Accepting Guest Blog Posts

I have accepted a position that will not allow me to write in 2016. However, I want to continue to provide information on cyber, intellectual property (IP), social media, security, privacy, and technology law and policy to you all. So… I am accepting submissions from guest bloggers!

Please send me your best cyber, IP and tech law and policy posts. Many of this blog’s followers are entrepreneurs, technophiles, tech novices, bloggers, social media users and those intrigued by tech, so please cater your posts to that audience. Please send posts to thedigitalcounselor@gmail.com. I will notify you if your post is selected.

Thank you for your submission, in advance, and more importantly, THANK YOU FOR READING!

I hope the readers find previous posts and any information others are able to provide in my absence helpful! And I look forward to returning in 2017!!

Internet Law & Security Updates

So much is happening online that it can be hard to keep up. I have compiled some of the most recent events in Social Media, Internet law & Cybersecurity. Know how these changes affect your privacy and other rights. If you have any questions leave them in the comments!

Social Media

Comments on social media and Facebook “Likes” enjoy federal protection. On August 25, the National Labor Relations Board found in Three D, LLC, d/b/a Triple Play Sports Bar and Grille v. Sanzone, Case No. 34-CA-012915, and Three D, LLC, d/b/a Triple Play Sports Bar and Grille v. Spinella, Case No. 34-CA-012926, that an employer had violated federal labor law by terminating an employee who had “liked” a former co-worker’s negative comment about the employer posted on Facebook. The Board also ruled that the employer violated the National Labor Relations Act (the “Act”) by firing another employee for posting an expletive-laced comment about the employer in response to the former co-worker’s comment, and it found that the employer’s “Internet/Blogging” policy banning “inappropriate discussions” regarding the company unlawfully chilled employees’ exercise of their right to engage in protected, concerted activity under the Act.

BYOD

Reimburse employees for wireless service. A recent California ruling requires companies to reimburse employees for wireless service. Although the case raised more questions than it answered about what level of reimbursement is required, it seems clear that companies will bear a larger portion of the cost of BYOD programs than they had previously borne.

Security

According to the New York Times, when one adds the compromised records in Target, PF Chang’s, Neiman Marcus, Sally Beauty, Michaels, UPS and others, the number of affected customers amounts to more than one-third of the U.S. population.

Home Depot the latest victim of a security breach. Krebs has reported that it appears that two large dumps of purloined credit card numbers have made an appearance on the black market and that those numbers may have originated at Home Depot locations. Krebs’ reporting is here. This latest incident raises yet another round of concerns about the malware known as “Backoff” and its potential widespread effect on retailers. Home Depot has been hit with a class action lawsuit stemming from the suspected data breach at the home improvement retailer.

Using your cellphone’s GPS to stay ahead of fraudsters. In a new effort to use technology to foil credit-card fraud, a company called BillGuard is testing a system that would monitor the precise whereabouts of mobile devices to detect possible payment issues. The tech firm is tracking mobile-phone locations in an attempt to stay one step ahead of fraudsters. Because smartphones are almost always near their owners, the technology would register and flag those occasions when a phone is not near the owner’s credit card. The technology would only be used with the consumer’s consent.

Healthcare.gov Server Hacked. The Department of Health and Human Services disclosed on Sept. 4 that malware had been uploaded on the Obamacare test server back in July. HHS officials say the malware was designed to launch a distributed-denial-of-service attack against other websites when activated and not designed to exfiltrate personally identifiable information. No consumer data was exposed in the incident, officials say (see HealthCare.Gov Server Hacked).

Apple plans to add safeguards to help address security vulnerabilities exploited by celebrity-photo hackers. The proposed changes include alerting users – using both e-mails and push notifications to devices – every time someone:

  • Changes an account password;
  • Uses a new device to log into an account;
  • Restores an iCloud backup to a new device.

After receiving a related alert, the user can immediately change their account password, or file a report of a suspected security breach with Apple. The company has yet to detail how exactly it will respond to those reports.

Privacy

Magazines in Michigan cannot share your personal information. Michigan’s Video Rental Privacy Act limits the ability of companies to disclose information regarding customers’ video rental activities. In a case filed by a consumer who alleged that a magazine company had improperly disclosed her personal information, along with information about the magazines to which she subscribed, the U.S. District Court for the Eastern District of Michigan recently held that the law does in fact apply to magazines. The court noted that the statute is directed to companies “engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings,” and that magazines constitute “other written materials.”

Will Congress Limit NSA Data Collection?

Do you know when and how the government can access your telephone records? Do you care? Do you worry about your personal privacy? Well, there is major legislation on the horizon that will affect how and when your data is collected and retained.

Image courtesy of cuteomatic.com

On May 22, 2014, the United States House of Representatives passed bill H.R. 3361, the USA Freedom Act, aimed at limiting the federal government’s ability to collect bulk phone records and also increasing transparency. This bill, supported by the President, received bipartisan support. It restricts the data collected from communications companies by the NSA and other intelligence agencies. One of the goals is to minimize the retention and dissemination of non-public data. The House’s approach to data retention is to have telecoms store the data, to be made available to the government, by request. The bill has no mandated retention period. Finally, the bill also extends certain provisions of the USA Patriot Act, scheduled to expire in 2015.

What will the Senate do? It has been almost a month since they received the bill and it has not yet passed. Senate Intelligence Committee chair Dianne Feinstein (D-Calif.) said that she wanted to find a way to get the USA Freedom Act (H.R. 3361) passed, though she would prefer that the government, rather than telecom companies, retain the responsibility for storing and analyzing data.

The European Court of Justice recently determined that the EU data retention law, which is similar to the House’s bill, violates the fundamental rights of citizens. How should this determination play into the U.S.’s data retention law? If it is a violation of fundamental rights, namely privacy, for European citizens, does it violate the fundamental rights of US citizens? How do you want any data collected by your telecom company stored and accessed? The expiration of portions of the US Patriot Act, as well as the call for data retention and surveillance reform in the wake of the Snowden leaks, raise a lot of questions. Now is the time for the US government to pass legislation that both protects the privacy of citizens and aids in protecting national security.

Get involved in this debate!

For more information about this issue and how the European Court of Justice’s decision factors into the debate, read the article I published, “Does Personal Privacy Matter? Developments in EU and US Data Retention Law,” in the American Bar Association’s Information Security & Privacy News.

Make Sure to Change Your Privacy Settings on Facebook…Again!

Tired of changing your privacy settings on Facebook? Well… Sorry! You need to do it again… If you do not want Facebook to track your browsing both on and off their site and track the apps you use, change your settings!

argyllfreepress.com
Today, Facebook announced that it would begin targeting advertisements to users based on the websites they visit and apps that they use. In a blog post, the company explained that users can opt out of the web browser-based tracking through an online ad industry program and can also opt out of the app-based tracking through their smartphones’ privacy controls.

If you have to see ads while using Facebook, they might as well cater to your specific needs and likes, right? It’s seemingly harmless and most people do not have anything to hide. However, this kind of customization is a double-edged sword. On one side you have the benefit of a tailored experience, while on the other hand your private searching is being consumed by entities like Facebook. A more specific and more troubling concern is that children as young as 13 will be monitored… Are your teens thinking about the ramifications of having Facebook watch their every movement? Congress is promising to monitor the implications of this new advertising system and so should you. Your privacy and the privacy of your family are important!

Privacy is the price of convenience. Decide which one matters to you most.

How Much of Your Data can Apple Hand to Law Enforcement?

We are all aware (or at least we should be) that our telecom providers are handing over our data to the police when necessary. Well, have you ever wondered just how much and what it takes to get that data? Apple posted new guidelines describing what data the company can provide to law enforcement and the processes for requesting that data.

The document breaks it down into two basic types of data: information stored on Apple’s servers and information stored locally on iOS devices. I have outlined the kinds of data and how they can be obtained in a chart below.

Essentially anything you’ve backed up to or stored on iCloud is available for Apple to provide to law enforcement, including connection logs and IP addresses you’ve used. Additionally, a lot of the data associated with your Apple ID is available as well. Therefore, any information you’re providing Apple is available for them to pass along. This is something to consider when deciding if or what to back up on iCloud. You may want to avoid backing up sensitive company data or private information on iCloud. Some information cannot be avoided, such as anything associated with your Apple ID.

Can they access data on my iOS device???

Yes. Apple can bypass security passcodes on our iOS devices to extract “certain categories of active data,” though it apparently cannot bypass that protection entirely. If provided with a valid search warrant, Apple can hand over SMS messages, pictures and videos, contacts, audio recordings, and your phone’s call history, but it can’t access e-mails, calendar entries, or information from third-party applications. Devices must be running iOS 4 or newer, must be “in good working order,” and must be provided directly to Apple’s headquarters along with an external storage drive twice the size of the iOS device’s internal storage.

Will I know if this is happening?

Maybe. The guidelines state that Apple will “notify its customers when their personal information is being sought in response to legal process except where providing notice is prohibited by the legal process itself.” Apple will also avoid notifying users if the company “believes that providing notice could create a risk of injury or death to an identifiable individual or group of individuals or in situations where the case relates to child endangerment,” though this is entirely up to Apple and not to the law enforcement agencies involved. These notification requirements will help prevent random and unfounded searches.

What is missing?

The policies and capabilities surrounding iCloud Keychain, iMessage and FaceTime calls are unclear and disputed. Apple claims iMessage and FaceTime are encrypted, but there is some speculation otherwise.

Is this unusual?

No, other tech companies have similar policies. For example, Google provides a similar “Transparency Report” outlining the types of data available to law enforcement. The notification policy is new, and several other tech giants, including Facebook and Microsoft, have already indicated that they plan to expand their policies on notifying customers whose data has been requested by law enforcement.


Where the data is, the type of data, the means to obtain it, and the restrictions that apply:

Information stored on Apple servers

  • Data associated with your Apple ID (obtainable with a subpoena or greater legal process):
    – contact information
    – customer service records
    – transaction history, both in store and online
    – iTunes gift card information
  • Data associated with your iCloud account (restriction: any iCloud information that the user deletes cannot be accessed):
    – connection logs and IP addresses used
    – 60 days of iCloud mail logs that “include records of incoming and outgoing communications such as time, date, sender e-mail addresses, and recipient e-mail addresses” (e-mail logs require a court order or search warrant)
    – any e-mail messages that the user has not deleted (requires a search warrant)
    – any other information that can be backed up to iCloud; as of this writing, this list includes contacts, calendars, browser bookmarks, Photo Stream photos, anything that uses the “documents and data” feature (which can include not just word processors but also photo and video apps, games, and data from other applications), and full device backups

Information stored locally on iOS devices

  • Data Apple can extract from the device (requires a search warrant; devices must be running iOS 4 or newer, must be “in good working order,” and must be provided directly to Apple’s headquarters along with an external storage drive twice the size of the iOS device’s internal storage; Apple cannot access e-mails, calendar entries, or information from third-party applications):
    – SMS messages
    – pictures and videos
    – contacts
    – audio recordings
    – phone’s call history

Do Not Track Me… But Cater to Me

We have all become accustomed to having our technology cater to most of our needs in a very personal way. However, we all desire to retain a certain amount of privacy. For example, our cellphones track our every move and click while we occasionally make calls, and yet we would be lost without the maps and the ability to request anything from “Siri.” Our cable boxes may bring our favorite shows and movies, but they also report back to providers all of our family’s television viewing habits. We all appreciate the convenience that customization provides; however, that convenience means a loss of privacy…

Why Are We Worried?
The latest buzzword is the Internet of Things (IoT). What is that? “The Internet of Things” refers to the concept that the Internet is no longer just a global network for people to communicate with one another using computers, but is also a platform for devices to communicate electronically with the world around them. The result is a global “network of physical objects that contain embedded technology to communicate or interact with people, things, and the external environment. It includes everything from traffic sensors to refrigerators, thermostats, medical devices, and wristwatches that can track or sense the environment and use the data they collect to provide a benefit, or transmit the data to a central repository for analysis, or both.”

This network of objects enables providers of goods and services to use your personal behavior to profile and evaluate your activities and habits. The Internet of Things will result in increased data collection, amplifying the importance of simplifying choices and giving control to individuals with real-time notices. Transparency will facilitate consumer understanding of the collection, use and sharing of personal data. However, there is a real danger of data being used in unexpected ways. The Internet of Things has created a potential perfect storm of four major information policy concerns: online safety, privacy, security, and intellectual property issues. The goal is to determine what “reasonable” expectations regarding data usage should be, and then manage consumer expectations accordingly. Measures ensuring the network’s resilience to attacks, data authentication, access control and client privacy need to be established. An ideal framework would consider the underlying technology and involve collaboration on an international scale.

The need to balance reasonable activity on the Internet and use of The Internet of Things with responsible privacy protections is exponentially increasing. This balance is extremely important because the last thing we want is to stifle innovation by over legislating this area.

Laws to Watch
At least 14 states have proposed legislation on the 2014 docket that is intended to increase privacy protection for consumers and limit both government and private sector surveillance via the Internet of Things. At the federal level, several bills are already making their way through Congress.

State
AB370, an amendment to the California Online Privacy Protection Act of 2003 (“CalOPPA”). CalOPPA requires owners of commercial websites and online service providers (“operators”) to conspicuously post a privacy policy. The privacy policy must disclose to consumers, among other things, the categories of personally identifiable information (PII), such as name, home address, email address and social security number, that the operator collects, and with whom the operator shares such information. Operators affected by CalOPPA include website operators and, as interpreted by the California Office of the Attorney General, operators of software and mobile apps that transmit and collect PII online.

Federal 
The Black Box Privacy Protection Act is a bill in front of Congress that prohibits the sale of automobiles equipped with event data recorders unless the consumer can control the recording of information. Additionally, the data collected would belong to the vehicle owner.

The We Are Watching You Act is a bill in front of Congress that requires the operator of a video service (such as a DVR or Xbox) to display the message “We are watching you” as part of the programming provided to the consumer before the device collects visual or auditory information from the viewing area. This is not likely to pass, but it is a sign of legislation to come.

The Federal Trade Commission (FTC) has this phenomenon on its radar; in November it hosted an all-day workshop entitled “Internet of Things: Privacy and Security in a Connected World.” The FTC has also released a number of reports and guidelines that direct businesses on how to protect consumer privacy.

International 
With Internet governance at the forefront of international discussion, international “Internet of Things” legislation is not the priority and is likely to be left up to each country to decipher. Early international collaboration on issues like this is one outcome I hope comes from these Internet governance talks… but we’re a long way out from that happening.

The examples listed are a narrow sampling of privacy legislation designed to protect users from unwanted intrusions. Most notably, states have passed a number of laws protecting privacy rights in recent years.

Conclusion
The Internet of Things will bring tremendous new benefits to consumers, but we must balance them against the need for consumer privacy. State, federal and international regulators must work to restrict government and private-sector collection and control of the data IoT will create. In the meantime, make sure you are aware of the information you provide through your IoT devices. Explore privacy settings and read privacy policies if you are concerned about sharing too much data with providers. Know what your priorities are as they relate to customization and privacy. If you value convenience and do not mind a prying eye or two when it means a personalized user experience, share your data freely. However, if you value preserving your privacy, be proactive about doing so until lawmakers can find the appropriate balance. Do not shun technology; just educate yourself.

Why companies should beware of the BYOD movement and how to mitigate potential damage

BYOD (bring your own device) is a buzzword amongst company IT departments and policy makers. A BYOD is an employee-purchased and owned device (i.e., laptop, smartphone, tablet) that is connected to a corporate information network system or otherwise used to conduct company business. A recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. In this cyber age where privacy and cyber security are major concerns for employers and employees alike, BYOD is a proverbial minefield for those unaware of the legal, security and privacy risks.

Emerging BYOD Legal Risks

In this world of telecommuting and start-ups, many companies allow employees to use their own laptops and smartphones. Companies have thereby ended the Apple v. Android and Mac v. PC debates, a win-win for employers and their employees. This all might sound great for both employers and employees, but as with any new invention, the risks of BYOD policies have not yet been resolved. Nor have we seen any BYOD policies take center stage in a publicized legal dispute. We have, however, seen disputes arise over storing company data on personal devices. In Barrette Outdoor Living, Inc. v. Michigan Resin Representatives, the Court ordered an employee to pay $35,000 in sanctions for failing to preserve his cellular phone and deleting 270,000 company files from his personal laptop. Even when using a personal device, employees may have a duty to maintain corporate information if their employer goes to trial. Employees may face personal legal liability for actions taken while using their BYOD device.

Understanding BYOD Security Risks

When employees have access to company networks and data through their personal devices, the company becomes increasingly vulnerable to security and legal risks. Companies that allow broad access face the risk of employees deleting company data and are susceptible to the carelessness of employees and third-party users. These users can be anyone from a child using a parent’s phone to office visitors connecting to the company wi-fi. When BYODs and third-party devices bypass security features normally applied to corporate devices, they are vulnerable to malware—a costly risk, particularly in regard to Android devices. Additionally, BYODs that bypass network security elevate the risk of non-compliance with data privacy laws and regulatory requirements.[1]

Mitigating Security Risks & Maintaining Employee Privacy

The most effective mitigation strategy will couple emerging tools with a BYOD policy to protect company assets and security, examples of which include:

  • Developing a BYOD policy that addresses ownership, password requirements, employee privacy, liability, limitations on access/use, search parameters and what situations trigger which reactions.
  • Selectively publishing company data to new mobile apps; users get the data they need, and the company has greater control over data security.
  • Requiring device encryption.
  • Installing software to track which documents employees download.
  • Installing technology to wipe only corporate settings, data and apps to protect business assets while leaving personal data and settings intact.
  • Exploring geo-fencing to protect company information and prevent data breach by disabling device features such as the camera within company space.

Use and implementation of these tools will depend on company needs but should be considered to mitigate legal, security and privacy risks.


To see more from me on this issue visit: http://techpageone.dell.com/technology/byod-policies-tangle-hr-legal/

Security Risks & the Healthcare Roll Out

Anticipation of the healthcare roll-out tomorrow, October 1, 2013, has sparked heated debate and concern over costs, employer rescission of benefits, and questions about the Health Insurance Marketplace. One question, raised by the FTC and other stakeholders, remains to be fully addressed: What security measures will be put in place to protect Marketplace consumers from identity theft?

The new Health Insurance Marketplace allows you to fill out an application and see all the health plans available in your area. While all insurance plans are offered by private companies, the Marketplace is run by either your state or the federal government. As designed, consumers create an account online or over the phone with a “navigator.” Under the Affordable Care Act (ACA), the government is training additional customer service professionals to help consumers “navigate” the Health Insurance Marketplace. To create an account, participants must provide personal data such as household size, income, passport, address, and potentially a social security number for every member of the household that needs coverage.

What measures are being taken to dispose of information gathered by customer service professionals? What safeguards are in place to prevent identity theft? Scammers are already calling consumers and pretending to be navigators to gather their personal information. How will consumers know the difference?

How to protect yourself in the interim:

  • Do not give personal information to cold calls or emails from navigators or others representing themselves as part of the Marketplace.
  • If you call in or seek help in person, ask navigators what the internal policy is on handling your personal information.
  • Share the least amount of information necessary when shopping for health plans.

For more information about the healthcare roll-out, visit healthcare.gov.

Update October 1, 2013: The government has released the following guidance on avoiding consumer fraud: http://oig.hhs.gov/fraud/consumer-alerts/alerts/marketplace.asp