Nov 302011
 November 30, 2011  Posted by  Breaches, Business, Court

Based on comments I’ve read around the web, this blog may be one of the few that thinks an actress who sued IMDB for revealing her true birthdate raised some legitimate concerns (other coverage on this blog here and here).

But Eriq Gardner reports that the actress just got some probably welcome support from an executive and general counsel for the Screen Actor’s Guild, who not only supported her request to sue as Jane Doe, but backed her claim that IMDB listing real ages of actors/actresses over 40 is harmful to their chances of getting jobs.

Read more on Hollywood Reporter, where you can also read his declaration to the court.

Even if IMDB obtained her true birthdate through means other than her credit card-related info, I don’t see where their policy permits this.  As a reminder, the relevant portion of their policy says:

Information from Other Sources: For reasons such as improving personalization of our service (for example, providing better movie recommendations or special offers that we think will interest you), we might receive information about you from other sources and add it to our account information. We also sometimes receive updated delivery and address information from other sources so that we can correct our records and deliver your next communication more easily

That suggests to me that information added to the account is done so for the benefit of the paid subscriber. If a subscriber chooses to keep their birthdate private, how can IMDB claim that their revelation of the data improves personalization of their service or in any way benefits the subscriber?

So I’ll just stay in the minority on this one and wait to see what happens.  But those who believe in user control of information might want to get behind Jane Doe instead of ridiculing her for this lawsuit.  You may not care about her age, but I bet you do care and would care if a service you paid for revealed your personal information and the information resulted in you losing job opportunities.

Nov 302011
 November 30, 2011  Posted by  Non-U.S., Surveillance

R. Jai Krishna reports:

India’s federal home ministry is examining a report by an expert panel on monitoring data transmitted though telecommunications networks after security agencies and a technical committee failed to find a way to decrypt some of the data, the government said Wednesday.


Security agencies have been able to access telecom services, including Blackberry, through interception and monitoring facilities provided by service providers, junior Telecom Minister Milind Deora told lawmakers in the lower house of parliament.”However, security agencies have intimated that they are not able to decrypt some of encrypted intercepted communication.”

Read more on Total Telecom

So what next? Will they ban encrypted communications? How much more will Blackberry and other service providers bend over?

Nov 302011
 November 30, 2011  Posted by  Business, Surveillance

The Carrier IQ kerfluffle that came to light after a researcher, Trevor Eckhart, revealed some really spooky snooping took a wicked turn. Andy Greenberg reports:

A piece of keystroke-sniffing software called Carrier IQ has been embedded so deeply in millions of Nokia, Android, and RIM devices that it’s tough to spot and nearly impossible to remove, as 25-year old Connecticut systems administrator Trevor Eckhart revealed in a video Tuesday.

That’s not just creepy, says Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School. He thinks it’s also likely grounds for a class action lawsuit based on a federal wiretapping law.

Read more on Forbes.  David Kravets had reported on this matter yesterday on Threat Level.

The Mountain View, California-based firm is really getting a lot of bad press since Trevor Eckhart published his findings.  First they threatened to sue him – until EFF jumped in to defend him and made them see the errors of their way.  Now this.  Watch the video and be … appalled… offended… furious:

Somewhat ironically, Carrier IQ’s most recent tweet, on November 21, was “Understanding the experience of the mobile user.” I guess they meant really, really, really, REALLY understanding the experience.

But not everyone agrees with Professor Ohm’s opinion that Carrier IQ could be facing a criminal wiretap charge or massive class action lawsuit. In a post on Pastebin today, security researcher Dan Rosenberg writes, in part:

After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they’ve publicly claimed: anonymized metrics data.  There’s a big difference between “look, it does something when I press a key” and “it’s sending all my keystrokes to the carrier!”.

In response, Professor Ohm tweeted

Wiretap only if one “acquires” content, so maybe a defense, but “anonymized metrics data” may be content.

I guess we’ll have to wait to see if federal prosecutors charge the firm. What’s more certain is that at least some lawyers will rush to file a civil suit.

Nov 302011
 November 30, 2011  Posted by  Breaches, Court, Featured News

The Supreme Court heard oral argument today in a privacy case that hasn’t gotten nearly as much attention as United States v. Jones. In Federal Aviation Administration v. Cooper, the Court considers whether under the Privacy Act of 1974, an individual can sue the government for emotional distress caused by a privacy breach if there is no other “injury.” The transcript of the argument is available on SCOTUS’s web site.

Reading the transcript, it appears that counsel for the government, Eric Feigin, didn’t get far into his argument that Congress intended to limit compensation to “actual damages” before Justice Ginsburg jumped in and challenged him as to whether emotional distress was an actual injury:

MR. FEIGIN: Your Honor, the term “actual injury” and the term “actual damages,” those are ambiguous terms. Sometimes they might include emotional distress and sometimes they might not.
JUSTICE GINSBURG: Well, let’s take this case. Did the plaintiff suffer an actual injury?
MR. FEIGIN: He did not -­
JUSTICE GINSBURG: At least, did he allege that he had suffered an actual injury?
MR. FEIGIN: He did not suffer actual damages within the meaning of the Privacy Act.
JUSTICE GINSBURG: I didn’t — I didn’t ask you that. I asked you did he suffer an actual injury, as opposed to someone who is complaining about something — an abstract right or an abstract theory?
Is there an actual injury here?

Feigin acknowledged that Cooper had suffered an adverse effect which gave him standing, but noted that suffering an adverse effect doesn’t mean he suffered actual damages. That’s when Justice Sotomayor chimed in and questioned him about “general damages” vs. “actual damages.” Feigin argued that emotional distress would fall under “general damages,” and Congress had not provided a remedy for that in the Privacy Act.

Justice Kennedy helped clarify the issue:

JUSTICE KENNEDY: Are there instances where, if there is an invasion of privacy and there is a documented trauma from psychosomatic illness with medical expenses and lost wages, is that special? Is that actual damage?
MR. FEIGIN: Yes, Your Honor. If there are documented medical expenses that were out-of-pocket expenses, then we think, even if they arise from emotional distress, they would be pecuniary harm and
could be compensated under the Privacy Act.

Other than the one interjection by Justice Kennedy, only Justices Ginsburg and Sotomayor questioned Mr. Feigin (Justice Kagan having recused herself from this case).

When counsel for Cooper, Raymond Cardozo, got up to argue, Justice Alito immediately jumped in, followed by Justices Kennedy, Breyer, Scalia, and Chief Justice Roberts. Justice Scalia seemed to view the government’s violation of the Privacy Act as a “picky, picky” one:

You are not doing the kind of thing that constitutes an invasion of privacy under State law. You just failed, intentionally failed, to follow the very detailed and as I say picky, picky prescriptions contained in the Privacy Act. To say that you get emotional distress for that as opposed to genuine — what I would call genuine privacy incursions, which State law covers is a different question.

Overall, the debate seems to be about what Congress intended with respect to emotional distress as a harm in the Privacy Act, and whether such harm falls under “special damages” or “general damages.” Complicating the issue greatly is that Congress had referred a question for post-legislation consideration and had used its own idiosyncratic term, “actual damages” which makes relating its language to common law more difficult. As Justice Sotomayor asked Mr. Feigin during his rebuttal:

Counsel, you seem to be arguing throughout that general damages meant actual damages, when general damages, in my understanding, meant two things: presumed and actual. So why is it illogical for Congress to look at what general damages meant, and pick the meaning that included proven damages, actual?

Finally, in his closing minute of rebuttal, Feigin summarizes the government’s argument succinctly:

Congress didn’t provide emotional distress awards when it passed the act in 1974, it never amended the act to include them, and the act does not provide for them.

Did Congress intend to provide a remedy for those who have (only) been emotionally harmed by a willful breach by a federal agency? Mr. Cardozo convinced me, but we’ll have to wait to learn if he convinced the justices.

For background on Federal Aviation Administration v. Cooper, see SCOTUSblog.