Blog

  • Google Privacy Policy

    Drew Hodel

     

    I’m a law student in an information privacy class and when Google alerted me: “New Really Really Important Privacy Policy.  Click here,” …I clicked… but definitely not there.  My lack of bargaining power told me it wasn’t worth my time.  So instead, I signed in and began g-chatting with a friend…

     

    Anonymous: Hey man.

    Me: Hey.  Did you check out Google’s new privacy policy?

    Anonymous: No.

    Anonymous: You’re such a nerd.

    Me: I know.  I figure I’ll check it out later.

     

    The problem is I’m not representing Google and I’m not representing its users.  I haven’t been hired to write anyone’s privacy policy, I’m definitely not switching to Hotmail and if I use Microsoft my situation won’t change.  So when I tried reading the policy today, I struggled to get through the entire thing.  That’s just the truth but in case you were curious:

     

    Here is a link to a good article discussing the new policy: http://marketingland.com/google-terms-of-service-privacy-policy-4293

     

    Here is a link to the new policy:

    http://www.google.com/intl/en/policies/privacy/preview/

     

    In any case, whether or not you think Google is moving in the right direction with this privacy policy, can it serve as a legally binding contract between you and them, and should it?

    Google wants to create a “beautifully simple, intuitive user experience” by converting its more than 70 different privacy policies into 1, and I appreciate the thought, but it’s not always the thought that counts.  Substituting 70 individually convoluted policies with one convoluted policy does nothing to solve the convoluted part.  Moreover, no one reads the policies anyways.

    On one hand these policies seem insufficient (in most cases) to constitute unilateral contracts:  The general rule in contracts cases is that “general statements of policy are not contractual.”  Users’ lack of knowledge and reliance interests makes it difficult to say any offer was “accepted” in the traditional sense.  On the other hand: if these policies are simply meant to serve as warnings or notices, they’re clearly not getting that job done either.

    All this set aside, the casebook points out that users do “regularly take advantage of” their privacy settings. (p. 819) So if Google were to expose a user’s information more broadly than he set it in his privacy settings I believe the user would at least have a viable lawsuit under the theory of promissory estoppel and perhaps as a breach of a legally binding and bargained for contract.  In any case, I do not like the idea that a privacy policy might represent a legally binding contract.  Google has unfair bargaining power and should not be able to take advantage of this by including terms that are not favorable to customers in a legally binding contract.

  • Invasion of Privacy Charges in Rutgers Case

    Maud Zimmerman

    These articles discuss the charges that have been brought against Dharun Ravi for using a web cam to spy on his college roommate, Tyler Clementi. (1,2) Clementi committed suicide after learning that Ravi and others had witnessed him kissing a man in their dorm room over a webcam on his roommate’s computer, and that Ravi had then tried to set up and stream video of another encounter, which was publicized on his Twitter feed. Danielle Citron’s discussion of the way privacy harms are magnified in the Internet age seems particularly relevant to this case. Here Ravi’s actions may have led directly or indirectly to Tyler Clementi’s suicide. They clearly contributed to significant emotional distress for Clementi in the days before his death.

    The Rutgers case started a public outcry over cyberbullying, particularly for LGBT youth, and prompted at least one state to adopt tough new laws about bullying online and in the schoolyard. (3) This was an especially shocking case because Ravi’s actions intruded upon a particularly private and sensitive area of Clementi’s personal life, which Ravi exposed to fellow classmates and his online audience of followers on Twitter. Ravi did not simply start online rumors about his roommate’s sexual orientation, but actually tried to stream live video footage of a sexual encounter, an intrusion that any reasonable person would consider to be a massive violation of privacy. Given the dramatic facts of this case, it seems clear that Ravi severely injured his roommate even in terms of Prosser’s somewhat narrow conceptualization of privacy interests. Despite this already strong case, however, it is striking that prosecutors brought a total of 15 charges against Ravi, including additional charges of witness tampering, destruction of evidence, and a hate crime. I’m not sure if they feared that a conviction on the privacy tort alone would lead to an inappropriately lenient sentence, or if they were motivated by the intense publicity the case received and the tragedy of Clementi’s suicide. It will be interesting to see how Ravi’s trial plays out, and the ramifications of this case for similar torts in future where the outcome is not as tragic, but the psychic harm to the victim of the intrusion is nevertheless severe.

     

    1. Roommate Is Arraigned in Rutgers Spy-Suicide Case

    http://www.nytimes.com/2011/05/24/nyregion/roommate-arraigned-in-rutgers-spy-suicide-case.html

    2. Roommate Faces Hate-Crime Charges in Rutgers Case

    http://www.nytimes.com/2011/04/21/nyregion/rutgers-roommate-faces-hate-crime-charges-in-spying-suicide.html

    3. Bullying Law Puts New Jersey Schools on Spot

    http://www.nytimes.com/2011/08/31/nyregion/bullying-law-puts-new-jersey-schools-on-spot.html

  • Privacy Group Sues to Stop Google’s Privacy Changes

    The Electronic Privacy Information Center (EPIC) filed a lawsuit on Wednesday to compel the Federal Trade Commission (FTC) to enjoin Google’s planned changes to its privacy settings. On March 1, 2012, Google intends to modify its privacy settings by sharing user information between its services. For example, keywords in users’ private emails could affect search results on YouTube.

    Just last year, Google settled with the FTC over allegations that it violated its own privacy policy by opting users into Google Buzz without their consent. The settlement requires Google to obtain consent from its users prior to making any changes to its third party sharing policies, including its communication with advertisers. EPIC argues in this lawsuit that Google’s recent privacy changes violate the settlement by “failing to obtain affirmative consent from users prior to sharing their information with third parties and by misrepresenting the extent to which the company protects users’ private information.”

    Although EPIC is filing for an injunction, the problem of collecting and disseminating data to other services is reminiscent of the Dwyer case. Future tort plaintiffs would have difficulty demonstrating intrusion upon seclusion given the four elements which must be alleged to state a cause of action. Similar to Dwyer, having a privacy policy to which users of Google must assent would tend to show that intrusion was not in fact unauthorized. Nor does the intrusion seem offensive, though the information may be considered private. Shibley would tend to support that conclusion.

    From the point of view of Stan Karas, the information Google uses to communicate with its other servers would reveal private facts regarding a person’s identity; however, the case law suggests that Google would not be liable in tort for intrusion upon seclusion or appropriation.

     

    http://thehill.com/blogs/hillicon-valley/technology/209749-privacy-group-sues-to-stop-googles-privacy-changes

  • DHS monitoring of social media concerns civil liberties advocates

    Andrew Chiusano

    Advertisers and corporations are not the only ones mining data from social media sites. The Department of Homeland Security has monitored blogs and social media networks to help “enhance DHS’s ‘situational awareness, fusion and analysis and decision support’ to senior leaders.” DHS has contracted with a private firm, General Dynamics, to monitor social media sites and produce reports.

    The Department of Homeland Security says the program helps it to learn more about current events, like tracking suspicious packages or monitoring other threats in real time. However, privacy advocates think DHS is tracking people who write negative posts about the DHS’s activities, which could chill speech in the future.

    Going forward, this type of data mining could prove very useful to the government. Private parties enter, compile, and could even process all of the data, so the government does not have to worry about creating and maintaining its own databases. In addition, receiving real-time updates from many witnesses of ongoing situations could be very useful to law enforcement. However, the free speech concerns are very real – if the DHS put people on its “No Fly List” for posting negative articles on DHS screening, many people would stop sharing those kinds of articles. Data reliability could also pose serious problems. Anyone can pretend to be someone else online, and users of social media may not provide particularly accurate data.

    http://www.washingtonpost.com/world/national-security/dhs-monitoring-of-social-media-worries-civil-liberties-advocates/2012/01/13/gIQANPO7wP_story.html

  • Google = Web-Nielsen?

    Joe Hall here.

    Google appears to be trying to better measure household and end-user internet traffic, similar to how Nielsen measures cable and television watching habits (“Google Screenwise: New Program Pays You To Give Up Privacy & Surf The Web With Chrome”).  In a new program, called Screenwise, Google will pay individuals a token amount ($5 up front plus $5 every three months) to install a browser extension that monitors what web sites you visit and how you use those sites.  For households, Google has a router device that will presumably capture all the household internet activity, and it pays a bit better ($100 up front plus $20 per month).

    This leaves me with a ton of questions:

    • While the browser extension will measure web traffic (port 80, in geek speak), will the router appliance measure all internet traffic?
    • Does the router appliance have a way of “seeing” into encrypted sessions using HTTPS, such as when you visit your bank? (It could do this by asking individuals to install a certificate on their machines that would allow the appliance to pass through encrypted client sessions as if it were the client and then re-encrypt the content when passing back to the user… otherwise known as a man-in-the-middle (MITM) attack).
    • Just what is the router capturing?  I doubt it, but is it also sniffing wifi, cellular signals, etc.?
    • What are the specific terms of service and privacy policy for Screenwise? How long will such information be kept? Is it associated with personally-identifiable information or is demographic information enough?
    • Don’t these prices seem exceedingly low for the amount of information the user is giving up? I would most certainly price my detailed web surfing logs an order of magnitude or two ($50-500) higher than this.
    • I wonder how they’ll avoid gaming… for example, I only rarely use Chrome as I prefer the control I get from Firefox. If I sign up and only use Chrome once in a while, do I still get the incentive?
    • Will this information be combined with other Google information, now that Google can share data about your activities across all of their products?
    • Will this also capture data when Chrome is in its private browsing mode (incognito)?  That seems very unwise.
  • Your IP address is just like a zip code! Thanks, Google!

     

    Google has a new ad campaign in the NY subways!

    “You live in Peoria.

    Do you really need a plumber from New York?

    We didn’t think so. Imagine the service charge for a start. That’s why search engines, including Google, give you results based on your city or region.

    They can do this by using your computer’s IP address. It’s a number like 209.85.229.147, which acts like a zip code to tell them the rough area your computer is in.”

    They just want to help you out, guys! Google’s providing much better customer service!

    Sigh…

  • Google consent decree

    This is what the Google-FTC consent decree says about changing its sharing practices:

    II.
    IT IS FURTHER ORDERED that respondent, prior to any new or additional sharing by
    respondent of the Google user’s identified information with any third party, that: 1) is a change
    from stated sharing practices in effect at the time respondent collected such information, and 2)
    results from any change, addition, or enhancement to a product or service by respondent, in or
    affecting commerce, shall:

    A. Separate and apart from any final “end user license agreement,” “privacy policy,”
    “terms of use” page, or similar document, clearly and prominently disclose: (1)
    that the Google user’s information will be disclosed to one or more third parties,
    (2) the identity or specific categories of such third parties, and (3) the purpose(s)
    for respondent’s sharing; and

    B. Obtain express affirmative consent from the Google user to such sharing.

    Here is the relevant definition:

    “Third party” shall mean any individual or entity other than: (1) respondent; (2) a service
    provider of respondent that: (i) uses or receives covered information collected by or on
    behalf of respondent for and at the direction of the respondent and no other individual or
    entity, (ii) does not disclose the data, or any individually identifiable information derived
    from such data, to any individual or entity other than respondent, and (iii) does not use
    the data for any other purpose; or (3) any entity that uses covered information only as
    reasonably necessary: (i) to comply with applicable law, regulation, or legal process, (ii)
    to enforce respondent’s terms of use, or (iii) to detect, prevent, or mitigate fraud or
    security vulnerabilities.

    Interestingly, the Facebook consent decree has similar, but less restrictive, language:

    II.
    IT IS FURTHER ORDERED that Respondent and its representatives, in connection
    with any product or service, in or affecting commerce, prior to any sharing of a user’s
    nonpublic user information by Respondent with any third party, which materially exceeds the
    restrictions imposed by a user’s privacy setting(s), shall:

    A. clearly and prominently disclose to the user, separate and apart from any “privacy
    policy,” “data use policy,” “statement of rights and responsibilities” page, or other
    similar document: (1) the categories of nonpublic user information that will be
    disclosed to such third parties, (2) the identity or specific categories of such third
    parties, and (3) that such sharing exceeds the restrictions imposed by the privacy
    setting(s) in effect for the user; and

    B. obtain the user’s affirmative express consent.

    Nothing in Part II will (1) limit the applicability of Part I of this order; or (2) require Respondent
    to obtain affirmative express consent for sharing of a user’s nonpublic user information initiated
    by another user authorized to access such information, provided that such sharing does not
    materially exceed the restrictions imposed by a user’s privacy setting(s). Respondent may seek
    modification of this Part pursuant to 15 U.S.C. §45(b) and 16 C.F.R. 2.51(b) to address relevant
    developments that affect compliance with this Part, including, but not limited to, technological
    changes and changes in methods of obtaining affirmative express consent.

  • Proposed Amendment to Privacy Act

    J.D. Bean

    Proposed Amendment to the Privacy Act: The Privacy Act Modernization for the Information Age Act of 2011

    – Introduced October 18th, 2011 by Senator Daniel K. Akaka, chairman of the Senate Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia

    – Available At: http://www.gpo.gov/fdsys/pkg/BILLS-112s1732is/pdf/BILLS-112s1732is.pdf

    – More Info At: http://akaka.senate.gov/press-releases.cfm?method=releases.view&id=b5750831-557f-452d-a96d-b98dc967de57

    – Relevance: The amended act would overturn Doe v. Chao, update definitions and language to better correspond with modern IT techniques/concepts, codify the OMB definition of “personally identifiable information”, and extend the enhanced authority to investigate Privacy Act violations currently enjoyed by the Department of Homeland Security’s Chief Privacy Officer to additional agency CPOs. The act would strengthen civil and criminal remedies for Privacy Act violations and update both exceptions for agency notice of disclosure requirements and the requirements to agency publication of notices of systems of records.

  • Digital Data on Patients Raises Risk of Breaches

    Vladimir Andric

     

    http://www.nytimes.com/2011/12/19/technology/as-patient-records-are-digitized-data-breaches-are-on-the-rise.html?_r=1&ref=identitytheft

     

    Another article confirming the “stick with it like glue” as the major security principle when it comes to data protection in the world of electronic data management systems. The health industry is reported to have lost $6.5 billion to consequences of data breaches in 2010, and 2011 estimates show a 32% increase in the number of reported breaches. The article offers some interesting points on dealing with such data breaches and liability issues.

     

    And for an international perspective, http://www.aboutidentitytheft.co.uk/ provides an outlook of how the United Kingdom deals with identity theft issues.

  • What Google knows about You!

    Eleni Gessiou

     

    Lately, Google advertises its logo about the new privacy policy “One policy, one Google experience”!

    So, I spent some time reading the overview and searching (in Google of course!) for it..

    The results of my research are the following links:

    https://www.google.com/dashboard/

    http://www.google.com/s2/search/social?hl=en

    and especially if you own an Android mobile phone:

    https://www.google.com/contacts_v2/#contacts

    Now you can find all your friends’ phone numbers using your web browser only! Convenient or Scary?…

    Take a look at what Google knows about you and tune your privacy policies!

    Now, I’m sure.. Google knows everything!