Blog

March 26th, 2015

FTC AND CONSUMER PRIVACY

RadioShack’s bankruptcy and Auctioning off Customer Data- A violation of Privacy Policy

By: Vasundhara Apte

http://www.computerworld.com/article/2901691/new-york-threatens-action-if-radioshack-sells-customer-data.html

http://www.bloomberg.com/news/articles/2015-03-24/radioshack-s-bankruptcy-could-give-your-customer-data-to-the-highest-bidder

http://www.pcworld.com/article/2902472/about-25-us-states-oppose-sale-of-radioshacks-customer-data.html

RadioShack is a leading national retailer of technology products and services as well as products related to personal and home technology and power supply needs. RadioShack filed for Chapter 11 Bankruptcy on February 5^th, 2015 after striking a deal to sell up to 2400 of its stores to the wireless service provider Sprint and a hedge fund that is its biggest shareholder.

On 23^rd March, 2015 RadioShack commenced the auction of its assets which include its name and intellectual property, trademarks, patents, leases and the names, email addresses and phone numbers of its customers. According to a Bloomberg Report it is estimated that RadioShack is offering more than 13 million email addresses and 65 million physical addresses to the highest bidder.

Standard General, a hedge fund which is one of RadioShack’s creditors emerged the winner of the auction.Salus Capital Partners claims it did not get a fair hearing at the auction on a bid it made which was materially superior. The Attorney General of Texas Ken Paxton filed a challenge arguing that RadioShack made an explicit promise to its customers that it would not sell their personal data. He brought attention to the fact that it was a breach of the company’s statement wherein RadioShack clearly stated that they prided themselves on not selling their private mailing list. Hilco Streambank a subsidiary of RadioShack also remarked that the deals may not be approved by the bankruptcy court and there have already been two legal filings in attempts to block the sale of consumer data.

There have been several oppositions to the sale of customer data by RadioShack. The State Law in Texas prohibits companies from selling personally identifiable information which violates their own privacy policies. At present the states of Oregon, Texas, Pennsylvania and Tennessee are challenging RadioShack’s attempt to sell its customer data which includes personal information like their names, email addresses and phone numbers. AT&T is also trying to stop the sale of customer information as AT&T believes that RadioShack does not have the ownership of the data which it contends rightfully belongs to AT&T. AT&T claims that AT&T helped RadioShack to market phones and in the process allowed RadioShack to amass information which included among other things a list of AT&T customers. AT&T is concerned as one of the bidders plans to co-brand some of the RadioShack stores as Sprint stores and thus AT&T is concerned that this could lead to giving information to its competitor.

One of the first legal challenges to the sale of customer information was in the FTC V TOYSMART.COM case. FTC sued to prevent Toysmart from engaging in the sale of its customer information as part of a bankruptcy auction. The company’s privacy policy said that personal information of its customers would in no circumstances be shared with a third party and thus the sale of its customer’s information as part of the bankruptcy auction was a clear violation of its privacy policy. The customer data was the company’s most valuable asset in bankruptcy. Toysmart did eventually destroy the information and the case resulted in a federal legislation that imposed a restriction on the sale of assets in bankruptcy.

While addressing the Bankruptcy of Borders, a bookstore chain the FTC realized that bankruptcy was a special case and consented to allowing the sale of personal data with certain conditions. The data could not be sold as a stand-alone asset it would have to be sold in connection with its goodwill, the buyer would have to be in the same line of business as the seller and the buyer must abide by the same privacy policy as the seller. The FTC went on to add that if any changes were made to the privacy policy the consent of the customers would have to be obtained.

The RadioShack bankruptcy filing and sale of its assets particularly consumer information has been a major concern. RadioShack promised its online customers that it would not sell their personally identifiable information to anyone at any time. The signs at RadioShack’s sentiment also sent out the same message that a customer’s information would be treated with respect and dignity and that RadioShack prided itself in not selling its private mailing list. However despite these promises to its customers RadioShack has done just the contrary. A customer’s data has vast market power and is of great economic value but adequate precaution must be taken to ensure that a company does not go back on its word and violate its own privacy policy.

There has been widespread opposition against RadioShack’s plans of selling its customer data. The State of Texas said it had received support from 21 governmental consumer protection entities to its objection of RadioShack’s planned sale of personally identifiable information (PII) of 117 million RadioShack customers. Although New York has not signed on the Texas challenge the the Attorney General Eric. T. Schneiderman said that New York would take appropriate action to protect New York customers if RadioShack violated its customer privacy policy and went ahead with the sale of its customer data.

Approval of the deal is expected to come on Thursday (26^TH March, 2015 when the bankruptcy court is scheduled to rule on the case.

March 26^th 2015

Marketing Drones now flying over Los Angeles Area for Cellphone Location Data

By: Sofia Grafanaki

Panel 5

http://venturebeat.com/2015/02/23/drones-over-head-in-las-valley-are-tracking-mobile-devices-locations/

http://www.popsci.com/marketing-drones-scanned-la-cellphone-location-data

http://www.forbes.com/sites/frankbi/2015/02/23/drones-are-already-intercepting-cell-phone-signals-in-l-a/

A Singapore based marketing company proudly announced last month that it started using drones in order to detect cell phone signal strength and WiFi transmission of cell phone users over part of Los Angeles. Using cell phone triangulation and other such methods, allows them not only to determine specific location data per device, but also their users movements and travel patterns. They can then target consumers with very specific ads, based on their route and what is around them, which coffee shop they are walking by etc.

This practice is not that new, the same company has been previously doing it using bikes, cars and trains in the past, but with the use of drones the scale changed drastically, raising even more privacy concerns relating to their use. While the company claims that it does not collect any personally identifiable data such as names or phone numbers, it does identify each user through the device ID in order to track them. And while the company is trying to use this distinction to respond to privacy concerns, it is widely accepted that the disctinction between PII and non-PII is not as efficient as it was once thought to be when the goal is to protect privacy, as the combination of non-PII from several sources can very often reveal a lot more information about an individual than one would expect.

In the case of this use of drones, there is also an issue with “consent”. Concepts of notice, choice and consent are criticized as weak protectors of privacy in the light of new technologies, but here it is not clear at all when they come into play, even in their weak form. At no point does a user have an option to not be tracked by these drones, like he would (at least theoretically) when using a website that places cookies on his computer. It seems that cellphone users don’t even need to have location services on their smartphones turned on for the tracking to happen, all that needs to be happening is the user to have an app open that is transmitting any kind of data through cell service or WiFi.

March 12th, 2015

The Privacy of Regulators

http://www.nytimes.com/2015/03/12/us/politics/storing-emails-from-these-senators-will-be-easy-if-they-ever-send-one.html

By Emily Naphtal

Recently, the New York Times interviewed the “flip phone caucus”, a group of Senators that barely uses email. For many of these Senators, such as Charles Schumer (D, New York), Lindsey Graham (R, North Carolina), John McCain (R, Arizona), and Orrin Hatch, (R, Utah), this may just be a habit formed over many years of operating in the political world without email. However, the article concludes by lauding the foresight of these Senators – stating that not using email is “a very smart way to avoid embarrassment and possibly jail.”

This suggestion that individuals should “just opt out” of various trappings of modern technology if they want to maintain their privacy has been frequently advanced in discussions on U.S. consumer protection. For example, if a certain service provider such as Facebook updates its privacy policy, users theoretically have a choice to continue using the service or to discontinue their use. However, opt out is not a straight-forward policy for most consumers to understand or implement in a world of interconnected marketing agencies, data collection, and usage. The flip phone caucus Senators have aides to handle their various necessary electronic communications. Most Americans do not enjoy this privilege and must use the internet to fulfill their occupations as well as carry out personal commercial transactions and research.

Companies record and store information about individuals’ movements from webpage to webpage as they browse the internet. Some industry self regulating agencies such as the Network Advertising Initiative (NAI) offer the option to opt out of their customizing advertisement infrastructure. Just by visiting the NAI website, I discovered that 93 different NAI members currently track my internet usage through cookies in order to provide me with targeted advertising. While I can opt out of  “internet advertising delivered to [my] device via HTTP cookies,” my opt out through their trade organization covers neither non NAI members, nor the use of other technologies besides http cookies by NAI members. NAI states that a mechanism for opting out of these other tracking devices is in development. Also, critical to note, opting out of NAI members’ tracking does not affect the storing and sharing of information by various social networking or email services with which I elect to share how I am feeling, where I am going, and the identities of my friends.

A Time journalist recently discovered that opting out of online data collection required behavior that made her appear anti-social and even criminal. The goal of her experiment was to hide her pregnancy from the data collection “bots” on the internet. To accomplish this, she only paid for purchases with cash and prepaid gift cards, only visited baby related websites through Tor, a private browser that routes an individual’s traffic through foreign servers, and she attempted to convince all her acquaintances not to mention the pregnancy on social networking sites. She says this quest forced her into increasingly awkward interactions with family members and the wider world. She deleted an uncle from facebook after he mentioned her pregnancy in a message (which he mistakenly thought was private). And the corner store put her on a watch list for her abnormal purchasing behavior.

Lest consumers become too alarmed they should know that the law does adequately protect information about personal movie rentals. In 1987, a member of the media obtained Robert Bork’s video rental records and they surfaced as part of his contentious and ultimately unsuccessful Supreme Court nomination hearing. In response, Congress made it a crime to disclose video, DVD, and video game rentals without specific consumer consent. 18 U.S.C. § 2710. Companies such as Netflix are still fighting to change this law in order to integrate their products with social media websites.

Perhaps this strangely specific law sheds light on what must happen in order to safeguard the internet privacy of ordinary Americans. Members of Congress must feel that the current dragnet data collection regime threatens their own privacy, their own reputations, and their own jobs, just as they did with respect to movie rental information following the Bork hearing. Until that fated day arrives, Americans who value their privacy can attempt to follow the lead of the Senate’s flip-phone caucus.

March 12th, 2015

The Mosaic Theory, Riley, and the Legacy of Jones

USA v. Timothy Carpenter (Amicus Brief), Brennan Center for Justice, http://www.brennancenter.org/legal-work/usa-v-timothy-carpenter-amicus-brief

“EFF Fights Government’s Effort to Get Cell Location Records Without a Warrant,” Electronic Frontier Foundation,” https://www.eff.org/deeplinks/2014/11/new-eff-brief-explains-why-cell-phone-location-records-are-private-and-government

“The Mosaic Theory of the Fourth Amendment,” Orin S. Kerr, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2032821

By: David G. Krone

In U.S. v. Jones, five U.S. Supreme Court justices signed or joined concurring opinions indicating they would support a “mosaic theory” of the Fourth Amendment whereby the aggregation of locational information would have amounted to a search. As Justice Alito wrote, “relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable. But the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.” In that case, the Supreme Court ultimately ruled in favor of the appellant based on a theory of physical trespass on the appellant’s car. Since that case, organizations such as the Brennan Center for Justice at NYU the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have pushed courts to recognize the privacy Interest in cell tower through amicus briefs filed in cases involving convictions based on the data. In particular, they have cited the Supreme Court’s ruling in California v. Riley, relating the privacy interest that the Court found in the type and quantity of data on a cell phone to the interest a defendant would have in cell tower data that is just as potentially invasive.

Most recently, an amicus brief signed by all three organizations the specifically addresses USA v. Timothy Carpenter in the 6^th Circuit. In Carpenter, the defendant is appealing his conviction of robbery charges based of evidence that “included five months of cell site data procured without a warrant.” The amicae argue, firstly, that, much like the GPS surveillance information in Jones, the cell site location information (CSLI) acquires reveals invasive and precise information about the defendant’s locations. The amicae note that, during that five month period, the CSLI records the defendant’s location at the beginning and end of each phone call—revealing, in addition to his proximity to the robbery, when he was at church, at home and when he slept away from home. Secondly, the amicus brief argues that the CSLI record was a Fourth Amendment search requiring a warrant by citing both the Alito and Sotomayor concurrences in Jones, as well as the Court’s assessment of the of cell phone data in Riley. As the brief states, “The expectation that a cell phone will not be tracked is even more acute than is the expectation that cars will not be tracked because individuals are in their cars for discrete (and typically brief) periods of time, but carry their cell phones with them wherever they go.” In fact there is potentially greater privacy interest in the here than in in Jones because, because CSLI may include information recorded while in the defendant’s home. Finally, the brief also argues that the third-party doctrine (as articulated in Smith v. Maryland) should not apply, because people, “do not input or knowingly input their location information to their wireless carrier” (emphasis added).

The 6^th Circuit has yet to hear oral arguments in USA v. Carpenter. However, other circuits have remained conflicted. In 2013, the EFF and the ACLU submitted an amicus brief in the 11^th Circuit case, United States v. Davis, similarly basing their argument on the quantitative and qualitative differences in CSLI. In June 2014, the Court sided with the amicae, but later elected to rehear the case en banc, seeking further arguments on whether the CSLI acquisition violated the Fourth Amendment. Courts do face considerable concerns in adopting a “mosaic theory” approach to Fourth Amendment searches. As Georgetown Washington Law Professor Orin Kerr points out in his seminal article on “The Mosaic Theory of the Fourth Amendment,” adopting this approach would require future courts to tackle issues in applying the standard. For instance, Courts would have to determine what standard should apply and whether data collection alone would meet the threshold, or whether post-collection analysis or use would also be required. The Courts would also have to decide the scope of the mosaic theory not only in terms of duration and scale but which surveillance methods count. Finally, the Courts will also have to address issues of constitutional reasonableness and whether remedies such as the exclusionary rule will apply.

Nevertheless, as Kerr himself notes, Courts are accustomed to dealing with ambiguity in defining Fourth Amendment protections. The Supreme Court has consistently recognized in cases ranging from Kyllo to Riley the need to shape the law in anticipation of the persistent march of technology. For better or for worse, the bulk, machine-readable data is gaining an increasingly prominent role in society, from our cell phones to Facebook. As Justice Roberts colorfully pointed out in the unanimous Riley opinion, comparing cell phone data to the evidence found in a physical object like a wallet, “is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together.”

March 12th, 2015

“Smart” Cars – In the Fast Lane to Government Regulation

By: Thomas A. Warns

https://www.lexology.com/library/detail.aspx?g=57d1ca69-4db8-42eb-a56c-c9d198547db3

Last month, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced legislation aimed at establishing federal data security and privacy standards for Internet-connected automobiles, generally referred to as “smart cars.” This development was novel in many respects worthy of mention.

First, the report comes on the heels of an FTC report in January which recommended a technology-neutral data security approach to the “Internet of Things.” That report suggested general standards for all internet connected objects; instead, the Senate bill for smart cars continues to general trend of “sectoral” data privacy legislation. In contrast with practices typical in the EU, the United States generally legislates on an industry by industry basis when it comes to data privacy, rather than creating one standard for all. Many businesses praise this approach because it allows for flexibility in approaching the different nuances of industries with different practices; consumer advocates warn that the lack of any statutory privacy baseline leaves consumers unable or unwilling to effectively wade through the different privacy standards in each field.

The Senators’ bill is based on a report that examined the data privacy practices of sixteen car companies, and found that these manufacturers collected driver and passenger data but had “alarmingly incomplete or inconsistent” privacy and data security practices. The bill alleviates these problems by demanding certain testing of wireless security, making consumers explicitly aware of when information is collected, giving them the option to allow the collection, prohibiting manufacturers from using the information for advertising purposes, and creating a new security rating to be displayed on vehicles, much like fuel economy information is also included on new cars.

This broaches several relevant issues in the regulatory sphere. First, it is a massive deviation from the self-regulation that persists in the U.S. automobile industry prior to the legislation. Some will question the wisdom of this decision. Industry leaders often prefer self-regulation because it allows companies to innovate in a rapidly changing technological field; Congressional laws take so long to pass, and are so difficult to amend, that they may become outdated rather quickly, and only serve to stifle development in important fields. Likewise, they would argue that regulation will impede the efficient allocation of privacy that has already been achieved by the market. While consumers may express opinions that data privacy and security have value to them, they often assign a very low value to it when they are confronted with voluntary transactions that trade information for a product or application. Perhaps consumers believe that the collection of data by companies to target advertising is completely benign, or perhaps will even enhance their welfare, since they are given more relevant advertisements. The companies want this information because it lowers the costs of advertising for them, potentially creating a socially desirable outcome. If some consumers do truly value their privacy at a higher value than many others, then companies can compete to deliver the most data-secure smart cars.

That picture, however, may be challenged on several grounds. Consumers may not be able to fully comprehend the “cost” of surrendering their personal information. For one, it is almost impossible to quantify the information into a monetary value, like we do with most other transactions. For another, consumers aren’t even sure what data collection means. Privacy policies may spell out some of the terms of use, but it is often unclear how long the collection will last, what exactly will be collected, who the information is shared with, and whether it will be stored and aggregated with other information from other sources indefinitely. If consumers are unable to understand the cost when deciding to surrender their personal information, a top-down command and control style regulation may be the optimal solution.

One of the virtues of this bill then, is that it attempts to combat the information gap that may lead to a widespread market failure. The bill lets customers explicitly know when their information is being collected, and forbids the information from being shared for advertising purposes. Knowing when their data is being collected may make the “cost” more salient and encourage more drivers to opt-out of the data collection; the flip-side of this argument, however, is that drivers may not opt-out when informed of later data collection out of a sense that all hope is lost, and that they have already lost control over their data. Likewise, the complete prohibition on sharing info for advertising purposes may cut off a revenue stream for car companies, and force price hikes onto the backs of consumers who may otherwise prioritize a price discount over data privacy.

This Senate bill will undoubtedly improve personal data privacy for drivers, but it may do so at the expensive of socially good data collection and use by car companies. Perhaps a better alternative would be co-regulation, which has had demonstrated success in the field of environmental law. Co-regulation involves placing the regulator, the regulated, and interested third parties in a position to negotiate directly with each other over regulations, rather than indirectly through notice and comment rulemaking. This allows each stakeholder to make tradeoffs and over concessions in ways that best reflect their own priorities.

As Professor Ira Rubinstein notes, co-regulation tends to succeed because there is greater legitimacy and industry “buy-in” when the industry has a hand in creating its own rules. The effect of this is likely a decrease in litigation, as there are fewer court battles over the interpretation of an agency’s regulation when the regulated parties and interested citizen groups participated in writing it. One criticism to this approach is that it places too much weight in the hands of interested private parties, as opposed to disinterested government agencies working towards the public good. Anyone who has studied administrative law, however, knows that agencies are already subject to capture by special interests. Further, as long as the agency involved ensures equal participation by industry and consumers, and is the ultimate arbiter of any regulation, fairness can be protected. While this co-regulatory approach would be intelligent, smart car regulation is likely destined to drive down a road towards traditional agency regulation with notice and comment rulemaking.

Read the story, “Smart Car Legislation Suggests a Different Approach to the Internet of Things Regulation”, at https://www.lexology.com/library/detail.aspx?g=57d1ca69-4db8-42eb-a56c-c9d198547db3

March 12, 2015

Digital Advertising and the Apple Watch

By: Daniel Lin

This blog post discusses how the material for our March 12, 2015 class, appertaining to models of digital advertising, might be pertinent with regards to the potential widespread public adaptation of increasingly personalized tech items such as the upcoming Apple Watch. (Link to relevant article: http://www.theatlantic.com/technology/archive/2015/03/if-apple-watch-isnt-a-watch-what-is-it/387067/)

Apple has established a reputation for (and fortune by) making complicated technology simple to use for the “regular” consumer. In her article “If Apple Watch Isn’t a Watch, What Is It?” Adrienne LaFrance subscribes to the notion that Apple Watch as “the most personal product [Apple has] ever made” in part because of its tracking capabilities (right down to the number of “times your heart beats in a day”!). LaFrance posits that the Watch will be a “device that saves you the trouble of pulling out your phone” (the logic being that user will customize on their Watch what phone notifications are most important to her/him, such that they will only go to their phone if the notification meets such idiosyncratic, personalized criteria). The ultimate postulation of LaFrance’s article is that the Watch will be greatly revelatory as to the user’s most unique and intimate preferences. How will users be affected by the increasingly personalized third party applications that will crop up in response to the Watch’s greater user personalization abilities? Without question, third party application creators, subscribing to the behavioral advertising model, must be salivating at such a notion.

Professor Strandburg, in her article “Free Fall: The Online Market’s Consumer Preference Disconnect,” outlines three “broadcast advertising business models,” which include: (1) the broadcast advertising model [generic advertisements, geared towards the broadest swath of the consuming public possible]; (2) the online contextual advertising business model [more specialized advertising, which assumes a relation between site visit and interest], and (3) the behavioral advertising business model [the most specialized form of advertising, which also entails the most data collection].

As articulated in Professor Strandburg’s article, an adverse consequence to the consumer of the behavioral advertising model is a sort of information dissonance, in that the user will not be able to accurately anticipate the effects of his interaction with a digital output, and thus adapt her/his behavior according to a manner that best reflects his consuming and personal preferences. If it is a valid assumption that few users first read a software application’s privacy strictures before interacting with it, then the fact that Apple products rely so heavily on third party application creators (a major selling point of Apple products over Android and other products is the Apple’s extensive application ecosystem) the behavioral advertising problem, as described by Professor Strandburg, is exacerbated (the logic being a glut of third party applications means a glut of independent privacy outlines, which is more off-putting to a user focused on convenience and efficiency).

In practical terms, the user faces the daily (or however often he interacts with an application) “one-or-the-other” decision of whether to make use of the convenience of an app (the reason why you purchased an Apple product in the first place!), or whether to take hours and read the each application’s publicly proffered privacy programs (and thus lose the benefit/purpose for which you purchased the Apple product). One can easily grasp the ramifications of this mindset transposed from an app ecosystem primarily offering contextual advertising (as currently appears to be the case) into one portended by the increased personalization offered by the Apple Watch, wherein behavioral advertising appears imminent, if the third party should so choose to offer this information to support their “free” applications.

Perhaps the user’s interaction with his Watch will be no more personal than his interaction with his iPhone. But if indeed LaFrance’s position is accurate, that use of the Watch and the iPhone will not only be coterminous (one cannot use the Watch without the iPhone), but also complementary, and users do end up using the Watch as means of personalizing their iPhone and broader digital experience even further, then the privacy implications are great, because then advertisers will have before them not just data regarding the user’s personal information and personal activity, but data regarding the user’s attitudes towards this information and activity (a second piece to the puzzle for advertisers, as alluded to in Professor Strandburg’s article)!

March 12th, 2015

Panel 6

Privacy Concerns Rise as Consumers Seek Substitutes for Traditional Television

http://www.washingtonpost.com/news/business/wp/2015/03/11/americans-are-moving-faster-than-ever-away-from-traditional-tv/

By: Gerard Cicer

For broadcast and cable networks, the writing is on the wall. Any person with an eye or ear toward pop culture and consumer trends knows that traditional television viewership is declining. Whether it be network news casts that have been replaced by internet news aggregators or former staples, such as premium cable movie channels—uprooted in favor of paid streaming services, consumer tastes have shifted away from the tube, towards alternative internet based programming. A recent Washington Post article, found here, gives little hope to traditional television media, in a chronicle of the accelerating trend towards internet based substitutions. However, in the wake of accelerating biannual decline, to the tune of almost 10 percent, author Cecilia King reveals that broadcast and cable networks are fighting back. These networks are attempting to claw back some market share, by entering the very market that is quickly eroding their decades old platform.

The last few years has seen a rise of online video viewership, as the Post article points out, roughly “40 percent of U.S. homes”, up from just 36 percent last year, subscribe to at least one paid internet streaming service like Netflix or Hulu. For traditional networks, hungry for advertising fees and licensing arrangements, this trend is difficult to ignore. Networks such as HBO, NBC, and CBS have either launched or announced plans for streaming services to compete with current internet incumbents. While new service providers in an already dense market unquestionably strokes the public’s desire for more price and quality competition, the increase in service options comes with a matched increase in opportunities for consumer privacy information appropriations and mishaps.

With these new entrants, the internet programming industry is becoming more diffuse. Consumers will likely no longer be giving information merely to the cable company and one other internet provider such as Netflix. For example, I have already eschewed cable for a combination, though not simultaneously, of Netflix, Amazon Prime, HBO-Go and Hulu subscriptions as well as “free” providers like YouTube and Twitch.tv. As in my case, consumers are no longer putting their identifying information, address, credit card information, email address, viewing habits in the hands of one or two companies. Rather, in order to match and surpass the level of choice they once had through network and cable TV, consumers may very well sign up for multiple streaming services, the combined cost of which is still less than traditional television. The rub of course is, that to access these services, consumers must in effect deal with multiple companies and provide varied information to each of them. This raises privacy concerns that are much more nascent than when there was only one video entertainment provider.

Ask any regular user of “free” video providers such as YouTube and they will tell you that the website has an uncanny ability to recommend new videos based on your history and subscriptions, as well as tailor advertising towards your interests. While you do not necessarily have to sign-up to YouTube to access its content, linking your Google account to YouTube arguably enhances your experience and augments this tailoring. Paid subscription services like Netflix operate similarly by tracking your preferences and spitting out recommendations. There is no doubt that this preference data, collected by Google, Netflix, and the like, is valuable—evidenced by the ubiquitous tailored advertising located on many websites. In addition to preference metadata, paid services require you provide them billing information, meaning, that you must give them, among other things, your credit card information and name. With the entry of more paid services, consumers must give this static data to more and more companies. A short example may shed light on one concern presented by only one provider. Perusing Netflix’s stated privacy policy as of March 12, 2015, reveals that it sends consumer information oversees for what it bills as provision of services. Netflix notes that “the countries to which we may transfer information may not have as comprehensive a level of data protection as in your country, although your personal information will continue to be protected in accordance with the standards described in this policy.” While it is comforting that Netflix will endeavor to protect our information, the information is not invulnerable to theft or misappropriation overseas.

But what is a consumer supposed to do when faced with an increased number of service providers, each with their own informational requirements and privacy policy? The question is daunting and may call for a more unified industry wide standard to bring privacy sharing policies back in line with consumer expectations as to traditional television providers. While this is by no means the correct answer to the question, one thing is clear, with more market participants, the opportunities for perceived and actual privacy breaches increase, an unsettling proposition for consumers.

March 9th, 2015

Behind the Times: Playing Catch-Up with Privacy Law

By: Otis Comorau

Article: Law Firm Founds Project to Fight ‘Revenge Porn,’ The New York Times, Jan. 29, 2015

http://dealbook.nytimes.com/2015/01/29/law-firm-founds-project-to-fight-revenge-porn/

While it is no secret that technological advancement often outpaces legal development, the problem is especially severe in the information privacy context. As a recent New York Times article points out, victims of ‘revenge porn’ – pornography uploaded to the internet (frequently by ex-partners) with the intent to shame and humiliate – have resorted to filing copyright claims against websites displaying the embarrassing photographs or videos.

Indeed, despite the near-universal consensus that uploading this kind of information should, without the consent of those pictured, be strictly prohibited, the law is remarkably unclear and outdated. While some states have recently passed statutes criminalizing revenge porn, the majority have failed to address the issue at all. Moreover, under existing tort doctrine, claims for “intentional infliction of emotional distress” are notoriously difficult to win.

Similarly, at the national level, the Federal Trade Commission is just now beginning to recognize the importance of the issue. It is finally taking a more aggressive stance against the practice. Federal prosecutors are following suit as best they can, as they attempt to charge perpetrators under existing “online stalking” and “unauthorized computer access” laws. Such prosecutions are, however, fairly uncommon.

While these changes are laudable, they are grossly insufficient. Modern, technology-based disputes regarding informational privacy are simply poor fits for traditional civil and criminal laws. In the linked article above, for example, the New York Times points out that victims of revenge porn can only file copyright complaints if 1) they took the photographs and/or videos themselves, and 2) they register the photos and/or videos with the United States Copyright Office. Obviously, these requirements present a huge (and wildly unnecessary) constraint upon information privacy enforcement.

But that is exactly the problem, isn’t it? Copyright laws were never designed to meet the needs of revenge-porn victims. Similarly, charging perpetrators with “online stalking” or “unauthorized computer access” is merely a bait and switch. The issue, as everyone knows, is not really “stalking,” or whether an ex-partner “downloaded a file without permission.” The issue is that, through whatever means, extremely personal information ended up on the internet for everyone to see. This is unacceptable. Everyone has, or should have, a right to keep such information private. Unauthorized publication of that information should be prohibited, end of story.

In short, the status quo is unacceptable. Revenge porn disputes cannot be adequately addressed through the existing tort system, the copyright office, or federal “stalking” charges. On the contrary, they present new, technology-based concerns that do not fit well into existing legal doctrine. The country should therefore follow the lead of the 12 states that criminalized revenge porn last year. It is time to pass a national law outlawing the practice.

March 9th, 2015

Federal Judge Dismisses Challenge of NSA’s Internet Surveillance

By: Nicholas Morales

https://www.eff.org/deeplinks/2015/02/jewel-v-nsa-making-sense-disappointing-decision-over-mass-surveillance

https://www.eff.org/cases/jewel

Last month marked a blow for plaintiffs in Electronic Frontier Foundation’s (EFF) lawsuit against mass surveillance, Jewel v. NSA. EFF filed the class action suit on behalf of AT&T customers whose Internet history is being recorded by the National Security Agency.

The case was filed on September 18, 2008 after various documents were made public by whistleblower and former AT&T employee Mark Klein. Klein’s documents along with testimony by NSA whistleblower William Binney revealed a tap on AT&T’s fiber optic Internet backbone. As details began to emerge, many began to suspect that the NSA was engaging in Upstream collection, a surveillance technique that stores Internet users’ traffic history as it traverses the backbone. In their filing, EFF’s clients alleged that the Upstream collection, as well as the collection of telephone call detail records, violated the First and Fourth Amendments to the Constitution, as well as several other laws related to electronic surveillance.

On February 10, 2015 Judge Jeffrey White of the U.S. District Court for the Northern District of California dismissed the challenge of the constitutionality of the Internet data collection program. In his ruling, Judge White stated that the challenge would require an impermissible disclosure of secret information that could jeopardize national security and also ruled that the plaintiffs did not have standing to pursue the claims. The court also found that the plaintiffs lacked proper standing. Judge White stated that because plaintiffs could not prove that the surveillance occurred as they alleged, they did not have the standing to challenge the program’s constitutionality.

EFF criticized the ruling for allowing state secrets to “trump the judicial process” and vowed to continue its case against the NSA. It should be noted that Judge White’s ruling did not decide the legality of the NSA’s Internet surveillance practices, nor does the ruling apply to the challenge of the constitutionality of the NSA’s surveillance of telephone records.

March 5th, 2015

Future of NSA Phone Surveillance Program Remains Unclear

By: Matt Daly-Grafstein

http://www.newsmax.com/US/nsa-megadata-phone-records/2015/03/03/id/627966/

http://www.defenseone.com/politics/2015/03/clock-ticking-congress-produce-nsa-surveillance-reform/106653/

Last week the Foreign Intelligence Surveillance Court (FISC) extended a mandate for the operation of the NSA’s phone surveillance program until June 1st after receiving a specific request from the Obama administration. At issue remains certain provisions of the Patriot Act, including section 215 which grants the NSA extremely broad access to a variety of civilian records under the Foreign Intelligence Surveillance Act (FISA). If the June 1st deadline passes and Congress takes no further action, then the NSA will ostensibly lose the legal authority to continue mining American phone records.

Currently it appears that Congress has no plans in place to allow the continuation of the NSA’s operations. Several bills have been previously introduced to the previous Congress in an attempt to reform how the NSA goes about its collection of American phone records but none were ultimately passed. The USA Freedom Act, introduced this past November, by Dem. Sen. Patrick Leahy, came the closest but fell a mere two votes shorts of advancing. There are no bills that have been introduced in the current Congress that address the issue.

Critics are worried that the lack of action by Congress may be evidence that a last-minute bill will be rushed through that will grant the same broad powers that were given under the much maligned Patriot Act. The same type of debate surrounding the failed USA Freedom Act that led many to believe that it reflected a true bipartisan effort may not be possible given the less than 100 days until the expiration of the current laws. This past year Obama had proposed that data should remain with telephone companies and that the government should only be able to access data through specific individual court orders, a proposal that may have more favorable support from critics of the current government surveillance programs. No legislation to date however has incorporated this suggestion.

The short window remaining to pass new legislation may also mean that Congress simply lets Section 215 and its related provisions expire. This would legally end the ability for the NSA to continue its current efforts in gathering bulk phone data. While it’s unclear the true efficacy of the program given the unwillingness of the NSA to share detailed data about its operations it’s enough for some in Congress and the intelligence community to worry that the vacuum created may mean that the USA will be less effective in preventing future terrorist operations within the country. In any case, we should know for certain the future of the NSA surveillance program within the next few months.