Privacy Law and Policy : Privacy Lawyer & Attorney : Kevin Whitaker Law Firm : Patient Confidentiality, Defamation, Identity Theft : Privacy Law & Policy Blog

As indicated by my prior posts, You've Got Email, But Is It Private At Work? and Is Einstein Reading Your Email for the Government?, the questions and arguments about privacy and email are heating up.  A recent case in point covered by the ABA Journal in Martha Neal's article, Prosecutor’s E-Mail Sent to His Lawyer on a Work Account is Privileged, Court Says, presents an interesting case. Here Neal reports,

A federal prosecutor's e-mail to his own lawyer is privileged, even though he sent it from work on a government computer, a federal court has ruled.

As pointed out in the article, this is in contrast to similar cases and interpretations. A comparison of this case and the government's arguments reviewed in, Is Einstein Reading Your Email for the Government? shows how the divide in these matters is growing.

Attorney-client privilege is a fiercely guarded area of privacy and this case may present the opportunity for the Supreme Court to reaffirm the attorney-client privilege in the the context of email and the information age. Of course, if taken up, how they go about this could have far wider implications for privacy rights and email communications. If heard, would they focus on the rule (reasonable expectation of privacy) or rather focus on the exceptions or privileges. If examined, will they look at the totality of the circumstances and thus leave the law to be advanced case-by-case as the circumstances come before courts or could they take a more holistic approach that offers guidance in this uncertain arena. Time will tell, but the issue seems to be ripening with each "send" button pressed.

• Email This
• Print
• Comments
• Trackbacks

Not that long ago I blogged, Is Einstein Reading Your Email for the Government? The issue there was email and the government's argument about its right to read it. In short, they suggest you don't have a reasonable expectation of privacy in your email sent to (or read by) government employees. In sum, while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission, the government argues there are things they can do to eliminate a person's reasonable expectation of privacy and thus remove any of email's privacy protections. It stands to reason that if certain things and conduct implemented by the government can remove privacy protections, then why not employers, too?

A recent Wall Street Journal article, Some Courts Raise Bar on Reading Employee Email, Companies Face Tougher Tests to Justify Monitoring Workers' Personal Accounts; Rulings Hinge on 'Expectation of Privacy' was summarized by Debra Cassens Weiss in an ABA Journal post, May Employers Monitor Personal E-Mail? Cases Turn on Disclosure.

The articles and comments at each post raise good points. Some comments from Weiss' post touch upon, email retention policies and duties to preserve email as evidence, otherwise privileged communications (example, an email to your attorney), ownership or control of the computer, private vs. company email, and more.

Nonetheless, the takeaway lesson for employers sounds a lot like the government's arguments about Einstein 2.0, be very explicit in informing your employees about your monitoring activities and those employees don't have a reasonable expectation of privacy anymore. Thus, as an employer, if you don't have an email and electronics' communications policy, then it's time to consistently adopt, implement, and enforce one. While this is no guarantee that you are on safe ground in monitoring all email, it appears to be the direction things are heading. As for employees, you should know what monitoring is taking place at your work. Take the time to review the email and other company policies and to understand what each means. Also, think twice before sending that email with your resume attached from your office computer or before checking your personal email while at work or on a work computer. Stop, think, and remember--there's a good chance your boss, as well as big brother, may be watching what you send and what you read.

While this post discusses email, don't forget about blogs, comments, tweets on twitter, text messages, Instant Messages (IM), or others, too.

• Email This
• Print
• Comments
• Trackbacks

Ways may someday be developed by which the government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. - Justice Louis Brandeis (1928)

A recent ABA Journal article on privacy law (Feds Can Monitor Personal E-Mail Sent Privately to Gov’t Workers, DOJ) began as follows:

You might think that a private-mail sent to another U.S. citizen's personal account isn't subject to government monitoring. But that assumption could be wrong if the recipient is a federal government employee.

Both recipients and senders have no reasonable expectation of privacy if an e-mail is opened by a federal employee logged into a work computer network, according to an Aug. 14 legal opinion from the U.S. Department of Justice that was released Friday.

The Memorandum (PDF file) begins,

Operation of the EINSTEIN 2.0 intrusion-detection system complies with the Fourth Amendment to the Constitution, title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code, provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system. Operation of the EINSTEIN 2.0 system also does not run afoul of state wiretapping or communications privacy laws.

The Memorandum “briefly summarizes the current views of the Office of Legal Counsel on the legality of the EINSTEIN 2.0 intrusion-detection system.” The arguments presented are basically:

1. There is no "search" under the 4th Amendment;
2. If there is a "search", then it is reasonable; and
3. Federal laws trump any state laws.

The central premise of the Memorandum is this, while computer users generally have a legitimate expectation of privacy in the content of Internet communications (such as an e-mail) while it is in transmission over the Internet, the deployment, testing, and use of EINSTEIN 2.0 technology complies with the Fourth Amendment where each agency participating in the program consistently adopts, implements, and enforces the model log-on banner or model computer-user agreements, or their substantial equivalents.

The government's position (which methinks goes too far) is summarized below.

No Search Under the 4th Amendment

The government argues there is no search for Fourth Amendment purposes because “the adoption, implementation, and enforcement of model log-on banners or model computer-user agreements eliminates federal employees’ reasonable expectation of privacy in their uses of Government-owned information systems…."

[Further]… individuals in the private sector who communicate directly with federal employees of agencies participating in the EINSTEIN 2.0 program through Government-owned information systems do not have a legitimate expectation of privacy in the content of those communications provided that model log-on banners or agreements are adopted and implemented by the agency.

… By clicking through the model log-on banner or agreeing to the terms of the model computer-user agreement, a federal employee gives ex ante permission to the Government to intercept, monitor, and search “any communications” and “any data” transiting or stored on a Government-owned information system for any “lawful purpose,” including the purpose of protecting federal computer systems against malicious network activity. Therefore, an individual who communicates with a federal employee who has agreed to permit the Government to intercept, monitor, and search any personal use of the employee’s Government-owned information systems has no Fourth Amendment right against the Government activity of protecting federal computer systems against malicious network activity, as the employee has consented to that activity.

The Memorandum goes on to say this applies even when the email was sent to the employee’s non-governmental or personal account. When the,

sender of an email to an employee’s personal, Web-based email account (such as Gmail or Hotmail) does not know of the recipient’s status as a federal employee or does not anticipate that the employee might read, on a federal Government system, an email sent to a personal email account at work or that the employee has agreed to Government monitoring of his communications on that system. A person communicating with another assumes the risk that the person has agreed to permit the Government to monitor the contents of that communication.

But if it is a "Search," then it's Reasonable anyway

The Memorandum argues, even if EINSTEIN 2.0 operations were to constitute a “search” under the Fourth Amendment, …those operations would be consistent with the Amendment’s “central requirement” that all searches be reasonable [because] the Government has a lawful, work-related purpose for the use of EINSTEIN 2.0’s intrusion-detection system that brings the EINSTEIN 2.0 program within the “special needs” exception to the Fourth Amendment’s warrant and probable cause requirements."

State Privacy Laws vs. The Supremacy Clause

The Memoradum’s final argument is the EINSTEIN 2.0 program does not run afoul of state wiretapping or communication privacy laws due to Supremacy clause.

To the extent that such laws purported to apply to the conduct of federal agencies and agents conducting EINSTEIN 2.0 operations and imposed requirements that exceeded those imposed by the federal statutes discussed above, they would “stand as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and be unenforceable under the Supremacy Clause.

What do you think? Do you buy the argument that if you send an email to a government employee's private gmail or yahoo account, then the government may have the right to read the email?

Preceding the last presidential election, Condoleezza Rice was apologizing to presidential candidates for government intrusions into their private passport records. President Obama, a candidate at the time, called for hearings on the matter. Watergate, Hoover, and McCarthyism should remind us as to what ends government intrusions into personal privacy can have. Deeper historic reflections illuminate this point even more. Benjamin Franklin, offered, "they who would give up an essential liberty for temporary security deserve neither liberty nor security." Of a more local flavor, Boston's Samuel Adams, stated:

Driven from every other corner of the earth, freedom of thought and the right of private judgment in matters of conscience, direct their course to this happy country as their last asylum.

• Email This
• Print
• Comments
• Trackbacks

Ross Clark's book, The Road to Big Brother, One Man's Struggle Against the Surveillance Society, involves Clark's experience in avoiding CCTV cameras and surveillance efforts in England. PrivacyDigest's review of the book, states (in part):

Ross Clark lays bare the astonishing amount of personal data which is hoarded by the state and by commercial organizations, and asks whom should we fear most: the government agencies who are spying on us - or the criminals who seem to prosper in the swirling fog of excessive data-collection.

As a city councilor, I was surprised to see surveillance cameras recently installed on new sets of local traffic lights. I wondered, "Who decides where these go and who will have access? Why are they there?" "Why didn't I have to approve these?"

I realize there's a practical argument for the potential advantages, such as recording accident data, raising compliance with safe driving laws, and, of course, avoiding traffic. In fact, the Connecticut Department of Transportation site lets you view traffic camera images that are updated every five minutes. The Boston SmarTraveler site offers several views, too.

But are things like Google Earth, government surveillance, and private webcams streaming on the web taking us into unchartered territories? I was excited to use Google Earth to see where my wife lived in Spain or others' travels. I've been on guided tours from the comfort of our home and they were fun experiences. But is there a trade off for fun?

• Email This
• Print
• Comments
• Trackbacks

Massachusetts Senate Bill No. 173 (PDF file) introduced this year, would amend M.G.L. 93H and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority on a few fronts. I'm taking each one up in a separate post and today, I'll address the first proposed change.

If SB 173 is enacted, businesses would not have to comply with any state regulations with stricter standards than federal law.  While businesses need to comply with federal law, this should not stop states from implementing higher standards to protect their residents. This suggested revision hurts individuals' privacy rights as compliance is limited to the lowest common denominator and doesn't aspire to improve safeguards beyond minimum standards.

While some commentators previously commended MA for leading the way on data privacy protections, this proposal brings us back, at best, to the status quo--a review of data breach news headlines demonstrates the status quo simply isn't working or protecting peoples' privacy. MA has a chance to take the lead in protecting individuals' privacy rights and punting isn't the best option.

In the end, so long as economic incentives and business interests are placed before individuals' rights, then privacy rights are at risk. I hope Massachusetts opts to lead the way on protecting privacy and doesn't adopt the proposed amendment. 

The timing of this proposed amendment baffles me, why gut a law the state legislature passed that hasn't even been given a chance to work?

Next, I'll discuss the data encryption and data protection methods that are being stripped away under the proposed change.

• Email This
• Print
• Comments
• Trackbacks

Massachusetts Senate Bill No. 173 (PDF file), introduced earlier this year, would amend M.G.L. 93H (MA Data Security Law) and effectively water down the law while reducing the Office of Consumer Affairs and Business Regulation's (OCABR) authority to protect Massachusetts consumers' privacy rights.

These proposed changes to the data protection law are a timely topic as the original MA law was passed following TJX's large-scale data breach. TJX has recently entered into a $9.75 million settlement with 41 states over their data breach. According to the Boston Herald in, TJX to pay states $9.75M in data breach settlement,

The $9.75 million settlement payment includes $2.5 million to establish a data security fund for the states and $1.75 million to cover the states’ investigations into the data breach. Massachusetts will receive more than $950,000 of that money.

The Herald reports, Attorney General Martha Coakley, who was a driving force for all states' involved, said in a statement

Protecting consumers’ personally-identifiable information is of paramount importance to prevent fraudulent use of credit and identity theft.

All retailers and companies that hold or use personally-identifiable information must employ data security systems that guard against the improper disclosure or use of that information. This settlement ensures that companies cannot write-off the risk of a data breach as a cost of doing business.

The Identity Theft Assistance Center (ITAC) blog, in TJX Agrees to Pay $9.75 million to 41 States in Data Breach Case, states:

The company [TJX] also stated in an official news release that it “firmly believes it did not violate any consumer protection or data security laws.” However, California Attorney General Jerry Brown had a different POV [point of view] and cited the company’s 2004 internal audit, which found security vulnerabilities. ... "TJX ignored flaws in its credit card database, until hackers broke into it, gaining access to the personal information of almost 50 million people..."

In the wake of the TJX settlement, under MA Attorney General Coakley's and other attorney generals' realized efforts, it's disappointing to see present attempts to water down the Massachusetts data protection law by state legislators. In coming posts I'll discuss four changes being proposed and how each fails to help consumers or protect individual privacy rights. Thus the title of this series, "An Act Ensuring Less Privacy of Massachusetts Resident's Data" which plays off of the proposed act's title "An Act ensuring the privacy of certain data."

• Email This
• Print
• Comments
• Trackbacks

Paul McNamara at Buzzblog posts in Bozeman backs down on demanding passwords that the flood of complaints over Bozeman, Montana's policy of requesting online account names and passwords of potential hires has led to that practice being discontinued. I commented on his blog as it reminded me of the discussion I recently had with a Patriot Ledger's Reporter, Julie Onufrak. During a recent interview, we were discussing the limits of industry self-regulation when it comes to privacy rights and the need for laws that protect them. I don't think self-regulation works when it comes to peoples' rights and whether it's demonstrated by a Sears' settlement or Bozeman's practices, my point is that we need clear laws that protect individuals and their privacy rights.

Here are my comments on buzzblog about the Bozeman situation:

It's good to see the policy change go into effect, but there's always another issue to consider anytime a privacy invasion occurs. What happens to the data that was collected? Recently the FTC entered into an agreement with Sears that required they stop collecting private consumer data in a certain manner, but also that they destroy the data which had been collected that way. This gets even trickier, however, when government agencies are the ones collecting private data as there are Freedom of Information Act and other sunshine laws that can give citizens access to government records. While it's good to see a policy change in Bozeman, it would be even better to see legal standards in place that go beyond self-policing or self-regulation.

To me the unifying theme is one that keeps popping up in privacy issues, if individual privacy rights are not being treated as recognized rights which are held by an individual, then efforts to protect them will fail. In order to protect privacy, bright-line laws giving individuals the right to enforce those rights must to be enacted and not left for government enforcement, but provide private remedies as well. Unfortunately, I don't think government see it that way, FTC Provides Views on Behavioral Advertising to House Subcommittee. I think this is true in Washington and as recent legislative efforts indicate, here in Massachusetts, too--which I'll post about shortly.

• Email This
• Print
• Comments
• Trackbacks

Does privacy matter? I was recently reviewing excerpts from an earlier interview by International Association of Privacy Professionals with Bruce Schneier where he was asked, "Is privacy the new environmentalism?" Schneier's reply was prescient,

Yes, and data is the pollution problem of the Information Age. Think about it. All computer-mediated processes produce data. Unless dealt with, it stays around. And its after-effects can be pretty toxic. And, just as 100 years ago we ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. And, I believe, 100 years from now our great-grandchildren will look back at the decisions we made and wonder how we could have been so ignorant and short-sighted.

• Email This
• Print
• Comments
• Trackbacks

Thank you to the folks at e-Justice Blog for including Privacy Law and Policy in their 50 Best Blogs for Privacy Nuts. It's an honor to be included and also to be among the top ten blogs in the Law and Policies category.

e-Justice covers issues from cyber-law to personal security and aims to promote a more pro-active and informed citizenry by tackling issues of justice that affect people's safety and well-being.

• Email This
• Print
• Comments
• Trackbacks

The Computer Fraud and Abuse Act (CFAA) prohibits accessing a computer without authorization. The law has been used in civil cases in a variety of contexts for some time. The CFAA drew attention last year, however, when it was applied in the criminal prosecution of Lori Drew in the suicide of Meghan Taylor Meier, a 13 year old girl, who committed suicide after being cyber-bullied and harassed by Drew.

The cyber-bullying involved Drew pretending to be someone else on a fictitious MySpace account created by Drew. The account's use was "unauthorized" under the MySpace terms of service. The breach of MySpace's terms of service was used to apply the CFAA and support Drew's criminal conviction. This use of a private company's terms of service agreement to apply criminal liability under the CFAA led many to argue the case has far reaching consequences. A number of critics of the case asserted the case went too far while others hailed it as a positive step toward protecting children online. Regardless, the case illustrates the changing nature of our laws, technology, and the emerging attempts to apply existing laws in novel ways, especially in those areas where the law may be lagging behind technology's pace.

Orin Kerr, at The Volokh Conspiracy blog, posts about a case seeking to test or expand the CFAA criminal liability theory even further.  In Lori Drew, Take2? The Government's Computer Fraud and Abuse Act Prosecution in United States v. Nosal, Kerr offers,

... the government is testing a similarly broad theory of the CFAA, if not an even broader one. The case is United States v. Nosal, No. CR 08-0237 MHP, ....

• Email This
• Print
• Comments (1)
• Trackbacks