This episode is definitely the most controversial and insightful in Season 5. In this article, I try to do some legal analysis of the schemes that I found intriguing in this show. This is NOT legal advice.

Data Privacy

The most incisive parts of the show follow the ways in which Smithereen’s vast data-mining operation envelops Chris as the company tries to figure out what he really wants from Bauer.

Image for post
Image for post

Privacy. Something you feel right about but your legs walk in a different direction. People like to complain about privacy and the commercialization of data, but it’s very difficult for them to switch from a major social media platform to a privacy-focused one. In order for privacy social apps to thrive and become mainstream, market competing and user gain is the key.

We get used to exposing our personal information including locations, connections, what we are doing and thinking on social media. Big companies control our data. After GDPR, tech companies are required to disclose a bunch of things including the information they collect, the business and commercial purpose for the collecting, and the third parties with which the information is shared, but still, the protection is insufficient. We can’t even prevent our data from being sold or transferred unless we delete the data or opt out. It’s difficult to cut out data consumption from social media companies, as the nature of them is profiting from data and ad. (Maybe we can fuel the platform/content production with cryptocurrencies? Will see)

In the movie, one thing that caught my eyes was the power that Smithereens own over Chris’ personal information. Legally speaking, Smithereens has the right to share the information, and even refuse to delete it on the basis that they feel necessary to maintain the personal information for “detecting security incidents and preventing fraud”, “completing the transaction,” or for“internal uses reasonably aligned with consumer expectations”. The staffs in Smithereens had a solid reason to access and use such information when their employee is in danger.

Image for post
Image for post

On the other hand, tech companies usually would comply with legal requests for data and use the data for law enforcement. I.e. Facebook, Twitter, Google all have policy terms of disclosure or data usage for the public good or law enforcement. As Smithereens is headquartered in California, they would find it very compelling to comply with the request from their home government. By far, the government most commonly use subpoena, followed by search warrants, pursuant to the Electronic Communications Privacy Act which regulates how a government agency can use these types of legal process to compel companies like Google to disclose information about users. If Smithereens is based in the UK, they would find it very difficult to comply with requests from the US government, as handing over data to a government that doesn’t have the same strict data-protection rules as the 27 member-state blocs of the European Union.

But wait, tech companies don’t necessarily have to comply with legal requests for data, and in fact, they have already refused to do so. Sometimes such request could be so broad and unnecessary, and tech companies might stick to their own standard of review. The courts have interpreted many times what the 4th amendment protects. In the digital age, this includes cellphone data, cellphone metadata, GPS car data, so by extension by extension it is possible that social media data is protected by the 4th amendment against unlawful searches and seizures by the government.

Anyways, Smithereens apparently voluntarily disclosed user information to government agencies before they even asked for it, for the purpose of protecting the safety and interest of the intern, the CEO and the company.

Password Security and Online Account as Property

A mom who tried to access her daughter’s Persona account got the password from Persona in the end. The password is given to her in plaintext, which reminds me of the news that Facebook has stored some user passwords in plaintext for years due to a string of error, so as to Twitter and G Suite.

Image for post
Image for post

How are your passwords stored? Generally speaking, they could be plain text, encryption or hashing, with safety levels range from the lowest on the left to strongest on the right. The girl’s password in the movie was apparently plaintext, which means that Persona internal staff can read the password and log in her account if they’d choose to do so. Also, her account would be subject to malicious attack if Persona database is hacked. In real life, tech companies usually hash or “salt” the passwords, using functions like scrypt as well as a cryptographic key that irreversibly replace the actual password with a random set of characters. However, it still happens from time to time that they have bugs (?!?) that fuck this up and expose millions of users’ password in a readable format.

Probate and intestacy laws’ relevance to social media is further complicated by the fact that social-media assets’ “property” status remains unclear. In re Estate of Ellsworth, Yahoo! provided the copies of the decedent’s email to his father complying with a court order, however, the court did not grant the father’s request of accessing the account. We don’t know whether social media accounts are properties, but if they are, we still need to know if these account are transferable. Some ToS include terms such as “No Right of Survivorship and Non-Transferability”, in which case it’s very difficult to inherit the accounts from the decedent. If there’s no such term, then her spouse/children/parent might get the intestate estate. The mom here could claim that her daughter’s Persona account is an intestate estate, in which case that the mom would legally inherit it from her because there’s no will, she doesn’t have a spouse or any children. Also, the fact that the content in the account would substantially facilitate estate administration might favor the mom’s request of getting copies of her daughter’s social media content.

Is Persona liable for giving the mom her daughter’s account password? If the above “intestate estate” statement can’t hold up in court, the account would not become the mom’s property. By giving a password to a third person without the user’s permission, Persona might face an allegation of data breach, as they infringed the user’s right of privacy under the 4th amendment, also they breached the contract where the ToS usually specifies how the data should be shared and who to share with.

To be continued:

Written by

Adding meat to a skeleton

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store