“Internet privacy” is this age’s biggest oxymoron.
Last summer’s controversy over the National Security Agency’s anti-terrorism surveillance program confirms what author George Orwell said in his seminal novel, 1984: Big Brother is watching you.
And so, it seems, is everyone else.
The heinous acts of the accused Boston Marathon terrorist bombers were captured on surveillance cameras. If you zoom across the Golden Gate Bridge without the mandatory FasTrak, a camera will record your license plate number and a ticket will arrive in the mail within weeks. If you have a smartphone, your cellular provider knows exactly where you are (not to mention Google). Amazon.com tracks your product searches on the Internet, and ads for the items miraculously show up on your Facebook page within minutes. That email you sent to a business associate six years ago—which both of you subsequently erased—is still out there. And how in the world did your boyfriend’s ex-girlfriend get hold of all those pictures of the two of you together? You posted them on Facebook.
Welcome to the Age of TMI (too much information). While we may think the government’s actions are, for lack of a better word, “Orwellian,” the fact of the matter is that the very technology we’ve embraced to make communication easier, faster and more transparent has made us more vulnerable and has shattered the illusion of privacy on multiple levels. And nowhere is this more evident than on the Internet—the biggest mass surveillance “device” of the modern world.
These days, the business world relies on the Internet. Just about every winery, company, store or restaurant has a Web presence. And while being available online provides a business with expanded marketing ability and customer outreach, there are potential downsides as well. How do you make sure your site is protected from security breaches? Are you giving away business secrets without even knowing you’re doing it? Is a disgruntled employee or customer defaming your reputation? Are there legal recourses to protect your interests?
Security by obscurity
Peter Nevin is the founder and CEO of Sebastopol-based DeVineWare LLC, a software company that focuses on distribution management, inventory and depletion sales for wineries and mobile wine applications, which will soon launch “The Winery App” for mobile devices; it’s had “The Wine Locator,” which assists consumers in choosing wines at restaurants and retail shops across America, on mobile devices and client websites for three years (a subsidiary will launch similar services in Europe soon). He’s been in the information technology (IT) sector for nearly 30 years and has been heavily involved in the evolution of Internet use by wineries over the past two decades.
Nevin notes that wineries—a major economic force in the North Bay—have generally underutilized the Internet historically, resulting in something he refers to as “security by obscurity.”
“If you’re not out there sticking your nose into a lot of places on the Internet, and your business isn’t heavily invested [on the web], you’re flying under the radar,” he explains. But when a company does decide to sally forth and join the Internet party, the biggest issue is security, especially when it comes to financial information like credit card numbers.
“Wineries have wine clubs and direct-to-consumer sales. The number one thing I’ve seen among North Bay wineries is a gross misunderstanding about using email. Most people don’t realize that every single email you send can be read by anyone with elementary knowledge of the Internet,” Nevin says. “There’s packet sniffer software all over the place that can read unencrypted email. If you send credit card information via email, that’s a high ticket item for hackers and people with ill will.”
“Packet sniffing software can be downloaded from legitimate sites by anyone. A hacker can sit on a company’s Internet connection, watch emails come off the server and easily steal credit card numbers.”
Nevin also warns about sending spreadsheets with customer data (names, addresses, credit card numbers and the like) via email, even if you’re sending it to someone just three desks over. “The email goes out and you have no control over where your ISP [Internet service provider] sends it before it comes back in to your company. It could go to Thailand, Taiwan and New York City for all you know. People need to understand that the Internet is a web, built for redundancy by the military and universities to let them continue to communicate even if a bomb went off in [Washington, D.C.] and a major part of it was taken out.”
Every email flowing through the Web moves through a series of computers from sender to receiver and is recorded and saved every step along the way. There’s no such thing as a deleted email. Maybe you can’t see it, but someone else can. That fact became a bit of a controversy in the legal world, according to Bill Arnone, a partner in Merrill, Arnone & Jones LLP in Santa Rosa, specialists in intellectual property law. When attorneys first started using email to communicate with clients, some said it nullified attorney-client privilege.
“If I engage in a loud conversation with a client at a restaurant and someone overhears it, then it blows attorney-client privilege, because I’m willing to share it with the guy at the next table. With email, the theory was that, if email accounts could be hacked, then any use of email communication with a client also nullified attorney-client privilege,” Arnone explains. “As the electronic world evolved, however, that line of thought became passé. Today, email is recognized as a secure method of communication with clients.”
Lock your front door
When building websites, most businesses invest in firewalls to protect their sites from hackers.
“A firewall is like having your front door locked,” says Brian Kreck, president/CEO of Kreck Design, a leading North Bay provider of graphic design and Internet services based in Healdsburg. It’s something you have to have, he continues, “but it’s not magical in any way, shape or form, and sometimes people have an unhealthy reliance on it.”
One major problem, according to Nevin, is that companies spend a lot of money on a firewall, feel safe about having one, and then don’t understand that it needs to be maintained.
“It’s almost like painting the Golden Gate Bridge: You’re never really finished,” he says. “Let’s say your firewall was up to date in January. Well, by March, hackers will have found five more ways they can get in. It’s a piece of hardware that needs to be constantly maintained—and people don’t realize that. It needs to be checked at least once every month.”
Password protected
Almost every company has a series of passwords to let employees access various network sites.
“For protection, they should be good passwords. They shouldn’t be too short and they shouldn’t be common words, like ‘password,’ ‘secret’ or, in the case of wineries, names of varietals like ‘Pinot’ or ‘Zinfandel,’” says Kreck. “It’s something I call ‘password hygiene.’”
Kreck also recommends businesses download password manager software that lets them properly store and maintain a database of its various passwords for its own protection (there are many free and paid applications for Mac, PC and mobile platforms). That way, if an employee creates a company account that’s password protected and then leaves the company, it can be properly handed off to the next employee. “It can be devastating if you lose a password,” he says.
It’s also important to know who has passwords to what accounts.
“Companies purchase through Amazon and other online retailers,” Kreck says. “They need to be careful who has those passwords.”
Employees themselves are often a security risk for companies. A disgruntled employee armed with passwords can wreak havoc, but so can a happy one that has an online blog and likes to write about what projects he or she is working on. Ergo, it’s a good idea to establish policies regarding what can be shared online.
On the other hand, employees need to understand that company computers are just that—company computers. And, in many cases, they have no expectation of privacy when they’re using them.
“California law lets employers monitor their own computers,” Kreck says. “They don’t need to notify their employees, but most of them do post notices. Using software designed specifically for this purpose, some monitor every key computer stroke, but others aren’t quite that intrusive. They can tell how much time you’re spending on Facebook and what other websites you visited. Just normal timestamps can tell when you open a file and when you saved it. If you tell your boss you worked on something all day, he or she can look at the record and see that you never opened the file. Emails in and out can be recorded—and, in some cases, such as the financial industry, the law requires it.”
Social security
With the advent of social media—Facebook, Twitter, Yelp and countless other sites—the Internet is becoming a playground where just about anyone can find their 15 minutes of fame (thank you, Andy Warhol). And sometimes that’s not a good thing.
Brian Howlett is a social media consultant in the North Bay, advising clients across a broad spectrum of professions. The Santa Rosa resident grew up in Los Angeles and had many friends in the movie business.
“In Hollywood, there’s no separation between your personal and your professional lives. They mesh. For most regular people, though, personal life and professional life have typically been separated. But not anymore. I like to tell people it’s all Hollywood now,” he says.
When people get on social media sites and engage by creating their own accounts and by commenting on others, “they have to recognize everything is a matter of public record.”
“People are what they project,” Howlett says. “There’s a technical side, and there are services to help people adjust and make an attempt to erase something on the Internet. But the reality is, you just shouldn’t put it out there in the first place. If you want to talk to your kids about your recent colon cancer, send an email, write a letter or call them on the phone. If you put it on social media, it’s being broadcast to a wide spectrum. Essentially, it’s like you’re sending it out on the radio.”
According to Howlett, no matter how strong your privacy settings are, they aren’t strong enough to withstand a hacker. Facebook and other social media companies aren’t regulated like traditional media. “They don’t guarantee your privacy, and policies constantly change,” Howlett says.
Many businesses use social media as another means of marketing. But Howlett says they need to understand that social media is a dialog, and sometimes the opinions that come back aren’t the ones companies want to see posted on the Internet.
“The next step is damage control. When you get a bad Yelp review or Facebook post, rather than go into a panic mode and try to erase it, take the blame and make an apology. It’s a different culture now than it was in the 1950s and ’60s. Since the Clinton Era, we forgive people for their mistakes,” he explains.
And then there’s the employment factor. While no one is read their Miranda Rights before signing up for social media, it may be a good idea to pretend it has, especially the line about “the right to remain silent.” Because, in fact, anything someone says can be used against them.
These days, more and more businesses are taking a look at the social media accounts of their employees and of people they’re considering for employment. “It’s not a wise idea to post college photos of you smoking a bong,” advises Kreck.
But sometimes it’s not the self-poster than causes a problem. It’s his or her friend with a cellphone camera, who posts an incriminating photo to their own account. It gets out on the Internet, and you’re essentially busted.
“Photos never leave the Internet,” Kreck says. “It’s just part of our new, wild and crazy world. Minimize pictures if you’re concerned about it. Remember, employers can always search.”
“Employers are entitled to look at online postings by employees,” says Arnone. “And they have the right to release someone if those postings disclose conduct that’s against their stated policy. Police and fire departments, for example, can release people for conduct unbecoming an officer. It doesn’t matter if it’s something posted on Facebook or, instead, a phone call from someone who says they saw an employee doing something wrong. Regardless of how they find out, an employer is entitled to take action. In my own case, I assume everything I post is public. And emails have a life of their own, especially when you hit the ‘reply all’ button.”
In the case of companies perusing social media to learn more about potential new-hires, online information is fair game, as long as there are no misrepresentations or fake identities assumed to gain access to information that would otherwise be private. Prospective employers are entitled to look for patterns of behavior inconsistent with their business philosophy. But they cannot use it to determine—or make decisions based on—a person’s race, color, creed, gender, national origin or the like: “That would be a violation of equal opportunity and anti-discrimination laws,” Arnone explains.
Hacked off?
So what recourse do people or businesses have if their privacy has been compromised online?
“The problem with the web is that there’s no centralized control of content. There’s no place you can go to expunge the information once it’s there. You just have to use a variety of different tools, depending on the context in which the issues come up,” Arnone says.
A victim of identity theft himself, Arnone has first-hand experience. When his daughter went to UC Santa Barbara, family information got out on the Internet. Someone purchased a motorcycle under his name, using his social security number to secure a loan. A collection agency “kept hitting me up for payments. I sent them a detailed letter explaining it wasn’t me, but once you get in the bill collection process, there’s a computer-generated timetable for them to send letter one, two and three, and then they file a lawsuit.
“This one went quite a ways down the road, and I had to get more and more aggressive, and threaten them with a counter-claim for violation of the Fair Debt Collection Practices Act. It’s a tool people can use if subjected to collection efforts improperly. So I threatened them with legal action if they didn’t leave me alone. Finally they stopped bugging me. They never apologized and they gave me no reason. On my end, it was a matter of persistence, which is required in the Internet Age if you want to address information that gets out.”
There are other ways to clear your name. “Many websites have fine-print policies that you can use to get them to take down information about you from their website. There are also companies out there that sell themselves as reputation repairers after you’ve been harmed on the Internet,” Arnone says. (Brandyourself.com and reputation.com are two examples.)
If you’ve been defamed anonymously on Facebook, “You can file a lawsuit against unnamed parties based on the defamation which then lets you use a subpoena for Facebook records to find out who did it. Then you can add them to the litigation,” Arnone suggests.
And sometimes, if you have the right connections, the legislature will help you. “That happened when Maria Shriver was admitted to a Los Angeles area hospital, and health care professionals bragged about treating her, making her information public,” Arnone says. As a result of their disclosure, her then-husband Arnold Schwarzenegger—who also happened to be the governor—worked with the legislature to enact laws that added California-specific requirements on top of the existing Federal Health Insurance Portability and Accountability Act (HIPAA) regarding personal health information. As a result, California’s laws are among the strictest in the nation.
The right to privacy
In the end, despite all the discourse and hullaballoo about Big Brother, does a person really have a right to privacy?
“The U.S. constitution has no clause expressly granting a right to privacy,” says Arnone. “In fact, privacy is a western culture phenomenon that’s recent, with Britain and the United States being the most advanced in protecting it. Around the world, many cultures have no concept of it. Even in the United States, the founders didn’t expressly provide for the protection of privacy rights. But starting in the 1900s, judicial scholars and judges started writing a right to privacy into the U.S. Constitution by interpreting the 5th and 14th amendments, which guarantee due process, in such a way as to protect the right of privacy.”
The landmark case Arnone cites is Roe v Wade, the 1973 Supreme Court ruling that said a right to privacy under the due process clause of the 14th amendment extended to a woman’s decision to have an abortion.
“Privacy is a court-created right that’s becoming more deeply ingrained in our society, but people forget how recent a phenomenon it is. It’s been in our lifetime. I think the United States might be the most highly attuned to the issue of privacy of any culture, ever. We excel at recognizing personal rights and personal liberties, and it’s been a hallmark since our founding,” Arnone concludes.
That may be the case, in theory, but while you may have a right to “Internet privacy,” it’s also this age’s biggest oxymoron.
