Chapter 9 Privacy ITN 267

Privacy
Two Different Threats

Other Individuals Invading My Privacy
Government Invading My Privacy
(c) 2004 West Legal S
Examples of Other Individuals

Invading My Privacy
Cookies
Web-Bugs or SpyWare:
graphic image like a GIF, placed on a web page or an e-mail message
to monitor user behavior, functioning as a kind of spyware not like a
cookie which can be declined, but is just another graphic image,
invisible to the user - can only see it if look at the source version of the
page to find an IMG tag that loads from a different web server that the
rest of the page
Can be good to track copyright violations
E-Mail Wiretaps:
eBlastser software can provide e-mail updates of a persons online
activity if installed on their computer
Examples of Government Invading

My Privacy:
Surveillance without court order (search warrant)
Wiretaps
Seizing disks, hard drives, data bases
FBIs
Carnivore, DragonWare suite, Packeteer, Coolminer
Government was being challenged for invading privacy,
but then came
Sept. 11th
House and Senate have both approved bills giving the govt. broad
powers of surveillance
U.S. Constitution and its

Amendments
Protects individuals against Government
invasion of privacy only - not invasion of
privacy by other individuals
U.S. Constitution
The right to privacy is not expressly stated in the
Constitution or the Amendments, but the
Supreme Court has interpreted some of the
amendments to mean that there exists a
penumbral or implied right of privacy under the
U.S. Constitution
Supreme Court found the right of privacy implied
in these Amendments:
Ninth
Fourth
Fifth
Ninth Amendment
This enumeration shall not be construed
to deny other rights retained by the
people
So, there must be other rights and privacy
could be another right not mentioned in
the Amendments.
Fourth Amendment
right of the people to be secure in their persons,
houses, papers, and effects.
Griswold v. Connecticut (1965)
established zones of privacy or areas or locations where
privacy is reasonably expected
Later cases: privacy exists when a person exhibits an

actual expectation of privacy and society recognizes
the expectation is reasonable
Does this mean that personal information being
accumulated and used by the government without our
permission, especially when used for commercial
purposes, is a violation of this amendment? Cookies?
Fifth Amendment
No person shall be compelled to be a witness
against himself
Corporations do not have this protection
Doe v. U.S. (1988) individual has to surrender the key
to a strongbox containing incriminating documents,
but does not have to reveal the combination to his
wall safe
Does this mean that a person could not be forced to
give up his encryption code or his password?
Fourteenth Amendment
Gives the individual the same protection
against all state governments in the same
way the individual is protected against the
federal government invasion of privacy
State Constitutions
Usually states copy the 4th Amendment and give
an implied protection to the individual from
government invasion of privacy
But many state constitutions go further and protect
the individuals privacy from the government in other
specific areas:
medical records, wiretapping, insurance, school records,
credit and banking information, privileged communications
between attorney and client
10
Protection Against Other Individuals

Invading My Privacy
Federal Statutes
State Statutes
State Common Law: Tort Law
11
State Common Law Tort:

Invasion of Privacy
Gives protection to individual against other
individuals invading his privacy
Used when no federal or state statute to protect
privacy
Intrusion Upon Seclusion
Public Disclosure of Private Facts Causing Injury to
Reputation
Publicity Placing Another in a False Light
Misappropriation of a Persons Name or Likeness
Causing Injury to Reputation
12
Intrusion Upon Seclusion

Intent or Knowledge
Reasonable Expectation of Privacy
Katz v. United States
Barnick v. Vopper cell phone privacy
Privacy outweighed by freedom of speech and press rights
Substantial and Highly Offensive to a

Reasonable Person
Michael A. Smyth v. Pillsbury Company
Employees email not highly offensive
13
Public Disclosure of Private Facts Causing

Injury to Reputation
Three elements above plus
Facts Must Be Private (medical, insurance,
etc)
14
Publicity Placing Another in a

False Light
Falsely connecting a person to an immoral,
illegal or embarrassing situation resulting in
injury to ones reputation
15
Misappropriation of a Persons Name or

Likeness Causing Injury to Reputation
Howard Stern v. Delphi Services Corporation
In the Matter of Eli Lilly (FTC 2002)
16
Federal Statutes
There are many federal statutes that have
been introduced to protect privacy
17
Privacy Protection Act (PPA) 1980

Govt. cant search or seize without a warrant
the following: work product reasonably
expected to have a purpose of dissemination to
the public, like a newspaper, book, broadcast,
or other similar form of public communication
18
Privacy Act 1994

Govt. cant disclose records and documents in its
possession that contain personal information (name,
identification number, photo , fingerprint, voice print
about individuals w/o their written consent, giving
them a copy, allowing them to correct, inform them
their records have been disclosed
Exceptions: Court order, health and safety exceptions,
valid search warrant
19
Cable Communications Privacy Act

(CCPA) 1984
Individual cable companies cant reveal our
cable preferences
20
Video Privacy Protection Act

(1988)
Individual video stores cant reveal our video
preferences
21
Telephone Consumer Protection

Act (1991)(FCC)
Individual sellers cant use automatic dial telephone
solicitations if called person is charged
Cant send unsolicited advertisements to fax numbers
Not applied to bulk e-mail yet (spammming)
Have to have do not call lists

Cant make unsolicited telemarketing calls to police,
fire, or other emergency numbers
Feds have given jurisdiction to the states
22
Fair Credit Reporting Act (FCRA)

1970 (FTC)
Consumer credit reporting agencies must be fair,
impartial, respect privacy
Have to get individuals permission to release info
FTC implements and enforces and adjudicates
Consumers have a right to obtain info about
themselves
Can ask for info online from credit reporting agencies
and they would have to comply
23
The Computer Fraud and Abuse

Act (CFFA) 1986, 1994
Prohibits intentional access of data stored in
computers belonging to or benefiting the U.S.
government
Prohibits access to info about a consumer
contained in the financial records of a
financial institution or in a file of a consumer
reporting agency
Felony for both of above
24
Bank Secrecy Act of 1970

Illegal to launder money and use secret foreign
bank accounts for illegal purposes
Financial institutions must report to U.S.
treasury Dept. any cash transaction over
$10,000
Report any suspicious transaction
25
Right to Financial Privacy Act of 1978

Government must have a search warrant to
access financial records and info, except for
Patriot Act
26
Gramm-Leach-Bliley Act (GLB)

1999
Sweeping financial services privacy reform
Title V: Consumer financial privacy:
Subtitle A, Disclosure of Nonpublic Personal
Information
Subtitle B, Fraudulent Access to Financial
Information
27
GLB Act
Financial institution to provide notice to customers about its
privacy policies and practices
Describes the conditions under which a financial institution
may disclose nonpublic personal information about consumers
to nonaffiliated third parties
Provides a method for consumers to prevent a financial
institution from disclosing that information to most
nonaffiliated third parties by Opting Out of that disclosure
Must tell exceptions when consumer cannot opt out
28
GLB continued What is a

financial institution?
Significantly engaged in financial activities to
be considered a financial institution
Lending, exchanging, transferring, investing for
others or safeguarding money or securities..
Vendor credit cards, Master Card, American Express,
Visa
Many other activities that are similar to a banks

activities
29
GLB continuedIs Your Business Contact

a Consumer or a Customer?
Consumer is an individual who obtains or has
obtained a financial product or service from a
financial institution that is to be used primarily
for personal, family or household purposes
30
GLB continued.Duty to
Consumers:
Provide a short-form notice about the availability of
the privacy policy if the financial institution shares
information outside the permitted exceptions.
Provide an opt-out notice prior to sharing info
Give Consumers reasonable opportunity to opt out
Honor opt-out
If you change your privacy policy provide new
notice
31
Who are customers?

Customer
Continuing relationship with a consumer
Loans: customer relationship travels with the servicing
rights
32
Duty to Customers Different

Same as above except:
Provide long form notice
Annual privacy notice for duration of relationship
33
Nonpublic Personal Information

(NPI)?
Personally identifiable information
Any list, description, or other grouping of
consumers derived from using PIFI =
Personally Identifiable Financial
Information
Not publicly available info
And on and on and on very long law, with a
great many details
34
Pretexting
FTC v. Information Search, Inc.,
Settlements from three information brokers who
the FTC alleged used deceptive practices called
pretexting_ to obtain consumers confidential
financial information
Used false pretenses, fraudulent statements, and
impersonation to illegally gain access to information
such as bank balances and then offered info for sale.
35
Health Insurance Portability and

Accountability Act, 1996 (HIPAA)
Full compliance not required until Feb. 21, 2003.
Consumer control, accountability w/ fines
Public responsibility balance against protecting
public health, conducting research,etc.
Boundaries: use only for treatment and payment, need
special consent to use for medical purposes
Bush proposed loosening of regulations to remove
requirement that patients have to give written consent
for disclosure, only give them notice of their rights.
36
Childrens Online Privacy Protection

Act of 1998 (COPPA)
April 21, 2000
Has FTC Rules and Regulations regulating it (Safe Harbors)
(Article)
Applies to operators of commercial sites targeted to (or
knowingly collecting info from) kids
Post privacy notices and obtain verifiable parental consent
before collecting info from kids
Enforced by FTC and State Attorneys General
(NOT COPA Childrens Online Privacy Act which is antipornography declared unconstitutional on preliminary
injunction in June, 2000)
37
Requirements of COPPA
Who:
Anyone whose website is directed at kids.
FTC will look at subject matter, visual or audio content, age of models,
language used, advertising and promotions featured, use of animated
characters or child-oriented activities and incentives, evidence of sites
intended audience and actual audience composition
What You Must Do:

Must have a prominent and plain privacy statement link on home page
and page collecting info: not bottom of page fine print
Direct Notice to and Verifiable Parental Consent from parents: sliding
scale of verification depending on info use MUST ALLOW OPT OUT
of information use!
38
Exception to COPPA:
Safe-harbor of presumptive compliance for
those following an FTC-approved system or
protocol
http://www.ftc.gov//privacy/safeharbor/shp.ht
m
39
Litigation
U.S. v. The Ohio Art Co., ( Etch-A Sketch)
Company failed to provide notice or get consent from
parents, collecting more info than necessary
40
PII Data Collection and Sale

Companies gather data, including our e-mail
addresses, when we visit them
Companies sell this data to other companies
These sales are big business
41
1986 Electronic Communications Privacy

Act (ECPA) Titles I and II
Amendment to the Omnibus Crime Control and Safe
Streets Act of 1968
Prohibits any one, including government, from
wiretapping without search warrant with probable
cause
Has two parts:
1. TITLE I. interception and disclosure of wire, oral, and
electronic communications
2. TITLE II. disclosure of stored wire, transactional, and
electronic communications
42
ECPA: Not Just the Government

This amendment applied also to people and ISPs
Only applicable if public network, not internal
network and has to be in interstate commerce
Not applicable to information posted on public BB
Party transmitted to, the receiver, can reveal info
43
ECPA: Title I:
Communications which are protected from
interception include transmission by radio
paging, cellular phones, computer generated
transmissions, and e-mail
McVeigh v. Cohen: AOL violated ECPA by
revealing to Navy that his e-mail which
showed he was gay
44
ECPA: Four Exceptions:

ISPs
Business Extension rule or Ordinary Course
of Business
Prior consent
Government has a warrant
45
ECPA: ISPs
Doing maintenance
U.S. v. Mullins (American Airlines was service
provider for travel agent)
46
ECPA: Business Extension

Exception
Exempts any devise furnished to the subscriber or user
by a provider of wire or electronic communication
service in the ordinary course of business and being
used by the subscriber or user in the ordinary course of
business
Employers who furnish the business phones and
computers can intercept
Phone
Computer
47
ECPA: Requirements Established

by Cases
Employees must know they are going to be monitored in
order for employer to make sure the phones and e-mail
are being used for business purposes
Sanders v. Rober Boschs Corporation: cant monitor 24
hours a day
Watkins v. L.M. Berry and Co. once the employer hears
something personal, he has to stop listening - same with
e-mail?
48
ECPA: Consent of one of the

parties
When the employer has warned that the
employee will be monitored, the employee
gives prior consent when he gets on the
computer
Good to get it signed when the employee first
takes the job
49
ECPA: Search Warrant Granted for

Probable Cause
ISP accidentally sees something illegal
May tell law enforcement
Law enforcement must get a proper warrant
Carnivore
FBI like pen register, sift thru email and other Internet traffic
to find crime
U.S. Patriot Act increased governmental power to do this
50
ECPA: Title II Unlawful Access to

Stored Communications
Protects data stored in transit ( on servers) and
at the point of destination from being accessed
and disclosed
In RAM
On floppies, CDs
51
ECPA: Title II specifically

1. Prohibits intentionally accessing without authorization or
exceeding authorization a facility through which an electronic
communication service is provided and thereby accessing wire
or electronic communication while it is in electronic storage.
2. Prohibits ISPs who provide electronic communication
service to the public from knowingly divulging the contents of
any communication while in storage
3. Prohibits a person providing remote computing services to
the public from knowingly divulging any communication that
is carried or stored
52
Litigation
Supnick V. Amazon.com, Inc. and Alexa Internet
Alleged that Alexa, whose software program monitors
surfing habits and then suggests related Web pages, stored
and transmitted this information to third parties (including
Amazon) without informing users of the practice or
obtaining users consent in violation of the ECPA and
common law invasion of privacy.
Court approved a settlement agreement: Alexa must:
Delete four digits of the IP addresses in its databases, add privacy
policy to Weg site, require customers to op-in to having their data
collected before they can be permitted to download Alexa software,
pay up to $40 to each customer whose data is found in Alexas
database.
53
In Re Doubleclick Inc. , Privacy

Litigation
Plaintiffs argued Doubleclicks practice of
placing cookies on users hard drives
was an invasion of privacy and violated
Title II of the ECPA
Doubleclicks motion that the case be
dismissed was granted
54
Title III: The Pen Register Act

Applies to wiretaps, pen registers, and trap and trace
devices
Requires a court order
If more like a wiretap, then need a search warrant
Amended by the U.S. Patriot Act
55
U.S. Patriot Act: Uniting and strengthening

America Act by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism PL 107-56.
Increases the kind of info that law enforcement officials can

gain access to, including records of session times and
durations, temporary network addresses,means and source of
payments, including credit card or bank account numbers
Permits service providers to voluntarily release the contents
of communications if they reasonably believe that an
emergency involving immediate danger of death or serious
physical injury to any person requires disclosure of the
information without delay
Permits service providers to invite law enforcement to
assist in tracking and intercepting a computer trespassers
communications.
56
Spamming
Federal Law none to regulate
FTC has regulated telephone solicitation but has
left regulation of spamming to the computer
industry
57
23 States Also Have Statutes

Specifically Prohibiting Spamming.
Forbid false headings and routing information,
must put ADV and ADV: ADLT,
Must have an opt-out choice
58
FTC
Has not endorsed regulation of spam on the federal level
Has charged spammers in the collection of data with
unfair and deceptive trade practices and
Violation of the GLB Act
FTCs Fair Information Practices
Notice/Awareness that information is being collected

Choice/Consent to opt in or out
Access/ Participation in correcting or changing ones own personal info
Security/Integrity in keeping the person information protected from
unauthorized use
Enforcement/Redress by submitting to outside monitoring to assure
compliance
59
Govt. Regulation of Data

Collection
FTC has authority under Section 5(a) of the FTC Act can
regulate unfair and deceptive trade practices
1998 FTC announced 4 elements to protect consumer
privacy
Notice to consumers about how info will be used

Choice for consumers as to what and how used
Security of PII
Access for consumers to see their own PII
Mechanisms for consumer to enforce these principles
Doubleclick Case
Decided in favor of Doubleclick: they were only doing what they
had said in their privacy policy, so OK.
60
FTC Also Monitoring Wireless

Communication
FTC:
http://www.ftc.gov/bcp/reports/wirelesssumma
ry.pdf
The Mobile Wireless Web, Data Services and
Beyond: Emerging Technologies and Consumer
Issues.
61
Self Regulation: Industry Protections

Seal Programs
TRUSTe formed by AOL and Microsoft and 600 others; BBB Onlines
Monitor the web sites of its members making sure their information
practices are fair & inform users about their privacy practices
P3P: WWW Consortiums Platform for Privacy

Preferences
Convey data practices to consumers in standardized machine-readable
code, Consumer uses P3P Agent to warn users when a Web sites P3P
expressed data practices do not match the users privacy settings.
Microsofts Internet Explorer 6.0 is a User Agent
Network Advertising Initiative

Direct Marketing Association
Netiquette
62
Database Transferability in Bankruptcy:

Bankruptcy Reform Act of 2001
Toysmart case
Dot-coms have become dot-bombs: their
biggest asset is customer info database
Disney bought Toysmarts d-base only then to
have to destroy it
Same with Frys Electronics: did not proceed with
sale of Egghead.com
63
Bankruptcy Code now requires

A consumer privacy ombudsman before the
info can be transferred to creditors in a
bankruptcy proceeding
64
Spamming Defended on Basis of 1st am.

Freedom of Speech
Cyber Promotions, Inc. V. America Online, Inc.
Cyber Promotions sent bulk e-mail through AOL

AOL sent a letter to stop
Cyber didnt
AOL gather all the undeliverable mail and sent it back to Cyber
This caused the ISPs who served Cyber to terminate their
relationships with Cyber
Cyber sued AOL - AOL counter sued Cyber
Cyber asked for a declaratory judgment that they could spam
Ct. said AOL not government, so no 1st amendment rights against
AOL
65
Spamming
State law use common law trespass
CompuServe, Inc. v. Cyber Promotions

CompuServe told Cyber Promotions to stop
sending unsolicited e-mail
CompuServe implemented software programs
designed to screen out messages and block their
receipt
Cyber Promotions still spammed
CompuServe sued for trespass to their personal
property and asked for a preliminary injunction
66
Workplace Privacy
Governmental employer: OConnor v. Ortega
Balance right of employee to privacy against employers
needs for supervision, control and the efficient operation of
the workplace
Private employer
Use same balancing test
Nardinelli et al., v. Chevron: harassing emails

Blakey v. Continental Airlines: bulletin board offsite
Michael A. Smyth v. Pillsbury Company: employees email
McLaren v. Microsoft: employees having password did not give
him protection
67
Impact of the ECPA on Workplace

Privacy
Robert Konop v. Hawaiian Airlines
Posted messages on his password-protected
bulletin board
One of his users with a password gave the
password to a third party
Third party went online and viewed Roberts BB
Ct.: no violation of Title I, no interception

Violation of Title II, not authorized use to give
password to third party
68
Global Issues
European Unions Directive on Privacy Protection
1998
Requires member states of EU to adopt legislation that
seeks to protect the individuals privacy as it relates to the
processing and collection of personal data
Also applies to non-member states doing business with
member states = U.S. to do the following:
Process information fairly and accurately

Collect only for specified and legitimate purposes
Keep accurate and updated
Keep it identified with subject only for the needed time
69
Further Requirements of EUs

Directive
Controller of data must prove
Consent of the data subject has been given

Data is necessary for a contract between the parties
Processing of data is necessary to protect subject
Processing of data is necessary to protect the public interest
Processing of data is necessary to protect the controllers
interest and this is greater than the subjects right to privacy
70
Article 25
Prohibits the export of personal data to
nonmember countries that do not have laws
that adequately protect personal data
U.S. has Safe Harbors now
See
http://europa.eu.int/comm/internal_market
/en/dataprot/news/o2-196_en.pd
.
EU issued standard contractual clauses
71
Other Countries Efforts at

Regulating Internet Data Privacy
Australia
Canada
Russia
72

Chapter 9 Privacy ITN 267

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 9 Privacy ITN 267

Uploaded by

Copyright:

Available Formats

Privacy

Two Different Threats

(c) 2004 West Legal S

Examples of Other Individuals

(c) 2004 West Legal S

Examples of Government Invading

(c) 2004 West Legal S

U.S. Constitution and its

(c) 2004 West Legal S

(c) 2004 West Legal S

Later cases: privacy exists when a person exhibits an

(c) 2004 West Legal S

(c) 2004 West Legal S

(c) 2004 West Legal S

Protection Against Other Individuals

(c) 2004 West Legal S

State Common Law Tort:

(c) 2004 West Legal S

Intrusion Upon Seclusion

Substantial and Highly Offensive to a

(c) 2004 West Legal S

Public Disclosure of Private Facts Causing

(c) 2004 West Legal S

Publicity Placing Another in a

(c) 2004 West Legal S

Misappropriation of a Persons Name or

(c) 2004 West Legal S

(c) 2004 West Legal S

Privacy Protection Act (PPA) 1980

(c) 2004 West Legal S

Privacy Act 1994

(c) 2004 West Legal S

Cable Communications Privacy Act

(c) 2004 West Legal S

Video Privacy Protection Act

(c) 2004 West Legal S

Telephone Consumer Protection

Have to have do not call lists

Fair Credit Reporting Act (FCRA)

(c) 2004 West Legal S

The Computer Fraud and Abuse

Bank Secrecy Act of 1970

(c) 2004 West Legal S

Right to Financial Privacy Act of 1978

(c) 2004 West Legal S

Gramm-Leach-Bliley Act (GLB)

(c) 2004 West Legal S

(c) 2004 West Legal S

GLB continued What is a

Many other activities that are similar to a banks

(c) 2004 West Legal S

GLB continuedIs Your Business Contact

(c) 2004 West Legal S

(c) 2004 West Legal S

Who are customers?

(c) 2004 West Legal S

Duty to Customers Different

(c) 2004 West Legal S

Nonpublic Personal Information

(c) 2004 West Legal S

Health Insurance Portability and

Childrens Online Privacy Protection

What You Must Do:

(c) 2004 West Legal S