Friday, February 17, 2012

Facebook and the State of Washington Join Forces in Fighting Online Spam

Posted by Na Zhu at 11:55 AM
Categories: Computers, Court, Internet, Privacy

Photo titled "Dislike" by Charlotte Road on Flickr

For the first time since the enactment of the federal CAN-SPAM Act, a state government and a private company joined forces in protecting consumers from spammers/scammers. On January 26, 2012, Facebook and the State of Washington filed two separate lawsuits against internet marketing company Adscend Media, alleging violations of the anti-spam law. Specifically, they claimed that Adscend Media tricked Facebook users into clicking deceptive links that appeared as recommendations from their friends. These deceptive links led users to disclose their personal information, directed them to advertising sites, and continued the cycle of spreading spam to their friends.

The CAN-SPAM Act was enacted by Congress in 2003, aiming to protect consumers from unsolicited commercial email. It requires that all commercial electronic mail must clearly and conspicuously identify the message as an ad in the subject line, clearly and conspicuously disclose to the recipient an opt-out right to not receive future emails in the text body, and cease transmission of commercial emails within 10 days of receipt of the opt-out request. The Act also establishes tough penalties of up to $16,000 for each separate email; it also grants the government and private parties the right to bring civil and criminal action against violators.

The Act covers all commercial messages, defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” Courts have interpreted “electronic mail message” broadly, reasoning that such a broad interpretation is consistent with Congress’ intent to curtail the number of misleading commercial messages that overburden the infrastructure of the internet. In Myspace v. Wallace and Myspace v. the Globe.com, Inc., the Central District Court of California defined an electronic mail message as a message deliverable to a unique electronic mail address. An electronic mail address is a form of electronic communications, including a traditional email address, inbox, and other alternative forms. A message posted on a Facebook wall, news feed, or home page is an electronic mail message.

The Act grants a limited right to a private party (namely internet access service providers) to bring a civil action against alleged offenders in federal court. In order to have standing to bring such action, an internet access service provider must show an adverse effect by the violation of the Act. “An adverse effect” can be a very high standard in some jurisdictions, requiring an actual harm from specific messages, rather than a general harm from receiving messages. Despite the limited private right and high standard of proving an adverse effect, more and more private entities enjoy success against spammers. For example, Facebook has been awarded millions of dollars in judgments under the CAN-SPAM Act since 2008, including an $873.3 million judgment against a Canadian-based site for illegally using Facebook users’ log-in information to distribute spam, and a $711 million judgment against “spam king” Sanford Wallace for fraudulently gaining access to Facebook accounts and using them to send spam throughout the Facebook network.

States have the right to bring a civil action on behalf of their residents if they reasonably believe that the interests of their residents have been or are threatened or adversely affected by commercial email senders. States can either seek to enjoin future violations, or recover monetary damage. The bar for the latter is much higher than the former. A state must prove that an alleged offender had actual or implied knowledge of the alleged unlawful conduct in order to recover monetary damage, which is not required in an enjoinment action.

In the current joint action against Adscend Media, it is likely that both Facebook and the State of Washington have a good chance of winning. Under the broad interpretations promulgated by the courts, messages Adscend Media sent to Facebook users were electronic messages because they reached destinations receivable by Facebook users. These messages were fraudulent, as they were not recommended by Facebook users’ friends as their outward appearance would suggest. The messages were deceptive and intended to direct unsuspecting Facebook users to third party commercial sites so as to obtain the user’s personal information. Facebook suffered damages because its rights were violated. The interests of citizens of Washington State were compromised because they were tricked into disclosing personal information and paying for unwanted subscription services through spam. Adscend Media’s alleged unlawful conduct is not likely unintentional, if their actual or implied knowledge can be proven. It is not only likely to pay damages to Facebook, but also to Facebook’s users in Washington.

IP Kidnapping

Photo titled: "Obama propone penas de cárcel obligatorias con un mínimo de tres años para los hackers" by jediadame on Flickr

On February 6th, 2012, CNET.com confirmed that the Internet security giant Symantec offered to pay a hacker or hacker group $50,000 for a promise to not release its valuable security code on the Internet. Specifically, CNET reports that beginning in early January of this year, a hacker known as “Yamatough” reached out to Symantec in an extortion attempt. Yamatough claimed to be part of the “Anonymous” hacker group that has attracted headlines in recent months, both for their attack on local, state, and federal government websites and their support of the Occupy Movement.

The object at issue is Symantec’s source code. Source code is the text written using the format and syntax of the programming language (computer language) that is specifically designed to facilitate the specific program it supports. Source code is significant because it is useful to a user, programmer, or system administrator to better understand how a program works, or more importantly, modify the program. Symantec identified the source code as that for Symantec Endpoint and Symantec Antivirus 10.2. Evidence at the time suggests that the hacker(s) may have obtained the code after breaking into servers run by Indian military intelligence.

Although Symantec publicly stated that its customers have no significant security threats due to this situation, a rational person would of course be worried. Although Symantec can and most likely has adapted its programs to this security threat, there is great reason for alarm. The source code obtained by the hackers can give them extra knowledge of Symantec projects and procedures, along with the ability to manipulate the code to best serve their interests. In addition, and perhaps most important, the threat to expose the source code to the Internet as a whole exponentially increases this risk because there will likely be no way to track the source code once it is released.

In fact, as of approximately 9:00 p.m. on February 6th, 2012, a 1.2 GB file labeled “Symantec’s pcAnywhere Leaked Source Code” has appeared on The Pirate Bay, a large bit-torrent file sharing site. Symantec has not yet confirmed whether this is the source code at issue. What does this mean for your average attorney? Basically, it’s time to add another area of concern for attorneys, along with issues such as conflicts of interests, fiduciary duties, and professional responsibilities. If an Internet security giant is breached in this manner, then it may be time for attorneys, who are entrusted with confidential and sensitive personal and professional information, to be even more careful with this type of data. As technology becomes a more crucial part of an attorney’s arsenal of tools, events like this remind the profession why sometimes, having a simple lock and key safe may be the better bet in protecting a client’s information.

Google’s New Master Privacy Policy

Photo titled: "Scary Google with Sauron Eyes" by dullhunk on flickr

Google, Inc. announced their new “master privacy policy” earlier this week, which will take effect on March 1, 2012. The new policy will replace 60 different privacy policies currently in place. Google’s goal of implementing the new policy is as follows: “Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google.”

One of the major changes stemming from the new policy is the relationship of the user to all of Google’s products. A user will be treated as a single user. Now information will be shared across Google products, including YouTube, Picasa, Calendar, and Gmail. Under the current policy, information is maintained by each individual Google product, rather than consolidated. By sharing information across multiple products, Google has the ability to offer more innovative features for users, customize ads, and compete with Facebook.

Eight House lawmakers already reacted to Google’s updated policy by writing a letter to Google Chief Executive, Larry Page, requesting a response by mid-February. The lawmakers, who consist of 5 Democrats and 3 Republicans, requested more information about the policy mainly regarding the collection and storage of information. Their main concern stems from a user’s ability to opt out of data collection. The lawmakers wrote, “Google's announcement raises questions about whether consumers can opt-out of the new data sharing system either globally or on a product-by-product basis.”

Betsy Masiello, the company policy manager, responded to the letter in a blog post. She said the company looks “forward to answering those questions, and clearing up some of the misconceptions about our privacy policies.”

A lot of the criticism stems from a lack of understanding of what information Google is currently able to obtain, and what they are going to be obtaining in the future. The information Google can access has not changed; however, their process for handling the information has. In Google’s 2005 privacy policy, the company states, “We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience, and to improve the quality of our services.”

Users should be aware of the new effective privacy policy to understand what type of data Google is capturing. Check out the new privacy policy below:

Google Privacy Policy, available at https://www.google.com/policies/privacy/preview

Wednesday, January 25, 2012

Carrier IQ – Has someone violated the Electronic Communications Privacy Act?

Photo titled "Completely Tapped" by Byung Kyu Park, available on Flickr

141 million handsets have a software program deployed on them which purports to only collect network diagnostic information for mobile phone service carriers. However, this software program runs secretly: it is not easy for an average mobile phone user to see the program running on their phone because it does not appear as a “running application” on the applications list. Nor is there a clear disclosure of what data is being collected by the application, or a way to easily opt out of the application running on the mobile device. Nor is there any easy way to stop it from running on the Android phones. On November 28, 2011, Trevor Eckhart uploaded a seventeen-minute video (shown above) exposing the extent of the data being captured by Carrier IQ, an application that mobile phone providers and/or carriers install on mobile phones. The video shows an Android developer searching his phone for privacy policy disclosures; not finding any privacy disclosures related to the Carrier IQ program, he proceeds to show the type of data that is logged by Carrier IQ onto the phone’s debug log. For example, each time he presses a key, that key press is logged, even when he enters information into a web page over his own local WiFi connection and the session is protected with SSL (which is an encrypted means of communicating between a client and host and forms the backbone of all secure communication over the Internet; as a standard, all data transferred within an SSL connection should be encrypted and protected after the SSL handshake). As of January 25, 2012, Eckhart’s video had received over 1.9 million views on YouTube.

In response, Carrier IQ sent Eckhart a letter threatening legal action unless he retracted his research, characterizing his analysis and posting of privacy policies as a breach of copyright which could expose him to damages in excess of $150,000. In response, Eckhart reached out to the E.F.F., who agreed to represent him; Carrier IQ has since backed off from its legal action and apologized for the cease and desist letter. The question remains now – has Carrier IQ, or the mobile phone manufacturers, or the mobile service carriers violated the E.C.P.A. by secretly running a software program on the mobile phones?

The Electronic Communications Privacy Act (E.C.P.A., 18 U.S.C.A. § 2510) was enacted to expand the scope of the Wiretap Act (which was focused on the interception of voice communication) to protect data transferred by computers. Title I of the Act protects messages that are in transit, and Title II of the Act protects messages that are in storage on a device. Within the E.C.P.A., it is unlawful for a person to distribute “any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications” (18 U.S.C.A. § 2512(1)(a)). However, carriers do have an exception: in the normal course of their business in maintaining their communication systems, they can use devices to intercept wire communications.

Senator Al Franken, who chairs the Senate Judiciary Subcommittee on Privacy, Technology and the Law, has requested more information regarding what data is being collected and where the data is being sent. Depending on the type of data that is actually collected and sent to the carriers, they may be able to claim that they were operating within their normal course of business in maintaining the stability of the wireless networks. A criminal or civil case under the E.C.P.A. may not be a guaranteed success in a court of law. However, the public surprise of the extent of data being captured, and the lack of notice and control that users are able to exercise over how much activity is being tracked has already made the carriers and Carrier IQ losers in the court of public opinion.

Monday, January 23, 2012

Carrier IQ: Cell Phone Data Snooping Revealed

Posted by Kip Bodi at 3:45 PM
Categories: Business, Computers, Internet, Privacy

Photo by: sam_churchill 

Earlier this week, a 25-year-old security researcher named Trevor Eckhart posted a YouTube video detailing a program called “HTC IQ Agent” that was installed on his cell phone. Trevor showed that the program was recording every action taken on his phone, including key presses, text messages, and passwords - and then transmitting this data directly to the offices of the company Carrier IQ. The program started automatically with the phone, ran in the background, and could not be turned off. It wasn’t a virus, nor was it installed by an outside vendor; it came pre-installed on his phone.

The revelation that a company was extensively tracking cell phone users’ actions lit off a firestorm of controversy. Numerous technology blogs decried Carrier IQ's actions. Carrier IQ soon threatened Mr. Eckhart with legal action, but then apologized after Mr. Eckhart sought the protection of the Electronic Frontier Foundation.

In its defense, Carrier IQ claims that all of the recorded data transmitted is anonymous. The company provides a valuable service to many U.S. cell phone carriers, who contract with Carrier IQ to provide specialized diagnostic, trending, and troubleshooting data for the devices on their network. The issue is the sheer volume and depth of data being recorded, which seems unnecessary for purely diagnostic or reporting purposes.

Whenever I accept a terms of service or license agreement on a website, I assume that I'm giving up all of my rights related to content and privacy. However, even in this digital age, I still consider my right of privacy to extend to my personal belongings; the information in my wallet, my documents, and even information stored on my cellphone. As cellphones have become more powerful and increasingly connected, they have become personal organizers. My calendar, contact list, Christmas shopping ideas, and other personal information are all stored on my cellphone. Given that I've tapped all this information into my cell phone at some point, it is likely that this information is also now stored somewhere on Carrier IQ's servers.

So far, Carrier IQ software has been found on both Android and iOS cell phones for several U.S. carriers. Many guides and how-to documents have been posted with instructions on how to disable the software. The Senate has even gotten involved, giving Carrier IQ until December 14th to address privacy concerns. In addition, it's possible that Carrier IQ has violated federal wiretapping statutes, and already there are rumblings of class action lawsuits.

It's also quite possible that this story has been overblown. Many journalists have noted that the data stored are purely anonymized metrics that carriers use to improve their service, ultimately benefiting consumers. There is no evidence that personal, identifying information has been used in an improper manner. However, given the amount and type of data being recorded, I am uncomfortable with any company having this information on their servers. A line has been crossed, and thanks to Trevor Eckhart, the world knows.

Monday, January 09, 2012

A Step Towards Anonymous Browsing on Mobile Devices

Photo by: jeffschuler 

As Americans we “get” our right to privacy through provisions of the 1st, 4th and 14th amendments. We have the 1st amendment right to free assembly, the 4th amendment right to be free from unwarranted search and seizure and the 14th amendment right to due process. Through these provisions the Supreme Court has addressed and upheld birth control rights, abortion rights, marriage rights, and child rearing rights among other issues related to privacy.

With the surge of people using the Internet over the past 2 decades, from children to college students to baby boomers, there are endless amounts of personal information on the internet, some of it intentionally put there and some of it not intentionally publicized. It is harder to maintain one’s privacy in this world of instant Facebook access and oversharing on Twitter. Adding to this dilemma is the advent of the smart phone: from iPhones to Blackberries, you can now remotely upload a picture to Facebook, browse the Internet on the train, and update your blog while out to dinner.

Using these devices can leave the user or others vulnerable to their privacy being invaded. Not only can others access public Facebook profiles and see content that 3rd parties in pictures or mentioned may not be aware of, but websites track browsing and respond with ads and suggestions, not to mention the dangerous problems of phishing, hacking and identity theft. For example, Google scans emails and then advertises for things mentioned in “personal” emails. Anyone with access to your computer or device can check your history and see where you have been poking around on the Internet.

This week, Apple approved the use of an application that will now be offered in the App Store. This Covert Browser for iPad will allow users to confidentially browse the Internet (a similar App is also available for the iPhone). Although there are kinks to be worked out, you can purchase the peace of mind of “completely” anonymous web browsing for just $2.99. The Covert Browser is a much more secure way to browse than other secure networks. The technology behind the application is Tor. Tor triple encrypts data and routes it through three computers, whereas other secure browsing only routes through one computer, leaving users vulnerable to the companies responsible for the routing. The Apple-endorsed application is a much needed move towards privacy for mobile devices.

Carrier IQ, the Electronic Communications Privacy Act, and the Digital Millennium Copyright Act

Image titled Android Virus by Charliesalima

In the same week that Facebook settled its dispute with the Federal Trade Commission (“FTC”) over allegedly deceiving consumers about its privacy practices, an Android developer, Trevor Eckhart, discovered that Android phones run software that logs keystrokes and hides its presence on the phone. The discovery of Carrier IQ (CIQ) software embedded in the Android (and over the following days, other smartphones) raises legal questions that might expose both smartphone vendors and customers to liability.

The Electronic Communications Privacy Act, 18 U.S.C. 2510 et seq. (2006) (ECPA) expanded the Federal Wiretap Act to prohibit interception of electronic communications through any “system affecting interstate or foreign commerce” without the consent of at least one of the parties to the communication. The Digital Millennium Copyright Act prohibits circumvention of effective measures designed to prevent unauthorized access to copyrighted material. 17 U.S.C.A. 1201 (2006).

Much of the analysis of Carrier IQ misunderstands the ECPA, so some discussion of what the ECPA does and does not cover is in order. The ECPA has been interpreted to allow keystroke logging which intercepted signals sent between the keyboard and the computer, because until an email or other message is actually sent, the computer is not “a system affecting interstate or foreign commerce.” U.S. v. Ropp, 347 F. Supp. 2d 831 (C.D. Cal. 2004). The bulk of CIQ’s spying does not violate the ECPA. As Eckhart noted in his criticism of CIQ, when he dialed a phone number, the software logged the number before he made the call. Some states may have privacy laws prohibiting CIQ’s conduct, and certain consumers may have other claims (e.g. copyright infringement if any of their emails or texts contained material they owned a copyright to), but the ECPA does not prohibit keylogging.

Other portions of CIQ’s data collection may violate the ECPA. CIQ apparently also intercepts incoming text messages and emails. Incoming messages satisfy the “affecting interstate or foreign commerce” standard. Whether the manufacturers or carriers who installed CIQ violated the ECPA would then depend on whether they had valid contracts which allowed them to intercept their customers’ messages, a factual question specific to each carrier. Carriers’ recent panicked statements to the media indicate that most do not, as carriers have generally claimed either that they do not collect the data Carrier IQ collects, or that they only collect some less offensive subset of it. Carriers have put themselves in a precarious position by making such assertions, which smartphone manufacturers claim are false. The claim that a carrier does not collect data is only believable if the carrier does not include a data collection provision in its contracts, or includes the provision in a manner designed to keep consumers from recognizing or understanding it. Carriers who try to avoid bad publicity now may find themselves estopped from asserting a contract defense to ECPA claims in a later lawsuit.

A lawsuit may be the only option consumers have. Self-help is available to copyright owners in many scenarios, but is denied to people who want to protect their privacy from their wireless carrier. CIQ cannot be turned off through normal means, at least on the phone Eckhart tested. It can be defeated by hacking the phone. However, because CIQ is protected by digital rights management (DRM) software, consumer attempts to turn CIQ off may violate the DMCA.

In 2010, the Librarian of Congress used its powers under the DMCA to create an exemption for “jailbreaking” smartphone handsets. However, the exemption only applies when the jailbreaking is for purposes of interoperability, offering consumers no hope for protecting their privacy.

The DRM technology in use does not need to be strong to make circumventing it illegal. In spite of the word “effective” in the statute, courts have held that the DMCA also prohibits circumvention of ineffective measures designed to protect copyrighted material, because effective measures don’t need legal restrictions on circumvention and the word “effective” would be mere surplusage if it didn’t also cover ineffective measures. See Universal City Studios v. Reimerdes, 111 F. Supp. 273 F.3d 429 (2d Cir. 2001). The DMCA applies even when no copyright is violated, and it carries criminal penalties.

The DMCA leaves customers of carriers who use CIQ no other option but to accept violations of their privacy, find a carrier which does not use CIQ, or sue. Given the number of misleading press releases put out by carriers in the last few days and the frequent use of adhesion contracts that lock customers in to long periods of service, option 2 may not be so easy. While the case for ECPA violations is not as strong as some have asserted, it is still viable, and may be consumers’ only hope.

Tuesday, November 29, 2011

A Christmas Gift is Waiting for You at the Airport…

Posted by Nina Dow at 3:19 PM
Categories: Privacy

Photo by: Mashable Tech

The Transportation Security Administration (TSA) has got a new toy for you if you travel this holiday season – new software that will not reveal anything under your clothes except for weapons. This is a relief for the vast majority of people who were concerned about not only their privacy at the airport, but their safety and health.

There are two main full body scanners that you will likely see at the airport: the millimeter wave scanner and the backscatter x-ray. The former produces only “millimeter” waves instead of x-rays and therefore is not strong enough to produce a genotoxic effect likely to cause cancer. On the other hand the x-ray scanner’s safety has not been proven but it’s known that x-rays in general are high frequency devices that damage DNA in cells and can eventually be cancer causing.

In addition to safety concerns, members of the public allege that the full body scanners violate their right to privacy when their nude image appears on a screen for all to see. However, in July of 2011, the United States Court of Appeals for the District of Columbia ruled that the scanners do not violate the Fourth Amendment’s protection against unreasonable searches. Furthermore, to calm the fears of many, the TSA will finally utilize software this holiday season which produces a generic nude image of passengers but at the same time retains the scanners’ ability to reveal concealed weapons and other contraband. The new software will also prevent future leaks of nude images like those that were leaked in 2010 before generic images were produced.

Are these uneconomical efforts to decrease the public’s concern worth it or are they creating unnecessary problems stemming from legal and safety concerns? Well, the reality is that the U.S. is concerned about preventing terrorist attacks that have occurred in the past. It was shown that less sophisticated scanners will not reveal small weapons.

Given the added security that the country needs, a balancing of all interests shows that the millimeter and backscatter x-ray scanners should be used. The millimeter wave scanner was proven to be safe because it produces very small waves. The backscatter x-ray scanner may be harmful but passengers pass through the scanners infrequently for a very short amount of time and therefore any negative effect will likely be negligible. The new software will assure passengers that a personally identifiable nude image will not be produced so privacy concerns should decrease.

Most importantly, the United States’ need to be vigilant and protect against weapons entering airplanes is paramount. To this point, the TSA found an alternative way, less invasive to travelers, which reveals dangerous weapons. Any negative effect on health will be virtually non-existent.

If you still are not convinced, just think: You are seated on an airplane and you are ready to take-off. Imagine that no one on the airplane passed through a full body scanner . . . how safe would you feel?

Thursday, October 27, 2011

Supreme Court Set to Hear Arguments on GPS Tracking Devices in United States v. Jones

Posted by Patrick McGrath at 1:28 PM
Categories: Privacy

Photo courtesy of Sho Hashimoto on Flickr

On November 8th, the Supreme Court will hear arguments in what the New York Times has described as, “the most important Fourth Amendment case in a decade.” United States v. Jones is on appeal from the D.C. Circuit, and considers the issue of whether law enforcement can install and subsequently monitor a GPS tracking device on a suspect’s car without first obtaining a warrant. The Supreme Court was inclined to grant certiorari following a decision by the D.C. Circuit that the police violated defendant Jones’s Fourth Amendment rights, a clear split from other circuit courts which have heard the issue.

The case is essentially the next step in a pair of decisions handed down by the Court in 1983 and 1984, United States v. Knotts and United States v. Karo, respectively. In Knotts and Karo the Supreme Court ruled that monitoring a beeper tracking device attached to a suspect’s car was not a Fourth Amendment violation. The Court’s decision stemmed from the fact that one could not have a reasonable expectation of privacy in their public movements, because the police could have essentially conducted the same surveillance without the aid of the tracking device. Defendants who have attempted to distinguish themselves from the Knotts and Karo decisions have focused on dicta in Knotts, explaining that the issue could be reconsidered when twenty-four hour surveillance encompassing dragnet-type law enforcement was being conducted. The circuit courts which considered the GPS issue prior to the D.C. Circuit all found that law enforcement did not use GPS tracking devices in a volume to be distinguished based on the language in Knotts.

In the D.C. case, the circuit court took an alternate approach. Instead of considering the amount of people being investigated with GPS tracking devices, the court determined that the Knotts court was actually referring to the length of the surveillance. The court found that the vast technological differences between GPS and beepers enabled the police to conduct surveillance for a much longer period of time and in greater detail. Beepers require the police to follow a suspect’s car and only give the relative distance that the police are from the suspect. GPS on the other hand, is able to map a suspect’s movement without any police involvement. The D.C. Circuit relied on a mosaic theory, essentially finding that the sum of the information provided by GPS was greater than the amount of information the suspect intended to convey through his public movements.

Despite the rulings in Knotts and Karo, the Supreme Court should distinguish GPS technology from the beeper technology used in those cases. Without a warrant, police are free to conduct GPS surveillance on whomever they please, without making any showing of suspicion. In beeper technology cases, law enforcement were still limited as to how they could conduct surveillance. Beepers required police to still be an active part of the investigation because they had to follow the electronic beeps emitted by the device. Besides the initial investigation, police can monitor GPS passively. This, combined with the falling cost of GPS, means that police can monitor a greater number of people than traditional or beeper technology would allow, going beyond the capabilities of surveillance the public reasonably expects.

Facebook-Tapping: Facebook sued for watching you once you sign-out.

Posted by Ronak Patel at 1:08 PM
Categories: Computers, Internet, Privacy

Photo courtesy of Alan Cleaver on Flickr

It seems like Facebook may be tapping our computers without us knowing. Recently, a lawsuit was filed against the social networking site claiming that they monitor their users after they log out. The lawsuit seeks class action status and is requesting that the court block the tracking of users based on violations of federal wiretapping laws, computer fraud, and abuse fraud. With Facebook already facing privacy concerns over their new features such as “Timeline,” this could be one of many lawsuits the social-networking powerhouse faces in the near future.

The issue arose after an Australian blogger conducted tests on Facebook’s cookies. He discovered that when users logged out of Facebook the site did not delete their “tracking cookies” but modified them so they were allowed to continue monitoring users. With this allegation, Facebook admitted that cookies were used to track users even after they logged out. Just recently, Facebook has informed users that any cookies that were installed on user computers that track their Facebook interaction and websites have been removed.

With Facebook’s recent admission of tracking users, will the lawsuit lead to users losing their trust in the social networking site? Facebook has thrived on their privacy policy over the years, and it has been a major reason why they have over-powered their competition. Facebook, however, has also flourished on the advertisements they sell and the third party applications they run. With these recent tactics Facebook is exposing their users’ privacy without them knowing for Facebook’s own financial benefit. If Facebook is found guilty of such acts, it may lead to major backlash by users and lead to more lawsuits revolving around privacy against the social networking titan.

Whatever the outcome of the lawsuit, users may feel a sense of concern over whether they will continue to be watched by Facebook. The federal wiretapping laws are set in place to prevent such monitoring without explicit authorization by a judge. However, there is already a sentiment building that the more power Facebook has over the social networking realm, the more likely they will continue to expose their users for financial and transactional purposes. With many users not technology savvy, Facebook has enough computer geniuses to figure out another way to monitor users without being detected. In the end, depending on what further information comes out of the lawsuit, if Facebook can’t continue to ensure a user’s privacy, then users may turn to emerging sites like Google+ to get their social networking fix.

Tuesday, October 25, 2011

E-Privacy: The Way the Cookie Crumbles

Photo Provided by: Pete Taylor on Flickr

On May 26th, 2011, a new European Union (EU) Directive came into effect revolutionizing Internet privacy. The newly enacted Directive, Directive 2009/136/EC of the European Parliament and of the Council of 25 Nov. 2009, has been appropriately labeled “the Cookie Directive” because it mandates that without an Internet user’s affirmative assent websites cannot use cookies. Cookies are files that are installed on a user’s computer during web browsing used to authenticate, track, and profile the Internet user’s web surfing behavior. The Cookie Directive requires that any Internet website that directs activities at EU Member States must allow users to opt-in, providing explicit consent to access or store personal information.

The Cookie Directive amends EU directives addressing electronic privacy (e-privacy): Directive 2002/22/EC, Directive 2002/58/EC and Regulation (EC) No 2006/2004. Unlike the earlier E-Privacy Directive that required an option to opt-out to refuse cookies, the new Cookie Directive requires that users opt-in before cookies are used at all. The Cookie Directive requires that a website get a user’s informed, affirmative consent before using cookies to store or access personal information or to track their website activity.

Internet users have expressed an interest in protecting their personal information. Google Inc.’s Executive Chairman, Eric Schmidt, said some pretty scary stuff in a 2010 interview with The Wall Street Journal concerning the lack of privacy on the Internet. “[W]e [at Google] know roughly who you are, roughly what you care about, roughly who your friends are.” “It will be very hard for people to watch or consume something that has not in some sense been tailored for them.” The EU has responded to these concerns with multiple Directives that are representative of the value Europe places in protecting individual privacy.

Companies with websites are not yet sure how to comply with the new regulations. There are worries about how to actually implement the directive. If a website is forced to comply with the directive, operators will have to spend a lot of time and resources to make the changes.

Web analytics is third-party software installed on websites to track user behavior. Web analytics software uses cookies to track website behavior. It is one of the best methods for tracking the interest of website users. Adobe Omniture is one of the most popular web analytic software programs. The directive may require Adobe, and other web analytic companies, to implement changes to their software. The cost of the change will likely be passed on to web operators, the users of the software. The online marketing industry will also take a hit, as they rely on analytics software.

If websites can no longer track user behavior, web operators will have to make uninformed, wild guesses about the best user experience. Being prevented from tracking user interests will prevent tailoring the experience and will result in a less relevant and less individually interesting user experience. The directive is overly broad. It should be limited to tracking individuals, but not include tracking users as a whole.

Wednesday, October 19, 2011

A Whole New Kind of Overshare

Photo is entitled "Facebook" by Massimo Barbieri

On Thursday, September 22, 2011, Facebook founder and CEO Mark Zuckerberg announced the newest Facebook features to come. Zuckerberg announced the new features at Facebook’s annual developers’ conference, explaining what he calls “Timeline” and “Ticker.”

According to Zuckerberg, Timeline is “the story of your life,” allowing users to fully express who they are by sharing and gathering user information in an entirely new way.

In Timeline, a user has different stories that appear at the bottom of the page on the left, while on the right side of the page, a timeline appears that basically compiles and breaks down previous user page posts from different points in time. Zuckerberg explained that these different story pages allow people to go back in time to earlier posts and feeds easily. Therefore, not only will recent shares be seen on the page, as they currently are, but posts will be organized by year, month, etc. The user will also be able to add photos and other information to these past time periods, like a scrapbook of sorts…adding information to their life that might have been missed for that period.

While Timeline appears to be a new and different way for users to gather and organize their personal information on pages, as well as efficiently view other friends’ information, the second new Facebook feature, “Ticker,” is fraught with privacy concerns.

Ticker and Open Graph are two programs that complement one another. Open Graph already exists within Facebook, and it is a map of user connections. Ticker takes Open Graph to the next step by taking everything a Facebook user is experiencing in real time and placing it on that map. Open Graph allows the user to obtain things like movies, music, games, shows, and news from different media content sources. Facebook, now making it easier through Ticker for users to post information to their profiles, is partnering with other companies and developers in order to stream information directly from certain sites to Facebook. What does this mean? For the Facebook user, it means that every song listened to, every movie watched, or every book read may appear on your Facebook profile page for the world to see (or at least all of your 2,000 “friends”).

Thus, without taking the extra steps to ensure that only information you want on your profile page is listed there, Facebook is taking it out of your hands by automatically wiring these things directly into your account when you log into these other sites with your Facebook account profile. Many users may decide to opt out of using Facebook for their social networking needs, as these new features could share more private matters than originally bargained for. By taking the choice out of sharing pictures, music, movies, books, and the like, Facebook may be offering more than users want, or maybe, this is exactly what this over-sharing society is looking for.

Wednesday, October 12, 2011

No Easy Fix to Cell Phones and Warrantless Searches

Photo titled "Day 8" courtesy of Nathan Brown on Flickr

On January 3, 2011, the Supreme Court of California held that law enforcement officers did not violate a defendant’s Fourth Amendment right when they looked through his cell phone’s text message folder 90 minutes after being taken into custody for drug charges. See People v. Diaz, 51 Cal.4th 84, 93 (2011). In a reaction to the court’s decision in Diaz, the California Legislature recently passed a bill that requires law enforcement officers to obtain a warrant before searching a defendant’s cell phone. The bill passed unanimously in the State Assembly. Governor Jerry Brown has until October 9th to sign the bill into law. What makes this bill even more important is that the United States Supreme Court denied certiorari to the Diaz case for its new term that began on October 3, 2011. As such, this bill, or a similar piece of legislation, represents the only potential change to California law in the near future.

The issue at hand for the Diaz court was whether the defendant’s cell phone in these circumstances was “personal property” associated with him, which would allow a warrantless search incident to the arrest, or whether the cell phone was not associated with him, which would require a search warrant absent very narrow exceptions. The court determined that the cell phone was personal property associated with the defendant because the cell phone was on his person during the arrest and administrative process at the police station, regardless of the cell phone’s ability to hold vast amounts of information.

There is no question that cell phones do much more than just facilitate phone calls – they are rapidly becoming the primary means by which people check their e-mail, surf the internet, and communicate with one another. Moreover, cell phones now also hold a significant amount of personal information due to vastly improved capabilities, such as electronic documents, passwords, bank accounts, and even recently visited locations. Proponents of this bill and other similar legislation argue that the people of California need such an explicit limitation to protect themselves from “Big Brother.”

While this fear is not unfounded, signing such a bill into law would be a tremendous mistake, because it would effectively prevent the Fourth Amendment jurisprudence from evolving to fit the needs of developing technology. There are many questions that should be answered before the California legislature, or any state legislature for that matter, signs such a bill into law. The Diaz ruling is very fact specific and does not represent a “blank check” that allows all police officers to search any and all cell phones. The court specifically noted that the cell phone in this circumstance acted as personal property associated with the defendant because the defendant had the phone on his person during the arrest and administrative process at the police station. As such, there may be a completely different outcome if the cell phone is somewhere besides on the defendant’s person, such as in a vehicle’s glove compartment or even cup holder.

Despite the many questions and the difficulty in waiting for these answers, drastically shutting the door to any and all warrantless searches of cell phones is not wise because such legislation aims to place an absolute right of privacy in individuals’ cell phones. This attempt to grant cell phone users an absolute right against any and all warrantless searches destroys the delicate balance that Fourth Amendment jurisprudence has always aimed for. This bill effectively ignores decades of precedent in establishing exceptions to the general requirement of search warrants, such as exigent circumstances or search incident to arrest.

Although this is not the easiest answer and no doubt the least popular one, the judiciary is the government branch that should decide the Fourth Amendment’s evolution as to warrantless cell phone searches rather than politicians. Simply signing a bill that bans all warrantless searches altogether is a naïve attempt to simplify an area of law that, for better or for worse, requires constant evaluation to properly evolve and protect the delicate balance between law enforcement and individuals.

Say Cheese: Facial Recognition and Privacy Rights

your secrets are no longer your own

Photo courtesy of Chris Seary on Flickr

What was once fantastic in the 1980’s has quickly become a reality in 2011. Technology that audiences oohed and ahhed at in scenes of Robocop or The Terminator has become the technology that is currently seeking to put criminals behind bars. Full body scans at the airport represent not just a leap in x-ray tech but also a battleground of privacy and constitutional rights debates. In the fight against crime, BI2 Technologies developed a product that seeks to put more power into police officers’ hands, and I’m not talking about their guns.

BI2 is currently marketing an iPhone additive that will allow police and other law enforcement officials to take pictures of people’s faces and link those pictures to records for identification. This MORIS technology links the iPhone to biometric databases that record facial features, iris patterns and fingerprints. This technology has the potential to allow law enforcement to take a picture of anybody walking down the street, instantly run a background check and pull their record.

While it is legal to photograph individuals in public places, this technology begs the question of whether privacy rights as protected under the Fourth Amendment will be violated. Probable cause seems to go out the window with the realities of facial recognition technology. Similar issues have been raised when it comes to GPS tracking and whether or not the comings and goings of a person should be protected. Facial recognition is the new frontier of technology going hand in hand with law enforcement. This emerging technology, while not implemented currently, has the potential to serve the public good while simultaneously raising legal red flags.

This technology, outside of law enforcement, would be able to serve many functions without running into legal issues. It could be used privately as a way to keep track of employee or client data. It could also be very well used in protecting data as an alternative to alphanumerical passwords. Biometrics is the future of data protection as it is much less susceptible to hacker intrusions.

Use of this technology in law enforcement will undoubtedly be a source of debate. Critics of facial recognition will raise arguments that include probable cause requirements as well as privacy issues. The Fourth Amendment ensures the American citizen freedom from unreasonable search and seizures and that they be secure in their persons. An officer with an iPhone may be able to circumvent these constitutional protections.

Privacy rights and the debates surrounding them have been ever present in current news. Proponents of strict privacy rights have been vociferous in their condemnation of all invasive technology as well as invasive practices seeking to secure public safety. The question is going to be whether the public is willing to allow for flexibility in privacy rights in order to foster a safer living environment. Technology like biometrics has the potential to be used very effectively and for positive change, if we allow it. A firestorm from a myriad of social and legal groups will meet these technologies head on as they are slated for production and dissemination.

Future tech will continue to evolve in spite of legal debates and public opinion. If something has the potential for so much good, should we condemn it on the grounds of law and tradition?

Friday, October 07, 2011

Cloud Computing: Terms of Service and Risks

Image Courtesy of Wikimedia Commons

Cloud computing is an increasingly used buzzword among IT departments, businesses, advertisers, and individuals. Without even knowing it, many of us use cloud computing daily. For example, the emails I receive, sent to various addresses, are all forwarded to GMail (www.gmail.com), where I’m allowed a free 7 gigabytes of storage – provided that I allow Google to search and read my email, determine what I’m most likely to buy, and serve up advertisements accordingly. Nearly all of my important documents are stored in DropBox (www.dropbox.com), a cloud computing storage drive. It’s installed on my work computer and laptop, and synchronizes with both. Documents are also accessible via the DropBox website. I can pay for more storage, or refer others to get more storage for free. Wherever I am, I have a copy of my important documents. I don’t have to worry about my hard drive crashing or spilling coffee on my laptop (well that’s still a worry but at least I can still access my materials if it happens).

What is cloud computing? There are many definitions, but generally it is a system where resources are accessed remotely from a dedicated internet-based service. In this respect, cloud computing is not a new concept; its core functionality has been around in one form or another since the early days of computing.

Originally, computing was prohibitively expensive and typically performed on large systems called mainframes. People would connect to, share time, and work on these systems via a ‘dumb’ terminal. As IBM, Microsoft, and Apple popularized the personal computer, the bulk of computing moved to individual machines with their own dedicated processing units. With the exponential growth of the Internet and increase in network speeds, we now see the proliferation of low (and high) cost ‘terminals’ that ultimately connect to a central resource for the bulk of computing power and storage needed. Cloud computing differs from mainframe computing in that the resources are typically spread across many datacenters and accessible from anywhere with an Internet connection. Cloud-based services can provide greater redundancy and reliability, while also offering elasticity – the ability to instantly scale as needed.

However, there are risks to moving to a cloud model. The most prominent risk is the possibility of data loss. For example, in April 2011 Amazon’s EC2 service crashed. Amazon quickly worked to restore all of their customer data, but their backups were insufficient and a small percentage of data was lost. The outage affected thousands of companies who had outsourced their web hosting and data storage needs to Amazon. The customers who lost data had little recourse; the Amazon EC2 terms of service, the terms that all users of the service must agree to, state that the customer is ultimately the one responsible for backing up his own data.

The terms of service agreements for cloud computing services, while rarely read or understood, highlight many of the risks involved, such as privacy. Data stored with a cloud vendor may physically reside on multiple servers. Any computer attached to a network is vulnerable to security intrusions. In their terms of service (TOS), companies typically do not guarantee against security intrusions. Generally, vague terms such as “Reasonable and Appropriate Measures” will describe the steps taken to secure your data. Having your files hosted and replicated across several data centers in different states and possibly different countries may also lead to some jurisdictional issues.

Another issue is ‘uptime,’ or the percentage of time that a cloud computing service is up and running. Cloud vendors should guarantee a minimum level of service, embodied in what are called Service Level Agreements (SLAs). This level is usually guaranteed to be in excess of 99.9%, with service credits or refunds offered if it dips below this level. However, there are few mechanisms available to monitor uptime for any service, and it is questionable whether the term covers service that is technically up and available, but the speed is frustratingly slow. Businesses that decide to migrate to cloud computing services should ensure that uptime is included in the agreement and determine means for enforcement.

While cloud computing typically offers redundancy, reliability and elasticity, people should be aware of the risks involved and plan on its use accordingly. Businesses should assess the potential reduction in costs by integrating cloud computing into their environments, and compare it with the loss of control inherent to using a cloud provider. However, for the general public, cloud computing storage and services are likely to be more reliable than the same services on a home PC – though having an extra backup couldn’t hurt.

Wednesday, September 28, 2011

Facebook’s Open Graph API - Be Afraid or Be Very Afraid?

Illustration by Hank Grebe

Mark Zuckerberg unveiled the next generation of Facebook’s Open Graph API at the F8 conference in San Francisco on Thursday, September 22nd. The updated protocol allows third party applications to more easily utilize Facebook users’ data. The goal is to encourage users to share increasingly dynamic content more frequently. A simple example of the API in action is the inclusion of a Like button on a webpage – when a visitor clicks the Like button that information is recorded in that user’s Facebook feed.

The new version of Open Graph “allows apps to model user activities based on actions and objects.” Eventually, the old-fashioned (ha!) Like button will be supplemented with a number of other verb choices. Thus, you can receive news by emulating what your friends are reading on Yahoo! News, be exposed to new music by examining what your friends are listening to on Spotify, or challenge yourself by running the same route as your friend that uses a Nike Running application.

As happens pretty much any time Facebook changes their site in a way that implicates privacy concerns, a backlash is building. Critics’ primary concern, the availability of data to application developers for more than 24 hours, strikes me as fairly harmless considering that many applications previously circumvented this restriction anyway. Other concerns focus on the fact that Facebook has a variety of new partners that automatically fall under the ‘Instant Personalization’ category and automatically ‘personalize the experience’ for you. In other words, new users have to opt out in order to avoid sharing information that they might not otherwise want to share by using these applications. However, all of the Open Graph features can be easily disabled.

So are there any laws in the United States that will govern Facebook’s conduct when they roll out new functionality with respect to these privacy concerns? Well, not really; not any comprehensive ones, at least. The United States has taken a very pointed approach to regulating privacy issues, addressing privacy only in certain specific instances such as HIPAA (Health Information), Gramm-Leach-Bliley (Financial Information), or FERPA (Educational Records). This is to be contrasted with the European (most notably French) approach to privacy regulation where privacy is implicit in the constitution. Social networking sites such as Facebook and Google have found themselves more frequently arguing privacy issues in European states. So while we are largely at the mercy of the social networking industry giants, we can take some comfort stateside in the fact that many of these concerns are mitigated by the market forces imposed on the companies because they do not want to alienate the user base.

One last point that all these Facebook shenanigans got me thinking about – are the developers of these applications adequately protecting their copyrights? Facebook encourages independent third-party development of integrated applications. For that matter, what about users that are, in addition to just going around Liking things, generating a wide variety of copyrightable material in the form of photos, blog posts, and music? If they’re not – they will be, as new tools are popping up to facilitate this protection. The website Myows provides free tools to manage your copyrightable works and to build a case for infringement. In their own words, “Myows offers a professional one-stop copyright management solution from registration through to issuing take-down notices.” Very cool. The website DepotCode is an alternate site that provides similar tools for managing and proving copyrights in source code.

Thursday, June 02, 2011

Regulation of Social Networks: Unfortunately Unnecessary

Photo courtesy of Dave Makes, on Flickr

The advent of social networking has drastically changed the way people interact on a global level. Corresponding with this change is the use of personal information for the commercial gain of the very websites used for these personal connections. In “Regulation of Social Networks: Unfortunately Unnecessary”, author Jan Blackburn explores the legal issues and potential solutions surrounding the covert practices of Facebook. In thought-provoking prose, Mr. Blackburn is bound to conjure up feelings of outrage from those readers who used Facebook.

Click here to read the full article

Tuesday, March 01, 2011

Small Businesses Encounter Difficulty in Coping with Massachusetts Data Privacy Law

Posted by John Portnow at 7:30 PM
Categories: Business, Computers, Privacy

In March 2010, Massachusetts passed into law the Massachusetts Data Privacy Law. The passage of this law has proven to be an important point in the development of American data privacy law. While most states’ data privacy laws merely require public disclosure upon the occurrence of a breach, Massachusetts has taken a more proactive stance. The Massachusetts law requires organizations, no matter where they are located, “that store personal information about Massachusetts residents…to write security policies detailing how the data will be protected, encrypt the data when it is stored on laptops or other portable devices or transmitted over public networks, and monitor their systems for breaches.” The purpose of the law is to make certain that companies have an enforceable data security infrastructure.

While many large companies, especially those in finance and the healthcare industry, are able to readily adapt to the new law because they are already subject to data security laws like HIPAA, smaller companies are having a difficult time adjusting. Because of the law’s reach, these businesses are located all throughout America and even many foreign countries. In addition to struggling with understanding what the law requires and how to implement a satisfactory policy, many companies will have a difficult time financing such a program. It is entirely possible for a firm to spend a six figure sum in complying with the law.

Despite the difficulties inherent in adapting to this change, companies have reported upsides stemming from their compliance. In attempting to ensure that information is handled properly, firms learn where their data goes and how it is processed. This knowledge enables firms to understand their processes better as well as improve any inefficiencies. However, despite the fact that companies will enjoy benefits in complying with the law, small businesses still stand to bear a large burden, in terms of both time and money, in complying with the law. This does not mean that the legislature needs to amend the law in any way. Rather, it is up to the Attorney General’s Office to provide as much guidance as possible in helping small businesses ease the already heavy burden of implementing this law.

Thursday, February 24, 2011

Wikileaks Causing Headaches at Home and Abroad

Posted by Ashley Hill at 6:15 PM
Categories: Internet, Privacy

A plethora of issues come to mind when you think about Wikileaks: national security, freedom of speech, freedom of the press and espionage are just a few. Julian Assange, founder of Wikileaks, probably did not imagine the backlash and support he would receive from Wikileaks. Wikileaks was founded on the principle of transparency in the transactions between nations. Transparency at a time like this, however, can be a double-edged sword.

To begin, it is important to understand how the initial leaks happened. The former Commander of the U.S. Central Command, David Petraeus, created a system of sharing sensitive information with U.S. allies. The information was transferred by downloading documents from a secret network to a flash memory stick, and then transferring the documents to the allies. This supposedly time saving system of sharing information backfired and ended up being the cause of the initial information leak. The problem has since been fixed and new access restrictions have been made. However, the damage may have already been done.

As should have been expected, backlash to the leaking of hundreds of thousands of top-secret government documents is coming from all angles. The U.S. government has attempted to shut down Wikileaks. U.S. Senator Joe Lieberman, head of the Senate Homeland Security Committee, led the charge, pushing Wikileaks from the Amazon server. The French Industry Prime Minister, Eric Besson, has called for the site to be banned from his country. A Swiss bank froze an account that was set up as a defense fund for Wikileaks. Surprisingly, governments are not alone in their fight against Wikileaks. Credit card and internet payment companies such as PayPal, Visa, and Mastercard have blocked donations to Wikileaks in protest.

Now we ask the question, can legal action be taken by the government to stop Wikileaks and to punish Julian Assange for leaking the classified information? The government’s options are limited. Members of Congress want Assange to face criminal charges and a Senator even went as far as calling for a change in the law if prosecuting Assange under current U.S. law proves impossible.

The major legal issue that comes to mind in prosecuting Assange for his cyber document dumping is the 1st Amendment to the U.S. Constitution. The Constitution provides extensive protection for publishers of state secrets. The right of news organizations to publish documents has historically been protected by the 1st Amendment. The 1st Amendment protects the news organizations but does not protect the individuals who initially leaked the secrets (Government Officials and Soldiers) as they can face prosecution. Arguments that Assange did not review and edit all documents before publishing them, that he played an active role in obtaining the information, and that he acted as more of a broker of the documents than a publisher are all going to be tough to prove and are essential to defeat the claim of a violation of his 1st Amendment rights.

The other legal avenues that the U.S. government is considering are theft and espionage. Theft is one avenue they are pursuing because the documents were stolen. Nevertheless, that is going to be a difficult argument to make. Espionage under the U.S. Espionage Act of 1917 is a possible way to prosecute Assange, but it also comes with its challenges. The Act is broadly worded and on its face makes stealing or sharing secrets from the government a federal crime. The problem with the Espionage Act is that Assange is Australian and not a U.S. citizen so it is unclear if the U.S. law will apply to him, and extradition for prosecution in the U.S. will be challenging. If the U.S. Government charges Assange with espionage then they may have to charge the other news outlets that accepted the stolen documents from him. Lastly, going around the 1st Amendment could set a precedent that could limit press freedoms in the future.

Wikileaks has affected not only governments but also visitors to the site. Federal employees and students have been warned by their respective institutions to beware of reading, commenting on, and sharing documents that have been released on the Wikileaks site. The White House Office of Management and Budget sent out a memo to various government agencies warning employees not to view classified documents. The reason is that classified documents, even if posted on public websites, are still considered classified. It is unclear if viewing the documents could result in termination, but it has been said that it will be subject to applicable sanctions under long existing law. Students at Boston University Law School, Georgetown and Columbia received memos from their career development offices warning students that accessing the site could potentially affect them if they decided to pursue employment within the federal government. The warning was sent out because students who wish to work at specific government agencies where security clearance is high may not make it through the screening process. The sentiment from the schools was that this was an attempt to educate the students about the possibility of potential problems down the road and not an attempt to dissuade students from viewing the sites.

Wikileaks is at the forefront of technology and information sharing, which exists in a legal gray area. How the governments of the world handle the distribution of classified documents will have long-felt ramifications in the legal community. Will governments seek to classify Julian Assange as a cyber-terrorist, or will they assume the risks of classified documents becoming public in order to protect the freedoms of the 1st Amendment to the U.S. Constitution?

Wednesday, February 09, 2011

From the Water Cooler to the Blogosphere

Are social media sites the water coolers of the digital age?

If you ask the National Labor Relations Board, it seems that answer is yes.

This week, the board settled out of court with a Connecticut-based ambulance company that fired an employee after she criticized her boss on Facebook.

The incident happened in December of 2010, when the employee posted vulgar comments about her boss after he denied one of her requests. Several of her co-workers spotted the thread and joined in with additional criticism. The employee was fired soon after, and the NLRB filed suit. In its claim, the NLRB said the employee’s comments were protected speech and further argued that the ambulance company’s social media and internet policies violated employees’ right to talk about wages, working conditions and other factors.

While the financial terms of the settlement have not been disclosed, the company has revealed that they will be changing their blogging and internet use policies to no longer prohibit employees from talking about or even criticizing their jobs online.

This outcome serves as a major signal to companies rewriting their internet policies. Just as they cannot restrict employees from complaining around the water cooler, they cannot stop them from taking to the internet to voice their complaints to a wider audience.

A word of warning, however, for employees looking to voice their discontent online: it’s important to note that in this case, the employee made the comments from her own computer, on her own time. Therefore, it may be safe to say that when and how you choose to make these online comments could impact your rights.




  © Copyright 2010 The Journal of High Technology Law, Suffolk University Law School