MONEY privacy

Will the New Consumer Privacy Bill Protect You?


A proposed law would beef up your rights when your data is leaked or stolen.

Legislation that would establish new nationwide privacy protections for American consumers was introduced by a group of high-profile Democratic senators on Thursday, including Pat Leahy (Vermont) and Elizabeth Warren (Massachusetts). The Consumer Privacy Protection Act would establish federal standards for notification of consumers when their data is lost or stolen, greatly expand the definition of private information beyond financial data, and allow existing state privacy laws to remain in force. Geolocation data and images would be covered by its data leak disclosure rules, for example.

“Today, data security is not just about protecting our identities and our bank accounts, it is about protecting our privacy. Americans want to know not just that their bank account and credit cards are safe and secure, they want to know that their emails and their private pictures are protected as well,” Sen. Leahy said. “Companies who benefit financially from our personal information should be obligated to take steps to keep it safe, and to notify us when those protections have failed.”

Consumer groups cheered the proposal, saying it offered a fresh approach to consumer privacy.

“This is a step forward. This is the first time you get something new in federal legislation. Usually it scales back (protections) in state law,” said Justin Brookman, director of consumer privacy at the Center for Democracy and Technology. “It’s good to see some new thinking on the issue, something that actually adds new protections for a lot of people.”

“Everyone from the NSA to the local grocer has become a consumer of our data. So many pieces of our data are being collected, stored, shared and sold, either without our knowledge or ability to understand the process,” said Adam Levin, privacy expert and chairman and founder of Credit.com. “It is long overdue that we expand the definition of ‘personally identifying information’ as well as the protections necessary to safeguard our privacy and data security and require quick notification when our PII is exposed.”

The legislation would require social media firms or cloud email providers to notify consumers if their accounts are compromised, Brookman said. Currently, most disclosure rules apply only to financial information such as credit card numbers.

The legislation comes on the heels of a similar White House proposal called “The Consumer Privacy Bill of Rights Act of 2015,” but goes several steps further than the administration’s proposal, said Susan Grant of the Consumer Federation of America. The White House proposal would allow federal law to supersede state laws, potentially diminishing consumer rights. It also requires demonstration of actual harm before requiring notice.

“(We believe) that federal legislation will only be helpful to consumers if it provides them with greater privacy and security protection than they have today. Most of the bills that we have seen in Congress would actually weaken existing consumer rights and the ability of state and federal agencies to enforce them,” Grant said. “(This bill) takes the right approach, requiring reasonable security measures, providing strong consumer protection and enforcement, and only pre-empting state laws to the extent that they provide less stringent protection.”

Most significant: The legislation creates entire new classes of protected information. Private information is divided into seven categories. Compromise of any one of them would require companies to notify consumers. They are:

  1. Social Security numbers and other government-issued identification numbers;
  2. Financial account information, including credit card numbers and bank accounts;
  3. Online usernames and passwords, including email addresses and passwords;
  4. Unique biometric data, including fingerprints;
  5. Information about a person’s physical and mental health;
  6. Information about a person’s geolocation;
  7. Access to private digital photographs and videos.

Leahy has repeatedly proposed legislation since 2005 that would establish a nationwide notification standard called the Personal Data Privacy and Security Act; it has not passed. While co-sponsors of this new bill include Al Franken (Minn.), Richard Blumenthal (Conn.), Ron Wyden (Ore.) and Edward J. Markey (Mass.), there are, notably, no Republican co-sponsors. That probably dooms the bill, says Brookman.

“They didn’t get a GOP co-sponsor, and that’s not a great sign. Still, having the bill out there is good for dialog on the issue,” he said.

This article originally appeared on Credit.com.

TIME Advertising

YouTube Is Targeting Kids With ‘Deceptive’ Ads, Advocates Say

Groups have filed an FTC complaint over ads on new video app

Google’s new child-friendly version of YouTube has too many ads that target kids, consumer advocates say.

The new app, YouTube Kids, offers a streamlined version of the massive video site with a focus on kids’ content. But consumer advocates say the large number of ads and ad-like programming in the app run afoul of rules that regulate how advertisers can market to children on television.

In a complaint filed with the Federal Trade Commission, advocates say YouTube Kids ignores television advertising safeguards that prevent businesses from jamming kids’ television shows full of marketing messages. For example, YouTube Kids hosts branded channels for corporations such as McDonald’s and Fisher-Price that feature programming that could be thought of as commercials, which is a practice that is limited on traditional TV, according to the complaint. Advertising and programming are too intermixed within the app for developing children to distinguish between the two, the complaint says. “There is nothing ‘child friendly’ about an app that obliterates long-standing principles designed to protect kids from commercialism,” Josh Golin, associate director of Campaign for a Commercial-Free Childhood, said in a press release that calls YouTube Kids “deceptive.”

YouTube has pushed back against the complaint, arguing that an ad-supported, free platform is a great offering for kids. “We worked with numerous partners and child advocacy groups when developing YouTube Kids. While we are always open to feedback on ways to improve the app, we were not contacted directly by the signers of this letter and strongly disagree with their contentions,” a YouTube spokesperson said in an email.

Signatories of the complaint included the Center for Digital Democracy, the Campaign for a Commercial-Free Childhood and the American Academy of Child and Adolescent Psychiatry.

TIME apps

Everything You Need to Know About Snapchat’s New Emoji Feature

Different levels of emojis show a hierarchy of friendships

Snapchat has launched a major update that allows users to recognize their closest friends, but it’s based on a fairly complicated tier system of emojis.

A series of Friend Emojis will now appear on incoming snaps from people you connect with the most, reports Tech Crunch.

The new feature replaces the public ‘Best Friends’ list, which was ditched last year after privacy concerns. Previously, anyone in a user’s contact list could see who they sent the most snaps to. But Friend Emojis are totally private and only the user can see them.

To break it down, there are six possible emojis that will appear next to the six people you snap with the most, including a gold heart next to your absolute BF. You’ll see a smirk if you are their BF but they are not yours. Here are others explained:

There’s also a ‘Needs Love’ section that reminds you to connect with old friends you haven’t snapped with in a while. And as part of the same update, Snapchat has introduced a new camera mode that can be used in low-light.

[Tech Crunch]


TIME celebrities

Get Out of Your Car Within 100m of George Clooney’s Italian Villas and You’ll Be Fined Up to $550


Drive on sir, nothing to see here

The mayor of Laglio, Italy, has warned that anyone who sets foot within 100 meters of George and Amal Clooney’s twin luxury villas overlooking Lake Como will be fined up to €500 ($550).

Robert Pozzi, mayor of the small picturesque village in northern Italy, issued the ordinance to protect Clooney, his wife Amal and their guests’ privacy while they vacation in their glitzy properties, reports the Telegraph.

Anyone who leaves their car or boat within 100 meters of Clooney’s Villa Oleandra and adjoining Villa Margherita will be liable to pay the hefty fine.

The Gravity and Oceans 11 star bought one of the exclusive villas in 2002, but after fans and paparazzi flooded the town and set up camp near his home, Clooney bought the adjoining property to ensure his privacy.

Before the couple’s wedding last year, a similar exclusion zone was enforced around the homes to protect the pair from snooping photographers.

[Telegraph]

MONEY privacy

It Took Just One Email to Compromise the Leaders of the Free World


Many of the world leaders who attended last year’s G20 summit in Brisbane had their personal data compromised. The cause? Human error.

Whether an autofill mishap or a “What in the name of God were you thinking?” move, somebody’s shrimp is on the barbie at Australia’s immigration department after an officer there emailed President Obama’s passport number and other personal information to an organizer at the Asian Cup football tournament. And before you think otherwise: Yeah, it matters.

An Australian freedom of information request recently revealed that the personally identifiable information (PII) of many of the world leaders who attended last year’s G20 summit in Brisbane — including President Obama, Russian President Vladimir Putin, German Chancellor Angela Merkel, China’s President Xi Jinping, India’s Prime Minister Narendra Modi, Japan’s Prime Minister Shinzo Abe and UK Prime Minister David Cameron — was accidentally leaked by a government employee. Worse, there was an attempt to sweep this mess under the rug.

The freedom of information request revealed that an immigration official notified Australia’s privacy commissioner about the walkabout presidential/prime ministerial PII shortly after the misdirected email was received by its startled recipient.

“The personal information which has been breached,” an email notifying the privacy commissioner stated, “is the name, date of birth, title, position nationality, passport number, visa grant number and visa subclass held relating to 31 international leaders (i.e., prime ministers, presidents and their equivalents) attending the G20 leaders summit.”

“The cause of the breach was human error. [Redacted] failed to check that the autofill function in Microsoft Outlook had entered the correct person’s details into the email ‘To’ field. This led to the email being sent to the wrong person.

“The matter was brought to my attention directly by [redacted] immediately after receiving an email from [the recipient] informing them that they had sent the email to the wrong person.

“The risk remains only to the extent of human error, but there was nothing systemic or institutional about the breach.”

The decision not to inform any of the world leaders was based on the fact that the recipient of the wayward email had deleted it from their computer and then deleted the deleted email from the “deleted items” folder.

The Inevitable Weak Link

Unlike code, with its right/wrong, open/closed approach to data, humans make a lot of mistakes. Sometimes those mistakes have catastrophic results. The Target breach is a good example of this. The retailing icon didn’t properly segment data, and someone at a heating and air conditioning company with a Target contract, and unknowing access to far more systems than anyone could have imagined, clicked on a phishing link in a fraudulent email that ultimately allowed hackers to access its point-of-sale systems — in other words, human error. Subsequently, multiple warnings from Target’s own security protocols — indicating the presence of malware — were overridden by someone(s), also human error.

In the G20 instance, the damage was most likely not great — at least to the world leaders in question. That said, Steve Wilson, a principal analyst focusing on digital identity and privacy at Constellation Research told the Guardian, “What I’d be worried about is whether that level of detail could be used to index those people in different databases to find out more things about them.”

Wilson went on to hypothesize: “If you had access to other commercial data sources you could probably start to unpack their travel details, and that would be a security risk.”

Now comes the unavoidable question: When it involves the protection of a president or prime minister, is “most likely safe” an acceptable standard? For a government employee to send out such internationally sensitive information in an email and for a privacy commissioner to decide not to notify anyone that the breach had occurred needs to get tagged as “human error” as well. (If anyone should know better, one would assume it might be the “privacy” commissioner, yes?) One of the more crucial protocols in a data compromise is transparency, at least with respect to those who have been exposed. If you’re not aware of the fact that you are in harm’s way, how can you possibly protect yourself?

You may remember the scene in the 2006 remake of the Pink Panther where Clouseau, played by Steve Martin, gets his hand stuck inside a vase. He asks the casino owner if the item is valuable, and is told that it’s a worthless imitation. Mindful of that information, Clouseau slams the vase on a desk to free his hand, breaking both in the process.

“But that desk,” the casino owner says, “was priceless.”

So now anyone wanting to get their hands on that PII knows where it isn’t, but they also have some clues as to how to piece it together, and where it might be. (Of course, no hacker has ever raised deleted files from the dead.) They also now know that Australia has porous defenses, even if their vulnerabilities exist only at the level of a human resources failure to properly train employees on data security best practices. But then there’s the question of the privacy commissioner’s handling of the situation, which none of this explains. Sigh…

The leak of PII belonging to world leaders is an extremely serious matter. For years many have warned that any system is only as secure as its weakest link … and that humans are almost always the weakest link. So the beat goes on.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

This article originally appeared on Credit.com.

MONEY

You’ll Be Freaked Out to Learn How Often Your Apps Share Your Location


Most of us are unaware of just how much location sharing is going on with our smartphones.

Even for researchers experienced at examining technology that might be invasive, this warning was alarming: “Your location has been shared 5,398 times with Facebook, Groupon, GO Launcher EX and seven other apps in the last 14 days.”

The warning was sent to a subject as scientists at Carnegie Mellon University were studying the impact of telling consumers how often their mobile phones shared their location and other personal data. Software was installed on users’ phones to better inform them of the data being sent out from their gadgets, and to offer a “privacy nudge” to see how consumers reacted. Here’s how one anonymous subject responded when informed a phone shared data 4,182 times:

“Are you kidding me?… It felt like I’m being followed by my own phone. It was scary. That number is too high.”

Mobile phone users are told about the kinds of things that might be shared when they install apps on their phones, but they have a tendency to “set and forget” the options. That means a single privacy choice, usually made in haste when clicking “install,” governs thousands of subsequent privacy transactions.

“The vast majority of people have no clue about what’s going on,” said Norman Sadeh, a professor in the School of Computer Science’s Institute for Software Research, who helped conduct the study.

But when consumers are reminded about the consequences of choices they make, “they rapidly act to limit further sharing,” the researchers found.

The study covered three weeks. During week one, app behavior data was merely collected. In week two, users were given access to permissions manager software called AppOps. In week three, they got the daily “privacy nudges” detailing the frequency at which their sensitive information was accessed by their apps.

Researchers found that the privacy managing software helped. When the participants were given access to AppOps, they collectively reviewed their app permissions 51 times and restricted 272 permissions on 76 distinct apps. Only one participant failed to review permissions. The “set and forget” mentality continued, however. Once the participants had set their preferences over the first few days, they stopped making changes.

But privacy reminders helped even more. During the third week, users went back and reviewed permissions 69 times, blocking 122 additional permissions on 47 apps.

Nudges Lead to Action

“The fact that users respond to privacy nudges indicates that they really care about privacy, but were just unaware of how much information was being collected about them,” Sadeh said. “App permission managers are better than nothing, but by themselves they aren’t sufficient … Privacy nudges can play an important role in increasing awareness and in motivating people to review and adjust their privacy settings.”

Of course, it’s hard to say if the research participants would have kept futzing with their privacy settings, even inspired by nudges, as time wore on. Sadeh suspected they would not: Privacy choices tend to wear people down. Given the new types and growing numbers of apps now in circulation, “even the most diligent smartphone user is likely to be overwhelmed by the choices for privacy controls,” the study’s authors said.

The findings will be presented at the Conference on Human Factors in Computing Systems in Seoul, South Korea, next month. The research is supported by the National Science Foundation, Google, Samsung and the King Abdulaziz City for Science and Technology.

For now, what can smartphone users do to better protect themselves? It’s not easy. For example: A study by IBM earlier this year found that roughly two-thirds of dating apps were vulnerable to exploitation, and in many cases, would give attackers location information. The AppOps software used in the Carnegie Mellon study used to be available to Android users, but was pulled by Google in 2013. The firm said the experimental add-on to the Android operating system had a tendency to break apps. So Android users are left to manually review app permissions one at a time — not a bad way to spend time the next time you are waiting for a bus. It’s always a good idea to turn off location sharing unless you know the software really needs it, such as map applications. iPhone users have the benefit of privacy manager software, but it doesn’t offer great detail on how data is used, and it doesn’t offer privacy nudges or any other kinds of reminders. A manual review is best for iPhone users, too.

This article originally appeared on Credit.com.

TIME privacy

Twitter Rolls Out ‘Quality Filter’ to Combat Abuse

Feature targets spam and threatening tweets

Some lucky Twitter users soon won’t have to see tweets that are spammy or abusive.

The social network is rolling out a new feature called the “quality filter,” which will automatically screen out Twitter mentions that come from suspicious accounts, are abusive or threatening or contain duplicate content. The tweets won’t be deleted from Twitter but they will no longer show up in the recipient’s list of notifications. The feature will only be available to verified users, according to Mashable.

The move marks the latest step in Twitter’s campaign to combat abuse on the social network. In December the company introduced new tools to let users more easily report instances of abuse.

[Mashable]

TIME privacy

Privacy Group: ‘Eavesdropping’ WiFi Barbie is Seriously Creepy


The Internet-connected doll collects children's voice patterns on the web

An advocacy group protested on Wednesday a so-called “eavesdropping” Barbie, which records children’s speech and sends that data over the Web.

Calling the Barbie “creepy,” Campaign for a Commercial-Free Childhood launched a petition Wednesday urging the doll’s maker, Mattel, to stop the doll from being sold, the Washington Post reports.

The doll records children’s speech with an embedded microphone and sends it over the web, which leaves kids vulnerable to stealth advertising tactics, the group said.

Chief executive Oren Jacob of ToyTalk, the San Francisco-based startup that created the technology in the doll, told the Journal that the captured audio files are “never used for anything to do with marketing or publicity or any of that stuff. Not at all.” Instead, the technology is used to improve speech recognition, Jacob said.

Children press a button to chat with Hello Barbie, which “listens” to their speech and sends the audio recording over a WiFi connection to ToyTalk’s cloud-based servers, where that speech is recognized and processed. The Barbie can then make a response.

For example, in a Mattel demonstration, “Welcome to New York, Barbie” elicited the response, “I Love New York! Don’t you?”

The doll is set to hit stores this fall.

[Washington Post]


TIME 2016 Election

Everything We Know About Hillary Clinton’s Email

And what we don't know

The new political headache afflicting Hillary Clinton is all about email.

The New York Times reported Monday that the presumptive Democratic presidential candidate had exclusively used a private email account for her government business during her tenure as Secretary of State, rather than a government email account. And an Associated Press report Wednesday said Clinton used her own email servers, rather than a third-party provider like Gmail or Yahoo Mail. That’s raised questions about whether Clinton was making a deliberate attempt to prevent her messages from being disclosed by open records requests or subpoenas.

Clinton’s campaign has said she followed both “letter and spirit of the rules,” but the snafu has played into Republican criticisms of her as secretive and politically calculating. Clinton tried to contain the damage in a tweet late Wednesday saying she supports the release of more emails.

Here’s everything to know about the controversy.

Wait. What’s the big deal?

A top U.S. diplomat working only on a personal email account raises an obvious question: Did Clinton stay off government email to hide something? Federal regulations are meant to prevent a situation in which officials, by keeping emails “off the record,” could thwart information requests made by the public or the government. When Clinton took office in 2009, federal rules required that government employees using a non-government email account “must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system.” (It was only last year, one year after Clinton’s tenure had ended, that President Obama signed a explicitly limiting U.S. officials’ use of private email accounts for business matters.) But Clinton aides are the only ones who have determined what amounts to official correspondence and what doesn’t, and others might come to different conclusions.

Did Clinton break the law?

Probably not, but we’re still in a legal grey area. The Federal Records Act—passed in November, after Clinton left the State Department—requires government officials’ emails that are sent from a personal account to be forwarded to an official account within 20 days. But during Clinton’s tenure, it was never explicitly required that top-level officials like Clinton use government-issued accounts. “What she did was not technically illegal,” Patrice McDermott, a former National Archives staffer and the head of the transparency group Open The Government coalition, told The Hill newspaper. But, she said, “it was highly inappropriate and it was inappropriate for the State Department to let this happen.”

Because her official emails were sequestered on her private email address, much of her correspondence was not openly available via the Freedom of Information Act (FOIA), which gives the public the right to access information from the federal government.

Will we ever see Clinton’s official emails? Or have they simply disappeared?

Clinton’s team turned over more than 50,000 pages of emails from her personal email account to the State Department late last year, when the Federal Records Act was passed, at the department’s request.

How do we know that she turned over all required emails?

We don’t. For several years, media outlets have filed requests for Clinton’s official correspondences during her tenure under FOIA. These requests have remained unreturned or unfulfilled, though the State Department has acknowledged their receipt. Theoretically, all of Clinton’s emails concerning government matters during her tenure fall under FOIA’s domain—but they are inaccessible if they were sent between Clinton’s private account and a third-party agency, such as a nonprofit foundation or a private consultancy. Clinton would need to provide these emails herself.

Have other U.S. officials used private email accounts?

Yes. Several officials in the Bush Administration, such as Karl Rove, were heavily criticized for using personal e-mail accounts to send emails from the White House. While Clinton herself has not commented on the situation, Nick Merrill, a Clinton spokesman, noted that former Secretaries of State in both parties had also used their own email accounts when engaging with U.S. officials.

Were they punished?

We don’t know. There haven’t been reports outlining specific repercussions against those officials who used private accounts for business emails. The White House has repeatedly made its e-mail policy clear each time the issue arises. “Very specific guidance has been given to agencies all across the government, which is specifically that employees in the Obama administration should use their official e-mail accounts when they’re conducting official government business,” White House Press Secretary Josh Earnest said Wednesday.

How much do high-ranking officials like Clinton really use email?

It varies. Janet Napolitano, the former Secretary of Homeland Security, was known for never using email at all. It’s unclear exactly how often Clinton emailed, but certainly enough for her team to turn over 50,000 pages worth of emails. During her time as Secretary of State she was often spotted looking down at her BlackBerry—the image of her doing so in sunglasses inspired a Texts from Hillary meme.

So what Internet service did she use?

Clinton used a private email server registered back to her family’s home in Chappaqua, N.Y., the AP reports. That means she or someone working for her physically ran her own email, giving her wide-ranging control over her message archives. It also could have made her emails more vulnerable to hackers or physical disasters like fires or floods. The Secret Service would have been able to protect an email server in Clinton’s home from physical theft, however.

Clinton reconfigured her email account in November 2012 to use Google servers as a backup. Five months after she resigned as Secretary of State, her email server was reconfigured again, switching her backup provider to a Denver-based email provider called MX Logic.

Who’s this Eric Hoteham figure?

Eric Hoteham is the mysterious name associated with Clinton’s private server account. But no public records of “Eric Hoteham” appear to exist, and the name wasn’t found in campaign contribution records or elsewhere, the AP reports. Politico reported on Wednesday that Hoteham is a Washington stockbroker and former aide to the Clintons.

What email address did she use?

One of her private email addresses was hrd22@clintonemail.com. HRD appears to stand for her premarital initials (Hillary Diane Rodham, as opposed to now Hillary Rodham Clinton). But it’s unclear what the 22 is for. She was sworn in on Feb. 2—or 2/2.


MONEY privacy

5 Things You Didn’t Know About Using Personal Email at Work


Hillary Clinton is in trouble for mixing up her personal and business accounts—and you could get in trouble too.

Hillary Clinton has come under scrutiny for exclusively using her personal email account for all of her work communications when she was secretary of state, according to a report in the New York Times. That’s actually a huge problem. Under federal law, Clinton was required to preserve all of her communications.

But you don’t have to be a former secretary of state and favorite for the Democratic presidential nomination for your work emails to be preserved for posterity, and someone might be interested in their contents: your boss.

Here’s what you should know about the privacy of your work emails—namely, that you don’t have any.

1) Your employer can monitor pretty much anything you access on the company’s computer system, even your personal email account.

In most cases, courts have taken the position that employers have the right to monitor what employees do on the employer’s computer systems and equipment, says Catherine E. Reuben, employment lawyer at the firm Hirsch Roberts Weinstein LLP.

To start, that means your boss can see any messages you send using your work email. But that’s not all. “When you send an email from work, the company server doesn’t know or care whether this email is on your company email account or your personal Yahoo account—it monitors everything,” says Lewis Maltby, president of the National Workrights Institute. And that’s completely legal.

One gray area: A recent National Labor Relations Board case ruling found that employees have a presumptive right to use their employer’s email system for union organizing, although labor laws restrict employers from surveillance of union organizing activities. That means the NLRB may eventually conclude that employers are not able to monitor emails related to union organizing, even if they are sent using the employer’s server or equipment. “That is an unsettled issue,” Reuben says.

2) Assume any email, text message, or other electronic communication you send on your employer’s system can be used against you.

“In my personal experience, employers will monitor email when there is a business reason to do so,” Reuben says. “For example, if an employee accuses another employee of sending sexually harassing emails, the employer would naturally want, as part of its investigation, to review all of the email communications between the two employees.”

Adverse consequences are not uncommon. In 2007, a survey by the American Management Association found that 28% of employers had fired employees over “e-mail misuse.” The most common kinds of misuse: violation of company policies, inappropriate language, excessive personal use, or breaking confidentiality. (“Internet misuse” was even more common; another 30% of employers said they had terminated employees for excessive personal use of the Internet at work, viewing inappropriate content at work, or other violations of the employer’s electronic use policy.)

And your emails could cause a problem long after you send them. “Remember that emails, text messages, other electronic documents can live on forever, even if you delete them,” Reuben says.

3) Beware of “George Carlin software.”

You probably assume your boss doesn’t have time to monitor every email you send. That’s true, Maltby says, but you’re forgetting about the IT department. “People in IT can look at anything, anytime they want to, for any reason they want to,” Maltby says. “They are agents of the employer, and it’s the employer’s system.”

One very common practice: Some employers have keyword software to detect sexual harassment. Maltby calls it “George Carlin software” because it can flag certain inappropriate words. But the software can pick up false positives. “If a female employee sends an email with the word ‘breast’ to her oncologist through the company system, it’s going to be read,” Maltby says.

The simple solution: Send any sensitive, personal messages from your own device.

4) Emailing company documents to your personal account could get you in trouble.

You have more work to do, but you just want to go home—and accessing your employer’s email remotely is a huge hassle. So you just forward your files from your work email account to your personal account and finish your work at home.

The problem? That could later create the impression that you are trying to steal the company’s confidential information.

“Make sure you read and understand your employer’s policies, and don’t download company information without permission,” Reuben says. “Do your best to protect the company’s trade secrets, confidential information, and data.”

5) When you set up your company’s email on your personal phone, you often give your employer the right to delete all of your personal data.

Want to check your work email on your personal iPhone? Your employer probably asked you to sign a “bring-your-own-device” agreement. If you didn’t read it, do that now—you likely waived some of your rights.

There’s good reason for that: Companies need to secure their information systems. “What the policy is essentially saying is, if you want the privilege of accessing our proprietary, confidential systems and the convenience of accessing those systems on your personal device, you’ve got to waive your right to privacy,” Reuben says. “Many employers in such a policy will reserve the employer’s right to monitor the employee’s activities on the device and to remote-wipe the device if there is a security risk, for example, if the device is lost or stolen.”

You read that right: You probably gave your employer permission to delete all of your personal data. Your company might want to do that if your device could be compromised—or if you just no longer work there. “When you leave the company, the company will probably wipe your cell phone, and they’ll probably wipe everything,” Maltby says. “Pictures of your kids, bank records, and God knows what else have been erased forever.”

The takeaway: Actually read your employer’s electronic use and BYOD policies. And back up those photos somewhere else.
