Sunday, January 31, 2016

Computer Trespass or Authorized User Given Access


Computer trespass occurs when access to a computer and/or a related network is attained without authority.  Such is the case when the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, is deemed violated.   For there to be a violation, the matter must involve a protected computer, which is described as one engaged in commerce or in network-related system communications.  What also has to be established is the element of trespass, which is shown where one has conducted an activity that surpasses the authority given.  Questions of agency and of employees' conduct have peppered the courts over the issue of agency and the scope of access granted.

Facebook has had a dispute with Power Ventures regarding these elements, to the extent that the courts have delved into the extent of authority provided by users, who are members of Facebook’s social media community, to a social network aggregator, i.e., Power Ventures.  The issue has been what authority Power has to access Facebook user information upon user consent when Facebook is opposed.  The intricate aspect of this is that Power was granting, through a promotion, a monetary incentive to Facebook users if they sought friends to also join Power Ventures, in order to aggregate user information from other social media platforms as well.
As Power.com would operate, users would be able to access any social media platform through its website portal.  The district court ruled against Power Ventures in February 2012, finding that it had violated the CFAA and the CAN-SPAM Act, and subsequently awarded several million dollars in damages along with an injunction.  The trigger was that emails would be sent to friends of Facebook community members appearing as if they came from Facebook itself.  Facebook placed an internet protocol (IP) block, which Power bypassed.
Recently, however, Power returned to the 9th Circuit to oppose the award and challenge the reasoning underlying the finding. It argues that the CFAA was not intended to cover this type of permitted access, and it also challenges Facebook’s claimed ownership of community members’ information and of their friends’ information.   Power claims that the user owns the information, not Facebook. Therefore, it was not taking Facebook-owned information; it was using user information, and the users were giving permission and access.
The question that continues to gnaw is whether it is criminal unauthorized access under the CFAA when an individual receives user permission to access user information but the social media platform, in this case Facebook, opposes it.  As initially raised, the elements of agency come into play: the authority to access originates when the user establishes an account.  Afterward the user, as a member of the community, has access privileges to its account and can delegate and assign them to whomever it chooses.  As long as the recipient conducts itself within the boundaries of its responsibilities as agent, it should not be deemed to have infringed.
What also gnaws is whether bypassing an IP block and ignoring a cease-and-desist letter violates the CFAA.  The latter involves something ephemeral, and the former involves the matter of consistency.  The former is technically not reliable enough to withstand resistance. As to the latter, either the account is active, in which case the user has the right to grant access to whomever it chooses, or the account is not active and the user is devoid of authority to administer its own account and information. See Facebook v. Power Ventures (9th Circuit).

Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web.”
Copyright 2016, all rights reserved Lorenzo Law Firm, P.A.

Saturday, January 23, 2016

How Private is our Privacy

Privacy may not be as private as we would think, and it is no more private than what we are capable of keeping private, as long as we live a cyber life.  Take, for instance, the wearables that caught the craze throughout 2015 and became a popular item to buy at Christmas, and the other items that are catching on to monitor our health and status on a daily basis.  Did you know that if the data collected is somehow leaked, it does not fall under the protections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?  That statute was ‘only’ intended to protect your privacy as a patient whose data is stored by health providers, insurers, and related data storage partners. Any monitored health information culled, collected, and stored by anyone else is not covered.
One should wonder how private our health information is, the information we consumers generate to stay fit, monitor our progress, and measure performance across many different forms of activity.  It could get very embarrassing for some if their caloric-burn performance data for a given activity were obtainable by an unauthorized person from their cyber profile.  Nevertheless, the security of the collected data that identifies us is precarious.  We could as well include, for our own concern, the privacy at stake when one seeks to learn about personal genealogy and fills out details of one’s personal life to learn a speck of someone’s past.
Our concern for privacy, and the ability to maintain some level of privacy comfort, is heightened when we learn that entities that store, manage, receive, and share medical records do not have the mechanisms in place to know if a record was retrieved without authority.  The amount of medical-related information that we voluntarily generate and that can be accessed is alarming.  What is also alarming is that the Office of Civil Rights, within the Agency for Health and Human Services, which is authorized to carry out the requirements under HIPAA, has addressed only a bit more than 30 percent of the claims filed, because the agency either lacks authority over the company the claimants filed against or the claims were filed outside the time limits.  The majority of denials fall under the former.


Cyber Security Events and Lessons of 2015

The process of cyber security is an everyday occurrence in every entity, from government to small and large enterprises.  A handful of events took place in 2015, each shedding a lesson or two going forward.  Counseling clients on requirements always involves sharing best practices, even though they are not a guarantee.  But the focus is always on the standards that have been established and on the federal and state requirements for securing data, transferring data, sharing data, and processing the financial information of transactions, including medical records.
Cyber security incidents touched even the unthinkable entities.  For instance, a group identified as Carbanak was able to get the credentials for gaining access to international banks.  The amount stolen from ATMs approximates one billion, affecting about 100 banks.  U.S. taxpayers were affected when the IRS was breached: over 100,000 records were illegally accessed, to an amount approximating tens of millions of dollars.  A blackmail scheme affected the accounts at a dating site called Ashley Madison, where millions of customers’ information was taken.  Even the Central Intelligence Agency Director’s AOL email account, containing sensitive files, was hacked and its contents posted on a web-based information platform.  Moreover, Blue Cross Blue Shield and Anthem were also compromised, affecting millions of insurance policy holders.

While these are just some of the occurrences, the lessons reveal useful prescriptions, though there is no guarantee of absolute prevention of attempts and of their relative success.  Notable, in addition to the above list, is the event experienced at the U.S. Office of Personnel Management, compromising thousands of federal employees.  While this is unfair, we know that hindsight is 20-20 vision.  With that, we can say that we learned that there ‘was not enough of this’ and ‘there was not enough of that’.

Specifically, the information that was needed regarding security risks was not properly conveyed to the different levels of employees up and down the management chain of command.  Practices and methods were not updated and tested as they should have been, which would have resulted in new standard practices.   Security-authorized personnel were not integrated into the day-to-day practical administration of the entities.  This resulted in personnel not being up to date on vulnerabilities, and the entities ended up not making the changes needed in anticipation of a cyber event.  This eventually compromised any risk management endeavor within the particular entity.  When vulnerabilities were known, the entity processes necessary to resolve the risk were not carried out.  The most glaring lesson among them all was the lack of security governance and management.  Just as an entity has an individual overseeing personnel paperwork, records, policies, and administration, cyber concerns merit the same dedicated assignment within an entity.  This will necessarily entail reprioritizing how cyber security plays out within an entity, which will involve routine monitoring, assessment, and implementation of updates, methods, and policies.  The cyber events of 2015 have been a lesson for all.


Tuesday, January 19, 2016

Copyright Challenge - Ideas and Expression

Copyright, for many individuals, appears to cover anything they write, express, or present on paper.  By putting content in a book, one assumes it is copyrightable, whether it is text, photos, or drawings.  For a yoga studio in California this was the mindset.  That which they organized together, in the form of photos displaying poses, was considered protected under copyright law.  Underscored by this belief, an organization practicing the Bikram methodology of poses had produced a compilation of photos displaying poses in a sequence.
Subsequently, and over an undetermined period of time, Mr. Bikram Choudhury, the author of the yoga pose sequence, would issue cease-and-desist letters threatening anyone, including yoga studios, who practiced the poses.  Several settlements were garnered, but one studio challenged the efforts to prevent other studios from copying the poses in their classes.
The District Court in California noted the distinction between what is considered an ‘expression’ and what is an ‘idea’.  The latter is not eligible for copyright protection.  The Court explained that the contents of a book, i.e., literary expression or photos, are copyrightable, with the exception being the manner or form in which they are presented.  The exact sequence itself was at issue, and it drew the distinction between an expression and an idea.  The expression that is copyrightable is the presentment, if you will, of the photos in the book, but the selection of the photos, or the ordering of the photos together in a compilation, is not copyrightable.  That intellectual contribution, regardless of the benefits claimed for it, is not protectable.
The 9th Circuit affirmed the lower court, emphasizing that the sequence displayed in the otherwise copyrightable book is nothing more than ‘an idea, process, or system’ designed for a particular purpose and does not serve as a form of ‘expression’ of an idea.  Its displayed format and the ordered structure of the selected photo sequence, as the Court determined, did not satisfy the rigors of a copyrightable expression, despite the urging that selecting the photos for a beneficial purpose made it an expression.
See Bikram's Yoga College of India, L.P. v. Evolation Yoga, LLC.


Cloud Technology Use for a ‘God View’

Uber’s cloud technology use for a ‘God view’ was exciting for its employees to experience.  With every innovative creation there is always a bit of excitement and a bit of dreaming about the capability, devoid of any thought for security and for its ramifications.  Inserting concepts of security and considerations of ramifications is a downer, watering down the limitless dream of innovation.   One can fathom how excited the engineers were to have the technological ability to employ a ‘God view’ to track users, their location, trajectory of travel, and ride history log, along with riders’ personal information.  This feature and its use were revealed by one of Uber’s managers to a journalist.
The New York Attorney General’s office started an investigation, not into the ‘God view’ technology but into the security policies of the company.  A security breach in late 2014 had exposed the data of over 50,000 Uber drivers throughout the U.S.  Uber’s data security breach followed a report on BuzzFeed which stated that an Uber executive claimed to have used a “God view” technology program that helps track the vehicles, and that it had tracked the reporter's ride without permission.
Subsequently, with the Senate Subcommittee on Privacy, Technology, and the Law looking into Uber's privacy policies, the New York AG conducted an investigation in November 2014. How Uber managed the collected data regarding customer emails, names, addresses, phone numbers, and credit card information was now being looked into. The innovative use of technology was giving Uber the ability to track in real time the GPS location of the vehicle in use.
Uber has caught the world by storm, with its users able to book a taxi ride through its mobile application.  Gone soon will be the day that one stands along the street to hail a cab.  The service is now used in over 50 countries and over 250 cities.  This has caused municipal entities and taxi firms to fire off lawsuits to stop Uber’s spread.
However, an external party entered Uber’s third-party cloud storage database and acquired Uber user and driver information.  Access to the cloud storage database was available to Uber employees as well. Also, Uber did not timely inform drivers and users of its data breach. Over a year’s worth of investigating Uber has ended with a settlement that resulted in a $20,000 fine, but with stipulated conditions.
Similar to Wyndham, as previously commented, which entered into a series of remedial stipulations, Uber agreed to maintain more secure standards for collected data.  It stipulated to encrypt the real-time transit information, in effect limiting the access to the ‘God view’ that others in the company had.  It agreed as well to store the GPS location data in a password-protected environment.
It is now obliged to restrict access to the ‘God view’ tool by implementing diligent privacy and security practices, coupled with the innovative genius of password protection, encrypting the transit data of users and drivers, and, foremost, using a multi-step process for authenticating valid user access.  Moreover, Uber, under advice of counsel, will be emphasizing employee accountability by implementing training on security guidelines and installing a data retention policy.  The emphasis among the many FTC-highlighted guidelines will be the principles of transparency, governance, internal access controls, and scheduled monitoring of the company's privacy program and of external source applications, i.e., Android.


Monday, January 18, 2016

Child Privacy and the Apps They Play


Child privacy while playing with apps is something to consider.  The Federal Trade Commission (FTC) has been concerned.  The question of how children’s personal information is shared with advertisers and the related networks brings to mind the requirements of the Children’s Online Privacy Protection Act (COPPA).
In 2013, the FTC amended the Rule under the Act to include the definition of ‘personal information’.  The FTC has been made aware that specific advertising was directed to children.  The FTC found that third-party entities were advertising to children using ‘identifiers’ that strategically marketed to them.  The identifiers would link to the internet protocol address of the child’s device in use, which then provided advertising tailored to the child.
In pursuing legal action against app developers, the FTC argued that the third-party network advertisers, using persistent identifiers, were collecting the children’s personal information.  Furthermore, the FTC asserted that the app developers were specifically designing apps for children in combination with other entities that would collect the user data.  Also, the FTC argued that the app developers did not inform the advertisers that children were the focus of their apps.  The alarming aspect of these cases was that children were being targeted with specific advertising without parental consent being obtained, and without notice being provided, for the data that was being collected on their children.
Several app developers whose apps focus on children, including Hair Salon Makeover, Marley the Talking Dog, My Cake Shop, and Animal Sounds, have entered into settlement agreements with the FTC, under which LAI Systems is obliged to pay a civil penalty of $60,000 and Retro Dreamer is obliged to pay a $300,000 civil penalty, both for violating COPPA.
