Are violent selfies protected by the Constitution?

by Paul Rubell, Esq.

We all cringe from the recent spate of hateful videos made by criminals while committing heinous felonies. As if their ugly crimes aren’t enough, we have to watch the gruesome spectacle unfold before our eyes on Facebook, Twitter and the nightly news.  The crime victims suffer embarrassment and worse.

Here in New York, a state senator has introduced legislation that would make it a crime to film a video of a violent crime in action. The intent of the proposed law is a good one.  Facebook, Twitter and LinkedIn need to stop felons from using social media to promote their violent crimes online. We do not want to give these hoodlums 15 seconds of fame.

Question:  Are crime-scene selfie videos protected under the Constitution?  News12 asked me to remark. You can watch here:


Senator Philip Boyle’s proposed law probably violates people’s First Amendment rights to speak freely and publish freely. These fundamental freedoms are at the foundation of American law.  Our Constitution guarantees you the right to express yourself.  In fact, the Constitution states that you own the copyright to your own creations including songs, paintings, poems, photos, multimedia, computer code and apps.

Taking videos is a form of expression that is guaranteed by the Bill of Rights.  However, even free speech has constitutional limits. For instance, if you  shout “fire” in a crowded theater, you can be arrested and the 1st Amendment will not protect you. In 1942, the US Supreme Court ruled in Chaplinsky vs. New Hampshire that “fighting words” are not protected speech.

Are crime scene videos the kind of “fighting words” that are unprotected by the Constitution?  I think Senator Boyle’s proposed anti-video law could rupture the 1st Amendment. What do you think?

Not best practices: Apple’s iCloud is neither private nor secure

by Paul Rubell, Esq.

Can your business survive a massive data breach? If your business stores, backs up or syncs its data to the cyber cloud, take note. Apple’s iCloud is currently the subject of ransomware. As you will read, the moral to this article is that confidential business data, trade secrets, customer lists and other information is at peril if it is stored off-site on a remote web server such as Office365 or iCloud. The details are fascinating but the song remains the same as it has always been: caveat emptor when it comes to the world of processing information online.

A hacking group that calls itself the Turkish Crime Family alleges that it has gained remote access to more than 627 million iCloud accounts maintained on Apple’s servers. The group has threatened to delete all of the data maintained on those accounts, as well as data contained on the Apple desktop and mobile devices to which the accounts are connected. Turkish Crime Family has claimed on Twitter that the data will be deleted unless Apple pays a ransom by April 7, 2017. The amount of the ransom is either $75,000 US in Bitcoin or Ethereum blockchain currency or $100,000 US in iTunes gift cards.

Apple users whose email addresses contain the domains ‘icloud.com’ and ‘me.com’ are apparently at risk. The rogue hackers had posted a video on YouTube (ironically a Google company) that purportedly showed communications between the group and Apple. That video has been deleted, presumably at Apple’s insistence.

Notably, even iCloud accounts that utilize enhanced two-factor authentication are vulnerable. This casts a shadow over the entire concept of securing one’s data because most users do not utilize robust 2-F authentication. (This author strongly urges you to enable 2-F on all of your financial and sensitive accounts.)

Apple has not made any public comment about this ransomware threat, presumably because Apple’s often-stated corporate policy is not to pay hostage fees. As a result, 624 million iCloud accounts could be deleted and worse, the computers and devices to which those accounts belong could be wiped clean on April 7th.

Best practice to keep your trade secrets private: avoid Password Managers

by Paul Rubell, Esq.

Information is the currency of 2017. For this reason it is mission-critical to keep data currency safe, secure and private. Just as gold bricks should be stored in a physical safe, data needs to be kept secret electronically.

Passwords are the key to enter the digital vault. Strong passwords are designed to thwart hacking attacks but their drawback is that they can be difficult to remember. A weak password such as “123456” can be memorized, but a more clever password like “A1@b2*C3(d)Zx4#” can be readily forgotten. And when numerous passwords are deployed to protect data further, the problem is exacerbated. There are many ways to keep track of passwords. Although no single method is fool-proof, some techniques are more iron-clad than others.

In order to achieve data privacy, software developers urge their customers to purchase password manager applications. Some apps store passwords in the cloud on a remote web server; others host the electronic keys locally on a mobile or desktop device. In addition, some apps generate complex passwords using mathematical algorithms and store them in a data capsule. No matter how an app’s technology functions, the unifying theme is to secure all points of entry to electronic information in a single place. Experts urge us to use password manager applications for this reason. By the way, it does not matter whether an app is free of charge or not. What really matters is the app’s functionality and security.

As a result, many people download password managers for their Android phones such as LastPass, Keeper, 1Password, My Passwords, Dashlane Password Manager, Informaticore Password Manager, F-Secure KEY, Keepsafe, and Avast Passwords. Each of these popular apps has been downloaded from the Google Play store between 100,000 and 50 million times. What a relief to know that one’s data currency is secured and encrypted.

Unfortunately their security is just vaporware. On February 28, 2017, a group of German security experts issued a report showing that all nine of these apps contain vulnerabilities that make them susceptible to compromise by hackers. In some cases the master key that locks the cryptic safe is stored in plain text, visible to the naked eye let alone to a computer. In other cases features that have been designed to make the apps user-friendly, such as auto-fill, are themselves insecure. To make this point crystal clear — the software developers built their apps with vulnerabilities built in.
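To make the plain-text master key finding concrete, here is an added illustration in Python (not code from the original post or from the German report): a flawed vault that writes the master password to disk beside a hardened vault that keeps only a random salt, a nonce, ciphertext and an authentication tag. The entry encryption is a stand-in keystream built from HMAC-SHA256, because the standard library has no AES; the file layout, function names and sample entries are constructed for this example.

```python
"""Master-key handling in a password vault: plain text vs. derived key.

Constructed example.  The vulnerable store does what the flawed apps did:
the master secret is written as-is.  The hardened store never writes the
master password; it derives a key with PBKDF2, encrypts the entries under
that key and stores salt, nonce, ciphertext and an HMAC tag only.
The keystream cipher below is a stand-in for AES-GCM (not in the stdlib);
use a real AEAD from a crypto library in production.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 200_000


def vulnerable_store(master: str, entries: dict[str, str]) -> bytes:
    """The flawed pattern: master password and entries written in plain text."""
    return json.dumps({"master": master, "entries": entries}).encode()


def _derive(master: str, salt: bytes) -> bytes:
    """64 bytes of key material: first half encrypts, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS, dklen=64)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 counter keystream XORed with data."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hardened_store(master: str, entries: dict[str, str]) -> bytes:
    """Stores salt, nonce, ciphertext and tag; the master password never hits disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key_material = _derive(master, salt)
    enc_key, mac_key = key_material[:32], key_material[32:]
    ct = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()
    record = {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}
    return json.dumps(record).encode()


def hardened_open(master: str, blob: bytes) -> dict[str, str]:
    """Unlocks the vault; a wrong master password or a tampered file fails the tag check."""
    rec = json.loads(blob)
    salt, nonce, ct = (bytes.fromhex(rec[k]) for k in ("salt", "nonce", "ct"))
    key_material = _derive(master, salt)
    expected = hmac.new(key_material[32:], nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_keystream_xor(key_material[:32], nonce, ct))


def leaks_master(blob: bytes, master: str) -> bool:
    """Audit check: does the stored blob contain the master password verbatim?"""
    return master.encode() in blob


if __name__ == "__main__":
    master = "A1@b2*C3(d)Zx4#"          # the post's example of a strong password
    entries = {"bank": "hunter2"}        # constructed vault content
    print("vulnerable leaks master:", leaks_master(vulnerable_store(master, entries), master))
    blob = hardened_store(master, entries)
    print("hardened leaks master:", leaks_master(blob, master))
    print("unlocked:", hardened_open(master, blob))
```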


Relying on an app in the cloud to keep a company’s trade secrets private is irresponsible.  If you need a financial incentive to protect your company’s golden eggs, you should be aware that some cyberliability insurance policies exclude data breaches from insurance coverage, if the breach might be related to the company’s use of insecure software applications such as password managers. It is incumbent upon each of us to design protocols and corporate policies that maintain the integrity as well as the privacy of the gate-keepers to our most important and vulnerable trade secrets.

Caveat emptor.  Let the buyer beware.  Best practice demands more from each of us than downloading apps from that iCandy Store in the Cloud. The Google Play store is insecure, as are the password manager apps that are available for download there. After decades of building your business, it is reckless for you to rely blindly on public software to protect your golden goose. Your company does not want to litigate and you do not want to lose a shareholder derivative lawsuit claiming that you breached your fiduciary duty by failing to secure information.

Take due care and exercise due caution.  Get expert advice.  Purchase cyberliability insurance.  Develop best practices.  Build a digital Fort Knox to keep safe your business’ trade secrets.


Twitter says hello to hacking; Users say goodbye to privacy

By Paul Rubell, Esq.

The President has illustrated the power of social media by his use of Twitter. Like Facebook and LinkedIn, Twitter is a “platform” that enables users to interact “socially” with each other online. However as Twitter has gained popularity with hundreds of millions of users, it has also come under attack by hackers and bad actors worldwide. These global social platforms have enormous armies of employees guarding their crown jewels to avert hacking. But as with any system, it is the weakest link that can cause the stronger links to fail. Witness the Target hack that was caused by an HVAC contractor’s connection to Target’s intranet.

On March 14, 2017, thousands of global Twitter accounts were compromised, apparently by racists and/or a rogue government. The EU Parliament, Forbes, Amnesty International, UNICEF, Nike Spain and other social sites were defaced. These accounts were flooded with swastikas and hashtags including “#NaziHollanda”. Profile pictures of users were changed to pictures of the Turkish flag. A link to a Youtube site was inserted into many of these Twitter accounts with text containing the cruel words “Nazi Germany, Nazi Netherlands! Do not force the patience of the Turk. We got out of this way by wearing our kefen.”

Politics aside, the real legal issue and technological quandary is that the Twitter accounts were illegally accessed via a weak link in the flow of social information. In this instance, a 3rd party application called TwitterCounter.com was hacked, and in turn Twitter Counter unwittingly and robotically instructed Twitter to modify the contents of its users’ accounts.

Twitter Counter is an analytic tool that connects to Twitter and enables its users to determine information about their accounts’ metrics. Twitter Counter is one of thousands of so-called 3rd party apps that are used to access or interact with major social media platforms. What is a 3rd party app? As examples, Apple does not produce all of the mobile apps that are available from its App Store, and Google does not develop all of the apps on Google Play. These apps have been developed by outside companies who have been granted permission to interface with the main social platforms. They are called third-party applications, or 3rd party apps for short.

In the world of social media, many people use TweetDeck and HootSuite to monitor and post their tweets, Facebook posts and LinkedIn updates seamlessly, with scheduling and other useful features that are not readily available on Twitter’s or Facebook’s own platforms. These are 3rd party apps. So is Twitter Counter. But not all 3rd party apps are as safe and secure as you’d like. And none of them have the manpower (sorry for the sexist word) and financial strength of the Big 3 (Twitter, Facebook, LinkedIn) to ensure cyber protection. Thus you have to use 3rd party apps with caution.

Where is the legal part to this story? Privacy of information is the gold standard to which one must strive. A company’s website needs to have its own privacy policy. If a company’s web user clicks its site’s Facebook or Twitter button, the user will suddenly find herself on Facebook instead of the company’s proprietary site. She is traveling on Facebook’s webpages. As a result, entirely different privacy practices will apply to her. As a dramatic example, Mark Zuckerberg renamed his Privacy Policy as a Data Policy because there is no such thing as privacy on Facebook. Without politicizing the matter, it is important for websites to inform their users that once they travel through cyberspace to a social media site, their privacy will be regulated by the social site’s privacy rules, not their own.

And what of 3rd party apps? When you access a social media site (such as a company’s Facebook page) via HootSuite, for example, your usage is governed by the privacy policies of the 3rd party app as well as the Facebook platform. Remember the weak link in Target. Not all 3rd party apps are safe to use. Some are soft because of financial insecurity. Others are unsafe because they may have unsavory owners or employees who can access customer data. In any case, 3rd party apps create a backdoor to the major social platforms. If the backdoor to your home is not locked securely, a thief can enter and steal your property. Similarly, if a 3rd party app is insecure (by design or error or just bad computer coding), a hacker or bad actor or disgruntled employee can steal your identity and private information.
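The weak-link problem described above, as an added illustration in Python (not code from the original post, from Twitter or from Twitter Counter): a platform that issues each third-party app a token limited to the scopes the user granted. An analytics tool that only needs to read metrics holds a read-only token, so a compromise of that tool cannot rewrite profiles, and the platform can revoke every token belonging to one app at once. The scope names, token format and API are constructed for this example.

```python
"""Scope-bound delegated access for third-party apps (constructed example).

The defacement described in the post required a third-party tool to hold
write access it did not need for its job.  The platform below checks the
token's granted scopes on every call and can revoke all of one app's tokens
without touching users' passwords.  Names and formats are invented here.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

# Scopes the platform understands (constructed, not Twitter's own names).
READ_METRICS = "metrics:read"
WRITE_PROFILE = "profile:write"


@dataclass
class AppToken:
    app_name: str
    user: str
    scopes: frozenset[str]
    secret: str
    revoked: bool = False


@dataclass
class Platform:
    """A minimal social platform holding user profiles and issued app tokens."""
    profiles: dict[str, dict] = field(default_factory=dict)
    tokens: dict[str, AppToken] = field(default_factory=dict)

    def authorize_app(self, user: str, app_name: str, scopes: set[str]) -> str:
        """The user grants an app a bearer token limited to the requested scopes."""
        token_id, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token_id] = AppToken(app_name, user, frozenset(scopes), secret)
        return f"{token_id}.{secret}"

    def _check(self, bearer: str, needed: str) -> AppToken:
        """Reject unknown, revoked, forged or under-scoped tokens."""
        token_id, _, secret = bearer.partition(".")
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked:
            raise PermissionError("unknown or revoked token")
        if not hmac.compare_digest(tok.secret, secret):
            raise PermissionError("bad token secret")
        if needed not in tok.scopes:
            raise PermissionError(f"{tok.app_name} lacks scope {needed}")
        return tok

    def get_metrics(self, bearer: str) -> dict:
        tok = self._check(bearer, READ_METRICS)
        return {"followers": self.profiles[tok.user]["followers"]}

    def set_profile_image(self, bearer: str, image: str) -> None:
        tok = self._check(bearer, WRITE_PROFILE)
        self.profiles[tok.user]["image"] = image

    def revoke_app(self, app_name: str) -> int:
        """Platform-side kill switch once a third-party app is known to be compromised."""
        revoked = 0
        for tok in self.tokens.values():
            if tok.app_name == app_name and not tok.revoked:
                tok.revoked = True
                revoked += 1
        return revoked


def demo() -> tuple[bool, bool, int]:
    """Returns (read_ok, write_blocked, revoked_count) for the constructed scenario."""
    p = Platform(profiles={"example_org": {"followers": 7_000_000, "image": "logo.png"}})
    # Least privilege: the analytics app is granted read-only scope.
    analytics = p.authorize_app("example_org", "counter-analytics", {READ_METRICS})
    read_ok = p.get_metrics(analytics)["followers"] == 7_000_000
    # A stolen analytics token cannot change the profile.
    try:
        p.set_profile_image(analytics, "defaced.png")
        write_blocked = False
    except PermissionError:
        write_blocked = True
    return read_ok, write_blocked, p.revoke_app("counter-analytics")


if __name__ == "__main__":
    print(demo())  # (True, True, 1)
```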

Companies’ privacy policies need to inform their users about all of these risks. Most CEO’s don’t realize that they may be unwittingly putting their customers in harm’s way by linking to LinkedIn with a button – and they’d be shocked to find this out the hard way, after a data breach has occurred. From a lawyer’s vantage, disclosure can cleanse many problems. Telling your users about the potential pitfalls to their privacy can be a good defense to a lawsuit or criminal investigation following a breach. The “I told you” defense is my own mantra when I prepare Internet policies for clients.

So travel the Internet safely and protect your business with technology and with solid legal safeguards in place. 


Awaiting the President’s Cybersecurity Executive Order

by Paul Rubell, Esq.

Witness today’s risks of cyber crime.  Hackers, bad actors and foreign governments have long had the ability to assault our Nation. Current events have opened citizens’ eyes to the reality of the cyber threat. It is remarkable how the public has either forgotten or turned a blind eye to well-known security breaches such as those at Target and Yahoo. It has taken a national election for the public to recognize that the specter of data breaches is not theoretical and that its ramifications extend far beyond credit card data.

In February 2016, President Obama signed an Executive Order that established a nonpartisan Presidential Commission on Enhancing National Security. Four countervailing premises spurred the Executive Order. First, the advent of advanced and interconnected technologies benefits the country and its economy. Second, these benefits pose significant security challenges and threats. Third, individual privacy rights need to be protected. Fourth, despite the risks, we need to encourage breakthroughs in new technologies to solve many of the problems that the world faces. The executive order stated that its foundation was laid:

“in order to enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security…”

With those grand goals in mind, the Commission issued its report in December 2016, after the election and prior to Inauguration Day. Its “Report on Securing and Growing the Digital Economy” addressed ten sweeping topics: federal governance, critical infrastructure, cybersecurity research and development, cybersecurity workforce, identity management and authentication, Internet of Things, public awareness and education, state and local government cybersecurity, insurance, and international issues. The Commission recommended to the incoming President that the White House needs to be the locus for government and private-sector security initiatives.


Shortly after the President took office in January 2017, he stated that:

“I will hold my Cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organizations which we probably don’t have as much, certainly not as much as we need”

With that in mind, an Executive Order entitled “Strengthening U.S. Cyber Security and Capabilities” was drafted but never signed. A few weeks later, in February 2017, a revised Executive Order was proposed, called “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”. As before, this proposed order has neither been signed nor released publicly. Unlike prior efforts to combat cyber risk, this latest draft order focuses on the federal government’s internal cyberspace efforts to deter malicious attacks and protect the country from them. The draft Order was designed to call upon all federal agencies to modernize their internal IT (information technology) systems and coordinate and cooperate with each other. In addition, the head of each agency was to be responsible for his/her agency’s cybersecurity initiatives. The buck is not to be passed down the ladder to the agency’s CIO.  I have stated for many years that the corner office in private industry as well as the public sector is the place where cyber responsibility must reside. The CEO is the only person who should direct his/her company’s Twitter feed, oversee its Facebook page or ensure the security of personal customer data. The new President appears to share that view by placing the onus of cyber responsibility on agency chiefs, not subordinates.

However, this latest draft Executive Order was met with criticism from industries that are considered central to national infrastructure, including telecommunications, banks, energy, water and public transportation. These industries would have been subjected to additional government requirements beyond those imposed upon other private sector businesses. As a result of this push back, the President has withheld signing the Executive Order.

With this backdrop in place, a noted Cyber Policy Task Force issued its own recommendations to the new Administration. Its report “From Awareness to Action: A Cybersecurity Agenda for the 45th President” states that many of America’s current cyber policies are antiquated. The recommendations call for developing an international cybersecurity strategy, increasing transparency so that the public becomes aware of data breaches, evaluating the pros and cons of encryption, and addressing IoT (Internet of Things) risks to global cyberstability.

At the V4 Cybersecurity Conference held at Google Headquarters in Washington, DC on March 7, 2017, Rudolph Giuliani recommended that companies should subject themselves to attacks on their IT infrastructure by “red teams” of outside firms that specialize in penetrating security vulnerabilities. So-called “white knight” hacking can be a good way for companies to test and strengthen their internal cyber defenses.

The Internet has become part of our nation’s infrastructure, just like roads, bridges and the power grid. We await the President’s cybersecurity Executive Order with eagerness because it has never been more important to ensure the safety of our country’s infrastructure.


Net Neutrality is No More

By Paul Rubell, Esq.

Internet users have been suddenly stripped of an important source of privacy protection.  On March 1, 2017, the Federal Trade Commission (FTC) and Federal Communications Commission (FCC) abruptly suspended the net neutrality rules that had been scheduled to go into effect on March 2nd.

Internet users in the United States have long been protected by privacy frameworks such as the Consumer Privacy Bill of Rights and by government agencies such as the FTC. These privacy protections were vastly enhanced on October 27, 2016 when the FCC adopted rules that empowered users to decide how their personal data is used and shared by broadband Internet providers (ISP’s) such as Verizon and ATT. These rules, commonly known as “net neutrality”, require ISP’s to obtain the express consent from customers before sharing or using their personal information. Before net neutrality, ISP’s were immune from consumer privacy laws because they are regulated as public utilities like the electric company rather than providers of consumer services.

In adopting net neutrality, the FCC stated that “privacy rights are fundamental because they protect important personal interests—freedom from identity theft, financial loss, or other economic harms, as well as concerns that intimate, personal details could become the grist for the mills of public embarrassment or harassment or the basis for opaque, but harmful judgments, including discrimination.”

ISPs serve as a consumer’s “on-ramp” to the Internet. Providers have the ability to see a tremendous amount of their customers’ personal information that passes over that Internet connection, including their browsing habits, beliefs, preferences and likely future activities. The FCC determined that consumers deserve the right to decide how that information is used and shared — and to protect their privacy and their children’s privacy online.

ISP’s have access to all sorts of personal information, including your geolocation, your children’s information, health information, financial data, Social Security number, your Internet browsing history, app usage history, financial status, familial status, race, religion, political leanings, age, location and most significantly, the content of your communications. Under the October 2016 net neutrality rules, ISPs became required to obtain affirmative ‘opt-in’ consent from consumers before using or sharing sensitive information. The FCC required ISP’s to provide transparency to their customers with “clear, conspicuous and persistent notice” about the information they are collecting, how and when they share the information, and the types of advertisers and others with which the ISP shares these kinds of information. In addition, ISP’s became subject to the same government privacy requirements that the FTC imposes on search engines such as Google, social media such as Facebook, and other edge providers.

Needless to say, neither the ISP’s nor their advertisers were happy with the new regulatory scheme. On March 1, 2017, the new Administration’s FCC Chair delayed the implementation of the regulations.  In announcing the decision, the FCC stated that “After all, Americans care about the overall privacy of their information when they use the Internet, and they shouldn’t have to be lawyers or engineers to figure out if their information is protected differently depending on which part of the Internet holds it.” It may be worth noting that the FCC Chair was formerly Associate General Counsel at Verizon Communications Inc.

In the absence of protection, ISP’s can once again sell your personal information for advertising purposes without asking for your permission or letting you know about it.

Cross-Browser Tracking: It’s time to update your Privacy Policy!

by Paul Rubell, Esq.

It is remarkable that many companies do not know the vastness of private information they obtain from their social media and website.  It is essential for every business to understand its legal responsibility to protect its customers’ personal information.

OLD NEWS:  Web browsers can follow your voyage through the Internet. Firefox, Internet Explorer, Chrome and Safari can watch you jump from one website to the next as you journey across the hyperlinks. A company can incur legal liability when its social media, mobile apps and website obtain personal information while tracking you, and you run the risk of losing your legal right to maintain your privacy.

NEW NEWS:  Web browsers have learned how to track your hyperlinks across browser platforms. Some of us keep browser windows open in multiple browsers at the same time to expedite surfing. For instance, I often run Firefox, Chrome and Safari at the same time. I like to study different subjects in alternate browsers but sometimes a hyperlink in one browser’s window will send me to the other browser’s window. This is important because suddenly two browsers can monitor your web movement as well as your jumps from, say, Firefox to Chrome and back. For example, Firefox will leave a digital “fingerprint” on a computing device when it visits a website. Through cross-browser tracking, another browser like Chrome can detect and use Firefox’s fingerprint when it runs on the same mobile device or computer.  In this way, a company can continue targeting advertisements to its users even if they change browsers.

Web tracking presents significant privacy law issues. A company can face business risks and legal responsibilities when it obtains personally identifiable information (PII) from people who visit its social media or website. This was true with older website tracking and it is just as true and even more important today with the advent of multiple-browser tracking. More and more private information will become susceptible to online harvesting and analysis.

United States and international laws protect individuals’ most private information including healthcare records, financial secrets and students’ education records. Your name, address, Social Security number and date of birth are unquestionably private and need to be protected. In contrast, some personal information may not seem private or important to you — but in the hands of a bad actor, your vacation schedule, your nephew’s name or the names of your online “friends” can become very valuable. Advertisers and consumer product companies want to obtain information about you. They see your world very differently than you do. They see your world as a dark secret waiting to be uncovered and sold for lawful reasons as well as for illegal purposes.

How can a business avoid liability for obtaining web tracking data from its social media or website?  Full disclosure is the best way to avoid liability. It is essential to inform your customers and media users that your business collects private information from them. Once they have been notified, your customers will not be able to claim ignorance of your Internet practices and data retention policies. For this reason, your business needs a good Privacy Policy that specifically notifies users about what data your company collects and what it does with the data.

Do Not Track is an opt-out setting in most browsers that allows a user to electronically inform companies that she does not want to be tracked across the web on websites and social media. By turning on this setting, a user’s mobile device or computer will send a digital signal to websites and social media to inform them that she does not want to be tracked. According to Google, some websites respect Do Not Track requests and others do not. Compliance with Do Not Track is voluntary, not mandatory. As a result, even when a user sends a digital no-track request, many websites will ignore the request and continue to collect all sorts of browsing data.  A user is not able to force a website to stop tracking her or to know whether her digital footprints are being followed.
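The “digital signal” above is the DNT request header (DNT: 1). As an added illustration in Python, not code from the original post or from any browser vendor, here is what a site that chooses to honour it does: a small WSGI application that sets a tracking cookie only when DNT is absent or off, and reports its decision with the Tk response header from the W3C Tracking Preference Expression draft (“N” for not tracking, “T” for tracking). The cookie name, the two sample requests and the handler are constructed for this example.

```python
"""Honouring the Do Not Track (DNT) header on the server side (constructed example).

A browser with Do Not Track enabled sends "DNT: 1" on every request.  WSGI
exposes that header as environ["HTTP_DNT"].  The app below issues no tracking
identifier when the header is present and announces its decision with the
"Tk" response header ("N" = not tracking, "T" = tracking).  Compliance is
voluntary; this is what a compliant site actually does.
"""
from __future__ import annotations

import secrets
from typing import Callable, Iterable

# Tracking Status Values from the W3C Tracking Preference Expression draft.
TK_NOT_TRACKING = "N"
TK_TRACKING = "T"
TRACKING_COOKIE = "trk"  # constructed cookie name


def dnt_enabled(environ: dict) -> bool:
    """True when the request carries DNT: 1 (a value of 0 means tracking is allowed)."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def has_tracking_cookie(environ: dict) -> bool:
    cookies = environ.get("HTTP_COOKIE", "")
    return any(c.strip().startswith(TRACKING_COOKIE + "=") for c in cookies.split(";"))


def app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """WSGI application: track only when the visitor has not asked not to be."""
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if dnt_enabled(environ):
        # No identifier is issued and nothing about this visit is recorded.
        headers.append(("Tk", TK_NOT_TRACKING))
        body = b"Do Not Track honoured: no tracking cookie set.\n"
    else:
        if not has_tracking_cookie(environ):
            tracking_id = secrets.token_urlsafe(16)
            cookie = f"{TRACKING_COOKIE}={tracking_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
            headers.append(("Set-Cookie", cookie))
        headers.append(("Tk", TK_TRACKING))
        body = b"Tracking cookie in place.\n"
    start_response("200 OK", headers)
    return [body]


def handle(environ: dict) -> tuple[str, dict[str, str], bytes]:
    """Run the app against a WSGI environ dict; returns (status, headers, body)."""
    captured: dict = {}

    def start_response(status: str, headers: list[tuple[str, str]]) -> None:
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed requests: one browser with Do Not Track on, one without.
DNT_REQUEST = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_DNT": "1"}
PLAIN_REQUEST = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}

if __name__ == "__main__":
    for env in (DNT_REQUEST, PLAIN_REQUEST):
        status, hdrs, body = handle(env)
        print(status, "Tk:", hdrs.get("Tk"), "Set-Cookie:", hdrs.get("Set-Cookie"), body.decode().strip())
```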

Today’s new cross-browser tracking technique is just another indication that data harvesting is here to stay. The challenge for any business is to avert online legal liability. One of the best ways for a company to protect itself from liability is by updating its Privacy Policy.  With an enhanced policy in place, every mobile user and social media consumer will understand the extent of a company’s collection of personal data. By disclosing this information to the public in a customized Privacy Policy, companies can mitigate their risk of litigation and adverse publicity.