I received a notice about this journal issue:
http://idpl.oxfordjournals.org/content/2/4.toc?etoc
I’m not sure why I received it, exactly, but it scanning the articles, many of them look quite interesting. It’s particularly nice to hear from Fred Cate again. I’ve always appreciated his views and discussions. No doubt many of you will recognize many of the other authors, too.
http://blogs.law.stanford.edu/cels2012/
This year’s CELS conference will be at Stanford in november. The program is now available at http://www.law.stanford.edu/sites/default/files/event/265957/media/slspublic/PreliminarySchedule.pdf. Lots of good stuff there!
Here’s an interesting story, public action, and settlement about a company secretly spying on users from their rental computers.From: http://www.ftc.gov/opa/2012/09/designware.shtm
“Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.
The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge according to the FTC complaint. The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers.”
In response to congressional requests, the GAO produced a new report on medical device security (http://www.gao.gov/assets/650/647767.pdf). Unlike agencies like NIST, the GAO provided a number of specific recommendations for the FDA (apparently the oversight of medical device security falls to the FDA). And by “specific” I mean very general, almost cliché recommendations:
1) The FDA should increase its focus on manufacturers’ identification of potential unintentional and intentional computer security threats and vulnerabilities and strategies to mitigate these risks during its pre-market approval review process;
2) Utilize available resources, including those from other entities, such as other federal agencies;
3) Leverage its post-market efforts to identify and investigate information security problems; and
4) Establish a specific schedule for completing this review and implementing these changes.
I really have no idea what any of that is really supposed to do. However, despite that, the GAO report is extensive in its detail and description of medical threats and risks.
The FTC may have learned from the backlash over the $25,000 fine the FCC imposed on Google for intercepting wireless traffic with its Street View cars. According to a published report, Google and the FTC are negotiating over how large a fine Google will pay for bypassing default settings in the Safari web browser to install third-party tracking cookies in violation of the browser’s settings. The fine could exceed $10 million, according to Bloomberg — large, but tiny compared to the maximum fine of $16,000 per day per violation under the FTC’s statutory authority.
By: Can Cui
In December 2011, a Michigan employer’s motion for summary judgment on a job applicant’s right to privacy claim was denied over questions asked in a routine pre-employment medical exam conducted by an independently owned medical clinic. Garlitz v. Alpena Regional Medical Center, No. 10-13874-BC., 2011 WL 6016498, at *13 (E.D. Mich. Dec. 2, 2011). See David Goldstein, Hospital’s Post-Offer Medical Questions May Violate ADA, Title VII, and Employee Privacy Rights, Healthcare Employment Counsel (Dec. 12, 2011), http://www.healthcareemploymentcounsel.com/2011/12/12/hospitals_post-offer_medical_questions_may_violate_ada_title_vii_and_employees_privacy_rights/.
Acknowledging that “[w]hen acting as an employer rather than as a sovereign, the government enjoys greater latitude to inquire into personal matters of its employees,” Garlitz, 2011 WL 6016498, at *15 (citing NASA v. Nelson, 131 S. Ct. 746, 757-58 (2011)), the District Court is not willing to let “public employees surrender their constitutional rights when they accept a position with the government,” Id. at *15, and held that “the information sought [by the government employer] regarding Plaintiff’s sexual life [must be] relevant to Plaintiff’s job performance or related to her job functions.” Id. at *16.
This case distinguishes itself from Nelson because, unlike in Nelson, where the information seeking was reasonably aimed at identifying capable employees who would faithfully conduct the Government’s business, the “inquiry into . . . ‘private sexual life’ is [not] ‘related’ to the job.” Id. at *16. Therefore, although the government does not have to show its questions were necessary or the least restrictive means of furthering its interests, as established in Nelson, a minimum level of “relatedness” is required.
One may argue that Norman-Bloodsaw v. Lawrence Berkeley Laboratory, 135 F.3d 1260 (9th Cir. 1998) has made a comeback in this case, at least in the government employer context. This case is different from Norman-Bloodsaw in at least two significant ways. In Norman-Bloodsaw, blood and urine samples were taken and tested for various conditions without the plaintiffs’ knowledge and consent, while in this case, only questions about pregnancy, abortion, sexual activity, birth control and similar subjects were asked in a written form. Indeed, although the 9th Circuit recognized both the right to information privacy and the Fourth Amendment right in Norman-Bloodsaw, it felt that “it would not make sense to examine the collection of medical information under two different approaches,” and analyzed “under the rubric of [the Fourth] Amendment.” Id. Here, a Fourth Amendment argument may not be as strong unless one believes that questioning should be considered a “search” under the Fourth Amendment.
To the extent that some commentators may think that Nelson could be decided merely by concluding that questionnaires to collect information, without any evidence of disclosure, do not implicate the constitutional right to privacy, e.g., Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 1025 (4th ed. 2011), this case seems to have answered that question in the negative.
So the takeaway message for human resources is: HR staff are well advised to review and/or revise their pre-employment medical screening process to make sure that the subject matter of not only tests conducted but also questions asked is related to the job, because courts may be looking more closely at routine policies and procedures concerning screening and hiring. If you cannot find relatedness between a screening question and a specific job function, you’d better leave the question out of the hiring process.
Eastern District of Michigan’s opinion in Garlitz is available here: http://www.healthcareemploymentcounsel.com/examining-room/GarlitzVsAlpena.pdf.
New Telecommunications Provider Aims to Enforce Privacy Rights against Government Surveillance through Consumer Autonomy
By Sofia Rahman
CNET reports that the first ISP executive to challenge the government’s demands for consumer information via national security letters is now in the process of creating what could be the most serious and consistent pushback to government surveillance: “a telecommunications provider designed from its inception to shield its customers from surveillance.”
Nicholas Merrill’s proposed telecommunications provider will provide budget-friendly national mobile and internet service which places consumers first by giving them substantial control over their data and collaborating with public interest organizations like the ACLU and EFF to presumptively challenge seemingly unconstitutional government demands for consumer records. The ISP would be run by Merrill’s non-profit, the Calyx Institute, whose primary goal is to “use every legal and technical means available to protect the privacy of customer data.” The key to Merrill’s approach is making it impossible for the ISP to comply with the FBI’s requests for data, such as stored communications, by allowing consumers to encrypt their information from Calyx itself:
“Through other partnerships, we are poised to offer Internet service in 70 markets in the US using wireless spectrum which we will bundle with end-to-end encrypted Virtual Private Network (VPN) technology in order to keep the customer’s data as private as possible. The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files. This means that the provider (Calyx) will not be able to read your email or files even if it wanted to. And if Calyx can’t read it, it can’t be targeted by unconstitutional surveillance tactics.”
Calyx would be able to avoid compliance with FBI demands this way because the Communications Assistance for Law Enforcement Act of 1994 (CALEA) states that ISPs cannot be forced to decrypt communications if they don’t actually possess the necessary information. While the FBI has expressed concern about this type of “Going Dark” obstacle inherent to an ISP, the ACLU has embraced Calyx as the rare exception to the major telecommunications providers like Verizon and AT&T which have been unwilling to publicly challenge the government’s demands and have instead handed over billions of consumer records.
Although the government could still evade Calyx’s encryption-based protections by other surveillance methods such as remote installation of spyware or keyloggers, Calyx could still address the government’s controversial ability to prohibit ISPs from providing notice to consumers whose information the government has requested, which renders it near impossible for consumers’ to establish standing in court to assert their privacy rights. With consumers in charge of their own data, the government may be unable to avoid notifying or alerting consumers in the course of surveillance.
Merrill was motivated by his unique experience as a former ISP-executive to confront the government’s ability to restructure the power dynamics of privacy, including the government’s ironic ability to force anonymity in order to acquire confidential information.
In 2004, the FBI sent Merrill a secret NSL (which at the time required no prior judicial review though Congress narrowly addressed this in 2005) demanding that he provide them with confidential customer data and forbidding him from disclosing the FBI’s demand to anyone. Merrill refused to comply and instead sued the FBI and Department of Justice. In order to file suit, Merrill violated the non-disclosure order by hiring the ACLU but litigated the case anonymously and the Washington Post made its first exception to its prohibition on anonymous op-eds in order to publish his piece decrying government secrecy and the usurpation and repression of his identity: “I resent being conscripted as a secret informer for the government and being made to mislead those who are close to me, especially because I have doubts about the legitimacy of the underlying investigation.”
Merrill was prohibited from revealing his identity for six years as the case (known in its most recent form as Doe v. Holder) made its way through the courts and various changes in the Bush and Obama administrations. But Merrill’s persistence led to the first legal victory against the gag orders, with the courts twice finding that they were unconstitutional under the First Amendment: in 2004, because they constituted prior restraints on content-based speech, and in 2008, because they wrongly burdened recipients with challenging the gag orders in the first instance rather than requiring the government to bear the burden of demonstrating the need for non-disclosure. In a 2010 settlement, the FBI allowed Merrill to reveal his identity but kept in place the gag order on the redacted contents of the NSL. In a follow-up Washington Post op-ed, Merrill wrote that the forced anonymity took a debilitating toll on his personal life because he was prohibited from confiding in family and friends.
Calyx may have the potential not only to restore agency of the right of anonymity to recipients of government surveillance demands, but also to assuage consumers who have resorted to anonymous remailers like Hushmail and Mailinator because they lack confidence in the privacy of their standard communications accounts. Calyx has received popular support in forums like Reddit and has a $2 million fundraising goal to start operating later this year.
Emily Millner
As New York Builds Its Health Information Exchange, New And Complex Privacy Issues Arise.
The move towards implementation of health information exchange (HIE) introduces new concerns regarding patient privacy. New York State is building a health information exchange that uploads the entire history of a patient’s medical records to a centralized network. The New York eHealth Collaborative together with the New York State Department of Health have established the Statewide Health Information Network of New York Policy Committee.
The committee’s primary task will be to create and update policies that protect personal health information while expanding the state’s ability to share electronic health records between healthcare providers as well as consumers and other health-related community organizations. The committee was established after The New York Civil Liberties Union issued a report criticizing New York State’s current privacy and security policies and procedures governing computer networks that share electronic medical records.
The committee aims to make health information both accessible and secure. One area of concern, which the committee hopes to address, is the technological infrastructure of the state’s HEI, which has been described as “an all or nothing” approach. Once a patient gives the provider consent to access his or her medical records, the provider can see everything about the patient that was ever entered into the network, regardless of whether the information is relevant to the current treatment. The committee hopes to implement a policy requiring HIEs to have the capacity to sort and segregate information so that both patients and providers have the ability to restrict access to certain portions of a medical record.
The committee works with stakeholders form across the state and from a wide variety of interest groups to develop common policies, procedures and technical approaches through an open and transparent process. The committee will continue to work towards developing a system that strikes the proper balance between accessibility and security of health information.
http://www.informationweek.com/news/healthcare/security-privacy/232800368
OR
By: Fahd Reyaz
Genomic testing is becoming cheaper and companies are able to provide better assessments of risk for complex diseases based on an individual’s genome. As more individual’s purchase these services and have asymmetric information about their own lifestyle, environment, etc. they may consider themselves “genetically healthy” and opt into less comprehensive or lower premium insurance. On the other hand, “genetically unhealthy” individuals would opt into more comprehensive or higher premium insurance. Insurance companies would be unable to raise premiums for the “genetically unhealthy” group as a larger percentage of those “genetically unhealthy” individuals become sick relative to “genetically healthy” individuals.
An example of this is the APOE e4 variant for Alzheimer’s disease – a, from the health insurer’s perspective, expensive disease due to the need for long-term care and nursing – individuals who find out they have the e4 variant, which increases the likelihood of having Alzheimer’s disease later in life, would likely opt into more comprehensive health insurance. Insurance companies would be unable to raise those individuals’ premiums since GINA prohibits insurers from raising health insurance premiums based on genetic risk; one commentator referred to this as an “adverse-selection death spiral“.
The Affordable Health Care Act’s Individual Mandate would solve this issue since individuals, regardless of their prospective genetic health, would purchase insurance side by side. Recently the Supreme Court questioned the constitutionality of not only the Individual Mandate, but also the Affordable Health Care Act.
If the Individual Mandate is struck down while GINA is still enforceable, it seems likely to me that the health insurance industry will have to rethink how they price insurance.
Washington Post – How a $1000 test could destroy the Health insurance Industry