February 13, 2011
Probably not. If you work in California, or are otherwise subject to California law, I recently saw this article which again highlighted the oft-repeated warnings of many in the legal profession not to use your company’s e-mail to send out information that you deem to be confidential or, as in this case, even privileged. It can have consequences.
A California appeals court held that an e-mail an employee had sent from her employer’s work computer was not a confidential communication subject to the attorney-client privilege. Thus, the privilege which would have normally attached to the e-mail had she sent it from her own computer was deemed to be waived. A key factor in the case was that the employer had warned employees that e-mails sent from work were not confidential and could be monitored.
As noted in the article, not all courts have held this—and not all employers have such broad e-mail policies (although most do)—but it nevertheless again highlights the danger of using a computer at work when sending out confidential or sensitive information. Chances are that your employer has a fairly broad e-mail policy in place (and you might have even signed something which acknowledged it), but when in doubt … just don’t do it.
January 28, 2011
Senator Ron Wyden is quickly becoming a politician to be proud of on issues that we feel are important. We’ve already seen him single-handedly stand up to COICA (and forcefully stand behind that position after facing ridiculous lobbying pressure). He also was one of a very small number of US politicians who has publicly expressed concerns about ACTA. But it’s not just on copyright issues. Senator Wyden is now proposing a new law that would require that law enforcement get a warrant before being able to get location info from mobile devices.
While there are still some differing opinions in the courts on the legality of obtaining location info without a warrant, law enforcement has pushed hard to not need a warrant to get such info, preferring to just use a subpoena (basically just asking with no real judicial review). Wyden believes this is wrong, and a violation of basic privacy principles:
“If you asked most Americans, I think they would tell you that surreptitiously turning somebody’s cell phone into a modern-day tracking device … and using it to monitor their movements, 24/7, is a pretty serious intrusion into their privacy, pretty much comparable to searching their house or tapping their phone calls.”
It’s so rare to see a politician say things we agree with that it seems worth highlighting. Who knows if this will actually get anywhere (chances are it won’t), but Wyden still deserves kudos.
Techdirt Mike Masnick
January 25, 2011
The purpose of this blog is to hopefully inform and educate people about legal issues in technology, intellectual property, the Internet, and other areas of the law. So I therefore try to avoid being political, but sometimes it’s hard to do. And it’s really hard to do when the Republican brand—and isn’t it really all about branding these days?—has drifted so far from its roots that I would be remiss in not mentioning it.
There was a time, before September 11th at least, that Republicans—and the newly minted Tea Party—were for the concept of small and less intrusive government. I’m all for that for reasons too numerous to mention here. But I’m especially for it in areas of privacy, particularly on the Internet where personal data about people flows like water. But alas, so much has changed in the world that up is down, small is big, and privacy now means data retention.
So to say I was disappointed when I read that the Republicans’ first major technology initiative in the House of Representatives was to introduce a bill to require Internet companies to keep track of and store user data, would be an understatement. The new bill, if it becomes law, would require ISPs and other Internet companies to store the Internet Protocol (“IP”) addresses and other records of users’ online activities for 2 years. This goes far beyond what the Electronic Communication Transactional Records Act (“ECTRA”) passed in 1996 requires, which is for ISPs to retain any “record” for up to 180 days (in two 90 day increments) upon request by a “governmental entity.” So where’s the smaller and less intrusive government we were promised?
The biggest backers of the bill are—no surprise here—law enforcement and prosecutors. Of course they want the ability to fully investigate crimes on the Internet. Who could realistically be against going after pedophiles, identity thieves, and scam artists? But the potential for abuse by law enforcement remains a real one and a 2 year retention requirement (as opposed to companies who voluntarily save user data for a set period of time) strikes me as excessive. Just ask these folks in Chicago who are being victimized by the police and prosecutors over the state’s absurd wiretap law. So overreaching by law enforcement occurs in many different contexts.
As a practical common sense matter, do records on EVERYONE really need to be retained for at least 2 years? Perhaps ECTRA has the more reasoned approach (dare I say) which requires preservation pursuant to a court order issued “only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d).
But to retain records on everyone so that the police and law enforcement can cull through them at a later time and at their leisure seems particularly ripe for all sorts of abuse. Hopefully, the Democrat-controlled Senate will be far more thoughtful in the consideration of such sweeping legislation (assuming it gets that far). And if they’re not, then I’ll criticize the Democrats too, who are supposed to be more concerned about the “common man.” Well, the common man needs his privacy too. Rumor has it that he’s got the Internet now.
January 20, 2011
Okay, maybe I’m being a bit sarcastic with the title. But according to a recent article and study (i.e., the Sophos Security Threat Report), spam, phishing, and malware attacks on social networking sites doubled from 2009 to 2010. Not surprisingly, identity theft and third party use of personal information were primary goals of cybercriminals.
This is hardly shocking and it wouldn’t be surprising if these numbers doubled again from 2010 to 2011 given the increasing importance of social media—for better or worse—in our personal and business lives. But what do people really expect? Criminals go where the people are and when Facebook has 600 million users, that’s a big crowd to fleece. And criminals can do so in the comfort of their own homes and in foreign countries knowing full well that their chances of getting nabbed are about as likely as Apple stopping production of the iPhone. What do they really have to lose?
Not surprisingly according to the article, users want sites like Facebook to take stronger security measures. And while sites can certainly do so in some instances voluntarily, it may take a court ruling (as it often does) to force a company to implement more substantive protections. But first you have to get past those nasty contractual disclaimers that we lawyers put into practically all user agreements about not holding the site liable for almost anything that happens on it: “Identity theft be damned—so sorry, but it’s just not our problem!”
Remember when you clicked “I AGREE” on that user agreement? You can be sure Facebook does, because that’s an enforceable contract in most instances. (No need to thank us, by the way—the public’s opinion of lawyers is thanks enough!) Very tough to challenge, but not impossible if the right facts present themselves. Combined with the right judge, of course. Sometimes the lottery’s easier to win though.
The fact is that while social media sites have to do more, especially those that operate on the massive scale Facebook does, we have ourselves to blame also. How much personal information do we really need to disclose about ourselves? I’ve always believed that less is usually more, but perhaps because I’m over 40 (which is 95 in cyberyears), many young ’uns believe that more is more. And that even more is still not enough. I forget: Does TMI stand for “Too Much Information” or “Too Many Idiots” when we “overshare?” Because cybercriminals count on both meanings to do their dirty work.
Do we really need to tell everyone when we won’t be home, thereby inadvertently notifying criminals when the best time to rob us is? Or are we so egotistical that we have to “friend” a ton of people so we can brag about how big our network is, only to unwittingly let in unsavory characters? Or to post a lot of personal details until the inevitable privacy breach thereby exposing all of that information to the world—and to sophisticated criminals who can then make use of it in all sorts of ways that decent law-abiding people have never thought of.
I often wonder where the proper practical balance is. Because if you’re expecting the law to catch up to address some of these informational privacy and security issues, we’ll be on Web 5.0 at that point … and on Cybercriminal 7.0. And do you really want to be the “test case” anyway?
May 24, 2008
According to a new survey by Forrester Research, 41% of large companies (those having at least 20,000 employees) either read or analyze the contents of outbound e-mail. They’re either paying other employees to read them or presumably using any number of commercially available software programs to analyze them.
44% of the companies surveyed investigated a confidential data breach involving e-mail in the past year, while 26% said they fired an employee for violating the company’s e-mail policy. Companies also expressed concern over employees leaking information on message boards, blogs, and other electronic media.
Quite frankly, I’m surprised only 41% of large companies are doing this (although it depends on the industry). I would have expected it to have been much higher given the daily parade of data and privacy breaches in the news. After all, it’s large companies that have the financial and human resources to implement widescale e-mail monitoring systems. Smaller companies may be in a much different situation.
Of course, many employers find it distasteful to engage in this type of monitoring. It can, if not handled properly, be destructive to employee morale and have lasting effects. Nevertheless—for better or worse—many employees are slowly coming to grips with their employers’ monitoring efforts. It’s just becoming a fact of life.
But the truth is, I’ve had clients whose employees have e-mailed confidential and sensitive company data. Some workers do it without thinking about it, while others are far more malevolent in their intentions. This is especially the case when employees leave their companies on bad or poor terms. So it’s a very real problem for employers that has very real consequences. Thus, like it or not, monitoring will only continue to increase.
Bottom Line: Be careful. You don’t have any right to privacy when you’re at work. So don’t think that anything you send—whether to a spouse, boyfriend, girlfriend, doctor, stockbroker, or anyone else—is private. Even if you have to send it and it can’t wait until you get home, an employer is within its rights to read your e-mail, no matter how private the subject matter. Of course, what it does with that information is another matter.
April 9, 2008
In yet another invasion of privacy couched in the rhetoric of “but the consumer will benefit!” comes this story from the Washington Post. Apparently, a small but growing number of ISPs are monitoring their users’ every click and keystroke. The ISPs then harvest the data to determine a user’s interests and preferences and provide it to advertisers who make highly targeted pitches to the user. I can see the pitch now: “We’ve noticed that you’ve typed in the word ‘hemorrhoids’ 12 times, searched Google 3 times, and visited 9 sites. Here’s a coupon to try Preparation H for free. It will stop the itch!”
This monitoring is known as “deep-packet inspection” and it divides every aspect of a user’s data into packets that an ISP can analyze for content. First, as a general matter, whenever I see anything with the words “deep” and “inspection” in a title, I get somewhat concerned without even having to read any further (similar to how the FBI first named its now infamous packet-sniffing software “Carnivore,” but later changed it to the more benign-sounding “DCS1000”). From a more substantive perspective, however, it represents a considerable escalation of an ISP’s ability to monitor its users. Barring any legislative or regulatory action, it won’t be long until all ISPs engage in this practice. According to the article, only 100,000 users are affected at the moment.
As usual, the ISPs gain their users’ consent by burying the monitoring in their lengthy customer service agreements. According to the article, one ISP—Knology—has a 27 page agreement and only makes vague reference to the system. Few people actually have the time and energy to read them, and those that do will not necessarily understand them anyway. The lawyers that draft them are not exactly known for their clarity, especially when it comes to a controversial subject such as this. In fact, according to one Knology executive, there’s no violation of privacy at all.
The article is silent as to how long an ISP actually retains all of this information, but presumably it can retain it indefinitely. And even if it doesn’t, once the information is disclosed and sold to advertisers, copies of it could continue to reside in cyberspace even if the ISP purges its records. The article is also silent as to how such information could easily be disclosed to law enforcement or to parties involved in civil litigation. So the march towards “zero privacy” continues. <sigh>