Page 1: SLIDES

08-732 LAW OF COMPUTER TECHNOLOGY FALL 2009

COPYRIGHT © 2009 MICHAEL I. SHAMOS

Data Privacy

Michael I. Shamos, Ph.D., J.D.
Institute for Software Research
School of Computer Science
Carnegie Mellon University

Page 2: SLIDES

What is Privacy?

• Many different concepts all collected under the single word “privacy”

• Protection against intrusion into one’s “space”
– Protection from Government (4th Amendment)
– Freedom from publicity, disclosure of embarrassing facts (“Invasion of Privacy”)
– Protection from telemarketers

• Protection in cyberspace
– Anti-spam
– Web data collection
– Protection from data disclosures and leaks

Page 3: SLIDES

What is Privacy?

• Bodily privacy (Roe v. Wade)

• Communications privacy
– Against eavesdropping, wiretapping
– Electronic Communications Privacy Act

• Identity privacy
– Anonymity

• Data privacy
– Right to control collection, use and dissemination of non-public personal information

Page 4: SLIDES

What is Privacy?

• A bundle of rights recognized by the law protecting against various intrusions into one’s existence

• Why do we need privacy?
• It has survival value

• Public desire for privacy is not matched by the law
• Laws are incomplete, inconsistent and in flux
• Differ by state & country

• Difference between legal and ethical standards

Page 5: SLIDES

What’s a Right?

• U.S. Declaration of Independence (1776):

“We hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty, and the Pursuit of Happiness”

“That to secure these rights, Governments are instituted among Men, deriving their just Powers from the Consent of the governed”

• U.S. Constitution (1789):

“We the People of the United States, in Order to form a more perfect Union … and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”

Page 6: SLIDES

Data Privacy

• Who “owns” data about you? Can data be owned?
– Facts (residence, phone #, age), e.g. Allegheny County property records
– Sales information
– Habits, personal preferences
– Message traffic

• Problem: electronic collections are subject to greater abuse than paper ones

• Problem: having everything on line is different from just having records be public

• Policy: is it the data or its use that requires protection?

Page 7: SLIDES

U.S. Privacy Law

• No definition of “privacy”; few legal principles
• Federally protected categories: financial, educational, medical
• State: limited, usually embarrassing facts or photos
• Constitutional basis?
– 4th amendment: government searches
– “liberty” as right of privacy

• State constitutions

California Const. Art. I, §1: “All people are by nature free and independent and have inalienable rights. Among these are ... pursuing and obtaining safety, happiness, and privacy.” (Not in the 1849 Constitution)

Hawaii Const. Art. 1, §6: “The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest.” (Added in 1978)

Page 8: SLIDES

Privacy Act of 1974, 5 U.S.C. §552a

• Deals with disclosure of Federal Government records on individuals

• “No agency shall disclose any record … to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [except … ]”
– … the record is to be transferred in a form that is not individually identifiable;
– authorized law enforcement
– health or safety
– Congress
– court order

Page 9: SLIDES

Privacy Act of 1974

• “No agency shall disclose any record … to any person, or to another agency, except … with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be --
– … used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable” (not a defined term)

• Restriction on “matching programs”
– any computerized comparison of -- (i) two or more automated systems of records … [certain exceptions]

Page 10: SLIDES

Privacy on the Web

• Posted privacy policies are legal representations
• Violation of privacy policy by a website is deceptive advertising and an unfair trade practice
• The Federal Trade Commission acts on behalf of consumers
• Vigorous enforcement
– Example: In the Matter of Microsoft Corporation

• FTC is the leading U.S. government privacy watchdog
– Is this good? (It was never intended.)

Page 11: SLIDES

Family Educational Rights and Privacy Act (FERPA, Buckley Amendment)

20 U.S.C. §1232g

• “No [federal] funds shall be made available … to any educational agency or institution which has a policy or practice of permitting the release of education records … of students without the written consent of their parents to any individual, agency, or organization,” [except]
– other school officials (under certain conditions)
– schools to which student has applied
– financial aid
– Comptroller General of the U.S.
– health or safety emergency
– …

Page 12: SLIDES

Gramm-Leach-Bliley Act, 15 U.S.C. §6801

• “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”

• Protects “consumers”
– “individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes”

• Applies to “nonpublic personal information”

• Notice
– no disclosure to unaffiliated third party w/o notice to consumer

• Opt-out
– consumer may elect to refuse disclosure

Page 13: SLIDES

Remedies for Data Leak

• What happens if a company collects personal data but does not secure it adequately?

• Suppose hackers manage to steal the data (by committing a crime and breaking into the data system)?

• Is the data collector liable for negligence?
• What are the damages?

Page 14: SLIDES

Pisciotta v. Old National Bancorp (7th Cir. Aug. 23, 2007)

• Pisciotta was a customer of ONB
• ONB solicited personal information from Pisciotta online
• The ONB site was hosted by NCR Corporation
• NCR’s facility was hacked through an intrusion that was “sophisticated, intentional and malicious”
• Pisciotta filed a class action suit against ONB for failing to adequately protect personal information
• There was no proof that any personal information had actually been stolen
• No evidence of any identity theft

Page 15: SLIDES

Pisciotta v. Old National Bancorp

• Plaintiffs paid for credit monitoring to see whether their information had been misused

• ONB moved for “judgment on the pleadings,” a legal step in which the court is asked to rule that even if everything the Plaintiff is saying is true there can still be no recovery

• The District Court ruled for ONB because no injury had occurred

• Indiana had a statute requiring notification for information breaches, not compensation or any standards of protection

• Pisciotta appealed to the 7th Circuit

Page 16: SLIDES

Pisciotta v. Old National Bancorp

• Showing negligence requires proving a compensable injury

• The legislature gave no hint that breaches not leading to provable injury should be compensable

• Dismissal affirmed

Page 17: SLIDES

Employer Surveillance

• In general, surveillance by the employer is legal if
– the computer being monitored belongs to the employer; or
– the computer is connected to the employer’s network; and
– even if communications are encrypted

• McLaren v. Microsoft Corp., No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
– Employee used private password to encrypt email messages stored on office computer.
– Company decrypted and viewed files.
– Email account and workstation were provided for business use, so Microsoft could legitimately access data stored there.

• Notice of Electronic Monitoring Act (CT)
– Versions introduced in other states and Congress

Page 18: SLIDES

Tiberino v. Spokane County, 13 P.3d 1104 (Wash. Ct. App. 2000)

• Gina Tiberino worked for Spokane County, WA
• She misused her office computer for personal email and was fired
• She threatened to sue; Spokane printed out her email (551 messages; 467 were personal)
• The media requested copies
• Tiberino sued to prevent disclosure
• Held, the emails were “public records” but the contents were exempt from disclosure. The fact of the emails, not their contents, was of public interest

Page 19: SLIDES

Anonymity (U.S.)

• Freedom to publish anonymously is guaranteed by the First Amendment. McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995). Basis: Federalist Papers (1787-1788)

• Are you anonymous if your ISP can be forced to identify you?

• Currently a VERY HOT topic because of efforts of the recording industry to identify file swappers
– Not strictly a privacy rights matter because the Digital Millennium Copyright Act specifically authorizes such subpoenas

Page 20: SLIDES

Subpoenas to Identify

• No privilege between a user and an ISP. But the ISP may have standing to assert the user’s rights, especially First Amendment rights

• In re Subpoena Duces Tecum to America Online, Inc. (Anonymous Publicly Traded Co. v. Doe), Va. Cir. Ct., Fairfax Cty., Misc. Law No. 40570, 2/7/00

• Company alleged it was defamed by an anonymous AOL subscriber

• Company did not want to identify itself, but demanded in a subpoena that AOL identify the subscriber

• (Underlying case was in Ohio; AOL is in Virginia)

Page 21: SLIDES

Subpoenas to Identify

• Lower court allowed the subpoena (see opinion).
• Gave a test for subpoenas to identify a user:
– are pleadings and evidence supplied to the court satisfactory?
– does the party requesting the subpoena have a legitimate, good faith basis that it may be the victim of actionable conduct?
– is identifying the subscribers central to advancing the claim?

Page 22: SLIDES

America Online, Inc. v. Anonymous Publicly Traded Company, Record No. 000974 (Va. 2001)

• The Virginia Supreme Court REVERSED the decision to allow the anonymous subpoena. See opinion

• HELD, anonymous plaintiff could be given subpoena power only if it would suffer exceptional harm, such as social stigma, or extraordinary economic retaliation, as a result of exposing its identity

• Company subsequently dropped the lawsuit

Page 23: SLIDES

Tattered Cover, Inc. v. City of Thornton, Case 01SA205, Colorado Supreme Court, April 8, 2002

• Tattered Cover is a bookstore in Denver, CO. Thornton is nearby.
• Police believed a home in Thornton was housing drug operations
• Search by warrant revealed drug equipment, 2 books on drug manufacture and a discarded package from the Tattered Cover
• Police obtained a search warrant for sales records of the bookstore to learn who bought the drug books. Bookstore appealed.

• Colorado Supreme Court held: “the First Amendment embraces the individual’s right to purchase and read whatever books she wishes to, without fear that the government will take steps to discover which books she buys, reads, or intends to read.”

• Requires “compelling state need” and prior hearing before a warrant may issue against an “innocent” bookstore

Page 24: SLIDES

Major Ideas

• There is no general agreement on what data privacy is or ought to be

• Privacy laws are a patchwork of incomplete and inconsistent federal and state statutes

• Most state rights of privacy are very narrow
• Federal law protects medical, financial and educational information
• Failure to follow an announced privacy policy is a deceptive trade practice

Page 25: SLIDES

Q&A

Page 26: SLIDES

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• A “covered entity” may not use or disclose protected health information, except as permitted or required …
– pursuant to … a consent … to carry out treatment, payment, or health care operations
– pursuant to … an authorization
– pursuant to … an agreement (opt-in)
– [other provisions]

45 CFR §164.502

• Health information that meets … specifications for de-identification … is considered not to be individually identifiable health information

45 CFR §164.502(d)

Page 27: SLIDES

What HIPAA Protects

• “Individually identifiable health information” is information that is a subset of health information, including demographic information collected from an individual, and: …
– relates to … physical or mental health or condition of an individual; … provision of health care to an individual; or … payment for … health care to an individual; and
– identifies the individual; or
– with respect to which there is a reasonable basis to believe the information can be used to identify the individual

45 CFR §164.501

Page 28: SLIDES

De-Identification

• A covered entity may determine that health information is not individually identifiable only if: … the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
• Names;
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, …, except for the initial three digits of a zip code if …
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 …
• Telephone numbers; Fax numbers; email addresses; URLs; IP addresses
• Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers;
• Certificate/license numbers; vehicle identifiers, serial numbers, plate numbers;
• Device identifiers and serial numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code; and
• The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

45 CFR §164.514
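Added example, not part of the slides: a Python filter that applies the Safe Harbor field rules of 45 CFR §164.514(b)(2) to one structured record. The field names, the sample record, and the 3-digit ZIP population table are all constructed for this illustration. The ZIP condition the slide elides is implemented as the regulation states it (the three-digit prefix survives only when the area it covers has more than 20,000 people, otherwise it becomes 000), and ages over 89 are collapsed to a single "90+" category with the birth year dropped, since the year alone would reveal such an age. The regex scrub of free-text fields is an added practical step: identifiers that are stripped from structured columns routinely survive in clinical notes. The final condition on the slide, that the entity has no actual knowledge that the residual data could identify someone, is a human determination and is not decided by this code.

```python
"""Safe Harbor-style de-identification of a structured health record (example code)."""
import re
from datetime import date

# The 18 Safe Harbor categories that are simply dropped when they appear as
# structured fields.  These field names are this example's own convention.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct",      # geography below State level
    "phone", "fax", "email", "url", "ip",
    "ssn", "mrn", "health_plan_id", "account", "license",
    "vehicle_id", "device_id", "biometric", "photo",
}

# Assumed population counts per 3-digit ZIP prefix (constructed, not Census
# data).  The regulation keeps the prefix only when the combined area has more
# than 20,000 people; every other prefix is replaced by "000".
ZIP3_POPULATION = {"152": 500_000, "036": 15_000}

DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Identifiers that leak into free text.  Order matters: SSNs are matched
# before the looser phone pattern so a 3-2-4 group is not mislabelled.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits only if their area exceeds 20,000 people."""
    prefix = zip_code.strip()[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def generalize_age(age: int):
    """Ages over 89 are aggregated into the single category '90+'."""
    return "90+" if age > 89 else age


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date = date(2009, 9, 1)) -> dict:
    """Return a Safe Harbor view of `record`; `as_of` fixes the reference date for age."""
    age = record.get("age")
    if age is None and "birth_date" in record:
        bd = date.fromisoformat(record["birth_date"])
        age = as_of.year - bd.year - ((as_of.month, as_of.day) < (bd.month, bd.day))
    over_89 = age is not None and age > 89

    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped outright
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # Only the year may survive, and the birth year not even then if it
            # would reveal an age over 89.
            if not (key == "birth_date" and over_89):
                out[key + "_year"] = int(value[:4])
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)               # notes, diagnoses, etc.
        else:
            out[key] = value
    if age is not None:
        out["age"] = generalize_age(age)
    return out


# Constructed sample record; no real patient.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Forbes Ave",
    "city": "Pittsburgh",
    "zip": "15213",
    "birth_date": "1917-03-04",
    "admission_date": "2009-02-14",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "mrn": "MRN-0042",
    "diagnosis": "hypertension",
    "notes": "Call 412-555-0100 or jane@example.com; SSN 123-45-6789 on file; seen 2009-02-14.",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Running the block on the sample record leaves only the ZIP prefix, the admission year, the diagnosis, the scrubbed note, and the age bucket "90+". Whether that residue, combined with other data the recipient holds, still identifies someone is the "actual knowledge" question the slide ends with, and it has to be answered outside the code.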