On December 14, 2016, operators of online extramarital dating and social networking website AshleyMadison.com came to an agreement with the Federal Trade Commission, and several States, to settle FTC and related state charges that the website deceived consumers and failed to protect 36 million users’ account and profile information. As we discussed immediately following the July 2015 breach (and in several later posts), the data of some 36 million AshleyMadison.com accounts was posted online. It was reported by KrebsOnSecurity that the breach included the theft of user databases, financial records (including salary information), and other records from AshleyMadison, Cougar Life, and Established Men, three social networking web sites operated by the Toronto, Canada-based firm Avid Life Media, now known as Ruby Corp.
FriendFinder Networks is a company in the adult entertainment, social networking, and online dating space. Several databases from FriendFinder Networks web sites with more than 412 million accounts, including usernames, e-mails, and passwords, have been breached and leaked.
November reports of this data breach on The Verge, LeakedSource and TechCrunch, to name a few, describe it as one of the largest security breaches of 2016, and possibly the largest breach to date, surpassing the breach of approximately 360 million Myspace usernames, passwords and e-mail addresses reported earlier this year.
Following up on our earlier post regarding the Era of Hashtag Surveillance, the FBI has published documents indicating that it intends to enter into a deal with a Twitter data miner, appropriately named Dataminr (and partially owned by Twitter), for access to its monitoring technology. TechCrunch reports that the FBI disclosed its intent to enter into a licensing agreement with Dataminr for access to Twitter’s “firehose” data stream. As opposed to the normal data streams that Twitter makes available to the public, which only provide access to a fraction of the posts made to the site, the “firehose” stream contains all public posts made on Twitter and would essentially allow a user to search, in almost real-time, every post made to the service.
Earlier this month, the ACLU published a report alleging that it had obtained public records showing that social media user data such as location tracking, photos and hashtag usage may have been used by law enforcement to monitor activists and protests. The ACLU claims that records show that Twitter, Facebook and Instagram provided user data access to Geofeedia, a developer of a social media monitoring program that is marketed to law enforcement agencies as a tool for such tracking. According to the report, law enforcement used the monitoring program to track protests in Baltimore and Ferguson, Missouri.
In this political season, much has been made about late-night Twitter rants targeting women and other social media attacks on individuals and celebrities. Although these harsh online critiques create a more hostile cyber community, more imminent danger may arise from the safety risks that accompany online activity in general. Law-enforcement officials have long warned users against disclosing travel plans on social media to would-be thieves by, for example, posting pictures of a boarding pass from that long-awaited trip to Barcelona. But what about apps and services like Find My Friends, where users can share their location with up to 50 friends, or Snapchat, which shows a user’s location when posting an image or video? With a culture focused on sharing and instant access to information via social media feeds, it bears considering if location-revealing apps engender some inherent danger, whether the app developers disclose potential risks, and what steps can be taken to protect personal safety.
What are the privacy limits when users give permission for an app to access their smartphone’s microphone? A purported class action filed last week by LaTisha Satchell (a New York resident) against the Golden State Warriors (the first NBA franchise employing such an app), Signal360 (the New York-based licensor of the relevant technology) and Yinzcam (the Pennsylvania-based app developer) tackles this issue. Plaintiff filed her complaint in the Northern District of California, asserting violations of the Electronic Communications Privacy Act of 1986 for the class that downloaded the Android version of the Warriors app and for a broader class of those using any Android app with the Signal360 technology.
Famed wrestler Hulk Hogan’s $140 million trial verdict against Gawker Media for publishing a tape of him having relations with his best friend’s wife and using racially offensive language sends a clear message that despite the proliferation of Internet journalism, social media, paparazzi, and the 24-hour news cycle, celebrities are still entitled to privacy in their most intimate moments—at least for now.
In the Joint Commission Perspectives May 2016 edition, the Commission reversed its 2011 position prohibiting clinician texting of patient orders within accredited health care institutions, stating technological advancements now allow for secure transmission. The Joint Commission first issued its ban in 2011 by posting an often overlooked response to the frequently asked question regarding the by then ubiquitous communication tool: “[I]t is not acceptable for physicians or licensed independent practitioners to text orders for patients to the hospital or other healthcare setting. This method provides no ability to verify the identity of the person sending the text and there is no way to keep the original message as validation of what is entered into the medical record.” While the Commission did not have a specific policy against electronic communications, its FAQ response highlighted concerns surrounding texting’s privacy, security, reliability and record retention shortcomings. Following the FAQ response’s posting, institutions accredited by the Commission were expected to comply with the texting ban on clinical orders. However, recent studies have shown that permitting the texting of orders within health systems could significantly increase hospital efficiencies and reduce the length of patient stays.
On April 29, 2016, Judge Ross issued his ruling on Ashley Madison’s motion for a protective order, prohibiting Plaintiffs from using the leaked documents, reports quoting the leaked documents, and information “stolen from Avid” in drafting their consolidated class action complaint. The result was largely policy driven, with Judge Ross stating broadly, “the Court cannot and will not allow Plaintiffs to take advantage of the work of hackers to access documents outside the context of formal discovery. To do so would taint these proceedings and, if left unremedied, potentially undermine the integrity of the judicial process.” The Court also ruled that it had inherent authority to issue a protective order with respect to documents obtained outside the course of normal discovery, and distinguished cases cited by the Plaintiffs in opposition. Rejecting Plaintiffs’ First Amendment argument, Judge Ross notes, “[j]ournalists … are in a completely different position than parties involved in private litigation. No doubt exists that the news media enjoy the freedom of ‘the press;’ however, the conduct of attorneys is informed by their ethical responsibilities as officers of the Court.” The amici briefs submitted by other Ashley Madison users made an impact on the Court as the Court found that the leaked information could not truly be considered “readily available to the public” due to the efforts of the other users to protect their privacy following the leak, as asserted in their briefs. Ultimately, Judge Ross emphasized the need to “protect the integrity of the internet and make it a safer place for business, research and casual use.”
The Federal Trade Commission recognizes that many people benefit from companies’ online tracking by getting advertising that is more targeted to their preferences. However, as the technologies and techniques used by companies and advertisers to uniquely identify and track individuals’ online behavior advance, the FTC warns that companies’ privacy disclosures and practices must be updated. Failure to do so could be considered deceptive under the FTC Act.