on mobile phones. The proposed bill, named the Mobile Device Privacy Act, would require several companies involved with mobile phones to disclose the use of phone monitoring software and obtain the user’s express consent to transmission of data from the phone. 
The bill would require disclosures regarding use of phone monitoring software prior to the sale of a phone by the company selling the phone, and after the sale by the wireless carrier, manufacturer, and/or providers of mobile phone apps if monitoring software is later installed on the phone. The required disclosures would identify the following: the types of information the monitoring software is capable of collecting and transmitting, any person to whom the data will be transmitted, how the data will be used, and whether such data will be shared. The bill would also require the Federal Trade Commission to promulgate regulations imposing reasonable information security obligations upon recipients of data from monitoring software.
Violations of the proposed bill could be enforced by the Federal Trade Commission (as an unfair or deceptive act or practice), the Federal Communications Commission (as a violation of the Communications Act of 1934) and state attorneys general. There is also a private right of action with the ability to seek the greater of $1,000 per violation or actual damages, with treble damages for willful violations. 
Markey’s bill comes in the wake of the recent controversy over the use by several wireless carriers and phone manufactures of Carrier IQ monitoring software. The Carrier IQ controversy came to light last fall by a researcher who discovered and reported that Carrier IQ software secretly collects vast amounts of data regarding use of a mobile phone. The controversy resulted in Markey requesting investigation by the FTC, Senator Franken (D-Minn.) requesting information from Carrier IQ, and numerous putative class action law suits. In a statement released in response to Senator Franken’s request, Carrier IQ claims that its software is only used by wireless carriers to diagnose network problems and provide customer care.

Leave a comment

Warrantless GPS Tracking is Unconstitutional Government Trespass


st1\:*{behavior:url(#ieooui) }

/* Style Definitions */
{mso-style-name:”Table Normal”;
mso-padding-alt:0in 5.4pt 0in 5.4pt;
font-family:”Times New Roman”;}

In a 9-0 opinion released on Monday, the Supreme Court found that the installation of a Global-Positioning-System (GPS) device on a suspected drug dealer’s car without a current search warrant violated the Fourth Amendment’s prohibition on unreasonable searches. All nine justices agreed on the fundamental Fourth Amendment proposition but differed in their reasoning, leaving uncertain the scope of digital privacy.

The high court heard the case after the D.C. Circuit overturned the conviction of Antoine Jones, a nightclub owner convicted for conspiracy to distribute cocaine. His conviction was primarily based on the 2000 pages of data transmitted from the GPS device agents had secretly planted on Jones’s car for 28 days.

The majority opinion, written by Justice Scalia and joined by Chief Justice Roberts and Justices Kennedy, Thomas, and Sotomayor, emphasized the fact that the Government had physically occupied private property for the purpose of obtaining information. Applying traditional notions of trespass to the Fourth Amendment analysis, the high court stated, "[w]e have no doubt that such a physical intrusion would have been considered a `search’ within the meaning of the Fourth Amendment when it was adopted." While the majority made clear that the trespass test was not the exclusive test, it declined to address to what degree the reasonable expectation of privacy test applied in digital privacy cases not involving a trespass.

A concurrence authored by Justice Alito and joined by Justices Ginsburg, Breyer, and Kagan, criticized the majority’s reliance on the trespass-based rule or what Justice Alito described as “18th century tort law.” Justice Alito would have analyzed the question presented by asking whether Jones’s reasonable expectations of privacy were violated by long-term GPS monitoring. He noted the panoply of new devices operating GPS technology, such as smart phones and other location-based services offered as social tools. In an environment of dramatic technological change, Justice Alito acknowledged that the best solution to privacy concerns may be legislative. In the absence of such guidance, Justice Alito’s concurrence suggests the exclusive application of the reasonable expectation test to all digital privacy cases.

An additional concurring opinion by Justice Sotomayor feared the majority decision would provide little guidance in cases of electronic or other novel modes of surveillance that do not depend on a physical invasion of property. Her concern touched less on the mode of surveillance than on the content of sensitive data collected. Accordingly, Sotomayor suggested a paradigm shift in the way that privacy issues are considered. In her view, the premise that the individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties is ill-suited to the digital age and should be reformed.

At a minimum, this case demonstrates the Supreme Court’s recognition of the need to preserve privacy in an increasingly digital age. Given the majority’s limited holding, however, many questions about digital privacy remain unanswered.

Leave a comment

Comparing CAN-SPAM to Canada’s new Anti-Spam Law

Those who operate or have customers in the U.S. market, are already familiar with the requirements of the 2003 CAN-SPAM Act. If your operations or customers extend into Canada, however, there are new Canadian Anti-Spam rules you need to know. Why? Because these new rules will impact how you engage in online communications in Canada, starting in early 2012.

The SlideShare presentation linked below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL also applies not only to e-mail, but also to IM, text and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. This means that a message can be sent from outside Canada.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

More steps will be needed under CASL to be permitted to communicate online.

Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability:

1 Comment

Spain Enforces “Right to Be Forgotten”

Spain’s Data Protection Agency has ordered Google to delete personal information regarding approximately 90 individuals from Google’s search engine indexes. These individuals filed formal complaints with the Data Protection Agency alleging that certain personal information, such as decades old arrest records and the current address of a domestic violence victim, should not be accessible through the Internet. In ordering Google to delete information, the Data Protection Agency indicated that every individual has the “right to be forgotten” and have certain information deleted from the Internet.

The Agency and Google are now engaged in a lawsuit regarding whether Google can be required to remove certain information from its search indexes. Privacy experts have expressed concern that requiring search engines to delete certain personal information could restrict access to public information. Regardless of the outcome, however, the European Union is expected to draft legislation later this year that could include a “right to be forgotten” provision and allow individuals to have certain information deleted from the search indexes or websites.