Spier Sues Spy Software Maker

I would guess that there are several companies in the business of selling what is basically “over the counter” or consumer-grade spyware for the beginner-level user. Depending on how this suit turns out, they will have to start being careful about how they promote their wares, and how they instruct their customers in using them:

Caught Snooping, Husband Sues Spy Software Vendor
By Ryan Singel

An Ohio man facing a lawsuit from his wife’s friend for intercepting her emails using spyware on a household computer filed suit Friday against the spyware maker, arguing the company’s ads failed to warn him that using it to monitor his family, including his wife, would violate state and federal laws.

As I previously blogged, intercepting communications can expose you to large civil liabilities.

Posted: September 23, 2007

NYT on Digital Evidence and Divorce

A friend emailed this NYT article:

Tell-All PCs and Phones Transforming Divorce
The age-old business of breaking up has taken a decidedly Orwellian turn, with digital evidence like e-mail messages, traces of Web site visits and mobile telephone records now permeating many contentious divorce cases.

Spurned lovers steal each other’s BlackBerrys. Suspicious spouses hack into each other’s e-mail accounts. They load surveillance software onto the family PC, sometimes discovering shocking infidelities.

The article also mentions using GPS to track a spouse; the ethical issues some spouses have when they decide to spy; and how the person spied upon can find it “particularly disturbing.”

On the legal issues, though, the article seems to be lacking. The only consideration is the admissibility of the evidence: whether it can be seen by the divorce court. Furthermore, the entire article seems to gloss over the difference between the use of electronic evidence gained via discovery (the legitimate, court-supervised method of gaining records from the other side) and the surreptitious access to information that is the use of spyware and unauthorized access to devices.

The legal issues are serious. The Electronic Communications Privacy Act (ECPA) governs interception of electronic communications. Intercepting an electronic communication can land you in jail for five years. 18 USC 2511(4). You can also be sued civilly, being responsible for attorney’s fees and minimum damages of $10,000. Besides interception, accessing stored communications is regulated by the Stored Communications Act. Accessing someone’s stored communications can be punished by up to a year in jail. 18 USC 2702. And it can also expose you to suits of a minimum of $1000 plus attorney’s fees. 18 USC 2707.

But under both of these, the issues can get tricky if the computer is shared between people, or if people have previously shared their passwords with each other. It’s no surprise that a reporter talking to divorce lawyers didn’t go into wiretap laws. But at least they should not have mixed up the very legitimate accessing of stored information during a lawsuit with spousal espionage and stalking.

Posted: September 17, 2007

Facebook Takes More Steps to Spread Your Data

Social networking website Facebook recently announced that they would be sharing some of their users’ information with the world:

Starting today, we are making limited public search listings available to people who are not logged in to Facebook. We’re expanding search so that people can see which of their friends are on Facebook more easily.

However, it is not just your friends who will be able to find you:

In a few weeks, we will allow these Public Search listings (depending on users’ individual privacy settings) to be found by search engines like Google, MSN Live, Yahoo, etc.

If you object to these steps, Facebook will allow you to avoid this:

As always, if you do not want your public search listing to be visible to people searching from outside of Facebook, you can control that from the Search Privacy page.

So Facebook has decided to share data without asking for permission, and instead posted this fact on its blog, and has given people about 30 days’ notice to go and change this. They’ve done this before: when they set up their applications to share data with third parties, and when they set up their news feed to spread a user’s actions to that user’s network.

In privacy, this is known as an opt-out system: the holder of the data has decided to use your data in a certain way, and lets you stand up to object. This is in contrast to an opt-in system. Under an opt-in system, the owner of the data asks for your permission before going off and sharing it further.

The major difference? Think about who has the incentives and costs here. Under opt-out, a person has to continuously monitor what Facebook is doing; they can never expect that what is happening is something they previously ok’ed. Under opt-in, a person can rest easy knowing that no surprises will come along. Under opt-in, Facebook has the incentive to describe the benefits of sharing the information, in order to get users’ permission. Under opt-out, Facebook’s incentive is to not give much notice: the more notice they give, the more people will choose not to follow Facebook’s plan for sharing the data. Thus individuals are more informed under opt-in.

Facebook offers a lot of choice in privacy settings, which is a good feature. But they should stop taking liberties with data, and start asking for permission before spreading it.

This article shows exactly how Facebook is getting away with avoiding the “opt-in/opt-out” distinction:

“The only data that will be available is your profile picture and your name – and then only if you agree that your profile should be searchable,” said [Facebook privacy chief] Chris Kelly.

But the problem is they’re not asking if you agree: they’re assuming you do. Now 40 million people have to find out about this and edit their privacy settings. This instead of Facebook simply selling the program on its merits to users.

Posted: September 9, 2007