Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh Online Privacy Privacy issues fall under two general categories: 1.
Download ReportTranscript Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh Online Privacy Privacy issues fall under two general categories: 1.
Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh Online Privacy Privacy issues fall under two general categories: 1. Corporate privacy 2. Employee privacy Corporate privacy - It concerns the protection of business data, including electronic communications, from retrieval or interception by unauthorized parties - Security is important due to protection of trade secrets and other proprietary information and privileged communications - The failure to maintain confidentiality in these areas can result in a loss of trade secret status - Trade secret means … a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value and is not generally known to the public [See Civil Code § 3426.1(d)] Policies that can help us preserve corporate privacy o Use Encryption Classify confidential information (i.e., “top secret” designation) Restrict access to confidential information (i.e., need-to-know system) Use software that detects trade secret information in e-mails Include warnings in privileged correspondence (e.g., “This E-mail Contains Privileged Communications”) Provide employee handbooks that outline protocols o Train employees regarding corporate privacy and confidentiality o Check on incoming and outgoing employees (i.e., execute NonDisclosure or Non-Compete Agreements) o Look out for external devices (e.g., external hard drives, flash o o o o o Employee Privacy o o o o o It involves claims by employees that employer monitoring of their email and computer files violates their right of privacy See California Constitution, Article I, § 1 - right of privacy Hill v. National Collegiate Athletic Assn . - discusses the common law right of privacy In California, the courts have considered a handful of cases involving e-mail privacy claims. Most have been decided in favor of the employer. For example: Flannagan v. Epson America, Inc. - company employees failed to establish “reasonable expectation of privacy” and that interception of e-mail was not wiretapping Bourke v. Nissan Motor Corp. - employees have no reasonable expectation of privacy because they had signed a written waiver Employee Privacy … continued o o o Employees may also claim that review of their e-mail violates a federal statute known as the Electronic Communications Privacy Act of 1986 (“ECPA”) which is codified under 18 U.S.C. §§ 2510 to 2710 The ECPA was originally enacted to supplement the Federal Wiretap Act, but has been expanded to include e-mail and other forms of electronic communication Steve Jackson Games, Inc. v. U.S. Secret Service - The ECPA prohibits unauthorized interception of e-mail and unauthorized access to e-mail stored on a computer system. [See 18 U.S.C. § 2511] Employee Privacy … continued o ECPA – its extent and application to computer networks maintained by private businesses is still undetermined o For example, companies require access to employee computer files and e-mail for the following reasons: a) ensure computer resources are not abused b) guard against disclosure of trade secrets c) investigate employee complaints regarding harassing or offensive materials d) respond to discovery requests in litigation o Based on a company’s need and rights to access employee computer files there may be a conflict with its employees’ privacy rights and the ECPA o So, it’s important that policies be developed to avoid problems How to minimize the likelihood of claims for invasion of privacy or ECPA violations: o Access employee files and e-mail only for legitimate business reasons o Make sure employees understand that the office network and telecommunications systems are owned by the business and should be used only for business purposes o Adopt written policies governing network use and telecommunications equipment o Review union and collective-bargaining agreements to determine if there are any contractual restrictions that limit employee monitoring Employee Privacy o For more information, visit my law firm’s blog (internetlawyerblog.com) - in the November 11, 2012 post (Privacy Concerns in the Changing Face of Internet and Technology) o Review the FTC Report providing the steps companies can take to ensure consumer privacy protection o If you can’t find it, send an email to [email protected] Cloud Computing o o o o A global technological infrastructure, where user of a computer accesses and uses software and data located outside of a digital device (e.g., a computer) A user connects to external devices thru an Internet connection, but has no knowledge of the nature/location of the server on which the data and software are located This anonymous, external, and often unidentifiable interaction is known as “cloud computing” or simply “the Cloud.” A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage devices, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. See www.nist.gov/itl/csd/cloud102511.cfm Three basic types: 1. Software as a Service (SaaS) 2. Platform as a Service (PaaS) 3. Infrastructure as a Service (IaaS) Software as a Service (SaaS) o It’s the most common type o SaaS applications provide the function of software that would normally have been installed and run on the user's desktop o The application is stored on the service provider's servers and runs through the user's web browser over the Internet o Examples - Gmail, Google Apps, and Salesforce Platform as a Service (PaaS) o Provides a place for developers to develop and publish new web applications stored on the servers of the provider o Customers use the Internet to access the platform and create applications using the provider's API, web portal, or gateway software o Examples - Saleforce's Force.com, Google App Engine, Mozilla Skywriter, and Zoho Creator Infrastructure as a Service (IaaS) o It seeks to obviate the need for customers to have their own data centers o The provider sells access to web storage space, servers, and Internet connections o The provider owns and maintains the hardware and customers rent space according to their needs o Customer maintains control of software environment, but not over equipment o Examples - Amazon Web Services, IBM SmartCloud, Terremark Enterprise Cloud Privacy o Issue – How to protect personal information on the Web o Examples: Banking, Emailing via Web mail account, Sharing Pictures o Questions: o What happens to the information when it disappears into the Cloud? o Where are your passwords and your account numbers saved? o Who can access them and what do they do with them? o Can you delete the information, in the sense that no one will be able to access it in the future? Tips on protecting personal information: 1. Do not inadvertently reveal personal information 2. Turn on cookies notices in your browser or use cookie management software 3. Keep a "clean" e-mail address (e.g., main and alternate email accounts) 4. Avoid revealing personal details to unknown persons/entities 5. Avoid sending highly personal e-mail to mailing lists 6. Avoid replying to spammers 7. Be conscious of Web security (e.g., https v. http) 8. Be conscious of home computer security (i.e., use firewall and encryption) 9. Examine privacy policies and seals (e.g., TRUSTe - www.TRUSTe.com) Contract Law o In general, contract law is applicable 1. Licensing Agreement - a contract where licensor gives licensee permission to use intellectual property (e.g., patent, trademark, or copyright) 2. End User License Agreement (EULA) - contract between the licensor and purchaser, establishing the purchaser's right to use the software o Question: Is there equal bargaining power? o In general, privacy is about controlling what is done with information after it’s released to the Cloud o So, who should have the power to collect, cross-reference, publicize, or share information about us? Case Study: Facebook.com o “For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.” o Statement of Rights & Responsibilities www.facebook.com/legal/terms o Data Use Policy - www.facebook.com/about/privacy Protecting Personal Information o Fourth Amendment - protects people and their property “against unreasonable search and seizures” o Electronic Communications Privacy Act (ECPA) Objective: To protect electronic communications from unwanted interception by both state and private actors Violations/Remedies: Individuals - face up to 5 years imprisonment and a $250,000 fine Victims - entitled to a civil suit of actual damages, punitive damages and attorney’s fees U.S. Government - cannot be sued for a violation, but evidence that’s gathered illegally cannot be introduced in court Electronic Communications Privacy Act o It was envisioned to create “a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement” o It’s codified under 18 U.S.C. §§ 2510-2522 o Any violation may be punishable as a felony under 18 U.S.C. § 2511(4) o Violators may be liable for: I. $10,000 in statutory damages or, if greater, actual damages suffered by the party whose communication was intercepted II. Punitive damages III. Attorney’s fees and litigation costs ECPA - It has three sub-parts: o Title I - Wiretap Act o Title II - Stored Communications Act o Title III – Pen Register Act Title I - Wiretap Act o It’s codified under 18 U.S.C. §§ 2510-2522 o Protects communications in transit o Protects against both government and private intrusion into electronic communications o The protection is strong in most situations o Access requires a search warrant and any evidence obtained in violation of this part of the Act is subject to exclusion in court proceedings Title II - Stored Communications Act o Protects the storage of electronic information o It covers nearly all information in the “Cloud” that is no longer in transit from sender to recipient (i.e., it refers to e-mails not in transit) o There are certain exceptions for law enforcement access and user consent o General rule: Employers are forbidden from accessing employee’s private e-mails o Exception: It may be lawful if consent is given in the form of an employment contract that explicitly authorizes the employer to access e-mails Title III - Pen Register Act o Pen Registers/Trap and Trace devices provide non-content information about the origin and destination of communications o It’s subject to less restrictions than actual content since it doesn’t contain the communication’s content o U.S. Supreme Court There is no “reasonable expectation of privacy” in this information because the telecommunication company has access to it In fact, the telecommunication company must utilize this information to ensure communications are properly routed and delivered Title III - Pen Register Act o There is no statutory exclusionary rule that applies when the government illegally uses a pen register/trap and trace device o There is no private cause of action against the government for violations o It’s codified under 18 U.S.C. §§ 3121-3127 ECPA - Disclosure of Records o Lays out guidelines for law enforcement access to data o Per the Stored Communication Act: Government is able to access many forms of stored communications without a warrant (e.g., customer records from communications providers) Under 18 U.S.C. § 2703, an administrative subpoena, a National Security Letter (“NSL”), can be served on a company to compel disclosure of basic subscriber information Section 2703 also allows a court to issue an order for records Whether an NSL or court order is warranted depends on the information The following table illustrates the different treatment of email contents: FTC Guidelines Fair Information Practice Principles: i. Notice/Awareness ii. Choice/Consent iii. Access/Participation iv. Integrity/Security v. Enforcement/Redress See www.ftc.gov/reports/privacy3/fairinfo.shtm Notice/Awareness: o The most fundamental principle o Before any personal information is collected, consumers should be given notice of an entity's information collection practices o Without notice, consumers cannot make informed decisions as to whether and to what extent to disclose personal information o California's Online Privacy Protection Act (COPPA) - ensures consumers are able to access a website's privacy policy before release of personal information o See Business & Professions Code §§ 22575-22579 Essential disclosures to consumers may include: Entity’s identification Identification of the uses Identification of potential recipients Nature of the data collected and the means by which it is collected if not obvious o Passively - by means of electronic monitoring o Actively - by asking the consumer to provide the information o Whether the provision of the requested data is voluntary or required, and consequences of refusal o Steps taken by data collector to ensure confidentiality, integrity and quality o o o o Choice/Consent: o Choice - giving consumers options as to how any personal information collected from them may be used o It relates to secondary uses of information (i.e., uses beyond those necessary to complete the contemplated transaction) Internal – being on a company's mailing list; or External - transfer of information to third parties Choice/Consent: o Two types of choice/consent regimes: 1) Opt-in 2) Opt-out o The choice regime should provide a simple and accessible method for consumers to exercise their choice o Online – user’s choice may be exercised by clicking a box showing his/her decision regarding the information’s use and/or dissemination o Another Option – An application requiring consumers to specify privacy preferences before visiting a website may be incorporated into Internet browsers Access/Participation: o It refers to the: 1) Ability to access data (i.e., view personal data in entity's files) 2) Ability to contest data accuracy and completeness o Access must encompass: i. Timely and inexpensive data access ii. Simple means for contesting inaccurate or incomplete data iii. Mechanism by which the data collector can verify information, and iv. Means by which corrections and/or objections can be added to the data file and sent to all data recipients See FCRA, 15 U.S.C. § 1681i; see also EU Directive, 95/46/EC, Art. 12. Integrity/Security: o Collectors must take reasonable steps to ensure integrity such as: i. Use reputable sources of data ii. Cross-reference data against multiple sources iii. Provide consumer access to data iv. Destroy untimely data or conversion to anonymous form o Technical security measures may include: i. Encryption in the transmission and storage of data ii. Limits on access through use of passwords; and iii. Storage of data on secure servers or computers inaccessible by modem Enforcement/Redress: o General Idea - Consumers enforce policies and procedures o Alternative Enforcement approaches: a. Industry Self-Regulation b. Private Remedies c. Government Enforcement Industry Self-Regulation o Enforcement (i.e., mechanism to ensure compliance) includes: o Making acceptance of and compliance with a code of fair information practices a condition of membership in an industry association o External audits to verify compliance o Certification of entities that have adopted and comply with the code at issue o Redress (i.e., appropriate means of recourse by injured party) includes: o Institutional mechanisms to ensure that consumers have a simple and effective way to address concerns Private Remedies o General Idea - create private right of action for consumers harmed by an entity's unfair information practices o The following privacy acts provide for the recovery of actual, liquidated, and punitive damages: i. Video Privacy Protection Act of 1988, 18 U.S.C. § 2710(c) – providing for award of actual damages or liquidated damages of not less than $2,500, punitive damages, attorney's fees, and equitable relief ii. Cable Communications Policy Act of 1984, 47 U.S.C. § 551(f) – providing for recovery of actual or liquidated damages of not less than $1,000, punitive damages, and attorney's fees Government Enforcement o General Idea - Enforcement of fair information practice by means of civil or criminal penalties o Whether enforcement is civil or criminal depends on the nature of the data at issue and the violation committed o See IITF Report § III.C - redress should be appropriate to violation Electronic Privacy Information Center (www.epic.org) o EPIC filed a complaint against Google - claiming that it was misrepresenting the safety and security of information of several of its Cloud service websites, including Gmail, Google Docs, Google Desktop, and Google Calendar o EPIC alleged that, while Google professed the security of its services, there were: i. Flaws permitting unauthorized users access to documents ii. Exposures of usernames and passwords to theft iii. Security flaws allowing others full control of a user's system o If these allegations are true, then it means that Google did not follow several different principles such as Integrity/Security and Notice/Awareness Cloud Computing Act of 2012 o Proposed by Senator Amy Klobuchar (D-MN) - September 19, 2012 o It attempts to give “cloud computing services” extra protections under the Computer Fraud and Abuse Act (CFAA) o It states that each instance of “unauthorized access” (the lynchpin of liability under the CFAA) of a cloud computing account is a separate offense o Loss is presumed to be the greater of the value of the loss of use or information, or a minimum of $500, multiplied by the number of cloud computing accounts accessed o See http://beta.congress.gov/bill/112th/senate-bill/3569/text Computer Fraud and Abuse Act o Is a hybrid civil-criminal law o It’s codified under 18 U.S.C. § 1030 o It originally passed as a purely anti-hacker criminal statute prohibiting wrongful access to computers o It focused on issues relating to the protection of federal computers and financial institutions. It also touched on interstate and foreign cybercrimes o The 2002 amendment (aka the “Patriot Act”) gave federal officials more flexibility regarding monitoring and prosecuting suspected cyber criminals o It’s been used by employers regarding internal data breaches and misappropriation by employees Online Fraud Types o Identity Theft and Fraud o Click Fraud o Mass marketing fraud o Advance fee schemes o Bank and financial account schemes o Investment opportunities o Auction and Retail schemes o Business Opportunity or “Work-at-Home” schemes o Market Manipulation schemes o Short-selling or “scalping” schemes o Credit-Card schemes o Intricate schemes o Real Estate Scams Identity Theft and Fraud o General rule: It’s illegal to use someone else's personal identifying information without authority to obtain credit, goods, services, money, or property. (See California Civil Code § 1798.92) o Personal identifying information - name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, or credit card number. o Statute of Limitations o 4 years o See California Civil Code § 1798.96 Scenarios o Example 1: In one federal prosecution, the defendants allegedly obtained the names and Social Security numbers of U.S. military officers from a website, then used more than 100 of those names and numbers to apply via the Internet for credit cards with a Delaware bank. o Example 2: In another federal prosecution, the defendant allegedly obtained personal data from a federal agency's website, then used the personal data to submit 14 car loan applications online to a Florida bank. Tips for Avoiding Identity Theft o Do not throw away ATM receipts, credit statements, credit cards, or bank statements in a usable form o Do not respond to "spam" or unsolicited email promising some benefit but requesting identifying data o Do not give your credit card number over the telephone unless you make the call o Reconcile your bank account monthly, and notify your bank of discrepancies immediately o Report unauthorized financial transactions to your bank, credit card company, and the police as soon as you detect them o Review a copy of your credit report at least once each year. Notify the credit bureau in writing of any questionable entries and follow through until they are explained or removed Click Fraud o Occurs on the Internet in pay-per-click (“PPC”) online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link o It’s a controversial subject o It’s caused an increase in litigation because advertising networks are key beneficiaries How to Detect Click Fraud o Unusual peaks in impressions (i.e., number of times the advertisement shows on a search results page) o Unusual peaks in the number of clicks o No increase in conversions during peaks in impressions or clicks o Drop in the number of page views (i.e., how many pages were visited per visitor) during peaks in impressions or clicks o Higher bounce rate (i.e., number of people clicking the advertisement and then quickly going back to the search results page) during peaks in impressions or clicks Click Fraud - Class Action lawsuits o Google v. Auction Experts - Google (acting as both an advertiser and advertising network) won against Auction Experts (acting as a publisher), which Google accused of paying people to click on ads that appeared on Auction Experts' site, costing advertisers $50,000. o In July 2005, Yahoo settled a class-action lawsuit against it by plaintiffs alleging it did not do enough to prevent click fraud. Yahoo paid $4.5 million in legal bills for plaintiffs and agreed to settle advertiser claims dating back to 2004. In July 2006, Google settled a similar suit for $90 million. o Lane’s Gifts & Collectibles v. Google - In March 2006, Google agreed to a $90 million settlement fund in a class-action lawsuit. The lawsuit alleged Google had conspired with its advertising partners to conceal the magnitude of click fraud to avoid making refunds. Relevant Laws 1. Identity Theft and Assumption Deterrence Act 2. Fair and Accurate Credit Transactions Act 3. Fair Credit Reporting Act 4. Fair Debt Collection Practices Act 5. Check Clearing for the 21st Century Act 6. CAN-SPAM Act of 2003 Identity Theft and Assumption Deterrence Act It was passed into law on October 30, 1998 It’s codified under 18 U.S.C. § 1028 et seq. It’s a federal crime if someone “knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.” “Means of Identification” includes: i. Name, SSN, date of birth, driver’s license, alien registration number, passport number, EIN ii. Unique biometric data (e.g., fingerprint, voice print, retina or iris image) iii. Unique electronic ID Number, address or routing code iv. Electronic serial number / Mobile ID number Penalties: o Fines, criminal forfeiture of any personal property used or intended to be used to commit the offense o Imprisonment of up to 15 years It accomplished four things: 1) It made identity theft a separate crime against the individual whose identity was stolen and credit destroyed. Previously, victims had been defined solely by financial loss and often the emphasis was on banks and other financial institutions, rather than individuals. 2) It established the FTC as the federal government’s central point of contact for reporting identity theft instances by creating the Identity Theft Data Clearinghouse. 3) It increased criminal penalties for identity theft and fraud by carrying a maximum penalty of 15 years imprisonment and substantial fines. 4) It closed legal loopholes, which previously made it a crime to produce or possess false identity documents, but not to steal another person’s personal identifying information. California Laws: Penal Code §§ 530.5 – 530.8 Section 530.5(a) - Every person who willfully obtains personal identifying Information…of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medical information without the consent of that person, is guilty of a public offense, and upon conviction therefor, shall be punished by a fine, by imprisonment in a county jail not to exceed one year, or by both a fine and imprisonment… See www.leginfo.ca.gov California Spam Laws a) Business & Professions Code, § 17529 It’s estimated that spam costs California organizations over 1.2 billion dollars Spam is responsible for virus proliferation causing damage to both individual computers and business systems Prohibits spam and regulates commercial advertising e-mails b) Bus. & Prof. Code, § 17538.41 - Text message advertisements c) Bus. & Prof. Code, § 17538.45 - Unsolicited email advertisement See www.leginfo.ca.gov Executive Order o Title: Improving Critical Infrastructure Cybersecurity o Released by White House - February 12, 2013 o Policy: i. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity ii. The cyber threat to critical infrastructure continues to grow and represents serious national security challenges iii. The national and economic security depends on the reliable functioning of the Nation's critical infrastructure Policy … continued: iv. To enhance the security and resilience of critical infrastructure v. To maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties vi. Develop partnerships with the owners and operators of critical infrastructure to improve cyber-security information sharing and collaboratively develop and implement risk-based standards Resources o Federal Trade Commission – www.ftc.gov o Department of Homeland Security – www.dhs.gov o Office for Victims of Crime www.ovc.gov/pubs/ID_theft/idtheftlaws.html o Identity Theft Resource Center - www.idtheftcenter.org/map.html o USA.gov - www.usa.gov/Citizen/Topics/Internet-Fraud.shtml o Department of Justice - www.justice.gov/criminal/fraud o White House - www.whitehouse.gov o eConsumer - www.econsumer.gov/english Any Questions? Salar Atrizadeh, Esq. 9701 Wilshire Blvd., 10th Floor Beverly Hills, CA 90212 Email: [email protected] Website: www.atrizadeh.com Blog: www.internetlawyer-blog.com