Trial and Error: VPN Continues to Disappoint

The last time I wrote I said I would be trying Nord VPN to see how well it worked to allow me to access bank and office email when traveling. Today, I’ll tell you why I gave up using it. This may tell you more about me, however, than about Nord VPN. My primary reason for using a VPN was to be able to access bank sites from hotel rooms. (I’d hate to think the stock market fell and I couldn’t sweat the details that evening!)

I found it too difficult to use such sites after I logged in. Many times, my fix was to turn the VPN on to log in, then turn it off to download transactions into my financial software. Some banks regard the use of a VPN as a red flag for fraud, particularly if you appear to be logging in from a foreign country.

(I haven’t found that myself).

I looked on the internet to see what I could do and was disheartened by the complexity of it all.

Maybe I am spoiled by the ease of using an iPhone but I was hoping this would work without having to troubleshoot settings.

Bottom line: VPNs do not appear to be a ready and easy way to safely use unprotected Wi-Fi connections. Your cellular phone connection is safe.

(I sure hope so.)

If you can’t use your laptop via cellular, you can use your phone to change your password, use the laptop on the unsecured network, then use the phone to change the password back.

(Or am I missing some other problem?)

Beware the Pitfalls of Public WiFi

Public WiFi networks may seem harmless; users connect to them every day in coffee shops, airports, bars and other places. But most users do not realize the extent to which their personal information, passwords, logins and other sensitive data can be exposed when they connect to an unsafe public WiFi network. While not all such connections are dangerous, you can never be confident that your information is secure when you use one. Thus, for example, as tempting as it might be, you should not access your financial accounts or make credit card purchases over public WiFi. That is, unless you use a VPN (virtual private network).

A VPN (virtual private network) service encrypts the connection between the user’s device and the provider’s server, whether the user is at home, at the office or on public WiFi. Someone on the same WiFi network then sees only encrypted traffic flowing to the VPN server, not the sites being visited or the data exchanged with them, so a VPN can make using public WiFi considerably safer. Note that the protection covers only that first leg: from the VPN server onward, traffic is only as protected as the destination site’s own encryption (HTTPS) makes it.

Note that I said that a VPN “can” create a secure connection and “can” make using public WiFi safer. That is because not all do. Some still rely on outdated tunneling protocols with known weaknesses, and many let traffic slip around the tunnel altogether. A 2015 academic study of 14 commercial VPN services found that 11 of them let all IPv6 traffic bypass the tunnel, and that many were also vulnerable to having their DNS lookups hijacked.1

So what is one to do? If you try to research VPN providers you soon run into a salad of acronyms that is likely only understood by those who already know what to do about Internet security. For example, you would learn that a secure VPN must carry IPv6 traffic through the tunnel as well as IPv4, because a client that only redirects IPv4 leaves the hotspot’s IPv6 route in place, and any site reachable over IPv6 is then contacted directly, outside the tunnel. The study found that “all desktop VPN clients tested, except for Private Internet Access, Mullvad and VyprVPN, leak the entirety of IPv6 traffic.”2 See what I mean?

I failed at trying to understand the technology. But I found an easy answer in a current article in PC Magazine.3 This article rated several VPN providers favorably. I’m giving one a try and will let you know how it goes next time.

_______________________________________________________________________

1 V.C. Perta, M.V. Barbera, G. Tyson, H. Haddadi, and A. Mei, A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients, Proc. Privacy Enhancing Tech., 2015 (1): 77–91 (available online at http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf).
2 Id. at 81.
3 The Best VPN Services of 2017, PC Magazine (Nov. 27, 2017) (available online at https://www.pcmag.com/article2/0,2817,2403388,00.asp).

The Border Search Exception to the Warrant Requirement

You are sitting in O’Hare airport or in a Starbucks in Tucson, Arizona skyping with a friend when an ICE agent approaches you, asks you to produce evidence of your legal presence, and demands that you hand over your laptop and cell phone and give him the passcodes. You refuse. Can he detain you or confiscate your devices? Maybe.

The Supreme Court has long recognized that the “border search exception to the warrant requirement” allows the government to conduct searches and seizures at or near the international border without reasonable suspicion. United States v. Martinez-Fuerte, 428 U.S. 543, 561-62 (1976). Under it, the government may conduct warrantless searches of laptop computers and cell phones at the border without any reasonable suspicion of illegal content. United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008). In the Ninth Circuit, however, an agent must have “reasonable suspicion” (though still not a warrant supported by probable cause) to conduct an extensive forensic search of a laptop. United States v. Cotterman, 709 F.3d 952, 957 (9th Cir. 2013) (en banc).

The border search exception applies well beyond the geographic border itself. It applies anywhere within a zone extending 100 miles from such borders and from all ports of entry. See 8 C.F.R. § 287.1(a). About two-thirds of the US population lives within this zone. Thus, without reasonable suspicion, ICE agents can stop you throughout much of the USA and inquire as to your immigration status. If they do, you would be subject to immediate deportation, without getting the opportunity to go before a judge, unless you can establish your legal presence in the country. See M. Shear & R. Nixon, “New Trump Deportation Rules Allow Far More Expulsions,” New York Times (Feb. 21, 2017) (available online at https://www.nytimes.com/2017/02/21/us/politics/dhs-immigration-trump.html).

Arguably, if you were overheard conversing in Spanish or a foreign language unintelligible to the agent (Arabic?) and aggressively objected to the agent’s demands, the agent could determine reasonable suspicion and, on that basis, could confiscate your devices and conduct an extensive forensic search. If you did not have identification establishing legal presence, the agent could detain you until you can provide such proof. Happy travels.

Privacy of Nonparty Patients

The public has a right to every man’s evidence, unless that evidence is protected by a constitutional, common-law, or statutory privilege. How should this doctrine apply where a litigant seeks discovery of the identity of a nonparty patient who may have been a witness to negligence or malpractice? At what point is the right to evidence trumped by a patient’s right to privacy? When addressing such questions, courts distinguish the situation where disclosure of a nonparty patient’s identity would reveal nothing more than the fact that the person was a patient from the situation where such disclosure would reveal the nature of the person’s ailment or treatment.

Thus, an Arizona court allowed discovery of the identity of a hospitalized patient who may have witnessed events relevant to a malpractice claim brought on behalf of his hospital roommate. The court allowed such discovery on the basis that revealing that a person was a patient in a particular hospital room on a particular day would not reveal anything of importance about the nature of his ailments or treatment.1 Along similar lines, a New York court allowed discovery of the identities of nonparty patients in an emergency room because, due to the wide range of services and medical conditions treated in an emergency room, disclosure of their identities would not violate their right to keep their personal health information confidential.2

In contrast, a New York court did not allow discovery of the identities of patients in a cardiac rehabilitation center who may have witnessed an injury that was the subject of a lawsuit.3 This court did not allow such discovery because it necessarily would have revealed the nature of their ailment. It would have revealed “that they were undergoing treatment for cardiac-related conditions.” One might expect a court following this reasoning to bar discovery of the identity of a nonparty patient if it required revealing that they were receiving treatment in a particular part of a hospital (such as cancer radiation) or were hospitalized in a facility that provided a particular kind of care (such as a cancer or orthopedic specialty hospital).
_______________________________________________________________________
1 Carondelet Health Network v. Miller, 221 Ariz. 614, 212 P.3d 952 (App. 2009).
2 Rabinowitz v. St. John’s Episcopal Hospital, 24 A.D.3d 530, 808 N.Y.S.2d 280, 282 (2005).
3 Gunn v. Sound Shore Med. Ctr., 5 A.D.3d 435, 772 N.Y.S.2d 714, 715 (2004).

3rd Circuit Ruling in FTC v. Wyndham Affirms Broad Governmental Authority Under Section 5

In a much anticipated decision, the Third Circuit recently upheld the Federal Trade Commission’s authority to bring enforcement actions against businesses that fail to abide by the “standard of care” for data security. Federal Trade Commission v. Wyndham Worldwide Corporation, No. 14-3514 (3d Cir. Aug. 24, 2015). Wyndham challenged the FTC’s suit, arguing that negligent security practices are not an “unfair practice” and that the FTC had failed to provide adequate notice of what constitutes the standard of care in this context. The Third Circuit, like the trial court before it, disagreed. It held that the data security practices the FTC alleged could be an “unfair” business practice under 15 U.S.C. § 45(a), otherwise known as § 5 of the FTC Act, because a company that “publishe[d] a privacy policy to attract customers who are concerned about data privacy, fail[ed] to make good on that promise by investing inadequate resources in cyber security, and thereby expose[d] its unsuspecting customers to substantial financial injury, and retain[ed] the profits of their business” does not act equitably.

The Third Circuit also rejected Wyndham’s due process argument that it lacked fair notice of the standard of care, holding that Wyndham was not entitled to know with “ascertainable certainty” the FTC’s interpretation of what cyber security practices § 45(a) requires. The Court explained that Wyndham had adequate notice of the standard because § 45(n) of the Act defines unfairness using the usual tort cost-benefit analysis: a practice is unfair if it causes substantial injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits. See United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947). Nothing more is required to satisfy due process concerns in this context.

Prior to the Wyndham decision, courts generally held that the economic loss rule precludes a claim for negligent data security practices. E.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 967-973 (S.D. Cal. 2014) (dismissing such claims under both Massachusetts and California law on the basis of lack of a “special relationship”). The question remains open whether Wyndham defines a special relationship and tort duty that would preclude application of the economic loss rule. Keep an eye on this space for further developments.

Privacy and Security on the Internet of Things

Like it or not, technology is becoming inextricably entwined with the fabric of our lives. Our cars, our homes, even our bodies are collecting, storing and streaming more personal data than ever before. Gartner, Inc. forecast that the number of connected “things” would reach 4.9 billion in 2015, up 30 percent from 2014, and 25 billion by 2020.

We are moving toward a world where just about everything will be connected. Yes, this will include smartphones, computers and tablets. It will also include everyday objects like car keys, thermostats and washing machines. Google is even developing ingestible microchips that could serve as “electronic tattoos.” This disruptive shift, known as the Internet of Things (IoT), will be a powerful force for business transformation. Soon all industries and all areas of society will be impacted directly by the transition.

As companies evolve to adapt to meet the consumer expectations in this new uber-connected world, they must be aware of the risks involved. No, I’m not talking about machine turning on man in a Terminator-like scenario. But make no mistake, the challenges and risks for both businesses and consumers are no less scary than a shape-shifting cyborg.

In the rush to jump into this connectivity, companies will face multiple considerations. Strategic decisions might involve an upgrade in technology, a move to cloud-based storage, or network integration of all new products or services. However before taking any action, it is essential to weigh the privacy and security risks that go hand in hand with the collection of personal data.

While data breach might be the first risk that comes to mind, there are a number of legal issues that could become major problems if not addressed.

Data Security

The IoT will create massive amounts of data that will necessarily be linked to personal identifying information to be useful. Employees, customers and affiliates will be interacting with countless devices all day long, usually without being aware they are doing so. There will be many new and perhaps unforeseen opportunities for data breaches.

Unintended Consequences

Designers and manufacturers of devices for the IoT may be accountable for unintended consequences. We have already seen instances of persons taking over video cameras connected to computers to “spy” on people. It’s not a stretch to think that these spies will also monitor devices connected to the internet to find out when a home is unoccupied.

Liability

The IoT will rely on devices to perform many tasks that are now subject to the risks of human error. Even with the best of designs there will be questions of where liability falls when, for example, a self-driving car or some other autonomous device malfunctions or is otherwise involved in an untoward outcome. There will likely be an evolving body of law establishing the allocation of fault in such circumstances.

Regulation

The federal and perhaps state governments will regulate the IoT. Such regulations will impact how organizations design and use IoT devices. As in other fields, regulation can both strengthen and impair an organization’s position in its market. Proactively addressing such issues can save an organization considerable expense and allow it to better control its risk.

Companies and organizations must plan for the regulations, potential liabilities, and consumer privacy issues related to the IoT now to avoid crippling legal nightmares later. In the absence of regulations, corporations will need to be cognizant of the need to self-regulate by developing and enforcing an effective set of best practices. While the “Internet of Things” may sound futuristic, in reality… the future is now.

Leon Silver is a co-managing partner at Gordon & Rees’ Phoenix office, Chair of the firm’s Retail & Hospitality Practice Group and a member of the firm’s Commercial Litigation, and Privacy & Data Security Practice Groups. Andy Jacob is a member of the Appellate and Commercial Litigation Practice Groups.