Our law firm has received thousands of calls from actual or potential clients who were concerned about false, disparaging, or defamatory comments that were made about them on the internet. These comments were made by known or unknown individuals on websites, blogs, or forums such as Twitter, Facebook, Yelp, Reddit, or Instagram. The callers were obviously disconcerted and wanted to know the available legal remedies.

The federal Communications Decency Act (“CDA”) that is codified under 47 U.S.C. Section 230 has a direct effect on online defamatory comments that are made on social media platforms. This federal statute states that Congress finds the following:

(1) The rapidly developing array of Internet and other interactive computer services available to individual Americans represent an extraordinary advance in the availability of educational and informational resources to our citizens.

There are a series of online scams that have been taking place in the recent years. The culprits are becoming more sophisticated as they’re coming up with new schemes. The law enforcement agencies have been trying to keep up with the new schemes. However, given their limited resources, it is a challenging task. Nonetheless, our law firm has been representing clients in state and federal courts who have been victims of online scams.

Online auction scams have become prevalent on the internet. For example, the scammer gets involved in the online auction and purchases the item by overpaying for it via an international money order. Then, the seller who is eager to sell the item to the buyer in good faith, sends the item along with the overpayment. So, at the end, the seller loses the item and the funds.

Online rental and real estate scams involve the same type of practice where the scammer poses as the interested renter or buyer and sends the funds towards the seller or landlord. Then, the scammer reneges on the deal and requests a refund. The seller or landlord returns the funds but later realizes the initial check was counterfeit.

Doxing has become a major problem on the internet since it usually violates the victim’s privacy rights. It is a form of unwarranted harassment and stalking on the web as the culprit shares the victim’s personal information with the general public and encourages them to target the victim. Hence, the victim could feel exposed on the internet and be left without legal protection.

The doxing party reveals personal information about a person or legal entity on the web in a typical case. The doxing party is usually savvy in extracting personal information from third-party websites or in hacking electronic devices. This personal or private information is illegally obtained in violation of the victim’s privacy in an effort to annoy or harass him or her for no legitimate purpose. In other words, it is an act that constitutes “harassment” under the applicable statutes such as California Code of Civil Procedure section 527.6.

There have been many doxing incidents in the past years. For example, there was doxing of abortion providers wherein their personal information was exposed to the general public. The court held this violation was considered an incitement to violence and not subject to free speech rights. Hacktivists called the “Anonymous Group” have been responsible for exposing information of law enforcement agents as an effort to retaliate against investigations. They have also released information about the Ku Klux Klan in reference to the shooting of Michael Brown. In addition, there have been misidentification incidents in connection with the Boston Marathon bombing on Reddit where Sunil Tripathi was mistakenly identified as a suspect.

We’ve already described the definition of doxing in the prior article. We will turn to the various doxing methods and relevant laws. Doxing works by tracking someone’s information by accessing the internet or other databases. Big data has allowed individuals to extract personal information which was impossible to find in the past. Nowadays, the doxing party can track usernames, run a WHOIS search on a domain or website, engage in phishing activities, look into social media profiles, go through state/federal government records, tracking an Internet Protocol (“IP”) address, or conduct a reverse phone number lookup. The doxing party can also engage into what is referred to as “packet sniffing” which can be prevented by using a virtual private network.

The doxing party (i.e., culprit) can release the victim’s sensitive or personal information on the internet and instruct others to harass or intimidate the victim. There have been instances of such transgressions in recent years. For example, a popular adult dating website was hacked and the users’ private information was released into the web. Obviously, this incident was embarrassing for the adult dating website and its members. There have been other incidents where the victim had engaged in questionable conduct and was targeted on the internet.

Is doxing illegal?

The question is what is doxing and what are the laws? Doxing, which is short for dropping documents, takes place when the malicious actor gathers personally identifiable information and publicly discloses it to annoy, harass, intimidate, or stalk the victim for no legitimate purpose. The malicious actors engage in these types of activities to publicly humiliate or target their victims. For example, they may intentionally identify law enforcement personnel or show off their hacking abilities.

How does doxing work?

The malicious actors utilize different techniques for their doxing activities. They can hack, social engineer, or steal personal and confidential information. They can gain access to the victim’s email account and extract private information from the victim’s account. They can break into web-based accounts such as social media, cloud storage, or bank records. They can also use the same email address and password to gain access to other accounts. There have been incidents where the malicious actors used the victim’s Department of Homeland Security username and password to gain access to its network.

We have explored the nature and capabilities of augmented and virtual reality (“AR/VR”) technologies in previous articles. We have discussed how these technologies can collect, store, and share personal or confidential information with third parties. The user information that’s collected may be stored and shared for financial gain in most situations. The third-party service providers (e.g., Google, Microsoft, Facebook, Instagram, Twitter) that have access to these technologies may conduct data analysis to learn more about their users through behavioral marketing. The AR/VR technology manufacturers may implement some type of user surveillance for profit. However, it should be noted that these practices should be conducted with the user’s knowledge and authorization.

Now, with that being said, the users should be protected by the state, federal, and international legislators and policymakers. The legislators and policymakers should consider implementing the proper safeguards within their laws that would protect the consumers. We have mentioned the main issues in previous articles which, include, but may not be limited to, data privacy and cybersecurity. Data privacy is a key component to any kind software and hardware technology. There have been multiple cases where the manufacturer failed to implement user protection safeguards. The Federal Trade Commission (“FTC”) has prosecuted legal actions against manufacturers and other commercial organizations. For example, In the Matter of Zoom Video Communications, Inc., Zoom was required to implement a robust information security program to settle allegations that it had engaged in a series of deceptive and unfair practices that undermined user security. In addition, in another case, LifeLock was forced to pay $100 million to settle contempt charges that it violated the terms of a federal court order that required it to secure consumers’ personal information and prohibited it from deceptive advertising. The FTC has been charged with the task of prosecuting consumer fraud. Please refer to https://www.ftc.gov/enforcement/cases-proceedings/terms/249 for more information.

Regulatory uncertainty plays an important role in the future of AR/VR technology since many of the existing laws do not address each and every issue. Although the existing laws provide certain guidance to the device and application manufacturers, however, there are certain and cognizable loopholes that should be addressed by state, federal, and international legislators. So, for example, there should be clarity on the scope of tracking software that has been implemented in the technology. Also, on a side note, there should be a way to fully disclose the technology’s capabilities and to obtain user consent – i.e., the device and application manufacturers should provide an opt-out option to avoid unfair, deceptive, or misleading advertising. It’s important to note that the FTC Act (codified under 15 U.S.C. §§ 41-48), under Section 5, grants the federal agency the right to file legal actions. The term “unfair or deceptive acts or practices” includes such acts or practices involving foreign commerce that: (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States. So, in essence, the federal agency promotes transparency and disclosure in order to properly inform and protect consumers.

The technology that we are using on a daily basis provides certain and cognizable advantages and disadvantages. The advantages are great and have allowed the public to have access to a wide range of options. The disadvantages, include, but are not limited to, security and privacy discrepancies. Technology operates to enhance a business model, idea, or operation. This is usually done by collecting and selling information for profit. These types of data collection and marketing activities have been heavily regulated by state and federal agencies in recent years. However, with every new technology, there will be new challenges.

Augmented and virtual reality technologies are no different from other types of technologies in that they are fully capable of being abused when they fall into the wrong hands. Augmented and virtual reality software or hardware applications are designed to enhance user experiences by storing and sharing information across the network. This information may include personal or confidential information that would not otherwise be accessible by third parties. Nonetheless, the designers or manufacturers of these applications make it much easier to gain access and share information with third parties – e.g., marketing or advertising agencies – which pay an incentive for gaining access to them.

The state and federal legislators should pay close attention to these technologies and their operation mechanisms so they can update existing laws and implement new laws that would properly address consumer-related issues. Now, if the AR/VR technologies are collecting health or medical information, the Health Information Portability and Accountability Act (“HIPAA”) comes into play. Also, if the AR/VR technologies are collecting a minor’s information, then the Children’s Online Privacy Protection Act (“COPPA”) would be applicable.

Augmented and virtual realities are cutting-edge technologies that are changing the world. Now, with that comes a significant amount of legal issues such as cybersecurity, privacy and regulations at the state, federal, and international levels.

Augmented reality (“AR”) technology is currently being used by several companies such as Nintendo, IKEA, Instagram and Snapchat. Virtual reality (“VR”) technology has been used by companies such as Oculus Rift, PlayStation, and HTC Vive.

The courts have been grappling with online or offline violations for many years. Now, with the advent with these technologies, they will be facing new issues related to online or e-commerce transactions. The question is how will the courts deal with street crimes in the virtual world? What if a known or unknown individual engages in “indecent exposure” or “virtual groping” against another person? What if the culprit commits a tort (e.g., negligence, invasion of privacy, intentional infliction of emotional distress) against the victim in the AR/VR world? What if the victim’s privacy is invaded by spreading his or her intimate pictures or videos towards unauthorized parties?

Our law firm’s attorneys have been able to manage unexpected data breaches since they take place on a regular basis. Our legal team and group of technology experts have implemented specific protocols to mitigate the damages. One of the most important factors is assessing your company’s security weaknesses which may include proper training of all personnel including full/part-time employees and independent contractors. Training is a key factor and should be conducted in a methodical manner. The information technology department should implement the procedures for setting up personnel training sessions.

The first step is to setup a framework for proper incident responses. Then, incident notification procedures should be published for all personnel and should be part of the hiring process. The company should be able to validate the data breach by examining the information. All sensitive and confidential documents (e.g., trade secrets) should be protected and preserved on a regular basis. The incident response team should immediately investigate and monitor the breach. The company should mitigate the damages by securing electronic devices and the stored information. Also, the company should ensure the existing encryption software is functional, and if not, it should be replaced with another type of encryption software. The data owners should be formally notified since their information has been affected by the data breach. In most cases, law enforcement officials should be notified about the data breach. Finally, the company should assess and improve its data breach and incident response plans to avoid similar problems in the future.

Any organization that collects, stores, or manages sensitive or confidential information is susceptible to cyberattacks. Therefore, it must setup and manage a proper incident response plan. It must be able to engage in preventive and reactive measures such as proper data retention policies. The chain of custody in preserving information is a key factor. So, the data must be located, identified, and protected to avoid unnecessary complications. Data protection and preservation are key components from a legal perspective. The organization should have access to legal counsel to prepare for potential legal actions. The legal team should work closely with the Incident Response Team (“IRT”) to protect confidential client information such as medical or financial records. This way, the attorney-client privilege can be properly established by them.

Data breach incidents require a quick response from the information technology team and their experts. They are responsible for investigating the incident, notifying the affected parties, and contacting law enforcement agencies. The business operations should not be interrupted by these data breach incidents which is a difficult task. In other words, business continuity is one of the main complications that the targets face in these situations.

The hackers use various methods to infiltrate and extract valuable information such as trade secrets and private or confidential information. This information should be protected by using suitable methods. The private and confidential information should be stored on internal and external storage devices. They should be backed up on a regular basis and protected by using encryption technologies. We recommend using strong encryption algorithms which meet the minimal technical requirements that can be implemented by a qualified technology expert. This is important since the confidential information that can be stolen may include sensitive corporate, medical, and financial records. So, obviously, there are mandatory notification protocols in every jurisdiction.

California Civil Code Sections 1798.29(a) and 1798.82(a) require a business or state agency to notify any California resident whose unencrypted personal information was acquired or reasonably believed to have been acquired by an unauthorized person.