New Google Service - Creative or Creepy

Posted on July 30, 2012 01:57 by Chad Godwin

Google recently launched a new service called Google Now that is available to users of its most current mobile operating system, Android Jelly Bean.  Google Now automatically creates and presents a series of “cards” that try to organize your life by presenting information Google thinks you’ll need at a given moment.  The information presented via the cards is drawn from data Google collects about how you use various Google services, such as Google searches and Gmail.  For example, a recent TechCrunch article notes that the cards may present you with information relevant to your current location, such as nearby restaurants, weather, schedules for nearby mass transit or how long it will take you to drive home from your given location.  Similarly, the cards may present you with flight schedules and currency exchange rates if you’re in a foreign country.  The first time you click on the Google search box within Jelly Bean, Google pops up an introductory screen to provide more information about Google Now.  Users can then explore the topic further.  To use Now, users must explicitly opt in.

Once a user opts in, Google collects and aggregates even more information about you on a daily basis: accessing your email, your calendar, your contacts, your text messages, your location, your shopping habits, your payment history, as well as your choices in music, movies and books.  In other words, what Google Now does is simply take the new, unified privacy policy you had to opt into a short time ago and regurgitate that information to you in what it considers to be useful ways.  When Google first introduced its new privacy policy, at the beginning of this year, more than 30 U.S. state attorneys general protested.  Now, by opting in to this program, users are providing even more information to Google, including the GPS coordinates for their home.  Nonetheless, there has not been a great deal of attention placed on Google Now or its accompanying privacy implications.  Although users may appreciate the convenience of the features that are transparent, they may not consider the significance of the information they are providing access to and what Google may elect to do with their data in the future.  A case can be made that Google essentially “forced” users into agreeing to its new privacy policy, as you could not continue to use Google services without doing so.  However, by actively “opting in” to the new Google Now program, it becomes more difficult to argue that you did not willingly provide Google with access to your data.  So for now, users need to be aware of what they are providing access to.

 


Three law firms based in Austin, Texas recently filed suit on behalf of 13 people claiming that almost 20 apps, including Facebook, Foursquare, Yelp and Twitter, violate policies put in place by distributors such as Apple’s App Store, Amazon’s App Store and Google Play.  The American-Statesman reports that the violations are a result of mobile apps “stealing” address book data, such as names, phone numbers, email addresses and even birthdays.  The lawsuit seeks to stop app developers from harvesting data without permission.  The complaint cites an industry publication that claims the information collected could be worth 60 cents to several dollars per contact.

A New York Times article investigating contact mining recently noted that “the address book in smartphones — where some of the user’s most personal data is carried — is free for app developers to take at will, often without the phone owner’s knowledge.”  The app developers use the data in an effort to expand the number of people using their program.  Developers use email addresses to target potential new customers and to target advertisements.  Several companies, including Path, a social networking site, have issued apologies regarding “how [their] application used your phone contacts.” 

Attorney Richard Newman, an Internet law attorney and managing partner of the Hinch Newman firm, with offices in both California and New York, thinks that the lawsuits are starting to have an impact.  Mr. Newman stated “the mobile communications industry is finding that failing to properly inform consumers of what is happening to their information is increasingly grabbing the attention of regulatory authorities, including the Federal Trade Commission.”  Until a regulatory framework is hammered out to govern emerging data privacy issues, litigation may be one of the only things keeping pace with technology development.  


On January 16, 2012, attorneys filed a class action against Amazon.com relating to an online hacking attack that compromised the personal information of up to 24 million customers of its online shoe retailer, Zappos.com.  Data Breach Legal Watch reported that less than 24 hours after the breach occurred, the plaintiffs’ bar had already filed a Complaint claiming that the attack resulted in the exposure of the following:

Names;
Addresses;
Telephone Numbers;
Email Addresses;
Passwords (cryptographically scrambled); and
The Last 4 Digits of Credit Card Numbers

The attack did not expose the social security numbers or complete credit card numbers of customers.  Nonetheless, the Complaint claims that customers will be exposed to “phishing” attacks that are tailored to the compromised information, as well as anxiety, emotional distress and loss of privacy.  Further, similar to the Sony data breach case, the Complaint seeks compensation for the costs of identity theft insurance and credit monitoring.  
Data Breach Legal Watch notes that, aside from the Hannaford decision that the 1st Circuit recently published, courts have generally rejected fear of identity theft claims, requiring a showing of some actual harm to the individuals affected by the breach.  This breach, however, did not expose complete credit card numbers like in Hannaford or several of the hacking attacks directed at Sony.  It would seem that Zappos is unlikely to be on the hook for anything beyond being forced into providing identity protection and/or monitoring for its customers.  However, the cumulative effect of these data breaches and the class actions that inevitably follow will likely be greater data security within internet industries.

The FTC Reins in Facebook

Posted on December 5, 2011 02:03 by Jim Fieweger

 

 

In the wild, wild west of the internet, it looks like the Federal Trade Commission is saddling up to play the role of sheriff. On November 29, 2011, the FTC announced its proposed settlement of claims against the social networking goliath, Facebook. (By the way, you can read about it on the Commission’s Facebook page: http://www.facebook.com/federaltradecommission?v=wall.) The settlement resolves an eight-count administrative complaint charging Facebook with misleading its users by telling them it would protect the privacy of personal information, but repeatedly allowing that information to be shared with third parties or made public without the users’ knowledge or consent.  (In the Matter of Facebook, Inc., File no. 092 3188.) Coming on the heels of the FTC’s March 2011 settlement of charges that Google, Inc. violated its own privacy promises to consumers when it rolled out its social network site, Google Buzz (In the Matter of Google, Inc., File no. 102 3136), the Facebook case demonstrates the agency is willing to use consumer protection laws to “make sure companies live up to the privacy promises they make to American consumers.” (http://ftc.gov/opa/2011/11/privacysettlement.shtm.)

The FTC’s charges stemmed from representations Facebook made to users regarding their ability to restrict access to personal information they loaded onto the site.  For example, according to the FTC, the company told users they could restrict access to personal data by using a “Friends Only” setting, but in fact, software applications developed by third parties -- “third-party apps” -- and employed by the users’ “Friends” could still access and collect the allegedly restricted data.  Facebook further misled users by telling them that third-party apps could not access data unnecessary to run the apps, and that Facebook would not share information with advertisers.  Neither of those representations was true.  Also, in December 2009, the company allegedly overrode users’ privacy settings when it enacted wholesale changes that publicly disclosed previously restricted information such as “Friends” lists, without first getting the users’ approval to enact these changes.  (You can read Facebook’s eight alleged deceptions in the complaint at the FTC’s website - http://ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf.)

Under the proposed settlement, Facebook will be prohibited from making any further deceptive privacy claims, from changing the way it shares a user’s data without first obtaining the user’s approval, and from allowing anyone to access a user’s information more than 30 days after the user deletes his or her account.  In addition, Facebook will be required to maintain a comprehensive privacy program intended to address privacy concerns associated with both new and existing products used on its site.  To ensure the existence and proper administration of its privacy program, Facebook will be audited by an independent third party every two years for the next twenty years.  Though the settlement does not impose any monetary sanctions, Facebook could incur fines of up to $16,000 per day if it fails to comply with its terms.  The FTC will take public comments on the proposed settlement through December 30, 2011.  

The FTC’s charges focused on Facebook’s failure to live up to its own representations regarding data security, not the simple fact that it shared personal data with third parties. This tack derived from the consumer protection standards underlying the complaint -- specifically, section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” (15 U.S.C. § 45(a)(1)).  (The FTC also is tasked with enforcing the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., which imposes restrictions on operators of commercial websites who knowingly collect personal information from children under age 13, but that statute was not invoked in this case.)
While it is easy to view this decision primarily as a vindication of personal privacy interests -- and in many ways, it is -- it really reflects a victory in the FTC’s efforts to defend consumer rights.  Facebook’s problems arose not from the dissemination of data, but from its failure to live up to its own promises.  Had Facebook not told its users that it would protect certain personal data, or had it simply informed users more fully regarding their December 2009 changes in their privacy practices, it is likely they could have disseminated the data precisely as they did, but avoided their run-in with the FTC.  

Facebook remains under criticism for other data collection practices, such as tracking webpages visited by both members and non-members.  As quoted in USA Today, West Virginia Senator Jay Rockefeller urges the passage of new laws to help consumers “protect their personal information from companies surreptitiously collecting and using . . . personal information for profit.” (http://www.usatoday.com/tech/news/story/2011-11-29/facebook-settles-with-ftc/51467448/1) Whether or not those new laws come to pass, the FTC has demonstrated that consumer protection laws already on the books give it some potent guns for policing the internet frontier.

Jim Fieweger is a partner in the Chicago law firm Williams, Montgomery & John.  A former Assistant United States Attorney in the Northern District of Illinois, Jim is an experienced trial lawyer whose practice focuses on commercial litigation and white collar criminal defense.  Jim is a member of the DRI Government Enforcement and Corporate Compliance Committee.


For the last week or two, the lead story in international media has been the cell phone hacking scandal at the News of the World in London.  As the investigation into those events has widened and details have become publicly known, we have learned that the hacking may have extended to other media outlets and most likely took place outside of the United Kingdom, including in the United States.  Frankly, before this story broke, I never considered that hacking into cell phones by a private person or entity might be possible.  However, now that we know that cell phone privacy may be a real concern, there may be several implications for the legal community.

The first concern we should all have must be our own cell phone security.  It appears that the cell phone hacking allegedly perpetrated by the News of the World was accomplished primarily by hacking into the voicemails of the targets.  The scheme was actually quite simple.  Most people have a four digit code to access their voicemails.  According to a recent ABC News report, the most common passcodes are 0000, 1234, 5555, or the last four digits of social security numbers or the birthdates of the user or a close family member.  Obviously, these are not hard to guess.  Furthermore, people tend to use the same passcodes, PINs and passwords for multiple applications, so finding those codes can lead to even more information, accounts, etc. being compromised. 

Since we as lawyers are entrusted with the private and proprietary information of our clients, we have a duty to safeguard that information. We should now all be aware of the risks of cellular privacy and take steps to ensure that our clients' information, as well as our own, remains confidential.  We need to make sure that our voicemails are protected by unique and difficult to decipher PINs and deleted once received. Unfortunately, publicity of events such as the News of the World hacking scheme can lead to many ill-intentioned people learning a new method to steal information or assets.  We can expect this type of act to spread until further security protocols to prevent it are developed.

Another potential implication of the cell hacking scandal is the possibility of attracting the interest of members of the plaintiff's bar interested in pursuing claims related to cellular security.  The victims of the recent cellular hacking most likely will have claims against the perpetrators for invasion of privacy and similar torts.  If the practice of accessing private data of others through cellular phones is more widespread, and it certainly appears from recent news that it is, then we can expect that there will be attorneys out there who will begin marketing the representation of those who have been victims of that practice.  You can expect that the targets will be not only the hackers, but also entities or people who may have been in a position to prevent or mitigate the acts.  Our clients will need to be advised accordingly.

 

 

 


Sony Data Breach Part VII: Suspect Nabbed!

Posted on June 23, 2011 04:10 by Chad Godwin

CNN reported that the 19-year-old suspected of hacking into Sony’s networks was recently arrested in London.  Britain does not release the names of criminal suspects, but London’s Metropolitan Police appear confident that they apprehended the person responsible for breaching more than 100 million Sony user accounts and obtaining personal and credit card data.  Authorities believe that the suspect is associated with the hacker group LulzSec, though that has not yet been confirmed.  According to Sony’s estimates, responding to the attacks will ultimately cost the company more than $171 million.  However, it does not appear that Sony’s estimate attempts to account for the avalanche of litigation that was triggered by the data breach.

Chad Godwin has contributed several articles to the DRI Blog following this story closely.  For a full recap, check out Chad's other posts regarding this story.

PlayStation Online System Breached by Hacker - Offline Indefinitely - April 28, 2011
Sony Data Breach Part II: PlayStation Online System Breached by Hacker - Offline Indefinitely - May 3, 2011
Sony Data Breach Part III - Sony Offers Insurance of $1 Million Per User - May 12, 2011
Sony Data Breach Part IV: Plaintiffs Take Aim at Sony - Hacks = Mass Torts - May 13, 2011
Sony Data Breach Part V: Hacked Again! - May 20, 2011
Sony Data Breach Part VI: Four Attacks Since April - May 24, 2011


A number of media outlets have been reporting that the European Union is investigating Facebook’s rollout of its new face-recognition photo-tagging system.  Mashable reported that the new feature “recognizes” faces in photos, which enables users to connect a face in a photo to a user in a much easier “semi-automated process.”  More specifically, Facebook provides suggestions for individuals in photos, and the user chooses to either accept or reject them.  The feature is now enabled by default, though it can be disabled by altering an account’s privacy settings.

The New York Times reported that, on Wednesday, European Union data protection regulators announced that they would investigate the feature.  Gérard Lommel, a Luxembourg member of the Article 29 Data Protection Working Party, stated “tags of people on pictures should only happen based on people’s prior consent and it can’t be activated by default.”  He went on to note that tagging suggestions “can bear a lot of risks for users.”  In an emailed statement, Facebook noted that it “launched Tag Suggestions to help people add tags of their friends in photos; something that’s currently done more than 100 million times a day.  Tag suggestions are only made to people when they add new photos to the site, and only friends are suggested.”  Meanwhile, the Electronic Privacy Information Center, based in Washington, is working on its complaint and is expected to file it with the FTC today. 

The privacy concerns associated with the new face-recognition feature are generally obvious.  Individuals should have a say in whether and where their photographic image is distributed.  Once a photo enters the digital domain, it is difficult if not impossible to “undo” that publication.  A photo that one user deems harmless fun may not appear that way to the subject’s employer.  Although Facebook users could already tag photos manually, this feature encourages tagging.  Further, it would appear to make it easier for users to tag photos of distant “friends,” a concern given the fact that some users have hundreds or even thousands of “friends” that they may know little to nothing about.  Moreover, being able to associate a face with a name would make it easier to gain additional information on individuals, such as an address.

Once your identity is confirmed, the legal implications are seemingly endless.  Computerworld.com reports that legal service via Facebook, for documents such as paternity and restraining orders, is becoming more popular internationally, in countries such as Canada, Australia, New Zealand and the United Kingdom. Indeed, service via Facebook may soon be acceptable in the United States.  Computerworld.com quoted Joseph DeMarco, co-chair of the American Bar Association's criminal justice cyber-crime committee and a lawyer at New York-based DeVore & DeMarco, as noting that he considered service via Facebook a “useful tool.”  Photographs linked to a user’s account would only serve to strengthen an argument that service was properly perfected.  It will be interesting to see whether Facebook caves to international pressure to turn off the new face-recognition feature as a default setting.  Regardless of the outcome, the proliferation of this type of technology is likely to continue.

 


Technolog, on MSNBC.com, is reporting that Sony is now suffering through an additional round of network attacks, bringing the total number of attacks that have occurred since April to at least four.  The official website for Sony BMG Greece was hacked on Monday and some of the confiscated data, including user data, was dumped onto the Internet.  Today, reports suggest that Sony Music Japan suffered the same fate.  The facts surrounding the attacks suggest that they are designed to taunt the engineers responsible for ensuring network security.  This time, the hackers brazenly left messages noting, “we just want to embarrass Sony some more,” and “stupid Sony, so very stupid.”  Although Sony claims that the most recent attacks are not associated with compromised personal or credit card data, they continue to damage Sony’s already reeling image.

Attackers first hit Sony’s PlayStation Network between April 17 and April 19, 2011.  The company has been feverishly working since that time to secure its networks and restore the profits associated with its user accounts.  In early May, Sony attempted to bring its Network back on-line only to discover that an additional hack allowed attackers to gain access to new user passwords.  Now, the company faces taunting from hackers who seem almost as though they are able to breach security at will.  If one of the largest, most recognizable leaders in technology is vulnerable to so many security issues, how safe are the multitude of additional networks harboring such data, and what company will the hackers set their sights on next?

 


Sony Data Breach Part V: Hacked Again!

Posted on May 20, 2011 07:35 by Chad Godwin

Computer and electronics giant Sony continues to take two steps back with every step forward while trying to restore services on its PlayStation Network.  Geek.com recently reported that the network has been hacked again.  The new attack comes just over one month after the network was initially hacked, which resulted in the breach of over 100 million accounts.  After shutting the network down for over a month to bolster security, Sony was in the process of bringing network services back on-line when the company discovered another hack.  In an effort to strengthen security, Sony forced users to reset their password upon returning to what was supposed to be a reinforced network.  However, an additional hack allows someone to reset a user password if they know the corresponding email address and birth date associated with the account, both of which were compromised in the initial attack.  Sony has since disabled the password reset system and gone back to the drawing board, with no word on when full network access will be restored.

While Sony certainly has its hands full attempting to return network functionality, the company continues to experience mounting legal problems.  In addition to the multitude of suits being filed in the U.S., Sony is now facing claims filed by Canadian citizen Natasha Maksimovic.  Geek.com reports that Toronto law firm McPhadden Samac Tuovi, LLP represents Maksimovic and is seeking in excess of $1 billion in damages from Sony Japan, Sony USA and Sony Canada.  Maksimovic wants to see some of the damages go to paying for 2 years of credit monitoring services and fraud insurance coverage for network customers.  Sony has not commented on the filing.

 


Based on a recent article published by the Chicago Tribune, it appears that the tide of inevitable lawsuits associated with Sony’s data breach recently started to wash across the country.  The Tribune reports that at least 25 lawsuits have been filed in U.S. federal courts following the hacker attack and data breach at Sony’s PlayStation and Qriocity Networks.  The lawsuits accuse Sony of negligence and breach of contract for allowing the personal data of more than 100 million network subscribers to be compromised and stolen.  Moreover, the article suggests that Sony now acknowledges that whoever hacked into their networks may have gained access to approximately 12.3 million credit card numbers, a statistic that Sony had not previously owned up to.

Citing language typical for such claims, one lawsuit reads, “had Sony properly secured its database through known and available encryption methods, even if a hacker were able to enter the network, he would be limited in his ability to inflict harm.”  Judges are just beginning to address the issue of whether the loss of personally identified information (PII) represents a loss in and of itself, or whether plaintiffs must show that they suffered additional damages due to an attack.

Last month, U.S. District Court Judge Phyllis Hamilton declined to dismiss a proposed class action involving a 2009 data breach at RockYou, a company that develops social networking applications.  Hearing the issue in Oakland, California, Judge Hamilton found that the plaintiffs’ allegations were sufficient to allow the lawsuit to move forward, but ruled that the case will ultimately fail in the event the plaintiffs are unable to demonstrate tangible harm stemming from the breach.  It does not appear that Judge Hamilton’s ruling deterred the plaintiffs’ bar, as Ira Rothken, a San Francisco-based lawyer who handles privacy class actions, noted that he expects data breaches to grow in the future.  Rothken moved to consolidate all the Sony lawsuits in the District Court for the Northern District of California on Monday.  Nonetheless, despite expanding data breach litigation, internet privacy lawsuits do not yield the large settlements that are traditionally associated with classic securities fraud litigation.  In the case at bar, the fact that Sony already offered its customers complimentary enrollment in an identity theft protection plan should act to minimize realized losses.

 
