Digital Privacy

From Youth and Media
Jump to navigation Jump to search

Overview

EU Privacy Law

In March 2006, the European Commission passed the European Data Retention Directive. This directive legally requires all Internet and telephone service providers in the EU to retain records of communication data for up to 2 years. While communication service providers are _not_ allowed to retain records of the _content_ of communications, virtually all other data about the communications is required to be collected and stored, to be turned over to the authorities upon request. The data required to be collected, at each instance of communication, is as follows:


For telephone communications (both mobile and stationary):

  • The telephone number, name, and address of registered user(s) of both call or sms initiator and call or sms recipient.
  • The date, start time, and end time of the communication.
  • Data identifying the type of communication service used (eg. phone call, sms, video message).
  • The geographical location of both parties in the entire duration of the communication.
  • Data identifying user's communication equipment


For Internet communications (including Internet access, e-mail, and Internet telephony):

  • The userID (unique ISP provided ID), telephone number (if dial-up), name and address of registered user of both the internet communication initiator and recipient.
  • The date and time of log-in and log-off to Internet access service, IP address, whether dynamic or static, user ID, date and time of the log-in and log-off of e-mail or VoIP service of both parties.
  • Data identifying the type of communication service used (eg. site access, Sype, AIM).
  • The phone number for dial-up access; the digital subscriber line (DSL) or other end point of the originator of the communication.

U.S. Privacy Law

The History of U.S. Privacy Laws

Legal Decisions:

  • In 1782, the Continental Congress passed a law to protect the confidentiality of letters [1]
  • In 1811, in Denis v. LeClerc a newspaper editor sought to publish an improperly obtained letter. The court prohibited the publication of the letter because just as the defendant could not produce it to his associates, he could also not publish it in the press, due to the “sacredness” of the “confidential letter.” [2]
  • In 1825, Congress enacted another law to protect the confidentiality of letters by criminalizing taking “any letter, postal card, or package out of any post office or any authorized depository for mail matter, or from any letter or mail carrier.” [3]
  • In 1877, in Ex Parte Jackson the Supreme Court concluded that the Fourth Amendment protected letters from government inspection without a warrant. The fact that people willingly gave the government their letters for delivery did not waive protection, as the government was expected to keep them confidential. (SSRN)
  • In 1890 Samuel Warren and Louis Brandeis termed the phrase "the right to be let alone" in their famous article in the Harvard Law Review titled The Right to Privacy. This was one of the earliest legal articles in the U.S relating to privacy issues.
  • In 1891, just a year after the article was published, the “right to be let alone” found its way into constitutional law. The Supreme Court held in Union Pacific Railway Company v. Botsford that a court could not compel a plaintiff in a civil suit to undergo a surgical examination: “As well said by Judge Cooley: ‘The right to one’s person may be said to be a right of complete immunity; to be let alone’ (SSRN)
  • In the famous 1902 case of Roberson v. Rochester Folding Box Company the court rejected the right to privacy. An advertisement for Franklin Mills Flour used a drawing of a young woman, Abigail Roberson, without her consent. The picture was a flattering one, but Roberson sued because she was “humiliated” by it and suffered mental distress as a result. The court concluded that there was “no precedent” to recognize Warren and Brandeis’s tort remedies for invasion of privacy, and that such a right was best left to the legislature to enact [4]
  • In 1905, the Georgia Supreme Court recognized in the common law a tort remedy for invasions of privacy. The case, Pavesich v. New England Life Insurance Company involved a situation similar to that in Roberson – a man’s image was used in an advertisement without his consent. The court concluded that a “right of privacy in matters purely private is . . . derived from natural law.” [5]
  • In 1965, in Griswold v. Connecticut the Court declared that an individual has a right to privacy from the government Griswold v Connecticut.
  • In 1967, in Time, Inc. v. Hill the Court faced the question: Is a publication, containing misrepresentations about the subject of its coverage, protected under the First Amendment's freedom of speech guarantees? They concluded yes because "absent a finding of such malicious intent on the part of a publisher, press statements are protected under the First Amendment even if they are otherwise false or inaccurate" [6].
  • In 1968, in Mancusi v. DeForte the Supreme Court addressed whether a union employee had a legitimate expectation of privacy, and therefore Fourth Amendment standing, in the contents of records that he stored in an office that he shared with several other union officials. The Court held that DeForte had standing to object to the search and that the search was unreasonable, noting that it was clear that “if DeForte had occupied a ‘private’ office in the union headquarters, and union records had been seized from a desk or a filing cabinet in that office, he would have had standing" Mancusi v DeForte.
  • In 1977, in Zacchini v. Scripps-Howard Broadcasting Co the Supreme Court said that a news station violated the Constitution when it videotaped and aired Zacchini's "human-cannonball" stunt without his permission. The logic of the opinion is that even though the the airing was not meant to be malicious and the event took place in a public setting, because the plaintiff asked for his stunt not to be published without payment the actions of the news station were unlawful [7].
  • In 1975 in Cox Broadcasting v. Cohn the question was whether Georgia's law preventing the disclosure of the names of rape victims was constitutional. The Supreme Court held that despite the right to privacy’s “impressive credentials,” when “true information is disclosed in public court documents open to public inspection, the press cannot be sanctioned for publishing it.” The Court declined to address “the broader question” that would implicate the constitutionality of the tort in all its applications – namely, “whether the State may ever define and protect an area of privacy free from unwanted publicity in the press [8]
  • In 1987 in O'Connor ET AL. v. Ortega the Court found that workplace property remains within the control of the employer “even if the employee has placed personal items in [it]" O'Connor ET AL. v. Ortega'
  • Subsequent Supreme Court cases reiterated the Cox rule. In Smith v. Daily Mail the Court held: “If a newspaper lawfully obtains truthful information about a matter of public significance then state officials may not constitutionally punish publication of the information, absent a need to further a state interest of the highest order.” In Florida Star v. B.J.F. the Court reiterated the rule in Daily Mail in concluding that the First Amendment prohibited liability when a newspaper published the name of a rape victim obtained from a police report [9]

Digital Privacy Decisions

  • In United States v. Simons, the ruling was that employees do not have a reasonable expectation of privacy when it comes to their work related electronic communicationsUnited States v. Simons
  • In United States v. Gourde, 440 F.3d 1065, 1077 (9th Cir. 2006) it was found that "for most people, their computers are their most private spaces" United States v. Gourde
  • In 2007, United States v. Zeigler. In this case, an employee had accessed child pornography websites from his workplace computer. His employer noticed his activities, made copies of the hard drive, and gave the FBI the employee's computer. At his criminal trial, Ziegler filed a motion to suppress the evidence because he argued that the government violated his Fourth Amendment rights. The Ninth Circuit allowed the lower court to admit the child pornography evidence. After reviewing relevant Supreme Court opinions on a reasonable expectation of privacy, the Court acknowledged that Ziegler had a reasonable expectation of privacy at his office and on his computer, however, the court found that: "In this context, Ziegler could not reasonably have expected that the computer was his personal property, free from any type of control by his employer. The contents of his hard drive, like the files in Mancusi, 392 U.S. at 369, were work-related items that contained business information and which were provided to, or created by, the employee in the context of the business relationship. Ziegler’s downloading of personal items to the computer did not destroy the employer’s common authority. Ortega, 480 U.S. at 716. Thus...the employer, could consent to a search of the office and the computer that it provided to Ziegler for his work" United States v. Zeigler
  • In 2007, State of New Jersey v. Shirley Reid. In the case, prosecutors asserted that Shirley Reid broke into her employer’s computer system and changed its shipping address and password for suppliers. The police discovered her identity after getting a subpoena to the internet provider, Comcast Internet Service. The lower court suppressed information from the internet service provider that linked Reid with the crime. The New Jersey appellate court agreed with this decision. As a result, New Jersey offers greater privacy rights to computer users than most federal courts. Although this case does not directly discuss the Fourth amendment, it illustrates that some states are providing more privacy protection to computer users than the federal courts. It also illustrates that caselaw on privacy in workplace computers is still evolving State of New Jersey v. Shirley Reid

Examples of Problems Not Yet Taken to Court

  • In early September 2006, Jason Fortuny, a Seattle-area graphic designer and network administrator, posed as a woman and posted an ad to Craigslist Seattle seeking a casual sexual encounter with area men. On September 4, he posted to the internet all 178 of the responses, complete with photographs and personal contact details, describing this as the Cragslist Experiment and encouraging others to further identify the respondents. The posting was later mirrored on the satire website Encyclopædia Dramatica Fortuny Incident

U.S. Privacy Laws:

  • U.S Privacy Act of 1974 mandated a set of fair information practices, including disclosure of private information only with the an individual’s consent (with exceptions for law enforcement, archiving, and routine uses), and established the right of the subject to know what was recorded about her and to offer corrections. While it originally intended to apply to a broad range of public and private databases to parallel the H.E.W. report, the Act was amended before passage to apply only to government agencies’ records (Zittrain chapter 9)

Brief Synopsis of These Laws and Their Relation to Online Privacy/Data Retention

  • Americans are skeptical of having the government have their information but OK having business handle it [1].
  • In the US, privacy protection is essentially liberty protection, i.e. protection from government [2].
  • American privacy law has never fully embraced privacy within relationships; it typically views information exposed to others as no longer private [10].


Therefore, the modern concept of privacy is based on the people’s right to be free from intrusion into their lives by the government and mass media.... The 19th-century concept of privacy was concerned with people’s over their private space and lives against external forces; its main concern was the relationship between a person and authoritative institutions, such as the state or press. Thus, the modern concept of privacy has set as its main goal freedom from these institutions. Although people may say that they are concerned about internet privacy, they then willingly give up their privacy for consumer convenience and other monetary benefits....The right not to be identified should be the most important concept that privacy consists of on the internet and that, by not being blatantly identified, individuals can protect themselves from the potential risk and threat of not easily identifiable entities of surveillance and their activities.[11].

Problems

Choosing between providing one’s personal information and giving up the information and services that an individual wants from the network is particularly difficult in the current technological environment because, in many cases, it is not known what will happen to the personal information once it is out on the network. [12]


Disparities between digital privacy laws of the European Union and those of the United States.

'CHARTER OF FUNDAMENTAL RIGHTS OF THE EUROPEAN UNION'

Article 7 Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications.

Article 8 Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.[3] [4]

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [5]


Regulation 45/2001 [6]

U.S. Laws

   * United States Code
         o TITLE 17 - COPYRIGHTS
               + CHAPTER 12 - COPYRIGHT PROTECTION AND MANAGEMENT SYSTEMS 

Section 1205. Savings clause

     Nothing in this chapter abrogates, diminishes, or weakens the
   provisions of, nor provides any defense or element of mitigation in
   a criminal prosecution or civil action under, any Federal or State
   law that prevents the violation of the privacy of an individual in
   connection with the individual's use of the Internet. [7]

Solutions

Therefore, policy measures for network privacy should focus on ensuring individual users’ search for anonymity by recognizing the right to be silent about their identities and the right to disguise their identities rather than providing restrictions on easily identifiable external forces and institutions. [13]

Relevant Research and Articles

Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing (Mayer-Schoenberger, 2007)

How Many Ways You're Being Watched, USA Today (2007)

Enjoying Technologies Conveniences But Not Escaping Its Watchful Eyes, Washington Post (2007)

Mediating the public/private boundary at home : children’s use of the internet for privacy and participation (S. Livingstone, 2005)

Your Identity, Open to All (Wired News, 2005)

Why Web 2.0 will end your privacy (Bit Tech, 2006)

Strong privacy laws may explain data security in Europe (Intl. Herald Tribune, 2005)

OnGuardOnline - provides tips from the federal government and the technology industry on Internet fraud, securing your computer, and protecting your personal information.

COPPA - Children's Online Privacy Protection Act

Imagined Communities: Awareness, Information Sharing, and Privacy on the Facebook (Acquisti and Gross, 2006).

Privacy International, A Race to the Bottom: Privacy Ranking of Internet Service Companies June 9, 2007.

U.S. Privacy Articles

Digital Millenium Copyright Act of 1998

Software lets parents monitor kids' calls

A privacy paradox: Social networking in the United States (Barnes, 2006)

Your first girlfriend -- and the other things search engines store about you

European Privacy

Relevant Legislation

EU Data Retention Directive, Article 5,6,10

EU Directive on Privacy and Electronic Communications, Article 4,5,6,9,12

Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8,10

Resources and Articles

Digital Civil Rights in Europe

European Data Protection Supervisor

Data Protection

Legislation

French State Council allows tracing P2P users

The European Parliament voted for stronger data protection

Europe votes to restrict police data sharing

Google may use games to analyse net users

Minister of the Interior renews call for legal online PC search option

German government admits it is already conducting online searches

Google hostile to privacy

ICT lobby says Dutch law protects privacy rights in RFID applications

Privacy in US v. Europe: Comparing conceptions and legislation

‘La difference’ is stark in EU, U.S. privacy laws

Internet privacy law: a comparison between the United States and the European Union

Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground

N. Richards & D. Solove, PRIVACY’S OTHER PATH: RECOVERING THE LAW OF CONFIDENTIALITY (A comparison of English and American privacy law)

Suddenly, the Paranoids Don't Seem So Paranoid Anymore, Wired, June 2007

Strong privacy laws may explain data security in Europe, The New York Times', August 2005

Reference

  1. SSRN
  2. (SSRN)
  3. (SSRN)
  4. (SSRN)
  5. (SSRN)
  6. [[8]]
  7. [9]
  8. (SSRN)
  9. (SSRN)
  10. SSRN
  11. Woo article
  12. Woo
  13. Woo