Computer User, You've Got Jail: Terms of Service and Computer Usage Policies in Civil and Criminal Cases

The Computer Fraud and Abuse Act (CFAA) prohibits accessing a computer without authorization or in excess of authorized access. The law has been used in civil cases in a variety of contexts for some time. The CFAA drew attention last year, however, when it was applied in the criminal prosecution of Lori Drew over the suicide of Megan Taylor Meier, a 13-year-old girl who took her own life after being cyber-bullied and harassed by Drew.

The cyber-bullying involved Drew pretending to be someone else through a fictitious MySpace account she created. Using the account that way violated MySpace's terms of service, making the access "unauthorized," and that breach of a terms of service agreement was the basis for applying the CFAA and supporting Drew's criminal conviction. Using a private company's terms of service to define criminal liability under the CFAA led many to argue that the case has far-reaching consequences: a number of critics asserted it went too far, while others hailed it as a positive step toward protecting children online. Regardless, the case illustrates the changing nature of our laws and technology, and the emerging attempts to apply existing laws in novel ways, especially where the law may be lagging behind technology's pace.

Orin Kerr, at The Volokh Conspiracy blog, posts about a case that seeks to test, or expand, the CFAA criminal liability theory even further. In Lori Drew, Take2? The Government's Computer Fraud and Abuse Act Prosecution in United States v. Nosal, Kerr offers,

... the government is testing a similarly broad theory of the CFAA, if not an even broader one. The case is United States v. Nosal, No. CR 08-0237 MHP, ....

Businesses Beware: FTC Red Flag Rule Requiring "Identity Theft Prevention Programs" Becomes Effective May 1, 2009

After a six-month extension, the Federal Trade Commission's Red Flag Rule on businesses' and organizations' identity theft prevention programs goes into effect May 1, 2009. In sum, the Rule requires covered companies and organizations (which include most operating businesses, both large and small) to develop and adopt a comprehensive "Identity Theft Prevention Program" as part of their day-to-day operations.

The Rule requires the development, implementation, and administration of a Program that must address four key areas:

  1. Identifying Red Flags - Identify the suspicious patterns, practices, or specific activities that may indicate identity theft in your business (the "Red Flags").
  2. Detecting Red Flags - Procedures to detect the Red Flags you have identified.
  3. Preventing and Mitigating Identity Theft - An action plan for responding when Red Flags are detected.
  4. Updating the Program - A process for periodically re-evaluating and revising your identity theft program.

There has been some confusion over who must comply with the Red Flag Rule. The Rule applies to both "financial institutions" and "creditors" that have "covered accounts." These terms have caused uncertainty because they do not refer to specific industries but to anyone who falls under the definitions. For instance, "creditor" includes businesses and organizations that:

  • Regularly defer payment for goods or services or provide goods or services and bill customers later;
  • Regularly grant loans, arrange for loans or the extension of credit, or make credit decisions;
  • Routinely participate in decisions to extend, renew, or continue credit, including setting the terms of the credit; or
  • Extend credit to other businesses.

This expansive definition of "creditor" means most businesses would be considered creditors under the Rule. Whether this interpretation holds up under later judicial review is an open question, but for now the FTC is clearly casting a wide net in defining "creditor." With respect to covered accounts, these are either:

  1. Consumer accounts that are primarily for personal, family, or household purposes and that involve, or are designed to permit, multiple payments or transactions; or
  2. Any other accounts for which there is a reasonably foreseeable risk to customers, or to the safety and soundness of the financial institution or creditor, from identity theft, including financial, operational, compliance, reputation, or litigation risks.

If the Rule applies, the size, scope, and complexity of the business are all factors to consider in designing its specific Program. Because noncompliance can bring heavy fines, adopting and implementing a Program as soon as possible is advised.

The FTC offers resources that may help with developing an Identity Theft Prevention Program.


Marathon Monday, Patriots' Day, and Privacy Law

Throughout Massachusetts, including Boston, where crowds awaited the victors, today is “Marathon Monday,” the day of the Boston Marathon, a challenging race in which many individuals strive toward a common goal.

Through the streets of Boston, some will run fast, some slow. Regardless (or “Irregardless,” as is often heard here), the field of runners couldn’t participate unless there were a shared goal and a protected course laid out for their journey. Shouldn’t we aim for the same in privacy law and policy: a shared goal of protecting individuals’ privacy rights while defending against infringements along the way?

Society’s direction on the information superhighway, however, is nowhere near as well laid out and organized as the Boston Marathon. While the Internet is a course we are all racing on more and more, law and policy aren’t the ones leading the pack or setting the pace. Rather, a widening gap is developing between the law (looking back over its shoulder at precedent to gauge how it’s doing) and a Web 2.0 world racing ahead at the quickening pace of Moore’s law.

But privacy’s race is not yet lost: individuals’ rights have triumphed before and are the fabric of our democracy. In Boston, today is not only “Marathon Monday,” it is also Patriots’ Day, a day honoring the first battles of the Revolution, fought on April 19th, 1775, in Lexington and Concord. Ralph Waldo Emerson memorialized that day in this stanza, with its famous last line,

By the rude bridge that arched the flood,
Their flag to April's breeze unfurled;
Here once the embattled farmers stood,
And fired the shot heard 'round the world.

In a day when information travels round the world in an instant, what rights will be secured and which ones might be forgotten?

Obama On His Privacy and Anonymity Regrets

Tom Raum, an AP writer, recounts in his White House Notebook series that a young woman from Heidelberg, Germany, recently asked U.S. President Obama whether he ever regretted running for president:

Before becoming a political celebrity, he [Obama] said that when he visited Europe he was free to wander down to a cafe, sip wine, do some people-watching and shopping, and watch the sun set. "Now, I'm in hotel rooms all the time and I have security around me all the time," said Obama…. 

Answering the query about regrets, he also noted the loss of "privacy and anonymity." But he was quick to add that "there's nothing more noble than public service."

While the nobility of public service may be worth the President’s privacy regrets, do these casual remarks hint at global concerns in a new Web 2.0 world order? I find it interesting that Obama’s statements came during his first overseas trip as President. With technology’s reach making all nations virtual neighbors on the Internet, are privacy concerns best addressed by local, national, or international laws or standards? To whom should they apply? How do we best safeguard privacy rights in this new digital world, and how do we respond to intrusions into a private person’s privacy and anonymity?

While Massachusetts, California, and Nevada are enacting independent privacy laws of sorts, what effect do these have on those outside their borders, both within the U.S. and abroad? Recently we’ve seen a call for nationalizing the web for public safety reasons. Is a privacy argument next? If not, how will privacy be protected in the cloud, and how will we handle those who make unwanted intrusions? These and other concerns are raising interesting policy questions for a linked-in, globally interdependent world.

Some may ask, “Is an Obama administration likely to get tech and its issues?” Granted, there’s much on his plate and agenda, but don’t forget that during this same trip the President (also referred to in the above article as “geek-in-chief”) gave the Queen of England an engraved iPod while visiting Buckingham Palace. Maybe a tech-friendly president, coupled with his privacy regrets, might still open the door to meaningful policy debate and innovative privacy legislation.