Are You Concerned About Privacy On The Web?

There are as many different mindsets on web privacy as there are web users out there. Every week or so, a new “scare” crops up, be it a hacking scam or an expose on oversharing. But I wonder if users are truly aware of the limits of their privacy on-line. I know that I could have a better understanding than I currently posses.

I am a bit wiser about protected information after reading a Computerworld article (link here), published yesterday about the information that Facebook or Comcast may turn over to authorities in response to subpoenas. The breadth of the information is quite large. As the article explains, the information to be turned over must comply with applicable laws (and presumably Constitutional protections). However, as the ability to track information on the internet is far more fine-grained than in real-life, failing to comply with the law can be far more damning in cyber-space.

The documents supporting the Computerworld article are concededly a few years dated and may have been updated. Nonetheless, they are illuminating. For example, when Facebook is served with a subpoena, it follows its internal guidelines, set forth below:

Types of Information Available

User Neoprint

The Neoprint is an expanded view of a given user profile. A request should specify that they are requesting a “Neoprint of used Id XXXXXX”.

User Photoprint

The Photoprint is a compilation of all photos uploaded by the user that have not been deleted, along with all photos uploaded by any user which have the requested user tagged in them. A request should specify that they are requesting a “Photoprint of user Id XXXXXX”.

User Contact Info

All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:
Name
Birth date
Contact e-mail address(s)
Physical address
City
State
Zip
Phone
Cell
Work phone
Screen name (usually for AOL Messenger/iChat)
Website

With the exception of contact e-mail and activated mobile numbers, Facebook validates none of this information. A request should specify that they are requesting “Contact information of user specified by [some other piece of contact information]”. No historical data is retained.

Group Contact Info

Where a group is known, we will provide a list of users currently registered in a group. We will also provide a PDF of the current status of the group profile page.

A request should specify that they are requesting “Contact information for group XXXXXX”.

No historical data is retained.

IP Logs

IP logs can be produced for a given user ID or IP address. A request should specify that they are requesting the “IP log of user Id XXXXXX” or “IP log of IP address xxx.xxx.xxx.xxx”.

The log contains the following information:

* Script – script executed. For instance, a profile view of the URL http://www.facebook.com/profile.php?id=29445421 would populate script with “profile.php”

* Scriptget – additional information passed to the script. In the above example, scriptget would contain “id=29445421”

* Userid – The Facebook user id of the account active for the request

* View time – date of execution in Pacific Time

* IP – source IP address

IP log data is generally retained for 90 days from present date. However, this data source is under active and major redevelopment and data may be retained for a longer or shorter period.

Special Requests

The Facebook Security Team may be able to retrieve specific information not addressed in the general categories above. Please contact Facebook if you have a specific investigative need prior to issuing a subpoena or warrant.

When Comcast is directed to hand over information, the type and amount is even more overwhelming. Of course, there are the emails, customer information including contact and payment data, and similar details one might expecte. But Comcast also can assist law enforcement in effecting what are called “pen registers” or “trap and trace” devices, which track all of your internet activity, including emails, websites and IMs.

Of course, one should bear in mind that there must first be some lawful basis for investigation to support the issuance of a subpoena (although some of the safeguards may be bypassed if there  “is an immediate danger of death or an immediate risk of serious physical injury…”).

I still contend that the best safeguard against inadvertent disclosure of dangerous information is a healthy dose of common sense. Lacking that, however, privacy should indeed be a concern, particularly for those skirting the line of legality. Perhaps assuming that you have no privacy on-line would be the safest way to proceed.

When Social Media Hits Your Wallet

I just read an interesting post by Omar-Ha-Redeye at Slaw on how social media usage might result in an increase in insurance’ premiums to reflect an increased risk of loss (link here). The article actually discussed homeowners’ premiums and privacy and location-based services. These topics have been the subject of heavy discussion over the past two weeks, spurred at least in part by the brouhaha from Google’s launch of Buzz with insufficient privacy controls and the articles surrounding the website Please Rob Me. Personally, I think Please Rob Me is about ten times more irresponsible than the original location posters – it opens up location data to anyone and everyone in a clearinghouse-style, hyper-organized fashion not available to the potential robber who randomly peruses Twitter, Foursquare or any of the other location-based services that first require a friend or follow connection. Furthermore, I doubt that the persons engaging in this activity are learning the lesson this site is “purporting” to teach. But enough about that.

The title of Omar’s post sent my thoughts in a different direction – lawyers using social media who might experience an increase in legal malpractice fees. I am not suggesting that this is currently the case – I don’t have the data to back it up. But there certainly have been news stories over the past year outlining the different ways that lawyers can get themselves in trouble in and out of court based on their own on-line activities.

Engaging in social media in general, and for lawyers in particular, requires common sense. The same common sense that people and professionals should employ in the off-line world. Internet trouble may result from the incorrect perception that only those you are interested in targeting with your efforts will see your efforts. In reality, the digital trail is wide and clear for anyone interested enough to follow.

That said, if you only publish content that is valuable and well-thought out, there should be little problem with the law. On the other hand, you cannot control the perceptions of the other side in a dispute. So, how do you engage and protect at the same time? Carefully read your malpractice policy to ensure that on-line activity is not excluded. If it is excluded, then consider contacting your carrier / agent to discuss adding such coverage. There are specific insurance policies now being offered that cover blogging activity. It is worth it to take some time with your coverage and make sure it protects against the risks you want it to protect against.

Above all, if you are on-line in a professional capacity, keep it professional! If your activity doesn’t pass the “smell” test, well, then ….

Microsoft Seeking Stronger Laws Regarding Cloud Computing

No doubt spurred in part by the ongoing federal FCC/ FTC hearings on bringing the internet into the 21st century and dealing with security gaps in the cloud, Microsoft put in its request to Congress and state governments to firm up the legal framework for ensuring stratospheric privacy and protection. Microsoft’s General Counsel Brad Smith addressed attendees on these issues at a keynote at the Brookings Institute on January 19, 2010.

Microsoft identified the primary concerns as privacy, security, transparency, and international sovereignty, the latter being a major issue in connection with storage server locations that know no boundaries. Transparency means that consumers and businesses should know whether and how their information will be accessed and used by service providers and how it will be protected online.

Smith is justifiably concerned with privacy protections and the fact that laws currently on the books do not take into account the heightened risk and the broader ramifications of hacking in the cloud. Smith proposed a new law, which he dubbed the Cloud Computing Advancement Act, and urged the revamping of an existing law,  the Electronic Communications Privacy Act, in order to address the spectrum of risks. He also proposed stronger sanctions under the Computer Fraud and Abuse Act: currently, cloud hackers face the same penalties as hackers that attack an individual PC.

I see mass movement into the cloud and, as a techie,  I understand the value of it. As attorneys, however, it pays to be aware of what our current technology can ensure with respect to privacy and security, be versed on the scope of the laws supporting cloud integrity, and choose cloud services accordingly. Lawyers, or course, have heightened responsibility with respect to privacy, security, and privilege. Perhaps this is one area of technology in which lawyers can afford to be slightly behind the curve – right behind security developments.

Hat tip to eWeek. For further reading on the topic, check out these articles:

The ABC’s of Cloud Based Practice Tools

 Seeding the Clouds: Key Infrastructure Elements of Cloud Computing

A Pragmatic and Effective Approach to Cloud Computing — Real Benefits From the

IBM Perspective on Cloud Computing

HIPAA and Beyond: Meeting New Healthcare Security Requirements for Email

I’m Not Private. I’m Virtual.

An example of various cloud colors
Image via Wikipedia

Reasonable. Expectation. Of. Privacy.

This morning, my RSS feed reader is chock-full of posts about privacy. Because my interests, as reflected in my reader content, are law and technology, you can bet that the discussions center around law and legal matters on the internet. From questions regarding whether the use of Gmail for your law practice constitutes violation of ethical rules governing client confidentiality, to lawsuits by Facebook users against Facebook for violating their privacy, to new federal regulations requiring health care providers to notify individuals when their health information is breached, questions abound regarding the degree to which you can lock down or expect to lock down your information.

The gifts the internet has to offer are compelling and the price nearly unbeatable. It is difficult for any business, particularly a solo or small business, to ignore the allure of cloud computing with free, highly developed services and applicatinos like Gmail, Open Office, on-line storage sites and web-syncronized clipping services like Evernote. These tools make it simple to move, store, organize, send and manipulate information.

What is cloud computing, you ask? Apparently this is a valid question – many engage in it on a daily basis without even realizing it. John Foley at InformationWeek has come up with a seven-part definition of the term:

Off-site. A basic principle of cloud computing is that you’re accessing IT resources that are in a data center that’s not your own. That means you don’t buy the servers and storage, someone else does. So-called private clouds are the exception, but forget them for this discussion.

Virtual. IT resources in the cloud can be assembled with drag-and-drop ease. Employing virtualization, cloud service providers let you assemble software stacks of databases, Web servers, operating systems, storage, and networking, then manage them as virtual servers.

On demand. In the cloud, you can add and subtract resources, including number and type of processors, amount of memory, network bandwidth, gigabytes of storage, and 32-bit or 64-bit architectures. You can dial up when you need more, and dial down when you need less.

Subscription style. These tend to be month-to-month deals, often payable by credit card, rather than annual contacts. Amazon charges in intervals of 10 cents per hour for EC2.

Shared. For economies of scale (that’s what cloud computing is all about), many service providers use a multitenant architecture to squeeze workloads from multiple customers onto the same physical machines. It’s just one of the things that distinguish cloud computing from outsourcing and from hosted data centers.

Simple. Many of the cloud services providers — whether they specialize in application hosting, storage, or compute cycles — let you sign up and configure resources in a few minutes, using an interface that you don’t have to be a system administrator to understand.

Web based. Others might make this characteristic #1, but I put it last to make the point that there’s more to cloud computing than the Web. That said, it does involve browser access to hosted data and resources.

In other words, says Foley, cloud computing is on-demand access to virtualized IT resources that are housed outside of your own data center, shared by others, simple to use, paid for via subscription, and accessed over the Web.

So, with all of the benefits an on-line practice has to offer, why not look to the skies? It’s not as if the average citizen has the know-how and means to develop a social network with the reach of a Facebook by setting up their own servers, building applications and then inviting 300 million of their closest friends to connect, share and discuss.  It is easy to see the benefits and even easier to don blinders with respect to the drawbacks.

There are drawbacks, of course, and privacy is a big player among them. Many points along the chain can expose or “leak.” First, your information may not necessarily be your own once it enters the cloud. Read the terms of service (“TOS”) carefully to see just who can get to it and what can be done with it by persons other than you. Next, the location of your information may not be all that easy to identify. David Navetta at InfoSec Compliance advises that “in a cloud environment, geography can lose all meaning.” Not only can your data be spread across services, it can be copied and stored in several locations. Data can even cross physical boundaries the original user never intended to cross. Because it is difficult to pinpoint where the data goes once it leaves the terminal, you realistically can have no concept of how secure that data may be. Thus, heightened obligations may be imposed on a business or practice using the cloud to ensure the security of cloud service providers based on a reasonable awareness of the risks.

On the flip side, security risks are not new and businesses are not completely unfamiliar with the concept. In many ways, humans have been breaking down privacy barriers for years on a societal level.  One already can see a breakdown in traditional concepts of privacy in the manner in which people connect and share on the internet. And, like all areas of the law, privacy and security issues will morph as our lives become more virtual and our concepts of privacy change.

Do the benefits outweight the risks? First the risks must be quantified. The process of risk quantification is alive and well among tech experts, as well as in the courts and legislatures, as groups take up the cause and lawmakers grapple with the boundaries of protection. When in doubt, an attorney can always seek the advice of state ethics committees, but be prepared for answers that may not completely address the questions. With rapidly emerging technologies, any answer can become outdated before the ink has dried.

Then consider the benefits and efficiencies for your clients. Avoid misunderstandings by fully informing yourself and your clients of your process. Many clients may appreciate your considered approach to a modern practice and welcome the service improvements. Many clients also are cloud denizens and already well aware of the concerns. If not, then you can provide an additional service by advising them in this regard.

Bottom line? Don’t take privacy for granted on the internet, but don’t allow a fear of privacy breach to preclude consideration of on-line tools. Educate yourself fully on the global risks of the cloud and the particular limitations of your preferred services. Take all reasonable steps to disclose only what you intend to disclose. Read the TOS and, by all means, keep those drunken cocktail party pictures off your professional networking sites and Flickr.

Reblog this post [with Zemanta]

I'm Not Private. I'm Virtual.

An example of various cloud colors
Image via Wikipedia

Reasonable. Expectation. Of. Privacy.

This morning, my RSS feed reader is chock-full of posts about privacy. Because my interests, as reflected in my reader content, are law and technology, you can bet that the discussions center around law and legal matters on the internet. From questions regarding whether the use of Gmail for your law practice constitutes violation of ethical rules governing client confidentiality, to lawsuits by Facebook users against Facebook for violating their privacy, to new federal regulations requiring health care providers to notify individuals when their health information is breached, questions abound regarding the degree to which you can lock down or expect to lock down your information.

The gifts the internet has to offer are compelling and the price nearly unbeatable. It is difficult for any business, particularly a solo or small business, to ignore the allure of cloud computing with free, highly developed services and applicatinos like Gmail, Open Office, on-line storage sites and web-syncronized clipping services like Evernote. These tools make it simple to move, store, organize, send and manipulate information.

What is cloud computing, you ask? Apparently this is a valid question – many engage in it on a daily basis without even realizing it. John Foley at InformationWeek has come up with a seven-part definition of the term:

Off-site. A basic principle of cloud computing is that you’re accessing IT resources that are in a data center that’s not your own. That means you don’t buy the servers and storage, someone else does. So-called private clouds are the exception, but forget them for this discussion.

Virtual. IT resources in the cloud can be assembled with drag-and-drop ease. Employing virtualization, cloud service providers let you assemble software stacks of databases, Web servers, operating systems, storage, and networking, then manage them as virtual servers.

On demand. In the cloud, you can add and subtract resources, including number and type of processors, amount of memory, network bandwidth, gigabytes of storage, and 32-bit or 64-bit architectures. You can dial up when you need more, and dial down when you need less.

Subscription style. These tend to be month-to-month deals, often payable by credit card, rather than annual contacts. Amazon charges in intervals of 10 cents per hour for EC2.

Shared. For economies of scale (that’s what cloud computing is all about), many service providers use a multitenant architecture to squeeze workloads from multiple customers onto the same physical machines. It’s just one of the things that distinguish cloud computing from outsourcing and from hosted data centers.

Simple. Many of the cloud services providers — whether they specialize in application hosting, storage, or compute cycles — let you sign up and configure resources in a few minutes, using an interface that you don’t have to be a system administrator to understand.

Web based. Others might make this characteristic #1, but I put it last to make the point that there’s more to cloud computing than the Web. That said, it does involve browser access to hosted data and resources.

In other words, says Foley, cloud computing is on-demand access to virtualized IT resources that are housed outside of your own data center, shared by others, simple to use, paid for via subscription, and accessed over the Web.

So, with all of the benefits an on-line practice has to offer, why not look to the skies? It’s not as if the average citizen has the know-how and means to develop a social network with the reach of a Facebook by setting up their own servers, building applications and then inviting 300 million of their closest friends to connect, share and discuss.  It is easy to see the benefits and even easier to don blinders with respect to the drawbacks.

There are drawbacks, of course, and privacy is a big player among them. Many points along the chain can expose or “leak.” First, your information may not necessarily be your own once it enters the cloud. Read the terms of service (“TOS”) carefully to see just who can get to it and what can be done with it by persons other than you. Next, the location of your information may not be all that easy to identify. David Navetta at InfoSec Compliance advises that “in a cloud environment, geography can lose all meaning.” Not only can your data be spread across services, it can be copied and stored in several locations. Data can even cross physical boundaries the original user never intended to cross. Because it is difficult to pinpoint where the data goes once it leaves the terminal, you realistically can have no concept of how secure that data may be. Thus, heightened obligations may be imposed on a business or practice using the cloud to ensure the security of cloud service providers based on a reasonable awareness of the risks.

On the flip side, security risks are not new and businesses are not completely unfamiliar with the concept. In many ways, humans have been breaking down privacy barriers for years on a societal level.  One already can see a breakdown in traditional concepts of privacy in the manner in which people connect and share on the internet. And, like all areas of the law, privacy and security issues will morph as our lives become more virtual and our concepts of privacy change.

Do the benefits outweight the risks? First the risks must be quantified. The process of risk quantification is alive and well among tech experts, as well as in the courts and legislatures, as groups take up the cause and lawmakers grapple with the boundaries of protection. When in doubt, an attorney can always seek the advice of state ethics committees, but be prepared for answers that may not completely address the questions. With rapidly emerging technologies, any answer can become outdated before the ink has dried.

Then consider the benefits and efficiencies for your clients. Avoid misunderstandings by fully informing yourself and your clients of your process. Many clients may appreciate your considered approach to a modern practice and welcome the service improvements. Many clients also are cloud denizens and already well aware of the concerns. If not, then you can provide an additional service by advising them in this regard.

Bottom line? Don’t take privacy for granted on the internet, but don’t allow a fear of privacy breach to preclude consideration of on-line tools. Educate yourself fully on the global risks of the cloud and the particular limitations of your preferred services. Take all reasonable steps to disclose only what you intend to disclose. Read the TOS and, by all means, keep those drunken cocktail party pictures off your professional networking sites and Flickr.

Reblog this post [with Zemanta]