Archive for the ‘Privacy (Gossip & Shaming)’ Category
posted by Daniel Solove
In 2012, the media erupted with news about employers demanding employees provide them with their social media passwords so the employers could access their accounts. This news took many people by surprise, and it set off a firestorm of public outrage. It even sparked a significant legislative response in the states.
I thought that the practice of demanding passwords was so outrageous that it couldn’t be very common. What kind of company or organization would actually do this? I thought it was a fringe practice done by a few small companies without much awareness of privacy law.
But Bradley Shear, an attorney who has focused extensively on the issue, opened my eyes to the fact that the practice is much more prevalent than I had imagined, and it is an issue that has very important implications as we move more of our personal data to the Cloud.
The Widespread Hunger for Access
Employers are not the only ones demanding social media passwords – schools are doing so too, especially athletic departments in higher education, many of which engage in extensive monitoring of the online activities of student athletes. Some require students to turn over passwords, install special software and apps, or friend coaches on Facebook and other sites. According to an article in USA Today: “As a condition of participating in sports, the schools require athletes to agree to monitoring software being placed on their social media accounts. This software emails alerts to coaches whenever athletes use a word that could embarrass the student, the university or tarnish their images on services such as Twitter, Facebook, YouTube and MySpace.”
Not only are colleges and universities engaging in the practice, but K-12 schools are doing so as well. An MSNBC article discusses the case of a parent’s outrage over school officials demanding access to a 13-year-old girl’s Facebook account. According to the mother, “The whole family is exposed in this. . . . Some families communicate through Facebook. What if her aunt was going through a divorce or had an illness? And now there’s these anonymous people reading through this information.”
In addition to private sector employers and schools, public sector employers such as state government agencies are demanding access to online accounts. According to another MSNBC article: “In Maryland, job seekers applying to the state’s Department of Corrections have been asked during interviews to log into their accounts and let an interviewer watch while the potential employee clicks through posts, friends, photos and anything else that might be found behind the privacy wall.”
June 3, 2013 at 10:51 am Posted in: Constitutional Law, Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Social Network Websites
posted by Danielle Citron
Privacy leading lights Dan Solove and Paul Schwartz have recently released the 2013 edition of Privacy Law Fundamentals, a must-have for privacy practitioners, scholars, students, and really anyone who cares about privacy.
Privacy Law Fundamentals is an essential primer of the state of privacy law, capturing the up-to-date developments in legislation, FTC enforcement actions, and cases here and abroad. As Chief Privacy Officers like Intel’s David Hoffman and renowned privacy practitioners like Hogan’s Chris Wolf and Covington’s Kurt Wimmer agree, Privacy Law Fundamentals is an “essential” and “authoritative guide” on privacy law, compact and incredibly useful. For those of you who know Dan and Paul, their work is not only incredibly wise and helpful but also dispensed in person with serious humor. Check out this YouTube video, “Privacy Law in 60 Seconds,” to see what I mean. I think that Psy may have a run for his money on making us smile.
March 8, 2013 at 8:42 am Posted in: Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)
posted by Danielle Citron
My recent post offered a potential amendment to Section 230 of the CDA that would exempt from the safe harbor operators whose sites are primarily designed to host illegal activity. Even without such legal change, cyber cesspool operators could face criminal liability if prosecutors took matters seriously. Section 230 does not provide a safe harbor to federal criminal charges. Consider revenge porn operator Hunter Moore’s statement to the press (Forbes’s Kashmir Hill and Betabeat’s Jessica Roy) that, on his new site, he will overlay maps of individuals’ homes next to their naked pictures and social media accounts (if he does not like them). If Moore is serious, he might open himself up to criminal charges of aiding and abetting cyber stalking. Congress, in its 2006 reauthorization of the Violence Against Women Act (VAWA), banned the use of any “interactive computer service” to engage in a “course of conduct” that places a person in another state in reasonable fear of serious bodily injury or death or that is intended to cause, and causes, a victim to suffer substantial emotional distress. 18 U.S.C.A. 2261A(2) (2012). As the Executive Director of the National Center for Victims of Crime explained in congressional testimony:
[S]talkers are using very sophisticated technology . . . —installing spyware on your computer so they can track all of your interactions on the Internet, your purchases, your e-mails and so forth, and using that against you, forwarding e-mails to people at your job, broadcasting your whereabouts, your purchases, your reading habits and so on, or installing GPS in your car so that you will show up at the grocery store, at your local church, wherever and there is the stalker and you can’t imagine how the stalker knew that you were going to be there. . . . this legislation amends the statute so that prosecutors have more effective tools, I think, to address technology through VAWA.
Congress ought to consider passing laws that criminalize the operation of sites designed to facilitate the posting of nude photographs without subjects’ consent, along the lines of state invasion of privacy laws. States like New Jersey prohibit the posting of someone’s nude or partially nude images without his or her consent if the images were recorded in a place where a reasonable person would enjoy an expectation of privacy. The Senate Judiciary Committee recently approved a bill that makes it a crime to make an online app whose primary use is to facilitate cyber stalking. The next important step is to criminalize sites doing the same.
Of course, laws will have limited coercive and expressive impact if they are never enforced. As the group End Revenge Porn rightly notes, “State police argue that the crime is occurring on the internet, which therefore crosses state lines and is out of their jurisdiction. The FBI claim that these cases are civil and/or do not threaten national security and should therefore be handled solely by lawyers.” Changing those social attitudes and legal solutions is key. Advocacy groups like Without My Consent, lawyers, law professors like Mary Anne Franks, see here, Ann Bartow, see here, and Derek Bambauer, see here, activists like Jill Filipovic and Charlotte Laws, and most recently victims behind Women Against Revenge Porn and End Revenge Porn are working hard on this score. One might say that their work is part of an emerging cyber civil rights movement. (Check out Professor Franks’s important commentary about revenge porn on HuffPo Live). Lucky for us at CoOp, Professor Franks will be joining us next month as a guest blogger. I will be working hard to finish my book Hate 3.0: The Rise of Discriminatory Online Harassment and How to Stop It (forthcoming Harvard University Press) and working with Professor Franks on non-consensual pornography, so more to come.
posted by Danielle Citron
Why leave the safe harbor provision intact for site operators, search engines, and other online service providers that do not attempt to block offensive, indecent, or illegal activity but by no means encourage or are principally used to host illicit material as cyber cesspools do? If we retain that immunity, some harassment and stalking — including revenge porn — will remain online because site operators hosting it cannot be legally required to take them down. Why countenance that possibility?
Because of the risk of collateral censorship—blocking or filtering speech to avoid potential liability even if the speech is legally protected. In what is often called the heckler’s veto, people may abuse their ability to complain, using the threat of liability to ensure that site operators block or remove posts for no good reason. They might complain because they disagree with the political views expressed or dislike the posters’ disparaging tone. Providers would be especially inclined to remove content in the face of frivolous complaints in instances where they have little interest in keeping up the complained-about content. Take, as an illustration, the popular newsgathering site Digg. If faced with legal liability, it might automatically take down posts even though they involve protected speech. The newsgathering site lacks a vested interest in keeping up any particular post given its overall goal of crowd sourcing vast quantities of news that people like. Given the scale of their operation, they may lack the resources to hire enough people to cull through complaints to weed out frivolous ones.
Sites like Digg differ from revenge porn sites and other cyber cesspools whose operators have an incentive to refrain from removing complained-about content such as revenge porn and the like. Cyber cesspools obtain economic benefits by hosting harassing material that may make it worth the risk to continue to do so. Collateral censorship is far less likely—because it is in their economic interest to keep up destructive material. As Slate reporter and cyber bullying expert Emily Bazelon has remarked, concerns about the heckler’s veto get more deference than they should in the context of revenge porn sites and other cyber cesspools. (Read Bazelon’s important new book Sticks and Stones: Defeating the Culture of Bullying and Rediscovering the Power of Character and Empathy). It does not justify immunizing cyber cesspool operators from liability.
Let’s be clear about what this would mean. Dispensing with cyber cesspools’ immunity would not mean that they would be strictly liable for user-generated content. A legal theory would need to sanction remedies against them.
posted by Danielle Citron
Plaintiffs’ lawyers have some reason to think that they can convince courts to change their broad-sweeping view of Section 230. In the rare case, courts have pierced the safe harbor, though not because the site operators failed to engage in good faith attempts to protect against offensive or indecent material. In 2011, a federal district court permitted a woman to sue the site operator of the Dirty.com for defamation on the grounds that Section 230 is forfeited if the site owner “invites the posting of illegal materials or makes actionable postings itself.” Sarah Jones v. Dirty World Entertainment Recordings LLC, 766 F. Supp.2d 828, 836 (E.D. Kentucky 2011).
That trial judge relied on a Ninth Circuit decision, Fair Housing Council v. Roommates.com, which involved a classified ad service that helps people find suitable roommates. To sign up for the site’s service, subscribers had to fill out an online questionnaire that asked questions about their gender, race, and sexual orientation. One question asked subscribers to choose a roommate preference, such as “Straight or gay males,” only “Gay” males, or “No males.” Fair housing advocates sued the site, arguing that its questionnaires violated federal and state discrimination laws. The Ninth Circuit found that Section 230 failed to immunize the defendant site from liability because it created the questions and choice of answers and thus became the “information content provider.” The court ruled that since the site required users to answer its questions from a list of possible responses of its choosing, the site was “the developer, at least in part, of that information.” Each user’s profile page was partially the defendant’s responsibility because every profile is a “collaborative effort between [the site] and the subscriber.”
As the Ninth Circuit held (and as a few courts have followed), Section 230 does not grant immunity for helping third parties develop unlawful conduct. The court differentiated the defendant’s site from search engines whose processes might be seen as contributing to the development of content, its search results. According to the court, ordinary search engines “do not use unlawful criteria to limit the scope of searches conducted on them” and thus do not play a part in the development of unlawful searches. The court endorsed the view that sites designed to facilitate illegal activity fell outside Section 230’s safe harbor provision.
Here is the rub. To reach its conclusion, the Ninth Circuit essentially had to rewrite the statute, which defines information content providers as those responsible for the “creation and development of information provided through the Internet,” not the creation and development of illegal information.
posted by Danielle Citron
Last week, a group of women filed a lawsuit against the revenge porn site Texxxan.com as well as the hosting company Go Daddy! Defendant Texxxan.com invites users to post nude photographs of individuals who never consented to their posting. Revenge porn sites — whether Private Voyeur, Is Anyone Down?, HunterMoore.tv (and the former IsAnyoneUp?), or Texxxan.com — mostly host women’s naked pictures next to their contact information and links to their social media profiles. Much like other forms of cyber stalking, revenge porn ruins individuals’ reputations as the pictures saturate Google searches of their names, incites third parties to email and stalk individuals, causes terrible embarrassment and shame, and risks physical stalking and harm. In the recently filed suit, victims of revenge porn have brought invasion of privacy and civil conspiracy claims against the site operator and the web hosting company, not the posters themselves who may be difficult to find. More difficult though will be getting the case past a Rule 12(b)(6) motion to dismiss.
In this post, I’m going to explain why this lawsuit is facing an uphill battle under Section 230 of the Communications Decency Act and why extending Section 230’s safe harbor to sites designed to encourage illicit activity seems out of whack with the broader purpose of CDA. In my next post, I will talk about cases that seemingly open the door for plaintiffs to bring their suit and why those cases provide a poor foundation for their arguments.
Does Section 230 give revenge porn operators free rein to ruin people’s lives (as revenge porn site operator Hunter Moore proudly describes what he does)? Sad to say, it does.
posted by Daniel Solove
For my privacy and security training company, TeachPrivacy, I recently created this 2-minute comical cartoon vignette to teach about the importance of privacy and apps. No login is required. Click the link above or the image below to see the video.
posted by Daniel Solove
Dharun Ravi was sentenced today for his violations of Tyler Clementi’s privacy. From Yahoo:
A New Jersey judge sentenced a former Rutgers student to 30 days in jail for using a webcam to spy on his roommate kissing another man.
Dharun Ravi, 20, was convicted on two second-degree bias intimidation charges in a case that garnered national headlines because his roommate, Tyler Clementi, committed suicide after the spying.
Clementi, 18, jumped from the George Washington Bridge three days after learning that a September 2010 encounter with an older man was seen by a computer-mounted camera Ravi had set up in their dorm room. The case highlighted the issues of gay bullying and teen suicide.
The judge also placed three years of probation. Ravi faced a maximum sentence of 10 years in prison. The judge spared the prison time and did not recommend Ravi be deported to India, where he was born and remains a citizen. Ravi was also ordered to get counseling and to pay $10,000 towards a program to help victims of bias crimes.
Update: Just after I posted this, I saw that Danielle Citron got to this first. Check out her post here.
posted by Deven Desai
Do you want everyone to know what book you read, film you watch, search you perform, automatically? No? Yes? Why? Why Not? It is odd to me that the ideas behind the Video Privacy Protection Act do not indicate a rather quick extension. But there is a debate about whether our intellectual consumption should have privacy protection, and if so, what that should look like. Luckily, Neil Richards has some answers. His post on Social Reading is a good read. His response to the idea that automatic sharing is wise and benefits all captures some core points:
Not so fast. The sharing of book, film, and music recommendations is important, and social networking has certainly made this easier. But a world of automatic, always-on disclosure should give us pause. What we read, watch, and listen to matter, because they are how we make up our minds about important social issues – in a very real sense, they’re how we make sense of the world.
What’s at stake is something I call “intellectual privacy” – the idea that records of our reading and movie watching deserve special protection compared to other kinds of personal information. The films we watch, the books we read, and the web sites we visit are essential to the ways we try to understand the world we live in. Intellectual privacy protects our ability to think for ourselves, without worrying that other people might judge us based on what we read. It allows us to explore ideas that other people might not approve of, and to figure out our politics, sexuality, and personal values, among other things. It lets us watch or read whatever we want without fear of embarrassment or being outed. This is the case whether we’re reading communist, gay teen, or anti-globalization books; or visiting web sites about abortion, gun control, or cancer; or watching videos of pornography, or documentaries by Michael Moore, or even “The Hangover 2.”
And before you go off and say Neil doesn’t get “it” whatever “it” may be, note that he is making a good distinction: “when we share – when we speak – we should do so consciously and deliberately, not automatically and unconsciously. Because of the constitutional magnitude of these values, our social, technological, professional, and legal norms should support rather than undermine our intellectual privacy.”
I easily recommend reading the full post. For those interested in a little more on the topic, the full paper is forthcoming in Georgetown Law Journal and available here. And, if you don’t know Neil Richards’ work (SSRN), you should. Even if you disagree with him, Neil’s writing is of that rare sort where you are better off by reading it. The clean style and sharp ideas force one to engage and think, and thus they also allow one to call out problems so that understanding moves forward. (See Orwell, Politics and the English Language). Enjoy.
posted by Peter Swire
(Partial disclaimer — I do teach the privacy torts for part of one class, just so the students realize how narrow they are.)
I was talking the other day with Chris Hoofnagle, a co-founder of the Privacy Law Scholars Conference and someone I respect very much. He and I have both recently taught Privacy Law using the text by Dan Solove and Paul Schwartz. After the intro chapter, the text has a humongous chapter 2 about the privacy torts, such as intrusion on seclusion, false light, public revelation of private facts, and so on. Chris and other profs I have spoken with find that the chapter takes weeks to teach.
I skip that chapter entirely. In talking with Chris, I began to articulate why. It has to do with my philosophy of what the modern privacy enterprise is about.
For me, the modern project about information privacy is pervasively about IT systems. There are lots of times we allow personal information to flow. There are lots of times where it’s a bad idea. We build our collection and dissemination systems in highly computerized form, trying to gain the advantages while minimizing the risks. Alan Westin got it right when he called his 1970’s book “Databanks in a Free Society.” It’s about the data.
Privacy torts aren’t about the data. They usually are individualized revelations in a one-of-a-kind setting. Importantly, the reasonableness test in tort is a lousy match for whether an IT system is well designed. Torts have not done well at building privacy into IT systems, nor have they been of much use in other IT system issues, such as deciding whether an IT system is unreasonably insecure or suing software manufacturers under products liability law. IT systems are complex and evolve rapidly, and are a terrible match with the common sense of a jury trying to decide if the defendant did some particular thing wrong.
When privacy torts don’t work, we substitute regulatory systems, such as HIPAA or Gramm-Leach-Bliley. To make up for the failures of the intrusion tort, we create the Do Not Call list and telemarketing sales rules that precisely define how much intrusion the marketer can make into our time at home with the family.
A second reason for skipping the privacy torts is that the First Amendment has rendered unconstitutional a wide range of the practices that the privacy torts might otherwise have evolved to address. Lots of intrusive publication about an individual is considered “newsworthy” and thus protected speech. The Europeans have narrower free speech rights, so they have somewhat more room to give legal effect to intrusion and public revelation claims.
It’s about the data. Torts has almost nothing to say about what data should flow in IT systems. So I skip the privacy torts.
Other profs might have other goals. But I expect to keep skipping chapter 2.
April 15, 2012 at 11:55 pm Tags: privacy;privacy teaching;torts;intrusion Posted in: Cyberlaw, First Amendment, Privacy, Privacy (Consumer Privacy), Privacy (Gossip & Shaming), Teaching
posted by Daniel Solove
Dharun Ravi was found guilty of invasion of privacy when he used a webcam to watch and broadcast online Clementi’s intimate activities with another man in their shared dorm room. From CNN:
A former Rutgers University student accused of spying on and intimidating his gay roommate by use of a hidden webcam was found guilty on all counts, including invasion of privacy and the more severe charges of bias intimidation, in a case that thrust cyberbullying into the national spotlight.
Dharun Ravi, 20, could now face up to 10 years in jail and deportation to his native India. He was also found guilty of witness tampering, hindering apprehension and tampering of physical evidence.
The jury was confronted with a series of questions on each charge. Though it found Ravi not guilty on several questions within the verdict sheet, because he was found guilty on at least one question on each main count, he could now face the maximum penalty.
From ABC News:
A New Jersey jury today found former Rutgers student Dharun Ravi guilty on all counts for using a webcam to spy on his roommate, Tyler Clementi, having a gay sexual encounter in 2010.
Ravi, 20, was convicted of invasion of privacy, bias intimidation, witness tampering and hindering arrest, stemming from his role in activating the webcam to peek at Clementi’s date with a man in the dorm room on Sept. 19, 2010. Ravi was also convicted of encouraging others to spy during a second date, on Sept. 21, 2010, and intimidating Clementi for being gay.
Ravi was found not guilty of some subparts of the 15 counts of bias intimidation, attempted invasion of privacy, and attempted bias intimidation, but needed only to be found guilty of one part of each count to be convicted.
Here is New Jersey’s invasion of privacy statute:
posted by Derek Bambauer
(This post is based on a talk I gave at the Seton Hall Legislative Journal’s symposium on Bullying and the Social Media Generation. Many thanks to Frank Pasquale, Marisa Hourdajian, and Michelle Newton for the invitation, and to Jane Yakowitz and Will Creeley for a great discussion!)
New Jersey enacted the Anti-Bullying Bill of Rights (ABBR) in 2011, in part as a response to the tragic suicide of Tyler Clementi at Rutgers University. It is routinely lauded as the country’s broadest, most inclusive, and strongest anti-bullying law. That is not entirely a compliment. In this post, I make two core claims. First, the Anti-Bullying Bill of Rights has several aspects that are problematic from a First Amendment perspective – in particular, the overbreadth of its definition of prohibited conduct, the enforcement discretion afforded school personnel, and the risk of impingement upon religious and political freedoms. I argue that the legislation departs from established precedent on disruptions of the educational environment by regulating horizontal relations between students rather than vertical relations between students and the school as an institution / environment. Second, I believe we should be cautious about statutory regimes that enable government actors to sanction speech based on content. I suggest that it is difficult to distinguish, on a principled basis, between bullying (which is bad) and social sanctions that enforce norms (which are good). Moreover, anti-bullying laws risk displacing effective informal measures that emerge from peer production.
February 21, 2012 at 10:20 pm Posted in: Anonymity, Blogging, Bright Ideas, Civil Rights, Conferences, Constitutional Law, Culture, Current Events, Cyber Civil Rights, Cyberlaw, Education, First Amendment, Media Law, Politics, Privacy (Gossip & Shaming), Psychology and Behavior, Race, Religion, Social Network Websites, Technology, Web 2.0
posted by Daniel Solove
The tape of the frantic 911 call from actress Demi Moore’s Beverly Hills home Monday night is out and, reports CBS News national correspondent Lee Cowan, the scene sounds a lot more dire than her publicist had let on.
After Moore was rushed to the hospital, a statement said she’d be seeking professional help for exhaustion and her overall health.
“The 911 tape really indicates that this is a much more serious situation than we were first led to believe,” says US Weekly’s Melanie Bromley. “We’ve been told it’s exhaustion that she’s suffering from, but you can tell from the tape that there’s a very desperate situation there. She’s having convulsions and she’s almost losing consciousness. It’s a very scary tape to listen to.”
Why is this public? Many 911 calls, like the one with Demi Moore, involve requests for medical treatment. Typically, whenever any doctor, nurse, or healthcare professional learns information about a person, it is stringently protected. A healthcare provider who breaches medical confidentiality can face ethical charges as well as legal liability for the breach of confidentiality tort. In addition, there may be HIPAA violations if the healthcare provider is HIPAA-regulated. 911 call centers are not HIPAA-regulated, but the operators are in a special position of trust and are often providing healthcare advice (and calling for healthcare services such as ambulances). If the call from Demi Moore’s home had been to a hospital or a doctor or any other type of healthcare provider, public disclosure of the call would be forbidden. Why isn’t a 911 call seen in the same light?
As I pointed out in my earlier post about the issue, I believe the release of 911 call transcripts to the public violates the constitutional right to information privacy. The cases generally recognize strong privacy rights whenever health information is involved. States with laws, policies, or practices that infringe upon the constitutional right to information privacy might be liable in a Section 1983 suit. I have not seen one yet, but it is about time something sparks states to rethink their policies about making the calls public.
The rationale for making the calls public is to provide transparency about the responsiveness of 911 call centers. But this can be done in other ways without violating the privacy of individuals. The main use of the Demi Moore call being public is to serve as grist for the media to learn about her problems. This doesn’t make the 911 system safer or better; it just makes the tabloids sell faster.
posted by Daniel Solove
An increasing problem is caused when medical personnel post details about patients on their social media websites. From Daily News:
Providence Holy Cross Medical Center officials are investigating an employee who allegedly posted a patient’s medical information on his Facebook page, apparently to make fun of the woman and her medical condition.
According to a printout of the Facebook page obtained by the Daily News, the employee displayed a photo of a medical record listing the woman’s name and the date she was admitted, and posted the comment: “Funny but this patient came in to cure her VD and get birth control.”
Providence officials said the employee was provided by a staffing agency.
An interesting fact in this article is that most healthcare institutions lack policies for employee use of social media:
Only about a third of all hospitals are believed to have specific policies in place regarding patient information and social media sites, such as Facebook and Twitter, according to published reports.
I expect this to change in the next few years.
Hat Tip: Pogo Was Right
posted by Daniel Solove
Here’s a list of notable privacy books published in 2011.
Saul Levmore & Martha Nussbaum, eds., The Offensive Internet (Harvard 2011)
This is a great collection of essays about the clash of free speech and privacy online. I have a book chapter in this volume along with Martha Nussbaum, Cass Sunstein, Brian Leiter, Danielle Citron, Frank Pasquale, Geoffrey Stone, and many others.
Daniel J. Solove, Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale 2011)
Nothing to Hide “succinctly and persuasively debunks the arguments that have contributed to privacy’s demise, including the canard that if you have nothing to hide, you have nothing to fear from surveillance. Privacy, he reminds us, is an essential aspect of human existence, and of a healthy liberal democracy—a right that protects the innocent, not just the guilty.” — David Cole, New York Review of Books
Jeff Jarvis, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live (Simon & Schuster 2011)
I strongly disagree with a lot of what Jarvis says, but the book is certainly provocative and engaging.
Daniel J. Solove & Paul M. Schwartz, Privacy Law Fundamentals (IAPP 2011)
“A key resource for busy professional practitioners. Solove and Schwartz have succeeded in distilling the fundamentals of privacy law in a manner accessible to a broad audience.” – Jules Polonetsky, Future of Privacy Forum
Eli Pariser, The Filter Bubble (Penguin 2011)
An interesting critique of the personalization of the Internet. We often don’t see the Internet directly, but through tinted goggles designed by others who determine what we want to see.
Siva Vaidhyanathan, The Googlization of Everything (U. California 2011)
A vigorous critique of Google and other companies that shape the Internet. With regard to privacy, Vaidhyanathan explains how social media and other companies encourage people’s sharing of information through their architecture — and often confound people in their ability to control their reputation.
Susan Landau, Surveillance or Security? The Risk Posed by New Wiretapping Technologies (MIT 2011)
A compelling argument for how designing technologies around surveillance capabilities will undermine rather than promote security.
Kevin Mitnick, Ghost in the Wires (Little Brown 2011)
A fascinating account of the exploits of Kevin Mitnick, the famous ex-hacker who inspired War Games. His tales are quite engaging, and he demonstrates that hacking is often not just about technical wizardry but old-fashioned con-artistry.
Matt Ivester, lol . . . OMG! (CreateSpace 2011)
Ivester created Juicy Campus, the notorious college gossip website. After the site’s demise, Ivester changed his views about online gossip, recognizing the problems with Juicy Campus and the harms it caused. In this book, he offers thoughtful advice for students about what they post online.
Joseph Epstein, Gossip: The Untrivial Pursuit (Houghton Mifflin Harcourt 2011)
A short engaging book that is filled with interesting stories and quotes about gossip. Highly literate, this book aims to expose gossip’s bad and good sides, and how new media are transforming gossip in troublesome ways.
Anita Allen, Unpopular Privacy (Oxford 2011)
My blurb: “We live in a world of increasing exposure, and privacy is increasingly imperiled by the torrent of information being released online. In this powerful book, Anita Allen examines when the law should mandate privacy and when it shouldn’t. With nuance and thoughtfulness, Allen bravely tackles some of the toughest questions about privacy law — those involving the appropriate level of legal paternalism. Unpopular Privacy is lively, engaging, and provocative. It is filled with vivid examples, complex and fascinating issues, and thought-provoking ideas.”
Frederick Lane, Cybertraps for the Young (NTI Upstream 2011)
A great overview of the various problems the Internet poses for children such as cyberbullying and sexting. This book is a very accessible overview for parents.
Clare Sullivan, Digital Identity (University of Adelaide Press 2011)
Australian scholar Clare Sullivan explores the rise of “digital identity,” which is used for engaging in various transactions. Instead of arguing against systematized identification, she sees the future as heading inevitably in that direction and proposes a robust set of rights individuals should have over such identities. This is a thoughtful and pragmatic book, with a great discussion of Australian, UK, and EU law.
December 29, 2011 at 11:12 pm Posted in: Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical)
posted by Daniel Solove
Jeff Jarvis has this humorous piece about the FTC vs. Santa:
Federal Trade Commission Chairman Jon Leibowitz today announced a record fine against Santa Claus for violations of the Children’s Online Privacy Protection Act.
“Mr. Claus has flagrantly violated children’s privacy, collecting their consumer preferences for toys and also tracking their behavior so as to judge and maintain a data base of naughtiness and niceness,” Leibowitz said. “Worse, he has tied this data to personally identifiable information, including any child’s name, address, and age. He has solicited this information online, in some cases passing data to third parties so they may fulfill children’s wishes. According to unconfirmed reports, he has gone so far as to invade children’s homes in the dead of night. He has done this on a broad scale, unchallenged by government authorities for too long.”
I also heard that DHS has called for the arrest of Santa for flying over restricted airspace. The FBI is seeking his records about those who are naughty. The TSA is upset that he bypassed security screening. Meanwhile, his reindeer are being charged with cyberbullying Rudolf. And he’s in trouble with the NLRB for his restrictive social media policy forbidding his elves from blogging about their low pay and inability to unionize. . . .
posted by Daniel Solove
Increasingly, states and school districts are struggling over how to deal with teachers who communicate with students online via social network websites. One foolish way to address the issue is via strict bans, such as a law passed in Missouri earlier this year that attempted to ban teachers from friending students on social network websites. Such laws are likely violations of the First Amendment right to freedom of speech and association, and I blogged at the Huffington Post that the law was unconstitutional. Soon thereafter, a court quickly struck down the law.
The NY Times now has an article out about the challenges in crafting social media policies for teacher-student interaction, noting that “stricter guidelines are meeting resistance from some teachers because of the increasing importance of technology as a teaching tool and of using social media to engage with students.”
There are a number of considerations that schools should think about when crafting a social media policy:
1. The policy should account for the fact that there are legitimate reasons for students and teachers to communicate online. A teacher might be related to a student, and certainly a law or policy shouldn’t ban parents from friending their children. Or a teacher might be a godparent to a child or a close family friend or related in some way.
2. One middle-ground approach is to require parental consent whenever a teacher wants to friend a minor student online. This greater transparency will address the cases where teachers might have inappropriate communication with minors.
3. Clear guidelines about appropriate teacher expression should be set forth, so teachers know what things will be inappropriate to say. Teachers need to learn about their legal obligations of confidentiality, as well as avoiding invasions of privacy, defamation, harassment, threats, and other problematic forms of speech.
5. Education is key. I’ve read about a lot of cases involving improper social media use by educators, and they often stem from a lack of awareness. Teachers think they can say nearly anything and it will be protected by the First Amendment. The First Amendment law actually gives schools a lot of leeway in disciplining educators for what they say, and educators can also be sued by those whom they write about. Educators often think that if they post something anonymously, then it is okay or they can get away with it — but anonymity online is often a mirage, and comments can readily be traced back to the speaker. And educators often set the privacy settings on social media sites incorrectly. They don’t spend enough time learning the ins and outs of the privacy settings. These are actually quite tricky — even rocket scientists have trouble figuring them out.
posted by Daniel Solove
The new edition of my casebook, Information Privacy Law (4th edition) (with Paul M. Schwartz) is hot off the presses. And there’s a new edition of my casebook, Privacy, Information, and Technology (3rd edition) (with Paul M. Schwartz). Copies should be sent out to adopters very soon. If you’re interested in adopting the book and are having any difficulties getting a hold of a copy, please let me know.
You also might be interested in my concise guide to privacy law, also with Paul Schwartz, entitled Privacy Law Fundamentals. This short book was published earlier this year. You can order it on Amazon or via IAPP. It might make for a useful reference tool for students.
December 13, 2011 at 1:31 am Posted in: Articles and Books, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)
posted by Daniel Solove
Facebook has settled with the FTC over its change to its privacy policies back in 2009. According to the FTC complaint, as summed up by the FTC press release, Facebook engaged in a number of unfair and deceptive trade practices:
- In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.
- Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The settlement, which requires auditing of Facebook for 20 years, imposes a number of requirements. Facebook will be:
posted by Daniel Solove
A common argument made to justify First Amendment restrictions on privacy torts and defamation law is that legal liability will chill the media. I am generally sympathetic to these arguments, though only to a point. I think these arguments are often overblown. An interesting point of comparison is the UK, where there is a much weaker protection of free speech and much stronger defamation law. Although the UK has not embraced all of the privacy torts recognized in the United States, it has come close, recognizing a robust tort of breach of confidence. Despite the lack of a First Amendment equivalent, and the stronger legal liability for gossip and libel, the press in the UK seems anything but chilled or cowed. Consider J.K. Rowling’s recent testimony:
Rowling said a “wholly untrue” Daily Express story, which claimed she had based an unpleasant character on her ex-husband, had meant she had to have a “horrible” conversation with their young daughter to explain that it was not the case.
“This episode caused real emotional hurt,” she said, because her daughter had to cope with other children believing that about her father.
Rowling added: “It portrayed me as a vindictive person who would use a book to vilify anyone against whom I had a grudge.”
Rowling also pointed to a story published in the Sunday Mirror, which claimed her husband had given up his job as a doctor “to be at the beck and call of his obscenely rich wife,” she said.
This was “damaging misinformation” about her husband, who is not a celebrity, she said, because it led colleagues to believe he had abandoned his medical career. The paper subsequently apologized.
Defamatory articles spread like fire and are difficult to contain, she told the inquiry, but she had no “magical answer” to the problem of abuses by the press.
Rowling’s testimony, and that of others, reveals a rabid and fervent media in the UK — in spite of the stronger laws. This makes me ponder whether the claim that strong privacy and defamation law will chill the media is false — or at least is overblown as I believe. But another conclusion may be drawn from this — perhaps the law doesn’t do much work at all. It appears that the media’s behavior is not dramatically affected by the law, and thus the law really fails to shape norms or impact behavior. I’m not sure I agree with this claim, but it is one that should be pondered.
The situation calls for further thought. How can it be that the tabloid press is so robust in the UK, which appears to have much weaker free speech protections than the US? I only have guesses, not answers, and this question has always struck me as one worth investigating.