Archive for January, 2007

Googled to prison?

January 30, 2007

Privacy and data protection in search engine data has taken center stage last year, with the unfortunate revelation by AOL of detailed search records of over 600,000 users (ultimately leading to the resignation of the company’s CTO), and Google’s legal battle with the US government over use of search logs for law enforcement purposes (See US District Court decision, accepting the governments request for data in part, here). Search engines collect a massive amount of highly personal data concerning our interests, hopes, desires, health, finances, travel plans, job searches and more. This invaluable asset attracts the interest not only of the government, but also of private litigants (e.g., copyright enforcement by the music industry, husband-wife custody battles), advertising companies and hackers. Hence, for example, in a recent 7th Circuit Court of Appeals case, a wireless hacker was convicted based on his Google search records. In a North Carolina case last year, a man was found guilty of murder in part because he searched for the words “neck,” “snap,” “break” and “hold” before his wife was killed. The Norwegian press reported yesterday that the Norwegian Data Protection Authority is investigating Google’s vast data storage pratices. Google responded that it can only link a search request to an IP address, not to the individual person behind such address, and in any event is not willing to pass on such information to others. The problem is that Google (and other search engines, for that matter) can personalize the data by use of cookies and additional services, such as the ubiquitous Gmail, and that even anonimized data may be linked to individuals, as illustrated by a NYT reporter in the AOL case. (I am lecturing on the topic at the upcoming annual meeting of the Israeli Internet Association on February 19).

Judges Cite Wikipedia

January 30, 2007

My students must love this: according to the NYT, courts are increasingly citing Wikipedia in judicial decisions. More than 100 judicial rulings have relied on Wikipedia beginning in 2004, including 13 from circuit courts of appeal. The Supreme Court thus far has never cited Wikipedia. As far as judges go, they don’t get much more conservative than Richard Posner of the United States Court of Appeals for the Seventh Circuit in Chicago. So if even Judge Posner says — “Wikipedia is a terrific resource. Partly because it so convenient, it often has been updated recently and is very accurate” — law students can probably be expected to do so too.

Senator Clinton: Putting Privacy on the Agenda

January 29, 2007

Wired reports Hillary Clinton has placed privacy and data protection on her Presidential candidate agenda. Senator Clinton supports a “Privacy Bill of Rights“, which would protect citizens’ right to know what’s being done with their personal information, and offer consumers an unprecedented level of control over how such data are used. Quite a refreshing notion after the Bush administration’s approach to this fundamental right. Indeed, perhaps as a countermeasure to Bush’s notorious USA-PATRIOT Act, Senator Clinton announced she will introduce the PROTECT Act (Privacy Rights and Oversight for Electronic and Commercial Transactions Act) to enact this Bill of Rights. Under the proposed Act,  consumer information will be shared only when consumers “opt-in”, consumers will be notified immediately if their credit or identity is compromised, and they will have a cause of action for damages if their privacy rights are violated. In addition, the Act would recreate the position of a high-level privacy czar, charged with oversight into the workings of government departments and the power to make sure privacy laws are followed. This position was last held by current Ohio State University law professor Peter Swire, under Senator Clinton’s husband’s tenure as president. 

Big Brother’s Little Brother: Your ISP

January 25, 2007

The US is debating proposed legislation requiring Internet service providers to retain data concerning user traffic for law enforcement purposes. Privacy advocates’ strong opposition to such “data retention” requirements aligns them, oddly enough, with ISPs, which fought similar requirements in Europe. ISPs are concerned with the cost burden of the mass storage and with commercial and legal difficulties such retention poses for their relations with customers. The EU adopted a new Data Retention Directive in March 2006, following the UK’s push after the London terrorist attacks. The government usually points to terrorism and child pornography as the ultimate evils which must be eradicated by online snooping. This is true, yet massive data retention subjects the vast majority of Internet users, who are innocent, to serious privacy risks. Indeed, in a precedential decision, a New Jersey state appeals court held yesterday that computer users can expect the personal information they give their ISP to remain private. A three-judge panel held a computer user whose screen name hid her identity has a “legitimate and substantial interest in anonymity,” referring to an “informational privacy” right in the state Constitution.


Foreign Surveillance: Now Near You

January 21, 2007

The New York Times reports the C.I.A. and Pentagon have been issuing “national security letters” to obtain banking and credit records of hundreds of US citizens and others suspected of terrorism or espionage. The letters, which augment thousands of national security letters issued by the FBI since Sept. 11,  are seen as part of an aggressive expansion by the military into domestic intelligence gathering. The NYT quotes John Radsan, a former assistant general counsel at the C.I.A., who said, “The C.I.A. is not supposed to have any law enforcement powers, or internal security functions, so if they’ve been issuing their own national security letters, they better be able to explain how they don’t cross the line.”  Meanwhile, Attorney General Alberto Gonzales provided little new information on Thursday, testifying before a Senate committee about the Bush administration’s sudden revelation that it would seek court approval for its domestic eavesdropping activities. Gonzales said he could reveal only that the orders “meet the legal requirements” under the Foreign Intelligence Surveillance Act. The broader problem illuminated by these revelations is the “importing” of foreign surveillance powers into the domestic sphere as a result of the collapse of the U.S.S.R. and the escalating war on terrorism. During the Cold War, the enemy was on the “outside”, allowing the FBI to concentrate on domestic law enforcement and the Pentagon/C.I.A. to deal with foreign surveillance. Now the enemy is within, blurring the lines between law enforcement and counter-terrorism, in arenas such as money laundering, data retention and data mining.

You leak: let us peek

January 18, 2007

More news on security breaches: California Senator Dianne Feinstein is renewing her push to set national requirements for consumer notification in the event of data security breaches, and to restrict the sale, purchase and display of Social Security numbers. Under her proposed Notification of Risk to Personal Data Act, any federal agency or business that “uses, accesses, transmits, stores, disposes of, or collects sensitive personally identifiable information” would be required to notify any U.S. resident whose data may have been compromised by a security breach “without unreasonable delay.” Her second bill, the Social Security Misuse Prevention Act, would prohibit the sale, purchase or “display” (intentional communication to the general public, including via the Internet) of SSNs without “affirmatively expressed consent of the individual,” either electronically or in writing. The bills feature broad exemptions, which are bound to prove controversial. Across the border, meanwhile, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) published a white paper calling for similar legislation to be introduced into Canadian data protection law (PIPEDA). Data breach notification laws are all the rage, prompting interest of regulators in the EU as well. A big question is what can consumers do with information concerning their data having leaked into unauthorized hands. One option, is, of course, suing. Yet, interestingly enough, while class action law suits have been filed against Choicepoint, LexisNexis and CardSystems Solutions, none have yet to reach judgment as of December 2006.