The number of consumers using multiple devices—from smartphones to tablets to laptop computers—has exploded in recent years and continues to grow globally. Companies are increasingly turning to new technologies in an attempt to ascertain that multiple devices are connected to the same person for a variety of purposes, such as preventing fraud, providing a more seamless user experience, and more effectively reaching their target audience. While such cross-device tracking provides a number of benefits, it also raises privacy concerns that have drawn increased regulatory scrutiny in the last few years.

Join Socially Aware contributors Julie O’Neill and Alja Poler De Zwart on Wednesday, Oct. 11, from 11:00 am until 12:00 pm ET for a practical, multijurisdictional look at cross-device tracking and best practices that companies can employ to achieve maximum commercial advantage while mitigating privacy risks. Topics that will be addressed include:

  • An overview of various cross-device tracking technologies and how they are used;
  • The privacy issues that cross-device tracking implicates and how to avoid common pitfalls;
  • Essential features of a compliant digital advertising program; and
  • Recent U.S. and EU regulatory activity and trends, including self-regulatory guidance.

Register now. There is no charge to attend the webinar.

As Socially Aware readers know, privacy and data security issues are among the most critical legal issues confronting companies that do business online. With ransomware attacks and hacking incidents on the rise, and with privacy and data security laws becoming increasingly burdensome, companies are spending more time and resources than ever before addressing privacy and data security issues. Indeed, Morrison & Foerster recently collaborated with ALM Intelligence to take an in-depth look at the types of privacy and data security issues with which in-house legal departments are wrestling, and how such departments are dealing with these issues. The resulting report is interesting and informative, and can be found here.

More and more often, the organizers of conferences, trade shows and events are taking advantage of beacon technology to track attendees’ movement throughout their conventions’ sessions and event spaces. Although no U.S. law specifically prohibits such tracking, the FTC has made it clear that companies need prior consent to engage in such tracking.

Find out how you may be able to monitor conference attendees’ movements throughout your event space without running afoul of the FTC Act. Read Convene magazine’s interview with Socially Aware marketing desk editor Julie O’Neill.

On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap.

Facebook’s four-year battle on behalf of its users, seeking to quash 381 warrants obtained by the New York County District Attorney’s Office, has come to a close. The decision of the New York Court of Appeals—which is New York’s highest court—leaves Facebook users exposed to wide-ranging and largely unchecked inquiries by New York criminal prosecutors into their Facebook accounts.

The story begins in July 2013, when the New York Supreme Court—which is the trial court in New York—issued 381 warrants arising out of the district attorney’s (DA) application for warrants under the Stored Communications Act (SCA). The DA was investigating an alleged Social Security Disability fraud scheme.

The DA’s request was extraordinarily broad. The warrants functionally amounted to a request for 381 users’ entire Facebook histories. The warrants compelled Facebook to produce not only any and all text, photos or videos a user had shared with his or her limited universe of friends, but also any private messages exchanged between the user and another individual (who could have been a spouse, doctor, religious figure or attorney) as well as information the user had chosen to no longer share with anyone, such as a previous email address, a deleted friend or a hidden post, and information the user had never intended to share with anyone, such as his or her searches and location.

The warrants also compelled Facebook to produce content shared by users who were not named in the 381 warrants, and may not even have known anyone named in the 381 warrants, but who had the misfortune of posting on the timelines of those users, uploading photos of those users, or simply belonging to any one of the groups with which a named user was affiliated. At least several of the affected users were high school students who were highly unlikely to have been involved in a Social Security Disability fraud scheme. The issuing court also expressly prohibited Facebook from disclosing the existence or execution of the warrants.

While Facebook receives many such requests from law enforcement each year and often provides information in response, Facebook strongly objected to the wide-ranging requests in this case.

Facebook moved to quash the warrants on the ground that they were overly broad, but the New York Supreme Court denied the motion, finding that Facebook did not have standing to assert any privacy or Fourth Amendment rights on behalf of its users. Facebook also challenged the nondisclosure provisions of the warrants, but again the court sided with the DA, reasoning that disclosure of the warrants could jeopardize the DA’s ongoing investigation.

The intermediate appellate court dismissed Facebook’s appeal. The court explained that the orders from the lower court denying Facebook’s motion to quash were unappealable because, under New York law, there is no authority permitting review of interlocutory orders issued in criminal proceedings.

Facebook took the fight all the way to the New York Court of Appeals. Facebook argued that an order denying a motion to quash an SCA warrant should be treated like an appealable order denying a motion to quash a subpoena, rather than like an unappealable order denying a motion to quash a traditional warrant. While a traditional search warrant authorizes law enforcement officials to enter, search and seize property, an SCA warrant, like a subpoena, requires the target of the warrant to compile and turn over its own digital data.

On April 4, 2017, Facebook lost that fight when New York’s highest court ruled that it does not have authority to hear appeals from motions to quash search warrants issued under the SCA.

In a 5-1 decision, the Court of Appeals concluded that, despite the similarities between the manner of responding to SCA warrants and the manner of responding to subpoenas, an SCA warrant is a warrant, not a subpoena. As with traditional warrants, SCA warrants are only issued in criminal proceedings to a government entity that has supported its request for a warrant with probable cause. The court explained that the difference between execution of traditional warrants and SCA warrants is due to “the nature of the material sought”—it “ensures efficiency and minimizes intrusion” for a service provider to search and compile its own digital information rather than for law enforcement to conduct the search. Accordingly, the Court of Appeals found that the order denying Facebook’s motion to quash was not appealable.

Further, the Court of Appeals suggested that Facebook may not have had a right to bring a motion to quash in the first place. For purposes of this case, the Court of Appeals assumed, without deciding, that a motion to quash an SCA warrant was proper. However, the court noted that the SCA discusses warrants, subpoenas and court orders requiring disclosure of information separately, and only expressly provides for a motion to quash court orders.

The Court of Appeals did express some sympathy for Facebook’s concerns regarding the privacy of its users. At the outset, the court stated that “[t]his case undoubtedly implicates novel and important substantive issues regarding the constitutional rights of privacy and freedom from unreasonable search and seizures,” and that it was “tempting for the court to address those issues.” The court also noted that “Facebook’s concerns, as a third party, about overbroad SCA warrants may not be baseless.”

Notwithstanding its expressed concerns, and over a strenuous dissent from Judge Wilson, the New York Court of Appeals has provided criminal prosecutors wide-ranging investigative powers without providing Internet service providers an ability to obtain appellate review. With New York’s high court having spoken, the online industry’s focus is likely to shift toward a legislative fix that will promote users’ privacy interests and limit overreaching SCA warrants.

*        *       *

For other Socially Aware posts addressing user data and the Stored Communications Act, please see the following: Google Ordered to Comply with Warrant for Foreign-Stored User Data; Second Circuit: Email Stored Outside the U.S. Might Be Beyond Government’s Reach; and We’ve Come for Your Tweets: Twitter to Appeal Denial of Its Motion To Quash District Attorney’s Subpoena.

The global WannaCry ransomware attack should be a wake-up call for all companies about the threat ransomware poses. While WannaCry was one of the first highly publicized attacks in which ransomware was weaponized and used against numerous companies at once, there will undoubtedly be future attacks. Companies can take proactive steps to reduce their chances of being hit by the next ransomware attack, and our team is working with companies around the world to help them be more resilient in light of these evolving threats.

Here are some key steps you can take to help your company protect itself from the next attack:

  1. Make sure software patches are routinely applied.
  2. If possible, only use supported operating systems and other software.
  3. Utilize antimalware and antivirus software tools and services.
  4. Back up your critical data.
  5. Train your employees on how to spot phishing emails.
  6. Create a cross-functional incident response plan.
  7. Practice responding to a ransomware attack in a tabletop exercise to be able to hit the ground running when this type of event occurs.
  8. Establish or enhance relationships with law enforcement and other critical partners.

In addition, we’ve compiled several resources to help you prepare for and respond to a ransomware incident:

Live Webinar: June 6, 2017 at 12:00 PM (ET) / 9:00 AM (PT)

The May 2018 compliance deadline for the EU’s new General Data Protection Regulation (GDPR) is fast approaching and—with non-compliance penalties of up to €20 million or 4% of annual global turnover at stake—you cannot afford to miss the deadline.

Please join Socially Aware contributors and Morrison Foerster privacy & data security attorneys Lokke Moerel and Marian A. Waldmann Agarwal for a complimentary, practical webinar explaining where you should be in your efforts to meet the May 2018 compliance deadline, where you need to be in a year, and how to get there.

Lokke and Marian will pay particularly close attention to the aspects of the GDPR that will have the greatest impact on your company’s operations:

  • How to best implement the GDPR’s extensive documentation requirements;
  • How the right to data portability and the individual’s right to be forgotten (RTBF) will impact your business; and
  • How vendors are implementing their new obligations under the GDPR and how vendor contracts will need to evolve to comply with GDPR requirements.

Register for the Data Protection Masterclass here.

The U.S. Department of Justice (DOJ) recently secured a notable victory against Google in a dispute over the enforceability of a U.S. search warrant seeking access to foreign-stored account data.

The April 19 ruling—from Magistrate Judge Beeler in the U.S. District Court for the Northern District of California—is the latest sign that DOJ is continuing to rely on the Stored Communications Act (SCA) to seek overseas account data even after the Department’s high-profile defeat in the Second Circuit’s ruling in the Microsoft case.

And the opinion suggests that DOJ’s litigation strategy may be working.

The dispute arose after DOJ obtained a search warrant last year under the SCA directing Google to provide information related to specified Google user accounts. Google withheld some of the requested information and challenged the request. Google explained that it relies on algorithms to move user data around the world automatically to aid in network efficiency. Invoking the Second Circuit’s Microsoft ruling, which rejected DOJ’s efforts to obtain content stored on Microsoft servers in Ireland, Google argued that some of the requested data was stored exclusively overseas and therefore beyond the purview of an SCA warrant.

The latest issue of our Socially Aware newsletter is now available here.

In this edition, we explore the threat to U.S. jobs posed by rapid advances in emerging technologies; we examine a Federal Trade Commission report on how companies engaging in cross-device tracking can stay on the right side of the law; we take a look at a Second Circuit opinion that fleshes out the “repeat infringer” requirement online service providers must fulfill to qualify for the Digital Millennium Copyright Act’s safe harbors; we discuss a state court decision holding that Section 230 of the Communications Decency Act immunizes Snapchat from liability for a car wreck that was allegedly caused by the app’s “speed filter” feature; we describe a recent decision by the District Court of the Hague confirming that an app provider could be subject to the privacy laws of a country in the European Union merely by making its app available on mobile phones in that country; and we review a federal district court order requiring Google to comply with search warrants for foreign-stored user data.

All this—plus an infographic illustrating how emerging technology will threaten U.S. jobs.

Read our newsletter.

Twitter is suing the Department of Homeland Security in an attempt to void a summons demanding records that would identify the creator of an anti-Trump Twitter account.

Facebook has joined the fight against the nonconsensual dissemination of sexually explicit photos online—content known as “revenge porn”—by having specially trained employees review images flagged by users and using photo-matching technologies to help stop revenge porn images from being shared on the company’s apps and platforms.

Amid its own revenge porn scandal, the U.S. Marine Corps has expanded its social media policy to clarify how military code can be used to prosecute members’ offensive or disrespectful online activities.

A Minnesota judge has ordered Google to disclose all searches for the name of the victim of a wire-fraud crime worth less than $30,000.

Scientists are studying the use of emoji in human interactions, marketing campaigns and business transactions. Here at Socially Aware we’ve taken a look at the difficulty that courts have had in evaluating the meaning of emoji in connection with contract, tort and other legal claims.

Did the White House’s social media director violate the Hatch Act with a tweet?

In the interest of maintaining big-spending advertisers’ business, Google is trying to teach computers the nuances of what makes content objectionable.

The upcoming desktop version of the popular mobile dating app Tinder, Tinder Online, prompts users to talk more and swipe less.

One jet-setting couple with a combined three million Instagram followers is earning between $3,000 and $9,000 per post.

The New York Times’s Brian Chen walks readers through some of the most worthwhile apps and tech gadgets in the pet-care category.