Mobile Device Security Policies for Employers – Small and Large

As a business owner, perhaps you have seen articles about setting ground rules for BYOD (a.k.a. employees bringing their own devices to work to use for work purposes). Placing restrictions on access to Company information, however, should not be limited only to those BYOD devices. Instead, if the Company issues Company-owned devices to employees for use on Company systems, similar ground rules should be put in place to set expectations and provide the backdrop for any disciplinary action that may be needed later if an employee misuses Company information or loses an unsecured device.

Here are some questions to keep in mind as you develop policies for Company-owned devices issued to employees:

Why Privacy Policies Must be Personalized

The best argument for why companies should never simply copy and paste the text of another entity’s privacy policy onto their own website can be found in the recent announcement by the FTC of a settlement reached with Snapchat – relating to misrepresentations contained in the Privacy Policy, among other things. (Snapchat is not alleged to have used someone else’s Privacy Policy as its own; however, its mistakes in its public statements about its products illustrate fully that companies should say what they mean, and mean what they say in their privacy policies!)

New Year’s Resolution: Always Read Terms of Service for Social Media Networks!

You should always read very carefully the various terms of service associated with the social media networks in which you participate – particularly with respect to ownership of the material that you post and/or share on these sites.   In other words, do you know who owns what you post?

Recently, one social media site’s public announcement highlighted this question in appalling clarity. On December 17, 2012, Instagram announced that it had the right to sell any photo that you took and uploaded using its service – in other words, to “commercialize” it. (See CNET’s article about the change in terms: Declan McCullagh, “Instagram says it now has the right to sell your photos,” CNET, Dec. 17, 2012.)
If you are unfamiliar with Instagram, it used to be a standalone company, but was recently acquired by Facebook and is used on Facebook to share customized photos with your networks.
Here’s the rub:  the right to distribute (or not to) is actually an exclusive right set forth in the Copyright Act as being owned EXCLUSIVELY by the copyright owner.  17 U.S.C. §106.  Not by a vendor who handles the distribution.
Unless the author has licensed its ability to redistribute an “original work of authorship fixed in a tangible medium of expression” (as an original photograph surely is) to another, any redistribution of a published work constitutes copyright infringement under 17 U.S.C. §501, and carries certain remedies and penalties depending on the context.
The public outcry in response to this notice was apparently widespread, as Instagram immediately appeared to retract this statement, and stated that users retain the copyrights in their original photographs even when posting them using Instagram’s tools. Declan McCullagh and Donna Tam, “Instagram apologizes to users: We won’t sell your photos,” CNET, Dec. 18, 2012; see also Instagram Blog, “Thank You and We’re Listening,” Dec. 18, 2012. Its restatement of the policy suggested that Instagram believed the hue and cry to have been solely based on a misunderstanding of the revised terms of use and privacy policies.
 
In this restatement, Instagram explained that ownership rights would not change as a result of this policy, and neither would any privacy settings users have already set.  Current Version of Instagram’s Privacy Policy and Terms of Use, updated Dec. 18, 2012.
The Copyright Alliance points out that this explanation does not mean that Instagram cannot commercialize your images – in fact, the text that Instagram removed was merely a disclosure of the ways in which it “can” use your photos:
“Instagram has issued a statement saying that it has heard its customer’s complaints, is removing the clause that most offended its customers, and reverting to its old terms of use. But ironically, the clause that caused the outrage, and which Instagram says it has removed, was merely a disclosure and acknowledgment by the user of how Instagram could use a customer’s images. Removing that clause alone doesn’t change the license the user grants Instagram. Moreover, even if Instagram reverts to its current terms of service, those terms of use not only permit Instagram to commercialize user posted images in virtually unrestricted ways, they pass the responsibility for paying any royalties or fees owed for such commercialization on to the user who originally posted the works.” (emphasis added).  Read the Copyright Alliance’s full article for more on this point, “Instagram Still Has the Right to Commercialize Your Work (or Why You Should Read Terms of Service Carefully),” Dec. 21, 2012.
The lesson to be learned here is to be proactive with all of your social media use – understand what Terms of Service apply to your use, and whether the company will be using your information in a way with which you are not comfortable.  Review carefully to determine whether by using their site, you automatically grant the site a license to use your content (your text, pictures, video, whatever) without specific notice or obtaining your consent to that specific use. 
And, try to stay on top of changes to these policies in case changes are made that further impose on your privacy or intellectual property rights.  Many of these policies have a “these terms can be modified without prior notice” provision, but the sites may also host blogs that announce new features or changes to their services.  You might want to subscribe to them (through RSS feeds or email) so that you are notified promptly of any advertised changes. 
Here are links to some of the more commonly-used social media sites, and their relevant blogs (if available):
· Facebook (“Facebook and privacy”; privacy policy; terms of service)
· MySpace (privacy policy; terms of service; “learn more”)
· Twitter (blog; privacy policy; status)
· LinkedIn (blog; community guidelines; privacy policy)
· Instagram (terms of service; blog)
· Snapfish (terms of service; privacy policy; sharing FAQ)
· Google (which owns Google+, YouTube, Blogger, Picasa, and Instagram competitor, Snapseed)
· Reddit (blog; privacy policy; user agreement; rules; “reddiquette”)
You might also be interested in posts from The Copyright Alliance (their article on Instagram is here) or the Electronic Frontier Foundation (their article on Instagram is here) generally, as they both cover issues like these on a regular basis.

Google’s Privacy Policy Under Fire Before it Became Effective

On February 22, thirty-six attorneys general signed and sent a letter (through the National Association of Attorneys General) to Google objecting to its new privacy policy, scheduled to take effect on March 1. (See prior post about the provisions of the new policy.) The National Association of Attorneys General reports that the letter objects to Google’s one-size-fits-all approach for all consumers of all of its various services. Specifically, the letter states, “Google’s new privacy policy is troubling for a number of reasons. On a fundamental level, the policy appears to invade consumer privacy by automatically sharing personal information consumers input into one Google product with all Google products. Consumers have diverse interests and concerns, and may want the information in their Web History to be kept separate from the information they exchange via Gmail.” Feb. 22, 2012 Letter. Indeed, the policy requires consumers to “allow information across all of these products to be shared, without giving them the proper ability to opt out.” Id.

The letter also points out that users of Android phones will be significantly impacted: “Even more troubling, this invasion of privacy is virtually impossible to escape for the nation’s Android-powered smartphone users, who comprise nearly 50% of the national smartphone market. . . . For these consumers, avoiding Google’s privacy policy change may mean buying an entirely new phone at great personal expense. No doubt many of these consumers bought an Android-powered phone in reliance on Google’s existing privacy policy, which touted to these consumers that ‘We will not reduce your rights under this Privacy Policy without your explicit consent.'” Id. (Footnotes omitted). So much for that promise.

The letter requests a response by February 29. It’s unclear whether a response was provided.

EPIC v. FTC Lawsuit

In a related story, the Electronic Privacy Information Center filed suit on February 17 against the FTC to require it to enforce the Google Consent Order, thus barring the amended privacy policy from becoming effective. The court dismissed the complaint on February 24 for lack of jurisdiction over the FTC, but noted its own concerns about the terms of the privacy policy. EPIC filed an emergency appeal with the Circuit Court of Appeals for the D.C. Circuit on February 24, seeking argument before the March 1 effective date. Details about EPIC’s efforts, copies of its pleadings and information about the FTC Chairman’s interview on C-SPAN, the EU’s objection to the privacy policy changes, and the attorneys general’s objections can be found on its Consent Order Page.

Note also that EPIC obtained (through a FOIA request) a copy of Google’s Privacy Compliance Report that it filed with the FTC on January 26, 2012. EPIC has posted a copy on its Consent Order Page (see the heading entitled, “‘FOIA Matters’ – EPIC Obtains Google Privacy Compliance Report”). The Privacy Compliance Report describes the March 1 privacy policy changes, although the description is rather watered down and focuses on Google’s efforts to notify its users that the change was coming.

Five Privacy Organizations Request Congressional Hearing

On February 24, five privacy organizations wrote to Representative Mary Bono Mack and Representative G.K. Butterfield of the House Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing and Trade objecting to the privacy policy and requesting that the currently scheduled private hearing with Google to discuss the changes to the privacy policy be opened to the public. Feb. 24, 2012 Letter. These organizations were the Center for Digital Democracy (CDD), Consumer Watchdog, Consumer Federation of America (CFA) and U.S. Public Interest Research Groups. As of this writing, a hearing has not yet been scheduled, but continue to check the Committee’s hearing schedule for updates.

Foreign Organizations Respond in Opposition to New Privacy Policy 

On February 27, 2012, the Commission Nationale de l’Informatique et des Libertés (CNIL) – an independent commission in the French government charged with “ensuring that information technology remains at the service of citizens, and does not jeopardize human identity or breach human rights, privacy or individual or public liberties” – sent a letter to Google, reporting that it has preliminarily concluded that “Google’s new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects.” (The phrase “data subject” refers to “an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” Art. 2, Definitions, (a))

The Commission had been asked by the Article 29 Data Protection Working Party of the EU to take the lead on this investigation.  (Google’s response to the initial letter from the Article 29 Data Protection Working Party was sent on February 3, 2012, and basically argued that its policies had not changed, but were merely consolidated.)

Earlier, but for similar reasons, on February 23, 2012, the Australian Privacy Commissioner, Timothy Pilgrim, wrote to Google on behalf of the Technology Working Group of the Asia Pacific Privacy Authorities expressing concern about the implementation of the new changes. Google responded on February 29.

News Coverage

Here are some samples of articles published in the past few days on this topic:

Google’s Response Thus Far

Google has not posted any response on its press releases page, but that’s not to say that Google hasn’t responded directly to any of these organizations. At some point, I’m sure that Google will make some public statement – in some forum – that will continue to defend its decision to consolidate its privacy policies and the accumulated consumer data into one single data source, probably on the grounds that this is a benefit to consumers because it would allow Google to customize its services to their use.

Conclusions

It appears that the only recourse a consumer has if he or she does not want to participate in the new consolidation of their data currently spread over various Google services is to cancel all Google accounts. It could be very time-consuming to find replacement services (for instance, set up and transition to a new email account, remove YouTube video content and re-post somewhere else that does not require such a broad license to the host, port a blog from Blogger to WordPress (for instance) and publicize the new address). For anyone who uses these services for business or advertising/marketing purposes, the impact in both time and money – and perhaps goodwill developed from a loyal following – could be significant to transition to new providers. As a result, perhaps it’s not really a valid “choice.”

Google Announces New Privacy Policy and Terms of Service

Effective March 1, 2012, Google’s new Privacy Policy and Terms of Service will go into effect.  These changes are billed as simplifying and consolidating over 60 different privacy policies that apply to Google’s library of services and tools – specifically that it’s “a lot shorter and easier to read.”  (See Overview for this text.)  What appears below is a brief summary of each document, but I encourage you to read the originals, as other issues may jump out at you based on your individual circumstances.  Following these summaries is a description of how to opt out.
Privacy Policy
A quick comparison between the new Privacy Policy and the October 20, 2011 version of the main Privacy Policy suggests that perhaps the information collected by Google – or how that information is used – hasn’t changed, but instead, how the policy is explained.  (I did not compare the March policy with any of the other 60-odd policies that Google referenced in its Overview, so there may be some significant changes here.)
Among other notable provisions of the new policy are the following: 
· Google may collect device-specific information (such as specifics about your hardware model and mobile network, including your phone number). Google may associate such device-identifying information or phone number with your Google account.
· Google may collect and store server logs showing how you used their services (such as search engine queries), call history (to/from phone numbers, duration of calls, SMS routing info, forwarding numbers, and time and date), IP address, device crash history, browser type and browser language, and may also use cookies.
· Google may collect information about your location using GPS signals sent by a mobile device or sensor data searching for nearby WiFi access points and cell towers.
· Google may use information from cookies or “pixel tags” to “improve your user experience and the overall quality of our services.” The example Google gives is being able to remember your language preferences, but the breadth of this tool could be rather large.
Google offers several tools to provide “Transparency and Choice,” including links to review and control information tied to your Google Account, view and edit ad preferences, adjust your Google Profile, control with whom you share information and port your data from Google’s services through a tool called Dataliberation.
Google also reminds users that any information that users share publicly will be indexable by search engines, including Google. Google explains that it provides mechanisms to correct or remove incorrect data that reside on its servers, but provides no links to place a request to begin the process.
Finally, Google provides information about what it shares with non-Google entities and explains its security protections.
Terms of Service
Google’s new Terms of Service are pretty straightforward and contain provisions such as warranties, disclaimers, limitations on liability, business use of Google’s services, and choice of law (California – although specifically disclaims California’s conflict of laws rules).  The Terms of Service uses expressions like “Don’t misuse our services” and “Don’t interfere with our services.”  It also provides confirmation that “you retain ownership of any intellectual property rights that you hold in” content that you upload to Google’s services.  But, and this is significant, “When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations, or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.”  Google follows this broad automatic license with this explanation:  “The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.”
Additional Details about Managing Your Online Profile

In its Privacy Policy, Google also provides information about how to opt out of certain advertising delivery (such as DoubleClick) – more information can be found here: https://www.google.com/intl/en/privacy/ads/. Google explains that you can opt out of Network Advertising through a single page (http://www.networkadvertising.org/managing/opt_out.asp), which tells you whether certain cookies are present on your machine and allows you to opt out of each individually or of all of them at once. You can also permanently block the DoubleClick cookie. Be sure to read all of the disclaimers before making permanent changes to your browser.

Note also that in the Advertising and Privacy section, Google explains, “Ads that appear next to Gmail messages can also be personalized based on emails in your account. Read more about ads in Gmail and your personal data.”

You can also request that content you don’t want to be included in Google’s search engine results be removed.  Details are here:  http://support.google.com/webmasters/bin/answer.py?hl=en&answer=164734 (Google cautions that these tools should only be used to remove pages urgently – such as if a private credit card number is exposed – where immediate action is required.  Google adds that using the tools too liberally within your own web site could cause functionality problems.)

As mentioned above, these new policies go into effect across the board for Google services on March 1, 2012.  You have a little time between now and then, and I’d encourage you to read these policies for yourself and determine what pieces (if any) matter to you so that you can make changes or opt out, if necessary to protect your interests.