Post on 20-Dec-2015
(c) 2004 West Legal Studies in Business A Division of Thomson Learning
Privacy
Two Different Threats
Other Individuals Invading My Privacy
Government Invading My Privacy
Examples of Other Individuals Invading My Privacy
Cookies
Web-Bugs or “SpyWare”:
A graphic image, like a GIF, placed on a web page or in an e-mail message to monitor user behavior, functioning as a kind of spyware. Unlike a cookie, which can be declined, it is just another graphic image, invisible to the user. You can only see it if you look at the source version of the page and find an IMG tag that loads from a different web server than the rest of the page.
Can be good to track copyright violations
E-Mail Wiretaps:
eBlaster software can provide e-mail updates of a person’s online activity if installed on their computer
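The source-view check described under Web-Bugs above, automated as an added example (not part of the original slides): it lists IMG tags that load from a different site than the page and marks those that are also 1x1 or hidden. The page URL, sample HTML and function names are constructed for illustration, and comparing the last two host labels is a simplification of "same web server".

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page (illustrative only, not from the original slides).
PAGE_URL = "https://news.example.com/story"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.gif" width="120" height="40">
<img src="https://static.example.com/photo.jpg" width="400" height="300">
<img src="http://tracker.example.net/clear.gif?uid=12345" width="1" height="1">
<img src="//ads.example.org/banner.gif" width="468" height="60">
<img src="https://metrics.example.net/p.gif" style="display: none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _site(host):
    # Simplification: treat the last two labels as the "site"
    # (wrong for suffixes such as co.uk; a public-suffix list fixes that).
    return ".".join(host.lower().split(".")[-2:])


def _is_tiny(value):
    # True for a width/height attribute of 0 or 1 pixel.
    return value.strip().lower().replace("px", "") in ("0", "1")


def find_web_bugs(html, page_url):
    """Return one finding per image served from a different site than the page."""
    parser = _ImgCollector()
    parser.feed(html)
    page_site = _site(urlparse(page_url).hostname or "")
    findings = []
    for attrs in parser.images:
        # Resolve relative and protocol-relative URLs against the page URL.
        src = urljoin(page_url, attrs.get("src", ""))
        host = urlparse(src).hostname or ""
        if not host or _site(host) == page_site:
            continue  # first-party image: not the pattern the slide describes
        reasons = ["third-party host"]
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("1x1 or 0x0 pixels")
        style = attrs.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        findings.append({
            "src": src,
            "host": host,
            "reasons": reasons,
            # A visible third-party banner is reported but not marked likely.
            "likely_web_bug": len(reasons) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in find_web_bugs(SAMPLE_HTML, PAGE_URL):
        flag = "LIKELY WEB BUG" if f["likely_web_bug"] else "third-party image"
        print(f"{flag}: {f['src']} ({', '.join(f['reasons'])})")
```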
Examples of Government Invading My Privacy:
Surveillance without court order (search warrant)
Wiretaps
Seizing disks, hard drives, data bases
FBI’s Carnivore, DragonWare suite, Packeteer, Coolminer
Government was being challenged for invading privacy, but then came Sept. 11th
House and Senate have both approved bills giving the govt. broad powers of surveillance
U.S. Constitution and its Amendments
Protects individuals against Government invasion of privacy only - not invasion of privacy by other individuals
U.S. Constitution
The right to privacy is not expressly stated in the Constitution or the Amendments, but the Supreme Court has interpreted some of the amendments to mean that there exists a penumbral or implied right of privacy under the U.S. Constitution
Supreme Court found the right of privacy implied in these Amendments:
Ninth
Fourth
Fifth
Ninth Amendment
“This enumeration shall not be construed to deny other rights retained by the people…”
So, there must be other rights and privacy could be another right not mentioned in the Amendments….
Fourth Amendment
“right of the people to be secure in their persons, houses, papers, and effects….”
Griswold v. Connecticut (1965) established “zones of privacy” or areas or locations where privacy is reasonably expected
Later cases: privacy exists when a person exhibits an actual expectation of privacy and society recognizes the expectation is reasonable
Does this mean that personal information being accumulated and used by the government without our permission, especially when used for commercial purposes, is a violation of this amendment? Cookies?
Fifth Amendment
No person shall be compelled to be a witness against himself
Corporations do not have this protection
Doe v. U.S. (1988): individual has to surrender the key to a strongbox containing incriminating documents, but does not have to reveal the combination to his wall safe
Does this mean that a person could not be forced to give up his encryption code or his password?
Fourteenth Amendment
Gives the individual the same protection against invasion of privacy by state governments that the individual has against invasion of privacy by the federal government
State Constitutions
Usually states copy the 4th Amendment and give an implied protection to the individual from government invasion of privacy
But many state constitutions go further and protect the individual’s privacy from the government in other specific areas:
medical records, wiretapping, insurance, school records, credit and banking information, privileged communications between attorney and client
Protection Against Other Individuals Invading My Privacy
Federal Statutes
State Statutes
State Common Law: Tort Law
State Common Law Tort: Invasion of Privacy
Gives protection to individual against other individuals invading his privacy
Used when no federal or state statute to protect privacy
Intrusion Upon Seclusion
Public Disclosure of Private Facts Causing Injury to Reputation
Publicity Placing Another in a False Light
Misappropriation of a Person’s Name or Likeness Causing Injury to Reputation
Intrusion Upon Seclusion
Intent or Knowledge
Reasonable Expectation of Privacy
Katz v. United States
Bartnicki v. Vopper – cell phone privacy
Privacy outweighed by freedom of speech and press rights
Substantial and Highly Offensive to a Reasonable Person
Michael A. Smyth v. Pillsbury Company
Employee’s email – not highly offensive
Public Disclosure of Private Facts Causing Injury to Reputation
Three elements above – plus
Facts Must Be Private (medical, insurance, etc)
Publicity Placing Another in a False Light
Falsely connecting a person to an immoral, illegal or embarrassing situation resulting in injury to one’s reputation
Misappropriation of a Person’s Name or Likeness Causing Injury to Reputation
Howard Stern v. Delphi Services Corporation
In the Matter of Eli Lilly (FTC 2002)
Federal Statutes
There are many federal statutes that have been introduced to protect privacy
Privacy Protection Act (PPA) 1980
Govt. can’t search or seize without a warrant the following: work product reasonably expected to have a purpose of dissemination to the public, like a newspaper, book, broadcast, or other similar form of public communication
Privacy Act 1994
Govt. can’t disclose records and documents in its possession that contain personal information (name, identification number, photo, fingerprint, voice print) about individuals w/o their written consent, giving them a copy, allowing them to correct, and informing them their records have been disclosed
Exceptions: Court order, health and safety exceptions, valid search warrant
Cable Communications Privacy Act (CCPA) 1984
Individual cable companies can’t reveal our cable preferences
Video Privacy Protection Act (1988)
Individual video stores can’t reveal our video preferences
Telephone Consumer Protection Act (1991)(FCC)
Individual sellers can’t use automatic dial telephone solicitations if called person is charged
Can’t send unsolicited advertisements to fax numbers
Not applied to bulk e-mail yet (spamming)
Have to have “do not call” lists
Can’t make unsolicited telemarketing calls to police, fire, or other emergency numbers
Feds have given jurisdiction to the states
Fair Credit Reporting Act (FCRA) 1970 (FTC)
Consumer credit reporting agencies must be fair, impartial, respect privacy
Have to get individual’s permission to release info
FTC implements and enforces and adjudicates
Consumers have a right to obtain info about themselves
Can ask for info online from credit reporting agencies and they would have to comply
The Computer Fraud and Abuse Act (CFAA) 1986, 1994
Prohibits intentional access of data stored in computers belonging to or benefiting the U.S. government
Prohibits access to info about a consumer contained in the financial records of a financial institution or in a file of a consumer reporting agency
Felony for both of above
Bank Secrecy Act of 1970
Illegal to launder money and use secret foreign bank accounts for illegal purposes
Financial institutions must report to U.S. Treasury Dept. any cash transaction over $10,000
Report any suspicious transaction
Right to Financial Privacy Act of 1978
Government must have a search warrant to access financial records and info, except for Patriot Act
Gramm-Leach-Bliley Act (GLB) 1999
Sweeping financial services privacy reform
Title V: Consumer financial privacy:
Subtitle A, Disclosure of Nonpublic Personal Information
Subtitle B, Fraudulent Access to Financial Information
GLB Act
Financial institution to provide notice to customers about its privacy policies and practices
Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties
Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by Opting Out of that disclosure
Must tell exceptions when consumer cannot opt out
GLB continued… What is a financial institution?
Significantly engaged in financial activities to be considered a financial institution
Lending, exchanging, transferring, investing for others or safeguarding money or securities…..
Vendor credit cards, Master Card, American Express, Visa
Many other activities that are similar to a bank’s activities
GLB continued…Is Your Business Contact a Consumer or a Customer?
Consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family or household purposes
GLB continued….Duty to Consumers:
Provide a short-form notice about the availability of the privacy policy if the financial institution shares information outside the permitted exceptions.
Provide an opt-out notice prior to sharing info
Give Consumers reasonable opportunity to opt out
Honor opt-out
If you change your privacy policy – provide new notice
Who are customers?
Customer
Continuing relationship with a consumer
Loans: customer relationship travels with the servicing rights
Duty to Customers – Different
Same as above except:
Provide long form notice
Annual privacy notice for duration of relationship
Nonpublic Personal Information (NPI)?
Personally identifiable information
Any list, description, or other grouping of consumers derived from using PIFI = “Personally Identifiable Financial Information”
Not publicly available info
And on and on and on – very long law, with a great many details
Pretexting
FTC v. Information Search, Inc.
Settlements from three information brokers who the FTC alleged used deceptive practices – called pretexting – to obtain consumers’ confidential financial information
Used false pretenses, fraudulent statements, and impersonation to illegally gain access to information such as bank balances and then offered info for sale.
Health Insurance Portability and Accountability Act, 1996 (HIPAA)
Full compliance not required until Feb. 21, 2003.
Consumer control, accountability w/ fines
Public responsibility – balance against protecting public health, conducting research, etc.
Boundaries: use only for treatment and payment, need special consent to use for medical purposes
Bush proposed loosening of regulations to remove requirement that patients have to give written consent for disclosure, only give them notice of their rights.
Children’s Online Privacy Protection Act of 1998 (COPPA)
April 21, 2000
Has FTC Rules and Regulations regulating it (Safe Harbors) (Article)
Applies to operators of commercial sites targeted to (or knowingly collecting info from) kids
Post privacy notices and obtain verifiable parental consent before collecting info from kids
Enforced by FTC and State Attorneys General
(NOT COPA Children’s Online Privacy Act which is anti-pornography declared unconstitutional on preliminary injunction in June, 2000)
Requirements of COPPA
Who: Anyone whose website is directed at kids.
FTC will look at subject matter, visual or audio content, age of models, language used, advertising and promotions featured, use of animated characters or child-oriented activities and incentives, evidence of site’s intended audience and actual audience composition
What You Must Do:
Must have a prominent and plain privacy statement link on home page and page collecting info: not bottom of page fine print
Direct Notice to and Verifiable Parental Consent from parents: sliding scale of verification depending on info use
MUST ALLOW OPT OUT of information use!
Exception to COPPA:
Safe-harbor of presumptive compliance for those following an FTC-approved system or protocol – http://www.ftc.gov//privacy/safeharbor/shp.htm
Litigation
U.S. v. The Ohio Art Co. (Etch-A-Sketch)
Company failed to provide notice or get consent from parents, collecting more info than necessary
PII Data Collection and Sale
Companies gather data, including our e-mail addresses, when we visit them
Companies sell this data to other companies
These sales are big business
1986 Electronic Communications Privacy Act – (ECPA) Titles I and II
Amendment to the Omnibus Crime Control and Safe Streets Act of 1968
Prohibits anyone, including government, from wiretapping without search warrant with probable cause
Has two parts:
1. TITLE I. interception and disclosure of wire, oral, and electronic communications
2. TITLE II. disclosure of stored wire, transactional, and electronic communications
ECPA: Not Just the Government …
This amendment applied also to people and ISPs
Only applicable if public network, not internal network and has to be in interstate commerce
Not applicable to information posted on public BB
Party transmitted to, the receiver, can reveal info
ECPA: Title I:
Communications which are protected from interception include transmission by radio paging, cellular phones, computer generated transmissions, and e-mail
McVeigh v. Cohen: AOL violated ECPA by revealing to the Navy his e-mail, which showed he was gay
ECPA: Four Exceptions:
ISPs
Business Extension rule or “Ordinary Course of Business”
Prior consent
Government has a warrant
ECPA: ISPs
Doing maintenance
U.S. v. Mullins (American Airlines was service provider for travel agent)
ECPA: Business Extension Exception
Exempts any device furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of business and being used by the subscriber or user in the ordinary course of business
Employers who furnish the business phones and computers can intercept
Phone
Computer
ECPA: Requirements Established by Cases
Employees must know they are going to be monitored in order for employer to make sure the phones and e-mail are being used for business purposes
Sanders v. Robert Bosch Corporation: can’t monitor 24 hours a day
Watkins v. L.M. Berry and Co. once the employer hears something personal, he has to stop listening - same with e-mail?
ECPA: Consent of one of the parties
When the employer has warned that the employee will be monitored, the employee gives prior consent when he gets on the computer
Good to get it signed when the employee first takes the job…
ECPA: Search Warrant Granted for Probable Cause
ISP accidentally sees something illegal
May tell law enforcement
Law enforcement must get a proper warrant
Carnivore
FBI like pen register, sift thru email and other Internet traffic to find crime
U.S. Patriot Act increased governmental power to do this
ECPA: Title II Unlawful Access to Stored Communications
Protects data stored in transit (on servers) and at the point of destination from being accessed and disclosed
In RAM
On floppies, CDs
ECPA: Title II specifically
1. Prohibits intentionally accessing without authorization or exceeding authorization a facility through which an electronic communication service is provided and thereby accessing wire or electronic communication while it is in electronic storage.
2. Prohibits ISPs who provide electronic communication service to the public from knowingly divulging the contents of any communication while in storage
3. Prohibits a person providing remote computing services to the public from knowingly divulging any communication that is carried or stored
Litigation
Supnick v. Amazon.com, Inc. and Alexa Internet
Alleged that Alexa, whose software program monitors surfing habits and then suggests related Web pages, stored and transmitted this information to third parties (including Amazon) without informing users of the practice or obtaining users’ consent in violation of the ECPA and common law invasion of privacy.
Court approved a settlement agreement: Alexa must:
Delete four digits of the IP addresses in its databases, add privacy policy to Web site, require customers to opt-in to having their data collected before they can be permitted to download Alexa software, pay up to $40 to each customer whose data is found in Alexa’s database.
In Re Doubleclick Inc., Privacy Litigation
Plaintiffs argued Doubleclick’s practice of placing “cookies” on users’ hard drives was an invasion of privacy and violated Title II of the ECPA
Doubleclick’s motion that the case be dismissed was granted
Title III: The Pen Register Act
Applies to wiretaps, pen registers, and trap and trace devices
Requires a court order
If more like a wiretap, then need a search warrant
Amended by the U.S. Patriot Act
U.S. Patriot Act: Uniting and Strengthening America Act by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism PL 107-56.
Increases the kind of info that law enforcement officials can gain access to, including records of session times and durations, temporary network addresses, means and source of payments, including credit card or bank account numbers
Permits service providers to voluntarily release the contents of communications if they reasonably believe that “an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay”
Permits service providers to invite law enforcement to assist in tracking and intercepting a computer trespasser’s communications.
Spamming
Federal Law – none to regulate
FTC has regulated telephone solicitation – but has left regulation of spamming to the computer industry
23 States Also Have Statutes Specifically Prohibiting Spamming.
Forbid false headings and routing information, must put ADV and ADV: ADLT, Must have an opt-out choice
FTC
Has not endorsed regulation of spam on the federal level
Has charged spammers in the collection of data with unfair and deceptive trade practices and Violation of the GLB Act
FTC’s Fair Information Practices
Notice/Awareness that information is being collected
Choice/Consent to opt in or out
Access/Participation in correcting or changing one’s own personal info
Security/Integrity in keeping the personal information protected from unauthorized use
Enforcement/Redress by submitting to outside monitoring to assure compliance
Govt. Regulation of Data Collection
FTC has authority under Section 5(a) of the FTC Act – can regulate “unfair and deceptive trade practices”
1998 FTC announced 4 elements to protect consumer privacy
Notice to consumers about how info will be used
Choice for consumers as to what and how used
Security of PII
Access for consumers to see their own PII
Mechanisms for consumer to enforce these principles
Doubleclick Case
Decided in favor of Doubleclick: they were only doing what they had said in their privacy policy, so OK.
FTC Also Monitoring Wireless Communication
FTC: http://www.ftc.gov/bcp/reports/wirelesssummary.pdf
“The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues.”
Self Regulation: Industry Protections
Seal Programs
TRUSTe formed by AOL and Microsoft and 600 others; BBBOnline
Monitor the web sites of its members making sure their information practices are fair & inform users about their privacy practices
P3P: WWW Consortium’s Platform for Privacy Preferences
Convey data practices to consumers in standardized machine-readable code. Consumer uses P3P Agent to warn users when a Web site’s P3P expressed data practices do not match the users’ privacy settings.
Microsoft’s Internet Explorer 6.0 is a User Agent
Network Advertising Initiative
Direct Marketing Association
Netiquette
Database Transferability in Bankruptcy: Bankruptcy Reform Act of 2001
Toysmart case
Dot-coms have become dot-bombs: their biggest asset is customer info database
Disney bought Toysmart’s d-base only then to have to destroy it
Same with Fry’s Electronics: did not proceed with sale of Egghead.com
Bankruptcy Code now requires
A consumer privacy ombudsman before the info can be transferred to creditors in a bankruptcy proceeding
Spamming Defended on Basis of 1st am. Freedom of Speech
Cyber Promotions, Inc. v. America Online, Inc.
Cyber Promotions sent bulk e-mail through AOL
AOL sent a letter to stop
Cyber didn’t
AOL gathered all the undeliverable mail and sent it back to Cyber
This caused the ISPs who served Cyber to terminate their relationships with Cyber
Cyber sued AOL - AOL counter sued Cyber
Cyber asked for a declaratory judgment that they could spam
Ct. said AOL not government, so no 1st amendment rights against AOL
Spamming
State law – use common law trespass
CompuServe, Inc. v. Cyber Promotions
CompuServe told Cyber Promotions to stop sending unsolicited e-mail
CompuServe implemented software programs designed to screen out messages and block their receipt
Cyber Promotions still spammed
CompuServe sued for trespass to their personal property and asked for a preliminary injunction
Workplace Privacy
Governmental employer: O’Connor v. Ortega
Balance right of employee to privacy against employers’ needs for supervision, control and the efficient operation of the workplace
Private employer
Use same balancing test
Nardinelli et al., v. Chevron: harassing emails
Blakey v. Continental Airlines: bulletin board offsite
Michael A. Smyth v. Pillsbury Company: employee’s email
McLaren v. Microsoft: employee’s having password did not give him protection
Impact of the ECPA on Workplace Privacy
Robert Konop v. Hawaiian Airlines
Posted messages on his password-protected bulletin board
One of his users with a password gave the password to a third party
Third party went online and viewed Robert’s BB
Ct.: no violation of Title I, no interception
Violation of Title II, not authorized use to give password to third party
Global Issues
European Union’s Directive on Privacy Protection 1998
Requires member states of EU to adopt legislation that seeks to protect the individual’s privacy as it relates to the processing and collection of personal data
Also applies to non-member states doing business with member states = U.S. to do the following:
Process information fairly and accurately
Collect only for specified and legitimate purposes
Keep accurate and updated
Keep it identified with subject only for the “needed” time
Further Requirements of EU’s Directive
Controller of data must prove
Consent of the data subject has been given
Data is necessary for a contract between the parties
Processing of data is necessary to protect subject
Processing of data is necessary to protect the public interest
Processing of data is necessary to protect the controller’s interest and this is greater than the subject’s right to privacy
Article 25
Prohibits the export of personal data to nonmember countries that do not have laws that adequately protect personal data
U.S. has Safe Harbors now
See http://europa.eu.int/comm/internal_market/en/dataprot/news/o2-196_en.pd.
EU issued standard contractual clauses