08-732 LAW OF COMPUTER TECHNOLOGY FALL 2009
COPYRIGHT © 2009 MICHAEL I. SHAMOS
Data Privacy
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research
School of Computer Science
Carnegie Mellon University
What is Privacy?
• Many different concepts all collected under the single word “privacy”
• Protection against intrusion into one’s “space”
– Protection from Government (4th Amendment)
– Freedom from publicity, disclosure of embarrassing facts (“Invasion of Privacy”)
– Protection from telemarketers
• Protection in cyberspace
– Anti-spam
– Web data collection
– Protection from data disclosures and leaks
What is Privacy?
• Bodily privacy (Roe v. Wade)
• Communications privacy
– Against eavesdropping, wiretapping
– Electronic Communications Privacy Act
• Identity privacy
– Anonymity
• Data privacy
– Right to control collection, use and dissemination of non-public personal information
What is Privacy?
• A bundle of rights recognized by the law protecting against various intrusions into one’s existence
• Why do we need privacy?
• It has survival value
• Public desire for privacy is not matched by the law
• Laws are incomplete, inconsistent and in flux
• Differ by state & country
• Difference between legal and ethical standards
What’s a Right?
• U.S. Declaration of Independence (1776):
“We hold these Truths to be self-evident, that all Men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty, and the Pursuit of Happiness”
“That to secure these rights, Governments are instituted among Men, deriving their just Powers from the Consent of the governed”
• U.S. Constitution (1789):
“We the People of the United States, in Order to form a more perfect Union … and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”
Data Privacy
• Who “owns” data about you? Can data be owned?
– Facts (residence, phone #, age), e.g. Allegheny County Property
– Sales information
– Habits, personal preferences
– Message traffic
• Problem: electronic collections are subject to greater abuse than paper ones
• Problem: having everything online is different from just having records be public
• Policy: is it the data or its use that requires protection?
U.S. Privacy Law
• No definition of “privacy”; few legal principles
• Federally protected categories: financial, educational, medical
• State: limited, usually embarrassing facts or photos
• Constitutional basis?
– 4th amendment: government searches
– “liberty” as right of privacy
• State constitutions
California Const. Art. I, §1: “All people are by nature free and independent and have inalienable rights. Among these are ... pursuing and obtaining safety, happiness, and privacy.” (Not in the 1849 Constitution)
Hawaii Const. Art. 1, §6: “The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest.” (Added in 1978)
Privacy Act of 1974, 5 U.S.C. §552a
• Deals with disclosure of Federal Government records on individuals
• “No agency shall disclose any record … to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [except … ]”
– … the record is to be transferred in a form that is not individually identifiable;
– authorized law enforcement
– health or safety
– Congress
– court order
Privacy Act of 1974
• “No agency shall disclose any record … to any person, or to another agency, except … with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be --
– … used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable” (not a defined term)
• Restriction on “matching programs”
– any computerized comparison of -- (i) two or more automated systems of records … [certain exceptions]
Privacy on the Web
• Posted privacy policies are legal representations
• Violation of privacy policy by a website is deceptive advertising and an unfair trade practice
• The Federal Trade Commission acts on behalf of consumers
• Vigorous enforcement
– Example: In the Matter of Microsoft Corporation
• FTC is the leading U.S. government privacy watchdog
– Is this good? (It was never intended.)
Family Educational Rights and Privacy Act (FERPA, Buckley Amendment)
20 U.S.C. §1232g
• “No [federal] funds shall be made available … to any educational agency or institution which has a policy or practice of permitting the release of educational records … of students without the written consent of their parents to any individual, agency, or organization,” [except]
– other school officials (under certain conditions)
– schools to which student has applied
– financial aid
– Comptroller General of the U.S.
– health or safety emergency
– …
Gramm-Leach-Bliley, 15 U.S.C. §6801
• “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”
• Protects “consumers”
– “individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes”
• Applies to “nonpublic personal information”
• Notice
– no disclosure to unaffiliated third party w/o notice to consumer
• Opt-out
– consumer may elect to refuse disclosure
Remedies for Data Leak
• What happens if a company collects personal data but does not secure it adequately?
• Suppose hackers manage to steal the data (by committing a crime and breaking into the data system)?
• Is the data collector liable for negligence?
• What are the damages?
Pisciotta v. Old National Bancorp (7th Cir. Aug. 23, 2007)
• Pisciotta was a customer of ONB
• ONB solicited personal information from Pisciotta online
• The ONB site was hosted by NCR Corporation
• NCR’s facility was hacked through an intrusion that was “sophisticated, intentional and malicious”
• Pisciotta filed a class action suit against ONB for failing to adequately protect personal information
• There was no proof that any personal information had actually been stolen
• No evidence of any identity theft
Pisciotta v. Old National Bancorp
• Plaintiffs paid for credit monitoring to see whether their information had been misused
• ONB moved for “judgment on the pleadings,” a legal step in which the court is asked to rule that even if everything the Plaintiff is saying is true there can still be no recovery
• The District Court ruled for ONB because no injury had occurred
• Indiana had a statute requiring notification for information breaches, not compensation or any standards of protection
• Pisciotta appealed to the 7th Circuit
Pisciotta v. Old National Bancorp
• Showing negligence requires proving a compensable injury
• The legislature gave no hint that breaches not leading to provable injury should be compensable
• Dismissal affirmed
Employer Surveillance
• In general, surveillance by the employer is legal if
– the computer being monitored belongs to the employer; or
– the computer is connected to the employer’s network; and
– even if communications are encrypted
• McLaren v. Microsoft Corp., No. 05-97-00824 (Tex. Ct. App. May 28, 1999).
– Employee used private password to encrypt email messages stored on office computer.
– Company decrypted and viewed files.
– Email account and workstation were provided for business use, so Microsoft could legitimately access data stored there.
• Notice of Electronic Monitoring Act (CT)
– Versions introduced in other states and Congress
Tiberino v. Spokane County, 13 P.3d 1104 (2000)
• Gina Tiberino worked for Spokane County, WA
• She misused her office computer for personal email and was fired
• She threatened to sue; Spokane printed out her email (551 messages; 467 were personal)
• The media requested copies
• Tiberino sued to prevent disclosure
• Held, the emails were “public records” but the contents were exempt from disclosure. The fact of the emails, not their contents, was of public interest
Anonymity (U.S.)
• Freedom to publish anonymously is guaranteed by the First Amendment. McIntyre v. Ohio Elections Comm’n, 514 U.S. 334 (1995). Basis: Federalist Papers (1787-1788)
• Are you anonymous if your ISP can be forced to identify you?
• Currently a VERY HOT topic because of efforts of the recording industry to identify file swappers
– Not strictly a privacy rights matter because the Digital Millennium Copyright Act specifically authorizes such subpoenas
Subpoenas to Identify
• No privilege between a user and an ISP. But ISP may have standing to assert user’s rights, especially First Amendment rights
• In re Subpoena Duces Tecum to America Online, Inc. (Anonymous Publicly Traded Co. v. Doe), Va. Cir. Ct., Fairfax Cty., Misc. Law No. 40570, 2/7/00
• Company alleged it was defamed by an anonymous AOL subscriber
• Company did not want to identify itself, but demanded in a subpoena that AOL identify the subscriber
• (Underlying case was in Ohio; AOL is in Virginia)
Subpoenas to Identify
• Lower court allowed the subpoena. Opinion.
• Gave a test for subpoenas to identify a user:
– are pleadings and evidence supplied to the court satisfactory?
– does the party requesting the subpoena have a legitimate, good faith basis that it may be the victim of actionable conduct?
– is identifying the subscribers central to advancing the claim?
America Online, Inc. v. Anonymous Publicly Traded Company, Record No. 000974
• The Virginia Supreme Court REVERSED the decision to allow the anonymous subpoena. See opinion
• HELD, anonymous plaintiff could be given subpoena power only if it would suffer exceptional harm, such as social stigma, or extraordinary economic retaliation, as a result of exposing its identity
• Company subsequently dropped the lawsuit
Tattered Cover, Inc. v. City of Thornton, Case 01SA205, Colorado Supreme Court, April 8, 2002
• Tattered Cover is a bookstore in Denver, CO. Thornton is nearby.
• Police believed a home in Thornton was housing drug operations
• Search by warrant revealed drug equipment, 2 books on drug manufacture and a discarded package from the Tattered Cover
• Police obtained a search warrant for sales records of the bookstore to learn who bought the drug books. Bookstore appealed.
• Colorado Supreme Court held: “the First Amendment embraces the individual’s right to purchase and read whatever books she wishes to, without fear that the government will take steps to discover which books she buys, reads, or intends to read.”
• Requires “compelling state need” and prior hearing before a warrant may issue against an “innocent” bookstore
Major Ideas
• There is no general agreement on what data privacy is or ought to be
• Privacy laws are a patchwork of incomplete and inconsistent federal and state statutes
• Most state rights of privacy are very narrow
• Federal law protects medical, financial and educational information
• Failure to follow an announced privacy policy is a deceptive trade practice
Q&A
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• A “covered entity” may not use or disclose protected health information, except as permitted or required …
– pursuant to … a consent … to carry out treatment, payment, or health care operations
– pursuant to … an authorization
– pursuant to … an agreement (opt-in)
– [other provisions]
45 CFR §164.502
• Health information that meets … specifications for de-identification … is considered not to be individually identifiable health information
45 CFR §164.502(d)
What HIPAA Protects
• “Individually identifiable health information” is information that is a subset of health information, including demographic information collected from an individual, and: …
– relates to … physical or mental health or condition of an individual; … provision of health care to an individual; or … payment for … health care to an individual; and
– identifies the individual; or
– with respect to which there is a reasonable basis to believe the information can be used to identify the individual
45 CFR §164.501
De-Identification
• A covered entity may determine that health information is not individually identifiable only if: … the following identifiers of the individual or of relatives, employers, or household members of the individual are removed:
• Names;
• All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, …, except for the initial three digits of a zip code if …
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89…
• Telephone numbers; Fax numbers; email addresses; URLs; IP addresses
• Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers;
• Certificate/license numbers; vehicle identifiers, serial numbers, plate numbers;
• Device identifiers and serial numbers;
• Biometric identifiers, including finger and voice prints;
• Full face photographic images and any comparable images; and
• Any other unique identifying number, characteristic, or code; and
• The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
45 CFR §164.514
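As an added example (not from the slides, and not HHS guidance or any covered entity's code), the following Python applies the identifier-removal list above to one flat patient record: direct identifiers and sub-state geography are dropped, dates are reduced to the year, ages over 89 are collapsed, the ZIP code is cut to its first three digits, and free-text notes are scanned for identifier patterns. The field names, the sample record and the RESTRICTED_ZIP3 set are assumptions: the slide elides the condition under which the first three ZIP digits may be kept, so a caller-supplied set of prefixes that fail that condition stands in for it here.

```python
"""Safe Harbor de-identification of one record, following the identifier list
in 45 CFR §164.514 as summarized on the slide. Added example; field names,
the sample record and RESTRICTED_ZIP3 are constructed for illustration."""
import re
from datetime import date

# Direct identifiers that the rule removes outright.
DROP_FIELDS = {"name", "phone", "fax", "email", "url", "ip", "ssn", "mrn",
               "health_plan_id", "account", "license", "vehicle_id",
               "device_id", "biometric", "photo"}
# Geographic subdivisions smaller than a State are removed; "state" stays.
GEO_FIELDS = {"street", "city", "county", "precinct"}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Hypothetical stand-in for the ZIP condition the slide elides: ZIP3
# prefixes in this set are replaced by "000". Values are made up.
RESTRICTED_ZIP3 = {"036", "059"}

# Identifiers that leak into free text ("any other unique identifying
# number"); SSNs are matched first so the phone pattern cannot claim them.
TEXT_PATTERNS = [
    ("[SSN]", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[PHONE]", re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")),
    ("[IP]", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("[URL]", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
]


def zip_to_zip3(zip_code, restricted_zip3):
    """Keep the initial three digits, or "000" for a restricted area."""
    digits = re.sub(r"\D", "", str(zip_code))
    zip3 = digits[:3]
    return "000" if len(zip3) < 3 or zip3 in restricted_zip3 else zip3


def year_only(value):
    """Reduce a datetime.date or ISO 'YYYY-MM-DD' string to its year."""
    if isinstance(value, date):
        return value.year
    m = re.match(r"\s*(\d{4})-\d{2}-\d{2}", str(value))
    return int(m.group(1)) if m else None


def bucket_age(age):
    """Collapse every age over 89 into the single category '90+'."""
    return "90+" if age > 89 else age


def scrub_text(text):
    """Replace identifier patterns in free text with a bracketed tag."""
    for tag, pattern in TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def safe_harbor_deidentify(record, restricted_zip3=frozenset()):
    """Return a copy of `record` with the listed identifiers removed.
    The rule's last prong (no actual knowledge that the remainder could
    re-identify the subject) is a human determination, not automated here."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS or key in GEO_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "zip":
            out[key] = zip_to_zip3(value, restricted_zip3)
        elif key == "age":
            out[key] = bucket_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "street": "12 Example Lane", "city": "Pittsburgh",
    "state": "PA", "zip": "15213-3890", "birth_date": "1917-03-04",
    "admission_date": date(2009, 10, 5), "age": 92, "phone": "412-555-0100",
    "email": "jane@example.com", "mrn": "MRN-000123", "diagnosis": "hypertension",
    "notes": "Contact spouse at 412-555-0199 or spouse@example.com; SSN 123-45-6789 on file.",
}


def deidentify_sample():
    """De-identify the constructed record with the constructed ZIP set."""
    return safe_harbor_deidentify(SAMPLE_RECORD, RESTRICTED_ZIP3)


if __name__ == "__main__":
    for key, value in deidentify_sample().items():
        print(f"{key}: {value}")
```

The structured fields are handled mechanically, but the regex pass over `notes` is only a heuristic: an identifier written in a form the patterns do not anticipate survives, which is why the rule also lists "any other unique identifying number, characteristic, or code" and ends with the actual-knowledge prong that no program can satisfy on its own.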