Google Privacy Policy & Terms of Service


Internet Protocol (IP) Address Record Storage: Legal Notice and Publication of Agreement

World Wide Web Contract Formation


Google says its privacy policy is effective on users of its search service, even though it does not publish a link to that policy on its main search page, google.com. Its spokesman says users can easily find the policy simply by searching for "google privacy policy." Further, paragraph 7.2 of Google's terms of service declares that users agree (by contract) to Google's privacy policy simply by using Google services. Just as there is no direct link on google.com to the company's privacy policy, there is no direct link to its terms of service. Effectively, Google says: by virtue of our publication of terms, people who use our services are on notice of our terms sufficient for them to form a contract under those terms. In other words, we don't have to specifically call a web user's attention to terms in order for them to be effective.

Case Decisions
Google's position has merit. In this age of information abundance, a contracting party should be able to notify other parties of terms simply by publishing them in an easy-to-find way. That's what happened in the Shell v. Internet Archive and Greer v. 1-800-FLOWERS cases I've discussed previously. (More on the 1-800-Flowers case appears here.)

Publication of Legal Terms is a Two-Way Street
Yet Google should be mindful that publication of contract terms is a two-way street. Just as Google can publish its terms and thereby notify John Q. Public, Mr. Public can publish his own terms. For example, Mr. Public might publish these terms prominently at johnquincypublic.com: "Contract Terms for Search Engines. My name is John Q. Public and my Internet Protocol address is 111.11.111.1. By virtue of providing search services to me, every Internet search engine agrees not to store, for more than 10 minutes, my Internet Protocol address in relation to my search queries. Any search engine that violates the immediately foregoing sentence agrees to pay me $5 per violation, plus any costs, including attorney fees, I incur in collecting such payment."

An alternative: The legal terms above might be published through a web service that aggregates the privacy message from thousands or millions of individual Internet users. Through the service each individual could log their IP address and adopt the no-search-engine-recording-of-IP-address terms. Individuals could install scripts on their PCs to send updated IP addresses to the service automatically. The service would carry added weight if it were operated by a government privacy commissioner, such as from one of the provinces of Canada. See also my article on publication of privacy terms in electronic healthcare records maintained by companies like Google.

Update: Google has added a privacy link to its search home page. My reading is that Google placed the link on its home page in order to comply with a specific California privacy statute, and not because Google believed the link was necessary to enforce its privacy policy under general contract law.

Update:  Historically, public publication of legal notices by government was done through the newspaper. Now, more and more governments are publishing legal notices on their web pages, bypassing newspapers. Eric Sherman, “More Newspaper Bad News: Public Notices Look Elsewhere,” May 25, 2009.


--

[Again, ideas on this blog are not legal advice for any particular situation. They are just ideas for public discussion; comments invited.]

Nix Smoking Gun Text, E-mail, e-Discovery

Self-Regulation In the Networked Age


Cell Phone, Instant Messages (IM) & Twitter in Litigation and Investigations


The Institute for the Advancement of the American Legal System (IAALS) issued a major report on how businesses can prepare for e-discovery. E-discovery is the requirement to disclose relevant electronic records in litigation.

Electronic business records are dangerous because they can evidence illegal or embarrassing conduct. Foolish employee e-mail, IM, text or cell phone messages can be hard for a corporation to defend in court.

So, as a matter of policy, what is a corporation to do?

The usual response is to place e-records on a short retention schedule, like 180 days. But systematic destruction of e-records brings its own troubles. Court cases penalize enterprises for destroying records too early.

So rather than recommend that businesses destroy records quickly, IAALS recommends that businesses organize electronic records so they are easier to search. A key tool for good organization and searching is an e-mail archival system.

The idea is that most businesses, most of the time, try to be ethical and law-abiding. If they can search for and find all their records, they can find the ones that tell a favorable story. On balance the good records will often outweigh the few bad ones.


Managing Risk
An additional response draws from the philosophy that just as information technology breeds risk, it can be used to reduce risk and provide healthy feedback.

Information technology is all about communication. The communication in employee e-mail will sometimes be unfortunate. But the damage from unfortunate messages can be mitigated by positive messages. Technology enables a business to propagate positive messages.

Here is an example of a positive message: "Acme Corporation does not condone unethical, unfair or illegal activity or statements on the part of itself or its employees. The company repudiates any such activity or statement, and wants to correct it if it ever exists. If any person knows of unethical, unfair or illegal activity or statements by the company or employees, Acme asks that person promptly to notify the company." To get this message out, technology affords corporations myriad tools.


Such a message can be posted on web sites and business-oriented social network pages. It can be published in product catalogs or with purchase orders. It can be referenced at the bottom of e-mails or text messages, or in IM sessions. It can be stated in multifarious ways – a corporation can rotate 25 different messages at the bottom of all e-mails. Thus, when bad e-mails are later revealed to an opponent in e-discovery, they include positive statements to temper the negative ones.


The multitude of messages can include humor. A humble example:



Such a message is like the sign on the back of a commercial vehicle: "Report unsafe driving at 1-800-XXX-XXXX." Not only does it hasten the delivery of critical information to the company when it has a problem, it nurtures a culture of honesty and ethical behavior. When an employer repeats a policy through multiple media, employees absorb it.


Legal Incentive
Our legal culture rewards enterprises that genuinely regulate themselves. The Federal Sentencing Guidelines prescribe reduced sentences for corporate criminals that implement programs to deter and report wrongdoing. Government prosecutors are naturally more lenient on defendant organizations that earnestly strive to keep their houses in order. (See the statement of Deputy Assistant Attorney General Robert S. Litt.)


When an enterprise broadcasts it wants to do the right thing, and it requests notice if it is failing, the enterprise casts a burden on its potential adversary (or whistleblower). Effectively the enterprise says, "If you are being mistreated, or if you witness misbehavior, then please tell us now so we can bring it to a swift end and repair the damage." If, after getting this message, an adversary delays in reporting bad news she possesses, she may be opening herself to blame or discredit.


Inspiration from Sexual Harassment Law
Consider the Ellerth/Faragher line of cases in the sexual harassment field. Those cases say an employer is absolved of liability if it maintains a reasonable program against sexual harassment and the harassment victim fails to take advantage of the remedies available under the program.

By the same token, the video above shows a business that is genuinely promoting a program and culture of compliance. If adversaries like regulators, whistleblowers or plaintiff lawyers do not take advantage of that program and report the bad behavior promptly to the business, then the adversaries' credibility diminishes.



Mr. Wright teaches the law of data security and investigations at the SANS Institute.

New for 2012: How to archive text messages as legal evidence.

For more corporate record retention, see my article on e-mail archives.

Secure e-Signature Law

Electronic Signatures in Global and National Commerce Act (E-SIGN)


In some countries electronic signature law wrestles with whether a signature must be secure to be legally effective. An outstanding work in this field is Electronic Signatures in Law by Stephen Mason. Mr. Mason analyzes e-signature legislation and case law from around the world.

The History of Secure e-Signature Law

In the mid-1990s, an influential school of thought held that e-commerce needed reliable digital signatures (based on public key infrastructure, or PKI), and reliability required government licensure and regulation. This school of thought led to adoption of the pioneering Utah Digital Signature Act of 1995, which unabashedly aimed to promote PKI digital signatures. At the time the Utah Act attracted much attention and inspired similar legislation in other states such as Washington and in other countries such as Malaysia.

A related school of thought said law should favor secure or advanced forms of e-signatures over other kinds of e-signatures, such as voice signatures. For this school of thought, "secure" or "advanced" e-signatures was code language intended for PKI digital signatures (although the school's champions struggled to develop definitions for "secure" or "advanced" that achieved their goal of advancing PKI while locking out its competitors). This school of thought led to adoption of influential regulations by the California Secretary of State and strange legislation in Illinois.

These two schools of thought (I'll call them the secure-signature movement) were vocal in the US through the end of the 1990s.

Secure e-Signature Law Died in US

As US legal experts drafted national legislation for e-commerce (E-SIGN for federal law and UETA for state law), the secure-signature movement advocated special favor for digital signatures, or at least special favor for secure or advanced signatures. The debate was intense, but the secure-signature movement lost. Fortunately, E-SIGN and UETA became the law in the US. E-SIGN and UETA are technology neutral and do not favor digital signatures or secure/advanced signatures. For this reason, we in the US have largely liberated ourselves from the distractions caused by the secure-signature movement.

And, as Mr. Mason indicates on page 586 of his book, Utah formally repealed its Digital Signature Act in 2006. Utah's repeal was the coup de grâce for the secure-signature movement in the US.

Secure e-Signature Law Lives in Europe and Causes Confusion

In Europe, however, the secure-signature movement was more influential. The European Union’s Directive on electronic signatures elevates “advanced” (or more secure) electronic signatures over other kinds of signatures. See Mr. Mason’s Chapter 4.

It has been eight years since the EU’s Directive went into effect, and its elevation of advanced signatures has come to nothing but trouble. As Mr. Mason explains on page 144, a Finnish court denied effect to an e-mail because it was not authenticated with an advanced e-signature. But as Mr. Mason says on page 161, advanced e-signatures (digital signatures) have been a commercial failure in Europe. PKI vendors have not been able to offer digital signatures in a way that appeals to users. What does this mean? It means the EU adopted a directive that lends special emphasis and support to a technology that exists more in theory than practice. Such lawmaking confuses both courts (like the one in Finland) and the public, and retards the adoption of e-commerce.

Mr. Mason astutely observes: "[I]t is to be wondered why the digital signature (which is, arguably, a flawed concept looking for a problem to solve) is considered to be so important by some legislators."

For More Information

Electronic Signatures in Law (Second Edition) is published by Tottel Publishing.

For more on electronic signatures, see demonstration of webcam signature to preserve evidence in a cyber investigation.

Update: A new case, Kerr v Dillard Store Services, Inc, ___F.Supp. 2d___(D. Kans. February 17, 2009), invalidated an employee's so-called electronic signature on an online arbitration agreement. The employer was not able to produce enough evidence of password reliability and e-mail accountability to support its contention that the employee had approved the agreement. My analysis:  The same outcome could be possible had the alleged signature been a PKI digital signature.  Just as the signature in this Kerr case was unprovable because there was inadequate evidence of password reliability, a PKI digital signature can be unprovable if there is inadequate evidence that the password protecting the PKI private key is reliable.

Update 2014:  A problem with legislation that holds PKI digital signatures to be powerful legal signatures is that it invests great authority in the signer's private key. But when so much authority is invested in a single bit of code (the private key), hackers have much incentive to steal it. See stories about hackers stealing private keys from entities like Sony Pictures. Similarly, hackers have stolen the private keys that control valuable Bitcoin. For that reason Bitcoin is evolving to a multi-signature model, so that less power resides in any given private key.

--