You can’t find me, at least not without a warrant


In a 5-4 decision, the Supreme Court decided today that law enforcement cannot collect cellphone location records without a warrant. In doing so, the court relies on a cell phone user’s “expectation of privacy” in his or her physical location, even where that information is held by a third party. Previous cases involving data held by third parties have not necessarily been so favorable, particularly where the user understands that the data will be turned over to another party, or where the data is knowingly shared with that third party. “Understands” and “knowingly” are loaded concepts, however, since on some level all cell phone users understand that the cell provider collects a lot of information about them whether they want it collected or not.

The court distinguishes location records from ordinary “business records” by relying on earlier cases which limited law enforcement tracking of individuals’ locations, and it goes to some effort to explain why location data differs from the other “business records” that cell phone providers collect in essentially the same way.

In short, on first read, this case appears to be narrowly applicable to location data only, but it’s still a win on the privacy front for end users.

Photo: Mack Sennett Studios, publicity still from the 1914 film “In the Clutches of the Gang”, via Wikimedia Commons, public domain, https://commons.wikimedia.org/w/index.php?curid=4489310

Disability-related lawsuits find new targets

Since it became law in 1990, there’s little doubt that the Americans with Disabilities Act (ADA) has helped make public buildings and businesses more accessible to the disabled. At the same time, however, brick-and-mortar businesses have long complained about the cost of ADA compliance, and claim that many ADA-related lawsuits are more about making money for lawyers than about actually increasing accessibility. Now that so much shopping has moved online, lawsuits have begun to extend the ADA to websites and other online services, concepts which did not really exist when the law was passed.

For example, Home Depot was sued in 2015 by a blind Pennsylvania man alleging that the Home Depot website relied too heavily on images without the alternative text and descriptive links required to allow access by the sight-impaired. The same plaintiff had filed at least 68 similar lawsuits targeting online retailers. Companies from Target to eBay have been sued over ADA issues, and many companies have paid out millions to the government or to class action plaintiffs, in addition to the cost of becoming compliant after the fact. Now plaintiffs’ lawyers have begun targeting platform providers, which may well result in a new wave of ADA litigation against the internet’s infrastructure providers.

While it’s increasingly clear that internet accessibility is required under the ADA, it’s less clear what constitutes an accessible website. Here are some of the steps you can take to make your website more accessible and less likely to result in a lawsuit or legal liability:

  • Perform a website audit, to determine what aspects of your website might not meet reasonable accessibility standards.
  • Update your website to comply with the World Wide Web Consortium’s (W3C) Web Content Accessibility Guidelines 2.0 (WCAG), currently the closest thing there is to an accessibility standard under the ADA.
  • Make sure your development and design policies include guidelines for continuing WCAG compliance, since it’s all too easy to lose sight of accessibility in the stress of a new site or product rollout.
  • Train customer support and technical personnel to understand and facilitate use of your website by disabled customers, and to be sensitive to the needs and complaints of disabled users.
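The audit step above can be partly automated for the two failures the Home Depot complaint named: images with no alternative text and links whose text says nothing about where they lead. The following script is an added example, not code from the original post or from any of the companies mentioned; it uses only the Python standard library, and the sample page it scans is constructed here for illustration. It assumes the WCAG 2.0 reading that a missing alt attribute is a failure while an empty alt="" marks a decorative image, and that link text such as “click here” fails the “link purpose” criterion.

```python
"""Minimal WCAG 2.0 spot check: images without alt text (criterion 1.1.1)
and links with empty or non-descriptive text (criterion 2.4.4).

Standard library only; runs offline on an HTML string. It finds the two
failure classes named in the post and nothing more, so it supplements,
not replaces, a full audit.
"""
from html.parser import HTMLParser

# Link texts that describe nothing about the destination (assumed list).
GENERIC_LINK_TEXT = {"click here", "here", "read more", "more", "link", "learn more"}

# Constructed sample page for the example; not a real site.
SAMPLE_PAGE = """<html><body>
<img src="/img/logo.png" alt="Example Hardware">
<img src="/img/drill-sale.png">
<img src="/img/spacer.gif" alt="">
<a href="/tools/drills">Cordless drills</a>
<a href="/promo">click here</a>
<a href="/cart"><img src="/img/cart.png" alt="View cart"></a>
<a href="/mystery"></a>
</body></html>"""


class AccessibilityAuditor(HTMLParser):
    """Collects (line, element, problem) findings while streaming the document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_link = False
        self._link_text = []
        self._link_href = None
        self._link_line = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line, _ = self.getpos()
        if tag == "img":
            # No alt attribute at all is a failure. alt="" is the correct way to
            # mark a purely decorative image, so it is accepted here; whether the
            # image really is decorative still needs a human reviewer.
            if "alt" not in attrs:
                self.findings.append(
                    (line, "img", f"missing alt: src={attrs.get('src', '?')}"))
            elif self._in_link:
                # An image's alt text names the link that wraps it.
                self._link_text.append(attrs["alt"])
        elif tag == "a":
            self._in_link = True
            self._link_text = []
            self._link_href = attrs.get("href", "?")
            self._link_line = line

    def handle_data(self, data):
        if self._in_link:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_link:
            text = " ".join("".join(self._link_text).split()).lower()
            if not text:
                self.findings.append(
                    (self._link_line, "a", f"empty link text: href={self._link_href}"))
            elif text in GENERIC_LINK_TEXT:
                self.findings.append(
                    (self._link_line, "a",
                     f"non-descriptive link text '{text}': href={self._link_href}"))
            self._in_link = False


def audit_html(html: str):
    """Return a list of (line, element, problem) findings for one HTML document."""
    auditor = AccessibilityAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for line, element, problem in audit_html(SAMPLE_PAGE):
        print(f"line {line}: <{element}> {problem}")
```

Run against the constructed page, the script reports the drill image with no alt, the “click here” link and the link with no text at all, and passes the logo, the decorative spacer and the cart link whose image alt supplies the link name. Checks like this belong in the build pipeline suggested in the third bullet, so a new rollout that drops alt text fails before it ships rather than after a complaint arrives.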

Although the Department of Justice is expected to issue guidelines some time in 2018, it’s probably not a good idea to wait. In addition to being good risk management, it may well be good business to keep both your disabled and able-bodied customers happy.

Do I really have to worry about the new European privacy rules?

Is it finally time to pay attention to European efforts to regulate privacy? At least according to PwC, the answer is yes.

Let’s face it – many Europeans regarded the former “Safe Harbor” as a loophole big enough to drive a truck through, and many US companies quietly agreed by effectively ignoring it. The GDPR is an attempt to address that more effectively, at least with respect to American companies with assets in Europe, particularly behemoths like Google and Facebook. As of May 25, 2018 most processing of European personal data will have to comply with the GDPR (General Data Protection Regulation), including processing by US-based companies. There are a few reasons for US companies to be more concerned about the GDPR than previous efforts to regulate privacy:

  • The GDPR has the effect of law, without the need for individual (and often inconsistent) country legislation.
  • All businesses which “target” EU nationals are subject to the regulation, no matter where they are based.
  • The fines have been increased significantly and can be tied to worldwide revenue, to ensure that they are meaningful for even the largest of companies.

Of course, it’s easy for EU officials to threaten Google, which has at least four data centers located in the EU, each presumably worth many millions of dollars. It’s a little harder for them to penalize US companies which don’t have assets on the ground in the EU, particularly given that US courts are likely to be skeptical of attempts to enforce the regulation against companies with no offices in Europe. So, how do you know if you should be worried about the GDPR? If you answer yes to any of the following you need to start getting your privacy house in order:

  • Do you have assets in Europe? As already noted, you should be GDPR compliant unless you’re willing to kiss those assets goodbye without compensation.
  • Do you have personnel in Europe? Even with limited assets on the ground, you need to consider the risk to your employees, and the subsequent risk to your company if they are penalized and decide to sue.
  • Is the European market important to you, or is it expected to be important to you in the future? Obviously, an adverse judgment in the EU could result in loss of any European-based revenue, to say nothing of the loss of customers due to bad publicity.

Notwithstanding the hype, companies with no footprint in Europe and minimal aspirations of success in the European market probably have little to fear from the GDPR. That being said, given increasing concern over privacy on this side of the ocean, even those companies may want to consider implementing some of the GDPR requirements, to minimize any penalties and to make compliance easier if and when it becomes necessary. Besides, better privacy practices may well make business sense for a lot of US companies.

You’re running out of time!


Quick, I have dinner, you handle the rest!

When I say you’re running out of time, you may think I’m referring to time needed to buy presents, drawing the absolutely incorrect conclusion that I have not yet purchased a suitable present for my wife. I have. It’s just that she changed the ground rules on me and … oh, never mind, that’s not what I meant anyway.

What I meant is that you’re running out of time to register your DMCA Designated Agent under the new system we reported on earlier this year. Like it or not, agents designated under the old system are no longer valid starting January 1, 2018, so if you are in any way hosting third-party content you’ll want to register a new agent under the new system.

It’s not terribly difficult, so cruise on over to the US Copyright Office’s website and register. You’ll need the following information for both the designated agent and the owner or operator of the website (which may or may not be the same):

  • Name
  • Address
  • Phone number
  • E-mail address

Oh, and you’ll need a credit card. You can’t use mine, I have a little more shopping to do.

German court decides parents can’t access deceased child’s Facebook account


A German appeals court has decided that the Facebook account belonging to a deceased minor cannot be accessed by the deceased minor’s parents, according to German business website Handelsblatt. A couple in Berlin sued for access to the Facebook records of their daughter after she was killed by a subway train in Berlin, hoping to find clues as to the events leading up to her death. They were particularly interested in the chat records, which they thought might provide clues as to whether the daughter’s death might have been a suicide.

The lower court decided for the parents, determining that the Facebook account was part of the deceased minor’s estate. In deciding to appeal, Facebook, the subject of much criticism in Germany for its handling of data privacy, found itself in the unusual position of defending a user’s privacy. The appellate court decided against the parents and refused access. It appears likely that the parents will appeal the decision.

In the United States, Facebook generally does not allow parents access to a child’s account, deceased or not. Facebook does allow parents to request that the account be terminated, rather than leaving it online in “memorialized” mode, and in rare instances Facebook will honor requests for account data by parents or other authorized individuals.

At the rate we’re going, we’ll soon be traveling with books and cassettes


Let’s not go here again

As I watched the luggage carousel spin slowly around I was pretty well aware what I would see there – nothing, or at least nothing which belonged to me. We had barely made our connection in Frankfurt, after circling for hours, and the only thing which made it through to Philadelphia was a cat. I don’t even like cats.

No problem, right? We could just run out and buy luggage on the airline’s dime.

Or not. Airline liability for lost or damaged baggage on international flights is regulated by treaty (the Warsaw Convention or, on many routes, the later Montreal Convention), which limits airline liability for checked baggage significantly. According to Delta’s website, that’s $9.07 per pound up to a maximum of $640. Normally the answer is simple – if it’s valuable, don’t check it. The proposed ban on laptops and tablets for flights to the US from Europe, however, adds a new wrinkle to that otherwise simple advice, since most business travelers don’t really have an alternative to traveling with a laptop. Most road warriors won’t be terribly happy about seven to nine hours of lost work time, to say nothing of that low-res airline entertainment. They’ll be even less happy if they can’t retrieve the laptop at the end of that long flight.

The bigger issue, of course, is security. A lost laptop means lost data, and lost data can result in all sorts of headaches depending on what’s actually on the laptop. Full-disk encryption limits the damage on the confidentiality side, since whoever ends up with the machine can’t read it, but it does nothing for availability: only a current backup gets the data back, and neither encryption nor backups compensate for the loss of productivity for business travelers who depend on their laptops for their daily work.

While business travel won’t stop, the laptop ban combined with other issues which make international travel more onerous may well hit the bottom line of airlines with international routes. It will also increase the interest in everything from insurance for lost luggage to rentals of laptops and similar equipment overseas (which brings with it additional security concerns). Some frequent travelers may even consider storing electronics at offices or apartments overseas, to ensure that they are able to get back to work quickly upon arrival.

In the grand scheme, however, Skype begins to look pretty attractive when the alternative is eight hours of airline entertainment or watching TV on a cell phone followed by a full cavity search on arrival.

Of course, you could always fly via Canada.

Germany’s DeNIC offers (a bit) more privacy for some registrants


With the increasing focus on privacy in Europe, and ongoing challenges to the US-European “Privacy Shield” agreement, domain name registrants from Europe see domain names as (yet another) weak link in privacy rights. They wouldn’t be wrong in that – in order to protect domain name registrants in the case of the failure of a domain name registrar, all registrars are required to put the underlying registrant data in escrow with an accredited data escrow provider. Until recently, however, the only ICANN-approved data escrow provider was the US company Iron Mountain, and as a result all of the agreements (and the underlying data) were subject to US law. That, of course, means they were subject to US law enforcement and civil litigation demands as well.

That has recently changed. According to heise online (in German), DeNIC, the German registry in charge of the .de country-code top-level domain, has recently been accredited by ICANN as a third-party data escrow provider for registrar data. DeNIC’s accreditation provides a European alternative to Iron Mountain, and provides some assurance that European data remains in Europe, subject to European privacy laws. While that’s an improvement, domain registries must also escrow data, and there’s only a single provider for those services as well (can you guess who that might be?). DeNIC, looking to close that weak link in data protection, is actively seeking accreditation there as well.

While this particular service may not impact US business to any great extent, it does demonstrate an increasing interest in European alternatives under the current political climate. No doubt companies like XING (a German LinkedIn alternative) and UK online bookseller Wordery will seek to capitalize on increasing European concern over US service providers.

At the rate things are going, US disregard for privacy may create the European Internet champions that European lawmakers could not.

For more on DeNIC’s accreditation and continuing efforts, see this press release.

So long e-signatures, it was nice to know you.


We recently bought a house or, more accurately, a bank bought a house which we own a teeny-tiny part of. That, of course, resulted in an unending series of requests by mortgage companies, banks, title companies, realtors, sellers, etc. for signatures on long and seemingly duplicative documents. In most of those cases, our signatures were obtained via DocuSign. That’s become pretty standard practice in the real estate industry these days, and also in other industries which require large numbers of signed documents. While it’s annoying, I suppose it beats having an equally large pile of signed originals in a file somewhere.

Or maybe it doesn’t. According to a recent memorandum in a California court, however, a “signed” DocuSign document might not be enough. The judge in that case sanctioned an attorney for relying on DocuSign signatures in the context of bankruptcy law, pointing specifically at a requirement that electronic signatures are only valid if a copy of the “original” signed document was retained. DocuSign, of course, has based its entire platform on the idea that the digitally signed document is the original, which may now be in serious doubt.

For now, the memorandum serves as a reminder that users of digital or e-signatures have to be certain that the laws pertaining to that particular transaction allow e-signatures without a “wet signature” to fall back on in the event of a dispute. Bankruptcy lawyers in particular, take note. That being said, the logic behind the memo calls into question the entire premise behind electronic and digital signatures and, if followed, may end up being a really good development for paper companies. After all, if I sign by putting my name after /s/ in an e-mail, or by using the signature function in Apple’s Preview application, the potential authentication issues are exactly the same as those raised in the memo.

I’ll keep that in mind if we have second thoughts about this whole home-ownership thing.

Hat tip to Whitney Merrill (via Twitter, @wbm312)

How about Estonian law with your morning cuppa


It’s like the Hotel California, you can subscribe any time you like but you can never leave.

It’s not often you start the morning with an international legal dispute, and that before one’s morning coffee. This morning, from the kitchen, I was treated with the dulcet tones of my wife arguing with the London Times about cancellation of her online subscription. It turns out they only accept cancellations from the US via passenger pigeon on odd Tuesdays which have a full moon, and then only when written in the blood of a recently slain unicorn. Ok, not really, but as we haven’t actually figured out how one successfully cancels a subscription, that may in fact be the cancellation policy. Pro tip – don’t subscribe to the London Times.

Anyway, the interesting thing about that kerfuffle is the degree to which the average consumer worldwide is entering into contracts with companies in other countries, ostensibly under the laws of those countries. As consumers, however, those individuals remain protected under the consumer protection and other laws of their respective countries (or, in the case of the US, an odd patchwork of federal, state, and local laws). As a result, even as simple a transaction as a newspaper subscription or Facebook registration can give rise to significant legal cases with an international impact.

Many of those cases involve privacy and the EU-US Privacy Shield. Europe isn’t alone in its concern for the privacy of its citizens, however, with a new decision extending the protections of Canadian privacy law to data disseminated outside of Canada (hat tip to Daniel Solove). While the US doesn’t care as much (or perhaps at all) about privacy, there are laws like the SPEECH Act which attempt to protect US residents (in this case writers) from the effects of foreign laws which are against US public policy (in this instance, the right to free speech).

There are a host of other issues which arise from these contracts, however. Do companies like the Times understand and follow US legal requirements like the Fair Debt Collection Practices Act or, in the case of selling (and upselling), the Telephone Consumer Protection Act? Even if they do, how does one collect a relatively small debt in a foreign country in an efficient and cost-effective way? In the other direction, Europe has extended its controversial “right to be forgotten” worldwide, creating a compliance nightmare for Google and other big US tech companies, and an unresolved conflict for others without as much skin in the game in Europe.

The Internet makes international business possible from your kitchen table. What that means for public policy and protection for the consumer remains largely unresolved.

A cold wind on privacy


Not just your moment; yours, Verizon’s, Amazon’s …

Standing outside in the chill of what passes for “spring” these days, with a cold breeze numbing the ends of my uncovered ears (it’s SPRING for God’s sake), I listened to my fellow soccer parents discussing the merits of the Senate’s recent vote to rescind the FCC’s as-yet unimplemented privacy rules for ISPs. Overall, I think most of the parents were pretty OK with the loss of some privacy in exchange for the perceived benefits of data sharing. Most of that had to do with the cool things technology can do when given access to data, like making sure your latte is ready before you actually arrive at Starbucks in the morning.

Listening, I was trying to think of why I’m not on board with that logic (other than the fact that I’m not a huge latte fan). Aside from the many concerning ways in which ISPs can and have used data, the bigger problem would seem to be that there’s no real guarantee that the data will remain with the ISP or its marketing partners.

First of all, big companies of all stripes are pretty terrible at keeping data secure. That means that, in addition to that cool location feature which lets you pre-order a latte on the drive to that early-morning soccer tournament, you may be letting hackers in Ukraine into details about your life which may (or may not) allow them to break into your bank accounts or determine the content of that highly sensitive e-mail you received.

Secondly, as lawyers well know, data of all types is discoverable in litigation, so those “innocent” late night visits to Ashley Madison may not be as private as you think they are. While much of that data is already available and discoverable from your e-mail provider or home computer, giving ISPs an incentive to keep and distribute that data certainly won’t improve matters any. Increasing the amount of data available also means more data available to the government, and while it’s nice to believe that only matters if you’ve done something wrong, that’s not always true. In Europe, the public and the courts have been fighting against mandatory data retention rules, even as the US arguably incentivizes the private collection of data.

For or against, there’s not much you can do to protect yourself against data collection – most Americans have limited choice in ISPs, and some have no choice at all. Short of running everything through a VPN (which merely moves the same visibility from your ISP to the VPN provider, and still shows the ISP that you are using one), or simply not using the internet, it looks as though consumers have to get used to the idea that their traffic will be collected and shared by ISPs, the government, and pretty much everyone else who has access to it.