
Privacy

Two Different Threats


Other Individuals Invading My Privacy
Government Invading My Privacy

(c) 2004 West Legal S

Examples of Other Individuals Invading My Privacy
Cookies
Web-Bugs or SpyWare:
A graphic image, like a GIF, placed on a web page or an e-mail message
to monitor user behavior, functioning as a kind of spyware. Unlike a
cookie, which can be declined, it is just another graphic image,
invisible to the user - it can only be seen by looking at the source version of the
page to find an IMG tag that loads from a different web server than the
rest of the page
Can be good to track copyright violations

E-Mail Wiretaps:
eBlaster software can provide e-mail updates of a person's online
activity if installed on their computer
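Added example, not from the original slides: a script that applies the slide's own rule for spotting a web bug, scanning page or e-mail source for IMG tags that load from a different web server than the rest of the page, and noting the 1x1 size and hidden styling such beacons typically carry. The sample HTML and host names are constructed.

```python
"""Detect candidate web bugs (tracking pixels) in page or e-mail source.

Added example, not from the original slides. It applies the slides' rule:
look through the HTML source for IMG tags that load from a different
web server than the rest of the page. A tiny or hidden image is reported
as a stronger indicator. The sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when width and height are declared as 0 or 1 px (classic 1x1 beacon)."""
    def px(value):
        digits = "".join(ch for ch in value if ch.isdigit())
        return int(digits) if digits else None
    w, h = px(attrs.get("width", "")), px(attrs.get("height", ""))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_web_bugs(html, page_url):
    """Return a list of (src, reasons) for images fetched from a third-party host.

    page_url is the URL the rest of the page (or the sender's site) comes
    from; an image whose host differs is flagged, with size/style hints added.
    """
    page_host = urlparse(page_url).hostname or ""
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if not host or host == page_host:
            continue  # relative or same-server image: not a web bug by this rule
        reasons = ["third-party host: " + host]
        if _is_tiny(attrs):
            reasons.append("1x1 pixel")
        if "display:none" in attrs.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if "?" in src:
            reasons.append("query string may carry a per-recipient identifier")
        findings.append((src, reasons))
    return findings


# Constructed sample: a newsletter from example.com with one ordinary logo
# and one invisible pixel pulled from a separate tracking server.
SAMPLE_HTML = """<html><body>
<img src="https://www.example.com/logo.png" width="120" height="40">
<p>Monthly update</p>
<img src="https://track.example.net/open.gif?id=abc123" width="1" height="1"
     style="display: none">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML, "https://www.example.com/news"):
        print(src, "->", "; ".join(reasons))
```

The same check can be run over the HTML part of a received e-mail, using the sender's domain as the page host.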


Examples of Government Invading My Privacy:
Surveillance without court order (search warrant)
Wiretaps
Seizing disks, hard drives, data bases

FBI's Carnivore, DragonWare suite, Packeteer, Coolminer
Government was being challenged for invading privacy,
but then came
Sept. 11th
House and Senate have both approved bills giving the govt. broad
powers of surveillance


U.S. Constitution and its Amendments
Protects individuals against Government
invasion of privacy only - not invasion of
privacy by other individuals


U.S. Constitution
The right to privacy is not expressly stated in the
Constitution or the Amendments, but the
Supreme Court has interpreted some of the
amendments to mean that there exists a
penumbral or implied right of privacy under the
U.S. Constitution
Supreme Court found the right of privacy implied
in these Amendments:
Ninth
Fourth
Fifth

Ninth Amendment
This enumeration shall not be construed
to deny other rights retained by the
people
So, there must be other rights and privacy
could be another right not mentioned in
the Amendments.


Fourth Amendment
right of the people to be secure in their persons,
houses, papers, and effects.
Griswold v. Connecticut (1965)
established zones of privacy or areas or locations where
privacy is reasonably expected

Later cases: privacy exists when a person exhibits an
actual expectation of privacy and society recognizes
the expectation is reasonable
Does this mean that personal information being
accumulated and used by the government without our
permission, especially when used for commercial
purposes, is a violation of this amendment? Cookies?

Fifth Amendment
No person shall be compelled to be a witness
against himself
Corporations do not have this protection
Doe v. U.S. (1988) individual has to surrender the key
to a strongbox containing incriminating documents,
but does not have to reveal the combination to his
wall safe
Does this mean that a person could not be forced to
give up his encryption code or his password?


Fourteenth Amendment
Gives the individual the same protection
against all state governments in the same
way the individual is protected against the
federal government invasion of privacy


State Constitutions
Usually states copy the 4th Amendment and give
an implied protection to the individual from
government invasion of privacy
But many state constitutions go further and protect
the individual's privacy from the government in other
specific areas:
medical records, wiretapping, insurance, school records,
credit and banking information, privileged communications
between attorney and client

Protection Against Other Individuals Invading My Privacy
Federal Statutes
State Statutes
State Common Law: Tort Law


State Common Law Tort: Invasion of Privacy
Gives protection to individual against other
individuals invading his privacy
Used when no federal or state statute to protect
privacy
Intrusion Upon Seclusion
Public Disclosure of Private Facts Causing Injury to
Reputation
Publicity Placing Another in a False Light
Misappropriation of a Person's Name or Likeness
Causing Injury to Reputation


Intrusion Upon Seclusion
Intent or Knowledge
Reasonable Expectation of Privacy
Katz v. United States
Bartnicki v. Vopper: cell phone privacy
Privacy outweighed by freedom of speech and press rights

Substantial and Highly Offensive to a Reasonable Person
Michael A. Smyth v. Pillsbury Company
Employee's e-mail not highly offensive


Public Disclosure of Private Facts Causing Injury to Reputation
Three elements above plus
Facts Must Be Private (medical, insurance,
etc)


Publicity Placing Another in a False Light
Falsely connecting a person to an immoral,
illegal or embarrassing situation, resulting in
injury to one's reputation


Misappropriation of a Person's Name or Likeness Causing Injury to Reputation
Howard Stern v. Delphi Services Corporation
In the Matter of Eli Lilly (FTC 2002)


Federal Statutes
There are many federal statutes that have
been introduced to protect privacy


Privacy Protection Act (PPA) 1980
Govt. can't search or seize without a warrant
the following: work product reasonably
expected to have a purpose of dissemination to
the public, like a newspaper, book, broadcast,
or other similar form of public communication


Privacy Act 1994
Govt. can't disclose records and documents in its
possession that contain personal information (name,
identification number, photo, fingerprint, voice print)
about individuals w/o their written consent, giving
them a copy, allowing them to correct, informing them
their records have been disclosed
Exceptions: Court order, health and safety exceptions,
valid search warrant


Cable Communications Privacy Act (CCPA) 1984
Individual cable companies can't reveal our
cable preferences


Video Privacy Protection Act (1988)
Individual video stores can't reveal our video
preferences


Telephone Consumer Protection Act (1991)(FCC)
Individual sellers can't use automatic dial telephone
solicitations if called person is charged
Can't send unsolicited advertisements to fax numbers
Not applied to bulk e-mail yet (spamming)
Have to have "do not call" lists
Can't make unsolicited telemarketing calls to police,
fire, or other emergency numbers
Feds have given jurisdiction to the states

Fair Credit Reporting Act (FCRA) 1970 (FTC)
Consumer credit reporting agencies must be fair,
impartial, respect privacy
Have to get individual's permission to release info
FTC implements and enforces and adjudicates
Consumers have a right to obtain info about
themselves
Can ask for info online from credit reporting agencies
and they would have to comply


The Computer Fraud and Abuse Act (CFAA) 1986, 1994
Prohibits intentional access of data stored in
computers belonging to or benefiting the U.S.
government
Prohibits access to info about a consumer
contained in the financial records of a
financial institution or in a file of a consumer
reporting agency
Felony for both of above

Bank Secrecy Act of 1970
Illegal to launder money and use secret foreign
bank accounts for illegal purposes
Financial institutions must report to U.S.
treasury Dept. any cash transaction over
$10,000
Report any suspicious transaction


Right to Financial Privacy Act of 1978
Government must have a search warrant to
access financial records and info, except for
Patriot Act


Gramm-Leach-Bliley Act (GLB) 1999
Sweeping financial services privacy reform
Title V: Consumer financial privacy:
Subtitle A, Disclosure of Nonpublic Personal
Information
Subtitle B, Fraudulent Access to Financial
Information


GLB Act
Financial institution to provide notice to customers about its
privacy policies and practices
Describes the conditions under which a financial institution
may disclose nonpublic personal information about consumers
to nonaffiliated third parties
Provides a method for consumers to prevent a financial
institution from disclosing that information to most
nonaffiliated third parties by Opting Out of that disclosure
Must tell exceptions when consumer cannot opt out


GLB continued: What is a financial institution?
Significantly engaged in financial activities to
be considered a financial institution
Lending, exchanging, transferring, investing for
others, or safeguarding money or securities
Vendor credit cards, Master Card, American Express,
Visa

Many other activities that are similar to a bank's activities


GLB continued: Is Your Business Contact a Consumer or a Customer?
Consumer is an individual who obtains or has
obtained a financial product or service from a
financial institution that is to be used primarily
for personal, family or household purposes


GLB continued: Duty to Consumers:
Provide a short-form notice about the availability of
the privacy policy if the financial institution shares
information outside the permitted exceptions.
Provide an opt-out notice prior to sharing info
Give Consumers reasonable opportunity to opt out
Honor opt-out
If you change your privacy policy, provide new
notice


Who are customers?
Customer
Continuing relationship with a consumer
Loans: customer relationship travels with the servicing
rights


Duty to Customers Different
Same as above except:
Provide long form notice
Annual privacy notice for duration of relationship


Nonpublic Personal Information (NPI)?
Personally identifiable information
Any list, description, or other grouping of
consumers derived from using PIFI =
Personally Identifiable Financial
Information
Not publicly available info
And on and on and on: a very long law, with a
great many details

Pretexting
FTC v. Information Search, Inc.
Settlements from three information brokers who
the FTC alleged used deceptive practices called
"pretexting" to obtain consumers' confidential
financial information
Used false pretenses, fraudulent statements, and
impersonation to illegally gain access to information
such as bank balances and then offered info for sale.


Health Insurance Portability and Accountability Act, 1996 (HIPAA)
Full compliance not required until Feb. 21, 2003.
Consumer control, accountability w/ fines
Public responsibility: balance against protecting
public health, conducting research, etc.
Boundaries: use only for treatment and payment; need
special consent to use for medical purposes
Bush proposed loosening of regulations to remove
requirement that patients have to give written consent
for disclosure, only give them notice of their rights.

Children's Online Privacy Protection Act of 1998 (COPPA)
April 21, 2000
Has FTC Rules and Regulations regulating it (Safe Harbors)
(Article)
Applies to operators of commercial sites targeted to (or
knowingly collecting info from) kids
Post privacy notices and obtain verifiable parental consent
before collecting info from kids
Enforced by FTC and State Attorneys General
(NOT COPA, the Children's Online Privacy Act, which is anti-pornography and was declared unconstitutional on preliminary
injunction in June, 2000)

Requirements of COPPA
Who:
Anyone whose website is directed at kids.
FTC will look at subject matter, visual or audio content, age of models,
language used, advertising and promotions featured, use of animated
characters or child-oriented activities and incentives, evidence of site's
intended audience and actual audience composition

What You Must Do:
Must have a prominent and plain privacy statement link on home page
and page collecting info: not bottom of page fine print
Direct Notice to and Verifiable Parental Consent from parents: sliding
scale of verification depending on info use. MUST ALLOW OPT OUT
of information use!


Exception to COPPA:
Safe-harbor of presumptive compliance for
those following an FTC-approved system or
protocol
http://www.ftc.gov//privacy/safeharbor/shp.htm


Litigation
U.S. v. The Ohio Art Co. (Etch-A-Sketch)
Company failed to provide notice or get consent from
parents, collecting more info than necessary


PII Data Collection and Sale
Companies gather data, including our e-mail
addresses, when we visit them
Companies sell this data to other companies
These sales are big business


1986 Electronic Communications Privacy Act (ECPA) Titles I and II
Amendment to the Omnibus Crime Control and Safe
Streets Act of 1968
Prohibits anyone, including government, from
wiretapping without a search warrant with probable
cause
Has two parts:
1. TITLE I. interception and disclosure of wire, oral, and
electronic communications
2. TITLE II. disclosure of stored wire, transactional, and
electronic communications

ECPA: Not Just the Government
This amendment applied also to people and ISPs
Only applicable if public network, not internal
network and has to be in interstate commerce
Not applicable to information posted on public BB
Party transmitted to, the receiver, can reveal info


ECPA: Title I:
Communications which are protected from
interception include transmission by radio
paging, cellular phones, computer generated
transmissions, and e-mail
McVeigh v. Cohen: AOL violated ECPA by
revealing to the Navy that his e-mail
showed he was gay

ECPA: Four Exceptions:
ISPs
Business Extension rule or Ordinary Course
of Business
Prior consent
Government has a warrant


ECPA: ISPs
Doing maintenance
U.S. v. Mullins (American Airlines was service
provider for travel agent)


ECPA: Business Extension Exception
Exempts any device furnished to the subscriber or user
by a provider of wire or electronic communication
service in the ordinary course of business and being
used by the subscriber or user in the ordinary course of
business
Employers who furnish the business phones and
computers can intercept
Phone
Computer


ECPA: Requirements Established by Cases
Employees must know they are going to be monitored in
order for employer to make sure the phones and e-mail
are being used for business purposes
Sanders v. Robert Bosch Corporation: can't monitor 24
hours a day
Watkins v. L.M. Berry and Co.: once the employer hears
something personal, he has to stop listening - same with
e-mail?

ECPA: Consent of one of the parties
When the employer has warned that the
employee will be monitored, the employee
gives prior consent when he gets on the
computer
Good to get it signed when the employee first
takes the job


ECPA: Search Warrant Granted for Probable Cause
ISP accidentally sees something illegal
May tell law enforcement
Law enforcement must get a proper warrant
Carnivore
FBI tool, like a pen register, that sifts through e-mail and other Internet traffic
to find crime
U.S. Patriot Act increased governmental power to do this


ECPA: Title II Unlawful Access to Stored Communications
Protects data stored in transit (on servers) and
at the point of destination from being accessed
and disclosed
In RAM
On floppies, CDs


ECPA: Title II specifically
1. Prohibits intentionally accessing without authorization or
exceeding authorization a facility through which an electronic
communication service is provided and thereby accessing wire
or electronic communication while it is in electronic storage.
2. Prohibits ISPs who provide electronic communication
service to the public from knowingly divulging the contents of
any communication while in storage
3. Prohibits a person providing remote computing services to
the public from knowingly divulging any communication that
is carried or stored


Litigation
Supnick v. Amazon.com, Inc. and Alexa Internet
Alleged that Alexa, whose software program monitors
surfing habits and then suggests related Web pages, stored
and transmitted this information to third parties (including
Amazon) without informing users of the practice or
obtaining users' consent, in violation of the ECPA and
common law invasion of privacy.
Court approved a settlement agreement: Alexa must:
Delete four digits of the IP addresses in its databases, add privacy
policy to Web site, require customers to opt in to having their data
collected before they can be permitted to download Alexa software,
pay up to $40 to each customer whose data is found in Alexa's
database.


In Re Doubleclick Inc. Privacy Litigation
Plaintiffs argued Doubleclick's practice of
placing cookies on users' hard drives
was an invasion of privacy and violated
Title II of the ECPA
Doubleclick's motion that the case be
dismissed was granted


Title III: The Pen Register Act
Applies to wiretaps, pen registers, and trap and trace
devices
Requires a court order
If more like a wiretap, then need a search warrant
Amended by the U.S. Patriot Act

U.S. Patriot Act: Uniting and Strengthening America by Providing
Appropriate Tools Required to Intercept and Obstruct Terrorism Act,
PL 107-56.

Increases the kind of info that law enforcement officials can
gain access to, including records of session times and
durations, temporary network addresses, means and source of
payments, including credit card or bank account numbers
Permits service providers to voluntarily release the contents
of communications if they reasonably believe that an
emergency involving immediate danger of death or serious
physical injury to any person requires disclosure of the
information without delay
Permits service providers to invite law enforcement to
assist in tracking and intercepting a computer trespasser's
communications.

Spamming
Federal law: none to regulate it
FTC has regulated telephone solicitation but has
left regulation of spamming to the computer
industry


23 States Also Have Statutes Specifically Prohibiting Spamming.
Forbid false headings and routing information,
must put ADV and ADV: ADLT,
Must have an opt-out choice


FTC
Has not endorsed regulation of spam on the federal level
Has charged spammers in the collection of data with
unfair and deceptive trade practices and
Violation of the GLB Act

FTC's Fair Information Practices
Notice/Awareness that information is being collected
Choice/Consent to opt in or out
Access/Participation in correcting or changing one's own personal info
Security/Integrity in keeping the personal information protected from
unauthorized use
Enforcement/Redress by submitting to outside monitoring to assure
compliance


Govt. Regulation of Data Collection
FTC has authority under Section 5(a) of the FTC Act to
regulate unfair and deceptive trade practices
1998: FTC announced 4 elements to protect consumer
privacy
Notice to consumers about how info will be used
Choice for consumers as to what and how used
Security of PII
Access for consumers to see their own PII
Mechanisms for consumer to enforce these principles

Doubleclick Case
Decided in favor of Doubleclick: they were only doing what they
had said in their privacy policy, so OK.


FTC Also Monitoring Wireless Communication
FTC:
http://www.ftc.gov/bcp/reports/wirelesssummary.pdf
The Mobile Wireless Web, Data Services and
Beyond: Emerging Technologies and Consumer
Issues.


Self Regulation: Industry Protections
Seal Programs
TRUSTe formed by AOL and Microsoft and 600 others; BBB Online's
Monitor the web sites of its members, making sure their information
practices are fair & inform users about their privacy practices

P3P: WWW Consortium's Platform for Privacy Preferences
Convey data practices to consumers in standardized machine-readable
code; the consumer uses a P3P agent to warn users when a Web site's P3P-
expressed data practices do not match the user's privacy settings.
Microsoft's Internet Explorer 6.0 is a user agent

Network Advertising Initiative
Direct Marketing Association
Netiquette


Database Transferability in Bankruptcy: Bankruptcy Reform Act of 2001
Toysmart case
Dot-coms have become dot-bombs: their
biggest asset is customer info database
Disney bought Toysmart's database only then to
have to destroy it
Same with Fry's Electronics: did not proceed with
sale of Egghead.com


Bankruptcy Code now requires
A consumer privacy ombudsman before the
info can be transferred to creditors in a
bankruptcy proceeding


Spamming Defended on Basis of 1st Am. Freedom of Speech
Cyber Promotions, Inc. v. America Online, Inc.
Cyber Promotions sent bulk e-mail through AOL
AOL sent a letter to stop
Cyber didn't
AOL gathered all the undeliverable mail and sent it back to Cyber
This caused the ISPs who served Cyber to terminate their
relationships with Cyber
Cyber sued AOL - AOL counter-sued Cyber
Cyber asked for a declaratory judgment that they could spam
Ct. said AOL not government, so no 1st Amendment rights against
AOL


Spamming
State law: use common law trespass

CompuServe, Inc. v. Cyber Promotions
CompuServe told Cyber Promotions to stop
sending unsolicited e-mail
CompuServe implemented software programs
designed to screen out messages and block their
receipt
Cyber Promotions still spammed
CompuServe sued for trespass to their personal
property and asked for a preliminary injunction

Workplace Privacy
Governmental employer: O'Connor v. Ortega
Balance right of employee to privacy against employer's
needs for supervision, control and the efficient operation of
the workplace

Private employer
Use same balancing test

Nardinelli et al. v. Chevron: harassing e-mails
Blakey v. Continental Airlines: bulletin board offsite
Michael A. Smyth v. Pillsbury Company: employee's e-mail
McLaren v. Microsoft: employee's having a password did not give
him protection


Impact of the ECPA on Workplace Privacy
Robert Konop v. Hawaiian Airlines
Posted messages on his password-protected
bulletin board
One of his users with a password gave the
password to a third party
Third party went online and viewed Robert's BB

Ct.: no violation of Title I, no interception
Violation of Title II, not authorized use to give
password to third party

Global Issues
European Union's Directive on Privacy Protection
1998
Requires member states of EU to adopt legislation that
seeks to protect the individual's privacy as it relates to the
processing and collection of personal data
Also applies to non-member states doing business with
member states = U.S. to do the following:
Process information fairly and accurately
Collect only for specified and legitimate purposes
Keep accurate and updated
Keep it identified with subject only for the needed time


Further Requirements of EU's Directive
Controller of data must prove
Consent of the data subject has been given
Data is necessary for a contract between the parties
Processing of data is necessary to protect subject
Processing of data is necessary to protect the public interest
Processing of data is necessary to protect the controller's
interest and this is greater than the subject's right to privacy


Article 25
Prohibits the export of personal data to
nonmember countries that do not have laws
that adequately protect personal data
U.S. has Safe Harbors now
See http://europa.eu.int/comm/internal_market/en/dataprot/news/o2-196_en.pd.
EU issued standard contractual clauses

Other Countries' Efforts at Regulating Internet Data Privacy

Australia
Canada
Russia
