What Should You Consider When Drafting a Privacy Policy?

Businesses are often faced with the challenge of collecting information about their clients in order to tailor and improve their products and services, while respecting their customers’ privacy and protecting their personal information.  But outside of a narrow set of specific state requirements mandating minimum content requirements for privacy policies (see, for example, this discussion of California’s Online Privacy Protection Act (CalOPPA)), and other than the Federal Trade Commission (FTC) Act, which prohibits deceptive or unfair commercial practices, there are no federal laws or regulations that explicitly say what should be included in a privacy policy.  Nonetheless, the statements a company makes in its privacy policy regarding use and disclosure of personal information are enforceable by consumer protection agencies under regulations such as the FTC Act and state laws that prohibit deceptive commercial activity.

Google Ordered to Cull Both European and Global Search Indexes

Google & Europe’s Right to Be Forgotten

A recent round of court decisions has forced Google, the internationally known search behemoth, to shrink its search index instead of expanding it. This past May, a ruling by the Luxembourg-based Court of Justice of the European Union (CJEU) required Google to provide a means by which citizens of the EU could request that the search provider delete information collected on individuals where the search result(s) “appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed.”

Privacy Roundup: 6/26/2014

Will the ECJ Kill the Privacy Safe Harbor for Facebook, Google and All Others?

Christie Barakat reports in SocialTimes that the ECJ, the European Court of Justice, will review the compatibility of the EU-US Safe Harbor with Europe’s Charter of Fundamental Rights.

The Safe Harbor is a legal convention under which US companies doing business in Europe may permissibly transfer the personal information of EU residents outside of the EU zone.  To qualify, the Safe Harbor requires that American companies commit to certain protections of that data in their processing and sharing practices, including stringent commitments on security of data.  The Safe Harbor is a self-certification process rather than a license or regulatory ruling process.  Although a little bit dated, see Henry Farrell’s nice primer on the Safe Harbor, here.

Barakat quotes from Farrell’s Washington Post blog, “Monkey Cage”, covering the immediate issue, which involves an Irish resident who sued Facebook in Ireland claiming that Facebook’s Safe Harbor self-certification status could not meet European Constitution standards for privacy protection due to Edward Snowden’s revelations of US government snooping of foreigners’ personal data.  As Farrell blogged in the Post, “the judge has presented the case to the ECJ in a way that seems designed to get the higher court to rule that the Safe Harbor is incompatible with European human rights standards, and hence invalid.”

Farrell describes the likely outcome of the ECJ’s review as “very hard to say”, at best.

Expanding Accessibility: UN Adopts Article 9, Raising Accessibility Standards

Introduction
In April 2014, the United Nations (UN) Committee on the Rights of Persons with Disabilities adopted its General Comment No 2 on the issue of Accessibility, which applies to member States within the UN that have signed the treaty. The General Comment to the Convention on the Rights of Persons with Disabilities (CRPD) seeks to provide guidance to all relevant stakeholders, such as states and international organizations, on how to ensure accessibility for persons with disabilities. The treaty serves as the first of its kind to address access to information and communication technologies (ICT) for users with disabilities, and may now serve as a basis for State parties to reinforce and regulate national legislative frameworks.

Notably, the CRPD, Article 9, paragraph 13 places particular onus on public and private actors regarding ICT. “The focus is no longer on legal personality and the public or private nature of… information and communication, and services. As long as goods, products and services are open or provided to the public, they must be accessible to all, regardless of whether they are owned and/or provided by a public authority or a private enterprise.” This treatment of the public and private distinction is a first of its kind. Prior regulations placed the requirements for accessible ICT solely on public or government entities. These entities were essentially held to be established in some way for the public good, and therefore the public audience had a right to access them. The shift in language, which now includes “all products and services open or provided to the public”, places such accessibility requirements on private industry as well, and will set the tone for implementation of such standards by UN treaty members to the CRPD.

Privacy Roundup: 6/18/2014

European Court of Justice’s Recent Ruling Has Many Asking: “What Now?”, Google’s Response, And the EU’s Counter-Response

Mark Scott reported for The New York Times that 28 data privacy regulators from various agencies across the EU will carry out the European Court of Justice’s (EUCJ’s) recent ruling that Google can be forced to remove links from certain searches.  “But”, wrote Scott, “the court gave agencies little guidance in applying the ruling, and they (the regulators) are likely to interpret it in different ways.”  Scott reports that there are two other issues with the ruling: First, the question of whether non-Europeans would be eligible for petitioning European regulators to have information removed and second, the question of what obligation Google or other search engines will have in responding to requests to remove information.

Scott explained that, although Google has previously been confronted with requests to take down information, neither Google nor any other search provider has ever “faced the prospect of handling so many demands for unlinking online content that the new European ruling may have unleashed.”

Privacy Round Up

Oh Snap, SnapChat Agrees to Settle FTC Charges/ Incriminating Selfies Could Come Back to Haunt You
In a news release issued Thursday, the Federal Trade Commission (FTC) reported that SnapChat, Inc., maker of the mobile app “Snapchat”, “has agreed to settle Federal Trade Commission charges that it deceived consumers with promises about the disappearing nature of messages sent through the service.”  According to the FTC’s complaint, Snapchat had previously touted privacy and security as selling points in providing its service which allows users to share “snaps”, ephemeral photos or videos with other users.  The FTC’s release quotes FTC Chairwoman Edith Ramirez: “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”  Additional charges against SnapChat included misrepresented information regarding data collection in its privacy policy, the tracking and transmission of Android users’ geo-location information despite Snapchat claiming otherwise, and the collection of names and phone numbers from users’ mobile address books without notice or permission.

*          *          *

Honey Badger, Stand Down: There’s a New Badger in Town
Peter Eckersley, Cooper Quintin and Yan Zhu announced on the Electronic Frontier Foundation’s (EFF) Deeplinks Blog that EFF has released Privacy Badger, a browser extension for Firefox and Chrome which “automatically detects and blocks spying ads around the web”.  Eckersley, Quintin, and Zhu report that, according to recent Mozilla research, users want privacy more than anything else in a web browser.  According to the post, EFF considers Privacy Badger a part of the organization’s “growing campaign to deliver privacy by giving you the technical means to disallow trackers within the pages you read on the Web.”

Privacy Badger is currently in alpha release and EFF wants your feedback.  You can install it here.

Privacy Round Up

Can you Tweet That?

Venkat Balasubramani writes on the Technology & Marketing Law Blog about a suit filed recently in federal court by Uli Behringer against “John Doe” Twitter users claiming (among other things) violations of the Computer Fraud and Abuse Act (CFAA [http://www.law.cornell.edu/uscode/text/18/1030]), 18 U.S. Code § 1030, unfair competition, trademark and copyright infringement, cyberpiracy and libel.

The claims arise from the failed efforts of Mr. Behringer to have Twitter disable the accounts of users using the Twitter handles “@NotUliBehringer” and “@fakeuli”.  This, despite the fact that, as Balasubramani writes, “the first thing that jumps out is that both accounts are clearly parody accounts – no reasonable twitter user would think otherwise.”  According to Balasubramani, Twitter responded that the accounts did not violate any of Twitter’s policies and therefore refused to disable the accounts, prompting Behringer to bring his case to federal court.

Balasubramani clearly thinks Behringer’s suit is frivolous, although not just because of the protected status of parody under First Amendment and fair use law.  He describes the copyright, trademark, unfair competition and interference with contract claims as “tenuous at best”.

What is the Reach of US Jurisdiction Over Personal Data?

Hunton & Williams, in its Privacy and Information Security Law Blog, writes about a U.S. federal court ordering Microsoft to release user data to U.S. law enforcement in response to an otherwise valid search warrant even where the data was physically stored on servers based outside the United States.

In this case, the data was stored on servers in Ireland.  According to H&W, Microsoft argued that “U.S. courts are not authorized to issue warrants for extraterritorial search and seizure of emails.”  In response, a federal magistrate judge held that a search warrant for online data should be viewed – and treated – differently than a conventional warrant, and particularly should be viewed much more liberally for extraterritorial access purposes.  Allison Grande of Law360.com reports that the judge held that the Stored Communications Act, 18 U.S. Code § 2701, “does not explicitly bar extraterritorial access.”

Aereo and WWE: Disruptive Upstarts in the Land of Live Broadcast TV

Ever since YouTube streamlined the process for allowing anyone to easily post and watch videos online, the barrier to entry to provide and consume video has become incredibly low. Traditional television outlets have embraced online video to some extent, offering access to their most popular shows within a week, or sometimes a day, after they originally air. What’s more, Internet-only services like Hulu Plus, Netflix, and Amazon’s Prime provide an extensive catalog of shows available on demand. One of the few remaining holdouts regarding online access to broadcast television is the arena of live sports. Organizations like the National Football League (NFL) tightly control broadcast rights for live events, while other organizations, like World Wrestling Entertainment (WWE) and the Ultimate Fighting Championship (UFC), control access to their live events through pay-per-view broadcast. Both of these models, however, threaten to be upended by new and novel approaches to content delivery.

WWE and the Digital Only Approach

A shake-up in the delivery of live sports can be found in this February’s launch of World Wrestling Entertainment’s WWE Network. The WWE Network is a subscription-only streaming Internet video service that broadcasts professional wrestling events that were previously only available on cable and satellite television. The $9.99 a month subscription provides subscribers with access to WWE’s pay-per-view events, network original series, as well as a catalog of vintage wrestling programs from the past four decades.

Privacy Roundup: 4/21/2014- 4/27/2014

Sarah N. Lynch reported that Digital 4th, a group that defines itself as “a non-partisan coalition dedicated to bringing Fourth Amendment protections into the 21st century”, is slamming the United States Securities and Exchange Commission (SEC) for resisting changes to federal privacy laws proposed in Congress in 2013.  The legislation would force government agents to obtain warrants prior to accessing the email of any individual under investigation.  In urging the public to lobby the White House to support this reform, Digital 4th launched the website notwithoutawarrant.com.  Lynch writes that, currently, government investigators can legally access certain emails with only a subpoena, which has a lower legal threshold than a warrant since it doesn’t require a judge’s approval.

In The Economist’s “Babbage” blog, H.G. reported that a couple of Harvard students created a service which allows users to delete or alter the content of messages that they have already sent.  The service, Pluto Mail, also lets email senders see whether or not recipients have opened their messages.  The service was released in beta on March 1, currently has about 2,000 users, and accepts new recruits each day from a waitlist.  H.G. reports that, although the sender can access and alter or delete the content of a message via the cloud, senders cannot delete the actual message from a recipient’s inbox.  “The ability to delete all trace of an email would require access to all other messaging services, obliging Pluto Mail to collaborate with every other email provider in the world—a feat they did not consider feasible.”

Open Source, Dynamic Linking and Licensing Consideration for Developers

Introduction:

There is often confusion among software developers regarding the licensing of open source code. Questions center on what can be done with open source code and what is considered a derivative work.  One particular area of confusion arises when the derivative work links to open source code statically or dynamically at build time.  This distinction is critical, because the licensing obligations that apply can differ depending on which form of linking is used.  It is important for developers to understand the basic principles of the most popular open source licenses and how static versus dynamic linking can affect the end result from a licensing perspective.

GNU GPL

The GNU General Public License (GNU GPL or GPL) is the most widely used free software license. It grants end users the freedom to use, study, copy and modify a piece of software. Originally written by Richard Stallman of the Free Software Foundation in 1989, the GPL is now in its third iteration with the GPLv3. The GPL is based on the idea that nobody should be restricted by the software they use. To meet this goal, every user should have the freedom to: use the software for any purpose; change the software to suit a particular need; share the software; and share changes to the software. To this end, GPL-licensed software requires that source code be made available to all users. Furthermore, users have the right to use and modify that source code. Should those modifications be distributed, the source code of that distribution must also be licensed under the GPL.