Chapter 9: Privacy (ITN 267)

Uploaded by dextergivensii, posted 24-Sep-2015. Description: NetSec.

(c) 2004 West Legal Studies in Business, A Division of Thomson Learning

  • Privacy
    - Two different threats:
        - Other individuals invading my privacy
        - Government invading my privacy

  • Examples of Other Individuals Invading My Privacy
    - Cookies
    - Web bugs (spyware): a graphic image, such as a GIF, placed on a web page or in an e-mail message to monitor user behavior. It functions as a kind of spyware; unlike a cookie, which can be declined, it is just another graphic image, invisible to the user. It can only be found by viewing the source of the page and looking for an IMG tag that loads from a different web server than the rest of the page. Can be useful for tracking copyright violations.
    - E-mail wiretaps: eBlaster software can provide e-mail updates of a person's online activity if it is installed on their computer
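The slide's detection rule (look in the page source for an IMG tag that loads from a different server than the page) can be automated. The following is an added example, not code from the original slides or from any product they mention; it scans HTML with Python's standard-library parser and flags images that come from a third-party host, are 1x1 pixels, or are hidden with CSS. The sample page, the hostnames and the tracker URL in it are constructed for the demo.

```python
"""Flag likely web bugs (tracking pixels) in an HTML page.

Heuristics follow the slide's description: an <img> whose src loads from a
host other than the page's own, plus the 1x1-pixel and hidden-by-CSS markers
that tracking images commonly carry. Added example; the sample HTML and all
hostnames below are constructed, not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ImgCollector(HTMLParser):
    """Collect every <img> tag's attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "img":
            self.images.append(dict(attrs))


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 pixel (e.g. '1', '1px')."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_web_bugs(html, page_url):
    """Return a list of (resolved_src, reasons) for images that look like web bugs.

    page_url is the URL the HTML was fetched from; relative srcs are resolved
    against it so that same-site images are not mistaken for third-party ones.
    """
    parser = ImgCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for attrs in parser.images:
        src = attrs.get("src")
        if not src:
            continue
        resolved = urljoin(page_url, src)
        host = urlparse(resolved).hostname
        reasons = []
        if host and host != page_host:
            reasons.append("third-party host: " + host)
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("1x1 pixel")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            findings.append((resolved, reasons))
    return findings


# Constructed sample page: one ordinary same-site image, one classic tracking
# pixel on another host, and one hidden third-party image.
SAMPLE_HTML = """
<html><body>
  <img src="/images/logo.png" width="120" height="40" alt="logo">
  <p>Hello</p>
  <img src="http://tracker.example.net/beacon.gif?id=abc123" width="1" height="1">
  <img src="http://cdn.example.com/hero.jpg" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML, "http://www.example.com/news/"):
        print(src, "->", ", ".join(reasons))
```

The third-party-host rule on its own produces false positives (a site's own images served from a separate CDN domain look the same to the parser), which is why the size and CSS checks are reported as separate reasons rather than folded into one verdict; a reviewer can treat "third-party host" plus "1x1 pixel" as a strong signal and a lone host mismatch as something to look at.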

  • Examples of Government Invading My Privacy
    - Surveillance without a court order (search warrant)
    - Wiretaps
    - Seizing disks, hard drives, databases
    - FBI's Carnivore, DragonWare suite, Packeteer, Coolminer
    - Government was being challenged for invading privacy, but then came Sept. 11th
    - House and Senate have both approved bills giving the government broad powers of surveillance

  • U.S. Constitution and its Amendments
    - Protects individuals against government invasion of privacy only, not against invasion of privacy by other individuals

  • U.S. Constitution
    - The right to privacy is not expressly stated in the Constitution or the Amendments, but the Supreme Court has interpreted some of the amendments to mean that there exists a penumbral (implied) right of privacy under the U.S. Constitution
    - The Supreme Court found the right of privacy implied in these Amendments: Ninth, Fourth, Fifth

  • Ninth Amendment
    - "This enumeration shall not be construed to deny other rights retained by the people"
    - So there must be other rights, and privacy could be another right not mentioned in the Amendments

  • Fourth Amendment
    - "Right of the people to be secure in their persons, houses, papers, and effects"
    - Griswold v. Connecticut (1965): established "zones of privacy", areas or locations where privacy is reasonably expected
    - Later cases: privacy exists when a person exhibits an actual expectation of privacy and society recognizes that expectation as reasonable
    - Does this mean that personal information being accumulated and used by the government without our permission, especially when used for commercial purposes, is a violation of this amendment? Cookies?

  • Fifth Amendment
    - "No person shall be compelled to be a witness against himself"
    - Corporations do not have this protection
    - Doe v. U.S. (1988): an individual has to surrender the key to a strongbox containing incriminating documents, but does not have to reveal the combination to his wall safe
    - Does this mean that a person could not be forced to give up his encryption key or his password?

  • Fourteenth Amendment
    - Gives the individual the same protection against invasion of privacy by state governments as the individual has against the federal government

  • State Constitutions
    - Usually states copy the 4th Amendment and give an implied protection to the individual from government invasion of privacy
    - But many state constitutions go further and protect the individual's privacy from the government in other specific areas: medical records, wiretapping, insurance, school records, credit and banking information, privileged communications between attorney and client

  • Protection Against Other Individuals Invading My Privacy
    - Federal statutes
    - State statutes
    - State common law: tort law

  • State Common Law Tort: Invasion of Privacy
    - Gives protection to the individual against other individuals invading his privacy
    - Used when there is no federal or state statute to protect privacy
    - Four forms:
        - Intrusion upon seclusion
        - Public disclosure of private facts causing injury to reputation
        - Publicity placing another in a false light
        - Misappropriation of a person's name or likeness causing injury to reputation

  • Intrusion Upon Seclusion
    - Intent or knowledge
    - Reasonable expectation of privacy
        - Katz v. United States
        - Bartnicki v. Vopper: cell phone privacy; privacy outweighed by freedom of speech and press rights
    - Substantial and highly offensive to a reasonable person
        - Michael A. Smyth v. Pillsbury Company: reading an employee's e-mail was not highly offensive

  • Public Disclosure of Private Facts Causing Injury to Reputation
    - The three elements above, plus:
    - Facts must be private (medical, insurance, etc.)

  • Publicity Placing Another in a False Light
    - Falsely connecting a person to an immoral, illegal or embarrassing situation, resulting in injury to one's reputation

  • Misappropriation of a Person's Name or Likeness Causing Injury to Reputation
    - Howard Stern v. Delphi Services Corporation
    - In the Matter of Eli Lilly (FTC 2002)

  • Federal Statutes
    - There are many federal statutes that have been introduced to protect privacy

  • Privacy Protection Act (PPA) 1980
    - Government can't search or seize without a warrant the following: work product reasonably expected to have a purpose of dissemination to the public, like a newspaper, book, broadcast, or other similar form of public communication

  • Privacy Act 1994
    - Government can't disclose records and documents in its possession that contain personal information about individuals (name, identification number, photo, fingerprint, voice print) without their written consent, giving them a copy, allowing them to correct it, and informing them that their records have been disclosed
    - Exceptions: court order, health and safety exceptions, valid search warrant

  • Cable Communications Privacy Act (CCPA) 1984
    - Individual cable companies can't reveal our cable preferences

  • Video Privacy Protection Act (1988)
    - Individual video stores can't reveal our video preferences

  • Telephone Consumer Protection Act (1991) (FCC)
    - Individual sellers can't use automatic-dial telephone solicitations if the called person is charged
    - Can't send unsolicited advertisements to fax numbers
    - Not yet applied to bulk e-mail (spamming)
    - Have to have do-not-call lists
    - Can't make unsolicited telemarketing calls to police, fire, or other emergency numbers
    - Feds have given jurisdiction to the states

  • Fair Credit Reporting Act (FCRA) 1970 (FTC)
    - Consumer credit reporting agencies must be fair and impartial and respect privacy
    - Have to get the individual's permission to release info
    - FTC implements, enforces and adjudicates
    - Consumers have a right to obtain info about themselves
    - Can ask for info online from credit reporting agencies, and they have to comply

  • The Computer Fraud and Abuse Act (CFAA) 1986, 1994
    - Prohibits intentional access of data stored in computers belonging to or benefiting the U.S. government
    - Prohibits access to info about a consumer contained in the financial records of a financial institution or in a file of a consumer reporting agency
    - Felony for both of the above

  • Bank Secrecy Act of 1970
    - Illegal to launder money and to use secret foreign bank accounts for illegal purposes
    - Financial institutions must report to the U.S. Treasury Dept. any cash transaction over $10,000
    - Must report any suspicious transaction

  • Right to Financial Privacy Act of 1978
    - Government must have a search warrant to access financial records and info, except as provided by the Patriot Act

  • Gramm-Leach-Bliley Act (GLB) 1999
    - Sweeping financial services privacy reform
    - Title V: Consumer financial privacy
        - Subtitle A, Disclosure of Nonpublic Personal Information
        - Subtitle B, Fraudulent Access to Financial Information

  • GLB Act
    - Requires a financial institution to provide notice to customers about its privacy policies and practices
    - Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties
    - Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by opting out of that disclosure
    - Must tell consumers the exceptions under which they cannot opt out

  • GLB continued: What is a financial institution?
    - Must be significantly engaged in financial activities to be considered a financial institution
    - Lending, exchanging, transferring, investing for others, or safeguarding money or securities
    - Vendor credit cards, MasterCard, American Express, Visa
    - Many other activities that are similar to a bank's activities

  • GLB continued: Is Your Business Contact a Consumer or a Customer?
    - A consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family or household purposes

  • GLB continued: Duty to Consumers
    - Provide a short-form notice about the availability of the privacy policy if the financial institution shares information outside the permitted exceptions
    - Provide an opt-out notice prior to sharing info
    - Give consumers a reasonable opportunity to opt out
    - Honor the opt-out
    - If you change your privacy policy, provide a new notice

  • Who are customers?
    - Customer: a continuing relationship with a consumer
    - Loans: the customer relationship travels with the servicing rights

  • Duty to Customers Different
    - Same as above, except:
        - Provide a long-form notice
        - Annual privacy notice for the duration of the relationship

  • Nonpublic Personal Information (NPI)?
    - Personally identifiable information
    - Any list, description, or other grouping of consumers derived from using PIFI (Personally Identifiable Financial Information)
    - Not publicly available info
    - And on and on and on: a very long law, with a great many details

  • Pretexting
    - FTC v. Information Search, Inc.: settlements from three information brokers who the FTC alleged used deceptive practices called "pretexting" to obtain consumers' confidential financial information
    - Used false pretenses, fraudulent statements, and impersonation to illegally gain access to information such as bank balances, and then offered the info for sale

  • Health Insurance Portability and Accountability Act, 1996 (HIPAA)
    - Full compliance not required until Feb. 21, 2003
    - Consumer control; accountability with fines
    - Public responsibility: balanced against protecting public health, conducting research, etc.
    - Boundaries: use only for treatment and payment; need special consent to use for medical purposes
    - Bush proposed loosening of regulations to remove the requirement that patients have to give written consent for disclosure, only giving them notice of their rights

  • Children's Online Privacy Protection Act of 1998 (COPPA), effective April 21, 2000
    - Has FTC rules and regulations regulating it (Safe Harbors) (Article)
    - Applies to operators of commercial sites targeted to (or knowingly collecting info from) kids
    - Must post privacy notices and obtain verifiable parental consent before collecting info from kids
    - Enforced by the FTC and State Attorneys General
    - (NOT COPA, the Children's Online Privacy Act, which is anti-pornography and was declared unconstitutional on preliminary injunction in June, 2000)

  • Requirements of COPPA
    - Who: anyone whose website is directed at kids. The FTC will look at subject matter, visual or audio content, age of models, language used, advertising and promotions featured, use of animated characters or child-oriented activities and incentives, evidence of the site's intended audience, and actual audience composition
    - What you must do: must have a prominent and plain privacy statement link on the home page and on the page collecting info, not bottom-of-page fine print
    - Direct notice to, and verifiable parental consent from, parents: sliding scale of verification depending on the use of the info
    - MUST ALLOW OPT OUT of information use!

  • Exception to COPPA
    - Safe harbor of presumptive compliance for those following an FTC-approved system or protocol: http://www.ftc.gov//privacy/safeharbor/shp.htm

  • Litigation
    - U.S. v. The Ohio Art Co. (Etch-A-Sketch): company failed to provide notice or get consent from parents, and collected more info than necessary

  • PII Data Collection and Sale
    - Companies gather data, including our e-mail addresses, when we visit them
    - Companies sell this data to other companies
    - These sales are big business

  • 1986 Electronic Communications Privacy Act (ECPA), Titles I and II
    - Amendment to the Omnibus Crime Control and Safe Streets Act of 1968
    - Prohibits anyone, including the government, from wiretapping without a search warrant based on probable cause
    - Has two parts:
        1. Title I: interception and disclosure of wire, oral, and electronic communications
        2. Title II: disclosure of stored wire, transactional, and electronic communications

  • ECPA: Not Just the Government
    - This amendment applies also to people and ISPs
    - Only applicable to a public network, not an internal network, and the communication has to be in interstate commerce
    - Not applicable to information posted on a public BB (bulletin board)
    - The party transmitted to (the receiver) can reveal the info

  • ECPA: Title I
    - Communications protected from interception include transmission by radio paging, cellular phones, computer-generated transmissions, and e-mail
    - McVeigh v. Cohen: AOL violated the ECPA by revealing to the Navy that his e-mail showed he was gay

  • ECPA: Four Exceptions
    - ISPs
    - Business extension rule, or ordinary course of business
    - Prior consent
    - Government has a warrant

  • ECPA: ISPs
    - Doing maintenance
    - U.S. v. Mullins (American Airlines was the service provider for a travel agent)

  • ECPA: Business Extension Exception
    - Exempts any device furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of business and being used by the subscriber or user in the ordinary course of business
    - Employers who furnish the business phones and computers can intercept:
        - Phone
        - Computer

  • ECPA: Requirements Established by Cases
    - Employees must know they are going to be monitored in order for the employer to make sure the phones and e-mail are being used for business purposes
    - Sanders v. Robert Bosch Corporation: can't monitor 24 hours a day
    - Watkins v. L.M. Berry and Co.: once the employer hears something personal, he has to stop listening. Same with e-mail?

  • ECPA: Consent of One of the Parties
    - When the employer has warned that the employee will be monitored, the employee gives prior consent when he gets on the computer
    - Good to get it signed when the employee first takes the job

  • ECPA: Search Warrant Granted for Probable Cause
    - ISP accidentally sees something illegal: may tell law enforcement
    - Law enforcement must get a proper warrant
    - Carnivore: FBI tool, like a pen register, used to sift through e-mail and other Internet traffic to find crime
    - U.S. Patriot Act increased governmental power to do this

  • ECPA: Title II, Unlawful Access to Stored Communications
    - Protects data stored in transit (on servers) and at the point of destination from being accessed and disclosed
        - In RAM
        - On floppies, CDs

  • ECPA: Title II specifically
    1. Prohibits intentionally accessing without authorization, or exceeding authorization, a facility through which an electronic communication service is provided, and thereby accessing wire or electronic communication while it is in electronic storage
    2. Prohibits ISPs who provide electronic communication service to the public from knowingly divulging the contents of any communication while in storage
    3. Prohibits a person providing remote computing services to the public from knowingly divulging any communication that is carried or stored

  • Litigation: Supnick v. Amazon.com, Inc. and Alexa Internet
    - Alleged that Alexa, whose software program monitors surfing habits and then suggests related Web pages, stored and transmitted this information to third parties (including Amazon) without informing users of the practice or obtaining users' consent, in violation of the ECPA and common law invasion of privacy
    - Court approved a settlement agreement. Alexa must:
        - Delete four digits of the IP addresses in its databases
        - Add a privacy policy to its Web site
        - Require customers to opt in to having their data collected before they can be permitted to download Alexa software
        - Pay up to $40 to each customer whose data is found in Alexa's database

  • In re DoubleClick Inc. Privacy Litigation
    - Plaintiffs argued DoubleClick's practice of placing cookies on users' hard drives was an invasion of privacy and violated Title II of the ECPA
    - DoubleClick's motion that the case be dismissed was granted

  • Title III: The Pen Register Act
    - Applies to wiretaps, pen registers, and trap-and-trace devices
    - Requires a court order
    - If more like a wiretap, then a search warrant is needed
    - Amended by the U.S. Patriot Act

  • U.S. Patriot Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, PL 107-56
    - Increases the kind of info that law enforcement officials can gain access to, including records of session times and durations, temporary network addresses, and means and source of payments, including credit card or bank account numbers
    - Permits service providers to voluntarily release the contents of communications if they reasonably believe that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay
    - Permits service providers to invite law enforcement to assist in tracking and intercepting a computer trespasser's communications

  • Spamming
    - Federal law: none to regulate it
    - FTC has regulated telephone solicitation but has left regulation of spamming to the computer industry

  • 23 States Also Have Statutes Specifically Prohibiting Spamming
    - Forbid false headings and routing information
    - Must put the ADV and ADV:ADLT labels on messages
    - Must have an opt-out choice

  • FTC
    - Has not endorsed regulation of spam on the federal level
    - Has charged spammers in the collection of data with unfair and deceptive trade practices and violation of the GLB Act
    - FTC's Fair Information Practices:
        - Notice/Awareness that information is being collected
        - Choice/Consent to opt in or out
        - Access/Participation in correcting or changing one's own personal info
        - Security/Integrity in keeping the personal information protected from unauthorized use
        - Enforcement/Redress by submitting to outside monitoring to assure compliance

  • Govt. Regulation of Data Collection
    - FTC has authority under Section 5(a) of the FTC Act to regulate unfair and deceptive trade practices
    - In 1998 the FTC announced 4 elements to protect consumer privacy:
        - Notice to consumers about how info will be used
        - Choice for consumers as to what is collected and how it is used
        - Security of PII
        - Access for consumers to see their own PII
        - Mechanisms for consumers to enforce these principles
    - DoubleClick case: decided in favor of DoubleClick; they were only doing what they had said in their privacy policy, so OK

  • FTC Also Monitoring Wireless Communication
    - FTC: http://www.ftc.gov/bcp/reports/wirelesssummary.pdf, "The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues"

  • Self Regulation: Industry Protections
    - Seal programs: TRUSTe, formed by AOL and Microsoft and 600 others; BBB Online
        - Monitor the web sites of their members, making sure their information practices are fair and that they inform users about their privacy practices
    - P3P: the WWW Consortium's Platform for Privacy Preferences
        - Conveys data practices to consumers in standardized machine-readable code
        - The consumer uses a P3P agent to warn users when a Web site's P3P-expressed data practices do not match the user's privacy settings
        - Microsoft's Internet Explorer 6.0 is a user agent
    - Network Advertising Initiative
    - Direct Marketing Association
    - Netiquette
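To make the P3P mechanism on this slide concrete, here is an added example (not from the slides, and not the code of Internet Explorer or any other real P3P agent) of the comparison a user agent performs: it parses the compact policy a site sends in its `P3P: CP="..."` response header using the W3C P3P 1.0 token vocabulary and checks it against a set of user preferences. The preference names, the sample headers and the "strict" settings are constructed for the demo.

```python
"""Minimal P3P compact-policy check of the kind a user agent performs.

A site sends its compact policy in an HTTP response header of the form
    P3P: CP="NOI DSP COR NID CURa ADMa OUR IND"
(W3C P3P 1.0 compact-policy tokens). Added example; the user preferences and
sample headers below are constructed, and a real agent applies richer rules.
"""
import re

# P3P 1.0 recipient tokens other than OUR: data may leave the site operator.
THIRD_PARTY_RECIPIENTS = {"DEL", "SAM", "UNR", "PUB", "OTR"}
# P3P 1.0 purpose tokens that describe tailoring, profiling or marketing uses.
PROFILING_PURPOSES = {"TAI", "PSA", "PSD", "IVA", "IVD", "CON", "TEL", "OTP"}

_CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def parse_compact_policy(header_value):
    """Return the set of 3-letter tokens in a P3P header value.

    Tokens may carry an 'a', 'i' or 'o' suffix (always / opt-in / opt-out);
    the suffix is dropped so 'ADMa' and 'ADMo' both become 'ADM'.
    """
    match = _CP_RE.search(header_value)
    if not match:
        return set()
    tokens = set()
    for raw in match.group(1).split():
        base = raw[:3].upper()  # the optional suffix is the 4th character
        if len(base) == 3:
            tokens.add(base)
    return tokens


def evaluate_policy(header_value, prefs):
    """Compare a site's compact policy with user prefs (a dict of booleans).

    Returns (accept, warnings). accept is False when a preference the user
    marked as blocking is violated, or when the site sends no policy and the
    user requires one.
    """
    tokens = parse_compact_policy(header_value)
    warnings = []
    if not tokens:
        if prefs.get("require_policy", False):
            warnings.append("site sent no compact policy")
        return (not warnings, warnings)
    shared = sorted(tokens & THIRD_PARTY_RECIPIENTS)
    if prefs.get("block_third_party_sharing", False) and shared:
        warnings.append("data shared beyond the site: " + " ".join(shared))
    profiling = sorted(tokens & PROFILING_PURPOSES)
    if prefs.get("block_profiling", False) and profiling:
        warnings.append("data used for profiling/marketing: " + " ".join(profiling))
    return (not warnings, warnings)


# Constructed user settings: refuse sites that share data or build profiles.
STRICT_PREFS = {
    "require_policy": True,
    "block_third_party_sharing": True,
    "block_profiling": True,
}

# Constructed sample header values, as a server would send them.
SAMPLE_HEADERS = {
    "first-party-only": 'CP="NOI DSP COR NID CURa ADMa DEVa OUR IND"',
    "shares-with-others": 'CP="ALL DSP COR CURa ADMi OUR SAMo UNRo BUS"',
    "profiles-visitors": 'CP="NOI DSP COR TAIa PSAa PSDa OUR IND UNI NAV"',
    "no-policy": "",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        accept, warnings = evaluate_policy(header, STRICT_PREFS)
        print(name, "->", "accept" if accept else "warn", warnings)
```

The check is only as strong as the site's honesty: a compact policy is a self-declaration that the agent cannot verify, so the most it can do is warn or withhold cookies, which is exactly the "warn users" role the slide assigns to it. P3P has since been retired by the W3C and is not honored by current browsers, so the example illustrates the mechanism rather than a control to deploy today.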

  • Database Transferability in Bankruptcy: Bankruptcy Reform Act of 2001
    - Toysmart case
    - Dot-coms have become dot-bombs; their biggest asset is the customer info database
    - Disney bought Toysmart's database, only then to have to destroy it
    - Same with Fry's Electronics: did not proceed with the sale of Egghead.com

  • Bankruptcy Code now requires
    - A consumer privacy ombudsman before the info can be transferred to creditors in a bankruptcy proceeding

  • Spamming Defended on the Basis of 1st Amendment Freedom of Speech
    - Cyber Promotions, Inc. v. America Online, Inc.
        - Cyber Promotions sent bulk e-mail through AOL
        - AOL sent a letter to stop; Cyber didn't
        - AOL gathered all the undeliverable mail and sent it back to Cyber
        - This caused the ISPs who served Cyber to terminate their relationships with Cyber
        - Cyber sued AOL; AOL countersued Cyber
        - Cyber asked for a declaratory judgment that they could spam
        - Court said AOL is not the government, so no 1st Amendment rights against AOL

  • Spamming: State Law Use of Common Law Trespass
    - CompuServe, Inc. v. Cyber Promotions
        - CompuServe told Cyber Promotions to stop sending unsolicited e-mail
        - CompuServe implemented software programs designed to screen out messages and block their receipt
        - Cyber Promotions still spammed
        - CompuServe sued for trespass to its personal property and asked for a preliminary injunction

  • Workplace Privacy
    - Governmental employer: O'Connor v. Ortega
        - Balance the right of the employee to privacy against the employer's needs for supervision, control and the efficient operation of the workplace
    - Private employer: use the same balancing test
        - Nardinelli et al. v. Chevron: harassing e-mails
        - Blakey v. Continental Airlines: bulletin board offsite
        - Michael A. Smyth v. Pillsbury Company: employee's e-mail
        - McLaren v. Microsoft: the employee having a password did not give him protection

  • Impact of the ECPA on Workplace Privacy
    - Robert Konop v. Hawaiian Airlines
        - Posted messages on his password-protected bulletin board
        - One of his users with a password gave the password to a third party
        - Third party went online and viewed Robert's BB
        - Court: no violation of Title I, no interception
        - Violation of Title II: not an authorized use to give the password to a third party

  • Global Issues
    - European Union's Directive on Privacy Protection 1998
    - Requires member states of the EU to adopt legislation that seeks to protect the individual's privacy as it relates to the processing and collection of personal data
    - Also applies to non-member states doing business with member states (= U.S.), which must do the following:
        - Process information fairly and accurately
        - Collect only for specified and legitimate purposes
        - Keep it accurate and updated
        - Keep it identified with the subject only for the time needed

  • Further Requirements of the EU's Directive
    - Controller of data must prove that:
        - Consent of the data subject has been given
        - Data is necessary for a contract between the parties
        - Processing of data is necessary to protect the subject
        - Processing of data is necessary to protect the public interest
        - Processing of data is necessary to protect the controller's interest, and this is greater than the subject's right to privacy

  • Article 25
    - Prohibits the export of personal data to nonmember countries that do not have laws that adequately protect personal data
    - U.S. has Safe Harbors now
    - See http://europa.eu.int/comm/internal_market/en/dataprot/news/o2-196_en.pd.
    - EU issued standard contractual clauses

  • Other Countries' Efforts at Regulating Internet Data Privacy
    - Australia
    - Canada
    - Russia