Articles Posted in Privacy

Posted

A UK charity recently did a survey to look at how people deal with the idea of death and digital music, photography and online bank accounts. Their research found that although 80% of those surveyed have such things, fewer than 10% have given any thought to what should happen to those assets when they die. More than half also said their computers contained important domestic and personal information which could not be accessed by family members.

This issue has been gaining importance as our online life becomes an increasing portion of our activity and consumption. People used to keep photos in albums – now they’re scattered among devices, memory cards and online services. Personal diaries are now protected with a password instead of a physical lock – and might even be stored on Blogger or LiveJournal or another online service rather than on a hard drive.  Family financial information or even personal recipes might be stored in Google Docs.  Most of the services we use on a regular basis have little-to-no provisions in place for a family member or an executor to transfer account information. Few companies and even fewer users are thinking about end of life issues when it comes to their online lives.

In some cases it takes legal action to gain access to an email account because of the privacy issues involved with messages to and from others who are still living. After the case of Lance Corporal Justin Ellsworth in 2004, the US Army began counseling deploying soldiers on this issue:

Legal Assistance attorneys can counsel deploying soldiers about the merits and consequences of giving a letter that contains the user ID and password to their e-mail to someone they trust. The merits include comforting their loved ones by enabling them to piece together his or her life “down range.” The consequences include that access is not selective and the soldier may want to protect his or her privacy even after their death. In the alternative, LA attorneys may advise deploying soldiers to draft a letter specifically telling their loved ones to respect his or her privacy and not attempt to access his or her e-mail account posthumously. LA attorneys providing this counseling should also instruct deploying soldiers to keep the contents of his or her letter secret from the person intended to deliver it to the soldier’s loved ones.

Following up on the US Army’s approach, companies like Legacy Locker are providing people with the ability to create an archive of userids and passwords as part of a “digital will.” Going beyond the sentimental value of photographs and correspondence, 80% of those responding to the UK charity survey thought their collections of virtual goods (music, iPhone apps and other virtual goods) were financially valuable. Yet only 9% had considered including them among assets to be distributed after their death.  Companies like Confidant are providing users with the ability to create a single online repository of important information and designate specific individuals who have access to some or all of the information.

As demonstrated by the UK charity’s study, the digital assets we acquire during life have value that is not just sentimental.  The US IRS Taxpayer Advocate recognized this in 2008 in her annual report to Congress.  The relevant portions of the report were extracted and posted here.
So when you die, your heirs would theoretically have to pay an estate tax on all of the digital assets you collected in your years of virtual asset collecting and building. As long as it has a real-world value, it can be taxed for that real-world amount just like a piece of art or a valuable stamp collection.

Any consumer who collects digital assets – whether through playing games ranging from Kingdom of Loathing to World of Warcraft, participating in a virtual world, simply purchasing music or other digital goods, or just saving important pictures and files – should consider what should and will happen to those files when the consumer dies.  Consumers should consider whether the terms of use for relevant services permit those assets to be transferred to a third party or whether the service has policies and procedures for dealing with the death of a user.  In addition, the heirs of consumers with significant, valuable collections of digital assets may need to deal with estate tax issues related to the value of those digital assets.  Similarly, providers of online services need to consider how they will deal with the death of users, whether they will permit accounts and/or specific assets to be transferred to third parties and what levels of evidence they will require to verify the death.  In many cases, where a service provides a virtual currency, laws may regulate the manner in which such online currency accounts must be maintained and/or transferred. Providers of online role-playing games and other virtual worlds may need to create systems to notify other users of the death of a member and, perhaps, even hold online memorial services.


Posted

There are a number of people out there who are warning us that there needs to be more awareness of how much information we’re disclosing via social networks. Some of them, like the now-shuttered PleaseRobMe.com, were doing it intentionally. Others, like Facebook Breakup Notifier (FBN), do it by implication. FBN lets users pick certain friends whose relationship status they’d like to monitor. If one of those relationships changes, the user gets notified by e-mail. Every tweet, update, video and blog post is a micro-chapter of your public profile that anyone can access. Although the information that is created is for friends, family and colleagues, people seem to rely on the scale of the internet to keep them anonymous without realizing that the information they post is also available to people with less virtuous interests. According to a study reported in The Telegraph, 36% of users who responded to a survey do not limit access to their social media profiles.

The latest tool for would-be stalkers is the aptly-named “Creepy.”  Its creator describes it as a ‘geolocation information aggregator.’ Creepy is an application for Linux or Windows (with a Mac OS X port in the works) that gathers public information on a selected individual via social networking services to map their travel patterns. Right now it only works through Twitter and Flickr, but it’s already pretty impressive. Creepy uses the services’ APIs to download every photo or tweet the target user has ever published, analyzing each for the user’s location at the time.  Although Twitter’s geolocation setting is optional, images shared via sites like Twitpic and Yfrog are usually taken using a smartphone – which, usually unbeknownst to the user, records the location information in the EXIF data of the image. Creepy finds these photos, downloads them, and extracts the location data.

The end result looks something like this:

[Image: creepy_mapview.png]

A map icon appears for each location listed. Given that people spend the majority of their time at work/school or at home, Creepy discloses the travel patterns of anyone who frequently tweets or posts cell phone photos to Flickr.

According to the same article in The Telegraph, a survey of reformed burglars determined that 12% would use websites like Facebook and Twitter to find out when their potential victim is out of the house, and that was before they had the aid of something like Creepy.

According to the Creepy FAQ, “I don’t think that the fact that your geolocation information can be gathered and aggregated is disturbing. The fact that you were publishing it in the first place, is, on the other hand. Just to be clear, the intention behind creating creepy was not to help stalkers or promote/endorse stalking. It was to show exactly how easy it is to aggregate geolocation information and make you think twice next time you opt-in for geolocation features in twitter, or hitting ‘allow’ in the ‘this application wants to use your current location dialog on your iphone.”

To quote Helen Popkin, “Honestly, the way some of you people behave online, it’s like you’ve never had a stalker.”

Posted

The U.S. District Court for the Northern District of
Illinois has held that a company that allegedly used an employee’s Facebook and
Twitter pages without her permission to post marketing messages that looked like
they were written by the employee may be liable under the Illinois Right to
Publicity Act and the Lanham Act for false endorsement.

In this case, the employee, Jill Maremont, worked for an
interior design firm in Chicago.  As part of her job, Maremont created a
work-related blog that was hosted on her employer’s website. She also frequently
posted to both her Facebook page and Twitter, which both included her picture
and were, according to her, personal accounts. 

In September 2009, Maremont was in an automobile accident
and was seriously injured. During Maremont’s convalescence, her employer posted
company messages to Maremont’s Facebook page and Twitter account, writing posts
that claimed to be from Maremont.

When Maremont found out about the substitute posts, she
asked her employer to stop because, among other things, it made it seem like she
was already back at work and her injuries were less severe than they actually
were. However, the posts allegedly continued until Maremont changed the
passwords to her Facebook and Twitter accounts.

The court held that those allegations were sufficient to
proceed under the theories of false endorsement and breaches of her right to
publicity. However, the court dismissed the plaintiff’s common law
misappropriation of likeness claim, noting that the tort was replaced by the
state’s Right to Publicity Act, and rejected the plaintiff’s unreasonable
intrusion upon seclusion claim.

Full text of the court’s opinion in Maremont v. Susan
Fredman Design Group, N.D. Ill., No. 10-7811, 3/15/11, is available at
Maremont v Fredman 110315.pdf.

This case deals with
something employers should deal with in their social media policy – personal
social media accounts. Like most other issues regarding social media, how a
given employer deals with a given question depends a lot on the employer, its
industry and its culture. Some businesses prohibit employees from having
personal work-related social media accounts, while some encourage it. Consider
what the right position is for your business, discuss it with your employees who
are active in social media, and document the decision in your social media
policy.

Posted

According to a recent study by OpenDNS, Facebook is both the most widely blocked site in enterprises today and the second most widely allowed site in enterprises today. The study goes on to report that more than 14 percent of all enterprises that block websites on their networks choose to block Facebook, and MySpace and YouTube round out the top three most commonly blocked websites for business users.

The OpenDNS findings are consistent with those reported in ProofPoint’s 7th Annual Survey on Outbound Messaging and Content Security, which broke the blocking statistics down by company size:

And there’s a good reason for companies to be blocking that access. According to the ProofPoint report, in 2010:

  • 25% of US companies investigated exposure of confidential/proprietary info via blogs/message boards
  • 24% disciplined employee for violation of blog policy w/in last 12 months
  • 11% terminated employee for violation
  • 20% of US companies investigated exposure of confidential/proprietary info via social networks
  • 20% disciplined employee for violation of social network policy w/in last 12 months
  • 7% terminated employee for violation
  • 18% of US companies investigated exposure of confidential/proprietary info via video/audio sharing services
  • 21% disciplined employee for violation of media sharing/posting policy w/in last 12 months
  • 9% terminated employee for violation
  • 18% of US companies investigated exposure of confidential/proprietary info via SMS/web-based messaging

So what should your company be doing?

First, have a social media policy. Talk to employees and solicit ideas for the corporate social media policy. You want to encourage all personnel to think and act like an official company spokesperson, but make sure they know they are not an official company spokesperson and cannot claim to be. The company should designate social media representatives and give them limits on what they are and aren’t supposed to do.

Identify off-limit subjects ahead of time and share that with your company’s social media representatives. Employee training and communication are key to compliance.

Second, have a monitoring policy. From a company perspective, the policy should state that all use of company-provided equipment or services can be monitored, but limit searches of communications/devices to where there is suspicion of misconduct, and limit those searches so that they are consistent with the purpose of the investigation.


Third, make disciplinary consequences clear in your policies, and be consistent in application of the policies. Turning a blind eye to executive violations of the policies, or applying different disciplinary consequences to executives who violate policies, can undercut both the company’s moral authority in the eyes of the employees who are subject to those policies and the company’s legal ability to enforce those policies.

Posted

In the real world (at least in the US), the 5th Amendment to the Constitution states, “No person shall … be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.” A host of jurisprudence has determined what the government is, and is not, allowed to do affecting property owned by private citizens. With an announcement from Linden Labs that the Teen Grid in Second Life will be shutting down on Dec. 31, a number of users are discovering that there’s no such protection in a privately owned virtual world.

According to this article, those who have invested in developing content and educational tools for use in Second Life Teen are faced with the question of whether to transfer to another platform or give up using the tools they’ve developed. The situation illustrates the catch-22 facing those who want to invest significant time, energy and resources into developing virtual world real estate when the owner of the platform has the right to take away that real estate without compensating the members of the community for “taking” their property rights in the virtual world away.

As discussed further in this post, Linden Research Inc. and its CEO Philip Rosedale have already been named as defendants in a class action lawsuit relating to the ownership status of virtual property in Second Life. Interestingly, the home page for Teen Second Life still includes, “Click here for a FREE Lifetime Basic account.” It isn’t clear what Linden plans to do with all of its teen members, since Second Life includes more adult interactions and content and currently requires users to be over 18. The Teen Second Life page also still advertises the monthly rental pricing for virtual land on the Teen Second Life grid.

Posted

A German data protection official has initiated action against Facebook for its use and storage of information about people who are not members. The actions result in part from the ability for registered users to use a tool provided by Facebook that scans a user’s existing email contacts and retrieves and stores that contact information, including information about non-user contacts.

Facebook faces potential fines for storing personal information of people who don’t use the site and have not granted Facebook permission to access or store their details.

Facebook has until Aug. 11 to respond to the legal complaint.

This is another example of how certain technology, which may be useful to users of a social media site, may adversely affect the rights of non-users.

Posted

The Federal Trade Commission has extended until July 12, 2010, the deadline for public comments on its review of the Children’s Online Privacy Protection Act (COPPA) Rule. The request for comments was originally published in the Federal Register on April 5, 2010.

As stated on the FTC website:

The primary goal of the Children’s Online Privacy Protection Act (COPPA) Rule is to give parents control over what information is collected from their children online and how such information may be used.

The Rule applies to:

* Operators of commercial Web sites and online services directed to children under 13 that collect personal information from them;

* Operators of general audience sites that knowingly collect personal information from children under 13; and
* Operators of general audience sites that have a separate children’s area and that collect personal information from children under 13.

The Rule requires operators to:

* Post a privacy policy on the homepage of the Web site and link to the privacy policy on every page where personal information is collected.

* Provide notice about the site’s information collection practices to parents and obtain verifiable parental consent before collecting personal information from children.

* Give parents a choice as to whether their child’s personal information will be disclosed to third parties.

* Provide parents access to their child’s personal information and the opportunity to delete the child’s personal information and opt-out of future collection or use of the information.

* Not condition a child’s participation in a game, contest or other activity on the child’s disclosing more personal information than is reasonably necessary to participate in that activity.

* Maintain the confidentiality, security and integrity of personal information collected from children.

Many in the industry have complained that the FTC has not provided clear enough guidance on how to comply with COPPA.

However, in order to encourage active industry self-regulation, COPPA also includes a safe harbor provision allowing industry groups and others to request Commission approval of self-regulatory guidelines to govern participating Web sites’ compliance with the Rule.

One of the few companies to have received Safe Harbor status is Pillsbury client Privo, Inc.

Posted

The FTC recently posted a press release (FTC Press Release) on its settlement with Twitter, Inc. over charges that the company failed to protect users’ private information. The charges against Twitter stem from several high-profile incidents where hackers were able to gain administrative control of Twitter to: view nonpublic user information; gain access to direct messages and protected tweets; reset any user’s password; and send authorized tweets from any user account.

The FTC made it a point to remind companies that a promise to keep user personal information secure must be kept. Furthermore, even when social networking users choose to share information with others, they still have a right to expect that their personal information will be kept private and secure. The press release outlines the reasonable steps Twitter failed to take and serves as a useful guideline for companies that want to make sure their user information security practices do not run afoul of FTC expectations.