FEDERAL INTERNET"In this increasingly

electronic age, we are allrequired in our everydaylives to rely on moderntechnology to communicatewith one another. Thisreliance on electronic com-munication, however, hasbrought with it a dramaticdiminution in our ability tocommunicate privately.

Cellular phones aresubject to monitoring, e-mailis easily intercepted andtransactions over the Internetare often less than secure.Something as commonplace

as furnishing our credit cardnumber, social securitynumber or bank accountnumber puts each of us atrisk. Moreover, when weemploy electronic methodsof communication, we oftenleave electronic "finger-prints" behind, fingerprintsthat can be traced back to us.

Whether we are sur-veilled by the government,criminals or neighbors, it isfair to say that never has ourability to shield our affairsfrom prying eyes been atsuch a low ebb." Bernstein v.

32

Dept of Justice, 176F.3d 1132,1145-1146(9thCir. 1999).

Invasion of privacy onthe Internet encompassesmany different areas—thecollection and distribution ofpersonal information (in-cluding "data mining" and" online profiling"), intercep-tion of online transmissionsand certain common lawinvasions like "intrusioninto seclusion" and "publi-cation of private facts." Thereis no comprehensive federallaw governing Internetprivacy.

South Carolina Lawyer

PRIVACY LAWSimilarly, there is no

comprehensive federal lawgoverning privacy in general.Internet privacy (and privacyin general) in the UnitedStates is protected by meansof a "sectoral" system,combining legislation, self-regulation, federal and stateConstitutional provisions,and common law. Moreover,since many Internet privacyissues are still relatively new,the law in the area is in astate of flux. Nearly everyweek a new statute, regula-tion, policy statement or

January/February 2001

agreement is announced thatsignificantly affects thetreatment of Internet privacy.

PERSONALINFORMATION

ON THE INTERNET"Data mining," "online

profiling" and "cookies"have all been major topics ofdiscussion recently, at both alegislative and commerciallevel. "Data mining" is thecollection of personalinformation on the Internet."Online profiling "is the

practice of recording onlinebehavior for the productionof tailored advertising. Thisprofiling is done in part byreading "cookies"—smalltext files that are generatedby the Web server of the sitevisited, and then stored onthe visitor's computer forfuture reference by the Website when the visitor visitsthe site again.

Cookies contain infor-mation about what Webpages the Internet user (surf-er) viewed, what language heor she speaks and what

ac

JDCO

'1—4•*— |

S-*-»cfl

By Edward Fenno

33

selections the surfer made whenvisiting a particular site. Internetservice providers (ISPs) like AmericaOnline can also track a surfer's navi-gation on the Internet using "click-stream" data—electronic records ofuser activity.

Due to the lack of a comprehensivefederal Internet privacy law, corpora-tions, legislators and litigants havebeen struggling with issues concerningwhat personal information can becollected about someone online, howthe information is collected, whetherthe person should be notified about thecollection and how the person candelete the information collected.

CONSTITUTIONALPRINCIPLES

There is no explicit general right toprivacy set forth in the U.S. Constitu-tion. Several provisions of the Constitu-tion have been held to protect certain"privacy" rights of individuals, how-ever. Still, these provisions do notencompass all types of privacy. More-over, the protections afforded by theConstitution are only with regard togovernmental invasion of privacy(including lawmaking), not invasionby other people.

The Fourth Amendment to theConstitution may provide someprotection from collection and distribu-tion of online personal data by thegovernment. For information to beprotected by the Fourth Amendment,the individual must have a "legitimateexpectation of privacy" that has beeninvaded by government action. To findthis "legitimateexpectation," theindividual must satisfy a two part test:(1) "the individual, by his conduct,[must have] exhibited an actual (sub-jective) expectation of privacy... [i.e.,]the individual has shown that he seeksto preserve something as private"; and(2) "the individual's subjective expecta-tion of privacy [must be] one that societyis prepared to recognize as 'reasonable'... [i.e.,] the individual's expectation,viewed objectively, is justifiable' underthe circumstances." Smith v. Maryland,442 U.S. 735, 740 (1979).

Certain information on the Internetmay pass this test. In 1996, a military

34

court held that an individual does havea legitimate expectation of privacyunder the Fourth Amendment in his orher e-mail communications stored andsent via an online service.

The U.S. Supreme Court has held,however, that there is no FourthAmendment protection of personalinformation conveyed to third partiesfor commercial use. Id. at 743-744; U.S.v. Miller, 425 U.S. 435, 442-444 (1976).People are seen to have "assumed therisk" that the receiver of the informa-tion will disclose it to the government.Since Internet users voluntarily makemuch of their personal informationavailable to third parties in the flow ofcommerce (e.g., credit card and socialsecurity numbers, names, addresses, e-mail addresses), Fourth Amendmentprotection from government review anduse of such information is likely to belimited.

On the other hand, constitutionalprovisions such as the CommerceClause and the First Amendment havealready been used to strike down statelaws concerning Internet privacy. See,e.g., A CLU of Georgia v. Miller, F. Supp.1228 (N.D. Ga. 1997) (Georgia statuteprecluding anonymous use of Internetstruck down as violative of FirstAmendment); State v. Heckel, SuperiorCourt of the State of Washington, KingCounty, March 10, 2000 (Washington'santi-spam statute struck down pursu-ant to Commerce Clause).

FEDERALSTATUTES

Even though there is no compre-hensive federal Internet privacy law,there are a number of federal statutesthat may affect the collection anddistribution of personal information onthe Internet. Several of these statutesprimarily concern the interception ofonline transmissions and will bediscussed later. Of the remainingstatutes, the Children's Online PrivacyProtection Act, the Gramm-Leach-Bliley[financial institutions privacy] Act, thePrivacy Act, the Freedom of InformationAct, the Fair Credit Reporting Act andthe Privacy Protection Act are the mostlikely to affect collection and distribu-tion of personal information.

In 1998, Congress passed theChildren's Online Privacy ProtectionAct(COPPA),15U.S.C.§6501,etseg.,which went into effect in April 2000.The Act requires that all commercialWeb sites "directed to" children underthe age of 13, or that have "actualknowledge" that they collect "personalinformation" from children (includingnames, addresses, hobbies, telephonenumbers, e-mail addresses and otheritems), comply with numerous notice,parental consent and disclosurerequirements. "Collection" includes notonly the requesting of personal infor-mation, but also the passive receptionof personal information using a mes-sage board, chat room or passivetracking device (like a cookie).

If COPPA is found to apply to aWeb site or online service, the operatormust: (1) provide notice on the Web siteor online service of what information itcollects from children, how it uses suchinformation and its disclosure practicesfor such information; (2) obtain verifi-able parental consent prior to anycollection, use or disclosure of personalinformation from children; (3) provide areasonable means for a parent to reviewthe personal information collected froma child and to refuse to permit itsfurther use or maintenance; (4) notcondition a child's participation in agame, the offering of a prize or anotheractivity on the child disclosing morepersonal information than is reason-ably necessary to participate in suchactivity; and (5) establish and maintainreasonable procedures to protect theconfidentiality, security and integrity ofpersonal information collected fromchildren. See, 16 C.F.R. § 312.3.

The Gramm-Leach-Bliley Act(GLBA) is a new federal law thatcontains extensive privacy provisionsconcerning the collection and distribu-tion of personal and financial informa-tion by banks, insurers, securities firmsand other "financial institutions." (Theprivacy provisions of the Act can befound at 15 U.S.C. § 6801, et. seq., withcorresponding regulations at 12 C.F.R.§ 40.) Under the Act, subject to certainexceptions, financial institutions must:(1) establish appropriate safeguards forthe protection and confidentiality ofcustomer records; (2) provide an "opt

South Carolina Lawyer

out" notice to "consumers" (under theAct, "consumers" include people whohave applied for a loan or used thefinancial institution's automatic tellermachines but who have not become"customers" of the financial institutionby opening an account, having the loanapproved, etc.) before sharing theirpersonally identifiable financial infor-mation with nonaffiliated third parties;(3) adopt a privacy policy for consum-ers, and provide it to all customers of thefinancial institution upon establishing acustomer relationship; and (4) includein the privacy policy: (a) the categoriesof people to whom the non-publicpersonal information collected by theinstitution can be disclosed, (b) thepolicies and practices of the institutionwith respect to disclosing nonpublicpersonal information of people whohave ceased to be customers, (c) thecategories of nonpublic personalinformation collected, and (d) theinstitution's confidentiality and infor-mation security policies, among otherthings. See, 15 U.S.C. §§ 6801-6809; 12C.F.R. § 40.

Pursuant to the provisions of theGLBA, customers of financial institu-tions would thus be able to prevent theinstitutions from providing theirpersonal financial information to e-mailmarketers or online profilers. Impor-tantly, financial institutions need notcomply with these privacy provisionsuntil July 1,2001, even though theeffective date of the provisions isNovember 13,2000.

The Privacy Act, 5 U.S.C § 552a,protects United States citizens andaliens lawfully admitted for permanentresidence against unauthorized disclo-sure of information about them that is

held by government agencies. The Actprohibits the disclosure by governmentagencies of any "records" concerningpersonal information about an indi-vidual to any person or governmentagency without the prior writtenconsent of the individual. The prohibi-tion is subject to several importantexceptions, including: (1) use compat-ible with the purposes for which theinformation was collected, (2) civil orcriminal law enforcement activity and(3) the health or safety of an individual.

"Records" are defined as "anyitem, collection or grouping of informa-tion about an individual that is main-tained by an agency, including, but notlimited to, his education, financialtransactions, medical history andcriminal or employment history andthat contains his name, or the identify-ing number, symbol or other identifyingparticular assigned to the individual,such as a finger or voice print or aphotograph."

The Act additionally requires thatagencies provide individuals withaccess to their records, as well as theopportunity to challenge their contents.Moreover, agencies must "establishappropriate administrative, technicaland physical safeguards to insuresecurity and confidentiality of recordsand to protect against any anticipatedthreats or hazards to their security orintegrity...." See,5U.S.C.§§552a(d),552a(e).

The Freedom of Information Act(FOIA), 5 U.S.C. § 552, permits broadpublic access to government records."Records" are defined in the Act toinclude information in "electronicformat." "To the extent required to pre-vent a clearly unwarranted invasion of

The Fourth Amendment to the Constitutionmay provide some protection from collection and

distribution of online personal data by thegovernment For information to be protectedby the Fourth Amendment, the individual

must have a "legitimate expectation of privacy"that has been invaded by government action.

personal privacy," however, thegovernment may "delete identifyingdetails" when it makes available manyof its records. 5 U.S.C. § 552(a)(2)(E).This deletion must be justified inwriting. Furthermore, FOIA does notpermit access to records concerning"trade secrets and commercial orfinancial information obtained from aperson and privileged or confidential."Id. at § 552(b) (4). Nor does the Actauthorize access to "personnel andmedical files and similar files thedisclosure of which would constitute aclearly unwarranted invasion ofpersonal privacy." Id. at § 552(b)(6).

The Fair Credit Reporting Act(FCRA), 15 U.S.C. §§ 1681, etseq.,regulates the use of data associatedwith personal credit and credit reports.The Act essentially prohibits consumerreporting agencies from disclosing"consumer reports" unless the recipi-ent either has a legitimate businesspurpose for the information or thereporting agency has received theconsent of the individual who is thesubject of the reports. 15 U.S.C. §§1681 a, 1681b. Legitimate businesspurposes for disclosure include courtorders, evaluations for credit, insur-ance reasons and employment matters.

The FCRA also imposes require-ments on users of consumer reports.Users of consumer reports must advisethe subjects of the reports when theytake adverse actions based on thereport. Id. at § 1681m. Upon writtenrequest from the consumer, users ofconsumer reports must disclose anybasis for adverse action other than thecredit report. Id. at § 168In.

The Privacy Protection Act (PP A),42 U.S.C. §§ 2000aa, etseq., makesgovernment seizure of "work productmaterials" from "a person reasonablybelieved to have a purpose to dissemi-nate to the public a newspaper, book,broadcast or other similar form ofpublic communication in or affectinginterstate or foreign commerce" acriminal offense, unless there isprobable cause to believe that theperson possessing such materials iscommitting the offense to which thematerials relate. 42 U.S.C. § 2000aa(a).The PP A may prove important inInternet privacy cases in the United

January/February 2001 35

States since it appears facially thatnearly everyone posting messages onthe Internet or with online services iscovered by the Act.

SELF-REGULATIONRather than enacting a compre-

hensive federal statue regulating thecollection of all personal informationfrom adults, the federal governmenthas encouraged self-regulation. In thisregard, the Federal Trade Commissionhas recently approved a self-regulatoryagreement by a consortium of majorInternet advertisers to regulate whatinformation they gather from Websurfers and how they use it.

The agreement sets forth threestandards for how such companieswill gather information anonymouslyfrom Web users and use it to profileconsumers. Pursuant to the agreement,consumers will be: (1) allowed to optout of the collection of anonymousdata on the Internet for the purpose ofprofiling; (2) given a chance to deter-mine if they want to allow previouslycollected anonymous data to bemerged with personally identifyinginformation; and (3) allowed to givepermission for the collection of person-ally identifying information at the timeand place it is gathered on the Internet.

Many companies not subject tothis agreement also maintain "privacypolicies" on their Web sites—includ-ing notice, choice (opt in/out), accessand security provisions—to engendertrust with consumers in hopes ofmaking them customers. A studyrecently quoted in the Wall StreetJournal reveals that 38 percent of Webusers surveyed claim always to readprivacy policies and as many as 61percent of users of financial servicessites chose not to use such sites

because the users were unsure abouthow their personal information wouldbe handled by the site.

Further incentive for self-regulationis the European Union's Data Protec-tion Directive. Under this Europeanlaw, U.S. companies are only entitled tocollect, record or disclose onlinepersonal data concerning Europeannationals if the U.S. companies complywith strict privacy "principles" con-cerning notification, choice, disclosure,security, access and enforcement. See,Directive 95/46/EC of the EuropeanParliament and of the Council of 24October 1995, Eur.OJ.L281/31 (Nov.23,1995), and subsequent "SafeHarbor" principles of July, 2000. TheU.S. companies must register their intentto comply with these principles with theU.S. Federal Trade Commission, whichthen monitors the compliance.

A final incentive for careful self-regulation is the common law. Whilebeyond the scope of this article, itshould be noted that Internet privacy issubject to common law invasion ofprivacy tort actions such as publicationof private facts, intrusion into seclu-sion, misappropriation of name orlikeness and false light publicity(although the tort of false light has notbeen recognized in South Carolina).

Other common law causes ofaction, such as breach of duty ofconfidentiality, breach of contract,breach of fiduciary duty, negligence,fraud, trespass, conversion and inflic-tion of emotional distress may alsoapply.

INTERCEPTION OFONLINE TRANSMISSIONSUnlike the privacy concerns in the

collection and distribution of onlinepersonal data, the privacy concerns in

Unlike the privacy concerns in the collectionand distribution of online personal data, theprivacy concerns in computer hacking and

other interceptions of online transmissions havebeen heavily legislated by the federal government

computer hacking and other intercep-tions of online transmissions havebeen heavily legislated by the federalgovernment. Two important federalstatutes in this area are the ElectronicCommunications Privacy Act and theComputer Fraud and Abuse Act.

The Electronic CommunicationsPrivacy Act (ECPA), 18U.S.C. §§ 2510-2522, 2701-2709, prohibits the inter-ception of electronic communications,as well as the disclosure or use ofintercepted communications. It alsoprotects electronically stored commu-nications from unauthorized accessand disclosure, whether by the govern-ment or by individuals.

One exception to the statutepermits interception of electroniccommunications made to a system thatis "readily accessible to the generalpublic." Thus, the ECPA is not violatedwhen postings to Usenet groups,listservs, bulletin board systems andchat rooms are read and archived. See,Susan Gindin, "Lost and Found inCyberspace," http://www.info-law.com/lost.html, §IV.D.l (1997).

Another exception allows serviceproviders and anyone else to interceptand disclose an electronic communica-tion where either the sender or therecipient of the message consents tothe interception or disclosure. Manycommercial services require a consentagreement from new members whensigning up for the service, and consentmay be implied in employment rela-tionships, especially when the em-ployer notifies employees that their e-mail will be monitored. Id.

Finally, the ECPA provides an"ordinary course of business" excep-tion, which may also support employermonitoring of employee e-mail. Thisexception is found in the definition of"electronic, mechanical or otherdevice," which exempts from theinterception prohibition an entity thatprovides the electronic communicationservice "in the ordinary course of itsbusiness." Cases interpreting the"ordinary course of business" provi-sion have involved telephone monitor-ing, and the courts have generally heldthat an employer may monitor an em-ployee for as long as the communicationis business-related. Id. at n. 259.

36 South Carolina Lawyer

The ComputerFraud and AbuseAct (CFAA), 18U.S.C. §1030, isprimarily intendedto prevent unautho-rized access tocomputer networksto protect theprivacy of commu-nications associ-ated with thosenetworks. It is alsointended to protect the networks fromacts of sabotage, such as alteration ofdata. 18 U.S.C. § 1030. While the CFAAis used primarily against hackers, somelitigants have alleged causes of actionfor violation of the CFAA in spam(unsolicited e-mail) cases as well.Gindin, supra, § IV.D.2.

PROTECTING PERSONALINFORMATION ONLINE

One technique that many Internetsurfers use to try to prevent the collec-tion and distribution of their personalinformation is to use a pseudonym. Theright to publish anonymously isprotected by the First Amendment. See,Mclntyre v. Ohio Elections Commissions,514 U.S. 334 (1995). As noted above,this right has already prevented theenforcement of a state statute that madeanonymous Internet communicationillegal. Many ISPs will reveal theidentity of a subscriber, however, whenfaced with a subpoena in a lawsuit.Thus, anonymity cannot be relied uponfor the protection of an Internet surfer'spersonal information.

Encryption is another commonmethod by which Internet users protecttheir privacy. Encryption is the practiceof making messages unintelligible to allexcept the intended recipients. Inaddition to ensuring secrecy, encryp-tion can be employed to ensure dataintegrity, authenticate users andfacilitate nonrepudiation (e.g., linking aspecific message to a specific sender).

Encryption is used on the Internetto protect the privacy of much of theinformation transmitted online, includ-ing credit card numbers. For years, thefederal government has restricted thepublication of encryption software for

January/February 2001

fear that foreignerscould use the moreeffective encryptionsoftware to concealfrom the governmentcommunications ofterrorists, drugsmugglers or othersintent on takinghostile actionagainst the UnitedStates. The govern-ment has recently

eased its restrictions, however, as aresult of a number of successfullawsuits challenging the restrictions asviolative of the First Amendment.

CONCLUSIONWhile there is no comprehensive

federal law governing the collectionand distribution of personal informa-tion of adults on the Internet, theChildren's Online Privacy ProtectionAct offers broad protection for childrenunder the age of 13. Adults andteenagers must turn to the common lawand to marketplace self-regulation forprotection in most instances, althoughfinancial institutions and the govern-ment are subject to federal laws in thisarea.

With respect to computer hackingand other interceptions of onlinetransmissions, federal protection underthe Electronic Communications PrivacyAct and the Computer Fraud andAbuse Act are relatively pervasive.Finally, while encryption has provento be a strong shield against invasionof privacy on the Internet, anonymityhas not.

This article is reprinted with permis-sion from materials published by Mooreand Van Allen. Copyright © 2000 byMoore and Van Allen.

Edward Fenno is a lawyer with Moore& Van Allen in Charleston. He leads thefirm's South Carolina media and Internetlaw practice and is a member of the firm'sIn tellectual Property and InformationTechnology practice groups.

37