Three law firms based in Austin, Texas recently filed suit on behalf of 13 people claiming that almost 20 apps, including Facebook, Foursquare, Yelp and Twitter, violate policies put in place by distributors such as Apple’s App Store, Amazon’s App Store and Google Play.  The Austin American-Statesman reports that the violations are a result of mobile apps “stealing” address book data, such as names, phone numbers, email addresses and even birthdays.  The lawsuit seeks to stop app developers from harvesting data without permission.  The complaint cites an industry publication that claims the information collected could be worth 60 cents to several dollars per contact.

A New York Times article investigating contact mining recently noted that “the address book in smartphones — where some of the user’s most personal data is carried — is free for app developers to take at will, often without the phone owner’s knowledge.”  The app developers use the data in an effort to expand the number of people using their program.  Developers use email addresses to target potential new customers and to target advertisements.  Several companies, including Path, a social networking site, have issued apologies regarding “how [their] application used your phone contacts.” 

Attorney Richard Newman, an Internet law attorney and managing partner of the Hinch Newman firm, with offices in both California and New York, thinks that the lawsuits are starting to have an impact.  Mr. Newman stated “the mobile communications industry is finding that failing to properly inform consumers of what is happening to their information is increasingly grabbing the attention of regulatory authorities, including the Federal Trade Commission.”  Until a regulatory framework is hammered out to govern emerging data privacy issues, litigation may be one of the only things keeping pace with technology development.  


A growing trend among employers is requesting applicants’ usernames and passwords to gain access to restricted social media in order to investigate applicants during the hiring process.  In response to this trend, Illinois and Maryland have each recently proposed laws that would essentially ban employers from requesting this type of information.  The main arguments for and against the proposed laws are centered around constitutional privacy concerns; however, employers should consider that restricting their hiring personnel’s access to this type of information is not as harmful as some opponents have argued.

There are several federal statutes that prohibit employers from considering age, color, race, religion, sex, national origin, disability, medical conditions/information, family history, etc. in making employment decisions.  These laws typically provide that employers may not even elicit such information during the hiring process and sometimes even after an offer of employment has been made.  Social media, like Facebook, is likely to contain some or even all of this information for any particular person.  

For example, the Age Discrimination in Employment Act (ADEA) protects persons age 40 and over from discrimination in the workplace.  In most instances, employers may not ask when the applicant was born, when they graduated high school, or any other questions likely to elicit a person’s age.  A person’s age, however,  is almost always listed prominently on their Facebook ‘info’ page. 

Also, Title VII of the Civil Rights Act of 1964 (Title VII) prohibits employment discrimination based on race, color, religion, sex, or national origin.   In most instances, employers are prohibited from considering any of these attributes during the hiring process.  Again, all these are usually readily apparent on any given person’s Facebook profile.  

If employers are openly asking for usernames and log-in information for various social media during the hiring process, they risk an employment discrimination claim by a rejected applicant.  There are many ways to judge an applicant’s ability to perform a job without resorting to these types of social media investigations.  The proposed laws, however restrictive on employers’ ability to deeply investigate their applicants, may save employers heartache down the road.


Is Google Googling You?

Posted on March 9, 2012 01:40 by Chad Godwin

If you use the Google search engine (and I’m guessing that includes pretty much everyone) you may have noticed a text box appearing on the screen during the past couple weeks, imploring you to read Google’s new privacy disclosures, along with the caveat “this stuff matters.”  That text box stopped appearing on March 1, when Google introduced its new privacy policy.  According to Reuters, at the beginning of the year, Google began reporting that it was simplifying its privacy policy, consolidating 60 guidelines into a single policy that applies to all its services, including YouTube, Gmail and the social network Google+. 

According to the title of a Washington Post article, the “New privacy policy lets Google watch you – everywhere.”  More specifically, the new policy allows Google to track users’ activities by consolidating information it gathers on them across all of the company’s platforms.  Users cannot opt out of the new policy if they want to continue using Google’s services.  A company representative, Alma Whitten, noted that until now, the company has been restricted in its ability to combine YouTube search histories, for example, with other information on a user’s account (email activity).  Although the company claims that it does not sell or trade personally identifiable user information, it now shares usage habits and historical data across all platforms and uses the information to match ads to your online behavior.  Moreover, the fact that Google is gathering so much user-specific information on individuals creates the potential for additional privacy implications in the future.

The National Association of Attorneys General sent a letter to Google signed by 36 members expressing concern about the new policy.  In part, the letter noted:

Consumers have diverse interests and concerns, and may want the information in their Web history to be kept separate from the information they exchange via Gmail. Likewise, consumers may be comfortable with Google knowing their search queries but not with it knowing their whereabouts, yet the new privacy policy appears to give them no choice in the matter, further invading their privacy.

EU Justice Commissioner Viviane Reding stated that data protection agencies in European countries have concluded that Google’s new privacy policy is in breach of European law.  Given the amount of attention the new privacy policy has generated, it appears as though it’s only a matter of time before the company faces its first significant legal challenge to the policy.  Until then, the digital footprint of all internet users will undoubtedly continue to grow.

Chad Godwin

Attorney

Carr Allison


 



The FTC Reins in Facebook

Posted on December 5, 2011 02:03 by Jim Fieweger

In the wild, wild west of the internet, it looks like the Federal Trade Commission is saddling up to play the role of sheriff. On November 29, 2011, the FTC announced its proposed settlement of claims against the social networking goliath, Facebook. (By the way, you can read about it on the Commission’s Facebook page: http://www.facebook.com/federaltradecommission?v=wall.) The settlement resolves an eight-count administrative complaint charging Facebook with misleading its users by telling them it would protect the privacy of personal information, but repeatedly allowing that information to be shared with third parties or made public without the users’ knowledge or consent.  (In the matter of Facebook, Inc., File no. 092 3188.) Coming on the heels of the FTC’s March 2011 settlement of charges that Google, Inc. violated its own privacy promises to consumers when it rolled out its social network site, Google Buzz (In the Matter of Google, Inc., File no. 102 3136), the Facebook case demonstrates the agency is willing to use consumer protection laws to “make sure companies live up to the privacy promises they make to American consumers.” (http://ftc.gov/opa/2011/11/privacysettlement.shtm.)

The FTC’s charges stemmed from representations Facebook made to users regarding their ability to restrict access to personal information they loaded onto the site.  For example, according to the FTC, the company told users they could restrict access to personal data by using a “Friends Only” setting, but in fact, software applications developed by third parties -- “third-party apps” -- and employed by the users’ “Friends” could still access and collect the allegedly restricted data.  Facebook further misled users by telling them that third-party apps could not access data unnecessary to run the apps, and that Facebook would not share information with advertisers.  Neither of those representations was true.  Also, in December 2009, the company allegedly overrode users’ privacy settings when it enacted wholesale changes that publicly disclosed previously restricted information such as “Friends” lists, without first getting the users’ approval to enact these changes.  (You can read Facebook’s eight alleged deceptions in the complaint at the FTC’s website - http://ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf.)

Under the proposed settlement, Facebook will be prohibited from making any further deceptive privacy claims, from changing the way it shares a user’s data without first obtaining the user’s approval, and from allowing anyone to access a user’s information more than 30 days after the user deletes his or her account.  In addition, Facebook will be required to maintain a comprehensive privacy program intended to address privacy concerns associated with both new and existing products used on its site.  To ensure the existence and proper administration of its privacy program, Facebook will be audited by an independent third party every two years for the next twenty years.  Though the settlement does not impose any monetary sanctions, Facebook could incur fines of up to $16,000 per day if it fails to comply with its terms.  The FTC will take public comments on the proposed settlement through December 30, 2011.  

The FTC’s charges focused on Facebook’s failure to live up to its own representations regarding data security, not the simple fact that it shared personal data with third parties. This tack derived from the consumer protection standards underlying the complaint -- specifically, section 5(a) of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” (15 U.S.C. § 45(a)(1)).  (The FTC also is tasked with enforcing the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq., which imposes restrictions on operators of commercial websites who knowingly collect personal information from children under age 13, but that statute was not invoked in this case.)

While it is easy to view this decision primarily as a vindication of personal privacy interests -- and in many ways, it is -- it really reflects a victory in the FTC’s efforts to defend consumer rights.  Facebook’s problems arose not from the dissemination of data, but from its failure to live up to its own promises.  Had Facebook not told its users that it would protect certain personal data, or had it simply informed users more fully regarding their December 2009 changes in their privacy practices, it is likely they could have disseminated the data precisely as they did, but avoided their run-in with the FTC.  

Facebook remains under criticism for other data collection practices, such as tracking webpages visited by both members and non-members.  As quoted in USA Today, West Virginia Senator Jay Rockefeller urges the passage of new laws to help consumers “protect their personal information from companies surreptitiously collecting and using . . . personal information for profit.” (http://www.usatoday.com/tech/news/story/2011-11-29/facebook-settles-with-ftc/51467448/1) Whether or not those new laws come to pass, the FTC has demonstrated that consumer protection laws already on the books give it some potent guns for policing the internet frontier.

Jim Fieweger is a partner in the Chicago law firm Williams, Montgomery & John.  A former Assistant United States Attorney in the Northern District of Illinois, Jim is an experienced trial lawyer whose practice focuses on commercial litigation and white collar criminal defense.  Jim is a member of the DRI Government Enforcement and Corporate Compliance Committee.


Ad Age recently posted an article addressing the meteoric rise and overwhelming dominance of the smartphone.  At the end of this holiday season, over 50 percent of mobile phone users will be using a smartphone.  A year from now, that figure is projected to almost double, to 90 percent of mobile users.  Moreover, smartphone capabilities are growing almost as fast as their market saturation.  I regularly use my phone as a search tool, GPS, communications device (most of which centers on e-mail) and social hub, and I do not consider myself to be a “power user.”  Despite the amazing smartphone developments of the past 5 years, there are more on the horizon.  If the experts are right, we will soon be using our phones in place of our wallets, for identification and point of sale purchases.  Phones could be used to unlock and start our cars and to open our garage doors and set our home thermostats.  This week, conference attendees will be using the DRI smartphone App to keep track of their schedule and contact other attendees.  However, like most any “smart” device, the more we use our phones the more data we generate regarding our whereabouts, activities and lifestyles.

Attorneys used to subpoena cell phone records to see if litigants were on their phones at the time of an injury or during an auto accident.  Already, Historical Cellular Reconstruction (HCR) can be used to provide the history of a phone’s probable location, regardless of whether a user was actually on their phone.  HCR is not based on GPS data, but upon data and information maintained by the cellular provider related to a particular cell phone’s connection to a given cell tower.  Although HCR does not result in pinpoint precision, it can often place a phone within a very small vicinity.  If a user’s cell phone is turned on and the GPS is in operation, the precision increases dramatically.

Now attorneys look for information and material addressing whether a litigant was texting, surfing the web, on Facebook or taking one of virtually countless actions on their cell phones during the time of a given event, or in the hours and days leading up to a significant event.  Lawyers can use cell phone records to compare the location of a litigant to their claimed location.  This is particularly relevant where litigants, such as commercial drivers, are required to routinely log their position.  Records may indicate that an allegedly injured party went to an amusement park, or that an allegedly incapacitated person made a purchase.  The possibilities already seem endless, and as smartphone services continue to expand, so will the potential for using the resulting data in litigation.  As more and more opportunities are created by smartphone data, attorneys need to remain mindful of the fact that there may be data available that will impact their case.  


For the last week or two, the lead story in international media has been the cell phone hacking scandal at the News of the World in London.  As the investigation into those events has widened and details have become publicly known, we have learned that the hacking may have extended to other media outlets and most likely took place outside of the United Kingdom, including in the United States.  Frankly, before this story broke, I never considered that hacking into cell phones by a private person or entity might be possible.  However, now that we know that cell phone privacy may be a real concern, there may be several implications for the legal community.

The first concern we should all have must be our own cell phone security.  It appears that the cell phone hacking allegedly perpetrated by the News of the World was accomplished primarily by hacking into the voicemails of the targets.  The scheme was actually quite simple.  Most people have a four digit code to access their voicemails.  According to a recent ABC News report, the most common passcodes are 0000, 1234, 5555, or the last four digits of social security numbers or the birthdates of the user or a close family member.  Obviously, these are not hard to guess.  Furthermore, people tend to use the same passcodes, PINs and passwords for multiple applications, so finding those codes can lead to even more information, accounts, etc. being compromised. 

Since we as lawyers are entrusted with the private and proprietary information of our clients, we have a duty to safeguard that information. We should now all be aware of the risks of cellular privacy and take steps to ensure that our clients' information, as well as our own, remains confidential.  We need to make sure that our voicemails are protected by unique and difficult to decipher PINs and deleted once received. Unfortunately, publicity of events such as the News of the World hacking scheme can lead to many ill-intentioned people learning a new method to steal information or assets.  We can expect this type of act to spread until further security protocols to prevent it are developed.

Another potential implication of the cell hacking scandal is the possibility of attracting the interest of members of the plaintiff's bar interested in pursuing claims related to cellular security.  The victims of the recent cellular hacking most likely will have claims against the perpetrators for invasion of privacy and similar torts.  If the practice of accessing private data of others through cellular phones is more widespread, and it certainly appears from recent news that it is, then we can expect that there will be attorneys out there who will begin marketing the representation of those who have been victims of that practice.  You can expect that the targets will not only be the hackers, but also entities or people who may have been in a position to prevent or mitigate the acts.  Our clients will need to be advised accordingly.

 

 

 


Sony Data Breach Part VII: Suspect Nabbed!

Posted on June 23, 2011 04:10 by Chad Godwin

CNN reported that the 19-year-old suspected of hacking into Sony’s networks was recently arrested in London.  Britain does not release the name of criminal suspects, but London’s Metropolitan Police appear confident that they apprehended the person responsible for breaching more than 100 million Sony user accounts and obtaining personal and credit card data.  Authorities believe that the suspect is associated with the hacker group LulzSec, though that has not yet been confirmed.  According to Sony’s estimates, responding to the attacks will ultimately cost the company more than $171 million.  However, it does not appear that Sony’s estimate attempts to account for the avalanche of litigation that was triggered by the data breach.

Chad Godwin has contributed several articles to the DRI Blog following this story closely.  For a full recap, check out Chad's other posts regarding this story.

PlayStation Online System Breached by Hacker - Offline Indefinitely - April 28, 2011
Sony Data Breach Part II: PlayStation Online System Breached by Hacker - Offline Indefinitely - May 3, 2011
Sony Data Breach Part III - Sony Offers Insurance of $1 Million Per User - May 12, 2011
Sony Data Breach Part IV: Plaintiffs Take Aim at Sony - Hacks = Mass Torts - May 13, 2011
Sony Data Breach Part V: Hacked Again! - May 20, 2011
Sony Data Breach Part VI: Four Attacks Since April - May 24, 2011


A number of media outlets have been reporting that the European Union is investigating Facebook’s rollout of its new face-recognition photo-tagging system.  Mashable reported that the new feature “recognizes” faces in photos, which enables users to connect a face in a photo to a user in a much easier “semi-automated process.”  More specifically, Facebook provides suggestions for individuals in photos, and the user chooses to either accept or reject them.  The feature is now enabled by default, though it can be disabled by altering an account’s privacy settings.

The New York Times reported that, on Wednesday, European Union data protection regulators announced that they would investigate the feature.  Gérard Lommel, a Luxembourg member of the Article 29 Data Protection Working Party, stated “tags of people on pictures should only happen based on people’s prior consent and it can’t be activated by default.”  He went on to note that tagging suggestions “can bear a lot of risks for users.”  In an emailed statement, Facebook noted that it “launched Tag Suggestions to help people add tags of their friends in photos; something that’s currently done more than 100 million times a day.  Tag suggestions are only made to people when they add new photos to the site, and only friends are suggested.”  Meanwhile, the Electronic Privacy Information Center, based in Washington, is working on its complaint and is expected to file it with the FTC today. 

The privacy concerns associated with the new face-recognition feature are generally obvious.  Individuals should have a say in whether and where their photographic image is distributed.  Once a photo enters the digital domain, it is difficult if not impossible to “undo” that publication.  A photo that one user deems harmless fun may not appear that way to the subject’s employer.  Although Facebook users could already tag photos manually, this feature encourages tagging. Further, it would appear to make it easier for users to tag photos of distant “friends,” a concern given the fact that some users have hundreds or even thousands of “friends” that they may know little to nothing about.  Moreover, being able to associate a face with a name would make it easier to gain additional information on individuals, such as an address.

Once your identity is confirmed, the legal implications are seemingly endless.  Computerworld.com reports that legal service via Facebook, for documents such as paternity and restraining orders, is becoming more popular internationally, in countries such as Canada, Australia, New Zealand and the United Kingdom. Indeed, service via Facebook may soon be acceptable in the United States.  Computerworld.com quoted Joseph DeMarco, co-chair of the American Bar Association's criminal justice cyber-crime committee and a lawyer at New York-based DeVore & DeMarco, as noting that he considered service via Facebook a “useful tool.”  Photographs linked to a user’s account would only serve to strengthen an argument that service was properly perfected.  It will be interesting to see whether Facebook caves to international pressure to turn off the new face-recognition feature as a default setting.  Regardless of the outcome, the proliferation of this type of technology is likely to continue.

 


Technolog, on MSNBC.com, is reporting that Sony is now suffering through an additional round of network attacks, bringing the total number of attacks that have occurred since April to at least four.  The official website for Sony BMG Greece was hacked on Monday and some of the confiscated data, including user data, was dumped onto the Internet.  Today, reports suggest that Sony Music Japan suffered the same fate.  The facts surrounding the attacks suggest that they are designed to taunt the engineers responsible for ensuring network security.  This time, the hackers brazenly left messages noting, “we just want to embarrass Sony some more,” and “stupid Sony, so very stupid.”  Although Sony claims that the most recent attacks are not associated with compromised personal or credit card data, they continue to damage Sony’s already reeling image.

Attackers first hit Sony’s PlayStation Network between April 17 and April 19, 2011.  The company has been feverishly working since that time to secure its networks and restore the profits associated with its user accounts.  In early May, Sony attempted to bring its Network back on-line only to discover that an additional hack allowed attackers to gain access to new user passwords.  Now, the company faces taunting from hackers who seem almost as though they are able to breach security at will.  If one of the largest, most recognizable leaders in technology is vulnerable to so many security issues, how safe are the multitude of additional networks harboring such data, and what company will the hackers set their sights on next?

 


Sony Data Breach Part V: Hacked Again!

Posted on May 20, 2011 07:35 by Chad Godwin

Computer and electronics giant Sony continues to take two steps back with every step forward while trying to restore services on its PlayStation Network.  Geek.com recently reported that the network has been hacked again.  The new attack comes just over one month after the network was initially hacked, which resulted in the breach of over 100 million accounts.  After shutting the network down for over a month to bolster security, Sony was in the process of bringing network services back on-line when the company discovered another hack.  In an effort to strengthen security, Sony forced users to reset their password upon returning to what was supposed to be a reinforced network.  However, an additional hack allows someone to reset a user password if they know the corresponding email address and birth date associated with the account, both of which were compromised in the initial attack.  Sony has since disabled the password reset system and gone back to the drawing board, with no word on when full network access will be restored.

While Sony certainly has its hands full attempting to return network functionality, the company continues to experience mounting legal problems.  In addition to the multitude of suits being filed in the U.S., Sony is now facing claims filed by Canadian citizen Natasha Maksimovic.  Geek.com reports that Toronto law firm McPhadden Samac Tuovi, LLP represents Maksimovic and is seeking in excess of $1 billion in damages from Sony Japan, Sony USA and Sony Canada.  Maksimovic wants to see some of the damages go to paying for 2 years of credit monitoring services and fraud insurance coverage for network customers.  Sony has not commented on the filing.

 
