Author: DCherubin

  • Leave my e-mail alone!

    Catalina Carmona

     

    For quite some time now, both industry and privacy advocates have pointed out the need to reform the Electronic Communications Privacy Act (ECPA). The main argument is that the act, which was passed in 1986, cannot adequately respond to new technologies, and leaves important loopholes for privacy to be disrupted.

     

    For example, ECPA only requires law enforcement authorities to have a warrant when searching through email that has not been opened, and is less than 180 days old. For older emails, no warrant is required. In times in which people no longer store their emails on their hard drives, but on the cloud or a server, this poses serious threats to privacy.

     

    In November 2012, the Senate Judiciary Committee approved a reform to ECPA, which would now require law enforcement authorities to obtain a warrant in all cases when searching through email.

    http://www.nytimes.com/2012/11/30/technology/senate-committee-approves-stricter-privacy-for-e-mail.html?_r=0

     

    The Committee approved this bill despite strong opposition from enforcement agencies. In fact, just a few days before this proposal was approved, Patrick Leahy, the Democratic chairman of the Senate Judiciary Committee, who also took part in the drafting of the original version of ECPA, was ready to go through with a version that would allow several agencies –including the Securities and Exchange Commission and the Federal Communications Commission– to access email without a warrant. The FBI and Homeland Security would have even greater powers under the Act, as they could even fully access online accounts without a judge’s authorization, or notification to the owner of the account.

    http://news.cnet.com/8301-13578_3-57552225-38/senate-bill-rewrite-lets-feds-read-your-e-mail-without-warrants/?part=rss&subj=news

     

    The online community has enthusiastically received the reforms to ECPA, and now awaits the final vote in the Senate, which is expected to happen some time this year.

    (See, for example: https://www.cdt.org/pr_statement/senate-committee-takes-historic-step-privacy and https://www.netnanny.com/blog/the-ecpa-and-your-online-privacy/ )

     

    But the bill will still need to overcome the resistance from more conservative groups, who believe that public safety should have a stronger stance when analyzing online privacy.

  • Mistakes By Credit Reporting Agencies

    Zachary King

     

    This past Sunday 60 Minutes aired a report about the enormous number of mistakes made by credit reporting agencies (http://www.cbsnews.com/8301-18560_162-57567957/40-million-mistakes-is-your-credit-report-accurate/).

     

    In the report Steve Kroft cites to a newly released 8-year-long study conducted by the FTC into the big 3 credit reporting agencies (Experian, TransUnion, and Equifax) saying that 40 million Americans have an error on their credit reports and 20 million have a mistake significant enough to lower their credit score. This translates to one in every five adults with an error, which the Ohio attorney general has called “unconscionable.”

     

    The segment explains the harms faced by individuals with mistakes on their credit records. The show concentrates on one woman who had a six-year battle with the big three companies. She was denied credit and couldn’t refinance her mortgage or undersign a loan for her children. When she ordered her credit reports there was nothing alarming. She only found out what the problem was by peeking at her file at a bank when nobody was looking. She learned that the credit reports that banks get are different from what the consumer can get. In her case the large debts of a woman with the same first name, but a completely different last name from a different state somehow got added to her file. While it seems like this would be easy to fix, it turns out that it was impossible. The companies refuse to undergo the reasonable investigations required by the FCRA. 60 Minutes interviewed former employees of Experian who said that they did not have the power to do even the most basic investigation and were instructed to always take the word of the creditor to be true. The only way that she was able to finally prevail was by filing a lawsuit. The show says that the credit reporting companies are not interested in improving their policies. They reason that it is cheaper to every so often pay $1 million in punitive damages than it would be to implement a system that is in line with the basic fair information practice principles.

     

    60 Minutes explained this story as “a horror story worthy of Hitchcock or Kafka.” While these analogies aren’t bad, what is more apt is the movie Brazil, where a fly gets jammed in a typewriter causing a slight change in a name printed on a government document, which sets into place a very unfortunate series of events. Rather than give spoilers, you should watch the movie (http://www.imdb.com/title/tt0088846/). In any event, now that there is some press about the practices of the credit reporting agencies, perhaps changes will be made and we can avoid the path that is currently set towards Terry Gilliam’s dystopian bureaucratic vision captured in Brazil.

  • Understanding Facebook Privacy

    Jessica Heimler

     

    http://www.nytimes.com/2013/02/07/technology/personaltech/protecting-your-privacy-on-the-new-facebook.html?smid=tw-nytimes

     

    With Facebook consistently rolling out new features and subsequent privacy settings, many people may be unaware as to how to best protect their online information. This article, which appeared on February 6, 2013 in the New York Times, suggests four questions to ask yourself so as to best be able to format your privacy settings. First is “How You Would Like To Be Found.” It gives tips on how to disable search engines from linking to your Facebook timeline and how to determine what the privacy settings are for something posted by a friend. The next question is “what do you want the world to know about you?” It urges readers to reconsider including seemingly harmless pieces of information, such as gender and birthday, which can be exploited by hackers. The article also identifies online tools which can identify pieces of information, such as profanity, and gives you the option of deleting it from your profile. Third asks “do you mind being tracked by advertisers?” and explains how to remove targeted advertising from your homepage. Finally, the article asks “Whom do you want to befriend?” and asks readers to carefully consider who they create connections with over Facebook. It identifies two more pieces of software that can prevent a Facebook friend’s actions from displaying pieces of your own information publicly.

     

    This article is an important read even for those who think they have a good handle on Facebook’s privacy settings. The new version of Facebook, released this past December, will allow all users–including strangers–to search for pieces of information such as what you do and where you go. It is imperative that users know how to protect this information in the best way possible.

  • US Interests behind proposed amendments to the EU’s planned General Data Protection Regulation.

    Akiva Miller

     

    The approaches to privacy regulation taken by Europe and the United States are often seen as being at odds with one another. The European regulatory scheme is characterized as overarching, comprehensive, principled, centrally-controlled, and more protective of citizens’ rights, whereas the US regulatory system is characterized as a patchwork of sector-specific laws and regulations, lacking in unitary concepts, driven by a combination of FTC action and self-regulation by the industries, and less protective of citizens’ rights. (See, for example: http://www.nytimes.com/2013/02/03/technology/consumer-data-protection-laws-an-ocean-apart.html?_r=1& , which was featured in last week’s PRG blog post).

     

    However, this impression may need to be revisited following closer scrutiny of the drafting process of the EU’s new Data Protection Regulation. As technology news site GigaOm reports, a recent examination of the proposed amendments to the draft Data Protection Regulation conducted by Max Schrems, an Austrian law student and vocal critic of Facebook, casts light on the extent to which US commercial interests are influencing the drafting process. Schrems’s examination shows how language coming from lobbyists for US-based commercial giants Amazon and eBay, as well as the American Chamber of Commerce, has been copy-and-pasted directly into the opinion submitted by the European Parliament’s Committee on the Internal Market and Consumer Protection to amend the proposed General Data Protection Regulation. According to the report, these suggested changes water down the original protections of European citizens’ rights in favor of American business.

     

    http://gigaom.com/2013/02/11/amazon-ebay-privacy-lobbying-sparks-cut-and-paste-crowdsourcing-drive/

     

     

    So perhaps the guiding hands behind privacy regulation in the US and Europe are not so vastly different after all? If true, this information is a vivid reminder that Europe’s principled approach to privacy does not necessarily translate into tougher privacy safeguards for citizens. It should also serve as food for thought for advocates of comprehensive privacy legislation in the United States and elsewhere around the world.

     

     

    Information on the proposed General Data Protection Regulation can be found at: http://ec.europa.eu/justice/newsroom/data-protection/news/130206_en.htm

     

    The proposed amendments by the Committee on the Internal Market and Consumer Protection  can be found at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-%2f%2fEP%2f%2fNONSGML%2bCOMPARL%2bPE-496.497%2b02%2bDOC%2bPDF%2bV0%2f%2fEN

     

  • FTC uses the Fair Credit Reporting Act to protect social media users

    Peter Kauffman

     

    http://www.nytimes.com/2012/06/13/technology/ftc-levies-first-fine-over-internet-data.html

    Last June, the Federal Trade Commission assessed an $800,000 penalty on Spokeo, a data collection agency, for distributing personal information as a way for potential employers to screen job applicants. According to the above New York Times article, this was “the F.T.C.’s first case addressing the sale of Internet and social media data for use in employment screening.” Like the Google Buzz case and the Path settlement discussed in the “FTC is getting serious about regulating mobile privacy” blog post, this indicates the FTC’s willingness to aggressively curb social media sites’ abilities to disseminate their users’ private information. Unlike those two cases, the FTC assessed the fine against Spokeo under the Fair Credit Reporting Act.

    Based on this case, institutions can be considered consumer reporting agencies despite their best attempts to not fall under that label. In 2010, Spokeo changed its terms of service to state that it “was not a ‘consumer reporting agency’ and that consumers could not use its profiles for purposes that were covered by the Fair Credit Reporting Act.” Similar to the Google Buzz case, the FTC faulted the company for insufficient notice to subscribers about such a change in its practice. The FTC then argued that the “coherent people profiles” Spokeo made available—which included an individual’s marital status, hobbies, ethnicity, religion, and photos—constituted a “consumer report” under the definition in 15 U.S.C. § 1681b(d). This case highlighted an interesting strategy the FTC can employ in its quest to protect dissemination of social media users’ private information.

  • No Asking Sexual Activity: NASA v. Nelson Qualified by Federal District Court

    By: Can Cui

    In December 2011, a Michigan employer’s motion for summary judgment on a job applicant’s right to privacy claim was denied over questions asked in a routine pre-employment medical exam conducted by an independently owned medical clinic.  Garlitz v. Alpena Regional Medical Center, No. 10-13874-BC., 2011 WL 6016498, at *13 (E.D. Mich. Dec. 2, 2011).  See David Goldstein, Hospital’s Post-Offer Medical Questions May Violate ADA, Title VII, and Employee Privacy Rights, Healthcare Employment Counsel (Dec. 12, 2011), http://www.healthcareemploymentcounsel.com/2011/12/12/hospitals_post-offer_medical_questions_may_violate_ada_title_vii_and_employees_privacy_rights/.

     

    Acknowledging that “[w]hen acting as an employer rather than as a sovereign, the government enjoys greater latitude to inquire into personal matters of its employees,” Garlitz, 2011 WL 6016498, at *15 (citing NASA v. Nelson, 131 S. Ct. 746, 757-58 (2011)), the District Court is not willing to let “public employees surrender their constitutional rights when they accept a position with the government,” Id. at *15, and held that “the information sought [by the government employer] regarding Plaintiff’s sexual life [must be] relevant to Plaintiff’s job performance or related to her job functions.”  Id. at *16.

     

    This case distinguishes itself from Nelson because, unlike in Nelson, where the information seeking was reasonably aimed at identifying capable employees who would faithfully conduct the Government’s business, the “inquiry into . . . ‘private sexual life’ is [not] ‘related’ to the job.”  Id. at *16.  Therefore, although the government does not have to show its questions were necessary or the least restrictive means of furthering its interests, as established in Nelson, a minimum level of “relatedness” is required.

     

    One may argue that Norman-Bloodsaw v. Lawrence Berkeley Laboratory, 135 F.3d 1260 (9th Cir. 1998) has made a comeback in this case, at least in the government employer context.  This case is different from Norman-Bloodsaw in at least two significant ways.  In Norman-Bloodsaw, blood and urine samples were taken and tested for various conditions without the plaintiffs’ knowledge and consent, while in this case, only questions about pregnancy, abortion, sexual activity, birth control and similar subjects were asked in a written form.  Indeed, although the 9th Circuit recognized both the right to information privacy and the Fourth Amendment right in Norman-Bloodsaw, it felt that “it would not make sense to examine the collection of medical information under two different approaches,” and analyzed “under the rubric of [the Fourth] Amendment.”  Id.  Here, a Fourth Amendment argument may not be as strong unless one believes that questioning should be considered a “search” under the Fourth Amendment.

     

    To the extent that some commentators may think that Nelson could be decided merely by concluding that questionnaires to collect information, without any evidence of disclosure, do not implicate the constitutional right to privacy, e.g., Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 1025 (4th ed. 2011), this case seems to have answered that question in the negative.

     

    So the takeaway message for human resources is: HR staff are well advised to review and/or revise their pre-employment medical screening process to make sure that the subject matter of not only tests conducted but also questions asked is related to the job, because courts may be looking more closely at routine policies and procedures concerning screening and hiring.  If you cannot find relatedness between a screening question and a specific job function, you’d better leave the question out of the hiring process.

     

    Eastern District of Michigan’s opinion in Garlitz is available here: http://www.healthcareemploymentcounsel.com/examining-room/GarlitzVsAlpena.pdf.

  • New Telecommunications Provider Aims to Enforce Privacy Rights against Government Surveillance through Consumer Autonomy

    By Sofia Rahman

    CNET reports that the first ISP executive to challenge the government’s demands for consumer information via national security letters is now in the process of creating what could be the most serious and consistent pushback to government surveillance: “a telecommunications provider designed from its inception to shield its customers from surveillance.”

    http://news.cnet.com/8301-31921_3-57412225-281/this-internet-provider-pledges-to-put-your-privacy-first-always/

    Nicholas Merrill’s proposed telecommunications provider will provide budget-friendly national mobile and internet service which places consumers first by giving them substantial control over their data and collaborating with public interest organizations like the ACLU and EFF to presumptively challenge seemingly unconstitutional government demands for consumer records. The ISP would be run by Merrill’s non-profit, the Calyx Institute, whose primary goal is to “use every legal and technical means available to protect the privacy of customer data.” The key to Merrill’s approach is making it impossible for the ISP to comply with the FBI’s requests for data, such as stored communications, by allowing consumers to encrypt their information from Calyx itself:

    “Through other partnerships, we are poised to offer Internet service in 70 markets in the US using wireless spectrum which we will bundle with end-to-end encrypted Virtual Private Network (VPN) technology in order to keep the customer’s data as private as possible. The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files. This means that the provider (Calyx) will not be able to read your email or files even if it wanted to. And if Calyx can’t read it, it can’t be targeted by unconstitutional surveillance tactics.”

    Calyx would be able to avoid compliance with FBI demands this way because the Communications Assistance for Law Enforcement Act of 1994 (CALEA) states that ISPs cannot be forced to decrypt communications if they don’t actually possess the necessary information. While the FBI has expressed concern about this type of “Going Dark” obstacle inherent to an ISP, the ACLU has embraced Calyx as the rare exception to the major telecommunications providers like Verizon and AT&T which have been unwilling to publicly challenge the government’s demands and have instead handed over billions of consumer records.

    Although the government could still evade Calyx’s encryption-based protections by other surveillance methods such as remote installation of spyware or keyloggers, Calyx could still address the government’s controversial ability to prohibit ISPs from providing notice to consumers whose information the government has requested, which renders it near impossible for consumers to establish standing in court to assert their privacy rights. With consumers in charge of their own data, the government may be unable to avoid notifying or alerting consumers in the course of surveillance.

    Merrill was motivated by his unique experience as a former ISP-executive to confront the government’s ability to restructure the power dynamics of privacy, including the government’s ironic ability to force anonymity in order to acquire confidential information.

    In 2004, the FBI sent Merrill a secret NSL (which at the time required no prior judicial review though Congress narrowly addressed this in 2005) demanding that he provide them with confidential customer data and forbidding him from disclosing the FBI’s demand to anyone. Merrill refused to comply and instead sued the FBI and Department of Justice.  In order to file suit, Merrill violated the non-disclosure order by hiring the ACLU but litigated the case anonymously and the Washington Post made its first exception to its prohibition on anonymous op-eds in order to publish his piece decrying government secrecy and the usurpation and repression of his identity: “I resent being conscripted as a secret informer for the government and being made to mislead those who are close to me, especially because I have doubts about the legitimacy of the underlying investigation.”

    Merrill was prohibited from revealing his identity for six years as the case (known in its most recent form as Doe v. Holder) made its way through the courts and various changes in the Bush and Obama administrations. But Merrill’s persistence led to the first legal victory against the gag orders, with the courts twice finding that they were unconstitutional under the First Amendment: in 2004, because they constituted prior restraints on content-based speech, and in 2008, because they wrongly burdened recipients with challenging the gag orders in the first instance rather than requiring the government to bear the burden of demonstrating the need for non-disclosure. In a 2010 settlement, the FBI allowed Merrill to reveal his identity but kept in place the gag order on the redacted contents of the NSL. In a follow-up Washington Post op-ed, Merrill wrote that the forced anonymity took a debilitating toll on his personal life because he was prohibited from confiding in family and friends.

    Calyx may have the potential not only to restore agency of the right of anonymity to recipients of government surveillance demands, but also to assuage consumers who have resorted to anonymous remailers like Hushmail and Mailinator because they lack confidence in the privacy of their standard communications accounts. Calyx has received popular support in forums like Reddit and has a $2 million fundraising goal to start operating later this year.

  • New York Moves To Protect Health Data Privacy

    Emily Millner

    As New York Builds Its Health Information Exchange, New And Complex Privacy Issues Arise.

     

    The move towards implementation of health information exchange (HIE) introduces new concerns regarding patient privacy. New York State is building a health information exchange that uploads the entire history of a patient’s medical records to a centralized network. The New York eHealth Collaborative together with the New York State Department of Health have established the Statewide Health Information Network of New York Policy Committee.

    The committee’s primary task will be to create and update policies that protect personal health information while expanding the state’s ability to share electronic health records between healthcare providers as well as consumers and other health-related community organizations. The committee was established after The New York Civil Liberties Union issued a report criticizing New York State’s current privacy and security policies and procedures governing computer networks that share electronic medical records.

    The committee aims to make health information both accessible and secure. One area of concern, which the committee hopes to address, is the technological infrastructure of the state’s HIE, which has been described as “an all or nothing” approach. Once a patient gives the provider consent to access his or her medical records, the provider can see everything about the patient that was ever entered into the network, regardless of whether the information is relevant to the current treatment. The committee hopes to implement a policy requiring HIEs to have the capacity to sort and segregate information so that both patients and providers have the ability to restrict access to certain portions of a medical record.

    The committee works with stakeholders from across the state and from a wide variety of interest groups to develop common policies, procedures and technical approaches through an open and transparent process. The committee will continue to work towards developing a system that strikes the proper balance between accessibility and security of health information.

     

    http://www.informationweek.com/news/healthcare/security-privacy/232800368

    OR

    http://www.ihealthbeat.org/articles/2012/4/6/ny-forms-health-data-exchange-policy-panel-after-recent-criticism.aspx

     

  • Genomic Testing and the Affordable Health Care Act

    By: Fahd Reyaz

    Genomic testing is becoming cheaper and companies are able to provide better assessments of risk for complex diseases based on an individual’s genome. As more individuals purchase these services and have asymmetric information about their own lifestyle, environment, etc. they may consider themselves “genetically healthy” and opt into less comprehensive or lower premium insurance. On the other hand, “genetically unhealthy” individuals would opt into more comprehensive or higher premium insurance. Insurance companies would be unable to raise premiums for the “genetically unhealthy” group as a larger percentage of those “genetically unhealthy” individuals become sick relative to “genetically healthy” individuals.

    An example of this is the APOE e4 variant for Alzheimer’s disease – a, from the health insurer’s perspective, expensive disease due to the need for long-term care and nursing – individuals who find out they have the e4 variant, which increases the likelihood of having Alzheimer’s disease later in life, would likely opt into more comprehensive health insurance. Insurance companies would be unable to raise those individuals’ premiums since GINA prohibits insurers from raising health insurance premiums based on genetic risk; one commentator referred to this as an “adverse-selection death spiral”.

    The Affordable Health Care Act’s Individual Mandate would solve this issue since individuals, regardless of their prospective genetic health, would purchase insurance side by side. Recently the Supreme Court questioned the constitutionality of not only the Individual Mandate, but also the Affordable Health Care Act.

    If the Individual Mandate is struck down while GINA is still enforceable, it seems likely to me that the health insurance industry will have to rethink how they price insurance.

     

    Washington Post – How a $1000 test could destroy the Health insurance Industry

  • Online Privacy

    Julia Angwin & Jeremy Singer-Vine, Selling You on Facebook, Wall St. J. (Apr. 10, 2012), http://online.wsj.com/article/SB10001424052702303302504577327744009046230.html.

    By: Randall Norman

    Online privacy is a hotly debated topic right now.  Some of this attention stems from the recent release of the Obama Administration’s Consumer Privacy Bill of Rights and the other issuances of proposed methods to regulate Internet privacy by various groups.  Hopefully, at least part of the current interest in online privacy can be attributed to the awareness and concern of Internet users about the collection of their data.  Different websites and applications utilize an impressive array of techniques to monitor the online behavior and collect the personal information of users.

    While the extent to which companies engage in the collection of user data varies greatly, some websites are notorious for gathering the personal information of their users. One such infamous collector is Facebook. Both the social networking website itself and many of the applications offered on the website are attractive to users because of the seemingly free status. However, such websites and applications that do not charge a monetary fee are profiting from the popularity of their products by collecting the personal information of users and selling this data to online advertising companies.

    Although many sites track the behavior of users, Facebook is particularly tailored to collect personal information as a social networking website. On Facebook, users voluntarily choose to share all kinds of details about themselves, allowing the website to cater to the $28 billion online advertising industry. Additionally, Facebook boasts over 800 million users, who provide massive amounts of personal data for collection.

    Facebook largely derives its revenues either directly, or indirectly through the quizzes, games, and other applications offered, from the advertising services that use the collected data to target users with customized ads based on profile and online behavior.  In May 2012, when the company plans to go public, Facebook could potentially boast an initial public offering of more than $100 billion on the Nasdaq Stock Market.  This value illustrates the substantial demand for collected user data and underscores the extensive effect that new regulations for online privacy will have, regardless of the form adopted.