In a major setback for privacy advocates who seek to preserve the confidentiality of consumer data, the New York Supreme Court recently ruled that Facebook lacks legal standing to challenge search warrants on behalf of its users. The case pits Facebook against the government, which had requested account data for 381 Facebook users as part of an in-depth investigation into over 1,000 people who allegedly cost the government over $400 million in benefits due to false disability claims.
The government demanded that Facebook hand over all of the account information of the 381 users and sought to place a gag order on Facebook, forbidding it from notifying any user that his or her account information was being investigated. Facebook challenged the warrant, arguing that the request for the data was overbroad. In fact, although the government only ended up primarily using photos from 130 user accounts and only 62 users were charged with a crime, it held all of the photos, biographical information, and message history from all 381 accounts. Facebook asked that the government’s request be limited, as holding such a massive amount of information was unnecessary in Facebook’s eyes. Facebook also argued that the gag order violated the company’s privacy policies, and it owed a legal obligation to its users to notify them if their information was being used by a third-party.
The court rejected Facebook’s arguments. The court reasoned that the government’s request was lawful because procedural safeguards were in place to ensure the constitutionality of any seized evidence, such as probable cause and an examination of the evidence’s admissibility. The court further stated that the government held the authority to gather such a large amount of data because, as the court put it: “In the course of a long-term criminal investigation, the relevance or irrelevance of items seized within the scope of a search warrant may be unclear and require further investigatory steps.” As for the gag request, the court held that any knowledge of the investigation outside of the court could have resulted in the tampering with vital evidence, as users could have altered profile information had they known their accounts were being investigated. The court’s decision stands as a warning to social media users to be wary of the vast amounts of data they upload to companies who might be asked to turn that data over to the government.
[back to top]
The National Labor Relations Board (NLRB) has struck down many social media policies as unlawfully restrictive and overbroad. However, a recent NLRB decision suggests that the NLRB might be open to permitting more restrictions on social media use by employees.
In this decision involving Landry’s, a/k/a Bubba Gump Shrimp Restaurants, Inc., the NLRB analyzed the legality of a company policy which discouraged employees from posting information that could “lead to morale issues in the workplace or detrimentally affect the Company’s business.” The NLRB’s primary concern was whether this language could reasonably be construed to chill employees’ so-called “Section 7” rights to engage in “concerted activity” under federal law. Concerted activity could include such things as organizing a union, discussing or complaining about working conditions, or seeking higher pay or better benefits.
Although the NLRB’s General Counsel argued that the policy was unlawful because employees could reasonably construe its language to prohibit protected activity, the NLRB disagreed, stating that the policy does not prohibit employees from posting job-related information or even personal co-worker information. Instead, it just asks employees to avoid using language that could “create morale problems.”
While the NLRB decision can still certainly be regarded as the exception to the Board’s typical stance regarding social media policies and protected concerted activity, it will be interesting to see how broadly or narrowly the Board will construe a company’s concerns over “morale problems” in future cases.
[back to top]
Imagine driving 70 miles per hour down a highway when your steering wheel suddenly turns on its own and you are unable to regain control no matter how hard you try. Then, although it’s sunny, the windshield wiper turns itself on and wiper fluid sprays the glass. The radio changes stations and the volume goes to full blast. Next, your brakes stop working. In seconds, you have lost complete control of your car – and the culprit was someone on a laptop in another state.
“This is a reality,” says well-respected security researcher Charlie Miller. In a recently conducted experiment that tested the security limits of internet-connected cars, Miller and his colleague Chris Valasek were able to create the disturbing above scenario by wirelessly hacking into a Jeep Cherokee using a laptop and cellphone. The two were able to gain complete control of a vehicle located miles away, even eventually steering the car into a ditch. As automobile manufacturers are rushing to be at the forefront of the “smart” car race, the spectacle of new technological features has proven to oftentimes overshadow an imminent need for cybersecurity standards, especially when the features’ data is shared over the Internet. It is estimated that approximately 500,000 internet-connected vehicles may be at risk of an attack.
As of now, there appears to be only one other documented vehicular hack. In 2010, an employee remotely disabled 100 cars in an attempt to force customers into making payments on the cars. Not surprisingly, Miller and Valasek have expressed genuine concern over the potential harm that could ensue if lawmakers and automobile manufacturers do not take immediate action. The two men have shared their findings with lawmakers and car companies; Chrysler has released a manually-implemented patch, and the U.S. Senate has proposed a bill entitled the “Security and Privacy in Your Car Act of 2015 (“SPY CAR Act”), which calls for heightened evaluation of systems for security vulnerabilities, capabilities to report and stop unwarranted data collection and interception, and the implementation of a cyber-dashboard on all vehicles manufactured after the bill becomes law.
The cyber dashboard would “inform consumers through an easy-to-understand, standardized graphic, about the extent to which the motor vehicle protects owners, lessees, drivers, and passengers beyond” certain minimum requirements. Consumers would also have the option to opt-out of any data collection while still retaining tools and features, such as a GPS system, as long as the data is not used for safety systems, or other “regulatory compliance programs.” As technology progresses at a rapid rate, it will be interesting to see not only how vehicle features advance over the years, but also how legislators and manufacturers ensure the security of these features so consumers can use them safely. Finally, another substantial unanswered question remains: will standard car insurance coverage apply to accidents and injuries caused by carhacked vehicles? Only time will tell.
[back to top]
NOTE: The editor wishes to thank his college intern, Celine DeSantis, for her excellent work in connection with this DISPATCH and other social media articles this summer.