Privacy at the Bleeding Edge Lance Koonce www.privsecblog.com


Recent and Emerging Technologies

• Blogs, Podcasts, Vlogs, Mologs

• WiFi, Wardriving, Wijacking

• RFID

• VoIP

• Biometrics, Encryption

• Mobile Technologies, Bluetooth

• Virtual Worlds


Blogs: The Technology

• Blog Authoring Software

• RSS Feeds

• Filtered or unfiltered comments

• Podcasting (audio blogs)

• Mologs (mobile phone blogs)

• Vlogs (video blogs)


Blogging

• Types of Blogs:

– Individual or Small Group Blogs

  • Diary-like

  • Topical

  • Journalistic

– Corporate Sponsored

  • Topical / Corporate Marketing

  • Employee Blogs

  • Journalistic


Why Does Blogging Matter?

• Anywhere from 15 to 100 million blogs in existence, depending on who you ask

• Companies offer blogs as employee service (like a bulletin board) and as viral marketing

• Whether company sponsors blogs or not, it is inevitable that some employees will have their own blogs

• Big Danger is speed/breadth of dissemination of careless or impulsive commentary

– Think of: Instantaneous publication of email


Blogging Issues

• Legal Issues

• Technical Issues

• Practical Concerns


Privacy Overview

From a corporate perspective, blogging privacy issues mainly arise in two contexts:

• Corporation maintains a blog or is considering a blogging policy for employees

• Employee or outside individual is blogging about the corporation


Blogging Overview: Whose Privacy?

• Where corporation or employee maintains a blog, legal issues may arise:

– Privacy torts: when blog entries or visitors’ comments constitute invasion of the rights of third parties

– Defamation and libel of third parties

– Disclosure of trade secrets or other sensitive information, and purported whistleblowing

– Collection of information about visitors to the blog (registering users who post comments)

– Monitoring of employee entries on blogs


Blogging Overview: Whose Privacy?

• Corporate interests may also be implicated by outside blogs

– Disclosure of trade secrets/sensitive info

– Defamation of corporation


Blogging Overview: Examples of Disputes

• Fewer than 10 legal cases mentioning the word “blog” in all federal and state courts to date

• The only substantive cases about blogs have been the Apple trade secret case and the recent Delaware defamation case

• Most disputes have been made public through blogs themselves, which demonstrates power of the medium


Blogging Overview: Examples of Disputes

• Apple v. Doe trade secrets case (Cal.)

• Doe v. Cahill defamation case (Del.)

• Employer/Employee disputes:

– Flight Attendant case

– Google Employee

– Microsoft

– PR Company employee


Legal Issues for Corporate Blogs: Intrusion Into Private Affairs

• Trespass constitutes intrusion – electronic trespass, recognized in some recent cases, would also be intrusion (intercepting phone calls, email, etc.)

• Standard: Cannot perform any act that intrudes upon someone’s private affairs if the intrusion would be considered “highly offensive” to a reasonable person

• Determination of what is highly offensive depends on social standards of community and what level of privacy people can expect under the circumstances

• For blogs, liability turns on where and how information later posted on blog is collected

– Mologs and Vlogs may be particularly susceptible to intrusion claim, if photos and video taken without another’s knowledge


Legal Issues for Corporate Blogs: Right of Publicity

• Using another person’s name, likeness or personality without authorization for advertising or commercial purposes

• Key here is whether use was for commercial purpose: unlikely to be the case for most blogs

• But: for corporate blogs that serve marketing purpose, must be careful when using celebrity’s name, likeness or personality


Legal Issues for Corporate Blogs: Defamation, Libel and False Light

• Defamation and libel: False statement of fact that damages the reputation of a person or business

– Defamation is spoken, libel is written

• Opportunities abound for liability with blogs:

– By definition the libelous words are made public to third parties

– Words are often written with little thought

– Context of a discussion may make it clear that even cleverly worded statements (i.e., not naming the person) are defamatory

• False light: Publicizing information about a person that places person in false light in a manner that would be highly offensive to a reasonable person.

– Person responsible for making info public must have acted with knowledge or reckless disregard with respect to the falsity of the publicized matter


Legal Issues for Corporate Blogs: Data Collection

• Most blogs do not collect user information

• However, can require users to register before posting comments

– Again, even blogs with registration procedures usually do not require personally identifiable information

• To the extent such information is collected, privacy policy should be posted and data should be treated like any other data collected by a corporate website.


Legal Issues Arising from Third Party Blogs: Disclosure of Trade Secrets

• Deliberate or inadvertent disclosure of sensitive information by former employees, or by third parties

• Also arises in context of corporate blogs (usually through inadvertent disclosure)

• Claim is defined by Uniform Trade Secrets Act, adopted by most states; unfair competition claims

– Economic Espionage Act of 1996 for criminal claims

– As practical matter, availability of legal claim may not be as important as acting quickly to remove material from the blog

– Take-down notice to blog host or Internet Service Provider is likely the first step

• To the extent possible, consider monitoring of blogs of disgruntled employees


Legal Issues Arising from Third Party Blogs: Defamation of Corporation

• Disgruntled employees, unhappy customers, etc.

• Corporation may be defamed, and products/services may be disparaged

• Remedies dependent on state law, although product disparagement may also be subject to federal law


Industries For Which Blogs May Raise Additional Legal Issues

• Technology Companies

• Health Care Industry

• Media Entities


Corporate Blogging Policies

• Publicly available policies:

– Sun Microsystems

– IBM

– Yahoo

– Borland

– Feedster

– Groove Networks

– Harvard Law School

• Blogging policy “wiki”:

– www.socialtext.net/charleneli/index.cgi?corporate_blogging_policies


Corporate Blogging Policies

• See Appendix for corporate policies that have been made public

• Policies can be as wide-ranging as the industries served and are dependent on the corporate cultures of the company

• Decision must be made at outset as to how blog-friendly policy will be

• Policy should always incorporate company’s privacy policy


Corporate Blogging Policies

• Policy is as much about education as proscription: explain sources of liability

• Restrictions on blogging outside of workplace are unlikely to be effective

• Bloggers must respect not just privacy rights, but copyright, trademark, etc.

• Company must decide whether to vet blog entries before posting (likely impractical in large organizations)

• Must also decide whether to allow third party comments, and if so, whether to vet those comments before posting

• Remind employees: although conflict makes for good drama (and good blogging in some contexts!), it does not necessarily make for good corporate blogging

• Work with PR department as well as legal, HR

• Section 230 of Communications Decency Act may shield employer liability in some instances


Employee Blogging Policies: Essentials

• Disclaimer of corporate liability: consider giving employees precise language to use

• Notice to employees that blogging must comply with all HR policies

• Notice to employees re disclosing trade secrets and other sensitive info

• Notice to employees re various legal claims that might be made

• Notice re vetting of questionable posts

• “Best Practices” component


WiFi

• Wardriving/Wijacking

– Unauthorized access to wireless networks

– Recent example in Washington State: consultant for law firm accessing public utility files at public meeting

• Risks:

– Loss of trade secrets or competitive advantage

– Loss of passwords/access information

– Ultimately, data breach and identity theft


RFID

• Second wave of ubiquitous customer preference and usage tracking

– First wave was online advertising (cookies), TiVo

• Business advantages are tremendous if cost structure becomes reasonable, but…

• Customers will increasingly see tracking information as personal data deserving of privacy protection under existing or new laws

– Question is whether RFID will be seen as “surveillance” or usage optimization

• Procedures in place to make information available in the aggregate only and not personally identifiable?

• There will be waves beyond RFID: constraints are only bandwidth, cost, deployment of networks


Voice Over Internet

• Another example of digitization of personal communication

– Same security and privacy concerns as other digital communications, but more to protect since audio is added

• Not yet widely adopted by corporations, primarily because of quality issues

– Most corporate systems are closed, no Internet connectivity

– But need to guard against employees downloading peer-to-peer programs like Skype, which may be more vulnerable

• Subject to eavesdropping, voice spam, phishing, spyware, denial-of-service attacks

– But voice is harder to search and index than text, which may make some attacks less likely

• Current wiretap laws may not address


Gaming / Virtual Worlds

• Testing ground for next-generation issues

• Electronic proxies for real individuals, interacting in purely digital environment

• Expectation of privacy?

• Relationship of personal information to virtual identity?

• Bleeding edge example: phishing attacks in gaming environments