Hide Notes 

Slide 1: Privacy at the Bleeding Edge Lance Koonce www.privsecblog.com
Slide 2: Recent and Emerging Technologies • • • • • • • Blogs, Podcasts, Vlogs, Mologs WiFi, Wardriving, Wijacking RFID VoIP Biometrics, Encryption Mobile Technologies, Bluetooth Virtual Worlds
Slide 3: Blogs: The Technology • • • • • • Blog Authoring Software RSS Feeds Filtered or unfiltered comments Podcasting (audio blogs) Mologs (mobile phone blogs) Vlogs (video blogs)
Slide 4: Blogging • Types of Blogs: – Individual or Small Group Blogs • Diary-like • Topical • Journalistic – Corporate Sponsored • Topical / Corporate Marketing • Employee Blogs • Journalistic
Slide 5: Why Does Blogging Matter? • Anywhere from 15 to 100 million blogs in existence, depending on who you ask • Companies offer blogs as employee service (like a bulletin board) and as viral marketing • Whether company sponsors blogs or not, it is inevitable that some employees will have their own blogs • Big Danger is speed/breadth of dissemination of careless or impulsive commentary – Think of: Instantaneous publication of email
Slide 6: Blogging Issues • Legal Issues • Technical Issues • Practical Concerns
Slide 7: Privacy Overview From a corporate perspective, blogging privacy issues mainly arise in two contexts: • Corporation maintains a blog or is considering a blogging policy for employees • Employee or outside individual is blogging about the corporation
Slide 8: Blogging Overview: Whose Privacy? • Where corporation or employee maintains a blog, legal issues may arise: – Privacy torts: when blog entries or visitors’ comments constitute invasion of the rights of third parties – Defamation and libel of third parties – Disclosure of trade secrets or other sensitive information, and purported whistleblowing – Collection of information about visitors to the blog (registering users who post comments) – Monitoring of employee entries on blogs
Slide 9: Blogging Overview: Whose Privacy? • Corporate interests may also be implicated by outside blogs – Disclosure of trade secrets/sensitive info – Defamation of corporation
Slide 10: Blogging Overview: Examples of Disputes • Less than 10 legal cases mentioning the word “blog” in all federal and state courts to date • The only substantive cases about blogs have been Apple trade secret case, recent Delaware defamation case • Most disputes have been made public through blogs themselves, which demonstrates power of the medium
Slide 11: Blogging Overview: Examples of Disputes • Apple v. Doe trade secrets case (Cal.) • Doe v. Cahill defamation case (Del.) • Employer/Employee disputes: – Flight Attendant case – Google Employee – Microsoft – PR Company employee
Slide 12: Legal Issues for Corporate Blogs: Intrusion Into Private Affairs • Trespass constitutes intrusion – electronic trespass, recognized in some recent cases, would also be intrusion (intercepting phone calls, email, etc.) • Standard: Cannot perform any act that intrudes upon someone’s private affairs if the intrusion would be considered “highly offensive” to a reasonable person • Determination of what is highly offensive depends on social standards of community and what level of privacy people can expect under the circumstances • For blogs, liability turns on where and how information later posted on blog is collected – Mologs and Vlogs may be particularly susceptible to intrusion claim, if photos and video taken without another’s knowledge
Slide 13: Legal Issues for Corporate Blogs: Right of Publicity • Using another person’s name, likeness or personality without authorization for advertising or commercial purposes • Key here is whether use was for commercial purpose: unlikely to be the case for most blogs • But: for corporate blogs that serve marketing purpose, must be careful when using celebrity’s name, likeness or personality
Slide 14: Legal Issues for Corporate Blogs: Defamation, Libel and False Light • Defamation and libel: False statement of fact that damages the reputation of a person or business – Defamation is spoken, libel is written • Opportunities abound for liability with blogs: – By definition the libelous words are made public to third parties – Words are often written with little thought – Context of a discussion may make it clear that even cleverly worded statements (ie, not naming the person) are defamatory • False light: Publicizing information about a person that places person in false light in a manner that would be highly offensive to a reasonable person. – Person responsible for making info public must have acted with knowledge or reckless disregard with respect to the falsity of the publicized matter
Slide 15: Legal Issues for Corporate Blogs: Data Collection • Most blogs do not collect user information • However, can require users to register before posting comments – Again, even blogs with registration procedures usually do not require personally identifiable information • To the extent such information collected, privacy policy should be posted and data should be treated like any other data collected by a corporate website.
Slide 16: Legal Issues Arising from Third Party Blogs: Disclosure of Trade Secrets • Deliberate or inadvertent disclosure of sensitive information by former employees, or by third parties • Also arises in context of corporate blogs (usually through inadvertent disclosure) • Claim is defined by Uniform Trade Secrets Act, adopted by most states; unfair competition claims – Economic Espionage Act of 1996 for criminal claims – As practical matter, availability of legal claim may not be as important as acting quickly to remove material from the blog – Take-down notice to blog host or Internet Service Provider is likely the first step • To the extent possible, consider monitoring of blogs of disgruntled employees
Slide 17: Legal Issues Arising from Third Party Blogs: Defamation of Corporation • Disgruntled employees, unhappy customers, etc. • Corporation may be defamed, and products/services may be disparaged • Remedies dependent on state law, although product disparagement may also be subject to federal law
Slide 18: Industries For Which Blogs May Raise Additional Legal Issues • Technology Companies • Health Care Industry • Media Entities
Slide 19: Corporate Blogging Policies • Publicly available policies: – – – – – – – Sun Microsystems IBM Yahoo Borland Feedster Groove Networks Harvard Law School • Blogging policy “wiki”: – www.socialtext.net/charleneli/index.cgi? corporate_blogging_policies
Slide 20: Corporate Blogging Policies • See Appendix for corporate policies that have been made public • Policies can be as wide-ranging as the industries served and are dependent on the corporate cultures of the company • Decision must be made at outset as to how blog-friendly policy will be • Policy should always incorporate company’s privacy policy
Slide 21: Corporate Blogging Policies • Policy is as much about education as proscription: explain sources of liability • Restrictions on blogging outside of workplace are unlikely to be effective • Bloggers must respect not just privacy rights, but copyright, trademark, etc. • Company must decide whether to vet blog entries before posting (likely impractical in large organizations) • Must also decide whether to allow third party comments, and if so, whether to vet those comments before posting • Remind employees: although conflict makes for good drama (and good blogging in some contexts!), it does not necessarily make for good corporate blogging • Work with PR department as well as legal, HR • Section 230 of Communications Decency Act may shield employer liability in some instances
Slide 22: Employee Blogging Policies: Essentials • Disclaimer of corporate liability: consider giving employees precise language to use • Notice to employees that blogging must comply with all HR policies • Notice to employees re disclosing trade secrets and other sensitive info • Notice to employees re various legal claims that might be made • Notice re vetting of questionable posts • “Best Practices” component
Slide 23: WiFi • Wardriving/Wijacking – Unauthorized access to wireless networks – Recent example in Washington State: consultant for law firm accessing public utility files at public meeting • Risks: – Loss of trade secrets or competitive advantage – Loss of passwords/access information – Ultimately, data breach and identity theft
Slide 24: RFID • Second wave of ubiquitous customer preference and usage tracking – First wave was online advertising (cookies), TiVo • Business advantages are tremendous if cost structure becomes reasonable, but… • Customers will increasingly see tracking information as personal data deserving of privacy protection under existing or new laws – Question is whether RFID will be seen as “surveillance” or usage optimization • Procedures in place to make information available in the aggregate only and not personally identifiable? • There will be waves beyond RFID: constraints are only bandwidth, cost, deployment of networks
Slide 25: Voice Over Internet • Another example of digitization of personal communication – Same security and privacy concerns as other digital communications, but more to protect since audio is added • Not yet widely adopted by corporations, primarily because of quality issues – Most corporate systems are closed, no Internet connectivity – But need to guard against employees downloading peer-to-peer programs like Skype, which may be more vulnerable • Subject to eavesdropping, voice spam, phishing, spyware, denial-of-service attacks – But voice is harder to search and index than text, which may make some attacks less likely • Current wiretap laws may not address
Slide 26: Gaming / Virtual Worlds • Testing ground for next-generation issues • Electronic proxies for real individuals, interacting in purely digital environment • Expectation of privacy? • Relationship of personal information to virtual identity? • Bleeding edge example: phishing attacks in gaming environments