Yottabytes: Storage and Disaster Recovery

December 20, 2015  7:51 PM

Oh, Go On, Use That Work Database for Anything You Want, Court Rules

Sharon Fisher
Database, privacy, Security

A U.S. appellate court has recently ruled that violating rules about the use of databases at work isn’t subject to criminal penalties, which opens the potential for all sorts of interesting possibilities.

Of course, this particular case was interesting enough on its own: a police officer who used a police department database to look up information about women he wanted to kill, cook, and eat.

“Former New York City Police Officer Gilberto Valle was found guilty at trial in March 2013 of conspiring to kidnap women and illegally accessing a police database to collect information on potential victims,” writes Joseph Ax for Reuters. But the 2nd U.S. Circuit Court of Appeals in New York vacated his conviction for using the database, “finding that federal law does not prohibit individuals from accessing a computer they are normally authorized to use, even if they do so for an improper purpose,” he continues.

“As an NYPD officer, Valle had access to the Omnixx Force Mobile (“OFM”), a computer program that allows officers to search various restricted databases, including the federal National Crime Information Center database, which contain sensitive information about individuals such as home addresses and dates of birth,” the court writes. “It is undisputed that the NYPD’s policy, known to Valle, was that these databases could only be accessed in the course of an officer’s official duties and that accessing them for personal use violated Department rules. In May 2012, he accessed the OFM and searched for Maureen Hartigan, a woman he had known since high school and had discussed kidnapping with Aly Khan. This access with no law enforcement purpose is the basis for the CFAA charge.”

Prosecutors also used Valle’s illicit research in the database as evidence that he was actually planning to carry out some of his fantasies, for which he was also charged and which the appellate court also threw out because they felt he was simply expressing fantasies. “Valle was not accused of harming any women,” Ax writes. “Instead, prosecutors said he discussed with other online enthusiasts his intention to abduct, torture, cook and eat women.”

Not men, though, because, you know, that would be weird.

The computer charge hinged on the Computer Fraud and Abuse Act (CFAA), and the court reversed the conviction because it was concerned that upholding it would give the government too much power, writes Justin William Moyer in the Washington Post. “While the Government might promise that it would not prosecute an individual for checking Facebook at work, we are not at liberty to take prosecutors at their word in such matters,” he quotes from the opinion. “A court should not uphold a highly problematic interpretation of a statute merely because the Government promises to use it responsibly.”

The problem with the prosecutor’s initial argument, writes Orin Kerr for the Volokh Conspiracy, is that various parts of the law and other courts had used the CFAA to make largely artificial distinctions between the notion of illegal “access” vs. illegal “use” – which, taken to their logical extreme, could make playing Freecell or using Facebook on a work computer a criminal offense. “Playing solitaire or using Facebook plainly satisfies this element,” he writes. “When you play solitaire, you enter in commands to see cards. You therefore obtain information about your cards from the computer accessed. And when you spend time on Facebook, you’re constantly seeing new text, pictures, and videos that you hadn’t seen before you logged in. You are ‘obtaining information’ for purposes of the statute.”

Valle did have access to the National Crime Information Center database in the normal course of his job, and the way the CFAA is written, he could only be charged under it if he was gaining access to information he was not entitled to in any way, writes the Electronic Frontier Foundation in its amicus curiae on the case. (If you’re just dying to read the argument yourself, it’s pages 28-38 in the court’s ruling, and 24-34 in the dissent.)

Consequently, Kerr didn’t feel that Valle was guilty under that charge. “If violating a written restriction on a computer is an unauthorized access, then pretty much everyone is a criminal,” he writes. “That includes me, as I have even testified to Congress about one of my many violations of written restrictions on computers: My Facebook account says I live in Washington, DC, although I actually live in Arlington, VA.”

On the other hand, one wonders, what sorts of shenanigans with work computers are now considered legal due to this ruling? Are there people (other than the mom who created a fake MySpace account for the purposes of harassing one of her daughter’s classmates) who have been charged under this law who should now go free? Is there any activity with a work computer that can still be considered criminal, or is it at this point only a matter of workplace discipline?

Ultimately, the case could go to the Supreme Court, writes Noah Feldman, a professor of law at Harvard University and a columnist for Bloomberg View. “This issue has split the federal courts of appeal, with four adopting the government’s view, and now three saying that under the rule of lenity, an ambiguous criminal statute ought to be read restrictively and in favor of the defendant,” he writes. “The 2nd Circuit’s worry is that a broad reading of the statute turns every violation of an employer’s computer rules into a violation of federal law. That would certainly be an overreading of the statute, not to mention bad policy. The split means the Supreme Court should resolve this issue — possibly even in an appeal in this case.” It also seems likely that the CFAA should be modified to be more clear.

December 11, 2015  12:10 AM

Betamax Goes the Way of the Cassette

Sharon Fisher

First it’s the cassette. Now it’s Betamax. What’s a tech geezer to do?

Sony – which, surprisingly, was still making them, more than ten years after it quit making Betamax players – recently announced it was going to stop manufacturing Betamax tapes no later than March, after introducing the machine in 1975.

“Assumed already dead by many, the final Betamax cassette will roll off the production line in March 2016 as its maker concedes defeat to the march of time, 20, maybe 30, years late,” writes Samuel Gibbs in the Guardian.

Now, to all you whippersnappers out there who don’t recognize the significance of this action, Betamax – essentially the first popular consumer video recording device – is what gave you the privilege of still watching The Walking Dead or Game of Thrones if you’re busy when it airs. It was a seminal Supreme Court case, filed against Sony over the Betamax, that determined that making recordings of TV shows for yourself was fair use.

“For the first time ever TV fans weren’t tied to their local stations’ schedules,” reminisces Douglas Perry in the Oregonian. “No longer would kids have to run home from the school bus to avoid missing the first five minutes of Scooby-Doo. No longer would their parents have to cut out of the neighbor’s cocktail party after only two drinks so they could catch Hill Street Blues. They could watch their favorite shows whenever they wanted to.”

The court ruled that, even if some copyright infringement might occur, the right of the consumer was paramount. “Even if it were deemed that home-use recording of copyrighted material constituted infringement, the Betamax could still legally be used to record noncopyrighted material or material whose owners consented to the copying,” says the decision. “An injunction would deprive the public of the ability to use the Betamax for this noninfringing off-the-air recording.”

“The ruling opened the door for TiVo and other digital gadgetry in the home, then helped defend an assortment of Web-based services with both infringing and non-infringing uses, such as YouTube and other user-generated content sites and Dropbox and other online storage services,” wrote the Los Angeles Times in an editorial on the 30th anniversary of the case.

Of course, even if the Supreme Court had ruled the other way, the horse was out of the barn by then, writes the Museum of Broadcast Communications. “Although the U.S. Court of Appeals reversed the lower court’s decision in October 1981, the decision, if it were to stand, would have been impossible to enforce,” the organization writes. “The home video market had been expanded enormously since the start of the case; VCR sales had increased from 30,000 sets a year in 1976 to 1,400,000 a year in 1981.”

Sadly, Sony never got to enjoy the fruits of its success. A year after the Betamax was introduced, JVC introduced VHS (for Video Home System, who knew?), which within another year was eating Betamax’s lunch, and eventually killed it. This was even though Betamax reportedly offered better features – “more accurate colour replication, superior resolution and smaller tapes,” writes Stuff. (In fact, the format is still used in the industry, such as for making aircheck tapes.)

“In its first year of sales, VHS took 40% of Sony’s business,” writes Marc C. Scott in The Conversation. “By 1987, 90% of the US$5.25 billion VCR market sales were VHS. Furthermore by 1988, 170 million VCRs had been sold worldwide, of which only 20 million (12%) were Betamax.”

Sales of Betamax videocassettes reached their peak in 1984 (coincidentally, the year the Supreme Court ruled on the case), when Sony shipped 50 million units, writes Robert Hackett in Fortune. “Soon after they became obsolete, living fossils.” By 2002, the company stopped making the machines, after having manufactured 18 million of them, he adds.

What was the fatal blow? Some people like to blame the porn industry.

There are two theories. The first is the claim that, as with the Blu-ray format (also produced by Sony), the pornography industry killed Betamax by preferring the VHS format. The second is that Sony indirectly killed Betamax by not allowing porn producers to use the format.

As it turns out, it’s more a correlation than a causality. First of all, some porn was manufactured for the Betamax, though it is true that Sony frowned on it. Second of all, to the extent that porn manufacturers picked VHS, they did so for the same reason that the majority of consumers were choosing it – and it wasn’t because consumers preferred lousier pictures.

A number of factors contributed:

  • As in the PC vs. Apple battles, Sony was more restrictive in its licensing policies, so there were fewer Betamax than VHS manufacturers, meaning machines were more expensive and less common. (Especially with the first model, which was actually built into the television and cost $2,295, while a one-hour cassette cost $15.95.)
  • Because VHS machines were more plentiful, providers were also more likely to make their content available on VHS, and consumers became more interested in renting or buying content than recording it themselves.
  • Because content was more available on VHS, stores (remember Blockbuster?) tended to stock more VHS than Betamax tapes for rental or purchase.

And this became a vicious circle. The more people bought VHS systems, the more content was available for them, and consequently the less space was devoted to Betamax systems and content.

“VHS became a more open and widely adopted format for the video cassette, which resulted in a larger economy of scale, allowing VHS to beat Betamax on price,” Gibbs writes. “That greater adoption and lower cost saw the pornography industry pick VHS as the format of choice for its home videos, which is largely considered the turning point that propelled VHS to victory.”

Moreover, while Betamax tapes offered better quality, that quality came at a price: The tapes would only last 90 minutes, at most, at a time. This meant you couldn’t go out while recording a two-hour movie or sporting event, which defeated the whole purpose of having a VCR in the first place.

“Betamax was the first successful consumer video format, and at one time it had close to 100% of the market,” writes Jack Schofield in the Guardian. “All of the video machines in use and all of the pre-recorded movies were Betamax. It had a de facto monopoly, and an element of lock-in (because of tape incompatibilities). It lost because, at the time, it could not do what consumers wanted: record a whole movie unattended.”

Meanwhile, VHS tapes continue to be produced, according to Gibbs, even though they, too, have been superseded by other technology.

Still have a Betamax machine for which you need blank tapes or recorded content? Or do you still have Betamax content you’d like to be able to watch? Cheer up. There’s always eBay.

November 30, 2015  2:49 PM

13 Ways (Besides the Obvious) Trump’s ‘Muslim Database’ is Bad

Sharon Fisher
Database, privacy, Security

Republican Presidential candidate Donald Trump recently indicated that he would at least consider setting up a database to track Muslims. While he’s since to some degree backed away from it, it still makes an interesting thought experiment in the context of database design and public policy – if only to point out how very, very fraught such a thing would be.

Needless to say, the whole notion of such a database is problematic. Any student of American history, from the Japanese internment to McCarthyism, can explain this. But simply as a technical issue, here are all the reasons it’s impractical.

  1. How do we define “Muslim”? Self-defined? Your parents were? What if one parent was? How devout do you have to be to “count”? (Theoretically, the U.S. could use the definition of Jewish that the Nazis used, but that might be politically unpopular.)
  2. Similarly, which people “in” the U.S. would need to register? Citizens? Students? (That should go over well with the colleges and universities that count on foreign student tuition.) Visitors? How long do you have to be in the country before you sign up? Do they get removed from the database when they leave?
  3. Just what information is going to be tracked? And how does it get updated when it’s changed? Keep in mind how challenging it is even to ensure that voter rolls are kept up to date.
  4. How do you get people to sign up? If it’s voluntary, do we really think that people with terrorist leanings are going to meekly put their names on a database? If not, how do you enforce signups? Where do you get the data to begin with to find the people you want to sign up? The census, for example, no longer tracks religion.
  5. On the other hand, how do you keep non-Muslims from signing up as an “I am Spartacus” act of protest? Following the (sadly untrue) story that, during World War II, King Christian of Denmark wore a yellow star to show solidarity with Jews, a number of people have already indicated that they plan to identify as Muslim should any such system be implemented. Do we just shrug and say ok, if you want to say you’re Muslim, you are?
  6. If you don’t just register yourself, how do you deal with false positives? Remember that even Senator Ted Kennedy has been put on a terrorism no-fly list.
  7. Who’s going to provide this database? While companies such as IBM reportedly worked with the Nazis during World War II, many vendors these days consider themselves progressive. It’s difficult to believe, for example, that Google or Facebook would cooperate with such an effort.
  8. Similarly, who’s going to set this up and work on it? Presumably this would be a government effort, perhaps through the Department of Homeland Security. But how many techies are actually going to consent to work on this? It doesn’t seem like the sort of project where outsourcing is going to be a good idea, you know?
  9. More to the point, how do you ensure that protesting techies don’t sabotage it in some way? Does anyone think that Anonymous – which is doing its own work to help reduce terrorism – is going to let this database stay up and functioning properly for more than ten seconds? Won’t an effort like this spawn a dozen Edward Snowdens who want people to know what their country is doing?
  10. Aside from the politically motivated hackers, how is the database going to be secured, both for the amount of personally identifiable information it would have and from the people who might decide to use it to take out their Muslim neighbors?
  11. How much is this going to cost? And where’s the money going to come from? Michigan, for example, has paid HP $33 million to develop a replacement for its Secretary of State’s system. The state’s population is about 9 million, right in the 5 to 12 million range estimated for the number of Muslims in the U.S.
  12. How long is this going to take? Going back to Michigan, the state is now suing HP for $49 million after the company took more than ten years and still didn’t deliver a working product.
  13. Finally, keep in mind that every organization from the ACLU to the EFF would be taking the government to court on this, which would mean development would take even more time.

In short, even if this database were a good idea, it would be years before the data could be used. Hopefully, by then, we’ll have wised up.

November 24, 2015  11:57 PM

How You’re Helping Governments Build Facial Recognition Databases

Sharon Fisher
Biometrics, Facial recognition, privacy, Security

Smile. You’re on the government’s camera.

Increasingly, governments are able to identify people using facial recognition software, and are collecting databases of people’s faces – not just criminals, but regular, ordinary people. Generally, there are no laws against it.

And what’s more, we’re helping them do it.

Collectors of such images range from border security to law enforcement organizations to even retailers. “Before taking her away, Officer Rob Halverson paused in the front yard, held a Samsung Galaxy tablet up to the woman’s face and snapped a photo,” writes Ali Winston, of a program in San Diego. “Halverson fiddled with the tablet with his index finger a few times, and – without needing to ask the woman’s name or check her identification – her mug shot from a previous arrest, address, criminal history and other personal information appeared on the screen.”

Photos used in the system come from the statewide law enforcement database, which includes 32 million driver’s license photos, Winston writes. The county is also looking at using mug shots from statewide gang and parolee databases, he adds.

Similarly, Australia announced earlier this year that it was spending $18.5 million to create a database of facial photos – including photos from Facebook and Instagram – for use in federal law enforcement. “The images can come from drivers’ licences, passport photos or security cameras in your local shopping center,” write Margot O’Neill and Amy Sherden for ABC Australia.

The FBI has a similar program. Incidentally, the system has a 20 percent failure rate in terms of identification.

There’s also the security aspect. “If your passport, credit card, PIN or tax file number are compromised due to a security breach, they can be replaced fairly easily,” writes Adam Molnar in The Conversation. “Not so with your facial features. If a biometric database is hacked, the information can potentially be abused by criminals over your entire life.”

Coincidentally, there’s suddenly a swarm of games out there that seem to have the goal of collecting facial photographs. Earlier this year, Microsoft’s “How Old Do I Look” analyzer swept through Facebook. Were the results right? Were they wrong? Who cares? The point is, within a few hours, Microsoft had tens of thousands of new facial photographs.

“Proposed uses include verifying whether two faces in separate photos belong to the same person, or using one person’s photos to find him or her in multiple other photos,” writes CBC News. You know, like searching photos of a demonstration to identify protesters.

For what it’s worth, the developers now say the site doesn’t save the photo. “No we don’t store photos, we don’t share them and we only use them to guess your age and gender,” write Corom Thompson and Santosh Balasubramanian, engineers in Information Management and Machine Learning at Microsoft, in a blog post about it. “The photos are discarded from memory once we guess. While we use the terms of service very common in our industry, and similar to most other online services, we have chosen not to store or use the photos in any way other than to temporarily process them to guess your age.”

But even assuming that’s true, how many people even thought about that aspect before trying to find out how young they looked? Even without saving the pictures, the database now has a lot more practice identifying people. And just because this app doesn’t save photos, how about other apps?

More recently, there’s the “My Most-Used Words on Facebook” app, which looks not only at the words you’ve posted in the past year but at every picture that’s been posted – which most people didn’t even notice, writes Paul Bischoff. “Over 16 million people have agreed to give up almost every private detail about themselves to a company they likely know nothing about just to play a quiz,” he writes. In addition to a boatload of information about yourself and your friends, it also has access to all the photos you’re tagged in.

Like Microsoft, the word cloud app vendor, Vonvon, said it didn’t save the data, and later allowed people to edit the permissions for their personal information. But again – how many people even thought to look at the permissions?

(And now there’s a new one, Which is Your Most-Liked Photo On Facebook?)

Or there’s the recent trend toward “gigapixel” super-high resolution photos of enormous sporting events, where the more than 100,000 attendees are not only perfectly identifiable, but are encouraged to helpfully tag themselves and their friends. It takes only 2 minutes and 40 seconds to photograph an entire stadium, and the company specializing in the process says it typically has eight such projects every weekend.

It may be that all these apps are perfectly innocent. But we don’t know. And until we do, it behooves us to be careful – at least until we find out who’s on the other side of the camera.

November 19, 2015  5:27 PM

UK Government Invokes Paris to Hurry Internet Tracking Bill Adoption

Sharon Fisher

The British government is pushing for a law that would require Internet service providers to keep for a year a list of all the websites that their users visit – an action that has already been ruled a violation of privacy by the European Court of Justice. And this new law was drafted in response to the previous set of Paris terrorist attacks, not even the most recent ones.

The Investigatory Powers Bill would order communications companies, such as broadband firms, to hold basic details of the services that someone has accessed online, explains the BBC. “This duty would include forcing firms to hold a schedule of which websites someone visits and the apps they connect to through computers, smartphones, tablets and other devices,” the BBC writes. “Police and other agencies would be then able to access these records in pursuit of criminals — but also seek to retrieve data in a wider range of inquiries, such as missing people.”

While the government already has some of these powers, it doesn’t have historical information about the websites people visit, reports the BBC.

“This isn’t a license for the police to simply prowl over everything you have been doing, but I quite accept that a lot of data is being kept by these service providers and under the government’s proposals it would be kept for a very long time,” David Anderson, described as the “government’s terror watchdog,” told the BBC.

Predictably, some members of the UK government are using the most recent Paris attacks to justify accelerating adoption of the Investigatory Powers Bill. “Lord Carlile says Theresa May’s Snooper’s Charter should be rushed through Parliament within the next month, to prevent terrorist attacks in the UK,” writes Mikey Smith for the Mirror. “Speaking in the wake of the Paris terror attacks, the Lib Dem peer warned: ‘It could have been London.’”

What might end up stopping the whole plan is less a matter of privacy or personal liberty and more a matter of money. Though the cost of performing universal surveillance has gotten a lot more affordable lately, thanks to cheaper storage, tracking all these websites still adds up, reports the BBC. The British government had allocated 175 million pounds – about $267 million – but that might not be enough, the BBC writes.

Part of the cost, of course, is protecting all that data. It could end up being a treasure trove for hackers, after all, because it could provide all sorts of juicy blackmail material such as which porn sites people visit. “Making sure there’s no way the hackers can get in is a challenge for any company, and that is hard work,” Adrian Kennard, director of Andrews & Arnold, a Bracknell-based internet provider, told the BBC. “This is sensitive personal information, even if you are just holding the websites people went to and not the specific pages. That makes it a very valuable target for criminals to go after — they may even try to infiltrate employees into companies to try to access it.”

Ironically, this is all happening despite findings that such broad-based surveillance actually doesn’t do much to help prevent terrorist attacks. “Court documents lodged in the US and UK, as well as interviews with involved parties, suggest that data-mining through Prism and other NSA programmes played a relatively minor role in the interception of the two plots” that governments claimed were prevented, write Ed Pilkington and Nicholas Watt for the Guardian. “Conventional surveillance techniques, in both cases including old-fashioned tip-offs from intelligence services in Britain, appear to have initiated the investigations.”

That said, other law enforcement organizations such as the FBI are also using the Paris attacks to justify their long-held position that governments should mandate a “back door” into encryption, even though there’s no evidence the attackers used encryption — and, in fact, quite a lot of evidence that they didn’t.

November 12, 2015  11:00 AM

Does Inaccurate Data Hurt You? Supreme Court Will Decide

Sharon Fisher
privacy, Security

Companies that collect data – and organizations that like to help people concerned about the data the companies are collecting – are on opposing sides of a case that the Supreme Court is hearing.

Like the recent decision on whether you have to give up your phone password, this is one of those incredibly arcane legal matters that has very little to do with the actual case, but could have major ramifications for the computer industry whichever way it’s decided.

The actual case revolves around the data aggregation site Spokeo. This site has been around for a while. It uses publicly available data to collect information about a person, some of which it provides for free and some of which you pay for. Because of how it collects and aggregates the data, it can sometimes be laughably inaccurate.

“It listed me as married to someone ten years older than his actual age whom I divorced in 2002, that my house was worth $1 million (let me tell you, my *town* is hardly worth that much), that I played hockey and football, and that my 60+ year-old house was built in 2003,” I wrote in 2010 when this site first started making the rounds. It’s not much more accurate today; it lists my former husband as taking my name and has his age wrong, it lists an email address I never used and a phone number I haven’t used in two years, and has me living in two houses a thousand miles apart at the same time (one of them is off by almost twenty years).

That said, it still has a list of all the places I’ve lived since college with significant information about them, and enough contact information that if someone wanted to be a pest, they could do so, especially if they were willing to pay to get additional information about me. Could someone have gotten this information on their own? Sure, but it would have been harder and more time-consuming. (Interestingly, some of the briefs in this case encourage the Justices to look themselves up.)

Anyway, there’s this guy, Thomas Robins, who didn’t find the inaccuracies laughable. In fact, he said they had caused him harm. Did they say he was an embezzler or a child molester? No, they said he had a graduate degree and was married with children. He was concerned that this inaccurate information would make it harder for him to find a job, though he didn’t have any evidence that had happened or that anyone had even looked at his file in the first place. And so he was suing Spokeo, not because their collection of data was creepy and an invasion of his privacy, but because it was inaccurate. Now the case has made its way to the Supreme Court, which heard oral arguments on it this month.

And so that’s what the legal decision hinges on. It’s not about Spokeo’s collection of the data. It’s not about whether Robins was damaged by the inaccurate data. (Indeed, a number of the arguments on either side make it clear that they aren’t commenting on the merits of his case, which implies they think it’s a crock.)

Instead, it’s all about whether Robins has “standing” to file a case, because he can’t point to any specific damages that were done – simply the fact that he believes that Spokeo is violating the Fair Credit Reporting Act by having this inaccurate information about him in its database.

How many millions does he stand to get if he wins? None. At most, if the court decides he has standing, and if he wins, he gets $1,000. So why is he going to all this effort to file the case? And why are companies like Google, Facebook, eBay, and Yahoo! lining up to fight him on it? (To give some indication of the significance of this case, there are 17 friend-of-the-court briefs on it. That’s a lot.)

Because if it’s decided Robins has standing, even though he doesn’t have any specific damages he can prove, anybody can file a case any time they find a company making some sort of mistake or violating some aspect of a federal law, even if it didn’t hurt them – such as failing to follow the law by including an 800 number in its listing. “Plaintiffs can seek damages for unwanted phone calls or text messages, [Spokeo’s attorneys] noted, as well as improper disclosure of videos, mislabeled food, a failure to provide full notices involving loans or debts and retaining or disclosing personal information from credit cards and other electronic transactions,” writes David Savage in the Los Angeles Times.

Moreover, they can do it as a class action. Let’s say they discovered Facebook was making some sort of error in its data collection that applied to every member of Facebook. So that $1,000 per person suddenly becomes $1.23 trillion, plus the cost of fighting the case. And Facebook, Google and Yahoo have already all faced similar lawsuits over violations of different federal laws, writes Lawrence Hurley for Reuters.

“This closely-watched case has major potential implications for consumer-facing companies of all types, as it may result either in a ‘green light’ for no-damage class actions based on technical liability theories, or could result in a requirement that plaintiffs plead and prove some concrete harm, which would create a major new roadblock for consumer claims, particularly class actions,” summarizes the Consumer Financial Services Law Monitor. The case could also limit Congress’ ability to pass laws in the future to help protect people from inaccurate information.

Of course, who really stands to make money with this kind of case? The lawyers. Chances are you’ve gotten one of these class-action notifications before – pages and pages of tiny print telling you that if you jump through a whole lot of hoops, eventually you’ll get $5.34, while the legal firms that fought the case collect millions. People arguing against this case say that a finding in favor of Robins will result in many, many more class-action lawsuits.

On the other hand, it’s important to retain the right to have class-action lawsuits in the first place, because that’s how change gets made and wrongs get righted. And people arguing in favor of this case point out that there are other times when people have been allowed to sue without having to prove specific damages in their case, such as housing discrimination cases. “If Spokeo wins the broad holding its lawyers at Mayer Brown are advocating, class actions under all sorts of consumer and civil rights statutes, including the Telephone Consumer Protection Act, the Wiretap Act, and the Americans with Disabilities Act, will be endangered,” writes Alison Frankel for Reuters. At the same time, requiring plaintiffs to show that they’ve suffered “real-world harm” could make it harder to fight patent trolls, she adds.

So organizations such as the Center for Democracy and Technology and the Electronic Frontier Foundation are also stepping in, because they want to ensure that people have the right to protect themselves from inaccurate data collection. “A host of privacy laws, including the Stored Communications Act, the Video Privacy Protection Act, and the Cable Communications Policy Act, create a private right of action similar to FCRA, and could be limited by a broad ruling in this case,” writes G.S. Hans of the CDT. “As with FCRA, each of these laws remains vital to protecting individual privacy today, given how much data exists about us online and the potential for privacy violations involving that data.”

What might be the most Solomonic ruling, these organizations and analysts say, is for the Court to rule that Robins does or doesn’t have standing, but to limit it to this case in particular rather than establishing a broad legal precedent. “A broad ruling that an alleged statutory violation alone is insufficient injury in fact to establish Article III standing would impinge on congressional authority and invalidate private actions in a wide range of federal statutes,” the CDT and EFF write. “The question before the Court asks whether Congress can confer Article III standing by authorizing a private right of action based on a ‘bare violation’ of any federal statute. As framed, the question presented has implications far beyond Mr. Robins’ particular case and the FCRA itself. The Court’s ruling could affect the ability of individuals to file claims under private rights of action authorized by a vast number of other federal statutes, as well.”

The Court is expected to rule by June.

October 31, 2015  10:49 PM

European Governments Slam Door on Transferring Data to U.S.

Sharon Fisher
privacy, Safe Harbor, Security

The Edward Snowden revelations happened more than two-and-a-half years ago, but repercussions are still happening.

Here’s the background, according to the firm Paul Hastings. The European Union passed a law that went into effect in October 1998 that prohibited transfers of personal data to third countries that do not ensure an “adequate level of protection.” The Clinton Administration then negotiated the U.S.-EU Safe Harbor program, which enabled U.S. organizations to transfer data from the EU to the United States based on their declared compliance with the EU’s privacy principles. In 2000, the European Commission found that the Safe Harbor program provided adequate protection.

So what happened? In early October, the European Court of Justice responded to a lawsuit by Maximillian Schrems, an Austrian law student, who filed a complaint with the Irish Data Protection Commissioner challenging the transfer of his personal data from Facebook Ireland to Facebook, Inc. in the United States. “Citing revelations by Edward Snowden, Mr. Schrems alleged that the United States did not ensure adequate protection of personal data against surveillance by public authorities,” explains Paul Hastings. The Court agreed and found that the U.S. was no longer in compliance with those principles, and invalidated the Safe Harbor program. (Later in the month, Israel also jumped on the bandwagon.)

Needless to say, the entire legal and technology industry had kittens. Law enforcement, for example, could no longer count on getting information about possible criminals from Europe. And almost two dozen technology companies, including Google and Microsoft, wrote a letter to Congress about it. “Without the adequacy finding, many of the 4,400 companies that relied solely upon the Safe Harbor agreement to transfer data from the EU to the United States face tremendous uncertainty regarding what bases exist to justify transatlantic flows of data,” they wrote.

Safe harbor “allowed big companies like Facebook and Google, for example, to carry out a self-certification process, promising to protect EU data stored on U.S. soil,” writes Arjun Kharpal for CNBC. “The agreement is key for thousands of companies operating in the EU.”

The data in question could be as minor – or as major, depending on how you look at it – as people’s web search histories and social media updates, writes Mark Scott in the New York Times. “At issue is the sort of personal data that people create when they post something on Facebook or other social media; when they do web searches on Google; or when they order products or buy movies from Amazon or Apple,” Scott writes. “Such data is hugely valuable to companies, which use it in a broad range of ways, including tailoring advertisements to individuals and promoting products or services based on users’ online activities. The data-transfer ruling does not apply solely to tech companies. It also affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow workers to manage their employee benefits online.”

There are other data transfer alternatives, Kharpal notes. “Two such processes are Binding Corporate Rules and Model Contract Clauses,” he writes. “These are essentially contracts allowing companies to transfer data out of the EU by going through different approval processes involving the European Commission and data protection authorities in the member states.” Larger companies typically have access to these alternative methods to transfer data from Europe to the U.S.; it’s the smaller companies that are particularly left out in the cold by the decision, he writes. And companies that are big enough to have their own servers in Europe to store data about Europeans are also okay, writes Kurt Wagner in Re/code.

European authorities have given the U.S. until the end of January to fix the problem. So the U.S. Congress is scrambling (though some believe its solution is still inadequate) through the Judicial Redress Act. It “gives the citizens of some of the U.S.’s allies access to records about them that have been collected by the U.S. government, as well as the ability to amend those records and, importantly, civil redress (the right to file a civil suit) when such records are unlawfully disclosed,” writes John Eggerton in Broadcasting & Cable. (There are exceptions for reasons such as national security, adds Brendan Sasso of the National Journal.)

The House passed the bill on October 20; the Senate still needs to pass it.

The U.S. can also try to argue with the ruling, writes Karen Kornbluh for the Council on Foreign Relations (though it cannot be appealed). “Experts within and outside the U.S. government have argued that the ECJ based its ruling on erroneous factual assumptions regarding the nature and oversight of U.S. surveillance,” she writes. “Moreover, they note that the United States provides adequate privacy protections, especially in comparison to European countries many of which have no independent data protection oversight of law enforcement and intelligence surveillance. The ECJ also based its decision on a 2013 European Commission report on U.S. surveillance, parts of which are outdated given U.S. surveillance reforms spurred by President Obama’s 2014 executive order. Robert Litt, general counsel for the Office of the Director of National Intelligence, wrote an opinion piece for the Financial Times before the ruling to argue that the surveillance program at issue in the ECJ’s decision ‘does not give the U.S. ‘unrestricted access’ to data.’”

But this is unlikely to go far, writes Timothy Edgar in Lawfare. “So, perhaps all the US has to do is convince enough people that Bob Litt is right about PRISM, the European Commission is wrong, and the Europeans will say it was all a big misunderstanding?” he writes. “Not likely.”

October 28, 2015  8:02 PM

More on the Western Digital-SanDisk Dynastic Marriage

Sharon Fisher
SanDisk, Seagate, Storage, western digital

Back in the day, kings used to forestall a potential war from another country by marriage. Thus merged, the theory went, the countries would henceforth work together instead of competing.

In the computer industry, that’s not really an option. This is why we’re seeing alliances like the merger of hard disk powerhouse Western Digital with solid state size queen SanDisk, announced last week after having been rumored earlier this month.

Western Digital, which has to have been getting itchy because it hasn’t bought anybody major in a while, was also facing a problem in that it had pretty much bought everyone who’d hold still for it in the hard disk space this decade. (They weren’t alone. Seagate bought Samsung storage, and Toshiba bought Fujitsu storage.)

True, Western Digital could always have bought Seagate itself, or vice versa, but eventually the Federal Trade Commission would start finding all these computer storage mergers to be monopolistic. As it is, when Western Digital bought Hitachi GST in March 2012, it had to sell off some pieces first. For example, it sold to Toshiba the assets that Hitachi GST used to make and sell desktop hard-disk drives. In addition, the European Commission required Western Digital to sell one of Hitachi’s 3.5-inch manufacturing plants and the associated intellectual property for making these drives. In return, Western Digital received a Toshiba plant that had been damaged in last year’s Thai floods.

And why hasn’t either Western Digital or Seagate bought Toshiba, anyway? “When Western Digital’s leadership gets comfortable with this new partnership, I wouldn’t be surprised to see it develop into yet another hard-drive buyout,” agrees The Fool’s Anders Bylund. “If Western Digital doesn’t own Toshiba’s hard drive operations by 2018, I’ll be shocked.”

In fact, this deal hinges on whether Toshiba approves, writes Reuters. “Any deal with SanDisk will require a sign off from Toshiba. SanDisk uses Toshiba’s foundries to make its chips and the two have an important intellectual property-sharing joint venture,” the news service writes. “Analysts have said Toshiba is more likely to accept Western Digital as a buyer for SanDisk than Micron, a rival memory chip maker.”

In any event, SanDisk, while not as profligate a shopper as Western Digital, has had its own share of acquisitions over the years, such as Fusion-io and SMART Storage Systems. It was generally considered to be third in the NAND flash memory market after Samsung and Toshiba. It was also just ahead of Micron, which had also been suggested as a potential SanDisk acquirer.

According to Leo Sun at The Motley Fool, Western Digital was the leader of the hard disk drive market, holding 43 percent market share. Assuming the acquisition completes, it will then control 14 percent of the SSD market, including SanDisk’s 11 percent, ranking it second after Samsung.

That said, Sun is wondering whether Western Digital is paying too much. The $19 billion total calls for an $86.50 purchase price, $85.10 of it in cash and the rest in stock. But if a planned 15 percent investment in WD by Tsinghua Unigroup subsidiary Unisplendour doesn’t go through, the cash portion of the deal will drop to $67.50 per share. “WD’s offer of $86.50 per share values SanDisk at nearly 35 times trailing earnings, compared to the industry average P/E of 15 for the data storage industry,” Sun writes.

On the other hand, for several reasons, buying SanDisk now was cheaper and more manageable than waiting, Sun writes. For that matter, there’s a potential class action lawsuit brewing because Western Digital isn’t paying enough with its 15 percent premium. Plus, sales on both the Western Digital and SanDisk side are slowing. “A slowing business buying another slowing business at a hefty price tag doesn’t sound all that appealing to Western Digital shareholders,” writes The Fool’s Evan Niu.

Incidentally, Unisplendour’s parent company also proposed investing in Micron a while back. (Honestly, keeping track of all this is like Game of Thrones.) That plan drew some unease because it involved a Chinese company investing in an American chipmaker, which is perhaps why Unisplendour is taking this circuitous route toward investing in a different American chipmaker.

Anyway, if approved and all the various contingencies fall into place, the deal is expected to close in the third quarter of 2016. A whole fistful of financial and legal companies are involved, because of the complexities and how much debt will be involved.

October 22, 2015  9:59 AM

Why the Government Wants Your Spit: Genetic Databases

Sharon Fisher

There must be some sort of Murphy’s Law that when a database reaches a certain size, law enforcement is going to want to get their hands on it.

We’ve seen this recently with 23andme, a database of information compiled through voluntarily offered genetic material (spit, actually), which recently hit a million users.

If you don’t remember 23andme, they made headlines in 2007 by offering people the chance to test their genetics for susceptibility to a number of diseases, as well as to look at their ancestry. People who couldn’t resist the opportunity to find out just what percentage Neanderthal they were would soon cough up $99 for the chance to spit at these people and, in the process, find out what weaknesses their flesh might be heir to.

This, however, caught the attention of the U.S. Food and Drug Administration, which declared in 2013 that the company was offering tests that the FDA hadn’t approved, and the company pulled the test kits off the market.

The kits were still available for ancestral testing, though, and people continued to submit their genetic material, albeit more slowly. While the company had 500,000 subscribers by 2013, it took until this year to hit a million, according to the New York Times.

That’s when the cops started getting interested.

It’s not unusual for police officers to obtain DNA evidence at crime scenes. And here was a database of a million people’s DNA. Did the police really think that criminals were coincidentally also having their ancestries tested? No, but certain components of DNA are passed down through the father and mother. It could happen that a relative of a criminal had been tested and was in the database, which would help narrow down the search.

“People who submitted genetic samples for reasons of health, curiosity, or to advance science could now end up in a genetic line-up of criminal suspects,” writes Kashmir Hill in Fusion. “If you’re a cop trying to solve a crime, and you have DNA at your disposal, you’re going to want to use it to further your investigation. But the fact that your signing up for 23andMe or Ancestry.com means that you and all of your current and future family members could become genetic criminal suspects is not something most users probably have in mind when trying to find out where their ancestors came from.”

Hill has been on the forefront of this issue; as long ago as 2010, she was warning in Forbes about the possibility. “How far should law enforcement be allowed to go?” she wrote then. “Should prosecutors be allowed to subpoena a company’s DNA database of thousands of people if they suspect it contains a match to a crime suspect?”

The problem is, such genetic testing isn’t foolproof; among other things, someone could be adopted, illegitimate, or cuckolded, and never know it. That may be what happened in one case earlier this year, when police officials used a similar database, operated by Ancestry.com, to compare it with DNA material from a crime scene. (Ancestry.com has since taken the database down, Hill writes.) Police then looked up all the relatives of the person in the database who matched, found a likely prospect, and got him to submit a DNA sample – which ended up exonerating the person, but still.

Meanwhile, 23andme and Ancestry.com come right out and say they’ll cooperate with law enforcement when served with a warrant. And they don’t really have any choice. Since they’re not doctors, the Health Insurance Portability and Accountability Act (HIPAA) and other laws that could protect people don’t play into it.

This concerns a number of civil liberties organizations, such as the Electronic Frontier Foundation. “[I]f the cops can access private databases—especially private databases like Ancestry.com and 23 and Me that collect matrilineal and patrilineal markers—everyone’s risk increases,” the organization writes. “People should be able to learn about their ancestors and relatives and about possible risks for genetic diseases without fear that their data will be shared with the cops without their consent.”

“Civil liberties groups have called for laws that would prohibit the use of private genetic databases for law enforcement purposes, but until one comes into existence, the only thing standing between police and the spit you send to a private DNA company is the company’s lawyers,” Hill writes.

What 23andme is doing, like companies such as Facebook and Google, is hiring a privacy officer and publishing a quarterly government transparency report that tracks how many such requests it gets. It just published its first report, which notes that it’s had five requests. It will be interesting to see how it trends; similar reports from other vendors have shown sharp increases over time.

Interestingly, just a week after news got out about police requesting the data, the FDA decided to give 23andme permission to once again offer the genetic tests, meaning it will be able to collect even more data. (Not to mention, that knocked all the stories about police access to the database off the front page as well.) Is it getting too much into black helicopter territory to wonder whether law enforcement agencies asked the FDA to lay off of 23andme so that it could help them do their jobs?

October 13, 2015  2:14 PM

Joe Tucci Finally Finds a Way to Retire From EMC, and Other Stories

Sharon Fisher
Autonomy, Dell, EMC, HP, Pivotal, VMware

After years of on-again, off-again retirement plans, Joe Tucci, the 68-year-old chairman and CEO of the Hopkinton, Mass., storage company EMC, is on his way out with a $27 million golden parachute, according to David Goldman in CNN Money.

“Tucci’s severance package includes $7 million in cash, equal to triple his annual salary and bonus,” Goldman writes. “The other $20 million comes in the form of EMC stock that Tucci had been awarded, according to executive compensation research firm Equilar. Had he not sold EMC to Dell, he otherwise would have needed to remain at the company to receive that stock.” In addition, EMC will pay Tucci for his unused vacation time, plus his life, disability, accident and health insurance benefits for himself and his dependents for three years, he adds.

This is all courtesy of what is said to be among the largest tech acquisitions of all time, the $67 billion acquisition of EMC by Dell. Yes, even bigger than HP and Autonomy. It remains to be seen whether the Dell-EMC acquisition will prove to be more successful. (It could hardly be worse.)

Incidentally, HP’s Meg Whitman, herself presiding over the conscious uncoupling of HP, criticized the Dell-EMC deal. “Of course, Whitman is hardly an impartial witness to the mega tech deal,” writes Matt Egan in CNN Money. “The new Dell is going to fiercely compete for business customers with HP Enterprise, which is splitting itself from HP on November 1. HP Enterprise, led by Whitman, will be focused on selling hardware like servers and also cloud technology, big money makers for Dell and EMC.”

People have been talking about Dell and EMC for more than a year, and the consensus then was that there was too much disparity in size and too much overlap in their product lines, so it’s going to be entertaining (if you’re not an EMC or Dell customer, that is) to see how that works out.

There are, of course, a few other loose ends to the acquisition.

The other interesting aspect of this – and it’s hard to know whether Tucci did it on purpose or it was an unintended consequence – is that EMC, which was put into this position by virtue of being a public company that was hijacked by activist investor Elliott Management Corp, will never again have to go through this, because as part of Dell, it’s now a private company. (Well, sort of. Mostly.)

“Anyone who has talked to [Michael] Dell in recent years has witnessed the huge smile on his face when he discusses the joys of being private,” concurs Alan Murray in Fortune. “In his view, this transformation couldn’t have happened in the public markets.”

That said, even Dell is owned by a conglomerate including Silver Lake, which reportedly was shopping around Dell’s PC business just last week. We may yet see bits and pieces of EMC up on the auction block.
