
Mind What You “Like” on Facebook

Written By: Ali Mousavi

The connection between a person’s browsing history and his or her own state of health is too tenuous to support plaintiffs’ contention that the disclosure requirements of HIPAA or California Civil Code section 1798.91 apply in the Smith case.[1]

Facebook has been capturing and selling the details of users who browse third-party health sites.[2] Plaintiffs, Winston Smith and two Jane Does, alleged that Facebook violated numerous federal and state laws by collecting and using their browsing data from various healthcare related websites.[3] The suit names Facebook and seven cancer institutions as defendants.[4]

The suit alleges that Facebook’s use of tracking cookies means that any site with a “like” button can potentially send browsing data to Facebook. That includes the site they have visited, any pages within that site, and anything they might enter into the search bar.[5] Plaintiff Smith alleges that Facebook captured the information about his “likes” and sold the information without his consent.[6]

In determining consent, courts determine “whether the circumstances, considered as a whole, demonstrate that a reasonable person understood that an action would be carried out so that their acquiescence demonstrates knowing authorization.”[7] The court cited an excerpt of Facebook’s disclosure that explains its collection and use of information of a person who visits or uses a third-party website that in turn uses Facebook’s services, for example, the “like” button.[8] The Ninth Circuit’s reading of the disclosure is that a reasonable person viewing the pertinent part of the disclosure would understand that Facebook maintains the practices of “(a) collecting its user’s data from third-party sites and (b) later using the data for advertising purposes.”[9] Consequently, the court held that knowing authorization of these practices constitutes the plaintiff’s consent.[10] Therefore, the Ninth Circuit held that the district court properly dismissed the action because knowledge constitutes consent.

Plaintiff also argued that the collected data is subject to more stringent disclosure requirements under the Health Information Portability and Accountability Act of 1996 (“HIPAA”).[11] The court rejected this argument, stating that the connection between a person’s browsing history and his or her own state of health is too “tenuous” to be protected under HIPAA.[12] The court’s reasoning was that the information available on publicly accessible websites “stands in stark contrast” to the personally identifiable patient records and medical histories protected by the statute.[13]

What is left as an option for Smith and other Facebook users is to be mindful of what they “like” on Facebook.

 

[1] Smith v. Facebook, Inc., 745 F. App’x 8 at 9 (9th Cir. 2018).

[2] Emma Woollacott, Man Called Winston Smith Files Lawsuit Against ‘Big Brother’ Facebook, Forbes, Mar. 19, 2016, https://www.forbes.com/sites/emmawoollacott/2016/03/19/man-called-winston-smith-files-lawsuit-against-big-brother-facebook/#1217059c7e28 (last visited Mar. 10, 2019).

[3] Smith, 745 F. App’x 8 at 8.

[4] Woollacott, supra note 2.

[5] Id.

[6] Id.

[7] Smith, 745 F. App’x 8 at 8.

[8] Id.

[9] Id. at 8-9.

[10] Id. at 9.

[11] Id.

[12] Id.

[13] Id.

The Face Behind Bitcoin: He Said, She Said

By Chris A. Batiste-Boykin

On March 6, 2014, Newsweek published an article by reporter Leah McGrath Goodman in which Goodman claimed to have identified the creator of Bitcoin as Mr. Dorian Nakamoto. The article reads almost like a Tom Clancy novel and suggests that the creator of the volatile, digital currency left clear and obvious hints as to his identity, despite an overwhelming public awareness that he intended to remain anonymous.

Mr. Nakamoto vehemently denies being Bitcoin’s creator and has lawyered up to defend his position. Mr. Nakamoto claims he didn’t even know that Bitcoin existed until February 2014 and that Newsweek’s accusation is costing him opportunities for gainful employment and adversely affecting the health and well-being of his family.

Mark Your Calendars For Dropbox’s Arbitration Opt-Out!

By Lauren Harriman

Heads up: Dropbox just dropped a bomb during its most recent Terms of Service (TOS) and Privacy Policy update, and you need to take action! The update, which takes effect on March 24, adds an arbitration section to the TOS. If you prefer not to arbitrate, you must opt out by completing an online form. While arbitration is a “quick and efficient way to resolve disputes,” and “provides an alternative to things like state or federal courts,” which can take “months or even years,” arbitration does not provide a record of the proceeding.

A record is crucial to developing common law. Common law is critical in an area of law, such as technology law, where legislation is severely lacking. Any Dropbox user’s legal complaint should have the potential to provide legal precedent for future disputes. Only complaints filed in the state and federal courts can provide that potential. Remember that arbitration means you will likely be haled to Dropbox’s headquarters in San Francisco should you have a dispute. Dropbox users can opt out of the arbitration clause now by signing in with their usernames and submitting their first and last names. So take a minute and opt out of this drop-bomb.

Preventing the “Napsterization” of 3-D Printing

By Nicole Syzdek

Gartner, Inc., an American information technology research and advisory firm, reported that in 2013, combined end-user spending on 3-D printers will reach $412 million, up 43% from 2012.[1] This rapid increase in revenue for 3-D printing companies is not likely to slow down anytime soon. Gartner predicts that in 2014, spending will increase by 62%, reaching $669 million. The increase of 3-D printing has the ability to shake up many areas of commerce.

3-D printers allow consumers to print three-dimensional objects at home. Although there are many competing designs for 3-D printers, most work in a similar way. The printing begins with a blueprint typically created with a computer-aided design (CAD) program running on a desktop computer. CAD programs are presently utilized by many designers, engineers, and architects to model physical objects before they are created. Blueprints can also be created by using a 3-D scanner to scan an existing object, in much the same way that a regular flat scanner can create a digital file of a 2-D image. Once the CAD is created, it is sent to the printer, which builds the object up, layer by layer, from tiny bits of material.

The Computer Fraud and Abuse Act: Current Coverage and Needed Reform

By Lauren Harriman

In 1984, Congress was facing a rapidly changing technological landscape. The world wide web was not yet available at the consumer level, but Internet use was growing quickly among universities. Law enforcement officers felt unprepared to handle what they believed would be “brand new” crimes of the Internet. Officers were not only concerned with domestic computer security threats, but international threats as well. Thus, in 1986, Congress enacted the Computer Fraud and Abuse Act (CFAA) to clarify the law surrounding computer-related crimes. However, the “brand new” Internet crimes that law enforcement feared and the CFAA meant to address were not entirely novel. In fact, the CFAA duplicated charges for several crimes already included in the Penal Code, simply providing prosecutors with one more tool to use in plea bargaining.

In plea negotiations, prosecutors are able to threaten law violators with extensive jail time if a settlement cannot be reached. This is especially true when prosecutors can charge violators under multiple statutes for the same crime. This plea bargaining tactic discourages the exercise of the right to a jury because violators are not willing to risk being found guilty of all charges. Aaron Swartz, prosecuted under multiple sections of the CFAA for excessively downloading documents from JSTOR over MIT’s network, fell prey to this tactic in 2012. Rather than face a sentence of thirty years in prison, Swartz committed suicide in 2013. His fate has united the Internet community in demanding reform of the CFAA.

The Judicial System: NSA’s Key Recovery Service

By Kennard Herfel

Among the global gossamer of controversies concerning the NSA revelations brews a key case involving Ladar Levison, the founder of the encrypted email provider Lavabit. Levison created Lavabit soon after Congress passed the Patriot Act to preserve citizens’ privacy in online messages.

Last Tuesday, the Fourth Circuit Court of Appeals heard oral arguments regarding the legitimacy of the contempt order placed on Levison for not providing the FBI with the Secure Sockets Layer (“SSL”) key to Lavabit. SSL is security technology that encrypts the links between server, client, and browser. The SSL encryption by Lavabit was likely too elaborate for the FBI to decrypt; thus, the FBI’s SSL request.

When the feds can’t decrypt SSL, like that used by Lavabit, they customarily turn to other methods to obtain the desired information, such as using “backdoor” hardware installation or asking the company to disclose the information or turn over the SSL key. To the extent of public knowledge, a company has never refused to comply with a government request for encryption keys—until Lavabit.

CA Eraser Law: Sending the Wrong Message?

By Lauren Harriman

California’s new eraser law lets minors remove their posts from websites. But in a time where everything anyone posts is a Google search away from being uncovered, is Internet erasability really something we want to teach the next generation? While I recognize that children need the opportunity to learn from their mistakes, should we be teaching them that the Internet is an acceptable place to make those mistakes? Rather than encouraging children to share every uncensored opinion on Twitter, every bad outfit choice on Instagram, and every awkward dance move on YouTube, perhaps it’s better to instruct the young generation that the Internet is more like the podium at the school assembly rather than the note passed in class. I’m all for encouraging children to experiment, but perhaps that experimentation is best done at home, or at least in person, rather than in front of an Internet audience of over 1 billion people. Although the new law allows for the erasure of content, there is no way to erase it from the minds of the multitude of people who have already seen it.

Read more at: New California Law Lets Teen Press ‘Erasure Button’ Online

Google Fined $1.2 Million by Spanish Privacy Authority

By Emily Poole

Google has just been hit with a €900,000 ($1.2 million USD) fine, the maximum amount possible for violation of Spain’s data protection law. Google was found guilty of three distinct violations: (1) collecting users’ data, (2) combining users’ data from a variety of its services and (3) storing the data indefinitely, all without properly informing its users or obtaining consent.

Last year, privacy watchdogs from the 28 EU member states contacted Google, urging the company to amend its privacy policies to better align with the EU’s data protection principles. It appears that Google didn’t take the hint, however, as none of its privacy policies were revised after the notice.

Google has since responded in a written statement that the company is working with the Spanish authority to determine the next steps toward creating a privacy framework that will pass muster under Spanish law. Perhaps this week’s fine finally hit a nerve, though it’s more likely negative media attention is what actually struck a chord . . . what’s $1.2 million to a multi BILLION dollar conglomerate?

In the coming year, Google could also face fines in five other EU nations for similar privacy violations.

 


The EU’s Move Toward Stronger Digital Data Privacy

By Emily Poole

The European Union (“EU”) is in the process of strengthening its online data privacy laws, the far-reaching effects of which will be felt by any U.S. company or organization operating in the EU. The latest move toward implementation of the General Data Protection Regulation (“Regulation”) occurred in late October 2013, when the European Parliament approved certain amendments to the current draft of the legislation.

Right now, the 1995 Data Privacy Directive (“Directive”) regulates data privacy in the EU. It directs each of the twenty-eight member countries to create its own set of privacy laws that comply with the Directive’s seven principles: notice, purpose, consent, security, disclosure, access and accountability. Since the Directive only provides a framework by which countries are expected to abide, rather than imposing concrete regulations, privacy law in the EU is a patchwork of country-specific rules, with some countries implementing and enforcing robust privacy regulations and others creating laws that simply meet the minimum requirements of the Directive.

Secure Email: No Such Thing?

By Emily Poole

Encrypted email provider Lavabit, founded by Ladar Levison, closed shop last August after being ordered to give the U.S. government the SSL keys to the entire Lavabit website. With the keys, the government—appearing to only be after information regarding whistleblower Edward Snowden, one of Lavabit’s users—simultaneously obtained access to the content of 400,000 other Lavabit email users.

On October 10, 2013, Lavabit filed an appeal in the U.S. Court of Appeals for the Fourth Circuit, arguing that the government’s demand for the SSL keys was unconstitutional and in violation of the Fourth Amendment. The Department of Justice is meant to file a response brief later this month.