1/642 What can happen in a second (in privacy)

John F. Kennedy once said “JFKThings do not happen. Things are made to happen.”

So rather than considering what can happen in a second in privacy – which brings to mind all kinds of crazy stuff…breaches, hacks – let’s instead consider what could be made to happen in a second.

I went online to find you an interesting link for breaches and instead saw an article, hot news, one hour ago that 80,000 students’ data was compromised who were enrolled at Cal State in an online sexual violence prevention class.

That happened in a second.

What could be made to happen in a second? Awareness – instantly share the news article via myriad social media.

Shame – 80,000 students may now be ashamed of their online class. They may not be. 80,000 students may now be proud.

Anxiety. Confusion.  80,000 students may now not know how they feel. It’s a non-credit required course. They have nothing to be ashamed or proud of. The breach exposed passwords used to log into the class, user names, campus-issued email addresses, gender, race, relationship status, and sexual identity. Now these 80,000 students may have to change their passwords for whatever they use based on that email – grades? financial aid? What if their sexual identity is something they did not want known publicly?

On the other hand, based on amount of breaches in the news, are we desensitized? Can apathy happen in a second?

Could lawmakers get motivated in a second? It may take years to get someone to see the light, but perhaps that light blows on like the winds of a haboob in Arizona in August.

  • It only takes a second longer than normal to use a password that is resistant to compromise.
  • It only takes a second to lock your computer when you walk away.
  • It only takes a second for a hacker to publish ill-gotten gains.
  • It only takes a second for your identity to be taken.

It only takes a second to realize your life has changed forever and way too many seconds to put it back together.

Make something good happen in a second.

FTC tireless on Consumer Beat….

The tweets and shares this morning were frequent and deluged with the recent ruling in favor of the U.S. Federal Trade Commission (FTC). In a long-awaited and precedential ruling, the U.S. Court of Appeals for the third circuit upheld a 2014 ruling by a lower court in which Wyndham Worldwide Corp sought to have the case against the FTC dismissed. The lower court denied that motion, and the Circuit Court of Appeals granted interlocutory appeal on two issues: whether the FTC has authority to regulate cybersecurity under the unfairness prong of 15 U.S. Code § 45(a) and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.

Commissioner Julie Brill tweeted: that it was “a great win for @FTC & consumers. We will continue to be tireless cop on beat of consumer.”

In affirming the lower court’s ruling 3-0, the Court of Appeals has permitted the case to move forward and determined that the FTC has authority to regulate corporate cybersecurity, and may pursue a lawsuit against corporations (in this case Wyndham) accusing them of failing to properly safeguard consumers’ information.

What happened? In 2008 and 2009, Wyndham had three incidents where hackers breached their computer systems and stole consumer data – mainly credit card data along with other personally identifiable information on over 619,000 consumers, totaling more than $10.6 million in fraudulent charges to those consumers. The FTC felt that Wyndham’s business practices put the consumers at risk.

Without a decision on the merits, here is what the appellate court noted about the FTC’s arguments that Wyndham failed to:

  1. Store payment card information securely (stored in clear text);
  2. Require complex passwords to access the systems (permitted easy-to-guess passwords);
  3. Use common security practices, such as firewalls, to limit access;
  4. Control network access with appropriate cybersecurity precautions (permitted outdated operating systems, used default passwords, lacked appropriate policies, and failed to inventory connected devices);
  5. Restrict third party access to networks;
  6. Employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations; and
  7. Follow proper incident response procedures (hackers used the same method each time).

Although not before the court on appeal, “the complaint also raises a deception claim, alleging that since 2008 Wyndham has published a privacy policy on its website that overstates the company’s cybersecurity.”

Awaiting this decision eagerly, the privacy community (and other communities as well) have debated whether Wyndham’s argument that unless the FTC publishes a cybersecurity guide detailing the standards to which it expects companies to uphold, the FTC cannot pursue a company for unfair cybersecurity practices. The Court of Appeals demolished this belief. “In sum, we have little trouble rejecting Wyndham’s fair notice claim,” Circuit Judge Thomas Ambro said. He held that Wyndham failed to show that its alleged conduct “falls outside the plain meaning of ‘unfair.'”

So while cybersecurity itself may not necessarily be within the purview of the FTC, unfair business practices are – and shoddy cybersecurity is unfair to consumers.

My recommendations: update your cybersecurity program, review your online privacy statement for accuracy, and for goodness sake – if you have a breach, plug the durn hole.

Revenge Porn – Cyber Rape – what is it and what can we do to stop it?

Having non-consensual nude photos of you posted online – revenge porn or cyber rape – is a problem few ever imagined we would have. Revenge porn, a form of cyberbullying, is a problem that destroys lives and careers, yet is not adequately addressed by laws.

Last week I attended the Berkeley Center for Law and Technology’s Privacy Law Forum in Silicon Valley #BCLTPrivacy. The lunchtime keynote speaker was Danielle Keats Citron, professor of law at the University of Maryland law school, who spoke on Revenge Porn, Hate Crimes, and what Silicon Valley and the law should do now. Riveting topic. Heartbreaking topic.

One would have to be living completely off the radar to not be aware of the issue of revenge porn. However, it only takes living a normal life to be unaware of the prevalence and damage of revenge porn. As I listened to Citron speak, I was horrified, saddened, outraged, and driven to help.

The lady who founded the Cyber Civil Rights Legal Initiative, Holly Jacobs, was a victim of revenge porn. Private pictures and videos of her nude that had been shared only with a partner started popping up seemingly everywhere and not just on revenge porn sites – no, on Facebook and popular online dating sites – with titles inferring she slept with her students, included contact information, family names, work information, etc. She was not able to get all websites to remove the photos, and those that would wanted to charge her (blackmail essentially) or jump through a bunch of hoops to prove she was the individual in the pictures and she had the right to revoke authorization or prove she never provided authorization. How do you prove something that never happened? She wound up changing her name and trying to help others.

Danish journalist Emma Holten took another tactic, one similarly used  by Jennifer Lawrence when nude pictures were leaked. They both responded with their own version of nude pictures. The key difference had nothing to do with whether you and I see their pictures, it has to do with their choice, their consent. I remember how many people criticized Jennifer – how could she oppose the leaked photos when she released her own photos? and other similar stupidities uttered in ignorance.



Revenge porn is not a rare event. The question is what can we do to help end this problem? Many laws addressing cybercrimes involve communications with that person directly. Revenge porn is not usually communicating with that person. It’s posting nonconsensual sexually explicit photos without that person’s consent, often with other personal information, often pretending to be that person, and even using photoshop to mock up nude pictures. Suggesting that the individual desires a rape scenario, with information identifying where the person will be at a particular time.

The solution is not to tell people to stop sharing such photos (although prudent people probably shouldn’t share such images). We live in a technological world where people can form relationships around the world. Certain relationships are formed on intimacy and technology provides a forum to be intimate. That is another debate. But don’t try to solve this problem the way people used to (some still do) try to solve rape by blaming the victim. Blame the criminal. period.

Social media companies need to ban such material, like Facebook recently took a major step, as did Twitter. States need to pass laws that truly address the problem. Law enforcement need to train personnel how to interact with a victim of this type of cybercrime.

This is not a feminist issue as alleged by some authors. It is not a misogynist issue as alleged by others. It’s a human issue with the goal to destroy someone’s life through technology, in the most base, vulgar way possible – ways which encourage someone who wishes to do physical harm to another to do so.