Privacy Law and Policy : Privacy Lawyer & Attorney : Kevin Whitaker Law Firm : Patient Confidentiality, Defamation, Identity Theft : Privacy Law & Policy Blog

The Massachusetts Supreme Judicial Court recently reversed four indictments of Matt H. Zubiel for an attempt to disseminate matter harmful to a minor, under M.G. L. c. 272, § 28, and as defined in M.G. L. c. 272, § 31. Each indictment was based on Internet conversations between Zubiel and an undercover police officer on different days.

Deputy Sheriff Melissa Marino, a member of the "high-tech evidence analysis team" in the Plymouth County sheriff's department, conducted undercover investigations of crimes, including child pornography and child enticement. Marino created an undercover screen name, "Melissa QT 1995 and set up a Yahoo profile describing herself as "Meliss Smith" from the South Shore, age thirteen, and in the eighth grade. Her profile invited others to "PM" her (a form of instant messaging) if they wanted to send her a "private message."
 

On February 8, 2006, Zubiel with a screen name of "Ilikesports04," said, "Hi, how are you?" Marino informed Zubiel she was thirteen years old. He indicated he was age twenty-five. Their first online chat lasted forty-two minutes with Zubiel asking Marino for a photograph.  She emailed him photographs of herself when she was thirteen years old. They discussed where each lived and they gave physical descriptions of themselves. Zubiel asked Marino, "[You] ever fool around with boys?" and other questions regarding what she had done with boys, how old the boys were, and additional details about those events.

• Email This
• Print
• Comments
• Trackbacks

Ross Clark's book, The Road to Big Brother, One Man's Struggle Against the Surveillance Society, involves Clark's experience in avoiding CCTV cameras and surveillance efforts in England. PrivacyDigest's review of the book, states (in part):

Ross Clark lays bare the astonishing amount of personal data which is hoarded by the state and by commercial organizations, and asks whom should we fear most: the government agencies who are spying on us - or the criminals who seem to prosper in the swirling fog of excessive data-collection.

As a city councilor, I was surprised to see surveillance cameras recently installed on new sets of local traffic lights. I wondered, "Who decides where these go and who will have access? Why are they there?" "Why didn't I have to approve these?"

I realize there's a practical argument for the potential advantages, such as recording accident data, raising compliance with safe driving laws, and, of course, avoiding traffic. In fact, the Connecticut Department of Transportation site lets you view traffic camera images that are updated every five minutes. The Boston SmarTraveler site offers several views, too.

But are things like Google Earth, government surveillance, and private webcams streaming on the web taking us into unchartered territories? I was excited to use Google Earth to see where my wife lived in Spain or others' travels. I've been on guided tours from the comfort of our home and they were fun experiences. But is there a trade off for fun?

• Email This
• Print
• Comments
• Trackbacks

Massachusetts Senate Bill No. 173 (PDF file) introduced earlier this year, would amend M.G.L. 93H (Massachusetts data protection law) and effectively water down the Office of Consumer Affairs and Business Regulation's (OCABR) authority (as well as their data protection regulations) on a few fronts. I'm reviewing four of the proposed changes in separate posts. Today, I'll examine a proposed change which requires different strokes for different folks, or rather different legal standards for protecting people's personal data. The proposed change adds,

Notwithstanding the rules adopted by the department [OCABR] ..., said department shall create separate regulations for small businesses ... that reflect said small businesses unique situation and resources.

Thus, under this proposed change, the law would not apply evenly, but would depend on the size of the business and require separate standards be promulgated for small businesses. Perhaps it sounds reasonable when looked at from the perspective of protecting small businesses, but this change implies a person's privacy rights matter less depending on who is allowing them to be trampled upon. Should the law allow for different standards when it comes to individuals' rights or should the emphasis be on protecting the absolute rights held by individuals instead?

• Email This
• Print
• Comments (2)
• Trackbacks

Does privacy matter? I was recently reviewing excerpts from an earlier interview by International Association of Privacy Professionals with Bruce Schneier where he was asked, "Is privacy the new environmentalism?" Schneier's reply was prescient,

Yes, and data is the pollution problem of the Information Age. Think about it. All computer-mediated processes produce data. Unless dealt with, it stays around. And its after-effects can be pretty toxic. And, just as 100 years ago we ignored pollution in our rush to build the Industrial Age, today we're ignoring data in our rush to build the Information Age. And, I believe, 100 years from now our great-grandchildren will look back at the decisions we made and wonder how we could have been so ignorant and short-sighted.

• Email This
• Print
• Comments
• Trackbacks

Thank you to the folks at e-Justice Blog for including Privacy Law and Policy in their 50 Best Blogs for Privacy Nuts. It's an honor to be included and also to be among the top ten blogs in the Law and Policies category.

e-Justice covers issues from cyber-law to personal security and aims to promote a more pro-active and informed citizenry by tackling issues of justice that affect people's safety and well-being.

• Email This
• Print
• Comments
• Trackbacks

In my recent post, Encryption and the Right to Maybe Remain Silent, I discussed the government's efforts to obtain encrypted evidence on a laptop. The issue was whether an individual can be forced to decrypt incriminating information. While this area of law has many new questions, there's always more than one way to skin a cat.

Even in cases, where a encryption was not ordered, the government may have taken actions to find encryption keys through a keylogger (which records keystrokes) or other devices. Declan McCullagh discussed this in his 2007 cnet post, Feds use keylogger to thwart PGP, Hushmail -

A recent court case provides a rare glimpse into how some federal agents deal with encryption: by breaking into a suspect's home or office, implanting keystroke-logging software, and spying on what happens from afar.

• Email This
• Print
• Comments
• Trackbacks

If data is encrypted, can the police force you to decrypt it or provide them with an unprotected copy? What about self-incrimination and abrogating one's right to remain silent? 

• Email This
• Print
• Comments
• Trackbacks (1)

In NY, there's been some back and forth on the issue, but it now appears the police may not approach your car, attach a GPS tracking device to it, and then monitor your whereabouts without a warrant (unless an exception to a warrant exists.) In Does Technology Have to Trump Privacy Right,Nicole Black previously discussed the recently decided NY case of People v. Weaver (PDF).

Previously in Weaver (decided June 5, 2008) the State of New York Supreme Court Appellate Division [the Appellate division sits below State Court of Appeals] found a vehicle owner's reasonable expectation of privacy was not violated when a GPS device was placed under the bumper of the defendant's van while it was parked on a public street. Data retrieved from the GPS was later used as evidence in Weaver's criminal convictions. See PDF.

• Email This
• Print
• Comments
• Trackbacks

A three member U.S. District Appeals Court for the District of New Mexico finds a familial (family) connection to a suspect supports neither probable cause for a search warrant, nor reasonable suspicion for an investigative detention of a relative. Further, officers who get this wrong can't raise "qualified immunity" as a defense in a § 1983 lawsuit.

This case demonstrates the difficulties that often arise between police powers and individuals' privacy rights. Those who favor broader police powers will decry this ruling and argue it will have a chilling effect on law enforcement. Alternatively, others will celebrate a ruling which recognizes individuals' protections from unreasonable search and seizures (due primarily to a familial relationship) and that also gives these rights a civil remedy which has some teeth.

In this case (PDF here), officers obtained a warrant and ordered the search of a murder suspect's in-laws' property. Later, officers also stopped the suspect's sister-in-law in an investigative detention. The court held the officers actions in both cases violated the in-laws' Fourth Amendment rights and ruled,

we hold that a familial relationship is insufficiently particularized to justify invading an individual's reasonable expectation of privacy. ... Applying this rule to the present case, we conclude that the...status as...in-laws, combined with the meager additional facts..., were insufficient to support a finding of either probable cause to search the property or reasonable suspicion to detain [the sister-in-law.]

• Email This
• Print
• Comments
• Trackbacks

The Massachusetts Supreme Judicial Court is expected to hear arguments today on the use of recorded jailhouse calls in the prosecution of John Odgren. Odgren is accused of murdering a 15 year-old student at Lincoln-Sudbury High School. A lower court ruling had excluded tapes of Odgren's jailhouse phone calls which had been obtained by the prosecution through a subpoena. The SJC's opinion could have far-reaching implications in future prosecutions throughout the Commonwealth of Massachusetts.

• Email This
• Print
• Comments
• Trackbacks

The Computer Fraud and Abuse Act (CFAA) prohibits accessing a computer without authorization. The law has been used in civil cases in a variety of contexts for some time. The CFAA drew attention last year, however, when it was applied in the criminal prosecution of Lori Drew in the suicide of Meghan Taylor Meier, a 13 year old girl, who committed suicide after being cyber-bullied and harassed by Drew.

The cyber-bullying involved Drew pretending to be someone else on a fictitious MySpace account created by Drew. The account's use was "unauthorized" under the MySpace terms of service. The breach of MySpace's terms of service was used to apply the CFAA and support Drew's criminal conviction. This use of a private company's terms of service agreement to apply criminal liability under the CFAA led many to argue the case has far reaching consequences. A number of critics of the case asserted the case went too far while others hailed it as a positive step toward protecting children online. Regardless, the case illustrates the changing nature of our laws, technology, and the emerging attempts to apply existing laws in novel ways, especially in those areas where the law may be lagging behind technology's pace.

Orin Kerr, at The Volokh Conspiracy blog, posts about a case seeking to test or expand the CFAA criminal liability theory even further.  In Lori Drew, Take2? The Government's Computer Fraud and Abuse Act Prosecution in United States v. Nosal, Kerr offers,

... the government is testing a similarly broad theory of the CFAA, if not an even broader one. The case is United States v. Nosal, No. CR 08-0237 MHP, ....

• Email This
• Print
• Comments (1)
• Trackbacks