Right to Bear Arms? Massachusetts Supreme Judicial Court & U.S. Supreme Court--Recent Activity

Days ago, the Massachusetts Supreme Judicial Court affirmed the Second Amendment to the United States Constitution imposes no limitations on the Massachusetts Legislature to regulate the possession of firearms. See Commonwealth v. Richard Runyan (slip opinion).

The Second Amendment reads,

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

This case brings up the national debate on the right to bear arms and the Second Amendment. Is it a private individual’s right or, in the alternative, is it a State’s right--so the State may maintain a militia to defend itself?  Grossly simplifying the theories, if it’s a State’s right, then the States can regulate it. If it’s an individual right, then that leads to a different analysis.

Continue Reading...

New Data Security Regulations to Take Effect in Massachusetts on March 1st, 2010

The scramble in on as companies seek to comply with the identity theft regulations adopted in Massachusetts and touted as 'the first of their kind in the country' which are scheduled to take effect on March 1, 2010.

The effective date’s announcement followed a report indicating there have been over one million instances of Massachusetts residents’ personal information being exposed in two years. “We hope these regulations will make it harder for information to get into the wrong hands, and lower the number of instances of data being lost or stolen,” said Barbara Anthony, the Undersecretary of the Office of Consumer Affairs and Business Regulation (OCABR).

While M.G.L. c. 93H was passed in 2007, controversy emerged over how to pursue some of the law’s objectives under the regulations. After repeated postponements and revisions—brought upon largely by changes in the economic climate as well as compliance concerns of businesses— the regulations are now set to take effect on March 1st.

Continue Reading...

Children Deserve Laws That Protect Them From Online Pedophiles, Not Laws, As Written, That Serve to Invite Them In

The Massachusetts Supreme Judicial Court recently reversed four indictments of Matt H. Zubiel for an attempt to disseminate matter harmful to a minor, under M.G. L. c. 272, § 28, and as defined in M.G. L. c. 272, § 31. Each indictment was based on Internet conversations between Zubiel and an undercover police officer on different days.

Deputy Sheriff Melissa Marino, a member of the "high-tech evidence analysis team" in the Plymouth County sheriff's department, conducted undercover investigations of crimes, including child pornography and child enticement. Marino created an undercover screen name, "Melissa QT 1995 and set up a Yahoo profile describing herself as "Meliss Smith" from the South Shore, age thirteen, and in the eighth grade. Her profile invited others to "PM" her (a form of instant messaging) if they wanted to send her a "private message."

On February 8, 2006, Zubiel with a screen name of "Ilikesports04," said, "Hi, how are you?" Marino informed Zubiel she was thirteen years old. He indicated he was age twenty-five. Their first online chat lasted forty-two minutes with Zubiel asking Marino for a photograph.  She emailed him photographs of herself when she was thirteen years old. They discussed where each lived and they gave physical descriptions of themselves. Zubiel asked Marino, "[You] ever fool around with boys?" and other questions regarding what she had done with boys, how old the boys were, and additional details about those events.

Continue Reading...

Work Emails and Reasonable Expectations of Privacy - Is the Divide Ripening for the Supreme Court

As indicated by my prior posts, You've Got Email, But Is It Private At Work? and Is Einstein Reading Your Email for the Government?, the questions and arguments about privacy and email are heating up.  A recent case in point covered by the ABA Journal in Martha Neal's article, Prosecutor’s E-Mail Sent to His Lawyer on a Work Account is Privileged, Court Says, presents an interesting case. Here Neal reports,

A federal prosecutor's e-mail to his own lawyer is privileged, even though he sent it from work on a government computer, a federal court has ruled.

As pointed out in the article, this is in contrast to similar cases and interpretations. A comparison of this case and the government's arguments reviewed in, Is Einstein Reading Your Email for the Government? shows how the divide in these matters is growing.

Attorney-client privilege is a fiercely guarded area of privacy and this case may present the opportunity for the Supreme Court to reaffirm the attorney-client privilege in the the context of email and the information age. Of course, if taken up, how they go about this could have far wider implications for privacy rights and email communications. If heard, would they focus on the rule (reasonable expectation of privacy) or rather focus on the exceptions or privileges. If examined, will they look at the totality of the circumstances and thus leave the law to be advanced case-by-case as the circumstances come before courts or could they take a more holistic approach that offers guidance in this uncertain arena. Time will tell, but the issue seems to be ripening with each "send" button pressed.

You've Got Email, But Is It Private At Work?

Not that long ago I blogged, Is Einstein Reading Your Email for the Government? The issue there was email and the government's argument about its right to read it. In short, they suggest you don't have a reasonable expectation of privacy in your email sent to (or read by) government employees. In sum, while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission, the government argues there are things they can do to eliminate a person's reasonable expectation of privacy and thus remove any of email's privacy protections. It stands to reason that if certain things and conduct implemented by the government can remove privacy protections, then why not employers, too?

A recent Wall Street Journal article, Some Courts Raise Bar on Reading Employee Email, Companies Face Tougher Tests to Justify Monitoring Workers' Personal Accounts; Rulings Hinge on 'Expectation of Privacy' was summarized by Debra Cassens Weiss in an ABA Journal post, May Employers Monitor Personal E-Mail? Cases Turn on Disclosure.

The articles and comments at each post raise good points. Some comments from Weiss' post touch upon, email retention policies and duties to preserve email as evidence, otherwise privileged communications (example, an email to your attorney), ownership or control of the computer, private vs. company email, and more.

Nonetheless, the takeaway lesson for employers sounds a lot like the government's arguments about Einstein 2.0, be very explicit in informing your employees about your monitoring activities and those employees don't have a reasonable expectation of privacy anymore. Thus, as an employer, if you don't have an email and electronics' communications policy, then it's time to consistently adopt, implement, and enforce one. While this is no guarantee that you are on safe ground in monitoring all email, it appears to be the direction things are heading. As for employees, you should know what monitoring is taking place at your work. Take the time to review the email and other company policies and to understand what each means. Also, think twice before sending that email with your resume attached from your office computer or before checking your personal email while at work or on a work computer. Stop, think, and remember--there's a good chance your boss, as well as big brother, may be watching what you send and what you read.

While this post discusses email, don't forget about blogs, comments, tweets on twitter, text messages, Instant Messages (IM), or others, too.

Predicting Medical Conditions with Data: Promising Model if Privacy is Protected

A tweet from @AbbieCitron brought me to the Medical News Today post Electronic Medical Records Could Help Predict Domestic Abuse. The article discusses forecasting patients' risks by using electronic medical records. Specifically, the article deals with domestic abuse screening or predictions.

Dr Ben Reis of the Children’s Hospital Informatics Program at the Harvard-MIT Division of Health Sciences and Technology, Children’s Hospital Boston; and Harvard Medical School, co-authored the study, Longitudinal histories as predictors of future diagnoses of domestic abuse: modelling study. The study concluded,

Commonly available longitudinal diagnostic data can be useful for predicting a patient’s future risk of receiving a diagnosis of abuse. This modelling approach could serve as the basis for an early warning system to help doctors identify high risk patients for further screening.

Continue Reading...

Friend or Foe: Friending Your Bill Collector

An ABA Journal post by Martha Neil, Could Your New Facebook ‘Friend’ Be a Bill Collector? notes there is little regulation of collection practices on the Internet because current laws are focused on traditional technology.

As the number of consumers giving up landlines increases, and while the information age continues advancing, consumer protections will need to continue undergoing changes in order to keep up with the times. The Congressional Findings and Declaration of Purpose found in The Fair Debt Collections Practices Act (PDF) notes:

There is abundant evidence of the use of abusive, deceptive, and unfair debt collection practices by many debt collectors. Abusive debt collection practices contribute to the number of personal bankruptcies, to marital instability, to the loss of jobs, and to invasions of individual privacy.

In addition, Subsection (b) adds:

Existing laws and procedures for redressing these injuries are inadequate to protect consumers.


Interestingly, consumers are not the only ones who may be interested in reform. Forbes.com posted a letter from the President of a Debt Collection company who also believes reform is needed:

The Fair Debt Collection Practices Act (FDCPA) is over 30 years old and largely regulates communication pertaining to debt collecting. Keep in mind, when FDCPA was crafted over 30 years ago, answering machines were not even used, let alone faxing, e-mailing, texting, etc. ... The FDCPA is in desperate need of being updated

Without clear rules, debt collectors interested in collecting debts ethically will be disadvantaged against those who look to collect consumer debts any way they can, including through abusive tactics. This argument that debt collectors trying to follow the rules should not be prejudiced against those that are abusive is referenced in Subsection (e) of the FDCPA:


It is the purpose of this title to eliminate abusive debt col­lection practices by debt collectors, to insure that those debt collectors who refrain from using abusive debt col­lection practices are not competitively disadvantaged, and to promote consistent State action to protect consumers against debt collection abuses.


With benefits to both consumers and collection companies available by updating collection laws, this should be an area that is ripe for review and change.

Federal law does allow states to impose higher standards than those found in the FDCPA and it will be interesting to see whether legislative changes come from the states or federal government. If neither, then I'd keep an eye on unfair and deceptive trade practices claims, as well as others, to emerge in this area as courts wrestle with trying to fit today's tactics into yesterday's laws.

Is Einstein Reading Your Email for the Government?

Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. - Justice Louis Brandeis (1928)

A recent ABA Journal article on privacy law (Feds Can Monitor Personal E-Mail Sent Privately to Gov’t Workers, DOJ) began as follows:

You might think that a private-mail sent to another U.S. citizen's personal account isn't subject to government monitoring. But that assumption could be wrong if the recipient is a federal government employee.

Both recipients and senders have no reasonable expectation of privacy if an e-mail is opened by a federal employee logged into a work computer network, according to an Aug. 14 legal opinion from the U.S. Department of Justice that was released Friday.

The Memorandum (PDF file) begins,

Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws.

The Memorandum “briefly summarizes the current views of the Office of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection system.” The arguments presented are basically:

  1. There is no "search" under the 4th Amendment;
  2. If there is a "search", then it is reasonable; and
  3. Federal laws trump any state laws.

The central premise of the Memorandum is this, while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission over the Internet, the deployment, testing, and use of EINSTEIN 2.0 technology complies with the Fourth Amendment where each agency participating in the program consistently adopts, implements, and enforces the model log-on banner or model computer-user agreements, or their substantial equivalents.

The government's position (which methinks goes too far) is summarized below.

No Search Under the 4th Amendment

The government argues there is no search for Fourth Amendment purposes because “the adoption, implementation, and enforcement of model log-on banners or model computer-user agreements eliminates federal employees’ reasonable expectation of privacy in their uses of Government-owned information systems…."

[Further]… individuals in the private sector who communicate directly with federal employees of agencies participating in the EINSTEIN 2.0 program through Government-owned information systems do not have a legitimate expectation of privacy in the content of those communications provided that model log-on banners or agreements are adopted and implemented by the agency.

… By clicking through the model log-on banner or agreeing to the terms of the model computer-user agreement, a federal employee gives ex ante permission to the Government to intercept, monitor, and search “any communications” and “any data” transiting or stored on a Government-owned information system for any “lawful purpose,” including the purpose of protecting federal computer systems against malicious network activity. Therefore, an individual who communicates with a federal employee who has agreed to permit the Government to intercept, monitor, and search any personal use of the employee’s Government-owned information systems has no Fourth Amendment right against the Government activity of protecting federal computer systems against malicious network activity, as the employee has consented to that activity.

The Memorandum goes on to say this applies even when the email was sent to the employee’s non-governmental or personal account. When the,

sender of an email to an employee’s personal, Web-based email account (such as Gmail or Hotmail) does not know of the recipient’s status as a federal employee or does not anticipate that the employee might read, on a federal Government system, an email sent to a personal email account at work or that the employee has agreed to Government monitoring of his communications on that system. A person communicating with another assumes the risk that the person has agreed to permit the Government to monitor the contents of that communication.

But if it is a "Search," then it's Reasonable anyway

The Memorandum argues, even if EINSTEIN 2.0 operations were to constitute a “search” under the Fourth Amendment, …those operations would be consistent with the Amendment’s “central requirement” that all searches be reasonable [because] the Government has a lawful, work-related purpose for the use of EINSTEIN 2.0’s intrusion-detection system that brings the EINSTEIN 2.0 program within the “special needs” exception to the Fourth Amendment’s warrant and probable cause requirements."

State Privacy Laws vs. The Supremacy Clause

The Memoradum’s final argument is the EINSTEIN 2.0 program does not run afoul of state wiretapping or communication privacy laws due to Supremacy clause.

To the extent that such laws purported to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and imposed requirements that exceeded those imposed by the federal statutes discussed above, they would “stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and be unenforceable under the Supremacy Clause.

What do you think? Do you buy the argument that if you send an email to a government employee's private gmail or yahoo account, then the government may have the right to read the email?

Preceding the last presidential election, Condoleezza Rice was apologizing to presidential candidates for government intrusions into their private passport records. President Obama, a candidate at the time, called for hearings on the matter. Watergate, Hoover, and McCarthyism should remind us as to what ends government intrusions into personal privacy can have. Deeper historic reflections illuminate this point even more. Benjamin Franklin, offered, "they who would give up an essential liberty for temporary security deserve neither liberty nor security." Of a more local flavor, Boston's Samuel Adams, stated:

Driven from every other corner of the earth, freedom of thought and the right of private judgment in matters of conscience, direct their course to this happy country as their last asylum.

Smile, We're All On Candid Camera

Ross Clark's book, The Road to Big Brother, One Man's Struggle Against the Surveillance Society, involves Clark's experience in avoiding CCTV cameras and surveillance efforts in England. PrivacyDigest's review of the book, states (in part):

Ross Clark lays bare the astonishing amount of personal data which is hoarded by the state and by commercial organizations, and asks whom should we fear most: the government agencies who are spying on us - or the criminals who seem to prosper in the swirling fog of excessive data-collection.

As a city councilor, I was surprised to see surveillance cameras recently installed on new sets of local traffic lights. I wondered, "Who decides where these go and who will have access? Why are they there?" "Why didn't I have to approve these?"

I realize there's a practical argument for the potential advantages, such as recording accident data, raising compliance with safe driving laws, and, of course, avoiding traffic. In fact, the Connecticut Department of Transportation site lets you view traffic camera images that are updated every five minutes. The Boston SmarTraveler site offers several views, too.

But are things like Google Earth, government surveillance, and private webcams streaming on the web taking us into unchartered territories? I was excited to use Google Earth to see where my wife lived in Spain or others' travels. I've been on guided tours from the comfort of our home and they were fun experiences. But is there a trade off for fun?

Continue Reading...

Massachusetts Privacy Law Stalled-Out Again and Weakening

In previous posts, I discussed the legislative amendment being kicked around that would weaken the MA data security law (M.G.L. 93H).

Well, it appears the legislative change may not be necessary as the latest and ungreatest regulatory scheme changes appear to do the hatchet job for them.  Too bad.  In short, it's not good news for Massachusetts consumers or their privacy rights as privacy rights seem, once again, to be taking a backseat to political influences.

The Official Website of the Office of Consumer Affairs & Business Regulation (OCABR) states:

BOSTON – Aug. 17, 2009 – ... The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.


New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

The changes, Anthony said, make clear the regulations are risk-based in implementation, not just in enforcement as had been the case in earlier versions of the regulations. In addition, the regulations are technology neutral and acknowledge that technical feasibility plays a role in what many businesses, especially small businesses can do to protect data.  The overall approach is more consistent with federal law, she said.


The Office of Consumer Affairs and Business Regulation today sent to the Secretary of State notice of public hearing on the changes. That hearing will be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.

For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.