Privacy Law and Policy

Right to Bear Arms? Massachusetts Supreme Judicial Court & U.S. Supreme Court--Recent Activity

Kevin Whitaker — Sat, 13 Mar 2010 07:14:27 -0500

Days ago, the Massachusetts Supreme Judicial Court affirmed the Second Amendment to the United States Constitution imposes no limitations on the Massachusetts Legislature to regulate the possession of firearms. See Commonwealth v. Richard Runyan (slip opinion).

The Second Amendment reads,

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

This case brings up the national debate on the right to bear arms and the Second Amendment. Is it a private individual’s right or, in the alternative, is it a State’s right--so the State may maintain a militia to defend itself? Grossly simplifying the theories, if it’s a State’s right, then the States can regulate it. If it’s an individual right, then that leads to a different analysis.

The SJC’s is an interesting decision in the wake of the U.S. Supreme Court’s 5-4 decision in Heller where the Supreme Court held the Second Amendment protects an individual’s right to possess a firearm in D.C. (D.C. is unique as it is a federal enclave and not a “free State.”)

The MA SJC reasoned the protection of the Second Amendment does not apply to the States as a matter of substantive due process under the Fourteenth Amendment to the United States Constitution. That is, the Second Amendment only prevents Congress, not the MA Legislature (until the Supreme Court says otherwise) from imposing limitations on the right to keep and bear arms.

We recognize that each of the cited cases limiting the application of the Second Amendment to the Federal government preceded the Supreme Court's selective incorporation of some provisions of the Bill of Rights under the due process clause of the Fourteenth Amendment, and that each was decided without reference to or consideration of the requirements of substantive due process. …

It's interesting to note that the much talked about case of McDonald vs. Chicago was also recently heard before the U.S. Supreme Court on March 2, 2010. Here the U.S. Supreme Court will likely decide the question of whether the Second Amendment becomes recognized as being incorporated into the the Fourteenth Amendment and therefore becomes applicable to the States.

Indications suggest the Court will recognize the right as being incorporated, but with questions arising as to what limitations might apply. If the Court does incorporate the Second Amendment and articulate rights held by individuals, then the SJC decision of earlier this week may ultimately provide short-lived precedent in Massachusetts. Perhaps the SJC sensed this, too, when it wrote:

Nonetheless, these cases are the law of the land until the Supreme Court decides otherwise, and we are therefore bound by them. …

Only time will tell, but the result will likely have far reaching implications. For in-depth coverage of McDonald vs. City of Chicago visit the SCOTUS Wiki for a wealth of information, resources, and always thoughtful analysis on Supreme Court cases.

New Data Security Regulations to Take Effect in Massachusetts on March 1st, 2010

Kevin Whitaker — Thu, 25 Feb 2010 16:29:29 -0500

The scramble in on as companies seek to comply with the identity theft regulations adopted in Massachusetts and touted as 'the first of their kind in the country' which are scheduled to take effect on March 1, 2010.

The effective date’s announcement followed a report indicating there have been over one million instances of Massachusetts residents’ personal information being exposed in two years. “We hope these regulations will make it harder for information to get into the wrong hands, and lower the number of instances of data being lost or stolen,” said Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation (OCABR).

While M.G.L. c. 93H was passed in 2007, controversy emerged over how to pursue some of the law’s objectives under the regulations. After repeated postponements and revisions—brought upon largely by changes in the economic climate as well as compliance concerns of businesses— the regulations are now set to take effect on March 1st.

“We heard testimony from a wide range of sources, and the message was that we have struck the right balance. We created regulations that are protective of consumers without being onerous to businesses,” Undersecretary Anthony said.

The regulations, known as 201 CMR 17 (PDF file), are designed to help preserve privacy by increasing the level of security on personal information. These regulations apply to those that own or license “personal information” about a Massachusetts resident. Personal information includes a resident’s first name and last name (or first initial and last name) in combination with their: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, that would permit access to a resident’s financial account.

The regulations require businesses take a risk-based approach and develop, implement, and maintain a written comprehensive information security program containing administrative, technical, and physical safeguards appropriate to the size, scope, and type of business. The written security plan takes into account the amount of resources available; the amount of stored data; and the need for security and confidentiality of both consumer and employee information. Further, the written security plan also requires a comprehensive security system be included which covers computers with access to the stored personal information (including any wireless system.)

The regulations set minimum requirements to the extent they are technologically feasible. For instance, encryption of personal information is required for: a) transmitted records and files that will travel across public networks, b) data transmitted wirelessly, and c) information stored on laptops or other portable devices. Further, the security system requirements for computers require other protocols be adopted and followed (e.g. passwords, training, restrictive and monitoring efforts, as well as firewall, malware, and other updated protections.)

In examining reported data breach incidents, OCABR found that less than 3% involved data that was encrypted when breached. In addition, they found 60% of the reported incidents were the result of criminal/unauthorized acts, with a high frequency of laptops or hard-drives being stolen, and that roughly 40% of the total incidents were the result of “employee error or sloppy internal handling of personal information or other data.”

The OCABR report adds, “[t]his confirms that any regulatory regime must include both measures that protect against intentional wrongdoing and measures that focus on establishing internal protocols that set minimum standards for handling sensitive paper and electronic records.” These concerns, and others, lie at the foundation of the adopted regulations.

In sum, the new regulations seek to balance consumer protections with business concerns. Business owners should review the regulations fully as the requirements are comprehensive and may require time and effort to comply with. In addition, there are also extended deadlines and requirements for businesses that contract with third parties. To learn more about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website at www.mass.gov/consumer.

Children Deserve Laws That Protect Them From Online Pedophiles, Not Laws, As Written, That Serve to Invite Them In

Kevin Whitaker — Sat, 06 Feb 2010 15:23:02 -0500

The Massachusetts Supreme Judicial Court recently reversed four indictments of Matt H. Zubiel for an attempt to disseminate matter harmful to a minor, under M.G. L. c. 272, § 28, and as defined in M.G. L. c. 272, § 31. Each indictment was based on Internet conversations between Zubiel and an undercover police officer on different days.

Deputy Sheriff Melissa Marino, a member of the "high-tech evidence analysis team" in the Plymouth County sheriff's department, conducted undercover investigations of crimes, including child pornography and child enticement. Marino created an undercover screen name, "Melissa QT 1995 and set up a Yahoo profile describing herself as "Meliss Smith" from the South Shore, age thirteen, and in the eighth grade. Her profile invited others to "PM" her (a form of instant messaging) if they wanted to send her a "private message."

On February 8, 2006, Zubiel with a screen name of "Ilikesports04," said, "Hi, how are you?" Marino informed Zubiel she was thirteen years old. He indicated he was age twenty-five. Their first online chat lasted forty-two minutes with Zubiel asking Marino for a photograph. She emailed him photographs of herself when she was thirteen years old. They discussed where each lived and they gave physical descriptions of themselves. Zubiel asked Marino, "[You] ever fool around with boys?" and other questions regarding what she had done with boys, how old the boys were, and additional details about those events.

A second online conversation occurred on February 13, 2006. Zubiel brought up several intimate topics asking questions about her physical appearance and her sexual experience and requested she send him a nude photograph of herself. Zubiel also asked if she was a police officer, acknowledging that they could get in trouble for what they talked about.

The next day, February 14, 2006, Zubiel e-mailed Marino a photograph of himself. Again, they discussed sexual topics online and Marino told Zubiel her mother would be working that weekend and she would be home alone. Zubiel questioned Marino further on her sexual history, telling her he would like to visit and “teach [her] everything."

On February 15, 2006, they had an online conversation regarding Zubiel's potential visit. They also spoke on the telephone because Zubiel wanted to make sure Marino was not a police officer. Again they discussed sexual topics, and Zubiel said, "I will show you the right way."

The final online conversation occurred two day later on February 17, 2006. Afterwards, Marino telephoned Zubiel (upon his request) and Zubiel said he would visit her the next day. Marino gave him an apartment complex address in Marshfield. The next day, Zubiel telephoned Marino for directions as he was entering Marshfield. Zubiel arrived, began walking toward the apartment building, and was arrested.

Following his arrest, Zubiel reportedly admitted the following: his "screen name" was "Ilikesports04,” he had conducted all of the online conversation with Marino, "it was a possibility that he would have sex with this girl if -- if, indeed, she was a real girl, and that the thought was there for him to have sex with this minor." Zubiel gave the police permission to seize his computer and a forensic examination revealed searches for Marshfield High School, directions to the apartment complex, the profile page of "Melissa QT 1995," the photographs that Marino and Zubiel sent to each other, as well as portions of the online conversations.

So why did the Massachusetts Supreme Judicial Court reverse the indictments? Because online electronically transmitted conversations are not explicitly included under the law’s definitions and the court wasn’t going to update the definitions for the Legislature. Under the law, there are four broad categories of criminally disseminated matter that are covered: 1) any handwritten or printed material; 2) any visual representation; 3) any live performance; and 4) any sound recording. The Court found none of these categories applied in the present case. In sum, this case comes down to a matter of words—words the Legislature should quickly correct.

The Court states, “If the Legislature wishes to include instant messaging or other electronically transmitted text in the definition of "[m]atter" […], it is for the Legislature, not the court, to do so.” A footnote indicates the Legislature considered amending the law in 2000 to include computer-generated writing, but it has not acted. The court’s tone here suggests that it’s time for the Legislature to take action. At least, I hope that is the message received.

The Legislature should enact enforceable child privacy protection laws quickly. Updated laws are necessary to combat the growing threats dangerously lurking online. Our advancing Information Age, with its evolving communication mediums, requires modern laws that protect children from online sexual predators. Until then, the existing outdated and technologically silent laws only serve to invite these same predators in, and not guard against them.

See Commonwealth vs. Matt H. Zubiel, Slip Opinion, SJC Docket No.: SJC-10454

Work Emails and Reasonable Expectations of Privacy - Is the Divide Ripening for the Supreme Court

Kevin Whitaker — Wed, 23 Dec 2009 09:29:42 -0500

As indicated by my prior posts, You've Got Email, But Is It Private At Work? and Is Einstein Reading Your Email for the Government?, the questions and arguments about privacy and email are heating up. A recent case in point covered by the ABA Journal in Martha Neal's article, Prosecutor’s E-Mail Sent to His Lawyer on a Work Account is Privileged, Court Says, presents an interesting case. Here Neal reports,

A federal prosecutor's e-mail to his own lawyer is privileged, even though he sent it from work on a government computer, a federal court has ruled.

As pointed out in the article, this is in contrast to similar cases and interpretations. A comparison of this case and the government's arguments reviewed in, Is Einstein Reading Your Email for the Government? shows how the divide in these matters is growing.

Attorney-client privilege is a fiercely guarded area of privacy and this case may present the opportunity for the Supreme Court to reaffirm the attorney-client privilege in the the context of email and the information age. Of course, if taken up, how they go about this could have far wider implications for privacy rights and email communications. If heard, would they focus on the rule (reasonable expectation of privacy) or rather focus on the exceptions or privileges. If examined, will they look at the totality of the circumstances and thus leave the law to be advanced case-by-case as the circumstances come before courts or could they take a more holistic approach that offers guidance in this uncertain arena. Time will tell, but the issue seems to be ripening with each "send" button pressed.

You've Got Email, But Is It Private At Work?

Kevin Whitaker — Mon, 30 Nov 2009 16:17:21 -0500

Not that long ago I blogged, Is Einstein Reading Your Email for the Government? The issue there was email and the government's argument about its right to read it. In short, they suggest you don't have a reasonable expectation of privacy in your email sent to (or read by) government employees. In sum, while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission, the government argues there are things they can do to eliminate a person's reasonable expectation of privacy and thus remove any of email's privacy protections. It stands to reason that if certain things and conduct implemented by the government can remove privacy protections, then why not employers, too?

A recent Wall Street Journal article, Some Courts Raise Bar on Reading Employee Email, Companies Face Tougher Tests to Justify Monitoring Workers' Personal Accounts; Rulings Hinge on 'Expectation of Privacy' was summarized by Debra Cassens Weiss in an ABA Journal post, May Employers Monitor Personal E-Mail? Cases Turn on Disclosure.

The articles and comments at each post raise good points. Some comments from Weiss' post touch upon, email retention policies and duties to preserve email as evidence, otherwise privileged communications (example, an email to your attorney), ownership or control of the computer, private vs. company email, and more.

Nonetheless, the takeaway lesson for employers sounds a lot like the government's arguments about Einstein 2.0, be very explicit in informing your employees about your monitoring activities and those employees don't have a reasonable expectation of privacy anymore. Thus, as an employer, if you don't have an email and electronics' communications policy, then it's time to consistently adopt, implement, and enforce one. While this is no guarantee that you are on safe ground in monitoring all email, it appears to be the direction things are heading. As for employees, you should know what monitoring is taking place at your work. Take the time to review the email and other company policies and to understand what each means. Also, think twice before sending that email with your resume attached from your office computer or before checking your personal email while at work or on a work computer. Stop, think, and remember--there's a good chance your boss, as well as big brother, may be watching what you send and what you read.

While this post discusses email, don't forget about blogs, comments, tweets on twitter, text messages, Instant Messages (IM), or others, too.

Predicting Medical Conditions with Data: Promising Model if Privacy is Protected

Kevin Whitaker — Thu, 01 Oct 2009 10:32:23 -0500

A tweet from @AbbieCitron brought me to the Medical News Today post Electronic Medical Records Could Help Predict Domestic Abuse. The article discusses forecasting patients' risks by using electronic medical records. Specifically, the article deals with domestic abuse screening or predictions.

Dr Ben Reis of the Children’s Hospital Informatics Program at the Harvard-MIT Division of Health Sciences and Technology, Children’s Hospital Boston; and Harvard Medical School, co-authored the study, Longitudinal histories as predictors of future diagnoses of domestic abuse: modelling study. The study concluded,

Commonly available longitudinal diagnostic data can be useful for predicting a patient’s future risk of receiving a diagnosis of abuse. This modelling approach could serve as the basis for an early warning system to help doctors identify high risk patients for further screening.

The study pointed out the emphasis would not be on diagnosing, but instead, identifying, high risk patients and suggest it might work as follows:

A patient’s longitudinal medical history accumulates over time inside an electronic health record system. Whenever new information is recorded for the patient, the intelligent histories model re-analyses the information accumulated to date to estimate the patient’s risk of receiving a future diagnosis of abuse. The patient’s physician is notified if the patient is at high risk of abuse. The physician uses the visualisation to quickly review the patient’s past diagnoses and identify important long term trends in the patient’s history. The risk estimate, together with the high level view of the patient’s diagnostic history, enables the physician to make a better informed decision about whether to proceed with further screening of the patient. In this way, the intelligent histories model could improve screening by helping physicians to identify high risk patients who might otherwise be missed.

The study notes the possibilities ahead and that,

vast quantities of longitudinal data accumulating in electronic health information systems present an untapped opportunity for improving medical screening and diagnosis.

While I agree the opportunities for using this information are impressive, the consequences of exposing peoples' personal medical privacy must also be factored into and protected against. Here, the study discussed the anonymous data collected and analyzed,

...longitudinal diagnostic histories of patients aged over 18 who had at least four years between their earliest and latest diagnoses recorded in an anonymised state-wide claims database covering six years of admissions to hospital, stays at hospitals for observation, and emergency department encounters. Some 561, 216 patients met the inclusion criteria, having a total of 16,785,977 diagnoses among them.

On the privacy front, as data collection and modeling uses increase, the risk of removing the anonymous element of the database increases. If patients are being tracked based on the time between visits or (geographic factors) and this becomes part of the model, then when does the data begin to point to a smaller subset of identifiable people?

In social networks, for instance, mathematical models are available that can lead to identifying an individual based on his or her network. The math applies despite the information being observed. For example, an article by Kun Liu and Evimaria Terzi, Toward Identity anonnmizton on graphs, (Abstract) states,

The proliferation of network data in various application domains has raised privacy concerns for the individuals involved. Recent studies show that simply removing the identities of the nodes before publishing the graph/social network data does not guarantee privacy. The structure of the graph itself, and in its basic form the degree of the nodes, can be revealing the identities of individuals.

Given the data involved in medical histories, diagnoses, and geographical variables, any future models would need to account for privacy concerns as well as the model's predictive usefulness. This isn't an impossibility, but simply a consideration in designing future tools. Our future may soon hold the opportunity for robust predictive modeling and DNA data to be coupled in useful ways. This type of endeavor, however, must be advanced in ways that protect individuals and their privacy rights. In addition, and as the study also suggests, I agree these tools must be used to assist us in evaluating risks, and not become an ends in themselves or be used to label individuals based solely on predictions.

Friend or Foe: Friending Your Bill Collector

Kevin Whitaker — Tue, 29 Sep 2009 12:08:14 -0500

An ABA Journal post by Martha Neil, Could Your New Facebook ‘Friend’ Be a Bill Collector? notes there is little regulation of collection practices on the Internet because current laws are focused on traditional technology.

As the number of consumers giving up landlines increases, and while the information age continues advancing, consumer protections will need to continue undergoing changes in order to keep up with the times. The Congressional Findings and Declaration of Purpose found in The Fair Debt Collections Practices Act (PDF) notes:

There is abundant evidence of the use of abusive, deceptive, and unfair debt collection practices by many debt collectors. Abusive debt collection practices contribute to the number of personal bankruptcies, to marital instability, to the loss of jobs, and to invasions of individual privacy.

In addition, Subsection (b) adds:

Existing laws and procedures for redressing these injuries are inadequate to protect consumers.

Interestingly, consumers are not the only ones who may be interested in reform. Forbes.com posted a letter from the President of a Debt Collection company who also believes reform is needed:

The Fair Debt Collection Practices Act (FDCPA) is over 30 years old and largely regulates communication pertaining to debt collecting. Keep in mind, when FDCPA was crafted over 30 years ago, answering machines were not even used, let alone faxing, e-mailing, texting, etc. ... The FDCPA is in desperate need of being updated

Without clear rules, debt collectors interested in collecting debts ethically will be disadvantaged against those who look to collect consumer debts any way they can, including through abusive tactics. This argument that debt collectors trying to follow the rules should not be prejudiced against those that are abusive is referenced in Subsection (e) of the FDCPA:

It is the purpose of this title to eliminate abusive debt collection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt collection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.

With benefits to both consumers and collection companies available by updating collection laws, this should be an area that is ripe for review and change.

Federal law does allow states to impose higher standards than those found in the FDCPA and it will be interesting to see whether legislative changes come from the states or federal government. If neither, then I'd keep an eye on unfair and deceptive trade practices claims, as well as others, to emerge in this area as courts wrestle with trying to fit today's tactics into yesterday's laws.

Is Einstein Reading Your Email for the Government?

Kevin Whitaker — Fri, 25 Sep 2009 02:17:14 -0500

Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. - Justice Louis Brandeis (1928)

A recent ABA Journal article on privacy law (Feds Can Monitor Personal E-Mail Sent Privately to Gov’t Workers, DOJ) began as follows:

You might think that a private-mail sent to another U.S. citizen's personal account isn't subject to government monitoring. But that assumption could be wrong if the recipient is a federal government employee.

Both recipients and senders have no reasonable expectation of privacy if an e-mail is opened by a federal employee logged into a work computer network, according to an Aug. 14 legal opinion from the U.S. Department of Justice that was released Friday.

The Memorandum (PDF file) begins,

Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws.

The Memorandum “briefly summarizes the current views of the Office of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection system.” The arguments presented are basically:

There is no "search" under the 4th Amendment;
If there is a "search", then it is reasonable; and
Federal laws trump any state laws.

The central premise of the Memorandum is this, while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission over the Internet, the deployment, testing, and use of EINSTEIN 2.0 technology complies with the Fourth Amendment where each agency participating in the program consistently adopts, implements, and enforces the model log-on banner or model computer-user agreements, or their substantial equivalents.

The government's position (which methinks goes too far) is summarized below.

No Search Under the 4th Amendment

The government argues there is no search for Fourth Amendment purposes because “the adoption, implementation, and enforcement of model log-on banners or model computer-user agreements eliminates federal employees’ reasonable expectation of privacy in their uses of Government-owned information systems…."

[Further]… individuals in the private sector who communicate directly with federal employees of agencies participating in the EINSTEIN 2.0 program through Government-owned information systems do not have a legitimate expectation of privacy in the content of those communications provided that model log-on banners or agreements are adopted and implemented by the agency.

… By clicking through the model log-on banner or agreeing to the terms of the model computer-user agreement, a federal employee gives ex ante permission to the Government to intercept, monitor, and search “any communications” and “any data” transiting or stored on a Government-owned information system for any “lawful purpose,” including the purpose of protecting federal computer systems against malicious network activity. Therefore, an individual who communicates with a federal employee who has agreed to permit the Government to intercept, monitor, and search any personal use of the employee’s Government-owned information systems has no Fourth Amendment right against the Government activity of protecting federal computer systems against malicious network activity, as the employee has consented to that activity.

The Memorandum goes on to say this applies even when the email was sent to the employee’s non-governmental or personal account. When the,

sender of an email to an employee’s personal, Web-based email account (such as Gmail or Hotmail) does not know of the recipient’s status as a federal employee or does not anticipate that the employee might read, on a federal Government system, an email sent to a personal email account at work or that the employee has agreed to Government monitoring of his communications on that system. A person communicating with another assumes the risk that the person has agreed to permit the Government to monitor the contents of that communication.

But if it is a "Search," then it's Reasonable anyway

The Memorandum argues, even if EINSTEIN 2.0 operations were to constitute a “search” under the Fourth Amendment, …those operations would be consistent with the Amendment’s “central requirement” that all searches be reasonable [because] the Government has a lawful, work-related purpose for the use of EINSTEIN 2.0’s intrusion-detection system that brings the EINSTEIN 2.0 program within the “special needs” exception to the Fourth Amendment’s warrant and probable cause requirements."

State Privacy Laws vs. The Supremacy Clause

The Memoradum’s final argument is the EINSTEIN 2.0 program does not run afoul of state wiretapping or communication privacy laws due to Supremacy clause.

To the extent that such laws purported to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and imposed requirements that exceeded those imposed by the federal statutes discussed above, they would “stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and be unenforceable under the Supremacy Clause.

What do you think? Do you buy the argument that if you send an email to a government employee's private gmail or yahoo account, then the government may have the right to read the email?

Preceding the last presidential election, Condoleezza Rice was apologizing to presidential candidates for government intrusions into their private passport records. President Obama, a candidate at the time, called for hearings on the matter. Watergate, Hoover, and McCarthyism should remind us as to what ends government intrusions into personal privacy can have. Deeper historic reflections illuminate this point even more. Benjamin Franklin, offered, "they who would give up an essential liberty for temporary security deserve neither liberty nor security." Of a more local flavor, Boston's Samuel Adams, stated:

Driven from every other corner of the earth, freedom of thought and the right of private judgment in matters of conscience, direct their course to this happy country as their last asylum.

Smile, We're All On Candid Camera

Kevin Whitaker — Mon, 24 Aug 2009 10:21:14 -0500

Ross Clark's book, The Road to Big Brother, One Man's Struggle Against the Surveillance Society, involves Clark's experience in avoiding CCTV cameras and surveillance efforts in England. PrivacyDigest's review of the book, states (in part):

Ross Clark lays bare the astonishing amount of personal data which is hoarded by the state and by commercial organizations, and asks whom should we fear most: the government agencies who are spying on us - or the criminals who seem to prosper in the swirling fog of excessive data-collection.

As a city councilor, I was surprised to see surveillance cameras recently installed on new sets of local traffic lights. I wondered, "Who decides where these go and who will have access? Why are they there?" "Why didn't I have to approve these?"

I realize there's a practical argument for the potential advantages, such as recording accident data, raising compliance with safe driving laws, and, of course, avoiding traffic. In fact, the Connecticut Department of Transportation site lets you view traffic camera images that are updated every five minutes. The Boston SmarTraveler site offers several views, too.

But are things like Google Earth, government surveillance, and private webcams streaming on the web taking us into unchartered territories? I was excited to use Google Earth to see where my wife lived in Spain or others' travels. I've been on guided tours from the comfort of our home and they were fun experiences. But is there a trade off for fun?

Where is all of this surveillance stuff going and what societal costs are associated with it. Are we, as people with privacy rights and elected representatives, having a say in this, or is it something that is just evolving on its own? Who benefits and who loses if we do nothing but react, or worse, don't react?

I'll admit my bias, I don't think the simple retort, "If you haven't done anything wrong, then you don't have anything to worry about" can apply when criminals begin using technology or online tools to watch you and your property and to aid them in committing crime. While not a surveillance issue (but an online one), I recently read a report that the incidence of rape in a community had increased by double-digit percentage-points allegedly due to online dating encounters. Might always-on surveillance issues be creating similar problems too, whether it's stalking or, I fear, worse. But crime is not my only objection to this development. On a theoretical level, do people still have the right to be left alone?

Doesn't constant tracking of people and their private lives reach beyond our reasonable expectations of privacy. Of course, should you actively place something into the public realm, that is one thing. I don't expect privacy on my blog posts, tweets on twitter, LinkedIn discussions, or Facebook postings; but should we expect some privacy in our comings and goings?

I discussed this in a NY case involving GPS surveillance of one's car. One of the arguments presented was, why not let the police use warrantless GPS when all it does it track what they could track themselves? But what if the GPS (now usually not allowed in NY) is no longer needed because anyone can be tracked almost anywhere at anytime, without GPS? While the movie, A Scanner Darkly, is a bit out there, does it touch on something that's not so far out there? I believe the movie takes place in a future "seven years from now" or something like that--an interesting choice.

While it's fun to visit the New England Aquarium from my computer and see a live stream of the giant ocean tank, do the people going by Boston University's Marsh Plaza realize they are being recorded and streamed live? What about the people living near a camera where the camera is interactive and users can zoom in and move the camera around to get a better look? Would you like to be a unknowing neighbor there? Seeing this in action (no, I won't post this link) makes me have second thoughts about having a skylight in the bathroom, at minimum.

In the Future of Reputation, Daniel Solove, writes,

Today data is gathered about us at every turn. Surveillance cameras are sprouting up everywhere. There are twenty-four-hour surveillance cameras in public linked to websites for anybody to view.

Solove points to EarthCam as an example, but many others exist. See this MA example on Earthcam or Opentopia to see other Massachusetts webcam offerings. Will we all soon work in workplaces (like this one) where your workspace seems to be streamed all day long (warning this one can make you dizzy on several fronts)? What about your home? Besides neighbors with streaming webcams, I've also noted accounts of others using streaming video to monitor telecommuters to ensure they are working.

Don't get me wrong. I'm a fan of technology and innovation. I think emerging and developing advances hold great promise on many fronts, especially in this information age. Innovation may make our lives more informed, perhaps easier, and arguably better. However, if individuals' rights are to be respected, law and policy discussions need to be occurring, not with just an eye toward today, but with an eye toward the future as well. As we've seen, the information age isn't slowing, and, yet, it appears the policy debates are already behind or being sidestepped by interested groups. Seven years from now, who knows... For now, however, remember to smile, because, to be candid, you're probably already on camera.

Massachusetts Privacy Law Stalled-Out Again and Weakening

Kevin Whitaker — Tue, 18 Aug 2009 23:45:55 -0500

In previous posts, I discussed the legislative amendment being kicked around that would weaken the MA data security law (M.G.L. 93H).

Well, it appears the legislative change may not be necessary as the latest and ungreatest regulatory scheme changes appear to do the hatchet job for them. Too bad. In short, it's not good news for Massachusetts consumers or their privacy rights as privacy rights seem, once again, to be taking a backseat to political influences.

The Official Website of the Office of Consumer Affairs & Business Regulation (OCABR) states:

BOSTON – Aug. 17, 2009 – ... The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

...

New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

The changes, Anthony said, make clear the regulations are risk-based in implementation, not just in enforcement as had been the case in earlier versions of the regulations. In addition, the regulations are technology neutral and acknowledge that technical feasibility plays a role in what many businesses, especially small businesses can do to protect data. The overall approach is more consistent with federal law, she said.
...
The Office of Consumer Affairs and Business Regulation today sent to the Secretary of State notice of public hearing on the changes. That hearing will be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.

For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 5 of 5

Kevin Whitaker — Wed, 05 Aug 2009 10:14:27 -0500

Massachusetts Senate Bill No. 173 (PDF file or see full text below) introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I've addressed a few of these in past posts.

After a short vacation, today I'll briefly be addressing the fourth proposed change, but more importantly the sum of all the proposed changes, because I fear they fail to protect consumers and their privacy rights, but instead seem very good at protecting certain business interest aided by powerful lobbying efforts

Briefly, under the fourth proposed change, employees could be terminated for willful violations of the law, regulations, or written information security plans.

While I'm not going to attack this language (although you can see the proverbial passing of the buck coming here), it make me ask, "As a group, did any of the four proposed changes help consumers while guarding individuals' privacy rights?"

Let's review a summary of the three changes I've previously discussed:

Businesses would not have to comply with any Massachusetts state regulations with stricter standards than federal law
Ensures OCABR is prevented from requiring specific technology or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to do so in regulations).
The law would not apply evenly, but would depend on the size of the business and require separate standards be promulgated for small businesses, thus implying a person's privacy rights matter less depending on who is allowing them to be infringed upon. This would also add more delay as more layers of regulations are adopted.

The answer to my earlier question, I'm afraid, is a resounding "No," none of the four four proposed changes help consumers while guarding individuals' privacy rights--thus the title of this series of posts, "An Act Ensuring Less Privacy of Massachusetts Resident's Data" which is a play on the proposed act's title "An Act Ensuring the Privacy of Certain Data."

As stated in other posts, privacy rights simply aren't being treated as rights held by individuals but rather as things or issues to be regulated. With economic considerations, lobbying, and political influence guiding the outcome, it appears that short-term economic arguments may continue trumping individuals' privacy concerns. In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights can't really exist, no matter what we call or title them.

The full text of Senate Bill 173, An Act Ensuring the Privacy of Certain Data, is below. Funny, I don't think this is available anywhere else on the web except in PDF. Why is that?

SECTION 1. Section 2 of Chapter 93H of the General 1 Laws, as appearing in the 2006 Official Edition, is hereby amended by striking out subsection (a) and inserting in place thereof the following:(a) The department of consumer affairs and business regulation may adopt regulations relative to any person or agency that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person or agency is regulated. The objectives of the regulations shall be to: insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The department shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

The regulations shall take into account the person’s size, scope and type 15 of business, the amount of resources available to such person, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. Notwithstanding the rules adopted by the department pursuant to the provisions above, said department shall create separate regulations for small businesses covered by this chapter that reflect said small businesses unique situation and resources.

Any person who is required to comply with federal laws, rules, regulations, guidance, or guidelines safeguarding personal information is deemed to be in compliance with this chapter.

SECTION 2. Section 6 of Chapter 93H of the General Laws is hereby amended by adding at the end thereof the following: A willful violation of this chapter or regulations implementing this chapter, or a written information security plan issued by a person covered by state or federal privacy laws shall provide just cause for the termination of an employee, whether the employee is employed by a private person, public agency or political subdivision of the state.

For more posts from this Series see:

If you are interested in tracking Senate Bill 173 or others, perhaps this resource from the University of Iowa law library may be helpful. Here are a few of the helpful offerings or resources available there.

Massachusetts Legislative History Guide
Guide to Tracing a Massachusetts Law
Senate Bills (2007 - present)
House Bills (2005 - present)
Bill Histories (2005 - present)
Senate Journals (1998 - present)
House Journals (2001 - present)

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part 4 of 5

Kevin Whitaker — Mon, 13 Jul 2009 10:48:05 -0500

Massachusetts Senate Bill No. 173 (PDF file) introduced earlier this year, would amend M.G.L. 93H (Massachusetts data protection law) and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority (as well as their data protection regulations) on a few fronts. I'm reviewing four of the proposed changes in separate posts. Today, I'll examine a proposed change which requires different strokes for different folks, or rather different legal standards for protecting people's personal data. The proposed change adds,

Notwithstanding the rules adopted by the department [OCABR] ..., said department shall create separate regulations for small businesses ... that reflect said small businesses unique situation and resources.

Thus, under this proposed change, the law would not apply evenly, but would depend on the size of the business and require separate standards be promulgated for small businesses. Perhaps it sounds reasonable when looked at from the perspective of protecting small businesses, but this change implies a person's privacy rights matter less depending on who is allowing them to be trampled upon. Should the law allow for different standards when it comes to individuals' rights or should the emphasis be on protecting the absolute rights held by individuals instead?

If your identity is stolen because a company you do business with collects your personal identifying information and negligently fails to protect it, do you care what size company they are or do you feel that perhaps the offending company shouldn't be held accountable because of their "unique situation and resources." Peoples' privacy rights shouldn't be protected a little bit--depending on who is violating them--they should be protected, period.

Recall, the first set of regulations have been delayed again and again--now more delays will likely be needed for new regulations to be adopted for small businesses. On November 12, 2008, the Office of Consumer Affairs and Business Regulation (OCABR) extended the deadline for compliance with its standards for how businesses protect and store consumers' personal information. On February 12, 2009, they filed revised ID theft regulations that would take effect, Jan. 1, 2010, stating in their press release,

The regulations will take effect Jan. 1, 2010, and mandate that personal information – a combination of a name along with a Social Security number, bank account number, or credit card number – be encrypted when stored on portable devices, or transmitted wirelessly or on public networks. Encryption of personal information on portable devices carrying identity data like laptops, PDAs and flash drives must also be completed by Jan. 1, 2010, and will ensure better protection of personal information.

“It is time for businesses and other holders of personal information to ensure that consumers’ information is kept safe,” said Daniel C. Crane, the Undersecretary of the Office of Consumer Affairs and Business Regulation. “These new safeguards are fundamental standards that will keep information safer and will help businesses reinforce a vital sense of trust with customers.”

The regulations are a product of the identity theft prevention law signed by Gov. Deval Patrick. In keeping with the administration’s commitment to protecting consumers, Patrick signed an executive order last September requiring all state agencies to implement security measures consistent with the requirements in the regulations.

Since November 2007, there have been over 450 reported cases of stolen or lost personal information that have affected nearly 700,000 Massachusetts residents. The regulations are the first of their kind in the country, and had originally been scheduled to take effect on Jan. 1, 2009. A sharp change in the business climate, along with the business community’s increased understanding of what is required to protect their customers’ identity, led to the new date.

“Businesses are becoming more aware of the urgency of this issue. To achieve the full benefit for consumers as quickly as possible, it’s worth making sure every business in the state has time to make the necessary changes to comply with these regulations,” Crane said. “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”

OCABR's approach has seemed and continues to seam reasonable. This proposed legislative change (requiring new standards for small businesses), by contrast, seems rather odd. As my last post discussed a proposed legislative change which would prevent OCABR from even requiring encryption or any other specific methods in its regulations. If the regulators can't require specific methods in their regulations, in what way will the small business standards be any different that the other regulations being watered-down?

Unfortunately, enacting changes that lead to further delay simply ignores the real problem of consumer privacy invasions occurring today and which will continue while the time consuming task of formulating new regulatory schemes unfolds. Perhaps this change, however, is more about the added timing element and the further delay required to adopt, advertise, and implement new regulations. Otherwise, it's perplexing, why would legislators pass a law in the first place and not even allow the adopted data protection regulations be implemented before tinkering with the enabling law?

Time, energy, and resources have already been expended to put a consumer data protection law in place. Why wouldn't the legislature first see how it goes before gutting it? Were the lawmakers unaware of what they were doing when they passed the law in the first place? Or have certain lobbying efforts made the difference in a law that hasn't even gotten out of the starting blocks?

Many legislators had the courage to pass a consumer protection law to help protect people from some of the perils of the information age we find ourselves living in. The law they passed will help to safeguard peoples' personal identities and to bring protective measures into the forefront of the entire business community nationwide. I hope our legislators have the conviction to stick to their guns and to let their efforts lead the way. While no legislation by itself will be a panacea against identity theft or other data protection woes, allowing an enforceable law to proceed as currently written and planned demonstrates political conviction as well as a commitment to Massachusetts consumers.

Other parts of this series:

An Act Ensuring Less Privacy of Massachusetts Resident's Data: Part 3 of 5

Kevin Whitaker — Thu, 09 Jul 2009 11:37:19 -0500

Massachusetts Senate Bill No. 173 (PDF file) introduced by Senator Michale W. Morrissey this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post. Today, I'll address a proposed change that involves encryption and specific technologies and adds the following language,

The department [OCABR] shall not in its regulations, however, require covered persons to use a specific technology or technologies, or a specific method or methods for protecting personal information.

To put this proposed change in the proper context, you must know OCABR's current regulations require data be encrypted. Unlike today, this proposed change would ensure OCABR is prevented from requiring specific technology or methods be employed. Thus, the proposed amendment effectively guts OCABR's encryption requirement (and its power to do so in regulations). Not only does this weaken the agency helping protect consumers' data, but it takes the bright lines out of the regulations and makes the revised law effectively fuzzy at best. In sum, the change leads to foreseeable ambiguity and real world enforcement problems.

Who does this change really protect?

An Act Ensuring Less Privacy of Massachusetts Resident's Data, Part 2 of 5

Kevin Whitaker — Wed, 01 Jul 2009 14:17:14 -0500

Massachusetts Senate Bill No. 173 (PDF file) introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post and today, I'll address the first proposed change.

If SB 173 is enacted, businesses would not have to comply with any state regulations with stricter standards than federal law. While businesses need to comply with federal law, this should not stop states from implementing higher standards to protect their residents. This suggested revision hurts individuals' privacy rights as compliance is limited to the lowest common denominator and doesn't aspire to improve safeguards beyond minimum standards.

While some commentators previously commended MA for leading the way on data privacy protections, this proposal brings us back, at best, to the status quo--a review of data breach news headlines demonstrates the status quo simply isn't working or protecting peoples' privacy. MA has a chance to take the lead in protecting individuals' privacy rights and punting isn't the best option.

In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights are at risk. I hope Massachusetts opts to lead the way on protecting privacy and doesn't adopt the proposed amendment.

The timing of this proposed amendment baffles me, why gut a law the state legislature passed that hasn't even been given a chance to work?

Next, I'll discuss the data encryption and data protection methods that are being stripped away under the proposed change.

An Act Ensuring Less Privacy of Massachusetts Residents' Data: Part One

Kevin Whitaker — Thu, 25 Jun 2009 16:45:05 -0500

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (MA Data Security Law) and effectively water down the law while reducing the Office of Consumer Affairs and Business Regulation's (OCABR) authority to protect Massachusetts consumers' privacy rights.

These proposed changes to the data protection law are a timely topic as the original MA law was passed following TJX's large-scale data breach. TJX has recently entered into a $9.75 million settlement with 41 states over their data breach. According to the Boston Herald in, TJX to pay states $9.75M in data breach settlement,

The $9.75 million settlement payment includes $2.5 million to establish a data security fund for the states and $1.75 million to cover the states’ investigations into the data breach. Massachusetts will receive more than $950,000 of that money.

The Herald reports, Attorney General Martha Coakley, who was a driving force for all states' involved, said in a statement

Protecting consumers’ personally-identifiable information is of paramount importance to prevent fraudulent use of credit and identity theft.

All retailers and companies that hold or use personally-identifiable information must employ data security systems that guard against the improper disclosure or use of that information. This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business.

The Identity Theft Assistance Center (ITAC) blog, in TJX Agrees to Pay $9.75 million to 41 States in Data Breach Case, states:

The company [TJX] also stated in an official news release that it “firmly believes it did not violate any consumer protection or data security laws.” However, California Attorney General Jerry Brown had a different POV [point of view] and cited the company’s 2004 internal audit, which found security vulnerabilities. ... "TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people..."

In the wake of the TJX settlement, under MA Attorney General Coakley's and other attorney generals' realized efforts, it's disappointing to see present attempts to water down the Massachusetts data protection law by state legislators. In coming posts I'll discuss four changes being proposed and how each fails to help consumers or protect individual privacy rights. Thus the title of this series, "An Act Ensuring Less Privacy of Massachusetts Resident's Data" which plays off of the proposed act's title "An Act ensuring the privacy of certain data."

City Says Job Applicants No Longer Asked To Provide Online Account User Names and Passwords

Kevin Whitaker — Wed, 24 Jun 2009 08:11:18 -0500

Paul McNamara at Buzzblog posts in Bozeman backs down on demanding passwords that the flood of complaints over Bozeman, Montana's policy of requesting online account names and passwords of potential hires has led to that practice being discontinued. I commented on his blog as it reminded me of the discussion I recently had with a Patriot Ledger's Reporter, Julie Onufrak. During a recent interview, we were discussing the limits of industry self-regulation when it comes to privacy rights and the need for laws that protect them. I don't think self-regulation works when it comes to peoples' rights and whether it's demonstrated by a Sears' settlement or Bozeman's practices, my point is that we need clear laws that protect individuals and their privacy rights.

Here are my comments on buzzblog about the Bozeman situation:

It's good to see the policy change go into effect, but there's always another issue to consider anytime a privacy invasion occurs. What happens to the data that was collected? Recently the FTC entered into an agreement with Sears that required they stop collecting private consumer data in a certain manner, but also that they destroy the data which had been collected that way. This gets even trickier, however, when government agencies are the ones collecting private data as there are Freedom of Information Act and other sunshine laws that can give citizens access to government records. While it's good to see a policy change in Bozeman, it would be even better to see legal standards in place that go beyond self-policing or self-regulation.

To me the unifying theme is one that keeps popping up in privacy issues, if individual privacy rights are not being treated as recognized rights which are held by an individual, then efforts to protect them will fail. In order to protect privacy, bright-line laws giving individuals the right to enforce those rights must to be enacted and not left for government enforcement, but provide private remedies as well. Unfortunately, I don't think government see it that way, FTC Provides Views on Behavioral Advertising to House Subcommittee. I think this is true in Washington and as recent legislative efforts indicate, here in Massachusetts, too--which I'll post about shortly.

Privacy Pollution and Does Privacy Matter?

Kevin Whitaker — Thu, 18 Jun 2009 23:52:00 -0500

Does privacy matter? I was recently reviewing excerpts from an earlier interview by International Association of Privacy Professionals with Bruce Schneier where he was asked, "Is privacy the new environmentalism?" Schneier's reply was prescient,

Yes, and data is the pollution problem of the Information Age. Think about it. All computer-mediated processes produce data. Unless dealt with, it stays around. And its after-effects can be pretty toxic. And, just as 100 years ago we ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. And, I believe, 100 years from now our great-grandchildren will look back at the decisions we made and wonder how we could have been so ignorant and short-sighted.

Anyone who's been on Facebook, reviewed the MySpace postings' cases, or "googled" a job applicant only to be stunned by what they found would have a hard time arguing against Schneier's assessment. But sometimes it's hard to see the forest through the trees, especially when the trees have surveillance cameras and are keeping track of almost everything you are doing.

In a forum post that caught my attention as I browsed my alert feeds tonight, one poster remarked, "Think about it:

If you drive to work and use an electronic toll pass it's recorded. All of your stops and even the speed you are going is recorded in a box within the car that can be admissible in court (i.e.; you don't own the data).
If you use a computer at work all your emails are recorded and probably the keys you type too.
If you're in a secure building your access is tracked and they take pictures too.
If you shop and use either a debit, credit or loyalty card your purchases are recorded.
Government buildings (and most commercial buildings and stores now) record your presence on cameras and may require ID before you are allowed to enter.
If you travel by train, plane or ship your travel is recorded.
If you buy drugs at your local pharmacy, it's recorded regardless of whether you use cash or not.
If you buy a house, car or anything that requires financing, it's recorded.
If you get a paycheck, bank or file a tax return it's recorded.
If you give marry, divorce, give birth or die, it's recorded.
If you are arrested or convicted it's recorded.
Does it not feel a bit like "The Truman Show" already?
Now they can aggregate all that information into one place and even produce predictability models on what your future behavior will be.
Does it matter?
Do you care if your [curious] employer, friends, neighbors or co-workers can pay to find out how much you make, how much you paid for your house, what your political affiliation is, if you're taking paxil or get all the gritty details of your unfortunate divorce or sexually transmitted disease?
Do you care if your partner can track your whereabouts?
Do you care if the government can track your whereabouts?
Do you care if the information is accurate?
Maybe it just does[n]'t matter?

The commenter's argument demonstrates it's easy to see protecting privacy rights is an uphill battle, but I'd argue privacy always has and continues to matter. Orwell's 1984, James Joyce in several works, today's movies such as Minority Report or Eagle Eye tap into our worse fears in abandoning privacy and giving up control over our private lives. While these works capture the mind and our attention when examining them, they don't, by themselves, move privacy into the realm of policy, law, and legal protections. This is one reason why I think a Privacy Law and Policy Blog matters, too (and why I've associated both law and policy in this blog's title.) This conversation about privacy isn't new one, however, but it's a conversation which needs to be occurring some place, especially given the speed and economic incentives that today favor weakening individual's privacy protections.

Schneier's environmental analogy is a good one. While the environmental fight is hardly over or been won, it's an example of a movement that has taken years of efforts by many to raise its level of awareness and to work its way into moral, policy, and legal discussions. While not comparing the two on any substantive level, privacy rights, like environmental rights, seems to have difficult forces working against it today much like the environmentalists have faced for years. At times it was obvious to see the frustration in Al Gore's efforts to bring the environment front and center, even on cases that just made sense. Privacy rights seem to be facing similar opposition and a misalignment with common sense.

For instance, do we really need laws that allow schools to prevent a parent from being contacted and then allow a school nurse and administrator to strip search a 13 year old honor roll student to see if she has any Ibuprofen in her bra or underwear? This is a recent case before the Supreme Court. During oral arguments on this case, some members of the Supreme Court seemed to dismiss this girl's notion of privacy right's altogether. If this is the state of affairs today, what's going to happen when social network sites, sexting, data breaches, international phishing, and other matters continue to arise. The courts aren't keeping pace with technology or with the way a younger society is living. In some ways it's ironic that an institution shrouded in privacy misses the public's interest in privacy. Recently in MA, a federal district court judge was told she can't allow a RIA hearing to be streamed live over the internet. The judge wanted to stream the hearing live, but was appealed and told "no."

Technology and the law are not strangers and, again, this debate isn't new, but the blistering pace and extent of changes in today's social communications seems far greater than those occurring before these times--but perhaps the principles being fought for aren't all that new.

On December 15, 1880 Warren and Brandeis published, The Right to Privacy, in the Harvard Law Review, and wrote

Of the desirability -- indeed of the necessity -- of some such [privacy] protection, there can, it is believed, be no doubt. The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle. The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury. Nor is the harm wrought by such invasions confined to the suffering of those who may be the subjects of journalistic or other enterprise. In this, as in other branches of commerce, the supply creates the demand. Each crop of unseemly gossip, thus harvested, becomes the seed of more, and, in direct proportion to its circulation, results in the lowering of social standards and of morality. Even gossip apparently harmless, when widely and persistently circulated, is potent for evil. It both belittles and perverts. It belittles by inverting the relative importance of things, thus dwarfing the thoughts and aspirations of a people. When personal gossip attains the dignity of print, and crowds the space available for matters of real interest to the community, what wonder that the ignorant and thoughtless mistake its relative importance. Easy of comprehension, appealing to that weak side of human nature which is never wholly cast down by the misfortunes and frailties of our neighbors, no one can be surprised that it usurps the place of interest in brains capable of other things. Triviality destroys at once robustness of thought and delicacy of feeling. No enthusiasm can flourish, no generous impulse can survive under its blighting influence.

...

It would doubtless be desirable that the privacy of the individual should receive the added protection of the criminal law, but for this, legislation would be required. Perhaps it would be deemed proper to bring the criminal liability for such publication within narrower limits; but that the community has an interest in preventing such invasions of privacy, sufficiently strong to justify the introduction of such a remedy, cannot be doubted. Still, the protection of society must come mainly through a recognition of the rights of the individual. Each man is responsible for his own acts and omissions only. If he condones what he reprobates, with a weapon at hand equal to his defence, he is responsible for the results. If he resists, public opinion will rally to his support. Has he then such a weapon? It is believed that the common law provides him with one, forged in the slow fire of the centuries, and to-day fitly tempered to his hand. The common law has always recognized a man's house as his castle, impregnable, often, even to his own officers engaged in the execution of its command. Shall the courts thus close the front entrance to constituted authority, and open wide the back door to idle or prurient curiosity?

I'll end this post (which started off with the intent of being short) with a short Benjamin Franklin quote,

They who would give up an essential liberty for temporary security, deserve neither liberty nor security.

Privacy Law and Policy Makes e-Justice's List of Top Privacy Blogs

Kevin Whitaker — Wed, 10 Jun 2009 09:46:14 -0500

Thank you to the folks at e-Justice Blog for including Privacy Law and Policy in their 50 Best Blogs for Privacy Nuts. It's an honor to be included and also to be among the top ten blogs in the Law and Policies category.

e-Justice covers issues from cyber-law to personal security and aims to promote a more pro-active and informed citizenry by tackling issues of justice that affect people's safety and well-being.

Sometimes Privacy Seems Like the Titanic

Kevin Whitaker — Thu, 04 Jun 2009 12:15:59 -0500

I recall a law professor telling me that when the Titanic sank it was lawful to not have enough lifeboats to hold the ships' occupants. I quickly checked on Wikipedia and it states,

The Titanic carried 20 lifeboats with a total capacity of 1,178 people. While not enough to hold all of the passengers and crew, the Titanic carried more boats than was required by the British Board of Trade Regulations. At the time, the number of lifeboats required was determined by a ship's gross register tonnage, rather than her human capacity.

Additional research indicates the Titanic had the potential to carry 48 lifeboats (as suggested by Alexander Carlisle) but cost-cutting resulted in only 20 being carried (albeit still more than the 16 required.) The NY Times headline on April 17, 1912 read, "LIFEBOATS FOR ALL NOT ORDERED BY LAW; Apparent Security of Modern Liners Kept Out-of-Date, Requirements in Force. The first paragraph states,

The disaster to the Titanic may bring about a change in the British Laws establishing the requirements in regard to appliances for the saving of life on modern liners, a development of marine architecture which was apparently not contemplated by those who framed the laws and amended them.

Sometimes privacy law seems like the Titanic to me. A U.S. District Court in the Northern District of California recently held the alleged risk of identity theft is enough to grant standing to an identity theft victim, but that the risk alone is not enough to survive summary judgment.

Joel Ruiz, the plaintiff, filed a complaint for negligence and other theories under California law because Ruiz was one of approximately 750,000 Gap job applicants whose personal information was stored on laptops owned by Vangent (a Gap vendor) which were stolen. In this lost-data case, the court found Ruiz had standing because of his increased risk of identity theft (due to the stolen personal data.) Winning the standing argument, however, proved to be an empty victory as the court found the threat of speculative harm was not enough to proceed under a cause of action for negligence.

While Ruiz has standing to sue based on his increased risk of future identity theft, this risk does not rise to the level of appreciable harm necessary to assert a negligence claim under California law.

While not binding on the court, the court surveyed several similar rulings that it found both persuasive and consistent with its decision:

[O]nline applicant whose personal information was compromised had standing to sue ... [but] this compromise of the applicant's personal information did not rise to the level of a compensable injury and damages required ... under Indiana law.
Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.
[N]o evidence that this plaintiff's data has been accessed or used by anyone as a result of the theft.
[M]ere possibility that personal information may be at increased risk does not constitute actual injury sufficient to maintain a claim for negligence.
[W]ithout direct evidence that the information was accessed or specific evidence of identity fraud this Court can not find the cost of obtaining . . . credit monitoring to amount to damages in a negligence claim.
[E]xpenditure of time and money monitoring their credit did not establish the essential element of damages.
[P]laintiff could not sustain a claim for negligence because he had experienced no instance of identity theft.

Is stolen property not valuable until it's shown someone else is using it to the owner's detriment? Or is it a real loss simply when it's taken, regardless of what the thief does with it? I don't agree that your privacy rights only matter when someone uses it to your proven detriment, to me, one's privacy rights are harmed when someone invades it and takes it, regardless of what they do with it. As long as convenience and commerce trump privacy, however, then privacy is unlikely to be taken seriously by the companies it's entrusted to.

While today much discussion and focus is being placed on notification and encryption legislation (and even these seem to be in retreat), at the end of the day, unless people have rights and laws with some real teeth, privacy will become a topic that gets into papers and perhaps gets you into court, but it's not likely to become a seriously protected or respected right. That is, unless real recovery and damages are allowed under privacy torts. While the government may find ways to collect fees or revenue for large-scale privacy transgressions, the public remains at a collective loss. As our modern travels have taken us from ships at sea and into the "cloud" of computing and data, must the Titanic of privacy rights sink before we protect against foreseeable harm? The NY Times article of 1912 referenced above stated the following which has an element of timelessness to it,

...there was no pretense of carrying enough lifeboats to save the lives of all if a vessel should go down. The only reason given for this lack of facilities is that the law does not demand it,...

Keylogging for Evidence

Kevin Whitaker — Tue, 19 May 2009 10:59:14 -0500

In my recent post, Encryption and the Right to Maybe Remain Silent, I discussed the government's efforts to obtain encrypted evidence on a laptop. The issue was whether an individual can be forced to decrypt incriminating information. While this area of law has many new questions, there's always more than one way to skin a cat.

Even in cases, where a encryption was not ordered, the government may have taken actions to find encryption keys through a keylogger (which records keystrokes) or other devices. Declan McCullagh discussed this in his 2007 cnet post, Feds use keylogger to thwart PGP, Hushmail -

A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar.