Advanced Technology Seminar: Cyrus Daftary & Todd Krieger, March 16, 2015...
2
Agenda
Administrative Discussion
Crowd Funding Update
Employee Privacy Rights
Individual / Consumer Privacy
Questions and Answers
3
Nanoplug “Invisible Hearing Aid”
Raised funds on Indiegogo
“Half the size of the smallest devices currently on the market.”
Raised ~$293,000 from >1,000 contributors.
“Half the size of other hearing aids”
https://www.youtube.com/watch?v=8zr1SGDrAhY
4
Things Changed Along the Way
7.1 mm
11 mm
https://www.indiegogo.com/projects/nanoplug-the-world-s-first-invisible-hearing-aid#activity
http://advancedhearing.com/hearing-aids/bee-ii-800-cic-digital-hearing-aid
5
Employee Technology Privacy Rights
How private are employees’ personal e-mails sent from work accounts?
How private are employees’ online activities?
How private are employees’ computer activities?
6
A. Should Employees have a Reasonable Expectation of Privacy?
McLaren case: (Bill McLaren Jr. v. Microsoft)
Facts: accused of sexual harassment and ‘inventory issues.’
Cause of action: invasion of privacy (Texas).
(1) Intrusion on the plaintiff’s seclusion or solitude or into his private affairs;
There are two elements to this cause of action: (1) an intentional intrusion, physically or otherwise, on another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person.
7
Should Employees have a Reasonable Expectation of Privacy (cont’d)?
McLaren case:
Argument: Is a password encrypted e-mail account like a locker at work?
How do their purposes differ?
Conclusion: “the company’s interest in preventing inappropriate and unprofessional comments, or even illegal activity, over its e-mail system would outweigh McLaren’s claimed privacy interest in those communications.”
“Employees have no reasonable expectation of privacy in electronic communication” (Hale and Dorr Internet Alert, July 10, 2002).
8
Class Discussion: Had Quon Brought Back an Expectation of Privacy in the Workplace?
Quon v. Arch Wireless:
Facts:
City provided pagers to police officers
Policy prohibited personal use
Officers could pay for ‘overages’
City requests pager records from Arch Wireless
Audit turns up extensive and explicit ‘personal use’
Stored Wire and Electronic Communications Act [18 U.S.C. §§ 2701-2711 (1986)]
Compare with Warshak?
How about cell tower records? [No. 08-4227 (3rd Circuit Court of Appeals)]
9
Business Risks to Unregulated Employee E-mail Access
Hostile or harassing work environment from inappropriate downloaded or forwarded messages or images.
In 1995 Chevron settled a sexual harassment claim for $2.2 million caused by several factors, including an e-mail listing ‘25 reasons beer is better than women.’ This action preceded the company’s anti-harassment policy (NYLJ 8/23/99).
Reduced productivity from employees spending too much time with personal e-mails.
Inappropriate or protected information posted online from workplace computers.
Source: www.haleanddoor.com/internet_law/burton.html
10
E-mail and Internet Use Policy is Critical in the Workplace
Two Supreme Court cases created a new standard for sexual harassment liability:
1) Tangible employment action: no defense (ex: termination or demotion).
2) Affirmative defense:
• Exercised reasonable care to prevent and correct harassing behavior and;
• Employee unreasonably failed to take advantage of employer’s policy.
Source: Burlington v. Ellerth 535 US 742; Faragher v City of Boca Raton 524 US 775 (1998).
11
Does Monitoring Employee e-mail Violate ECPA?
Electronic Communications Privacy Act of 1986 (18 USC 2510):
Prohibits interception of electronic communications, including e-mail affecting interstate or foreign commerce.
Permits interception if there is consent.
Provides a business exception for delivered communications (monitoring must not be excessive and have a legitimate business purpose): Fraser v. National Mutual Ins. Co.
Councilman case discussion
Smyth v. Pillsbury: No reasonable expectation of privacy, despite employer’s policy.
12
How Far Can An Employer Reach?
Can an employer terminate an employee for activities on Facebook? Souza & Costco cases set NLRB standards.
Should an employer be able to see an employee’s FB account?
Does an employer have a duty to monitor online chat rooms technically outside of the workplace?
Blakey v. Continental: if employer knew about harassing comments, it had a duty to stop them (164 NJ 38).
13
Illinois Public Act 097-0875
(b)(1) It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.
14
Exceptions
(2) Nothing in this subsection shall limit an employer's right to:
(A) promulgate and maintain lawful workplace policies governing the use of the employer's electronic equipment, including policies regarding Internet use, social networking site use, and electronic mail use; and
(B) monitor usage of the employer's electronic equipment and the employer's electronic mail without requesting or requiring any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website.
15
Public Domain Exception
(3) Nothing in this subsection shall prohibit an employer from obtaining about a prospective employee or an employee information that is in the public domain or that is otherwise obtained in compliance with this amendatory Act of the 97th General Assembly.
http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=097-0875
16
Many Companies Claim To Monitor Employee Activities
2001 AMA Survey
Computer files: 36.1%
E-mail: 46.5%
Internet activities: 62.8%
Sources: CFO 9/2001 – AMA 2001 Survey, press.amanet.org/press-releases
Most companies who monitor employee activities cite potential liability as the primary reason for monitoring.
2007 AMA Survey
45%
43%
66%
17
More Employers are Investigating Online Activities
28% of employers surveyed by AMA fired employees for e-mail misuse.
30% of employers fired employees for Internet misuse.
Aggressive investigations could impact employee morale.
Companies are now aggressively blocking access to inappropriate web sites and automatically monitoring employee activities.
18
Investigations May Be Triggered By:
Excessive consumption of resources
Downloads or uploads that tie up the network
Hard drive filled with questionable content
Colleague complaints
Vigilant technical staff
Odd behavior
Activities triggering alarms on monitoring software.
19
Monitoring Technologies
Software solutions
Monitor incoming and outgoing e-mail
Capture screen shots at regular intervals
Monitor online activities
Filter keywords and file types
Example: www.spectorsoft.com
Hardware solutions
Keystroke logger captures up to 2 GB of keystrokes, including user names and passwords.
Small physical device runs independently of applications.
Not susceptible to anti-spy software applications.
Example: KeyLlama (www.KeyLlama.com).
21
NSA’s Upstream Surveillance
Government monitoring of ‘Internet Backbone’ traffic instead of just individual activities.
Backbone: the network of high-capacity cables, switches, and routers that are used for communication
Filters for tens of thousands of search terms.
Not intended to target US citizens.
22
1st Amendment Right to Access Wikipedia?
• Wikimedia Foundation filed a lawsuit against the NSA & the US Department of Justice.
• Alleges mass surveillance of Internet traffic violates the 1st & 4th Amendments.
• “Wikipedia is founded on the freedoms of expression, inquiry and information. By violating our users’ privacy, the NSA is threatening the intellectual freedom that is central to people’s ability to create and understand knowledge.”
• https://www.aclu.org/files/assets/wikimedia_v2c_nsa_-_complaint.pdf
23
Wiki Argument
• Access to pages with NSA filtered terms will be flagged
• Wikipedia relies on foreign journalists, editors, volunteers, and other contributors.
• Encroachment of anonymity curtails free speech.
25
New Google+ Review Dispute
Jason Page v. Bussey Law Firm (2015)
Anonymous Google review claims Bussey Law Firm are ‘scumbags,’ who ‘pay for positive reviews’ and ‘lose 80% of their cases’
Lawyer files for discovery from Google and pursues UK poster
Awarded £100k in UK court (£50k legal fees)
26
Sometimes Victory is Brief
https://plus.google.com/+TheBusseyLawFirmPCColoradoSprings/about?hl=en&gl=us
27
“You Already Have Zero Privacy – Get Over it” (Sun CEO Scott McNealy 2000)
Abacus Ad: “This family just spent $425 for a down comforter, $225 for lighting…they have 5 more rooms [to go], want their address?”
http://lists.nextmark.com/market?page=order/online/datacard&id=216497
How about a mailing list of customers who suffer from: “Allergies, Arthritis, Cancer, Diabetes, Heart Burn, Heart Disease, Impaired Vision, Potency…”
http://www.pharmdirectmail.com/
28
Data Brokers (60 Minutes)
http://www.cbsnews.com/news/the-data-brokers-selling-your-personal-information/
29
Technology Related Privacy Concerns
Social Networks
Identity and Information Theft, Phishing
Spam (Usenet abuse / evolved into unsolicited commercial e-mail)
Reverse Computer Trespass / Data Mining / Spyware (Common Gateway Interface – execute a program on host; examine files; install software)
E-mail Interception
Children
Geotracking
http://www.google.com/intl/en/policies/privacy/preview/
We will address security and digital discovery in another lecture.
30
Consumer Concerns
The intrusion into personal affairs and how to prevent it:
Suspicious of surreptitious monitoring of online activities.
Web surfers are not aware of what information is collected or where it is going.
The free exchange of information and ideas concept is not compatible with private information.
Stronger feeling of control with mail or telephone disclosure.
31
Consumer Concerns (cont’d)
Privacy and security are related concerns; a lapse in privacy protection may mean there was a security breach;
Host victim of security breach may not be able to find the culprit, but could still be liable to users who are harmed by the breach;
Privacy law may fall behind Internet technology. Most states require companies to disclose if the personal data of a resident is compromised.
32
Business Needs
Track site usage and visits to better understand customer patterns and needs.
Cost effectively market to potential customers.
Generate leads.
Track effectiveness of marketing and advertising.
Generate revenue for third party advertisers.
33
Consumer Risks
Intercepted wireless communications:
Mobile device
Wireless laptop
Unauthorized data access
Bank or credit card company
Work
Online shopping sites
Social networks
Exposed data
Personal information
Financial information
Computer files
Access to employer’s network.
34
Internet Privacy - Definitions
“Cookie” - a data file written onto a user’s hard drive by programs invoked by web page functions.
“Web Bugs” or “Secret Traces” or “Pixel Beacons” – (1 x 1 pixel) GIF image, usually invisible, allowing the sender of an e-mail or host of a web site (and third parties) to load cookies on the user’s machine which then can track the user’s movements across multiple sites (DoubleClick.com employed such technology).
“Flash Cookies or Locally Stored Objects” – Secondary ‘cookies’ not ordinarily removed when a user purges cookies.
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
“Cyberstalking” – using the Internet to stalk an individual.
“Spyware” - software tracking activity on a computer without consent.
“History Sniffing” - using data stored in a web browser to ascertain what other sites the user has visited.
35
Online Privacy Legal Framework
Federal Trade Commission - fair advertising standards
Local and State laws
Federal Statutes:
COPPA (http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm)
Gramm-Leach-Bliley Act of 1999 (financial privacy)
HIPAA / HiTech (protected health info)
Evolving Common Law
EU Data Privacy Directive
36
FTC Privacy Policy Recommendation
Notice: let them know you are collecting data.
Choice: can they opt out of participating in the data collection?
Access: who can view the data?
Security: can anyone else get to the data?
Practical note: don’t keep your policy static and claim it will never change - companies are acquired or go out of business? What if the court compels disclosure?
Source: www.ftc.gov
37
Tracking Technology
History sniffing: Should e-mailers be able to determine how often a message was read and by whom?
Should they be able to ascertain the I.P. address, host, and computer type of the recipient?
What if a vendor priced its products based on the recipient’s processing speed or the value of the computer?
http://www.proxyway.com/www/privacy-test.html
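The web bugs defined on the Definitions slide and the e-mail read-tracking raised on this slide rely on the same mechanism: a remote image that is fetched when the message or page is rendered, revealing the reader's IP address and client to the image host. The following is an added example, not part of the original slides, that scans an HTML message body for such images; the function names, the sample message and its example.* hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_DIM = re.compile(r"(width|height)\s*:\s*(\d+)\s*(?:px)?", re.I)
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class BeaconFinder(HTMLParser):
    """Collects remote <img> tags that render as 1x1 or invisible."""
    def __init__(self):
        super().__init__()
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # embedded (cid:/data:) images trigger no remote request
        style = a.get("style", "")
        dims = {k.lower(): int(v) for k, v in _DIM.findall(style)}
        for key in ("width", "height"):
            if a.get(key, "").strip().isdigit():
                dims[key] = int(a[key])  # explicit attributes override style
        tiny = dims.get("width", 99) <= 1 and dims.get("height", 99) <= 1
        hidden = bool(_HIDDEN.search(style))
        if tiny or hidden:
            reason = "1x1" if tiny else "hidden"
            self.beacons.append((urlparse(src).hostname, reason))

def find_beacons(html):
    """Return (host, reason) for each likely tracking image in the HTML."""
    finder = BeaconFinder()
    finder.feed(html)
    return finder.beacons

# Constructed sample message body; hosts are placeholders.
SAMPLE = """
<html><body>
<img src="https://shop.example.com/banner.png" width="600" height="120">
<img src="http://track.example.net/o.gif?m=1234" width="1" height="1">
<img src="https://stats.example.org/p.gif?id=77" style="display:none">
<img src="cid:logo@local" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for host, reason in find_beacons(SAMPLE):
        print(host, reason)
```

Mail clients that block remote images by default defeat this kind of tracking for the same reason the scanner skips embedded images: no request leaves the reader's machine.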
38
Online Privacy Mishaps
FTC v. Geocities: Geocities violated their own privacy policy and distributed data collected from children.
Travelocity accidentally posted the names, addresses, (some) telephone numbers, and e-mail addresses of 15,000 contest entrants in an online link (http://www.dmnews.com/articles/2001-01-22/12804.html).
Prozac sent out an e-mailing to subscribers and disclosed all of the e-mail addresses in the header (Eli Lilly case available at www.ftc.gov).
More than 45 verdicts have been challenged in the past two years because of internet related juror misconduct (Reuters Legal).
39
Detailed Policies Can Help Minimize Risk
Clients need a mechanism in place to:
Avoid privacy lapses
Address and investigate any mishaps
Massachusetts GL 93H creates an obligation to have robust policies
Privacy audits can yield surprising insight
Different divisions of the same company may not realize their impact on privacy practices
Telemarketing
Online marketing
E-mail marketing
Direct (mail marketing)
Customer service departments
Advertising
40
Other Considerations: European Union privacy directive.
• Notice (what is collected and why?)
• Choice (opt out)
• Access (individuals can view and correct data)
Must have unambiguous consent for data collection
Prohibition on data export without consent - including H.R. data sent from subsidiaries to U.S. company
Local statutes may include civil and criminal penalties
Safe Harbor participants violating the directive face potential U.S. fines from the Dept. of Commerce: see http://www.export.gov/safeharbor