Google reaches settlement with FTC in Google Buzz privacy case

via BGR by Todd Haselton on 3/30/11

On Wednesday, the U.S. Federal Trade Commission announced it has reached a settlement with Google over its controversial Google Buzz social network. The FTC charged Google with using “deceptive tactics and [violating] its own privacy promises to consumers” when it launched Google Buzz — its Twitter-like social network — in 2010. The FTC’s proposed settlement will bar Google from “future privacy misrepresentations,” and requires that Google implement a comprehensive privacy program. The FTC has also called for regular, independent privacy audits during the next 20 years. “When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, chairman of the FCC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” The FTC argued that some Google users who declined to participate in Google Buzz were still enrolled in some features of the service. Similarly, it said that those who did decide to join Google Buzz were often confused on how to control the privacy settings.  This is not the only lawsuit that was brought against Google in relation to its Buzz service. In November 2010 Google was required to create an $8.5 million fund dedicated to “promoting privacy education on the web” as the result of a class action lawsuit.  Hit the jump for the full release. 

FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network 

Google Agrees to Implement Comprehensive Privacy Program to Protect Consumer Data

Google Inc. has agreed to settle Federal Trade Commission charges that it used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz, in 2010. The agency alleges the practices violate the FTC Act. The proposed settlement bars the company from future privacy misrepresentations, requires it to implement a comprehensive privacy program, and calls for regular, independent privacy audits for the next 20 years. This is the first time an FTC settlement order has required a company to implement a comprehensive privacy program to protect the privacy of consumers’ information. In addition, this is the first time the FTC has alleged violations of the substantive privacy requirements of the U.S.-EU Safe Harbor Framework, which provides a method for U.S. companies to transfer personal data lawfully from the European Union to the United States. 
“When companies make privacy pledges, they need to honor them,” said Jon Leibowitz, Chairman of the FTC. “This is a tough settlement that ensures that Google will honor its commitments to consumers and build strong privacy protections into all of its operations.” 
According to the FTC complaint, Google launched its Buzz social network through its Gmail web-based email product. Although Google led Gmail users to believe that they could choose whether or not they wanted to join the network, the options for declining or leaving the social network were ineffective. For users who joined the Buzz network, the controls for limiting the sharing of their personal information were confusing and difficult to find, the agency alleged. 
On the day Buzz was launched, Gmail users got a message announcing the new service and were given two options: “Sweet! Check out Buzz,” and “Nah, go to my inbox.” However, the FTC complaint alleged that some Gmail users who clicked on “Nah…” were nonetheless enrolled in certain features of the Google Buzz social network. For those Gmail users who clicked on “Sweet!,” the FTC alleges that they were not adequately informed that the identity of individuals they emailed most frequently would be made public by default. Google also offered a “Turn Off Buzz” option that did not fully remove the user from the social network. 
In response to the Buzz launch, Google received thousands of complaints from consumers who were concerned about public disclosure of their email contacts which included, in some cases, ex-spouses, patients, students, employers, or competitors. According to the FTC complaint, Google made certain changes to the Buzz product in response to those complaints. 
When Google launched Buzz, its privacy policy stated that “When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use.” The FTC complaint charges that Google violated its privacy policies by using information provided for Gmail for another purpose – social networking – without obtaining consumers’ permission in advance. 
The agency also alleges that by offering options like “Nah, go to my inbox,” and “Turn Off Buzz,” Google misrepresented that consumers who clicked on these options would not be enrolled in Buzz. In fact, they were enrolled in certain features of Buzz. 
The complaint further alleges that a screen that asked consumers enrolling in Buzz, “How do you want to appear to others?” indicated that consumers could exercise control over what personal information would be made public. The FTC charged that Google failed to disclose adequately that consumers’ frequent email contacts would become public by default. 
Finally, the agency alleges that Google misrepresented that it was treating personal information from the European Union in accordance with the U.S.-EU Safe Harbor privacy framework. The framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. To participate, a company must self-certify annually to the Department of Commerce that it complies with a defined set of privacy principles. The complaint alleges that Google’s assertion that it adhered to the Safe Harbor principles was false because the company failed to give consumers notice and choice before using their information for a purpose different from that for which it was collected. 
The proposed settlement bars Google from misrepresenting the privacy or confidentiality of individuals’ information or misrepresenting compliance with the U.S.-E.U Safe Harbor or other privacy, security, or compliance programs. The settlement requires the company to obtain users’ consent before sharing their information with third parties if Google changes its products or services in a way that results in information sharing that is contrary to any privacy promises made when the user’s information was collected. The settlement further requires Google to establish and maintain a comprehensive privacy program, and it requires that for the next 20 years, the company have audits conducted by independent third parties every two years to assess its privacy and data protection practices. 
Google’s data practices in connection with its launch of Google Buzz were the subject of a complaint filed with the FTC by the Electronic Privacy Information Center shortly after the service was launched. 
The Commission vote to issue the administrative complaint and accept the consent agreement package containing the proposed consent order for public comment was 5-0. Commissioner Rosch concurs with accepting, subject to final approval, the consent order for the purpose of public comment. The reasons for his concurrence are described in a separate Statement. 
The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 1, 2011, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted using the following web link: https://ftcpublic.commentworks.com/ftc/googlebuzz and following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions. 

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The complaint is not a finding or ruling that the respondent has actually violated the law. A consent agreement is for settlement purposes only and does not constitute an admission by the respondent that the law has been violated. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000. 

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. “Like” the FTC on Facebook and “follow” us on Twitter.

ATT and it’s Discriminatory Policy on Minorities @ it’s Retail Stores Which Violates the US Constitution

Lohan is currently locked in the middle of a constitutional battle with ATT Wireless over customers being able to pay cash for products (namely the iPhone 3G) @ their retail stores all over the country which ATT currently has a polity that only a credit card can be used.

The only thing is that ATT seems to ‘have neglected’ the fact the it violates 2 Supreme Court Rulings that all products available for sale @ a store must except legal notes issued by the US Treasury Department as payment for such item (namely cash).

Lohan is not letting up and is pressing ATT on the issue. Hopefully Lohan will not have to get the US Attorney General Civil Rights Division involved in the matter!

Don’t believe me? Call or visit any ATT retail store!

What do you think?

UE3 devs subpoenaed in SK / Epic suit

via Xbox 360 Fanboy by Richard Mitchell on 1/24/08

Shacknews reports that subpoenas have been served to several Unreal Engine 3 liscensess in a lawsuit against Epic games, filed by Silicon Knights last year. The subpoenas have been served in order to acquire the liscensees’ engine contracts as evidence in the upcoming trial. Specific liscensees are not named, though known liscensees include Square Enix, Ubisoft, 2K Boston/Australia, EA, and the US Army.

Mark Rein, Epic VP, stated, “I’m leaving the litigation to the lawyers but, if this is the case, I’d like to apologize to any of our licensees who Silicon Knights have inconvenienced.” And inconvenienced they may be. If submitted as unsealed evidence, the contents of the contracts could become public record, allowing anyone access to the trade secrets therein. Epic’s lawyers can move to seal the documents if this turns out to be the case.

The lawsuit was filed last July, with Silicon Knights claiming that Epic did not deliver final code for the Unreal Engine 3 on time, thus hampering the development of Too Human. The company further asserted that Epic purposefully sabotaged UE3 liscensees while promoting its own products such as Gears of War. Epic later filed a counterclaim and a motion to have the case dismissed. The motion was denied in November last year and both suits will come to trial.

[Via Joystiq]

N. Dakota Judge rules that "host -l" command constitutes hacking

via Download Squad by Christina Warren on 1/17/08

Filed under: ,

A North Dakota judge issued a ruling in Sierra Corporate Design v. Ritz that has some pretty stunning implications about the use of the “host -l” command when accessing DNS records. In the judgment (which was prepared by the plaintiff’s counsel and sent to the judge), the use of the “host -l” command is tantamount to computer hijacking and hacking.

For the uninitiated, when using the “host -l” command on a DNS server, the user will receive a list (hence the “l”) of all information pertaining to the domain’s zone file, assuming it has not been protected. The same way WHOIS returns information on the owner of a domain, “host -l” returns information about hosts on that domain.

And although this was a civil matter, this ruling could (and we stress could, no need getting ahead of ourselves) lead to “unauthorized” “host-l” usage to be deemed a criminal act, per North Dakota’s computer crime statute.

Before even discussing the merits (or lack thereof) of the case in question, this judgment just strikes us as uninformed, bizarre and wrong. The “host -l” command when accessing DNS records does not reveal any information that is not set for public display. The plaintiff’s contention in this case was that the information obtained by “host -l,” non-routable IP addresses, host names and domain registrations was not meant to be publicly accessible. Because the defendant was able to procure this information and published it in various USENET groups, the plaintiff claims that the act was a violation of the computer crime statute.

Here’s the problem: “host -l” will only show information that the administrator has allowed to be public. Just because it is a DNS command that many computer users are unaware of does not mean that leaving information that one wishes to remain undisclosed is safe.

Continue reading N. Dakota Judge rules that “host -l” command constitutes hacking

AACS LA Versus Digg, Google in DMCA Showdown Over Leaked Key

Beginning two weeks ago, attorneys for the licensing authority for the Advanced Access Copy System used in both Blu-ray and HD DVD issued letters to multiple Web sites and services, including search engines, demanding they remove direct references to a 32-hexadecimal digit code they claim is a processing key that could be used to circumvent DRM protection in HD DVD discs.

“It is our understanding that you are providing to the public the above-identified tools and services at the above referenced URL,” reads one letter sent by AACS LA’s attorneys to a representative of Google, “and are thereby providing and offering to the public a technology, product, service, device, component, or part thereof that is primarily designed, produced, or marketed for the purpose of circumventing the technological protection measures afforded by AACS (hereafter, the “circumvention offering”). Doing so constitutes a violation of the anti-circumvention provisions of the Digital Millennium Copyright Act.”

The letter goes on to demand the removal of references to four Web sites whose articles include the code, as well as to any other material where the code may appear, otherwise “failure to do so will subject you to legal liability.” In an extra bit of irony, the document filename in one of the four URLs the attorneys cite is actually the 32-bit code itself.

The key in question appears to be the same one discovered by the Doom9 Forum user whose screen handle is arnezami, back in February as reported then by BetaNews. What this user discovered, other forum members verified, was a media key that software could use to identify itself as a validly licensed media player of HD DVD discs. While Linux media players could theoretically read the code from HD DVDs, they cannot decrypt that code since AACS LA has thus far declined to issue licenses – and thus, licensed media keys as well – to creators of open-source software, who could theoretically share that code in the act of source code distribution.

Word does not travel as fast as those who repeat online what they read elsewhere online believe it to; and thus, the existence of the discovered media key was only widely reported after a Digg user posted a link to an article where that key happened to appear. That article, appearing Monday on the blog Rudd-O.com – almost two and a half months after the key’s discovery – begins with the key itself, explains its discovery on the Doom9 Forum, and links to a 17-page autobiographical feature of the fellows who found it on Doom9 (through Digg) and repeated it on Rudd-O.com, entitled, “Stickin’ It to the Man: The Illustrated Report of an Epic Event.”

That article which links to “Stickin’ It to the Man” was itself Dugg, by way of another blog post – this time entitled, “Spread This Number. Now.” – which the author then self-Dugg, and in so doing, generated by his count 15,492 Diggs (votes of approval from Digg.com users).

It is that article with the high Digg count which caught the attention of AACS LA’s attorneys, who immediately issued a takedown notice. At first, Digg complied, removing references to “Spread This Number” and other material. In an explanation on Digg’s corporate blog, CEO Jay Adelson wrote, “We’ve been notified by the owners of this intellectual property that they believe the posting of the encryption key infringes their intellectual property rights. In order to respect these rights and to comply with the law, we have removed postings of the key that have been brought to our attention.

“Our goal is always to maintain a purely democratic system for the submission and sharing of information,” Adelson continued, “and we want Digg to continue to be a great resource for finding the best content. However, in order for that to happen, we all need to work together to protect Digg from exposure to lawsuits that could very quickly shut us down.”

Digg also apparently suspended the accounts of individuals who provided the original Digg links, including the one to “Spread This Number,” as its author posted on his own blog last night. However, multiple Diggs to the original Digg, including comments generated there, apparently remained.

There was an immediate public outcry from Digg users – which, for a story that took two and a half months to germinate, is perhaps noteworthy. However, many of the thousands of comments posted to already long threads appear to consist of meaningless data, side discussions irrelevant to the topic, spam, and even cute little pictures drawn with ANSI characters.

Regardless of the substance of the protest, it was enough to provoke Digg’s executives to reverse their course. In a blog post late last night whose title actually includes the media key code, Digg founder Kevin Rose wrote, “Today was a difficult day for us. We had to decide whether to remove stories containing a single code based on a cease and desist declaration. We had to make a call, and in our desire to avoid a scenario where Digg would be interrupted or shut down, we decided to comply and remove the stories with the code. But now, after seeing hundreds of stories and reading thousands of comments, you’ve made it clear. You’d rather see Digg go down fighting than bow down to a bigger company.

“If we lose, then what the hell, at least we died trying,” Rose concluded. Exactly what action Digg takes from this point on was not stated.

Next: Much hexadecimal ado about &00H?

The entire uproar over whether the posting of a 32-hex digit code should be censored as copyright infringement or upheld like a banner of liberty, overlooks a fairly significant technical issue: specifically, whether the media key, discovered last February after all, still works.

Last month, AACS LA began its first wave of distribution of so-called revocation keys. Through Internet connections and through the distribution of new HD DVD discs, these keys are matches to media keys considered to have been compromised, and this list is believed to contain the now-celebrated 32-hex digit code.

Whether a site posting a software patch that contains revocation keys may, in so doing, be distributing the media keys that were compromised – and thus violating the terms of the DMCA, as maintained by AACS LA’s lawyers – remains to be seen.

Meanwhile, members of the Doom9 Forum, including arnezami, have been working since last month to apply a homebrew patch to Microsoft’s Xbox 360 HD DVD attachment drive, after having reverse-engineered the firmware from two drives to compare the differences in their code and determine the locations of secret keys. Their stated objective is to make it possible for software to decrypt the contents of a disc using its volume key only – which is more easily located.

If they are successful, then theoretically software could be permitted which enables Linux users to play HD DVD movies without a processing key at all, which would have made this whole two-and-a-half month discovery process another chronicle of wasted time.

In his Freedom to Tinker blog yesterday, engineer Ed Felten – who last year demonstrated the ease in which an unauthorized party could break into a Diebold voting machine – made a poignant comment about this whole affair.

“It’s hard to see the logic in AACS LA’s strategy here,” Felten wrote. “The key will inevitably remain available, and AACS LA are just making themselves look silly by trying to suppress it. We’ve seen this script before. The key will show up on T-shirts and in song lyrics. It will be chalked on the sidewalk outside the AACS LA office. And so on.”


Update ribbon (small)


5:35 pm May 2, 2007 – A spokesperson for the HD DVD Promotions Group denied to BetaNews late this afternoon that the organization had any involvement in the sending of takedown notices to Web sites and search engines. Press reports have cited, in addition to the AACS Licensing Authority, the HD DVD Promotions Group and the Motion Picture Association of America as being behind these notices; to the best of BetaNews’ knowledge, and based on the spokesperson’s comments to us, we believe these reports to be inaccurate.

[originating url]


High School principal sues students over fake MySpace page

high schoolA high school principal in western Pennsylvania is suing four former students who allegedly created a fake MySpace profile for the principal. He claims the page, which stated that he smoked pot, kept a keg of beer behind his desk, enjoyed pornography, and had sex with students, hurt his reputation and earning potential.

One of the students was suspended after the principal first learned of the profile. That student sued, saying the MySpace page was protected speech under the First Amendment.

Now the principal, who is currently at a different school is suing back for unspecified damages.

The thing is, it’s awfully easy to create a fake MySpace page. It’s probably too much to expect that anyone who fears they may be defamed in some way would create their own page first as a preemptive measure. But maybe we just need to not take things written on websites any more seriously than notes scrawled in bathroom stalls.

[via Techdirt]

[originating url]