University of Minnesota The author gratefully acknowledges the invaluable assistance of Cary Snyder, a University of Minnesota law student and Silha Center research assistant, in the preparation of this outline. We also utilized research
by Jacob Parsley, a University of Minnesota law
student, and Patrick File, a University of Minnesota Ph.D. student, both Silha Center Fellows.
Table of Contents
I. DATA COLLECTION AND BEHAVIORAL
A. Proposed Congressional Legislation 3
B. FTC on Self-Regulatory Behavioral
Advertising Principles 9
B. Proposed Federal Legislation to Protect
Personal Data, Require Notification 25
C. HIPAA Breach Notification Rule Issued 27
D. Supreme Court Requires a ‘Knowing
Theft’ for Aggravated Sentence 28
E. Social Security Numbers Can Be Guessed 31
F. Massachusetts and Nevada Encryption Laws
Could Become National Standard 34
G. Class Actions in ID Theft and Data Breach Cases 37
H. Hacking: Threats and Consequences 44
III. GOVERNMENT AND PRIVATE SECTOR
SURVEILLANCE AND DATA
A. Unclassified Report on U.S. Wiretapping 52
B. Court Challenges to Wiretapping Program 54
C. Emerging Technology to Monitor
Government Snooping 57
D. Google Street View Seen as Privacy Threat 58
E. RFIDs Can Be Tracked 64
F. Videos Lead to Accusations of Breaking
Privacy Laws 66
G. Entrusting Google, Amazon With Personal,
Public Records 69
H. Bloggers in Court 74
I. Advances in Phone Technology Bring Benefits,
J. Redaction Methods May Not Serve Their Purpose 79
IV. DATA PRIVACY IN THE WORKPLACE AND
ON CAMPUS 81
A. Requests for Passwords to Social Networking
B. Be Wary of Writing Reviews on LinkedIn 83
C. Confusion and Abuses of FERPA 85
D. Split Develops in Application of Computer
Fraud and Abuse Act 88
E. Limits to What Employers Can Know,
Say About Employees 91
F. N.J. Law Would Prohibit Prosecuting
Teens for “Sexting” 95
V. SOCIAL NETWORKING SITES: PRIVACY
CONCERNS AND POTENTIAL PITFALLS OF
A. EU Regulators Recommend Stricter Rules 97
B. Canada Privacy Commissioner Warns
Facebook To Tighten Privacy Controls 100
C. Reporters’ Use of Social Networking Sites 102
D. Sites Offer a Vehicle for Scams and Viruses 106
E. Court Cases Involving Social Networking Sites 107
F. Chinese Social Networking Sites Go Offline 117
When considering online privacy protection, safety, and security, lawmakers and regulators struggle to keep pace with rapidly emerging technologies that raise new challenges. Balancing traditional notions of privacy and the First Amendment with technological advances is further complicated by the need to consider any proposed oversight in light of international regulatory developments. Any discussion of data privacy and security must address comparable initiatives abroad, both as a means to explore emerging regulatory ideas in this country and to understand the rules that will govern entities such as Google and Facebook, headquartered in the United States, but with users around the globe.
I. DATA COLLECTION AND BEHAVIORAL
ADVERTISING A. Proposed Congressional Legislation House lawmakers have announced plans to develop national privacy legislation designed to provide Internet users more control over the information that is being collected about their online activity.1 Rep. Rick Boucher (D-Va.), chairman of the House Internet subcommittee, the entity leading the legislative effort, believes “consumers are entitled to some baseline protections” from behavioral advertising.2 Toward this end, a Senate committee and two House subcommittees have held hearings to learn about the benefits, potential abuses, and privacy concerns arising from Internet use.3 Representatives of Internet service providers (ISPs), online advertisers and consumer groups are among those who have provided insight on the current state of private sector monitoring of Internet use. These individuals and groups have also offered suggestions on what the proposed legislation should include.
1. What is deep packet inspection, or DPI? Deep packet inspection (DPI) is a developing technology that enables ISPs to open every packet of information sent over the Internet, read its entire contents and treat it differently based on what it includes. This treatment could include adding advertising information, collecting data about users or blocking the content altogether. A common analogy used to describe DPI is to think of the United States Postal Service starting a side business to open every letter, read its contents, and sell the information inside without the consent of the sender or recipient. Without the use of DPI, Internet service providers simply read the top level of routing information as it passes through the network, similar to how postal employees read the address on an envelope to ensure it reaches its correct destination.5
Aside from the privacy implications of DPI, some worry that the technology will enable an ISP to block, or at least slow, the transmission of content that does not help its bottom line finances while letting other traffic take priority. “The thought that a network operator could track a user’s every move on the Internet, record the details of every search and read every e-mail or attached document is alarming,” Boucher said at the outset of a subcommittee hearing on April 23, 2009, on recent developments in consumer privacy. Consumers often do not know information is being collected about them online, and if they do, they often do not know who is collecting it or how it will be used. “In the absence of legal rules, companies that are gathering this data will be free to use it for whatever purpose they wish – the data for a targeted ad today could become a detailed personal profile sold to a prospective employer or government agency tomorrow,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a non-partisan research organization.6
2. Opt-in or opt-out? A contentious point as Congress drafts Internet privacy legislation is whether to mandate an opt-in or opt-out policy. In general, consumer groups favor a ban against the collection of data on consumers’ online habits unless they explicitly agree to its collection, while Internet companies generally favor opt-out policies.7 Anne Toth, head of privacy for Yahoo! Inc., argued against drawing a bright line between the two options. “The answer is that it’s not one or the other – it’s both. Some services and models should require an opt-in approach, while, for other models, an opt-out is a more appropriate default,” Toth said. She contended that the decision between whether to use an opt-in or opt-out approach for a particular service requires considering “whether everything a user does online is collected through the service.”8 3. Benefits of DPI In addressing the privacy concerns raised by deep packet inspection, Congress must also balance the benefits the technology provides. These benefits go beyond the targeted advertisements that are likely to increase revenues for advertisers and retailers. Kyle McSlarrow, president and CEO of the National Cable and Telecommunications Association, identified several pro-consumer purposes of the technology. First, it can be used to detect viruses and prevent spam to guard against invasions of subscribers’ home computers. Second, it can allow cable operators to plan for network growth by anticipating the needs of their subscribers. Third, it enables network operators to accurately respond to request from law enforcement to intercept communication. McSlarrow also touted packet inspection as a tool in providing more choices and controls as Internet technology evolves, such as advanced parental controls over the streaming videos watched by children.9 4. Use of Behavioral Advertising Companies that employ DPI for targeted advertising often stress that the information intercepted is anonymous in nature and that they only use a limited amount of the available data. “However, the privacy concerns that arise from the use of DPI begin with the interception, diversion, or copying of substantially all of the Internet traffic of all subscribers. Just because ISPs or advertising networks may use only a small portion of what is captured and do not retain other information does not diminish the breadth and intrusiveness of the initial data capture,” said Leslie Harris, president and CEO of the Center for Democracy and Technology.10
Internet companies take varying approaches to collecting and using data for targeted advertising. Facebook claims its use of targeted advertising enables the company to offer the social networking site free of charge. Chris Kelly, Facebook’s privacy officer, explained to lawmakers that Facebook uses information in individual profiles, such as someone’s favorite movies, but that this is transmitted to third parties in non-personally identifying form. For example, Kelly said users may see an advertisement for a film screening based on what they list as their favorite movies, but personally identifying information (name, e-mail address and other contact information) will not be given to advertisers. Kelly acknowledged the company may have previously been “inartful in communicating with our users and the general public about our advertising products,” but that “users should choose what information they share with advertisers.”11
In March 2009, Google announced it would move toward interest-based advertising in which advertisements would be shown to consumers based on the Web pages they visit and the YouTube videos they watch online. Users have the ability to view, add and remove the categories (sports, travel, cooking, etc.) used to show them interest-based ads when they visit Web sites. Users can also opt-out of interest-based ads altogether.12 AT&T Inc. says it is committed to developing an opt-in policy that will require affirmative, advance action by the consumer before his online practices will be tracked for behavioral advertising.13 5. Safeguards in Place Self-regulation may already prevent some abuses of DPI. “Good privacy protection is also good business,” said McSlarrow, who added that cable ISPs have used DPI legitimately “for many years now – and for many good reasons.”14 Some specific uses of DPI may already be prohibited under federal the Wiretap Act, 18 U.S.C. §§ 2510-2522, and Cable Act, 47 U.S.C. § 553. However, the boundaries of the Wiretap Act as it applies to DPI are not clear in all contexts. “Moreover, the Act was last modified more than 20 years ago and has not kept pace with technology. It simply does not provide sufficient protection to consumers against DPI’s risks,” Harris said. She cautioned that there are difficulties in providing adequate notice and consent between consumers and Internet service providers, particularly in instances when more than one person uses a single Internet connection.15 B. FTC on Self-Regulatory Behavioral Advertising Principles On Feb. 12, 2009, the Federal Trade Commission released a report proposing self-regulation guidelines for behavioral advertising.16 The guidelines center on four governing concepts. First, companies should notify consumers they are collecting information for advertising purposes and offer a choice about whether to allow the practice. Second, companies should provide reasonable security measures to protect data from falling into the wrong hands and should retain data only for so long as needed for legitimate business or law enforcement needs. Third, companies should obtain express consent from consumers before using data in a manner that is different than originally promised. Fourth, companies should also obtain express consent from consumers before using sensitive data – such as information about children, health or finances – for behavioral advertising.
1. Details on Principles In response to comments the FTC received after it released an initial draft of proposed self-regulatory principles in December 2007,17 the Commission elaborated on the guidelines in its 2009 report. The updated report proposes to apply the principles, including providing a choice for consumers to consent to data collection, to both personally identifiable information and non-personally identifiable information. Therefore, the principles would apply to any data “that reasonably could be associated with a particular consumer or with a particular computer or device.” The principles do not apply to contextual advertising, or advertising based on the content of a specific Web site rather than on data collected on a user over time. An example of contextual advertising is when a consumer is shown an advertisement for tennis rackets while visiting a tennis-focused Web site.
2. Commissioners React Two FTC commissioners have released statements detailing their personal views about regulating behavioral advertising. Commissioner Pamela Jones Harbour opposes a legislative approach to behavior advertising “at this time” because “there are still more questions than answers” about the industry and “any legislation should be part of a comprehensive policy agenda, rather than fostering the current piecemeal approach to privacy.” Jones Harbour also advocated for more Commission involvement because the results of self-regulation programs were “mixed at best.”18 Commissioner Jon Leibowitz wrote separately to make sure that the report’s “endorsement of self-regulation is viewed neither as a regulatory retreat by the Agency nor an imprimatur for current business practice.”19 3. Consumers, Commission Keep a More
Watchful Eye In addition to issuing the guidelines, the FTC has allocated more staff attorneys to monitor the behavioral advertising industry, said Peder Magee, an attorney who oversees behavioral advertising issues with the FTC’s Bureau of Consumer Protection. “If the industry ignores the principles, they might not like the results,” Magee said.20
Consumers have started to take action when they suspect companies go too far in monitoring their Internet usage to create targeted advertisements. Internet subscribers filed separate class action lawsuits in California federal court against the online advertising companies NebuAd21 and Adzilla.22 The subscribers allege that the companies violated their privacy and Internet security rights by monitoring the content of their online activity without their consent in order to produce targeted ads. Scott Kamber, the plaintiffs’ attorney in both cases, said that as these “deceptive tactics” become more common in a slumping economy, “it’s going to be harder for [companies] to explain to a judge that this is appropriate.”23
C. Advertising Trade Groups Release Self
Regulatory Principles In an effort to ward off federal regulation,24 a consortium of advertising trade groups on July 1 released its own guidelines for how its members should use and collect data.25 The report defines online behavioral advertising as “the collection of data online from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests inferred from such Web viewing behaviors.” The guidelines include seven governing principles: education, transparency, consumer control, data security, material changes, sensitive data and accountability.
These principles incorporate many of the self-regulatory measures advanced by the FTC in its Feb. 12, 2009, report, and in some cases go even further to protect consumer privacy. For example, the principles lay out a generally defined means of enforcement by instituting monitoring programs and requiring a way to collect complaints from the public. “Programs will also, at a minimum, publicly report instances of noncompliance and refer entities that do not correct violations to the appropriate government agencies,” the report says. The trade group report flatly prohibits the collection of information about children, and requires consent to collect health and financial data.
Similar to the FTC report, the trade groups would require that consumers be informed information is being collected about them and require their consent to do so. However, it is unclear if the trade groups go as far as the FTC wants by requiring consent to collect all data, including personally identifiable and non-personally identifiable data. The FTC welcomed the report as having “the potential to dramatically advance the cause of consumer privacy,” FTC Commissioner Pamela Jones Harbour said in a statement after the release of the report.26
The principles do not go as far as to require explicit approval of all data collection. Stuart P. Ingis, a partner at Venable LLP, which represents the trade groups, said such a measure would not be feasible. “If you had that as a default, you would wind up undercutting significantly the economic underpinnings for all the stuff the public loves,” Ingis said. “The way, operationally, that would work is every time a consumer’s doing their Web surfing, you’d be requiring them to click through all these options. Consumers would hate that.”27
Marc Rotenberg, executive director of the Electronic Privacy Information Center, called the principles “almost meaningless” and predicted that Congress would pass legislation hemming in information collection by advertisers.”There's very little appetite in Washington today for self-regulation,” said Rotenberg. “People have no idea about how much information is being collected about them online.”28
The groups hope to have the accountability programs in place by the beginning of 2010, which would probably predate any federal legislation. The principles were developed by the American Association of Advertising Agencies, Association of National Advertisers, Council of Better Business Bureaus, Direct Marketing Association, and Interactive Advertising Bureau.
D. European Regulators Aim to Protect Consumers, Retailers and Online Privacy 1. Consumer Rights Directive The European Commission launched a proposal in October 2008 for consumers’ rights throughout the European Union that would apply to shopping both online and in person. The current EU rules on consumer protection result from four EU directives.29 These contain certain minimum requirements, but member states have added rules through the years, making EU consumer contract laws a “patchwork” of 27 sets of differing rules enacted over the past 20 years.30 The proposed Consumer Rights Directive seeks to combine these into a standard set of rules governing contract terms, delivery obligations, a cooling off period, and repairs or replacements for faulty products. 31
The proposal must be approved by the European Parliament and EU governments in the Council of Ministers before becoming law.32 In July 2009, the UK’s House of Lords EU Committee publicly opposed approving the directive.33 The committee questioned the two-year limit on a trader’s responsibility for repairing or replacing faulty goods because of a concern it could lead to the production of less durable items. The Committee did not call for the proposal to be scrapped and recognized the need to update EU consumer law. However, it pointed to other factors, such as culture, language, the cost and distance of delivery, as also playing a role in increasing cross-border trade.
Privacy Principles European Commissioner for Consumer Affairs Meglena Kuneva in March urged the development of policies to regulate online behavioral advertising and safeguard consumer privacy. In her keynote address at the first ever European Consumer Summit in Brussels, Kuneva said, “The status quo is not an option. Currently, consumers have little awareness of what data is being collected, how and when it is being collected and what it is used for. And they are also not able to control this process.”34 Kuneva touted Europe’s existing consumer policy principles and said that the key question moving forward is how to “apply these tested principles in [a] digital world.”
Kuneva urged the industry to develop self-regulating principles. In doing so, she raised many of the concerns shared by the FTC and members of Congress, including the inaccessibility of online privacy policies and the lack of clear opt-out systems to prevent the collection of online data. She called for more transparent privacy policies, meaningful opt-in or opt-out options, and clear identification of commercially sponsored messages. Kuneva also expressed concern for times when beneficial targeted advertisements might turn into “pressure,” such as when a person with high cholesterol views on online advertisement for recommended treatment.
3. UK’s Office of Fair Trading to Examine Internet Advertising
On Aug. 19, 2009, the United Kingdom’s Office of Fair Trading announced that it will study the impact on consumers of potentially misleading advertising and pricing of goods and services, with an emphasis on the Internet.35 The study may also look at how personal information is gathered online for use in behavioral advertising. “The way that businesses advertise and price goods and services constantly evolves, and we need to keep up to date on how consumers view these adverts, and the types of advertising and prices which may mislead,” said Heather Clayton, senior director of the office’s Consumer Market Group.36 The office was seeking input from consumer groups and businesses through Sept. 18, 2009, to determine the precise scope of the study.