Lawyers and the State of Surveillance

Early last year, I wrote this:

Personal data privacy is an interesting issue for lawyers. For some, it’s part of their corporate practice. For most, it’s a confusing technological jumble, something they want to trust to someone else.

Interestingly, it was in the context of how the Obama administration was proposing a data privacy “bill of rights.” There wasn’t a lot of debate about this last year; perhaps the issue didn’t gain traction in an election year.

But it is now.

Putting aside political issues, in-house counsel and their key outside advisors will certainly be more involved with privacy issues this year. Here are a few that could appear at the top of the list:

1. Who is watching the watchers? A perennial risk issue for in-house counsel is the very IT department relied on to track, collect, and present potential risk inflection points. One of the most insidious parts of the Snowden case is that he was part of an IT group tasked with monitoring network use and security. And he apparently used a thumb drive! Whatever you think about what he did, he has put many people under a microscope, 99.99%+ of whom are professional and trustworthy. (But there are allegedly 1.4 million people with a Top Secret security clearance!)

2. Lawyers are put in a secrecy bind. Companies that receive secret orders from the FISA court cannot legally disclose them. Google has led the charge to obtain permission to disclose more information about these orders and their responses. Observers have noted that it is not in the global business interests of U.S.-based tech companies to operate under this cloud (broad government-mandated data collection) when they are trying to market that cloud (trust us virtually with your data).

3. Lawyers may not be in the loop. There is a report from Bloomberg this morning that some data-sharing “interactions” between the government and tech companies may be conducted on a “need to know” basis. It’s not clear that this would always involve company lawyers.

4. For all the focus on government data collection, watch the private sector. When President Obama first commented briefly on the Snowden disclosures (but before Snowden outed himself), he really didn’t (couldn’t?) say much at all. He did refer to the legality of government programs, and the challenges in balancing privacy and national security. He also noted that private companies collect a lot of data too, which sort of starts a shift in focus to what private companies do with customer data. If the public really understood how their purchase patterns and Internet usage were being monitored and aggregated, it might provoke more of an outcry.

5. Lawyers may not be the answer; some will certainly be asking the questions. One person who will likely have a big part in this unfolding story is James Comey. Reports say he is likely to be nominated as the new FBI director. He is a former Deputy Attorney General, and also later a General Counsel. He almost resigned his position in the Justice Department over some strong-arm tactics intended to certify certain surveillance activities as legal under the nascent Patriot Act. If you want to understand his resume, you can find it online. If you want to see one major reason for his nomination, you can watch it here:

I hope Mr. Comey gets the call and answers it.

We were taught early in the first year of law school the lesson in the cartoon below. A modern corollary to that rule for lawyers might be “ignorance of data privacy is not an option.” That holds for our clients, our law practices or businesses, and even ourselves.

Asked and answered...

Bloomberg: Through the Looking Glass

When reporters become the story, you have something worth reading about.

Late last week, multiple media sources revealed that Bloomberg news reporters had accessed information about customer usage of the Bloomberg financial terminal. The New York Times covers it this morning here; earlier reporting is summarized by Buzzfeed here.

One of the first Bloomberg customers to complain was Goldman Sachs; one assumes that this would get some attention from management at Bloomberg given their corporate use of the terminal.

Apparently a Bloomberg reporter contacted Goldman about the employment status of an employee, because the reporter noted that this employee hadn’t logged on to their terminal for some time.

Last Friday, Bloomberg CEO Daniel Doctoroff posted a first draft of an apology on the corporate blog:

A Bloomberg client recently raised a concern that Bloomberg News reporters had access to limited customer relationship management data through their use of the Bloomberg Terminal. Although we have long made limited customer relationship data available to our journalists, we realize this was a mistake.

Mistake? At least one important customer apparently saw it as something more.

Then early this morning, the editor-in-chief of Bloomberg News, Matthew Winkler, published a slightly longer explanation, which included this:

The recent complaints go to practices that are almost as old as Bloomberg News. Since the 1990s, some reporters have used the terminal to obtain, as the Washington Post reported, “mundane” facts such as log-on information. There was good reason for this, as our reporters used to go to clients in the early days of the company and ask them what topics they wanted to see covered.

Mundane? What was possibly mundane in the 1990s is apparently different now.

Bloomberg News is really an awesome operation. Their iPhone app, with its integrated video and audio content, is way beyond what others offer right now in terms of global coverage and quality.

In-house counsel can watch this story to see what Bloomberg’s crisis management playbook says, and watch it play out in real time.

There may be more twists and turns to this story. One question some law firms and corporate legal departments may have is this: Did reporter access to selected customer use information extend to the Bloomberg Law product?

We are in the early stages of the digital era as far as privacy and appropriate data use are concerned. This is a really hard issue for lawyers since it has a technological nexus and is difficult to research and understand, let alone monitor in real time.

A common tactic in compliance training is to suggest front-line personnel imagine “reading about the company doing X on the front page of the New York Times” before doing it.

I guess that is no longer a hypothetical scenario for Bloomberg.

Here's looking at you, kid...

(Updated 2:05 pm EDT on 13 May 2013).

Facebook Gets Thrown to the Curb by GM

Facebook will finally go public tomorrow, making many millionaires in the process. CEO and founder Mark Zuckerberg will reportedly buy Greece early next week.

A few days ago, rust-belt-based General Motors crashed the party when reports surfaced that it was reviewing Facebook as an advertising outlet. Is this another example of how an old-line company just doesn’t understand the ways of the left-coast-driven brave new digital world?

Perhaps, but in truth GM had a more basic problem. Their Facebook ad campaigns, as designed, didn’t convert as well as other options (like Google). The other issue that surfaced in the initial Wall Street Journal article (which is paywalled) is that of GM’s total $40 million Facebook-directed spend, only $10 million went to Facebook, and the rest to media firms designing and managing the campaigns.

Nice work if you can get it.

For the record, Mr. Zuckerberg reportedly drives an Acura, and at least on one occasion was using a Chevrolet Suburban for a special event:

This all would be easy to dismiss if not for the fact that GM spent $1.78 billion on ads globally in 2011; other reports put total marketing spend in the $3-5 billion range in recent years. The $10 million spent directly on Facebook is peanuts to them, and probably will be to Mark Zuckerberg by the time NASDAQ closes tomorrow. (In other news from the Bizarro World that is the U.S. economy, California apparently has a $16 billion budget deficit and Michigan had a surplus in 2011 and projects one this year.)

Many in-house lawyers are trying to figure out how to balance social media presence with proper policies and privacy protections. Law firms are being told to get more savvy social media-wise. Facebook is probably not the first place for lawyers to start, and many of them will spend more time trying to understand what their kids are doing and posting about that will be locked in Facebook servers for decades, possibly appearing next to ads.

Facebook is an amazing story, and it looks like they have played the IPO game about as well as a new registrant can. They boosted the initial pricing range of FB this week, which may allow them to walk the IPO tightrope of not leaving too much on the table, while allowing for enough of a first-day “pop” to make new shareholders feel like friending Mr. Zuckerberg for a while longer.

Lawyers and Privacy

Personal data privacy is an interesting issue for lawyers. For some, it’s part of their corporate practice. For most, it’s a confusing technological jumble, something they want to trust to someone else.

In-house counsel are often on the side of drafting privacy policies for their employers that allow for the appropriate use of consumer and web site visitor data.

In-house and outside counsel also have a hand in drafting those terms of use that we all never read and click “accept,” denoting we have. It’s almost a charade, worse than old-school small print on the back of a used-car dealer’s installment sales agreement.

In addition, there are many examples of companies saying they will protect personal data, and then not doing so. Is it an oversight, a technical glitch, a lone hacker, or something else? Who knows, and I don’t want to link to any of these reports to single anyone out. It happens almost weekly. Some companies don’t even know when it’s happening.

Yesterday the Obama administration announced the outline of a data privacy “bill of rights.” The official report is here; major companies are trying to get out ahead of the issue; some observers think that the proposal doesn’t go far enough.

I think most people would expect lawyers to be conversant with these issues, thinking that protecting people from privacy intrusions is like securing financial assets or real estate investments. Indeed, lawyers who work on this issue for clients probably view it much differently when the privacy being potentially invaded is that of their teenage daughter. The New York Times covered some of this recently, as did NPR on how companies are tracking you on the web, right now, and how little you can do about it.

(There are no cookies used on this site; some are used as fuel for late-night writing sessions, however.)

Since many of the most successful Internet-based businesses are based on collecting information and selling it, or using it as a basis for advertising, you can expect a real fight over federal data privacy initiatives.

In the coming years, I think many lawyers will have to follow this issue and understand what’s going on. That will help represent corporate clients, and it will be essential in understanding what’s going on with their own data, and that of family members. It may even be an added-value service offered to individual clients who want or need help in this area.

I honestly think if most lawyers knew what was going on with their own personal information, they would see data privacy in a different, and more immediate, light.

On the Internet, the saying goes like this: when something is free, you are the product.

Looking Up and Locking Down.

This Application is Secure. No, Really…

Earlier this year, there were reports that an online application hosted by Nasdaq to share board information may have been hacked. At the time, there was apparently no evidence that customer information was accessed in the unauthorized entry.

Now Reuters reports that this optimistic scenario may not be the case, as a form of malicious software may have been installed that permitted actual board information to be viewed, including “confidential documents and the communications of board directors.”

This has happened before, when some parties penetrated defense contractor systems, and bypassed the commonly used RSA key fobs in the process.

One of the most sinister aspects of these episodes is that they are very hard to detect by common staff members using typical security means. You don’t know what you don’t know.

The good news is that most online applications aren’t of interest to these unsavory cyber-characters. Sort of the “hiding in plain sight” scenario. And everything these days is “in the cloud” to some extent. Indeed, some of these incursions may be state-sponsored.

What these reports do show is the need to be careful about who you use, and what you place on their systems. In addition, listen carefully to what they say about data protection, and lean in to the conversation when you hear things like “highest levels” of security or “enterprise grade” protections. Those may either be true or just be marketing copy that was never shown to their IT staff.

If the most sophisticated companies (like global financial institutions and major defense contractors) can be hacked, then it seems that anyone can.

And after all, when we used to send board books out by FedEx, they got there on time, but all someone had to do was open the envelope.