350 likes | 430 Views
Whose Computer Is It, Anyway?. Steven J. McDonald General Counsel Rhode Island School of Design Computer Policy and Law 2006. The Key to Handling Computer Privacy Issues Successfully. Ignore the law. But First, Let's Invade a Little. http://www.facebook.com http://www.myspace.com
E N D
Whose Computer Is It, Anyway? Steven J. McDonald General Counsel Rhode Island School of Design Computer Policy and Law 2006
The Key to Handling Computer Privacy Issues Successfully Ignore the law
But First, Let's Invade a Little • http://www.facebook.com • http://www.myspace.com • http://www.archive.org/web/web.php
What is Privacy? "[T]he right to be let alone – the most comprehensive of rights, and the right most valued by civilized men." Justice Louis Brandeis Olmstead v. U.S.
The Legal Basis for Privacy:A Patchwork Quilt • U.S. and state constitutions • But no explicit reference in U.S. constitution • Fourth amendment (and state versions) • Statutory privacy • Electronic Communications Privacy Act (and state versions) • FERPA and other general privacy statutes • But also federal and state FOIA laws • The common law of privacy
The Fourth Amendment "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The Fourth Amendmentin Cyberspace "We are satisfied that the Constitution requires that the FBI and other police agencies establish probable cause to enter into a personal and private computer." U.S. v. Maxwell
Publics are Private,Privates are Not "Although individuals have a right under the Fourth Amendment of the United States Constitution to be free from unreasonable searches and seizures by the Government, private searches are not subject to constitutional restrictions." U.S. v. Hall
O'Connor v. Ortega "Fourth Amendment rights are implicated [whenever] the conduct of the [government] officials at issue . . . infringe[s] 'an expectation of privacy that society is prepared to consider reasonable.'"
O'Connor v. Ortega(continued) "[W]e reject the contention . . . that public employees can never have a reasonable expectation of privacy in their place of work. Individuals do not lose their Fourth Amendment rights merely because they work for the government instead of a private employer. The operational realities of the workplace, however, may make some employees' expectations of privacy unreasonable when an intrusion is by a supervisor rather than a law enforcement official. Public employees' expectations of privacy in their offices, desks, and file cabinets, like similar expectations of employees in the private sector, may be reduced by virtue of actual office practices and procedures, or by legitimate regulation."
O'Connor v. Ortega(continued) "Given the great variety of work environments in the public sector, the question whether an employee has a reasonable expectation of privacy must be addressed on a case-by-case basis."
Reasonable Expectationsin Cyberspace • Who owns the system? • Who has access to the system? • How does the system work? • How is the system used? • Is the system password-protected? • What policies apply to the system? • What is the ordinary practice?
The Electronic Communications Privacy Act (ECPA) • "[A] fog of inclusions and exclusions" –Briggs v. American Air Filter Co. (5th Cir. 1980) • "[A] statute . . . which is famous (if not infamous) for its lack of clarity" –Steve Jackson Games, Inc. v. United States Secret Service (5th Cir. 1994) • "[T]he Fifth Circuit . . . might have put the matter too mildly." –U.S. v. Smith (9th Cir. 1998)
ECPA Prohibitions • Generally illegal to: • Intercept an electronic communication while it is in transmission (§2511(1)(a)) • Disclose the contents of an electronic communication that has been illegally intercepted (§2511(1)(c)) • Use the contents of an electronic communication that has been illegally intercepted (§2511(1)(d))
"In Transmission" • "[T]he seizure of a computer on which is stored private e-mail that has been sent to an electronic bulletin board, but not yet read (retrieved) by the recipients" did not violate §2511(1)(a) "because [the] acquisition of the contents of the electronic communications was not contemporaneous with the transmission of those communications". – Steve Jackson Games, Inc. v. United States Secret Service • ECPA "protects electronic communications from interception when stored to the same extent as when in transit." – Konop v. Hawaiian Airlines, Inc. I • "We therefore hold that for a website such as Konop's to be 'intercepted' in violation of the Wiretap Act, it must be acquired during transmission, not while it is in electronic storage." – Konop v. Hawaiian Airlines, Inc. II
"In Transmission" • "We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications. Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology. We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes. However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly." – United States v. Councilman
"In Transmission" "We therefore conclude that the term 'electronic communication' includes transient electronic storage that is intrinsic to the communication process, and hence that interception of an e-mail message in such storage is an offense under the Wiretap Act." – United States v. Councilman (en banc)
ECPA Exceptions • A provider of electronic communication service may intercept an electronic communication, or disclose or use an intercepted communication, "while engaged in any activity which is a necessary incident to the rendition of [its] service or to the protection of [its] rights or property". (§2511(2)(a)(i))
More ECPA Exceptions • A party to an electronic communication, or a person to whom a party to an electronic communication has given consent, may intercept the communication "unless such communication is intercepted for the purpose of committing any criminal or tortious act". (§2511(2)(d))
More ECPA Exceptions • A party to an electronic communication, or a person to whom a party to an electronic communication has given consent, may intercept the communication "unless such communication is intercepted for the purpose of committing any criminal or tortious act". (§2511(2)(d)) • An exception to the exception: Some states require that all parties consent.
Still More ECPA Prohibitionsand Exceptions • It generally is illegal to access an electronic communication while it is in electronic storage. (§2701(a)) • But a provider of electronic communication service has apparently unlimited authority to access stored communications on its system. (§2701(c)(1)) • But a provider of electronic communication service to the public generally may not divulge the contents of a stored communication. (§2702(a)(1)) • But any provider may divulge the contents of a stored communication with consent or as a necessary incident to the rendition of service or to protects its rights or property. (§2702(b))
Still More ECPA Prohibitionsand Exceptions • It generally is illegal to access an electronic communication while it is in electronic storage. (§2701(a)) • But a provider of electronic communication service has apparently unlimited authority to access stored communications on its system. (§2701(c)(1)) • But a provider of electronic communication service to the public generally may not divulge the contents of a stored communication. (§2702(a)(1)) • But any provider may divulge the contents of a stored communication with consent or as a necessary incident to the rendition of service or to protects its rights or property. (§2702(b))
Still More ECPA Prohibitionsand Exceptions • It generally is illegal to access an electronic communication while it is in electronic storage. (§2701(a)) • But a provider of electronic communication service has apparently unlimited authority to access stored communications on its system. (§2701(c)(1)) • But a provider of electronic communication service to the public generally may not divulge the contents of a stored communication. (§2702(a)(1)) • But any provider may divulge the contents of a stored communication with consent or as a necessary incident to the rendition of service or to protects its rights or property. (§2702(b))
Still More ECPA Prohibitionsand Exceptions • It generally is illegal to access an electronic communication while it is in electronic storage. (§2701(a)) • But a provider of electronic communication service has apparently unlimited authority to access stored communications on its system. (§2701(c)(1)) • But a provider of electronic communication service to the public generally may not divulge the contents of a stored communication. (§2702(a)(1)) • But any provider may divulge the contents of a stored communication with consent or as a necessary incident to the rendition of service or to protects its rights or property. (§2702(b))
"To the Public" "The statute does not define 'public'. The word 'public', however, is unambiguous. Public means the 'aggregate of the citizens' or 'everybody' or 'the public at large' or 'the community at large'. Black's Law Dictionary 1227 (6th ed. 1990). Thus, the statute covers any entity that provides electronic communication service (e.g., e-mail) to the community at large." Andersen Consulting LLP v. UOP
Law Enforcement Access • Voluntary or at government request? • Obtained inadvertently or intentionally? • In transmission or in storage? • In storage more than 180 days? • Contents or log files? • With consent of user or without? • With notice to user or without?
USA PATRIOT Act • A provider of electronic communication service may disclose subscriber information concerning, and the contents of, a stored communication to a law enforcement agency if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay (§2702(b)(6)(C) and (c)(4)) • The owner of a computer system may, under certain circumstances, authorize law enforcement to intercept communications of a computer trespasser (§2511(2)(i))
USA PATRIOT Act • Governmental entities may subpoena a provider of electronic communication service for a subscriber's: • Name • Address • Records of session times and durations • Length and types of service • Subscriber number or identity, including any temporarily assigned network address • Means and source of payment, including credit card or bank numbers (§2703(c)(2))
Hmmm . . . • "[A] provider of . . . electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications . . .) to any governmental entity." (§2702(a)(3))
Common LawInvasion of Privacy • Four theories: • Intrusion • Public Disclosure of Private Facts • Misappropriation of Name or Likeness • False Light • Few cases • Room for growth?
In summary . . . "In Hell, there will be nothing but law, and due process will be meticulously observed." Grant Gilmore
Untangling the Privacy Mess • Ignore the law • Establish – and follow – a policy • What expectations are reasonable? • Consent • Options: • No privacy • Total privacy • Somewhere in between
Facing Up to Facebook • Can I? • Privacy issues? • Jurisdiction? • Must I? • Vicarious liability? • CDA? • Should I? • Assumed duty and liability?
Facing Up to Facebook • http://www.cit.cornell.edu/oit/policy/memos/facebook.html • http://www.newscientist.com/article/mg19025556.200