Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh


Online Privacy, Cloud Computing, and Online Fraud

Law Offices of Salar Atrizadeh


Online Privacy

Privacy issues fall under two general categories:

1. Corporate privacy

2. Employee privacy


Corporate privacy - It concerns the protection of business data, including electronic communications, from retrieval or interception by unauthorized parties

- Security is important due to protection of trade secrets and other proprietary information and privileged communications

- The failure to maintain confidentiality in these areas can result in a loss of trade secret status

- Trade secret means … a formula, pattern, compilation, program, device, method, technique, or process that derives independent economic value and is not generally known to the public [See Civil Code § 3426.1(d)]


Policies that can help us preserve corporate privacy

o Use Encryption

o Classify confidential information (i.e., “top secret” designation)

o Restrict access to confidential information (i.e., need-to-know system)

o Use software that detects trade secret information in e-mails

o Include warnings in privileged correspondence (e.g., “This E-mail Contains Privileged Communications”)

o Provide employee handbooks that outline protocols

o Train employees regarding corporate privacy and confidentiality

o Check on incoming and outgoing employees (i.e., execute Non-Disclosure or Non-Compete Agreements)

o Look out for external devices (e.g., external hard drives, flash drives)


Employee Privacy

o It involves claims by employees that employer monitoring of their e-mail and computer files violates their right of privacy

o See California Constitution, Article I, § 1 - right of privacy

o Hill v. National Collegiate Athletic Assn. - discusses the common law right of privacy

o In California, the courts have considered a handful of cases involving e-mail privacy claims. Most have been decided in favor of the employer.

o For example:

Flannagan v. Epson America, Inc. - company employees failed to establish “reasonable expectation of privacy” and that interception of e-mail was not wiretapping

Bourke v. Nissan Motor Corp. - employees have no reasonable expectation of privacy because they had signed a written waiver


Employee Privacy … continued

o Employees may also claim that review of their e-mail violates a federal statute known as the Electronic Communications Privacy Act of 1986 (“ECPA”) which is codified under 18 U.S.C. §§ 2510 to 2710

o The ECPA was originally enacted to supplement the Federal Wiretap Act, but has been expanded to include e-mail and other forms of electronic communication

o Steve Jackson Games, Inc. v. U.S. Secret Service - The ECPA prohibits unauthorized interception of e-mail and unauthorized access to e-mail stored on a computer system. [See 18 U.S.C. § 2511]


Employee Privacy … continued

o ECPA – its extent and application to computer networks maintained by private businesses is still undetermined

o For example, companies require access to employee computer files and e-mail for the following reasons:

a) ensure computer resources are not abused

b) guard against disclosure of trade secrets

c) investigate employee complaints regarding harassing or offensive materials

d) respond to discovery requests in litigation

o Based on a company’s need and rights to access employee computer files there may be a conflict with its employees’ privacy rights and the ECPA

o So, it’s important that policies be developed to avoid problems


How to minimize the likelihood of claims for invasion of privacy or ECPA violations:

o Access employee files and e-mail only for legitimate business reasons

o Make sure employees understand that the office network and telecommunications systems are owned by the business and should be used only for business purposes

o Adopt written policies governing network use and telecommunications equipment

o Review union and collective-bargaining agreements to determine if there are any contractual restrictions that limit employee monitoring


Employee Privacy

o For more information, visit my law firm’s blog (internetlawyer-blog.com) - in the November 11, 2012 post (Privacy Concerns in the Changing Face of Internet and Technology)

o Review the FTC Report providing the steps companies can take to ensure consumer privacy protection

o If you can’t find it, send an email to [email protected]


Cloud Computing

o A global technological infrastructure, where the user of a computer accesses and uses software and data located outside of a digital device (e.g., a computer)

o A user connects to external devices thru an Internet connection, but has no knowledge of the nature/location of the server on which the data and software are located

o This anonymous, external, and often unidentifiable interaction is known as “cloud computing” or simply “the Cloud.”

o A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage devices, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. See www.nist.gov/itl/csd/cloud-102511.cfm


Three basic types:

1. Software as a Service (SaaS)

2. Platform as a Service (PaaS)

3. Infrastructure as a Service (IaaS)


Software as a Service (SaaS)

o It’s the most common type

o SaaS applications provide the function of software that would normally have been installed and run on the user's desktop

o The application is stored on the service provider's servers and runs through the user's web browser over the Internet

o Examples - Gmail, Google Apps, and Salesforce


Platform as a Service (PaaS)

o Provides a place for developers to develop and publish new web applications stored on the servers of the provider

o Customers use the Internet to access the platform and create applications using the provider's API, web portal, or gateway software

o Examples - Salesforce's Force.com, Google App Engine, Mozilla Skywriter, and Zoho Creator


Infrastructure as a Service (IaaS)

o It seeks to obviate the need for customers to have their own data centers

o The provider sells access to web storage space, servers, and Internet connections

o The provider owns and maintains the hardware and customers rent space according to their needs

o Customer maintains control of software environment, but not over equipment

o Examples - Amazon Web Services, IBM SmartCloud, Terremark Enterprise Cloud


Privacy

o Issue – How to protect personal information on the Web

o Examples: Banking, Emailing via Web mail account, Sharing Pictures

o Questions:

o What happens to the information when it disappears into the Cloud?

o Where are your passwords and your account numbers saved?

o Who can access them and what do they do with them?

o Can you delete the information, in the sense that no one will be able to access it in the future?


Tips on protecting personal information:

1. Do not inadvertently reveal personal information

2. Turn on cookies notices in your browser or use cookie management software

3. Keep a "clean" e-mail address (e.g., main and alternate email accounts)

4. Avoid revealing personal details to unknown persons/entities

5. Avoid sending highly personal e-mail to mailing lists

6. Avoid replying to spammers

7. Be conscious of Web security (e.g., https v. http)

8. Be conscious of home computer security (i.e., use firewall and encryption)

9. Examine privacy policies and seals (e.g., TRUSTe - www.TRUSTe.com)

See http://www.consumer.ftc.gov


Contract Law

o In general, contract law is applicable

1. Licensing Agreement - a contract where licensor gives licensee permission to use intellectual property (e.g., patent, trademark, or copyright)

2. End User License Agreement (EULA) - contract between the licensor and purchaser, establishing the purchaser's right to use the software

o Question: Is there equal bargaining power?

o In general, privacy is about controlling what is done with information after it’s released to the Cloud

o So, who should have the power to collect, cross-reference, publicize, or share information about us?


Case Study: Facebook.com

o “For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”

o Statement of Rights & Responsibilities - www.facebook.com/legal/terms

o Data Use Policy - www.facebook.com/about/privacy


Protecting Personal Information

o Fourth Amendment - protects people and their property “against unreasonable search and seizures”

o Electronic Communications Privacy Act (ECPA)

Objective: To protect electronic communications from unwanted interception by both state and private actors

Violations/Remedies:

Individuals - face up to 5 years imprisonment and a $250,000 fine

Victims - entitled to a civil suit of actual damages, punitive damages and attorney’s fees

U.S. Government - cannot be sued for a violation, but evidence that’s gathered illegally cannot be introduced in court


Electronic Communications Privacy Act

o It was envisioned to create “a fair balance between the privacy expectations of citizens and the legitimate needs of law enforcement”

o It’s codified under 18 U.S.C. §§ 2510-2522

o Any violation may be punishable as a felony under 18 U.S.C. § 2511(4)

o Violators may be liable for:

I. $10,000 in statutory damages or, if greater, actual damages suffered by the party whose communication was intercepted

II. Punitive damages

III. Attorney’s fees and litigation costs


ECPA - It has three sub-parts:

o Title I - Wiretap Act

o Title II - Stored Communications Act

o Title III – Pen Register Act


Title I - Wiretap Act

o It’s codified under 18 U.S.C. §§ 2510-2522

o Protects communications in transit

o Protects against both government and private intrusion into electronic communications

o The protection is strong in most situations

o Access requires a search warrant and any evidence obtained in violation of this part of the Act is subject to exclusion in court proceedings


Title II - Stored Communications Act

o Protects the storage of electronic information

o It covers nearly all information in the “Cloud” that is no longer in transit from sender to recipient (i.e., it refers to e-mails not in transit)

o There are certain exceptions for law enforcement access and user consent

o General rule: Employers are forbidden from accessing employees’ private e-mails

o Exception: It may be lawful if consent is given in the form of an employment contract that explicitly authorizes the employer to access e-mails

o It’s codified under 18 U.S.C. §§ 2701-2712


Title III - Pen Register Act

o Pen Registers/Trap and Trace devices provide non-content information about the origin and destination of communications

o It’s subject to fewer restrictions than actual content since it doesn’t contain the communication’s content

o U.S. Supreme Court

There is no “reasonable expectation of privacy” in this information because the telecommunication company has access to it

In fact, the telecommunication company must utilize this information to ensure communications are properly routed and delivered


Title III - Pen Register Act

o There is no statutory exclusionary rule that applies when the government illegally uses a pen register/trap and trace device

o There is no private cause of action against the government for violations

o It’s codified under 18 U.S.C. §§ 3121-3127


ECPA - Disclosure of Records

o Lays out guidelines for law enforcement access to data

o Per the Stored Communication Act:

Government is able to access many forms of stored communications without a warrant (e.g., customer records from communications providers)

Under 18 U.S.C. § 2703, an administrative subpoena, a National Security Letter (“NSL”), can be served on a company to compel disclosure of basic subscriber information

Section 2703 also allows a court to issue an order for records

Whether an NSL or court order is warranted depends on the information


The following table illustrates the different treatment of email contents:


FTC Guidelines

Fair Information Practice Principles:

i. Notice/Awareness

ii. Choice/Consent

iii. Access/Participation

iv. Integrity/Security

v. Enforcement/Redress

See www.ftc.gov/reports/privacy3/fairinfo.shtm


Notice/Awareness:

o The most fundamental principle

o Before any personal information is collected, consumers should be given notice of an entity's information collection practices

o Without notice, consumers cannot make informed decisions as to whether and to what extent to disclose personal information

o California's Online Privacy Protection Act (COPPA) - ensures consumers are able to access a website's privacy policy before release of personal information

o See Business & Professions Code §§ 22575-22579


Essential disclosures to consumers may include:

o Entity’s identification

o Identification of the uses

o Identification of potential recipients

o Nature of the data collected and the means by which it is collected if not obvious

o Passively - by means of electronic monitoring

o Actively - by asking the consumer to provide the information

o Whether the provision of the requested data is voluntary or required, and consequences of refusal

o Steps taken by data collector to ensure confidentiality, integrity and quality


Choice/Consent:

o Choice - giving consumers options as to how any personal information collected from them may be used

o It relates to secondary uses of information (i.e., uses beyond those necessary to complete the contemplated transaction)

Internal – being on a company's mailing list; or

External - transfer of information to third parties


Choice/Consent:

o Two types of choice/consent regimes:

1) Opt-in

2) Opt-out

o The choice regime should provide a simple and accessible method for consumers to exercise their choice

o Online – user’s choice may be exercised by clicking a box showing his/her decision regarding the information’s use and/or dissemination

o Another Option – An application requiring consumers to specify privacy preferences before visiting a website may be incorporated into Internet browsers


Access/Participation:

o It refers to the:

1) Ability to access data (i.e., view personal data in entity's files)

2) Ability to contest data accuracy and completeness

o Access must encompass:

i. Timely and inexpensive data access

ii. Simple means for contesting inaccurate or incomplete data

iii. Mechanism by which the data collector can verify information, and

iv. Means by which corrections and/or objections can be added to the data file and sent to all data recipients

See FCRA, 15 U.S.C. § 1681i; see also EU Directive, 95/46/EC, Art. 12.


Integrity/Security:

o Collectors must take reasonable steps to ensure integrity such as:

i. Use reputable sources of data

ii. Cross-reference data against multiple sources

iii. Provide consumer access to data

iv. Destroy untimely data or convert it to anonymous form

o Technical security measures may include:

i. Encryption in the transmission and storage of data

ii. Limits on access through use of passwords; and

iii. Storage of data on secure servers or computers inaccessible by modem


Enforcement/Redress:

o General Idea - Consumers enforce policies and procedures

o Alternative Enforcement approaches:

a. Industry Self-Regulation

b. Private Remedies

c. Government Enforcement


Industry Self-Regulation

o Enforcement (i.e., mechanism to ensure compliance) includes:

o Making acceptance of and compliance with a code of fair information practices a condition of membership in an industry association

o External audits to verify compliance

o Certification of entities that have adopted and comply with the code at issue

o Redress (i.e., appropriate means of recourse by injured party) includes:

o Institutional mechanisms to ensure that consumers have a simple and effective way to address concerns


Private Remedies

o General Idea - create private right of action for consumers harmed by an entity's unfair information practices

o The following privacy acts provide for the recovery of actual, liquidated, and punitive damages:

i. Video Privacy Protection Act of 1988, 18 U.S.C. § 2710(c) – providing for award of actual damages or liquidated damages of not less than $2,500, punitive damages, attorney's fees, and equitable relief

ii. Cable Communications Policy Act of 1984, 47 U.S.C. § 551(f) – providing for recovery of actual or liquidated damages of not less than $1,000, punitive damages, and attorney's fees


Government Enforcement

o General Idea - Enforcement of fair information practice by means of civil or criminal penalties

o Whether enforcement is civil or criminal depends on the nature of the data at issue and the violation committed

o See IITF Report § III.C - redress should be appropriate to violation


Electronic Privacy Information Center (www.epic.org)

o EPIC filed a complaint against Google - claiming that it was misrepresenting the safety and security of information of several of its Cloud service websites, including Gmail, Google Docs, Google Desktop, and Google Calendar

o EPIC alleged that, while Google professed the security of its services, there were:

i. Flaws permitting unauthorized users access to documents

ii. Exposures of usernames and passwords to theft

iii. Security flaws allowing others full control of a user's system

o If these allegations are true, then it means that Google did not follow several different principles such as Integrity/Security and Notice/Awareness


Cloud Computing Act of 2012

o Proposed by Senator Amy Klobuchar (D-MN) - September 19, 2012

o It attempts to give “cloud computing services” extra protections under the Computer Fraud and Abuse Act (CFAA)

o It states that each instance of “unauthorized access” (the lynchpin of liability under the CFAA) of a cloud computing account is a separate offense

o Loss is presumed to be the greater of the value of the loss of use or information, or a minimum of $500, multiplied by the number of cloud computing accounts accessed

o See http://beta.congress.gov/bill/112th/senate-bill/3569/text


Computer Fraud and Abuse Act

o Is a hybrid civil-criminal law

o It’s codified under 18 U.S.C. § 1030

o It originally passed as a purely anti-hacker criminal statute prohibiting wrongful access to computers

o It focused on issues relating to the protection of federal computers and financial institutions. It also touched on interstate and foreign cybercrimes

o The 2002 amendment (aka the “Patriot Act”) gave federal officials more flexibility regarding monitoring and prosecuting suspected cyber criminals

o It’s been used by employers regarding internal data breaches and misappropriation by employees


Online Fraud

Types

o Identity Theft and Fraud

o Click Fraud

o Mass marketing fraud

o Advance fee schemes

o Bank and financial account schemes

o Investment opportunities

o Auction and Retail schemes

o Business Opportunity or “Work-at-Home” schemes

o Market Manipulation schemes

o Short-selling or “scalping” schemes

o Credit-Card schemes

o Intricate schemes

o Real Estate Scams


Identity Theft and Fraud

o General rule: It’s illegal to use someone else's personal identifying information without authority to obtain credit, goods, services, money, or property. (See California Civil Code § 1798.92)

o Personal identifying information - name, address, telephone number, driver's license number, social security number, place of employment, employee identification number, mother's maiden name, demand deposit account number, savings account number, or credit card number.

o Statute of Limitations

o 4 years

o See California Civil Code § 1798.96

Page 50: Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh

Scenarios

o Example 1: In one federal prosecution, the defendants allegedly obtained the names and Social Security numbers of U.S. military officers from a website, then used more than 100 of those names and numbers to apply via the Internet for credit cards with a Delaware bank.

o Example 2: In another federal prosecution, the defendant allegedly obtained personal data from a federal agency's website, then used the personal data to submit 14 car loan applications online to a Florida bank.

Page 51: Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh

Tips for Avoiding Identity Theft

o Do not throw away ATM receipts, credit statements, credit cards, or bank statements in a usable form

o Do not respond to "spam" or unsolicited email promising some benefit but requesting identifying data

o Do not give your credit card number over the telephone unless you make the call

o Reconcile your bank account monthly, and notify your bank of discrepancies immediately

o Report unauthorized financial transactions to your bank, credit card company, and the police as soon as you detect them

o Review a copy of your credit report at least once each year. Notify the credit bureau in writing of any questionable entries and follow through until they are explained or removed

Page 52: Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh

Click Fraud

o Occurs on the Internet in pay-per-click (“PPC”) online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link

o It’s a controversial subject

o It’s caused an increase in litigation because advertising networks are key beneficiaries

Page 53: Online Privacy, Cloud Computing, and Online Fraud Law Offices of Salar Atrizadeh

How to Detect Click Fraud

o Unusual peaks in impressions (i.e., number of times the advertisement shows on a search results page)

o Unusual peaks in the number of clicks

o No increase in conversions during peaks in impressions or clicks

o Drop in the number of page views (i.e., how many pages were visited per visitor) during peaks in impressions or clicks

o Higher bounce rate (i.e., number of people clicking the advertisement and then quickly going back to the search results page) during peaks in impressions or clicks
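
The indicators listed above can be checked mechanically against daily campaign metrics. The following Python code is an added example, not part of the original presentation; the field names, the thresholds (`spike`, `tolerance`, `min_supporting`) and the sample figures are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class DayStats:
    """One day of metrics for a pay-per-click campaign (field names are assumptions)."""
    day: str
    impressions: int   # times the ad was shown on a search results page
    clicks: int        # billed clicks on the ad
    conversions: int   # purchases or sign-ups attributed to the ad
    page_views: int    # pages viewed by visitors who arrived through the ad
    bounces: int       # ad visits that went straight back to the results page


def _ratio(num, den):
    """Safe division: a day with zero clicks yields a rate of 0.0."""
    return num / den if den else 0.0


def flag_click_fraud(days, spike=2.0, tolerance=0.2, min_supporting=2):
    """Return [(day, [signals])] for days that show a peak in impressions or
    clicks together with at least `min_supporting` of the other indicators.

    The baseline is the median over the whole window, so a few abnormal days
    inside the window do not drag the baseline towards themselves.
    """
    if len(days) < 3:
        raise ValueError("need at least three days of data to form a baseline")

    base_impr = median(d.impressions for d in days)
    base_clicks = median(d.clicks for d in days)
    base_conv = median(d.conversions for d in days)
    base_ppv = median(_ratio(d.page_views, d.clicks) for d in days)
    base_bounce = median(_ratio(d.bounces, d.clicks) for d in days)

    flagged = []
    for d in days:
        # Indicators 1 and 2: unusual peaks in impressions or clicks.
        peaks = []
        if base_impr > 0 and d.impressions >= spike * base_impr:
            peaks.append("impression peak")
        if base_clicks > 0 and d.clicks >= spike * base_clicks:
            peaks.append("click peak")
        if not peaks:
            continue  # the remaining indicators only matter during a peak

        # Indicators 3 to 5: what the extra traffic did after the click.
        supporting = []
        if d.conversions <= base_conv * (1 + tolerance):
            supporting.append("no increase in conversions")
        if _ratio(d.page_views, d.clicks) < base_ppv * (1 - tolerance):
            supporting.append("drop in page views per visit")
        if _ratio(d.bounces, d.clicks) > base_bounce * (1 + tolerance):
            supporting.append("higher bounce rate")

        if len(supporting) >= min_supporting:
            flagged.append((d.day, peaks + supporting))
    return flagged


# Constructed sample data: 05-05 is a peak with flat conversions, shallow
# visits and a high bounce rate; 05-06 is a peak whose conversions rose with it.
SAMPLE_DAYS = [
    DayStats("2024-05-01", 10000, 200, 10, 600, 60),
    DayStats("2024-05-02", 10400, 210, 11, 640, 62),
    DayStats("2024-05-03", 9800, 190, 9, 560, 58),
    DayStats("2024-05-04", 10100, 205, 10, 610, 61),
    DayStats("2024-05-05", 24000, 900, 10, 1000, 780),
    DayStats("2024-05-06", 21000, 450, 24, 1400, 130),
    DayStats("2024-05-07", 9900, 195, 10, 590, 59),
]

if __name__ == "__main__":
    for day, signals in flag_click_fraud(SAMPLE_DAYS):
        print(day, "->", ", ".join(signals))
```

A flagged day is a prompt to pull the click logs for that period and raise the charges with the advertising network, not proof of fraud on its own.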


Click Fraud - Class Action lawsuits

o Google v. Auction Experts - Google (acting as both an advertiser and advertising network) won against Auction Experts (acting as a publisher), which Google accused of paying people to click on ads that appeared on Auction Experts' site, costing advertisers $50,000.

o In July 2005, Yahoo settled a class-action lawsuit against it by plaintiffs alleging it did not do enough to prevent click fraud. Yahoo paid $4.5 million in legal bills for plaintiffs and agreed to settle advertiser claims dating back to 2004. In July 2006, Google settled a similar suit for $90 million.

o Lane’s Gifts & Collectibles v. Google - In March 2006, Google agreed to a $90 million settlement fund in a class-action lawsuit. The lawsuit alleged Google had conspired with its advertising partners to conceal the magnitude of click fraud to avoid making refunds.


Relevant Laws

1. Identity Theft and Assumption Deterrence Act

2. Fair and Accurate Credit Transactions Act

3. Fair Credit Reporting Act

4. Fair Debt Collection Practices Act

5. Check Clearing for the 21st Century Act

6. CAN-SPAM Act of 2003


Identity Theft and Assumption Deterrence Act

It was passed into law on October 30, 1998

It’s codified under 18 U.S.C. § 1028 et seq.

It’s a federal crime if someone “knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.”


“Means of Identification” includes:

i. Name, SSN, date of birth, driver’s license, alien registration number, passport number, EIN

ii. Unique biometric data (e.g., fingerprint, voice print, retina or iris image)

iii. Unique electronic ID Number, address or routing code

iv. Electronic serial number / Mobile ID number

Penalties:

o Fines, criminal forfeiture of any personal property used or intended to be used to commit the offense

o Imprisonment of up to 15 years


It accomplished four things:

1) It made identity theft a separate crime against the individual whose identity was stolen and credit destroyed. Previously, victims had been defined solely by financial loss and often the emphasis was on banks and other financial institutions, rather than individuals.

2) It established the FTC as the federal government’s central point of contact for reporting identity theft instances by creating the Identity Theft Data Clearinghouse.

3) It increased criminal penalties for identity theft and fraud by carrying a maximum penalty of 15 years imprisonment and substantial fines.

4) It closed legal loopholes, which previously made it a crime to produce or possess false identity documents, but not to steal another person’s personal identifying information.


California Laws:

Penal Code §§ 530.5 – 530.8

Section 530.5(a) - Every person who willfully obtains personal identifying Information…of another person, and uses that information for any unlawful purpose, including to obtain, or attempt to obtain, credit, goods, services, real property, or medical information without the consent of that person, is guilty of a public offense, and upon conviction therefor, shall be punished by a fine, by imprisonment in a county jail not to exceed one year, or by both a fine and imprisonment…

See www.leginfo.ca.gov


California Spam Laws

a) Business & Professions Code, § 17529

It’s estimated that spam costs California organizations over 1.2 billion dollars

Spam is responsible for virus proliferation causing damage to both individual computers and business systems

Prohibits spam and regulates commercial advertising e-mails

b) Bus. & Prof. Code, § 17538.41 - Text message advertisements

c) Bus. & Prof. Code, § 17538.45 - Unsolicited email advertisement

See www.leginfo.ca.gov


Executive Order

o Title: Improving Critical Infrastructure Cybersecurity

o Released by White House - February 12, 2013

o Policy:

i. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity

ii. The cyber threat to critical infrastructure continues to grow and represents serious national security challenges

iii. The national and economic security depends on the reliable functioning of the Nation's critical infrastructure


Policy … continued:

iv. To enhance the security and resilience of critical infrastructure

v. To maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties

vi. Develop partnerships with the owners and operators of critical infrastructure to improve cyber-security information sharing and collaboratively develop and implement risk-based standards


Resources

o Federal Trade Commission – www.ftc.gov

o Department of Homeland Security – www.dhs.gov

o Office for Victims of Crime - www.ovc.gov/pubs/ID_theft/idtheftlaws.html

o Identity Theft Resource Center - www.idtheftcenter.org/map.html

o USA.gov - www.usa.gov/Citizen/Topics/Internet-Fraud.shtml

o Department of Justice - www.justice.gov/criminal/fraud

o White House - www.whitehouse.gov

o eConsumer - www.econsumer.gov/english


Any Questions?

Salar Atrizadeh, Esq.

9701 Wilshire Blvd., 10th Floor

Beverly Hills, CA 90212

Email: [email protected]

www.atrizadeh.com

Blog: www.internetlawyer-blog.com