Do you have a reasonable expectation of privacy in social network posts? No, here is why …

There is no reasonable expectation of privacy in information you post on social networking sites, regardless of what privacy setting you use.

That is the rule that can be taken from Nucci v. Target Corp., a recent opinion from an appellate court in Florida. The court’s rationale is set out below, with citations omitted:

We agree with those cases concluding that, generally, the photographs posted on a social networking site are neither privileged nor protected by any right of privacy, regardless of any privacy settings that the user may have established. Such posted photographs are unlike medical records or communications with one’s attorney, where disclosure is confined to narrow, confidential relationships. Facebook itself does not guarantee privacy. By creating a Facebook account, a user acknowledges that her personal information would be shared with others. “Indeed, that is the very nature and purpose of these social networking sites else they would cease to exist.” 

Because “information that an individual shares through social networking web-sites like Facebook may be copied and disseminated by another,” the expectation that such information is private, in the traditional sense of the word, is not a reasonable one.
As one federal judge has observed,

Even had plaintiff used privacy settings that allowed only her “friends” on Facebook to see postings, she “had no justifiable expectation that h[er] ‘friends’ would keep h[er] profile private. . . . ” In fact, “the wider h[er] circle of ‘friends,’ the more likely [her] posts would be viewed by someone [s]he never expected to see them.” Id. Thus, as the Second Circuit has recognized, legitimate expectations of privacy may be lower in e-mails or other Internet transmissions.

We distinguish this case from Root v. Balfour Beatty Construction, LLC. That case involved a claim filed by a mother on behalf of her three-year-old son who was struck by a vehicle. Unlike this case, where the trial court ordered the production of photographs from the plaintiff’s Facebook account, the court in Balfour ordered the production of a much broader swath of Facebook material without any temporal limitation—postings, statuses, photos, “likes,” or videos—that relate to the mother’s relationships with all of her children, not just the three-year-old, and with “other family members, boyfriends, husbands, and/or significant others, both prior to, and following the accident.” The second district determined that “social media evidence is discoverable,” but held that the ordered discovery was “overbroad” and compelled “the production of personal information . . . not relevant to” the mother’s claims. Id. at 868, 870. The court found that this was the type of “carte blanche” irrelevant discovery the Florida Supreme Court has sought to guard against. The discovery ordered in this case is narrower in scope and, as set forth above, is calculated to lead to evidence that is admissible in court.

Thanks to my friend Dale Rodriguez for bringing this case to my attention.

Podcast: #DtR Episode on Lines in the Sand on “Security Research”

You really need to hear this podcast where we draw lines in the sand staking out what is — and what is not — security research

The #DtR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] invited me to tag along for another episode of the Down the Security Rabbit Hole podcast.

Also joining us for this episode were Chris John Riley (@ChrisJohnRiley) and Kevin Johnson (@SecureIdeasllc).

You can click here to see a list of the topics we covered in this episode or just jump straight into the podcast.

Let us know what you think by tagging your comments with #DtR on Twitter!

Podcast: DtR NewsCast of Hot Cyber Security Topics

I had the pleasure of joining the DtR Gang for another podcast on Down the Security Rabbit Hole and, as usual with this bunch, it was more fun than anything — but I learned a lot as well. Let me just tell you, these guys are the best around at what they do and they’re really great people on top of that!

This episode had the usual suspects of Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst), though James was riding passenger in a car and could only participate through IM. Also joining as a guest along with me was Philip Beyer (@pjbeyer).

Go check out the podcast and let us know what you think — use hashtag #DtR on Twitter!

Thank you Raf, James, Michael and Phil — this was a lot of fun!

Podcast: CFAA, Shellshock and Cyber Security Research — What the Heck Do We Want?

Today I had a blast doing a podcast on the CFAA, Shellshock, and cyber security research with Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst) — in fact, we had so much fun that I suspect Raf had quite a time trying to edit it!

The starting point for our discussion was a recent article written by security researcher and blogger Robert Graham (@ErrataRob) titled Do shellshock scans violate CFAA?

As I mentioned on the show, when I first saw Robert’s article, I viewed it with skepticism. However, after actually reading it (yeah, I know — makes sense, right?), I found the article to be very well written, sound on the principles and issues of the CFAA — in my view, Robert did a great job of framing some key issues in the debate that definitely needs to happen.

From the article, our discussion expanded to a general discussion of the Computer Fraud and Abuse Act, the confusion over how it applies to “security research,” and whether it is even possible for Congress to “fix” the CFAA.

I do not think Congress is able to “fix” the CFAA right now for many reasons. However, I believe we pointed out some additional issues that must be taken into consideration during the public debate in determining what we as a society really value and want on these issues. Until “we the people” can figure that out, I see no way for Congress to “fix” this law, which means the Common Law method is what we are left with.

Anyway, this post is just skimming the surface — Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Thank you Raf, James and Michael — this was a lot of fun!

The Law and the Hacker – Podcast on the Computer Fraud and Abuse Act

Not too long ago I had a nice visit with Rafal Los (@Wh1t3Rabbit), who is otherwise known as the Chief Security Evangelist for HP and blogs at Following the Wh1t3Rabbit – Practical Enterprise Security. Raf is one dude you really need to follow if you’re interested in #infosec.

Anyway, our discussion was centered around the Computer Fraud and Abuse Act and how it applies to hackers. Raf turned this into a really nice podcast so check it out: Down the Security Rabbithole.

Responsiveness and Responsibility Are Considered in Assessing Data Breach Fines

About a year and a half ago I wrote a post titled Data Breach – Who’s Gonna Get it? where I made the point that, much like with Ford’s “bean counting” with the Pinto deaths back in the ’70s, companies that were aware of the risk of data breach but did not act responsibly were going to get it. The message, that is. While my post anticipated receiving that message from a jury, the point is no different when it comes to having a message sent by the Office of Civil Rights or some other governmental agency. When something bad happens, as it inevitably does, people instinctively want to know whether it was truly an unfortunate circumstance or whether it was because of willful neglect. That is, were they trying to “do right” or did they just not care? If it is the former, they will usually cut you some slack; if the latter, you’re going to hang!

This point was confirmed in a recent interview with the Director of the Office of Civil Rights, Leon Rodriguez, who indicated that the OCR will take into consideration how a company responds to a data breach in deciding whether to assess monetary fines.

Rodriguez expects the coming year will see a higher number of data breaches being reported, partly as a precipitate of an increase in data analytics and risk assessment procedures, but adds that entities that respond decisively and responsibly to data breaches most likely won’t be the subject of monetary enforcement.

If you want to read more, check out the full article with Rodriguez’s interview: OCR looking for ‘high level of sensitivity’ in data breaches | Government Health IT.

Don’t let your company be “that company” — now is the time to be proactive in putting policies and procedures in place to help prevent a data breach or, should one occur, be prepared to respond in a responsible way so that your company doesn’t “get the message.” Give me a call or send me an email, I’ll be happy to talk with you about these issues and any others.

-Shawn Tuma (469.635.1335 /

Privacy and Cyber Legislation Pending in the 112th Congress

Computer hacking, data breach, data privacy, and information security have dominated the news lately and created a sense of urgency in Congress to “do something” to fix the problems. Over the last few days I have searched the web for a source to keep me updated on all of the cyber-legislation that is currently pending in the 112th United States Congress. I have been unable to find such a source, so I have resorted to a rather crude search of the Library of Congress’ “Thomas” website — this is my first “search” of Thomas for such purposes, so I can’t guarantee the accuracy of my research. Since I am going through the trouble myself, however, I thought I would share it with you as well.

The following is an over-inclusive (by a long shot) list of the current legislative initiatives that I have found that appear to be privacy or cyber related. Initially, I went through and linked each bill to its Thomas summary but then, after going through that whole process, learned the hard way that Thomas times out after 30 minutes and the links were useless. As my teenage daughter would say, that was a FAIL! So, we’ll just have to use a workaround — go HERE and type in the Bill Number and it will take you to the Thomas page where you can find the text and summary of the legislation as well as track its status and find other helpful information.

H.R.76 : Cybersecurity Education Enhancement Act of 2011

H.R.102 : Photo Identification Security Act

H.R.108 : Voting Opportunity and Technology Enhancement Rights Act of 2011

H.R.174 : Homeland Security Cyber and Physical Infrastructure Protection Act of 2011

H.R.220 : Identity Theft Prevention Act of 2011

H.R.352 : To permit members of the House of Representatives to donate used computer equipment to public elementary and secondary schools designated by the members.

H.R.423 : Member Address Privacy and Protection Act

H.R.427 : To amend the Internal Revenue Code of 1986 to provide a 5-year recovery period for computer-based gambling machines.

H.R.484 : Personal Privacy Clarification Act

H.R.592 : Sunshine in Litigation Act of 2011

H.R.611 : Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act / BEST PRACTICES ACT

H.R.653 : Financial Information Privacy Act of 2011

H.R.654 : Do Not Track Me Online Act

H.R.685 : Checkpoint Images Protection Act of 2011

H.R.877 : To express the sense of Congress that Federal job training programs that target older adults should work with nonprofit organizations that have a record of success in developing and implementing research-based technology curriculum designed specifically for older adults.

H.R.948 : Embedded Mental Health Providers for Reserves Act of 2011

H.R.1059 : To protect the safety of judges by extending the authority of the Judicial Conference to redact sensitive information contained in their financial disclosure reports, and for other purposes.

H.R.1136 : Executive Cyberspace Coordination Act of 2011

H.R.1187 : Fix HIT Act of 2011

H.R.1261 : Chief Technology Officer Act

H.R.1279 : Aircraft Passenger Whole-Body Imaging Limitations Act of 2011

H.R.1389 : Global Online Freedom Act of 2011

H.R.1509 : Medicare Identity Theft Prevention Act of 2011

H.R.1528 : Consumer Privacy Protection Act of 2011

H.R.1538 : Social Security Identity Defense Act of 2011

H.R.1707 : Data Accountability and Trust Act

H.R.1841 : Data Accountability and Trust Act (DATA) of 2011

H.R.1895 : Do Not Track Kids Act of 2011

H.R.2004 : Technology Security and Antiboycott Act

H.R.2089 : Technology Helps Revamp, Evaluate, and Expedite Designs Act of 2011

H.R.2096 : Cybersecurity Enhancement Act of 2011

H.R.2102 : FCC Commissioners’ Technical Resource Enhancement Act

H.R.2125 : Electronic Paycard Protection Act of 2011

H.R.2168 : Geolocational Privacy and Surveillance Act

(Discussion Draft) “Secure and Fortify Electronic Data Act” or the “SAFE Data Act” (Introduced 6/10/11)

H.RES.98 : Expressing the Sense of the House of Representatives that the Commissioner of the Food and Drug Administration should give the greatest weight in making critical policy decisions to readily available hard science data, including evidence from the natural sciences, physical sciences, and computing sciences.

H.RES.175 : Expressing the sense of the House of Representatives that in order to continue aggressive growth in the Nation’s telecommunications and technology industries, the United States Government should “Get Out of the Way and Stay Out of the Way”.

S.1 : American Competitiveness Act

S.8 : Tough and Smart National Security Act

S.21 : Cyber Security and American Cyber Competitiveness Act of 2011

S.193 : USA PATRIOT Act Sunset Extension Act of 2011

S.224 : Stalkers Act of 2011

S.257 : Small Business Broadband and Emerging Information Technology Enhancement Act of 2011

S.290 : USA PATRIOT Act Sunset Extension Act of 2011

S.372 : Cybersecurity and Internet Safety Standards Act

S.413 : Cybersecurity and Internet Freedom Act of 2011

S.539 : Behavioral Health Information Technology Act of 2011

S.611 : FCC TECH Act

S.643 : Fix HIT Act of 2011

S.799 : Commercial Privacy Bill of Rights Act of 2011

S.801 : Information Technology Investment Management Act of 2011

S.813 : Cyber Security Public Awareness Act of 2011

S.848 : Consumer Information Enhancement Act of 2011

S.890 : Fighting Fraud to Protect Taxpayers Act of 2011

S.913 : Do-Not-Track Online Act of 2011

S.1011 : Electronic Communications Privacy Act Amendments Act of 2011

S.1050 : Fourth Amendment Restoration Act

S.1070 : Fourth Amendment Restoration Act

S.1073 : A bill to require the Attorney General to establish minimization and destruction procedures governing the acquisition, retention, and dissemination by the Federal Bureau of Investigation of certain records.

S.1075 : A bill to provide judicial review of National Security Letters.

S.1125 : USA PATRIOT Act Improvements Act of 2011

S.1151 : Personal Data Privacy and Security Act of 2011

S.1152 : Cybersecurity Enhancement Act of 2011

S.1159 : Cyberspace Warriors Act of 2011

S.1199 : Protecting the Privacy of Social Security Numbers Act

S.1207 : Data Security and Breach Notification Act of 2011

S.1212 : Geolocational Privacy and Surveillance Act

S.1223 : Location Privacy Protection Act of 2011

S.RES.35 : A resolution expressing support for the designation of January 28, 2011 as National Data Privacy Day.

S.AMDT.141 to S.23 : To clarify that section 14 shall not apply to an invention that is a computer program product or system used solely for preparing a tax or information return or other tax filing.

If you find that something is missing and should have been included, please let me know and I’ll make the addition. Better yet, if you know of a website that has this information and keeps it updated, let me know — I’ve never been much on reinventing the wheel!