Overview

Digital Privacy is a complex issue because the definition of privacy is on-going and relative, not merely situational. For example, privacy in the colonial period of United States history meant something drastically different from what privacy now means in the U.S. Furthermore, privacy has different meanings across boundaries--as European privacy law differs from U.S privacy law, and both of them differ from Canadian privacy law. As technology, specifically the internet, takes off, issues of privacy are critically important. What is now considered a public domain? Does such a thing as a private domain exist anymore? Should companies be allowed to retain data on individual user's searches? Should Google be allowed to take pictures of people's houses? What happens if someone takes a picture of a private citizen and posts it on the internet? What happens if it is a video? Is there a way to enforce a law even if passed?

What are the implications of growing up in a society that always remembers and never forgets? The life of a Digital Native is constantly recorded through digital tracks. What will the future hold? How does this environment impact the ways in which Digital Natives think about privacy? The generation gap between non-natives and natives highlights the blurring definition of privacy. Previously thought private domains are being public--and public places are no longer parochially public but in fact globally public.

These are only some of the questions that need answers in this increasingly digital age. The following description and analysis of digital privacy aims to shed light on these questions and addresses possible solutions.

Elements of Digital Privacy

Collection & Retention- digital tracks & readily accessible information

• SUMMARY: The life of a Digital Native is constantly being recorded. This information about a Digital Native is retained by and accessible to others. The following are examples of what kind of data is retained, who collects it, and who can view it:

• For example, a search on Google results in a stream of information is sent to, and stored in, the Google servers. This includes the computer IP address, the date and time of the query, the browser used, and the unique cookie ID assigned to the computer. If G-mail users are logged in then Google associates this data with personally identifiable information.

• Microsoft Live Search also records the type of search you conducted (image, Web, local, etc.), while Google additionally stores your browser type and language. And when you click on a link displayed on Google, that may also be recorded and associated with your computer's IP address. While Google Inc. recently announced that it would make its search logs anonymous after 18 months' time by deleting part of the IP address and obfuscating cookies associated with search queries, Microsoft Corp. and Yahoo Inc. haven't yet made their retention policies public. AOL LLC stores this data for just one month.[1]

• Every Internet search resides on a computer somewhere. Comings and goings are monitored by security cameras. Phone calls are logged by telecommunications companies.[2]

• This Washington Post article shows a typical day of an ordinary woman and what kinds of information is collected about her.

• In 2006, AOL released the search data of over 20 million users for the public to view [3]

• ZabaSearch queries return a wealth of info sometimes dating back more than 10 years: residential addresses, phone numbers both listed and unlisted, birth year, even satellite photos of people's homes. ZabaSearch isn't the first or only such service online. Yahoo's free People Search, for example, returns names, telephone numbers and addresses. But the information is nothing more than what's been available for years in the White Pages...Far more personal information is available from data brokers, including aliases, bankruptcy records and tax liens. That access typically requires a fee, however, which has always been a barrier to the casual snooper...But ZabaSearch makes it easier than ever to find comprehensive personal information on anyone.[4]

Visibility

• Technology can organize, highlight, and take out of context info that's already available online. For example, the New York Times recently reported that Rudy Giuliani's daughter supported Barack Obama on Facebook.[5] After this was reported her profile was taken down. This incident shows that much of the information on the internet is available for anyone to see. ZabaSearch provides people's full name, birth date and address.
  • Facebook news feeds, Address & telephone number look-up

• Private vs. Public Domains. What happens when these boundaries are blurred? How do you legislate?

Places once thought private are now becoming public. Places once thought public are now global. On many internet sites, the default is set for the least privacy. Given the increase in accessibility to information and the decrease in privacy are there effective ways to legislate privacy rights? Legal experts provide solutions are available under the subheading 'What the Experts Think'

• Control over posting to the web - (offline to online)

(SSN being posted online as local government put (always) public records online, Google Street View, Posting and naming someone's picture on a MySpace page)

Control over reproduction/duplication

• SUMMARY: This is a tricky issue arising from the internet. Previously thought private information is now becoming public. The following are examples of people's picture/video taken without their permission and circulated throughout the internet. While in the first example the victim is not in the wrong, whereas in the other two people genuinely did immoral acts, nevertheless the issue arises: Does a person control a right to reproduction/duplication of their body and actions from the internet? As of yet, no solution has been found that does grant full autonomy to the individual.

• The Washington Post recently reported a story about Allison Stokke, whose picture was taken at a public venue and then circulated around the internet without her consent. The issue that arises is simple: Does she have a right to protect herself from unauthorized duplication of pictures of her? Currently, U.S. laws do not protect her.

• In 2006 on a bus heading to Hong Kong, a dispute occurred on the bus involving two men. The altercation was filmed by another passenger's cell phone and posted on the internet. The video became the most popular on the internet in May 2006.[6] The incident became known as "bus uncle".

• Then there's the story of Dog Poop Girl whose dog threw up on a subway car. She did not clean it up. A fellow passenger took her picture and posted it online asking for people to identify her. The Washington Post reports that "humiliated in public and indelibly marked, the woman reportedly quit her university."
  • The Dog Poop Girl case "involves a norm that most people would seemingly agree to -- clean up after your dog," wrote Daniel J. Solove, a George Washington University law professor who specializes in privacy issues, on one blog. "But having a permanent record of one's norm violations is upping the sanction to a whole new level . . . allowing bloggers to act as a cyber-posse, tracking down norm violators and branding them with digital scarlet letters."[7]

Protection against whom?

Privacy protection can be broken down to include protection from:

• a) Government: U.S. Privacy laws focus on protecting individual citizens from infringement by the government.
• b) Service Providers (Google, Facebook, ISP, etc) are not specifically regulated by U.S law on issues such as : right to keep info, distribute, sell, etc.
• c) Schools, teachers, etc - what kind of rights do students have?
• d) Employers, neighbors, health insurers, etc.

EU Privacy Law

In March 2006, the European Commission passed the European Data Retention Directive. This directive legally requires all Internet and telephone service providers in the EU to retain records of communication data for up to 2 years. While communication service providers are _not_ allowed to retain records of the _content_ of communications, virtually all other data about the communications is required to be collected and stored, to be turned over to the authorities upon request.

The data required to be collected, at each instance of communication, is as follows:

For telephone communications (both mobile and stationary):

• The telephone number, name, and address of registered user(s) of both call or sms initiator and call or sms recipient.
• The date, start time, and end time of the communication.
• Data identifying the type of communication service used (eg. phone call, sms, video message).
• The geographical location of both parties in the entire duration of the communication.
• Data identifying user's communication equipment

For Internet communications (including Internet access, e-mail, and Internet telephony):

• The userID (unique ISP provided ID), telephone number (if dial-up), name and address of registered user of both the internet communication initiator and recipient.
• The date and time of log-in and log-off to Internet access service, IP address, whether dynamic or static, user ID, date and time of the log-in and log-off of e-mail or VoIP service of both parties.
• Data identifying the type of communication service used (eg. site access, Sype, AIM).
• The phone number for dial-up access; the digital subscriber line (DSL) or other end point of the originator of the communication.

U.S. Privacy Law

Court Cases on Privacy

and

History of U.S. Privacy Laws

Divergence of U.S. and European Privacy Laws

Origins

• Warren and Brandeis did not write on a nearly blank slate when they crafted their “right to privacy.” Instead of developing and expanding the robust law of confidentiality that already existed, Warren and Brandeis took American privacy law down a different path. [8]
  • Before the Warren and Brandeis article, English and American privacy law were on a similar trajectory, being built out of the same materials and concepts. American judges read English precedent and attempted to situate their rulings within the fabric of the common law. Afterwards, the paths diverged. The path Warren and Brandeis charted for American privacy law was not that of developing the law of confidentiality. [9]
  • Instead of creating a law of privacy, however, England developed a law of confidentiality, which was explicitly distinguished from privacy. Ironically, both the American law of privacy and the English law of confidentiality emerged from the same source – the Prince Albert case.[10]

European Privacy Law?

• • According to past EU laws precedents, new laws regarding, say, someone posting embarrassing photos of another on Flickr would be illegal, as it is an invasion of privacy and offends one's dignity. It would not, however, offend liberty (and it seems that such liberty arguments are largely moot anyways with the introduction of the Patriot Act, which gives the government incredible access to our private information, and hence our liberty).

Avner Levin and Mary Jo Nicholson's definition of Canadian Privacy Law:

• " ...the right to control access to one’s person and information about one’s self. The right to privacy means that individuals get to decide what and how much information to give up, to whom it is given, and for what uses....A multicultural society does not attempt to impose on its members values, which some elements in it may very well hold dear—such as dignity or liberty—but encourages the development of these values autonomously, within a multicultural framework. Canadians, it seems, perceive their privacy as most importantly protecting this autonomy, and believe that members of society should be free to decide for themselves what is important for them to control" (Levin, Avner and Nicholson, Mary Jo, "Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground" . University of Ottawa Law & Technology Journal, Vol. 2, No. 2, pp. 357-395, 2005 Available at SSRN: http://ssrn.com/abstract=894079).

Problems with American Privacy Law

• "Americans want their government to let them interact freely with one another and to not intervene." But this is changing: "As e-mails, modems, and PCs break down the boundaries between work and home, there are progressively fewer private or public spaces for citizens to express themselves autonomously. The Internet has blurred the distinction between the home and the office, as Americans are spending more time at the office and are using company-owned computers and Internet servers to do their work from home. But as technology poses new challenges to geographic concepts of privacy, courts have not been encouraged to think creatively about how to reconstruct zones of individual privacy and free expression." (Levin, Avner and Nicholson, Mary Jo, "Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground" . University of Ottawa Law & Technology Journal, Vol. 2, No. 2, pp. 357-395, 2005 Available at SSRN: http://ssrn.com/abstract=894079)

• More broadly, since American privacy law often remains focused around individualistic conceptions of privacy, it has not fully embraced protecting confidentiality in relationships. In many other contexts, such as trade secrets and business confidences, American law readily provides remedies against unwarranted breaches of trust. But in the domain of privacy, American law has not progressed nearly as far as English law in recognizing and protecting trust in relationships. An increased recognition of a confidentiality-based conception of privacy might also have significant implications in other areas of American privacy law that developed under the influence of Warren and Brandeis. [11] (Richards, Neil M. and Solove, Daniel J., "Privacy's Other Path: Recovering the Law of Confidentiality" . Georgetown Law Journal, 2007 Available at SSRN: http://ssrn.com/abstract=969495)

Generational Differences in Attitudes about Privacy

What the Experts Think

1. Jonathan Zittrain believes U.S. digital privacy law should be in the spirit of Chapman v. United States. In this case, a police search of a rented house for a whiskey still was found to be a violation of the Fourth Amendment rights of the tenant, despite the fact that the landlord had consented to the search. The Court refused to find that the right against intrusion was held only by the absentee owner of the place intruded — rather, it was held by the person who actually lived and kept his effects there.
2. Jisuk Woo believes that the right not to be identified should be the most important concept that privacy consists of on the internet. By not being identified, he hopes that individuals can protect themselves from the potential risk and threat of surveillance of their activities. He believes that the modern concept of privacy has set as its main goal freedom from the government, and although citizens may be concerned about internet privacy, they willingly give up their privacy for consumer convenience and other monetary benefits. Therefore, policy measures for network privacy should focus on ensuring individual users’ search for anonymity by recognizing the right to be silent about their identities and the right to disguise their identities rather than providing restrictions on easily identifiable external forces and institutions. Woo
3. Avner Levin and Mary Jo Nicholson write that in Canada, privacy protection is focused on individual autonomy through personal control of information. Therefore, they propose the Canadian model as a conceptual middle ground between the EU and the US, as a basis for future American privacy protection. They find U.S. privacy protection to be primarily motivated by the protection of liberty; In the EU, the protection of privacy is mainly the protection of one’s dignity. Canadians occupy the middle ground between the EU and the US, sharing American concerns about “Big Brother” government, while also having deep concerns about private sector abuse of their personal information. As a result, they find that Canadians identify privacy with a sense of control that enables them as individuals to set limits upon both the public and the private sector. Levin and Nicholson
4. Wendy Seltzer
5. Richards and Solove's (Privacy's Other Path: Recovering the Law of Confidentiality) explore how and why privacy law developed so differently in America and England. They trace the diverging paths as a result of Samuel Warren and Louis Brandeis' The Right to Privacy as well as William Prosser's Privacy.
6. Alessandro Acquisti says “by generating incentives to handle personal information in a new way, appropriate legal intervention can allow the growth of the market for third parties providing solutions that anonymize off-line information but make it possible to share on-line profiles. By designing the appropriate liabilities, that intervention can also fight the tendency of “trust-me” or self-regulatory solutions to fail under pressure. If privacy is a holistic concept (Scoglio, 1998), only a holistic approach can provide its adequate protection: economic tools to identify the areas of information to share and those to protect; law to signal the directions the market should thereby take; and technology to make those directions viable” (http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf)
7. Viktor Mayer-Schoenberger says that “Only privacy statutes covering both the private and the public sector and encompassing all stages of the use of personal information - from collection and processing to retention and transferal - are seen as capable of containing and mitigating the danger to our privacy. So-called omnibus data protection is often bolstered with stringent auditing and enforcement procedures. The result is complex legal regimes that private and public sector users of personal information have to comply with in many industrial and post-industrial nations around the world, from Canada, Argentina and Chile to Hong Kong to Australia and New Zealand such legislation has been enacted, partially in response to public fears of large scale data collection and retention; in Europe, the European Union (EU) Data Protection Directive, passed in 1995, obligates all twenty-seven member nations of the EU to pass stringent omnibus privacy laws. In nations where such comprehensive data protection regimes are still absent, like the United States, privacy advocates hope that media reports and general citizen unease over the threat to information privacy ultimately produce the ferment for political and legislative action. At the same token, such a response is fraught with two substantial problems: political inertia due to collective action hurdles and potential structural overreach combined with limited actual impact. (http://ksgnotes1.harvard.edu/Research/wpaper.nsf/rwp/RWP07-022/$File/rwp_07_022_mayer-schoenberger.pdf Mayer-Schoenberger)

Problems

• Choosing between providing one’s personal information and giving up the information and services that an individual wants from the network is particularly difficult in the current technological environment because, in many cases, it is not known what will happen to the personal information once it is out on the network. [12]

• Google’s StreetView means that people are visible just walking on the street (http://www.wired.com/culture/lifestyle/commentary/theluddite/2007/06/luddite_0607), in their house, etc.

• What one thinks is private might actually be public (potential employer checking a facebook account) (http://diginatives.blogspot.com/2007/06/dn-specific-takeaways-from-privacy-law.html)

• American business handle consumers private information and sell it to third parties (http://www.iht.com/articles/2005/08/07/news/data.php).

• While market forces might ensure fair use of data connected to the on-line identity, they do not guarantee optimal use and appropriate protection of the off-line identity (http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf)

• In early September 2006, Jason Fortuny, a Seattle-area graphic designer and network administrator, posed as a woman and posted an ad to Craigslist Seattle seeking a casual sexual encounter with area men. On September 4, he posted to the internet all 178 of the responses, complete with photographs and personal contact details, describing this as the Cragslist Experiment and encouraging others to further identify the respondents. Fortuny Incident

Solutions

Proposed Solutions

Avner Levin and Mary Jo Nicholson as well as Viktor Mayer-Schoenberger advocate for U.S. legislation to protect citizens from the public and private sectors. Levin and Nicholson propose the Canadian privacy laws as the paradigm—as they are the middle ground between EU and U.S. laws. Levin and Nicholson’s proposal is that Canadian laws share American concerns about “Big Brother” government yet also address European concerns about private sector abuse of personal information.

• Potential Problems:
  • Congress would need to pass legislation against the wishes of private-interests (private companies that retain personal information, Google, Yahoo, etc.). Thus, this could be difficult to pass.
• Potential Benefits:
  • Seems the best way of protecting individual’s privacy rights.

Jisuk Woo and Jonathan Zittrain (in his forthcoming book) argue that the right not to be identified should be the most important privacy issue on the internet. Woo proposes policy measures that ensure anonymity for individual users’.

• Potential Problems:
  • Appears to contradict United States v. Zeigler
    • Issue: Does individual have right to privacy if committing illegal activities on public domain? (ie company computer, company wireless, etc.)
• Potential Benefits:
  • Seemingly the closest to Warren and Brandeis concept of “the right to be let alone.”
  • In the spirit of State of New Jersey v. Shirley Reid

Alessandro Acquisti proposes economic incentives through third parties handling of personal information.

• Potential Problems:
  • Market forces can be structurally flawed. Thus, this could potentially lead to money-making schemes at the expense of individual privacy.
• Potential Benefits:
  • Presumably easier and quicker to pass into law (than Levin and Nicholson’s proposal) because less adverse effect on influential special-interest groups.
  • Sometimes the market is the most efficient option.

Synthesis: These solutions are not necessarily incompatible. That is, if there is a way of combining the ideal of the Canadian model with Zittrain’s belief that “U.S. digital privacy law should be in the spirit of Chapman v. United States” and also incorporate economic incentives for this to happen—that may be the answer.

Recent Court Cases Illustrating Views on Digital Privacy

• In United States v. Simons, the ruling was that employees do not have a reasonable expectation of privacy when it comes to their work related electronic communications
• In United States v. Gourde, 440 F.3d 1065, 1077 (9th Cir. 2006) it was found that "for most people, their computers are their most private spaces"
• In 2007, United States v. Zeigler. In this case, an employee had accessed child pornography websites from his workplace computer. His employer noticed his activities, made copies of the hard drive, and gave the FBI the employee's computer. At his criminal trial, Ziegler filed a motion to suppress the evidence because he argued that the government violated his Fourth Amendment rights. The Ninth Circuit allowed the lower court to admit the child pornography evidence. After reviewing relevant Supreme Court opinions on a reasonable expectation of privacy, the Court acknowledged that Ziegler had a reasonable expectation of privacy at his office and on his computer, however, the court found that: "In this context, Ziegler could not reasonably have expected that the computer was his personal property, free from any type of control by his employer. The contents of his hard drive, like the files in Mancusi, 392 U.S. at 369, were work-related items that contained business information and which were provided to, or created by, the employee in the context of the business relationship. Ziegler’s downloading of personal items to the computer did not destroy the employer’s common authority. Ortega, 480 U.S. at 716. Thus...the employer, could consent to a search of the office and the computer that it provided to Ziegler for his work"
• In 2007, State of New Jersey v. Shirley Reid. In the case, prosecutors asserted that Shirley Reid broke into her employer’s computer system and changed its shipping address and password for suppliers. The police discovered her identity after getting a subpoena to the internet provider, Comcast Internet Service. The lower court suppressed information from the internet service provider that linked Reid with the crime. The New Jersey appellate court agreed with this decision. As a result, New Jersey offers greater privacy rights to computer users than most federal courts. Although this case does not directly discuss the Fourth amendment, it illustrates that some states are providing more privacy protection to computer users than the federal courts. It also illustrates that case law on privacy in workplace computers is still evolving.

Summary of These Decisions and U.S Privacy Laws

Americans are skeptical of having the government have their information but OK having business handle it [13]. That is, in the US privacy protection is essentially liberty protection, i.e. protection from government [14]. Moreover, American privacy law has never fully embraced privacy within relationships; it typically views information exposed to others as no longer private.[15] This is not that surprising since U.S. Privacy law historically focused on protecting the liberty of each individual citizen from the government. For a more complete list of the history of U.S. Privacy law, please visit :

Court Cases on Privacy

and

History of U.S. Privacy Laws

Relevant Research and Articles

Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing (Mayer-Schoenberger, 2007)

How Many Ways You're Being Watched, USA Today (2007)

Enjoying Technologies Conveniences But Not Escaping Its Watchful Eyes, Washington Post (2007)

Mediating the public/private boundary at home : children’s use of the internet for privacy and participation (S. Livingstone, 2005)

Your Identity, Open to All (Wired News, 2005)

Why Web 2.0 will end your privacy (Bit Tech, 2006)

Strong privacy laws may explain data security in Europe (Intl. Herald Tribune, 2005)

OnGuardOnline - provides tips from the federal government and the technology industry on Internet fraud, securing your computer, and protecting your personal information.

COPPA - Children's Online Privacy Protection Act

Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook (Acquisti and Gross, 2006).

Privacy International, A Race to the Bottom: Privacy Ranking of Internet Service Companies June 9, 2007.

BBC News: Google Calls for Global Web Privacy Laws, 09.14.07.

U.S. Privacy Articles

Digital Millenium Copyright Act of 1998

Software lets parents monitor kids' calls

A privacy paradox: Social networking in the United States (Barnes, 2006)

Your first girlfriend -- and the other things search engines store about you

AOL Proudly Releases Massive Amounts of User Search Data, TechCrunch, 2006

Say what? Nevada judge loses post over MySpace 'bias against prosecutors' (August 2007)

European Privacy

Relevant Legislation

EU Data Retention Directive, Article 5,6,10

EU Directive on Privacy and Electronic Communications, Article 4,5,6,9,12

Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8,10

Resources and Articles

Digital Civil Rights in Europe

European Data Protection Supervisor

Data Protection

Legislation

French State Council allows tracing P2P users

The European Parliament voted for stronger data protection

Europe votes to restrict police data sharing

Google may use games to analyse net users

Minister of the Interior renews call for legal online PC search option

German government admits it is already conducting online searches

Google hostile to privacy

ICT lobby says Dutch law protects privacy rights in RFID applications

Privacy in US v. Europe: Comparing conceptions and legislation

‘La difference’ is stark in EU, U.S. privacy laws

Internet privacy law: a comparison between the United States and the European Union

Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground

N. Richards & D. Solove, PRIVACY’S OTHER PATH: RECOVERING THE LAW OF CONFIDENTIALITY (A comparison of English and American privacy law)

Suddenly, the Paranoids Don't Seem So Paranoid Anymore, Wired, June 2007

Strong privacy laws may explain data security in Europe, The New York Times', August 2005