Israeli Supervisor of Banks Issues Letter on Social Networking

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On July 28, 2010, the Israeli Supervisor of Banks, Rony Hizkiyahu, issued a letter to the CEOs of all local banks expressing concern over the banks' and their employees' use of online social networks, including both proprietary Web 2.0 tools and networking sites such as Facebook, Twitter, LinkedIn, MySpace and YouTube, all of which are explicitly referred to in the letter.  The Supervisor of Banks, Israel’s banking regulator, requires banks to take steps to ensure data protection and information security, including having outside experts perform risk assessments, creating and enforcing policies for use of social networking tools as well as guidelines and procedures for implementation and audit, and devising a data security strategy to address increased risks to employee and customer data.  These instructions are in addition to the Supervisor of Banks Proper Conduct of Banking Business Regulation No. 357, Information Technology Management, as well as applicable data protection law and regulations.

View the Supervisor of Banks’ letter (in Hebrew).

Facebook Announces Privacy Changes for Third-Party Applications

Bret Taylor, the Chief Technology Officer of Facebook, announced this week on the Facebook Blog that the company will enhance privacy protections pertaining to third-party applications.  When a Facebook user logs into a third-party application with his or her Facebook account, the application will only be able to access the public parts of the user’s Facebook profile.  If the application wants to access private sections of a user’s Facebook profile, the application has to explicitly ask the Facebook user for permission.  For example, if a greeting card application wants to access a user’s photos to create a personalized greeting card, the Facebook user will have to click a button to allow such access.

In his announcement, Mr. Taylor stated that the changes “reflect two core Facebook beliefs: first, your data belongs to you; second, it should be easy to control what you share.  If at any point you ask a developer to remove the data you’ve granted them access to, we require that they delete this information.”  The changes come in the wake of scrutiny by both legislators and privacy organizations regarding privacy protections on the social networking website.

Privacy Settings on Social Networking Sites May Determine Protection Under Stored Communications Act

On May 26, 2010, the court in Crispin v. Christian Audigier, Inc. quashed portions of subpoenas seeking the disclosure of private messages sent through Facebook and MySpace.  The court left open the question of whether Crispin’s wall postings and comments should be disclosed pending a more thorough review of his online privacy settings. 

On February 10, 2010, defendants in the copyright infringement case subpoenaed the social networking sites for wall postings and private messages from plaintiff Crispin’s accounts.  Crispin filed a motion to quash the subpoenas, asserting that the Stored Communications Act (“SCA”) prohibited the disclosure.  The SCA generally prohibits an entity that provides an “electronic communication service” (“ECS”) or a “remote computing service” (“RCS”) to the public from disclosing the contents of certain communications that are carried, maintained or stored on that service. 

After a lengthy analysis, the court determined that Facebook and MySpace were each either an ECS or RCS and thus potentially covered by the SCA.  The court then referred to a provision in the federal Wiretap Act stating that “[i]t shall not be unlawful under [the SCA] for any person . . . to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” (emphasis added)  Based on this provision, the court quashed the subpoena insofar as it sought messages that Crispin sent through the websites’ private messaging services.  The court found that those communications are “inherently private” such that the stored messages are not “readily accessible to the general public.”

The plaintiff’s Facebook wall posts and MySpace comments, however, presented a thornier question.  Because Crispin’s privacy settings could have determined whether his wall posts were public, the court declined to resolve the issue, instead directing that the parties “develop a fuller evidentiary record regarding plaintiff’s privacy settings and the extent of access allowed to his Facebook wall and MySpace comments.”

U.S. Legislators Urge Enhanced Privacy Protections for Social Networking Websites

Legislators at the federal and state levels are urging social networking websites to enhance privacy protections available to their users.  On April 27, 2010, four U.S. Senators wrote a letter to Facebook’s CEO expressing “concern regarding recent changes to the Facebook privacy policy and the use of personal data on third party websites.”  The letter urged Facebook to provide opt-in mechanisms for users, as opposed to lengthy opt-out processes, and highlighted default sharing of personal information, third-party advertisers’ data storage and instant personalization features as three areas of concern.

The Senators’ letter to Facebook comes on the heels of New York Senator Charles Schumer’s April 26, 2010, letter to the Federal Trade Commission asking it to look into privacy concerns about the use and disclosure of personal data on social networking websites.  Senator Schumer offered to “introduce appropriate legislation” that would give the FTC authority in “creating effective guidelines and protecting the privacy of online social network site users.” 

At the state level, the California Senate passed a bill on April 22, 2010, that prohibits social networking websites from displaying “the home address or telephone number of a registered user who identifies himself or herself as being under 18 years of age” to the public or to other registered users.  Social networking websites that “knowingly and willfully” violate the provision can be fined up to $10,000 for each violation.  The measure is currently being considered by the California State Assembly.

Canadian Privacy Commissioner Investigates Facebook

Pursuant to a public complaint, on January 27, 2010, the Privacy Commissioner of Canada announced a new investigation into Facebook.  The investigation concerns the social networking site’s introduction of a tool that required its users to review their privacy settings in December 2009.  According to the complaint, Facebook’s new default settings allegedly made some users’ information more accessible than previously had been the case.  Elizabeth Denham, the Assistant Privacy Commissioner, indicated “[s]ome Facebook users are disappointed by certain changes being made to the site – changes that were supposed to strengthen their privacy and the protection of their personal information.”

The new complaint follows the Commissioner’s July 2009 release of findings resulting from an investigation into Facebook’s privacy policies and practices.  The findings highlighted concerns regarding Facebook, including a need for increased transparency and clarity.  The Office of the Privacy Commissioner will continue to follow up with Facebook as the company implements changes to its site.  

For further information, please see the Office of the Privacy Commissioner's News Release.

Privacy Group Files FTC Complaint Against Facebook

On December 17, 2009, the Electronic Privacy Information Center (“EPIC”) filed a complaint with the FTC claiming that Facebook is engaging in “unfair and deceptive trade practices” by changing its privacy policies.  Notably, the changes allow anyone who browses the Internet to view a Facebook user’s name, profile picture, gender, geographic region and list of friends.  Facebook has stated that it implemented these changes to make it easier to find individual users among the estimated 350 million Facebook users.

EPIC’s complaint, which was signed by nine other privacy organizations, alleges that Facebook’s privacy changes injure users by “invading their privacy; allowing for disclosure and use of information in ways and for purposes other than those consented to or relied upon by such users; causing them to believe falsely that they have full control over the use of their information; and undermining the ability of users to avail themselves of the privacy protections promised by the company.”  EPIC’s complaint further alleges that Facebook’s claim that users “have extensive and precise controls available to choose who sees what among their network and friends, as well as tools that give them the choice to make a limited set of information available to search engines and other outside entities” is deceptive because “Facebook’s changes to users’ privacy settings and associated policies in fact categorize as ‘publicly available information’ users’ names, profile photos, lists of friends, pages they are fans of, gender, geographic regions, and networks to which they belong.”

EPIC is requesting that the FTC compel Facebook to “restore its previous privacy settings” and “make its data collection practices clearer and more comprehensible and to give Facebook users meaningful control over personal information provided by Facebook to advertisers and developers.”  In response to EPIC’s complaint, Facebook released a statement that the company had “discussed the privacy program with many regulators, including the FTC, prior to launch and expect to continue to work with them in the future.”
 

Federation of German Consumer Organisations Successful against Social Networks - Providers Intend to Discontinue Use of Certain Data Protection Provisions

On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations, announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions.  The vzbv sent warning notices to the six leading social network providers regarding a number of clauses.

The main criticism from vzbv referred to general terms and conditions and data protection provisions that disadvantaged users and gave wide-ranging rights to the providers.  The provisions regarding comprehensive use of data and data processing have been a primary subject of the proceedings.  These uses and processing often took place without the user’s consent and exceeded the original purpose for which the data were collected.  These practices are supposed to be changed in the future.  The providers promised to implement amendments to the provisions by January 2010 at the latest.

The vzbv also has published a position paper that outlines what providers need to be doing from a user perspective.  This guidance includes, for example, that the providers should ensure restrictive pre-settings for user profiles to more fully protect new users.  In addition, the providers should assess implications for data protection and consumer protection in case of new technical developments.

For more information please see the press release by vzbv (in German).

Draft Bill to Require Disclosure of Online Behavioral Tracking

Behavioral targeting on the Internet has recently come under the scrutiny of lawmakers and privacy advocates.  This increased interest has been triggered in part by Facebook’s and Google’s recent adoption of targeted advertising practices.  In response to growing concerns over behavioral tracking, three U.S. congressmen are preparing a draft bill that would mandate the disclosure of monitoring practices for advertising purposes.  The goal of the bill is to increase transparency and provide individuals with the opportunity to learn what information is being collected about them, by whom and how the information will be used.  At present, there are suggested best practices set forth in the Federal Trade Commission’s (“FTC’s”) Staff Report on Self-Regulatory Principles for Online Behavioral Advertising.  These Self-Regulatory Principles are designed to encourage industry self-regulation for the protection of consumer privacy in online advertising activities.  The FTC is in the process of reviewing the privacy issues raised by online behavioral advertising over the course of the last decade.  An FTC Town Hall meeting to address behavioral advertising practices was hosted in November 2007.  In response to the comments received at the Town Hall meeting, the FTC issued Self-Regulatory Principles to promote industry self-regulation.  If enacted, the proposed bill would frustrate industry’s nascent efforts to self-regulate in this area.

While there has been considerable discussion of online behavioral advertising, the placement of targeted ads on the Internet is not a new phenomenon.  A number of well-known companies, including Yahoo! and Microsoft, have made use of the technology for years.  Facebook has joined the bandwagon and notified advertisers that they could begin targeting ads to users based on language and location.  A posting on Facebook’s company blog indicated that the location and language features represented a “huge upgrade for Facebook’s targeting.”  The ability for advertisers to target specific users is significant given that Facebook recently announced that it expects to have 200 million users by the end of March 2009.  Google also announced that it will begin interest-based advertising that provides users with ads based on the types of websites they visit.  This service would supplement Google’s existing contextual advertising.  As part of its approach to targeted ads, and perhaps to allay privacy concerns, Google will offer users an opt-out by downloading a browser-level plug-in to restrict the use of interest-based ads.

The FTC’s online behavioral advertising principles are available here.