
Data v. Privacy


EDPB Hints at the Need for Post-Quantum Cryptography in New Data Transfer Recommendations

June 26, 2021 by Eric Reagan

The European Data Protection Board (EDPB) issued its final recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data last week. The recommendations provide additional guidance for international transfers to countries without an Article 45(3) adequacy finding.

Appropriate Safeguards and Technical Supplementary Measures

Getting to the heart of Schrems II and Article 46 transfers subject to appropriate safeguards, the EDPB notes “[a]n essentially equivalent level of protection to that guaranteed within the EU must accompany the data when it travels to third countries outside the EEA to ensure that the level of protection guaranteed by the GDPR is not undermined, both during and after the transfer.” EDPB Recommendations 01/2020 at 9.

As we’ve learned, standard contractual clauses and other Article 46 transfer tools are not bulletproof alternatives to an adequacy finding. Even when using SCCs and other transfer tools containing “appropriate safeguards,” the EDPB points out that other “supplementary measures” may be required “to ensure an essentially equivalent level of protection.” Id. at 13.


Filed Under: GDPR, Privacy Tech Tagged With: Crypto, Cryptography, EDPB, Edward Snowden, Encryption, GDPR, PKI, Post-Quantum Cryptography, private key, public key, Quantum Computing, Quantum Threshold, Schrems, Schrems II, Shor's algorithm, Snowden

Supreme Court Refuses to Extend CFAA to Employer’s Computer Policies in Van Buren v. United States

June 10, 2021 by Eric Reagan

The Computer Fraud and Abuse Act of 1986 (CFAA) has been used for 35 years to prosecute cybercriminals and recover damages in civil suits. Increasingly, the bad actors pursued under the CFAA have been employees who violated company policies by accessing information that the technical controls placed on their employer-issued credentials allowed them to access.

The distinction between such employees and other bad actors is that their employers’ policies prohibited them from using the information in a manner that the employer didn’t like. Unlike the third-party hackers that come to mind when you think of computer fraud and cybercriminals, the employees were given credentials to use their employers’ computer systems in order to access the files within.

The core behavior at issue in Van Buren was whether a computer user who has authorized access to the computer system (in a technical sense) runs afoul of the CFAA if the user’s purpose in accessing the data is prohibited by the terms of their computer use policy.


Filed Under: Cybersecurity Tagged With: Access Controls, CFAA, Computer Fraud and Abuse Act, Computer Policy, Cybersecurity, data scraping, exceeds authorized access, LinkedIn, Privilege Escalation, Supreme Court, Van Buren, Van Buren v. United States

Apple iOS 14.5 and the Power of Privacy by Default

May 23, 2021 by Eric Reagan

Apple made sweeping changes to the privacy settings available to users in iOS 14.5, dubbed App Tracking Transparency (“ATT”). The new operating system has been publicly available since April 26, 2021 and has advertisers and app makers losing their collective minds at the reality of losing the ability to track users.

While iPhone users have previously had a degree of control over which apps on their phones can track them across the web, iOS 14.5 moves from an Opt-Out design to an Opt-In design. The difference is staggering and gives us a taste of the privacy benefits we receive when our ubiquitous devices adopt a privacy by default framework.


Filed Under: Privacy Tech Tagged With: advertising, Android, App Tracking Transparency, Apple, Article 25, GDPR, iOS, iPhone, marketing, Opt-In, Opt-Out, Privacy by Default, Privacy by Design, privacy tech

AMG v. FTC: Supreme Court Kneecaps FTC’s Privacy Enforcement

April 24, 2021 by Eric Reagan

In AMG v. FTC, the Supreme Court undercut FTC’s privacy enforcement capability with its holding that “Section 13(b) [of the Federal Trade Commission Act] does not authorize the Commission to seek, or a court to award, equitable monetary relief such as restitution or disgorgement.”

The Court cited the differing appellate court interpretations of relief available under Section 13(b) in granting cert to the question presented.

Background of FTC Monetary Relief

The key administrative enforcement history is summarized by the Court as follows (emphasis added):


Filed Under: US Privacy Law Tagged With: 13(b), Enforcement, Fines, FTC, Penalty, US Privacy Law

Is Data Scraping Public Websites a Data Breach?

April 16, 2021 by Eric Reagan

Hot on the heels of more news of Facebook’s data leak affecting 533 million users, we continue to hear about a similarly-sized “breach” of LinkedIn data that affects another 500 million or so users. The word “breach” is being thrown around in reports of both incidents when the data appears to have been (at least, somewhat) publicly accessible.

Are these data events actually breaches? Should they be considered breaches?

Facebook’s 533 Million User Records

According to Facebook, at some point prior to September 2019, someone scraped over 530 million Facebook users’ “publicly available data” using Facebook’s own contact importer tool.

At the time, you could upload phone numbers en masse to see which ones matched existing Facebook users. This vulnerability is what Facebook believes led to the “public access” of its users’ data.

Facebook is adamant that the data was public and, thus, fair game for scrapers to access. Private information was not scraped. Accordingly, Facebook’s position is that there was no breach. However, this explanation doesn’t necessarily match other news reports.

LinkedIn’s 500 Million User Database

As for the LinkedIn data breach/leak, all reports so far seem to confirm the same factual scenario. Data of some 500 million users was scraped from publicly accessible pages on LinkedIn.com.

On April 6, 2021, the LinkedIn dataset was then spotted up for sale on a hacker forum for a “4 digit minimum price.”

Multiple sources confirmed a sample set of the data was legit and then the “LinkedIn Data Breach!” articles started making their rounds.

LinkedIn took the same public position as Facebook did with its phone-number data incident — this was no “data breach.”

What is Data Scraping?

Depending on who you ask, data scraping is either a simple tool to efficiently aggregate data that’s on the web or a nefarious process by which cybercriminals steal data in violation of a website’s terms of service. In many cases, it’s a gray area somewhere in between.

Commonly, a program is used to automatically load (and even interact with) a webpage and gather data from the page. That data is then collected in a file or database for further processing or distribution.

There are plenty of code-based ways to scrape data, ranging from relatively simple Python scripts using Beautiful Soup or Selenium to a vast array of commercial SaaS applications like Web Scraper or ParseHub. These tools allow the user to target specific portions of web pages and then parse the data to fit their needs.

Is Data Scraping Legal?

Again, it depends on who you ask. However, publicly-facing websites in the United States have a bit of an uphill battle in light of the recent 9th Circuit Court of Appeals ruling in hiQ Labs, Inc. v. LinkedIn Corp., No. 17-16783 (9th Cir. 2019).

hiQ Labs v. LinkedIn: A Data Scraping Case for the Ages

In hiQ Labs v. LinkedIn, the Ninth Circuit addressed a dispute between the two companies over hiQ’s business model that involved scraping the LinkedIn public-facing website. If this is an area relevant to you, it’s a great case to read but the facts and analysis are a bit lengthy – weighing in at 38 pages for the full case.

In short, the dispute appears to have surfaced after a dustup when LinkedIn started offering a product that competed with what hiQ was providing to its customers. Until then, the parties appeared to cooperate somewhat. LinkedIn threatened to sue hiQ if it didn’t stop scraping data, which was a technical violation of LinkedIn’s terms of service.

hiQ then sued LinkedIn, seeking an injunction that would prevent LinkedIn from blocking hiQ from its website. Additionally, hiQ asked for a declaratory judgment that LinkedIn couldn’t invoke the Computer Fraud and Abuse Act (CFAA), which it had previously threatened in a cease and desist letter.

The federal district court granted a preliminary injunction in hiQ’s favor, which the Ninth Circuit affirmed. The case is now awaiting a certiorari decision from the US Supreme Court.

Whatever the outcome, this fight is far from over as the battle is presently only focused on whether a preliminary injunction is appropriate. However, the Ninth Circuit made some important and relevant statements surrounding the legality of data scraping on public websites.

  1. hiQ’s business interests outweigh the privacy interests of LinkedIn’s users.
  2. LinkedIn’s act of barring hiQ’s access may amount to a tortious interference of contract claim for the contracts between hiQ and its customers.
  3. “It is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.”

The Ninth Circuit did give LinkedIn a tip – even if the CFAA is unlikely to apply – that “state law trespass to chattels claims may still be available.”

Might a state law trespass to chattels claim be the only way to prevent continuous scraping of your webservers sitting in your own data center?

hiQ’s Business Interest vs. Darkweb Data Broker’s “4 digit minimum price”

The Ninth Circuit’s bright-line public data access characterization makes it tough to tackle a nefarious data scraper with a CFAA charge — like for LinkedIn’s aggregated data that’s currently up for sale. It’s also consistent with LinkedIn’s position that the scrape was not a data breach.

Unless the Supreme Court reverses this line of holdings, the CFAA is going to be useless against bad actor data scrapers. (As a quick aside, we’ll get a sneak peek at the current Supreme Court’s feelings on the CFAA’s meaning of “without authorization” in the upcoming Van Buren v. United States ruling, which was argued before the Court back in November 2020.)

Turning the CFAA into a “terms of service violation = federal felony” law seems like it would open a can of worms that will yield disastrous results. The data scraping balancing act likely needs to fall somewhere in the gray area between welcomed public service actions (e.g., COVID-19 data research and aggregation, etc.) and aggregate-personal-data-for-sale-on-the-dark-web.

In the US, it seems like a comprehensive federal privacy law might be able to address a matter like this. Important questions for Congress to consider when addressing these data scraping issues are:

  1. determining where the line is drawn on the good-actor/bad-actor spectrum of scrapers
  2. how (as hiQ notes in its certiorari opposition brief) chilling effects of First Amendment access to publicly accessible speech are balanced, and
  3. determining whether and when the disclosure of aggregated personal data that is otherwise individually available on a public-facing website becomes a data breach (and who has the responsibility of disclosure to those affected)

Filed Under: Data Breach Tagged With: data breach, data scraping, Facebook, hiQ, LinkedIn, Ninth Circuit, Supreme Court, web scraper, web scraping

Copyright © 2025 · DatavPrivacy.com