Thursday, January 31, 2013

Bird Watching: Twitter's Transparency Report


Following the example of Google, Twitter is also releasing a semi-annual Transparency Report disclosing the number and type of user information requests it receives from various governments, and the percentage of the requests to which Twitter responded positively. In its most recent report, covering July through December 2011, Twitter stated that it had received 1,009 information requests, 42 content removal requests, and 3,268 takedown and related notices regarding alleged copyright infringement on the service. The first two numbers were up substantially from the preceding six-month period; the copyright notices declined slightly (from 3,378 to 3,268) in that time.

Twitter additionally broke down the data by country, and specifically focused on its home country, the United States. According to Twitter, requests from governmental bodies within the United States from July through December 2012 included the following:

| User Information Requests | Percentage where some or all information produced | User / Accounts Specified | Subpoenas | Court Orders | Search Warrants | Others |
| --- | --- | --- | --- | --- | --- | --- |
| 815 | 69% | 1145 | 60% | 11% | 19% | 10% |

Like Google's, Twitter's transparency report is a useful reminder both of the attractiveness of social media services to governmental information gathering and of the overall privacy issues arising out of social media use. Law enforcement and other government officials understand how much information people share on social media services; it's crucial for users to understand this as well.

Wednesday, January 30, 2013

Impressions from LegalTech New York

Greetings from the lobby of the New York Hilton, site of this year's LegalTech NY conference and trade show. I've been touring the show floor this afternoon, learning about the state of the art and best practices in all aspects of the technology supporting legal practice. The vast majority of the exhibiting companies are offering products and services relating to electronic discovery (or e-discovery), from computer forensics to predictive coding (a big buzzword this year) to document review and production to analytics.

There are, though, other industry categories that are well represented here, mainly relating to law practice management. Numerous vendors offer ways to put your practice online and loft it to the cloud, whether for software as a service (SaaS), backup, document sharing or all of the above. There are a fair number of back office management solutions as well: bookkeeping, billing, resource management and cost controls. Data security makes a good showing, whether from companies with tiger teams to seek out and identify firms' and companies' security holes, or hardware and software to close the holes before they are found; some do both. Finally, there are some translation service companies, mobile practice tools, and printing/document creation and management offerings.

From the number of people here, and the filled-to-bursting floor space, it appears that legal technology is a thriving area, and no wonder: electronic discovery is now a part of almost every litigation, firms and in-house departments alike are desperately seeking ways to reduce their costs and increase efficiency, and clients are demanding instant response and full access to case files. As a legal educator, I see some small challenges in this technological expansion (some of the most common entry-level lawyer jobs for our graduates could be made obsolete by technology and outsourced service providers), but much more opportunity for law school graduates to learn about, master and implement these solutions in their own practices and with colleagues.

There are a few other points that are clear after walking around LegalTech NY. First, based upon the "drop a card and win" prize assortment, iPad Minis are thought to be the hot item to pull in people's contact data. Second, based upon the food being given away, vendors are well aware that lawyers and IT professionals alike live on caffeine and sugar (coffee and chocolate abound). Finally, there seems to be no geographic center of legal tech companies; I've spoken with vendors from Utah, Kentucky, all over Canada and many other places.

For more about LegalTech NY, you can follow the #ltny hashtag. Meanwhile, I'm on my way back in. Wish me luck winning an iPad Mini! {Jonathan}

Thursday, January 24, 2013

The Other Google Search: 8438 Data Requests by U.S. Gov't


Google has released the latest version of its Transparency Report, covering the period from July 1 through December 31, 2012. In the report, Google states that the U.S. government made 8,438 requests for user data from Google during the period, covering a reported 14,791 users/accounts, and that Google responded fully or partially to an aggregate of 88% of those requests, broken down as follows:

| July to December 2012 | Records Requested | Users/Accounts | Percentage Fully/Partially Complied With |
| --- | --- | --- | --- |
| Search Warrant | 1,896 | 3,152 | 88% |
| Subpoena | 5,784 | 10,390 | 88% |
| Other | 758 | 1,249 | 90% |

The number of these requests, particularly from the U.S. government, has been steadily increasing over the past few years; the U.S. government made only 3,580 total requests in the same period in 2009. Google states in the introduction to its report, "We review each request to make sure that it complies with both the spirit and the letter of the law, and we may refuse to produce information or try to narrow the request in some cases." It also attributes some of the increase to its own growth: "Usage of our services have increased every year, and so have the user data request numbers."

While Google is to be commended for its efforts to disclose (some of) the requests for information it receives, the report and the increases it shows serve as a reminder of the size, scope and value of Google's collection of data about its users. Given how many products Google owns, many of which may not bear obvious Google branding (such as the Zagat Restaurant Guide) but may still be feeding user data into Google's central servers (Zagat's privacy policy is the Google shared one, as is that of its fellow non-obvious Google acquisition, the Frommer's Travel Guides site), one may legitimately question whether all users are able to provide truly informed consent to Google's data collection, which is increasingly a governmental resource as well.

Thursday, January 3, 2013

FTC/Google Settlement: Covers Patents, Advertising; No Actionable Search Bias


The FTC has reached a proposed settlement with Google regarding multiple antitrust-related claims. The FTC's investigations covered issues including Google's control over key patents after its Motorola Mobility acquisition, Google's policies regarding cross-platform advertising campaign management, and allegations of so-called "search bias" through which Google was supposedly favoring its own content in its search results over competitors' pages.

With regard to search bias, the FTC found:
...that the evidence presented at this time does not support the allegation that Google’s display of its own vertical content at or near the top of its search results page was a product design change undertaken without a legitimate business justification. Rather, we conclude that Google’s display of its own content could plausibly be viewed as an improvement in the overall quality of Google’s search product. Similarly, we have not found sufficient evidence that Google manipulates its search algorithms to unfairly disadvantage vertical websites that compete with Google-owned vertical properties....
The FTC did, however, find some evidence that Google may have unfairly "scraped" competing Web sites' content for its own use and threatened to delist those that protested, and may further have placed "unreasonable restrictions" on advertisers' abilities to advertise on Google and competing search engines at the same time. Google agreed to refrain from both types of practices in the future.

Google additionally agreed to make certain changes in its patent and advertising practices. The FTC found that Google had blocked willing licensees of its patents from making deals on so-called fair, reasonable and non-discriminatory ("FRAND") terms, including through use of injunctions; in the settlement, Google agreed not to pursue such injunctions against those with whom Google had previously agreed to FRAND terms:


Google also agreed to alter elements of the contract terms covering the use of its AdWords API (application programming interface), which impeded advertisers' efforts to better manage and control their ad campaigns both within and beyond Google and its properties.

The FTC's proposed consent agreement with Google is subject to public comment through February 4th, 2013, in hard copy or online. The release (with links to the relevant documents, including dissents) may be found on the FTC's Web site.

$50,000 HIPAA Security Violation Settlement Announced by HHS OCR


On January 2, 2013, the Office of Civil Rights of the U.S. Department of Health and Human Services ("OCR") announced its first-ever settlement of a health privacy violation case involving information from fewer than 500 individuals. According to OCR, the Hospice of North Idaho will pay $50,000 to settle the case brought under the Security Rule of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

According to the OCR's press release,
The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010. Laptops containing ePHI are regularly used by the organization as part of their field work. Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI. Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule. Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach. Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

The release also discussed a new joint educational effort by OCR and the HHS Office of the National Coordinator for Health Information Technology entitled Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information.

The resolution agreement for the Hospice of North Idaho case can be read here. For more information on both the HIPAA Privacy Rule and HIPAA Security Rule, visit HHS' main HIPAA page. OCR also offers an e-mail distribution list for its privacy-related activities, OCR-PRIVACY-List, available via this link.