

From PLI’s Course Handbook

Communications Law in the Digital Age 2009

#18947

4

Privacy protection, Safety and Security

Jane E. Kirtley

University of Minnesota

The author gratefully acknowledges the invaluable assistance of Cary Snyder, a University of Minnesota law student and Silha Center research assistant, in the preparation of this outline. We also utilized research by Jacob Parsley, a University of Minnesota law student, and Patrick File, a University of Minnesota Ph.D. student, both Silha Center Fellows.

Table of Contents

I. DATA COLLECTION AND BEHAVIORAL ADVERTISING

A. Proposed Congressional Legislation

B. FTC on Self-Regulatory Behavioral Advertising Principles

C. Advertising Trade Groups Release Self-Regulatory Principles

D. European Regulators Aim to Protect Consumers, Retailers and Online Privacy

E. Maine Enacts Law to Restrict Marketing to Minors

F. Google Sees Up and Down Battle in AdWords Lawsuits

G. FTC Seeks to Monitor Blogs for Endorsements

II. IDENTITY THEFT AND DATA PROTECTION LAWS

A. ‘Red Flags Rule’ Set to Take Effect

B. Proposed Federal Legislation to Protect Personal Data, Require Notification

C. HIPAA Breach Notification Rule Issued

D. Supreme Court Requires a ‘Knowing Theft’ for Aggravated Sentence

E. Social Security Numbers Can Be Guessed

F. Massachusetts and Nevada Encryption Laws Could Become National Standard

G. Class Actions in ID Theft and Data Breach Cases

H. Hacking: Threats and Consequences

III. GOVERNMENT AND PRIVATE SECTOR SURVEILLANCE AND DATA MANAGEMENT

A. Unclassified Report on U.S. Wiretapping

B. Court Challenges to Wiretapping Program

C. Emerging Technology to Monitor Government Snooping

D. Google Street View Seen as Privacy Threat

E. RFIDs Can Be Tracked

F. Videos Lead to Accusations of Breaking Privacy Laws

G. Entrusting Google, Amazon With Personal, Public Records

H. Bloggers in Court

I. Advances in Phone Technology Bring Benefits, Risks

J. Redaction Methods May Not Serve Their Purpose

IV. DATA PRIVACY IN THE WORKPLACE AND ON CAMPUS

A. Requests for Passwords to Social Networking Sites

B. Be Wary of Writing Reviews on LinkedIn

C. Confusion and Abuses of FERPA

D. Split Develops in Application of Computer Fraud and Abuse Act

E. Limits to What Employers Can Know, Say About Employees

F. N.J. Law Would Prohibit Prosecuting Teens for “Sexting”

V. SOCIAL NETWORKING SITES: PRIVACY CONCERNS AND POTENTIAL PITFALLS OF USE

A. EU Regulators Recommend Stricter Rules

B. Canada Privacy Commissioner Warns Facebook To Tighten Privacy Controls

C. Reporters’ Use of Social Networking Sites

D. Sites Offer a Vehicle for Scams and Viruses

E. Court Cases Involving Social Networking Sites

F. Chinese Social Networking Sites Go Offline

When considering online privacy protection, safety, and security, lawmakers and regulators struggle to keep pace with rapidly emerging technologies that raise new challenges. Balancing traditional notions of privacy and the First Amendment with technological advances is further complicated by the need to consider any proposed oversight in light of international regulatory developments. Any discussion of data privacy and security must address comparable initiatives abroad, both as a means to explore emerging regulatory ideas in this country and to understand the rules that will govern entities such as Google and Facebook, headquartered in the United States, but with users around the globe.

I. DATA COLLECTION AND BEHAVIORAL ADVERTISING

A. Proposed Congressional Legislation

House lawmakers have announced plans to develop national privacy legislation designed to provide Internet users more control over the information that is being collected about their online activity.[1] Rep. Rick Boucher (D-Va.), chairman of the House Internet subcommittee, the entity leading the legislative effort, believes “consumers are entitled to some baseline protections” from behavioral advertising.[2] Toward this end, a Senate committee and two House subcommittees have held hearings to learn about the benefits, potential abuses, and privacy concerns arising from Internet use.[3] Representatives of Internet service providers (ISPs), online advertisers and consumer groups are among those who have provided insight on the current state of private sector monitoring of Internet use. These individuals and groups have also offered suggestions on what the proposed legislation should include.

The reality that consumers’ online activity can be tracked and fed back to them as targeted advertisements raises privacy concerns, but lawmakers have been urged to take into consideration the benefits consumers, ISPs and online retailers receive from the technology, particularly in a depressed economy. Boucher has tentatively proposed some “baseline” measures. These include an easy-to-find privacy policy alerting consumers to what information is collected about them, how it is used, stored and whether it is sold to third parties, as well as the ability to opt-out, or prevent parties from using the information.[4]

1. What is deep packet inspection, or DPI?

Deep packet inspection (DPI) is a developing technology that enables ISPs to open every packet of information sent over the Internet, read its entire contents and treat it differently based on what it includes. This treatment could include adding advertising information, collecting data about users or blocking the content altogether. A common analogy used to describe DPI is to think of the United States Postal Service starting a side business to open every letter, read its contents, and sell the information inside without the consent of the sender or recipient. Without the use of DPI, Internet service providers simply read the top level of routing information as it passes through the network, similar to how postal employees read the address on an envelope to ensure it reaches its correct destination.[5]

Aside from the privacy implications of DPI, some worry that the technology will enable an ISP to block, or at least slow, the transmission of content that does not help its bottom line finances while letting other traffic take priority. “The thought that a network operator could track a user’s every move on the Internet, record the details of every search and read every e-mail or attached document is alarming,” Boucher said at the outset of a subcommittee hearing on April 23, 2009, on recent developments in consumer privacy. Consumers often do not know information is being collected about them online, and if they do, they often do not know who is collecting it or how it will be used. “In the absence of legal rules, companies that are gathering this data will be free to use it for whatever purpose they wish – the data for a targeted ad today could become a detailed personal profile sold to a prospective employer or government agency tomorrow,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a non-partisan research organization.[6]

2. Opt-in or opt-out?

A contentious point as Congress drafts Internet privacy legislation is whether to mandate an opt-in or opt-out policy. In general, consumer groups favor a ban against the collection of data on consumers’ online habits unless they explicitly agree to its collection, while Internet companies generally favor opt-out policies.[7] Anne Toth, head of privacy for Yahoo! Inc., argued against drawing a bright line between the two options. “The answer is that it’s not one or the other – it’s both. Some services and models should require an opt-in approach, while, for other models, an opt-out is a more appropriate default,” Toth said. She contended that the decision between whether to use an opt-in or opt-out approach for a particular service requires considering “whether everything a user does online is collected through the service.”[8]

3. Benefits of DPI

In addressing the privacy concerns raised by deep packet inspection, Congress must also balance the benefits the technology provides. These benefits go beyond the targeted advertisements that are likely to increase revenues for advertisers and retailers. Kyle McSlarrow, president and CEO of the National Cable and Telecommunications Association, identified several pro-consumer purposes of the technology. First, it can be used to detect viruses and prevent spam to guard against invasions of subscribers’ home computers. Second, it can allow cable operators to plan for network growth by anticipating the needs of their subscribers. Third, it enables network operators to accurately respond to requests from law enforcement to intercept communications. McSlarrow also touted packet inspection as a tool in providing more choices and controls as Internet technology evolves, such as advanced parental controls over the streaming videos watched by children.[9]

4. Use of Behavioral Advertising

Companies that employ DPI for targeted advertising often stress that the information intercepted is anonymous in nature and that they only use a limited amount of the available data. “However, the privacy concerns that arise from the use of DPI begin with the interception, diversion, or copying of substantially all of the Internet traffic of all subscribers. Just because ISPs or advertising networks may use only a small portion of what is captured and do not retain other information does not diminish the breadth and intrusiveness of the initial data capture,” said Leslie Harris, president and CEO of the Center for Democracy and Technology.[10]

Internet companies take varying approaches to collecting and using data for targeted advertising. Facebook claims its use of targeted advertising enables the company to offer the social networking site free of charge. Chris Kelly, Facebook’s privacy officer, explained to lawmakers that Facebook uses information in individual profiles, such as someone’s favorite movies, but that this is transmitted to third parties in non-personally identifying form. For example, Kelly said users may see an advertisement for a film screening based on what they list as their favorite movies, but personally identifying information (name, e-mail address and other contact information) will not be given to advertisers. Kelly acknowledged the company may have previously been “inartful in communicating with our users and the general public about our advertising products,” but that “users should choose what information they share with advertisers.”[11]

In March 2009, Google announced it would move toward interest-based advertising in which advertisements would be shown to consumers based on the Web pages they visit and the YouTube videos they watch online. Users have the ability to view, add and remove the categories (sports, travel, cooking, etc.) used to show them interest-based ads when they visit Web sites. Users can also opt-out of interest-based ads altogether.[12] AT&T Inc. says it is committed to developing an opt-in policy that will require affirmative, advance action by the consumer before his online practices will be tracked for behavioral advertising.[13]

5. Safeguards in Place

Self-regulation may already prevent some abuses of DPI. “Good privacy protection is also good business,” said McSlarrow, who added that cable ISPs have used DPI legitimately “for many years now – and for many good reasons.”[14] Some specific uses of DPI may already be prohibited under the federal Wiretap Act, 18 U.S.C. §§ 2510-2522, and the Cable Act, 47 U.S.C. § 553. However, the boundaries of the Wiretap Act as it applies to DPI are not clear in all contexts. “Moreover, the Act was last modified more than 20 years ago and has not kept pace with technology. It simply does not provide sufficient protection to consumers against DPI’s risks,” Harris said. She cautioned that there are difficulties in providing adequate notice and consent between consumers and Internet service providers, particularly in instances when more than one person uses a single Internet connection.[15]

B. FTC on Self-Regulatory Behavioral Advertising Principles

On Feb. 12, 2009, the Federal Trade Commission released a report proposing self-regulation guidelines for behavioral advertising.[16] The guidelines center on four governing concepts. First, companies should notify consumers they are collecting information for advertising purposes and offer a choice about whether to allow the practice. Second, companies should provide reasonable security measures to protect data from falling into the wrong hands and should retain data only for so long as needed for legitimate business or law enforcement needs. Third, companies should obtain express consent from consumers before using data in a manner that is different than originally promised. Fourth, companies should also obtain express consent from consumers before using sensitive data – such as information about children, health or finances – for behavioral advertising.

1. Details on Principles

In response to comments the FTC received after it released an initial draft of proposed self-regulatory principles in December 2007,[17] the Commission elaborated on the guidelines in its 2009 report. The updated report proposes to apply the principles, including providing a choice for consumers to consent to data collection, to both personally identifiable information and non-personally identifiable information. Therefore, the principles would apply to any data “that reasonably could be associated with a particular consumer or with a particular computer or device.” The principles do not apply to contextual advertising, or advertising based on the content of a specific Web site rather than on data collected on a user over time. An example of contextual advertising is when a consumer is shown an advertisement for tennis rackets while visiting a tennis-focused Web site.

2. Commissioners React

Two FTC commissioners have released statements detailing their personal views about regulating behavioral advertising. Commissioner Pamela Jones Harbour opposes a legislative approach to behavioral advertising “at this time” because “there are still more questions than answers” about the industry and “any legislation should be part of a comprehensive policy agenda, rather than fostering the current piecemeal approach to privacy.” Jones Harbour also advocated for more Commission involvement because the results of self-regulation programs were “mixed at best.”[18] Commissioner Jon Leibowitz wrote separately to make sure that the report’s “endorsement of self-regulation is viewed neither as a regulatory retreat by the Agency nor an imprimatur for current business practice.”[19]

3. Consumers, Commission Keep a More Watchful Eye

In addition to issuing the guidelines, the FTC has allocated more staff attorneys to monitor the behavioral advertising industry, said Peder Magee, an attorney who oversees behavioral advertising issues with the FTC’s Bureau of Consumer Protection. “If the industry ignores the principles, they might not like the results,” Magee said.[20]

Consumers have started to take action when they suspect companies go too far in monitoring their Internet usage to create targeted advertisements. Internet subscribers filed separate class action lawsuits in California federal court against the online advertising companies NebuAd[21] and Adzilla.[22] The subscribers allege that the companies violated their privacy and Internet security rights by monitoring the content of their online activity without their consent in order to produce targeted ads. Scott Kamber, the plaintiffs’ attorney in both cases, said that as these “deceptive tactics” become more common in a slumping economy, “it’s going to be harder for [companies] to explain to a judge that this is appropriate.”[23]

C. Advertising Trade Groups Release Self-Regulatory Principles

In an effort to ward off federal regulation,[24] a consortium of advertising trade groups on July 1 released its own guidelines for how its members should use and collect data.[25] The report defines online behavioral advertising as “the collection of data online from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests inferred from such Web viewing behaviors.” The guidelines include seven governing principles: education, transparency, consumer control, data security, material changes, sensitive data and accountability.

These principles incorporate many of the self-regulatory measures advanced by the FTC in its Feb. 12, 2009, report, and in some cases go even further to protect consumer privacy. For example, the principles lay out a generally defined means of enforcement by instituting monitoring programs and requiring a way to collect complaints from the public. “Programs will also, at a minimum, publicly report instances of noncompliance and refer entities that do not correct violations to the appropriate government agencies,” the report says. The trade group report flatly prohibits the collection of information about children, and requires consent to collect health and financial data.

Similar to the FTC report, the trade groups would require that consumers be informed that information is being collected about them and would require their consent to do so. However, it is unclear if the trade groups go as far as the FTC wants by requiring consent to collect all data, including personally identifiable and non-personally identifiable data. The FTC welcomed the report, which has “the potential to dramatically advance the cause of consumer privacy,” FTC Commissioner Pamela Jones Harbour said in a statement after its release.[26]

The principles do not go as far as to require explicit approval of all data collection. Stuart P. Ingis, a partner at Venable LLP, which represents the trade groups, said such a measure would not be feasible. “If you had that as a default, you would wind up undercutting significantly the economic underpinnings for all the stuff the public loves,” Ingis said. “The way, operationally, that would work is every time a consumer’s doing their Web surfing, you’d be requiring them to click through all these options. Consumers would hate that.”[27]

Marc Rotenberg, executive director of the Electronic Privacy Information Center, called the principles “almost meaningless” and predicted that Congress would pass legislation hemming in information collection by advertisers. “There’s very little appetite in Washington today for self-regulation,” said Rotenberg. “People have no idea about how much information is being collected about them online.”[28]

The groups hope to have the accountability programs in place by the beginning of 2010, which would probably predate any federal legislation. The principles were developed by the American Association of Advertising Agencies, Association of National Advertisers, Council of Better Business Bureaus, Direct Marketing Association, and Interactive Advertising Bureau.

D. European Regulators Aim to Protect Consumers, Retailers and Online Privacy

1. Consumer Rights Directive

The European Commission launched a proposal in October 2008 for consumers’ rights throughout the European Union that would apply to shopping both online and in person. The current EU rules on consumer protection result from four EU directives.[29] These contain certain minimum requirements, but member states have added rules through the years, making EU consumer contract laws a “patchwork” of 27 sets of differing rules enacted over the past 20 years.[30] The proposed Consumer Rights Directive seeks to combine these into a standard set of rules governing contract terms, delivery obligations, a cooling off period, and repairs or replacements for faulty products.[31]

The proposal must be approved by the European Parliament and EU governments in the Council of Ministers before becoming law.[32] In July 2009, the UK’s House of Lords EU Committee publicly opposed approving the directive.[33] The committee questioned the two-year limit on a trader’s responsibility for repairing or replacing faulty goods because of a concern it could lead to the production of less durable items. The Committee did not call for the proposal to be scrapped and recognized the need to update EU consumer law. However, it pointed to other factors, such as culture, language, the cost and distance of delivery, as also playing a role in increasing cross-border trade.

2. Consumer Commissioner Wants Online Privacy Principles

European Commissioner for Consumer Affairs Meglena Kuneva in March urged the development of policies to regulate online behavioral advertising and safeguard consumer privacy. In her keynote address at the first ever European Consumer Summit in Brussels, Kuneva said, “The status quo is not an option. Currently, consumers have little awareness of what data is being collected, how and when it is being collected and what it is used for. And they are also not able to control this process.”[34] Kuneva touted Europe’s existing consumer policy principles and said that the key question moving forward is how to “apply these tested principles in [a] digital world.”

Kuneva urged the industry to develop self-regulating principles. In doing so, she raised many of the concerns shared by the FTC and members of Congress, including the inaccessibility of online privacy policies and the lack of clear opt-out systems to prevent the collection of online data. She called for more transparent privacy policies, meaningful opt-in or opt-out options, and clear identification of commercially sponsored messages. Kuneva also expressed concern for times when beneficial targeted advertisements might turn into “pressure,” such as when a person with high cholesterol views an online advertisement for recommended treatment.

3. UK’s Office of Fair Trading to Examine Internet Advertising

On Aug. 19, 2009, the United Kingdom’s Office of Fair Trading announced that it will study the impact on consumers of potentially misleading advertising and pricing of goods and services, with an emphasis on the Internet.[35] The study may also look at how personal information is gathered online for use in behavioral advertising. “The way that businesses advertise and price goods and services constantly evolves, and we need to keep up to date on how consumers view these adverts, and the types of advertising and prices which may mislead,” said Heather Clayton, senior director of the office’s Consumer Market Group.[36] The office was seeking input from consumer groups and businesses through Sept. 18, 2009, to determine the precise scope of the study.

E. Maine Enacts Law to Restrict Marketing to Minors

Maine has enacted a law that places limits on the collection of minors’ personal information and outlaws the use of such information for marketing purposes.[37] The Act to Prevent Predatory Marketing Practices Against Minors was set to take effect on Sept. 1, 2009. Section 9552 of the law prohibits knowingly collecting or receiving “health-related information or personal information for marketing purposes from a minor without first obtaining verifiable parental consent.” Section 9553 prohibits using any “health-related information or personal information regarding a minor for the purpose of marketing a product or service to that minor.”

Harry A. Valetk, a New York City Internet safety and consumer privacy attorney, believes ambiguities in the law pose some challenges. For example, does the law prohibit any Maine resident under age 18 from receiving materials about college prep services or military service?[38] Also, although Facebook bars minors age 12 and younger from using the site, it requires all users to agree to terms that consent to Facebook collecting some of their personal information. The Maine law could require Facebook to alter how it treats the personal information of many of its teenage users.

The law authorizes the Maine Attorney General’s Office to establish procedures for investigating alleged violations. A person about whom information is unlawfully collected can seek an injunction prohibiting the collection and recover damages up to $250 per violation. Civil penalties may also be assessed.

F. Google Has Up and Down Battle in AdWords Lawsuits

Lawsuits against Google Inc. accusing the company of selling trademarked keywords that affect the display of advertisements have become more popular after an April 2009 court ruling, but Google has stepped up its defense against the accusations. In these cases, known as AdWords suits after the name of Google’s targeted advertising program, plaintiffs claim that Google’s sale of trademarked keywords constitutes infringement because Google users who search for a particular term could then be shown competitors’ ads alongside results for the trademarked name.[39]

Google suffered a setback in April when the Second Circuit reinstated Rescuecom Corp.’s AdWords case that a district court had dismissed.[40] Rescuecom alleged violations under §§ 32 and 43 of the Lanham Act, 15 U.S.C. §§ 1114, 1125, for trademark infringement, false designation of origin, and dilution of Rescuecom’s eponymous trademark. The reversal inspired several more lawsuits, so that there were at least seven pending AdWords cases as of early August.[41] However, in response to a class action complaint filed by John Beck Amazing Profits LLC in federal court in Texas seeking to represent all trademark owners who have had their words sold,[42] Google countersued, seeking a declaration that its practices do not infringe on trademarks.[43]

Eric Goldman, a Santa Clara University School of Law professor who follows the AdWords litigation on his Technology & Marketing blog, said the plaintiffs face a difficult battle in proving trademark infringement, including having to combat Google’s extensive financial resources to defend the suits. In addition to the other elements of infringement, Goldman said plaintiffs will have to show that consumers were confused by the appearance of the ad next to a search term so that they believed the two companies were connected.[44] Google scored victories in July 2009 when Daniel Jurin[45] and Ascentive,[46] a software company, dropped their AdWords suits.[47]

G. FTC Seeks to Monitor Blogs for Endorsements

The FTC has proposed guidelines that would enable the agency to go after bloggers for false advertisements for failing to disclose conflicts of interest, such as being paid or receiving a free product in exchange for writing a review.[48] The FTC is concerned that many consumers may not realize that online authors of product reviews are being compensated for their opinions. This knowledge could affect whether to buy an item or guide how much credibility to give an endorsement. “If you walk into a department store, you know the (sales) clerk is a clerk,” said Rich Cleland, assistant director in the FTC’s division of advertising practices. “Online, if you think that somebody is providing you with independent advice and . . . they have an economic motive for what they’re saying, that’s information a consumer should know.”[49]

The FTC’s proposal to monitor blogs raises questions about what constitutes an advertisement, the extent to which a reviewer must disclose a relationship with a company, and how far the agency will go to police online reviews and advertisements. Specific enforcement measures were not included in a draft of the guidelines published in November 2008. Some bloggers are concerned that even a casual mention of a product could grab the agency’s attention. Cleland said that the FTC would most likely rely on Internet users to judge what constitutes fair disclosure in lieu of spelling out specific requirements.[50] A final version of the guidelines could be approved by the end of 2009.

The guidelines would extend beyond basic reviews on blogs to cover affiliate marketing, in which bloggers and other Web sites get a commission when a user clicks on a link that leads to a purchase on a retailer’s site. In addition, arrangements where advertisers pay users of Twitter to post short items would also need to be disclosed.[51]

The FTC’s attempt to monitor the content of online reviews contrasts with the media industry, in which newspapers and broadcasters have traditionally self-policed their employees by prohibiting the acceptance of free products in exchange for reviews. However, just as a blogger needs to have used a product in order to write an informed review, some blurring of this ethical line may be unavoidable, such as when a film critic attends a free advance screening before a movie’s widespread release.

The New York Times took a firm stand in defense of objectivity in August 2009, when the newspaper stripped economist and TV personality Ben Stein of his Sunday business column. Stein also serves as a pitchman for , a credit monitoring company, and a spokeswoman for the Times said it would not be appropriate for Stein to pitch for the company while writing his column.[52]

II. IDENTITY THEFT AND DATA PROTECTION LAWS

A. ‘Red Flags Rule’ Set to Take Effect

The ‘Red Flags Rule’[53] promulgated by the Federal Trade Commission to combat identity theft was scheduled to take effect on Nov. 1, 2009. The rule requires financial institutions and creditors to develop written procedures on how to identify and react to relevant warnings – or ‘red flags’ – of identity theft. In most cases, this means tracking discrepancies between credit reports and information provided by or about an individual. Originally set to take effect on Nov. 1, 2008, the FTC delayed enforcement of the rule three times due to uncertainty over what industries and entities were covered by the rule.[54]

1. Who Must Comply with the Rule?

The rule applies to “financial institutions” and “creditors” with “covered accounts.” This includes entities that regularly permit deferred payments for goods or services, including health care providers, some retailers, colleges, and a wide range of businesses that invoice their customers.

Certain law firms with individual clients, such as matrimonial and trust and estate clients, who bill at the end of a period rather than through an initial retainer, were scheduled to be covered by the rule.[55] The American Bar Association in July threatened to file a lawsuit seeking to have lawyers exempted from the rule on the grounds that compliance would be burdensome and establish a precedent for federal agencies to set other requirements for lawyers.[56] At the time of the threatened litigation, the rule was set to take effect on Aug. 1, 2009. ABA President H. Thomas Wells Jr. called the delay to November a “temporary reprieve,” but said the ABA will continue to lobby Congress to permanently exempt lawyers from the rule.[57]

a. Financial institutions

Under the rule, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a customer. Most of these institutions are regulated by the federal bank regulatory agencies and the National Credit Union Administration (NCUA). A transaction account is a deposit or other account from which the owner makes payments or transfers.

b. Creditors

A creditor is any entity that regularly extends, renews, or continues credit. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies and telecommunications companies. If non-profit and government entities defer payment for goods or services, they are also considered creditors. Accepting credit cards as payment does not, by itself, make an entity a creditor.

c. Covered accounts

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. These include credit card accounts, mortgage loans, automobile loans, cell phone accounts, utility accounts, checking accounts and savings accounts.

2. How to Comply with the Rule

The FTC says the rule was designed to be risk-based so that the complexity of an entity’s program would be proportional to the identity theft risk it encounters. The Commission suspects that most high-risk entities, such as financial institutions, already take steps to minimize losses due to fraud. It estimated nearly 270,000 high-risk entities and 1.6 million low-risk entities will be subject to the rule. According to the same estimates, high-risk entities can create and implement a written program in 25 hours while those at low risk should be able to develop a streamlined program in about an hour.[58]

To aid low-risk entities in the process, the FTC developed a model six-page policy in PDF format. A template of the model policy is available at redflagsrule and by clicking on the “Create Your Program” tab.[59] A company must identify red flags, describe how the flags will be detected, offer a planned response when flags are found and describe how relevant staff will be trained to implement the program. A board of directors or senior-level employee must approve the program, which is required to be updated periodically.

Failure to comply with the rules can lead to civil penalties, such as monetary sanctions and enforcement action by the FTC. However, the FTC said it is unlikely to bring action against entities that “know their customers or clients individually, or if they perform services in or around their customers’ homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft.”[60]

B. Proposed Federal Legislation to Protect Personal Data, Require Notification

Two separate, but similar, data privacy bills were introduced in 2009 that seek to preempt the existing data breach notification laws in 45 states and the District of Columbia.[61] Both bills propose requiring entities that possess personal information and engage in interstate commerce to institute various safeguards to protect the data and notify individuals when a breach or a suspected breach has occurred. Both bills would also give state attorneys general the authority to pursue civil penalties for data breaches in certain instances. As of early August, it appeared unlikely that either bill would be passed this year, at least in their proposed form.

1. Personal Privacy and Security Act

Sen. Patrick Leahy (D-Vt.), chairman of the Judiciary Committee, introduced the Personal Privacy and Security Act, S. 1490, 111th Cong. (2009), on July 22. Leahy introduced similar legislation that was reported by the committee in the previous two Congressional sessions.[62] This casts doubt on whether this version will have enough momentum to become law, particularly as House subcommittees continue to gather information on deep packet inspection with an eye toward enacting a comprehensive data security and Internet privacy law.

In addition to the national data breach notification provision, the bill seeks to stiffen criminal penalties for identity theft by adding intentional access of a computer without authorization to the definition of racketeering under 18 U.S.C. § 1961(1) and requiring the U.S. Sentencing Commission to revisit its sentencing guidelines for identity theft crimes. The bill would give individuals access to any personal information held by commercial data brokers and impose penalties on government contractors who fail to meet data privacy and security requirements.

2. Data Accountability and Trust Act

Rep. Bobby Rush (D-Ill.), chairman of the Subcommittee on Commerce, Trade, and Consumer Protection, introduced the Data Accountability and Trust Act, H.R. 2221, 111th Cong. (2009), on April 30. The bill is similar to the Personal Privacy and Security Act in its data protection and security requirements for businesses or entities that possess personal information. In addition, this version authorizes the FTC to require a standard method for destroying obsolete non-electronic data.

C. HIPAA Breach Notification Rule Issued

On Aug. 19, 2009, the U.S. Department of Health and Human Services (HHS) issued new regulations that require entities covered by the Health Insurance Portability and Accountability Act (HIPAA)[63] to notify individuals when their unsecured personal health information has been breached.[64] The regulations,[65] which could go into effect as early as Sept. 23, 2009, refine key concepts in a manner that limits the notification obligations of covered entities.[66] In cases where a breach affects more than 500 individuals, the HHS Secretary and the media must also be notified. Entities will report to the HHS Secretary breaches that affect fewer than 500 individuals on an annual basis.[67]

HHS also specified that covered entities that secure health information through encryption or destruction are exempt from the notification requirement if a breach does occur. This portion of the regulations was developed in response to public comment received from an April 2009 request[68] and after HHS consulted with the FTC, which has issued breach notification regulations that apply to vendors of personal health records and other entities not covered by HIPAA.[69] The regulations include other exemptions. For example, the definition of a breach is limited to instances where information is used or disclosed in a manner inconsistent with HIPAA. If the access to information is unauthorized, but use of the information does not violate HIPAA, it is not considered a reportable breach.[70]

The regulations preempt contrary state laws, but HHS noted this only occurs when it is impossible to comply with both a state notification law and the HIPAA notification regulations. The regulations will become effective 30 days after publication in the Federal Register. HHS has said that it will not impose sanctions for violations during the first six months after the regulations take effect.[71] Instead, HHS will work with the covered entities to bring them into compliance.

D. Supreme Court Requires a ‘Knowing Theft’ for Aggravated Sentence

The Supreme Court on May 4 ruled unanimously that federal prosecutors must prove a defendant knew a stolen identity belonged to an actual person in order to secure a conviction for aggravated identity theft.[72] The Court rejected the government’s argument that it merely needed to show an offender knew he used an identity other than his own. The decision in Flores-Figueroa v. United States clarifies how the Identity Theft Penalty Enforcement Act[73] should be interpreted. The statute imposes a mandatory consecutive two-year prison term upon those convicted of certain crimes if, during the crime, the offender “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.” The law applies to such predicate crimes as theft of government property, fraud and activities related to passports, visas and immigration.

The defendant in the case, Ignacio Flores-Figueroa, is a Mexican citizen who worked illegally at an Illinois steel plant. To gain employment, Flores-Figueroa first used a false name and Social Security number, one that did not belong to another person. He later wanted to use his real name and gave his employer counterfeit Social Security and alien registration cards bearing numbers assigned to real people. Customs officials discovered the discrepancy and charged Flores-Figueroa with entering the United States without inspection, 8 U.S.C. § 1325(a), and misusing immigration documents, 18 U.S.C. § 1546(a), in addition to aggravated identity theft.

In his majority opinion, Justice Stephen G. Breyer wrote that the case should be decided by applying “ordinary English grammar” to the text of the law, which applies “knowingly” to all of the elements of the crime that follow.[74] Interpreting the statute that way avoids subjecting offenders to additional penalties for liability that turns on chance. Justice Samuel A. Alito Jr., in his concurring opinion, considered a defendant who chooses a Social Security number at random. “If it turns out that the number belongs to a real person,” Alito wrote, “two years will be added to the defendant’s sentence, but if the defendant is lucky and the number does not belong to another person, the statute is not violated.”[75]

1. Effect of Decision

The ruling in Flores-Figueroa will probably be most consequential in guiding the government’s strategy in combating illegal immigration rather than prosecutions of traditional identity theft cases. Breyer noted that proving intent is generally not difficult in such classic identity theft cases as using a person’s identification information to gain access to a bank account or “dumpster diving” to find discarded credit card and bank statements.[76] Now faced with a diminished threat of a mandatory and consecutive two-year prison term, the government loses the possibility of securing an aggravated felony conviction that often leads to quicker deportations. This could result in fewer mass criminal prosecutions against illegal workers following workplace enforcement actions.[77]

The Obama administration previously announced plans to target employers who knowingly hire workers who are in the country illegally rather than arrest the workers for eventual deportation.[78] In a sign of furthering this strategy, U.S. Immigration and Customs Enforcement (ICE) announced on July 1 that it issued notices of inspection to 652 businesses nationwide.[79] ICE issued 503 similar notices during the entire previous fiscal year. The notices alert business owners that ICE will be inspecting their hiring records to determine whether or not they are complying with employment eligibility and verification laws and regulations.

2. Proposed Legislation

The Employment Eligibility Verification and Anti-Identity Theft Act would require an employer to take certain measures after receiving official notice that an employee’s name and Social Security number do not match Social Security Administration records.[80] The bill, introduced by Rep. Elton Gallegly (R-Calif.), proposes that once an employer receives official notice about such a discrepancy, the employer has to verify employment eligibility within three business days through a system established by the Secretary of Homeland Security.

The ultimate responsibility to verify proper documentation would fall on the worker, but the proposal requires an employer to terminate an employee once a final notice of non-verification is received. An employer could be found to violate the Immigration and Nationality Act, 8 U.S.C. § 1324a(a)(1)(A), for not dismissing the worker. The bill is co-sponsored by nineteen Republicans.

E. Social Security Numbers Can Be Guessed

Researchers at Carnegie Mellon University concluded that it is relatively easy to figure out the precise nine digits of a person’s Social Security number. Many numbers can be accurately predicted by knowing a person’s birth data, the researchers found in the study published in the Proceedings of the National Academy of Sciences.[81]

Alessandro Acquisti and Ralph Gross relied on publicly available information for their study, principally what is known as the “Death Master File.” The file lists the SSNs, dates of birth and death, and the states of application for all individuals whose deaths have been reported to the Social Security Administration (SSA). Acquisti and Gross also used data from social networking sites, where users often list their place of birth and birth date in their profile.

Those born after 1988 – when the government altered its practice and began issuing numbers at birth – are the most susceptible to having their numbers discovered because of the method used to assign SSNs, according to the study. Among people born from 1989 to 2003, the researchers identified the first five SSN digits for 44 percent of individuals on a single attempt. They got all nine digits correct for 8.5 percent of those people in fewer than 1,000 attempts.

Acquisti and Gross set out to exploit what is known about how SSNs are assigned. The first three SSN digits are called its “area number” and are assigned based on the zip code of the mailing address provided on the application form. The next two digits are its “group number,” which transitions slowly and often remains constant in a given region over a number of years. As a result, applicants in the same state born on consecutive days are likely to have the same first four or five digits. The last four digits are its “serial number” and are assigned sequentially.

The study found that the SSN assignment scheme discriminates against younger individuals born in less populous states by exposing them to a higher risk of identity theft. For example, the study accurately predicted the first five digits of two percent of California records with 1980 birthdays, and 90 percent of Vermont records with 1995 birthdays.

1. Changes to SSNs

The identity theft risks SSNs now pose could not have been foreseen when the system was devised in the 1930s, but measures to further protect the numbers are in the works. For reasons unrelated to the report, the SSA is in the process of developing a system to randomly assign the numbers that it expects to be in place in 2010.[82] Earlier this year, Sen. Dianne Feinstein (D-Calif.) and Rep. Rodney Frelinghuysen (R-N.J.) introduced legislation that would prohibit the display, sale, or purchase of Social Security numbers without consent, and would bar businesses from requiring people to provide their number.[83]

2. An Unsound Practice

The results of the Carnegie Mellon study may sound alarming, but the SSA assures the public any notion that the researchers exposed “a code for predicting an SSN is a dramatic exaggeration.”[84] Acquisti and Gross acknowledge that being able to translate theoretical predictions from a list of deceased into stealing identities of the living hinges on a variety of factors. These include the availability of a targeted person’s birth data and the possibility that a verification service may not allow an attacker repeated attempts to match an SSN before shutting down or prohibiting further attempts.

Real world dangers still persist. Many businesses use SSNs as passwords or for other forms of authentication, a practice that places consumers at risk. This includes being asked to provide only the final four digits, or serial number, since these digits are the most unique to an individual. Both the SSA and the researchers advocate against using SSNs as forms of identification beyond tracking a Social Security account. “Everybody who works in this area knows the numbers are bad passwords,” Acquisti said. “But they still are used that way.”[85]

F. Massachusetts and Nevada Encryption Laws Could Become National Standard

Massachusetts and Nevada have taken the lead in mandating safeguards for consumers’ personal information by requiring companies that store or transmit personal information to encrypt the data.[86] The regulations formulated by the Massachusetts Office of Consumer Affairs and Business Regulation under the state’s data protection law, M.G.L. c. 93H, were intended to take effect Jan. 1, 2009, but enforcement for most of the law has been extended until Jan. 1, 2010.[87] A similar law in Nevada went into effect on Oct. 1, 2008,[88] and was later amended to closely align with the Massachusetts standard by requiring encryption of information in data storage devices. These data protection standards are scheduled to go into effect in Nevada on Jan. 1, 2010.[89] Michigan and Washington have also considered similar legislation and the list of states mulling a similar law will continue to grow.

Under both laws, “personal information” is essentially a combination of a person’s name and one or more of the following: Social Security number, driver’s license number, credit or debit card account number or another financial account number. “Personal information” does not include what is lawfully obtained through publicly available data.

1. Massachusetts Law

a. To Whom Does it Apply?

The regulations apply to all persons, businesses and legal entities that “own, license, store or maintain personal information about a resident of the Commonwealth.”

b. Encryption Standard

The regulations define encryption generally without referring to a particular strength or technology, other than a form “in which meaning cannot be assigned without the use of a confidential process or key.” The regulations also require businesses that allow access to or share personal information with third parties to take “reasonable steps” to make sure those entities comply with the law.

The state plans to judge compliance on a case-by-case basis according to the size of a business, its available resources, the amount of data stored, and the need for confidentiality. State officials warned that unless a business has its own in-house IT staff, it will probably need to consult an outsider to determine if its computer system meets the encryption requirements.[90]

c. Potential Penalties[91]

Failing to abide by the regulations could result in enforcement actions by the state Attorney General and may expose a business to damages in a private negligence claim or under another legal theory.

2. Nevada Law

a. To Whom Does it Apply?

The statute applies to data collectors who do business in the state. A “data collector” means government agencies, colleges, universities, corporations, financial institutions and retail operators.

b. Encryption Standard

Nevada law requires the use of encryption software “that has been adopted by an established standards setting body,” such as the National Institute of Standards and Technology. The law requires technology that “renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data.”

c. Potential Penalties

Data collectors that comply with the law but suffer a security breach would have their liability for damages capped at $1,000 per customer for each occurrence. Companies that do not comply would face unlimited civil penalties, according to James Earl, executive director of the state’s task force for technological crimes.[92]

3. Ramifications across state lines

The two state laws will inevitably have an impact on businesses and residents throughout the country and could soon lead to a de facto national standard. The Massachusetts law applies to any entity that stores personal information “about a resident of the Commonwealth,” meaning all companies that have a national customer or employee base must meet the requirements. The Nevada law applies to data collectors “doing business in this State” so that the information of some residents outside of Nevada is also protected.

Many businesses already have encryption requirements that would meet or come close to meeting the new state laws. However, many attorneys are advising clients to err on the side of caution and address the encryption issue now rather than later. Doing so, they urge, will not only expedite compliance with any future laws, but also help ease fears of events such as stolen laptops that often lead to security breaches.

G. Class Actions in ID Theft and Data Breach Cases

1. Lost Laptops Lead to Lawsuits

a. VA Agrees to Compensate Veterans Who Were Put at Risk of Identity Theft

On Jan. 27, 2009, the U.S. Department of Veterans Affairs (VA) agreed to pay $20 million to settle a class action lawsuit that alleged the VA failed to adequately protect American military personnel from identity theft.[93] A laptop computer and external data storage device were stolen from the home of a VA employee on May 3, 2006. The computer and data storage device contained a copy of a collection of personal information for about 26.5 million people, including active and retired military veterans and their spouses. The plaintiffs, a group of veterans advocacy groups, alleged that VA Secretary R. James Nicholson unlawfully allowed the department to maintain a database of veterans’ personal information that was not related to claims for benefits.[94]

U.S. District Court Judge James Robertson preliminarily approved the settlement on Feb. 11, 2009.[95] According to its terms, all veterans, their spouses and military personnel who suffered actual damages as a result of the theft will receive a minimum of $75 and a maximum of $1,500 on all valid claims. These claims include the costs to protect or monitor personal financial information, expenses incurred as a result of physical manifestations of severe emotional distress and other reasonable expenses. Any remainder of the $20 million settlement after the payout of valid claims and attorney fees will be paid to veterans charities.

b. Starbucks Employee Files Suit After Personal Information Stolen

A Chicago-area Starbucks employee filed a class action lawsuit against Starbucks after a laptop containing the personal information of about 97,000 Starbucks employees was stolen on October 29, 2008.[96] In a security breach notification letter the Seattle-based coffee maker sent to the Office of the Maryland Attorney General, Starbucks said it concluded the laptop probably did contain personal information.[97] Starbucks offered to pay for credit monitoring services for one year for its employees whose personal information may be exposed as a result of the theft, according to the letter.

The lawsuit filed by Laura Krottner on behalf of all Starbucks employees whose personal information was contained in the stolen laptop accuses the company of fraud and breach of contract for its pledge to protect employees’ personal information. The suit asks that Starbucks be ordered to pay for credit monitoring services for at least five years and that Starbucks receive periodic compliance audits from an outside company about the security of its computer systems. According to the complaint, Starbucks in 2006 lost four laptops that contained the personal information of 50,000 former and 10,000 then-current employees.

c. Mere Risk of Identity Theft Not Enough to Support Claims

In Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009), a federal judge dismissed claims of negligence and breach of contract against a data owner and its service provider because the plaintiffs could not show they were victimized beyond being exposed to an increased risk of identity theft. Joel Ruiz filed the class action lawsuit on Nov. 13, 2007, against Gap, Inc. and its service provider, Vangent, Inc., after a thief stole two laptop computers from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and about 750,000 other Gap job applicants.[98]

On April 6, 2009, U.S. District Judge Samuel Conti found that Ruiz had standing to bring his suit because the theft of the laptop exposed him to an increased risk of identity theft. However, Conti granted summary judgment to the defendants. On the negligence claim, Conti noted that Gap had already agreed to pay for one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable harm necessary to assert a negligence claim under California law.”[99] On the breach of contract claim, Conti found that “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft of the two laptop computers.”[100]

2. ‘Truncation’ Requirement of FACTA

Many attempted class action lawsuits have been filed in federal courts alleging “truncation” violations of the Fair Credit Reporting Act, as amended by the Fair and Accurate Credit Transactions Act (FACTA), 15 U.S.C. § 1681c(g). The law aims to protect consumers against identity theft by prohibiting businesses from printing more than the last five digits of a credit or debit card number, or the card’s expiration date, on an electronic receipt. FACTA provides for civil damages between $100 and $1,000 per violation and the possibility of punitive damages. Courts have recognized individual claims to recover amounts within the prescribed statutory range, but have issued mixed rulings on granting class certifications in “truncation” cases where the potential punitive awards could be disproportionate to the actual harm suffered by customers.

In Harris v. Best Buy Co., Inc., 254 F.R.D. 82, 90 (N.D. Ill. 2008), the court certified a class of at least 100 members on the basis that “whether an award is unconstitutionally excessive is best decided after the class is certified, so that the Court can evaluate the defendant’s conduct and whether the defendant made an attempt to control its exposure.” Similarly, in Brittingham v. Cerasimo, Inc., 621 F. Supp. 2d 646, 650 (N.D. Ind. 2009), the court reinstated a proposed class action based on the merchant failing “to significantly limit the Plaintiffs’ risk of identity theft” by printing more than five digits of their debit and card numbers along with the expiration date on their receipts.

However, in Bateman v. American Multi-Cinema, 252 F.R.D. 647, 651 (C.D. Cal. 2008), the court declined to certify a class action against a movie theater chain that printed eight digits on a credit card receipt. The action sought potential damages between $29 million and $290 million and the court was “not persuaded by Plaintiff’s argument that an increased risk of identity theft, however slight, is sufficient to constitute actual harm.” Similarly, in Leysoto v. Mama Mia I., Inc., 255 F.R.D. 693 (S.D. Fla. 2009), the court declined to certify a class action that sought between $4.6 million and $46 million in damages against a restaurant with $40,000 in net assets. The court reasoned that to certify the class would give the plaintiffs the ability to “dangle the Sword of Damocles over Defendant, without any showing of actual economic harm.”[101]
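The truncation limit described above can be checked mechanically on receipt output before it reaches a printer. The following Python sketch is an added example, not part of the original outline: the receipt layouts, field labels and sample card numbers are constructed assumptions, and the five-digit limit is taken from the outline's description of 15 U.S.C. § 1681c(g).

```python
import re
from typing import List, NamedTuple

# Limit as described in the outline: no more than the last five digits.
MAX_VISIBLE_DIGITS = 5

# A card-number field: 13-19 digit or mask symbols (X, x, *, #), optionally
# grouped with single spaces or hyphens. The layout is an assumption.
CARD_FIELD = re.compile(
    r"(?<![0-9A-Za-z*#])[0-9Xx*#](?:[ -]?[0-9Xx*#]){12,18}(?![0-9A-Za-z*#])"
)
# An expiration label followed by a readable MM/YY or MM/YYYY value.
EXPIRY = re.compile(
    r"\bexp(?:iry|ires|iration)?\.?(?:\s+date)?\s*:?\s*(\d{1,2}\s*/\s*\d{2,4})",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    line: int            # 1-based line number in the receipt text
    kind: str            # full_card_number | excess_digits | expiration_date
    visible_digits: int  # readable card digits (0 for expiration findings)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_receipt(text: str) -> List[Finding]:
    """Return truncation problems found in one rendered receipt."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CARD_FIELD.finditer(line):
            field = re.sub(r"[ -]", "", match.group())
            digits = re.sub(r"\D", "", field)
            if len(digits) == len(field):
                # Unmasked digit run: report only if it passes the Luhn check,
                # so reference and transaction numbers are not flagged.
                if luhn_valid(digits):
                    findings.append(
                        Finding(line_no, "full_card_number", len(digits)))
            elif len(digits) > MAX_VISIBLE_DIGITS:
                findings.append(Finding(line_no, "excess_digits", len(digits)))
        if EXPIRY.search(line):
            findings.append(Finding(line_no, "expiration_date", 0))
    return findings


# Constructed sample receipts; 4111111111111111 is a well-known test number.
COMPLIANT = """STORE 0042
2009-08-17 14:02
VISA ************1111 EXP **/**
REF 1234567890123
TOTAL 23.10"""

EIGHT_DIGITS = """STORE 0042
MC 5500 **** **** 1234
TOTAL 9.00"""

DIGITS_AND_EXPIRY = """STORE 0042
DEBIT 4111 11** **** 1111 EXP 08/11"""

FULL_NUMBER = """VISA 4111111111111111
Expiration Date: 08/2011"""

if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("eight digits", EIGHT_DIGITS),
               ("digits and expiry", DIGITS_AND_EXPIRY),
               ("full number", FULL_NUMBER)]
    for name, receipt in samples:
        print(name, check_receipt(receipt))
```

The check works on rendered receipt text, so it can run in a point-of-sale test suite against every receipt template rather than against live card data.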

3. Indiana Court Finds ID Theft Concerns Validate Driver’s License Policy

In Leone v. Commissioner, Indiana Bureau of Motor Vehicles, 906 N.E.2d 172 (Ind. App. 2009), the court found that the Indiana Bureau of Motor Vehicles did not violate state law by requiring holders of driver’s licenses and state identification cards to make sure their names in the BMV’s database match those on file with the Social Security Administration.

The Indiana BMV, like similar agencies in at least 45 other states, has an agreement to verify its records with those of the SSA. In matching Social Security numbers between the two systems, the BMV found that the names of some license and card holders did not match those on file with the SSA. The BMV sent notices to those with name discrepancies placing the burden on them to correct the information or risk invalidation of their driver’s license or ID card. The court noted that discrepancies between the two systems often occurred because of legal name changes, using a nickname with one agency and not the other, or a name change due to marriage.

In denying a motion from a certified class seeking an injunction to prohibit enforcement of the policy, the court wrote that while it agreed a person is legally entitled to change his or her name, “it does not follow that all others, including government agencies like the BMV, are required to simply accept the word of the applicant that he is who he claims to be.”[102]

The court did find that the policy violated the due process rights of card and license holders because of uncertainties in whether a person should correct their information with the BMV, SSA, or both agencies. However, the court refused to grant the injunction because “the policy effectively blocks a well-known avenue for identity theft by making it much more difficult to appropriate another’s social security number in order to obtain state identification.”[103]

4. ‘Undeveloped’ Maine Law Excuses Grocer From Liability for Data Theft

In In re: Hannaford Bros. Co. Customer Data Security Breach, 613 F. Supp. 2d 108 (D. Me. 2009), District Judge D. Brock Hornby applied what he described as “still undeveloped” Maine law to find a grocery store chain was not liable for the fraudulent charges to customers’ credit and debit cards as a result of a third party stealing the customers’ electronic payment data from the chain. In his ruling to dismiss the contract-related claims against a Maine-based supermarket chain, Hornby wrote that state law only allows customers whose financial data is stolen to recover against a merchant when the merchant’s negligence caused the loss to the consumers’ account.

Hornby wrote that a reasonable jury could not find “an unqualified guaranty of confidentiality by the merchant is ‘absolutely essential’ to the contract for a sale of groceries” because there was no reason to believe customers would stop using their cards in the absence of a 100 percent guaranty of data safety.[104] However, Hornby allowed the one plaintiff whose bank did not reimburse her for the fraudulent charges to proceed against the grocer on claims of breach of implied contract, negligence, and a deceptive act under Maine’s Unfair Trade Practices Act, 5 M.R.S.A. §§ 205-214.

H. Hacking: Threats and Consequences

1. Hacker Can Be Sued for Fraud Under Securities Exchange Act

In Securities and Exchange Commission v. Dorozhko, No. 08-0201-cv, 2009 U.S. App. LEXIS 16057, 2009 WL 2169201 (2nd Cir. July 22, 2009), the court ruled that a man accused of hacking into a computer system to gain advance notice of a company’s quarterly earnings could be sued for fraud under § 10(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78j(b). The ruling eliminates the burden on the SEC to show the alleged hacker violated a fiduciary duty, which is a part of the generally accepted theories of insider trading.[105]

In early October 2007, Oleksandr Dorozhko, a Ukrainian national and resident, opened an online trading account and spent almost all of his $42,500 investment on “put” options in IMS Health, Inc., which the SEC says amounted to a risky bet that the stock price of IMS would sharply decline. IMS had hired Thomson Financial Inc. for its Web-hosting services. The SEC alleges that on Oct. 17, 2007, hours before the scheduled public release of IMS’s quarterly earnings, Dorozhko hacked into Thomson’s computer system and that within six minutes of Thomson receiving the report, Dorozhko sold all of his IMS options for an overnight profit of $286,456.[106]

The decision reversed a district court decision that relied on three Supreme Court cases[107] in refusing to grant the SEC an injunction which would have frozen Dorozhko’s assets from the sale. In his opinion, Circuit Court Judge Jose A. Cabranes wrote that although breaching a fiduciary duty satisfies the requirement of a “deceptive device” under § 10(b) of the Act, “what is sufficient is not always what is necessary, and none of the Supreme Court opinions considered by the district court require a fiduciary relationship as an element of an actionable securities claim under § 10(b).”[108] The case was remanded to determine “whether the computer hacking in this case involved a fraudulent misrepresentation that was ‘deceptive’ within the ordinary meaning of Section 10(b).”[109]

2. Former Secret Service Informant Indicted in ‘Largest’ ID Theft Case Ever

On Aug. 17, 2009, a man who authorities say formerly helped the Secret Service hunt computer attackers, but also fed information to criminals, was indicted in what the Department of Justice called the largest reported data breach in U.S. history.[110] According to the U.S. Attorney’s Office in Newark, N.J., the indictment describes a scheme between October 2006 and May 2008 in which more than 130 million credit and debit card numbers along with account information were stolen from Heartland Payment Systems, based in Princeton, N.J., 7-Eleven Inc., and Hannaford Bros. Co.[111]

Prosecutors say Albert Gonzalez, of Miami, Fla., acted with two unnamed Russian conspirators to hack into the computer systems of the corporate victims after conducting reconnaissance at various retail locations. The scheme eventually reached a point where the trio conducted “real-time interception” of credit and debit card data being processed by the corporations.

The trio had a goal of selling the data to others who would use it to make fraudulent purchases, but the success of this plan was not known, according to prosecutors.[112] Gonzalez was previously indicted in New York and Massachusetts in 2008 for his involvement in conspiracies relating to data breaches of multiple companies. He was also arrested in 2003 in New Jersey for his role in ATM and debit card fraud. Gonzalez was being held in the Metropolitan Detention Center in Brooklyn, New York.[113]

3. TechCrunch Stirs Ethical Debate By Publishing Hacked Documents

In July 2009, the technology Web site TechCrunch published some of the “more than 300 confidential Twitter documents and screenshots” that TechCrunch says it received via e-mail from a hacker who swiped the information from Twitter.[114] After combing through the vast amount of information, TechCrunch published documents that revealed, among other things, Twitter’s goal of becoming the first social networking site to reach one billion users, a pitch for a Twitter-based TV show, and plans for future revenue-producing models.[115]

Media ethicists and commentators debated whether TechCrunch crossed an ethical line by publishing the stolen documents. Al Tompkins of Poynter Online framed his concern in the context of a changed media landscape that he feared could lead to an erosion of journalistic ethics. “I worry that because we now have new competitive pressures from nontraditional sources such as bloggers, Twitterers, etc., we will be tempted to lower our standards and publish under the notion that confidential documents ‘will get out there anyway,’” Tompkins wrote.[116]

TechCrunch founder Michael Arrington was forthright in explaining the Web site’s decision. “We publish confidential information almost every day on TechCrunch,” Arrington wrote. “This is stuff that is also ‘stolen,’ usually leaked by an employee or someone else close to the company, and the company is very much opposed to its publication. In the past we’ve received comments that this is unethical. And it certainly was unethical, or at least illegal or tortious, for the person who gave us the information and violated confidentiality and/or nondisclosure agreements. But on our end, it’s simply news.”[117]

Twitter said in its blog that the stolen documents did not reveal “some big, secret plan for taking over the world,” but that the publication “could jeopardize relationships with Twitter’s ongoing and potential partners.” Twitter specified that the hacker retrieved the company documents by accessing an employee’s e-mail account and not by hacking into the Twitter server.[118]

4. Accused Hacker Loses Bid to Prevent Extradition from UK

An autistic man who a United States prosecutor said was charged with “the biggest military computer hack of all time” lost his bid to avoid extradition from the United Kingdom on charges dating back to 2002.[119] The England and Wales High Court on July 31, 2009, ruled that 43-year-old Gary McKinnon should face extradition because that is “a lawful and proportionate response to his offending,” according to the ruling issued by Judge Stanley Burnton in the Queen’s Bench Division.[120] McKinnon’s family has tried to prevent his extradition by arguing he has Asperger’s syndrome and that he could be a suicide risk if sent to the United States.[121] McKinnon’s lawyer, Karen Todner, said she planned to appeal the decision.[122]

A federal grand jury in Virginia indicted McKinnon in 2002 on seven counts of computer-related crimes in 14 crimes after he was accused of breaking into 97 computers belonging to NASA, the Department of Defense and several branches of the military soon after the Sept. 11, 2001, terrorist attacks.[123] The indictment alleged McKinnon deleted critical system files and obtained classified information and encrypted passwords from the computers. McKinnon claimed he was searching for evidence of UFOs, and his lawyers portray McKinnon as an eccentric but harmless man who did not have any malicious intent.[124]

5. British Tabloid Embroiled in Phone Hacking Scandal

The British tabloid News of the World, published by a subsidiary of media mogul Rupert Murdoch’s News Corporation, reportedly paid about $1.6 million to quietly settle various lawsuits involving allegations of phone-hacking by its reporters, according to a July 8 report by The Guardian of London.[125] Murdoch denies that the newspaper ever made any settlement payments for alleged phone hacking, and critics and other media outlets have suggested that The Guardian’s reporting amounts to little more than media mud-slinging.[126]

The Guardian reported that News of the World’s publisher, News Group Newspapers, attempted to settle the lawsuits to avoid revealing evidence that News of the World journalists were repeatedly hiring private investigators to illegally hack into the mobile phone messages of numerous public figures, including cabinet ministers, members of Parliament, actors and sports stars. The Guardian claimed to have discovered the information by researching the 2006 criminal investigations of News of the World reporters Clive Goodman and Glenn Mulcaire for alleged phone hacking.

News Group Newspapers is a subsidiary of News International, which is owned by Murdoch’s News Corporation.

The Guardian report cited a Metropolitan police source who said that during the investigation of the reporters, officers found evidence of News Group staff hiring private investigators to hack into “thousands” of mobile phones, and “another source with direct knowledge of the police findings” put the figure at “two or three thousand” different phones. A subsequent New York Times report cautioned that The Guardian report could not be independently verified, observing that it cited unnamed police sources and no sources for its claim that News International paid $1.6 million in damages and legal costs.[127] But on July 21, Bloomberg News reported that News of the World editor Colin Myler testified before a parliamentary committee that James Murdoch, Rupert’s son, had authorized the payment of $1.1 million to settle a claim against the newspaper.[128]

6. Apple Drops Legal Threat Against Web Site With iPhone Hacking Tips

Apple dropped its threat of a lawsuit against BluWiki, a Web site that hosted discussions about how to use iPods and iPhones without the company’s iTunes computer software.[129] Apple said in a July 8 letter to BluWiki’s attorneys at the Electronic Frontier Foundation (EFF) that it would not pursue a lawsuit because it no longer uses the software code that was mentioned on the Web site, and therefore the code “is no longer of any harm or benefit to anyone.”[130] Apple had originally alleged that BluWiki violated anti-circumvention measures of the Digital Millennium Copyright Act, 17 U.S.C. § 1201.

EFF lawyer Fred von Lohmann believes Apple did not have a credible claim under the statute. “Apple’s threats were clearly designed to censor pure speech – there was no software there, there were no tools, there were no hacking devices – this was just people talking,” he said. “Apple was well beyond the statute when it made these threats, and apparently they think so now too.”[131] After Apple dropped its threat, EFF and OdioWorks, the company that runs BluWiki, dropped their lawsuit against Apple that sought a declaratory judgment vindicating the free speech interests of BluWiki and its users.[132]

III. GOVERNMENT AND PRIVATE SECTOR SURVEILLANCE AND DATA MANAGEMENT

A. Unclassified Report on U.S. Wiretapping

A government review of the Bush administration’s wiretapping program raised questions about its legality and found that its effectiveness in fighting terrorism was unclear. The report, which Congress mandated last year, was produced by the inspectors general of five federal agencies and released to the public on July 10, 2009.[133]

The report does not describe specific intelligence activities other than to refer to the “Terrorist Surveillance Program.” The administration acknowledged in December 2005 that this program included the interception without a court order of some international communications in which there was “a reasonable basis” to believe that at least one party was a member of al-Qaida or its affiliates. The program was implemented following the attacks of Sept. 11, 2001.

The report was the result of about 200 interviews with government and private sector personnel, most of whom were former or current senior government officials. Many key figures in the surveillance program – former Attorney General John Ashcroft, Central Intelligence Agency director George Tenet and deputy assistant attorney general John Yoo – either declined to be interviewed or did not respond to interview requests.

1. Critical of Reauthorization Memos

The report criticized John Yoo, the deputy assistant attorney general who was granted access to the surveillance program and wrote what are known as “scary memos” that justified the administration in reauthorizing the program every 45 days. Department of Justice (DOJ) officials doubted the “factual and legal basis” for Yoo’s memos because he incorrectly interpreted the Foreign Intelligence Surveillance Act of 1978 (FISA) as inapplicable to wartime operations, according to the report. DOJ officials pointed out that Yoo failed to analyze a FISA provision[134] that allows the interception of electronic communications for 15 days following a congressional declaration of war, meaning it is possible Congress intended FISA to apply to wartime.

Yoo characterized FISA as providing a “safe harbor for electronic surveillance” and said that the Fourth Amendment provides the appropriate test for whether the government may carry out warrantless electronic surveillance, the report said. Yoo responded to the unclassified report in a July 16 op-ed in The Wall Street Journal in which he labeled FISA “an obsolete law not written with live war with an international terrorist organization in mind.”[135] Yoo accused the five inspectors general of “responding to the media-stoked politics of recrimination, not consulting the long history of American presidents who have lived up to their duty in times of crisis.”

Jay Bybee, Yoo’s boss at the time, told investigators he did not know that Yoo had worked on the surveillance program, the report said. Some senior DOJ officials criticized the unusual practice of having one attorney write a memo for the program when the office traditionally has multiple attorneys review all legal analysis the office issues. The DOJ found that limiting the number of personnel who had direct knowledge of the program created several problems, including preventing the DOJ from “adequately reviewing the program’s legality during the earliest phase of its operation.”

2. Varying Conclusions

The inspectors general reached varying conclusions on the usefulness of the program. The DOJ concluded that while information the program obtained “had value in some counterterrorism investigations, it generally played a limited role in the F.B.I.’s overall counterterrorism efforts.” The CIA considered it “a valuable counterterrorism tool” while the National Security Agency found the program’s value was in “the confidence it provided that someone was looking at the seam between the foreign and domestic intelligence domains.” The inspectors general of the Department of Defense and the Office of the Director of National Intelligence also helped compile the report.

3. Current Surveillance Authority

Congress restructured the federal surveillance law with the FISA Amendments Act of 2008, 50 U.S.C. § 1804. The report said this legislation gave the government “even broader authority to intercept international communications” than did the original program. The report said that the wiretapping program should have transferred to Congressional authority earlier than 2008 “as the program became less a temporary response to the September 11 attacks and more a permanent surveillance program.”

B. Court Challenges to Wiretapping Program

1. Judge Dismisses Suits Against Telecommunications Companies

In the consolidated case In Re: National Security Agency Telecommunications Records Litigation, MDL No.06-1791 VRW, 2009 U.S. Dist. LEXIS 48283 (N.D. Cal. June 3, 2009), Judge Vaughn R. Walker dismissed lawsuits against telecommunications companies that had accused them of improperly participating in the warrantless wiretapping program launched after the Sept. 11, 2001 terrorist attacks. Walker ruled that § 802(a) of the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008, 50 U.S.C. § 1885a, properly granted immunity to the companies, or any individual, that assisted the government in surveillance authorized by a court order or President George W. Bush between Sept. 11, 2001, and Jan. 17, 2007. Former Attorney General Michael Mukasey certified to the court that the claims in the consolidated cases fell within at least one provision of § 802(a).[136] Some of the plaintiffs appealed Walker’s order granting the government’s motion to dismiss on behalf of the companies.[137]

The plaintiffs argued that by amending FISA to grant the companies immunity, the government stripped them of any forum for their dispute to be heard. However, Walker found that the plaintiffs can still seek action against “governmental actors and entities who are, after all, the primary actors in the alleged wiretapping activities.”[138] Walker’s ruling did not apply to a handful of cases and he scheduled a Sept. 1, 2009, hearing to listen to arguments from the Al-Haramain Islamic Foundation, an Oregon non-profit corporation, about the merits of its suit against the government over the warrantless wiretapping program.[139]

2. Judge Dismisses ACLU Lawsuit

The American Civil Liberties Union, journalists and human rights groups such as Amnesty International argued in a 2008 lawsuit that the FISA Amendments Act of 2008, 50 U.S.C. § 1881(a), is unconstitutional because it permits “the executive branch sweeping and virtually unregulated authority to monitor the international communications – and in some cases the purely domestic communications – of law-abiding U.S. citizens and residents.”[140] The FISA Amendments Act allows the government to seek approval from the Foreign Intelligence Surveillance Court to gather intelligence information from people reasonably believed to be located outside the United States. The government defended the amendments as an “early warning system” against possible terrorist attacks or strikes against U.S. troops and said they “cannot be used to target U.S. persons or any persons inside the United States.”[141]

On Aug. 20, 2009, Southern District of New York Judge John G. Koeltl dismissed the lawsuit because he determined that the plaintiffs lacked standing to attack the FISA Amendments Act as unconstitutional.[142] “The plaintiffs fear that their international communications will be monitored under the [Act]. They make no claim that their communications have yet been monitored, and they make no allegation or showing that the surveillance of their communications has been authorized or that the Government has sought approval for such surveillance,” Koeltl wrote in his order dismissing the lawsuit.[143] Koeltl noted that the FISA Amendments Act itself “does not authorize surveillance of the plaintiffs’ communications.”[144]

C. Emerging Technology to Monitor Government Snooping

The uncertainty of precisely what information government intelligence agencies and law enforcement are legally allowed to collect continues to bother some privacy advocates. “For example, right now it is perfectly legal, without any question, for the government to collect every telephone call, every e-mail, every communication in the world – as long as it can claim credibly that some part of the communication involves a person outside of the United States,” said Fred Cate, the director of the Center for Applied Cybersecurity Research at Indiana University.[145]

Palantir Technologies, a Silicon Valley company, claims it has developed technology that tracks the personal information and communications these entities collect so that it eliminates the problem of choosing between fighting terrorism and protecting civil liberties. The system works by tagging certain information “so the only people who can see it are those who are allowed to see it, so it takes care of the problem,” Palantir CEO Alex Karp told National Public Radio.[146]

As an example of how the technology can safeguard one’s privacy, Palantir executives pointed to an incident in Massachusetts in which law enforcement personnel searched for information on New England Patriots quarterback Tom Brady 968 times, looking for such things as his home address, driver’s license photo and whether he owned a gun.[147] Bob McGrew, director of engineering for Palantir, claims law enforcement would not have been able to carry out the search surreptitiously if they were using Palantir’s system because of its privacy control. “When some of these officials were looking at Tom Brady’s data, they would be leaving a trail. It is all captured in a log that you don’t need to be a technical guy to understand,” McGrew told NPR. “A compliance officer or a civil liberties group would be able to see exactly who was looking at what information.”

The Federal Bureau of Investigation, Central Intelligence Agency, Defense Department and New York Police Department have started using Palantir’s technology to analyze their intelligence data, according to the NPR report.

D. Google Street View Seen as Privacy Threat

Google Street View has raised privacy concerns, particularly in Europe where Google has to navigate numerous data protection agencies in countries that view privacy as a fundamental human right. Street View has been criticized because of the danger that the offshoot of the Internet search engine will post unflattering images of passersby or facilitate crime by allowing would-be criminals an advance look at a neighborhood. Introduced in May 2007, Street View is part of Google Maps and permits users to see and navigate within 360-degree street level images of a number of areas throughout the world, primarily in densely populated areas. Google obtained the images by using drivers who traversed the city streets in vehicles equipped with continuously filming digital panoramic cameras.

1. Privacy Safeguards in Place

In order to safeguard privacy, Google blurs faces and license plate numbers captured in the images and includes an option for those who object to the content of an image to have it removed from Street View. Once a user is on the offending image within Street View, users can click on the “Report a problem” link in the lower left portion of the page. That takes users to a screen that asks for the nature of the concern. Under the privacy category, users can request that images of their face (or that of their children) be removed along with pictures of their homes or automobiles. This includes images that have already been blurred. Users can also request that pictures of faces and license plates be blurred. The page includes space to describe the nature of the problem and an image tool to focus on the specific part of the picture that is the source of the complaint.

2. Street View in Europe

Street View has received the most scrutiny in Europe, where Google has been temporarily banned from collecting images in some countries or threatened with sanctions if it did not comply with privacy laws. However, the criticism appears to be subsiding after Google pledged to apply the same privacy protection standards in Europe that it uses with Street View in the United States. In addition, Google has coordinated with the Article 29 Working Party, which represents 27 European data protection authorities, to extend additional privacy safeguards.

Those measures, according to Peter Fleischer, Google’s global privacy counsel, include providing advance public notice about when and where Google will be capturing images and taking steps to avoid holding onto the “unblurred” original images any longer than is needed. Fleischer explained in a blog post that Google is still perfecting its technology to avoid “false positives,” or blurring portions of images that pose no privacy threat, but that the company is committed “to determine the shortest retention period that also allows for legitimate use under EU laws.”[148]

The Information Commissioner’s Office, the main privacy watchdog in the United Kingdom, concluded that Street View does not violate the UK’s Data Protection Act of 2008 as long as Google blurs faces and license plate numbers. David Evans, senior data protection practice manager for ICO, likened the images used on Street View to those of people walking past reporters on television, images taken “without their consent, but perfectly legally.”[149] Evans also said that “it is not in the public interest to turn the digital clock back. In a world where many people tweet, facebook and blog it is important to take a common sense approach towards Street View and the relatively limited privacy intrusion it may cause.”[150]

Google has had its share of run-ins with collecting Street View images. In May 2009, the Data Protection Authority in Greece blocked Google from capturing images in the country until it provided clarification on its measures to protect privacy, including how long it stores images.[151] In Germany, the country’s highest ranking data official threatened sanctions against Google if it did not alter its practices to conform to German privacy laws, which prohibit the dissemination of photos of people or their property without their consent.[152] In response, Google agreed to erase the raw images of faces, house numbers and license plates after they have been processed.[153]

3. Street View in Canada

Google representatives had ongoing discussions with Canada’s privacy commissioner and met with members of the House of Commons ethics committee on June 17, 2009, to prepare for its anticipated launch of Street View in the country.[154] Google began collecting images in major Canadian cities in 2007. At the time, Jennifer Stoddart, Canada’s privacy commissioner, expressed concern that the application would violate the Personal Information Protection and Electronic Documents Act, which went into effect in 2004, if the images were clear enough that individuals could be identified.[155]

In addition to Google’s standard policy of blurring faces, Google also vowed to retain the original, unblurred images no longer than is needed to adjust its software that recognizes and automatically blurs sensitive components of images. Jacob Glick, Google Canada’s privacy counsel, said he is confident that Street View was legally compliant and that it would not launch otherwise. As of June 2009, Google was collecting images in 32 Canadian towns. The company had yet to announce a planned release date for Street View in Canada.[156]

4. Street View and Crime

Some people are concerned that Street View aids criminals, particularly child predators, by making it easy to identify where children live due to the presence of playground equipment or toys outside of a home based on the online images. Others counter that this view is baseless because it would be more efficient for a would-be criminal to drive or travel through a specific neighborhood to find children since the Internet is not needed to find homes, playgrounds or schools where children play. The online images are also outdated the moment they are taken.

Street View has been credited for helping lead police to arrest twin brothers who were robbery suspects in the Netherlands.[157] In September 2008, a 14-year-old boy told police that he had been robbed of about $230 and his cell phone after two men dragged him off of his bicycle in Groningen, about 110 miles north of Amsterdam. The boy notified police again in March when he saw an image of himself and two men he believed were his attackers on Street View. Police had to send a formal request to Google for the original photo since the faces on Street View were blurred. When police received the original photo, the robbery squad recognized one of the twins and arrested both brothers.

5. Court Challenge

As of August 2009, one lawsuit had been filed in the United States against Google’s Street View alleging that the publicly available images constituted an invasion of privacy. In Boring v. Google, Inc., 598 F. Supp. 2d 695 (W.D. Pa. 2009), a magistrate judge dismissed claims against Google of invasion of privacy, trespass, negligence and unjust enrichment.

The plaintiffs, Aaron and Christine Boring, lived on a private road north of Pittsburgh and they filed suit when they discovered photos of their residence, outbuildings and swimming pool had been included on Street View. The Borings argued that the road on which they live is unpaved and clearly marked with “Private Road” and “No Trespassing” signs. The couple alleged Google invaded their privacy by taking the photos from their driveway at a point past the signs and then making the photos available to the public.

The court examined the invasion of privacy claim on grounds of intrusion upon seclusion and publicity given to private life. The court found the plaintiffs did not meet the stringent standard under Pennsylvania law of showing that the intrusion was highly offensive and could be expected to cause “mental suffering, shame, or humiliation to a person of ordinary sensibilities.”[158] The Borings did not dispute that they failed to use the available option to have the photos of their property removed from “Street View.” The court noted that the couple had done nothing to restrict access to the images, such as filing the lawsuit under seal. Instead, the suit generated publicity that resulted in even wider dissemination of the Borings’ names and location, leading to re-publication of the Street View images. The opinion mentioned that courts are not frequently asked to consider invasion of privacy claims based on virtual mapping.

E. RFIDs Can Be Tracked

Some privacy groups fear that the growth of government-issued IDs embedded with radio frequency identification, or RFID tags, could allow the movements of people to be tracked without their knowledge. RFID technology uses radio waves to identify people or objects by reading information contained in a wireless device or “tag” from a distance without making any physical contact or requiring a line of sight.

Government officials assert that the tags will help speed border crossings, protect against counterfeiters and keep terrorists out of the country. However, there is a danger that the unique serial number in each tag could be intercepted while being transmitted. In February 2009, Chris Paget, a self-described “ethical hacker,” used a Motorola reader he bought on eBay to scan the unique serial numbers of several people while driving through San Francisco. “It really does facilitate very wide scale and very long range tracking of people,” Paget said of the RFID tags in a video of his tracking activity that appeared on YouTube.[159]

There is some doubt as to the extent of the privacy threat posed by the RFID tags. The Department of Homeland Security (DHS) says RFID-enabled documents can be accurately read by authorized readers from up to 30 feet away, but there have been reports of a transmission between an e-passport and a legitimate reader being intercepted from up to 160 feet.[160] DHS acknowledges the potential risk in using the technology. Neville Pattinson, who serves on DHS’s Data Privacy and Integrity Advisory Committee, said that once a tag number is intercepted, “it is relatively easy to directly associate it with an individual. If this is done, then it is possible to make an entire set of movements posing as somebody else without that person’s knowledge.”[161]

1. RFID Tags Rise in Use

On June 1, 2009, it became mandatory for all United States citizens entering the country by land or sea from Canada, Mexico, Bermuda and the Caribbean to present documents embedded with RFID tags, although conventional passports remain valid until they expire.[162] This requirement is part of the Western Hemisphere Travel Initiative, which Congress passed into law in the Intelligence Reform and Terrorism Prevention Act of 2004 on the recommendation of the 9/11 Commission. DHS has encouraged states to begin using “enhanced” driver’s licenses which are also embedded with RFID tags. These licenses are already being issued in the border states of Michigan, New York, Vermont and Washington.[163]

2. States Respond to RFID Tags

Some states have passed legislation that outlaws the unauthorized reading of an RFID document. In California, someone caught reading or attempting to read an RFID tag without that person’s knowledge faces up to one year in prison or a $1,500 fine.[164] The California law contains exemptions in certain circumstances, such as for health care professionals to identify a patient in an emergency or for law enforcement at the scene of an accident. The law also does not apply to the unintentional reading of an RFID tag unless the identity is later used or disclosed to another party. Nevada and Washington have also passed similar laws.[165]

F. Videos Lead to Accusations of Breaking Privacy Laws

1. ESPN Reporter Filmed in the Nude

ESPN reporter Erin Andrews was secretly videotaped in the nude while she was alone in a hotel room and the video was posted online in July. An attorney for Andrews, a mainstay on the sidelines for many college football and basketball games broadcast on the sports network, said he planned to seek criminal charges and file civil lawsuits against the person who shot the video and anyone who published the material.[166] The grainy video showed Andrews combing her hair and looking in a mirror and generated a lot of attention when the video was posted online.

The video led to conflicting accounts about whether it is illegal to watch or download the video. CBS News reported through its legal analyst Lisa Bloom that such activity was illegal.[167] Marc Randazza, a legal analyst for the blog “Photography is Not a Crime” countered that viewing and downloading the video is completely legal.[168] Sam Bayard, assistant director of the Citizen Media Law Project at the Berkman Center for Internet and Society at Harvard University, believes publishing the video could lead to civil liability for invasion of privacy through the publication of private facts or violate state criminal surveillance laws that prohibit publication of “video voyeurism” images.[169] For example, Bayard pointed to a New York statute that criminalizes the publication of images that are known to be unlawfully obtained.[170]

Media coverage of the incident also raised ethical questions about how to report on an incident surrounding an invasion of privacy claim. ESPN decided not to cover the issue as a news story since it had no bearing on Andrews’ work as a reporter, but several newspapers and television stations published or aired images of the video, including the New York Post.[171] In response, ESPN banned all Post staffers from appearing on the network.[172]

2. Google Executives Face Trial in Italy

Four Google executives were scheduled to go on trial September 29 in Italy on accusations of defamation and violating privacy for allowing a video of an autistic boy being bullied to be posted online. The result of the case could alter the rules for how far video-sharing Web sites must go to control content.

“What is at issue is whether or not privacy laws that apply to newspapers or to the radio also apply on the Web, or whether it is a sort of free port where anything goes,” said Alfredo Robledo, one of the prosecutors in Milan who brought the charges. “We are raising the issue to show that there are holes in Italian legislation.”[173]

The charges stem from an incident at a school in Turin in 2006 when four boys were filmed teasing another boy, who has Down’s syndrome. A three-minute cell phone recording of the incident was uploaded to Google Video, where it remained for nearly two months before Google removed it after the Italian government and police intervened.[174]

Prosecutors allege the company should have prevented broadcast of the video and that it did not have enough automatic filters in place or enough workers in Italy to react to videos flagged as inappropriate by viewers. Google countered that it removed the video as soon as the company learned of it and then cooperated with authorities to help identify the boys involved.[175]

“We feel that bringing this case to court is totally wrong,” Google said in a statement. “It’s akin to prosecuting mail service employees for hate speech letters sent in the post. Seeking to hold neutral platforms liable for content posted on them is a direct attack on a free, open Internet.”[176]

The trial opened in February with the court addressing procedural matters. The family of the boy withdrew from the trial, leaving Vivi Down, an advocacy group, as the lead plaintiff in a corresponding civil case. The trial was scheduled to resume June 22, but was continued when an interpreter did not show up to court.[177]

The defendants, who are being tried in absentia, are Google’s senior vice president and chief legal officer David Drummond, former chief financial officer George Reyes, senior product marketing manager Arvind Desikan, and global privacy counsel Peter Fleischer.

G. Entrusting Google, Amazon With Personal, Public Records

1. UK Considers Putting Medical Records Online

The United Kingdom’s Conservative Party proposed transferring public health records to Google or Microsoft in lieu of a central database, The Times of London reported July 6 in a story[178] that drew the ire of those skeptical of Google’s commitment to protecting privacy. The proposal came on the heels of news that Connecting for Health, a centralized government database of health records, would not be completed until 2014, four years behind schedule. The newspaper reported that Conservative Party leaders hoped to give patients a choice among several private companies to store their records. That plan, however, would pose practical difficulties such as what would happen to the records of those who choose not to participate and how to handle the estimated nine million British households that do not have Internet access.[179]

Microsoft and Google launched similar personal health records services in 2007 on the promise that users can more easily control and share an electronic record with multiple health care providers. The services, Google Health and Microsoft’s HealthVault, are not alone in the industry, with WebMD and Revolution Health also offering the ability to build a personal online health record.[180]

David Davis, a Conservative Party Member of Parliament, blasted his own party for the idea of giving Google the reins of patients’ health information because of what he described as the company’s “cavalier approach to European privacy legislation.”[181] Davis supported transferring health records to private companies, but under the conditions that an entity cannot profit from the venture and the data must be stored on computers within the UK to assure compliance with UK privacy laws. Peter Fleischer, global privacy counsel for Google, quickly defended Google’s commitment to privacy and the value of its health-related services, including “Flu Trends,” which “offers an early warning system for flu outbreaks based on the anonymous actions of millions of people searching for symptoms.”[182]

2. Los Angeles Officials Raise Concerns About Google Apps

The city of Los Angeles proposed replacing its outdated computer records system by moving government e-mails, reports and other internal data onto Google Apps, prompting concerns about the program’s ability to handle records securely for the nation’s second-largest city. Known as “cloud computing,” the city’s records would be housed on Google servers off city property, raising fears that hackers could gain access to confidential information, particularly of ongoing police investigations.[183]

“Any time you go to a Web-based system, that puts you just a little further out than you were before,” said Paul Weber, president of the Los Angeles Police Protective League. “Drug cartels would pay any sum of money to be aware of our progress on investigations.”[184] Google has assured users that the application is secure and that more than 1.75 million businesses use the technology. As of July 2009, Google said Washington, D.C., was the only major city using Google Apps for its e-mail and office applications, although other cities were considering also using it.[185] The Los Angeles Times reported that city officials wondered whether the obligation to respond to public information requests would fall to Google as host of the city’s records. Peter Scheer, director of the California First Amendment Coalition, said the switch to Google could improve access to public information because of Google’s immense search and storage capabilities. “If you’re asking for information, it’s more likely you’ll get a more complete and accurate response to your request, sooner rather than later.”[186]

3. Groups Urge Strict Privacy in Google Books

A trio of privacy watchdogs urged Google to implement strict privacy controls in Google Books, a service that would make a wide variety of books readily available online. The groups were concerned that Google can track the books people browse and read in the virtual library and that the record could be turned over to the government or another third party. To address the concern, the groups, which included the American Civil Liberties Union of Northern California, urged Google to adopt several measures. These include releasing browsing information only in response to a court order, not keeping logging information for more than 30 days, and giving users the ability to delete their records.[187] Google assured potential users that it has a strong privacy policy in place for Google Books. The company said it could not publicize the policy until the U.S. District Court for the Southern District of New York approves a preliminary settlement with book publishers and authors that would enable Google to provide access to the books.[188] However, the Department of Justice informed the court on July 2, 2009, that it had opened an antitrust investigation into the proposed agreement.[189]

4. Student Leads Suit Against Amazon Over Deletion of Kindle Books

A Michigan high school student is a lead plaintiff in a proposed class action suit against Amazon after the company deleted George Orwell books from customers’ Kindles. The student, Justin Gawronski, purchased a Kindle copy of Orwell’s “1984” in early June 2009 and took notes in the electronic novel as part of a summer homework assignment, according to the complaint filed July 30 in federal court in Seattle where Amazon Digital Services, the distributor of the Kindle device, is headquartered.[190] At some point in July, Gawronski powered on his Kindle to find that his copy of “1984,” including his notes, had been deleted, according to the complaint.

Amazon has explained that it deleted copies of “1984” and “Animal Farm” after it discovered they were added to the Kindle store by a company that did not own the rights to distribute the novels. Amazon says it gave customers a refund for the price of the books.[191]

In addition to those who had digital content deleted, the suit proposes to represent all people who have owned a Kindle and seeks an injunction prohibiting Amazon from accessing customers’ Kindles. The suit alleges various contract claims, including that Amazon violated its own terms of use by revoking a promise that users can keep a permanent digital copy of their purchases. The suit also seeks damages for the loss of work product sustained by the deletion.

H. Bloggers in Court

1. Blogger Arrested for Inciting Violence Against Judges

New Jersey blogger and Internet radio host Hal Turner was charged with violating state and federal laws for separate inflammatory posts on his blog, including what authorities said amounted to death threats against three Seventh Circuit judges.[192] The posts on Turner’s now-defunct blog, , denounced a Seventh Circuit ruling that upheld two local handgun bans in Chicago. “Let me be the first to say this plainly: These judges deserve to be killed,” Turner wrote June 2, 2009, according to a criminal complaint filed against him June 24 in the U.S. District Court for the Northern District of Illinois.[193] “Their blood will replenish the tree of liberty. A small price to pay to assure freedom for millions.” Turner also posted the photographs, phone numbers, work addresses and courtroom numbers of the three judges, William Bauer, Frank Easterbrook, and Richard Posner. The FBI said in its complaint that it believed Turner’s comments constituted “a threat to assault or murder a United States judge,” in violation of 18 U.S.C. § 115(a)(1)(B). On Aug. 10, a federal judge denied Turner bail, calling him “a danger to the community.”[194]

Prior to the federal charges, Turner had surrendered to Connecticut authorities on state charges of inciting violence against two state lawmakers – Sen. Andrew McDonald (D-Stamford and Darien) and Rep. Michael Lawlor (D-East Haven) – who introduced a controversial bill that would have given lay members of Roman Catholic churches more control over their parishes’ finances. Law enforcement officials believe Turner violated Conn. Gen. Stat. § 53a-179a(a), which criminalizes “inciting injury to persons or property.”

Michael Orozco, Turner’s defense attorney, said Turner worked for the Federal Bureau of Investigation from 2002 to 2007, during which time the FBI taught him how to purposefully make comments that would incite others to act and lead to their arrest. Prosecutors have acknowledged that Turner spied on radical right-wing organizations, but said he was not working for the FBI when he made the comments that led to the criminal charges in Illinois and Connecticut.[195]

It is unclear whether the charges against Turner will hold up in court. Gene Policinski, vice president and executive director of the First Amendment Center, mentioned in a June 14 post on the center’s Web site that the principles in Brandenburg v. Ohio, 395 U.S. 444 (1969), should prevent any criminal charges against pundits such as Turner.[196] In Brandenburg, the Court held that the First Amendment protected statements advocating use of force or illegal activity “except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action.”[197]

2. Blogger Cannot Invoke New Jersey Shield Law

In Too Much Media LLC v. Hale, MON-L-2736-08 (Monmouth County Ct. June 30, 2009), a New Jersey trial court judge ruled that a blogger and online commentator who was sued for defamation could not claim the state’s journalist shield law to protect the confidential sources she used as a basis for publishing allegedly defamatory statements about a corporation. Monmouth County Judge Louis Locascio ruled that Shellee Hale, a Washington-state based blogger, licensed private investigator, and “life coach,” could not claim the statutory privilege, N.J.S.A. 2A:84A-21 -21.8, because Hale did not show that she was “in any way involved with” any of the “news media” listed in the statute: “newspapers, magazines, press associations, news agencies, wire services, radio or television.”

Too Much Media, a computer software company that provides advertising programming for the online pornography industry, sued Hale for statements she made in an Internet forum that accused the company, and two of its officers, of engaging in criminal behavior, including making physical threats, and profiting from a security breach that jeopardized the privacy of subscribers to pornography Web sites. The company planned to compel her to reveal her sources in a deposition.

Locascio wrote that Hale’s online forum statements did not display accepted practices of journalism that the law was meant to protect. “There is no fact-checking required, no editorial review and so little accountability for the statements posted that it is virtually impossible to discern the author or source of the posts,” Locascio wrote. “To extend the newspaper’s privilege to such posters would mean anyone with an email address, with no connection to any legitimate news publications, could post anything on the internet and hide behind the Shield Law’s protections.” On July 22, 2009, Hale filed a motion for reconsideration in Monmouth County Court.

Sam Bayard, Assistant Director of the Citizen Media Law Project at Harvard’s Berkman Center for Internet and Society, wrote in a July 9 blog post that it would be “a mistake … to read Judge Locascio’s opinion broadly as saying that New Jersey’s shield law categorically does not protect bloggers.”[198] Bayard pointed to several “peculiar facts” in Locascio’s ruling, including that the judge appeared to discount some of Hale’s testimony because she could not provide specifics about articles in newspapers and trade journals she claimed to have published, and because she apparently lied in a previous court document in the case.

I. Advances in Phone Technology Bring Benefits, Risks

1. Breach Highlights Security Risk of Smart Phones

BlackBerry users in Dubai and Abu Dhabi in July 2009 unknowingly installed what was probably spy software on their phones instead of an application they believed would upgrade their phones. While the circumstances surrounding the breach were not entirely known, including who ordered the upgrade, the incident reinforced privacy concerns surrounding the phones. An Associated Press story on the breach quoted Richard M. Smith, an Internet security and privacy consultant at Boston Software Forensics, as saying that smart phones are “the perfect personal spying devices” because as tiny computers they can be programmed to send back a broad range of information.[199]

The Associated Press reported that the incident occurred after Etisalat, an Abu Dhabi-based mobile service provider, sent text messages to BlackBerry customers asking them to follow a link to update their phones. Customers who installed the software complained that it quickly drained their batteries. Research in Motion, the Canadian company that makes the BlackBerry, distanced itself from the request to install the software and said the application users installed was a surveillance program that could have possibly allowed access to personal or private information.[200]

2. Google Voice App Not Allowed in iTunes App Store

In what may be a move to protect itself against a competitor, Apple refused to allow Google to distribute its Google Voice application on iTunes, meaning iPhone users cannot use the software.[201] The move prompted the Federal Communications Commission to launch an inquiry into Apple’s decision.[202]

Google Voice allows users to make free or low-cost calls and provides free text messaging, call routing and a universal voice mailbox. The feature users may find the most beneficial is the ability to consolidate multiple phone numbers – home, cell phone, office – into one Google Voice number. Users can then decide which devices will ring depending on the caller. For example, calls from a boss could be set to ring only a BlackBerry while calls from a mother-in-law could be sent straight to voice mail.[203] Google Voice was already on BlackBerrys prior to Apple’s decision to block the application.[204]

Technology analyst Martin Pyykkonen suggested that Apple’s move was likely a means to protect its business partner, AT&T Inc., from losing money from subscribers who would use Google Voice instead of its services.[205] A New York Times blogger later reported that Google said it was looking to replace the Voice application with a specialized Web page that would perform the same functions.[206]

J. Redaction Methods May Not Serve Their Purpose

A thick black marker used to suffice for redacting information in legal documents. Some attorneys may still use that tool even though electronic redacting technology is available. Neither method, however, is certain to keep sensitive information from view. During a 2008 sexual discrimination suit in Connecticut,[207] it was discovered that the black bars intended to serve as redactions in PACER’s federal court filing system would disappear when the redacted passages were copied and then pasted into Microsoft Windows’ Notepad or Microsoft Word, allowing the underlying words to be read.[208]

Redaction remains an important part of many legal offices, particularly in the public sector as the Obama administration makes a push for a more transparent government. The Federal Bureau of Investigation has a redaction tool in its own document management system that allows judges to privately view redacted information. The tool reveals the initials of the person who made the redaction along with margin notes that indicate why the information was hidden.[209] Readily-available automated redaction software can search for words that may need to be redacted and automatically obscure certain material such as Social Security numbers, but the software does have its limitations. It may miss words in a document that has been scanned and it often cannot read embedded items in a document such as tables and spreadsheets.

Those who commonly redact information say that human review should remain a part of any successful redacting process. “Tools can help, but you can never assume it’s foolproof,” said Christine Musil, vice president of communication for Informative Graphics Corp., which makes Redact-It, a redaction tool. “Using a redaction tool can help demonstrate a good-faith effort to redact information, but you still need to use it properly.”[210]
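The failure described in this section, a black bar drawn over text that remains in the file, can be checked for before a document is filed. The following is an added example, not part of the original outline or of any redaction product named in it: it reads a simplified, uncompressed PDF page content stream (constructed sample data) and reports text that is still present beneath a filled rectangle. The operator subset, the glyph-width estimate and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample (not from a real filing): the SSN line is drawn first and a
# black rectangle is then painted over it, so the text stays in the file.
COVERED_ONLY = """
BT /F1 12 Tf 72 700 Td (Plaintiff: Jane Roe) Tj ET
BT /F1 12 Tf 72 680 Td (SSN: 000-12-3456) Tj ET
0 0 0 rg
70 676 140 16 re f
"""

# Constructed sample: the same page with the text-showing operator removed
# before the rectangle was drawn, which is what redaction has to achieve.
REMOVED = """
BT /F1 12 Tf 72 700 Td (Plaintiff: Jane Roe) Tj ET
0 0 0 rg
70 676 140 16 re f
"""

# A token is either a (string literal) or a run of non-space characters.
# Limitation: nested unescaped parentheses inside strings are not handled.
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|[^\s()]+")
AVG_GLYPH_WIDTH = 0.5  # assumption: mean glyph width as a fraction of font size
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def is_operand(tok):
    """Strings, names and numbers are operands; everything else is an operator."""
    if tok[0] in "(/":
        return True
    try:
        float(tok)
        return True
    except ValueError:
        return False


def parse_stream(stream):
    """Return (text_runs, filled_rects), each tagged with its paint order."""
    operands, runs, rects, pending = [], [], [], []
    x = y = size = 0.0
    for order, tok in enumerate(TOKEN.findall(stream)):
        if is_operand(tok):
            operands.append(tok)
            continue
        if tok == "BT":                      # new text object: reset position
            x = y = 0.0
        elif tok == "Tf":                    # /Font size Tf
            size = float(operands[-1])
        elif tok == "Td":                    # tx ty Td (offsets accumulate)
            x += float(operands[-2])
            y += float(operands[-1])
        elif tok == "Tj":                    # (string) Tj
            text = re.sub(r"\\(.)", r"\1", operands[-1][1:-1])
            box = (x, y, x + len(text) * size * AVG_GLYPH_WIDTH, y + size)
            runs.append({"text": text, "box": box, "order": order})
        elif tok == "re":                    # x y w h re (path, not yet painted)
            rx, ry, rw, rh = (float(v) for v in operands[-4:])
            pending.append((rx, ry, rx + rw, ry + rh))
        elif tok in FILL_OPS:                # path is painted now
            rects.extend({"box": b, "order": order} for b in pending)
            pending = []
        elif tok in ("n", "S", "s"):         # path discarded or only stroked
            pending = []
        operands = []
    return runs, rects


def overlaps(a, b):
    return a[0] < b[2] and b[0] < a[2] and a[1] < b[3] and b[1] < a[3]


def audit_redactions(stream):
    """Text still in the text layer under a rectangle painted after it."""
    runs, rects = parse_stream(stream)
    return [run["text"] for run in runs
            if any(r["order"] > run["order"] and overlaps(run["box"], r["box"])
                   for r in rects)]


def text_layer_hits(stream, pattern=SSN):
    """Text runs matching a sensitive pattern, covered or not."""
    runs, _ = parse_stream(stream)
    return [run["text"] for run in runs if pattern.search(run["text"])]


if __name__ == "__main__":
    for name, sample in (("covered only", COVERED_ONLY), ("removed", REMOVED)):
        print(name, audit_redactions(sample), text_layer_hits(sample))
```

A rectangle painted before the text is treated as background rather than a redaction, which is why paint order is tracked. Scanned pages carry no text layer at all, so a check like this says nothing about them and human review still applies.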

IV. DATA PRIVACY IN THE WORKPLACE AND ON CAMPUS

A. Requests for Passwords to Social Networking Sites

1. Bozeman, Mont., Stops Asking Job Applicants for Facebook Passwords

On June 22, 2009, the city of Bozeman, Mont., eliminated its policy of asking job applicants to give their passwords for all personal and business Web sites, including social networking sites such as Facebook and MySpace, during the hiring process.[211] Applicants were required to sign a waiver agreeing to a criminal background and references check. The bottom of the waiver included this request: “Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs, or forums, to include, but not limited to: Facebook, Google, Yahoo, , MySpace, etc.”[212] The request for passwords to Google and Yahoo meant city officials had the ability to read applicants’ e-mails.

Bozeman had previously checked job applicants’ social networking sites for about three years. City administrators first began asking for the passwords of police and fire department applicants, but that procedure was never presented to the city commission for approval because that body does not typically set hiring policies.[213] Bozeman City Manager Chris Kukulski said the city viewed personal Web sites in order to make sure applicants were honest and reputable as part of its background check that includes checking credit reports, criminal history, references and past employment.[214] City officials recalled one instance in which content of an applicant’s social networking site was a factor in the person not being hired.

News of the city’s hiring practice drew a wave of attention from media outlets and bloggers when it became widely known in June, prompting the city to revisit the practice. At the meeting to rescind the practice, city Commissioner Jeff Krauss apologized for not acting more quickly to avoid “wandering down a road that violated basic rights of our citizens.”[215] The city commission has since approved spending up to $10,000 to hire an outside investigator to examine the former hiring practice, including whether applicants’ refusal to submit the information negatively affected their chances of being hired and how the city used its reviews of the Web sites.[216]

2. Student Sues Cheerleading Coach, School District for Facebook Incident

A Mississippi high school cheerleader filed suit against her coach and school district, claiming that her coach logged into her Facebook account and distributed material that led to her dismissal from the team.[217] The student, Mandi Jackson, claims Tommie Hill, the cheerleading coach at Pearl High School in Pearl, Miss., asked each member of the cheerleading squad on Sept. 10, 2007, to provide her with the passwords to their Facebook accounts. Jackson claims she did not know what to do other than to turn over her password to “an authority figure.”[218] Hill then accessed her Facebook account the same day and “disseminated the information” to other teachers, cheerleading coaches, the principal and superintendent, according to the complaint.

The complaint, filed June 16, 2009, in U.S. District Court for the Southern District of Mississippi, does not specify the precise content Hill passed along from Jackson’s Facebook account, other than to say district officials “publicly reprimanded, punished and humiliated Jackson for a private discussion between Jackson and another student.” The Student Press Law Center reported the discussion included “an exchange of profanity-laced messages between Jackson and the cheerleading captain in which Jackson asked the student to ‘stop harassing’ several of the cheerleaders.”[219] As a result, Jackson was forced to sit out of cheer and dance training and other school sponsored events, according to the complaint.

The suit, filed on behalf of Jackson by her parents, seeks more than $100 million in damages for violations to Jackson’s constitutional rights to privacy, free speech, free association and due process. The suit also includes claims for defamation, intentional infliction of emotional distress and cruel and unusual punishment.

B. Be Wary of Writing Reviews on LinkedIn

Management-side attorneys are warning employers against writing reviews on LinkedIn, the business networking site that contains recommendations for job candidates. The attorneys advise that since most of the reviews on LinkedIn are positive, plaintiffs’ lawyers could use them in wrongful termination suits to dispute claims a worker was let go for poor performance.[220]

“Just don’t do it,” advised Carolyn Plump, an attorney and partner at Mitts Milavec in Philadelphia. “Generally, my advice is that I think employers are often better served by merely stating dates of employment, positions with the company and salary, and staying away from much more because there are so many potential ramifications if they say something.”[221]

A recommendation could also work against a plaintiff in certain situations. If a supervisor treated all workers equally by writing positive reviews about everyone, that could help disprove a discrimination claim, said Linda Friedman, an employee rights attorney at Stowell & Friedman in Chicago. She added that employers could explain a positive review as an attempt to help a person who had just lost his job.[222]

LinkedIn has already been cited in at least one employment-related dispute. In Kelly Services Inc. v. Marzullo, 591 F. Supp. 2d 924 (E.D. Mich. 2008), the Michigan-based staffing services company cited the LinkedIn profile of a former employee who went to work for a competitor. The company persuaded the court to issue a preliminary injunction enforcing a non-competition agreement that limited the worker’s role with his new employer.

C. Confusion and Abuses of FERPA

An investigation by The Columbus (Ohio) Dispatch found that the nation’s biggest athletic programs interpret the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232(g) et seq., in vastly different ways.[223] Also known as the Buckley Amendment, FERPA was passed in 1974 to require educational institutions that receive federal funds to meet privacy requirements regarding the “education records” of students or face the loss of that funding. The newspaper’s findings have sparked a debate over a statute that has long created obstacles for journalists and led to a movement urging Congress to clarify how schools should apply the law.[224]

1. Findings By the Newspaper

The Dispatch submitted public records requests to 119 colleges and universities in the National Collegiate Athletic Association’s Football Bowl Subdivision requesting records that generally would not pertain to student athletes’ grades or academic performance, but could offer insight on how the sports programs operate. The newspaper requested airplane flight manifests for football team travel to road games, lists of people designated to receive athletes’ complimentary admission to football games, football players’ summer employment documents, and reports of NCAA rules violations.

Of the 69 schools that responded to the request, The Dispatch reported that more than 80 percent released unedited information about ticket lists, about half did not censor flight manifests, 20 percent gave full information about football players’ summer jobs, and 10 percent provided unedited information about rules violations.

2. What is an ‘Education Record?’

The Dispatch reported that the primary cause for the disparity in disclosure, sometimes between different schools in the same state, came from the schools’ interpretations of what qualifies as “education records.” FERPA defines “education records” as records that “contain information directly related to a student” and “are maintained by an educational agency or institution or by a person acting for such agency or institution.”[225] According to the statute, “education records” do not include administrative or instructional notes or records that are not available to anyone aside from their creator; records maintained by the institution’s law enforcement unit; employee records that “related exclusively to the individual in that individual’s capacity as an employee” (as opposed to a student’s work-study records, which are considered “education records” under 34 C.F.R. § 99.3); medical records; “records created or received by an . . . institution after an individual is no longer a student in attendance and that are not directly related to the individual’s attendance as a student;” or “grades on peer-graded papers before they are collected and recorded by a teacher.”[226]

In December 2008, the Department of Education modified its interpretation of “education records” by expanding the definition of “personally identifiable information.” The definition under the revised rule includes not only a student’s name, address, and social security number, but also information that could lead the requester to identify the student “with reasonable certainty” and “information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.”[227]

3. Report Spurs Calls to Clarify FERPA

The Dispatch report prompted an effort to re-examine FERPA. The author of the law, former Sen. James L. Buckley (R-N.Y.), said that extending the law to athletes who have gambled or cheated, coaches who have broken recruiting rules, or boosters who offer free meals or no-work jobs to players is “not what we intended.” He added that “the law needs to be revamped” because “institutions are putting their own meaning into the law.”[228]

Sen. Sherrod Brown (D-Ohio) sent a letter to the Assistant Education Secretary Carmel Martin that asked the department to “take additional steps to clarify for students, parents, colleges, universities, and the public what is an educational record.”[229] Paul Gammill, head of the Education Department’s Family Policy Compliance Office, said the Dispatch investigation led his office to take a closer look at how schools apply FERPA because of apparent differences in the interpretation of the law.[230] Gammill added that while his office advises institutions on compliance, any changes in the law would have to be made by Congress.[231]

D. Split Develops in Application of Computer Fraud and Abuse Act

As companies downsize in the current economic crisis, some terminated employees steal data to improve their job prospects with a new employer.[232] This may lead to an increase in litigation involving the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and further expose a split in judicial interpretations of the CFAA. The CFAA criminalizes the theft of computer data and enables a company that “suffers damage or loss” through a CFAA violation to pursue damages and injunctive relief against the violator in a civil action. Four of the seven violations of the CFAA require an employer to show that the worker’s access to the company’s computers was “without authorization” or “exceeds authorized access.” The CFAA does not define “without authorization,” but defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”[233]

Nick Akerman, a partner in Dorsey & Whitney’s New York office, identified Int’l Airport Centers LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006) as the leading authority for using the CFAA against workers who steal their employers’ data.[234] In Citrin, the Seventh Circuit held that an employee’s authorization to use company computers is based on his “agency relationship” with the employer, and this relationship is voided when the worker violates “his duty of loyalty” to the employer, such as by accessing a computer to steal data. Courts have since offered conflicting rulings on whether an employee’s alleged violation of the CFAA hinges on his authorization to access the data or his intent in doing so.

1. ‘Authorized Access’ Does Not Violate CFAA

Many district courts have departed from Citrin and have held that “access to a protected computer occurs ‘without authorization’ only when initial access is not permitted, and a violation for ‘exceeding authorized access’ occurs only when initial access to the computer is permitted but the access of certain information is not permitted.”[235] This line of reasoning focuses on the “use” of the access rather than the “intent” of the departing employee.[236]

For example, in Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 963 (D. Ariz. 2008), the court dismissed an employer’s claim against an employee who e-mailed confidential company information to himself before he went to work for a competitor. Since the employee had authorization to view the files he e-mailed to himself, the court found that the worker did not access the information “without authorization” or in a manner that “exceeded authorized access.”[237]

2. Personal Gain Can Constitute CFAA Violation

Another line of cases emphasizes the intent of an employee’s actions so that once he is “working for himself or another, his authority to access the computer ends, even if he or she is still employed at the present employer.”[238] In addition to Citrin, Akerman believes decisions in three other circuit courts support “sanctioning use of the CFAA against employees” when their “agency relationship” with the employer ends.[239]

In U.S. v. Nosal, 2009 WL 981336 at *7 (N.D. Calif. 2009), the court refused to dismiss criminal charges against a former “high level executive at an international executive search firm” who stole competitively sensitive data from his employer’s computer before he left the firm. The defendant argued that the CFAA generally applied to hackers or other “outsiders,” and not to employees who “abuse computer access privileges to misuse information derived from their employment.” The court rejected this argument and instead focused on the worker’s intent to use the information fraudulently at the time it was accessed.

3. Judicial Advice to Businesses

With the current uncertainty in how courts will apply the CFAA, U.S. District Court Judge James I. Cohn of the Southern District of Florida suggested that businesses can help protect themselves by drafting detailed policies on the scope of employees’ use of work computers. “Though the district court decisions on this issue are in dispute, an employer . . . clearly has a right to control and define authorization to access its own computer systems,” Cohn wrote, finding that an employer had a substantial likelihood of succeeding on a CFAA claim by showing that a worker downloaded files she did not need for business purposes during a time when she was negotiating to leave her employer for a competitor.[240]

E. Limits to What Employers Can Know, Say About Employees

1. Jury Finds Restaurant Managers Violated Privacy of Workers

A federal jury in Newark, N.J., found that restaurant managers who monitored employees’ workplace complaints in a MySpace group violated federal and state privacy laws that protect Web communications.[241] Brian Pietrylo and Doreen Marino, employees at a Houston’s restaurant in Hackensack, N.J., created an invitation-only, password-protected MySpace group designed for workers to “vent about any BS we deal with [at] work without any outside eyes spying on us.”[242] Comments on the site included sexual remarks about management and restaurant customers as well as references to violence and illegal drug use.

Restaurant management learned of the site and asked a greeter at the restaurant for her password. The circumstances surrounding the request were critical to the resolution of the case. The greeter testified that she knew she “was going to get in trouble or something was going to happen” if she did not provide her password.[243] After managers accessed the forum multiple times, Pietrylo and Marino were fired. On its verdict form, the jury answered affirmatively that the MySpace group was “a place of solitude and seclusion” designed to protect users’ private affairs. However, the jury answered “No” to the question of whether users should have a reasonable expectation of privacy in the group. “The argument of coercion is the only aspect of this that gave the plaintiff success,” said Bernard W. Bell, a professor at Rutgers Law School who teaches privacy law. “If you are distributing these comments, or posting these comments, on a site that is not password protected, there is very little argument that there is an invasion of privacy.”[244]

In a July 2008 ruling, U.S. District Court Judge Faith Hochberg denied summary judgment to the Beverly Hills, Calif.-based Hillstone Restaurant Group on the workers’ claims of wrongful termination, invasion of privacy and violations of the Stored Communications Act, 18 U.S.C. §§ 2701-11, and the parallel provision of the New Jersey Act, N.J.S.A. 2A:156A-27. Hochberg dismissed a claim that the restaurant violated the workers’ rights to free speech.[245] The jury awarded a total of $3,400 in back pay and $13,600 in punitive damages.

2. Workers Had ‘Expectation of Privacy’ in Text Messages

In Quon v. Arch Wireless, 529 F.3d 892, 910-11 (9th Cir. 2008), the Ninth Circuit overturned a district court ruling and found that the city of Ontario, Calif., and Arch Wireless, a provider of text messaging pagers, violated the privacy rights of police officers under the Fourth Amendment and California Constitution by searching the content of text messages on their work-issued pagers without their consent.

The city of Ontario had an informal policy that it would not look at the content of the messages as long as the officers paid for any overage charges that accrued as a result of using the text messaging pagers for personal use. When a lieutenant got “tired of being a bill collector with guys going over the allotted amount of characters on their text pages,” the police chief ordered an audit of the messages to determine if officers were sending too many text messages on city time or an increase was needed in the number of characters allotted to officers each month.[246] The audit revealed one officer had gone over his limit by 15,158 characters and that many of the messages were sexually explicit.[247]

The court determined that Arch provided an electronic communication service (ECS) as opposed to a remote computing service (RCS). Both an ECS and RCS can release private information to, or with the lawful consent of, “an addressee or intended recipient of such communication,” while only an RCS can release such information “with the lawful consent of . . . the subscriber.”[248] The court found it undisputed that the city was not an “addressee or intended recipient,” but a “subscriber,” so the officers had “a reasonable expectation of privacy in the content of their text messages vis-à-vis the service provider.”[249]

3. Fired Worker Claims Employer Accessed Personal E-mail

A terminated worker claims his employer violated federal and state privacy laws by accessing his personal e-mail account and using the contents of e-mails against him in his termination dispute.[250] Scott Sidell was fired from his job as chief executive officer of Structured Settlement Investments on Aug. 24, 2007. Before he left the company’s office building in Norwalk, Conn., Sidell accessed his personal Yahoo! e-mail account, but did not log off, enabling the account to be accessed for up to two weeks without a password, according to his complaint. Sidell claims his employer accessed his personal e-mails and shared them with the attorneys representing the company in his termination dispute. Sidell alleged violations of the Electronic Communications Privacy Act, 18 U.S.C. § 2510, the Stored Communications Act, 18 U.S.C. § 2701 and similar Connecticut state laws.

Based on an employment agreement to arbitrate all claims, U.S. District Court Judge Vanessa L. Bryant on Jan. 14, 2009, ordered that an arbitrator should first decide whether to exercise jurisdiction over Sidell’s invasion of privacy claims in addition to the wrongful termination dispute.[251] If the arbitrator declines jurisdiction, Sidell can re-file his suit. Sidell had yet to re-file his suit as of early August.

F. N.J. Law Would Prohibit Prosecuting Teens for ‘Sexting’

Instead of prosecuting teenagers who e-mail, text message or post nude or sexually suggestive photos online, a proposed New Jersey law would give prosecutors the option of placing minors in a diversionary program. Sponsors of identical bills[252] introduced in June 2009 in the New Jersey Assembly and Senate say that teenagers who distribute such material, a practice known as “sexting,” often do so out of a need for approval or a lack of confidence, and that the law should reflect their lack of criminal intent.[253]

The introductory statements to each of the bills identify “sexting” and teenagers posting sexual images online as “nationwide problems that have perplexed parents, school administrators, and law enforcement officials.” In March 2009, the Passaic County (N.J.) Sheriff’s Department charged a 14-year-old girl with distribution of child pornography after she posted nude photos of herself on MySpace.[254] Prosecutors later agreed to drop the charges if the girl received counseling and stayed out of trouble for six months.[255]

According to the bills, county prosecutors would have discretion to admit a minor to the educational program that would focus on the consequences of sexting, including its effect on relationships and employment prospects. The New Jersey Attorney General’s Office would develop the precise makeup of the program that would be an option for those charged under N.J.S.A. 2C:24-4, which governs endangering the welfare of a child. Those who successfully complete the program would be able to avoid prosecution.

State lawmakers also introduced bills in June 2009 that would require schools to distribute information to students in grades six through twelve on the dangers of electronically sending sexually explicit images.[256] Other bills would require stores that sell cellular phones to provide information on sexting to phone purchasers.[257]

V. SOCIAL NETWORKING SITES: PRIVACY CONCERNS AND POTENTIAL PITFALLS OF USE

A. EU Regulators Recommend Stricter Rules

In June 2009, a group of European Union regulators recommended social networking sites (SNS) implement a host of reforms to comply with EU law, including prohibiting users from posting photos of others without their consent.[258] Other measures highlighted by the council of EU regulators, known as the Article 29 Working Party, involve deleting personal information when a user deletes an account and setting up a homepage link to a “complaint handling office” that deals with privacy and data protection issues.

The working party framed its recommendations to require SNS to comply with the EU’s Data Protection Directive[259] “even if their headquarters are located outside” of the European Economic Area. The working party’s opinion is not binding, but often serves as an indication for the future direction of legislation at the national and EU levels.[260] If these recommendations are adopted in their current or slightly altered terms, SNS such as Facebook and MySpace will have to alter some of their practices. Facebook has hired Richard Allan, the former head of European regulatory affairs for Cisco, to lobby EU governments on its behalf.[261]

In preparing its opinion, the working party drew on previous recommendations made by the Berlin International Working Group on Data Protection in Telecommunications,[262] the Resolution on Privacy Protection in Social Network Services,[263] and a position paper published in October 2007 by the European Network and Information Security Agency.[264]

1. Tagging Photos

Facebook users currently do not need permission to post photos on their personal profiles and “tag,” or identify, friends by name with a link to the profile of the tagged person. The working party wants SNS to require users who post pictures or information about others to first get the individual’s permission. To achieve this, the working party suggests SNS create space on users’ personal home pages that lists the photos seeking to tag a user. A user would then be able to review the photos and consent to be tagged before the photos can be posted for others to view.

2. Retention of Personal Data

The working party wants SNS to adopt higher standards for the deletion of personal data. These include deleting personal data “as soon as either the user or the SNS provider decides to delete the account.” In addition, when a user updates his profile, the former account information should not be retained. When a user does not log into an SNS account for a specific period of time, the profile should be blocked from view of other users and after another set time period, the account should be deleted after trying to notify the user.

The recommendations also encouraged setting parameters regarding the collection of “sensitive data,” which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, and information about one’s health or sex life. The sites should make clear to users that answering such questions is voluntary. Facebook currently has options for users to enter their religious and political preferences; however, doing so is not required to create a profile.

3. Minors

The working party suggested several measures for protecting the privacy of minors. These include not asking for sensitive data in subscription forms, prohibiting direct marketing aimed at minors and possible implementation of age-verification software. In April, Viviane Reding, the EU’s Commissioner for Information Society and Media, said she believes that profiles of minors “must be private by default and unavailable to internet search engines.”[265]

B. Canada Privacy Commissioner Warns Facebook To Tighten Privacy Controls

Canada’s privacy commissioner found that Facebook violates Canadian privacy laws in several respects, particularly by not adequately protecting users’ personal information from applications developers.[266] The inquiry was prompted in response to a complaint filed by the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa that alleged Facebook violated provisions of Canada’s Personal Information Protection and Electronic Documents Act. Facebook has about 250 million users worldwide, including 12 million in Canada.[267]

Canada Privacy Commissioner Jennifer Stoddart released the results of her office’s 13-month investigation on July 16, 2009. Stoddart gave Facebook until Aug. 24, 2009, to bring its policies into compliance. If it failed to do so, Stoddart would consider pursuing a court order that would require Facebook to change its business practices.[268] Following the release of the report, Chris Kelly, Facebook’s chief privacy officer, said the company would continue its conversation with Canada as part of its ongoing effort to modify its privacy controls. However, Kelly said, “We have every confidence that there would not be a finding in Canadian law if there were to go to a court, but we’re very comfortable with where things are in our discussion.”[269]

The report identified privacy concerns in these four areas:

1. Facebook Applications

When users decide to participate in games, quizzes and other diversions on Facebook, they agree to give the application developer access to much of their personal information. Facebook already advises developers to limit their use of personal information to the application, but the report recommends going farther by preventing the release of information other than what is needed to run a specific application. Elizabeth Denham, the assistant Canadian privacy commissioner who prepared the report, wants users to be informed of the specific information an application uses and for what purpose.

2. Deactivated Accounts

Facebook offers users who no longer want to use the site the option of deactivating or deleting their accounts. Deactivation authorizes Facebook to retain personal information in case a user wants to use the account again, while deletion supposedly eliminates all personal data. Facebook acknowledges it is difficult to guarantee that all personal information on a deleted account is actually eliminated. However, the report wants Facebook to set a reasonable time limit on when it will delete content from deactivated accounts.

3. Accounts of Deceased Users

The privacy office wants Facebook to include in its Privacy Policy a notice to users that personal information of deceased users will be retained to keep an account visible as a memorial. The report complimented Facebook for its commitment to allowing a way for friends and family to honor the deceased. However, it found that this nevertheless constitutes an intended use of personal information and should be communicated to users.

4. Information of Non-Users

The report urged Facebook to adopt measures to address concerns about non-users’ lack of consent to being tagged in photographs. When a user tags a non-user in a photo, the user has the option of uploading the non-user’s e-mail address. Facebook then uses the e-mail address to invite the non-user to join the site. The report recommended Facebook require users to obtain consent before providing a non-user’s e-mail address, and that Facebook set a reasonable time limit on the retention of these addresses.

C. Reporters’ Use of Social Networking Sites

Celebrities and other newsmakers have begun using social networking sites (SNS) in increasing numbers. As a result, media outlets often use postings from the sites as a source to break news or provide added commentary to a story. For example, in the days after former Alaska Gov. Sarah Palin announced on July 3, 2009, that she would resign from office, news outlets analyzed and reported her Facebook and Twitter posts in an attempt to more fully understand her decision to step down. Palin’s online chatter appeared at the top of a July 5, 2009, story in the New York Times: “Gov. Sarah Palin of Alaska offered few hints of what her next stage in national politics might be when she unexpectedly announced that she was quitting her job, other than to say on her Facebook page on Saturday that she was ‘now looking ahead and how we can advance this country together.’”[270]

It is a foregone conclusion that references to Facebook posts or “tweets” will continue to appear in news reports. Use of the sites is too pervasive to ignore and their popularity shows no sign of slowing down. Journalists, media organizations and academic scholars must now consider the proper parameters that should govern reporters’ professional and personal use of what many view as an indispensable reporting tool.

1. Ups and Downs of SNS

SNS provide several advantages to journalists. By joining a Facebook group, reporters can connect with members of the community or experts in a particular field to generate story ideas and expand their list of available sources.[271] In instances where newsmakers decline to be interviewed or limit their public comments, posts on SNS may be the default source for providing a needed perspective. In turn, newsmakers may prefer authoring a Facebook post or tweet to dodge difficult questions and limit the filtering that is an unavoidable part of the reporting process.

Journalists, however, must be wary of potential pitfalls, such as quoting an online post that turns out to be the work of an imposter. Also, those who use Facebook and comment on news events or offer personal political views run the risk of jeopardizing their objectivity by being perceived as biased. J.D. Lasica, founder and editorial director of and a former editor at the Sacramento Bee, believes this view of journalists as “blank slates” is an outdated notion and that by participating on Facebook, reporters can help to humanize themselves and lift the veil of secrecy that surrounds the newsgathering process for much of the public.[272]

2. Spelling Out Ethical Limits

Some news organizations,[273] including the Wall Street Journal,[274] have altered their ethics policies to include rules on the use of social networking sites.[275] Such policies can include guidelines ranging from the tried-and-true reporting mandate to verify the accuracy of facts and the identity of a poster to more modern reminders like recognizing that others may misinterpret a reporter’s intention in accepting or making a “friend” request.

Jane Kirtley, director of the Silha Center and professor of media ethics and law at the University of Minnesota, offered several suggestions for maintaining sound journalistic practices while using Facebook. These include identifying Facebook in a story when used as a reporting tool and never “friending” an unnamed source. “If you’ve promised confidentiality, you shouldn’t do it, even if the friend uses a pseudonym.”[276]

3. To Tweet or Not to Tweet?

Twitter is likely to vary in its usefulness for journalists as governments and public and private entities develop policies encouraging or discouraging its use among employees. Several teams in the National Football League, including the Green Bay Packers and Miami Dolphins, have effectively barred players from tweeting over concerns players will reveal sensitive information about game plans or injuries. That attitude is not universal in the sports world. National Basketball Association player Shaquille O’Neal has more than 1.8 million followers on Twitter and cyclist Lance Armstrong tweeted throughout the 2009 Tour de France.[277]

In the United Kingdom, the government’s Department for Business Innovation & Skills compiled a 20-page report in July 2009 that urged department employees to tweet and suggested the practice be expanded to other areas of government.[278] Advantages to tweeting, according to the report, include the opportunity to put a “human voice” to a government department and build relationships with certain audiences, including journalists and bloggers.[279]

D. Sites Offer a Vehicle for Scams and Viruses

1. Twitter Used for Scams

The Better Business Bureau says that online scammers have begun using Twitter to attract people into “get-rich-quick and work-at-home schemes” similar to those that have proliferated in e-mail accounts for years.[280] The scams involve companies promising to pay Twitter users hundreds of dollars a day to tweet after they sign up for a free training kit. The result is that users can be fleeced of a large monthly payment if they do not cancel within a certain time. The bureau warns those looking for jobs to be cautious of claims that they can earn paychecks by tweeting from home and to avoid Web sites asking for money upfront for a job tweeting.[281]

The Web sites began showing up in the spring of 2009 and the Better Business Bureau had not received any consumer complaints as of July, according to Alison Southwick, a spokeswoman for the bureau. “Twitter is the cool thing, the bright, shiny object,” she said. “It’s unbelievable how widespread this is. And with so many people vulnerable and looking for jobs, a scheme like this is going to have people falling for it when they can least afford to.”[282]

2. Sites Can Attract Viruses

Authors of computer viruses have increasingly targeted social networking sites such as Facebook, MySpace and Twitter. In a July 12 story in the Washington Post, Rob Pegoraro reported that these sites serve as an attractive target because they are premised on the trust established through a network of friends or known entities.[283] This makes users more vulnerable because they are less likely to ignore a link to a random Web site when guided there by a friend as opposed to a stranger.

Some free Web sites use blacklists to block links to hazardous pages when creating the abbreviated links that often appear in short messages on social networking sites. However, Pegoraro theorized that the steady stream of updated content on a site such as Twitter may prevent even the best-maintained blacklist from properly identifying all threats. Pegoraro predicts more viruses will begin to plague these sites and, in a slight twist to an old saying, he offers this advice: “If your mother says she loves you on Facebook, check it out.”

E. Court Cases Involving Social Networking Sites

1. Twitter and Defamation

a. La Russa Drops Defamation Suit

Tony La Russa, manager of the St. Louis Cardinals, filed suit against Twitter Inc. on May 6, 2009, for trademark infringement,[284] invasion of privacy,[285] cyber squatting[286] and related claims.[287] In what was to be the first legal challenge against Twitter, La Russa claimed that his identity had been hijacked by someone else posting “tweets” on the micro blogging Web site under his name and photo. As a result, he claimed Twitter damaged his trademark rights to his famous name. La Russa has managed Major League Baseball teams for 30 years in what is likely to be a Hall of Fame career. The imposter poked fun at La Russa’s drunk driving arrest and made light of the death of a Cardinals pitcher in a car accident. “Lost 2 out of 3, but we made it out of Chicago without one drunk driving incident or dead pitcher,” one of the disputed posts read. Twitter removed the fake profile after La Russa filed suit.

La Russa dropped the lawsuit on June 26, 2009, in a terse court filing that stated Twitter made no payment to La Russa in exchange for dropping the suit.[288] The precise reason for the decision not to pursue the claims was not reported, but it is possible La Russa decided he would not win a legal challenge because Web sites are generally not liable for the postings of their users under the Communications Decency Act, 47 U.S.C. § 230.

b. Landlord Sues Ex-tenant For Defamation

A Chicago apartment leasing and managing company filed a defamation lawsuit against a former resident for a Twitter post that suggested the company condones tenants living in moldy apartments. Horizon Group Management LLC filed the suit against Amanda Bonnen on July 20, 2009, in Cook County Circuit Court in Chicago.[289] “Who said sleeping in a moldy apartment was bad for you? Horizon realty thinks it’s okay,” Bonnen posted on Twitter the morning of May 12, 2009.

The suit claims Bonnen “maliciously and wrongfully published the false and defamatory statement, thereby allowing the Tweet to be distributed throughout the world.” Horizon claims the post damaged its reputation and Bonnen is therefore automatically liable. Bonnen had a public Twitter profile at the time of the post, but only 20 registered followers. The lawsuit invited more attention to the post as “Horizon Realty” hit as high as No. 3 on Twitter’s list of trending topics after media outlets reported on the lawsuit.[290] Horizon was seeking more than $50,000 in damages.

2. MySpace Post = Publicity in MN

A Minnesota appeals court held that posting private information on a publicly accessible Web site satisfies the publicity element of an invasion of privacy claim. In Yath v. Fairview Clinics, 767 N.W.2d 34 (Minn. Ct. App. 2009), the court also upheld a Minnesota statute that permits a private cause of action for wrongful disclosure of an individual’s medical records, a decision that runs the risk of encouraging health care professionals to take a more guarded attitude toward the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. §§ 1320d-1320d-8 (2006).

The case originated when a clinic employee noticed an acquaintance visit the clinic and out of curiosity decided to look at the patient’s medical file. The employee learned the patient, who is married, wanted to be tested for a sexually transmitted disease because she had a new sexual partner. The employee, who is related to the patient’s husband, revealed the information to friends and other relatives. A page on MySpace with the title “Rotten Candy” revealing the information from the patient’s file soon appeared online, prompting the suit.

The court focused on the method used to transmit the private information—a publicly accessible Web site—rather than the number of viewers to decide the publicity element had been satisfied. The court acknowledged the likelihood that only a few friends of the clinic employee saw the page, particularly because the page was only posted for between 24 and 48 hours before it was removed. However, the court found that the number of actual viewers is irrelevant, likening the MySpace page to a newspaper with a small circulation or a radio broadcast in the middle of the night that has a small audience. The court reasoned that the publicity element is triggered “when the communication is made to the public at large, not to a large number of the public.”[291]

In the same case, the court also held that a Minnesota statute is complementary, not contradictory, to HIPAA because both laws discourage wrongfully disclosing information from a person’s health record. A HIPAA violation exposes a person to criminal penalties while Minn. Stat. § 144.335 (2008) exposes a person to compensatory damages in a civil action. The Hennepin County District Court dismissed claims under the state statute by reasoning that the state law is contrary to HIPAA and is therefore preempted by it. In reversing that decision, the appeals court noted it is possible to comply with both laws, and that the Minnesota statute creates “another disincentive to wrongfully disclose a patient’s health care record.”[292] It remains to be seen whether this ruling may have the unintended effect of causing health care professionals to err on the side of caution and be reluctant to release information not protected by HIPAA out of fear of being individually liable in a civil suit.

3. Judge Issues Facebook Gag Order

A Rhode Island family court judge enjoined a woman from posting any information on the Internet about a child custody dispute[293] she is not a party to. Kent County Family Court Judge Michael Forte issued the gag order in June 2009 to Michelle Langlois, whose brother is involved in an ongoing custody dispute with his ex-wife, Tracey Martin.[294] Forte issued the order in response to Martin filing a “domestic abuse” petition that claimed Langlois’ posts to her Facebook page served as harassment and could psychologically damage the children involved in the dispute.

The American Civil Liberties Union filed a motion to dismiss the order on behalf of Langlois, who said in defense of her postings: “I do not believe the truth was coming out in Family Court. I was simply using the internet to publicize my brother’s plight.”[295] A potential battle over Forte’s authority to issue the prior restraint on speech was averted when Forte dismissed the order after Martin voluntarily dismissed her petition.[296]

4. Liability for Hosting Third Party Content

a. Yahoo! Could Be Liable for Promising, but Failing, to Remove Content

In Barnes v. Yahoo! Inc., 565 F.3d 560 (9th Cir. 2009), amended, 570 F.3d 1096 (9th Cir. 2009), the court allowed a plaintiff to move forward on her promissory estoppel claim against Yahoo after the company failed to follow through on its promise to remove a sexually explicit Web posting. Attorneys advise that the ruling serves as a reminder that despite the wide protections afforded by the Communications Decency Act, 47 U.S.C. § 230(c)(1), there is a risk involved with hosting third-party content on the Web.[297]

The case arose when the plaintiff, Cecelia Barnes, broke up with her boyfriend and he posted nude photographs of the two of them, without her consent, on a Yahoo Web site along with some sort of invitation to engage in sex. Barnes repeatedly asked Yahoo to take down the profile and the company said it “would take care of it.” However, the profile did not disappear until Barnes filed suit in Oregon state court.

The court determined that Barnes’ promissory estoppel claim did not depend on the status of Yahoo as a “publisher or speaker.” If it did, Yahoo would have been precluded from liability under the Communications Decency Act, which generally precludes courts from treating Internet service providers as publishers. The court found that Yahoo’s contract liability came not from its actions as a publisher, but “from Yahoo’s manifest intention to be legally obligated to do something, which happens to be removal of material from publication.”[298] The court noted that a general monitoring policy, or even an attempt to help a specific person, would not be enough to expose an Internet service provider to contract liability.

b. Argentine Judge Holds Google and Yahoo! Liable for Photos on Sex Trade Web Sites

On July 29, 2009, an Argentine judge held Google and Yahoo! liable for pornographic and female escort Web sites that posted pictures of a model and actress without her consent, according to the Bureau of National Affairs Electronic Commerce Report.[299] The judge in the National Civil Court No. 75 in Buenos Aires ordered each company to pay $13,124 in damages to Virginia Da Cunha.[300] The judge ruled that the companies helped increase the damage to Da Cunha by enhancing the quality of the pictures and that without their participation, accessing the Web sites might have been extremely difficult.[301]

“Search engines are responsible due to their activities as website-access facilitators,” the judge wrote. They are “enormous tools that help amplify the spread of information and have an equal ability to amplify harm.” BNA reported that Da Cunha’s attorney, Gustavo Tanus, who has handled 120 similar cases against the two companies, said that this was the first successful ruling in Argentina. Tanus said that the actress plans to appeal the ruling because the judge granted her moral, but not economic, damages, and that she is “entitled to payment for the use of her photos.”[302]

5. MySpace Suicide Case Leads to Change in Missouri Law, Prosecution for Cyber-bullying

a. Judge Overturns Conviction

In July 2009, a federal judge in Los Angeles threw out a criminal case against a Missouri woman convicted of computer fraud stemming from a 2006 hoax on MySpace targeting a teenage girl who later committed suicide. Lori Drew, of Dardenne Prairie, Mo., was convicted on Nov. 26, 2008, of three misdemeanor counts of illegally accessing a computer. U.S. District Court Judge George H. Wu issued a direct acquittal on July 2.[303]

Thom Mrozek, a spokesman for the U.S. attorney’s office in Los Angeles, told CNN ahead of Wu issuing a written order that “Wu said in court if Drew is convicted of illegally accessing computers, the guilty verdict would set a precedent and anyone who has ever violated MySpace’s terms of service could also be found guilty of a misdemeanor.”[304] Drew had been accused of participating in a cyber-bullying scheme in Missouri against 13-year-old Megan Meier. Drew created a fictitious profile on MySpace of a young man which she used to contact, flirt with, and later reject and insult Meier, a former friend of Drew’s daughter. Meier hanged herself in her home in October 2006.

MySpace’s user agreement requires registrants to provide, among other things, factual information about themselves, and to refrain from soliciting personal information from minors and using information obtained from MySpace services to harass or harm other people.[305] Drew was originally charged with four potential felony counts of unauthorized computer access under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and prosecutors claimed that by allegedly violating the “click-to-agree contract,” Drew committed the same crime as any computer hacker. U.S. Attorney Thomas O’Brien said he filed the case in Los Angeles because that is where MySpace is based. At the time, Missouri did not have an online harassment law. Prosecutors said they would wait to review Wu’s written order before deciding whether to appeal.[306]

b. Woman Charged With Cyber-bullying Under New Missouri Law

In August 2009, a Missouri woman was charged with felony harassment for allegedly posting photos and personal information of a 17-year-old girl on the “Casual Encounters” section of Craigslist. Prosecutors say 40-year-old Elizabeth A. Thrasher posted the girl’s picture, e-mail address and photo on the Web site in a manner that made it appear the girl was seeking a sexual encounter. The girl then received lewd messages and photos from men she did not know. The alleged victim is the daughter of the girlfriend of Thrasher’s ex-husband, and Thrasher and the girl had apparently been arguing on MySpace before the post about the girl appeared on Craigslist.[307]

Thrasher, of St. Peters, Mo., in suburban St. Louis, was the first woman charged with felony harassment under the state’s updated harassment law passed in 2008 in response to the death of 13-year-old Megan Meier, who committed suicide after she was the victim of a cyber-bullying scheme.[308] The revised law eliminated the requirement that harassing communication be made “in writing or by telephone” so that now electronic communication, including online postings and text messages, can constitute harassment.[309] The crime becomes a felony when committed by someone at least 21 years old against a person 17 years old or younger. Misdemeanor cases have been filed under the law.

Thrasher was freed on $10,000 bond, but a judge prohibited her from having a computer or Internet access at home. Her attorney, Michael Kielty, likened what Thrasher was accused of doing to someone posting a telephone number on a bathroom wall, telling people to “call Jane Doe for a good time.” Kielty believed such action may be “in poor taste” or “inappropriate,” but that it does not amount to a crime.[310]

6. Teenage Girl in England Jailed for Bullying on Facebook

An 18-year-old girl who posted death threats on Facebook became the first person in Great Britain to be jailed for bullying on a social networking site when she pleaded guilty to harassment on Aug. 21, 2009.[311] Keeley Houghton, of Malvern, Worcestershire, was sentenced to three months in a juvenile offenders’ institution.

On July 12, 2009, Houghton had updated her Facebook status to say: “Keeley is going to murder the bitch. She is an actress. What a [f***ing] liberty. Emily [F***head] Moore.” Houghton had two previous convictions in connection with Moore, who is also 18 years old, dating back to 2005, for assault and damaging Moore’s property. Houghton told police that she wrote the death threats late at night while she was drunk and had no memory of doing so. However, police say Internet records show Houghton wrote the threatening message at 4 p.m. July 12 and kept it on her page for 24 hours.[312] The Daily Mail in London reported that people in Great Britain have previously been jailed for harassment and stalking on social networking sites, but that Houghton is believed to be the first to be jailed for online bullying.[313]

F. Chinese Social Networking Sites Go Offline

Web sites in China, including some SNS, periodically went offline during the spring and summer of 2009. Media reports speculated that the coincidence of so many sites going offline at the same time was the result of the Chinese government seeking to curtail the vehicles of free expression. On June 3, Sky Canaves wrote in his Wall Street Journal blog dedicated to China that Chinese users could not access the U.S.-based Web services of Twitter and Hotmail. Users of , Microsoft’s search service, and , a Chinese SNS similar to Facebook, also reported an inability to use the sites around the same time.[314]

Many of the sites that went offline posted messages on their home pages saying that the sites were down due to maintenance. The blockages may have been triggered by the government’s desire to stifle expression commemorating the 20th anniversary of the Tiananmen Square demonstrations. The periodic shutdowns continued into July when the Associated Press reported that Digu and Zuosa, two Chinese micro-blogging sites similar to Twitter, had been shut down for maintenance. A spokeswoman for Digu said, “It’s a sensitive period, so we are not in a rush to re-open it.” She added that the company recently had to remove politically sensitive material users posted to the site.[315]

Canaves wrote that it can be difficult to determine what causes certain Web sites to be inaccessible to users in China. “Government officials don’t address the blocking of specific Web sites, and when Internet companies take themselves offline, authorities can plausibly say that these are private business decisions that have nothing to do with them,” Canaves wrote. The Associated Press reported that beginning in March 2009, users could not access YouTube after a video appeared on the site allegedly showing Chinese security officials mistreating Tibetans.[316]

-----------------------

[1] Behavioral Advertising: Industry Practices and Consumers’ Expectations, Before the House Subcomm. on Communications, Technology and the Internet and House Subcomm. on Commerce, Trade and Consumer Protection, 111th Cong. (June 18, 2009) (opening statement of Rep. Rick Boucher, chair of House Internet Subcommittee).

[2] Id.

[3] The House Subcommittee on Communications, Technology and the Internet held a hearing titled, “Communications Networks and Consumer Privacy: Recent Developments,” on April 23, 2009. The same subcommittee also held a joint hearing with the House Subcommittee on Commerce, Trade and Consumer Protection titled, “Behavioral Advertising: Industry Practices and Consumers’ Expectations,” on June 18, 2009. The House Internet subcommittee held a hearing titled, “Broadband Providers and User Privacy” on July 17, 2008. In the Senate, these hearings have been held: “Privacy Implications of Online Advertising” before the S. Comm. on Commerce, Sci. & Transp., 110th Cong. (July 9, 2008) and “Broadband Providers and Consumer Privacy” before the S. Comm. on Commerce, Sci. & Transp., 110th Cong. (Sept. 25, 2008).

[4] Boucher, supra note 1.

[5] Communications Networks and Consumer Privacy, (April 23, 2009) (statement of Ben Scott, Policy Director, Free Press).

[6] Communications Networks and Consumer Privacy, (April 23, 2009) (statement of Marc Rotenberg, executive director of the Electronic Privacy Information Center).

[7] Amy Schatz, Lawmakers Blast Internet Data Collection, Wall St. J., June 19, 2009, at B3.

[8] Behavioral Advertising, (June 18, 2009) (statement of Anne Toth, Vice President for Policy and Head of Privacy at Yahoo! Inc.).

[9] Communications Networks and Consumer Privacy, (April 23, 2009) (statement of Kyle McSlarrow, President and CEO, National Cable and Telecommunications Association).

[10] Communications Networks and Consumer Privacy, (April 23, 2009) (statement of Leslie Harris, President and CEO of the Center for Democracy and Technology).

[11] Behavioral Advertising, (June 18, 2009) (statement of Chris Kelly, Chief Privacy Officer, Facebook).

[12] Behavioral Advertising, (June 18, 2009) (statement of Nicole Wong, Deputy General Counsel, Google Inc.).

[13] Communications Networks and Consumer Privacy, (April 23, 2009) (statement of Dorothy Atwood, Senior Vice President for Public Privacy and Chief Privacy Officer at AT&T Inc.)

[14] Andrew Feinberg, Congress to Reexamine Consumer Privacy on Broadband Networks, , April 23, 2009.

[15] Harris, supra note 10.

[16] FTC Staff, Self-Regulatory Principles For Online Behavioral Advertising (Feb. 12, 2009), available at os/2009/02/P085400behavadreport.pdf.

[17] FTC Staff, Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles (Dec. 20, 2007), available at os/2007/12/P859900stmt.pdf.

[18] Concurring Statement of FTC Commissioner Pamela Jones Harbour (February 2009), available at os/2009/02/P085400behavadharbour.pdf.

[19] Concurring Statement of FTC Commissioner Jon Leibowitz (February 2009), available at os/2009/02/P085400behavadleibowitz.pdf.

[20] Tresa Baldas, Everybody’s Getting on Case Against Bad Ads, The National Law Journal, Aug. 19, 2009.

[21] Valentine v. NebuAd, Inc., No. 3:08-cv-05113 (N.D. Cal. Nov. 10, 2008).

[22] Simon v. Adzilla, Inc., No. C09-00879 (N.D. Cal. Feb. 27, 2009).

[23] Baldas, supra note 20.

[24] Stephanie Clifford, Industry Tightens Its Standards for Tracking Web Surfers, N.Y. Times, July 1, 2009, at B4.

[25] “Self Regulatory Principles for Online Behavioral Advertising,” available at us/Storage/0/Shared Documents/online-ad-principles.pdf.

[26] Clifford, supra note 24.

[27] Id.

[28] Web Advertisers Propose Self-Regulation Principles, Reuters, July 2, 2009, article/internetNews/idUSTRE5610UE20090702.

[29] The four European Union directives that constitute EU consumer protection are: Council Directive 93/13/EEC on Unfair Contract Terms; Directive 1999/44/EC Sale for Consumer Goods and Associated Guarantees; Directive 97/7/EC Distance Selling; and Council Directive 85/577/EEC Doorstep Selling.

[30] Press Release, European Comm’n, Consumers: Comm’n proposes EU-wide rights for shoppers (Oct. 8, 2008) available at .

[31] European Commission, Proposal for a Directive of the European Parliament and of the Council on Consumer Rights, is available at .

[32] Press Release, supra, note 30.

[33] Press Release, United Kingdom Parliament, EU Consumer Rights Directive: getting it right (July 15, 2009) available at parliament.uk/parliamentary_committees/lords_press_notices/pn150709eub.cfm.

[34] Meglena Kuneva, European Commissioner for Consumer Affairs, Keynote Speech at European Consumer Summit, Roundtable on Online Data Collection, Targeting and Profiling (Mar. 31, 2009) (transcript available at ).

[35] Press Release, Office of Fair Trading, OFT Seeks Views Ahead of Study Into Advertising and Pricing (Aug. 19, 2009), available at .

[36] Id.

[37] Act To Prevent Predatory Marketing Practices Against Minors, Chapter 230 LD 1183 (2009), available at .

[38] Harry A. Valetk, Child Proofing Your Ads: New Maine Law Restricts Marketing to Minors, , Aug. 4, 2009, .

[39] Zusha Elinson, Google Rebounds in AdWords Lawsuits, The Recorder, Aug. 4, 2009, .

[40] Rescuecom Corp. v. Google, Inc., 562 F.3d 123 (2nd Cir. 2009).

[41] Eric Goldman, Technology & Marketing Law Blog, (Aug. 3, 2009, 15:51 EST).

[42] John Beck Amazing Profits, LLC v. Google Inc., 2:2009cv00151 (E.D. Tex. complaint filed May 14, 2009).

[43] Google Inc. v. John Beck Amazing Profits, LLC, C09 03459 (N.D. Cal. complaint filed July 27, 2009).

[44] Elinson, supra note 39.

[45] Jurin v. Google Inc., CV 09-03934 (C.D. Cal. complaint filed June 2, 2009).

[46] Ascentive, LLC v. Google, Inc., 2:09-cv-02871-JS (E.D. Pa. complaint filed June 25, 2009).

[47] Elinson, supra note 39.

[48] Guides Concerning the Use of Endorsements and Testimonials in Advertising, 73 Fed. Reg. 72374-72395 (Nov. 28, 2008), available at .

[49] Deborah Yao, Associated Press business reporter, FTC Plans to Monitor Blogs for Claims, Payments, , June 22, 2009, available at business/article_10e2022c-61d4-11de-bb81-001cc4c002e0.html.

[50] Pradnya Joshi, When a Blogger Voices Approval, a Sponsor May Be Lurking, N.Y. Times, July 13, 2009, at B1.

[51] Yao, supra note 49.

[52] Associated Press, Ben Stein Loses NY Times Column Over Endorsement, N.Y. Times, Aug. 7, 2009.

[53] Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. 63718, 63769-71 (Nov. 9, 2007) (FTC rules codified at 16 C.F.R. § 681.1).

[54] Press Release, Federal Trade Commission, FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule (July 29, 2009), available at opa/2009/07/redflag.shtm.

[55] Sylvia Hsieh, Warning: Identity theft ‘red flag’ rule enforcement delayed by FTC, The Minnesota Lawyer, May 11, 2009.

[56] Posting of David Ingram to The BLT: The Blog of LegalTimes, (July 22, 2009, 15:10 EST).

[57] Press Release, Statement of ABA President H. Thomas Wells Jr., Re: FTC Announcement Regarding “Red Flags” Rule and Lawyers, July 29, 2009, available at abanet/media/statement/statement.cfm?releaseid=731.

[58] 72 Fed. Reg. at 63742.

[59] The FTC has created a guide for entities subject to the red flags rule. “Fighting Fraud With The Red Flags Rule: A How-To Guide for Business” can be found at bcp/edu/pubs/business/idtheft/bus23.pdf.

[60] Press Release, Federal Trade Commission, FTC Announces Expanded Business Education Campaign on ‘Red Flags’ Rule (July 29, 2009), available at opa/2009/07/redflag.shtm.

[61] The National Conference of State Legislatures has compiled a list of the existing state security breach notification laws. The list and links to the laws are available at .

[62] See Personal Data Privacy and Security Act, S. 495, 110th Cong. (2007); Personal Data Privacy and Security Act, S. 1789, 109th Cong. (2005).

[63] Health Insurance Portability and Accountability Act (HIPAA)[64] 42 U.S.C. §§ 1320d-1320d-8 (2006).

[65] Press Release, U.S. Dept. of Health and Human Services, HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information (Aug. 19, 2009), available at .

[66] The final interim rule regulations are available at .

[67] Gina M. Kastel and Maureen M. Maly, HIPAA Security Breach Notification Rule Refines Key Terms, Faegre & Benson, Aug. 20, 2009, available at .

[68] Id.

[69] Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009, 74 Fed. Reg. 19,006 (April 27, 2009).

[70] Press Release, U.S. Dept. of Health and Human Services, supra note 64.

[71] Kastel and Maly, supra note 66.

[72] Id.

[73] Flores-Figueroa v. United States, 129 S.Ct. 1886 (2009).

[74] Identity Theft Penalty Enforcement Act, 18 U.S.C. § 1028A (2006).

[75] Flores-Figueroa, 129 S.Ct. at 1890.

[76] Id. at 1896.

[77] Id. at 1893.

[78] Peter R. Moyers, Butchering Statutes: The Postville Raid and the Misinterpretation of Federal Criminal Law, 32 Seattle U. L. Rev. 651, 708 (Spring 2009).

[79] David G. Savage, ID theft law limited in cases of illegal workers, Chi. Trib., May 5, 2009, at C12.

[80] Press Release, U.S. Immigration and Customs Enforcement, 652 businesses nationwide served with audit notices today (July 1, 2009), available at pi/nr/0907/090701washington.htm.

[81] H.R. 137, 111th Cong. (2009).

[82] Alessandro Acquisti and Ralph Gross, Predicting Social Security Numbers From Public Data, 106 Proceedings of the National Academy of Sciences 10975-10980 (July 7, 2009).

[83] Brian Krebs, SSNs Not All That Hard to Guess, Study Finds, Wash. Post, July 7, 2009, at A2.

[84] S. 141, 111th Cong. (2009); H.R. 122, 111th Cong. (2009).

[85] Randolph E. Schmid, What’s Your Social Security Number? Researchers Say It’s Surprisingly Easy to Figure Out, Chi. Trib., July 6, 2009.

[86] Torsten Ove, CMU Study Finds Social Security IDs Easy to Predict, Pittsburgh Post-Gazette, July 7, 2009, at A1.

[87] Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00, Massachusetts Office of Consumer Affairs and Business Regulation.

[88] Press Release, Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), Business Community Given Additional Time to Comply with Identity Theft Prevention Regulations, (November 14, 2008).

[89] Nev. Rev. Stat. § 597.790 (2008).

[90] Nevada Senate Bill 227, which Nevada Gov. Jim Gibbons signed on May 29, 2009, is available at leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf.

[91] Answers to frequently asked questions about the regulations are available at Eoca/docs/idtheft/201CMR17faqs.pdf.

[92] For an overview of state law enforcement of privacy and data protection laws, see Martha Coakley, Office of the Attorney General of Massachusetts, Privacy Protection, Safety and Security: A State Law Enforcement Perspective, 2 Communications Law in the Digital Age 2008, 121-41 (2008).

[93] Ben Worthen, New Data Privacy Laws Set For Firms, Wall St. J., Oct. 16, 2008, at B1.

[94] Vietnam Veterans of America, Inc. v. Nicholson, Settlement Agreement 43-090205-111X (D. D.C. Jan. 27, 2009) (No. 06-0506).

[95] Nicholson, Complaint No. 74-060623-002C (D. D.C. June 13, 2006).

[96] Nicholson, Order Granting Motion for Preliminary Approval of Class Action Settlement, (D. D.C. Feb. 11, 2009).

[97] Krottner v. Starbucks Corp., Complaint No. C09-0216 (W.D. Wash. Feb. 19, 2009).

[98] Starbucks sent the security breach notification letter to the Office of the Maryland Attorney General under MD. Com. Law § 14-3504(h), the state’s security breach notification law. A copy of the letter is available at .

[99] Ruiz v. Gap, Inc., Complaint No. 43-071206-006C (N.D. Cal. Nov. 13, 2007). See also Posting of Hunton & Williams LLP to Privacy and Information Security Law Blog, (Apr. 13, 2009).

[100] Ruiz, 622 F. Supp. 2d at 914.

[101] Id. at 917.

[102] Leysoto v. Mama Mia I., Inc., 255 F.R.D. 693, 699 (S.D. Fla. 2009).

[103] Leone v. Commissioner, Indiana Bureau of Motor Vehicles, 906 N.E.2d 172, 180 (Ind. App. 2009).

[104] Leone, 906 N.E.2d at 182.

[105] In re: Hannaford Bros. Co. Customer Data Security Breach, 613 F. Supp. 2d 108, 119 (D. Me. 2009).

[106] Securities and Exchange Commission v. Dorozhko, No. 08-0201-cv, 2009 U.S. App. LEXIS 16057 *6 (2nd Cir. July 22, 2009).

[107] Dorozhko, 2009 U.S. App. LEXIS 16057 *2-4.

[108] See Chiarella v. United States, 445 U.S. 222 (1980); United States v. O’Hagan, 521 U.S. 642 (1997); SEC v. Zandford, 535 U.S. 813 (2002).

[109] Dorozhko, 2009 U.S. App. LEXIS 16057 *18.

[110] Id. at *25.

[111] Associated Press, Ex-Informant Charged With Even Bigger Data Theft This Time, Chi. Trib., Aug. 18, 2009, available at .

[112] Press Release, United States Department of Justice, U.S. Attorney, District of New Jersey, Three Men Indicted for Hacking into Five Corporate Entities, including Heartland, 7-Eleven, and Hannaford, With Over 130 Million Credit and Debit Card Numbers Stolen, Aug. 17, 2009, available at .

[113] Associated Press, supra note 110.

[114] Press Release, United States Department of Justice, U.S. Attorney, District of New Jersey, supra note 111.

[115] Posting of Erik Schonfeld to TechCrunch, (July 16, 2009).

[116] Id.

[117] Al Tompkins, What TechCrunch’s Publication of Twitter Memos Means for Journalists, Poynter Online, July 17, 2009, .

[118] Posting of Michael Arrington to TechCrunch, (July 15, 2009).

[119] Twitter, Even More Open Than We Wanted, (July 15, 2009, 11:15 EST).

[120] Meera Selva, Associated Press writer, UK Court Rejects Hacker’s Bid to Avoid Extradition, July 31, 2009, available at .

[121] McKinnon v. Sec. of State for Home Affairs, (2009) EWHC 2021 (Q.B.), available at .

[122] Id.

[123] Id.

[124] United States v. McKinnon, Indictment, (E.D. Va. November Term 2002), available at .

[125] Selva, supra note 119.

[126] Nick Davies, Murdoch Papers Paid £1m to Gag Phone-Hacking Victims, The Guardian, July 8, 2009, available at .

[127] Vidya Root and Robert Hutton, Murdoch Newspapers to Be Probed Over Hacking Claims, Bloomberg News, July 9, 2009.

[128] John F. Burns, New Inquiry Not Planned on Hacking By Tabloids, N.Y. Times, July 9, 2009, at A4.

[129] Robert Hutton, James Murdoch Approved Payment to Phone Tap Victim, Bloomberg News, July 21, 2009.

[130] Zusha Elinson, Apple Drops Pursuit of Site With iPhone Hacking Tips, The Recorder, July 23, 2009, .

[131] Letter from Sadik Huseny to Fred von Lohmann, Re: Odioworks v. Apple, N.D. Cal. Case No. C 09-1818 (July 8, 2009), available at .

[132] Elinson, supra note 129.

[133] OdioWorks LLC v. Apple, Inc., Complaint, No. C 09-1818 (N.D. Cal. July 8, 2009).

[134] Unclassified Report on the President’s Surveillance Program, Rep. No. 2009-0013-AS (July 10, 2009). The 38-page report is available online at irp/eprint/psp.pdf.

[135] See 50 U.S.C. § 1811.

[136] John Yoo, Op-Ed., Why We Endorsed Warrantless Wiretaps, Wall St. J., July 26, 2009.

[137] In Re: National Security Agency Telecommunications Records Litigation, MDL No.06-1791 VRW, 2009 U.S. Dist. LEXIS 48283, at *52-53 (N.D. Cal. June 3, 2009).

[138] In Re: National Security Agency Telecommunications Records Litigation, MDL Docket No 06-1791 VRW, No C 07-2029,No C 06-5485 VRW, No C 06-5343 VRW,C 07-0464 VRW, 2009 U.S. Dist. LEXIS 62640 (N.D. Cal. July 20, 2009).

[139] Id. at *61.

[140] In Re: National Security Agency Telecommunications Records Litigation, MDL Docket No 06-1791 VRW, 2009 U.S. Dist. LEXIS 49139 (N.D. Cal. June 5, 2009).

[141] Amnesty International v. McConnell, No. 08 Civ. 6259 (S.D.N.Y. July 10, 2008).

[142] Mark Hamblett, ACLU, Government Square Off Over Warrantless Wiretaps Abroad, New York Law Journal, July 23, 2009, available at .

[143] Amnesty International v. McConnell, No. 08 Civ. 6259, 2009 U.S. Dist. LEXIS 74008 (S.D.N.Y. Aug. 20, 2009).

[144] Id. at *3.

[145] Id. at *35.

[146] A Tech Fix For Illegal Government Snooping (National Public Radio broadcast July 13, 2009). A print version of this report is available at templates/story/story.php?storyId=106479613&sc=emaf.

[147] Id.

[148] Andrea Estes and Peter Schworm, Police Prying Into Stars’ Data, Boston Globe, May 6, 2009.

[149] Posting of Peter Fleischer to Google’s European Public Policy Blog, (June 12, 2009, 12:46 EST)

[150] Press Release, Information Commissioner’s Office, Common Sense on Street View Must Prevail, Says the ICO, April 23, 2009, available at .uk/upload/documents/pressreleases/2009/google_streetview_220409_v2.pdf

[151] Id.

[152] Derek Gatopoulos, Associated Press writer, Google’s Street View Halted in Greece Over Privacy, Associated Press Financial Wire, May 13, 2009.

[153] Kevin O’Brien, A German Bid To Stop Google in Its Tracking, International Herald Tribune, May 20, 2009, at 17.

[154] Associated Press Financial Wire, Google Cedes to German Demand to Erase Data, June 17, 2009.

[155] CBC News, Google Canada Vows to Purge Faces from its Street View Data, June 17, 2009, available at .

[156] The Canadian Press, Google Street View May Be Illegal, Sept. 12, 2007, available at .

[157] CBC News, supra note 154.

[158] Associated Press Financial Wire, Thief View: Police Nab Twins Snapped on Google, June 19, 2009.

[159] Boring v. Google, Inc., 598 F. Supp. 2d 695, 699-700 (W.D. Pa. 2009).

[160] A video of Chris Paget using RFID tags to track identities is available at watch?v=9isKnDiJNPk&feature=related (last viewed on July 23, 2009).

[161] Todd Lewan, Associated Press, Chips in Official IDs Raise Privacy Fears, Wash. Post, July 12, 2009.

[162] Id.

[163] For a description of the Western Hemisphere Travel Initiative regulations, see the U.S. Dept. of State Web site at:

[164] See Enhanced Driver’s Licenses: What Are They?, U.S. Dept. of Homeland Security Web site, xtrvlsec/crossingborders/gc_1197575704846.shtm

[165] Cal. Civil Code § 1798.79 (2009)

[166] Nevada Gov. Jim Gibbons signed S.B. 125 on May 26, 2009. The bill revises Nev. Rev. Stat. § 205.461 and is available at . See also 2009 Wa. ALS 66.

[167] Pat Eaton-Robb, Associated Press reporter, ESPN Reporter Secretly Videotaped Nude in Hotel, Wash. Post, July 21, 2009.

[168] Edecio Martinez, You’re Busted! Watching Erin Andrews Naked Video is a Crime, CBS , July 21, 2009,

[169] So Now it is a Crime to Even Watch the Erin Andrews Video?, (July 21, 2009).

[170] News Flash: Watching the Erin Andrews Video is Perverted, Not Illegal, (July 22, 2009).

[171] N.Y. Penal §§ 250.55, 250.60.

[172] Andy Soltis, ESPN Erin Andrews in Peep Shocker, July 21, 2009, available at

[173] Pat Eaton-Robb, Associated Press writer, ESPN Bans NY Post Reporters Over Andrews Video, July 23, 2009.

[174] Elisabetta Povoledo, Google Executives on Trial in Italy, N.Y. Times, Feb. 3, 2009, available at .

[175] Vincent Boland and Richard Waters, Google Executives Face Milan Trial, Financial Times, June 21, 2009.

[176] Ariel David, Associated Press writer, Google Trial in Italy: Freedom v. Responsibility, Associated Press Financial Wire, June 23, 2009.

[177] Id.

[178] Id.

[179] Sam Coates, Tories May Ask Microsoft and Google to Hold NHS Records, The Times (London), July 6, 2009, at 6-7.

[180] Id.

[181] Ina Fried, Microsoft Google in Healthy Competition, CNet News, May 18, 2009, available at .

[182] David Davis, I Wouldn’t Trust Google With My Personal Info, The Times (London), July 27, 2009, at 19.

[183] Peter Fleischer, Letter to the Editor, You Can Trust Google to Protect Privacy, The Times (London), July 28, at 23.

[184] David Zahniser and Phil Willon, L.A. Weighs Plan to Replace Computer Software With Google Service, L.A. Times, July 17, 2009.

[185] Michael R. Blood, Associated Press writer, Concerns Raised as L.A. Looks at Google Apps, July 17, 2009, available at .

[186] Id.

[187] Zahniser and Willon, supra note 183.

[188] Letter from the American Civil Liberties Union, the Electronic Frontier Foundation and the Samuelson Law, Technology & Public Policy Clinic at the University of California Berkeley Law School to Eric Schmidt, Chairman and CEO of Google Inc., July 23, 2009, available at .

[189] Posting of Dan Clancy, engineering director for Google Books, to Google Public Policy Blog, (July 23, 2009, 13:35 EST).

[190] The Authors Guild, Inc. v. Google Inc., No. 05 CV 8136, 2009 U.S. Dist. LEXIS 63081 (S.D.N.Y. July 2, 2009).

[191] Gawronski v. , No. 2:09-cv-01084 (W.D. Wash. July 30, 2009).

[192] Francesca Heintz, Class Action Over Deletion of Kindle Content Accuses Amazon of Acting Like Big Brother, The American Lawyer, Aug. 3, 2009.

[193] Eric Lichtblau, Radio Host is Arrested in Threats on 3 Judges, N.Y. Times, June 25, at A16.

[194] A copy of the criminal complaint against Hal Turner is available at .

[195] Lynne Marek, No Bail for Web Talk Show Host Who Said Judges Deserve to Die, The National Law Journal, Aug. 11, 2009.

[196] Katie Nelson, Associated Press writer, Blogger Who Said Judges Deserve to Die Was Trained by FBI to Incite Others, Attorney Says, , Aug. 19, 2009.

[197] Posting of Gene Policinski, to , (June 14, 2009).

[198] Brandenburg v. Ohio, 395 U.S. 444, 447 (1969).

[199] Posting of Sam Bayard to Citizen Media Law Project, (July 9, 2009).

[200] Adam Schreck, Associated Press writer, Blackberry Maker: UAE Partner’s Update was Spyware, July 22, 2009, available at .

[201] Id.

[202] Alex Pham, Apple Bars Google Voice App From iTunes Store, L.A. Times, July 29, 2009.

[203] David Sarno, FCC Looking Into Apple’s Google Move, L.A. Times, Aug. 1, 2009, at B2.

[204] Pham, supra note 201.

[205] Jenna Wortham, Even Google is Blocked With Apps From iPhone, N.Y. Times, July 28, 2009 at B1.

[206] Pham, supra note 201.

[207] David Pogue, Is Google Voice a Threat to AT&T?, N.Y. Times, Aug. 6, 2009, .

[208] Schaefer v. General Electric Co., 2008 U.S. Dist. LEXIS 37561 (D. Conn. May 8, 2008).

[209] Douglas S. Malan, GE Suffers a Redaction Disaster, The Connecticut Law Tribune, May 28, 2008, available at .

[210] Jason Krause, Sloppy Redaction: To Err is Automated, , Aug. 7, 2009.

[211] Id.

[212] Amanda Ricker, Commission Eliminates Facebook Policy, Takes Authority Over Hiring Procedures, Bozeman Daily Chronicle, June 23, 2009.

[213] A copy of the city of Bozeman job applicant waiver statement is available at .

[214] Amanda Ricker, City Requires Facebook Passwords From Job Applicants, Bozeman Daily Chronicle, June 19, 2009.

[215] Id.

[216] Id.

[217] Jessica Mayrer, City OKs $10K for Hiring Probe, Bozeman Daily Chronicle, July 28, 2009.

[218] Jackson v. Pearl Public School District, No. 3:09 CV353-JCS (S.D. Miss. June 16, 2009). A copy of the complaint is available at pdf/Pearl%20High%20School.pdf.

[219] Julie Straw, Pearl Student Sues After Teacher Logs Into Student’s Facebook Account, WLBT-TV, July 28, 2009, available at global/story.asp?s=10806760.

[220] Brian Stewart, Student Files Lawsuit After Coach Distributed Private Facebook Content, Student Press Law Center, July 22, .

[221] Tresa Baldas, Lawyers Warn Employers Against Giving Glowing Reviews on LinkedIn, The National Law Journal, July 7, 2009, .

[222] Id.

[223] Id.

[224] Jill Riepenhoff and Todd Jones, Secrecy 101: College Athletic Departments Use Vague Law to Keep Public Records From Being Seen, Columbus Dispatch, May 31, 2009, available at .

[225] Id.

[226] 20 U.S.C. § 1232g(a)(4)(A).

[227] Id.

[228] 34 C.F.R. §§ 99.3 and 99.31(b) (2008). The entire Family Educational Rights and Privacy, Final Rule, including summaries and examples, is available at .

[229] Riepenhoff and Jones, supra note 223.

[230] Jill Riepenhoff and Todd Jones, Brown Wants Student Privacy Limits, Columbus Dispatch, June 17, 2009.

[231] Katie Thomas, Players’ Privacy Law Is Brought Into Question, N.Y. Times, June 30, 2009, at B14.

[232] Id.

[233] Nick Akerman, When Workers Steal Data to Use at New Jobs, The National Law Journal, July 7, 2009, .

[234] 18 U.S.C. § 1030(g).

[235] Akerman, supra note 232.

[236] U.S. Bioservices Corp. v. Lugo, 595 F. Supp. 2d. 1189, 1192 (D. Kan. 2009).

[237] Continental Group, Inc. v. KW Property Management, LLC, 2009 U.S. Dist. LEXIS 51733, 2009 WL 5244818 *12 (S.D. Fla. April 22, 2009).

[238] Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962, 967 (D. Ariz. 2008). See also Bridal Expo, Inc. v. van Florestein, 2009 U.S. Dist. LEXIS 7388, 2009 WL 255862, at *9-11 (S.D. Tex. Feb. 3, 2009); Condux Int’l, Inc. v. Haugum, 2008 U.S. Dist. LEXIS 100949, 2008 WL 5244818, at *4-6 (D. Minn. Dec. 15, 2008); Black & Decker, Inc. v. Smith, 568 F. Supp. 2d 929, 933-36 (W.D. Tenn. 2008); Diamond Power Int’l, Inc. v. Davidson, 540 F. Supp. 2d 1322, 1341-43 (N.D. Ga. 2007); Brett Senior & Assocs., P.C. v. Fitzgerald, 2007 U.S. Dist. LEXIS 50833, 2007 WL 2043377, at *3-4 (E.D. Pa. July 13, 2007); Lockheed Martin Corp. v. Speed, 2006 U.S. Dist. LEXIS 53108, 2006 WL 2683058, at *4-7 (M.D. Fla. Aug. 1, 2006).

[239] Continental Group at 2009 WL 5244818 *12. (citing Hewlett-Packard Co. v. Byd:Sign Inc., 2007 WL 275476 (E.D. Tex. Jan. 25, 2007)).

[240] Akerman, supra note 232. The cases Akerman cites as support for Citrin are: U.S. v. Phillips, 477 F.3d 215, 221 n. 5 (5th Cir. 2007); P.C. Yonkers Inc. v. Celebrations The Party and Season Superstore LLC, 428 F.3d 504, 510 (3rd Cir. 2005); and EF Cultural Travel B.V. v. Explorica Inc., 274 F.3d 577 (1st Cir. 2001).

[241] Continental Group at 2009 WL 5244818 *12.

[242] Pietrylo v. Hillstone Restaurant Group, Jury Verdict Form, 2009 WL 1867659 (D. N.J. June 16, 2009).

[243] Pietrylo v. Hillstone Restaurant Group, No. 06-5754 (FSH), 2008 WL 6085437 (D. N.J. July 25, 2008).

[244] Id. at *4.

[245] Hugh R. Morley, Password-Protected Comments Off Limits to Boss, Jury Rules, The Record (Hackensack, N.J.), June 26, 2009, available at philly/business/technology/062609_password_protected.html.

[246] Pietrylo, *7.

[247] Quon v. Arch Wireless, 529 F.3d 892, 897-98 (9th Cir. 2008).

[248] Quon, 529 F.3d at 898.

[249] Stored Communications Act, 18 U.S.C. § 2702(b)(1),(3).

[250] Quon, 529 F.3d at 905-06.

[251] Sidell v. Structured Settlement Investments, LP, No. 08CV00710, 2008 WL 2582358 (D. Conn. May 8, 2008).

[252] Sidell v. Structured Settlement Investments, 2009 U.S. Dist. LEXIS 2244 (D. Conn. Jan. 14, 2009).

[253] A.B. 4069, 213th Leg., 2d Sess. (N.J. 2009); S.B. 2926, 213th Leg., 2d Sess. (N.J. 2009).

[254] Charles Toutant, N.J. Legislation Would Decriminalize ‘Sexting’ by Teens, New Jersey Law Journal, July 23, 2009, available at .

[255] Id.

[256] Associated Press, Passaic Teen to Undergo Counseling for Posting Nude Pictures on MySpace, June 23, 2009, available at .

[257] A.B. 4068, 213th Leg., 2d Sess. (N.J. 2009); S.B. 2923, 213th Leg., 2d Sess. (N.J. 2009).

[258] A.B. 4070, 213th Leg., 2d Sess. (N.J. 2009); S.B. 2925, 213th Leg., 2d Sess. (N.J. 2009).

[259] Article 29 Data Protection Working Party, Opinion 5/2009 on Online Social Networking, adopted June 12, 2009, available at .

[260] Council Directive 95/46/EC, 1995 O.J. (L 281), available at .

[261] , EU Privacy Regulators Eye Online Social Networks, June 25, 2009, available at .

[262] Bobbie Johnson, Facebook is Hiring Lobbyists to Target Europe’s Politicians, The Guardian, June 27, 2009, at 8.

[263] International Working Group on Data Protection in Telecommunications, Report and Guidance on Privacy in Social Network Services, a.k.a. “Rome Memorandum,” March 4, 2008, available at .

[264] Adopted at the 30th International Conference of Data Protection and Privacy Commissioners in Strasbourg, Oct. 17, 2008, available at .

[265] European Network and Information Security Agency, Security Issues and Recommendations for Online Social Networks, October 2007, available at .

[266] Press Release, Citizens’ Privacy Must Become Priority in Digital Age, Says EU Commissioner Reding, April 14, 2009, available at .

[267] Elizabeth Denham, Assistant Privacy Commissioner of Canada, Report of Findings Into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic, July 16, 2009, available at .

[268] Gillian Shaw, Canadian Commissioner ‘Hopeful’ Facebook Will Close Privacy Gaps, Vancouver Sun, July 16, 2009.

[269] Sarah Schmidt, Facebook Must Satisfy Canada’s Privacy Commissioner by Monday, Ottawa Citizen, Aug. 16, 2009.

[270] Susan Delacourt, Canada Tells Facebook It Must Better Protect Users’ Privacy, Waterloo Region Record, July 17, 2009, at A1.

[271] Adam Nagourney, If Presidency Is Goal, Palin Has Chosen a Risky Route, N.Y. Times, July 5, 2009, at A14; See also Palin Avoids Press But Speaks Through Twitter, Facebook, The Virginian-Pilot, July 7, 2009, at A4.

[272] Leah Betancourt, The Journalist’s Guide to Facebook, Mashable: The Social Media Guide, Aug. 3, 2009,

[273] Id.

[274] The social networking policy of the Associated Press is available through Editor & Publisher, .

[275] Policies for Employees of the News Departments of The Wall Street Journal, Newswires and MarketWatch, available on the American Society of News Editors Web site at .

[276] Pamela J. Podger, The Limits of Control, American Journalism Review, Aug./Sept. 2009, available at .

[277] Betancourt, supra note 271.

[278] Judy Battista, The N.F.L. Has Identified the Enemy and it is Twitter, N.Y. Times, Aug. 3, 2009, at B13.

[279] BBC News, Government Advice Urges Tweeting, July 27, 2009, available at .

[280] Neil Williams, Department for Business, Innovation and Skills, Template Twitter Strategy for Government Departments, July 21, 2009, available at .

[281] Tiffany Hsu, Twitter Becoming a Tool for Scams, Bureau Says, Chi. Trib., July 7, 2009.

[282] Id.

[283] Id.

[284] Rob Pegoraro, Social Networks May Provide a Chattering Class for Viruses, Wash. Post, July 12, 2009.

[285] Lanham Act, 15 U.S.C. § 1144.

[286] California Civil Code, § 3344.

[287] Anticybersquatting Consumer Protection Act, 15 U.S.C.A. § 1125(d).

[288] La Russa v. Twitter Inc., Complaint, No. CGC-09-488101 (May 6, 2009), filed in California Superior Court in San Francisco County.

[289] La Russa v. Twitter Inc., Notice of Dismissal of Complaint With Prejudice, CV-09—2503-EMC, (N.D. Cal. June 26, 2009).

[290] Horizon Group Mgmt., LLC v. Bonnen, 2009 L008675 (Cook County Superior Court July 20, 2009).

[291] Ben Meyerson and Andrew Wang, Tweet Lawsuit: Chicago Landlord Sues Ex-Tenant Over Tweet Complaining About Apartment, Chi. Trib., July 29, 2009.

[292] Yath v. Fairview Clinics, 767 N.W.2d 34, 44 (Minn. Ct. App. June 23, 2009).

[293] Id. at 50.

[294] Martin v. Bouthillier, No. K20010449 (Kent County Family Court).

[295] Posting of Eric Hoffman to Newsroom Law Blog, (July 28, 2009).

[296] Id.

[297] Posting of Eric Hoffman to Newsroom Law Blog, (July 30, 2009).

[298] Paul Watler and Jeremy Brown, Companies Hosting Third-Party Content Beware: Promises Can Get You in Trouble, Jackson Walker Media E-Alert, June 12, 2009, available at .

[299] Barnes v. Yahoo! Inc., 565 F.3d 560, 572 (9th Cir. 2009).

[300] David Haskel, Argentine Judge Holds Google, Yahoo! Liable for Posting of Third Party Content, BNA Electronic & Commerce Law Report, Aug. 5, 2009.

[301] Da Cunha v. Yahoo de Argentina, Juzg. N., No. 99620/2006, July 29, 2009.

[302] Haskel, supra note 299.

[303] Id.

[304] Alexandra Zavis, MySpace Conviction in Doubt, L.A. Times, July 3, 2009, at A3.

[305] , Conviction in MySpace Suicide Case Tentatively Overturned, July 2, 2009, .

[306] Posting of Kim Zetter to Threat Level, (July 2, 2009, 18:30 EST).

[307] Zavis, supra note 303.

[308] Betsy Taylor, Associated Press writer, Woman Charged With Harassment Over Suggestive Post, Wash. Post, Aug. 18, 2009.

[309] Id.

[310] Mo. Rev. Stat. §§ 565.090, 565.225 (2008).

[311] Taylor, supra note 307.

[312] Helen Carter, Teenage Girl is First to be Jailed for Bullying on Facebook, The Guardian, Aug. 21, 2009.

[313] Id.

[314] Luke Salkeld, Facebook Bully Jailed: Death Threat Girl, 18, is First Person Put Behind Bars for Vicious Internet Campaign, The Daily Mail, Aug. 21, 2009.

[315] Sky Canaves, Closed for Business: More Chinese Web Sites, China Journal, Wall Street Journal Blogs, June 3, 2009, .

[316] Alexa Olesen, Associated Press writer, Chinese Web Sites Close Amid Tightening Controls, July 21, 2009, available at .

[317] Id.
