Probably not. If you work in California, or are otherwise subject to California law, I recently saw this article which again highlighted the oft-repeated warnings of many in the legal profession not to use your company’s e-mail to send out information that you deem to be confidential or, as in this case, even privileged. It can have consequences.

A California appeals court held that an e-mail an employee had sent from her employer’s work computer was not a confidential communication subject to the attorney-client privilege. Thus, the privilege which would have normally attached to the e-mail had she sent it from her own computer was deemed to be waived. A key factor in the case was that the employer had warned employees that e-mails sent from work were not confidential and could be monitored.

As noted in the article, not all courts have held this—and not all employers have such broad e-mail policies (although most do)—but it nevertheless again highlights the danger of using a computer at work when sending out confidential or sensitive information. Chances are that your employer has a fairly broad e-mail policy in place (and you might have even signed something which acknowledged it), but when in doubt … just don’t do it.

Senator Ron Wyden is quickly becoming a politician to be proud of on issues that we feel are important. We’ve already seen him single-handedly stand up to COICA (and forcefully stand behind that position after facing ridiculous lobbying pressure). He also was one of a very small number of US politicians who has publicly expressed concerns about ACTA. But it’s not just on copyright issues. Senator Wyden is now proposing a new law that would require that law enforcement get a warrant before being able to get location info from mobile devices.

While there are still some differing opinions in the courts on the legality of obtaining location info without a warrant, law enforcement has pushed hard to not need a warrant to get such info, preferring to just use a subpoena (basically just asking with no real judicial review). Wyden believes this is wrong, and a violation of basic privacy principles:

“If you asked most Americans, I think they would tell you that surreptitiously turning somebody’s cell phone into a modern-day tracking device … and using it to monitor their movements, 24/7, is a pretty serious intrusion into their privacy, pretty much comparable to searching their house or tapping their phone calls.”

It’s so rare to see a politician say things we agree with that it seems worth highlighting. Who knows if this will actually get anywhere (chances are it won’t), but Wyden still deserves kudos.

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

Ah, the hypocrisy of politicians. We’ve pointed out in the past how often politicians seem to push for data retention laws and privacy laws at the same time, without realizing the two are in fundamental conflict. It looks like the Obama administration is going through a bit of that as well. The FTC has been threatening to force browser makers to include a do not track feature, that would let people surf without having their data retained. And yet… at the same time, the Justice Department is pushing for extensive data retention laws, with the help of the supposed “small government” Congressional reps who don’t even seem to realize what they’re supporting. Even worse, Congress seems so eager to push for a data retention law that some Congressional Reps are apparently annoyed that the Justice Department hasn’t just handed them a bill to approve.

The problem, of course, is that these politicians don’t actually fully understand what the issues are involved here. They’re viewing the issues on a very narrow basis. On the “do not track” issue, they think “privacy is important, of course we support privacy — do not track is important.” On the “data retention” issue, they think “well, law enforcement needs to have access to data to solve crimes, and without requiring internet companies to retain data, then it’ll make law enforcement harder, so of course we need to have data retention.” What they don’t recognize is that these two things are in fundamental conflict with each other. Requiring data retention means less privacy. Period. But these politicians never actually think that far.

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

The purpose of this blog is to hopefully inform and educate people about legal issues in technology, intellectual property, the Internet, and other areas of the law.  So I therefore try to avoid being political, but sometimes it’s hard to do.  And it’s really hard to do when the Republican brand—and isn’t it really all about branding these days?—has drifted so far from its roots that I would be remiss in not mentioning it.

There was a time, before September 11th at least, that Republicans—and the newly minted Tea Party—were for the concept of small and less intrusive government.  I’m all for that for reasons too numerous to mention here.  But I’m especially for it in areas of privacy, particularly on the Internet where personal data about people flows like water.  But alas, so much has changed in the world that up is down, small is big, and privacy now means data retention.

So to say I was disappointed when I read that the Republicans’ first major technology initiative in the House of Representatives was to introduce a bill to require Internet companies to keep track and store user data, would be an understatement.  The new bill, if it becomes law, would require ISPs and other Internet companies to store the Internet Protocol (“IP”) addresses and other records of users’ online activities for 2 years.  This goes far beyond what the Electronic Communication Transactional Records Act (“ECTRA”) passed in 1996 requires, which is for ISPs to retain any “record” for up to 180 days (in two 90 day increments) upon request by a “governmental entity.”  So where’s the smaller and less intrusive government we were promised?

The biggest backers of the bill are—no surprise here—law enforcement and prosecutors.  Of course they want the ability to fully investigate crimes on the Internet.  Who could realistically be against going after pedophiles, identity thieves, and scam artists?  But the potential for abuse by law enforcement remains a real one and a 2 year retention requirement (as opposed to companies who voluntarily save user data for a set period of time) strikes me as excessive.  Just ask these folks in Chicago who are being victimized by the police and prosecutors over the state’s absurd wiretap law.  So overreaching by law enforcement occurs in many different contexts.

As a practical common sense matter, do records on EVERYONE really need to be retained for at least 2 years?  Perhaps ECTRA has the more reasoned approach (dare I say) which requires preservation pursuant to a court order issued “only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”  18 U.S.C. § 2703(d). 

But to retain records on everyone so that the police and law enforcement can cull through them at a later time and at their leisure seems particularly ripe for all sorts of abuse.  Hopefully, the Democrat-controlled Senate will be far more thoughtful in the consideration of such sweeping legislation (assuming it gets that far).  And if they’re not, then I’ll criticize the Democrats too, who are supposed to be more concerned about the “common man.”  Well, the common man needs his privacy too.  Rumor has it that he’s got the Internet now.

Okay, maybe I’m being a bit sarcastic with the title.  But according to a recent article and study (i.e., the Sophos Security Threat Report), spam, phishing, and malware attacks on social networking sites doubled from 2009 to 2010.  Not surprisingly, identity theft and third party use of personal information were primary goals of cybercriminals.

This is hardly shocking and it wouldn’t be surprising if these numbers doubled again from 2010 to 2011 given the increasing importance of social media—for better or worse—in our personal and business lives.  But what do people really expect?  Criminals go where the people are and when Facebook has 600 million users, that’s a big crowd to fleece.  And criminals can do so in the comfort of their own homes and in foreign countries knowing full well that their chances of getting nabbed are about as likely as Apple stopping production of the iPhone.  What do they really have to lose?

Not surprisingly according to the article, users want sites like Facebook to take stronger security measures.  And while sites can certainly do so in some instances voluntarily, it may take a court ruling (as it often does) to force a company to implement more substantive protections. But first you have to get past those nasty contractual disclaimers that we lawyers put into practically all user agreements about not holding the site liable for almost anything that happens on it:  “Identity theft be damned—so sorry, but it’s just not our problem!” 

Remember when you clicked “I AGREE” on that user agreement?  You can be sure Facebook does, because that’s an enforceable contract in most instances.  (No need to thank us, by the way—the public’s opinion of lawyers is thanks enough!)  Very tough to challenge, but not impossible if the right facts present themselves.  Combined with the right judge, of course.  Sometimes the lottery’s easier to win though.

The fact is that while social media sites have to do more, especially those that operate on the massive scale Facebook does, we have ourselves to blame also.  How much personal information do we really need to disclose about ourselves?  I’ve always believed that less is usually more, but perhaps because I’m over 40 (which is 95 in cyberyears), many young ’uns believe that more is more.  And that even more is still not enough.  I forget:  Does TMI stand for “Too Much Information” or “Too Many Idiots” when we  ”overshare?”  Because cybercriminals count on both meanings to do their dirty work.

Do we really need to tell everyone when we won’t be home, thereby inadvertently notifying criminals when the best time to rob us is?  Or are we so egotistical that we have to “friend” a ton of people so we can brag about how big our network is, only to unwittingly let in unsavory characters? Or to post a lot of personal details until the inevitable privacy breach thereby exposing all of that information to the world—and to sophisticated criminals who can then make use of it in all sorts of ways that decent law-abiding people have never thought of.

I often wonder where the proper practical balance is.  Because if you’re expecting the law to catch up to address some of these informational privacy and security issues, we’ll be on Web 5.0 at that point … and on Cybercriminal 7.0.  And do you really want to be the “test case” anyway?

It probably goes without saying that if you’re planning to sue your employer, you shouldn’t use your work email address to contact your lawyer. However, if you did do that, according to a California court, that email is not protected by attorney-client privilege. I don’t find this to be all that surprising (or really, problematic). It’s quite common that employers control the rights to your work emails, so it’s hard to see why that wouldn’t extend to emails you send your lawyer. All it really makes me wonder is why someone would use their work email for sending those types of emails.

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

Does the flood of information ever end?  Do we have to know everything about everyone—in real time?  While location-tracking software is not new (well, not too new, anyway), Google’s expected move into this market only further reinforces Scott McNealy’s eerily prophetic saying, “You have zero privacy anyway.  Get over it.”  But now when you “get over it,” all of your friends will be able to see exactly where you were and when.

Google just launched its Latitude software that lets mobile phone users share their mapped location with their network of contacts—if they so choose.  This is nothing new, per se, given the existence of other companies such as Loopt, BrightKite, and Dopplr (for example), as well as most people’s familiarity with GPS, but Google’s entry into the marketplace provides further evidence that the technology is becoming even more widespread.  Maybe too much so.  But when the 800 pound gorilla talks, everyone listens.

According to the article, Google “hopes it will help people find each other while out and about and keep track of loved ones.”  Those are helpful and noble intentions.  What parents wouldn’t want to know where their teenagers are?  Or be able to direct a lost friend to your precise location?  But hope is a fickle thing.  And what Google hopes for and how Latitude will actually be used are two entirely different things.  We all know what the road to hell is paved with.  Lawyers make their living off of it (more on that in a moment).

Google requires that people expressly sign-up for the service and gives them the opportunity to tailor their preferences as to who they can share their location with, as well as the type of information shared.  While that gives the user some degree of control, it’s probably only a matter of time before a bored 16 year-old in hacks into the system and tracks people. 

Even if this doesn’t occur anytime soon, a disgruntled ex-husband may be able to track his ex-wife who forgot to take him out of her “network.”  While entire companies have sprung-up offering this type of GPS-based (and typically illegal) service, now a person can do so without any special equipment whatsoever.  Just a little bit of software and a forgetful spouse.  It goes without saying that stalking is a very real problem in this digital age and tools that used to be available only to law enforcement are becoming increasingly more common.

The fact that such software is even available is part of the larger privacy debate that will be with us for quite some time.  There are no easy answers in a society that never seems to have enough information about others.  Yet from a litigation perspective, few people may realize that all of this location data is stored by a provider for varying degrees of time and subject to subpoena and disclosure in the proper circumstances. 

Thus, in criminal or civil cases where a person’s time and location is an issue, it provides yet one more tool for lawyers to pursue when representing their clients.  Just ask those divorce attorneys in Massachusetts and elsewhere about getting all of that “E-Z Pass” toll information to discover cheating spouses.  Modern convenience has its costs.

So the age old Perry Mason question, “Where were you on February 4, 2009?” now becomes, “Why were you on the corner of 53rd and 7th Avenue at 3:12 p.m. on February 4, 2009?”  And while it may—may—help lawyers such as myself get to the truth faster in a courtroom, the human part of me (and yes, that still exists) finds it it to be unsettling.  So bad grammar aside, the question, ”Where you at?” now becomes, “Why you there?”  Ah technology . . . .