Advanced Technology Seminar
Privacy
Cyrus Daftary & Todd Krieger
March 16, 2015
Agenda
• Administrative Discussion
• Crowd Funding Update
• Employee Privacy Rights
• Individual / Consumer Privacy
• Questions and Answers

Nanoplug “Invisible Hearing Aid”
• Raised funds on Indiegogo
• “Half the size of the smallest devices currently on the market.”
• Raised ~$293,000 from >1,000 contributors.
• “Half the size of other hearing aids”
https://www.youtube.com/watch?v=8zr1SGDrAhY

Things Changed Along the Way
7.1 mm
11 mm
http://advancedhearing.com/hearing-aids/bee-ii-800-cicdigital-hearing-aid
https://www.indiegogo.com/projects/nanoplug-the-world-s-firstinvisible-hearing-aid#activity

Employee Technology Privacy Rights
• How private are employees’ personal emails sent from work accounts?
• How private are employees’ online activities?
• How private are employees’ computer activities?

A. Should Employees have a Reasonable Expectation of Privacy?
McLaren case: (Bill McLaren Jr. v. Microsoft)
• Facts: accused of sexual harassment and ‘inventory issues.’
• Cause of action: invasion of privacy (Texas).
  • (1) Intrusion on the plaintiff’s seclusion or solitude or into his private affairs;
  • There are two elements to this cause of action: (1) an intentional intrusion, physically or otherwise, on another’s solitude, seclusion, or private affairs or concerns, which (2) would be highly offensive to a reasonable person.

Should Employees have a Reasonable Expectation of Privacy? (cont’d)
McLaren case:
• Argument: Is a password encrypted e-mail account like a locker at work?
• How do their purposes differ?
• Conclusion: “the company’s interest in preventing inappropriate and unprofessional comments, or even illegal activity, over its e-mail system would outweigh McLaren’s claimed privacy interest in those communications.”
“Employees have no reasonable expectation of privacy in electronic communication” (Hale and Dorr Internet Alert, July 10, 2002).

Class Discussion: Had Quon Brought Back an Expectation of Privacy in the Workplace?
Quon v. Arch Wireless:
• Facts:
  • City provided pagers to police officers
    XXX OOO
  • Policy prohibited personal use
  • Officers could pay for ‘overages’
  • City requests pager records from Arch Wireless
  • Audit turns up extensive and explicit ‘personal use’
• Stored Wire and Electronic Communications Act [18 U.S.C. §§ 2701-2711 (1986)]
• Compare with Warshak?
• How about cell tower records? [No. 08-4227, 3rd Circuit Court of Appeals]

Business Risks to Unregulated Employee E-mail Access
• Hostile or harassing work environment from inappropriate downloaded or forwarded messages or images.
  • In 1995 Chevron settled a sexual harassment claim for $2.2 million caused by several factors, including an e-mail listing ‘25 reasons beer is better than women.’ This action preceded the company’s anti-harassment policy (NYLJ 8/23/99).
• Reduced productivity from employees spending too much time with personal e-mails.
• Inappropriate or protected information posted online from workplace computers.
Source: www.haleanddoor.com/internet_law/burton.html

E-mail and Internet Use Policy is Critical in the Workplace
• Two Supreme Court cases created a new standard for sexual harassment liability:
  1) Tangible employment action: no defense (ex: termination or demotion).
  2) Affirmative defense:
     • Exercised reasonable care to prevent and correct harassing behavior; and
     • Employee unreasonably failed to take advantage of employer’s policy.
Source: Burlington v. Ellerth 535 US 742; Faragher v City of Boca Raton 524 US 775 (1998).

Does Monitoring Employee e-mail Violate ECPA?
• Electronic Communications Privacy Act of 1986 (18 USC 2510):
  • Prohibits interception of electronic communications, including e-mail affecting interstate or foreign commerce.
  • Permits interception if there is consent.
  • Provides a business exception for delivered communications (monitoring must not be excessive and must have a legitimate business purpose): Fraser v. National Mutual Ins. Co.
• Councilman case discussion
• Smyth v. Pillsbury: No reasonable expectation of privacy, despite employer’s policy.

How Far Can An Employer Reach?
• Can an employer terminate an employee for activities on Facebook?
  • Souza & Costco cases set NLRB standards.
• Should an employer be able to see an employee’s FB account?
• Does an employer have a duty to monitor online chat rooms technically outside of the workplace?
  • Blakey v. Continental: if employer knew about harassing comments, it had a duty to stop them (164 NJ 38).

Illinois Public Act 097-0875
(b)(1) It shall be unlawful for any employer to request or require any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website or to demand access in any manner to an employee's or prospective employee's account or profile on a social networking website.

Exceptions
(2) Nothing in this subsection shall limit an employer's right to:
(A) promulgate and maintain lawful workplace policies governing the use of the employer's electronic equipment, including policies regarding Internet use, social networking site use, and electronic mail use; and
(B) monitor usage of the employer's electronic equipment and the employer's electronic mail without requesting or requiring any employee or prospective employee to provide any password or other related account information in order to gain access to the employee's or prospective employee's account or profile on a social networking website.

Public Domain Exception
(3) Nothing in this subsection shall prohibit an employer from obtaining about a prospective employee or an employee information that is in the public domain or that is otherwise obtained in compliance with this amendatory Act of the 97th General Assembly.
http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=097-0875

Many Companies Claim To Monitor Employee Activities

                      2001 AMA Survey   2007 AMA Survey
Computer files        36.1%             45%
E-mail                46.5%             43%
Internet activities   62.8%             66%

Sources: CFO 9/2001 – AMA 2001 Survey, press.amanet.org/press-releases
Most companies who monitor employee activities cite potential liability as the primary reason for monitoring.

More Employers are Investigating Online Activities
• 28% of employers surveyed by AMA fired employees for e-mail misuse.
• 30% of employers fired employees for Internet misuse.
• Aggressive investigations could impact employee morale.
• Companies are now aggressively blocking access to inappropriate web sites and automatically monitoring employee activities.

Investigations May Be Triggered By:
• Excessive consumption of resources
  • Downloads or uploads that tie up the network
  • Hard drive filled with questionable content
• Colleague complaints
• Vigilant technical staff
• Odd behavior
• Activities triggering alarms on monitoring software.

Monitoring Technologies
• Software solutions
  • Monitor incoming and outgoing e-mail
  • Capture screen shots at regular intervals
  • Monitor online activities
  • Filter keywords and file types
  • Example: www.spectorsoft.com
• Hardware solutions
  • Keystroke logger captures up to 2 GB of keystrokes, including user names and passwords. Small physical device runs independently of applications. Not susceptible to anti-spy software applications.
  • Example: KeyLlama (www.KeyLlama.com).

Consumer & Individual Privacy
We’ll address information security in another lecture

NSA’s Upstream Surveillance
• Government monitoring of ‘Internet Backbone’ traffic instead of just individual activities.
  • Backbone: the network of high-capacity cables, switches, and routers that are used for communication
• Filters for tens of thousands of search terms.
• Not intended to target US citizens.

1st Amendment Right to Access Wikipedia?
• Wikimedia Foundation filed a lawsuit against NSA & the US Department of Justice.
• Alleges mass surveillance of Internet traffic violates 1st & 4th amendment
• “Wikipedia is founded on the freedoms of expression, inquiry and information. By violating our users’ privacy, the NSA is threatening the intellectual freedom that is central to people’s ability to create and understand knowledge.”
• https://www.aclu.org/files/assets/wikimedia_v2c_nsa__complaint.pdf

Wiki Argument
• Access to pages with NSA filtered terms will be flagged
• Wikipedia relies on foreign journalists, editors, volunteers, and other contributors.
• Encroachment of anonymity curtails free speech.

Are Anonymous Google+ Ratings Truly Anonymous?

New Google+ Review Dispute
• Jason Page v. Bussey Law Firm (2015)
• Anonymous Google review claims Bussey Law Firm are ‘scumbags,’ who ‘pay for positive reviews’ and ‘lose 80% of their cases’
• Lawyer files for discovery from Google and pursues UK poster
• Awarded £100k in UK court (£50k legal fees)

Sometimes Victory is Brief
https://plus.google.com/+TheBusseyLawFirmPCColoradoSprings/about?hl=en&gl=us

“You Already Have Zero Privacy – Get Over it” (Sun CEO Scott McNealy 2000)
• Abacus Ad: “This family just spent $425 for a down comforter, $225 for lighting…they have 5 more rooms [to go], want their address?”
  http://lists.nextmark.com/market?page=order/online/datacard&id=216497
• How about a mailing list of customers who suffer from: “Allergies, Arthritis, Cancer, Diabetes, Heart Burn, Heart Disease, Impaired Vision, Potency…”
  http://www.pharmdirectmail.com/

Data Brokers (60 Minutes)
• http://www.cbsnews.com/news/the-data-brokers-selling-your-personal-information/

Technology Related Privacy Concerns
• Social Networks
• Identity and Information Theft, Phishing
• Spam (Usenet abuse / evolved into unsolicited commercial e-mail)
• Reverse Computer Trespass / Data Mining / Spyware (Common Gateway Interface – execute a program on host; examine files; install software)
• E-mail Interception
• Children
• Geotracking
  http://www.google.com/intl/en/policies/privacy/preview/
We will address security and digital discovery in another lecture.

Consumer Concerns
• The intrusion into personal affairs and how to prevent it:
  • Suspicious of surreptitious monitoring of online activities.
  • Web surfers are not aware of what information is collected or where it is going.
• The free exchange of information and ideas concept is not compatible with private information.
• Stronger feeling of control with mail or telephone disclosure.

Consumer Concerns (cont’d)
• Privacy and security are related concerns; a lapse in privacy protection may mean there was a security breach;
• Host victim of security breach may not be able to find the culprit, but could still be liable to users who are harmed by the breach;
• Privacy law may fall behind Internet technology. Most states require companies to disclose if the personal data of a resident is compromised.

Business Needs
• Track site usage and visits to better understand customer patterns and needs.
• Cost effectively market to potential customers.
• Generate leads.
• Track effectiveness of marketing and advertising.
• Generate revenue for third party advertisers.

Consumer Risks
• Intercepted wireless communications:
  • Mobile device
  • Wireless laptop
• Unauthorized data access
  • Bank or credit card company
  • Work
  • Online shopping sites
  • Social networks
• Exposed data
  • Personal information
  • Financial information
  • Computer files
  • Access to employer’s network.

Internet Privacy - Definitions
• “Cookie” - a data file written onto a user’s hard drive by programs invoked by web page functions.
• “Web Bugs” or “Secret Traces” or “Pixel Beacons” – (1 x 1 pixel) GIF image, usually invisible, allowing the sender of an e-mail or host of a web site (and third parties) to load cookies on the user’s machine which then can track the user’s movements across multiple sites (DoubleClick.com employed such technology).
• “Flash Cookies or Locally Stored Objects” – Secondary ‘cookies’ not ordinarily removed when a user purges cookies.
  http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html
• “Cyberstalking” – using the Internet to stalk an individual.
• “Spyware” - software tracking activity on a computer without consent.
• “History Sniffing” - using data stored in a web browser to ascertain what other sites the user has visited.
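
An added example (not part of the original slides): a small Python scanner that flags likely web bugs in an HTML e-mail body, following the definition above of an invisible image loaded from a remote host. The function names, the `first_party` parameter and the sample hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class WebBugFinder(HTMLParser):
    """Collects <img> tags that are invisible and fetched from a remote host."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()   # assumed sender domain
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host:          # inline cid:/data: images make no network request
            return
        invisible = (_tiny(a.get("width")) and _tiny(a.get("height"))) \
            or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if invisible:
            same_site = host == self.first_party \
                or host.endswith("." + self.first_party)
            self.findings.append({"host": host, "third_party": not same_site,
                                  "src": a["src"]})

def find_web_bugs(html, first_party):
    """Return one finding per invisible remote image in the HTML body."""
    finder = WebBugFinder(first_party)
    finder.feed(html)
    return finder.findings

# Constructed sample body; every host is a placeholder under the reserved .example TLD.
SAMPLE = """
<img src="https://shop.example/logo.png" width="200" height="60">
<img src="https://t.adnetwork.example/o.gif?uid=abc123" width="1" height="1">
<img src="https://mail.shop.example/open?m=42" style="display:none">
<img src="cid:inline-photo" width="1" height="1">
"""
```

Calling `find_web_bugs(SAMPLE, "shop.example")` reports the ad-network pixel as third-party and the sender's own open-tracking image as first-party; the visible logo and the inline image are ignored.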
Online Privacy Legal Framework
• Federal Trade Commission - fair advertising standards
• Local and State laws
• Federal Statutes:
  • COPPA (http://www.ftc.gov/bcp/conline/pubs/buspubs/coppa.htm)
  • Gramm-Leach-Bliley Act of 1999 (financial privacy)
  • HIPAA / HiTech (protected health info)
• Evolving Common Law
• EU Data Privacy Directive

FTC Privacy Policy Recommendation
• Notice: let them know you are collecting data.
• Choice: can they opt out of participating in the data collection?
• Access: who can view the data?
• Security: can anyone else get to the data?
• Practical note: don’t keep your policy static and claim it will never change. What if companies are acquired or go out of business? What if the court compels disclosure?
Source: www.ftc.gov

Tracking Technology
• History sniffing: Should e-mailers be able to determine how often a message was read and by whom?
• Should they be able to ascertain the I.P. address, host, and computer type of the recipient?
  • What if a vendor priced its products based on the recipient’s processing speed or the value of the computer?
http://www.proxyway.com/www/privacy-test.html

Online Privacy Mishaps
• FTC v. Geocities: Geocities violated their own privacy policy and distributed data collected from children.
• Travelocity accidentally posted the names, addresses, (some) telephone numbers, and e-mail addresses of 15,000 contest entrants in an online link (http://www.dmnews.com/articles/2001-01-22/12804.html).
• Prozac sent out an e-mailing to subscribers and disclosed all of the e-mail addresses in the header (Eli Lilly case available at www.ftc.gov).
• More than 45 verdicts have been challenged in the past two years because of internet related juror misconduct (Reuters Legal).

Detailed Policies Can Help Minimize Risk
• Clients need a mechanism in place to:
  • Avoid privacy lapses
  • Address and investigate any mishaps
• Massachusetts GL 93H creates an obligation to have robust policies
• Privacy audits can yield surprising insight
• Different divisions of the same company may not realize their impact on privacy practices
  • Telemarketing
  • Online marketing
  • E-mail marketing
  • Direct (mail marketing)
  • Customer service departments
  • Advertising

Other Considerations:
• European Union privacy directive.
  • Notice (what is collected and why?)
  • Choice (opt out)
  • Access (individuals can view and correct data)
• Must have unambiguous consent for data collection
• Prohibition on data export without consent, including H.R. data sent from subsidiaries to U.S. company
• Local statutes may include civil and criminal penalties
• Safe Harbor participants violating the directive face potential U.S. fines from the Dept. of Commerce: see http://www.export.gov/safeharbor

Questions & Answers