PRIVACY IN PUBLIC AND PRIVATE E-MAIL AND ON-LINE SYSTEMS

Introduction
 
 

With the convenience and ease of sending information via electronic mail (e-mail), its use is expanding at an exponential rate. However, the same technological strides that have made e-mail possible also represent a significant threat to privacy. Electronic eavesdropping, recording, and dissemination of private information can be accomplished with relative ease and thus legal and technical means of protection are coming to the forefront of attention. This discussion addresses the interests in, threats to, and the existing and projected protections of the privacy of e-mail communications and other information as provided by both the public Internet Service Providers (ISPs) and private employers.
 
 

What is Privacy?
 
 

To ultimately evaluate protections of e-mail privacy, it is helpful to analyze the conflicting interests involved. Identification of these interests facilitates an understanding of the policy goals of various protections as well an assessment of how well those goals are being met. At its most basic level, a balance must be struck between the needs of individual privacy and autonomy, and the legitimate needs for access to potentially private information. An understanding of what privacy is may be aided by analyzing the interests and arguments on the sides of both privacy and non-privacy.

1. Interests in Privacy

1. Privacy of Information.

• Interest to prevent access to personal information. Such information includes not only e-mail communications but also personal financial and medical records which are becoming increasingly accessible on-line.

• Interest to prevent disclosure of information. In some circumstances, access to information may have been permitted, however it is still important to maintain control of how that information may be disseminated.

• Interest to ensure accuracy of information. If authorization to disclose information has been given, guarantees are needed to ensure the information is correct. This is especially critical regarding credit and health status.

2. Privacy of Autonomy

• Freedom from observation of personal communications/acts. This is an analog to traditional "Peeping Tom" issues. Regarding e-mail this goes beyond exposure of the information communicated and includes data such as time, frequency, and duration of communications as well identification of the parties involved.

• Anonymity. There may be a strong interest in remaining anonymous when making public statements or when conducting financial transactions. The traditional analog here is the handing out of unsigned leaflets on political or other sensitive issues.

• Freedom from intrusion/interference. In the on-line context, one has an interest in preventing hackers from vandalizing equipment via viruses or otherwise disrupting communications. Another problem in this area is the expanding occurrence of "junk e-mail".

2. Interests in Non-privacy

Notwithstanding the strong interest in protecting the privacy of individuals, there are legitimate reasons why such protection should not be absolute.

1. Law enforcement

• To prevent and investigate hackers from gaining access to information. If law enforcement is to be able to protect an individual’s privacy of information, it is necessary to give up some of that privacy to law enforcement. In order to investigate into the potentially abusive activities of suspected hackers, law enforcement needs the legal and technical means to access private information such as e-mail messages. Thus subject to limiting procedures, law enforcement may need to collect information on not only the hackers themselves, but also on intended victims. Paradoxically, law enforcement needs access to private information in order to protect it.

• To prevent and investigate hackers from disrupting service. As e-mail and Internet access become more ingrained in serving social, educational, and economic functions, law enforcement will have greater responsibility to ensure service is maintained.

• To prevent and investigate the use of e-mail to plan/coordinate crime. This is analogized to traditional wire-tapping of telephone lines. Individual privacy interests must be balanced against society’s need to thwart criminal activity.

2. Employment

• Observation and documentation of employee activities. Employers justify monitoring employee e-mail by claiming that surveillance is necessary to keep track of the affairs of the business. Employers argue that their e-mail systems are provided primarily for business purposes and thus they should have a right to enforce this limitation. In addition, some employers use electronic surveillance to help objectively gauge productivity by logging time spent on-line or on the telephone.

• Protecting the integrity of employee time billed to customers. In industries such as government contracting or the legal profession where employee time is directly billed to the employer’s customer, the employer has an ethical duty to ensure that such time is billed appropriately. Employers thus have a need to verify that customer time is not being mischarged via abuse of company e-mail and telephone systems.

• Protection of property and trade secrets. Just as law enforcement has a need to guard against theft, so do employers. With e-mail providing an extremely easy way to disseminate sensitive company information, the ability to control such dissemination could determine the very viability of an organization.

• Protection against liability for employee acts. E-mail has been abused to perpetrate libel, sexual harassment, hate crimes, and copyright infringement. Employers may be held liable for the illegal acts of their employees and thus must have the means to protect themselves.

3. Marketing

• Narrowly targeting advertising to interested parties. Giving access to personal information promotes more efficient marketing activities. This serves the dual purposes of reducing product costs by avoiding wasteful advertising, and providing interested consumers with product information that might not otherwise be available.

• Web site collection of visitors information. Web sites that provide valuable information to the public for free may be funded by advertising revenues. They may also feed collected demographic information to marketers to promote marketing efficiency.

4. On-line Commerce

• Electronic contracting
• On-line purchases of information and products
• Electronic Data Interchange (EDI), e.g., inventory and shipping transactions.

Who might violate On-Line Privacy?
 
 

1. Government

2. Employers

3. ISPs

4. Site Providers

5. Other Users

1. Threats against Privacy of Information

1. Collecting Clickstream data

2. Cookies / Web site monitoring

1. Cookies. A web site’s server computer can track a user’s activity (e.g., pages visited) within that site and collect / save that data in a file. Then during the communications interchange between the server and the user’s computer, the server may request that this file or "cookie" be placed on the user’s hard disk. The "cookie" may then be reused to identify the user’s preferences based on this historical data the next time she accesses that site. The web site may then present particular advertising targeted at the user, or may route the user through particular pages on the site. In response to this practice, some newer web browsers (e.g., Netscape 3.0) detect when the "cookie" request is made and alert the user. If the user declines acceptance of the cookie, its transmission will be blocked. Cookies, as simple text files, do not contain executable code that could be used to transmit a computer virus or to read information residing on a user's hard disk. However, any information disclosed by a user while visiting a site (e.g. name, address, credit card number) could be stored in a cookie for later access by the web site. A cookie deposited by a particular server generally cannot be accessed or read by a different server.

1. Monitoring. Analysis of packet data can also reveal the "IP Address" of the user’s computer as assigned by the user’s ISP. A request may then be sent to an Internet "name server" computer to map this IP Address to the alphabetic name assigned to a user’s computer. This information may reveal the identity of the user’s ISP and may be used to help ascertain a user’s e-mail address.

3. Collection of data by users via on-line search engines

• Magellan or Webcrawler ( http://voyeur.mckinley.com or http://webcrawler.com). This search engine has a "Voyeur" feature that allows others to see the result of a user’s searches for information. The feature provides a sampling of the key words being used by other users so that the search results based on these keywords can be viewed. Webcrawler states that "the Search Voyeur displays WebCrawler searches done by real users. [However,] WebCrawler receives over 5 million queries a day, making it impossible for anyone, WebCrawler staff included, to make the association between a particular search and the person who initiated it." Given the ingenuity of the hacker community, this may not be an adequate assurance.

• DejaNews (http://www.dejanews.com). This search engine catalogs and indexes more than 15,000 Usenet groups. The members of these groups are required to provide profile data prior to gaining membership to the groups, and thus these profiles are available to searching parties, as are all Usenet postings made by any given user.

• Four 11 (http://www.four11.com). This search engine is dedicated to searching its database of e-mail addresses, however many e-mail addresses are not listed in the database. At present, the database only contains the addresses of individuals that have signed up to be included in its list.

• The Stalker’s Home Page (http://www.glr.com/stalk.html). This web site is devoted to assisting people in collecting information on other people via on-line resources. The site is comprised of links to other databases containing various personal information along with advice and information as to how to conduct searches.

• American Information Network. This is a for-payment service that has access to additional databases and can gain private information not available by the free services.
• Altavista, Yahoo, Excite, Lycos. The most popular standard search engines provide facilities to search for individuals by name. Information provided by such a search may include e-mail address, street address, and phone number.

4. ISP monitoring

5. Collection of data via voluntary means

• Consensual Disclosure. In addition to unauthorized access to personal information, users may provide such information by "consent". Often users must fill out forms disclosing information; however, they may not fully appreciate the extent to which that information will be used. For example, Web sites and on-line vendors may request personal data before a service is provided or before an item is sold / licensed. Once released, the consumer has no further control and the released information may be placed on undesirable mailing lists.
• Opt-in vs. Opt-out approaches. In some cases, users are provided with the option of whether or not they wish to disclose personal information. However, the manner in which this option is presented can make a difference in its effectiveness from a privacy perspective. The approach favored by privacy advocates is the "Opt-in" method whereby no consumer information is used by the requester unless the user affirmatively releases it. The mirror image preferred by business advocates is the "Opt-out" method where such personal information may be freely used unless the users notify marketers otherwise. Obviously the preferred approach depends on which side of the fence one stands. In order for the option to be effective however, notice of the option must be given to users. The opt-in approach ensures that the consumer is aware of the right to choose. Under the opt-out approach, consumers may assume that the option is simply not available, or more likely will not even think about it.
• Sensitive Data (e.g., Medical and Financial). Special concerns are raised when the information collected moves beyond simple identity or address data to more sensitive areas. Disclosure of medical and financial records can have a profound effect on a person’s job security, ability to get insurance, ability to get credit, and numerous other critical affairs. Many medical and financial institutions in possession of private data are now on-line and there are broad concerns about the ethical responsibilities of these entities. On-line access exposes a great potential for both unauthorized access and commercial disclosure of such data and thus strong legal controls are desirable. As noted however, such controls must recognize that the need for privacy is balanced against, for example, the interests of vendors and financial institutions that have a legitimate need to evaluate creditworthiness.
• On-line Discussions. Information voluntarily given out during chat sessions and user group discussions is now available to the world via the search methods described above. Where the Internet was previously comprised of a rather small group of technically oriented individuals, such discussions are now exposed to a much broader audience.

6. Federal Reserve Board.

7. Federal Trade Commission.

8. Social Security Administration.

9. Compromise of Medical Records.

• For health care and payment (however the patient may restrict disclosures of certain information or to certain persons)
• For health oversight to licensed providers, government agencies, and medical organizations
• To protect the public health
• For research, subject to government authorization
• In emergency situations
• To next-of-kin
• To law enforcement
• In judicial proceedings.

2. Threats to Communications

1. Access to private communications

2. Anonymity

3. Intrusion

1. Junk E-mail or "Spamming". While "cookies" and other unauthorized access to one’s computer are obvious forms of intrusion, junk e-mail "bombings" or "spamming" may be a primary threat to the overall usefulness of the e-mail system. In addition to clogging or slowing down the entire system, mass mailings of unwanted messages could distract users from important messages and ultimately make an individual’s e-mail account impractical to use. Junk e-mail may also increase a user’s per minute on-line or telephone charges. While junk e-mail is a potential threat, recent cases have curtailed its use:

• CompuServe, Inc. v. Cyber Promotions, Inc., 962 F.Supp. 1015 (S.D.Ohio 1997). In this case, mass advertising e-mailer Cyber Promotions sent thousands of unsolicited e-mail advertisements to CompuServe customers. In addition, Cyber configured its computers so that the messages falsely appeared to originate from a CompuServe address. This caused large numbers of undeliverable messages to be "returned" to CompuServe for storage. The court granted an injunction to CompuServe based on unfair competition and conversion claims. The excessive storage required for the undeliverable messages consumed the capacity of several of CompuServe’s computers and thus represented an actionable trespass to chattels for which the First Amendment provided no defense.
• Cyber Promotions Inc. v. America Online Inc., 1996 WL 689103 (E.D.Pa. 1996). Cyber used the same tactics against AOL, however, AOL retaliated by blocking the incoming messages from Cyber. In two separate proceedings, a Pennsylvania court found that (1) AOL’s blocking of messages could not deny Cyber’s First Amendment rights because AOL was not a state actor, and (2) AOL had not violated anti-trust laws because its e-mail service was not an "essential facility" under anti-trust law.
• Cyber Promotions, Inc. V. Apex Global Information Services, Inc., 1997 WL 634384 (E.D.Pa.). After the above disputes, ISPs refused to provide service to Cyber as a customer. One such ISP, Apex Global Information Services, Inc., cut off Cyber's existing service without notice. Cyber sued Apex under breach of contract and succeeded in obtaining a preliminary injunction from the court ordering Apex to restore service for a six week period while Cyber made other arrangements for Internet access. As a result, Cyber is now setting itself up as a specialized ISP to send unsolicited mass mailings for its advertising customers. However, several states are considering legislature that would criminalize this sending of unsolicited ads directly to e-mail accounts as a misdemeanor.

1. Usenet Spamming. Another type of on-line advertising spamming abuse occurs when an advertiser posts a commercial message to a large number of Usenet news groups or to the members of an e-mail mailing list. When a pair of lawyers did this to advertise their "Green Card" services for immigrants, the outraged Usenet readers retaliated by publishing protest messages, implementing software to erase future messages by the lawyers, and placing fake pizza orders to the lawyers’ address. While there was never a legal action involved, the on-line social pressure forced the lawyers to cease their activity.

Legal Protections & Limits

1. Federal Constitution

1. 1^st Amendment. Protections here limit the government’s ability to seize data where such intrusiveness would interfere with the ability to publish or distribute speech. The Privacy Protection Act (PPA), discussed further below, was enacted in 1980 to protect publishers’ First Amendment right to freedom of the press against government interference.

2. 4^th Amendment. The primary source of protection in the on-line context stems from the Fourth Amendment prohibition against unreasonable searches and seizures. As a threshold matter, the Fourth Amendment can only afford protection to e-mail communications if the affected party has a reasonable expectation of privacy in such communications.

• United States v. Maxwell, 42 M.J. 568 (A.F.C.C.A. 1995). This expectation was found by a military court in this case where e-mail was being used to transmit child pornography, the court found that the "appellant definitely maintained an objective expectation of privacy in any e-mail transmissions he made so long as they were stored in the America Online computers." Thus a search and seizure of e-mail computers must be made pursuant to probable cause. The ECPA, discussed in detail below, provides further law in the on-line search and seizure area.
• United States v. Charbonneau, 979 F.Supp. 1177 (S.D. Ohio 1997). Conversely, a reasonable expectation of privacy was not found in statements made on-line in a private Internet "chat room." In this case, an FBI operative would enter the "chat room" posing as a pedophile and monitor conversations regarding the transmission of child pornography. When the defendant claimed that his statements made in the chat room were protected by the Fourth Amendment, the court stated that " Defendant could not have a reasonable expectation of privacy in the chat rooms. Accordingly, the e-mail sent by Defendant to others in a 'chat room' is not afforded any semblance of privacy; the government may present the evidence at trial. In addition, all e-mail sent or forwarded to the undercover agents is not protected by the Fourth Amendment". Thus, the expectation of privacy found in Maxwell did not extend to e-mail messages after they had been received by the intended recipient.

2. 2^nd Amendment. While the government has placed restrictions on the export of encryption software, it can be argued that this is a violation of the right to bear arms. Since encryption software has been classified as "munitions," it is arguable that this places such software under Second Amendment protection. There is no case law on this issue to date.

2. State Constitutions

3. Federal Statutes

1. ECPA (Anti-Wiretapping Statute), 18 USC § 2510 et seq.

1. Basic Provisions of the ECPA. The Electronic Communications Privacy Act of 1986, which amended Title III of the Omnibus Crime Control and Safe Streets Act of 1968, is the only federal statute that specifically addresses interception and access of electronic communications. The ECPA prohibits the unauthorized interception, access, disclosure, and use of the contents of electronic and wire communications subject to certain exceptions discussed below. These provisions apply to both government and private actors, and violation may result in criminal, civil, and attorney fee liability. Evidence seized by the government in violation of the ECPA is subject to the exclusionary rule.

1. Title I - Access to Live communications. Title I of the ECPA regulates "interception" of oral, wire, and electronic communication by government, ISPs, and employers (as well as other third parties). In the absence of consent, interception of content is restricted except as a necessary incident to:

• rendering the communications service,
• protecting the service provider’s rights/property, or
• conducting a normal course of business (as discussed further below).

1. The Ordinary Course of Business Exception. Intercept under the ECPA is defined to mean "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." In turn, "electronic, mechanical, or other device" is defined to mean "any device or apparatus which can be used to intercept a wire, oral, or electronic communication other than ... any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties..." (emphasis added).

• James v. Newspaper Agency Corp., 591 F.2d 579 (10th Cir. 1979). In this tenth circuit case, an employer was held exempt from ECPA liability under the ordinary course of business exception where employees were provided with advance notice of monitoring, monitoring equipment was openly installed, and no employee protested at the time of installation. The employer successfully argued that equipment used to monitor customer phone calls was necessary to address concern over abusive language used by customers regarding their bills and to assist in the training of employees.
• Briggs v. American Air Filter Co., 630 F.2d 414 (5th Cir. 1980). Here a supervisor monitored a business call in which an employee divulged trade secrets to a competitor. In this case, the employee's supervisor had particular suspicions about confidential information being disclosed to a business competitor, had warned employee not to disclose such information, and knew that a particular telephone call was with an agent of the competitor. Thus the court found it within the ordinary course of business for the supervisor to listen in on an extension phone for at least as long as the call involved the type of information he feared was being disclosed. The court further noted that employer monitoring that is limited to specific occasions is less intrusive than a general practice of surreptitious monitoring.
• Watkins v. L.M. Berry & Co., 704 F.2d 577 (11th Cir. 1983). On facts similar to those of James, the eleventh circuit court here held that employer monitoring of personal calls of a telemarketing employee beyond the extent necessary to determine that the calls are personal in nature was not within the ordinary course of business exception. This was considered to be consistent with the holding of Briggs.
• Deal v. Spears, 980 F.2d 1153 (8th Cir. 1992). In this case, a liquor store owner suspected an employee of theft and attached a device to record all her telephone conversations over six weeks. Notwithstanding the legitimate purpose of the monitoring, the court followed Watkins and held that the privacy intrusion was "well beyond the boundaries of the ordinary course of business." The employer argued that as in Briggs, a telephone extension was used to monitor an employee suspected of harmful activity. However, the court noted that the use of a recording device to continuously monitor over an extended period of time went beyond the permissible standards of Briggs.

1. Title II - Access to stored communications. In contrast to Title I, Title II regulates access to communications that are "stored" within ISP or employer facilities. The basic rule for stored communications is that there are virtually no protections or restrictions on ISPs or employers regarding access. A problem here is that this provision essentially overshadows any protections available under Title I. When considering e-mail and other on-line communications, virtually all on-line communications may be technically classified as "stored" at one point or the other. Even during an interactive "chat" session, the communications are generally placed in storage while the session is occurring.


One recent case has provided some guidance with regard to the distinction between interception of live communications under Title I, and access to stored communications under Title II. In United States v. Moriarty, 962 F.Supp. 217 (D. Mass. 1997), the court held that an individual that listened to stored voice mail messages could only be prosecuted under Title II and not Title I. The fact that the defendant had "listened to the human voice" was not sufficient to implicate the interception provisions of Title I, and the court held that charges under both Title I and II were multiplicitous in violation of the double jeopardy clause.

1. Disclosure under the ECPA. In addition to access, both Title I and II regulate the disclosure of wire and electronic communications by ISPs and employers. Under the statute, such accessed communications may be disclosed:

• to an intended recipient
• to anyone with consent of the originator or recipient (which could possibly be the ISP or employer itself)
• to anyone, if such disclosure is necessary to continue providing service or to protect the ISP (such disclosure could be to another ISP if related to providing service)
• to law enforcement pursuant to wiretap order, warrant, or subpoena
• to law enforcement if a criminally suspicious communication was inadvertently obtained (e.g., via random monitoring)

2. Privacy Protection Act of 1980, 42 USC § 2000aa

1. Basic Provisions of the PPA. The PPA was enacted for the purpose of protecting the First Amendment right of freedom of the press so that publishers can investigate and develop sensitive news stories without fear of government interference. It establishes safeguards protecting "publishers" from government search and seizure of materials in their possession in the absence of probable cause. Probable cause here requires a stricter standard than under Fourth Amendment jurisprudence. Under the PPA, a warrant will only issue if there is probable cause to believe that information materials themselves are involved in the commission of a crime. The PPA protects both "work product" (meaning materials prepared by the publisher or author), and "documentary materials" (meaning supporting records, photographs, interviews, and the like).
1. Application to On-line Systems. On-line systems and users are protected by the PPA if they provide publishing services (e.g., electronic newsletters) or engage in publishing related activities (e.g., collection of documentary information via e-mail). Protection extends to the entire on-line system on which publishing materials are kept.
1. Remedies and Defenses. Violation of the PPA can be sanctioned by an award of money damages; however, illegal evidence so seized is not subject to the exclusionary rule. Law enforcement may defend a violation under a claim of a "good faith belief" in the propriety of the seizure. In the Steve Jackson Games case, at least with regard to the initial actions by the Secret Service, the court accepted the defense that the agents did not know that the PPA applied to ISPs. Note that in Steve Jackson Games, the plaintiffs successfully sued under both the PPA and ECPA.

3. Telephone Consumer Protection Act of 1991,

4. Federal Records Act, 44 USC §§ 2101 et seq.

5. Communications Assistance for Law Enforcement Act (CALEA)

• requires a court order for law enforcement to obtain e-mail addresses and other similar transactional data from ISPs.
• specifically excuses ISPs from modifying their equipment to facilitate authorized government interception (however ISPs are still subject to ECPA disclosure requirements regarding messages).
• does not limit rights to use encryption.

6. Privacy Act of 1974, 5 U.S.C. § 552a

1. Background. The Privacy Act of 1974 was an amendment to the Freedom of Information Act (FOIA), 5 U.S.C. § 552, aimed at increasing the privacy protections of the FOIA. While the FOIA primary goal is to make government information available to the public, it also contains exceptions that restrict disclosure of certain information in an effort to protect privacy. The Privacy Act was created to further prevent government from disclosing computer database records maintained on an individual for any other purpose than that originally intended without consent. The act was amended by the Computer Matching and Privacy Act of 1988, 5 U.S.C § 552a (1994) which limits government use of database "matching" techniques to aggregate information on individuals and then terminate benefits without notice and a hearing.
1. Basic Provisions. As stated, the Privacy Act restricts government disclosure of information within its databases. It also allows individuals to examine, correct, and copy their records kept in government databases. The existence of such databases of personal information must be made known to the public. The Privacy Act does allow information in these databases to be disclosed to law enforcement, credit reporting agencies, and to protect the health / safety of the individual. However when information is requested on an individual, that person must be informed of the purpose of the disclosure, and the uses to which the information will be put. The individual may request review and amendment of such records, and disclosure must only be with written consent, unless disclosure is for a "routine use". This "routine use" exception tends to negate much of the act’s privacy protection by allowing an agency to disclose a record concerning an individual, if such disclosure is for a purpose that is specifically compatible with the purpose for which the information was gathered. Violations of the Privacy Act may be redressed by money damages and injunctive relief. However, the Privacy Act is only effective against government disclosure of private facts; it has no effect on private entities.
1. Critics of the Privacy Act. Privacy advocates have criticized the effectiveness of the Privacy Act and have called for stronger protections especially in light of expanding computer networking. The American Civil Liberties Union (ACLU) has charged that the Privacy Act only mildly deters government exploitation of private information. They argue that social security numbers are being increasingly misused and as an example point to the mandatory reporting of children’s Social Security Numbers (SSNs) on tax forms. The act is also criticized because of its specific exception that allows government disclosure without consent if the disclosure is a "routine use" of the information.

7. Acts Protecting Financial Information

1. Fair Credit Reporting Act (FCRA). Although the Privacy Act of 1974 does not provide protections against privacy incursions by non-government actors, other statutes do provide protection in the area of financial information. The Fair Credit Reporting Act of 1970, 15 USC §§ 1681 - 1681t, regulates disclosure of personal information by credit reporting agencies, but not the collection of this information. Under the FCRA, credit bureaus must maintain procedures to protect against reporting inaccurate / obsolete credit information, and allow consumers to review their records and correct inaccuracies. Credit reports may only be disclosed with permission, under court order, or for certain enumerated purposes (e.g., credit, insurance, employment, government benefits eligibility, legitimate business needs). A major weakness of the act from a privacy perspective is that agencies are not required to notify individuals of the existence, content, or use of financial records. Thus enforcement of the FCRA may actually provide little privacy protection.
1. Right to Financial Privacy Act of 1978, 12 USC § 3401 et seq. (1994). This act was passed to overturn United States v. Miller, 425 U.S. 435 (1976), which held that an individual had no reasonable expectation of privacy in records held by a bank. The RFPA response was to set procedural restrictions on federal agency access to a bank’s records of its customers. However, the financial institution may notify law enforcement if it has a suspicion of crime. Disclosure may then be authorized by warrant, subpoena, or consent. The act has no applicability to disclosure to non-government entities.
1. Related Statutes. Other related acts that regulate disclosure and consumer reporting of financial information are the Fair Credit Billing Act of 1974, 15 U.S.C. § 1666 (1994); Fair Debt Collection Practices Act of 1977, 15 U.S.C. § 1692 (1994); Equal Credit Opportunity Act of 1974, 15 U.S.C. § 1691 (1994); and the Electronic Fund Transfer Act of 1978, 15 U.S.C. § 1693 (1994).

8. Acts Protecting Medical Records

9. Other Acts Protecting Private Information

1. Family Educational Rights and Privacy Act of 1974, Pub. L. No. 93-380, 88 Stat. 571 (codified in scattered sections of 47 U.S.C.). This statute regulates the disclosure of and access to educational records and allows students to review their records and prevent disclosure.
1. Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 (1994). This statute makes it a criminal act for state motor vehicle offices to release driving record, age, or address information without a legitimate purpose.
1. Cable Communications Policy Act of 1984, 47 U.S.C. § 551 (1988 & Supp. V 1993). This act imposes restrictions on cable TV systems regarding collection, use and disclosure of subscriber information including the viewing habits of customers. The cable systems must notify customers regarding information collected and may only disclose such data if the customer has first been given the opportunity to prohibit or limit such disclosure.
1. Video Privacy Protection Act of 1988, 18 U.S.C. §§ 2710 - 2711 (1994). This act prohibits the disclosure of information regarding what videos individuals have rented. However, customer lists arranged by subject matter (but not specific title) may be released if the customer has an opportunity to prohibit such disclosure. This law was passed after the public disclosure of Judge Robert Bork’s video rental history while under consideration for the U.S. Supreme Court.

1. Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (1996). The main focus of this act is to regulate the health insurance industry to combat waste, fraud, and abuse. It also contains particular provisions to assure that medical information is utilized in a manner that appropriately protects the confidentiality of the information and the privacy of individuals receiving health care services and items.

4. Proposed Legislation

1. Medical Information Privacy and Security Act, S. 1368

2. Fair Health Information Practices Act of 1997, H.R. 52


This bill was sponsored by Rep. Condit (01/07/97) to establish a code of fair information practices for health information. The bill requires, subject to exceptions, health information trustees (e.g., health care providers) to permit individuals to examine their protected health information such as physical or mental health records created or received by health care trustees. Under the bill the trustees may use protected information only for a purpose: (1) that is compatible with and directly related to the purpose for which the information was collected or received by the trustee; or (2) for which the trustee has received disclosure authorization. The bill does make exceptions regarding: (1) next of kin and directory information; (2) public health; (3) health research; (4) emergencies; (5) judicial and administrative purposes; (6) law enforcement; and (7) subpoenas, warrants, and search warrants.

3. Consumer Internet Privacy Protection Act of 1997, H.R. 98

4. Federal Internet Privacy Protection Act of 1997, H.R. 1367


This bill was sponsored by Rep. Barrett (04/17/97) and prohibits any Federal agency from making available through the Internet any record with respect to an individual. The bill permits a civil action to be brought against an agency by an individual suffering harm as a result of any case in which an agency makes available through the Internet a record with respect to the individual (including a case in which a record was made available through the Internet before enactment of this Act).

5. Communications Privacy and Consumer Empowerment Act, H.R. 1964


This bill was re-introduced by Rep. Markey (06/19/97) to require the FTC to determine ways for consumers to stop unauthorized on-line use of, personal information. The bill also directs the FCC to assess whether ISPs adequately protect against unauthorized interception of communications and personal information. It requires ISPs to offer customer screening software designed to limit access to material that is inappropriate for children. Finally, it prohibits the Federal Government or State governments from: (1) restricting or regulating the sale in interstate commerce of encryption or other products for improvement of data security; (2) conditioning the issuance of certificates of authentication or authority upon any escrowing or sharing of private encryption keys; or (3) establishing a licensing or other regulatory scheme that requires key escrow as a condition of regulatory approval.

6. Social Security On-line Privacy Protection Act, H.R. 1287

7. Internet Freedom & Child Protection Act, H.R. 774


This bill was sponsored by Rep. Lofgren (02/13/97) to repeal restrictions on transmitting obscene materials to minors using telecommunications or computer equipment. The bill requires an ISP to offer customer screening software to limit access to material that is unsuitable for children.

8. Unsolicited Com’l E-Mail Choice Act of 1997, S. 771


This bill was sponsored by Sen Murkowski (05/21/97) to require a person who transmits unsolicited commercial e-mail to prominently display the word "Advertisement" along with the sender’s name, e-mail address, and phone number. The bill will not be applied to ISPs unless it was the ISP that initiated the transmission. Consumer requests for termination of unsolicited mail must be honored within 48 hours. The bill empowers the FTC with regulatory authority over such unsolicited e-mail, although the bill authorizes a private right of action within 1 year after receipt of the transmission.

9. Electronic Mailbox Protection Act of 1997, S. 875

10. Netizen Protection Act of 1997, H.R. 1748

1. Intrusion Upon Seclusion. This tort creates liability against one who intentionally intrudes (physically or otherwise) upon the seclusion of another or his private affairs where such intrusion would be highly offensive to a reasonable person. Electronic means of intrusion would fall within the ambit of this tort. Actions here could be brought regarding access to private communications (e-mail), and intrusion via junk e-mail.

• the action must be intentional so that accidental access to e-mail would not give rise to liability
• the matter must be "private" such that the plaintiff would need to show a reasonable expectation of privacy
• the intrusion must be "highly offensive"
• in the employee setting, pre-established consent (including an announced employer policy of non-privacy of all e-mail communications) would work as a defense.

• Flanagan v. Epson America Inc., No. BC 007036 (Sup. Ct. Cal. Jan. 4, 1991). In this case, employees claimed that a tap on the company’s e-mail system violated their expectation of privacy when their messages were read and printed without consent. The court held for defendants because California does not recognize e-mail as a type of communications afforded privacy protection. Other California cases in accord are Shoars v. Epson America Inc., No. BO73243 (Cal. Ct., App.), review denied, No. SO40065, 1994 Cal. LEXIS 3670 (Cal. June 29, 1994), and Bourke v. Nissan Motor Co., No. YC 003979 (Sup. Ct. Cal. 1991).
• Smyth v. Pillsbury Co., 914 F.Supp. 97 (E.D.Pa. Jan. 23, 1996). In this case, an employee claimed an invasion of privacy when his e-mail messages were read and printed after he was repeatedly assured that such communications were to be kept confidential and privileged. The employee was fired after sending messages concerning the sales staff, containing threats to "kill the back-stabbing bastards". In interpreting Pennsylvania law, the federal court found no reasonable expectation of privacy in messages voluntarily communicated over the company e-mail system, regardless of any assurances of confidentiality. In addition, the court found that the employer’s interception of such messages was not offensive, and that the company’s interest in preventing unprofessional comments outweighed any privacy interest on the part of the employee.

1. Publicity Given To Private Life. This tort creates liability against one who gives publicity to private, personal information if the disclosure would be highly offensive to a reasonable person, and if the matter is not of legitimate public concern. Like defamation, this tort is limited by First Amendment concerns regarding the freedom of speech / press to publicize true facts. Since publicity here essentially means disclosure to a large number of people, dissemination of private information via the Internet would qualify. The tort is limited in that the matter must be private and the behavior offensive as noted above.
1. Placing a Party in a False Light. This tort creates liability against one who gives publicity to a matter concerning another that places the other in a false light if the false light would be highly offensive to a reasonable person, and if the actor had knowledge or acted in reckless disregard as to the falsity. This tort could be applied to misinformation published on the web subject to the offensiveness and scienter limitations.

1. Right of Publicity. This tort creates liability against one who appropriates, to his own use or benefit, the name or likeness of another. It is recognized that one has a privacy interest in the exclusive use of his own identity. This interest is restricted however when inconsistent with First Amendment principles as when a newspaper publishes a the name or photograph of someone in connection with a newsworthy event. This principle was tested in the on-line context in Stern v. Delphi Internet Servs. Corp., 626 N.Y.S.2d 694. In this case, radio personality Howard Stern sued the Delphi system for using his photograph without permission in an advertisement for an on-line debate regarding Stern’s candidacy for governor of New York. The court held for Delphi on First Amendment grounds because of the newsworthy quality of the event.

2. Intentional Infliction of Emotional Distress

3. Conversion

4. Trade Secret Laws

5. New Jersey Wiretapping Statute, NJSA 2A:156A et seq.

1. The Industry View


Beyond legal regulation of privacy issues, non-mandatory guidelines and self interest may provide a framework for privacy protection in the on-line world. Government intervention may not be the appropriate solution because of the difficulty of keeping laws current with the technology and because of the possibility of inhibiting technological and commercial progress. In support of this view, industry has argued that: market pressures will force self regulation regarding privacy of information as users make their privacy preferences known. In light of the universal interest in promoting the benefits of networking technology, it is argued that ISPs, employers, and other players will not engage in activity that is so invasive as to frustrate use of e-mail and other systems.

2. The Privacy View

Many individuals and businesses are turning to self-help approaches for solving their privacy and security needs. While the primary technique of ensuring the confidentiality of e-mail information is encryption, other means of hiding identity and transactional information are also in use.

1. Encryption

1. Symmetrical Encryption

3. Confidential Communications on the Internet

• Ethics violations
• Malpractice
• Compromised reputation with clients
• Potential waiver of the attorney-client privilege
• Possible loss of client trade secret protection

5. Legislation

1. Current U.S. Policies


In the United States, up until December 1996, the export of cryptographic products was controlled by the Department of State via the Arms Export Control Act under the department's International Traffic in Arms Regulations (ITAR). Under the ITAR, no cryptographic product could be exported without an export license issued by the Department of State, and licenses were generally not granted for products that provide "strong" encryption (e.g., greater than 40 bit codes). However, in December 1996 under Executive Order 13026, President Clinton transferred the responsibility for control of export of cryptographic products to the Department of Commerce. To this end, the President amended the Export Administration Regulations (EAR) as part of a plan to implement a worldwide key management infrastructure featuring key escrow and key recovery provisions.

To provide for a transition period for the development of this key management infrastructure, the present EAR rule permits the export and re-export of 56-bit key length DES or equivalent strength encryption items under the authority of a License Exception, if an exporter makes satisfactory commitments to build and/or market recoverable encryption items, and to help build the supporting international infrastructure. This policy applies to both hardware and software.

Both privacy and electronic commerce advocates are now calling for legislation to change these restrictive policies.
 
 
 
 
 
 

2. U.S. Government Clipper Initiatives

1. Clipper I. This was a 1993 proposed hardware solution where communications would be uniquely identified using keys permanently embedded in hardware (i.e., the clipper chip). This was intended to provide a "back door" to government to permit legitimate eavesdropping of otherwise confidential communications.
2. Clipper II. This was a 1995 proposed mandatory Commercial Key Escrow (CKE) framework for public key encryption that would allow businesses to select their own encryption algorithms but which also would provide the government with means to gain access to encrypted data.
3. Clipper III. This is also called the Electronic Data Security Act of 1997 (3/12/97) draft legislation, and is a proposal for a Key Management Infrastructure (KMI) for public key encryption whereby private CA and key escrow entities would operate under government policies. To participate in the system, users would have to make sure their private keys were deposited with trusted agents that would be permitted to release the keys to the government for purposes of law enforcement.

1. Secure Public Networks Act, S. 909

1. Security and Freedom Through Encryption (SAFE) Act of 1997, H.R. 695


This bill was sponsored by Rep. Goodlatte (02/12/97) and is intended to relax U.S. export controls on encryption. Several amendments have been proposed The original Goodlatte language has been substantially amended by five House committees to provide law enforcement with easy access to encrypted information. Rep. Solomon (R-NY), chairman of the House Rules Committee, has indicated that he will not send the legislation to the House floor unless it contains domestic controls providing law enforcement access.

2. Encrypted Communications Privacy Act of 1997, S. 376

1. Computer Security Enhancement Act of 1997, H.R. 1903

1. Promotion of Commerce On-Line in the Digital Era (Pro-CODE) Act of 1997, S. 377

2. Pseudonyms

3. Anonymous Remailers

1. If a user accesses the Internet through an ISP such as AOL, CompuServe and others, the ISP’s proxy server acts as an intermediary to protect the user’s identity and e-mail address. Web sites that try to trace the user’s location will only be able to do so as far as the proxy server. In this case, only the ISP could trace the user’s "clickstream" data. Intranets that are protected by firewalls will likewise provide this same protection. A firewall is a piece of software operating on the computer that acts as the gateway from a private network to the Internet. The firewall software provides an intelligent "filter" between networks that monitors message traffic and screens out unauthorized data.
2. The Anonymizer is a special web service at www.anonymizer.com that may be used to block web sites from collecting user information. The user simply goes to that site, and then makes all subsequent links from there. It prevents collection of source and other data, or the introduction of cookies onto the user computer. The only disadvantage is that it will slow down the access time involved in surfing from site to site. The Anonymizer also provides a sample service whereby it can display to you the type of information that can be collected as a result of your visiting that site. For example, it may display your site provider, approximate geographic location, and browser type.
3. There are also software programs available to control the placement of cookies on a user’s computer. As mentioned, browsers such as Netscape and Internet Explorer allow users to set options to provide notice when a web site is attempting to place a cookie. Further, there are programs such as "Cookie Cutter", "Cookie Crusher", and "Cookie Master" that both permit removal of existing cookies and prevent the placement of new cookies.

1. Universal Registration Systems (I/Code system)

The problems involved in maintaining personal privacy will continue to be issues of debate and dispute and the impetus for new laws for the foreseeable future. As society progresses further into the information age, personal data will be collected and exploited at an ever expanding rate. In addition, the technological means to accomplish this will continue to evolve at a pace that will challenge and perhaps confound the legal profession. Our present privacy laws, already out of date, will be further stretched and likely made even less effective in providing protection. As seen, laws like the ECPA have already been severely weakened by on-line communications technology. For example, because the ECPA allows access to stored communication, this means from a practical perspective that all e-mail is accessible by employers and ISPs. Other legal approaches such as tort law have been held to provide little, if any, protection.

At least from the communications perspective, the self help remedy of public key encryption appears to be the best near term solution to privacy concerns. Efforts to limit domestic encryption thus far have failed, and a number of effective and inexpensive software and service packages are now available. The strong societal interest in fostering electronic commerce will likely cause continued support for and a ubiquitous presence of encryption. However, law enforcement will continue to demand a means for access to encrypted data as no satisfactory compromise with privacy advocates has yet been proposed.

Threats to privacy of personal information are not easily solved by self help, and further legal protection is needed. While the PPA and the proposed Consumer Internet Privacy Protection Act are steps in the right direction, stronger regulation must still be considered. Given the propensity and incentives for entities to probe into the personal affairs of the private individual, the need for protection will continue to be critical. The very existence of web sites such as "The Stalker’s Home Page" make this point abundantly clear.
 
 

Sample Company Policies for Control of Computer Information, Voice Mail, E-mail and the Internet

1. Sample Policy: Introduction

• Employee privacy does not extend to work-related conduct or to the use of company-provided facilities such as computers
• Use of any of the Computer Systems in violation of any of the policies herein will result in disciplinary action, up to and including termination

1. Prohibited Uses and Communications

• Gossip, personal attacks, or embarrassing remarks
• Personal information about yourself or others;
• Profanity or obscenity in any form;
• Insensitive language which is derogatory, offensive, threatening, insulting or harmful to morale;
• Sexually-explicit messages, cartoons, or jokes; unwelcome propositions or love letters; ethnic or racial slurs;

1. Monitoring of Computer Systems

• All messages sent and received by the computer systems or information stored in the computer systems are Company records.
• The Company reserves the right to access and disclose all such messages and information for any business purpose
• Employees should ensure that messages sent, received, and stored on Company business or with the use of Company facilities will be available for review without prior notice
• All passwords and encryption keys must be available to management
• You should not use the computer for the communication or storage of anything you would not want read and further disclosed

1. Internet Policy: Permitted Uses

• E-mail for business purposes of the Company
• Support of Company customers in their use of Company services
• Reading and downloading legitimate business data and information
• Downloading bug fixes and patches for authorized commercial software

1. Internet Policy: Prohibited Uses

• for any unlawful activity;
• to make any defamatory remarks, or derogatory remarks based on race, religion, color, sex, handicap, or national origin;
• for distribution, disclosure or selling of proprietary information;
• to download or distribute any copyrighted material without license to do so;
• to advocate a religious or political cause;
• to promote any commercial enterprise other than approved Company business;
• for an employee's off-the-job pursuits, whether or not commercial in nature;
• for sending or soliciting sexually oriented messages or images;
• to seek employment;
• to send viruses or to do any act harmful to another person or his computing resources;
• to send "junk" mail or "spamming" e-mail
• to entrust confidential Company information or property such as trade secrets or proprietary information to this medium without prior permission