On September 5, the Federal Trade Commission published its first guide written specifically with mobile app developers in mind.  Entitled “Marketing Your Mobile App: Get It Right From the Start,” the guide is not legally binding, but it does set out guidelines to help mobile app developers comply with truth-in-advertising and privacy laws.  In particular, the guide lays out seven principles for complying with federal data privacy requirements under statutes like the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the Federal Trade Commission Act.  Click here for the press release and a link to the guide.

Twitter will appeal the recent decision of a New York court ordering it to turn over the tweets of an Occupy protester being prosecuted for disorderly conduct.  Twitter’s legal counsel, Benjamin Lee (@BenL), announced the decision in a tweet (how apropos).  Read the Wall Street Journal story here.  We’ll follow the appeal.

Not knowing others can see your Facebook comments doesn’t mean you can sue for invasion of privacy. —  Sumien v. Careflite, 2012 WL 2579525 (Tex. Ct. App. July 5, 2012)

This case goes into the category of “what you don’t know can hurt you.”  Two emergency medical technicians (Sumien and Roberts) had an exchange on the Facebook wall of another co-worker in which they made derogatory comments about a patient they had transported via ambulance.  Haynes, the sister of a compliance officer at the two technicians’ employer (CareFlite), saw Roberts’ comments and was offended.  Haynes notified her sister (Calvert), who had access to the comments because she was Facebook friends with Roberts.  After Haynes complained to the management of CareFlite, Sumien and Roberts were terminated.  They sued CareFlite for unlawful termination and invasion of privacy.  The trial court granted summary judgment to CareFlite on all claims, and one of the technicians (Sumien) appealed.  The only issue in the appeal was whether the trial court should have granted summary judgment on the intrusion upon seclusion claim.

One of the requirements of an “intrusion into seclusion” claim is, unsurprisingly, an intentional intrusion into the seclusion or private affairs of another.  Sumien argued that CareFlite intruded upon his seclusion because one of its employees read his comments.  Sumien claimed to be unaware that Roberts’ Facebook friends (including Calvert) could see the comments he posted on Roberts’ wall.  Too bad, said the court.  The comments were visible to Roberts’ friends, and so there was no intrusion into a private matter.

LegalTXTS Lesson: Know your privacy settings, and think through who could see what you share in the social media space.  This seems rather obvious, but then again, there are those who don’t do this and then claim their privacy has been invaded.  The other point is that an intrusion into seclusion claim based on material posted on a social media network is probably difficult to win.  Some courts, like the one that ordered Twitter to comply with a subpoena last week, simply don’t regard posts on social media as private at all.

LinkedIn announced on June 6 that it experienced a data breach compromising the passwords of some of its members.   Ten days later, LinkedIn got hit with a class action lawsuit.  The lawsuit was filed in a California federal district court.  You can read the complaint here.

A few key points about the lawsuit:

  • The plaintiffs consist of two classes — (1) anyone in the U.S. who had a LinkedIn account on or before June 6, 2012, and (2) anyone in class #1 who paid for a premium account.
  • The lawsuit alleges that LinkedIn did not comply with industry standard encryption protocols, contrary to its Privacy Policy.  Specifically, the plaintiffs contend that LinkedIn stored member passwords in “unsalted SHA1 hashed format.”
    • In simple terms, adding “salt” to a password means attaching random values to the password to make it more difficult to decipher.  For example, if the password were “JohnDoe,” you could salt it by adding the characters “5a6b7c,” giving you “JohnDoe5a6b7c.”
    • Hashing refers to the process of running a password through a cryptographic function to convert it into an unreadable and encrypted format.  The plaintiffs say that LinkedIn used an outdated hashing function that was first published by the NSA in 1995.
    • The plaintiffs say that LinkedIn should have at least salted the passwords before running them through the hash function.  Better yet, LinkedIn should have salted the passwords, input them into the hash function, salted the resulting hash value, and then run that salted hash value through a hash function again.  Then, LinkedIn should have stored the fully encrypted password on a separate and secure server apart from all other user information.
  • The lawsuit brings claims based on California’s unfair competition law, California’s Consumers Legal Remedies Act, breach of contract, breach of implied covenant of good faith and fair dealing, breach of implied contract, and negligence.
  • The plaintiffs in the first class (all LinkedIn users) say they were injured in the form of loss of value in their personal information.  (Whether the court will accept that damage theory is questionable.)  Those in the second class (premium members who paid fees) say they were injured in the form of the fees they paid to LinkedIn for premium membership.
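To make the salting and hashing points above concrete, here is an added Python illustration (not part of the original post, and not LinkedIn’s code) that contrasts the alleged unsalted SHA-1 storage with per-user salting and with a slow, salted key-derivation function.  The account list, the salt lengths and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users chose the same password on purpose.
USERS = {"alice": "JohnDoe", "bob": "JohnDoe", "carol": "correct horse battery"}
ITERATIONS = 200_000  # illustrative work factor for the hardened scheme (assumption)

def sha1_unsalted(password: str) -> str:
    """The format the complaint alleges: a single SHA-1 over the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()

def sha1_salted(password: str, salt: str) -> str:
    """The post's example: append the salt to the password, then hash."""
    return hashlib.sha1((password + salt).encode()).hexdigest()

def build_table(users: dict, salted: bool) -> dict:
    """Simulate a stored credential table, with or without a random per-user salt."""
    table = {}
    for user, pw in users.items():
        if salted:
            salt = os.urandom(6).hex()  # fresh random salt for each account
            table[user] = (salt, sha1_salted(pw, salt))
        else:
            table[user] = (None, sha1_unsalted(pw))
    return table

def users_with_shared_hash(table: dict) -> int:
    """Count accounts whose stored hash equals another account's hash.
    An unsalted table exposes this: equal passwords give equal hashes, so
    one recovered password unlocks every account in the group at once."""
    groups = {}
    for user, (_salt, digest) in table.items():
        groups.setdefault(digest, []).append(user)
    return sum(len(g) for g in groups.values() if len(g) > 1)

def make_record(password: str) -> tuple:
    """Hardened form (an assumption for illustration, not LinkedIn's remedy):
    random 16-byte salt plus PBKDF2-HMAC-SHA256 so each guess costs real work."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_record(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```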