Archive for the ‘Privacy’ Category

Selfies are Not Security

Posted by | Privacy, Security | July 13, 2015

It’s so hard to reach the kids these days, what with their internets and their Facepages. But Mastercard is going to try anyway. After all, what product is better for the young ones than unmanageable credit. Now they want to make “selfies” the new way to verify your identity using facial recognition verification software. It’s the perfect blend of pop culture meets privacy creepiness.

To make it better, the technology is not secure. Previous attempts at this software were breached when users drew animated eyes on photographs to overcome the “blink” commands. So why would they do this?

According to their security expert, “The new generation, which is into selfies… I think they’ll find it cool.”

To quote the kids these days, “I can’t even…”

BBC – Mastercard testing facial recognition security app

Read More

Terms and Conditions Are Not Enough

Posted by | Privacy, Terms and Conditions | August 20, 2014

Disclaimer: Obviously, this blog does not provide legal advice. How do you know? This is free. Legal advice you have to pay for.

Enforceability Requires Reasonable Notice

The Ninth Circuit Court of Appeals

Simply posting terms and conditions on your website is not enough, even if you provide a link on every page. That’s the take away from the Ninth Circuit’s opinion on Monday in the case of Nguyen v. Barnes & Noble. Essentially, the court said that “close enough” was not enough when it comes to agreeing to terms and conditions. The case arose when Nguyen filed suit over a purchase dispute. Barnes & Noble responded by claiming that Nguyen was bound by the site’s terms and conditions, which had a choice of law provision and an arbitration clause. Nguyen never read the terms, and claimed not to be bound.

Judge Noonan wrote the opinion, which stated, “the proximity or conspicuousness of the hyperlink alone is not enough to give rise to constructive notice.” She distinguished this case which included a “browsewrap” agreement with those upholding “click-wrap agreements.” It is also a distinction between what we call actual knowledge verses constructive knowledge. Constructive knowledge is where a person is legally assumed to know something, even if they don’t actually know it. It arises when the information is presented in such a way that the user should have known it. Actual knowledge is exactly what it sounds like.

Click-wrap agreements require the user to actually affirm that they have read the terms and conditions, even if they haven’t. This is usually done by presenting a link to the terms, or the terms themselves, along with a checkbox stating that the user has read them. If they click the box then the courts will generally uphold those terms as a binding contract. Essentially, the court will say that the user has constructive knowledge of the terms and has consented to be bound.

A click-wrap agreement.

Browsewrap agreements, on the other hand, claim that merely using the website is agreement to the terms, even if the user has not read them or even visited the terms and conditions page. The courts have been very reluctant to uphold these. However, they will be upheld if there is evidence that the user did have actual knowledge of the terms, by reading them or being presented with them.

Ultimately, the Ninth Circuit held that Nguyen was not bound by the terms and conditions of the Barnes & Noble website. The takeaway for online businesses is that terms and conditions need to be obvious and provide “reasonable notice.” Remember, your terms and conditions are your most important legal document, since they control most of your interactions with your customer. Bad terms lead to bad business.

Here are some best practices:

  • Make sure your terms and conditions are easy to read so that anyone (not just lawyers) can understand them.
  • Make sure that your terms and conditions actually reflect how you want to interact with your customers. Too often, companies don’t understand their own terms (especially when they are copied from the internet), and are surprised to learn of weird provisions after the fact.
  • Include a link to your terms and conditions and privacy policy at the footer of every page on your site.
  • Use click-wrap agreements any time the user is providing personally identifiable information or making a purchase. These are easy to make, and there are many pre-made widgets that can be plugged into your website.


Read the Case – Nguyen v. Barnes & Noble


Read More

SCOTUS Finds Expectation of Privacy in Cell Phones

Posted by | Legal Analysis, Privacy | June 27, 2014

Warrant Required to Search Cell Phone Data

The Supreme Court has determined that police need a warrant in order to search a cell phone under the Fourth Amendment. The question in Riley v. California was whether the data within a cell phone is subject to a search incident to arrest. Basically, when police arrest someone, they are allowed to do a complete search of that person. Now, with the new court ruling, the police can no longer access the cell phone’s data during that search without a warrant.

Search Incident to Arrest

The search incident to arrest rule came about in a 1973 case called United States v. Robinson which held that police can do a warrantless search of a person when they are arrested. In coming to this rule, the Court balanced the police interest with the individual’s right to privacy. For the police, the Court decided that police concerns about risks to officers and destruction of evidence were present in all arrests, and were very important interests. On the other hand, individuals have very little expectation of privacy when they are arrested. So lots of government interest, very little privacy interest.

A Modern Rebalancing

Fast forward 40 years and now we have smart phones. These things carry insane amounts of very personal data, from bank accounts to geotracking. The Court in 1973 never could have imagined such a world. In fact, the world’s supercomputer at that time held only 200mb of data ( Compare that to a 32gb cell phone. So the Court in 2014 looked at the same balancing of interests that they did in 1973, but applied it just to cell phone data. When it comes to cell phone data, the risks of harm to the police or destruction of evidence are very little (are you going to Tweet them to death?). However, the individual’s expectation of privacy is huge. So the balance shifts to little government interest verses large privacy interests.

riley v california

Of course, police can still seize your cell phone when you’re arrested; they just can’t start poking around to check your email or anything without getting a warrant first. The Supreme Court basically distinguished between physical objects, and digital data. The balance of interests is very different between the two, so they need a different result under the Fourth Amendment.

Decision Will Have a Wider Impact on Digital Data Privacy

This was the correct decision, and one that should have been made decades ago when computers became standard. In fact, while this case is limited to cell phone data, it may expand very soon. Chief Justice Roberts, who wrote the Court’s opinion, called cell phones “mini-computers.” If privacy interests exist in cell phones, why not exist in other computers and data storage devices? The lower courts have been struggling with this question, and the Court may have answered it for them.

From a practical perspective, police will probably get warrants for cell phone data very easily if it’s relevant to the case. It’s just a bit more paperwork.

NY Times – Major Ruling Shields Privacy of Cellphones

Read More

The Law for Affiliate Marketing: Privacy Policies

Posted by | Affiliate Marketing, Privacy | June 24, 2014

Disclaimer: Obviously, this blog does not provide legal advice. How do you know? This is free. Legal advice you have to pay for.

Our overview of affiliate marketing rules now moves into privacy policy requirements. Online privacy is always in the news, and the balance between users’ privacy and your companies need for information is always going to be tricky. A site’s privacy policy explains to your users what information is being collected, and how it’s being used. This way, users can make an informed decision about working with you.

Do You Need a Privacy Policy?

Privacy policies are not legally required by the federal government. However, some states do require them. California requires privacy policies where the site collects information from any California resident. That’s right – resident. It doesn’t matter where you are. Unless your business in no way attracts users in California (or any of the other privacy policy states), you should put together a privacy policy.

Beyond the legal requirement, they’re a good idea anyway. At this point, users expect them. They’ll never read the damn thing, but it’s comforting to know it’s there. Sites without a privacy policy seem less legitimate. Some business will not even work with companies that don’t display privacy policies.

Finally, it’s just plain fair to your users. Remember, they’re the ones you’re trying to persuade. Ultimately, it’s their information and it shouldn’t seem like you’re sneaking it away from them. Let them make their own decisions. Respect your customers, and they will respect you.

Following Your Privacy Policy

I say this so often it seems like a mantra – Follow your privacy policy. While there is no federal law requiring a privacy policy, the FTC does require those with a policy to comply with it. And they love to enforce this one, even when the site didn’t put any thought into making it. They consider it a “deceptive” practice to post a privacy policy, but not follow it. If you remember the discussion about using disclosures to avoid deception, then you’ll know that you can’t tell customers one thing, and then do another.

Snapchat recently got caught up by the FTC for failing to comply with its privacy policy. The policy stated that users’ information would be deleted, which was the whole purpose of the app. However, there were so many ways to save the information and get around the deletions, that it was completely ineffective. Snapchat had to change their policy (notice they didn’t fix the app) to say that nothing would be deleted. Similarly, the FTC filed a complaint against Google because it was using information without permission to build the now defunct Google Buzz.

Once you put that policy out there, you need to know what it says and ensure that it matches your actual practice. Don’t just copy and paste something you found on another site, since lazy drafting is not a defense.

Don’t Forget the Little Children

The law is particularly strict when it comes to kids’ information. While a privacy policy isn’t required by federal law normally, it is if your site collects information on children. Under COPPA, sites cannot collect information from users under 13 without the guardian’s consent. This includes cookies.

This is a particularly tricky area, since it’s not always easy to know when users are under 13, and COPPA compliance brings in a whole array of requirements. The important thing to remember is that you are responsible for third parties. This means that even if you do not collect any information from kids, if one of your third party plug-ins or apps does, then you must comply with COPPA (they need to as well). It also means that you are responsible for your affiliates, so make sure they understand COPPA and won’t violate it.

What Goes Into a Privacy Policy

The general rule is to simply make clear what information you are collecting, and how it’s being used. Let them know if you’re selling it to third parties, or keeping it safe for them. Here are a few things to make sure you include:

  • What information is being collected;
  • What steps you are taking to make sure personal information (name, address, phone number, etc) is secure;
  • Whether you will share the information with anyone outside your, whether you sell it or not;
  • Let them know how they can opt out of communications, or modify/delete their information;
  • Unless you prohibit kids from visiting your site, include COPPA information like how a parent can delete their kids’ info;
  • Tell them how you will notify them when the policy changes (because you need to update your policy as you upgrade your business); and
  • The effective date of the policy (when it begins).

Depending on your practices, there may be specific clauses to add. For example, if you’re using Google Adwords remarketing, then they have specific language they want you to include in your privacy policy. You may also need language if you’re using analytics, Facebook integration, or other info sharing systems.

Do It Already!

A privacy policy is usually the last thing put on a site or app, and too often ignored. But it can have significant consequences. If you don’t want to mess with it, hand it off to an attorney. You’ve got enough to do already. If you do it yourself, make sure it matches your actual practices. Make notes of what your site or your affiliates are collecting, what kind of data security you have in place, and what you plan to do with all that information. Write it down. Now it’s 90% done. Put it through a privacy policy generator, like this or this. Then show that to your attorney to make sure it’s got everything you need. Finally, put a link on every page of your site or app so it’s easy to find. Common practice is to put it in the footer – you users will look for it there.

Read More

Canada’s Right to Online Anonymity

Posted by | News, Privacy | June 16, 2014

Following EU’s Right to be Forgotten, Canada Goes Anonymous

Last month we all watched the EU recognize the right to be forgotten online. The case told search engines that upon request, some links should be deleted (though not the original content). Of course, it was immediately abused, but the right remains.

Now our neighbors to the North have recognized the right to online anonymity. Essentially, it is a recognition that law enforcement needs a warrant to search online information. Unlike the US, where online information is generally not protected by the Fourth Amendment because it goes through a third party (your ISP), Canada is now saying that they will recognize the expectation of privacy in online activities.

Of course, law enforcement is upset, but it raises an interesting question. At what point does the expectation of privacy become more important than the actuality of privacy? Even here in the US, we have a split between the 5th and 11th Circuits about whether your location is private information, since your cell phone transmits it everywhere you go. Clearly, there is no actual privacy since data is constantly being sent to cell towers, but don’t we kind of expect it anyway?

Wall Street Journal – Canadians Have a Right to Online Anonymity, Nation’s Top Court Rules

Read More

Snapchat Dinged by FTC

Posted by | Privacy | May 09, 2014

Failure to Enforce Promised Privacy Leads to FTC Enforcement of Snapchat

Snapchat is all about privacy. The whole purpose of the program is to completely delete the message or picture sent. It’s the very basis of the app and is what led to its incredible popularity. But today, in a deal with the FTC, Snapchat’s inability to actually provide any privacy was exposed. It turns out that it’s really, really difficult to delete something on the internet. So much so, that Snapchat was not actually doing it despite advertising that messages would be deleted forever. In addition, it seems that they had been ignoring data security problems, despite repeated warnings, leading up to a hacker breach in December which exposed user’s names and phone numbers.

In a blog post, Snapchat commented that it had been focusing too much on growth, but was learning from its mistakes. “Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description and in-app just-in-time notifications.” The important thing to note is that they updated the privacy policy and legal descriptions, not the app. In other words, they nuanced their promises about privacy, but did not actually fix the technical issues surrounding the app’s inability to fully delete messages.

While it’s unclear whether this will hurt Snapchat, it seems unlikely. There have been easy work-arounds to Snapchat posted all over the internet. It’s common knowledge among its users. Yet that has not prevented significant investment in the company or last year’s offer by Facebook to purchase the company for about $3 billion. Snapchat turned that offer down, believing they could make more.

The lesson here goes back to privacy policies. As the FTC stated, “If you make promises about privacy, you must honor those promises or otherwise risk FTC enforcement.” So review your privacy policies and compare them to your data protection procedures. If they do not match, then one or the other needs to change.

Wall Street Journal – Snapchat Settles FTC Charges

Read More

Why Following Your Own Privacy Policy is Vital

Posted by | Privacy | April 16, 2014

FTC Enforces Privacy Policies

Companies that claim to protect their customers’ information in their privacy policy actually have to follow up and do it. The FTC got mobile app companies Fandango and Credit Karma to sign consent decrees in order to settle charges against them for failing to protect their customers’ information.

The main charge against the companies was that they disabled SSL encryption of customers’ communications, leaving them vulnerable to hackers, despite telling customers that they used encryption. SSL is one of the strongest protections for customer data, and is widely available. Notwithstanding the Heartbleed exploit (which affects OpenSSL software), it’s still the most used encryption system out there.

“Consumers are increasingly using mobile apps for sensitive transactions,” said FTC Chair Ramirez.  “Yet research suggests that many companies, like Fandango and Credit Karma, have failed to properly implement SSL encryption. Our cases against Fandango and Credit Karma should remind app developers of the need to make data security central to how they design their apps.”

There are some resources available from the FTC to help developers keep secure. Importantly, all companies should check your privacy policies and see what you have promised. Remember, if you don’t follow the terms of your privacy policy, you may open the door to liability.


Cyber Report – FTC Announces Mobile App Security Consent Decrees

Read More

Judge Rules NSA’s Cell Phone Program Unconstitutional

Posted by | NSA, Privacy, Security | December 19, 2013

I would be remiss not to comment on the recent court ruling holding the NSA phone program unconstitutional. U.S. District Judge Richard Leon held that the Fourth Amendment’s right to privacy outweighs the government’s interests in gathering and analyzing  cell phone information (see the full opinion here). This was the first judicial opinion since the release of the NSA’s secret documents by Edward Snowden.

Central to the issue was the way the NSA bulk collected everyone’s information without a warrant. Judge Leone described it as an “arbitrary invasion” that targeted “virtually every citizen.” The Government had proffered a 1979 case, Smith v. Maryland, 442 U.S. 735 (1979). The Supreme Court in Maryland had held that dialing a number was no different than calling an operating and asking to be connected. In doing so, the caller loses the expectation of privacy, so police did not need a warrant to get “pen register” data from phone companies. The Government had tried to argue that metadata collected in bulk followed the same logic.

Judge Leone distinguished Maryland by pointing out that the case only dealt with a short period of time for calls targeting a suspect in a robbery. The NSA program, instead deals with an untold number of citizens not suspected of anything over an indefinite period. Further, he noted that use of phones and the technology (and private information) involved had increased dramatically since 1979 so such standards could no longer control.

Judge Leon’s arguments make sense. Relying on the analogy of old technology is clearly flawed, though the difficulty in making those distinctions is also apparent. The emergence of cell phones as multi-purpose devices further muddies the issue. There is disturbingly little precedent dealing with cell phone data to date.

I also noticed that almost every article discussing this case pointed out that Judge Leon was appointed by President George W. Bush (eg. This is something that happens almost every time a federal case or judge is discussed in the media. It is as if a judge’s decisions can only be viewed through the lens of the judge’s obvious partisanship. It is a disturbing sign that partisan politics is so widely assumed in judicial decision making as to make such appointment a necessary part of the story.

Back to the case – Judge Leon granted the plaintiffs’ injunction, but stayed the order pending the Government’s inevitable appeal. This will be an interesting case to follow as it makes its way to the Supreme Court. It will certainly be a major test of the post-9/11 laws that granted the government many unbridled powers to combat terrorism and crime.

Read More