Accepting Guest Blog Posts

I have accepted a position that will not allow me to write in 2016. However, I want to continue to provide information on cyber, intellectual property (IP), social media, security, privacy, and technology law and policy to you all.  So…. I am accepting  submissions from guest bloggers!

Please send me your best cyber, IP and tech law and policy posts. Many of this blog’s followers are entrepreneurs, technophiles, tech novices, bloggers, social media user and those intrigued by tech, so please cater your posts to that audience. Please send posts to thedigitalcounselor@gmail.com. I will notify you if your post is selected.

Thank you for your submission, in advance, and more importantly, THANK YOU FOR READING!

I hope the readers find previous posts and any information others are able to provide in my absence helpful! And I look forward to returning in 2017!!

The Future of the Internet of Things: Utopia or Disaster?

Guest post by Mr. Leon Silver.

Leon Silver, National Practice Group leader of Gordon & Rees’ Retail & Hospitality Practice Group and a privacy law expert, hosted a seminar on Privacy and The Internet of Things on June 25 at the State Bar of Arizona annual convention at the Arizona Biltmore. He provided this recap of the discussion.

Throughout the many articles and blog posts on the topic of the Internet of Things (IoT), I’ve noticed a recurring theme. Everyone is talking about the fact that no one is talking about the privacy implications of ubiquitous connectivity and data mining through the IoT. This summer I had the opportunity to lead a panel discussion at the Arizona State Bar convention to further the conversation about privacy and security on the Internet of Things.

The panel included K Royal, Privacy Counsel at CellTrust, Inc., an attorney and compliance professional with over 20 years of experience in the legal and health-related fields; Dan Christensen, Global Group Counsel of IT, Privacy & Security at Intel Corporation; and David Bodney, partner at Ballard Spahr, LLP, a litigator focusing on media and constitutional law.

I kicked things off by posing the question of the day: “Will the Internet of Things result in a utopian future, or a dystopian future?”

I then asked the audience not to shut off in our back pockets, but to grab their phones, turn them on and make use of them to actively share the information being discussed. My intention? To spark more of the very conversations the seminar was seeking to have.

We were honored to have guest speaker Frank Jones, vice president of the Internet of Things Group and general manager of the Operations and Group Marketing Division at Intel Corporation, share his insight with the group. Mr. Jones provided an overview of the vast scope and rapid progress being made on the IoT. He explained that in today’s world, we create as much electronic data every two days as we did from the dawn of civilization up until 2003.

The IoT will help solve challenges around the globe, he explained, by driving growth and helping to solve critical problems such as illiteracy and water supply. According to Mr. Jones, this movement is already in process and actually began with the introduction of the smartphone.

Intel is committed to making this a positive movement, he said. “The core value and base of IoT will be security,” said Mr. Jones. “Without security as the foundation, nothing is possible.”

In order for IoT to progress, “cooperation across the industry is necessary.” Mr. Jones said companies that are otherwise competitors will have to join forces and create a uniform platform to make way for IoT because this is something that can’t be done alone. With security as the foundation and an established industry-wide standard, adopting IoT to generate global solutions will be a reality.

In his words, IoT is about connecting the unconnected and unleashing data to enable unprecedented transformations. IoT will touch everyone on Earth.

So how much connectivity can we bear to have in our personal life?

As ideal and exciting as IoT seems to be, the panel, the audience and I were all too aware of the dangers and risks associated with this new era of technology.

I asked if the one layer of security that manufacturers build into systems is enough to protect us. Mr. Christensen replied, “No it’s not. One layer at the base is not enough.” He explained that IoT is like turning a house with only one, easily secured window, into a glass house. Massive vulnerability will be created, resulting in a lack of control. Repurposing of information will be an issue, the quality of user consent will be crippled, and jurisdiction creep will become a serious issue. How will security policies/laws change from country to country? These are just a few of various concerns raised by Mr. Christensen.

When asked who would own our personal information in this IoT era, Mr. Bodney said this would depend on the agreement. Very much like today, “If you want to participate, you are consenting.” It is unknown, however, how the law will treat this issue when data is collected without consent and in the gray areas of a person’s reasonable expectation of privacy. The commercial and private use of drones, for example, has raised far more questions than have been answered.

Ms. Royal questioned whether you could own private personal data when each country defines “private personal data” differently. In the U.S., federal rights to privacy are for customers of certain industries (education, health, financial). Other countries, however, ascribe privacy rights on the basis of being an individual, rather than being a consumer. While most agree that health data and financial information are sensitive, nations differ as to the scope. Israel, for example defines personality as sensitive information. Australia includes membership in a professional organization as sensitive, whereas here in the U.S., you can buy a list containing that information. Some countries define arrests as sensitive (not just convictions), whereas the U.S. considers that public information.

So what can be done to protect personal data? Ms. Royal informed the audience that there are companies that specialize in keeping information private. She suggested that consumers read through privacy policies, find “off” switches, and disconnect devices when not in use, install security updates, opt out of Wi-Fi connectivity on devices if it isn’t important to them, and accept the fact that devices collect data or stop using them altogether.

The biggest threat, Mr. Christensen explained, remains organized crime. “Organized crime is still the biggest problem area.” These are the groups that try to get into bank accounts — hacktivists and malicious insiders.

The audience wanted to know if there would be a group to lobby for the protection of privacy as the IoT movement takes off, and if so, what group they should be keeping an eye on. Ms. Royal said there has been a Consumer Privacy Bill of Rights push more than once, but unfortunately, it has never fully materialized.

In response to the question whether we can expect Congress to provide legal protection to children, Mr. Bodney stated that because the pace of technology is so rapid, Congress has a tough time keeping up. By the time Congress gets around to adopting these new laws and policies, said Mr. Bodney, technology will have surpassed any legislation. Regardless, young people have a different sense of privacy than older generations, he added. “They grew up in this environment and are far more comfortable in it.” Ms. Royal added that younger generations are often referred to as “digital natives” and older generations are considered “digital immigrants.”

Mr. Christensen believes manufacturers should cater to the consumers that value privacy. He mentioned consumers must be aware, however, of the risks they take every time they get a hold of new devices. For example, as soon as customers open a new Intel device, the first thing they see when they open the box is a note that informs customers that by turning on the device, they are agreeing to Intel’s terms and conditions, including their privacy policy.

If you value your privacy, Ms. Royal suggests looking for companies that feel the same way. “Maybe one day there will be a list of companies that value privacy.”

As the seminar came to a close, I asked each panel member the same question I had asked earlier. Will the Internet of Things result in a utopian future, or a dystopian future? Each panel member responded with an optimistic, “Utopian,” although some were more “cautiously optimistic” than others.

I urge that not only lawyers, but everyone, pay attention to our personal privacy and what is being done with our personal data.

 

Disclaimer: The views expressed here are solely those of the author in his private capacity and do not in any way represent the views of TheDigitalCounselor.com, any other poster/blogger of this blog or any entity affiliated with blog posters.

Recent Virginia Case Carries Major Implications for Fingerprint Passcodes and Self-Incrimination

This article was originally published in the Spring 2015 issue of the Virginia Bar Association YLC Docket Call.

The ever-evolving technological landscape constantly elicits new and interesting questions of law. Privacy and data security are areas of contention and confusion for many. Why?  Because privacy limits are unclear because the reach of technology outpacing the evolution of the law. As cell phones have advanced, they have become essential to everyday life and are no longer merely phone used to make and receive calls. Cell phones are minicomputers filled with personal, and mostly private, information including calendars, alarm clocks, books, videos and photos. People store everything from grocery lists to banking information in phones. How do the laws that govern phones solely to make and receive calls apply to these new multifaceted devices? Courts and lawmakers are slowly answering that question.

In Reily v. California, the Supreme Court shed some light on privacy limits regarding cell phones.[1] The Court held that the police generally may not, without a warrant, search digital information on a cellphone seized from an individual who has been arrested. The Court characterized cell phones as minicomputers filled with massive amounts of private information, which distinguished them from the traditional items that can be seized from an arrestee’s person, such as a wallet. This ruling is a necessary stride towards deciphering how the Fourth Amendment applies in this digital age but leaves a lot of unanswered questions.

After obtaining a warrant to search a phone how will officers access the contents? Can officers compel the accused to provide one’s passcode or fingerprint? Existing laws do not apply smoothly and presents an interesting question: Is producing one’s passcode or fingerprint to allow access to digital information on a smartphone testimonial communication subject to the Fifth Amendment privilege against self-incrimination?[2] This was the question answered in the Virginia case Commonwealth of Virginia v. Baust.[3]

In Commonwealth of Virginia v. Baust, the defendant David Baust was indicted on charges of assault.[4] The victim alleged that video of the assault was on Baust’s smartphone.[5] The police obtained and executed a search warrant, retrieving (among other items) the smart phone.[6] However, the phone was “locked” and could only be entered using a passcode or fingerprint.[7] The court decided to review each method of entry separately under the Fifth Amendment and arrived at two different conclusions.

The court held that fingerprints and passcodes are different in the eyes of law because of the testimonial nature of providing a passcode, which violates the accused’s right not to incriminate him or herself. The Judge explained that Baust could not be compelled to provide his passcode to access the smartphone, but could be compelled to produce his fingerprint to access the phone.[8] Producing the passcode would require the defendant to divulge knowledge—information from his own mind, placing it in the testimonial realm.[9] However, he concluded that a personal fingerprint does not require any similar knowledge—it is equivalent to a key that fits into a lock.[10]

This legal distinction will have a major impact on smartphone users, especially as providers market the increased security of these alternate access mechanisms. Your fingerprint is advertised as a more secure method for accessing tour phone but presents vulnerability if ever compelled to provide access to your phone. The legal differences may not be clear to users, as the passcode and the fingerprint are functionally equivalent. Should they really be distinguished under the law? Is there a distinction between telling police a passcode and typing in the passcode so that police may gain access to a phone? By typing the code, the individual does not have to provide any knowledge (testimony) directly to the police, although still providing access to data that is potentially criminally incriminating. Is the outcome or the means more important, because although not a verbal testimony providing a fingerprint or writing a passcode may lead to criminally incriminating information?

This decision raises a lot of questions and determining privacy rights in our technology will only get more complex as technology continues to evolve. The court is being charged to assess the functional and technological implications of new technology and create laws with those perspectives in mind. This is a difficult balance. Consistency will also be important to citizens as they seek to protect themselves within the bounds of these laws.

Most immediately, in Virginia, you should protect your phone using a passcode, not your fingerprint.

 

 

[1] 134 S. Ct. 2473, 2477 (2014).

[2] Commonwealth of Virginia v. Baust, No. CR14-1439, at 2 (Va. 2d Cir. Ct. Oct. 28, 2014).

[3] Id. at 1.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id. at 4.

[9] Id. at 5.

[10] Id.

Millions of Gmail Usernames & Passwords Leaked! How do you protect yourself?

This morning Freedom Hacker reported that 5 million gmail usernames and passwords had been dumped on reddit’s netsec section linking to the another website hosting the leaked gmail accounts. They caution against checking if your password is secure because it appears scams are already appearing or Reddit users are getting ready for the scams to come.
According to one security firm the data is old and likely sourced from multiple data breaches. “The security of our users is of paramount importance to us,” a Google representative said Wednesday via email. “We have no evidence that our systems have been compromised, but whenever we become aware that an account has been compromised, we take steps to help our users secure their accounts.”

It is highly recommended you change your email password regardless and turn on a form of two-factor authentication to heighten security and prevent any possible future attacks.

Here are some other tips to protect your accounts and private data:

  • Do no use the same password or variations of the same password for your accounts
  • Change your account passwords frequently.
  • Always check you bank accounts and other financial accounts fro fraudulent charges.
  • Review your credit report for fraud at least annually.
  • Have two-factor authentication whenever possible.
  • The longer the password is, the exponentially more difficult it becomes to crack.
  • To help remember the password, use it immediately. Then log in and out several times the first day.
  • Do not provide your password or other private data when solicited via email or phone, this could be a social engineering attempt. Most reputable companies will not ask for this information via email and financial institutions NEVER do. If they claim there is an issue with your account do not click on the link provided go to the company’s main website and access your account from there.
  • Report attacks and social engineering attempts to the company being impersonated.
  • NEVER give your password to anyone!

Please go and change your gmail password and if you have not changed your other passwords in a while use this as an opportunity to do so!

Stay safe & smart!

 

Internet Law & Security Updates

So much is happening online that it can be hard to keep up. I have compiled some of the most recent events in Social Media, Internet law & Cybersecurity. Know how these changes affect your privacy and other rights. If you have any questions leave them in the comments!

Social Media

Comments on social media considered and Facebook “Likes” enjoy federal protection. On August 25, the National Labor Relations Board found in Three D, LLC, d/b/a Triple Play Sports Bar and Grille v. Sanzone, Case No. 34-CA-012915, and Three D, LLC, d/b/a Triple Play Sports Bar and Grille v. Spinella, Case No. 34-CA-012926, that an employer had violated federal labor law by terminating an employee who had “liked” a former co-worker’s negative comment about the employer posted on Facebook.  The Board also ruled that the employer violated the National Labor Relations Act (the “Act”) by firing another employee for posting an expletive-laced comment about the employer in response to the former co-worker’s comment, and it found that the employer’s “Internet/Blogging” policy banning “inappropriate discussions” regarding the company unlawfully chilled employees’ exercise of their right to engage in protected, concerted activity under the Act.

BYOD

Reimburse employees for wireless service. A recent California ruling that requires companies to reimburse employees for wireless serviceAlthough the case raised more questions than it answered about what level of reimbursement is required, it seems clear that companies will bear a larger portion of the cost of BYOD programs than they had previously borne.

Security 
According to the New York Times, when one adds the compromised records in Target, PF Chang’s, Neiman Marcus, Sally Beauty, Michaels, UPS and others, the number of affected customers amounts to more than one-third of the U.S. population.

Home Depot the latest victim of security breach. Krebs has reported that it appears that two large dumps of purloined credit card numbers have made an appearance on the black market and that those numbers may have originated at Home Depot locations. Krebs’ reporting is here. This latest incident raises yet another round of concerns about the malware known as “Backoff” and the potential widespread effect on retailers. Home Depot has been hit with a class action lawsuit stemming from a suspected data breach at the home improvement retailer 

Using your cellphone’s gps to stay ahead of fraudsters. In a new effort to use technology to foil credit-card fraud, a company called BillGuard is testing a system that would monitor the precise whereabouts of mobile devices to detect possible payment issues. The tech firm is tracking mobile-phone locations in an attempt to stay one step ahead of fraudsters. Because smartphones are almost always near their owners, the technology would register and flag those occasions when a phone is not near the owner’s credit card. The technology would only be used with the consumer’s consent.

Healthcare.gov Server Hacked.The Department of Health and Human Services disclosed on Sept. 4 that malware had been uploaded on the Obamacare test server back in July. HHS officials say the malware was designed to launch a distributed-denial-of-service attack against other websites when activated and not designed to exfiltrate personally identifiable information. No consumer data was exposed in the incident, officials say (see HealthCare.Gov Server Hacked).

Apple plans to add safeguards to help address security vulnerabilities exploited by celebrity-photo hackers. The proposed changes include alerting users – using both e-mails and push notifications to devices – every time someone:

  • Changes an account password;
  • Uses a new device to log into an account;
  • Restores an iCloud backup to a new device.

After receiving a related alert, the user can immediately change their account password, or file a report of a suspected security breach with Apple. The company has yet to detail how exactly it will respond to those reports.

Privacy

Magazines in Michigan cannot share your personal information. The Michigan’s Video Rental Privacy Act limits the ability of companies to disclose information regarding customers’ video rental activities. In a case filed by a consumer who alleged that a magazine company had improperly disclosed her personal information, along with information about the magazines to which she subscribed, the U.S. District Court for the Eastern District of Michigan recently held that the law does in fact apply to magazines. The court noted that the statute is directed to companies “engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings,” and that magazines constitute “other written materials.”

SCOTUS rules that police need a warrant to search cell phones

As we become more reliant on our devices, they collect more data on us, much of which is extremely private. Access to this data has been a point of contention for some time. The Supreme Court’s decision to hear Riley v. California presented an opportunity to draw clear boundary for police in the area of personal privacy.   Privacy groups have been advocating for requirements on how and when cell phone data can be accessed and used by the government since that decision. On June 25, 2014,the Supreme Court announced a win for personal privacy by deciding that a warrantless search of a suspect’s cellphone data incident to arrest is unconstitutional.

Case Highlights

  • “Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’”
  • The Court observed that modern phones are mini-computers that perform multiple functions and hold immense amount of personal data, and were themselves inconceivable when the Court had originally permitted police to search individuals incident to arrest.
  • The Court acknowledged that searching a cell phone can potentially expose more information to the government than a search of an individual’s house, given the amount of data typical phones can store. The fact “that technology now allows an individual to carry such information in his hand does not make the information any less worthy of . . . protection.”
  • The Court makes clear that “Privacy comes at a cost,” and that the warrant requirement is “an important working part of our machinery of government” that must be respected.
  • The Exception: Although the Court dismissed all of the arguments that were presented for justification of a warrantless search they did say that in “exigent” circumstances like prevention of a terrorist plot or finding a missing child, that police are able to proceed without a warrant. However, after such a warrantless seizure, a court would still have to “examine whether an emergency justified a warrantless search in each particular case.”

Bottom line

From now on, your phone should not be searched just because you have been arrested. Officers must have a warrant to search your phone, aside from a narrow exception.

What’s Next

This case will play a major role in the already contentious debate surrounding personal privacy. It will be interesting to hear how this changes the application of Fourth Amendment protections to searches and seizures of all computers.

Internet Updates June 2014

There is so much going on in the Internet space that I have compiled some of the most interesting happenings of June. They all link to more info. Please read, enjoy and let me know if you want me to expand on anything!

Are threats made on social media protected free speech, or potentially criminal actsThe U.S. Supreme Court has agreed to examine the constitutionality of a federal law making it a crime to transmit communications containing “any threat to injure the person of another.” In this case, the “threats” were in a series of Facebook postings.

Be careful what you post on Facebook, you might get a ticket for it… A woman in a Chicago suburb received a $50 ticket in the mail alleging that she had used a dog park without a permit. The ticket was based entirely on a Facebook posting that the woman had made, and the police immediately rescinded it, saying  that they do not monitor social media in search of potential lawbreakers.

It might be a crime to friend your boss if you live in Arkansas! Arkansas legislators are considering changing a 2013 law after Facebook informs them that the law may have inadvertently made it a crime for a boss and an employee to become Facebook friends.

Snapchat may have competition. According to the Los Angeles Times, Facebook prematurely released, then withdrew, a new mobile app called Slingshot that is intended to compete with Snapchat and permit users to send each other photo and video messages.

Is Twitter in trouble? Twitter’s leadership was thrown into disarray on June 12 after Ali Rowghani resigned suddenly as the company’s chief operating officer amid a dispute with Chief Executive Dick Costolo. Twitter’s stock has fallen about 42 percent this year as concerns have arisen that the company is not signing up enough new users.

Should you make social media rules for your marriage? More and more couples are sitting down with their lawyers before marriage to discuss a social media clause in their prenuptial agreement – covering what they can and cannot say or post about each other. These agreements appear to be enforceable in court if they are specific enough.

The CIA is on Twitter! The CIA has entered the realm of social media, setting up a Twitter presence and a Facebook account. There one can find, among other things, reflections on intelligence history and fun facts from the CIA World Factbook.

Can’t ask for personal social media account logins in Louisiana! 
On May 23, Louisiana became the latest state to enact a law prohibiting employers and public and private educational institutions from requiring applicants, employees, and students to provide access to their personal online accounts.

Every company would be well advised scrutinize their marketing practices on an ongoing basis to ensure that they do not inadvertently expose the company to risks under the Lanham Act. Two US Supreme Court cases decided this term could result in a substantial increase in the number of Lanham Act claims brought under that statute alleging “unfair competition” resulting from product labeling and marketing practices that are alleged to be false or misleading.

  • Lexmark International, Inc. v. Static Control Components, Inc., No. 12-873, slip op. (March 25, 2014), in which the Supreme Court broadly construed the Lanham Act to permit lawsuits by all companies alleging injuries that were proximately caused by false or misleading advertising or promotion, even if the plaintiff was not a direct competitor of the defendant and suffered only “collateral damage.”
  • Pom Wonderful LLC v. Coca-Cola Co., No. 12–761, slip op.  (June 12, 2014), the Court’s second Lanham Act case of the term,  in which it eliminated a potential safe harbor from Lanham Act claims for companies in regulated industries who complied fully with applicable regulations regarding the labeling and marketing of their products.

Interested in being social anonymously? It is harder than you think… Recently a variety of “private” media platforms have emerged. For years, social media platforms have facilitated (or even, in many cases, required) us to use our real identities, with the aim of building friendships and networks in the online world. But these new social media apps (such as “Secret,” “Whisper,” “Yik Yak”) are designed specifically to enable users to share posts anonymously.

“Anonymous” doesn’t necessarily mean anonymous. Even if users are not required to provide any form of contact details to use an anonymous app, the app is very likely to collect certain information that will help identify the user (e.g., the unique digital ID of the user’s phone, location information, etc.). Therefore, it could be be fairly easy to trace a user if required (e.g., by subpoena/court order). Indeed Secret’s Terms of Service state, “We may share information about you … in response to a request for information if we believe disclosure is in accordance with any applicable law, regulation or legal process, or as otherwise required by any applicable law, regulation or legal process.”

For more updates visit: http://www.sociallyawareblog.com

Will Congress Limit NSA Data Collection?

Do you know when and how the government can access your telephone records? Do you care? Do you worry about your personal privacy? Well, there is major legislation on the horizon that will affect how and when your data is collected and retained.

Image courtesy of cuteomatic.com
Image courtesy of cuteomatic.com

On May 22, 2014, the United States House of Representatives passed bill H.R. 3361, the USA Freedom Act, aimed at limiting the federal government’s ability to collect bulk phone records and also increasing transparency. This bill, supported by the President, received bipartisan support. It restricts the data collected from communications companies by the NSA and other intelligence agencies. One of the goals is to minimize the retention and dissemination of non-public data. The House’s approach to data retention is to have telecoms store the data, to be made available to the government, by request. The bill has no mandated retention period. Finally, the bill also extends certain provisions of the USA Patriot Act, scheduled to expire in 2015.

What will the Senate do? It has been almost a month since they’ve received the bill and it has not yet passed.  Senate Intelligence Committee chair Dianne Feinstein (D-Calif.) said that she wanted to find a way to get the USA Freedom Act (H.R. 3361) passed, though she would prefer that the government, rather than telecom companies, retain the responsibility for storing and analyzing data.

The European Court of Justice recently determined that their data retention law, which is similar to the House’s bill, violates the fundamental rights of citizens. How should this determination play into the U.S.’s data retention law? If its a violation of the fundamental rights–namely privacy–for European citizens, does it violate the fundamental rights of US citizens? How do you want any data collected by your telecom company stored and accessed?  The expiration of portions of the US Patriot Act, as well as the call for data retention, and surveillance reform in the wake of the Snowden leaks raise a lot of questions. Now is the time for the US government to pass legislation that both protects the privacy of citizens and aids in protecting national security.

Get involved in this debate!

For more information about this issue and how the European Court of Justice’s decision factor’s in the debate, read the article I published,  “Does Personal Privacy Matter? Developments in EU and US Data Retention Law” in the American Bar Association’s Information Security & Privacy News.

Make Sure to Change Your Privacy Settings on Facebook…Again!

Tired of changing your privacy settings on Facebook? Well… Sorry!  You need to do it again…  If you do not want Facebook to track your browsing both on and off their site and track the apps you use, change your settings!

argyllfreepress.com
argyllfreepress.com
Today, Facebook announced that it would begin targeting advertisements to users based on the websites they visit and apps that they use. In a blog post, the company explained that users can opt out of the web browser-based tracking through an online ad industry program and can also opt out of the app-based tracking through their smartphones’ privacy controls.

If you have to see ads while using Facebook, they might as well cater to your specific needs and likes, right? It’s seemingly harmless and most people do not have anything to hide. However, this kind of customization is a double edge sword. On one side you have the benefit of a tailored experience while on the other hand your private searching is being consumed by entities like Facebook. A more specific and more troubling concern is that children as young as 13 will be monitored… Are your teens thinking about the ramifications of having Facebook watch their every movement? Congress is promising to monitor the implications of this new advertising system and so should you. Your privacy and the privacy of your family is important! 

Privacy is the price of convenience. Decide which one matters to you most.