Category: Privacy (Electronic Surveillance)

How Does the US Rank Among Countries in Privacy Protection?

How does the United States rank among countries in privacy protection? Practically at the bottom according to a ranking by Privacy International, a UK-based privacy advocacy group. The ranking is based on Privacy and Human Rights, an annual report about privacy laws around the world published by Privacy International and the Electronic Privacy Information Center. Here’s the ratings table and here’s the briefing paper for the table. Unfortunately, every time I try to access the PDF file of the briefing paper that explains the rankings, it not only fails to load, but it also crashes my browser, whether Firefox or Explorer.

The press release for the rankings states:

Xoxohth 1.1: The Past and Present

[This is Part I, Section 1, of the project I announced here. The goal of today’s installment is to set out the history of the XO board, and briefly describe its present statistics.]

Hugs and Kisses, Hope this Helps

The genesis of XO was less gripping, bloody, tortured, significant and miraculous than the Exodus, a tale which it otherwise resembles in important respects.

The community started as a group of posters at the Princeton Review Discussion Board [PR]. Some individuals began at PR in 1997-1998, as they were applying to college, and continued posting in that forum after matriculation. The reason that people spent time – sometimes 20 hours a week or more – at PR will become familiar:

Before I started law school, I posted on the former incarnation of xoxo (which was then run by the Princeton Review) because it was a wide-open and mostly unmanaged discussion. In one sitting I could have the most sober and serious conversations as well as the most silly and immature b******* sessions, all with the same group of people. The other, more “mature” boards were by comparison intellectual wastelands, partly because they were so “sober” and “mature.” All the really smart people shunned those boring boards in favor of pr (now xoxo).

But not all individuals were looking for information: some were actually, weirdly, (slumming) older alumni.

The standard foundation story holds that in March, 2004, PR switched to a new software format that users found irritating because it (1) enabled IP tracking; (2) discouraged use of multiple aliases; (3) discouraged abusive language through moderation and banning; and (4) eliminated the “‘tree’ format and switching to a vBulletin-type format that was heavily despised by most users.” See here and here and here for some posts from the period. One emailer explains:

The only moderators were Jeff Adams, a Princeton Review employee, and TPR Droid, who was a long-time poster that Jeff hired to moderate the board when he wasn’t around. Anger at TPR Droid’s moderation style was one of the main reasons for the initial rift — while Jeff was even-handed with deletions and bannings, many people felt Droid had an agenda since he would ban people for criticizing his favored posters, or delete racist threads directed at Jews and Christians while refusing to delete equally hateful threads about Muslims.

A group of users decided to leave PR as a group. However,

The law boarders didn’t know about the existence of xoxohth. [A user with the handle Rowan] organized an AIM chat and people were brainstorming ideas of how to re-create the board. I think rk even drafted a letter looking for corporate sponsorship . . . In the very beginning, the law and college boards were one. During those heady first days, all personal wars were called off – Edgar Martinez, Julia, RWA, LawyerBird got along – but soon order was restored and things returned to normal.

Obviously, the domain name had been purchased before problems on the PR board became exigent. According to a WHOIS search, the purchase of the xoxohth domain occurred on January 29, 2004. The buyer was Jarret Cohen, now in business in Pennsylvania. As you can see from this screenshot of the early board, it was intended to be a replacement for the PR community. Contrary to Eugene’s speculations, xoxohth is not a dungeons and dragons reference. It seems to stand for xoxo (hugs and kisses) plus hth (hope this helps).

It is also worth noting that there was an early worry that the former PR community would split into a college (XO) faction and a law faction, located at the JD2B board. A source comments:

[W]hen Marshall [Camp, JD2B’s owner] found out the xo board existed, he not only deleted the JD2B message board, but prominently linked to the board on his site and actively sent traffic our way; basically we were treated as JD2B’s unofficial messageboard.

That site probably accounted for 50-75% of our referring URL traffic in the early days.

Organizational Control

Cohen – alias Rachmiel – and another user known as Boondocks (from the comic strip?) coded the initial software for the board, which (of course) was unmoderated. Boondocks, I am given to understand, is an African-American man who, though one of XO’s founders, forewent an administrative role after the first two months of the board’s existence.

Instead, in about May, 2004, Anthony Ciolli, a Penn Law student, became partners with Cohen. My sense is that Ciolli – alias “Great Teacher Onizuka” (manga comic reference?) – and Cohen split the board’s revenues 50/50, and share operational control over the permissions on the site.

Hewlett-Packard, Privacy, and Consent

The recent scandal at Hewlett-Packard has had remarkable staying power. Like most others, I was taken aback by the investigatory methods HP officials used to find the source of boardroom leaks. They crossed the line, certainly as a normative matter, and, if the California indictments are any indication, as a legal one too.

Now let’s add a twist: What if members of HP’s Board of Directors had agreed in advance to be spied on? Say they had agreed when they were named to the board that HP could conduct unannounced investigations and surveillance of their personal contacts and communications – including access to personal phone and other records – if necessary to protect firm interests. And suppose this consent was “narrowly tailored” in the sense that such an investigation would occur only after HP officials determined that there had been a leak, it most likely had originated with a board member, and further leaks would potentially harm the legitimate interests of the corporation. I wonder whether such prior consent would change many individuals’ views of at least some of HP’s actions.

The Digital Person: Now in Paperback

I’m pleased to announce that my book, The Digital Person: Technology and Privacy in the Information Age, is now out in paperback and has a much more affordable price. From the cover blurb:

Seven days a week, twenty-four hours a day, electronic databases are compiling information about you. As you surf the Internet, an unprecedented amount of your personal information is being recorded and preserved forever in the digital minds of computers. For each individual, these databases create a profile of activities, interests, and preferences used to investigate backgrounds, check credit, market products, and make a wide variety of decisions affecting our lives. The creation and use of these databases—which Daniel J. Solove calls “digital dossiers”—has thus far gone largely unchecked. In this startling account of new technologies for gathering and using personal data, Solove explains why digital dossiers pose a grave threat to our privacy.

The Digital Person sets forth a new understanding of what privacy is, one that is appropriate for the new challenges of the Information Age. Solove recommends how the law can be reformed to simultaneously protect our privacy and allow us to enjoy the benefits of our increasingly digital world.

Links to reviews of the book are at The Digital Person website.

The Ten Greatest Privacy Disasters

Wired News lists what it considers to be the 10 greatest privacy disasters:

10. ChoicePoint data spill

9. VA laptop theft

8. CardSystems hacked

7. Discovery of data on used hard drives for sale

6. Philip Agee’s revenge

5. Amy Boyer’s murder

4. Testing CAPPS II

3. COINTELPRO

2. AT&T lets the NSA listen to all phone calls

1. The creation of the Social Security Number

See the Wired article for its explanations. It’s a good list, but there are a few problems. Although we still don’t know all the details of the NSA surveillance program, it’s not worse than COINTELPRO, which involved massive surveillance of a wide range of groups, the wiretapping of Martin Luther King, Jr., attempts to blackmail King, and more. The Social Security Number has indeed led to a ton of problems, but the fault doesn’t lie with its creation. Rather, the problem is mostly the expanding use of the number and the failure of the government to rein in government agencies and businesses from using it. CAPPS II, while flawed in its conception, should not be so high on the list.

Some notable omissions: Where’s Total Information Awareness? What about Olmstead v. United States, 277 U.S. 438 (1928), where the Supreme Court held that the Fourth Amendment didn’t regulate wiretapping? Olmstead led to nearly 40 years of extensive abuses of wiretapping before it was overruled. There are countless other Supreme Court 4th Amendment cases that could arguably be listed, but I’d definitely include Miller v. United States, 425 U.S. 435 (1976), which created the third party doctrine which holds that the Fourth Amendment does not apply to personal records possessed by third parties. Another possible inclusion: The birth of J. Edgar Hoover.

Hat Tip: Bruce Schneier

NSA Surveillance and the First Amendment

Earlier today, a federal district judge struck down the Bush Administration’s NSA surveillance program which involved intercepting international electronic communications without a warrant. The opinion is available here. I have not had time to read the opinion carefully yet, but I am especially intrigued by the court’s use of the First Amendment as one of the grounds to invalidate the program. I just completed an article entitled The First Amendment as Criminal Procedure in which I argue for First Amendment regulation of government information gathering. In the final section, I have a discussion of the NSA surveillance program.

The court’s First Amendment analysis is very brief, and I agree with Jack Balkin who observes that the “first amendment holding is novel although plausible, but it is not supported by very good arguments.” The First Amendment argument is indeed a difficult and complex one and it deserves more than just a few pages to develop. My article attempts to flesh out the First Amendment argument. Here’s the abstract:

This article explores the relationship between the First Amendment and criminal procedure. These two domains of constitutional law have long existed as separate worlds, rarely interacting with each other. But many instances of government information gathering can implicate First Amendment interests such as freedom of speech, association, and religion. The Fourth and Fifth Amendments used to provide considerable protection for First Amendment interests, as in the famous 1886 case, Boyd v. United States, where the Supreme Court held that the government was prohibited from seizing a person’s private papers. Over time, however, Fourth and Fifth Amendment protection shifted, and now countless searches and seizures involving people’s private papers, the books they read, the websites they surf, the pen names they use when writing anonymously, and so on fall completely outside of the protection of constitutional criminal procedure. Professor Solove argues that the First Amendment provides protection against government information gathering implicating First Amendment interests. He contends that there are doctrinal, historical, and normative justifications to develop what he calls “First Amendment criminal procedure.” Solove sets forth an approach to determine when certain instances of government information gathering fall within the regulatory domain of the First Amendment and what level of protection the First Amendment should provide.

I welcome any comments. Eugene Volokh has some interesting analysis of the court’s First Amendment analysis here.

Privacy, Information, and Technology

My new casebook, PRIVACY, INFORMATION, AND TECHNOLOGY (ISBN: 0735562548) (with Marc Rotenberg & Paul M. Schwartz) is now hot off the presses from Aspen Publishers. It is an abridged version (300 pages) of our regular casebook, INFORMATION PRIVACY LAW (2d ed.), which is about 1000 pages in length.

Privacy, Information, and Technology is designed as a supplement to courses and seminars in technology law, information law, and cyberlaw. It will provide between 2-4 weeks of coverage of information privacy issues pertaining to technology, government surveillance, databases, consumer privacy, and government records.

More information about the book is here. If you’re interested in getting a review copy of the book, please send an email to Daniel Eckroad.

The book will sell for $35 and can be purchased on Aspen’s website.

The book consists of four chapters. Chapter 1 contains an overview of information privacy law, its origins, and philosophical readings about privacy. Chapter 2 covers issues involving law enforcement, technology, and surveillance. Chapter 3 focuses on government records, databases, and identification. Chapter 4 covers business records, financial information, identity theft, privacy policies, anonymity, data mining, and government access to private sector data.

The full table of contents is available here.

Employer Liability for Not Monitoring Its Employees’ Computer Use

The United States v. Ziegler case I wrote about in a previous post brings to mind a radical employment law case decided last December in New Jersey. [Thanks to Charlie Sullivan and Timothy Glynn for bringing the case to my attention]. The case is Doe v. XYC, 887 A.2d 1156 (N.J. Super. 2005). Since I couldn’t find a version of it online, I’ve posted a copy here.

In Doe v. XYC, Jane Doe sued XYC Corporation on behalf of her daughter, Jill. XYC Corporation employed Jane’s husband and Jill’s stepfather (referred to in the opinion as the “Employee”). The Employee “had been secretly videotaping and photographing Jill at their home in nude and semi-nude positions. Jill was ten years old at the time.” The Employee “transmitted three of the clandestinely-taken photos of Jill Doe over the Internet from his workplace computer to a child porn site in order to gain access to the site. Employee later acknowledged that he stored child pornography, including nude photos of Jill Doe, in his workplace computer.”

The court held that XYC Corporation could be liable:

We hold that an employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee’s activities and to take prompt and effective action to stop the unauthorized activity, lest it result in harm to innocent third parties. No privacy interest of the employee stands in the way of this duty on the part of the employer.

Here’s how the court reached its conclusion. I’ll try my best to trace the steps of the court’s reasoning.

First, the court noted:

In this case, defendant had an e mail policy which stated that “all messages composed, sent or received on the e mail system are and remain the property of the [defendant]. They are not the private property of any employee.” Further, defendant reserved the “right to review, audit, access and disclose all messages created, received or sent over the e mail system as deemed necessary by and at the sole discretion of [defendant].” Concerning the internet, the policy stated that employees were permitted to “access sites, which are of a business nature only” and provided that:

Any employees who discover a violation of this policy shall notify personnel. Any employee who violates this policy or uses the electronic mail or Internet system for improper purposes shall be subject to discipline, up to and including discharge.

Second, XYC’s computer network administrator discovered that the Employee was visiting porn websites. Company officials told the Employee to stop. The Employee said he would halt this activity. Note that XYC was only on notice that the Employee was viewing porn, not child porn. Therefore, the court concluded, “[w]e impute to defendant knowledge that Employee was using his work computer to access pornography.”

Update on AT&T Surveillance Class Action

Orin Kerr has written about the case:

[T]his is (as far as I know) the first judicial opinion to express a view of the merits of the NSA program. Even if it’s dicta, the reasoning is unimpressive, and it is based only on facts alleged in the EFF’s complaint, Judge Walker’s statement that it “cannot seriously [be] contended” that “the alleged domestic dragnet was legal” based on the complaint seems likely to impact the debate.

You can read how Orin reached this conclusion here.

Hide and Seek: Class Action Against AT&T For Alleged Spying To Proceed

I am in the middle of arranging for movers so I can’t give any great detail on this one but CNET reports that:

A federal judge rejected on Thursday both the U.S. government’s and AT&T’s requests to dismiss a class-action suit accusing the telephone giant of assisting the National Security Agency in a sweeping, allegedly illegal terrorist surveillance program.

I hope that Orin Kerr or Dan Solove will provide some thoughts on the opinion. Nonetheless for those who wish to jump in and read the opinion, Judge Vaughn Walker’s 72-page opinion is available here.

A quick scan suggests that Judge Walker addresses many nuances of the program in question. For example, page 38 of the opinion has a chart that “summarizes what the government has disclosed about the scope of these programs in terms of (1) the individuals whose communications are being monitored, (2) the locations of those individuals and (3) the types of information being monitored.”

Examining the chart, Judge Walker found that:

The government’s public disclosures regarding monitoring of “communication content” (i e, wiretapping or listening in on a communication) differ significantly from its disclosures regarding “communication records” (i e, collecting ancillary data pertaining to a communication, such as the telephone numbers dialed by an individual). See supra I(C)(1). Accordingly, the court separately addresses for each alleged program whether revealing the existence or scope of a certification would disclose a state secret.

Finally the court stated, “In sum, the court DENIES the government’s motion to dismiss, or in the alternative, for summary judgment on the basis of state secrets and DENIES AT&T’s motion to dismiss.”