Twitter's Settlement With the FTC Demonstrates that "Reasonable Security" Isn't Only About Online Commerce

The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.

The FTC’s complaint alleged that between January and May 2009, intruders twice obtained control of Twitter administrative accounts because of deficient password security policies. In January 2009, an intruder gained control of Twitter by using a “brute force” automated password-guessing tool that attempted to log in to Twitter thousands of times until it guessed the correct password. The password was a weak, lowercase, letter-only common dictionary word. In April 2009, an intruder compromised a Twitter employee’s personal email account by unspecified means. The intruder was able to guess the Twitter employee’s administrative password based on two similar passwords that were stored in the employee’s email in plain text for at least six months before the security incident. With administrative access, the intruders were capable of accessing nonpublic user information and nonpublic tweets from any Twitter user and resetting Twitter users’ passwords. The first intruder reset certain user passwords and posted tweets from the compromised accounts.

According to the FTC, Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system. The FTC claimed that Twitter failed to take reasonable steps to:

  • Require employees to use hard-to-guess passwords that were not used for other purposes;
  • Prohibit employees from storing administrative passwords in plain-text within their personal e-mail accounts;
  • Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  • Provide an administrative login page that is separate from the ordinary user login page and whose location is known only to authorized users;
  • Enforce periodic changes of administrative passwords;
  • Restrict access to administrative controls to employees whose jobs required it; and
  • Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
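Several items on the FTC’s list are controls an engineer can implement directly. The following is an added example, written for this post and not Twitter’s code, of an administrative login gate that enforces three of them: a password policy that rejects short, lowercase-only and dictionary-word passwords, a lockout after a fixed number of failed attempts (the control that defeats the automated guessing described above), and a source-IP restriction on administrative access. Passwords are stored only as salted PBKDF2 hashes, never in plain text. The thresholds, the 10.0.5.0/24 administrative network, the toy dictionary and the account names are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import time
from dataclasses import dataclass

# Constructed policy values for this example; they are assumptions, not Twitter's settings.
MAX_FAILED_ATTEMPTS = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts
PBKDF2_ITERATIONS = 100_000
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]   # assumed admin-only source range
COMMON_WORDS = {"password", "happiness", "welcome", "letmein", "monkey"}  # toy dictionary


def password_policy_errors(password: str) -> list:
    """Return the policy rules a candidate administrative password violates."""
    errors = []
    if len(password) < 12:
        errors.append("shorter than 12 characters")
    if password.lower() in COMMON_WORDS:
        errors.append("common dictionary word")
    if password.isalpha() and password.islower():
        errors.append("lowercase letters only")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so no plaintext password is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # monotonic timestamp; 0 means not locked


class AdminLogin:
    """Administrative login gate: source-IP restriction, password policy, lockout."""

    def __init__(self, now=time.monotonic):
        self.now = now            # injectable clock so lockout expiry can be tested
        self.accounts = {}

    def create_account(self, username: str, password: str) -> None:
        errors = password_policy_errors(password)
        if errors:
            raise ValueError("password rejected: " + ", ".join(errors))
        salt = os.urandom(16)
        self.accounts[username] = AdminAccount(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str, source_ip: str) -> tuple:
        """Return (success, reason); the caller is expected to log every failure."""
        if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_NETWORKS):
            return False, "source address not permitted for administrative access"
        account = self.accounts.get(username)
        if account is None:
            hash_password(password, b"\x00" * 16)   # spend the same time for unknown users
            return False, "invalid credentials"
        if account.locked_until > self.now():
            return False, "account locked"
        if hmac.compare_digest(hash_password(password, account.salt), account.digest):
            account.failed_attempts = 0
            return True, "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = self.now() + LOCKOUT_SECONDS
            account.failed_attempts = 0
            return False, "account locked"
        return False, "invalid credentials"


def demo() -> list:
    """Walk through the controls with a fake clock; returns the reasons observed."""
    clock = [0.0]
    gate = AdminLogin(now=lambda: clock[0])
    gate.create_account("ops", "Correct-Horse-Battery-9")
    seen = [gate.login("ops", "Correct-Horse-Battery-9", "192.0.2.10")[1]]   # wrong network
    for _ in range(MAX_FAILED_ATTEMPTS):
        seen.append(gate.login("ops", "happiness", "10.0.5.7")[1])          # repeated wrong guesses
    seen.append(gate.login("ops", "Correct-Horse-Battery-9", "10.0.5.7")[1])  # correct, but locked
    clock[0] += LOCKOUT_SECONDS + 1
    seen.append(gate.login("ops", "Correct-Horse-Battery-9", "10.0.5.7")[1])  # lock expired
    return seen


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The clock is injected so that lockout expiry can be exercised without waiting; in production the default `time.monotonic` is used. The separate, non-advertised administrative login page that the FTC also lists is a deployment matter and is not modelled here.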

Pursuant to the agreement, Twitter is required to engage in a number of actions to address its security practices, most notably:

  • Identifying reasonably-foreseeable, material risks that could result in unauthorized disclosure of nonpublic consumer information or unauthorized administrative control of the Twitter system; and
  • Implementing reasonable safeguards to address the identified risks.

The agreement also includes provisions requiring Twitter to designate an employee or employees to coordinate and be accountable for the information security program. Additionally, the agreement includes provisions addressing Twitter’s use of service providers and requiring Twitter to evaluate and adjust its information security to address material changes to its business or other events that might materially impact the effectiveness of its security program. 

The FTC’s pursuit of, and subsequent agreement with, Twitter is significant because it demonstrates that the FTC’s concern regarding the protection of personal information is not limited to personal financial information and identity theft. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter is not an online merchant and does not collect financial information from its users. Nevertheless, a Twitter user’s account may contain other personally identifiable information and may contain private tweets. The FTC’s pursuit of Twitter demonstrates that the FTC is interested in holding companies to their representations regarding their security practices. The FTC’s allegations regarding Twitter’s security practices may also prove useful to companies, as the allegations signal several behaviors that the FTC considers to be inconsistent with reasonable security.

"Houston's, We Have A Privacy Problem . . . ."

On June 16, 2009, in Pietrylo v. Hillstone Restaurant Group, USDC D.N.J. Case No. 2:06-cv-5754-FSH-PS, a New Jersey federal jury found that the Houston’s restaurant chain violated the Stored Communications Act (SCA) and the New Jersey Wiretapping and Electronic Surveillance Control Act (NJWESCA) by allegedly requiring an employee to surrender to Houston’s managers login information that would allow access to an employee MySpace gripe group called “Spec-Tator.” Spec-Tator’s creators, Brian Pietrylo and Doreen Marino, were fired for violating Houston’s policies regarding professionalism and positivity. They sued for alleged violations of their common law right to privacy, freedom of speech, the SCA and the NJWESCA, and for wrongful termination.

Liability hinged on whether access to Spec-Tator was unauthorized. When Pietrylo and Marino created the group, they invited a select group of Houston’s employees, but no managers. The SCA and the NJWESCA extend liability to parties that exceed authorization to access electronic communications. Thus, the jury form asked: “Did Houston’s knowingly or intentionally or purposefully access the Spectator without authorization from Karen St. Jean?” The jury answered in the affirmative and awarded to plaintiffs $17,000 in compensatory and punitive damages.

While employers with appropriately-worded policies may monitor employee communications using company equipment, the Hillstone verdict, as well as the court’s refusal to dismiss the SCA and NJWESCA claims on summary judgment, indicate that employers may be liable if they exceed their authorization by accessing protected sites not intended for them to see. However, there is extensive grey area yet to be explored. For example, the outcome of the case might have been different had a Spec-Tator user logged in using a work computer and failed to log herself out, or if Spec-Tator had dropped a cookie onto her computer permitting persistent login.

Summer Associate Todd Mobley contributed to this report.

European Privacy Law And Social Networking

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online combined with the data outlining the user’s actions and interactions with other people can create a rich profile of that person’s interests and pose major risks such as identity theft and loss of employment or business opportunities. In this new era of social networking, no longer are even the most secretive organizations free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken from a social networking website, of the soon-to-be chief of the country’s foreign intelligence service, MI6.

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples would include Facebook, Twitter, and MySpace. Under the EU’s 1995 Data Protection Directive (95/46/EC) (the “Directive”), SNS providers are considered data controllers, which are subject to several of the Directive’s provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

Security and Default Privacy Settings – Data controllers must take technical and organizational measures that will maintain the security of the users. The Working Party recommends that SNS providers offer default privacy settings that restrict viewing the user’s profile to self-selected contacts.

Information to be Provided by SNS – SNS providers must inform users of their identity and their purposes in using personal data. The Working Party recommends that providers inform users of the privacy risks, both to users and to third parties, of uploading information. If third party information or pictures are uploaded, it should be done with that individual’s consent. Providers should also give adequate warning to users about privacy risks when uploading data to the SNS.

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent of the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

Retention of Data – Personal data of users should not be kept after their accounts are deleted. When a user is inactive for a period of time, his profile should become invisible to the outside world and eventually the user should be notified that the data will be deleted.

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have rights to access, correct, and delete their data. Further, because data processing is not to exceed the purposes for which the data is collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that exempts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom the user may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

Thus, companies that do not operate an SNS may still be governed by the Directive merely by virtue of using the service. Where the company is collecting personal information (e.g. through applications or otherwise), it should take heed of the foregoing recommendations, such as getting consent from parties before publishing their personal information and images, only using necessary personal data, deleting personal information after an account has been removed, and having a mechanism users can employ to voice privacy concerns about the application.

Proskauer summer associate Adam Freed contributed to this post.

No Privacy Cause of Action for Od(e)ious Myspace.com Posting

According to a new, partially-published California Court of Appeal decision, there is no cause of action for invasion of privacy under the California Constitution where a plaintiff’s myspace.com posting is republished in a newspaper.   In Moreno et al. v. Hanford Sentinel, Inc., et al., F054138, slip op. (Cal. Ct. App. April 2, 2009), plaintiff Cynthia Moreno published on her myspace.com page “An ode to Coalinga,” in which she excoriated her hometown. She removed the Ode six days after she published it.

Before Ms. Moreno removed the Ode, the principal of Coalinga High passed the Ode on to the Editor of the Coalinga Record, which published the Ode, with Ms. Moreno’s first and last names, as a letter to the editor. The community reacted strongly (sometimes violently) and the Moreno family was forced to move from Coalinga. The Moreno family alleged that it suffered significant damages as a result.

The court held that Ms. Moreno’s publication of the Ode on myspace.com meant that the Ode was not private, and that Ms. Moreno’s expectation of a more limited myspace.com audience was of no consequence.  Further, the fact that she removed the Ode prior to publication in the Coalinga Record did not render the Ode private; “[t]he publication was not so obscure or transient that it was not accessed by others.”  Slip op. at 6.  Finally, the Court held that the Moreno family did not have standing to sue based on alleged invasion of Ms. Moreno’s privacy; “the right of privacy is purely personal.” Id.

It is not clear from the Court's opinion whether Ms. Moreno had protected her myspace.com page with some kind of privacy settings.  The outcome might have been different had Ms. Moreno explicitly alleged that she did so.  Because the court ruled at the demurrer stage, there was no evidence regarding that issue.

CDA Protects MySpace from Underage User's Negligence Claim

On May 16, 2008 the U.S. Court of Appeals for the Fifth Circuit agreed with a number of other courts, holding that the Communications Decency Act (“CDA”) (47 U.S.C. Sec. 230) protects social networking websites from liability with respect to negligence claims based on third-party content published on the website and the consequences stemming from such content. In Doe v. MySpace, Inc., No. 07-50345, 2008 WL 2068064 (5th Cir. May 16, 2008), the plaintiff argued that MySpace negligently failed to implement appropriate technological safeguards to prevent the plaintiff, a 13-year-old, from registering on MySpace. The plaintiff lied in her registration materials, pretending to be 18 years old, and ignored MySpace’s warnings against sharing personal information on the website by posting her phone number. According to the plaintiff, the technological safeguards would have prevented her from meeting and being sexually assaulted by another MySpace user.

The so-called “Good Samaritan” provision of the CDA sets out, at 47 U.S.C. Sec. 230(c)(1), that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This immunity provision has been construed broadly in cases involving the publication of user-created content. Nevertheless, in Fair Housing Council v. Roommates.com LLC, 489 F.3d 921 (9th Cir. 2007), aff’d en banc 2008 (9th Cir., April 3, 2008), the Ninth Circuit Court of Appeals found Roommates.com was not immunized under Section 230(c) because it required every user to answer questions regarding the user’s age, sex and sexual orientation. The Ninth Circuit held that these questions allowed users to discriminate against other users in violation of the Fair Housing Act. For more information, see our blog entry here.

In Doe v. MySpace, the Fifth Circuit found that the CDA immunized MySpace from the plaintiff’s negligence claim because it was merely the web-based publisher of third-party information, not the author of the content. Although the plaintiff claimed that she was not seeking to hold MySpace liable as a publisher of third-party content, the court held that the plaintiff’s allegations “speak to MySpace’s role as a publisher of online third-party-generated content,” and thus the CDA applied. The plaintiff also argued that MySpace encouraged or allowed members to post information after the profiles had been created, and therefore that MySpace would not be immunized by the CDA because it partially created the content. The court declined to review the issue as plaintiff failed to raise it in the lower court.

Unlike Roommates.com, MySpace does not require its users to post personal information that could potentially lead to discrimination. Moreover, MySpace discourages its users from sharing personal information on its website, whereas Roommates.com made sharing personal information a requirement of using the service.

Section 230(c) of the CDA will be addressed further in the ongoing Subway v. Quiznos case (Doctor’s Associates Inc., v. QIP Holders LLC) involving sandwich giant Subway suing rival Quiznos. The case revolves around user-generated videos created at Quiznos’ behest that compare Subway’s sandwiches unfavorably to Quiznos’. Quiznos claims that the videos were not created by the company and that the online posting of the videos is protected by the CDA as Quiznos was merely hosting the website. Advertisers are concerned that they will no longer be able to run contests featuring user-created content comparing their product to a competitor’s. The case will be tried in a Connecticut federal district court in 2009.

Adam Rottenberg, a summer associate in Proskauer’s Los Angeles office, contributed to this post.

State Attorneys General Announce Agreement with MySpace to Protect Children Online

Yesterday, attorneys general from 49 states (all but California’s) and the District of Columbia announced a sweeping agreement with MySpace under which the company will adopt new measures to protect children online. This announcement culminates many months of negotiations between a task force of the attorneys general led by Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, and is reflective of the intense pressure on web 2.0 sites to protect children online. We previously posted about that pressure, reporting on state attorneys general investigations of MySpace and Facebook here and the subsequent New York attorney general settlement with Facebook here. The new agreement with MySpace is available as an attachment to the press release on the North Carolina Attorney General’s website.

The agreement is notable for its breadth. It goes well beyond the scope of the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to the collection of personal information online from children 12 and under. The agreement includes some protections designed to protect teenagers under 18 with stronger protections for those under 16. Under the agreement, MySpace will take some readily achievable operational steps and work towards certain longer term goals such as developing new procedures and tools to protect children.

The more immediate steps include the following:

  • continuing to dedicate resources to educate parents and educators on child safety online;
  • using “best efforts” to acknowledge consumer complaints within 24 hours of receipt with a follow-up of the steps taken within 72 hours;
  • retaining an “Independent Examiner” to evaluate and examine handling of complaints;
  • continuing to cooperate with law enforcement on complaints, which includes continuing the law enforcement hotline number and creating a law enforcement liaison;
  • implementing a series of operational changes including:
    • “age locking” to reduce the number of times a user can change their age above or below the 18 year old threshold;
    • age restrictions on certain website functions that make it harder for adults to contact children such as limiting the ability of users over 18 to search in school sections; limiting the ability of users under 18 to designate themselves as swingers; limiting being able to browse certain categories such as “body type”, “smoke” and “drink”; limiting group invites; and automatically designating profiles as private for those under 16;
    • an image monitoring policy with technology to hash inappropriate images;
    • limitations on tobacco and alcohol advertisements to those under 18 and 21 respectively;
    • expanded age specific classifications for events;
    • expanded reporting functionality for violations including a drop down for categories such as pornography, cyberbullying and unauthorized use;
    • enhancing safety tools for members such as the ability to set profiles to private, the ability to block others and requiring those under 18 to affirmatively consent to having reviewed posted safety tips before registration; and
    • enhanced tools for parents such as the ability to remove a child’s profile.

MySpace also has agreed to engage in the following longer term efforts:  

  • organizing an industry-wide Internet Safety Technical Task Force to develop online safety tools – specifically, improved online identity authentication tools – with quarterly reports to the attorneys general’s task force;
  • designating a senior executive to work with the task force;
  • holding regular meetings with the attorneys general to discuss website design and functionality improvements to protect children;
  • hiring a third party to build and host a database of email addresses for parents to register users under 18 (to prevent child registration at social networking sites);
  • blocking access by those under 18 to profiles related to the entertainment industry;
  • increasing staff for monitoring and increasing the use of textual searching and other technologies for monitoring.

The agreement is set forth as a statement of principles and the parties have agreed to attempt to achieve the foregoing objectives, among others. According to reports, the attorneys general and MySpace continue to differ on the feasibility of new age authentication and verification technologies. The attorneys general have not ruled out legal action in the future if sufficient progress is not achieved.

New York Attorney General Settlement with Facebook Creates New Model to Protect Children Online

In follow-up to our earlier blog post regarding recent pressure on social networking sites from law enforcement, New York Attorney General Andrew Cuomo announced yesterday that his office had entered into a settlement with Facebook. The settlement resolves the Attorney General’s investigation of Facebook’s failure to fulfill public claims it made about protecting minors, which the Attorney General believed were deceptive acts and practices and false advertising in violation of New York consumer protection laws. Facebook did not admit to any wrongdoing.  

The settlement is particularly noteworthy for its resulting “new model” to protect children. As set forth in the settlement agreement and settlement terms, Facebook will:

  • Disclose the newly implemented safety procedures on its website as specified by the agreement and ensure that all other public statements made by Facebook about safety are consistent with the specified language.
  • Accept complaints about nudity or pornography, harassment or unwelcome contact confidentially via hyperlinks placed throughout Facebook’s website as well as via an independent email to abuse@facebook.com.
  • Respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.
  • Report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been submitted via an independent email to abuse@facebook.com.
  • Allow Facebook’s complaint review process to be examined by an Independent Safety and Security Examiner (ISSE), a third party approved by the New York State Attorney General’s Office, to report on Facebook’s compliance with the agreement.
  • Provide a prominent and easily accessible hyperlink to allow a Facebook user or their parent/guardian to give feedback to the Independent Safety and Security Examiner (ISSE) about Facebook’s performance in responding to complaints. 
  • Submit to the Office reports prepared by the Independent Safety and Security Examiner (ISSE) evaluating Facebook’s performance in responding to complaints. The Examiner will report bi-annually and may recommend additional safety measures concerning complaint handling, as appropriate.

Both Attorney General Cuomo and Facebook are touting the agreement as setting new industry standards to protect children. Notably, Connecticut Attorney General Richard Blumenthal, co-chair of the national social networking task force of all 50 state Attorneys General, issued a press release stating the settlement terms were not strong enough. He is urging social networking sites to increase the use of filtering technology and monitors to screen content, identity and age verification for anyone 18 and older, parental consent for anyone under 18, the hiding of children’s profiles from adults, certain restrictions on advertising to children, and other measures. In light of the settlement, the likely continued interest by law enforcement, and the potential dangers to children, social networking sites should consider assessing their security practices and policies.           

Social Networking Sites Feel The Heat From Law Enforcement

Kids like social networking sites, most notably MySpace and Facebook. So it is not surprising that law enforcement is scrutinizing how the sites protect children. Recent subpoenas issued to Facebook by New York Attorney General Andrew Cuomo and New Jersey Attorney General Anne Milgram are illustrative.

Both subpoenas sought information about Facebook’s Internet safety and security policies. The New York subpoena, issued last month, also sought information concerning Facebook’s complaint resolution procedures. In its subpoena cover letter to Facebook, Attorney General Cuomo noted Facebook’s public representations concerning how it responds to reports of pornographic material and inappropriate contact with minors. The letter also described the office’s undercover investigation of Facebook. According to the letter, the investigation revealed pornographic and other inappropriate content readily available on the site. In addition, after investigators set up profiles as young teenage users, they received inappropriate sexual advances. The investigators filed complaints about these issues through Facebook’s complaint procedures. The letter notes various instances of non-responsiveness or delayed response to such complaints. The New Jersey subpoena, issued earlier this month and described here, sought information from Facebook concerning convicted New Jersey sex offenders that Facebook has identified as site users. Facebook previously informed the New Jersey Attorney General it had removed sex offenders with profiles matching individuals listed on the New Jersey sex offender registry. Attorney General Milgram also sent letters to eleven other social networking sites requesting they compare their registrants against the state’s sex offender list.

These actions from New York and New Jersey are the latest steps by attorneys general from all 50 states to pressure social networking sites to enhance security protocols, specifically parental controls and age verification tools, because of the vulnerability of children to online predators and inappropriate content. In particular, since early last year, Richard Blumenthal, the Connecticut Attorney General, and Roy Cooper, the North Carolina Attorney General, have led a task force of the attorneys general calling on social networking sites to increase protections for children. Some of the steps the task force has urged of social networking sites have included enhanced age verification tools, restrictions on the ability of children to make profiles available to others in the absence of parental consent, increased staff and technology dedicated to screening inappropriate content, giving parents software to block the site, and raising the minimum age of participation to 16.

This Spring, MySpace was in the news after receiving a letter from eight attorneys general demanding information concerning registered sex offenders on its site. After initially asserting it was unable to legally comply, MySpace struck an agreement with the attorneys general about the form of the requests. MySpace later announced it had removed more than 29,000 profiles of sex offenders from its site.

North Carolina and Connecticut are among states that introduced legislation requiring age verification measures on websites. Those bills have not passed but are expected to be introduced in future legislative sessions.

Businesses developing social networking sites that may attract children should not only comply with the Children’s Online Privacy Protection Act (“COPPA”) and its regulations concerning parental consent when collecting personal information of children, but should also be aware of increased state activity that may require enhanced practices. Companies should consider scrubbing user profiles against sex offender registries and utilizing enhanced tools for age verification. Finally, companies should be sure they are not making any security representations they are not abiding by or with which they cannot comply.