Privacy at the Bleeding Edge

Lance Koonce
www.privsecblog.com
Recent and Emerging Technologies
• Blogs, Podcasts, Vlogs, Mologs
• WiFi, Wardriving, Wijacking
• RFID
• VoIP
• Biometrics, Encryption
• Mobile Technologies, Bluetooth
• Virtual Worlds
Blogs: The Technology
• Blog Authoring Software
• RSS Feeds
• Filtered or unfiltered comments
• Podcasting (audio blogs)
• Mologs (mobile phone blogs)
• Vlogs (video blogs)
Blogging
• Types of Blogs:
– Individual or Small Group Blogs
• Diary-like
• Topical
• Journalistic
– Corporate Sponsored
• Topical / Corporate Marketing
• Employee Blogs
• Journalistic
Why Does Blogging Matter?
• Anywhere from 15 to 100 million blogs in
existence, depending on who you ask
• Companies offer blogs as employee service (like
a bulletin board) and as viral marketing
• Whether company sponsors blogs or not, it is
inevitable that some employees will have their
own blogs
• Big Danger is speed/breadth of dissemination of
careless or impulsive commentary
– Think of: Instantaneous publication of email
Blogging Issues
• Legal Issues
• Technical Issues
• Practical Concerns
Privacy Overview
From a corporate perspective, blogging
privacy issues mainly arise in two contexts:
• Corporation maintains a blog or is
considering a blogging policy for
employees
• Employee or outside individual is blogging
about the corporation
Blogging Overview:
Whose Privacy?
• Where corporation or employee maintains a
blog, legal issues may arise:
– Privacy torts: when blog entries or visitors’ comments
constitute invasion of the rights of third parties
– Defamation and libel of third parties
– Disclosure of trade secrets or other sensitive
information, and purported whistleblowing
– Collection of information about visitors to the blog
(registering users who post comments)
– Monitoring of employee entries on blogs
Blogging Overview:
Whose Privacy?
• Corporate interests may also be implicated
by outside blogs
– Disclosure of trade secrets/sensitive info
– Defamation of corporation
Blogging Overview:
Examples of Disputes
• Fewer than 10 legal cases mentioning the
word “blog” in all federal and state courts
to date
• The only substantive cases about blogs
have been Apple trade secret case, recent
Delaware defamation case
• Most disputes have been made public
through blogs themselves, which
demonstrates power of the medium
Blogging Overview:
Examples of Disputes
• Apple v. Doe trade secrets case (Cal.)
• Doe v. Cahill defamation case (Del.)
• Employer/Employee disputes:
– Flight Attendant case
– Google Employee
– Microsoft
– PR Company employee
Legal Issues for Corporate Blogs:
Intrusion Into Private Affairs
• Trespass constitutes intrusion – electronic trespass,
recognized in some recent cases, would also be
intrusion (intercepting phone calls, email, etc.)
• Standard: Cannot perform any act that intrudes upon
someone’s private affairs if the intrusion would be
considered “highly offensive” to a reasonable person
• Determination of what is highly offensive depends on
social standards of community and what level of privacy
people can expect under the circumstances
• For blogs, liability turns on where and how information
later posted on blog is collected
– Mologs and Vlogs may be particularly susceptible to intrusion
claim, if photos and video taken without another’s knowledge
Legal Issues for Corporate Blogs:
Right of Publicity
• Using another person’s name, likeness or
personality without authorization for advertising
or commercial purposes
• Key here is whether use was for commercial
purpose: unlikely to be the case for most blogs
• But: for corporate blogs that serve marketing
purpose, must be careful when using celebrity’s
name, likeness or personality
Legal Issues for Corporate Blogs:
Defamation, Libel and False Light
• Defamation and libel: False statement of fact that
damages the reputation of a person or business
– Defamation is spoken, libel is written
• Opportunities abound for liability with blogs:
– By definition the libelous words are made public to third parties
– Words are often written with little thought
– Context of a discussion may make it clear that even cleverly
worded statements (i.e., not naming the person) are defamatory
• False light: Publicizing information about a person that
places person in false light in a manner that would be
highly offensive to a reasonable person.
– Person responsible for making info public must have acted with
knowledge or reckless disregard with respect to the falsity of the
publicized matter
Legal Issues for Corporate Blogs:
Data Collection
• Most blogs do not collect user information
• However, can require users to register before
posting comments
– Again, even blogs with registration procedures usually
do not require personally identifiable information
• To the extent such information collected, privacy
policy should be posted and data should be
treated like any other data collected by a
corporate website.
Legal Issues Arising from Third Party Blogs:
Disclosure of Trade Secrets
• Deliberate or inadvertent disclosure of sensitive
information by former employees, or by third parties
• Also arises in context of corporate blogs (usually through
inadvertent disclosure)
• Claim is defined by Uniform Trade Secrets Act, adopted
by most states; unfair competition claims
– Economic Espionage Act of 1996 for criminal claims
– As practical matter, availability of legal claim may not be as
important as acting quickly to remove material from the blog
– Take-down notice to blog host or Internet Service Provider is
likely the first step
• To the extent possible, consider monitoring of blogs of
disgruntled employees
Legal Issues Arising from Third Party Blogs:
Defamation of Corporation
• Disgruntled employees, unhappy
customers, etc.
• Corporation may be defamed, and
products/services may be disparaged
• Remedies dependent on state law,
although product disparagement may also
be subject to federal law
Industries For Which Blogs May
Raise Additional Legal Issues
• Technology Companies
• Health Care Industry
• Media Entities
Corporate Blogging Policies
• Publicly available policies:
– Sun Microsystems
– IBM
– Yahoo
– Borland
– Feedster
– Groove Networks
– Harvard Law School
• Blogging policy “wiki”:
– www.socialtext.net/charleneli/index.cgi?corporate_blogging_policies
Corporate Blogging Policies
• See Appendix for corporate policies that
have been made public
• Policies can be as wide-ranging as the
industries served and are dependent on
the corporate cultures of the company
• Decision must be made at outset as to
how blog-friendly policy will be
• Policy should always incorporate
company’s privacy policy
Corporate Blogging Policies
• Policy is as much about education as proscription: explain sources
of liability
• Restrictions on blogging outside of workplace are unlikely to be
effective
• Bloggers must respect not just privacy rights, but copyright,
trademark, etc.
• Company must decide whether to vet blog entries before posting
(likely impractical in large organizations)
• Must also decide whether to allow third party comments, and if so,
whether to vet those comments before posting
• Remind employees: although conflict makes for good drama (and
good blogging in some contexts!), it does not necessarily make for
good corporate blogging
• Work with PR department as well as legal, HR
• Section 230 of Communications Decency Act may shield employer
liability in some instances
Employee Blogging Policies:
Essentials
• Disclaimer of corporate liability: consider giving
employees precise language to use
• Notice to employees that blogging must comply
with all HR policies
• Notice to employees re disclosing trade secrets
and other sensitive info
• Notice to employees re various legal claims that
might be made
• Notice re vetting of questionable posts
• “Best Practices” component
WiFi
• Wardriving/Wijacking
– Unauthorized access to wireless networks
– Recent example in Washington State: consultant for
law firm accessing public utility files at public meeting
• Risks:
– Loss of trade secrets or competitive advantage
– Loss of passwords/access information
– Ultimately, data breach and identity theft
RFID
• Second wave of ubiquitous customer preference and
usage tracking
– First wave was online advertising (cookies), TiVo
• Business advantages are tremendous if cost structure
becomes reasonable, but…
• Customers will increasingly see tracking information as
personal data deserving of privacy protection under
existing or new laws
– Question is whether RFID will be seen as “surveillance” or usage
optimization
• Procedures in place to make information available in the
aggregate only and not personally identifiable?
• There will be waves beyond RFID: constraints are only
bandwidth, cost, deployment of networks
Voice Over Internet
• Another example of digitization of personal
communication
– Same security and privacy concerns as other digital
communications, but more to protect since audio is added
• Not yet widely adopted by corporations, primarily
because of quality issues
– Most corporate systems are closed, no Internet connectivity
– But need to guard against employees downloading peer-to-peer
programs like Skype, which may be more vulnerable
• Subject to eavesdropping, voice spam, phishing,
spyware, denial-of-service attacks
– But voice is harder to search and index than text, which may
make some attacks less likely
• Current wiretap laws may not address
Gaming / Virtual Worlds
• Testing ground for next-generation issues
• Electronic proxies for real individuals,
interacting in purely digital environment
• Expectation of privacy?
• Relationship of personal information to
virtual identity?
• Bleeding edge example: phishing attacks
in gaming environments