Digital Privacy
Overview
- Digital privacy is a complex issue because the definition of privacy is ongoing and relative, not merely situational. For example, privacy in the colonial period of United States history meant something drastically different from what privacy now means in the U.S. Furthermore, privacy has different meanings across boundaries, as European privacy law differs from U.S. privacy law, and both of them differ from Canadian privacy law. As technology, specifically the internet, takes off, issues of privacy are critically important. What is now considered a public domain? Does such a thing as a private domain exist anymore? Should companies be allowed to retain data on individual users' searches? Should Google be allowed to take pictures of people's houses? What happens if someone takes a picture of a private citizen and posts it on the internet? What happens if it is a video? Is there a way to enforce a law even if passed? These are only some of the questions that need answers in this increasingly digital age. The following description and analysis of digital privacy aims to shed light on these questions and address possible solutions.
- Shift from analog to digital (see Viktor Mayer-Schoenberger's article and his idea of becoming a society that remembers instead of forgets) - what are the implications?
- Shifting notions of privacy (generation gap) - DNs born and raised in this environment of digital records vs. older generation. How did this environment impact the ways in which natives think about privacy?
Elements of Digital Privacy
Collection - digital tracks
Retention
- related to digital tracks, but how long kept, who's keeping it, what are the laws around retention, how it can be accessed
Visibility
- how technology can organize, highlight, and take out of context info that's already available online
- Private vs. public domains (what happens when the boundaries are blurred? how do you legislate?)
(Facebook News feeds, Address/ tel number look-up)
- Control over posting to the web - (offline to online)
(SSN being posted online as local government put (always) public records online, Google Street View, Posting and naming someone's picture on a MySpace page)
Control over reproduction/duplication
(ex. Washington Post article about pole vaulter)
Protection against whom?
a) Government b) service providers (Google, Facebook, ISP, etc) (what right to keep info, distribute, sell, etc.) c) marketers d) Schools, teachers, etc - what kind of rights do students have? e) others (horizontal interaction - employers, neighbors, health insurers, etc.)
EU Privacy Law
In March 2006, the European Commission passed the European Data Retention Directive. This directive legally requires all Internet and telephone service providers in the EU to retain records of communication data for up to 2 years. While communication service providers are _not_ allowed to retain records of the _content_ of communications, virtually all other data about the communications is required to be collected and stored, to be turned over to the authorities upon request.
The data required to be collected, at each instance of communication, is as follows:
For telephone communications (both mobile and stationary):
- The telephone number, name, and address of the registered user(s) of both the call or SMS initiator and the call or SMS recipient.
- The date, start time, and end time of the communication.
- Data identifying the type of communication service used (e.g. phone call, SMS, video message).
- The geographical location of both parties for the entire duration of the communication.
- Data identifying the user's communication equipment.
For Internet communications (including Internet access, e-mail, and Internet telephony):
- The userID (unique ISP provided ID), telephone number (if dial-up), name and address of registered user of both the internet communication initiator and recipient.
- The date and time of log-in and log-off to Internet access service, IP address, whether dynamic or static, user ID, date and time of the log-in and log-off of e-mail or VoIP service of both parties.
- Data identifying the type of communication service used (e.g. site access, Skype, AIM).
- The phone number for dial-up access; the digital subscriber line (DSL) or other end point of the originator of the communication.
U.S. Digital Privacy Court Decisions
- In United States v. Simons, the ruling was that employees do not have a reasonable expectation of privacy when it comes to their work-related electronic communications. (United States v. Simons)
- In United States v. Gourde, 440 F.3d 1065, 1077 (9th Cir. 2006) it was found that "for most people, their computers are their most private spaces." (United States v. Gourde)
- In 2007, United States v. Ziegler. In this case, an employee had accessed child pornography websites from his workplace computer. His employer noticed his activities, made copies of the hard drive, and gave the FBI the employee's computer. At his criminal trial, Ziegler filed a motion to suppress the evidence because he argued that the government violated his Fourth Amendment rights. The Ninth Circuit allowed the lower court to admit the child pornography evidence. After reviewing relevant Supreme Court opinions on a reasonable expectation of privacy, the Court acknowledged that Ziegler had a reasonable expectation of privacy at his office and on his computer; however, the court found that: "In this context, Ziegler could not reasonably have expected that the computer was his personal property, free from any type of control by his employer. The contents of his hard drive, like the files in Mancusi, 392 U.S. at 369, were work-related items that contained business information and which were provided to, or created by, the employee in the context of the business relationship. Ziegler's downloading of personal items to the computer did not destroy the employer's common authority. Ortega, 480 U.S. at 716. Thus...the employer, could consent to a search of the office and the computer that it provided to Ziegler for his work." (United States v. Ziegler)
- In 2007, State of New Jersey v. Shirley Reid. In the case, prosecutors asserted that Shirley Reid broke into her employer's computer system and changed its shipping address and password for suppliers. The police discovered her identity after getting a subpoena to the internet provider, Comcast Internet Service. The lower court suppressed information from the internet service provider that linked Reid with the crime. The New Jersey appellate court agreed with this decision. As a result, New Jersey offers greater privacy rights to computer users than most federal courts. Although this case does not directly discuss the Fourth Amendment, it illustrates that some states are providing more privacy protection to computer users than the federal courts. It also illustrates that case law on privacy in workplace computers is still evolving. (State of New Jersey v. Shirley Reid)
Summary of These Decisions and U.S. Privacy Laws
Americans are skeptical of the government holding their information but are OK with businesses handling it [1]. That is, in the U.S., privacy protection is essentially liberty protection, i.e. protection from government [2]. Moreover, American privacy law has never fully embraced privacy within relationships; it typically views information exposed to others as no longer private [1]. This is not surprising, since U.S. privacy law has historically focused on protecting the liberty of each individual citizen from the government. For a more complete list of the history of U.S. Privacy law, please visit :
and
Origins of Divergence of U.S. and European Privacy Laws
- Warren and Brandeis did not write on a nearly blank slate when they crafted their "right to privacy." Instead of developing and expanding the robust law of confidentiality that already existed, Warren and Brandeis took American privacy law down a different path. (SSRN)
- Before the Warren and Brandeis article, English and American privacy law were on a similar trajectory, being built out of the same materials and concepts. American judges read English precedent and attempted to situate their rulings within the fabric of the common law. Afterwards, the paths diverged. The path Warren and Brandeis charted for American privacy law was not that of developing the law of confidentiality. (SSRN)
- Instead of creating a law of privacy, however, England developed a law of confidentiality, which was explicitly distinguished from privacy. Ironically, both the American law of privacy and the English law of confidentiality emerged from the same source - the Prince Albert case. (SSRN)
Generational Differences in Attitudes about Privacy
What the Experts Think
- Jonathan Zittrain believes U.S. digital privacy law should be in the spirit of Chapman v. United States. In this case, a police search of a rented house for a whiskey still was found to be a violation of the Fourth Amendment rights of the tenant, despite the fact that the landlord had consented to the search. The Court refused to find that the right against intrusion was held only by the absentee owner of the place intruded - rather, it was held by the person who actually lived and kept his effects there.
- Jisuk Woo believes that the right not to be identified should be the most important concept that privacy consists of on the internet. By not being identified, he hopes that individuals can protect themselves from the potential risk and threat of surveillance of their activities. He believes that the modern concept of privacy has set as its main goal freedom from the government, and although citizens may be concerned about internet privacy, they willingly give up their privacy for consumer convenience and other monetary benefits. Therefore, policy measures for network privacy should focus on ensuring individual users' search for anonymity by recognizing the right to be silent about their identities and the right to disguise their identities rather than providing restrictions on easily identifiable external forces and institutions. (Woo)
- Avner Levin and Mary Jo Nicholson write that in Canada, privacy protection is focused on individual autonomy through personal control of information. Therefore, they propose the Canadian model as a conceptual middle ground between the EU and the US, as a basis for future American privacy protection. They find U.S. privacy protection to be primarily motivated by the protection of liberty; in the EU, the protection of privacy is mainly the protection of one's dignity. Canadians occupy the middle ground between the EU and the US, sharing American concerns about "Big Brother" government, while also having deep concerns about private sector abuse of their personal information. As a result, they find that Canadians identify privacy with a sense of control that enables them as individuals to set limits upon both the public and the private sector. (Levin and Nicholson)
- Wendy Seltzer
- Richards and Solove (Privacy's Other Path: Recovering the Law of Confidentiality) explore how and why privacy law developed so differently in America and England. They trace the diverging paths to Samuel Warren and Louis Brandeis' The Right to Privacy as well as William Prosser's Privacy.
- Alessandro Acquisti says "by generating incentives to handle personal information in a new way, appropriate legal intervention can allow the growth of the market for third parties providing solutions that anonymize off-line information but make it possible to share on-line profiles. By designing the appropriate liabilities, that intervention can also fight the tendency of 'trust-me' or self-regulatory solutions to fail under pressure. If privacy is a holistic concept (Scoglio, 1998), only a holistic approach can provide its adequate protection: economic tools to identify the areas of information to share and those to protect; law to signal the directions the market should thereby take; and technology to make those directions viable" (http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf)
- Viktor Mayer-Schoenberger says that "Only privacy statutes covering both the private and the public sector and encompassing all stages of the use of personal information - from collection and processing to retention and transferal - are seen as capable of containing and mitigating the danger to our privacy. So-called omnibus data protection is often bolstered with stringent auditing and enforcement procedures. The result is complex legal regimes that private and public sector users of personal information have to comply with. In many industrial and post-industrial nations around the world, from Canada, Argentina and Chile to Hong Kong to Australia and New Zealand such legislation has been enacted, partially in response to public fears of large scale data collection and retention; in Europe, the European Union (EU) Data Protection Directive, passed in 1995, obligates all twenty-seven member nations of the EU to pass stringent omnibus privacy laws. In nations where such comprehensive data protection regimes are still absent, like the United States, privacy advocates hope that media reports and general citizen unease over the threat to information privacy ultimately produce the ferment for political and legislative action. At the same token, such a response is fraught with two substantial problems: political inertia due to collective action hurdles and potential structural overreach combined with limited actual impact." (http://ksgnotes1.harvard.edu/Research/wpaper.nsf/rwp/RWP07-022/$File/rwp_07_022_mayer-schoenberger.pdf Mayer-Schoenberger)
Problems
- Choosing between providing one's personal information and giving up the information and services that an individual wants from the network is particularly difficult in the current technological environment because, in many cases, it is not known what will happen to the personal information once it is out on the network. [3]
- Google's StreetView means that people are visible just walking on the street (http://www.wired.com/culture/lifestyle/commentary/theluddite/2007/06/luddite_0607), in their house, etc.
- What one thinks is private might actually be public (potential employer checking a Facebook account) (http://diginatives.blogspot.com/2007/06/dn-specific-takeaways-from-privacy-law.html)
- American businesses handle consumers' private information and sell it to third parties (http://www.iht.com/articles/2005/08/07/news/data.php).
- While market forces might ensure fair use of data connected to the on-line identity, they do not guarantee optimal use and appropriate protection of the off-line identity (http://www.heinz.cmu.edu/~acquisti/papers/acquisti_eis_refs.pdf)
- In early September 2006, Jason Fortuny, a Seattle-area graphic designer and network administrator, posed as a woman and posted an ad to Craigslist Seattle seeking a casual sexual encounter with area men. On September 4, he posted to the internet all 178 of the responses, complete with photographs and personal contact details, describing this as the Craigslist Experiment and encouraging others to further identify the respondents. (Fortuny Incident)
Solutions
Proposed Solutions
Avner Levin and Mary Jo Nicholson as well as Viktor Mayer-Schoenberger advocate for U.S. legislation to protect citizens from the public and private sectors. Levin and Nicholson propose the Canadian privacy laws as the paradigm, as they are the middle ground between EU and U.S. laws. Levin and Nicholson's proposal is that Canadian laws share American concerns about "Big Brother" government yet also address European concerns about private sector abuse of personal information.
- Potential Problems:
- Congress would need to pass legislation against the wishes of private interests (private companies that retain personal information, Google, Yahoo, etc.). Thus, this could be difficult to pass.
- Potential Benefits:
- Seems the best way of protecting individuals' privacy rights.
Jisuk Woo and Jonathan Zittrain (in his forthcoming book) argue that the right not to be identified should be the most important privacy issue on the internet. Woo proposes policy measures that ensure anonymity for individual users.
- Potential Problems:
- Appears to contradict United States v. Ziegler
- Issue: Does an individual have a right to privacy if committing illegal activities on a public domain (i.e. company computer, company wireless, etc.)?
- Potential Benefits:
- Seemingly the closest to Warren and Brandeis' concept of "the right to be let alone."
- In the spirit of State of New Jersey v. Shirley Reid
Alessandro Acquisti proposes economic incentives through third parties' handling of personal information.
- Potential Problems:
- Market forces can be structurally flawed. Thus, this could potentially lead to money-making schemes at the expense of individual privacy.
- Potential Benefits:
- Presumably easier and quicker to pass into law (than Levin and Nicholson's proposal) because it has less adverse effect on influential special-interest groups.
- Sometimes the market is the most efficient option.
Synthesis: These solutions are not necessarily incompatible. That is, if there is a way of combining the ideal of the Canadian model with Zittrain's belief that "U.S. digital privacy law should be in the spirit of Chapman v. United States" and also incorporating economic incentives for this to happen, that may be the answer.
- Be more like Canadian law
- Levin and Nicholson's solution ties together Europe's fight for privacy as dignity and American's fight for privacy as liberty. Liberty affords control in the political sphere, not giving up control to one's government. Dignity affords control in the social sphere - not giving up control to others with whom one interacts - neighbors, teachers, businesses, employers, etc.
- Their proposed solution is the Canadian model which protects dignity and liberty.
Questions a Solution Should Answer:
- How do we afford individuals control over their image, their dignity, etc. in this digital age?
- According to past EU law precedents, new laws regarding, say, someone posting embarrassing photos of me on Flickr would be illegal, as it would invade my privacy by offending my dignity. It would not, however, offend my liberty (and it seems that such liberty arguments are largely moot anyways with the introduction of the Patriot Act, which gives the government incredible access to our private information, and hence our liberty) (http://diginatives.blogspot.com/2007/06/dn-specific-takeaways-from-privacy-law.html).
According to the authors, the Canadians "got it right". Consider their definition, and then explanation, of privacy:
" ...the right to control access to one's person and information about one's self. The right to privacy means that individuals get to decide what and how much information to give up, to whom it is given, and for what uses....A multicultural society does not attempt to impose on its members values, which some elements in it may very well hold dear - such as dignity or liberty - but encourages the development of these values autonomously, within a multicultural framework. Canadians, it seems, perceive their privacy as most importantly protecting this autonomy, and believe that members of society should be free to decide for themselves what is important for them to control."
Should the goal be to give individuals the right to control information about themselves? At the cost of government interference about collecting and posting information? (http://diginatives.blogspot.com/2007/06/dn-specific-takeaways-from-privacy-law.html). Authors argue that "Americans want their government to let them interact freely with one another and to not intervene." But this is changing: "As e-mails, modems, and PCs break down the boundaries between work and home, there are progressively fewer private or public spaces for citizens to express themselves autonomously. The Internet has blurred the distinction between the home and the office, as Americans are spending more time at the office and are using company-owned computers and Internet servers to do their work from home. But as technology poses new challenges to geographic concepts of privacy, courts have not been encouraged to think creatively about how to reconstruct zones of individual privacy and free expression."
The bold is where we come in (http://diginatives.blogspot.com/2007/06/dn-specific-takeaways-from-privacy-law.html)
- More broadly, since American privacy law often remains focused around individualistic conceptions of privacy, it has not fully embraced protecting confidentiality in relationships. In many other contexts, such as trade secrets and business confidences, American law readily provides remedies against unwarranted breaches of trust. But in the domain of privacy, American law has not progressed nearly as far as English law in recognizing and protecting trust in relationships. An increased recognition of a confidentiality-based conception of privacy might also have significant implications in other areas of American privacy law that developed under the influence of Warren and Brandeis. (SSRN)
- Concerns over such power (and its potential abuse) have prompted three types of reactions - the comprehensive legislative response, the constitutional reinterpretation response and the null response.
a. Comprehensive Privacy Legislation:
Many privacy advocates argue that the comprehensive trail of personal digitized data that are retained requires a similarly comprehensive legislative reaction. While constraining data retention, the goal of such legislative action is much broader. Only privacy statutes covering both the private and the public sector and encompassing all stages of the use of personal information - from collection and processing to retention and transferal - are seen as capable of containing and mitigating the danger to our privacy. So-called omnibus data protection is often bolstered with stringent auditing and enforcement procedures. The result is complex legal regimes that private and public sector users of personal information have to comply with.
In many industrial and post-industrial nations around the world, from Canada, Argentina and Chile to Hong Kong to Australia and New Zealand such legislation has been enacted, partially in response to public fears of large scale data collection and retention; in Europe, the European Union (EU) Data Protection Directive, passed in 1995, obligates all twenty-seven member nations of the EU to pass stringent omnibus privacy laws.
In nations where such comprehensive data protection regimes are still absent, like the United States, privacy advocates hope that media reports and general citizen unease over the threat to information privacy ultimately produce the ferment for political and legislative action.
At the same token, such a response is fraught with two substantial problems: political inertia due to collective action hurdles and potential structural overreach combined with limited actual impact. (http://ksgnotes1.harvard.edu/Research/wpaper.nsf/rwp/RWP07-022/$File/rwp_07_022_mayer-schoenberger.pdf)
Relevant Research and Articles
Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing (Mayer-Schoenberger, 2007)
How Many Ways You're Being Watched, USA Today (2007)
Enjoying Technology's Conveniences But Not Escaping Its Watchful Eyes, Washington Post (2007)
Your Identity, Open to All (Wired News, 2005)
Why Web 2.0 will end your privacy (Bit Tech, 2006)
Strong privacy laws may explain data security in Europe (Intl. Herald Tribune, 2005)
COPPA - Children's Online Privacy Protection Act
U.S. Privacy Articles
Digital Millennium Copyright Act of 1998
Software lets parents monitor kids' calls
A privacy paradox: Social networking in the United States (Barnes, 2006)
Your first girlfriend -- and the other things search engines store about you
AOL Proudly Releases Massive Amounts of User Search Data, TechCrunch, 2006
European Privacy
Relevant Legislation
EU Data Retention Directive, Article 5,6,10
EU Directive on Privacy and Electronic Communications, Article 4,5,6,9,12
Resources and Articles
Digital Civil Rights in Europe
European Data Protection Supervisor
French State Council allows tracing P2P users
The European Parliament voted for stronger data protection
Europe votes to restrict police data sharing
Google may use games to analyse net users
Minister of the Interior renews call for legal online PC search option
German government admits it is already conducting online searches
ICT lobby says Dutch law protects privacy rights in RFID applications
Privacy in US v. Europe: Comparing conceptions and legislation
"La difference" is stark in EU, U.S. privacy laws
Internet privacy law: a comparison between the United States and the European Union
Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground
Suddenly, the Paranoids Don't Seem So Paranoid Anymore, Wired, June 2007
Strong privacy laws may explain data security in Europe, The New York Times, August 2005
References
See also: Court Cases on Privacy • History of U.S. Privacy Laws