Table of Contents - Practising Law Institute

From PLI’s Course Handbook
Communications Law in the Digital Age 2009
#18947
4
PRIVACY PROTECTION, SAFETY AND
SECURITY
Jane E. Kirtley
University of Minnesota
The author gratefully acknowledges the invaluable
assistance of Cary Snyder, a University of Minnesota
law student and Silha Center research assistant, in the
preparation of this outline. We also utilized research
by Jacob Parsley, a University of Minnesota law
student, and Patrick File, a University of Minnesota
Ph.D. student, both Silha Center Fellows.
Table of Contents
I. DATA COLLECTION AND BEHAVIORAL ADVERTISING
A. Proposed Congressional Legislation
B. FTC on Self-Regulatory Behavioral Advertising Principles
C. Advertising Trade Groups Release Self-Regulatory Principles
D. European Regulators Aim to Protect Consumers, Retailers and Online Privacy
E. Maine Enacts Law to Restrict Marketing to Minors
F. Google Sees Up and Down Battle in AdWords Lawsuits
G. FTC Seeks to Monitor Blogs for Endorsements
II. IDENTITY THEFT AND DATA PROTECTION LAWS
A. ‘Red Flags Rule’ Set to Take Effect
B. Proposed Federal Legislation to Protect Personal Data, Require Notification
C. HIPAA Breach Notification Rule Issued
D. Supreme Court Requires a ‘Knowing Theft’ for Aggravated Sentence
E. Social Security Numbers Can Be Guessed
F. Massachusetts and Nevada Encryption Laws Could Become National Standard
G. Class Actions in ID Theft and Data Breach Cases
H. Hacking: Threats and Consequences
III. GOVERNMENT AND PRIVATE SECTOR SURVEILLANCE AND DATA MANAGEMENT
A. Unclassified Report on U.S. Wiretapping
B. Court Challenges to Wiretapping Program
C. Emerging Technology to Monitor Government Snooping
D. Google Street View Seen as Privacy Threat
E. RFIDs Can Be Tracked
F. Videos Lead to Accusations of Breaking Privacy Laws
G. Entrusting Google, Amazon With Personal, Public Records
H. Bloggers in Court
I. Advances in Phone Technology Bring Benefits, Risks
J. Redaction Methods May Not Serve Their Purpose
IV. DATA PRIVACY IN THE WORKPLACE AND ON CAMPUS
A. Requests for Passwords to Social Networking Sites
B. Be Wary of Writing Reviews on LinkedIn
C. Confusion and Abuses of FERPA
D. Split Develops in Application of Computer Fraud and Abuse Act
E. Limits to What Employers Can Know, Say About Employees
F. N.J. Law Would Prohibit Prosecuting Teens for “Sexting”
V. SOCIAL NETWORKING SITES: PRIVACY CONCERNS AND POTENTIAL PITFALLS OF USE
A. EU Regulators Recommend Stricter Rules
B. Canada Privacy Commissioner Warns Facebook To Tighten Privacy Controls
C. Reporters’ Use of Social Networking Sites
D. Sites Offer a Vehicle for Scams and Viruses
E. Court Cases Involving Social Networking Sites
F. Chinese Social Networking Sites Go Offline
When considering online privacy protection, safety, and security,
lawmakers and regulators struggle to keep pace with rapidly emerging
technologies that raise new challenges. Balancing traditional notions of
privacy and the First Amendment with technological advances is further
complicated by the need to consider any proposed oversight in light of
international regulatory developments. Any discussion of data privacy
and security must address comparable initiatives abroad, both as a means
to explore emerging regulatory ideas in this country and to understand
the rules that will govern entities such as Google and Facebook,
headquartered in the United States, but with users around the globe.
I. DATA COLLECTION AND BEHAVIORAL ADVERTISING
A. Proposed Congressional Legislation
House lawmakers have announced plans to develop national
privacy legislation designed to provide Internet users more control over
the information that is being collected about their online activity.1 Rep.
Rick Boucher (D-Va.), chairman of the House Internet subcommittee,
the entity leading the legislative effort, believes “consumers are entitled
to some baseline protections” from behavioral advertising.2 Toward this
end, a Senate committee and two House subcommittees have held
hearings to learn about the benefits, potential abuses, and privacy
concerns arising from Internet use.3 Representatives of Internet service
providers (ISPs), online advertisers and consumer groups are among
those who have provided insight on the current state of private sector
monitoring of Internet use. These individuals and groups have also
offered suggestions on what the proposed legislation should include.
The reality that consumers’ online activity can be tracked and fed
back to them as targeted advertisements raises privacy concerns, but
lawmakers have been urged to take into consideration the benefits
consumers, ISPs and online retailers receive from the technology,
particularly in a depressed economy. Boucher has tentatively proposed
some “baseline” measures. These include an easy-to-find privacy policy
alerting consumers to what information is collected about them, how it is
used, stored and whether it is sold to third parties, as well as the ability
to opt-out, or prevent parties from using the information.4
1. What is deep packet inspection, or DPI?
Deep packet inspection (DPI) is a developing technology that
enables ISPs to open every packet of information sent over the Internet,
read its entire contents and treat it differently based on what it includes.
This treatment could include adding advertising information, collecting
data about users or blocking the content altogether. A common analogy
used to describe DPI is to think of the United States Postal Service
starting a side business to open every letter, read its contents, and sell the
information inside without the consent of the sender or recipient.
Without the use of DPI, Internet service providers simply read the top
level of routing information as it passes through the network, similar to
how postal employees read the address on an envelope to ensure it
reaches its correct destination.5
1
Behavioral Advertising: Industry Practices and Consumers’ Expectations,
Before the House Subcomm. on Communications, Technology and the Internet
and House Subcomm. on Commerce, Trade and Consumer Protection, 111th
Cong. (June 18, 2009) (opening statement of Rep. Rick Boucher, chair of
House Internet Subcommittee).
2
Id.
3
The House Subcommittee on Communications, Technology and the Internet
held a hearing titled, “Communications Networks and Consumer Privacy:
Recent Developments,” on April 23, 2009. The same subcommittee also held a
joint hearing with the House Subcommittee on Commerce, Trade and
Consumer Protection titled, “Behavioral Advertising: Industry Practices and
Consumers’ Expectations,” on June 18, 2009. The House Internet
subcommittee held a hearing titled, “Broadband Providers and User Privacy”
on July 17, 2008. In the Senate, these hearings have been held: “Privacy
Implications of Online Advertising” before the S. Comm. on Commerce, Sci.
& Transp., 110th Cong. (July 9, 2008) and “Broadband Providers and
Consumer Privacy” before the S. Comm. on Commerce, Sci. & Transp., 110th
Cong. (Sept. 25, 2008).
4
Boucher, supra note 1.
5
Communications Networks and Consumer Privacy, (April 23, 2009)
(statement of Ben Scott, Policy Director, Free Press).
Aside from the privacy implications of DPI, some worry that the
technology will enable an ISP to block, or at least slow, the transmission
of content that does not help its bottom line finances while letting other
traffic take priority. “The thought that a network operator could track a
user’s every move on the Internet, record the details of every search and
read every e-mail or attached document is alarming,” Boucher said at the
outset of a subcommittee hearing on April 23, 2009, on recent
developments in consumer privacy. Consumers often do not know
information is being collected about them online, and if they do, they
often do not know who is collecting it or how it will be used. “In the
absence of legal rules, companies that are gathering this data will be free
to use it for whatever purpose they wish – the data for a targeted ad
today could become a detailed personal profile sold to a prospective
employer or government agency tomorrow,” said Marc Rotenberg,
executive director of the Electronic Privacy Information Center, a nonpartisan research organization.6
2. Opt-in or opt-out?
A contentious point as Congress drafts Internet privacy
legislation is whether to mandate an opt-in or opt-out policy. In general,
consumer groups favor a ban against the collection of data on
consumers’ online habits unless they explicitly agree to its collection,
while Internet companies generally favor opt-out policies.7 Anne Toth,
head of privacy for Yahoo! Inc., argued against drawing a bright line
between the two options. “The answer is that it’s not one or the other –
it’s both. Some services and models should require an opt-in approach,
while, for other models, an opt-out is a more appropriate default,” Toth
said. She contended that the decision between whether to use an opt-in
or opt-out approach for a particular service requires considering
“whether everything a user does online is collected through the service.”8
6
Communications Networks and Consumer Privacy, (April 23, 2009)
(statement of Marc Rotenberg, executive director of the Electronic Privacy
Information Center).
7
Amy Schatz, Lawmakers Blast Internet Data Collection, WALL ST. J., June
19, 2009, at B3.
3. Benefits of DPI
In addressing the privacy concerns raised by deep packet
inspection, Congress must also balance the benefits the technology
provides. These benefits go beyond the targeted advertisements that are
likely to increase revenues for advertisers and retailers. Kyle McSlarrow,
president and CEO of the National Cable and Telecommunications
Association, identified several pro-consumer purposes of the technology.
First, it can be used to detect viruses and prevent spam to guard against
invasions of subscribers’ home computers. Second, it can allow cable
operators to plan for network growth by anticipating the needs of their
subscribers. Third, it enables network operators to accurately respond to
requests from law enforcement to intercept communication. McSlarrow
also touted packet inspection as a tool in providing more choices and
controls as Internet technology evolves, such as advanced parental
controls over the streaming videos watched by children.9
4. Use of Behavioral Advertising
Companies that employ DPI for targeted advertising often stress
that the information intercepted is anonymous in nature and that they
only use a limited amount of the available data. “However, the privacy
concerns that arise from the use of DPI begin with the interception,
diversion, or copying of substantially all of the Internet traffic of all
subscribers. Just because ISPs or advertising networks may use only a
small portion of what is captured and do not retain other information
does not diminish the breadth and intrusiveness of the initial data
capture,” said Leslie Harris, president and CEO of the Center for
Democracy and Technology.10
8
Behavioral Advertising, (June 18, 2009) (statement of Anne Toth, Vice
President for Policy and Head of Privacy at Yahoo! Inc.).
9
Communications Networks and Consumer Privacy, (April 23, 2009)
(statement of Kyle McSlarrow, President and CEO, National Cable and
Telecommunications Association).
Internet companies take varying approaches to collecting and
using data for targeted advertising. Facebook claims its use of targeted
advertising enables the company to offer the social networking site free
of charge. Chris Kelly, Facebook’s privacy officer, explained to
lawmakers that Facebook uses information in individual profiles, such as
someone’s favorite movies, but that this is transmitted to third parties in
non-personally identifying form. For example, Kelly said users may see
an advertisement for a film screening based on what they list as their
favorite movies, but personally identifying information (name, e-mail
address and other contact information) will not be given to advertisers.
Kelly acknowledged the company may have previously been “inartful in
communicating with our users and the general public about our
advertising products,” but that “users should choose what information
they share with advertisers.”11
In March 2009, Google announced it would move toward
interest-based advertising in which advertisements would be shown to
consumers based on the Web pages they visit and the YouTube videos
they watch online. Users have the ability to view, add and remove the
categories (sports, travel, cooking, etc.) used to show them
interest-based ads when they visit Web sites. Users can also opt-out of
interest-based ads altogether.12 AT&T Inc. says it is committed to developing an
opt-in policy that will require affirmative, advance action by the
consumer before his online practices will be tracked for behavioral
advertising.13
10
Communications Networks and Consumer Privacy, (April 23, 2009)
(statement of Leslie Harris, President and CEO of the Center for Democracy
and Technology).
11
Behavioral Advertising, (June 18, 2009) (statement of Chris Kelly, Chief
Privacy Officer, Facebook).
12
Behavioral Advertising, (June 18, 2009) (statement of Nicole Wong, Deputy
General Counsel, Google Inc.).
13
Communications Networks and Consumer Privacy, (April 23, 2009)
(statement of Dorothy Atwood, Senior Vice President for Public Privacy and
Chief Privacy Officer at AT&T Inc.)
5. Safeguards in Place
Self-regulation may already prevent some abuses of DPI. “Good
privacy protection is also good business,” said McSlarrow, who added
that cable ISPs have used DPI legitimately “for many years now – and
for many good reasons.”14 Some specific uses of DPI may already be
prohibited under the federal Wiretap Act, 18 U.S.C. §§ 2510-2522, and
Cable Act, 47 U.S.C. § 553. However, the boundaries of the Wiretap Act
as it applies to DPI are not clear in all contexts. “Moreover, the Act was
last modified more than 20 years ago and has not kept pace with
technology. It simply does not provide sufficient protection to
consumers against DPI’s risks,” Harris said. She cautioned that there are
difficulties in providing adequate notice and consent between consumers
and Internet service providers, particularly in instances when more than
one person uses a single Internet connection.15
B. FTC on Self-Regulatory Behavioral Advertising Principles
On Feb. 12, 2009, the Federal Trade Commission released a
report proposing self-regulation guidelines for behavioral advertising.16
The guidelines center on four governing concepts. First, companies
should notify consumers they are collecting information for advertising
purposes and offer a choice about whether to allow the practice. Second,
companies should provide reasonable security measures to protect data
from falling into the wrong hands and should retain data only for so long
as needed for legitimate business or law enforcement needs. Third,
companies should obtain express consent from consumers before using
data in a manner that is different than originally promised. Fourth,
companies should also obtain express consent from consumers before
using sensitive data – such as information about children, health or
finances – for behavioral advertising.
14
Andrew Feinberg, Congress to Reexamine Consumer Privacy on Broadband
Networks, BROADBANDCENSUS.com, April 23, 2009.
15
Harris, supra note 10.
16
FTC Staff, Self-Regulatory Principles For Online Behavioral Advertising
(Feb. 12, 2009), available at
www.ftc.gov/os/2009/02/P085400behavadreport.pdf.
1. Details on Principles
In response to comments the FTC received after it released an
initial draft of proposed self-regulatory principles in December 2007,17
the Commission elaborated on the guidelines in its 2009 report. The
updated report proposes to apply the principles, including providing a
choice for consumers to consent to data collection, to both personally
identifiable information and non-personally identifiable information.
Therefore, the principles would apply to any data “that reasonably could
be associated with a particular consumer or with a particular computer or
device.” The principles do not apply to contextual advertising, or
advertising based on the content of a specific Web site rather than on
data collected on a user over time. An example of contextual advertising
is when a consumer is shown an advertisement for tennis rackets while
visiting a tennis-focused Web site.
2. Commissioners React
Two FTC commissioners have released statements detailing their
personal views about regulating behavioral advertising. Commissioner
Pamela Jones Harbour opposes a legislative approach to behavioral
advertising “at this time” because “there are still more questions than
answers” about the industry and “any legislation should be part of a
comprehensive policy agenda, rather than fostering the current
piecemeal approach to privacy.” Jones Harbour also advocated for more
Commission involvement because the results of self-regulation programs
were “mixed at best.”18 Commissioner Jon Leibowitz wrote separately to
make sure that the report’s “endorsement of self-regulation is viewed
neither as a regulatory retreat by the Agency nor an imprimatur for
current business practice.”19
17
FTC Staff, Online Behavioral Advertising: Moving the Discussion Forward
to Possible Self-Regulatory Principles (Dec. 20, 2007), available at
www.ftc.gov/os/2007/12/P859900stmt.pdf.
18
Concurring Statement of FTC Commissioner Pamela Jones Harbour
(February 2009), available at
www.ftc.gov/os/2009/02/P085400behavadharbour.pdf.
3. Consumers, Commission Keep a More Watchful Eye
In addition to issuing the guidelines, the FTC has allocated more
staff attorneys to monitor the behavioral advertising industry, said Peder
Magee, an attorney who oversees behavioral advertising issues with the
FTC’s Bureau of Consumer Protection. “If the industry ignores the
principles, they might not like the results,” Magee said.20
Consumers have started to take action when they suspect
companies go too far in monitoring their Internet usage to create targeted
advertisements. Internet subscribers filed separate class action lawsuits
in California federal court against the online advertising companies
NebuAd21 and Adzilla.22 The subscribers allege that the companies
violated their privacy and Internet security rights by monitoring the
content of their online activity without their consent in order to produce
targeted ads. Scott Kamber, the plaintiffs’ attorney in both cases, said
that as these “deceptive tactics” become more common in a slumping
economy, “it’s going to be harder for [companies] to explain to a judge
that this is appropriate.”23
19
Concurring Statement of FTC Commissioner Jon Leibowitz (February
2009), available at www.ftc.gov/os/2009/02/P085400behavadleibowitz.pdf.
20
Tresa Baldas, Everybody’s Getting on Case Against Bad Ads, The National
Law Journal, Aug. 19, 2009.
21
Valentine v. NebuAd, Inc., No. 3:08-cv-05113 (N.D. Calif. Nov. 10, 2008).
22
Simon v. Adzilla, Inc., No. C09-00879 (N.D. Calif. Feb. 27, 2009).
23
Baldas, supra note 20.
C. Advertising Trade Groups Release Self-Regulatory Principles
In an effort to ward off federal regulation,24 a consortium of
advertising trade groups on July 1 released its own guidelines for how its
members should use and collect data.25 The report defines online
behavioral advertising as “the collection of data online from a particular
computer or device regarding Web viewing behaviors over time and
across non-affiliate Web sites for the purpose of using such data to
predict user preferences or interests inferred from such Web viewing
behaviors.” The guidelines include seven governing principles:
education, transparency, consumer control, data security, material
changes, sensitive data and accountability.
These principles incorporate many of the self-regulatory
measures advanced by the FTC in its Feb. 12, 2009, report, and in some
cases go even further to protect consumer privacy. For example, the
principles lay out a generally defined means of enforcement by
instituting monitoring programs and requiring a way to collect
complaints from the public. “Programs will also, at a minimum, publicly
report instances of noncompliance and refer entities that do not correct
violations to the appropriate government agencies,” the report says. The
trade group report flatly prohibits the collection of information about
children, and requires consent to collect health and financial data.
Similar to the FTC report, the trade groups would require that
consumers be informed information is being collected about them and
require their consent to do so. However, it is unclear if the trade groups
go as far as the FTC wants by requiring consent to collect all data,
including personally identifiable and non-personally identifiable data.
The FTC welcomed the report as having “the potential to dramatically
advance the cause of consumer privacy,” FTC Commissioner Pamela
Jones Harbour said in a statement after the release of the report.26
The principles do not go as far as to require explicit approval of
all data collection. Stuart P. Ingis, a partner at Venable LLP, which
represents the trade groups, said such a measure would not be feasible.
“If you had that as a default, you would wind up undercutting
significantly the economic underpinnings for all the stuff the public
24
Stephanie Clifford, Industry Tightens Its Standards for Tracking Web
Surfers, N.Y. TIMES, July 1, 2009, at B4.
25
“Self Regulatory Principles for Online Behavioral Advertising,” available at
www.bbb.org/us/Storage/0/Shared Documents/online-ad-principles.pdf.
26
Clifford, supra note 24.
loves,” Ingis said. “The way, operationally, that would work is every
time a consumer’s doing their Web surfing, you’d be requiring them to
click through all these options. Consumers would hate that.”27
Marc Rotenberg, executive director of the Electronic Privacy
Information Center, called the principles “almost meaningless” and
predicted that Congress would pass legislation hemming in information
collection by advertisers. “There's very little appetite in Washington
today for self-regulation,” said Rotenberg. “People have no idea about
how much information is being collected about them online.”28
The groups hope to have the accountability programs in place by
the beginning of 2010, which would probably predate any federal
legislation. The principles were developed by the American Association
of Advertising Agencies, Association of National Advertisers, Council
of Better Business Bureaus, Direct Marketing Association, and
Interactive Advertising Bureau.
D. European Regulators Aim to Protect Consumers, Retailers and Online Privacy
1. Consumer Rights Directive
The European Commission launched a proposal in October 2008
for consumers’ rights throughout the European Union that would apply
to shopping both online and in person. The current EU rules on
consumer protection result from four EU directives.29 These contain
certain minimum requirements, but member states have added rules
through the years, making EU consumer contract laws a “patchwork” of
27 sets of differing rules enacted over the past 20 years.30 The proposed
27
Id.
28
Web Advertisers Propose Self-Regulation Principles, REUTERS, July 2, 2009,
www.reuters.com/article/internetNews/idUSTRE5610UE20090702.
29
The four European Union directives that constitute EU consumer protection
are: Council Directive 93/13/EEC on Unfair Contract Terms; Directive
1999/44/EC Sale for Consumer Goods and Associated Guarantees; Directive
97/7/EC Distance Selling; and Council Directive 85/577/EEC Doorstep
Selling.
Consumer Rights Directive seeks to combine these into a standard set of
rules governing contract terms, delivery obligations, a cooling off
period, and repairs or replacements for faulty products.31
The proposal must be approved by the European Parliament and
EU governments in the Council of Ministers before becoming law.32 In
July 2009, the UK’s House of Lords EU Committee publicly opposed
approving the directive.33 The committee questioned the two-year limit
on a trader’s responsibility for repairing or replacing faulty goods
because of a concern it could lead to the production of less durable
items. The Committee did not call for the proposal to be scrapped and
recognized the need to update EU consumer law. However, it pointed to
other factors, such as culture, language, the cost and distance of delivery,
as also playing a role in increasing cross-border trade.
2. Consumer Commissioner Wants Online Privacy Principles
European Commissioner for Consumer Affairs Meglena Kuneva
in March urged the development of policies to regulate online behavioral
advertising and safeguard consumer privacy. In her keynote address at
the first ever European Consumer Summit in Brussels, Kuneva said,
“The status quo is not an option. Currently, consumers have little
awareness of what data is being collected, how and when it is being
collected and what it is used for. And they are also not able to control
this process.”34 Kuneva touted Europe’s existing consumer policy
30
Press Release, European Comm’n, Consumers: Comm’n proposes EU-wide
rights for shoppers (Oct. 8, 2008) available at
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/1474.
31
European Commission, Proposal for a Directive of the European Parliament
and of the Council on Consumer Rights, is available at
http://ec.europa.eu/consumers/rights/docs/COMM_PDF_COM_2008_0614_F_EN_PROPOSITION_DE_DIRECTIVE.pdf.
32
Press Release, supra, note 30.
33
Press Release, United Kingdom Parliament, EU Consumer Rights Directive:
getting it right (July 15, 2009) available at
www.parliament.uk/parliamentary_committees/lords_press_notices/pn150709eub.cfm.
principles and said that the key question moving forward is how to
“apply these tested principles in [a] digital world.”
Kuneva urged the industry to develop self-regulating principles.
In doing so, she raised many of the concerns shared by the FTC and
members of Congress, including the inaccessibility of online privacy
policies and the lack of clear opt-out systems to prevent the collection of
online data. She called for more transparent privacy policies, meaningful
opt-in or opt-out options, and clear identification of commercially
sponsored messages. Kuneva also expressed concern for times when
beneficial targeted advertisements might turn into “pressure,” such as
when a person with high cholesterol views an online advertisement for
recommended treatment.
3. UK’s Office of Fair Trading to Examine Internet Advertising
On Aug. 19, 2009, the United Kingdom’s Office of Fair Trading
announced that it will study the impact on consumers of potentially
misleading advertising and pricing of goods and services, with an
emphasis on the Internet.35 The study may also look at how personal
information is gathered online for use in behavioral advertising. “The
way that businesses advertise and price goods and services constantly
evolves, and we need to keep up to date on how consumers view these
adverts, and the types of advertising and prices which may mislead,”
said Heather Clayton, senior director of the office’s Consumer Market
Group.36 The office was seeking input from consumer groups and
businesses through Sept. 18, 2009, to determine the precise scope of the
study.
34
Meglena Kuneva, European Commissioner for Consumer Affairs, Keynote
Speech at European Consumer Summit, Roundtable on Online Data Collection,
Targeting and Profiling (Mar. 31, 2009) (transcript available at
http://ec.europa.eu/commission_barroso/kuneva/speeches_en.htm).
35
Press Release, Office of Fair Trading, OFT Seeks Views Ahead of Study
Into Advertising and Pricing (Aug. 19, 2009), available at
http://www.oft.gov.uk/news/press/2009/103-09.
36
Id.
E. Maine Enacts Law to Restrict Marketing to Minors
Maine has enacted a law that places limits on the collection of
minors’ personal information and outlaws the use of such information
for marketing purposes.37 The Act to Prevent Predatory Marketing
Practices Against Minors was set to take effect on Sept. 1, 2009. Section
9552 of the law prohibits knowingly collecting or receiving
“health-related information or personal information for marketing purposes from
a minor without first obtaining verifiable parental consent.” Section
9553 prohibits using any “health-related information or personal
information regarding a minor for the purpose of marketing a product or
service to that minor.”
Harry A. Valetk, a New York City Internet safety and consumer
privacy attorney, believes ambiguities in the law pose some challenges.
For example, does the law prohibit any Maine resident under age 18
from receiving materials about college prep services or military
service?38 Also, although Facebook bars minors age 12 and younger
from using the site, it requires all users to agree to terms that consent to
Facebook collecting some of their personal information. The Maine law
could require Facebook to alter how it treats the personal information of
many of its teenage users.
The law authorizes the Maine Attorney General’s Office to
establish procedures for investigating alleged violations. A person about
whom information is unlawfully collected can seek an injunction
prohibiting the collection and recover damages up to $250 per violation.
Civil penalties may also be assessed.
37
Act To Prevent Predatory Marketing Practices Against Minors, Chapter 230
LD 1183 (2009), available at
http://www.mainelegislature.org/legis/bills/bills_124th/chappdfs/PUBLIC230.pdf.
38
Harry A. Valetk, Child Proofing Your Ads: New Maine Law Restricts
Marketing to Minors, Law.com, Aug. 4, 2009,
http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1202432718414.
F. Google Has Up and Down Battle in AdWords Lawsuits
Lawsuits against Google Inc. accusing the company of selling
trademarked keywords that affect the display of advertisements have
become more popular after an April 2009 court ruling, but Google has
stepped up its defense of the accusations. Known as AdWords suits after
the name of Google’s targeted advertising program, plaintiffs claim that
Google’s sale of trademarked keywords constitutes infringement
because Google users who search for a particular term could then be
shown competitors’ ads alongside results for the trademarked name.39
Google suffered a setback in April when the Second Circuit
reinstated Rescuecom Corp.’s AdWords case that a district court had
dismissed.40 Rescuecom alleged violations under §§ 32 and 43 of the
Lanham Act, 15 U.S.C. §§ 1114, 1125, for trademark infringement, false
designation of origin, and dilution of Rescuecom’s eponymous
trademark. The reversal inspired several more lawsuits, so that there
were at least seven pending AdWords cases as of early August.41
However, in response to a class action complaint filed by John Beck
Amazing Profits LLC in federal court in Texas seeking to represent all
trademark owners who have had their words sold,42 Google countersued,
seeking a declaration that its practices do not infringe on trademarks.43
Eric Goldman, a Santa Clara University School of Law professor
who follows the AdWords litigation on his Technology & Marketing
blog, said the plaintiffs face a difficult battle in proving trademark
infringement, including having to combat Google’s extensive financial
resources to defend the suits. In addition to the other elements of
infringement, Goldman said plaintiffs will have to show that consumers
were confused by the appearance of the ad next to a search term so that
they believed the two companies were connected.44 Google scored
39
Zusha Elinson, Google Rebounds in AdWords Lawsuits, THE RECORDER,
Aug. 4, 2009, http://www.law.com/jsp/PubArticle.jsp?id=1202432782096.
40
Rescuecom Corp. v. Google, Inc., 562 F.3d 123 (2nd Cir. 2009).
41
Eric Goldman, Technology & Marketing Law Blog,
http://blog.ericgoldman.org/archives/2009/08/google_goes_on.htm (Aug. 3,
2009, 15:51 EST).
42
John Beck Amazing Profits, LLC v. Google Inc., 2:2009cv00151 (E.D. Tex.
complaint filed May 14, 2009).
43
Google Inc. v. John Beck Amazing Profits, LLC, C09 03459 (N.D. Cal.
complaint filed July 27, 2009).
victories in July 2009 when Daniel Jurin45 and Ascentive,46 a software
company, dropped their AdWords suits.47
G. FTC Seeks to Monitor Blogs for Endorsements
The FTC has proposed guidelines that would enable the agency
to go after bloggers for false advertising when they fail to disclose
conflicts of interest, such as being paid or receiving a free product in
exchange for writing a review.48 The FTC is concerned that many
consumers may not realize that online authors of product reviews are
being compensated for their opinions. This knowledge could affect
a consumer’s decision to buy an item or how much credibility to give an
endorsement. “If you walk into a department store, you know the (sales)
clerk is a clerk,” said Rich Cleland, assistant director in the FTC’s
division of advertising practices. “Online, if you think that somebody is
providing you with independent advice and . . . they have an economic
motive for what they’re saying, that’s information a consumer should
know.”49
The FTC’s proposal to monitor blogs raises questions about what
constitutes an advertisement, the extent to which a reviewer must
disclose a relationship with a company, and how far the agency will go
to police online reviews and advertisements. Specific enforcement
measures were not included in a draft of the guidelines published in
November 2008. Some bloggers are concerned that even a casual
mention of a product could grab the agency’s attention. Cleland said that
the FTC would most likely rely on Internet users to judge what
constitutes fair disclosure in lieu of spelling out specific requirements.50
A final version of the guidelines could be approved by the end of 2009.
44
Elinson, supra note 39.
45
Jurin v. Google Inc., CV 09-03934 (C.D. Cal. complaint filed June 2, 2009).
46
Ascentive, LLC v. Google, Inc., 2:09-cv-02871-JS (E.D. Pa. complaint filed
June 25, 2009).
47
Elinson, supra note 39.
48
Guides Concerning the Use of Endorsements and Testimonials in
Advertising, 73 Fed. Reg. 72374-72395 (Nov. 28, 2008), available at
http://frwebgate5.access.gpo.gov/cgibin/PDFgate.cgi?WAISdocID=919604171022+1+2+0&WAISaction=retrieve.
49
Deborah Yao, Associated Press business reporter, FTC Plans to Monitor
Blogs for Claims, Payments, PANTAGRAPH.COM, June 22, 2009, available at
www.pantagraph.com/business/article_10e2022c-61d4-11de-bb81001cc4c002e0.html.
The guidelines would extend beyond basic reviews on blogs to
cover affiliate marketing, in which bloggers and other Web sites get a
commission when a user clicks on a link that leads to a purchase on a
retailer’s site. In addition, arrangements where advertisers pay users of
Twitter to post short items would also need to be disclosed.51
The FTC’s attempt to monitor the content of online reviews
contrasts with the media industry, in which newspapers and broadcasters
have traditionally self-policed their employees by prohibiting the
acceptance of free products in exchange for reviews. However, just as a
blogger needs to have used a product in order to write an informed
review, some blurring of this ethical line may be unavoidable, such as
when a film critic attends a free screening in advance of a movie’s
widespread release.
The New York Times took a firm stand in defense of objectivity
in August 2009, when the newspaper stripped economist and TV
personality Ben Stein of his Sunday business column. Stein also serves
as a pitchman for FreeScore.com, a credit monitoring company, and a
spokeswoman for the Times said it would not be appropriate for Stein to
pitch for the company while writing his column.52
50
Pradnya Joshi, When a Blogger Voices Approval, a Sponsor May Be Lurking,
N.Y. TIMES, July 13, 2009, at B1.
51
Yao, supra note 49.
52
Associated Press, Ben Stein Loses NY Times Column Over Endorsement,
N.Y. TIMES, Aug. 7, 2009.
II. IDENTITY THEFT AND DATA PROTECTION LAWS
A. ‘Red Flags Rule’ Set to Take Effect
The ‘Red Flags Rule’53 promulgated by the Federal Trade
Commission to combat identity theft was scheduled to take effect on
Nov. 1, 2009. The rule requires financial institutions and creditors to
develop written procedures on how to identify and react to relevant
warnings – or ‘red flags’ – of identity theft. In most cases, this means
tracking discrepancies between credit reports and information provided
by or about an individual. Originally set to take effect on Nov. 1, 2008,
the FTC delayed enforcement of the rule three times due to uncertainty
over what industries and entities were covered by the rule.54
53
Identity Theft Red Flags and Address Discrepancies Under the Fair and
Accurate Credit Transactions Act of 2003, 72 Fed. Reg. 63718, 63769-71
(Nov. 9, 2007) (FTC rules codified at 16 C.F.R. § 681.1).
54
Press Release, Federal Trade Commission, FTC Announces Expanded
Business Education Campaign on ‘Red Flags’ Rule (July 29, 2009), available
at www.ftc.gov/opa/2009/07/redflag.shtm.
1. Who Must Comply with the Rule?
The rule applies to “financial institutions” and “creditors” with
“covered accounts.” This includes entities that regularly permit deferred
payments for goods or services, including health care providers, some
retailers, colleges, and a wide range of businesses that invoice their
customers.
Certain law firms with individual clients, such as matrimonial
and trust and estate clients, that bill at the end of a period rather than
through an initial retainer, were scheduled to be covered by the rule.55 The
American Bar Association in July threatened to file a lawsuit seeking to
have lawyers exempted from the rule on the grounds that compliance
would be burdensome and establish a precedent for federal agencies to
set other requirements for lawyers.56 At the time of the threatened
litigation, the rule was set to take effect on Aug. 1, 2009. ABA President
H. Thomas Wells Jr. called the delay to November a “temporary
reprieve,” but said the ABA will continue to lobby Congress to
permanently exempt lawyers from the rule.57
a. Financial institutions
Under the rule, a financial institution is defined as a state or
national bank, a state or federal savings and loan association, a mutual
savings bank, a state or federal credit union, or any other entity that
holds a “transaction account” belonging to a customer. Most of these
institutions are regulated by the federal bank regulatory agencies and the
National Credit Union Administration (NCUA). A transaction account is
a deposit or other account from which the owner makes payments or
transfers.
55
Sylvia Hsieh, Warning: Identity theft ‘red flag’ rule enforcement delayed by
FTC, THE MINNESOTA LAWYER, May 11, 2009.
56
Posting of David Ingram to The BLT: The Blog of LegalTimes,
http://legaltimes.typepad.com/blt/2009/07/bar-association-plans-for-litigationover-ftc-rules.html (July 22, 2009, 15:10 EST).
57
Press Release, Statement of ABA President H. Thomas Wells Jr., Re: FTC
Announcement Regarding “Red Flags” Rule and Lawyers, July 29, 2009,
available at
www.abanet.org/abanet/media/statement/statement.cfm?releaseid=731.
b. Creditors
A creditor is any entity that regularly extends, renews, or
continues credit. Creditors include finance companies, automobile
dealers, mortgage brokers, utility companies and telecommunications
companies. If non-profit and government entities defer payment for
goods or services, they are also considered creditors. Accepting credit
cards as payment does not, by itself, make an entity a creditor.
c. Covered accounts
A covered account is an account used mostly for personal,
family, or household purposes, and that involves multiple payments or
transactions. These include credit card accounts, mortgage loans,
automobile loans, cell phone accounts, utility accounts, checking
accounts and savings accounts.
2. How to Comply with the Rule
The FTC says the rule was designed to be risk-based so that the
complexity of an entity’s program would be proportional to the
identity theft risk it encounters. The Commission suspects that most
high-risk entities, such as financial institutions, already take steps to
minimize losses due to fraud. It estimated nearly 270,000 high-risk
entities and 1.6 million low-risk entities will be subject to the rule.
According to the same estimates, high-risk entities can create and
implement a written program in 25 hours while those at low risk should
be able to develop a streamlined program in about an hour.58
To aid low-risk entities in the process, the FTC developed a
model six-page policy in PDF format. A template of the model policy is
available at www.ftc.gov/redflagsrule and by clicking on the “Create
Your Program” tab.59 A company must identify red flags, describe how
the flags will be detected, offer a planned response when flags are found
and describe how relevant staff will be trained to implement the
program. A board of directors or senior-level employee must approve
the program, which is required to be updated periodically.
58
72 Fed. Reg. at 63742.
Failure to comply with the rules can lead to civil penalties, such
as monetary sanctions and enforcement action by the FTC. However, the
FTC said it is unlikely to bring action against entities that “know their
customers or clients individually, or if they perform services in or
around their customers’ homes, or if they operate in sectors where
identity theft is rare and they have not themselves been the target of
identity theft.”60
B. Proposed Federal Legislation to Protect Personal Data, Require Notification
Two separate, but similar, data privacy bills were introduced in
2009 that seek to preempt the existing data breach notification laws in
45 states and the District of Columbia.61 Both bills propose requiring
entities that possess personal information and engage in interstate
commerce to institute various safeguards to protect the data and notify
individuals when a breach or a suspected breach has occurred. Both bills
would also give state attorneys general the authority to pursue civil
penalties for data breaches in certain instances. As of early August, it
appeared unlikely that either bill would be passed this year, at least in
their proposed form.
59
The FTC has created a guide for entities subject to the red flags rule.
“Fighting Fraud With The Red Flags Rule: A How-To Guide for Business” can
be found at www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf.
60
Press Release, Federal Trade Commission, FTC Announces Expanded
Business Education Campaign on ‘Red Flags’ Rule (July 29, 2009), available
at www.ftc.gov/opa/2009/07/redflag.shtm.
61
The National Conference of State Legislatures has compiled a list of the
existing state security breach notification laws. The list and links to the laws
are available at http://www.ncsl.org/default.aspx?tabid=13489.
1. Personal Privacy and Security Act
Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary
Committee, introduced the Personal Privacy and Security Act, S. 1490,
111th Cong. (2009), on July 22. Leahy introduced similar legislation that
was reported by the committee in the previous two Congressional
sessions.62 This casts doubt on whether this version will have enough
momentum to become law, particularly as House subcommittees
continue to gather information on deep packet inspection with an eye
toward enacting a comprehensive data security and Internet privacy law.
In addition to the national data breach notification provision, the
bill seeks to stiffen criminal penalties for identity theft by adding
intentional access of a computer without authorization to the definition
of racketeering under 18 U.S.C. § 1961(1) and requiring the U.S.
Sentencing Commission to revisit its sentencing guidelines for identity
theft crimes. The bill would give individuals access to any personal
information held by commercial data brokers and impose penalties on
government contractors who fail to meet data privacy and security
requirements.
2. Data Accountability and Trust Act
Rep. Bobby Rush (D-Ill.), chairman of the Subcommittee on
Commerce, Trade, and Consumer Protection, introduced the Data
Accountability and Trust Act, H.R. 2221, 111th Cong. (2009), on April
30. The bill is similar to the Personal Privacy and Security Act in its data
protection and security requirements for businesses or entities that
possess personal information. In addition, this version authorizes the
FTC to require a standard method for destroying obsolete non-electronic
data.
C. HIPAA Breach Notification Rule Issued
On Aug. 19, 2009, the U.S. Department of Health and Human
Services (HHS) issued new regulations that require entities covered by
the Health Insurance Portability and Accountability Act (HIPAA)63 to
notify individuals when their unsecured personal health information has
been breached.64 The regulations,65 which could go into effect as early as
Sept. 23, 2009, refine key concepts in a manner that limits the
notification obligations of covered entities.66 In cases where a breach
affects more than 500 individuals, the HHS Secretary and the media
must also be notified. Entities will report to the HHS Secretary breaches
that affect fewer than 500 individuals on an annual basis.67
62
See Personal Data Privacy and Security Act, S. 495, 110th Cong. (2007);
Personal Data Privacy and Security Act, S. 1789, 109th Cong. (2005).
In addition, HHS specified that covered entities that secure
health information through encryption or destruction are exempt from
the notification requirement if a breach does occur. This portion of the
regulations was developed in response to public comment received from
an April 2009 request68 and after HHS consulted with the FTC, which
has issued breach notification regulations that apply to vendors of
personal health records and other entities not covered by HIPAA.69 The
regulations include other exemptions. For example, the definition of a
breach is limited to instances where information is used or disclosed in a
manner inconsistent with HIPAA. If the access to information is
unauthorized, but use of the information does not violate HIPAA, it is
not considered a reportable breach.70
63
Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §§
1320d-1320d-8 (2006).
64
Press Release, U.S. Dept. of Health and Human Services, HHS Issues Rule
Requiring Individuals Be Notified of Breaches of Their Health Information
(Aug. 19, 2009), available at
http://www.hhs.gov/news/press/2009pres/08/20090819f.html.
65
The final interim rule regulations are available at
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/federalregisterbreachrfi.pdf.
66
Gina M. Kastel and Maureen M. Maly, HIPAA Security Breach Notification
Rule Refines Key Terms, Faegre & Benson, Aug. 20, 2009, available at
http://www.faegre.com/showarticle.aspx?Show=10116.
67
Id.
68
Guidance Specifying the Technologies and Methodologies That Render
Protected Health Information Unusable, Unreadable or Indecipherable to
Unauthorized Individuals for Purposes of the Breach Notification
Requirements Under Section 13402 of Title XIII (Health Information
Technology for Economic and Clinical Health Act) of the American Recovery
and Reinvestment Act of 2009, 74 Fed. Reg. 19,006 (April 27, 2009).
69
Press Release, U.S. Dept. of Health and Human Services, supra note 64.
The regulations preempt contrary state laws, but HHS noted this
only occurs when it is impossible to comply with both a state
notification law and the HIPAA notification regulations. The regulations
will become effective 30 days after publication in the Federal Register.
HHS has said that it will not impose sanctions for violations during the
first six months after the regulations take effect.71 Instead, HHS will
work with the covered entities to bring them into compliance.
D. Supreme Court Requires a ‘Knowing Theft’ for Aggravated Sentence
The Supreme Court on May 4 ruled unanimously that federal
prosecutors must prove a defendant knew a stolen identity belonged to
an actual person in order to secure a conviction for aggravated identity
theft.72 The Court rejected the government’s argument that it merely
needed to show an offender knew he used an identity other than his own.
The decision in Flores-Figueroa v. United States clarifies how the
Identity Theft Penalty Enforcement Act73 should be interpreted. The
statute imposes a mandatory consecutive two-year prison term upon
those convicted of certain crimes if, during the crime, the offender
“knowingly transfers, possesses, or uses, without lawful authority, a
means of identification of another person.” The law applies to such
predicate crimes as theft of government property, fraud and activities
related to passports, visas and immigration.
The defendant in the case, Ignacio Flores-Figueroa, is a Mexican
citizen who worked illegally at an Illinois steel plant. To gain
employment, Flores-Figueroa first used a false name and Social Security
number, one that did not belong to another person. He later wanted to
use his real name and gave his employer counterfeit Social Security and
alien registration cards bearing numbers assigned to real people.
Customs officials discovered the discrepancy and charged Flores-Figueroa
with entering the United States without inspection, 8 U.S.C. §
1325(a), and misusing immigration documents, 18 U.S.C. § 1546(a), in
addition to aggravated identity theft.
70
Kastel and Maly, supra note 66.
71
Id.
72
Flores-Figueroa v. United States, 129 S.Ct. 1886 (2009).
73
Identity Theft Penalty Enforcement Act, 18 U.S.C. § 1028A (2006).
In his majority opinion, Justice Stephen G. Breyer wrote that the
case should be decided by applying “ordinary English grammar” to the
text of the law, which applies “knowingly” to all of the elements of the
crime that follow.74 Interpreting the statute that way avoids subjecting
offenders to additional penalties for liability that turns on chance. Justice
Samuel A. Alito Jr., in his concurring opinion, considered a defendant
who chooses a Social Security number at random. “If it turns out that the
number belongs to a real person,” Alito wrote, “two years will be added
to the defendant’s sentence, but if the defendant is lucky and the number
does not belong to another person, the statute is not violated.”75
1. Effect of Decision
The ruling in Flores-Figueroa will probably be most
consequential in guiding the government’s strategy in combating illegal
immigration rather than prosecutions of traditional identity theft cases.
Breyer noted that proving intent is generally not difficult in such classic
identity theft cases as using a person’s identification information to gain
access to a bank account or “dumpster diving” to find discarded credit
card and bank statements.76 Now faced with a diminished threat of a
mandatory and consecutive two-year prison term, the government loses
the possibility of securing an aggravated felony conviction that often
leads to quicker deportations. This could result in fewer mass criminal
prosecutions against illegal workers following workplace enforcement
actions.77
The Obama administration previously announced plans to target
employers who knowingly hire workers who are in the country illegally
rather than arrest the workers for eventual deportation.78 In a sign of
furthering this strategy, U.S. Immigration and Customs Enforcement
(ICE) announced on July 1 that it issued notices of inspection to 652
businesses nationwide.79 ICE issued 503 similar notices during the entire
previous fiscal year. The notices alert business owners that ICE will be
inspecting their hiring records to determine whether or not they are
complying with employment eligibility and verification laws and
regulations.
74
Flores-Figueroa, 129 S.Ct. at 1890.
75
Id. at 1896.
76
Id. at 1893.
77
Peter R. Moyers, Butchering Statutes: The Postville Raid and the
Misinterpretation of Federal Criminal Law, 32 SEATTLE U. L. REV. 651, 708
(Spring 2009).
2. Proposed Legislation
The Employment Eligibility Verification and Anti-Identity Theft
Act would require an employer to take certain measures after receiving
official notice that an employee’s name and social security number do
not match Social Security Administration records.80 The bill, introduced
by Rep. Elton Gallegly (R-Calif.), proposes that once an employer
receives official notice about such a discrepancy, the employer has to
verify employment eligibility within three business days through a
system established by the Secretary of Homeland Security.
The ultimate responsibility to verify proper documentation would
fall on the worker, but the proposal requires an employer to terminate an
employee once a final notice of non-verification is received. An
employer could be found to violate the Immigration and Nationality Act,
8 U.S.C. § 1324a(a)(1)(A), for not dismissing the worker. The bill is cosponsored by nineteen Republicans.
E. Social Security Numbers Can Be Guessed
Researchers at Carnegie Mellon University concluded that it is
relatively easy to figure out the precise nine digits of a person’s Social
Security number. Many numbers can be accurately predicted by
knowing a person’s birth data, the researchers found in the study
published in the Proceedings of the National Academy of Sciences.81
78
David G. Savage, ID theft law limited in cases of illegal workers, CHI. TRIB.,
May 5, 2009, at C12.
79
Press Release, U.S. Immigration and Customs Enforcement, 652 businesses
nationwide served with audit notices today (July 1, 2009), available at
www.ice.gov/pi/nr/0907/090701washington.htm.
80
H.R. 137, 111th Cong. (2009).
Alessandro Acquisti and Ralph Gross relied on publicly available
information for their study, principally what is known as the “Death
Master File.” The file lists the SSNs, dates of birth and death, and the
states of application for all individuals whose deaths have been reported
to the Social Security Administration (SSA). Acquisti and Gross also
used data from social networking sites, where users often list their place
of birth and birth date in their profile.
Those born after 1988 – when the government altered its practice
and began issuing numbers at birth – are the most susceptible to having
their numbers discovered because of the method used to assign SSNs,
according to the study. Among people born from 1989 to 2003, the
researchers identified the first five SSN digits for 44 percent of
individuals on a single attempt. They got all nine digits correct for 8.5
percent of those people in fewer than 1,000 attempts.
Acquisti and Gross set out to exploit what is known about how
SSNs are assigned. The first three SSN digits are called its “area
number” and are assigned based on the zip code of the mailing address
provided on the application form. The next two digits are its “group
number,” which transitions slowly and often remains constant in a given
region over a number of years. As a result, applicants in the same state
born on consecutive days are likely to have the same first four or five
digits. The last four digits are its “serial number” and are assigned
sequentially.
The study found that the SSN assignment scheme discriminates
against younger individuals born in less populous states by exposing
them to a higher risk of identity theft. For example, the study accurately
predicted the first five digits of two percent of California records with
1980 birthdays, and 90 percent of Vermont records with 1995 birthdays.
81
Alessandro Acquisti and Ralph Gross, Predicting Social Security Numbers
From Public Data, 106 PROCEEDINGS OF THE NATIONAL ACADEMY OF
SCIENCES 10975-10980 (July 7, 2009).
1. Changes to SSNs
The identity theft risks SSNs now pose could not have been
foreseen when the system was devised in the 1930s, but measures to
further protect the numbers are in the works. For reasons unrelated to the
report, the SSA is in the process of developing a system to randomly
assign the numbers that it expects to be in place in 2010.82 Earlier this
year, Sen. Dianne Feinstein (D-Calif.) and Rep. Rodney Frelinghuysen
(R-N.J.) introduced legislation that would prohibit the display, sale, or
purchase of Social Security numbers without consent, and would bar
businesses from requiring people to provide their number.83
2. An Unsound Practice
The results of the Carnegie Mellon study may sound alarming,
but the SSA assures the public that any notion that the researchers exposed
“a code for predicting an SSN is a dramatic exaggeration.”84 Acquisti
and Gross acknowledge that being able to translate theoretical
predictions from a list of deceased into stealing identities of the living
hinges on a variety of factors. These include the availability of a targeted
person’s birth data and the possibility that a verification service may not
allow an attacker repeated attempts to match an SSN before shutting
down or prohibiting further attempts.
Real-world dangers still persist. Many businesses use SSNs as
passwords or for other forms of authentication, a practice that places
consumers at risk. This includes being asked to provide only the final
four digits, or serial number, since these digits are the most unique to an
individual. Both the SSA and the researchers advocate against using
SSNs as forms of identification beyond tracking a Social Security
account. “Everybody who works in this area knows the numbers are bad
passwords,” Acquisti said. “But they still are used that way.”85
82
Brian Krebs, SSNs Not All That Hard to Guess, Study Finds, WASH. POST,
July 7, 2009, at A2.
83
S. 141, 111th Cong. (2009); H.R. 122, 111th Cong. (2009).
84
Randolph E. Schmid, What’s Your Social Security Number? Researchers Say
It’s Surprisingly Easy to figure Out, CHI. TRIB., July 6, 2009.
85
Torsten Ove, CMU Study Finds Social Security IDs Easy to Predict,
PITTSBURGH POST-GAZETTE, July 7, 2009, at A1.
F. Massachusetts and Nevada Encryption Laws Could Become National Standard
Massachusetts and Nevada have taken the lead in mandating
safeguards for consumers’ personal information by requiring companies
that store or transmit personal information to encrypt the data.86 The
regulations formulated by the Massachusetts Office of Consumer Affairs
and Business Regulation under the state’s data protection law,
M.G.L. c. 93H, were intended to take effect Jan. 1, 2009, but
enforcement for most of the law has been extended until Jan. 1, 2010.87
A similar law in Nevada went into effect on Oct. 1, 2008,88 and was later
amended to closely align with the Massachusetts standard by requiring
encryption of information in data storage devices. These data protection
standards are scheduled to go into effect in Nevada on Jan. 1, 2010.89
Michigan and Washington have also considered similar legislation and
the list of states mulling a similar law will continue to grow.
Under both laws, “Personal information” is essentially a
combination of a person’s name and one or more of the following: social
security number, driver’s license number, credit or debit card account
number or another financial account number. “Personal information”
does not include what is lawfully obtained through publicly available
data.
86
Standards for the Protection of Personal Information of Residents of the
Commonwealth, 201 CMR 17.00, Massachusetts Office of Consumer Affairs
and Business Regulation.
87
Press Release, Massachusetts Office of Consumer Affairs and Business
Regulation (OCABR), Business Community Given Additional Time to
Comply with Identity Theft Prevention Regulations, (November 14, 2008).
88
Nev. Rev. Stat. § 597.790 (2008).
89
Nevada Senate Bill 227, which Nevada Gov. Jim Gibbons signed on May 29,
2009, is available at www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf.
1. Massachusetts Law
a. To Whom Does it Apply?
The regulations apply to all persons, businesses and legal entities
that “own, license, store or maintain personal information about a
resident of the Commonwealth.”
b. Encryption Standard
The regulations define encryption generally without referring to
a particular strength or technology, other than a form “in which meaning
cannot be assigned without the use of a confidential process or key.” The
regulations also require businesses that allow access to or share personal
information with third parties to take “reasonable steps” to make sure
those entities comply with the law.
The state plans to judge compliance on a case-by-case basis
according to the size of a business, its available resources, the amount of
data stored, and the need for confidentiality. State officials warned that
unless a business has its own in-house IT staff, it will probably need to
consult an outsider to determine if its computer system meets the
encryption requirements.90
c. Potential Penalties91
Failure to abide by the regulations could result in
enforcement actions by the state Attorney General and may expose a
business to damages in a private negligence claim or under another legal
theory.
90
Answers to frequently asked questions about the regulations are available at
www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf.
91
For an overview of state law enforcement of privacy and data protection
laws, see Martha Coakley, Office of the Attorney General of Massachusetts,
Privacy Protection, Safety and Security: A State Law Enforcement Perspective,
2 Communications Law in the Digital Age 2008, 121-41 (2008).
2. Nevada Law
a. To Whom Does it Apply?
The statute applies to data collectors who do business in the
state. A “data collector” means government agencies, colleges,
universities, corporations, financial institutions and retail operators.
b. Encryption Standard
Nevada law requires the use of encryption software “that has
been adopted by an established standards setting body,” such as the
National Institute of Standards and Technology. The law requires
technology that “renders such data indecipherable in the absence of
associated cryptographic keys necessary to enable decryption of such
data.”
c. Potential Penalties
Data collectors that comply with the law but suffer a security
breach would have their liability for damages capped at $1,000 per
customer for each occurrence. Companies that do not comply would face
unlimited civil penalties, according to James Earl, executive director of
the state’s task force for technological crimes.92
3. Ramifications across state lines
The two state laws will inevitably have an impact on businesses
and residents throughout the country and could soon lead to a de facto
national standard. The Massachusetts law applies to any entity that
stores personal information “about a resident of the Commonwealth,”
meaning all companies that have a national customer or employee base
must meet the requirements. The Nevada law applies to data collectors
“doing business in this State” so that the information of some residents
outside of Nevada is also protected.
Many businesses already have encryption requirements that
would meet or come close to meeting the new state laws. However,
many attorneys are advising clients to err on the side of caution and
address the encryption issue now rather than later. Doing so, they urge,
will not only expedite compliance with any future laws, but also help
ease fears of events such as stolen laptops that often lead to security
breaches.
92
Ben Worthen, New Data Privacy Laws Set For Firms, WALL ST. J., Oct. 16,
2008, at B1.
G. Class Actions in ID Theft and Data Breach Cases
1. Lost Laptops Lead to Lawsuits
a. VA Agrees to Compensate Veterans Who Were Put at Risk of Identity Theft
On Jan. 27, 2009, the U.S. Department of Veterans Affairs (VA)
agreed to pay $20 million to settle a class action lawsuit that alleged the
VA failed to adequately protect American military personnel from
identity theft.93 A laptop computer and external data storage device were
stolen from the home of a VA employee on May 3, 2006. The computer
and data storage device contained a copy of a collection of personal
information for about 26.5 million people, including active and retired
military veterans and their spouses. The plaintiffs, a group of veterans
advocacy groups, alleged that VA Secretary R. James Nicholson
unlawfully allowed the department to maintain a database of veterans’
personal information that was not related to claims for benefits.94
U.S. District Court Judge James Robertson preliminarily
approved the settlement on Feb. 11, 2009.95 According to its terms, all
veterans, their spouses and military personnel who suffered actual
damages as a result of the theft will receive a minimum of $75 and a
maximum of $1,500 on all valid claims. These claims include the costs
to protect or monitor personal financial information, expenses incurred
as a result of physical manifestations of severe emotional distress and
other reasonable expenses. Any remainder of the $20 million settlement
after the payout of valid claims and attorney fees will be paid to veterans
charities.
93 Vietnam Veterans of America, Inc. v. Nicholson, Settlement Agreement 43090205-111X (D.D.C. Jan. 27, 2009) (No. 06-0506).
94 Nicholson, Complaint No. 74-060623-002C (D.D.C. June 13, 2006).
95 Nicholson, Order Granting Motion for Preliminary Approval of Class Action Settlement (D.D.C. Feb. 11, 2009).
b. Starbucks Employee Files Suit After Personal Information Stolen
A Chicago-area Starbucks employee filed a class action lawsuit
against Starbucks after a laptop containing the personal information of
about 97,000 Starbucks employees was stolen on Oct. 29, 2008.96
In a security breach notification letter the Seattle-based coffee maker
sent to the Office of the Maryland Attorney General, Starbucks said it
concluded the laptop probably did contain personal information.97
Starbucks offered to pay for credit monitoring services for one year for
its employees whose personal information may be exposed as a result of
the theft, according to the letter.
The lawsuit filed by Laura Krottner on behalf of all Starbucks
employees whose personal information was contained in the stolen
laptop accuses the company of fraud and breach of contract for its
pledge to protect employees’ personal information. The suit asks that
Starbucks be ordered to pay for credit monitoring services for at least
five years and that Starbucks receive periodic compliance audits from an
outside company about the security of its computer systems. According
to the complaint, Starbucks in 2006 lost four laptops that contained the
personal information of 50,000 former and 10,000 then-current
employees.
c. Mere Risk of Identity Theft Not Enough to Support Claims
In Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009), a
federal judge dismissed claims of negligence and breach of contract
against a data owner and its service provider because the plaintiffs could
not show they were victimized beyond being exposed to an increased
risk of identity theft. Joel Ruiz filed the class action lawsuit on Nov. 13,
2007, against Gap, Inc. and its service provider, Vangent, Inc., after a
thief stole two laptop computers from Vangent containing unencrypted
Social Security numbers and other personal information of Ruiz and
about 750,000 other Gap job applicants.98
96 Krottner v. Starbucks Corp., Complaint No. C09-0216 (W.D. Wash. Feb. 19, 2009).
97 Starbucks sent the security breach notification letter to the Office of the Maryland Attorney General under MD. Com. Law § 14-3504(h), the state’s security breach notification law. A copy of the letter is available at http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU-162130.pdf.
On April 6, 2009, U.S. District Judge Samuel Conti found that
Ruiz had standing to bring his suit because the theft of the laptop
exposed him to an increased risk of identity theft. However, Conti
granted summary judgment to the defendants. On the negligence claim,
Conti noted that Gap had already agreed to pay for one year of credit
monitoring and that any potential risk not mitigated by that monitoring
did not amount to the sort of “appreciable harm necessary to assert a
negligence claim under California law.”99 On the breach of contract
claim, Conti found that “[b]ecause Ruiz has not been a victim of identity
theft, he can present no evidence of appreciable and actual damage as a
result of the theft of the two laptop computers.”100
2. ‘Truncation’ Requirement of FACTA
Many attempted class action lawsuits have been filed in federal
courts alleging “truncation” violations of the Fair Credit Reporting Act,
as amended by the Fair and Accurate Credit Transactions Act (FACTA),
15 U.S.C. § 1681c(g). The law aims to protect consumers against
identity theft by prohibiting businesses from printing more than the last
five digits of a credit or debit card or the card’s expiration date on an
electronic receipt. FACTA provides for civil damages between $100 and
$1,000 per violation and the possibility of punitive damages. Courts
have recognized individual claims to recover amounts within the
prescribed statutory range, but have issued mixed rulings on granting
class certifications in “truncation” cases where the potential punitive
awards could be disproportionate to the actual harm suffered by
customers.
98 Ruiz v. Gap, Inc., Complaint No. 43-071206-006C (N.D. Cal. Nov. 13, 2007). See also Posting of Hunton & Williams LLP to Privacy and Information Security Law Blog, http://www.huntonprivacyblog.com/2009/04/articles/identity-theft/data-breachidentity-theft-risk-insufficient-to-support-claims/ (Apr. 13, 2009).
99 Ruiz, 622 F. Supp. 2d at 914.
100 Id. at 917.
In Harris v. Best Buy Co., Inc., 254 F.R.D. 82, 90 (N.D. Ill.
2008), the court certified a class of at least 100 members on the basis
that “whether an award is unconstitutionally excessive is best decided
after the class is certified, so that the Court can evaluate the defendant’s
conduct and whether the defendant made an attempt to control its
exposure.” Similarly, in Brittingham v. Cerasimo, Inc., 621 F. Supp. 2d
646, 650 (N.D. Ind. 2009), the court reinstated a proposed class action
based on the merchant failing “to significantly limit the Plaintiffs’ risk of
identity theft” by printing more than five digits of their debit and card
numbers along with the expiration date on their receipts.
However, in Bateman v. American Multi-Cinema, 252 F.R.D.
647, 651 (C.D. Cal. 2008), the court declined to certify a class action
against a movie theater chain that printed eight digits on a credit card
receipt. The action sought potential damages between $29 million and
$290 million and the court was “not persuaded by Plaintiff’s argument
that an increased risk of identity theft, however slight, is sufficient to
constitute actual harm.” Similarly, in Leysoto v. Mama Mia I., Inc., 255
F.R.D. 693 (S.D. Fla. 2009), the court declined to certify a class action
that sought between $4.6 million and $46 million in damages against a
restaurant with $40,000 in net assets. The court reasoned that to certify
the class would give the plaintiffs the ability to “dangle the Sword of
Damocles over Defendant, without any showing of actual economic
harm.”101
3. Indiana Court Finds ID Theft Concerns Validate Driver’s License Policy
In Leone v. Commissioner, Indiana Bureau of Motor Vehicles,
906 N.E.2d 172 (Ind. App. 2009), the court found that the Indiana
Bureau of Motor Vehicles did not violate state law by requiring holders
of driver’s licenses and state identification cards to make sure their
names in the BMV’s database match those on file with the Social
Security Administration.
101 Leysoto v. Mama Mia I., Inc., 255 F.R.D. 693, 699 (S.D. Fla. 2009).
The Indiana BMV, like similar agencies in at least 45 other
states, has an agreement to verify its records with those of the SSA. In
matching Social Security numbers between the two systems, the BMV
found that the names of some license and card holders did not match
those on file with the SSA. The BMV sent notices to those with name
discrepancies placing the burden on them to correct the information or
risk invalidation of their driver’s license or ID card. The court noted that
discrepancies between the two systems often occurred because of legal
name changes, using a nickname with one agency and not the other, or a
name change due to marriage.
In denying a motion from a certified class seeking an injunction
to prohibit enforcement of the policy, the court wrote that while it agreed
a person is legally entitled to change his or her name, “it does not follow
that all others, including government agencies like the BMV, are
required to simply accept the word of the applicant that he is who he
claims to be.”102
The court did find that the policy violated the due process rights
of card and license holders because of uncertainties in whether a person
should correct their information with the BMV, SSA, or both agencies.
However, the court refused to grant the injunction because “the policy
effectively blocks a well-known avenue for identity theft by making it
much more difficult to appropriate another’s social security number in
order to obtain state identification.”103
4. ‘Undeveloped’ Maine Law Excuses Grocer From Liability for Data Theft
In In re: Hannaford Bros. Co. Customer Data Security Breach, 613
F. Supp. 2d 108 (D. Me. 2009), District Judge D. Brock Hornby applied
what he described as “still undeveloped” Maine law to find a grocery
store chain was not liable for the fraudulent charges to customers’ credit
and debit cards as a result of a third party stealing the customers’
electronic payment data from the chain. In his ruling to dismiss the
contract-related claims against a Maine-based supermarket chain,
Hornby wrote that state law only allows customers whose financial data
is stolen to recover against a merchant when the merchant’s negligence
caused the loss to the consumers’ account.
102 Leone v. Commissioner, Indiana Bureau of Motor Vehicles, 906 N.E.2d 172, 180 (Ind. App. 2009).
103 Leone, 906 N.E.2d at 182.
Hornby wrote that a reasonable jury could not find “an
unqualified guaranty of confidentiality by the merchant is ‘absolutely
essential’ to the contract for a sale of groceries” because there was no
reason to believe customers would stop using their cards in the absence of a 100
percent guaranty of data safety.104 However, Hornby allowed the one
plaintiff whose bank did not reimburse her for the fraudulent charges to
proceed against the grocer on claims of breach of implied contract,
negligence, and a deceptive act under Maine’s Unfair Trade Practices
Act, 5 M.R.S.A. §§ 205-214.
H. Hacking: Threats and Consequences
1. Hacker Can Be Sued for Fraud Under Securities Exchange Act
In Securities and Exchange Commission v. Dorozhko, No. 08-0201-cv, 2009 U.S. App. LEXIS 16057, 2009 WL 2169201 (2nd Cir.
July 22, 2009), the court ruled that a man accused of hacking into a
computer system to gain advance notice of a company’s quarterly
earnings could be sued for fraud under § 10(b) of the Securities
Exchange Act of 1934, 15 U.S.C. § 78j(b). The ruling eliminates the
burden on the SEC to show the alleged hacker violated a fiduciary duty,
which is a part of the generally accepted theories of insider trading.105
104 In re: Hannaford Bros. Co. Customer Data Security Breach, 613 F. Supp. 2d 108, 119 (D. Me. 2009).
105 Securities and Exchange Commission v. Dorozhko, No. 08-0201-cv, 2009 U.S. App. LEXIS 16057 *6 (2nd Cir. July 22, 2009).
In early October 2007, Oleksandr Dorozhko, a Ukrainian national
and resident, opened an online trading account and spent almost all of
his $42,500 investment on “put” options in IMS Health, Inc., which the
SEC says amounted to a risky bet that the stock price of IMS would
sharply decline. IMS had hired Thomson Financial Inc. for its Web-hosting services. The SEC alleges that on Oct. 17, 2007, hours before
the scheduled public release of IMS’s quarterly earnings, Dorozhko
hacked into Thomson’s computer system and that within six minutes of
Thomson receiving the report, Dorozhko sold all of his IMS options for
an overnight profit of $286,456.106
The decision reversed a district court decision that relied on three
Supreme Court cases107 in refusing to grant the SEC an injunction which
would have frozen Dorozhko’s assets from the sale. In his opinion,
Circuit Court Judge Jose A. Cabranes wrote that although breaching a
fiduciary duty satisfies the requirement of a “deceptive device” under §
10(b) of the Act, “what is sufficient is not always what is necessary, and
none of the Supreme Court opinions considered by the district court
require a fiduciary relationship as an element of an actionable securities
claim under § 10(b).”108 The case was remanded to determine “whether
the computer hacking in this case involved a fraudulent
misrepresentation that was ‘deceptive’ within the ordinary meaning of
Section 10(b).”109
106 Dorozhko, 2009 U.S. App. LEXIS 16057 *2-4.
107 See Chiarella v. United States, 445 U.S. 222 (1980); United States v. O’Hagan, 521 U.S. 642 (1997); SEC v. Zandford, 535 U.S. 813 (2002).
108 Dorozhko, 2009 U.S. App. LEXIS 16057 *18.
109 Id. at *25.
2. Former Secret Service Informant Indicted in ‘Largest’ ID Theft Case Ever
On Aug. 17, 2009, a man who authorities say formerly helped
the Secret Service hunt computer attackers, but also fed information to
criminals, was indicted in what the Department of Justice called the
largest reported data breach in U.S. history.110 According to the U.S.
Attorney’s Office in Newark, N.J., the indictment describes a scheme
between October 2006 and May 2008 in which more than 130 million
credit and debit card numbers along with account information were
stolen from Heartland Payment Systems, based in Princeton, N.J., 7-Eleven Inc., and Hannaford Bros. Co.111
Prosecutors say Albert Gonzalez, of Miami, Fla., acted with two
unnamed Russian conspirators to hack into the computer systems of the
corporate victims after conducting reconnaissance at various retail
locations. The scheme eventually reached a point where the trio
conducted “real-time interception” of credit and debit card data being
processed by the corporations.
The trio had a goal of selling the data to others who would use it
to make fraudulent purchases, but the success of this plan was not
known, according to prosecutors.112 Gonzalez was previously indicted in
New York and Massachusetts in 2008 for his involvement in
conspiracies relating to data breaches of multiple companies. He was
also arrested in 2003 in New Jersey for his role in ATM and debit card
fraud. Gonzalez was being held in the Metropolitan Detention Center in
Brooklyn, New York.113
110 Associated Press, Ex-Informant Charged With Even Bigger Data Theft This Time, CHI. TRIB., Aug. 18, 2009, available at http://www.chicagotribune.com/news/nationworld/la-na-hacker182009aug18,0,7514928.story.
111 Press Release, United States Department of Justice, U.S. Attorney, District of New Jersey, Three Men Indicted for Hacking into Five Corporate Entities, including Heartland, 7-Eleven, and Hannaford, With Over 130 Million Credit and Debit Card Numbers Stolen, Aug. 17, 2009, available at http://www.usdoj.gov/usao/nj/press/press/files/pdffiles/gonz0817%20rel.pdf.
112 Associated Press, supra note 110.
113 Press Release, United States Department of Justice, U.S. Attorney, District of New Jersey, supra note 111.
3. TechCrunch Stirs Ethical Debate By Publishing Hacked Documents
In July 2009, the technology Web site TechCrunch published
some of the “more than 300 confidential Twitter documents and
screenshots” that TechCrunch says it received via e-mail from a hacker
who swiped the information from Twitter.114 After combing through the
vast amount of information, TechCrunch published documents that
revealed, among other things, Twitter’s goal of becoming the first social
networking site to reach one billion users, a pitch for a Twitter-based TV
show, and plans for future revenue-producing models.115
Media ethicists and commentators debated whether TechCrunch
crossed an ethical line by publishing the stolen documents. Al Tompkins
of Poynter Online framed his concern in the context of a changed media
landscape that he feared could lead to an erosion of journalistic ethics. “I
worry that because we now have new competitive pressures from
nontraditional sources such as bloggers, Twitterers, etc., we will be
tempted to lower our standards and publish under the notion that
confidential documents ‘will get out there anyway,’” Tompkins wrote.116
TechCrunch founder Michael Arrington was forthright in
explaining the Web site’s decision. “We publish confidential
information almost every day on TechCrunch,” Arrington wrote. “This
is stuff that is also ‘stolen,’ usually leaked by an employee or someone
else close to the company, and the company is very much opposed to its
publication. In the past we’ve received comments that this is unethical.
And it certainly was unethical, or at least illegal or tortious, for the
person who gave us the information and violated confidentiality and/or
nondisclosure agreements. But on our end, it’s simply news.”117
Twitter said in its blog that the stolen documents did not reveal
“some big, secret plan for taking over the world,” but that the
publication “could jeopardize relationships with Twitter’s ongoing and
potential partners.” Twitter specified that the hacker retrieved the
company documents by accessing an employee’s e-mail account and not
by hacking into the Twitter server.118
114 Posting of Erik Schonfeld to TechCrunch, http://www.techcrunch.com/2009/07/16/twitters-internal-strategy-laid-bare-tobe-the-pulse-of-the-planet/ (July 16, 2009).
115 Id.
116 Al Tompkins, What TechCrunch’s Publication of Twitter Memos Means for Journalists, Poynter Online, July 17, 2009, http://www.poynter.org/column.asp?id=2&aid=166904.
117 Posting of Michael Arrington to TechCrunch, http://www.techcrunch.com/2009/07/15/our-reaction-to-your-reactions-on-thetwitter-confidential-documents-post/ (July 15, 2009).
4. Accused Hacker Loses Bid to Prevent Extradition from UK
An autistic man who a United States prosecutor said was charged
with “the biggest military computer hack of all time” lost his bid to
avoid extradition from the United Kingdom on charges dating back to
2002.119 The England and Wales High Court on July 31, 2009, ruled that
43-year-old Gary McKinnon should face extradition because that is “a
lawful and proportionate response to his offending,” according to the
ruling issued by Judge Stanley Burnton in the Queen’s Bench
Division.120 McKinnon’s family has tried to prevent his extradition by
arguing he has Asperger’s syndrome and that he could be a suicide risk
if sent to the United States.121 McKinnon’s lawyer, Karen Todner, said
she planned to appeal the decision.122
A federal grand jury in Virginia indicted McKinnon in 2002 on
seven counts of computer-related crimes in 14 crimes after he was
accused of breaking into 97 computers belonging to NASA, the
Department of Defense and several branches of the military soon after
the Sept. 11, 2001, terrorist attacks.123 The indictment alleged McKinnon
deleted critical system files and obtained classified information and
encrypted passwords from the computers. McKinnon claimed he was
searching for evidence of UFOs and his lawyers portray McKinnon as
an eccentric but harmless man who did not have any malicious intent.124
118 Twitter, Even More Open Than We Wanted, http://blog.twitter.com/2009/07/twitter-even-more-open-than-we-wanted.html (July 15, 2009, 11:15 EST).
119 Meera Selva, Associated Press writer, UK Court Rejects Hacker’s Bid to Avoid Extradition, July 31, 2009, available at http://www.ajc.com/news/nation-world/uk-court-rejects-105047.html.
120 McKinnon v. Sec. of State for Home Affairs, (2009) EWHC 2021 (Q.B.), available at http://www.bailii.org/ew/cases/EWHC/Admin/2009/2021.html.
121 Id.
122 Id.
123 United States v. McKinnon, Indictment (E.D. Va. November Term 2002), available at http://files.findlaw.com/docviewer/viewer_news.html#http://news.findlaw.com/hdocs/docs/cyberlaw/usmck1102vaind.pdf.
5. British Tabloid Embroiled in Phone Hacking Scandal
The British tabloid News of the World, published by a subsidiary
of media mogul Rupert Murdoch’s News Corporation, reportedly paid
about $1.6 million to quietly settle various lawsuits involving allegations
of phone-hacking by its reporters, according to a July 8 report by The
Guardian of London.125 Murdoch denies that the newspaper ever made
any settlement payments for alleged phone hacking, and critics and other
media outlets have suggested that The Guardian’s reporting amounts to
little more than media mud-slinging.126
The Guardian reported that News of the World’s publisher, News
Group Newspapers, attempted to settle the lawsuits to avoid revealing
evidence that News of the World journalists were repeatedly hiring
private investigators to illegally hack into the mobile phone messages of
numerous public figures, including cabinet ministers, members of
Parliament, actors and sports stars. The Guardian claimed to have
discovered the information by researching the 2006 criminal
investigations of News of the World reporters Clive Goodman and Glenn
Mulcaire for alleged phone hacking.
News Group Newspapers is a subsidiary of News International,
which is owned by Murdoch’s News Corporation.
The Guardian report cited a Metropolitan police source who said
that during the investigation of the reporters, officers found evidence of
News Group staff hiring private investigators to hack into “thousands”
of mobile phones, and “another source with direct knowledge of the
police findings” put the figure at “two or three thousand” different
phones. A subsequent New York Times report cautioned that The
Guardian report could not be independently verified, observing that it
cited unnamed police sources and no sources for its claim that News
International paid $1.6 million in damages and legal costs.127 But on July
21, Bloomberg News reported that News of the World editor Colin
Myler testified before a parliamentary committee that James Murdoch,
Rupert’s son, had authorized the payment of $1.1 million to settle a
claim against the newspaper.128
124 Selva, supra note 119.
125 Nick Davies, Murdoch Papers Paid £1m to Gag Phone-Hacking Victims, THE GUARDIAN, July 8, 2009, available at http://www.guardian.co.uk/media/2009/jul/08/murdoch-papers-phone-hacking.
126 Vidya Root and Robert Hutton, Murdoch Newspapers to Be Probed Over Hacking Claims, BLOOMBERG NEWS, July 9, 2009.
6. Apple Drops Legal Threat Against Web Site With iPhone Hacking Tips
Apple dropped its threat of a lawsuit against BluWiki, a Web site
that hosted discussions about how to use iPods and iPhones without the
company’s iTunes computer software.129 Apple said in a July 8 letter to
BluWiki’s attorneys at the Electronic Frontier Foundation (EFF) that it
would not pursue a lawsuit because it no longer uses the software code
that was mentioned on the Web site, therefore the code “is no longer of
any harm or benefit to anyone.”130 Apple had originally alleged that
BluWiki violated anti-circumvention measures of the Digital
Millennium Copyright Act, 17 U.S.C. § 1201.
EFF lawyer Fred von Lohmann believes Apple did not have a
credible claim under the statute. “Apple’s threats were clearly designed
to censor pure speech – there was no software there, there were no tools,
there were no hacking devices – this was just people talking,” he said.
“Apple was well beyond the statute when it made these threats, and
apparently they think so now too.”131 After Apple dropped its threat,
EFF and OdioWorks, the company that runs BluWiki, dropped their
lawsuit against Apple that sought a declaratory judgment vindicating the
free speech interests of BluWiki and its users.132
127 John F. Burns, New Inquiry Not Planned on Hacking By Tabloids, N.Y. TIMES, July 9, 2009, at A4.
128 Robert Hutton, James Murdoch Approved Payment to Phone Tap Victim, BLOOMBERG NEWS, July 21, 2009.
129 Zusha Elinson, Apple Drops Pursuit of Site With iPhone Hacking Tips, THE RECORDER, July 23, 2009, http://www.law.com/jsp/article.jsp?id=1202432469017.
130 Letter from Sadik Huseny to Fred von Lohmann, Re: Odioworks v. Apple, N.D. Cal. Case No. C 09-1818 (July 8, 2009), available at http://www.eff.org/files/filenode/odio_v_apple/apple_letter.pdf.
III. GOVERNMENT AND PRIVATE SECTOR SURVEILLANCE AND DATA MANAGEMENT
A. Unclassified Report on U.S. Wiretapping
A government review of the Bush administration’s wiretapping
program raised questions about its legality and found that its
effectiveness in fighting terrorism was unclear. Congress mandated the
report last year; it was produced by the inspectors general of five
federal agencies and released to the public on July 10, 2009.133
The report does not describe specific intelligence activities other
than to refer to the “Terrorist Surveillance Program.” The administration
acknowledged in December 2005 that this program included the
interception without a court order of some international communications
in which there was “a reasonable basis” to believe that at least one party
was a member of al-Qaida or its affiliates. The program was
implemented following the attacks of Sept. 11, 2001.
131 Elinson, supra note 129.
132 OdioWorks LLC v. Apple, Inc., Complaint, No. C 09-1818 (N.D. Cal. July 8, 2009).
133 Unclassified Report on the President’s Surveillance Program, Rep. No. 2009-0013-AS (July 10, 2009). The 38-page report is available online at www.fas.org/irp/eprint/psp.pdf.
The report was the result of about 200 interviews with
government and private sector personnel, most of whom were former or
current senior government officials. Many key figures in the surveillance
program – former Attorney General John Ashcroft, Central Intelligence
Agency director George Tenet and deputy assistant attorney general
John Yoo – either declined to be interviewed or did not respond to
interview requests.
1. Critical of Reauthorization Memos
The report criticized John Yoo, the deputy assistant attorney
general who was granted access to the surveillance program and wrote
what are known as “scary memos” that justified the administration in
reauthorizing the program every 45 days. Department of Justice (DOJ)
officials doubted the “factual and legal basis” for Yoo’s memos because
he incorrectly interpreted the Foreign Intelligence Surveillance Act of
1978 (FISA) as inapplicable to wartime operations, according to the
report. DOJ officials pointed out that Yoo failed to analyze a FISA
provision134 that allows the interception of electronic communications
for 15 days following a congressional declaration of war, meaning it is
possible Congress intended FISA to apply to wartime.
Yoo characterized FISA as providing a “safe harbor for
electronic surveillance” and maintained that the Fourth Amendment provides the
appropriate test for whether the government may carry out warrantless
electronic surveillance, the report said. Yoo responded to the
unclassified report in a July 16 op-ed in The Wall Street Journal in
which he labeled FISA “an obsolete law not written with live war with
an international terrorist organization in mind.”135 Yoo accused the five
inspectors general of “responding to the media-stoked politics of
recrimination, not consulting the long history of American presidents
who have lived up to their duty in times of crisis.”
134 See 50 U.S.C. § 1811.
135 John Yoo, Op-Ed., Why We Endorsed Warrantless Wiretaps, WALL ST. J., July 26, 2009.
Jay Bybee, Yoo’s boss at the time, told investigators he did not
know that Yoo had worked on the surveillance program, the report said.
Some senior DOJ officials criticized the unusual practice of having one
attorney write a memo for the program when the office traditionally has
multiple attorneys review all legal analysis the office issues. The DOJ
found that limiting the number of personnel who had direct knowledge
of the program created several problems, including preventing the DOJ
from “adequately reviewing the program’s legality during the earliest
phase of its operation.”
2. Varying Conclusions
The inspectors general reached varying conclusions on the
usefulness of the program. The DOJ concluded that while information
the program obtained “had value in some counterterrorism
investigations, it generally played a limited role in the F.B.I.’s overall
counterterrorism efforts.” The CIA considered it “a valuable
counterterrorism tool” while the National Security Agency found the
program’s value was in “the confidence it provided that someone was
looking at the seam between the foreign and domestic intelligence
domains.” The inspectors general of the Department of Defense and the
Office of the Director of National Intelligence also helped compile the
report.
3. Current Surveillance Authority
Congress restructured the federal surveillance law with the FISA
Amendments Act of 2008, 50 U.S.C. § 1804. The report said this
legislation gave the government “even broader authority to intercept
international communications” than did the original program. The report
said that the wiretapping program should have transferred to
Congressional authority earlier than 2008 “as the program became less a
temporary response to the September 11 attacks and more a permanent
surveillance program.”
B. Court Challenges to Wiretapping Program
1. Judge Dismisses Suits Against Telecommunications Companies
In the consolidated case In Re: National Security Agency
Telecommunications Records Litigation, MDL No.06-1791 VRW, 2009
U.S. Dist. LEXIS 48283 (N.D. Cal. June 3, 2009), Judge Vaughn R.
Walker dismissed lawsuits against telecommunications companies that
had accused them of improperly participating in the warrantless
wiretapping program launched after the Sept. 11, 2001 terrorist attacks.
Walker ruled that § 802(a) of the Foreign Intelligence Surveillance Act
(FISA) Amendments Act of 2008, 50 U.S.C. § 1885a, properly granted
immunity to the companies, or any individual, that assisted the
government in surveillance authorized by a court order or President
George W. Bush between Sept. 11, 2001, and Jan. 17, 2007. Former
Attorney General Michael Mukasey certified to the court that the claims
in the consolidated cases fell within at least one provision of § 802(a).136
Some of the plaintiffs appealed Walker’s order granting the
government’s motion to dismiss on behalf of the companies.137
The plaintiffs argued that by amending FISA to grant the
companies immunity, the government stripped them of any forum for
their dispute to be heard. However, Walker found that the plaintiffs can
still seek action against “governmental actors and entities who are, after
all, the primary actors in the alleged wiretapping activities.”138 Walker’s
ruling did not apply to a handful of cases and he scheduled a Sept. 1,
2009, hearing to listen to arguments from the Al-Haramain Islamic
Foundation, an Oregon non-profit corporation, about the merits of its
suit against the government over the warrantless wiretapping program.139
136 In Re: National Security Agency Telecommunications Records Litigation, MDL No.06-1791 VRW, 2009 U.S. Dist. LEXIS 48283, at *52-53 (N.D. Cal. June 3, 2009).
137 In Re: National Security Agency Telecommunications Records Litigation, MDL Docket No 06-1791 VRW, No C 07-2029, No C 06-5485 VRW, No C 06-5343 VRW, C 07-0464 VRW, 2009 U.S. Dist. LEXIS 62640 (N.D. Cal. July 20, 2009).
138 Id. at *61.
2. Judge Dismisses ACLU Lawsuit
The American Civil Liberties Union, journalists and human
rights groups such as Amnesty International argued in a 2008 lawsuit
that the FISA Amendments Act of 2008, 50 U.S.C. § 1881(a), is
unconstitutional because it permits “the executive branch sweeping and
virtually unregulated authority to monitor the international
communications – and in some cases the purely domestic
communications – of law-abiding U.S. citizens and residents.”140 The
FISA Amendments Act allows the government to seek approval from
the Foreign Intelligence Surveillance Court to gather intelligence
information from people reasonably believed to be located outside the
United States. The government defended the amendments as an “early
warning system” against possible terrorist attacks or strikes against U.S.
troops and said they “cannot be used to target U.S. persons or any
persons inside the United States.”141
On Aug. 20, 2009, Southern District of New York Judge John G.
Koeltl dismissed the lawsuit because he determined that the plaintiffs
lacked standing to attack the FISA Amendments Act as
unconstitutional.142 “The plaintiffs fear that their international
communications will be monitored under the [Act]. They make no claim
that their communications have yet been monitored, and they make no
allegation or showing that the surveillance of their communications has
139
In Re: National Security Agency Telecommunications Records Litigation,
MDL Docket No 06-1791 VRW, 2009 U.S. Dist. LEXIS 49139 (N.D. Cal.
June 5, 2009).
140
Amnesty International v. McConnell, No. 08 Civ. 6259 (S.D.N.Y. July 10,
2008).
141
Mark Hamblett, ACLU, Government Square Off Over Warrantless Wiretaps
Abroad, New York Law Journal, July 23, 2009, available at
http://www.law.com/jsp/article.jsp?id=1202432475095&hbxlogin=1.
142
Amnesty International v. McConnell, No. 08 Civ. 6259, 2009 U.S. Dist.
LEXIS 74008 (S.D.N.Y. Aug. 20, 2009).
been authorized or that the Government has sought approval for such
surveillance,” Koeltl wrote in his order dismissing the lawsuit.143 Koeltl
noted that the FISA Amendments Act itself “does not authorize
surveillance of the plaintiffs’ communications.”144
C. Emerging Technology to Monitor Government Snooping
The uncertainty of precisely what information government
intelligence agencies and law enforcement are legally allowed to collect
continues to bother some privacy advocates. “For example, right now it
is perfectly legal, without any question, for the government to collect
every telephone call, every e-mail, every communication in the world –
as long as it can claim credibly that some part of the communication
involves a person outside of the United States,” said Fred Cate, the
director of the Center for Applied Cybersecurity Research at Indiana
University.145
Palantir Technologies, a Silicon Valley company, claims it has
developed technology that tracks the personal information and
communications these entities collect so that it eliminates the problem of
choosing between fighting terrorism and protecting civil liberties. The
system works by tagging certain information “so the only people who
can see it are those who are allowed to see it, so it takes care of the
problem,” Palantir CEO Alex Karp told National Public Radio.146
As an example of how the technology can safeguard one’s
privacy, Palantir executives pointed to an incident in Massachusetts in
which law enforcement personnel searched for information on New
England Patriots quarterback Tom Brady 968 times, looking for such
things as his home address, driver’s license photo and whether he owned
143
Id. at *3.
144
Id. at *35.
145
A Tech Fix For Illegal Government Snooping (National Public Radio
broadcast July 13, 2009). A print version of this report is available at
www.npr.org/templates/story/story.php?storyId=106479613&sc=emaf.
146
Id.
a gun.147 Bob McGrew, director of engineering for Palantir, claims law
enforcement would not have been able to carry out the search
surreptitiously if they were using Palantir’s system because of its
privacy control. “When some of these officials were looking at Tom
Brady’s data, they would be leaving a trail. It is all captured in a log
that you don’t need to be a technical guy to understand,” McGrew told
NPR. “A compliance officer or a civil liberties group would be able to
see exactly who was looking at what information.”
The Federal Bureau of Investigation, Central Intelligence
Agency, Defense Department and New York Police Department have
started using Palantir’s technology to analyze their intelligence data,
according to the NPR report.
D. Google Street View Seen as Privacy Threat
Google Street View has raised privacy concerns, particularly in
Europe where Google has to navigate numerous data protection agencies
in countries that view privacy as a fundamental human right. Street
View has been criticized because of the danger that the offshoot of the
Internet search engine will post unflattering images of passersby or
facilitate crime by allowing would-be criminals an advance look at a
neighborhood. Introduced in May 2007, Street View is part of Google
Maps and permits users to see and navigate within 360-degree street
level images of a number of areas throughout the world, primarily in
densely populated areas. Google obtained the images by using drivers
who traversed the city streets in vehicles equipped with continuously
filming digital panoramic cameras.
1. Privacy Safeguards in Place
In order to safeguard privacy, Google blurs faces and license
plate numbers captured in the images and includes an option for those
who object to the content of an image to have it removed from Street
View. Once on the offending image within Street View, users
147
Andrea Estes and Peter Schworm, Police Prying Into Stars’ Data, BOSTON
GLOBE, May 6, 2009.
can click on the “Report a problem” link in the lower left portion of the
page. That takes users to a screen that asks for the nature of the concern.
Under the privacy category, users can request that images of their face
(or that of their children) be removed along with pictures of their homes
or automobiles. This includes images that have already been blurred.
Users can also request that pictures of faces and license plates be
blurred. The page includes space to describe the nature of the problem
and an image tool to focus on the specific part of the picture that is the
source of the complaint.
2. Street View in Europe
Street View has received the most scrutiny in Europe, where
Google has been temporarily banned from collecting images in some
countries or threatened with sanctions if it did not comply with privacy
laws. However, the criticism appears to be subsiding after Google
pledged to apply the same privacy protection standards in Europe that it
uses with Street View in the United States. In addition, Google has
coordinated with the Article 29 Working Party, which represents 27
European data protection authorities, to extend additional privacy
safeguards.
Those measures, according to Peter Fleischer, Google’s global
privacy counsel, include providing advance public notice about when
and where Google will be capturing images and taking steps to avoid
holding onto the “unblurred” original images any longer than is needed.
Fleischer explained in a blog post that Google is still perfecting its
technology to avoid “false positives,” or blurring portions of images that
pose no privacy threat, but that the company is committed “to determine
the shortest retention period that also allows for legitimate use under EU
laws.”148
The Information Commissioner’s Office, the main privacy
watchdog in the United Kingdom, concluded that Street View does not
violate the UK’s Data Protection Act of 2008 as long as Google blurs
faces and license plate numbers. David Evans, senior data protection
148
Posting of Peter Fleischer to Google’s European Public Policy Blog,
http://googlepolicyeurope.blogspot.com/2009/06/street-view-exploringeuropean-streets.html (June 12, 2009, 12:46 EST)
practice manager for ICO, likened the images used on Street View to
those of people walking past reporters on television, images taken
“without their consent, but perfectly legally.”149 Evans also said that “it
is not in the public interest to turn the digital clock back. In a world
where many people tweet, facebook and blog it is important to take a
common sense approach towards Street View and the relatively limited
privacy intrusion it may cause.”150
Google has had its share of run-ins with collecting Street View
images. In May 2009, the Data Protection Authority in Greece blocked
Google from capturing images in the country until it provided
clarification on its measures to protect privacy, including how long it
stores images.151 In Germany, the country’s highest ranking data official
threatened sanctions against Google if it did not alter its practices to
conform to German privacy laws, which prohibit the dissemination of
photos of people or their property without their consent.152 In response,
Google agreed to erase the raw images of faces, house numbers and
license plates after they have been processed.153
3. Street View in Canada
Google representatives had ongoing discussions with Canada’s
privacy commissioner and met with members of the House of Commons
ethics committee on June 17, 2009, to prepare for its anticipated launch
149
Press Release, Information Commissioner’s Office, Common Sense on
Street View Must Prevail, Says the ICO, April 23, 2009, available at
www.ico.gov.uk/upload/documents/pressreleases/2009/google_streetview_220409_v2.pdf
150
Id.
151
Derek Gatopoulos, Associated Press writer, Google’s Street View Halted in
Greece Over Privacy, Associated Press Financial Wire, May 13, 2009.
152
Kevin O’Brien, A German Bid To Stop Google in Its Tracking,
INTERNATIONAL HERALD TRIBUNE, May 20, 2009, at 17.
153
Associated Press Financial Wire, Google Cedes to German Demand to
Erase Data, June 17, 2009.
of Street View in the country.154 Google began collecting images in
major Canadian cities in 2007. At the time, Jennifer Stoddart, Canada’s
privacy commissioner, expressed concern that the application would
violate the Personal Information Protection and Electronic Documents
Act, which went into effect in 2004, if the images were clear enough that
individuals could be identified.155
In addition to Google’s standard policy of blurring faces, Google
also vowed to retain the original, unblurred images no longer than is
needed to adjust its software that recognizes and automatically blurs
sensitive components of images. Jacob Glick, Google Canada’s privacy
counsel, said he is confident that Street View was legally compliant and
that it would not launch otherwise. As of June 2009, Google was
collecting images in 32 Canadian towns. The company had yet to announce
a planned release date for Street View in Canada.156
4. Street View and Crime
Some people are concerned that Street View aids criminals,
particularly child predators, by making it easy to identify where children
live due to the presence of playground equipment or toys outside of a
home based on the online images. Others counter that this view is
baseless because it would be more efficient for a would-be criminal to
drive or travel through a specific neighborhood to find children since the
Internet is not needed to find homes, playgrounds or schools where
children play. The online images are also outdated the moment they are
taken.
Street View has been credited for helping lead police to arrest
twin brothers who were robbery suspects in the Netherlands.157 In
154
CBC News, Google Canada Vows to Purge Faces from its Street View
Data, June 17, 2009, available at
http://www.cbc.ca/technology/story/2009/06/17/tech-google-street-view.html.
155
The Canadian Press, Google Street View May Be Illegal, Sept. 12, 2007,
available at http://www.cbc.ca/canada/story/2007/09/11/streetviewcommissioner-privacy.html.
156
CBC News, supra note 154.
157
Associated Press Financial Wire, Thief View: Police Nab Twins Snapped on
Google, June 19, 2009.
September 2008, a 14-year-old boy told police that he had been robbed
of about $230 and his cell phone after two men dragged him off of his
bicycle in Groningen, about 110 miles north of Amsterdam. The boy
notified police again in March when he saw an image of himself and two
men he believed were his attackers on Street View. Police had to send a
formal request to Google for the original photo since the faces on Street
View were blurred. When police received the original photo, the robbery
squad recognized one of the twins and arrested both brothers.
5. Court Challenge
As of August 2009, one lawsuit had been filed in the United
States against Google’s Street View alleging that the publicly available
images constituted an invasion of privacy. In Boring v. Google, Inc., 598
F. Supp. 2d 695 (W.D. Pa. 2009), a magistrate judge dismissed claims
against Google of invasion of privacy, trespass, negligence and unjust
enrichment.
The plaintiffs, Aaron and Christine Boring, lived on a private
road north of Pittsburgh and they filed suit when they discovered photos
of their residence, outbuildings and swimming pool had been included
on Street View. The Borings argued that the road on which they live is
unpaved and clearly marked with “Private Road” and “No Trespassing”
signs. The couple alleged Google invaded their privacy by taking the
photos from their driveway at a point past the signs and then making the
photos available to the public.
The court examined the invasion of privacy claim on grounds of
intrusion upon seclusion and publicity given to private life. The court
found the plaintiffs did not meet the stringent standard under
Pennsylvania law of showing that the intrusion was highly offensive and
could be expected to cause “mental suffering, shame, or humiliation to a
person of ordinary sensibilities.”158 The Borings did not dispute that they
failed to use the available option to have the photos of their property
removed from “Street View.” The court noted that the couple had done
nothing to restrict access to the images, such as filing the lawsuit under
seal. Instead, the suit generated publicity that resulted in even wider
158
Boring v. Google, Inc., 598 F. Supp. 2d 695, 699-700 (W.D. Pa. 2009).
dissemination of the Borings’ names and location, leading to republication of the Street View images. The opinion mentioned that
courts are not frequently asked to consider invasion of privacy claims
based on virtual mapping.
E. RFIDs Can Be Tracked
Some privacy groups fear that the growth of government-issued IDs embedded with radio frequency identification, or RFID tags,
could allow the movements of people to be tracked without their
knowledge. RFID technology uses radio waves to identify people or
objects by reading information contained in a wireless device or “tag”
from a distance without making any physical contact or requiring a line
of sight.
Government officials assert that the tags will help speed border
crossings, protect against counterfeiters and keep terrorists out of the
country. However, there is a danger that the unique serial number in
each tag could be intercepted while being transmitted. In February 2009,
Chris Paget, a self-described “ethical hacker,” used a Motorola reader he
bought on eBay to scan the unique serial numbers of several people
while driving through San Francisco. “It really does facilitate very wide
scale and very long range tracking of people,” Paget said of the RFID
tags in a video of his tracking activity that appeared on YouTube.159
There is some doubt as to the extent of the privacy threat posed
by the RFID tags. The Department of Homeland Security (DHS) says
RFID-enabled documents can be accurately read by authorized readers
from up to 30 feet away, but there have been reports of a transmission
between an e-passport and a legitimate reader being intercepted from up
to 160 feet.160 DHS acknowledges the potential risk in using the
technology. Neville Pattinson, who serves on DHS’s Data Privacy and
159
A video of Chris Paget using RFID tags to track identities is available at
www.youtube.com/watch?v=9isKnDiJNPk&feature=related (last viewed on
July 23, 2009).
160
Todd Lewan, Associated Press, Chips in Official IDs Raise Privacy Fears,
WASH. POST, July 12, 2009.
Integrity Advisory Committee, said that once a tag number is
intercepted, “it is relatively easy to directly associate it with an
individual. If this is done, then it is possible to make an entire set of
movements posing as somebody else without that person’s
knowledge.”161
1. RFID Tags Rise in Use
On June 1, 2009, it became mandatory for all United States
citizens entering the country by land or sea from Canada, Mexico,
Bermuda and the Caribbean to present documents embedded with RFID
tags, although conventional passports remain valid until they expire.162
This requirement is part of the Western Hemisphere Travel Initiative,
which Congress passed into law in the Intelligence Reform and
Terrorism Prevention Act of 2004 on the recommendation of the 9/11
Commission. DHS has encouraged states to begin using “enhanced”
driver’s licenses which are also embedded with RFID tags. These
licenses are already being issued in the border states of Michigan, New
York, Vermont and Washington.163
2. States Respond to RFID Tags
Some states have passed legislation that outlaws the
unauthorized reading of an RFID document. In California, someone
caught reading or attempting to read an RFID tag without that person’s
knowledge faces up to one year in prison or a $1,500 fine.164 The
California law contains exemptions in certain circumstances, such as for
health care professionals to identify a patient in an emergency or for law
enforcement at the scene of an accident. The law also does not apply to
161
Id.
162
For a description of the Western Hemisphere Travel Initiative regulations,
see the U.S. Dept. of State Web site at:
http://travel.state.gov/travel/cbpmc/cbpmc_2223.html
163
See Enhanced Driver’s Licenses: What Are They?, U.S. Dept. of Homeland
Security Web site,
www.dhs.gov/xtrvlsec/crossingborders/gc_1197575704846.shtm
164
CAL. CIVIL CODE § 1798.79 (2009)
the unintentional reading of an RFID tag unless the identity is later used
or disclosed to another party. Nevada and Washington have also passed
similar laws.165
F. Videos Lead to Accusations of Breaking Privacy Laws
1. ESPN Reporter Filmed in the Nude
ESPN reporter Erin Andrews was secretly videotaped in the nude
while she was alone in a hotel room and the video was posted online in
July. An attorney for Andrews, a mainstay on the sidelines for many
college football and basketball games broadcast on the sports network,
said he planned to seek criminal charges and file civil lawsuits against
the person who shot the video and anyone who published the material.166
The grainy video showed Andrews combing her hair and looking in a
mirror and generated a lot of attention when the video was posted online.
The video led to conflicting accounts about whether it is illegal
to watch or download the video. CBS News reported through its legal
analyst Lisa Bloom that such activity was illegal.167 Marc Randazza, a
legal analyst for the blog “Photography is Not a Crime” countered that
viewing and downloading the video is completely legal.168 Sam Bayard,
assistant director of the Citizen Media Law Project at the Berkman
Center for Internet and Society at Harvard University, believes
publishing the video could lead to civil liability for invasion of privacy
165
Nevada Gov. Jim Gibbons signed S.B. 125 on May 26, 2009. The bill
revises NEV. REV. STAT. § 205.461 and is available at
http://leg.state.nv.us/75th2009/Bills/SB/SB125_EN.pdf. See also 2009 Wa.
ALS 66.
166
Pat Eaton-Robb, Associated Press reporter, ESPN Reporter Secretly
Videotaped Nude in Hotel, WASH. POST, July 21, 2009.
167
Edecio Martinez, You’re Busted! Watching Erin Andrews Naked Video is a
Crime, CBS News.com, July 21, 2009,
http://www.cbsnews.com/blogs/2009/07/21/crimesider/entry5177132.shtml
168
So Now it is a Crime to Even Watch the Erin Andrews Video?,
http://carlosmiller.com/2009/07/21/so-now-it-is-a-crime-to-even-watch-theerin-andrews-video/ (July 21, 2009).
through the publication of private facts or violate state criminal
surveillance laws that prohibit publication of “video voyeurism”
images.169 For example, Bayard pointed to a New York statute that
criminalizes the publication of images that are known to be unlawfully
obtained.170
Media coverage of the incident also raised ethical questions
about how to report on an incident surrounding an invasion of privacy
claim. ESPN decided not to cover the issue as a news story since it had
no bearing on Andrews’ work as a reporter, but several newspapers and
television stations published or aired images of the video, including the
New York Post.171 In response, ESPN banned all Post staffers from
appearing on the network.172
2. Google Executives Face Trial in Italy
Four Google executives were scheduled to go on trial September
29 in Italy on accusations of defamation and violating privacy for
allowing a video of an autistic boy being bullied to be posted online. The
result of the case could alter the rules for how far video-sharing Web
sites must go to control content.
“What is at issue is whether or not privacy laws that apply to
newspapers or to the radio also apply on the Web, or whether it is a sort
of free port where anything goes,” said Alfredo Robledo, one of the
169
News Flash: Watching the Erin Andrews Video is Perverted, Not Illegal,
http://www.citmedialaw.org/blog/2009/news-flash-watching-erin-andrewsvideo-perverted-not-illegal (July 22, 2009).
170
N.Y. PENAL §§ 250.55, 250.60.
171
Andy Soltis, ESPN Erin Andrews in Peep Shocker, July 21, 2009, available
at
http://www.nypost.com/seven/07212009/news/nationalnews/espn_hottie_erin_
andrews_in_peep_shocker_180520.htm
172
Pat Eaton-Robb, Associated Press writer, ESPN Bans NY Post Reporters
Over Andrews Video, July 23, 2009.
prosecutors in Milan who brought the charges. “We are raising the issue
to show that there are holes in Italian legislation.”173
The charges stem from an incident at a school in Turin in 2006
when four boys were filmed teasing another boy, who has Down’s
syndrome. A three-minute cell phone recording of the incident was
uploaded to Google Video, where it remained for nearly two months
before Google removed it after the Italian government and police
intervened.174
Prosecutors allege the company should have prevented broadcast
of the video and that it did not have enough automatic filters in place or
enough workers in Italy to react to videos flagged as inappropriate by
viewers. Google countered that it removed the video as soon as the
company learned of it and then cooperated with authorities to help
identify the boys involved.175
“We feel that bringing this case to court is totally wrong,”
Google said in a statement. “It’s akin to prosecuting mail service
employees for hate speech letters sent in the post. Seeking to hold
neutral platforms liable for content posted on them is a direct attack on a
free, open Internet.”176
The trial opened in February with the court addressing
procedural matters. The family of the boy withdrew from the trial,
leaving Vivi Down, an advocacy group, as the lead plaintiff in a
corresponding civil case. The trial was scheduled to resume June 22, but
was continued when an interpreter did not show up to court.177
The defendants, who are being tried in absentia, are Google’s
senior vice president and chief legal officer David Drummond, former
chief financial officer George Reyes, senior product marketing manager
Arvind Desikan, and global privacy counsel Peter Fleischer.
173
Elisabetta Povoledo, Google Executives on Trial in Italy, N.Y. TIMES, Feb.
3, 2009, available at http://www.nytimes.com/2009/02/03/technology/03ihtgoogle.4.19904181.html.
174
Vincent Boland and Richard Waters, Google Executives Face Milan Trial,
FINANCIAL TIMES, June 21, 2009.
175
Ariel David, Associated Press writer, Google Trial in Italy: Freedom v.
Responsibility, Associated Press Financial Wire, June 23, 2009.
176
Id.
177
Id.
G. Entrusting Google, Amazon With Personal, Public Records
1. UK Considers Putting Medical Records Online
The United Kingdom’s Conservative Party proposed transferring
public health records to Google or Microsoft in lieu of a central
database, The Times of London reported July 6 in a story178 that drew the
ire of those skeptical of Google’s commitment to protecting privacy. The
proposal came on the heels of news that Connecting for Health, a
centralized government database of health records, would not be
completed until 2014, four years behind schedule. The newspaper
reported that Conservative Party leaders hoped to give patients a choice
among several private companies to store their records. That plan,
however, would pose practical difficulties such as what would happen to
the records of those who choose not to participate and how to handle the
estimated nine million British households that do not have Internet
access.179
Microsoft and Google launched similar personal health records
services in 2007 on the promise that users can more easily control and
share an electronic record with multiple health care providers. The
services, Google Health and Microsoft’s Health Vault, respectively, are
not alone in the industry, with Web MD and Revolution Health also
offering the ability to build a personal online health record.180
David Davis, a Conservative Party Member of Parliament,
blasted his own party for the idea of giving Google the reins of patients’
health information because of what he described as the company’s
“cavalier approach to European privacy legislation.”181 Davis supported
transferring health records to private companies, but under the
178
Sam Coates, Tories May Ask Microsoft and Google to Hold NHS Records,
THE TIMES (London), July 6, 2009, at 6-7.
179
Id.
180
Ina Fried, Microsoft Google in Healthy Competition, CNet News, May 18,
2009, available at http://news.cnet.com/Microsoft,-Google-in-healthycompetition/2009-11393_3-6249645.html.
181
David Davis, I Wouldn’t Trust Google With My Personal Info, THE TIMES
(London), July 27, 2009, at 19.
conditions that an entity cannot profit from the venture and the data must
be stored on computers within the UK to assure compliance with UK
privacy laws. Peter Fleischer, global privacy counsel for Google, quickly
defended Google’s commitment to privacy and the value of its health-related services, including “Flu Trends,” which “offers an early warning
system for flu outbreaks based on the anonymous actions of millions of
people searching for symptoms.”182
2. Los Angeles Officials Raise Concerns About Google Apps
The city of Los Angeles proposed replacing its outdated
computer records system by moving government e-mails, reports and
other internal data onto Google Apps, prompting concerns about the
program’s ability to handle records securely for the nation’s second-largest city. Known as “cloud computing,” the city’s records would be
housed on Google servers off city property, raising fears that hackers
could gain access to confidential information, particularly of ongoing
police investigations.183
“Any time you go to a Web-based system, that puts you just a
little further out than you were before,” said Paul Weber, president of
the Los Angeles Police Protective League. “Drug cartels would pay any
sum of money to be aware of our progress on investigations.”184 Google
has assured users that the application is secure and that more than 1.75
million businesses use the technology. As of July 2009, Google said
Washington, D.C., was the only major city using Google Apps for its e-mail and office applications, although other cities were considering also
182
Peter Fleischer, Letter to the Editor, You Can Trust Google to Protect
Privacy, THE TIMES (London), July 28, at 23.
183
David Zahniser and Phil Willon, L.A. Weighs Plan to Replace Computer
Software With Google Service, L.A. TIMES, July 17, 2009.
184
Michael R. Blood, Associated Press writer, Concerns Raised as L.A. Looks
at Google Apps, July 17, 2009, available at
http://www.msnbc.msn.com/id/31967328/.
using it.185
The Los Angeles Times reported that city officials wondered
whether the obligation to respond to public information requests would
fall to Google as host of the city’s records. Peter Scheer, director of the
California First Amendment Coalition, said the switch to Google could
improve access to public information because of Google’s immense
search and storage capabilities. “If you’re asking for information, it’s
more likely you’ll get a more complete and accurate response to your
request, sooner rather than later.”186
3. Groups Urge Strict Privacy in Google Books
A trio of privacy watchdogs urged Google to implement strict
privacy controls in Google Books, a service that would make a wide
variety of books readily available online. The groups were concerned
that Google can track the books people browse and read in the virtual
library and that the record could be turned over to the government or
another third party. To combat the concern, the group, which included the
American Civil Liberties Union of Northern California, urged Google to
adopt several measures. These include releasing browsing information
only in response to a court order, not keeping logging information for
more than 30 days, and giving users the ability to delete their records.187
Google assured potential users that it has a strong privacy policy
in place for Google Books. The company said it could not publicize the
policy until the U.S. District Court for the Southern District of New
York approves a preliminary settlement with book publishers and
authors that would enable Google to provide access to the books.188
185
Id.
186
Zahniser and Willon, supra note 183.
187
Letter from the American Civil Liberties Union, the Electronic Frontier
Foundation and the Samuelson Law, Technology & Public Policy Clinic at the
University of California Berkeley Law School to Eric Schmidt, Chairman and
CEO of Google Inc., July 23, 2009, available at
http://www.eff.org/files/gbs_privacy_schmidt_letter.pdf.
188
Posting of Dan Clancy, engineering director for Google Books, to Google
Public Policy Blog, http://googlepublicpolicy.blogspot.com/ (July 23, 2009,
13:35 EST).
However, the Department of Justice informed the court on July 2, 2009,
that it had opened an antitrust investigation into the proposed agreement.189
4. Student Leads Suit Against Amazon Over Deletion of Kindle Books
A Michigan high school student is a lead plaintiff in a proposed
class action suit against Amazon.com after the company deleted George
Orwell books from customers’ Kindles. The student, Justin Gawronski,
purchased a Kindle copy of Orwell’s “1984” in early June 2009 and took
notes in the electronic novel as part of a summer homework assignment,
according to the complaint filed July 30 in federal court in Seattle where
Amazon Digital Services, the distributor of the Kindle device, is
headquartered.190 At some point in July, Gawronski powered on his
Kindle to find that his copy of “1984,” including his notes, had been
deleted, according to the complaint.
Amazon has explained that it deleted copies of “1984” and
“Animal Farm” after it discovered they were added to the Kindle store
by a company that did not own the rights to distribute the novels.
Amazon says it gave customers a refund for the price of the books.191
In addition to those who had digital content deleted, the suit
proposes to represent all people who have owned a Kindle and seeks an
injunction prohibiting Amazon from accessing customers’ Kindles. The
suit alleges various contract claims, including that Amazon violated its
own terms of use by revoking a promise that users can keep a permanent
digital copy of their purchases. The suit also seeks damages for the loss
of work product sustained by the deletion.
189
The Authors Guild, Inc. v. Google Inc., No. 05 CV 8136, 2009 U.S. Dist.
LEXIS 63081 (S.D.N.Y. July 2, 2009).
190
Gawronski v. Amazon.com, No. 2:09-cv-01084 (W.D. Wash. July 30,
2009).
191
Francesca Heintz, Class Action Over Deletion of Kindle Content Accuses
Amazon of Acting Like Big Brother, The American Lawyer, Aug. 3, 2009.
H. Bloggers in Court
1. Blogger Arrested for Inciting Violence Against Judges
New Jersey blogger and Internet radio host Hal Turner was
charged with violating state and federal laws for separate inflammatory
posts on his blog, including what authorities said amounted to death
threats against three Seventh Circuit judges.192 The posts on Turner’s
now-defunct blog, turnerradionetwork.com, denounced a Seventh
Circuit ruling that upheld two local handgun bans in Chicago. “Let me
be the first to say this plainly: These judges deserve to be killed,” Turner
wrote June 2, 2009, according to a criminal complaint filed against him
June 24 in the U.S. District Court for the Northern District of Illinois.193
“Their blood will replenish the tree of liberty. A small price to pay to
assure freedom for millions.” Turner also posted the photographs, phone
numbers, work addresses and courtroom numbers of the three judges,
William Bauer, Frank Easterbrook, and Richard Posner. The FBI said in
its complaint that it believed Turner’s comments constituted “a threat to
assault or murder a United States judge,” in violation of 18 U.S.C. §
115(a)(1)(B). On Aug. 10, a federal judge denied Turner bail, calling him “a
danger to the community.”194
Prior to the federal charges, Turner had surrendered to
Connecticut authorities on state charges of inciting violence against two
state lawmakers – Sen. Andrew McDonald (D-Stamford and Darien) and
Rep. Michael Lawlor (D-East Haven) – who introduced a controversial
bill that would have given lay members of Roman Catholic churches
more control over their parishes’ finances. Law enforcement officials
believe Turner violated CONN. GEN. STAT. § 53a-179a(a), which
criminalizes “inciting injury to persons or property.”
Michael Orozco, Turner’s defense attorney, said Turner worked
for the Federal Bureau of Investigation from 2002 to 2007 during which
time the FBI taught him how to purposefully make comments that would
incite others to act and lead to their arrest. Prosecutors have
acknowledged Turner spied on radical right-wing organizations, but said
he was not working for the FBI when he made the comments that led to
the criminal charges in Illinois and Connecticut.195
192
Eric Lichtblau, Radio Host is Arrested in Threats on 3 Judges, N.Y. TIMES,
June 25, at A16.
193
A copy of the criminal complaint against Hal Turner is available at
http://big.assets.huffingtonpost.com/turner.pdf.
194
Lynne Marek, No Bail for Web Talk Show Host Who Said Judges Deserve
to Die, The National Law Journal, Aug. 11, 2009.
It is unclear whether the charges against Turner will hold up in
court. Gene Policinski, vice president and executive director of the First
Amendment Center, mentioned in a June 14 post on the center’s Web
site that the principles in Brandenburg v. Ohio, 395 U.S. 444 (1969),
should prevent any criminal charges against pundits such as Turner.196 In
Brandenburg, the Court held that the First Amendment protected
statements advocating use of force or illegal activity “except where such
advocacy is directed to inciting or producing imminent lawless action
and is likely to incite or produce such action.”197
2. Blogger Cannot Invoke New Jersey Shield Law
In Too Much Media LLC v. Hale, MON-L-2736-08 (Monmouth
County Ct. June 30, 2009), a New Jersey trial court judge ruled that a
blogger and online commentator who was sued for defamation could not
claim the state’s journalist shield law to protect the confidential sources
she used as a basis for publishing allegedly defamatory statements about
a corporation. Monmouth County Judge Louis Locascio ruled that
Shellee Hale, a Washington-state based blogger, licensed private
investigator, and “life coach,” could not claim the statutory privilege,
N.J.S.A. 2A:84A-21 -21.8, because Hale did not show that she was “in
any way involved with” any of the “news media” listed in the statute:
“newspapers, magazines, press associations, news agencies, wire
services, radio or television.”
195
Katie Nelson, Associated Press writer, Blogger Who Said Judges Deserve to
Die Was Trained by FBI to Incite Others, Attorney Says, Law.com, Aug. 19,
2009.
196
Posting of Gene Policinski, to FirstAmendmentCenter.org,
http://www.firstamendmentcenter.org//commentary.aspx?id=21692&SearchString=hal_turner (June 14, 2009).
197
Brandenburg v. Ohio, 395 U.S. 444, 447 (1969).
Too Much Media, a computer software company that provides
advertising programming for the online pornography industry, sued Hale
for statements she made in an Internet forum that accused the company,
and two of its officers, of engaging in criminal behavior, including
making physical threats, and profiting from a security breach that
jeopardized the privacy of subscribers to pornography Web sites. The
company planned to compel her to reveal her sources in a deposition.
Locascio wrote that Hale’s online forum statements did not
display accepted practices of journalism that the law was meant to
protect. “There is no fact-checking required, no editorial review and so
little accountability for the statements posted that it is virtually
impossible to discern the author or source of the posts,” Locascio wrote.
“To extend the newspaper’s privilege to such posters would mean
anyone with an email address, with no connection to any legitimate
news publications, could post anything on the internet and hide behind
the Shield Law’s protections.” On July 22, 2009, Hale filed a motion for
reconsideration in Monmouth County Court.
Sam Bayard, Assistant Director of the Citizen Media Law
Project at Harvard’s Berkman Center for Internet and Society, wrote in a
July 9 blog post that it would be “a mistake … to read Judge Locascio’s
opinion broadly as saying that New Jersey’s shield law categorically
does not protect bloggers.”198 Bayard pointed to several “peculiar facts”
in Locascio’s ruling, including that the judge appeared to discount some
of Hale’s testimony because she could not provide specifics about
articles in newspapers and trade journals she claimed to have published,
and because she apparently lied in a previous court document in the
case.
198
Posting of Sam Bayard to Citizen Media Law Project,
http://www.citmedialaw.org/blog/2009/new-jersey-court-says-blogger-shelleehale-not-protected-shield-law (July 9, 2009).
I. Advances in Phone Technology Bring Benefits, Risks
1. Breach Highlights Security Risk of Smart Phones
BlackBerry users in Dubai and Abu Dhabi in July 2009
unknowingly installed what was probably spy software on their phones
instead of an application they believed would upgrade their phones.
While the circumstances surrounding the breach were not entirely
known, including who ordered the upgrade, the incident reinforced
privacy concerns surrounding the phones. An Associated Press story on
the breach quoted Richard M. Smith, an Internet security and privacy
consultant at Boston Software Forensics, as saying that smart phones are
“the perfect personal spying devices” because as tiny computers they
can be programmed to send back a broad range of information.199
The Associated Press reported that the incident occurred after
Etisalat, an Abu Dhabi-based mobile service provider, sent text
messages to BlackBerry customers asking them to follow a link to
update their phones. Customers who installed the software complained
that it quickly drained their batteries. Research in Motion, the Canadian
company that makes the BlackBerry, distanced itself from the request to
install the software and said the application users installed was a
surveillance program that could have possibly allowed access to
personal or private information.200
2. Google Voice App Not Allowed in iTunes App Store
In what may be a move to protect itself against a competitor,
Apple refused to allow Google to distribute its Google Voice application
on iTunes, meaning iPhone users cannot use the software.201 The move
prompted the Federal Communications Commission to launch an inquiry
into Apple’s decision.202
199
Adam Schreck, Associated Press writer, Blackberry Maker: UAE Partner’s
Update was Spyware, July 22, 2009, available at
http://tech.yahoo.com/news/ap/20090722/ap_on_hi_te/ml_uae_blackberry_spying.
200
Id.
201
Alex Pham, Apple Bars Google Voice App From iTunes Store, L.A. TIMES,
July 29, 2009.
Google Voice allows users to make free or low-cost calls and
provides free text messaging, call routing and a universal voice mailbox.
The feature users may find the most beneficial is the ability to
consolidate multiple phone numbers – home, cell phone, office – into
one Google Voice number. Users can then decide which devices will
ring depending on the caller. For example, calls from a boss could be set
to ring only a BlackBerry while calls from a mother-in-law could be sent
straight to voice mail.203 Google Voice was already on BlackBerrys prior
to Apple’s decision to block the application.204
Technology analyst Martin Pyykkonen suggested that Apple’s
move was likely a means to protect its business partner, AT&T Inc.,
from losing money from subscribers who would use Google Voice
instead of its services.205 A New York Times blogger later reported that
Google said it was looking to replace the Voice application with a
specialized Web page that would perform the same functions.206
J. Redaction Methods May Not Serve Their Purpose
A thick black marker used to suffice for redacting information in
legal documents. Some attorneys may still use that tool even though
electronic redacting technology is available. Either method, however,
may fail to keep sensitive information from view. During a 2008 sexual
discrimination suit in Connecticut,207 it was
discovered that the black bars intended to serve as a redaction tool in
PACER’s federal court filing system would disappear when the bars
were copied and then pasted into Microsoft Windows’ Notepad or
Microsoft Word, allowing the underlying words to be read.208
202
David Sarno, FCC Looking Into Apple’s Google Move, L.A. TIMES, Aug. 1,
2009, at B2.
203
Pham, supra note 201.
204
Jenna Wortham, Even Google is Blocked With Apps From iPhone, N.Y.
TIMES, July 28, 2009 at B1.
205
Pham, supra note 201.
206
David Pogue, Is Google Voice a Threat to AT&T?, N.Y. TIMES, Aug. 6,
2009, http://pogue.blogs.nytimes.com/.
207
Schaefer v. General Electric Co., 2008 U.S. Dist. LEXIS 37561 (D. Conn.
May 8, 2008).
Redaction remains an important part of many legal offices,
particularly in the public sector as the Obama administration makes a
push for a more transparent government. The Federal Bureau of
Investigation has a redaction tool in its own document management
system that allows judges to privately view redacted information. The
tool reveals the initials of the person who made the redaction along with
margin notes that indicate why the information was hidden.209 Readily
available automated redaction software can search for words that may
need to be redacted and automatically obscure certain material such as
Social Security numbers, but the software does have its limitations. It
may miss words in a document that has been scanned and it often cannot
read embedded items in a document such as tables and spreadsheets.
Those who commonly redact information say that human review
should remain a part of any successful redacting process. “Tools can
help, but you can never assume it’s foolproof,” said Christine Musil,
vice president of communication for Informative Graphics Corp., which
makes Redact-It, a redaction tool. “Using a redaction tool can help
demonstrate a good-faith effort to redact information, but you still need
to use it properly.”210
208
Douglas S. Malan, GE Suffers a Redaction Disaster, The Connecticut Law
Tribune, May 28, 2008, available at
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202421717785.
209
Jason Krause, Sloppy Redaction: To Err is Automated, Law.com, Aug. 7,
2009.
210
Id.
IV. DATA PRIVACY IN THE WORKPLACE AND ON CAMPUS
A. Requests for Passwords to Social Networking Sites
1. Bozeman, Mont., Stops Asking Job Applicants for Facebook Passwords
On June 22, 2009, the city of Bozeman, Mont., eliminated its
policy of asking job applicants to give their passwords for all personal
and business Web sites, including social networking sites such as
Facebook and MySpace, during the hiring process.211 Applicants were
required to sign a waiver agreeing to a criminal background and
references check. The bottom of the waiver included this request:
“Please list any and all, current personal or business websites, web pages
or memberships on any Internet-based chat rooms, social clubs, or
forums, to include, but not limited to: Facebook, Google, Yahoo,
YouTube.com, MySpace, etc.”212 The request for passwords to Google
and Yahoo meant city officials had the ability to read applicants’ emails.
Bozeman had previously checked job applicants’ social
networking sites for about three years. City administrators first began
asking for the passwords of police and fire department applicants, but
that procedure was never presented to the city commission for approval
because that body does not typically set hiring policies.213 Bozeman City
Manager Chris Kukulski said the city viewed personal Web sites in
order to make sure applicants were honest and reputable as part of its
background check that includes checking credit reports, criminal history,
references and past employment.214 City officials recalled one instance
in which content of an applicant’s social networking site was a factor in
the person not being hired.
211
Amanda Ricker, Commission Eliminates Facebook Policy, Takes Authority
Over Hiring Procedures, BOZEMAN DAILY CHRONICLE, June 23, 2009.
212
A copy of the city of Bozeman job applicant waiver statement is available at
http://www.citmedialaw.org/sites/citmedialaw.org/files/Background_Check_Form_Interview_MASTER.pdf.
213
Amanda Ricker, City Requires Facebook Passwords From Job Applicants,
BOZEMAN DAILY CHRONICLE, June 19, 2009.
News of the city’s hiring practice prompted a wave of attention
by media outlets and bloggers when it became widely known in June,
prompting the city to revisit the practice. At the meeting to rescind the
practice, city Commissioner Jeff Krauss apologized for not acting more
quickly to avoid “wandering down a road that violated basic rights of
our citizens.”215 The city commission has since approved spending up to
$10,000 to hire an outside investigator to examine the former hiring
practice, including whether an applicant’s refusal to submit the
information negatively affected their chances of being hired and how the
city used its reviews of the Web sites.216
2. Student Sues Cheerleading Coach, School District for Facebook Incident
A Mississippi high school cheerleader filed suit against her coach
and school district, claiming that her coach logged into her Facebook
account and distributed material that led to her dismissal from the
team.217 The student, Mandi Jackson, claims Tommie Hill, the
cheerleading coach at Pearl High School in Pearl, Miss., asked each
member of the cheerleading squad on Sept. 10, 2007, to provide her with
the passwords to their Facebook accounts. Jackson claims she did not
know what to do other than to turn over her password to “an authority
figure.”218 Hill then accessed her Facebook account the same day and
“disseminated the information” to other teachers, cheerleading coaches,
the principal and superintendent, according to the complaint.
214
Id.
215
Id.
216
Jessica Mayrer, City OKs $10K for Hiring Probe, BOZEMAN DAILY
CHRONICLE, July 28, 2009.
217
Jackson v. Pearl Public School District, No. 3:09 CV353-JCS (S.D. Miss.
June 16, 2009). A copy of the complaint is available at
www.splc.org/pdf/Pearl%20High%20School.pdf.
The complaint, filed June 16, 2009, in U.S. District Court for the
Southern District of Mississippi, does not specify the precise content
Hill passed along from Jackson’s Facebook account, other than to say
district officials “publicly reprimanded, punished and humiliated
Jackson for a private discussion between Jackson and another student.”
The Student Press Law Center reported the discussion included “an
exchange of profanity-laced messages between Jackson and the
cheerleading captain in which Jackson asked the student to ‘stop
harassing’ several of the cheerleaders.”219 As a result, Jackson was
forced to sit out of cheer and dance training and other school sponsored
events, according to the complaint.
The suit, filed on behalf of Jackson by her parents, seeks more
than $100 million in damages for violations to Jackson’s constitutional
rights to privacy, free speech, free association and due process. The suit
also includes claims for defamation, intentional infliction of emotional
distress and cruel and unusual punishment.
B. Be Wary of Writing Reviews on LinkedIn
Management-side attorneys are warning employers against
writing reviews on LinkedIn, the business networking site that contains
recommendations for job candidates. The attorneys advise that since
most of the reviews on LinkedIn are positive, plaintiffs lawyers could
use them in wrongful termination suits to dispute claims a worker was
let go for poor performance.220
218
Julie Straw, Pearl Student Sues After Teacher Logs Into Student’s Facebook
Account, WLBT-TV, July 28, 2009, available at
www.wlbt.com/global/story.asp?s=10806760.
219
Brian Stewart, Student Files Lawsuit After Coach Distributed Private
Facebook Content, Student Press Law Center, July 22,
http://www.splc.org/newsflash.asp?id=1938.
220
Tresa Baldas, Lawyers Warn Employers Against Giving Glowing Reviews
on LinkedIn, The National Law Journal, July 7, 2009,
http://www.law.com/jsp/article.jsp?id=1202432052393&rss=newswire&hbxlogin=1.
“Just don’t do it,” advised Carolyn Plump, an attorney and
partner at Mitts Milavec in Philadelphia. “Generally, my advice is that I
think employers are often better served by merely stating dates of
employment, positions with the company and salary, and staying away
from much more because there are so many potential ramifications if
they say something.”221
A recommendation could also work against a plaintiff in certain
situations. If a supervisor treated all workers equally by writing positive
reviews about everyone, that could help disprove a discrimination claim,
said Linda Friedman, an employee rights attorney at Stowell &
Friedman in Chicago. She added that employers could explain a positive
review as an attempt to help a person who had just lost his job.222
LinkedIn has already been cited in at least one employment-related
dispute. In Kelly Services Inc. v. Marzullo, 591 F. Supp. 2d 924
(E.D. Mich. 2008), the Michigan-based staffing services company cited
the LinkedIn profile of a former employee who went to work for a
competitor. The company persuaded the court to issue a preliminary
injunction enforcing a non-competition agreement that limited the
worker’s role with his new employer.
C. Confusion and Abuses of FERPA
An investigation by The Columbus (Ohio) Dispatch found that
the nation’s biggest athletic programs interpret the Family Educational
Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g et seq., in vastly
different ways.223 Also known as the Buckley Amendment, FERPA was
passed in 1974 to require educational institutions that receive federal
funds to meet privacy requirements regarding the “education records” of
students or face the loss of that funding. The newspaper’s findings have
sparked a debate over a statute that has long created obstacles for
journalists and led to a movement urging Congress to clarify how
schools should apply the law.224
221
Id.
222
Id.
223
Jill Riepenhoff and Todd Jones, Secrecy 101: College Athletic Departments
Use Vague Law to Keep Public Records From Being Seen, COLUMBUS
DISPATCH, May 31, 2009, available at
http://tinyurl.com/ColumbusDispatchFERPA.
1. Findings By the Newspaper
The Dispatch submitted public records requests to 119 colleges
and universities in the National Collegiate Athletic Association’s
Football Bowl Subdivision requesting records that generally would not
pertain to student athletes’ grades or academic performance, but could
offer insight on how the sports programs operate. The newspaper
requested airplane flight manifests for football team travel to road
games, lists of people designated to receive athletes’ complimentary
admission to football games, football players’ summer employment
documents, and reports of NCAA rules violations.
Of the 69 schools that responded to the request, The Dispatch
reported that more than 80 percent released unedited information about
ticket lists, about half did not censor flight manifests, 20 percent gave
full information about football players’ summer jobs, and 10 percent
provided unedited information about rules violations.
2. What is an ‘Education Record?’
The Dispatch reported that the primary cause for the disparity in
disclosure, sometimes between different schools in the same state, came
from the schools’ interpretations of what qualifies as “education
records.” FERPA defines “education records” as records that “contain
information directly related to a student” and “are maintained by an
educational agency or institution or by a person acting for such agency
or institution.”225 According to the statute, “education records” do not
include administrative or instructional notes or records that are not
available to anyone aside from their creator; records maintained by the
institution’s law enforcement unit; employee records that “related
exclusively to the individual in that individual’s capacity as an
employee” (as opposed to a student’s work-study records, which are
considered “education records” under 34 C.F.R. § 99.3); medical
records; “records created or received by an . . . institution after an
individual is no longer a student in attendance and that are not directly
related to the individual’s attendance as a student;” or “grades on
peer-graded papers before they are collected and recorded by a teacher.”226
224
Id.
225
20 U.S.C. § 1232g(a)(4)(A).
In December 2008, the Department of Education modified its
interpretation of “education records” by expanding the definition of
“personally identifiable information.” The definition under the revised
rule includes not only a student’s name, address, and social security
number, but also information that could lead the requester to identify the
student “with reasonable certainty” and “information requested by a
person who the educational agency or institution reasonably believes
knows the identity of the student to whom the education record
relates.”227
3. Report Spurs Calls to Clarify FERPA
The Dispatch report prompted an effort to re-examine FERPA.
The author of the law, former Sen. James L. Buckley (R-N.Y.), said that
extending the law to athletes who have gambled or cheated, coaches
who have broken recruiting rules, or boosters who offer free meals or
no-work jobs to players is “not what we intended.” He added that “the
law needs to be revamped” because “institutions are putting their own
meaning into the law.”228
Sen. Sherrod Brown (D-Ohio) sent a letter to the Assistant
Education Secretary Carmel Martin that asked the department to “take
additional steps to clarify for students, parents, colleges, universities,
and the public what is an educational record.”229 Paul Gammill, head of
the Education Department’s Family Policy Compliance Office, said the
Dispatch investigation led his office to take a closer look at how schools
apply FERPA because of apparent differences in the interpretation of the
law.230 Gammill added that while his office advises institutions on
compliance, any changes in the law would have to be made by
Congress.231
226
Id.
227
34 C.F.R. §§ 99.3 and 99.31(b) (2008). The entire Family Educational
Rights and Privacy, Final Rule, including summaries and examples, is
available at http://www.ed.gov/legislation/FedRegister/finrule/20084/120908a.pdf.
228
Riepenhoff and Jones, supra note 223.
D. Split Develops in Application of Computer Fraud and Abuse Act
As companies downsize in the current economic crisis, some
terminated employees steal data to improve their job prospects with a
new employer.232 This may lead to an increase in litigation involving the
Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and further
expose a split in judicial interpretations of the CFAA. The CFAA
criminalizes the theft of computer data and enables a company that
“suffers damage or loss” through a CFAA violation to pursue damages
and injunctive relief against the violator in a civil action. Four of the
seven violations of the CFAA require an employer to show that the
worker’s access to the company’s computers was “without
authorization” or “exceeds authorized access.” The CFAA does not
define “without authorization,” but defines “exceeds authorized access”
as “to access a computer with authorization and to use such access to
obtain or alter information in the computer that the accesser is not
entitled so to obtain or alter.”233
229
Jill Riepenhoff and Todd Jones, Brown Wants Student Privacy Limits,
COLUMBUS DISPATCH, June 17, 2009.
230
Katie Thomas, Players’ Privacy Law Is Brought Into Question, N.Y. TIMES,
June 30, 2009, at B14.
231
Id.
232
Nick Akerman, When Workers Steal Data to Use at New Jobs, The National
Law Journal, July 7, 2009,
http://www.law.com/jsp/article.jsp?id=1202432036948&hbxlogin=1.
233
18 U.S.C. § 1030(g).
Nick Akerman, a partner in Dorsey & Whitney’s New York
office, identified Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th
Cir. 2006) as the leading authority for using the CFAA against workers
who steal their employers’ data.234 In Citrin, the Seventh Circuit held
that an employee’s authorization to use company computers is based on
his “agency relationship” with the employer, and this relationship is
voided when the worker violates “his duty of loyalty” to the employer,
such as by accessing a computer to steal data. Courts have since offered
conflicting rulings on whether an employee’s alleged violation of the
CFAA hinges on his authorization to access the data or his intent in
doing so.
1. ‘Authorized Access’ Does Not Violate CFAA
Many district courts have departed from Citrin and have held
that “access to a protected computer occurs ‘without authorization’ only
when initial access is not permitted, and a violation for ‘exceeding
authorized access’ occurs only when initial access to the computer is
permitted but the access of certain information is not permitted.”235 This
line of reasoning focuses on the “use” of the access rather than the
“intent” of the departing employee.236
For example, in Shamrock Foods Co. v. Gast, 535 F. Supp. 2d
962, 963 (D. Ariz. 2008), the court dismissed an employer’s claim
against an employee who e-mailed confidential company information to
himself before he went to work for a competitor. Since the employee had
authorization to view the files he e-mailed to himself, the court found
that the worker did not access the information “without authorization” or
in a manner that “exceeded authorized access.”237
234
Akerman, supra note 232.
235
U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d. 1189, 1192 (D. Kan.
2009).
236
Continental Group, Inc. v. KW Property Management, LLC, 2009 U.S. Dist.
LEXIS 51733, 2009 WL 5244818 *12 (S.D. Fla. April 22, 2009).
237
Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 967 (D. Ariz. 2008). See
also Bridal Expo, Inc. v. van Florestein, 2009 U.S. Dist. LEXIS 7388, 2009
WL 255862, at *9-11 (S.D. Tex. Feb. 3, 2009); Condux Int’l, Inc. v. Haugum,
2008 U.S. Dist. LEXIS 100949, 2008 WL 5244818, at *4-6 (D. Minn. Dec. 15,
2008); Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929, 933-36 (W.D.
Tenn. 2008); Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322,
1341-43 (N.D. Ga. 2007); Brett Senior & Assocs., P.C. v. Fitzgerald, 2007
U.S. Dist. LEXIS 50833, 2007 WL 2043377, at *3-4 (E.D. Pa. July 13, 2007);
Lockheed Martin Corp. v. Speed, 2006 U.S. Dist. LEXIS 53108, 2006 WL
2683058, at *4-7 (M.D. Fla. Aug. 1, 2006).
2. Personal Gain Can Constitute CFAA Violation
Another line of cases emphasizes the intent of an employee’s
actions so that once he is “working for himself or another, his authority
to access the computer ends, even if he or she is still employed at the
present employer.”238 In addition to Citrin, Akerman believes decisions
in three other circuit courts support “sanctioning use of the CFAA
against employees” when their “agency relationship” with the employer
ends.239
In U.S. v. Nosal, 2009 WL 981336 at *7 (N.D. Calif. 2009), the
court refused to dismiss criminal charges against a former “high level
executive at an international executive search firm” who stole
competitively sensitive data from his employer’s computer before he left
the firm. The defendant argued that the CFAA generally applied to
hackers or other “outsiders,” and not to employees who “abuse computer
access privileges to misuse information derived from their employment.”
The court rejected this argument and instead focused on the worker’s
intent to use the information fraudulently at the time it was accessed.
238
Continental Group at 2009 WL 5244818 *12. (citing Hewlett-Packard Co.
v. Byd:Sign Inc., 2007 WL 275476 (E.D. Tex. Jan. 25, 2007)).
239
Akerman, supra note 232. The cases Akerman cites as support for Citrin
are: U.S. v. Phillips, 477 F.3d 215, 221 n. 5 (5th Cir. 2007); P.C. Yonkers Inc.
v. Celebrations The Party and Season Superstore LLC, 428 F.3d 504, 510 (3rd
Cir. 2005); and EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577 (1st
Cir. 2001).
3. Judicial Advice to Businesses
With the current uncertainty in how courts will apply the CFAA,
U.S. District Court Judge James I. Cohn of the Southern District of
Florida suggested that businesses can help protect themselves by
drafting detailed policies on the scope of employees’ use of work
computers. “Though the district court decisions on this issue are in
dispute, an employer . . . clearly has a right to control and define
authorization to access its own computer systems,” Cohn wrote, finding
that an employer had a substantial likelihood of succeeding on a CFAA
claim by showing that a worker downloaded files she did not need for
business purposes during a time when she was negotiating to leave her
employer for a competitor.240
E. Limits to What Employers Can Know, Say About Employees
1. Jury Finds Restaurant Managers Violated Privacy of Workers
A federal jury in Newark, N.J., found that restaurant managers
who monitored employees’ workplace complaints in a MySpace group
violated federal and state privacy laws that protect Web
communications.241 Brian Pietrylo and Doreen Marino, employees at a
Houston’s restaurant in Hackensack, N.J., created an invitation-only,
password-protected MySpace group designed for workers to “vent about
any BS we deal with [at] work without any outside eyes spying on
us.”242 Comments on the site included sexual remarks about
management and restaurant customers as well as references to violence
and illegal drug use.
Restaurant management learned of the site and asked a greeter at
the restaurant for her password. The circumstances surrounding the
request were critical to the resolution of the case. The greeter testified
that she knew she “was going to get in trouble or something was going
to happen” if she did not provide her password.243 After managers
accessed the forum multiple times, Pietrylo and Marino were fired. On
its verdict form, the jury answered affirmatively that the MySpace group
was “a place of solitude and seclusion” designed to protect users’ private
affairs. However, the jury answered “No” to the question of whether
users should have a reasonable expectation of privacy in the group. “The
argument of coercion is the only aspect of this that gave the plaintiff
success,” said Bernard W. Bell, a professor at Rutgers Law School who
teaches privacy law. “If you are distributing these comments, or posting
these comments, on a site that is not password protected, there is very
little argument that there is an invasion of privacy.”244
240
Continental Group at 2009 WL 5244818 *12.
241
Pietrylo v. Hillstone Restaurant Group, Jury Verdict Form, 2009 WL
1867659 (D. N.J. June 16, 2009).
242
Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (FSH), 2008 WL
6085437 (D. N.J. July 25, 2008).
In a July 2008 ruling, U.S. District Court Judge Faith Hochberg
denied summary judgment to the Beverly Hills, Calif.-based Hillstone
Restaurant Group on the workers’ claims of wrongful termination,
invasion of privacy and violations of the Stored Communications Act,
18 U.S.C. §§ 2701-11, and the parallel provision of the New Jersey Act,
N.J.S.A. 2A: 156A-27. Hochberg dismissed a claim that the restaurant
violated the workers’ rights to free speech.245 The jury awarded a total of
$3,400 in back pay and $13,600 in punitive damages.
2. Workers Had ‘Expectation of Privacy’ in Text Messages
In Quon v. Arch Wireless, 529 F.3d 892, 910-11 (9th Cir. 2008),
the Ninth Circuit overturned a district court ruling and found that the
city of Ontario, Calif., and Arch Wireless, a provider of text messaging
pagers, violated the privacy rights of police officers under the Fourth
Amendment and California Constitution by searching the content of text
messages on their work-issued pagers without their consent.
The city of Ontario had an informal policy that it would not look
at the content of the messages as long as the officers paid for any
overage charges that accrued as a result of using the text messaging
243 Id. at *4.
244 Hugh R. Morley, Password-Protected Comments Off Limits to Boss, Jury
Rules, THE RECORD (Hackensack, N.J.), June 26, 2009, available at
www.philly.com/philly/business/technology/062609_password_protected.html.
245 Pietrylo, *7.
pagers for personal use. When a lieutenant got “tired of being a bill
collector with guys going over the allotted amount of characters on their
text pages,” the police chief ordered an audit of the messages to
determine if officers were sending too many text messages on city time
or an increase was needed in the number of characters allotted to officers
each month.246 The audit revealed one officer had gone over his limit by
15,158 characters and that many of the messages were sexually
explicit.247
The court determined that Arch provided an electronic
communication service (ECS) as opposed to a remote computing service
(RCS). Both an ECS and RCS can release private information to, or with
the lawful consent of, “an addressee or intended recipient of such
communication,” while only an RCS can release such information “with
the lawful consent of . . . the subscriber.”248 The court found it
undisputed that the city was not an “addressee or intended recipient,”
but a “subscriber,” so the officers had “a reasonable expectation of
privacy in the content of their text messages vis-à-vis the service
provider.”249
3. Fired Worker Claims Employer Accessed Personal Email
A terminated worker claims his employer violated federal and
state privacy laws by accessing his personal e-mail account and using
the contents of e-mails against him in his termination dispute.250 Scott
Sidell was fired from his job as chief executive officer of Structured
Settlement Investments on Aug. 24, 2007. Before he left the company’s
office building in Norwalk, Conn., Sidell accessed his personal Yahoo!
e-mail account, but did not log off, enabling the account to be accessed
for up to two weeks without a password, according to his complaint.
Sidell claims his employer accessed his personal e-mails and shared
246 Quon v. Arch Wireless, 529 F.3d 892, 897-98 (9th Cir. 2008).
247 Quon, 529 F.3d at 898.
248 Stored Communications Act, 18 U.S.C. § 2702(b)(1),(3).
249 Quon, 529 F.3d at 905-06.
250 Sidell v. Structured Settlement Investments, LP, No. 08CV00710, 2008 WL
2582358 (D. Conn. May 8, 2008).
them with the attorneys representing the company in his termination
dispute. Sidell alleged violations of the Electronic Communications
Privacy Act, 18 U.S.C. § 2510, the Stored Communications Act, 18
U.S.C. § 2701 and similar Connecticut state laws.
Based on an employment agreement to arbitrate all claims, U.S.
District Court Judge Vanessa L. Bryant on Jan. 14, 2009, ordered that an
arbitrator should first decide whether to exercise jurisdiction over
Sidell’s invasion of privacy claims in addition to the wrongful
termination dispute.251 If the arbitrator declines jurisdiction, Sidell can
re-file his suit. Sidell had yet to re-file his suit as of early August.
F. N.J. Law Would Prohibit Prosecuting Teens for ‘Sexting’
Instead of prosecuting teenagers who e-mail, text message or
post nude or sexually suggestive photos online, a proposed New Jersey
law would give prosecutors the option of placing minors in a
diversionary program. Sponsors of identical bills252 introduced in June
2009 in the New Jersey Assembly and Senate say that teenagers who
distribute such material, a practice known as “sexting,” often do so out
of a need for approval or a lack of confidence, and that the law should
reflect their lack of criminal intent.253
The introductory statements to each of the bills identify “sexting”
and teenagers posting sexual images online as “nationwide problems that
have perplexed parents, school administrators, and law enforcement
officials.” In March 2009, the Passaic County (N.J.) Sheriff’s
Department charged a 14-year-old girl with distribution of child
pornography after she posted nude photos of herself on MySpace.254
251 Sidell v. Structured Settlement Investments, 2009 U.S. Dist. LEXIS 2244
(D. Conn. Jan. 14, 2009).
252 A.B. 4069, 213th Leg., 2d Sess. (N.J. 2009); S.B. 2926, 213th Leg., 2d Sess.
(N.J. 2009).
253 Charles Toutant, N.J. Legislation Would Decriminalize ‘Sexting’ by Teens,
New Jersey Law Journal, July 23, 2009, available at
http://www.law.com/jsp/article.jsp?id=1202432466455.
254 Id.
Prosecutors later agreed to drop the charges if the girl received
counseling and stayed out of trouble for six months.255
According to the bills, county prosecutors would have discretion
to admit a minor to the educational program that would focus on the
consequences of sexting, including its effect on relationships and
employment prospects. The New Jersey Attorney General’s Office
would develop the precise makeup of the program that would be an
option for those charged under N.J.S.A. 2C:24-4, which governs
endangering the welfare of a child. Those who successfully complete the
program would be able to avoid prosecution.
State lawmakers also introduced bills in June 2009 that would
require schools to distribute information to students in grades six
through twelve on the dangers of electronically sending sexually explicit
images.256 Other bills would require stores that sell cellular phones to
provide information on sexting to phone purchasers.257
255 Associated Press, Passaic Teen to Undergo Counseling for Posting Nude
Pictures on MySpace, June 23, 2009, available at
http://www.nj.com/news/index.ssf/2009/06/passaic_teen_to_undergo_counse.html.
256 A.B. 4068, 213th Leg., 2d Sess. (N.J. 2009); S.B. 2923, 213th Leg., 2d Sess.
(N.J. 2009).
257 A.B. 4070, 213th Leg., 2d Sess. (N.J. 2009); S.B. 2925, 213th Leg., 2d Sess.
(N.J. 2009).
V. SOCIAL NETWORKING SITES: PRIVACY CONCERNS AND POTENTIAL PITFALLS OF USE
A. EU Regulators Recommend Stricter Rules
In June 2009, a group of European Union regulators
recommended social networking sites (SNS) implement a host of
reforms to comply with EU law, including prohibiting users from
posting photos of others without their consent.258 Other measures
highlighted by the council of EU regulators, known as the Article 29
Working Party, involve deleting personal information when a user
deletes an account and setting up a homepage link to a “complaint
handling office” that deals with privacy and data protection issues.
The working party framed its recommendations to require SNS
to comply with the EU’s Data Protection Directive259 “even if their
headquarters are located outside” of the European Economic Area. The
working party’s opinion is not binding, but often serves as an indication
for the future direction of legislation at the national and EU levels.260 If
these recommendations are adopted in their current or slightly altered
terms, SNS such as Facebook and MySpace will have to alter some of
their practices. Facebook has hired Richard Allan, the former head of
258 Article 29 Data Protection Working Party, Opinion 5/2009 on Online Social
Networking, adopted June 12, 2009, available at
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf.
259 Council Directive 95/46/EC, 1995 O.J. (L 281), available at http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT.
260 EurActiv.com, EU Privacy Regulators Eye Online Social Networks, June
25, 2009, available at http://www.euractiv.com/en/infosociety/eu-privacyregulators-eye-online-social-networks/article-183486.
European regulatory affairs for Cisco, to lobby EU governments on its
behalf.261
In preparing its opinion, the working party drew on previous
recommendations made by the Berlin International Working Group on
Data Protection in Telecommunications,262 the Resolution on Privacy
Protection in Social Network Services,263 and a position paper published
in October 2007 by the European Network and Information Security
Agency.264
1. Tagging Photos
Facebook users currently do not need permission to post photos
on their personal profiles and “tag,” or identify, friends by name with a
link to the profile of the tagged person. The working party wants SNS to
require users who post pictures or information about others to first get
the individual’s permission. To achieve this, the working party suggests
SNS create space on users’ personal home pages that lists the photos
seeking to tag a user. A user would then be able to review the photos and
consent to be tagged before the photos can be posted for others to view.
2. Retention of Personal Data
261 Bobbie Johnson, Facebook is Hiring Lobbyists to Target Europe’s
Politicians, THE GUARDIAN, June 27, 2009, at 8.
262 International Working Group on Data Protection in Telecommunications,
Report and Guidance on Privacy in Social Network Services, a.k.a. “Rome
Memorandum,” March 4, 2008, available at
http://www.datenschutzberlin.de/attachments/461/WP_social_network_services.pdf.
263 Adopted at the 30th International Conference of Data Protection and Privacy
Commissioners in Strasbourg, Oct. 17, 2008, available at
http://www.privacyconference2008.org/adopted_resolutions/STRASBOURG2008/resolution_social_networks_en.pdf.
264 European Network and Information Security Agency, Security Issues and
Recommendations for Online Social Networks, October 2007, available at
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf.
The working party wants SNS to adopt higher standards for the
deletion of personal data. These include deleting personal data “as soon
as either the user or the SNS provider decides to delete the account.” In
addition, when a user updates his profile, the former account information
should not be retained. When a user does not log into an SNS account for
a specific period of time, the profile should be blocked from view of
other users and after another set time period, the account should be
deleted after trying to notify the user.
The recommendations also encouraged setting parameters
regarding the collection of “sensitive data,” which includes data
revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, and information about one’s health or sex life. The
sites should make clear to users that answering such questions is
voluntary. Facebook currently has options for users to enter their
religious and political preferences; however, doing so is not required to
create a profile.
3. Minors
The working party suggested several measures for protecting the
privacy of minors. These include not asking for sensitive data in
subscription forms, prohibiting direct marketing aimed at minors and
possible implementation of age-verification software. In April, Viviane
Reding, the EU’s Commissioner for Information Society and Media,
said she believes that profiles of minors “must be private by default and
unavailable to internet search engines.”265
B. Canada Privacy Commissioner Warns Facebook To Tighten Privacy Controls
Canada’s privacy commissioner found that Facebook violates
Canadian privacy laws in several respects, particularly by not adequately
265 Press Release, Citizens’ Privacy Must Become Priority in Digital Age, Says
EU Commissioner Reding, April 14, 2009, available at
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/571&format=HTML&aged=0&language=EN&guiLanguage=en.
protecting users’ personal information from applications developers.266
The inquiry was prompted by a complaint filed by the
Canadian Internet Policy and Public Interest Clinic at the University of
Ottawa that alleged Facebook violated provisions of Canada’s Personal
Information Protection and Electronic Documents Act. Facebook has
about 250 million users worldwide, including 12 million in Canada.267
Canada Privacy Commissioner Jennifer Stoddart released the
results of her office’s 13-month investigation on July 16, 2009. Stoddart
gave Facebook until Aug. 24, 2009, to bring its policies into compliance.
If it failed to do so, Stoddart would consider pursuing a court order that
would require Facebook to change its business practices.268 Following
the release of the report, Chris Kelly, Facebook’s chief privacy officer,
said the company would continue its conversation with Canada as part of
its ongoing effort to modify its privacy controls. However, Kelly said,
“We have every confidence that there would not be a finding in
Canadian law if there were to go to a court, but we’re very comfortable
with where things are in our discussion.”269
The report identified privacy concerns in these four areas:
1. Facebook Applications
When users decide to participate in games, quizzes and other
diversions on Facebook, they agree to give the application developer
access to much of their personal information. Facebook already advises
developers to limit their use of personal information to the application,
but the report recommends going farther by preventing the release of
information other than what is needed to run a specific application.
266 Elizabeth Denham, Assistant Privacy Commissioner of Canada, Report of
Findings Into the Complaint Filed by the Canadian Internet Policy and Public
Interest Clinic, July 16, 2009, available at http://www.priv.gc.ca/cfdc/2009/2009_008_0716_e.pdf.
267 Gillian Shaw, Canadian Commissioner ‘Hopeful’ Facebook Will Close
Privacy Gaps, VANCOUVER SUN, July 16, 2009.
268 Sarah Schmidt, Facebook Must Satisfy Canada’s Privacy Commissioner by
Monday, OTTAWA CITIZEN, Aug. 16, 2009.
269 Susan Delacourt, Canada Tells Facebook It Must Better Protect Users’
Privacy, WATERLOO REGION RECORD, July 17, 2009, at A1.
Elizabeth Denham, the assistant Canadian privacy commissioner who
prepared the report, wants users to be informed of the specific
information an application uses and for what purpose.
2. Deactivated Accounts
Facebook offers users who no longer want to use the site the
option of deactivating or deleting their accounts. Deactivation authorizes
Facebook to retain personal information in case a user wants to use the
account again, while deletion supposedly eliminates all personal data.
Facebook acknowledges it is difficult to guarantee that all personal
information on a deleted account is actually eliminated. However, the
report wants Facebook to set a reasonable time limit on when it will
delete content from deactivated accounts.
3. Accounts of Deceased Users
The privacy office wants Facebook to include in its Privacy
Policy a notice to users that personal information of deceased users will
be retained to keep an account visible as a memorial. The report
complimented Facebook for its commitment to allowing a way for
friends and family to honor the deceased. However, it found that this
nevertheless constitutes an intended use of personal information and
should be communicated to users.
4. Information of Non-Users
The report urged Facebook to adopt measures to address
concerns about non-users’ lack of consent to being tagged in
photographs. When a user tags a non-user in a photo, the user has the
option of uploading the non-user’s e-mail address. Facebook then uses
the e-mail address to invite the non-user to join the site. The report
recommended Facebook require users to obtain consent before providing
a non-user’s e-mail address, and that Facebook set a reasonable time
limit on the retention of these addresses.
C. Reporters’ Use of Social Networking Sites
Celebrities and other newsmakers have begun using social
networking sites (SNS) in increasing numbers. As a result, media outlets
often use postings from the sites as a source to break news or provide
added commentary to a story. For example, in the days after former
Alaska Gov. Sarah Palin announced on July 3, 2009, that she would
resign from office, news outlets analyzed and reported her Facebook and
Twitter posts in an attempt to more fully understand her decision to step
down. Palin’s online chatter appeared at the top of a July 5, 2009, story
in the New York Times: “Gov. Sarah Palin of Alaska offered few hints of
what her next stage in national politics might be when she unexpectedly
announced that she was quitting her job, other than to say on her
Facebook page on Saturday that she was ‘now looking ahead and how
we can advance this country together.’”270
It is a foregone conclusion that references to Facebook posts or
“tweets” will continue to appear in news reports. Use of the sites is too
pervasive to ignore and their popularity shows no sign of slowing down.
Journalists, media organizations and academic scholars must now
consider the proper parameters that should govern reporters’
professional and personal use of what many view as an indispensable
reporting tool.
1. Ups and Downs of SNS
SNS provide several advantages to journalists. By joining a
Facebook group, reporters can connect with members of the community
or experts in a particular field to generate story ideas and expand their
list of available sources.271 In instances where newsmakers decline to be
interviewed or limit their public comments, posts on SNS may be the
default source for providing a needed perspective. In turn, newsmakers
may prefer authoring a Facebook post or tweet to dodge difficult
270 Adam Nagourney, If Presidency Is Goal, Palin Has Chosen a Risky Route,
N.Y. Times, July 5, 2009, at A14; See also Palin Avoids Press But Speaks
Through Twitter, Facebook, THE VIRGINIAN-PILOT, July 7, 2009, at A4.
271 Leah Betancourt, The Journalist’s Guide to Facebook, Mashable: The
Social Media Guide, Aug. 3, 2009, http://mashable.com/2009/08/03/facebookjournalism/
questions and limit the filtering that is an unavoidable part of the
reporting process.
Journalists, however, must be wary of potential pitfalls, such as
quoting an online post that turns out to be the work of an imposter. Also,
those who use Facebook and comment on news events or offer personal
political views run the risk of jeopardizing their objectivity by being
perceived as biased. J.D. Lasica, founder and editorial director of
Socialmedia.biz and a former editor at the Sacramento Bee, believes this
perception of journalists as “blank slates” is an outdated notion
and that by participating on Facebook, reporters can help to humanize
themselves and lift the veil of secrecy that surrounds the newsgathering
process for much of the public.272
2. Spelling Out Ethical Limits
Some news organizations,273 including the Wall Street
Journal,274 have altered their ethics policies to include rules on the use
of social networking sites.275 Such policies can include guidelines
ranging from the tried-and-true reporting mandate to verify the accuracy
of facts and the identity of a poster to more modern reminders like
recognizing that others may misinterpret a reporter’s intention in
accepting or making a “friend” request.
Jane Kirtley, director of the Silha Center and professor of media
ethics and law at the University of Minnesota, offered several
suggestions for maintaining sound journalistic practices while using
Facebook. These include identifying Facebook in a story when used as a
reporting tool and never “friending” an unnamed source. “If you’ve
272 Id.
273 The social networking policy of the Associated Press is available through
Editor & Publisher,
http://www.editorandpublisher.com/eandp/search/article_display.jsp?vnu_content_id=1003986853.
274 Policies for Employees of the News Departments of The Wall Street
Journal, Newswires and MarketWatch, available on the American Society of
News Editors Web site at http://asne.org/index.cfm?id=7339.
275 Pamela J. Podger, The Limits of Control, AMERICAN JOURNALISM REVIEW,
Aug./Sept. 2009, available at http://www.ajr.org/Article.asp?id=4798.
promised confidentiality, you shouldn’t do it, even if the friend uses a
pseudonym.”276
3. To Tweet or Not to Tweet?
Twitter is likely to vary in its usefulness for journalists as
governments and public and private entities develop policies
encouraging or discouraging its use among employees. Several teams in
the National Football League, including the Green Bay Packers and
Miami Dolphins, have effectively barred players from tweeting over
concerns players will reveal sensitive information about game plans or
injuries. That attitude is not universal in the sports world. National
Basketball Association player Shaquille O’Neal has more than 1.8
million followers on Twitter and cyclist Lance Armstrong tweeted
throughout the 2009 Tour de France.277
In the United Kingdom, the government’s Department for
Business Innovation & Skills compiled a 20-page report in July 2009
that urged department employees to tweet and suggested the practice be
expanded to other areas of government.278 Advantages to tweeting,
according to the report, include the opportunity to put a “human voice”
to a government department and build relationships with certain
audiences, including journalists and bloggers.279
D. Sites Offer a Vehicle for Scams and Viruses
1. Twitter Used for Scams
276 Betancourt, supra note 271.
277 Judy Battista, The N.F.L. Has Identified the Enemy and it is Twitter, N.Y.
TIMES, Aug. 3, 2009, at B13.
278 BBC News, Government Advice Urges Tweeting, July 27, 2009, available
at http://news.bbc.co.uk/2/hi/uk_news/8171597.stm.
279 Neil Williams, Department for Business, Innovation and Skills, Template
Twitter Strategy for Government Departments, July 21, 2009, available at
http://blogs.cabinetoffice.gov.uk/digitalengagement/file.axd?file=2009%2f7%2f20090724twitter.pdf.
The Better Business Bureau says that online scammers have
begun using Twitter to attract people into “get-rich-quick and
work-at-home schemes” similar to those that have proliferated in e-mail accounts
for years.280 The scams involve companies promising to pay Twitter
users hundreds of dollars a day to tweet after they sign up for a free
training kit. The result is that users can be fleeced of a large monthly
payment if they do not cancel within a certain time. The bureau warns
those looking for jobs to be cautious of claims that they can earn
paychecks by tweeting from home and to avoid Web sites asking for
money upfront for a job tweeting.281
The Web sites began showing up in the spring of 2009 and the
Better Business Bureau had not received any consumer complaints as of
July, according to Alison Southwick, a spokeswoman for the bureau.
“Twitter is the cool thing, the bright, shiny object,” she said. “It’s
unbelievable how widespread this is. And with so many people
vulnerable and looking for jobs, a scheme like this is going to have
people falling for it when they can least afford to.”282
2. Sites Can Attract Viruses
Authors of computer viruses have increasingly targeted social
networking sites such as Facebook, MySpace and Twitter. In a July 12
story in the Washington Post, Rob Pegoraro reported that these sites
serve as an attractive target because they are premised on the trust
established through a network of friends or known entities.283 This
makes users more vulnerable because they are less likely to ignore a link
to a random Web site when guided there by a friend as opposed to a
stranger.
Some free Web sites use blacklists to block links to hazardous
pages when creating the abbreviated links that often appear in short
280 Tiffany Hsu, Twitter Becoming a Tool for Scams, Bureau Says, CHI. TRIB.,
July 7, 2009.
281 Id.
282 Id.
283 Rob Pegoraro, Social Networks May Provide a Chattering Class for
Viruses, WASH. POST, July 12, 2009.
messages on social networking sites. However, Pegoraro theorized that
the steady stream of updated content on a site such as Twitter may
prevent even the best-maintained blacklist from properly identifying all
threats. Pegoraro predicts more viruses will begin to plague these sites
and, in a slight twist to an old saying, he offers this advice: “If your
mother says she loves you on Facebook, check it out.”
E. Court Cases Involving Social Networking Sites
1. Twitter and Defamation
a. La Russa Drops Defamation Suit
Tony La Russa, manager of the St. Louis Cardinals, filed suit
against Twitter Inc. on May 6, 2009, for trademark infringement,284
invasion of privacy,285 cyber squatting286 and related claims.287 In what
was to be the first legal challenge against Twitter, La Russa claimed that
his identity had been hijacked by someone else posting “tweets” on the
micro blogging Web site under his name and photo. As a result, he
claimed Twitter damaged his trademark rights to his famous name. La
Russa has managed Major League Baseball teams for 30 years in what is
likely to be a Hall of Fame career. The imposter poked fun at La Russa’s
drunk driving arrest and made light of the death of a Cardinals pitcher in
a car accident. “Lost 2 out of 3, but we made it out of Chicago without
one drunk driving incident or dead pitcher,” one of the disputed posts
read. Twitter removed the fake profile after La Russa filed suit.
La Russa dropped the lawsuit on June 26, 2009, in a terse court
filing that stated Twitter made no payment to La Russa in exchange for
dropping the suit.288 The precise reason for the decision not to pursue the
claims was not reported, but it is possible La Russa decided he would
284 Lanham Act, 15 U.S.C. § 1144.
285 California Civil Code, § 3344.
286 Anticybersquatting Consumer Protection Act, 15 U.S.C.A. § 1125(d).
287 La Russa v. Twitter Inc., Complaint, No. CGC-09-488101 (May 6, 2009),
filed in California Superior Court in San Francisco County.
288 La Russa v. Twitter Inc., Notice of Dismissal of Complaint With Prejudice,
CV-09—2503-EMC, (N.D. Cal. June 26, 2009).
not win a legal challenge because Web sites are generally not liable for
the postings of their users under the Communications Decency Act, 47
U.S.C. § 230.
b. Landlord Sues Ex-tenant For Defamation
A Chicago apartment leasing and managing company filed a
defamation lawsuit against a former resident for a Twitter post that
suggested the company condones tenants living in moldy apartments.
Horizon Group Management LLC filed the suit against Amanda Bonnen
on July 20, 2009, in Cook County Circuit Court in Chicago.289 “Who
said sleeping in a moldy apartment was bad for you? Horizon realty
thinks it’s okay,” Bonnen posted on Twitter the morning of May 12,
2009.
The suit claims Bonnen “maliciously and wrongfully published
the false and defamatory statement, thereby allowing the Tweet to be
distributed throughout the world.” Horizon claims the post damaged its
reputation and Bonnen is therefore automatically liable. Bonnen had a
public Twitter profile at the time of the post, but only 20 registered
followers. The lawsuit invited more attention to the post as “Horizon
Realty” hit as high as No. 3 on Twitter’s list of trending topics after
media outlets reported on the lawsuit.290 Horizon was seeking more than
$50,000 in damages.
2. MySpace Post = Publicity in MN
A Minnesota appeals court held that posting private information
on a publicly accessible Web site satisfies the publicity element of an
invasion of privacy claim. In Yath v. Fairview Clinics, 767 N.W.2d 34
(Minn. Ct. App. 2009), the court also upheld a Minnesota statute that
permits a private cause of action for wrongful disclosure of an
individual’s medical records, a decision that runs the risk of encouraging
289 Horizon Group Mgmt., LLC v. Bonnen, 2009 L008675 (Cook County
Superior Court July 20, 2009).
290 Ben Meyerson and Andrew Wang, Tweet Lawsuit: Chicago Landlord Sues
Ex-Tenant Over Tweet Complaining About Apartment, CHI. TRIB., July 29,
2009.
health care professionals to take a more guarded attitude toward the
Health Insurance Portability and Accountability Act (HIPAA), 42
U.S.C. §§ 1320d-1320d-8 (2006).
The case originated when a clinic employee noticed an
acquaintance visit the clinic and out of curiosity decided to look at the
patient’s medical file. The employee learned the patient, who is married,
wanted to be tested for a sexually transmitted disease because she had a
new sexual partner. The employee, who is related to the patient’s
husband, revealed the information to friends and other relatives. A page
on MySpace.com with the title “Rotten Candy” revealing the
information from the patient’s file soon appeared online, prompting the
suit.
The court focused on the method used to transmit the private
information—a publicly accessible Web site—rather than the number of
viewers to decide the publicity element had been satisfied. The court
acknowledged the likelihood that only a few friends of the clinic
employee saw the page, particularly because the page was only posted
for between 24 and 48 hours before it was removed. However, the court
found that the number of actual viewers is irrelevant, likening the
MySpace page to a newspaper with a small circulation or a radio
broadcast in the middle of the night that has a small audience. The court
reasoned that the publicity element is triggered “when the
communication is made to the public at large, not to a large number of
the public.”291
In the same case, the court also held that a Minnesota statute is
complementary, not contradictory, to HIPAA because both laws
discourage wrongfully disclosing information from a person’s health
record. A HIPAA violation exposes a person to criminal penalties while
Minn. Stat. § 144.335 (2008) exposes a person to compensatory
damages in a civil action. The Hennepin County District Court
dismissed claims under the state statute by reasoning that the state law is
contrary to HIPAA and is therefore preempted by it. In reversing that
decision, the appeals court noted it is possible to comply with both laws,
and that the Minnesota statute creates “another disincentive to
291 Yath v. Fairview Clinics, 767 N.W.2d 34, 44 (Minn. Ct. App. June 23, 2009).
wrongfully disclose a patient’s health care record.”292 It remains to be
seen whether this ruling may have the unintended effect of causing
health care professionals to err on the side of caution and be reluctant to
release information not protected by HIPAA out of fear of being
individually liable in a civil suit.
3. Judge Issues Facebook Gag Order
A Rhode Island family court judge enjoined a woman from
posting any information on the Internet about a child custody dispute293
to which she is not a party. Kent County Family Court Judge Michael Forte
issued the gag order in June 2009 to Michelle Langlois, whose brother is
involved in an ongoing custody dispute with his ex-wife, Tracey
Martin.294 Forte issued the order in response to Martin filing a “domestic
abuse” petition that claimed Langlois’ posts to her Facebook page
served as harassment and could psychologically damage the children
involved in the dispute.
The American Civil Liberties Union filed a motion to dismiss the
order on behalf of Langlois, who said in defense of her postings: “I do
not believe the truth was coming out in Family Court. I was simply
using the internet to publicize my brother’s plight.”295 A potential battle
over Forte’s authority to issue the prior restraint on speech was averted
when Forte dismissed the order after Martin voluntarily dismissed her
petition.296
292
Id. at 50.
293
Martin v. Bouthillier, No. K20010449 (Kent County Family Court).
294
Posting of Eric Hoffman to Newsroom Law Blog,
http://www.newsroomlawblog.com/2009/07/articles/prior-restraints/rhodeisland-court-bars-woman-from-publishing-details-about-open-courtproceeding/ (July 28, 2009).
295
Id.
296
Posting of Eric Hoffman to Newsroom Law Blog,
http://www.newsroomlawblog.com/2009/07/articles/prior-restraints/update-torhode-island-gag-order/ (July 30, 2009).
4. Liability for Hosting Third Party Content
a. Yahoo! Could Be Liable for Promising, but Failing, to Remove Content
In Barnes v. Yahoo! Inc., 565 F.3d 560 (9th Cir. 2009), amended,
570 F.3d 1096 (9th Cir. 2009), the court allowed a plaintiff to move
forward on her promissory estoppel claim against Yahoo after the
company failed to follow through on its promise to remove a sexually
explicit Web posting. Attorneys advise that the ruling serves as a
reminder that despite the wide protections afforded by the
Communications Decency Act, 47 U.S.C. § 230(c)(1), there is a risk
involved with hosting third-party content on the Web.297
The case arose when the plaintiff, Cecelia Barnes, broke up with
her boyfriend and he posted nude photographs of the two of them,
without her consent, on a Yahoo Web site along with some sort of
invitation to engage in sex. Barnes repeatedly asked Yahoo to take down
the profile and the company said it “would take care of it.” However, the
profile did not disappear until Barnes filed suit in Oregon state court.
The court determined that Barnes’ promissory estoppel claim did
not depend on the status of Yahoo as a “publisher or speaker.” If it did,
Yahoo would have been precluded from liability under the
Communications Decency Act, which generally precludes courts from
treating Internet service providers as publishers. The court found that
Yahoo’s contract liability came not from its actions as a publisher, but
“from Yahoo’s manifest intention to be legally obligated to do
something, which happens to be removal of material from
publication.”298 The court noted that a general monitoring policy, or
even an attempt to help a specific person, would not be enough to
expose an Internet service provider to contract liability.
297
Paul Watler and Jeremy Brown, Companies Hosting Third-Party Content
Beware: Promises Can Get You in Trouble, Jackson Walker Media E-Alert,
June 12, 2009, available at http://images.jw.com/ealert/media/2009/0612.html.
298
Barnes v. Yahoo! Inc., 565 F.3d 560, 572 (9th Cir. 2009).
b. Argentine Judge Holds Google and Yahoo! Liable for Photos on Sex Trade Web Sites
On July 29, 2009, an Argentine judge held Google and Yahoo!
liable for pornographic and female escort Web sites that posted pictures
of a model and actress without her consent, according to the Bureau of
National Affairs Electronic Commerce Report.299 The judge in the
National Civil Court No. 75 in Buenos Aires ordered each company to
pay $13,124 in damages to Virginia Da Cunha.300 The judge ruled that
the companies helped increase the damage to Da Cunha by enhancing
the quality of the pictures and that without their participation, accessing
the Web sites might have been extremely difficult.301
“Search engines are responsible due to their activities as website-access
facilitators,” the judge wrote. They are “enormous tools that help
amplify the spread of information and have an equal ability to amplify
harm.” BNA reported that Da Cunha’s attorney, Gustavo Tanus, who
has handled 120 similar cases against the two companies, said that this
was the first successful ruling in Argentina. Tanus said that the actress
plans to appeal the ruling because the judge granted her moral, but not
economic damages, and that she is “entitled to payment for the use of
her photos.”302
299
David Haskel, Argentine Judge Holds Google, Yahoo! Liable for Posting of
Third Party Content, BNA Electronic & Commerce Law Report, Aug. 5, 2009.
300
Da Cunha v. Yahoo de Argentina, Juzg. N., No. 99620/2006, July 29, 2009.
301
Haskel, supra note 299.
302
Id.
5. MySpace Suicide Case Leads to Change in Missouri Law, Prosecution for Cyber-bullying
a. Judge Overturns Conviction
In July 2009, a federal judge in Los Angeles threw out a criminal
case against a Missouri woman convicted of computer fraud stemming
from a 2006 hoax on MySpace targeting a teenage girl who later
committed suicide. Lori Drew, of Dardenne Prairie, Mo., was convicted
on Nov. 26, 2008, of three misdemeanor counts of illegally accessing a
computer. U.S. District Court Judge George H. Wu issued a direct
acquittal on July 2.303
Thom Mrozek, a spokesman for the U.S. attorney’s office in Los
Angeles, told CNN ahead of Wu issuing a written order that “Wu said in
court if Drew is convicted of illegally accessing computers, the guilty
verdict would set a precedent and anyone who has ever violated
MySpace’s terms of service could also be found guilty of a
misdemeanor.”304 Drew had been accused of participating in a
cyber-bullying scheme in Missouri against 13-year-old Megan Meier. Drew
created a fictitious profile on MySpace of a young man which she used
to contact, flirt with, and later reject and insult Meier, a former friend of
Drew’s daughter. Meier hanged herself in her home in October 2006.
MySpace’s user agreement requires registrants to provide,
among other things, factual information about themselves, and to refrain
from soliciting personal information from minors and using information
obtained from MySpace services to harass or harm other people.305 Drew
was originally charged with four potential felony counts of unauthorized
computer access under the Computer Fraud and Abuse Act, 18 U.S.C. §
1030, and prosecutors claimed that by allegedly violating the
“click-to-agree contract,” Drew committed the same crime as any computer
hacker. U.S. Attorney Thomas O’Brien said he filed the case in Los
Angeles because that is where MySpace is based. At the time, Missouri
did not have an online harassment law. Prosecutors said they would wait
to review Wu’s written order before deciding whether to appeal.306
303
Alexandra Zavis, MySpace Conviction in Doubt, L.A. Times, July 3, 2009,
at A3.
304
CNN.com, Conviction in MySpace Suicide Case Tentatively Overturned,
July 2, 2009, http://www.cnn.com/2009/CRIME/07/02/myspace.suicide/.
305
Posting of Kim Zeller to Threat Level,
http://www.wired.com/threatlevel/2009/07/drew_court/comment-page-2/ (July
2, 2009, 18:30 EST).
306
Zavis, supra note 303.
b. Woman Charged With Cyber-bullying Under New Missouri Law
In August 2009, a Missouri woman was charged with felony
harassment for allegedly posting photos and personal information of a
17-year-old girl on the “Casual Encounters” section of Craigslist.
Prosecutors say 40-year-old Elizabeth A. Thrasher posted the girl’s
picture, e-mail address and photo on the Web site in a manner that made
it appear the girl was seeking a sexual encounter. The girl then received
lewd messages and photos from men she did not know. The alleged
victim is the daughter of the girlfriend of Thrasher’s ex-husband and
Thrasher and the girl had apparently been arguing on MySpace before
the post of the girl appeared on Craigslist.307
Thrasher, of St. Peters, Mo., in suburban St. Louis, was the first
woman charged with felony harassment under the state’s updated
harassment law passed in 2008 in response to the death of 13-year-old
Megan Meier, who committed suicide after she was the victim of a
cyber-bullying scheme.308 The revised law eliminated the requirement
that harassing communication be made “in writing or by telephone” so
that now electronic communication, including online postings and text
messages, can constitute harassment.309 The crime becomes a felony
when committed by someone at least 21 years old against a person 17
years old or younger. Misdemeanor cases have been filed under the law.
Thrasher was freed on $10,000 bond, but a judge prohibited her
from having a computer or Internet access at home. Her attorney,
Michael Kielty, likened what Thrasher was accused of doing to someone
posting a telephone number on a bathroom wall, telling people to “call
Jane Doe for a good time.” Kielty believed such action may be “in poor
taste” or “inappropriate,” but that it does not amount to a crime.310
307
Betsy Taylor, Associated Press writer, Woman Charged With Harassment
Over Suggestive Post, WASH. POST, Aug. 18, 2009.
308
Id.
309
Mo. Rev. Stat. §§ 565.090, 565.225 (2008).
310
Taylor, supra note 307.
6. Teenage Girl in England Jailed for Bullying on Facebook
An 18-year-old girl who posted death threats on Facebook
became the first person in Great Britain to be jailed for bullying on a
social networking site when she pleaded guilty to harassment on Aug.
21, 2009.311 Keeley Houghton, of Malvern, Worcestershire, was
sentenced to three months in a juvenile offenders’ institution.
On July 12, 2009, Houghton had updated her Facebook status to
say: “Keeley is going to murder the bitch. She is an actress. What a
[f***ing] liberty. Emily [F***head] Moore.” Houghton had two
previous convictions in connection with Moore, who is also 18 years
old, dating back to 2005, for assault and damaging Moore’s property.
Houghton told police that she wrote the death threats late at night while
she was drunk and had no memory of doing so. However, police say
Internet records show Houghton wrote the threatening message at 4 p.m.
July 12 and kept it on her page for 24 hours.312 The Daily Mail in
London reported that people in Great Britain have previously been jailed
for harassment and stalking on social networking sites, but that
Houghton is believed to be the first to be jailed for online bullying.313
F. Chinese Social Networking Sites Go Offline
Web sites in China, including some SNS, periodically went
offline during the spring and summer of 2009. Media reports speculated
that the coincidence of so many sites going offline at the same time was
the result of the Chinese government seeking to curtail the vehicles of
free expression. On June 3, Sky Canaves wrote in his Wall Street
Journal blog dedicated to China that Chinese users could not access the
U.S.-based Web services of Twitter and Hotmail. Users of Bing.com,
Microsoft’s search service, and Xiaonei.com, a Chinese SNS similar to
Facebook, also reported an inability to use the sites around the same
time.314
311
Helen Carter, Teenage Girl is First to be Jailed for Bullying on Facebook,
THE GUARDIAN, Aug. 21, 2009.
312
Id.
313
Luke Salkeld, Facebook Bully Jailed: Death Threat Girl, 18, is First Person
Put Behind Bars for Vicious Internet Campaign, THE DAILY MAIL, Aug. 21,
2009.
314
Sky Canaves, Closed for Business: More Chinese Web Sites, China Journal,
Wall Street Journal Blogs, June 3, 2009,
http://blogs.wsj.com/chinajournal/2009/06/03/closed-for-business-morechinese-web-sites/.
Many of the sites that went offline posted messages on their
home pages saying that the sites were down due to maintenance. The
blockages may have been triggered by the government’s desire to stifle
expression commemorating the 20th anniversary of the Tiananmen
Square demonstrations. The periodic shut downs continued into July
when the Associated Press reported that Digu and Zuosa, two Chinese
micro-blogging sites similar to Twitter, had been shut down for
maintenance. A spokeswoman for Digu said, “It’s a sensitive period, so
we are not in a rush to re-open it.” She added that the company recently
had to remove politically sensitive material users posted to the site.315
Canaves wrote that it can be difficult to determine what causes
certain Web sites to be inaccessible to users in China. “Government
officials don’t address the blocking of specific Web sites, and when
Internet companies take themselves offline, authorities can plausibly say
that these are private business decisions that have nothing to do with
them,” Canaves wrote. The Associated Press reported that beginning in
March 2009, users could not access YouTube after a video appeared on
the site allegedly showing Chinese security officials mistreating
Tibetans.316
315
Alexa Olesen, Associated Press writer, Chinese Web Sites Close Amid
Tightening Controls, July 21, 2009, available at
http://news.yahoo.com/s/ap/20090721/ap_on_re_as/as_china_internet.
316
Id.