Probably not. If you work in California, or are otherwise subject to California law, I recently saw this article which again highlighted the oft-repeated warnings of many in the legal profession not to use your company’s e-mail to send out information that you deem to be confidential or, as in this case, even privileged. It can have consequences.

A California appeals court held that an e-mail an employee had sent from her employer’s work computer was not a confidential communication subject to the attorney-client privilege. Thus, the privilege which would have normally attached to the e-mail had she sent it from her own computer was deemed to be waived. A key factor in the case was that the employer had warned employees that e-mails sent from work were not confidential and could be monitored.

As noted in the article, not all courts have held this—and not all employers have such broad e-mail policies (although most do)—but it nevertheless again highlights the danger of using a computer at work when sending out confidential or sensitive information. Chances are that your employer has a fairly broad e-mail policy in place (and you might have even signed something which acknowledged it), but when in doubt … just don’t do it.

Ugh.  It really is a sign of the cynical times in which we live when “only” 8.1 million people who have been victims of some type of identity theft is considered to be an improvement.  But according to this article and a recent report, that’s 3 million fewer victims than 2009.

The report attributes the drop to a supposedly dramatic decrease in the number of data breaches whereby large amounts of personal information are exposed to or accessed by identity thieves.  In 2009, there were 604 breaches.  In 2010, the number decreased to 407 or 26 million records exposed.  Yippee!  While the article notes that banks and other companies are taking stronger precautions to prevent data breaches, it’s silent as to why companies are doing that.

I like to think that it’s due to all of those data breach notification laws that 46 states have passed, since California first did so in 2002 (and why haven’t you done so Alabama, Kentucky, New Mexico, and South Dakota?).  These laws require companies to notify consumers if their personal information has been compromised. And needless to say, once a company does that, it spreads like wildfire on the Internet.  As companies have learned, informing the public that their data has been compromised can be very bad for business (and can even result in bankruptcy, e.g., CardSystems Solutions, Inc).

The article gives 4 common sense things to do to minimize your chances of becoming an identity theft victim:  (1) Protect your own personal data, and start by investing in a shredder; (2) monitor your bank and credit card accounts at least once a month; (3) pay attention to any notices that you receive from companies regarding the theft or loss of your own personal information; and (4) don’t share so much on social networks (like Facebook).

Number 4 is my favorite because I firmly believe that people disclose far too much about themselves on-line to folks they don’t know very well.  TMI! I can’t tell you how many times as a lawyer I’ve seen companies claim trade secrets in certain information, only to find out that it’s the companies themselves which freely disclose this supposedly confidential information on their own websites and social media sites, at business presentations or seminars, to customers, or to vendors (for example).  So it’s these voluntary disclosures that can come back and bite you.  Remember, there are a lot of smart identity thieves out there who pray upon our vanity and our belief that they are interested in what we have to say about ourselves.  And they really are interested—but for all of the wrong reasons.

And it can be an expensive mistake.  According to the article, it cost victims an average of $631 in 2010 (up 63% from $387 in 2009) to rectify the situation. And this doesn’t include all of the time spent, phone calls made, and general aggravation in doing so.  In addition, a victim may also have to hire a lawyer in some cases to clear his/her name, which costs far more.  In any instance, let’s see if the drop continues from 2010 to 2011.  Criminals are always inventing new ways to dupe us and get access to our information, and I wouldn’t bet against them just yet.

Senator Ron Wyden is quickly becoming a politician to be proud of on issues that we feel are important. We’ve already seen him single-handedly stand up to COICA (and forcefully stand behind that position after facing ridiculous lobbying pressure). He also was one of a very small number of US politicians who has publicly expressed concerns about ACTA. But it’s not just on copyright issues. Senator Wyden is now proposing a new law that would require that law enforcement get a warrant before being able to get location info from mobile devices.

While there are still some differing opinions in the courts on the legality of obtaining location info without a warrant, law enforcement has pushed hard to not need a warrant to get such info, preferring to just use a subpoena (basically just asking with no real judicial review). Wyden believes this is wrong, and a violation of basic privacy principles:

“If you asked most Americans, I think they would tell you that surreptitiously turning somebody’s cell phone into a modern-day tracking device … and using it to monitor their movements, 24/7, is a pretty serious intrusion into their privacy, pretty much comparable to searching their house or tapping their phone calls.”

It’s so rare to see a politician say things we agree with that it seems worth highlighting. Who knows if this will actually get anywhere (chances are it won’t), but Wyden still deserves kudos.

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

There is nothing against the law about photographing federal buildings from public property. And yet, there have been plenty of stories about security guards and law enforcement trying to block photographers from taking those shots. There have been stories of seized cameras, demands to delete photos, etc., and the usual defense is that they’re just “protecting against terrorism.” However, after a settlement in a lawsuit concerning a guy who was arrested for videotaping outside the Federal courthouse in NY, Homeland Security has issued a notice to federal employees not to disrupt the photographing of federal buildings. An excerpt from the now released document (which is fully embedded below):

For properties under the protective jurisdiction of FPS, there are currently no general security regulations prohibiting exterior photography of any federally owned or leased building, absent a written local rule or regulation established by a Court Security Committee or Facility Security Committee. Furthermore, it is important to understand that this regulation does not prohibit photography by individuals of the exterior of federally owned or leased facilities from publicly accessible spaces such as streets, sidewalks, parks and plazas…. Absent reasonable suspicion or probable cause, law enforcement and security personnel and (sic) must allow individuals to photograph the exterior of federally owned or leased facilities from publicly accessible space.

The report does say they can go speak to the photographer to determine the purpose of the photography if they believe it’s warranted. However, unless they establish a higher bar of suspicion, they need to allow the photography to continue. They also are not allowed to seize cameras and cannot demand that a photographer delete the contents of the camera.

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

Ah, the hypocrisy of politicians. We’ve pointed out in the past how often politicians seem to push for data retention laws and privacy laws at the same time, without realizing the two are in fundamental conflict. It looks like the Obama administration is going through a bit of that as well. The FTC has been threatening to force browser makers to include a do not track feature, that would let people surf without having their data retained. And yet… at the same time, the Justice Department is pushing for extensive data retention laws, with the help of the supposed “small government” Congressional reps who don’t even seem to realize what they’re supporting. Even worse, Congress seems so eager to push for a data retention law that some Congressional Reps are apparently annoyed that the Justice Department hasn’t just handed them a bill to approve.

The problem, of course, is that these politicians don’t actually fully understand what the issues are involved here. They’re viewing the issues on a very narrow basis. On the “do not track” issue, they think “privacy is important, of course we support privacy — do not track is important.” On the “data retention” issue, they think “well, law enforcement needs to have access to data to solve crimes, and without requiring internet companies to retain data, then it’ll make law enforcement harder, so of course we need to have data retention.” What they don’t recognize is that these two things are in fundamental conflict with each other. Requiring data retention means less privacy. Period. But these politicians never actually think that far.

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

The purpose of this blog is to hopefully inform and educate people about legal issues in technology, intellectual property, the Internet, and other areas of the law.  So I therefore try to avoid being political, but sometimes it’s hard to do.  And it’s really hard to do when the Republican brand—and isn’t it really all about branding these days?—has drifted so far from its roots that I would be remiss in not mentioning it.

There was a time, before September 11th at least, that Republicans—and the newly minted Tea Party—were for the concept of small and less intrusive government.  I’m all for that for reasons too numerous to mention here.  But I’m especially for it in areas of privacy, particularly on the Internet where personal data about people flows like water.  But alas, so much has changed in the world that up is down, small is big, and privacy now means data retention.

So to say I was disappointed when I read that the Republicans’ first major technology initiative in the House of Representatives was to introduce a bill to require Internet companies to keep track and store user data, would be an understatement.  The new bill, if it becomes law, would require ISPs and other Internet companies to store the Internet Protocol (“IP”) addresses and other records of users’ online activities for 2 years.  This goes far beyond what the Electronic Communication Transactional Records Act (“ECTRA”) passed in 1996 requires, which is for ISPs to retain any “record” for up to 180 days (in two 90 day increments) upon request by a “governmental entity.”  So where’s the smaller and less intrusive government we were promised?

The biggest backers of the bill are—no surprise here—law enforcement and prosecutors.  Of course they want the ability to fully investigate crimes on the Internet.  Who could realistically be against going after pedophiles, identity thieves, and scam artists?  But the potential for abuse by law enforcement remains a real one and a 2 year retention requirement (as opposed to companies who voluntarily save user data for a set period of time) strikes me as excessive.  Just ask these folks in Chicago who are being victimized by the police and prosecutors over the state’s absurd wiretap law.  So overreaching by law enforcement occurs in many different contexts.

As a practical common sense matter, do records on EVERYONE really need to be retained for at least 2 years?  Perhaps ECTRA has the more reasoned approach (dare I say) which requires preservation pursuant to a court order issued “only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”  18 U.S.C. § 2703(d). 

But to retain records on everyone so that the police and law enforcement can cull through them at a later time and at their leisure seems particularly ripe for all sorts of abuse.  Hopefully, the Democrat-controlled Senate will be far more thoughtful in the consideration of such sweeping legislation (assuming it gets that far).  And if they’re not, then I’ll criticize the Democrats too, who are supposed to be more concerned about the “common man.”  Well, the common man needs his privacy too.  Rumor has it that he’s got the Internet now.

Okay, maybe I’m being a bit sarcastic with the title.  But according to a recent article and study (i.e., the Sophos Security Threat Report), spam, phishing, and malware attacks on social networking sites doubled from 2009 to 2010.  Not surprisingly, identity theft and third party use of personal information were primary goals of cybercriminals.

This is hardly shocking and it wouldn’t be surprising if these numbers doubled again from 2010 to 2011 given the increasing importance of social media—for better or worse—in our personal and business lives.  But what do people really expect?  Criminals go where the people are and when Facebook has 600 million users, that’s a big crowd to fleece.  And criminals can do so in the comfort of their own homes and in foreign countries knowing full well that their chances of getting nabbed are about as likely as Apple stopping production of the iPhone.  What do they really have to lose?

Not surprisingly according to the article, users want sites like Facebook to take stronger security measures.  And while sites can certainly do so in some instances voluntarily, it may take a court ruling (as it often does) to force a company to implement more substantive protections. But first you have to get past those nasty contractual disclaimers that we lawyers put into practically all user agreements about not holding the site liable for almost anything that happens on it:  “Identity theft be damned—so sorry, but it’s just not our problem!” 

Remember when you clicked “I AGREE” on that user agreement?  You can be sure Facebook does, because that’s an enforceable contract in most instances.  (No need to thank us, by the way—the public’s opinion of lawyers is thanks enough!)  Very tough to challenge, but not impossible if the right facts present themselves.  Combined with the right judge, of course.  Sometimes the lottery’s easier to win though.

The fact is that while social media sites have to do more, especially those that operate on the massive scale Facebook does, we have ourselves to blame also.  How much personal information do we really need to disclose about ourselves?  I’ve always believed that less is usually more, but perhaps because I’m over 40 (which is 95 in cyberyears), many young ’uns believe that more is more.  And that even more is still not enough.  I forget:  Does TMI stand for “Too Much Information” or “Too Many Idiots” when we  ”overshare?”  Because cybercriminals count on both meanings to do their dirty work.

Do we really need to tell everyone when we won’t be home, thereby inadvertently notifying criminals when the best time to rob us is?  Or are we so egotistical that we have to “friend” a ton of people so we can brag about how big our network is, only to unwittingly let in unsavory characters? Or to post a lot of personal details until the inevitable privacy breach thereby exposing all of that information to the world—and to sophisticated criminals who can then make use of it in all sorts of ways that decent law-abiding people have never thought of.

I often wonder where the proper practical balance is.  Because if you’re expecting the law to catch up to address some of these informational privacy and security issues, we’ll be on Web 5.0 at that point … and on Cybercriminal 7.0.  And do you really want to be the “test case” anyway?

It probably goes without saying that if you’re planning to sue your employer, you shouldn’t use your work email address to contact your lawyer. However, if you did do that, according to a California court, that email is not protected by attorney-client privilege. I don’t find this to be all that surprising (or really, problematic). It’s quite common that employers control the rights to your work emails, so it’s hard to see why that wouldn’t extend to emails you send your lawyer. All it really makes me wonder is why someone would use their work email for sending those types of emails.

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

We’ve had plenty of problems with Senator Patrick Leahy on this blog, as his push is to always make intellectual property laws worse, such as with ProIP and now COICA. However, sometimes he does things that deserve kudos, such as his plan to investigate the TSA’s new scanners, calling them “invasive.” Leahy apparently wants the Senate Judiciary Committee (which he heads) to examine whether or not the machines really make sense. Of course, perhaps we should withhold any kudos until we find out what comes out of that “review…”

Permalink | Comments | Email This Story





&partnerID=167&key=segment”/> .8626,cat.TechBiz
.rss”/>

Techdirt Mike Masnick

Hopefully by now, most people who have upgraded to a smartphone (such as an iPhone, Blackberry, or Android) have realized that it’s not simply a phone, but a powerful mobile computer which just happens to be about the size of a 3″ x 5″ index card.  And just like your big heavy personal computer or laptop, it contains all sorts of personal information—perhaps too much information—about you and what you do.  If you haven’t come to that conclusion yet, the increasing police power of the state may soon force you to.  It should also force you to take steps to protect yourself from what could become an overzealous police officer should you ever find yourself in the unfortunate situation of being arrested (even for a misdemeanor).

For me, a big part of being a technology and internet lawyer is privacy law.  While privacy appears to have all but  disappeared in this 24/7 networked world where everyone posts a whole lot of information about themselves, it’s easy to forget that not everything is everyone’s business—especially the police, who may seek to use such information against you for violations of laws that you may not have realized even existed.  Think it can’t happen?  As a lawyer, I’ve seen many overzealous police officers, state agents, and prosecutors looking to establish a name for themselves.  Civil liberties be damned.  (Of course, there are many good ones too, but it’s often the other ones we hear about.)

An insightful article by Ryan Radia discusses the recent California Supreme Court decision in People v. Diaz, which held that police officers can lawfully search a mobile phone on a person they arrest without first obtaining a search warrant.  The court found that mobile phones, like cigarette packs and wallets, fall under the “search incident to arrest” exception of the Fourth Amendment.  While the Supreme Court may have the final say as to whether this is legal, many state courts have come to the same conclusion as California has.

Most significantly, Radia discusses the importance of taking measures to make your smartphone as secure as possible, such as full disk encryption of all content on the device.  He notes that password protection—which is certainly an important first step—may not be enough and is easy to bypass due not only to the rise of digital forensics, but the vulnerabilities in your smartphone’s own operating system that a forensic expert can exploit easily.  While Radia notes that no mobile encryption system at the moment is perfect or especially secure, this will hopefully change.

If you have a few minutes, the article is definitely worth a read.  Whether people realize it or not, privacy is one of the most daunting issues facing us (and lawyers) in this information age, and the law has difficulty keeping up.  And as the Diaz case shows when the law does catch up, it’s usually not in our favor, but works to the benefit of the state’s police power.  At least for now.