
Post on 20-Dec-2015


(c) 2004 West Legal Studies in Business A Division of Thomson Learning


Privacy

Two Different Threats

Other Individuals Invading My Privacy

Government Invading My Privacy


Examples of Other Individuals Invading My Privacy

Cookies

Web-Bugs or “SpyWare”:

A graphic image, such as a GIF, placed on a web page or in an e-mail message to monitor user behavior, functioning as a kind of spyware. Unlike a cookie, which can be declined, a web bug is just another graphic image and is invisible to the user; it can be seen only by looking at the source version of the page for an IMG tag that loads from a different web server than the rest of the page

Can be good to track copyright violations

E-Mail Wiretaps:

eBlaster software can provide e-mail updates of a person’s online activity if installed on their computer
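The source-view check described for web bugs above (an IMG tag that loads from a different web server than the rest of the page), as an added example that is not part of the original slides. The page URL, host names and HTML are constructed, and treating a 1x1 or style-hidden image as "invisible" is an assumption of this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: two ordinary images, one same-server spacer,
# and two invisible images served from other hosts.
PAGE_URL = "https://shop.example/index.html"
SAMPLE_PAGE = """
<html><body>
  <img src="/img/logo.gif" width="200" height="80">
  <img src="https://cdn.example/banner.gif" width="468" height="60">
  <img src="https://shop.example/spacer.gif" width="1" height="1">
  <img src="https://tracker.example/t.gif?uid=1234" width="1" height="1">
  <img src="//stats.example/p.gif" style="display: none">
</body></html>
"""


def _px(value):
    """Parse an HTML dimension such as '1' or '1px'; None if absent or odd."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html, page_url):
    """Return invisible images that load from a host other than the page's.

    Hosts are compared exactly, so a subdomain counts as a different server.
    """
    page_host = urlparse(page_url).hostname
    collector = _ImgCollector()
    collector.feed(html)

    findings = []
    for attrs in collector.images:
        src = attrs.get("src")
        if not src:
            continue
        full = urljoin(page_url, src)       # resolves relative and // URLs
        host = urlparse(full).hostname      # None for data: URIs
        if host is None or host == page_host:
            continue                        # same server as the page

        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")

        if reasons:
            findings.append({"src": full, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_PAGE, PAGE_URL):
        print(bug["host"], bug["src"], ", ".join(bug["reasons"]))
```

The visible third-party banner and the same-server spacer are not reported; only images that are both off-site and invisible are.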


Examples of Government Invading My Privacy:

Surveillance without court order (search warrant)

Wiretaps

Seizing disks, hard drives, data bases

FBI’s Carnivore, DragonWare suite, Packeteer, Coolminer

Government was being challenged for invading privacy, but then came Sept. 11th

House and Senate have both approved bills giving the govt. broad powers of surveillance


U.S. Constitution and its Amendments

Protects individuals against Government invasion of privacy only - not invasion of privacy by other individuals


U.S. Constitution

The right to privacy is not expressly stated in the Constitution or the Amendments, but the Supreme Court has interpreted some of the amendments to mean that there exists a penumbral or implied right of privacy under the U.S. Constitution

Supreme Court found the right of privacy implied in these Amendments: Ninth, Fourth, Fifth


Ninth Amendment

“This enumeration shall not be construed to deny other rights retained by the people…”

So, there must be other rights and privacy could be another right not mentioned in the Amendments….


Fourth Amendment

“right of the people to be secure in their persons, houses, papers, and effects…”

Griswold v. Connecticut (1965)

established “zones of privacy” or areas or locations where privacy is reasonably expected

Later cases: privacy exists when a person exhibits an actual expectation of privacy and society recognizes the expectation is reasonable

Does this mean that personal information being accumulated and used by the government without our permission, especially when used for commercial purposes, is a violation of this amendment? Cookies?


Fifth Amendment

No person shall be compelled to be a witness against himself

Corporations do not have this protection

Doe v. U.S. (1988): individual has to surrender the key to a strongbox containing incriminating documents, but does not have to reveal the combination to his wall safe

Does this mean that a person could not be forced to give up his encryption code or his password?


Fourteenth Amendment

Gives the individual the same protection against invasion of privacy by state governments as the individual has against the federal government


State Constitutions

Usually states copy the 4th Amendment and give an implied protection to the individual from government invasion of privacy

But many state constitutions go further and protect the individual’s privacy from the government in other specific areas:

medical records, wiretapping, insurance, school records, credit and banking information, privileged communications between attorney and client


Protection Against Other Individuals Invading My Privacy

Federal Statutes

State Statutes

State Common Law: Tort Law


State Common Law Tort: Invasion of Privacy

Gives protection to individual against other individuals invading his privacy

Used when no federal or state statute to protect privacy

Intrusion Upon Seclusion

Public Disclosure of Private Facts Causing Injury to Reputation

Publicity Placing Another in a False Light

Misappropriation of a Person’s Name or Likeness Causing Injury to Reputation


Intrusion Upon Seclusion

Intent or Knowledge

Reasonable Expectation of Privacy

Katz v. United States

Bartnicki v. Vopper – cell phone privacy

Privacy outweighed by freedom of speech and press rights

Substantial and Highly Offensive to a Reasonable Person

Michael A. Smyth v. Pillsbury Company

Employee’s email – not highly offensive


Public Disclosure of Private Facts Causing Injury to Reputation

Three elements above – plus

Facts Must Be Private (medical, insurance, etc.)


Publicity Placing Another in a False Light

Falsely connecting a person to an immoral, illegal or embarrassing situation resulting in injury to one’s reputation


Misappropriation of a Person’s Name or Likeness Causing Injury to Reputation

Howard Stern v. Delphi Services Corporation

In the Matter of Eli Lilly (FTC 2002)


Federal Statutes

There are many federal statutes that have been introduced to protect privacy


Privacy Protection Act (PPA) 1980

Govt. can’t search or seize without a warrant the following: work product reasonably expected to have a purpose of dissemination to the public, like a newspaper, book, broadcast, or other similar form of public communication


Privacy Act 1994

Govt. can’t disclose records and documents in its possession that contain personal information (name, identification number, photo, fingerprint, voice print) about individuals w/o their written consent, giving them a copy, allowing them to correct, and informing them their records have been disclosed

Exceptions: Court order, health and safety exceptions, valid search warrant


Cable Communications Privacy Act (CCPA) 1984

Individual cable companies can’t reveal our cable preferences


Video Privacy Protection Act (1988)

Individual video stores can’t reveal our video preferences


Telephone Consumer Protection Act (1991)(FCC)

Individual sellers can’t use automatic dial telephone solicitations if called person is charged

Can’t send unsolicited advertisements to fax numbers

Not applied to bulk e-mail yet (spamming)

Have to have “do not call” lists

Can’t make unsolicited telemarketing calls to police, fire, or other emergency numbers

Feds have given jurisdiction to the states


Fair Credit Reporting Act (FCRA) 1970 (FTC)

Consumer credit reporting agencies must be fair, impartial, respect privacy

Have to get individual’s permission to release info

FTC implements and enforces and adjudicates

Consumers have a right to obtain info about themselves

Can ask for info online from credit reporting agencies and they would have to comply


The Computer Fraud and Abuse Act (CFAA) 1986, 1994

Prohibits intentional access of data stored in computers belonging to or benefiting the U.S. government

Prohibits access to info about a consumer contained in the financial records of a financial institution or in a file of a consumer reporting agency

Felony for both of above


Bank Secrecy Act of 1970

Illegal to launder money and use secret foreign bank accounts for illegal purposes

Financial institutions must report to U.S. Treasury Dept. any cash transaction over $10,000

Report any suspicious transaction


Right to Financial Privacy Act of 1978

Government must have a search warrant to access financial records and info, except for Patriot Act


Gramm-Leach-Bliley Act (GLB) 1999

Sweeping financial services privacy reform

Title V: Consumer financial privacy:

Subtitle A, Disclosure of Nonpublic Personal Information

Subtitle B, Fraudulent Access to Financial Information


GLB Act

Financial institution to provide notice to customers about its privacy policies and practices

Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties

Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by Opting Out of that disclosure

Must tell exceptions when consumer cannot opt out


GLB continued… What is a financial institution?

Significantly engaged in financial activities to be considered a financial institution

Lending, exchanging, transferring, investing for others or safeguarding money or securities…

Vendor credit cards, Master Card, American Express, Visa

Many other activities that are similar to a bank’s activities


GLB continued…Is Your Business Contact a Consumer or a Customer?

Consumer is an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family or household purposes


GLB continued….Duty to Consumers:

Provide a short-form notice about the availability of the privacy policy if the financial institution shares information outside the permitted exceptions.

Provide an opt-out notice prior to sharing info

Give Consumers reasonable opportunity to opt out

Honor opt-out

If you change your privacy policy – provide new notice


Who are customers?

Customer: Continuing relationship with a consumer

Loans: customer relationship travels with the servicing rights


Duty to Customers – Different

Same as above except:

Provide long form notice

Annual privacy notice for duration of relationship


Nonpublic Personal Information (NPI)?

Personally identifiable information

Any list, description, or other grouping of consumers derived from using PIFI = “Personally Identifiable Financial Information”

Not publicly available info

And on and on and on – very long law, with a great many details


Pretexting

FTC v. Information Search, Inc.,

Settlements from three information brokers who the FTC alleged used deceptive practices – called pretexting – to obtain consumers’ confidential financial information

Used false pretenses, fraudulent statements, and impersonation to illegally gain access to information such as bank balances and then offered info for sale.


Health Insurance Portability and Accountability Act, 1996 (HIPAA)

Full compliance not required until Feb. 21, 2003.

Consumer control, accountability w/ fines

Public responsibility – balance against protecting public health, conducting research, etc.

Boundaries: use only for treatment and payment, need special consent to use for medical purposes

Bush proposed loosening of regulations to remove requirement that patients have to give written consent for disclosure, only give them notice of their rights.


Children’s Online Privacy Protection Act of 1998 (COPPA)

April 21, 2000

Has FTC Rules and Regulations regulating it (Safe Harbors) (Article)

Applies to operators of commercial sites targeted to (or knowingly collecting info from) kids

Post privacy notices and obtain verifiable parental consent before collecting info from kids

Enforced by FTC and State Attorneys General

(NOT COPA Children’s Online Privacy Act which is anti-pornography declared unconstitutional on preliminary injunction in June, 2000)


Requirements of COPPA

Who: Anyone whose website is directed at kids.

FTC will look at subject matter, visual or audio content, age of models, language used, advertising and promotions featured, use of animated characters or child-oriented activities and incentives, evidence of site’s intended audience and actual audience composition

What You Must Do:

Must have a prominent and plain privacy statement link on home page and page collecting info: not bottom of page fine print

Direct Notice to and Verifiable Parental Consent from parents: sliding scale of verification depending on info use

MUST ALLOW OPT OUT of information use!


Exception to COPPA:

Safe-harbor of presumptive compliance for those following an FTC-approved system or protocol – http://www.ftc.gov//privacy/safeharbor/shp.htm


Litigation

U.S. v. The Ohio Art Co. (Etch-A-Sketch)

Company failed to provide notice or get consent from parents, collecting more info than necessary


PII Data Collection and Sale

Companies gather data, including our e-mail addresses, when we visit them

Companies sell this data to other companies

These sales are big business


1986 Electronic Communications Privacy Act – (ECPA) Titles I and II

Amendment to the Omnibus Crime Control and Safe Streets Act of 1968

Prohibits anyone, including government, from wiretapping without search warrant with probable cause

Has two parts:

1. TITLE I. Interception and disclosure of wire, oral, and electronic communications

2. TITLE II. Disclosure of stored wire, transactional, and electronic communications


ECPA: Not Just the Government …

This amendment applied also to people and ISPs

Only applicable if public network, not internal network and has to be in interstate commerce

Not applicable to information posted on public BB

Party transmitted to, the receiver, can reveal info


ECPA: Title I:

Communications which are protected from interception include transmission by radio paging, cellular phones, computer generated transmissions, and e-mail

McVeigh v. Cohen: AOL violated ECPA by revealing to the Navy his e-mail, which showed he was gay


ECPA: Four Exceptions:

ISPs

Business Extension rule or “Ordinary Course of Business”

Prior consent

Government has a warrant


ECPA: ISPs

Doing maintenance

U.S. v. Mullins (American Airlines was service provider for travel agent)


ECPA: Business Extension Exception

Exempts any device furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of business and being used by the subscriber or user in the ordinary course of business

Employers who furnish the business phones and computers can intercept

Phone

Computer


ECPA: Requirements Established by Cases

Employees must know they are going to be monitored in order for employer to make sure the phones and e-mail are being used for business purposes

Sanders v. Robert Bosch Corporation: can’t monitor 24 hours a day

Watkins v. L.M. Berry and Co.: once the employer hears something personal, he has to stop listening - same with e-mail?


ECPA: Consent of one of the parties

When the employer has warned that the employee will be monitored, the employee gives prior consent when he gets on the computer

Good to get it signed when the employee first takes the job…


ECPA: Search Warrant Granted for Probable Cause

ISP accidentally sees something illegal

May tell law enforcement

Law enforcement must get a proper warrant

Carnivore

FBI like pen register, sift thru email and other Internet traffic to find crime

U.S. Patriot Act increased governmental power to do this


ECPA: Title II Unlawful Access to Stored Communications

Protects data stored in transit (on servers) and at the point of destination from being accessed and disclosed

In RAM

On floppies, CDs


ECPA: Title II specifically

1. Prohibits intentionally accessing without authorization or exceeding authorization a facility through which an electronic communication service is provided and thereby accessing wire or electronic communication while it is in electronic storage.

2. Prohibits ISPs who provide electronic communication service to the public from knowingly divulging the contents of any communication while in storage

3. Prohibits a person providing remote computing services to the public from knowingly divulging any communication that is carried or stored


Litigation

Supnick v. Amazon.com, Inc. and Alexa Internet

Alleged that Alexa, whose software program monitors surfing habits and then suggests related Web pages, stored and transmitted this information to third parties (including Amazon) without informing users of the practice or obtaining users’ consent in violation of the ECPA and common law invasion of privacy.

Court approved a settlement agreement: Alexa must:

Delete four digits of the IP addresses in its databases, add privacy policy to Web site, require customers to opt in to having their data collected before they can be permitted to download Alexa software, pay up to $40 to each customer whose data is found in Alexa’s database.


In Re Doubleclick Inc., Privacy Litigation

Plaintiffs argued Doubleclick’s practice of placing “cookies” on users’ hard drives was an invasion of privacy and violated Title II of the ECPA

Doubleclick’s motion that the case be dismissed was granted


Title III: The Pen Register Act

Applies to wiretaps, pen registers, and trap and trace devices

Requires a court order

If more like a wiretap, then need a search warrant

Amended by the U.S. Patriot Act


U.S. Patriot Act: Uniting and strengthening America Act by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism PL 107-56.

Increases the kind of info that law enforcement officials can gain access to, including records of session times and durations, temporary network addresses, means and source of payments, including credit card or bank account numbers

Permits service providers to voluntarily release the contents of communications if they reasonably believe that “an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay”

Permits service providers to invite law enforcement to assist in tracking and intercepting a computer trespasser’s communications.


Spamming

Federal Law – none to regulate

FTC has regulated telephone solicitation – but has left regulation of spamming to the computer industry


23 States Also Have Statutes Specifically Prohibiting Spamming.

Forbid false headings and routing information, must put ADV and ADV: ADLT, must have an opt-out choice


FTC

Has not endorsed regulation of spam on the federal level

Has charged spammers in the collection of data with unfair and deceptive trade practices and Violation of the GLB Act

FTC’s Fair Information Practices

Notice/Awareness that information is being collected

Choice/Consent to opt in or out

Access/Participation in correcting or changing one’s own personal info

Security/Integrity in keeping the personal information protected from unauthorized use

Enforcement/Redress by submitting to outside monitoring to assure compliance


Govt. Regulation of Data Collection

FTC has authority under Section 5(a) of the FTC Act – can regulate “unfair and deceptive trade practices”

1998 FTC announced 4 elements to protect consumer privacy

Notice to consumers about how info will be used

Choice for consumers as to what and how used

Security of PII

Access for consumers to see their own PII

Mechanisms for consumer to enforce these principles

Doubleclick Case

Decided in favor of Doubleclick: they were only doing what they had said in their privacy policy, so OK.


FTC Also Monitoring Wireless Communication

FTC: http://www.ftc.gov/bcp/reports/wirelesssummary.pdf

“The Mobile Wireless Web, Data Services and Beyond: Emerging Technologies and Consumer Issues.”


Self Regulation: Industry Protections

Seal Programs

TRUSTe formed by AOL and Microsoft and 600 others; BBB Online

Monitor the web sites of its members making sure their information practices are fair & inform users about their privacy practices

P3P: WWW Consortium’s Platform for Privacy Preferences

Convey data practices to consumers in standardized machine-readable code; consumer uses P3P Agent to warn users when a Web site’s P3P expressed data practices do not match the users’ privacy settings.

Microsoft’s Internet Explorer 6.0 is a User Agent

Network Advertising Initiative

Direct Marketing Association

Netiquette


Database Transferability in Bankruptcy: Bankruptcy Reform Act of 2001

Toysmart case

Dot-coms have become dot-bombs: their biggest asset is customer info database

Disney bought Toysmart’s d-base only then to have to destroy it

Same with Fry’s Electronics: did not proceed with sale of Egghead.com


Bankruptcy Code now requires

A consumer privacy ombudsman before the info can be transferred to creditors in a bankruptcy proceeding


Spamming Defended on Basis of 1st am. Freedom of Speech

Cyber Promotions, Inc. v. America Online, Inc.

Cyber Promotions sent bulk e-mail through AOL

AOL sent a letter to stop

Cyber didn’t

AOL gathered all the undeliverable mail and sent it back to Cyber

This caused the ISPs who served Cyber to terminate their relationships with Cyber

Cyber sued AOL - AOL counter sued Cyber

Cyber asked for a declaratory judgment that they could spam

Ct. said AOL not government, so no 1st amendment rights against AOL


Spamming

State law – use common law trespass

CompuServe, Inc. v. Cyber Promotions

CompuServe told Cyber Promotions to stop sending unsolicited e-mail

CompuServe implemented software programs designed to screen out messages and block their receipt

Cyber Promotions still spammed

CompuServe sued for trespass to their personal property and asked for a preliminary injunction


Workplace Privacy

Governmental employer: O’Connor v. Ortega

Balance right of employee to privacy against employers’ needs for supervision, control and the efficient operation of the workplace

Private employer

Use same balancing test

Nardinelli et al., v. Chevron: harassing emails

Blakey v. Continental Airlines: bulletin board offsite

Michael A. Smyth v. Pillsbury Company: employee’s email

McLaren v. Microsoft: employee’s having password did not give him protection


Impact of the ECPA on Workplace Privacy

Robert Konop v. Hawaiian Airlines

Posted messages on his password-protected bulletin board

One of his users with a password gave the password to a third party

Third party went online and viewed Robert’s BB

Ct.: no violation of Title I, no interception

Violation of Title II, not authorized use to give password to third party


Global Issues

European Union’s Directive on Privacy Protection 1998

Requires member states of EU to adopt legislation that seeks to protect the individual’s privacy as it relates to the processing and collection of personal data

Also applies to non-member states doing business with member states = U.S. to do the following:

Process information fairly and accurately

Collect only for specified and legitimate purposes

Keep accurate and updated

Keep it identified with subject only for the “needed” time


Further Requirements of EU’s Directive

Controller of data must prove

Consent of the data subject has been given

Data is necessary for a contract between the parties

Processing of data is necessary to protect subject

Processing of data is necessary to protect the public interest

Processing of data is necessary to protect the controller’s interest and this is greater than the subject’s right to privacy


Article 25

Prohibits the export of personal data to nonmember countries that do not have laws that adequately protect personal data

U.S. has Safe Harbors now

See http://europa.eu.int/comm/internal_market/en/dataprot/news/o2-196_en.pd.

EU issued standard contractual clauses


Other Countries’ Efforts at Regulating Internet Data Privacy

Australia

Canada

Russia