Thursday, October 31, 2013

FAA Now Permits Use of Electronic Devices During Takeoff and Landing


The Federal Aviation Administration ("FAA") announced on October 31, 2013 that it would revise its rules regarding passenger use of personal electronic devices ("PEDs") during takeoffs and landings of commercial flights. According to the FAA's press release, the new rules would allow airlines to determine for themselves whether to permit passengers to use PEDs, although the timing and details could vary among the airlines. The new rules do not, however, permit passenger use of the cellular radios in PEDs; these remain prohibited during all phases of flight.

The FAA's release included some guidance for passengers as well:

Top Things Passengers Should Know about Expanded Use of PEDs on Airplanes:
1. Make safety your first priority.
2. Changes to PED policies will not happen immediately and will vary by airline. Check with your airline to see if and when you can use your PED.
3. Current PED policies remain in effect until an airline completes a safety assessment, gets FAA approval, and changes its PED policy.
4. Cell phones may not be used for voice communications.
5. Devices must be used in airplane mode or with the cellular connection disabled. You may use the WiFi connection on your device if the plane has an installed WiFi system and the airline allows its use. You can also continue to use short-range Bluetooth accessories, like wireless keyboards.
6. Properly stow heavier devices under seats or in the overhead bins during takeoff and landing. These items could impede evacuation of an aircraft or may injure you or someone else in the event of turbulence or an accident.
7. During the safety briefing, put down electronic devices, books and newspapers and listen to the crewmember’s instructions.
8. It only takes a few minutes to secure items according to the crew’s instructions during takeoff and landing.
9. In some instances of low visibility – about one percent of flights – some landing systems may not be proved PED tolerant, so you may be asked to turn off your device.
10. Always follow crew instructions and immediately turn off your device if asked.
The complete set of PED materials is available on the FAA Web site.

Wednesday, October 30, 2013

Facebook Loosens Privacy Policy for Teens


On October 16, 2013, Facebook gave teenagers (age 13-17) the option of sharing their videos, pictures, and status updates with the general public. Previously, people aged 13-17 only had the option of sharing with people designated as “Friends” of their social network and “Friends of Friends.” In a statement on Facebook’s website, the company touted the new freedoms it was affording its teenage users:

Teens are among the savviest people using social media, and whether it comes to civic engagement, activism, or their thoughts on a new movie, they want to be heard. So, starting today, people aged 13 through 17 will also have the choice to post publicly on Facebook.

Teenagers will also be able to turn on the “Follow” feature for their profile, allowing any Facebook member (Friends or otherwise) to see the teen’s public posts in the main news feed. To balance these less strict settings, Facebook has implemented two new privacy protection measures for teenagers as well. Now, when a teenager signs up for a Facebook account, by default their posts will only be shown to their “Friends.” Previously, posts were shown to “Friends” and “Friends of Friends” by default. Also, when a teen chooses to share their posts with the general public, they will be presented with a pair of warnings. One warning reads:

Did you know that public posts can be seen by anyone, not just people you know?


You and any friends you tag could end up getting friend requests and messages from people you don’t know personally.

Following acceptance of the above warning, the user will be presented with another warning, which states:

Tip: Sharing with Public means anyone (not just people you know) may see your post.

It is likely that Facebook has opted to ease the privacy restrictions on teenagers to compete with other social networks such as Twitter and Tumblr, which allow teenagers to share with the public. In Facebook’s 10-K Report filed with the Securities and Exchange Commission last February, the company expressed concerns that “younger users, are aware of and actively engaging with other products and services similar to, or as a substitute for, Facebook.”


Critics fear that Facebook’s new policy affords teenagers too much freedom and puts them at risk. Indeed, users who choose to share with the general public run the risk of being contacted and/or solicited by complete strangers. Also, teenagers who choose to share their images, statuses, and videos with the general public are burdened with the fact that any ill-advised posts may come back to haunt them, either professionally or otherwise.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

Ezor on Secure Times: Recent FTC Actions and Statements Show Continuing Focus on Privacy

IBLT Director Jonathan I. Ezor is blogging this week at the American Bar Association Privacy & Security Law Committee's Secure Times blog. His first contribution is below:

Recent FTC Actions and Statements Show Continuing Focus on Privacy

The Federal Trade Commission has long taken a lead role in issues of privacy and data protection, under its general consumer protection jurisdiction under Section 5 of the FTC Act (15 U.S.C. §45) as well as specific legislation such as the Children's Online Privacy Protection Act of 1998 ("COPPA") (which itself arose out of FTC reports). The FTC continues to bring legal actions against companies it believes have improperly collected, used or shared consumer personal information, including the recent settlement of a complaint filed against Aaron's, Inc., a national rent-to-own retail chain based in Atlanta, GA. In its October 22, 2013 press release announcing the settlement, the FTC described Aaron's alleged violations of Section 5:
Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including by taking webcam pictures of them in their homes. According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.... The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software. The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.
The FTC's Consent Order Agreement with Aaron's includes a prohibition on the company using keystroke- or screenshot-monitoring software or activating the consumer's microphone or webcam, and a requirement to obtain express consent before installing location-tracking technology and provide notice when it's activated. Aaron's may not use any data it received through improper activities in collections actions, must destroy illegally obtained information, and must encrypt any transmitted location or tracking data it properly collects.

The FTC is also continuing its efforts to educate and promote best practices about privacy for both consumers and businesses. On October 28, 2013, FTC Commissioner Julie Brill published an opinion piece in Advertising Age magazine entitled Data Industry Must Step Up to Protect Consumer Privacy. In the piece, Commissioner Brill criticizes data collection and marketing firms for failing to uphold basic privacy principles, and calls on them to join an initiative called "Reclaim Your Name" which Commissioner Brill announced earlier this year. Brill writes in AdAge:
The concept is simple. Through creation of consumer-friendly online services, Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if a data broker is selling her information for marketing purposes; and provide her the opportunity to correct errors in information used for substantive decisions. Improving the handling of sensitive data is another part of Reclaim Your Name. Data brokers that participate in Reclaim Your Name would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue. As the data they handle or create becomes more sensitive -- relating to health conditions, sexual orientation and financial condition, for example -- the data brokers would provide greater transparency and more robust notice and choice to consumers.
For more information on the FTC's privacy guidance and enforcement, see the privacy and security section of the FTC Web site.

Tuesday, October 15, 2013

Legal Aid Society of San Mateo CA Suffers Data Breach Including Health Info



On October 10, 2013, the Legal Aid Society of San Mateo County, California sent out a letter notifying potential victims of a data breach suffered by the Society. As the letter states,
On the night of August 12, 2013, our office was burglarized and ten of our laptops were stolen. The stolen laptops were used by our attorneys to assist individuals in getting services. We believe that your personal information may have been stored on the stolen laptops. The personal information believed to be stored on the stolen laptops includes your name, Social Security number, date of birth, medical and health information.
What makes this data breach particularly noteworthy is that, although it occurred at a legal aid organization, the information stolen reportedly included health information. The notice does not discuss how and why health information might have been collected and stored by LASSMC; it may relate to the Society's health advocacy services.

Beyond the immediate impact on the LASSMC clients and others whose stolen personal information may be misused, this incident serves as a reminder that even non-medical professionals may hold, and must keep safe, health information. Even where the formal privacy and security requirements of HIPAA may not directly apply, organizations may still need to comply with HIPAA's Business Associates rules as well as general consumer protection obligations. Attorneys in particular should be aware not only of these requirements, but of their ethical obligations to keep client information confidential, which may further be relevant in a data breach situation.

The California Attorney General's list of reported data breaches may be found here; the LASSMC letter and information is at this link.

Thursday, October 10, 2013

Got an Internet Business Law Question? Ask the IBLT!


The Touro Law Center for Innovation in Business, Law and Technology ("IBLT") proudly announces "Ask the IBLT," a new initiative to help entrepreneurs and others better understand the business-critical issues of Internet-related law and risk management. Anyone can e-mail a question to asktheiblt@tourolaw.edu. The IBLT will provide answers (prepared by Touro Law students and IBLT faculty affiliates) through its blog, YouTube channel, Google+ page, Facebook page, Twitter account and other channels.

Among the topics for questions for the IBLT are:

  • Privacy and data breaches
  • Social media use (and misuse)
  • Intellectual property (copyright, trademark, patent, trade secrets)
  • Online advertising and marketing
  • Affiliate programs
  • Sweepstakes, contests and other prize promotions
  • Cybercrime
  • Crowdsourcing
  • Crowdfunding
  • International law


"Ask the IBLT is just one part of our overall mission to educate our students and the business and legal communities about these new and evolving areas of law and risk," says Prof. Jonathan I. Ezor, director of the IBLT. "We can't answer every question, and we won't be giving specific legal advice. Instead, we're answering those questions that apply to the most organizations, and offering information and links to resources they can use to succeed and grow while avoiding the biggest pitfalls of doing business online."

Title II of the JOBS Act Goes into Effect: Golden Age of Venture Capital or the Opening of Pandora’s Box?


On September 23, a major legislative overhaul went into effect in an attempt to help entrepreneurs and start up companies raise money for new ventures.  The new legislation is Title II of the 2012 Jumpstart Our Business Start-Ups (JOBS) Act.  Title II permits start-ups and small businesses to publicly advertise their fundraising efforts and ask for equity investments without registering shares for sale.  Companies can use digital public media such as Facebook or Twitter to help spread the word as well as more conventional media like newspapers and radio.  However, only accredited investors (those making more than $200,000 a year or those with a personal net worth of more than $1 million) may actually invest in these companies.
Title II of the JOBS Act effectively gives companies access to a much broader array of potential investors than ever before.  For the past 80 years, it has been illegal for startups (or any private company for that matter) to notify the public that they are looking to raise investment capital.  The law forbidding public solicitation was enacted during the Great Depression to protect consumers from scams and fraud.  As of September 23, however, general advertising and solicitation of the public are fair game.  All a company must do to begin soliciting openly both online and offline is file with the SEC and disclose their fundraising methods within 15 days of soliciting.
There is much value to be had from the new law.  Indeed, the funding process will no doubt be accelerated, as companies can reach out to more potential investors than ever before.  This augmented process will also allow founders and CEOs to focus more of their time on the actual execution of their business as opposed to expending all of their energy on fundraising efforts.  Investors, too, will benefit from being exposed to more investment opportunities.
Some critics have argued that this deregulation of equity investment will unleash a plethora of swindlers and devious con artists looking to defraud the less savvy investor.  It’s true that restricting investments only to “accredited investors” acts as a safeguard to protect against potential fraud; the idea being that more savvy investors are less likely to invest in dubious ventures.  However, Title III of the JOBS Act, which is likely to go into effect sometime in 2014, will allow non-accredited investors to participate as well.
It remains to be seen whether the critics’ fears of rampant fraud will come to fruition or if Title II of the JOBS Act will herald a golden age for start-up companies.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)

FBI Shuts Down Digital Black Market “Silk Road,” Seizes Millions of Bitcoins



On October 2, 2013, the FBI arrested the alleged owner and operator of an illicit website that facilitated the sale of drugs, stolen bank information, hacking tools, firearms, and countless other illegal products and services.  The website, known as “Silk Road,” functioned as a black-market eBay, connecting buyers and suppliers through a seemingly untraceable underground website.  Before it was seized and shut down by the United States government, Silk Road was a massive criminal enterprise that generated $1.2 billion in sales over the course of only two years.  The site enabled several thousand drug dealers and other criminal vendors from over ten countries to conduct transactions anonymously over the Internet.  The alleged mastermind of Silk Road is 29-year-old Ross Ulbricht, a former physicist who went by the username “Dread Pirate Roberts,” a reference to the movie “The Princess Bride.”  Ulbricht made approximately $88 million by charging a commission for every transaction conducted on Silk Road.  As owner and operator of Silk Road, Ulbricht is accused by U.S. Attorneys of narcotics trafficking conspiracy, computer hacking conspiracy, and money laundering conspiracy.  It is also believed that Ulbricht had hired a hitman to execute two people, one a former employee, and the other, a man attempting to blackmail Ulbricht.

Silk Road operated on the “Deep Web,” an area that cannot be found using standard search engines like Google or Yahoo.  Silk Road operated on the “Tor” network (a.k.a. “The Onion Network”), a special network on the Internet designed to mask users’ IP addresses, making it nearly impossible to physically locate the computers hosting or accessing websites on the network.  To access the site, a user would first download the necessary Tor browser software, usually available for free.  From there a user would simply type Silk Road’s “.onion” address into their newly downloaded Tor browser.  However, one could not simply stumble upon Silk Road while using a search engine, even if they were using Tor browser software.  Silk Road’s actual domain name had to be discovered, either through word-of-mouth or by searching Internet forums and chatrooms.

To further ensure anonymity, the only currency permitted on Silk Road was Bitcoins, a new form of virtual currency.  It is an anonymous, decentralized form of electronic currency, not backed by any government or bank.  The currency does not have any tangible form and instead exists only on the Internet.  Bitcoins are legal and can typically be purchased from Bitcoin exchanges, such as www.Mtgox.com.  These exchanges also allow users to exchange their Bitcoins for conventional currency, which is valued based on a fluctuating exchange rate. The number of Bitcoins in existence is limited, however, to 21 million (though only 11.7 million are currently in circulation), to protect its value from inflation.  Each individual Bitcoin is represented by a unique online registration number, 64 digits long.  To receive a Bitcoin a user must also have a Bitcoin address, a randomly generated string of 27-34 numbers and letters.  This address acts as a virtual mailbox to and from which Bitcoins are delivered.  There is no registry of these virtual Bitcoin mailboxes, which allows users to remain anonymous.  However, all Bitcoin transactions are recorded to a public ledger known as the “Blockchain,” although the ledger only illustrates the movement of funds between anonymous Bitcoin addresses.  This public record prevents a user from spending the same Bitcoin more than once.

As this investigation proves, however, maintaining anonymity on the Web, even the Deep Web, is no easy task.  The FBI was able to trace and finally arrest Ulbricht by scouring Internet forums.  After identifying the first ever mention of Silk Road in a forum, the Feds proceeded on a hunch that this initial post originated from or would lead to Silk Road’s founder.  The FBI was correct in its assertion and was able to uncover and track countless communications from Ulbricht regarding his operation of this digital black market.  This investigation also demonstrates that Bitcoins are not untouchable.  The FBI has thus far seized Bitcoins from Silk Road worth approximately $3.6 million as a result of this investigation.  In turn, the value of the Bitcoin dropped about 20% when the news of Silk Road’s shutdown was first announced, October 2, 2013.  It has since clambered back in value, though not to its previous levels.
 
The entire copy of the Federal complaint against Ross Ulbricht and Silk Road can be found here.

(Blog entry written by Alex Diamond, IBLT/Carter DeLuca Entrepreneurship Support Fellow for the Fall 2013 semester)