Search and You’ll Be Found – Two Recent Lawsuits Allege that ISP's Violated Privacy by Sharing Referrer Data.

From the National Law Review’s Featured Guest Blogger(s) this week  Damon E. Dunn and Seth A. Stern of Funkhouser Vegosen Liebman & Dunn Ltd – some interesting insight on some recent lawsuits pending against Google and Facebook:  

Two recent lawsuits allege that internet service providers violated users’ privacy by sharing “referrer data” containing potentially identifying information.

A former technologist with the Federal Trade Commission filed a privacy complaint(link via WSJ) against Google with his ex-employer.   The complaint alleges that Google does not allow users to easily prevent transmission of information that allows website operators to determine the search terms used to access their sites.  It claims that this constitutes a deceptive business practice by Google because “if consumers knew that their search queries are being widely shared with third parties, they would be less likely to use Google.”

According to the complaint, Google search URLs contain the user’s search terms, and when users click on a search result the webmaster of that site can see the terms used to access it.   The complaint alleges that this conflicts with Google’sPrivacy Policy and cites to Google’s court admissions that search queries may reveal “personally identifying information” and that consumers trust Google to keep their information private.

Google has allegedly tested products that deleted search terms from the referrer data visible to webmasters but discontinued them after receiving complaints and posted reassurances that search terms would remain visible. Apparently Google now offers an SSL encrypted search engine at https://www.google.com which protects search terms from being intercepted, but the complaint notes that this is not the default setting and it is not linked from the regular Google site.  It also notes that Google provides search term protection to Gmail users searching their inboxes.

The merits of the complaint may hinge on whether search terms should be considered “personal information.”  The complaint notes that the New York Times was able to indentify supposedly anonymous AOL searchers in 2006 when AOL leaked a dataset of search queries.

The second suit alleges that, from February through May, Facebook transmitted referrer information to advertisers about users who clicked on their ads.  It alleges violations of the federal Electronic Communications Privacy Act and Stored Communications Act as well as California computer privacy and unfair competition laws and common law claims of breach of contract and unjust enrichment.

The suit claims that “Facebook has caused users’ browsers to send Referrer Header transmissions that report the user ID or username of the user who clicked an ad, as well as the page the user was viewing just prior to clicking the ad . . . For example, if one Facebook user viewed another user’s profile, the resulting Referrer Headers would report both the username or user ID of the person whose profile was viewed, and the username or user ID of the person viewing that profile.”

As in the Google complaint discussed above, the plaintiffs allege that Facebooks actions violate its privacy policy (which allegedly states “we never share your personal information with our advertisers”) and other representations to users as well as state and federal privacy laws.   The amended complaint may be stronger than the suit against Google because referring Facebook pages, unlike Google searches, are often highly personalized and contain the Facebook user’s name.  Facebook allegedly stopped embedding referrer data in May after media accounts exposed the practice.

Although some tech executives have been quick to sound the death knell for online privacy, consumers – even those who are products of the Internet generation – continue to disagree.   A recent poll shows that 85 percent of teens believe social media sites should obtain their permission before using their information for marketing purposes.

Excerpted from FVLD’s blog, http://www.postorperish.com, which regularly discusses these and other issues facing online publishers.

© Copyright 1999-2010, Funkhouser Vegosen Liebman & Dunn Ltd. All rights reserved.

 

The Ten Commandments of Drafting a Social Networking Policy

The National Law Review’s featured Guest Bloggers this week are from Steptoe & Johnson PLLC. Vanessa L. Goddard provides some concrete do’s and don’ts for drafting a company Social Media policy.  Read on:

You’ve probably heard this “fact”: if Facebook was a country, it would be the fourth largest country in the world! Web 2.0 has infiltrated every aspect of our lives, including the workplace. As a result, most lawsuits in which employers become mired are fraught with electronic data issues. To guard against a wide range of legal claims, as well as reap the benefits of a global marketplace, many employers are instituting social networking policies. But, as with any policy, a social networking policy must be carefully drafted to meet your business needs. With that, I introduce to you the 10 Commandments of drafting a social networking policy:

NUMBER ONE: Thou shalt NOT use a sample policy pulled willy-nilly from the Internet.

While your search results will pull up dozens of fine looking policies, you won’t know who wrote them, the legal jurisdiction from which they hale, or the business interests the policy seeks to promote. Many times, a bad policy is worse than no policy at all.

NUMBER TWO: Thou SHALT work in harmony to craft a policy appropriate for your business.

If you decide that a social networking policy is appropriate for your business (and it may not be), the combined cooperation of your IT department, human resources, legal, and company decision-makers is necessary to formulate an effective policy.

NUMBER THREE: Thou SHALT know the risks and guard against them.

Employee use of social networking media can have wide-ranging legal ramifications for employers. Possible claims include: harassment, discrimination, defamation, invasion of privacy, and a variety of statutory violations.

NUMBER FOUR: Thou SHALT proclaim that the eye of the employer sees all.

Notify employees that they have no expectation of privacy in their use of company technology, that their activities should be work related only, and that their communications may be accessed at any time.

NUMBER FIVE: Thou shalt NOT take the name of the employer in vain.

The policy should require disclaimers be used indicating that the opinions stated therein are those of the employee and not the employer.

NUMBER SIX: Thou SHALT respect thy co-workers, customers, competitors, and employer.

Require employees to act respectfully in their social networking/blogging activities. Provide guidance on what is and what is not appropriate behavior.

NUMBER SEVEN: Thou shalt NOT steal or do other really bad things with your employer’s computer.

The policy should prohibit disclosure of confidential information, the use of legally-protected/copyrighted information, and the dissemination of personal information of co-workers.

NUMBER EIGHT: Thou SHALT know the consequences of thy actions.

Inform your employees that their social networking activities on the job are subject to all company policies and explain the consequences of violating your social networking policy.

NUMBER NINE: Thou SHALT spread the word throughout the masses.

Distribute the policy. Have your employees sign off on their receipt and understanding of the policy. Provide training on the policy.

NUMBER TEN: Thou shalt NOT commit random acts of destruction.

You MUST ensure that your litigation hold policy incorporates procedures and methodologies to capture and preserve social networking data in the event of litigation.

© 2010 Steptoe & Johnson PLLC All Rights Reserved

About the Author:

Vanessa Goddard’s primary focus is in the area of labor and employment law. She has been involved in representing clients in various employment cases, including sexual harassment, deliberate intent, age, race, and disability discrimination, wrongful discharge, and various other employment-related torts. She is admitted to various state and federal courts as well as the Third Circuit Court of Appeals and Fourth Circuit Court of Appeals.  304-598-8158 /www.steptoe-johnson.com

For Health Care / HR Professionals ASHHRA's 46th Annual Conference & Expo Sept. 25-28 in Tampa, FL

For Health Care – HR Professionals – the National Law Review wants to remind you that the Advanced Registration Discount date in August 25th  for the 46th Annual ASHHRA Conference in Tampa, FL.  The  conference runs from September 25th – 28th.  For more info:    http://dld.bz/rBN8

Almost Ten Years After the Enron Meltdown: More Costs, More Prosecution, More Compliance?

I recently heard Sherron Watkins speak as part of a panel at Inside Counsel’s recent Super Conference in Chicago.  Ms. Watkins is former Enron Vice President who is widely credited with exposing the accounting and other irregularities, which lead to Enron’s demise and ushered in a new era of compliance awareness. Ms. Watkins provided some chilling insights and timely reminders about how a company can take great lengths to appear to be highly compliant and ethical but in reality can be a very different creature.      

At the time of the Enron meltdown, Enron was the seventh biggest company in America and the world’s biggest energy trader. Enron also had a Code of Corporate Compliance which would be technically compliant today with many of the Code of Conduct requirements mandated under Sarbanes Oxley (SOX) enacted because of the Enron meltdown. Enron’s Board of Directors famously waived various provisions of their well crafted Code of Conduct twice. These waivers of the Code of Conduct allowed the company’s CFO to run competing companies and companies which traded directly with Enron, and many other questionable business practices.     

Back in 2001, Watkins began investigating Enron’s relationship with LJM (a special purpose entity designed to take high-risk poor-performing assets off Enron’s balance sheet). Watkins became increasingly alarmed as it became apparent that the LJM relationship didn’t stand up to accounting scrutiny. Watkins sent Kenneth Lay, then Chairman of Enron’s Board of Directors, a detailed memo in August 2001 explaining her concerns.  Watkins outlined how the structuring of the LJM deals didn’t seem to have a true third-party relationship and warned Lay that the aggressive accounting would come back and haunt the company. After drafting the memo, Watkins met with Lay to convey her fears face to face.     

Enron Founder Kenneth Lay & Former Enron CEO Jeffrey Skilling

Enron went down quickly. By December of 2001 Enron filed bankruptcy, which at the time was the biggest bankruptcy case in US history. Thousands of workers lost their jobs and thousands of investors lost billions of dollars. Soon after Enron’s bankruptcy, Watkins role publicly came to light. In January 2002, a Congressional committee published her memo to Ken Lay and Watkins and many others testified before Congress about Enron’s corporate culture, internal controls and accounting practices.     

Kenneth Lay Mugshot

In response to Enron, WorldCom and other financial scandals, Congress enacted SOX. Section 404 of SOX requires that company management document, test and adequately support the effectiveness of its internal controls. It also states that such documentation, testing and support be audited and reported on by external auditors.  Certifying officers, the  CEO and CFO, face penalties of $1million for false certification and/or up to 10 years imprisonment for “knowing” violations, and $5 million and/or up to 20 years imprisonment for “willing” violations. In theory, a new era of “transparency” was born.    

Jeffrey Skilling Mugshot

 But Enron famously had a “no harm, no foul” culture and to the outside world, a state of the art Code of Conduct. Whether it was simply looking the other way or actual ignorance, most Enron employees prior to 2001 were unaffected by the executive pillaging going on across all levels of the business and the executives heartily benefited from it. Watkins believes the true bite from SOX comes from the Act’s enforcement penalties. Back in 2003, Watkins famously stated: “Monetary fines don’t do it. If you’ve made a hundred million dollars and you’re fined $25m, you’re still filthy rich. To go to jail scares these guys to death. Standing in a cafeteria line for food, communal showers? It will change them forever.
       

Significantly Increased Corporate Compliance Spending:

It’s difficult to quantify directors and officers fear but one measurable result of Enron, World Com and SOX has been significantly increased compliance costs. Such costs have been well documented – some estimates placing them at well over $6 billion annually. Two accounting professors at the University of Illinois estimated that companies spent 120 million hours in 2004  alone complying with SOX. They also suggested that outside auditors spent another 12 million hours. That equates to 132 million hours – or, to put it another way, 66,000 people working for one year on nothing else.    

Experts all agree the costs have been steep, but how steep? According to one study that has attracted a lot of attention, SOX contributed significantly to wiping US$1.4 trillion off the value of the stock market. This startling amount comes from a study by Ivy Xiying Zhang, Assistant Professor of Accounting at the University of Minnesota.   

In spite of  the current recession, roughly three out of four companies either kept compliance spending even in 2009 or actually increased it.  For 2010 compliance spending is expected to be about the same as 2009 or even slightly higher.  This data was revealed in a survey published in January conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA).   http://www.corporatecompliance.org   

Roy Snell, Chief Executive Officer of SCCE,  recently stated: “According to our survey results 33%  of companies surveyed expect a budget increase in 2010, and 18% expect their staffing to increase.” “This shows that the business community has come to realize that the price of cutting back on compliance far exceeds any potential rewards.”    

Increased Regulatory Enforcement of Financial Crime:

While it is difficult to tell if the increased spending on compliance is having any measurable effect on actual compliance, the government has certainly turned corporate and financial crimes as the new target of the “war on crime.”  One area of heightened government enforcement is the FCPA (Foreign Corrupt Practices Act) which prohibits bribery of foreign government officials. Some statistics illustrate:    

  • In 2000 federal prosecutors brought no FCPA criminal cases.
  • In 2004 there were 3.
  • In 2009 there were 34 criminal FCPA actions with many more in the pipeline – the justice department currently has approximately 150 open investigations.
  • On January 19, 2010, 22 individuals were arrested under portions of the FCPA.   This is the largest single investigation and prosecution against individuals in the 32-plus year history of the FCPA.

In 2009, the federal government significantly beefed up the False Claims Act (FCA) under FERA (Federal Employment and Recovery Act). The FCA applies to the Troubled Asset Relief Program (TARP) to prosecute persons who make false statements to obtain TARP funds.   TARP also created a Specialized Inspector General (SIGTARP) who will collaborate with the FBI and federal prosecutors.  Many states also have their own false claims acts which will should also come into play as TARP money flows to states.     

State Attorney Generals and Federal officials are starting to work together as never before, too.     

  • Operation Short Change:   A joint effort of the FTC and 18 state attorney generals targeting business scams taking advantage of the economic downturn.
  • Operation Loan Lies:  A joint effort of the FTC and 18 state attorney generals targeting mortgage modification scams.
  • Operation Stolen Hope:  A joint effort of 26 federal and state agencies to crackdown on mortgage foreclosure rescue and loan modification scams.

Take Away:  While Enron had a stellar Code of Conduct on paper – it was waived by the Board and the potential  profits at the time seemed to seriously outweigh any civil and criminal penalties in force at the time.  Almost ten years later, companies are spending vast resources on compliance, even in the wake of the current recession.  Wall Street’s recent problems which prompted TARP seems to have motivated both federal and state governments to step in with heightened enforcement of financial crimes.  Whether heightened government enforcement coupled with increased corporate awareness is enough to deter the temptation of potential profits still remains to be seen.

What Corporate America Can Learn from America’s Greatest Spy. Corporate Data Security Quick Reminders.

Since the 1990’s the information explosion has drastically increased the ability to share information and also the ability to steal information.  Former FBI undercover operative Eric O’Neill is widely credited with bringing down America’s most notorious spy, Robert Phillip Hanssen.  At Inside Counsel’s Super Conference, Eric gave the first day’s Keynote address where he outlined how Corporation’s can learn some lessons from the Hanssen case.

As an undercover surveillance specialist, O’Neill was trained to watch, profile and follow people. In 2001, O’Neill was approached by his superiors to investigate special agent Robert Hanssen. O’Neill was assigned as a direct report of Hanssen’s and on his first day of work, Hanssen introduced O’Neill to “Hanssen’s Law.” “Hanssen’s law” was that the spy is always where he has access to the information that he knows he can use to do the most damage and get the most money.

In the corporate setting , O’Neill outlined a few obvious and not so obvious ways that industrial spies obtain proprietary corporate information:

Corporate Dumpster Diving: Picking up information that is cast off (i.e. trash at home or work.)  Most larger organizations have thorough data destruction policies and employ data destruction vendors. But things can go very wrong if procedures are not faithfully followed or if vendors are not fully vetted and monitored.  There needs to be corporate awareness that data security is everyone’s  daily concern.

Security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people think  that data security is just an IT issue. “There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said in an article written for CSO On-Line.   With all the focus on protecting electronic data, many organizations forget about paper data and the physical protection of electronic data.                                                                                                                                                                                                    

Hunt recently did a corporate dumpster dive in a major U.S. City and found all sorts of things that would be in violation of most companies’ data destruction policies.  The dive turned up cancelled checks with the bank account owner’s social security number written on top. The bank account numbers, balances for the political fundraising account of “a certain prominent politician in the area.” Hunt also found the personal financial statement of a very wealthy individual, including the person’s name, home address, real estate owned and values of the properties, several of the individual’s bank account numbers, social security number and date of birth. Hunt’s experiment even yielded a whole laptop with a tag on the back that says “Property of [another financial institution]”.  Steve’s adventure took all of three minutes and he astutely advises companies to do their own dumpster diving tests to monitor how their company’s data destruction policies are actually functioning. 

Corporate Charity:  Information that is ‘castoff’ can include old computers donated to charity.  O’Neill detailed situations where companies purchased all the old computers of their competitor from a charity who supposedly cleaned off all pertinent information and the purchaser ended up obtaining valuable business information from their competitor’s donated computers.  If making a charitable donation of your used electronic equipment, is what your organization chooses to do, it may make sense to do the data cleaning in house prior to physically surrendering your old equipment, so you can control the data cleaning process.

Corporate Posers / Impostors:  Corporate spies often attempt to gain access by relying on people’s willingness to help out, the awkwardness of questioning strangers, and the excitement of receiving free stuff. Corporate spies know these human tendencies and use them to their full advantage. According to O’Neill, a hacker could be posing as ‘Joe from IT’ sending you an email or phone call requesting your password.  If you’re busy or distracted, this just may work.

“Hi, I’m the rep from Cisco and I’m here to see Nancy.”  Chris Nickerson, founder of Lares, a Colorado-based security consultancy, recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store (Read: Anatomy of a Hack).

Criminals will often take weeks or months getting to know a place before even coming in the door, according to O’Neill. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, who to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.  

Other old stand-bys according to O’Neill are: “Can you hold the door for me? I don’t have my key/access card on me.”. An another version would be “Can you hold the door for me?” while carrying a box of “paper for a printer” using both hands.  How many people at your organization would turn away a HVAC person on an emergency call after normal business hours?  Would the air conditioner  / heater actually be serviced? Or would bugs be planted,  phones be tapped,  pictures be taken? Would computer drives be duplicated, papers photocopied, or data altered? 

Another ruse is Flash Drives distributed at conferences or left in strategic locations. Flash drives left unattended in a parking lot, public bathroom or elevator of a targeted company may be a part of a sophisticated social engineering attack. These drives may be seeded with a trojan horse set to automatically run as soon as the drive is inserted and quietly steal your personal or company information in the background.  This happened in an actual attack against the U.S. Pentagon!

Take Away:   Closely check the background and reputation of any data destruction vendors.  Verify  that the data is actually destroyed in a non-usable format, and monitor closely that your corporate record destruction procedures are being faithfully followed.  Remember the simple and obvious ways that corporate spies can try to gain your trust and gain access to vital information.   Be wary of free give away computer devices or cast off computer items that can be inserted into your computer.

Eric M. O’Neill is the founding partner of the Georgetown Group, where he specializes in counterintelligence and counterterrorism operations, security risk assessments, investigations into economic espionage, internal investigations, and background investigations. Eric served as an undercover operative for the F.B.I., where he conducted national security field operations against terrorists and foreign intelligence agents.  His role in the investigation and capture of Robert Phillip Hanssen, the most notorious spy in United States history, became the subject of Universal Studio’s , movie Breach , released to critical acclaim in 2007.