This is a paper one of our attorneys wrote in 2010, and a lot of it still holds true today. The information is dated, but it shows where we were 15 years ago; a lot has changed since then, and the concerns addressed herein have only gotten worse.
Introduction:
Businesses, the government, our banks, utility companies and an ever-increasing number of other sources collect information on their customers from purchases, business records and an unimaginable number of other sources. Personal data is generally any information available about a person, but normally includes a person’s name, e-mail address and social security number. Catherine Dwyer, Behavioral Targeting: A Case Study of Consumer Tracking on Levis.com, (2009), available at, http://www.ftc.gov/os/comments/privacyroundtable/544506-00046.pdf. Data is generally broken down into two types of information: personally identifiable information (PII) and non-personally identifying information (Non-PII). Id. Non-PII generally includes a person’s “age, gender, ethnicity, what sites [they] visit, and what pages [they] view.” Id. The only real difference between the two types of information collected is that, with Non-PII, no identifiable information, such as a person’s name, that will tie back to a specific person is supposed to be collected. However, when Non-PII is collected, identifiable data still exists, most obviously in the form of a person’s Internet Protocol (IP) address. See Office Depot v. Zuccarini, 2010 WL 669263 (2010 9th Circuit) (Discussing how IP addresses are uniquely identifiable to any computer connected to the Internet). Although not necessarily public knowledge, a person’s IP address is traceable back to an Internet access account, then to the person’s Internet Service Provider (ISP) and finally to a computer connected to the Internet. Id. The knowledge of who is behind an IP address presents further issues when a person accesses the Internet through a cellular-enabled device[1]. Other issues still can exist, as exemplified in an older Gmail account verification process where Google required a user to provide a cellular telephone number with “text messaging” capabilities to create a new Gmail account[2].
Furthermore, the collection of seemingly innocuous “password verification tests” presents the possibility of even more security breaches[3].
The government, utility companies, websites and almost all businesses collect personal data. People provide information for a variety of reasons: sometimes relinquishing personal data is a requirement for a service, and in other instances people volunteer their information, especially in online forums. An example of this occurs when people want a telephone or a loan, or when people post information on social networking websites on the Internet.
Personal information such as your social security number is a requirement for a cell phone, electricity services, a home telephone, credit cards and loans. Although no person is required to provide a social security number, it is often required before a person can purchase a service or obtain credit. Along with a person’s social security number, companies collect a slew of other information for a variety of business reasons. Companies use some of this information to verify credit worthiness. However, collecting information also ensures the company can contact its customers and provide services, and it enables market research. When providing a service or a loan, to avoid damaging losses, companies verify the credit worthiness of their potential customers. Social security numbers are the primary means of verification, telling the potential lender the likelihood the customer will repay the loan or pay for services. Data collected to provide services is also very important to many companies. Without collecting valid address and other customer location information, companies would be unable to set up utility services, ensure product delivery or even maintain contact for future business transactions. Without collecting personal information, companies would be unable to bill for services and would have trouble contacting their customers. Market research is a very important tool for companies, and much of the information collected helps companies figure out what products are selling, which sales campaigns are effective, and what types of customers are buying their products. Companies that collect detailed personal information are able to conduct market research and may significantly reduce their marketing costs, enabling them to offer tailored solutions to their customers while decreasing costs. Finally, many Internet users currently submit their personal information through various websites, specifically Facebook, MySpace and Twitter.
Robert Richards, Symposium: Cyberspeech: Article: Sex, Lies and the Internet: Balancing First Amendment Interests, Reputational Harm, and Privacy in the age of Blogs and Social Networking Sites, 8 First Amend. L. Rev. 176, 178 (2009). By using these websites, users post a variety of “user-generated content” in a format that offers little or no privacy, allowing anyone to view their content while creating issues of “reputation, privacy, and… physical safety”. Richards, Symposium: Cyberspeech: Article: Sex, Lies and the Internet: Balancing First Amendment Interests, Reputational Harm, and Privacy in the age of Blogs and Social Networking Sites, 8 First Amend. L. Rev., at 179.
Due to increasing concerns of privacy and data collection, Congress has enacted a series of statutes that protect a variety of these sources. These statutes are not sweeping reforms, and Congress narrowly tailored these protections to meet specific objectives and address limited challenges they deemed important enough to restrict data collection while balancing privacy. Therefore, these reactionary legislative policies left the average person’s privacy with little or no statutory protection.
Why should you be concerned about your privacy? The average citizen faces two core threats. The first concern stems from other companies purchasing your information and selling this to a third party who in turn looks at it and makes decisions about you as a person from this limited set of information. The second concern is that the government will do the same.
A hypothetical situation exemplifies what happens when companies retrieve information on their customers. Most of us have nothing to hide, but imagine that a friend of yours is sick. Being the good friend, after that person tells you what is wrong with him, you look up that person’s illness online. Now, you are in a job interview, and the company purchases your web searches through illegal channels, or has access to them from their own internal databases. Maybe they purchase other information about you, or even go to your Facebook and look up your postings.[4] Whether you get this job may hinge on what information they discover. Currently, many employers circumvent the costs associated with background checks and immediately look online for publicly available information on a candidate[5]. See Clark, Employers look at Facebook too, June 20, 2006. Viewing information users post on Facebook has also resulted in criminal convictions. See, Eric Tucker, Facebook used as Character Evidence, Lands Some in Jail, USA Today, July 16, 2008, archived, available at http://www.usatoday.com/tech/webguide/internetlife/2008-07-19-facebook-trials_N.htm. (Discussing how courts used photos a person posted on Facebook to amend a prison sentence because photos showed that defendant was not “remorseful”). Others have fared better, and have been acquitted of crimes because of their posting information on Facebook. See Vanessa Juarez, Facebook Status Provides Alibi, CNN, November 13, 2009, archived, available at http://www.cnn.com/2009/CRIME/11/12/facebook.alibi/index.html.
The government collects data through a variety of sources, including collecting information through websites and a massive monitoring initiative through the NSA[6]. This information is available in a variety of formats, and potential issues exist concerning the misuse of this information. An extreme example is a gardener who uses the Internet to research and purchase early growing supplies to start his plants indoors before planting his garden in the spring. Government agents, pursuant to the war on drugs, might look for people purchasing tools to aid in growing marijuana or other drugs. Therefore, government agents searching for people who have looked for this type of information may investigate the hypothetical gardener. In short, the reason for concern is that third parties eavesdrop on this personal information in a vacuum. They only see an audit trail of where you have been and what you have purchased. They do not understand your logic, thoughts or methodology. Third parties record specific results and draw conclusions based on a very limited amount of information, opening the door for embarrassment, wrongful convictions, improper hiring practices, credit abuse and more.
Recent viruses allow child pornographers to take over random computers and store child pornography on their hard drives. Larry Magid, Child Porn Virus: Threat or Bad Defense?, CBS News, Nov. 11, 2009, available at, http://www.cbsnews.com/stories/2009/11/11/scitech/pcanswer/main5610506.shtml. Computers infected by these viruses download copious volumes of child pornography onto an unsuspecting person’s computer. Id. Law enforcement then views search results for child pornography, and investigates the person owning the infected computer, and in several cases, these people received charges of possessing child pornography. Id. Although many have proven their innocence, these arrests are enough to cause financial ruin, destroy their career, and cause these victims to lose their friends. Id.
Part I: Personal Information and Privacy:
Who collects information and how is it collected:
The collection of personal data creates four issues. First, companies that collect personal data found that market research is valuable for other businesses, and other companies are willing to pay premium prices for a company’s information. See Direct Media Millard, Customer List Management, 2010 available at, http://www.dmminfo.com/Monetize-Customer-Base/Consumer.aspx. Additionally, these companies will sell information lists for a price to other entities. For example, anyone can purchase a list of 30,000,000 people that maintain a healthy lifestyle from Direct Media Millard. Id., available at, http://datacards.dmminfo.com/market?page=research/search_results. Direct Media Millard defines “healthy” people as those who “purchase merchandise, read, travel and vacation”. Id. Direct Media Millard generates the lists automatically by “combining direct response and purchasing data” and sells them for $65.00 per thousand people selected. Id., available at, http://datacards.dmminfo.com/market?page=research/datacard&id=183128. Additionally, companies like Direct Media Millard also actively solicit new records and look for ways to market other customers to the existing customers of other companies. Therefore, when one company collects information on its customers, it often will sell it to interested parties for the purposes of market research. Unfortunately, there are few limitations on who can sell this information. Therefore, these companies frequently sell this private data to other parties.
Second, computer crime and security of personal data is a continuing problem for companies that collect this information. Private company records containing a wealth of personal information are frequently hacked by domestic and international criminals from both inside and outside these companies. Cybercriminals target personal information because thieves easily sell this stolen information and quickly profit by stealing the customer’s identity and committing other crimes.
Third, the federal government continues to catalog, request and store personal data in a variety of databases. Finally, the companies and the government data mine this information. Data mining is a mechanical process where computer programs summarize the results of large volumes of data. However, data analysis is a powerful tool that easily leads to erroneous results, especially when used improperly.
Part II: Overview of federal protections and personal privacy:
The Fourth Amendment:
The Fourth Amendment provides powerful protection for a person’s home and ensures protection from “unreasonable government intrusion”. Payton v. New York, 445 U.S. 573, 589-90 (1980). The Fourth Amendment protects “people not places”. Katz, 389 U.S. at 511. However, what a person “knowingly exposes to the public” is not subject to Fourth Amendment protection. Id. Additionally, the Fourth Amendment protection extends to where a person has a reasonable expectation of privacy. Id. at 516. For a reasonable expectation of privacy to occur, a person must exhibit a subjective expectation of privacy and this expectation must be “one that society is prepared to recognize.” Id. (Harlan, J., concurring). When a person exposes “objects, activities, or statements… to the ‘plain view’ of outsiders”, there is no protection because the person has not exhibited an intention to keep them to themselves. Katz, 389 U.S. at 511 (Harlan, J., concurring). Therefore, a person’s data and other personal information, as long as society has the requisite expectation of privacy, is covered and protected under the Fourth Amendment. However, the average expectation of privacy surrounding information submitted on the Internet is non-existent. See Tyler v. Berodt, 877 F.2d 705, 706-707, (8th Cir, 1990) (Cert. denied, holding that interception by police and private citizens of cordless telephone conversations was proper because no expectation of privacy existed in information where speaker was aware “that their conversation was being transmitted by cordless telephone”). Similar to a cordless telephone, conversations transmitted by a wireless router are also public broadcasts in which the transmitter retains no expectation of privacy. Additionally, when users provide information to businesses, they usually authorize the company to disclose that information to third parties and for data collection.
Finally, when users post information on websites (Facebook, MySpace and other social networking websites), they have no expectation of privacy, because when people post their private information, they are intentionally broadcasting this information to anyone on the website.
Federal government data collection and privacy:
There is little privacy legislation concerning the federal government, and “no overall U.S. privacy law”. Arnulf Gubitz, Note: The U.S. Aviation and Transportation Security Act of 2001 in Conflict with the E.U. Data Protection Laws: How Much Access to Airline Passenger Data Does the United States Need to Combat Terrorism?, 39 New Eng. L. Rev. 431, 447 (2005). There are two core statutes that relate to privacy and consumer data collection: the Privacy Act and the Freedom of Information Act (FOIA). Id. The Privacy Act essentially protects individuals from disclosure of personal data, collected by the government and housed within government databases. Doe v. Chao, 540 U.S. 614, 618 (2004). The point of the Privacy Act, though, is to protect individuals from government disclosure of collected information. Id. at 618-619. However, the Act merely provides people with access to the information the government collects and provides a civil remedy if the government breaches the Privacy Act requirements. Id.
In addition to the Privacy Act, Congress enacted several other protections for personal privacy, most notably, the Freedom of Information Act (“FOIA”) and the Electronic Communications Protections Act (“ECPA”). Valerie Kraml, Note: Symbol of Freedom: ATSA and International Efforts to Increase Security, 32 Hastings Int’l & Comp. L. Rev. 731, 743 (2009). Additionally, most of the privacy protections are limited in scope to protect the individual’s privacy from government intrusion. Id. Unfortunately, these protections are largely reactionary, and limited to serve the specific needs created by unique privacy threats. Id. An example of Congress’s reactionary approach is the Gramm-Leach-Bliley Act, which deals with protecting banking records. Pub.L. 106-102, 113 Stat. 1338 (1999). Another example is the Health Insurance Portability and Accountability Act (“HIPAA”). Pub.L. 104-191, 110 Stat. 1936 (1996).
Theft of personal information:
Identity theft is a monumental issue confronting this country, and is increasing in costs, crime and scope. In 2008, 285 million business records were compromised, exceeding all of the data theft that occurred from 2004 through 2007. Verizon Business RISK Team, 2009 Data Breach Investigations Report, Verizon Business, 2009. This indicates that there is a substantial and increasing problem for data theft within the US. Five different types of threats exist that enabled this data theft. Id. at 15. These data theft methods, as ranked by prevalence in 2008, are hacking, malware, misuse, deceit and physical[7]. Id. Data theft is a lucrative business, and even though the price of a single customer’s record has decreased from $10 – $16 a record in 2007 to less than $.50, the overall value of the records stolen in 2008 was $142.5 million. Id. at 5. However, of the three main types of breaches (internal[8], external[9] or partner[10]), breaches originating within the company are clearly the most lucrative, as the mean average is over 100,000 records per breach internally and only 37,000 per external and 27,000 for a partner breach. Id. at 11. Cyber crime and data theft are not only increasing, but the “industry” is becoming more lucrative as intrusion methods become more sophisticated. This increase in theft is creating more problems and whittling away at the foundation of individual privacy.
In addition to identity theft and credit card fraud, national security concerns are very prevalent; these thieves are not necessarily just individuals who are motivated by making a quick illegal dollar. In 2007, the Congressional Research Service (CRS) noted that several terrorist organizations funded some of their “events… through online credit card fraud.” John Rollins, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, Congressional Research Service, 1/22/2007, CRS-2, available at http://www.fas.org/sgp/crs/terror/RL33123.pdf. Additionally, the CRS found that there is a blurring between “crime, terrorism and war” when looking at the details of a computer network attack. Id. The CRS first notes that the Internet is the primary recruiting tool for insurgents in Iraq. Id. at CRS-3. Additionally, the CRS found that most businesses are lax in maintaining security protocols[11]. Id. at CRS-6.
Electronic Interception:
Data interception occurs when a third party that is “not the intended recipient” of the communication collects data in transit. 18 U.S.C.A. § 2511. The core statutes that protect electronic data interception are the Electronic Communications Protection Act (ECPA) and the Wiretap Acts. The ECPA prohibits “any person” from intercepting, using or disseminating personal information that falls within its broad definitions of “wire, oral or electronic communications”. See generally 18 U.S.C.A. § 2511. Prior to the ECPA, the sole protection from governmental interception of personal information was the Federal Wiretap Act. Id. However, the Wiretap Act generally focused on Fourth Amendment protections, and did not have the general consumer protections of the ECPA. Id. Courts generally agree the ECPA only prevents the interception of information while two parties are transmitting it, but does not protect it in a stored state. Bailey v. Bailey, No. 07-11672, 2008 WL 324156, at *4 (E.D. Mich. Feb. 6, 2008, discussing details about multiple circuit holdings and how the ECPA applies only to intercepted communications and not stored information). The Wiretap Act’s purpose is generally to prohibit the intentional, knowing and purposeful dissemination of the contents of an intercepted communication. However, there are substantial limits on the types of interceptions protected. For example, eavesdropping or monitoring of cordless telephone conversations is not an infringement on privacy. Tyler, 877 F.2d at 706. The Federal Wiretap Act and the ECPA do not protect electronic communications stored in electronic format. Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457, 458 (5th Circuit, 1994). Additionally, the Games court noted that access to stored electronic communications held in storage for less than 180 days requires a warrant; however, access to communications in storage longer than 180 days merely requires a subpoena or court order. Id. at n.463.
The core modern legislation for the collection and security of electronic data is the Electronic Communications Protection Act (ECPA). The ECPA amended the Wiretap Act and extended its protections to “oral and wire communications”. In Re Pharmatek, Inc. 329 F.3d, 9, 18 (1st Circuit, 2003). The ECPA is broad, and encompasses almost all types of electronic communications, specifically a person’s “name, date of birth, and medical condition.” Id. The ECPA provides a general prohibition on intercepting electronic communications, but includes a variety of statutory exceptions, including consent. Id. The most important portion of the ECPA for this discussion is that a party can give consent to allow another company to disseminate their information. Furthermore, the Supreme Court expressly prohibits the interception or electronic monitoring of telephone calls by the government without a warrant. See Katz v. U.S., 389 U.S. 347 at 357.
Stored Communication Privacy:
The Stored Communications Act (SCA) prevents companies which provide electronic communication storage from disclosing the contents of “a communication while in electronic storage.” 18 U.S.C. § 2702(a)(1) (2002). This act protects any communications that are in electronic storage, and their subsequent dissemination to “certain entities and/or individuals”. Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 2008 (9th Cir. rehearing en banc denied, quoting 72 Geo. Wash. L. Rev. 1208, 1209-13 (2004)). The SCA provides civil penalties for disclosing information obtained from the contents of electronic communications by service providers. 18 U.S.C. § 2702(a)(1). However, Quon exemplifies some of the SCA’s shortcomings, specifically that the statute does not define what is a service provider and what constitutes disclosure to a third party. Alyssa DaCunha, Casenote and Comment: TXTS R Safe 4 2 Day: Quon v. Arch Wireless and the Fourth Amendment Applied to Text Messages, 17 Geo. Mason L. Rev. 295, 297 (Fall 2009). Additionally, the SCA allows either the recipient of the message or the sender to consent, nullifying its provisions. Therefore, the SCA has little effect on the broad scope of personal privacy concerning data storage. Id.
Self-Governed Privacy:
The privacy protections offered by the federal government do not fully protect the average consumer. However, a hodgepodge of the aforementioned privacy statutes and general contract law create some limited privacy protections. Therefore, most companies collecting information generally only face liability for violations of their published privacy policies. Many companies violate their privacy policies by collecting more information than they admit to, reselling the information, or by providing facially illegal privacy policies.
However, most privacy policy drafters have wide latitude with what they can disclose and disseminate. An example of this is the popular social networking site, Facebook. Facebook’s privacy policy has recently been the subject of litigation. Brad Stone, Privacy Group Files Complaint on Facebook Changes, The New York Times, December 17, 2009, archived, available at, http://bits.blogs.nytimes.com/2009/12/17/privacy-group-files-complaint-on-facebook-privacy-changes/. Generally, Facebook allows users to choose whether information is publicly available, and claims not to collect PII or to sell this information to third parties. Facebook, Facebook’s Privacy Policy, December 9, 2009, available at http://www.facebook.com/?ref=logo#!/policy.php?ref=pf. However, Facebook says that other companies may access the PII Facebook collects and disclose or sell that information to any other party. Id. This renders Facebook’s privacy policy essentially irrelevant. Third parties providing applications on Facebook collect this user information and then disseminate and sell this data to other parties, or offer “lead generating” ads. Doug Gross, The Facebook Games that Millions Love (and Hate), CNN, February 23, 2010, available at, http://www.cnn.com/2010/TECH/02/23/facebook.games/index.html. General security settings for users create many risks. For example, in January 2010, Facebook added a new feature that allows people to import friends via their e-mail addresses. Ryan Singel, Marketers can mine your Facebook info, (2010) available at, http://www.cnn.com/2010/TECH/01/06/wired.facebook.marketers/index.html?iref=allsearch. The issue is that anyone can upload any e-mail addresses, and then Facebook allows for downloads of this information. Id. Therefore, anyone can upload anyone else’s e-mail address and download their profile information, and will have a full-fledged “marketing profile” of the user. Id.
People exploiting privacy issues within the site are not the only threat associated with posting your information online; many users voluntarily consent to allowing other companies to store, catalog and sell their personal information. Applications such as “Farmville” and “Mafia Wars” provide users with interactive games where they compete against their “friends” who are on the website. Gross, The Facebook Games that Millions Love (and Hate), CNN. One such example of a third party application is Electronic Arts, which generally states, “we will never share your personal information with third parties”. Electronic Arts Privacy Policy, 11/16/2009, available at, http://www.ea.com/1/privacy-policy. However, Electronic Arts applies their privacy policy to PII, and not to non-PII. Id. The collection of non-personal information includes zip code, gender, Media Access Control (MAC) address, mobile device and that device’s ID, IP address and other information. Id. The issue with this type of data collection is that even though a name is not collected, a MAC address[12], IP address[13] and mobile device IDs[14] are unique identifiers, traceable to a specific device or computer.
Another example of market research data collection occurs when people present a “membership card” at the grocery store or drug store. Every time a customer presents this card to make a purchase, the store keeps a record of all of the purchases, for the purpose of “respond[ing] to your request.” See CVS Privacy Policy, available at, http://www.cvs.com/CVSApp/help/privacy_policy.jsp. Again, stores use this information for marketing purposes; however, what happens to their data? An example is CVS Caremark, and their collection of information of purchases and prescriptions. Although HIPAA covers prescription information, this information is still stored in databases that are accessed by employees of CVS and potentially accessible through security breaches and the government. CVS vows never to disclose PII; however, there are many disclaimers, including if CVS is sold, and then PII “may be transferred or shared with third parties as part of that transaction or negotiation”. Id.
Finally, companies collect information about where you go online, what you do while online, and even what is in your e-mail messages. Much of this information is collected through web beacons. Web beacons, web bugs and pixel tags are a “collection of techniques” used to collect information from website visitors “without their knowledge”. Carlos Jensen, Chandan Sarkar, Christian Jensen & Colin Potts, Tracking Website Data-Collection and Privacy Practices with the iWatch Web Crawler, at 37, 2007, available at http://eecs.oregonstate.edu/research/hci/publications/privacy2007.pdf. Web beacons often are small images, normally a “1×1 pixel transparent gif” image that is essentially invisible to a user. Jensen, et al., Tracking Website Data-Collection and Privacy Practices with the iWatch Web Crawler at 37. Web beacons are similar to cookies, in that they collect PII and other information, but they are discreet and can log much more information. Id. These web beacons, which are present on each Yahoo mail message, track a large amount of information, including potential PII. Yahoo, Web Beacons, available at, http://info.yahoo.com/privacy/us/yahoo/webbeacons/. In Yahoo’s case, these beacons attach to all e-mails and record who sends the message, who receives it, the contents, and when it is read and deleted. Id.
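The invisible-image technique described above can be checked for on the receiving side. The following Python example is added here and is not part of the original paper: it flags remote images in an HTML e-mail body that are 1×1 or hidden, and lists the host and query parameter names each one would report to. The sample message, its host names and the function name find_beacons are constructed for illustration.

```python
"""Flag likely web beacons (tracking pixels) in an HTML e-mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Inline styles that make an image invisible to the reader.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Pixel widths/heights in an inline style (skips max-width, percentages, em).
_STYLE_DIM = re.compile(
    r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*(?:px)?(?![\d.%\w])", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value, re.I)
    return bool(m) and int(m.group(1)) <= 1


class _BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        url = urlsplit(a.get("src", "").strip())
        if not url.netloc:
            return  # embedded images (cid:, data:) contact no remote server
        style = a.get("style", "")
        dims = {n.lower(): int(v) for n, v in _STYLE_DIM.findall(style)}
        w_tiny = _tiny(a.get("width")) or dims.get("width", 2) <= 1
        h_tiny = _tiny(a.get("height")) or dims.get("height", 2) <= 1
        reasons = []
        if w_tiny and h_tiny:
            reasons.append("1x1-or-smaller")
        if _HIDDEN_STYLE.search(style) or "hidden" in a:
            reasons.append("hidden")
        if reasons:
            self.findings.append({
                "host": url.hostname,
                "path": url.path,
                # Parameter names only: the values are the identifiers.
                "params": [k for k, _ in
                           parse_qsl(url.query, keep_blank_values=True)],
                "reasons": reasons,
            })


def find_beacons(html_body):
    """Return one finding per remote image that is invisible to the reader."""
    finder = _BeaconFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings


# Constructed sample message: one ordinary logo, two beacons, one inline image.
SAMPLE_HTML = """
<html><body>
<p>Your order has shipped.</p>
<img src="https://cdn.shop.example/logo.png" width="180" height="60" alt="Shop">
<img src="https://t.mailer.example/o.gif?uid=8f3a1c&amp;msg=20100301-17"
     width="1" height="1" alt="">
<img src="https://metrics.example/px?rcpt=alice%40example.org"
     style="width:1px;height:1px;display:none">
<img src="cid:signature001" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_HTML):
        print(f["host"], f["path"], f["params"], f["reasons"])
```

Mail clients that block remote images by default prevent these requests from being made at all; a check like this one shows which messages would have reported a read event and to whom.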
Part III: Why collect data?
The first reason is market research. Companies collect information on their customer base to fulfill customer requests, understand product sales and trends and for many other business-related reasons. However, an abundance of issues exists surrounding the collection of information for market research. The first issue is what these companies do with this information. For example, CVS, despite its regulations, has relationships with third party partners. CVS shares information with these organizations; however, CVS provides this disclaimer:
“You are under no obligation to provide your information to these partners of CVS.com. You may choose not to share your information with such partners by not using that service or viewing that content.”
CVS, Privacy Policy, 2010, available at http://www.cvs.com/CVSApp/help/privacy_policy.jsp#thirdPartyPartners.
The CVS policy is an example of how many companies’ privacy policies work. The company agrees to protect a user’s privacy; however, based on the policy, a visitor to the site provides affirmative consent to the “collection and use” of information disclosed to the company. CVS, Privacy Policy, 2010. Instead of controlling the information itself, the privacy policy simply warns users that other parties can collect the user’s information and use it. These policies leave it up to the user to decide whether they will share their information. The problem continues through the cryptic contents of the privacy policy, that the user may simply choose not to “share [their] information with such partners by not using that service or viewing that content”. Id. However, within the website, CVS declines to identify which content might be related to third parties, nor does it point out to users that they are volunteering their information to other parties. Under the federal privacy guidelines, this policy and procedure is clearly legal because users make a conscious choice to “share” their information by agreeing to the CVS privacy policy. Id. When navigating this website, there is no indication if you are viewing content that would subject your personal information to sharing to a third party. See generally, CVS Website, www.cvs.com, 2010.
Voluntary disclosure:
Many of the privacy protections the federal government offers consumers have an inherent flaw that the carefully drafted privacy policy easily exploits – user consent. See Facebook, Facebook’s privacy policy, 12/9/2009, available at http://www.facebook.com/policy.php. Facebook’s privacy policy is typical of such websites, and other policies, including MySpace’s, are very similar. See MySpace, Privacy Policy, 2/28/2008, available at http://www.myspace.com/index.cfm?fuseaction=misc.privacy. The key element in these policies is that users consent to the collection of PII for both sites when using the core site. Id. The federal privacy statutes are either narrowly tailored to reach specific goals, or generally leave it up to the consumer to decide via contract whether a company can disclose their information or not. This is especially problematic with recent trends in the Internet and its use generally. Websites, especially user-submitted or “social networking” websites, allow users to post a slew of personal information. This content ranges from photos of users to authoring stories and posting comments. Generally, free speech extends to most content posted on a website by its users; however, legal issues such as copyright infringement, defamation, harassment and other violations have the potential to create liabilities for website owners. See Fair Housing Council of San Fernando Valley v. Roommates.com, 521 F.3d 1157, 1162 (2008, 9th Circuit). Under the Communications Decency Act (“CDA”), protections extend as long as the owner is not an “information content provider”. Id. (Quoting 47 U.S.C. § 230(c)). However, website owners may be content providers and service providers, and despite this immunity, may still be liable for some of the content posted on their site. Id. at 1162-63. However, if a web provider polices their content, they may still be subject to liability regardless of whether the immunity under the CDA applies. Id. at 1163.
In these instances, it is imperative for a website owner to record as much information as they can to defer potential liability to the true poster if liability were to attach.
However, in another example, website owners allowing users to upload content that could be illegal or violate copyrights need to record information to protect themselves. Protections for online service providers exist in the form of the “good samaritan” (sic) provision of the Communications Decency Act (CDA) of 1996 that treats online content providers as facilitators instead of as the “publisher or speaker”. Fair Housing Council of San Fernando, 521 F.3d at 1179 (Quoting 47 U.S.C. §230(c)). The CDA allows service providers to police their online content without being liable as the author of illegal speech. Id. The same holds true for instances of defamation. See Universal Comm. Sys., Inc. v. Lycos, Inc. 478 F.3d 413, 419 (1st Circuit, 2007). However, in instances where a company is both an information and service provider, liability may attach, and proving that the content is user-submitted is key to a company’s defense. Fair Housing Council of San Fernando Valley, 521 F.3d at 1162.
Part IV: Accessing the Data and Data Use:
Internal Access:
Entities that gather data from customers store the information in databases such as mainframes, SQL Servers[15], DB2 Data warehouses[16] and a variety of other sources. Additionally, software and programs such as SAS[17], SPSS[18] and others allow for simple reporting – or making sense of the information contained in these databases. These databases normally consist of massive amounts of information. See IMS Health Inc. v. Ayotte, 550 F.3d 42, 46 (1st Cir. 2008). Therefore, finding one record out of a database containing millions of records is a monumental task. Even distilling the information to mere patterns is quite difficult[19]. However, there are many commercial applications designed specifically for this task, and the computer science industry regularly creates new methods of accessing and “mining” this data, and of attempting to preserve privacy within it. See E. Magkos, M. Maragoudakis, V. Chrissikopoulos, S. Gritzalis, Accurate and Large-Scale Privacy-Preserving Data Mining Using the Election Paradigm, Data & Knowledge Engineering, Vol. 68, (2009) pp 1224 – 36.
Many companies simply generate reports with this type of information. For example, if company A wants to find out the age of everyone who purchased product X, they just need to write a simple program, usually in Structured Query Language (SQL), and this will return the information the programmer requests. Another example is the mining and collection of prescription and physician information for non-profit use. IMS Health Inc., 550 F.3d at 45-46. However, issues arise, specifically with the commercial nature of the use of information, even if collected with the purpose of preserving privacy. See Id. The commercial nature exists, as in IMS Health, where there is the distinct possibility of “exploitation” by companies in the industry. Id.
Companies are developing increasingly sophisticated procedures for the collection and aggregation of consumer information, and the amount of information stored by these companies is increasing exponentially as the cost of data storage plummets. Patricia Bellia, Symposium: Surveillance: The Memory Gap in Surveillance Law, 75 U. Chi. L. Rev. 137, 143 (Winter 2008). Companies use data mining to identify novel patterns in collected data. Tal Zarsky, “Mine Your Own Business!”: Making the Case for the Implications of the Data Mining of Personal Information in the Forum of Public Opinion, 5 Yale J. L. & Tech. 4 (2002/2003). When performing data mining, the most important element is discovering “answers to questions [you] didn’t know to ask”. Id. Companies use data mining in two core methods, “clustering” and “association rules”. Id at 7-9. Clustering is the process of dividing the data into several “homogenous sub-groups” that include people that have similar, targeted traits to others in the database. Id at 7. Association rules are parameters that reveal “patterns of variables that typically associate with each other.” Id at 8. By using these two types of data mining, companies are able to draw conclusions based on one set of observed data by a specific person, and conclude, “with probability”, additional, follow-up behavior. Id. A prime issue concerning this type of data mining is seen in several banks adjusting the interest rates of their customers, simply because they shop at “low credit stores”. Bob Sullivan, What Will Talking Power Meters Say About You? This is the “guilt by association” model, and it is prevalent within the data mining industry. Id. In short, regardless of what information you retrieve, data mining categorizes people into groups they clearly may not belong in; thus the potential for exploitation is real.
For many consumers, many of the resulting issues created by data mining are minor inconveniences with SPAM, junk mail and the occasional telemarketer calling. Other examples include companies providing targeted advertisements based upon past behavior or search results. However, this type of data mining operates at a very high level, and ignores most of the detail contained within the data warehouse. Most scholars analyze data mining at a high level; however, an impressive and extensive amount of detail on individual people exists in private and public databases, and many organizations give access to anyone, as long as they demonstrate some form of need to access the information.
The author worked for a major telecommunications provider as a data analyst and wrote this type of software. Normally these programs found problems with customer accounts, discovered metrics relating to customer service or customers, and this information proved invaluable for forecasting and revenue studies. However, the databases the telephone company housed contained a vast amount of detail on each one of their customers. The detail included customers’ credit scores, social security numbers, credit cards and bank account information, up to nine addresses including past addresses, physical addresses, addresses of family members and much more. Additionally, these databases provided full local and long distance records, complete bill payment history, and other services[20]. The systems the author worked with only dealt with wireline (landline) telephone services, but the company also had wireless services. The wireless services provided more information, including records of the cell tower, or the location where the telephone call originated, and the location of where the call terminated. An example is in Verizon’s Field Force Manager, which allows a manager to monitor, in real time, “where workers are now, where they’ve been, even how fast they are driving”[21]. Verizon Wireless, Field Force Manager, 2010, archived, available at http://b2b.vzw.com/productsservices/customapplications/fieldforcemanager.html. What is important about this is that it shows what kind of information telephone companies collect on their customers. This product shows that Verizon can, and does, collect information about the use and location of their cellular handsets.
Companies that collect data control who has access and how a person accesses this information. Although somewhat bounded by their privacy policies, employees working on databases may have little to no privacy training, may be entry-level workers, and most will have no training in privacy law matters. As a trainer for a telephone company, the author saw this firsthand. The author normally trained front-line call center representatives on the different data warehouses. The company had three methods of accessing the data. The company stored data in a DB2 warehouse and Oracle database. The author taught classes showing anyone how to use SQL[22] to retrieve any amount of information from the entire billing and customer information databases. The access to information was staggering, and with a 3-day class, the author trained people from every type of position within the company to be able to retrieve any information housed within these vast databases.
Telephone company records are only a small source of information. Other companies house similar records. Banks contain much more “sensitive” information than mere billing records, which GLBA protects, but again the protections are minimal and force banks to comply with a series of provisions to protect against identity theft. Pub.L. 106-102, 113 Stat. 1338 (1999). A major problem exists for the theft or misuse of personal information stored by these companies, as internal data breaches account for 20% of all data theft. Verizon, 2009 Data Breach Investigations Report, supra at 9. Although internal breaches account for only 20% of data thefts, the median number of records stolen per breach is a staggering 100,000 records, compared with 37,487 for external breaches and 27,000 for when partner companies breach these datasets. Id at 11.
Another issue with the collection of information within a company is the usage of National Security Letters (“NSLs”). NSLs seek “customer and consumer transaction information in national security investigations from communications providers, financial institutions and credit agencies”. Charles Doyle, National security letters in foreign intelligence investigations: legal background and recent amendments, Congressional Research Service, September 1, 2009. The FBI and NSA use NSLs to request information without a judicial subpoena. Stephen Dycus, Arthur Berney, William Banks, Peter Raven-Hansen, National Security Law, Wolters Kluwer, Austin, 2007, at 559. The government frequently uses NSLs, and statistics from 2006 demonstrate the government used NSLs on “more than 11,500 U.S. citizens and resident aliens”. Terry Frieden, Report: FBI Abuse of Investigative Tool Continued in 2006, CNN, March 13, 2008, archived, available at, http://www.cnn.com/2008/POLITICS/03/13/fbi.nsl/index.html?iref=allsearch. Additionally, the FBI admitted to abusing the process, including lacking proper authorization, making improper requests, and “unauthorized collection of telephone or Internet e-mail records”. Id. Although the NSL process received criticism and its legality came into question, legislative changes allowed this method of data collection to remain legal. See Doe v. Gonzales, 449 F.3d 415, 420-21 (2nd Cir. 2006) (Holding that NSLs are valid, as long as the former secrecy requirements are lifted, and the entity receiving the NSL can disclose their identity). The core issue with NSLs, and government collection of private records, is what level of information is collected. When the government issues an NSL, the recipient voluntarily discloses the requested private information to the requesting authority.
The level of granularity existing in private databases, and the evident incompetence of companies responding to NSLs, create a large margin of error, and therefore a potential likelihood of categorizing and collecting information on people brought into the data collection erroneously.
External Access:
Not all information catalogued by users is accessible internally. At least 74% of data breaches originate from external sources. Verizon, 2009 Data Breach Investigations Report, at 9. However, not all external methods of accessing data are per se illegal. The most obvious external source of accessing data is hacking. This is clearly illegal, and conflicts with the CFAA, § 1030(a)(5), “the primary tool to investigate and prosecute hacking crimes.” Decker, Cyber Crime 2.0: An Argument to Update the United States Criminal Code to Reflect the Changing Nature of Cyber Crime, 81 S. Cal. L.Rev. 959, 980-81 (2008). The term “hackers” used to apply to “computer geeks” who would steal music or disrupt websites. However, now major governments have begun to engage in this form of cyber-warfare. Recently, the Chinese government hacked into Google’s databases, specifically, into Google users’ Gmail accounts. Bruce Schneier, U.S. enables Chinese Hacking of Google, January 23, 2010, available at http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html?iref=allsearch. Evidently, external sources are not only targeting Google; China’s hacking efforts have also targeted, with success, the Pentagon and NASA. Raj Aggarwal, Business Strategies for Multinational Intellectual Property Protection, Thunderbird International Business Journal, forthcoming, 2010.
External hacking of private databases is not limited only to government entities. Hackers access databases to procure private information, such as social security numbers, to commit identity theft. This is a sizable problem, and according to the FTC, in 2005, there were 8.3 million victims of identity theft. Federal Trade Commission, Security in Numbers; SSNs and ID Theft, December 2008, accessible at http://www.ftc.gov/os/2008/12/P075414ssnreport.pdf. Although lucrative, identity theft is not the only illegal reason for external security breaches. External attacks target databases with information enabling competition to catch up on R&D, steal trade secrets, or otherwise infringe IP. See Raj Aggarwal, Business Strategies for Multinational Intellectual Property Protection. Private companies are not the only victims; even NASA, from April 2005 through December 2005, experienced several external data breaches accounting for the transfer of “at least 20 gigabytes of information”. Epstein, Keith, “The taking of NASA’s Secrets”, Business Week December 1, 2006. Furthermore, the government left NASA’s network security in the hands of private companies; Boeing and Lockheed Martin managed the violated network. Id.
Another alarming trend is the emergence of companies that allow cellular telephone spying. Many companies allow a user to receive constant notifications, eavesdrop on telephone calls and completely invade another person’s privacy. See Joris Evers, Spy Program Snoops on Cell Phones, CNET News, March 30, 2006, archived, available at http://news.cnet.com/Spy-program-snoops-on-cell-phones/2100-1029_3-6055760.html. These programs run without the knowledge of the phone’s owner, and the software is installed via text messaging and other seemingly innocuous means. Id. Whenever the cell phone receives a phone call, the software automatically records or dials a third-party telephone where someone can listen to the entirety of the conversation. Id. Another program goes a step further, and actually gives you the GPS location of the cell phone the software is installed on. Mobile Spy, Welcome to Mobile Spy, 2010, archived, available at http://www.mobile-spy.com. Other providers do not even require that you directly install the software; you can “force beam” the software to a phone left lying around. ParentalSoftware.org, Monitoring your Teen’s Cell Phone, available at, http://www.parentalsoftware.org/cellphone-spy.html. This software is obviously targeted towards parents, but again, the possibility of abuse is clearly evident. Finally, the vendor Cell Spy Pro allows users to view and eavesdrop on laptops, cell phones and Bluetooth devices. Cell Spy Pro, Home Page, available at http://www.cellspypro.com. This software is force-downloaded remotely, meaning you do not have to possess the phone the software is installing on. Cell Spy Pro, Home Page. Unlike the other programs, this one clearly leaves the biggest room for abuse of privacy. These companies provide carefully crafted legal disclaimers that keep the company legally compliant, even though these companies designed and marketed these products to abuse privacy.
The disclaimers warn that the use of the software on a phone not owned by a customer is illegal. Mobile Spy, Policies Mobile Spy, 2010, archived, available at http://www.mobile-spy.com/legal.html. However, the site clearly markets the software for illegal purposes. See generally, Mobile Spy, Welcome to Mobile Spy. This type of software creates potent privacy challenges, and serves very few legal and useful purposes.
Part V: Government Data Collection Procedures and Techniques:
One of the core issues with personal privacy protections is how much and what type of information the government collects about citizens. Issues for citizens range from telephone monitoring and recording to satellite surveillance[23] to potential abuses of FISA[24]. In the post-9/11 world, the government collects data in various forms, with many tools that obliterate personal privacy rights.
After the World Trade Center attacks, the NSA began gathering data in a series of databases for data mining US citizens’ information. See Leslie Cauley, NSA Has Massive Database of Americans’ Phone Calls: 3 Telecoms Help Government Collect Billions of Domestic Records, USA Today, May 11, 2006, at A1. After this information became public, the Senate denied the original NSA program, Total Information Awareness (“TIA”). Daniel Solove, Symposium: Surveillance: Data Mining and the Security-Liberty Debate, 75 U. Chi. L. Rev. 343, 343, (Winter 2008). The NSA continued to collect information on citizens, under programs named, “Basketball, Genoa II, and Topsail”. Daniel Solove, Symposium: Surveillance: Data Mining and the Security-Liberty Debate at 75. These databases house a “massive amount of telephone customer records”, and the database is the largest in the world. Id at 345. The purpose is to “assemble a massive database consisting of financial, educational, health, and other information on US citizens, which would later be analyzed to single out people matching a terrorist profile.” Id at 343. This data collection is just one example of the records the government collects. These collection efforts detect patterns and trends, but another goal of these collections is to be able to trace trends down to specific individuals. Id at 345. Therefore, the potential exists for individuals to get lost in the mix, and there are risks for all individuals. However, the chances of wrongful identification and violations of people’s 4th Amendment rights must balance with threats to national security. Id.
Another area of monitoring is through cellular telephones. State and federal governments monitor cell phones to pinpoint persons conducting illegal business, and other issues. A traditional eavesdropping technology, known as a pen register, records the numbers dialed from a telephone line subscriber’s location. See Smith v. Maryland, 442 U.S. 735, 737 (1979). The Supreme Court has held that there is no expectation of privacy for the contents of pen registers. Id at 745. Cellular phones present a challenge, but law enforcement generally works with the telephone company to locate cellular phones after obtaining a warrant. However, a new device, called a “triggerfish”, allows the government to independently, and without a warrant, pinpoint and monitor all cellular phones within a specific area. Andrew Ungberg, Note: Protecting Privacy Through a Responsible Decryption Policy, 22 Harv. J. Law & Tec 537, 550-51 (Spring, 2009). The triggerfish program is an interesting development, because it allows law enforcement to, of their own accord, trap all cell phone conversations within a given area. Andrew Ungberg, Note: Protecting Privacy Through a Responsible Decryption Policy, 550 – 551. Triggerfish is not the only monitoring program; another is a sniffer called “Carnivore” that gathers the routing and content information of e-mails. Id at 551. Warrants are not required because these surveillance systems are likened to pen registers, because they intercept the mechanical processes and not the contents of a communication. See Smith, 442 U.S. at 737. However, the issue with these devices is that they trap all communications within an area, and erroneous and accidental monitoring of unintended persons will occur.
Part VI: National Security Concerns:
Cybercrime is increasing exponentially because of two core factors: more people have access to technology and the Internet, and private companies house ever-increasing amounts of information in outdated and insecure environments[25]. For example, in 2008, there were 54,640 attacks against the Department of Defense, and in the first half of 2009, there were 43,785 attacks, a trend that if it continued throughout 2009 would represent a 60% increase over 2008. Sarmad Ali, Washington Group Tests Security in ‘Cyber ShockWave’, The Wall Street Journal, 2/16/2010, available at http://blogs.wsj.com/digits/2010/02/16/washington-group-tests-security-in-cyber-shockwave/tab/article. Attacks occur on private corporations, and hackers exploit these databases on a regular basis. These private databases contain information on most of the people in this country, and arguably, these companies have access to far fewer security tools than the government. In 2008, hackers exploited private databases with a method called SQL Injection. Verizon, 2009 Data Breach Investigations Report, at 17. According to Microsoft, and at least on Microsoft’s SQL Server database platform, SQL Injection is completely preventable with updated source code and proper database security techniques. See, Microsoft, MSDN: Microsoft Patterns and Practices, 2010, available at http://msdn.microsoft.com/en-us/library/ms998271.aspx. However, despite proper practices and software engineering, a massive amount of data theft occurred in 2008 because companies are not following these practices. Hacking is not the only method of exploitation, and although in 2008 internal breaches were minimal, they represented the largest amount of data stolen per breach. Verizon, 2009 Data Breach Investigations Report, at 11 (2009).
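The following is an added illustration, not part of the original paper and not taken from Microsoft's guidance: it shows why "updated source code" (a parameterized query) and a database-side restriction on a sensitive column each blunt SQL injection. It uses Python's built-in sqlite3 in place of SQL Server, and the table, column names, customer rows and crafted input are all constructed for the example.

```python
import sqlite3

# Constructed sample data: fake customers with the kind of sensitive columns
# the paper says such databases hold. Table and column names are assumptions.
SAMPLE_CUSTOMERS = [
    (1, "Alice Example", "000-00-0001", 712),
    (2, "Bob Example", "000-00-0002", 655),
    (3, "Carol Example", "000-00-0003", 790),
]

# Constructed tautology input of the kind a name-search form might receive.
CRAFTED_INPUT = "x' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "ssn TEXT NOT NULL, credit_score INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Weak form: the input is pasted into the SQL text, so a quote character
    in the input changes the structure of the statement itself."""
    sql = (
        "SELECT id, name, ssn FROM customers WHERE name = '"
        + name
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Corrected form: the statement is fixed and the input is bound as a
    value, so it can only ever be compared against the name column."""
    sql = "SELECT id, name, ssn FROM customers WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


def restrict_ssn(conn):
    """Database-side control, standing in for column permissions on a server
    database: every read of customers.ssn on this connection yields NULL."""

    def authorizer(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_READ and arg1 == "customers" and arg2 == "ssn":
            return sqlite3.SQLITE_IGNORE  # column value is replaced with NULL
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def summarize():
    """Run the same crafted input through each variant and report the result."""
    plain = make_db()
    guarded = make_db()
    restrict_ssn(guarded)
    return {
        "concatenated_rows": len(lookup_concatenated(plain, CRAFTED_INPUT)),
        "parameterized_rows": len(lookup_parameterized(plain, CRAFTED_INPUT)),
        "guarded_ssns": [row[2] for row in lookup_concatenated(guarded, CRAFTED_INPUT)],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, "=", value)
```

The concatenated query hands back every customer row for the crafted input, the parameterized query hands back none, and on the restricted connection even the weak query cannot read the SSN column.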
A huge concern exists with the amount of information housed and with the detail and contents of this personal information, and theft occurs because companies are not following security practices. Microsoft, MSDN: Microsoft Patterns and Practices. The amount of detailed personal information available is exemplified by commercially available, tailored mailing lists containing names, addresses and other information about a specific person. See generally, Direct Media Millard, Direct Media Millard, an Infogroup company, 2010. The DMM database is just an example of what is available, and massive amounts of customer data exist for sale through a plethora of sources. Id. Even if a terrorist organization cannot purchase this information, it is clear that they can hack into the database of a company that possesses private data. Furthermore, if a terrorist wanted to blackmail or even find a person in a key position, there are many resources available to them. Hacking into private databases is just one method, but there are other websites available where anyone can purchase details about anyone they want to. See, Docusearch.com, Statewide bankruptcy filings by name $29.00, 2010, available at http://www.docusearch.com/find.html (Offering searches of recent bankruptcy filings by first and last name, if you pay $29.00). Another resource is the federal court’s PACER system, which provides access to anyone, as long as that person is willing to pay the $0.08 per page charges. PACER, Administrative of the U.S. Courts PACER service center, 2010, available at http://pacer.psc.uscourts.gov. Additionally, there are many methods for blackmail, and many frauds originating from Nigeria demonstrate how easy it is to blackmail a person.
See IdentityTheft.org, Specific Scam Warnings, 2010, available at, http://www.idtheftcenter.org/artman2/publish/s_specific/Specific_Scam_Warnings_printer.shtml, (Discussing a variety of online scams where people are blackmailed or kidnapped and held for ransom from multiple sources throughout the globe). The weapon of fear usually supersedes reason, and may coerce a person with a position of key importance to do the bidding of an evil entity, especially if the evil entity asks only a small, insignificant task. Simply put, a terrorist organization could easily blackmail many people into performing small, seemingly innocuous acts, but with the involvement of all of these victims, the terrorist organization may achieve their goals. Other methods besides paying for research exist, and mining publicly available information could be used to an evildoer’s benefit. A recent study at MIT used a complex algorithm to retrieve information on a person’s friends, and this software was able to predict who is homosexual based upon information available on a person’s Facebook pages. See Carolyn Johnson, Project ‘Gaydar’, Boston Globe, 9/20/2009, available at http://www.boston.com/bostonglobe/ideas/articles/2009/09/20/project_gaydar_an_mit_experiment_raises_new_questions_about_online_privacy. Again, another potent option for blackmail exists simply by running a program on a variety of people’s Facebook profiles. With a policy of don’t ask, don’t tell[26], a homosexual in the US military may find himself on the wrong end of a terrorist attack simply because a person threatens to “out” him. Still other online trends, where users post all of their personal details, could prove more fruitful for those wishing to commit crime against the US. A new website, Blippy.com, allows users to post all of their purchases online for the public to see.
John Sutter, Blippy Tells the World What You Buy, CNN, January 21, 2010, archived, available at http://www.cnn.com/2010/TECH/01/21/blippy.philip.kaplan/index.html.
Infiltrating a position of “trust” takes a lot of time, and recently the government brought the exploitation of someone within a position of trust into pseudo-reality. In a recent war-games demonstration by the US Government, a cyber-attack took down the nation’s telecom infrastructure, then with assistance, IEDs[27] crippled the US’s power grid. CNN.Com, CNN Presents: We Were Warned, Cyber Shockwave, 2010, available at http://transcripts.cnn.com/TRANSCRIPTS/1002/20/se.01.html. With evidence that foreign entities hacked secured military databases, including the Pentagon and NASA, it is evident that they can access private company databases[28]. Using this data in a terrorist plot to attack the U.S., these people would know whom to strike and may be able to find whom they can blackmail into cooperation. Furthermore, this recent US government exercise illustrated two core issues with modern cyber warfare: first, there is little ability to combat a widespread attack, and second, ethical and international law issues exist if the government acts against a cyber terrorist. Jamie Gorelick, Deputy Attorney General 1994 – 1999, illustrated the second point during the Cyber Shockwave war-games exercise by saying:
“We have authorities in place to do what’s called renditions[29]. We have done them in the past. There would be some constraints, with regard to where you could take him and what you could do with him when you’ve got him. But we do have authorities to do renditions. And I’m sure that John’s[30] people are up to it.”
CNN Presents: We Were Warned, Cyber Shockwave, 2010. National security issues with computers can arise from anywhere, posing unique and difficult responsive problems for the government, and in this exercise, Michael Chertoff, the Former U.S. Secretary of Homeland Security said,
“The fact is this is going to take us in and out of our borders. The servers may be in Russia, the actual originator may be in Sudan or may be next door here somewhere in suburban Virginia. So we are going to have to find a way to assemble all the tools in the tool kit.”
CNN Presents: We Were Warned, Cyber Shockwave, 2010. The Cyber Shockwave simulation escalated, and left the panel of advisors without many solutions or abilities to determine if this was an act of war, and this demonstrated we were unable to stop the spread of the virus, or to restore our vital communications and electronic networks. Id. In short, the virus crippled the infrastructure of the U.S. and our policymakers had no solutions.
Future concerns that may increase these risks derive from exploration of “smart grid” technology. In the Cyber Shockwave simulation, terrorists needed IEDs to disable the power grid, but when the grids are connected and part of the Internet this type of attack could be much simpler, allowing someone to just hack into a network. Id. The smart grid movement has power companies looking to interconnect the power network with the telecommunications network. Smart grids allow the power company to remotely monitor what devices in a home consume power. Bob Sullivan, What Will Talking Power Meters Say About You?, MSNBC, October 9, 2009, archived. Smart grids are new technology, and may save the power companies vast amounts of power, but they pose unique threats to privacy and national security. Bob Sullivan notes that a car insurance agent might want to know that a person usually comes home around the time the bars close on Friday and Saturday nights. Id. This is something most people would not want their insurer to know, but even worse, what if you coincidentally leave work each night at that time? From a national security standpoint, this increases the amount of information the government monitors. This information is likely useful from a counter-terrorism standpoint, but innocent Americans will be the most likely collection targets.
Part VII: Conclusion:
In conclusion, the US lacks any real, centralized data collection and privacy protection for its citizens. Congress is in a defensive posture when considering privacy legislation, and addresses serious issues and threats only as they arise. Data collection occurs in many forms, and businesses and the government actively collect vast amounts of business records, phone calls, and other personally identifiable information on all of us. Businesses house this information in databases that are prone to hacking, and are frequently hacked. The government is frequently a victim of hacking, and this information easily may wind up in the hands of enemies of the US. When this information is stored in databases, data miners can use simple software to distill information down to individual people, categorize them, and sort through them. The issue is that the government and other businesses look over this information in a vacuum. Decisions are made about the people in this country on a daily basis without ever meeting them, with judgments based on a series of potentially inaccurate data entries, or on mere association with others deemed “undesirable”.
In the end, legislation must balance national security interests with personal freedom. However, as long as the government allows it and people in general submit their personal information to companies, who in turn collect and store this information in unsecure databases, this country is at risk from a new kind of terrorism, the cyber attack that could cripple its infrastructure. Data theft is a real risk, as domestic and foreign thieves steal hundreds of millions of records each year. To protect against this, Congress needs to enact legislation that protects personal privacy, forces businesses to store data in encrypted or other protected formats, and either focuses the federal government’s data collection activities overseas or forces them to follow the formal warrant requirements.
[1] When a person uses a cellular-based device to access the web, such as a smart phone or cellular card, an Electronic Serial Number (ESN) is attached to each device that connects, and this is a unique identifier for all cellular devices. U.S. v. Fletcher, 635 F.Supp.2d 1253, 1256 (2009 W.D. Okla) (Holding that insufficiency of wiretap evidence did not warrant suppression of the evidence).
[2] Google requires some members to provide a telephone number either for voice confirmation or for SMS (text message) confirmation prior to establishing a new e-mail address with their Gmail e-mail service. See generally, Google, Account Verification via SMS or Voice Call, 2010, archived, available at, http://mail.google.com/support/bin/answer.py?hl=en&answer=114129.
[3] An example of this is a password challenge selection that included asking for a frequent flyer number and library card number when establishing an e-mail account with Google. Therefore, a person breaching the security of one of these services would be able to potentially trace someone’s information back to a cell phone number, library card or frequent flyer card to establish a true identification. See Google Gmail new account signup procedures, 2010, available at http://www.google.com/newaccounts/.
[4] Many employers look at whatever information is available to them, and many users of online social networks, such as Facebook, fail to restrict their profiles, thus enabling almost anyone to view all of the information they post online. Amy Clark, Employers look at Facebook, too, June 20, 2006, available at http://www.cbsnews.com/stories/2006/06/20/eveningnews/main1734920.shtml.
[5] A hiring manager at Fleishman Hilliard disclosed that HR personnel normally look immediately to see what information is available online about a prospective candidate before moving on to interviews.
[6] A recent example of this came to light when China exploited a government-mandated backdoor in Google’s Gmail service, allowing China to download a significant amount of records. Bruce Schneier, “U.S. Enables Chinese Hacking of Google”, (2009) available at http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html. Additionally, the NSA and other government organizations use several programs to collect general information. Leslie Cauley, NSA has massive database of Americans’ Phone Calls, 2006, available at http://www.usatoday.com/news/washington/2006-05-10-nsa_x.htm.
[7] Physical breaches are breaches that occur by someone accessing the machines that personally store the information a thief steals. Id.
[8] Internal breaches are breaches that originate by “human assets” from “within the organization”. Id at 8.
[9] External breaches originate from outside the organization and include, “hackers, organized crime groups, and government entities”. Id.
[10] Partners are business partners and include any “third party sharing a business relationship with the organization”, basically where some level of “trust and privilege” exists between the organization and third party. Id.
[11] The CRS found that of the 236,000 PCs used in 251 selected businesses, only 9% were upgraded to appropriate security levels, in this case it was a package released by Microsoft called SP2. Id.
[12] A MAC address pinpoints a specific computer and is unique to a single device; however, cyber criminals have found ways to clone these addresses. See U.S. v. Schuster, 467 F.3d 614, 618 (2007 7th Circuit).
[13] IP Addresses are uniquely assigned to every computer connected to the Internet. See Office Depot v. Zuccarini, 2010 WL 669263 (2010 9th Circuit).
[14] Mobile device IDs, often called Electronic Serial Numbers (ESNs), are unique and will identify a specific cellular-enabled device. This includes cell phones, and the ID will be linkable to a physical account or telephone number.
[15] SQL Server is a Microsoft Product that allows users to create, store, manage and manipulate data. Microsoft, SQL Server 2008, 2010, available at, http://www.microsoft.com/everybodysbusiness/en/us/products/sql-server-2008.aspx?CR_CC=100193181&WT.srch=1&WT.mc_id=Search&CR_SCC=100193181.
[16] DB2 is an IBM product that enables users to write SQL procedures that retrieve any information a company has. IBM, IBM DB2 Software, 2010, available at, http://www-01.ibm.com/software/data/db2/.
[17] SAS is a data warehousing program that allows for complete statistical analysis of large amounts of data. SAS, SAS Home Page, 2010, available at http://www.sas.com/.
[18] SPSS is a statistical software package allowing for data mining and the creation of predictive analysis. SPSS, SPSS Home Page, 2010, available at http://www.sas.com/.
[19] There is a lot of concern about the trustworthiness of databases, especially when they are used to create profiles and obtain information about the average citizen. A minority of the Supreme Court noted this in Herring v. U.S. See Herring v. U.S., 129 S. Ct. 695, 709 (2009) (Justice Stevens Dissenting).
[20] For example, many customers purchased satellite TV service, roadside assistance, pre-paid calling cards for family members and other third party services that the company then billed the customer for through a Billing and Collections (B&C) agreement. This also provided a full detail of 900 (premium toll) services, and allowed a customer to bill a variety of other services to their phone bills, which created an entire history.
[21] Verizon also offers a similar service to enable real-time tracking of family members. Verizon Wireless, Family Locator, archived, available at, http://products.verizonwireless.com/index.aspx?id=fnd_familylocator&lid=//global//entertainment+and+apps//family+locator.
[22] SQL is a very basic programming language that allows a user to use simple statements to retrieve broad amounts of information, or narrow down to single records very quickly. See W3Schools, 2010, available at http://www.w3schools.com/sql/default.asp.
[23] See generally, Richard Best, Satellite Surveillance: Domestic Issues, Congressional Research Service, 3/21/08.
[24] See generally, Elizabeth Bazan, The Foreign Intelligence Surveillance Act: An Overview of Selected Issues, Congressional Research Service, 7/7/2008.
[25] Only 9% of computers within 241 American companies utilized appropriate security procedures in a recent CRS survey. John Rollins, Terrorist Capabilities for Cyberattack: Overview and Policy Issues, at CRS-6.
[26] The U.S. military’s policy of “don’t ask, don’t tell” with regards to homosexuals prevents discrimination against homosexuals in the military and prescribes a policy of strict scrutiny when presented with a homosexual in the military, but the policy forbids a person who “outs” themselves from being in the U.S. military. Witt v. Dep’t of the Air Force, 527 F. 3d 806, 823-26 (9th Cir. 2008).
[27] Improvised Explosive Device, see Boone v. MVM, Inc. 572 F.3d 809, 811 (10th Cir. 2009).
[28] If you consider the fact that military and government databases contain secret encryptions that private companies do not have, the information these private entities possess and catalog can be breached at any point by these same trespassers. However, breaching may not be necessary, as most of this information is available for sale at a minimal rate. Dr. Raj Aggarwal details a slew of recent breaches by the US government in his paper, Business Strategies for Multinational Intellectual Property Protection, Thunderbird International Business Journal, Forthcoming, 2010.
[29] Rendering a person traditionally means that the U.S. will in essence grab a foreign citizen and bring them into custody. In the example of extraordinary rendition, a person is captured by the U.S. and then transferred to another sovereign state for interrogation and / or torture. See Arar v. Ashcroft, 585 F.3d 559, 567 – 68 (2nd Cir. 2009) (Holding that an individual taken into custody in the U.S., then transferred to a Syrian prison where he was tortured, was unable to state a claim under the Torture Victims Protection Act, 28 U.S.C. § 1350, because the government, although it had knowledge that torture was likely, did not partake in the torturing itself.)
[30] Mr. Goerlick is referring to Mr. John McLaughlin, Acting Director of the CIA as of 2004.