The FTC is seeking comments on its new (just released!) revisions to their rules for administering the Children’s Online Privacy Protection Act (COPPA).   The current Rule has been in place since 2005, and a few things have transpired online in the meantime (things like geolocation, the rise of social media, and a host of other things now too pervasive even to warrant a mention).  This most recent review began in 2010, and is genuinely a big deal for any industry that either deals with kids under the age of 13, or specifically does not want to deal with kids under the age of 13.  In other words, pretty much anyone doing anything online.

The big changesinclude definitions that take geolocation and tracking cookies into account, new parental notice mechanisms (a long-needed change), and increased oversight of safe harbor programs. 

Obviously, the comment periodwill bear watching (comments are due by November 28, 2011), and we will all look closely as the Rule comes into being sometime in the next few months.  Privacy on the Internet is always a major concern for adults, but regulator focus on children’s privacy cannot be overstated.

Apparently, while I was spending several months in a courtroom and away from this blog (although not from Twitter!) the state of California officially became ambivalent about social media and the Internet Age more generally.   Of course, as is usually the case, California’s discomfort may create rules for the rest of us.

Allow me to explain.

This next paragraph represents a completely simplistic and borderline inaccurate description of our government, but is important to understand why California has such an out-sized impact in our country: In the United States, we like to think of ourselves as having a federalist system: the individual states make most of the rules unless there’s a law or regulatory scheme at the Federal level.  But implicit in all of this is that the laws of one state don’t have much of an impact on the laws of another state — that’s why, for example, states can’t collect the sales tax spent on companies with no presence in their borders, permitting Amazon and Zappos to thrive and local merchants to seethe with anger.

But some states are more important than others.  It doesn’t behoove companies to have 50 different approaches to their customers, so they often craft their policies to fit the states with the most customers, or the most significant risks.  Thus, a single state can often impact how the rest of us interact with our consumer experience.

California is often that state.  And now, in two separate bills, California’s legislature is trying to get out in front of the national debate on Internet privacy by creating rules that will, in all likelihood (and for better or worse) affect us all.

The first bill, SB242, would force social networking sites to let users set their privacy settings when they register, rather than after they’ve already joined (and often never will).  The bill would also force those same sites to default to certain privacy settings to keep more information private.   Of course, the social media sites are opposed, saying that all of this limits consumer choice, but the legislators who introduced the bill are not impressed, and a $10,000 fine per violation could easily add up to real money for even the largest sites.

The other bill, SB761, would create the “do not track” rules that privacy advocates have hoped for on the Federal level for some time.  The bill, which is far reaching in its scope, would effectively prevent websites from tracking their users.

At all.

In other words, you can effectively opt out of any of the benefits that companies get from interacting with you, even as you interact with them.  This goes quite a bit further than, say, Jay Rockefeller’s proposal in the U.S. Senate introduced this week, a bill that does include exceptions that industry believes to be necessary for modern e-commerce.

Now will these California proposals become law? Probably not in their current forms, but in this atmosphere of paranoia about Internet privacy it is not at all a bad bet that something will pass.  And if it does, social media sites (and, in fact, almost everyone who does business on the ‘net) will have to decide how far they can go in carving out California customers for special treatment, and whether they will simply have to give America the rules that California has chosen.

Having served on the hiring committee at my law firm for many moons, and having interviewed law students for far too many years to admit to in a public forum, I was struck by this article:

While most of the focus has been on the marketing potential of data captured by Internet data companies such as Experian and Rapleaf, not many users of social networking sites have yet considered the impact of companies using it to build a snapshot of their lives for assessing credit or insurance applications or employment prospects.

Should employers be looking at Facebook pages or other social networking sites?  How much of a background check is appropriate, or worthwhile?  At what point does a brief perusal of publicly available information become an exercise in trying to live your own episode of the Rockford Files? 

This is, of course, less a question with a single answer for everyone than a question with different answers for different companies and even different states (and different positions — you might reasonably take greater care in hiring someone to handle large cash transactions than someone who will be raking your leaves).  But the really critical issue raised by this article and many others like it is not, really, what anyone should individually do as an employer — different companies will make decisions based on a variety of issues some of which are unique to their industry.  Instead, the issue to consider is that an entire generation (and presumably, all  generations after this) is being raised in an atmosphere where mistakes are never forgotten, and oversharing is the norm.

Teenagers, by definition, are error prone.  They make mistakes of judgment, and have since time immemorial.  Until recently, most of those mistakes were cleansed by the passage of time.  If a 19 year-old in 1956 did something foolish, in most cases they could put it behind them.  In fact, if someone did something foolish at any time prior to 1995, they could probably put it behind them, so long as they weren’t going into politics.

Today’s teenagers are not so lucky.  While teenagers today are just as oblivious as to the impact of their behavior as they always were, now, as the Violent Femmes might sing, there really is a Permanent Record.  Worse, the permanence of the Internet appears to be largely ignored by users of social media, who don’t seem to know or care that they are potentially creating an archive of ill-advised activity for future employers (or spouses!) to peruse. 

I suspect that the legal impact of this development will fade over time — when the teenagers of today are the senior managers of 2046.  They’ll be able to properly empathize with those who drunk-Tweeted 140 uncomfortable characters about their date last night.  In the meantime, and for the next several decades, we can expect a variety of troubling stories of jobs lost, or never obtained, because of poor social media hygiene.

The Wikileaks controversy has quite a bit to say about the future of social media, and about information culture more generally.  In particular, this controversy tells us that in the future there may be more secrets, rather than fewer ones.

I’m sure that conclusion seems quite counterintuitive: after all, didn’t Julian Assange just rock the diplomatic world with his dump of hundreds of thousands of diplomatic cables?  Doesn’t the easy electronic transfer of documents render this type of thing more likely in the future?  Isn’t this just the beginning of a new age where transparency is the norm?

Well, yes and no.  We are entering a new age of transparency – for you.  Everyone will know more about you, and your secrets, and every detail of your private existence (just check out Gary Shteyngart’s  hilarious Super Sad True Love Story to see this notion taken to its logical and horrific conclusion).  But perversely, the inclination will now be for governments and large commercial institutions to hold real secrets about themselves even more tightly to their chests.  With data security a more pressing issue, fewer people will be permitted to see real confidential information.  More telephone calls and less documentation may become the norm.   The trend towards fewer secrets may render real secrets all the more difficult to know.

Nearly every technological development over the past several years has been devoted to capturing data.  Document management systems and data mining, e-mail archives and browser cookies — all of these things and so many more are devoted to finding and maintaining data.  But if the growth of electronic media has resulted in the dawn of an age where nothing is ever forgotten, it is suddenly becoming apparent that a lot of folks miss that option.  People want to have their mistakes erased, they want to be able to step away from that drunk moment on Twitter.  But they can’t.  Individuals are becoming like flies caught in amber, a series of embarrassing moments frozen in time forever.  Companies and governments, however, can act with a bit more intentionality.  With an understanding of how e-discovery works, and the knowledge that Wikileaks is out there as an option for disgruntled ex-employees, many folks will see an advantage to holding cards closer than ever to their chests, which can make the process of public disclosure far more challenging, and perhaps impossible.

So our two futures may exist in paraellel — one, where everything is known, and another where everything is disclosed but the real secrets are never revealed.

The Federal Trade Commission has been busy.  Hot on the heels of a new set of Green Guides regulating environmental claims, yesterday the FTC unveiled a new proposed framework for consumer privacy.  Entitled (appropriately enough): “Protecting Consumer Privacy In An Era of Rapid Change,” this document is the result of many months of roundtable meetings with industry and consumer groups.  While this is just a proposal (public comments are being sought until January 31, 2011) there is little question that new guidelines of some kind will be put in place next year, and will probably follow some (although not all) of this document.  So what does it mean?

The proposals from range from the banal (everyone should have clearer, more concise privacy policies) to the potentially dramatic (the idea of a “do not track” button on websites to protect against data mining).  Of course, that last item is the one that drew the headlines.  But how much of this will actually become a reality?

Be assured that the banal items will all become elements of the future guidelines.  Companies will almost certainly need to become more transparent and clear in their privacy practices, and the FTC’s long-standing concerns in this regard are likely to remain a continuing element of its enforcement approach.  The dramatic elements of the report are, however, far less likely.  To begin with, it is not clear that the FTC even has the power to enact something like “Do Not Track” on its own authority, and David Vladeck, director of the FTC’s consumer protection bureau, said “I do not think that under the F.T.C.’s existing authority we could mandate unilaterally a system of ‘do not track.”  Given the fact that Congress will be shared by two parties with quite different views of balance between business and consumer interests, it seems unlikely that Congress will act on that point anytime soon.

So while this is an important document, and reveals much about the way in which the FTC staff is thinking about privacy issues online, neither businesses nor consumers should presume that the most significant proposals will become industry requirements in the near term.  However, they do reflect the tension that continues to build between the benefits of data mining for business and the concerns of consumers.  That tension is unlikely to dissipate, and will almost certainly result in more enforcement and more litigation in the coming years — whether Do Not Track becomes a reality or not.

As always, there have been a variety of new stories swirling around social media and its discontents over the past week.  This week, the big stories have been all about security:

1. Firesheep: A software developer created a Firefox extension that allows users to easily abscond with cookie information over Wi-Fi networks.  The creator claims that his invention is harmless.  Others argue that it violates wiretapping statutes.  Everyone agrees that it is a dramatic development, especially because half a million people downloaded it in the first week.  Perhaps that open Wi-Fi network doesn’t look so appealing anymore…
2. A report circulatedthat Twitter, Facebook and others in the industry are not doing enough to combat security threats like, um, Firesheep.
3. Sensing a theme, another developer announced “Idiocy” designed to hijack the computers of “unsafe” Twitter users and tell them that they’re…well…idiots.
4. Random journalists and bloggers are now hijacking accounts, just to show that they can.  Now that waterboarding yourself has become passe, journalists have been forced to actually become tech savvy, apparently.  I will predict that we can look forward to Katie Couric using Firesheep to look at the Facebook account of Glenn Beck sometime during sweeps week.

So what does all of this mean?  It means that users of social media and — quite frankly — any non-encrypted website through public Wi-Fi networks need to strongly consider either using VPNs (virtual private networks) or encrypted connection programs like HTTPS Everywhere. 

This should hardly be a surprise, of course.  The earliest cyberspace sagas (like Neuromancer) were focused on hackers breaking into secured computer networks.  At this point, the hacker is a cultural archetype.  Now that everyone is on a computer network (social media has sped the trend to an almost surreal extent), it only makes sense that these efforts would be further democratized.  Now everyone can be a hacker.

This is not one of those stories that has a simple, happy ending.  Everyone needs to be aware, and everyone needs to be cognizant of the risks.  The sophistication of security measures increases no faster than the sophistication of folks who want to look at or steal your information.  As Prof. Moody would tell us, “constant vigilance” is the only recommended course of action — for all of us.