It may be due to a difficult job market.  Or perhaps it’s just a sign of the times.  According to one article, however, 83% of recruiters now search the internet for “digital dirt” in order to weed out prospective job candidates.  Thus, inappropriate Facebook photos, unbecoming MySpace profiles, vituperative message board postings, controversial political statements, publicly available criminal records, or any other questionable information are helping recruiters eliminate otherwise promising candidates from available positions.   

But it’s not just recruiters who are doing this.  More and more companies—both large and small—are either doing their own in-house searches or subcontracting them out to investigators who do them quickly and inexpensively.  Employers are all too aware that the costliest and most expensive decisions they make have to do with hiring the “right” people.  And the flood of information out there helps them in their decision-making process. 

And it’s perfectly legal.  If you voluntarily provide information and pictures for others to see, you can’t complain if it doesn’t always garner the results you want.  Of course, if a potential employer hacks into a system or uses a password without authorization to compile its profile on you, then you may have legal recourse (assuming that you ever find out about it).  You won’t have the job, but you’ll have the chance to bring an expensive and time-consuming lawsuit. 

So, as I mentioned in my last posting, be careful in general, but especially if you’re unemployed and looking for work (or will be facing that prospect shortly).  If you have any doubts about posting something, this in itself should tell you that perhaps it’s better to resist the urge.  Remember:  When in doubt, keep it out! 

According to a new survey by Forrester Research, 41% of large companies (those having at least 20,000 employees) either read or analyze the contents of outbound e-mail.  They’re either paying other employees to read them or presumably using any number of commercially available software programs to analyze them. 

44% of the companies surveyed investigated a confidential data breach involving e-mail in the past year, while 26% said they fired an employee for violating the company’s e-mail policy.  Companies also expressed concern over employees leaking information on message boards, blogs, and other electronic media.

Quite frankly, I’m surprised only 41% of large companies are doing this (although it depends on the industry).  I would have expected it to have been much higher given the daily parade of data and privacy breaches in the news.  After all, it’s large companies that have the financial and human resources to implement widescale e-mail monitoring systems.  Smaller companies may be in a much different situation.

Of course, many employers find it distasteful to engage in this type of monitoring.  It can, if not handled properly, be destructive to employee morale and have lasting effects.  Nevertheless—for better or worse—many employees are slowly coming to grips with their employers’ monitoring efforts.  It’s just becoming a fact of life. 

But the truth is, I’ve had clients whose employees have e-mailed confidential and sensitive company data.  Some workers do it without thinking about it, while others are far more malevolent in their intentions.  This is especially the case when employees leave their companies on bad or poor terms.  So it’s a very real problem for employers that has very real consequences.  Thus, like it or not, monitoring will only continue to increase. 

Bottom Line:  Be careful.  You don’t have any right to privacy when you’re at work.  So don’t think that anything you send—whether to a spouse, boyfriend, girlfriend, doctor, stockbroker, or anyone else—is private.  Even if you have to send it and it can’t wait until you get home, an employer is within its rights to read your e-mail, no matter how private the subject matter.  Of course, what it does with that information is another matter.

In today’s world, where fraud is just a mouse click away, it’s nice to know that every so often the good guys win.  Three international hackers were indicted by the Department of Justice (”DOJ”) last week for trying to steal and sell credit card information from customers of Dave & Buster’s, the popular restaurant/entertainment chain.

According to the indictment, the hackers were able to install “packet sniffers” on many of the company’s servers to copy credit card information as it traveled between restaurants and Dave & Buster’s corporate headquarters in Dallas.  The company detected the intrusion and alerted the authorities, but not before 5,000 credit/debit card numbers were stolen and sold to other criminals to make fraudulent purchases.

One of the foreign hackers was arrested in Miami.  No problem there.  The other two, however, were arrested in the Ukraine and in Germany by those countries’ authorities.  It’s certainly not a done deal yet.  The DOJ is seeking the extradition of the other two, but no word yet whether those efforts will be successful. 

While these sorts of arrests are still few and far between given the magnitude of data theft and online fraud, it’s a start.  The DOJ is obviously taking the problem seriously.  Hopefully, other countries will too and the cooperation will continue.  With any luck, if these hackers are extradited, tried, and found guilty, the court will make an example out of them. 

Kudos to the New Jersey Supreme Court.  Last week, the court ruled that ISPs can’t release personal information about their New Jersey users without a valid subpoena.  The court, in a unanimous 7-0 ruling, found that the New Jersey Constitution gives its residents greater protection against unreasonable searches than the U.S. Constitution does.  In the case before the court, the court ruled that the police were required to first obtain a grand jury subpoena before learning a woman’s identity from an ISP.  Her ISP apparently released this information at the request of the police. 

This is an important decision.  First, the New Jersey Supreme Court is one of the more highly regarded state courts in the United States.  Other state courts wrestling with these types of issues will undoubtedly look to see how the New Jersey court decided this case.  Second, it illustrates the continued rise of “state constitutionalism.”  People typically don’t realize that the federal constitution sets a “floor” on a person’s constitutional rights, not a “ceiling.”  In other words, a state court can’t rule that its state’s constitution gives less protection than the federal one does, but can find that the state constitution gives more—at least to its own residents.

Given the perception that the U.S. Supreme Court is less friendly (and somewhat hostile) to privacy rights—especially when it comes to the rights of law enforcement to obtain personal data in these post-9/11 times—combined with the continued paralysis in Congress over individual privacy rights, a ruling from a state’s highest court on issues such as this serves as an implicit rebuke at the lack of leadership at the federal level.  While it’s only one state so far that has now recognized a reasonable expectation of privacy for internet users, it’s got to start somewhere.  Let’s hope other states follow suit.  

Talk about a slow news day.  A recent article in USA Today discusses the so-called “fine print” in ISP contracts and then concludes that it doesn’t really matter anyway.  This non-story highlights the fact that ISP contracts, which their company lawyers draft, give ISPs rights to read their subscribers’ e-mail, block their subscribers from accessing certain websites, and can terminate their subscribers for overusage of their networks.  The horror.  Imagine that?  A business that protects itself.  The shareholders will be outraged.

As an attorney who drafts these contracts, this article is much ado about nothing.  Yes, ISPs put all sorts of language into these agreements to make sure that their services are not abused by users.  But simply because an ISP has the right to read a user’s e-mail or block a user from accessing certain sites doesn’t mean that it will actually do so.  The article makes it sound inevitable.

An ISP, like every other business in America, is keenly aware of the public relations disaster that would result if it was disclosed that they routinely read their users’ e-mails, blocked access to websites, or simply terminated their users accounts due to overusage, without good cause.  They would quickly and perhaps permanently lose users as the media and blogosphere savaged them.  And as they know all too well, everything in cyberspace lives on indefinitely. 

But think of the public relations disaster that would result if it was disclosed that an ISP was aware or suspected that a user was engaging in wide scale spamming, copyright infringement, or the downloading of child pornography.  Or that certain users were hogging bandwidth to the point that other subscribers’ service was affected, while the ISP took a laissez-faire attitude?  It’s not exactly a model of corporate responsibility in these post-Sarbanes Oxley times.  The blogosphere would again be buzzing, albeit for different reasons.  You’re damned if you do, and damned if you don’t.

Furthermore, some of these clauses are economic necessities.  The RIAA has begun targeting ISPs whose users engage in massive and sustained downloading of copyrighted music through their networks.  If an ISP suspects that a user is downloading copyrighted material and does nothing, it can be held liable for contributory copyright infringement in certain instances.  But by terminating the offending user’s account, it may insulate itself from liability.  The “fine print” of the contract allows an ISP to do so.

Is an ISP contract really that different from signing a lease with a landlord?  A landlord has the right to access your apartment with or without notice and can potentially invade your privacy.  A landlord puts certain restrictions as to how its property can be used and how many people can live in it.  And a landlord can evict you under the right circumstances.  While internet access is certainly important nowadays, so is having a place to live.  Yet many tenants have rules not unlike what their ISPs impose, but don’t assume that their landlords will exercise them indiscriminately.

So the contractual provisions such as those described in the article are not necessarily a bad thing.  It all depends upon the circumstances.  If an ISP does include a provision that a court finds to be unfair or onerous, it can be struck from the contract (to say nothing of the scrutiny the ISP would get from that state’s attorney general).  So it’s not as if an ISP can do anything it wants.  While it may sound like this is a case of “ISPs gone wild,” the simple fact is that—for the moment at least—this was an article in search of a story.  But when an ISP does overreach or overreact, I’m sure we’ll hear about it somehow.

     A Pennsylvania couple recently added their names to the long list of people who have sued Google.  Aaron and Christine Boring, who own a home in Pittsburgh, have filed suit against Google after learning that their house appears on Google’s controversial “Street View” feature, which allows its users to see an actual street-level view of a particular road, including all of the homes, apartments, people, and anything else that appears on it.  The Borings claim that Google violated their privacy, devalued their property, and caused them mental distress.

      This isn’t the first time that the Street View feature has raised privacy concerns, both here or abroad, when it made its debut last year.  Still, the Borings’ suit illustrates the shape of things to come with respect to the growing conflict between privacy rights and First Amendment rights.  Expect more lawsuits like this, especially as sites like Google continually roll out more and more features to provide detailed and information-rich experiences for their users.

     By and large, there’s no expectation of privacy on a public street, so Google hasn’t broken any laws.  Anybody and their property can be photographed on a public street at any time.  And the company does provide a means by which people can submit a request that certain images be removed.  Nevertheless, it’s still a bit creepy and just because a company has the right to do something doesn’t mean that it should do it.  Unless you’re Google—who has piles and piles of money.

      Of course, the problem with suing the 800 pound gorilla is that the gorilla has the resources to fight back.  And Google isn’t exactly known for rolling over and writing large checks to make litigants go away.  But despite Google’s claim that there’s no merit to the lawsuit—a common response from the company—the Borings’ case may have some teeth to it.  It appears that Google may have trespassed onto the Borings’ property in order to take the picture.  If so, then Google may indeed be in the wrong. 

    Damages, however, are another matter.  Assuming that the Borings’ privacy was violated, it’s hard to see how a picture of their home—which has apparently since been removed by Google—has either devalued their property or caused them mental suffering (which usually has to be severe in order to be compensable).  So if there are damages here, they seem somewhat nominal in nature.  But as any trial attorney knows, when you have either a sympathetic plaintiff or,  as in this case, an unsympathetic defendant (or both),  and a potentially unpredictable jury which may have the ability to award punitive damages, discretion on Google’s part may indeed be the better part of valor.  So perhaps the case will go away quietly.  Until the next one pops up.

     After my post about privacy yesterday, it’s nice to know that there are entrepreneurs out there who seek to make sure that our government—which generally has little problem with how private industry treats and shares our personal information—is as transparent as possible when it comes to its own information.  According to a story in the Washington Post, congressional staffers are outraged by a website, LegiStorm, which posts public information about the financial affairs of senior congressional staffers.       

     Under federal law, congressional staff members who earn more than $110,000 per year are required to file disclosure forms which list, among other things, their detailed financial holdings.  Why shouldn’t such staffers be subject to almost as much scrutiny as their bosses?  If they have the ear of some of the most powerful politicians in the world and serve as their handlers and gatekeepers, it only seems fair that the voters know if their financial interests may perhaps be influencing how their bosses vote on certain issues.  (Like issues involving privacy, for example.)  We sometimes forget that behind any politician is a group of people who write these influential laws.     

     And therein lies the irony:  Congress wrote these disclosure laws to help prevent public corruption and instill a sense of confidence in our public officials.  All staffers are obviously aware of them when they took their jobs.  So disclosure doesn’t seem to be the issue—it is the law, after all—but the dissemination that’s problematic.  Oh well, welcome to the internet age.  If congressional staffers really live in that much of a bubble where they think that they’re somehow exempt from close scrutiny in these politically polarizing times, then perhaps they’re as out of touch as some of the people they advise.         

     But the staffers have some legitimate concerns as well.  Some of the documents, which have since been redacted by the site, reportedly contained social security and bank account numbers.  Given the prevalence and ease of identity theft, this information obviously has to be removed prior to posting.  And if there is an instance of identity theft that can actually be traced back to the site (which is very unlikely), the site could conceivably be held liable.  There is such a thing as being too transparent.  While I may want to know if a staff member for a senator on the Finance Committee has large holdings in Fidelity, I don’t need to know the account numbers.  And we don’t want to dissuade smart, talented, and motivated people from joining the government if every conceivable detail of their financial lives is made public and widely disseminated.  Beyond these obvious concerns, however, sites like LegiStorm may help to keep Big Brother from getting too big . . . at least for a little while.

     In yet another invasion of privacy couched in the rhetoric of “but the consumer will benefit!” comes this story from the Washington Post.  Apparently, a small but growing number of ISPs are monitoring their users’ every click and keystroke.  The ISPs then harvest the data to determine a user’s interests and preferences and provide it to advertisers who make highly targeted pitches to the user.  I can see the pitch now:  “We’ve noticed that you’ve typed in the word “hemorrhoids” 12 times, searched Google 3 times, and visited 9 sites.  Here’s a coupon to try Preparation H for free.  It will stop the itch!”

      This monitoring is known as “deep-packet inspection” and it divides every aspect of a user’s data into packets that an ISP can analyze for content.   First, as a general matter, whenever I see anything with the words “deep” and “inspection” in a title, I get somewhat concerned without even having to read any further (similar to how the FBI first named its now infamous packet-sniffing software ”Carnivore,” but later changed it to the more benign-sounding “DCS1000″).  From a more substantive perspective, however, it represents a considerable escalation of an ISP’s ability to monitor its users.  Barring any legislative or regulatory action, it won’t be long until all ISPs engage in this practice.  According to the article, only 100,000 users are affected at the moment.

     As usual, the ISPs gain their users’ consent by burying the monitoring in their lengthy customer service agreements.  According to the article, one ISP—Knology—has a 27 page agreement and only makes vague reference to the system.  Few people actually have the time and energy to read them, and those that do will not necessarily understand them anyway.  The lawyers that draft them are not exactly known for their clarity, especially when it comes to a controversial subject such as this.  In fact, according to one Knology executive, there’s no violation of privacy at all.

     The article is silent as to how long an ISP actually retains all of this information, but presumably can retain it indefinitely.  And even if it doesn’t, once the information is disclosed and sold to advertisers, copies of it could continue to reside in cyberspace even if the ISP purges its records.  The article is also silent as to how such information could easily be disclosed to law enforcement or to parties involved in civil litigation.  So the march towards “zero privacy” continues. <sigh>