  • Time change. Until now, Twitter has made a clear distinction between people you follow and people you don’t follow: You only saw tweets from those whom you followed. Now, the service, in what it calls a “timeline experiment,” will place tweets on your timeline from select users that you are not following. Twitter is using an algorithm that determines which such tweets you will see based on the users that you do follow, the popularity of the users you do not follow, and other factors. You won’t be able to opt out of this feature and some frequent Twitter users have complained that it removes one of the factors that distinguishes Twitter from other social media platforms.
  • False flag. We wrote recently about the fake Facebook account that the Drug Enforcement Administration created to gather information for a narcotics investigation. On October 17, Facebook’s chief security officer wrote a letter to DEA Administrator Michele Leonhart calling the agency’s actions a “knowing and serious breach” of Facebook’s policies. Facebook asked the DEA to confirm that it had stopped engaging in this tactic. Facebook’s letter specifically questioned the DEA’s contention that the woman who was the subject of the fake account implicitly consented to use of her personal information for such purposes when she consented to a search of her phone.
  • Square deal. Foursquare has been known mostly as a check-in app – a place where you post your location but not much more. The company’s new ad campaign hopes to change that image and to position Foursquare as a food-oriented rating and recommendation network similar to Yelp and Urbanspoon. “Introducing the all-new Foursquare, which learns what you like and leads you to places you’ll love,” is the new slogan on the Foursquare website. The ad campaign will roll out in mass transit in New York and Chicago and in bike-share locations in the Windy City.

In a little-noticed decision, Matter of Noel v. Maria, Support Magistrate Gregory L. Gliedman—a Staten Island, New York family court official—recently permitted a father seeking to modify his child support payments to serve process on the child’s mother by sending her a digital copy of the summons and petition through her Facebook account.

Magistrate Gliedman’s decision struck us at Socially Aware—where we follow such developments closely—as a groundbreaking move. We are unaware of any published U.S. court opinion permitting a plaintiff to serve process on a domestic, U.S.-based defendant through a Facebook account.

As we addressed in a 2012 Socially Aware blog post, in Fortunato v. Chase Bank a federal district court in Manhattan held that Chase Bank could not rely on Facebook to serve a third-party defendant.

While the same federal district court subsequently allowed the FTC to serve defendants through Facebook in FTC v. PCCare247, the service at issue in that case concerned documents other than the summons and complaint, and the defendants were two India-based entities and three India-based individuals who had already appeared through counsel and shown themselves to be on notice of the lawsuit.

Other cases authorizing service via social media have been similarly limited in scope. For example, in WhosHere v. Orun, the U.S. District Court for the Eastern District of Virginia allowed service via social media on a defendant who allegedly resided in Turkey. In Mpafe v. Mpafe, a Minnesota family court authorized the service of divorce proceedings on a defendant by “Facebook, Myspace or any other social networking site” where the defendant was believed to have left the country.


Not to be outdone by Florida, California has yet again amended its data security breach law and again in groundbreaking (yet confusing) fashion. On September 30, 2014, California Governor Brown signed into law a bill (“AB 1710”) that appears to impose the country’s first requirement to provide free identity theft protection services to consumers in connection with certain data security breaches. The law also amends the state’s personal information safeguards law and Social Security number (“SSN”) law. The amendments will become effective on January 1, 2015.

Free Identity Theft Protection Services Required for Certain Breaches

Most significantly, AB 1710 appears to amend the California breach law to require that a company offer a California resident “appropriate identity theft prevention and mitigation” services, at no cost, if a breach involves that individual’s name and SSN, driver’s license number or California identification card number. Specifically, AB 1710 provides, in pertinent part, that if a company providing notice of such a breach was “the source of the breach”:

an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer to any person whose information was or may have been breached.

The drafting of this requirement is far from clear and open to multiple readings. In particular, the use of the phrase “if any” can be read in multiple ways. For example, the phrase “if any” can be read to modify the phrase “appropriate identity theft prevention and mitigation services.” Under this reading, the law would impose an obligation to provide free identity theft protection services if any such services are appropriate. The phrase “if any,” however, could be read to modify the “offer” itself. Under this alternate reading, the law would provide that if a company intends to offer identity theft protection services, those services must be at no cost to the consumer. It is difficult to know how the California Attorney General (“AG”) or California courts will interpret this ambiguity. One thing is clear: until the AG or courts opine, the standard will remain unclear.

The drafting of the requirement also is not clear in other ways. For example, the statute does not specify what type of services would qualify as “appropriate identity theft prevention and mitigation services.” Would a credit monitoring product alone be sufficient to meet the requirement? Or would the law require something in addition to credit monitoring, such as an identity theft insurance element?

State AGs historically have encouraged companies to provide free credit monitoring to consumers following breaches. In addition, even though not legally required, free credit monitoring has become a common practice, particularly for breaches involving SSNs and also increasingly for high-profile breaches. Nonetheless, California appears to be the first state to legally require that companies offer some type of a free identity theft protection service for certain breaches.

AB 1710 is particularly notable in its approach. First, the offer of free identity theft protection services will only be required for breaches involving SSNs, driver’s licenses or California identification card numbers. In this regard, an offer of free identity theft protection services will not be required for breaches involving other types of covered personal information, such as payment card information or usernames and passwords. This approach endorses a position that many companies have long held—that credit monitoring is appropriate only when the breach creates an actual risk of new account identity theft (as opposed to fraud on existing accounts). In addition, the offer of free identity theft protection services will only be required for a period of one year (as opposed to, for example, two years). The length of the offer of free credit monitoring has always been an issue of debate, and California has now endorsed a position that a one-year offer is sufficient.


  • Blind spots. Self-driving cars are an excellent example of innovation, and the ones with Google technology have already traveled more than 700,000 miles. But what if a self-driving car doesn’t “see” a new traffic light or a previously nonexistent traffic sign? This could result in traffic citations, or worse. But Google says it’s taking steps towards eliminating this type of problem and that the future of self-driving cars is essentially unlimited.
  • Getting personal. As the name suggests, Michigan’s Video Rental Privacy Act limits the ability of companies to disclose information regarding customers’ video rental activities. But does the law cover magazines as well as videos? In a case filed by a consumer who alleged that a magazine company had improperly disclosed her personal information, along with information about the magazines to which she subscribed, the U.S. District Court for the Eastern District of Michigan recently held that the law does in fact apply to magazines. The court noted that the statute is directed to companies “engaged in the business of selling at retail, renting, or lending books or other written materials, sound recordings, or video recordings,” and that magazines constitute “other written materials.”
  • Geotargeting crime. In a new effort to use technology to foil credit-card fraud, a company called BillGuard is testing a system that would monitor the precise whereabouts of mobile devices to detect possible payment issues. The tech firm is tracking mobile-phone locations in an attempt to stay one step ahead of fraudsters. Because smartphones are almost always near their owners, the technology would register and flag those occasions when a phone is not near the owner’s credit card. The technology would only be used with the consumer’s consent.
  • Breaking the ice. No one expected that people dumping buckets of ice water over their heads for charity would become the viral phenomenon that it has. One key technical secret to the success of the “ice bucket challenge” may have been Facebook’s adoption of “autoplay” videos. Autoplay videos, which are muted by default, attract attention to video content on the social network by moving without being prompted—a great way to help spread memes.
  • What happens next will shock you! “Clickbait”—provocative headlines that often lead to less-than-compelling content—has been around for quite a while, and some folks are striking back. Facebook is reportedly trying to fight clickbait by making user-friendly changes to its News Feed that promote more informative headlines. Meanwhile, Twitter user @SavedYouAClick retweets clickbait-y hyperlinks with a brief summary of the actual content. Spoiler alert, indeed.
  • TMI? Should psychotherapists have social media profiles that are open for patients’ perusal? Although therapists are often reluctant to share personal details with patients IRL (in real life), that may not be the case on social media… which can blur the boundaries between personal and professional. Meanwhile, ethical rules governing the online interaction between therapists and patients are just starting to take shape. The Washington Post offers an interesting take on the role of social media in the therapist/patient relationship.
  • May a lawyer ethically instruct a client to delete potentially damaging information from a client’s Facebook page? According to a new ethics opinion from the Philadelphia Bar Association, yes, so long as the information is preserved in some way, should it become relevant to the case. The opinion also determined that, under the Pennsylvania Rules of Professional Conduct, a lawyer may ethically instruct a client to change the privacy settings on a client’s Facebook page.  It remains to be seen whether other bar associations will follow Philadelphia’s lead on these thorny issues.
  • Google reportedly noticed probable child pornography in someone’s email and tipped off police, who obtained a search warrant and arrested the Houston man for possession of child pornography. This is clearly permitted by Google’s terms of service. While no one has sympathy for predators, some have expressed concern over the privacy implications of Google’s actions.
  • LinkedIn has announced that it is launching a new service designed to help buyers and salespeople find each other. The service is called Sales Navigator. It could help diversify LinkedIn and make it more profitable, experts say, and it could also pose strong competition to the existing, and pricey, software platforms that salespeople currently use to find customers.
  • Going mainstream. For the first time, both Twitter and Facebook are seeing significant growth in online advertising placed by major companies for brands such as Heineken, Tide, McDonald’s, and Charmin. Major consumer products companies have long struggled with the question of how to reach consumers on their mobile devices, and right now, this appears to be how they’re doing it.
  • Mismatch? The popular dating site OKCupid conducted some experiments with its user base — changing the type of information available to them about prospective matches and even falsifying it to an extent — in order to see what effect it had on conversations among daters and on how relationships developed. Some observers are critical of this type of experiment on ethical grounds.
  • Loose tweets sink ships? Law enforcement agencies in the Pacific Northwest have launched a “Tweet Smart” program that is intended to discourage people from using social media during emergencies to describe the movements and activities of law enforcement personnel. After a few recent shooting incidents, police are concerned that a tweet, for example, might tip off a perpetrator to police tactics.
  • Judges’ perspective. A recent survey of federal judges found that the vast majority of them do not believe that jurors’ use of social media has posed a problem in their courtrooms. Only 33 of 494 judges responding reported any detectable instances of jurors using social media, and the vast majority of those instances were harmless.

In November 2012, we wrote an Alert about the European Commission’s Communication on Cloud Computing intended, it said, to “… unleash the potential of cloud computing in Europe”.  Sceptics were doubtful that the cloud industry needed much help from European regulators to thrive.

Twenty months later, the Commission has begun to deliver on its key actions in the Communication with the publication of its Cloud Service Level Agreement Standardisation Guidelines.

How helpful are these Standardisation Guidelines to the cloud sector at this point in its development?

The recently-issued Cloud Service Level Agreement Standardisation Guidelines have their origin back in November 2012.  At that time, the European Commission issued a Communication setting out a road map for the future growth of cloud computing in Europe.

In the 2012 Communication, the Commission set out a number of key actions, including to cut through the jungle of standards and to promote safe and fair cloud contracts.  The Commission believes that the development of model terms for cloud computing – and, specifically, service level agreements in the cloud sector – is one of the most important issues affecting the future growth of the cloud industry in Europe, and that standardising the approach to cloud services will enable buyers of cloud computing services to make fair comparisons between different providers’ offerings.


The latest issue of our Socially Aware newsletter is now available here.

Welcome to a special privacy issue of Socially Aware, focusing on recent privacy law developments relating to social media and the Internet. In this issue, we analyze a controversial European ruling that strengthens the right to be forgotten; we examine a recent California Attorney General report regarding best practices for compliance with the updated California Online Privacy Protection Act; we summarize the FTC’s recent settlement with Snapchat and its broader implications for mobile app developers; we report on a case filed by a French consumer association accusing three major social networking sites of using confusing and unlawful online privacy policies and terms of use; and we highlight the growing popularity of anonymous social apps and the security risks that they pose.

All this–plus a collection of thought-provoking statistics about online privacy…