2H 2019 and Q1 2020 Quick Links, Part 5 (Privacy)
* Campbell v. Facebook, No. 17-16873 (9th Cir. March 3, 2020): “Plaintiffs identified a concrete injury by claiming that Facebook violated ECPA and CIPA when it intercepted, catalogued, and used without consent URLs they had shared in private messages.”
The General Data Protection Regulation (GDPR) “Right of Access” grants (European) natural persons the right to request and access all their personal data that is being processed by a given organization. Verifying the identity of the requester is an important aspect of this process, since it is essential to prevent data leaks to unauthorized third parties (e.g. criminals). In this paper, we evaluate the verification process as implemented by 55 organizations from the domains of finances, entertainment, retail and others. To this end, we attempt to impersonate targeted individuals who have their data processed by these organizations, using only forged or publicly available information extracted from social media and alike. We show that policies and practices regarding the handling of GDPR data requests vary significantly between organizations and can often be manipulated using social engineering techniques. For 15 out of the 55 organizations, we were successfully able to impersonate a subject and obtained full access to their personal data. The leaked personal data contained a wide variety of sensitive information, including financial transactions, website visits and physical location history. Finally, we also suggest a number of practical policy improvements that can be implemented by organizations in order to minimize the risk of personal information leakage to unauthorized third parties.
* Mirlis v. Greer, 952 F.3d 51 (2d Cir. March 3, 2020):
We have not set an absolute rule that the public availability of a deposition transcript guarantees the court’s protection of a deposition video, nor do we do so now. As we observed in CBS, “[v]ideotaped depositions … convey the meaning of testimony more accurately and preserve demeanor evidence as well.” 828 F.2d at 960. These undoubtedly are valuable components of the truth-finding process. The general rule of production that we applied in 1987 in CBS thus remains vital today. But we must also acknowledge what has changed since we decided CBS in 1987: The astonishing and pervasive rise of the Internet; the attendant ease with which videos may be shared worldwide by individuals; and the eternal digital life with which those videos are likely endowed by even a single display online. These are all factors that multiply and intensify the privacy costs to the individual of releasing sensitive videos; those costs are undeniably greater than what they might have been 30 years ago. Whereas the subject of a video deposition made public in 1987 may have suffered brief notoriety and embarrassment as the subject of an evening’s newscast, today, Hack could reasonably fear that, for the rest of his life, this video would be the first result of an internet search for his name. Given the proliferation of smartphones and improved digital streaming capabilities, he could also reasonably expect, as a schoolteacher and father, that his students and his children would view the video not only at home, on family computers, but possibly also during (his) class, on their cell phones. Common sense and over two decades of widespread and constant use of the Internet are sufficient to tell us that a video of a person describing details of his abuse is likely to garner more attention, be distributed more widely, and last longer in the public’s attention than are copies of a transcript or even local news articles.
* Ching v. Dung, 2019 WL 3822327 (HI Ct. App. Aug. 15, 2019):
The Dungs also argue that the Facebook posts are not actionable as an invasion of privacy because the posts do not actually name Ching. However, the Facebook posts contain video footage of Ching, pictures of Ching and her vehicle, images of Ching’s house, and comments about Ching’s personal life, such as, “she’s had so many different men going up and down. Our driveway. On this morning the guy driving her is-not the same one she returned with later that night. … He just spent the night.” Courts generally require that a plaintiff be reasonably identifiable to support an invasion of privacy claim. Here, we conclude that there was sufficient evidence for a jury to find that Ching’s identity was reasonably identifiable from the Dungs’ Facebook postings.
* Dancel v. Groupon, No. 19-1831 (7th Cir. Dec. 18, 2019):
Instagram usernames identify only Instagram accounts. The IRPA, however, requires more than that. It demands that an attribute, even a name, serve to identify an individual. And not just an individual but “that individual,” the one whose identity is being appropriated…. Some Instagram usernames—maybe a great many of them—might qualify as identities under the broad definition in the IRPA. An ordinary, reasonable viewer might recognize that meowchristine serves to identify Christine Dancel, or that isa.tdg, artistbarbie, and loparse serve to identify their respective users. We cannot say. What we can say is, under the IRPA, that ordinary, reasonable viewer would need to have evidence of which username, which account, and which person it was linking before it could make that decision. This individualized evidentiary burden prevents identity from being a predominating common question under Rule 23(b)(3).
* NY Times: One Nation, Tracked
* NBC News: Can privacy be big business? A wave of startups thinks so.
* NY Times: What Does California’s New Data Privacy Law Mean? Nobody Agrees
* More people are staying offline due to privacy fears, Oxford research warns
* WSJ: How the 1% Scrubs Its Image Online