Privacy Compliance & Data Security : Data Security Lawyer & Attorney : Fox Rothschild Law Firm : Privacy Rights, Security Breach Responses

The Federal Trade Commission announced yesterday a settlement with Epic Marketplace, an online advertising network, which prohibits Epic from further collection of data obtained by "browser sniffing" the surfing history of Internet users and requires Epic to destroy all previously collected data.

According to the FTC complaint, Epic was collecting information from millions of individuals by “browser sniffing,” which is a practice that allowed Epic to determine whether the user had previously visited more than 54,000 websites, including websites relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy. Once Epic had this information, it would then send targeted advertisements to the user.

Many users have no idea that this technology even exists, and the FTC’s main gripe appears to be that the user did not have knowledge this was occurring on sites outside of Epic's advertising network. Epic’s privacy policy promised that Epic would collect information about users only for use in Epic’s 45,000 website network. Apparently, the FTC was not concerned with the practice but it’s concern was centered around Epic collecting information from users about visits to websites not in Epic’s website network.

"Consumers searching the Internet shouldn't have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge," FTC Chairman Jon Leibowitz said in a statement. "This type of unscrupulous behavior undermines consumers' confidence, and we won't tolerate it."

Stated another way, the FTC is saying that Epic could collect information about whether consumers visited sites in its advertising network having to do with fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy, and then use that information to serve that consumer advertisements. The problem was that Epic went beyond its own advertising network. That makes sense.  A company breaching the representations in its own privacy policy is low hanging fruit.

What the FTC is NOT saying is that consumers would never know what the heck Epic’s privacy policy says, so how could they consent to this collection and use of their information. Online advertisers are in this wonderful position where the consumer never really “gets” to them, the consumer only sees the advertisements that are served. . 

So is the take away that any company besides Epic can use “browser sniffing” as long as its use is disclosed in its privacy policy (which consumers would not even know existed) and followed by that company?  The FTC is certainly not taking a contrary position.

The FTC press release follows:

• Print
• Comments
• Trackbacks
• Share Link

 With the ever-growing popularity of social networking sites, and with so many employees exercising poor judgment online, it's easy to understand why employers are concerned about the messages and images that that their employees are disseminating on these websites.

For employers, the costs are real: Poor choices by their employees can bring with it not only bad publicity but the loss of confidential information and the risk that the employer and employee will be sued by a third party for a wide range of legal claims, including defamation, invasion of privacy, negligence, discrimination, false light publicity, public disclosure of private facts, infliction of emotional distress and violations of state and federal data breach laws.

Employees seem to comprehend the potential effect of their online rants. According to the 2009 Deloitte Ethics and Workplace Survey, 74 percent of employees believe it is easy to damage a company’s reputation on social media sites. Yet, many conduct themselves as they have a right to do so. Fifty three percent of the employees surveyed believe that an employee’s social networking page is not their employer’s business, and nearly one third said they never consider what their boss would think before posting material online. 

Social media content is also becoming a new source of evidence in employment cases. Employers view such material as a unique way to identify false statements employees make in these cases.  Employees, however, often view their employer’s interest in such content as an invasion of their privacy.

These divergent viewpoints are creating new tensions in the workplace and new issues for the courts to address.  I have written an article in the New Jersey Law Journal this week discussing these issues and trends.   To view the article, click this link.

• Print
• Comments
• Trackbacks
• Share Link

We just wrote about the recent privacy SNAFU by Facebook and other mega-social media site that was reported on by the Wall Street Journal.  If you want to hear some really smart people, plus me, talk about the issue, you should check out this brief podcast.

Description:    According to a Wall Street Journal investigation, many of the public’s favorite Facebook applications like Farmville, Texas HoldEm Poker and FrontierVille, are allegedly sharing users’ personal information with third-party advertisers and Internet tracking companies.  Attorneys and co-hosts Bob Ambrogi and J. Craig Williams  welcome Kimberley Isbell, a Fellow at the Berkman Center for Internet and Society and Mark G. McCreary from the firm Fox Rothschild LLP, to discuss this matter.  They look at the potential impact of this privacy breach, the legal issues and how this breach could affect the business of Facebook.


Page URL:    http://legaltalknetwork.com/podcasts/lawyer-2-lawyer/2010/10/the-facebook-privacy-breach/

MP3 Link: Click Here

• Print
• Comments
• Trackbacks
• Share Link

The Wall Street Journal wrote a series of articles on Monday about Facebook and other meda-social media sites passing User Identifications (UIDs) to its advertisers.  The article has generated a huge amount of attention, begging the question whether the Wall Street Journal is exposing a significant privacy problem, or making something of nothing in the pursuit of web page impressions.

The UID for users can be used to look up all of the public information of Facebook (for example) users, but does not allow access to information that the user has chosen to make private through privacy controls.  Basically, if you are a Facebook user you cannot hide your name and gender, but everything else can be hidden.  The hidden information is not a risk.  The UID unlocks the public information.

To be clear, there should be no confusion that we are not talking about disclosure of personally identifiable information in the sense of a data breach (i.e., name with SSN, bank information, health information or the like).  This is all information that users know is to be made public.

But because of a web protocol deficiency (this is a technology issue, not a Facebook issue), the UID is transmitted as part of the "referrer" when the user clicks on an application in Facebook.  Basically, almost any web page that you browse to can learn from what page you just left.  In this case, the "referrer" told the application maker your UID because it is coded into the "referrer."

At that point, privacy red flags go up.

• Print
• Comments
• Trackbacks
• Share Link

This week, the Supreme Court of New Jersey unanimously ruled on a novel issue of privacy law, holding that an employee has a reasonable expectation of privacy in e-mail communications with her attorney sent and received through a personal, web-based e-mail account even though the account is accessed on an employer-issued computer. In making its decision, the Court recognized that (a) the employer's policy did not specifically give notice that messages sent or received on a personal, web-based e-mail account were subject to monitoring if accessed on company equipment and (b) the policies underlying the attorney-client privilege support the preservation of confidentiality in these circumstances. The Court stated that analysis of the issue was inherently fact-specific, and that employees have a greater expectation of privacy when using a personal, web-based e-mail account (as opposed to a company e-mail system). Other relevant factors considered by the Court were (a) the fact that the account's password was not saved on the employee's computer and (b) the fact that the e-mails contained a legend warning the reader that the communication may be attorney-client privileged. While no one fact was found to be outcome-determinative, the totality of the circumstances created a reasonable expectation of privacy, with no waiver of the privilege.

The Court also clarified that its ruling was not meant to prevent employers from regulating or monitoring the use of workplace computers, but rather was a holding that reading the contents of attorney-client communications was not necessary to do so. In fact, the Court held that even a policy which provided unambiguous notice that a company could read such communications would be unenforceable.

Matthew S. Olesh co-wrote this post.

• Print
• Comments
• Trackbacks
• Share Link

An early March death of a University of Kansas student has many colleges and universities rethinking privacy policies regarding their students.

Recent news reports indicate that Jason Wren, a 19 year-old student from Colorado was ejected from university housing after repeated infractions involving alcohol. Reportedly, the university’s policy regarding its students’ privacy prohibited the disclosure of the basis for his removal from university housing to Mr. Wren’s parents.

On March 8, 2009, Jason Wren was found dead in his bed at a fraternity house in Lawrence, Kansas. The Kansas City Star reported that Jay Wren, the father of the deceased student, indicated that the university would not disclose to him the basis for his son’s removal from university housing. The Star further reported that Mr. Wren said he would have pulled his son out of school if he knew of an alcohol problem.

Kansas University has reported that it is examining the privacy issues (and policies) currently in place. Apparently the university will be examining whether any changes can or should be made to the policy, in light of these recent events.

• Print
• Comments
• Trackbacks
• Share Link