Privacy in the Workplace

April 29th, 2009


Jane Doe v XYC Corp (2005)

Overview of the Facts

An Employee of XYC Corporation repeatedly accessed ‘pornographic websites’, including child pornography, using his work computer, and some of these incidents were reported to the management. Several of the reports were initially ignored, before the Employee was instructed to stop his misconduct and ‘non-business’ use of company computing and network infrastructure. However, this did not result in the Employee permanently refraining from accessing pornographic material at the work site.

The Employee uploaded three nude and semi-nude images of his 10-year-old stepdaughter (Jill Doe) to gain access to a pornographic website. He had been secretly videotaping and photographing Jill at their home. Photographs of Jill found in a dumpster outside XYC Corporation led to the Employee’s arrest. It was found that he had downloaded several pornographic photos on the work computer and had email correspondence and interactions with various websites regarding child pornography.

Major Issues Discussed

Plaintiff Jane Doe, on behalf of her daughter Jill Doe, appealed the decision that dismissed XYC Corporation from its responsibility to monitor and report the activities of the Employee, which would have helped to contain the harm to Jill Doe.

The initial summary judgment had dismissed XYC Corporation on the grounds that it “had acted as a reasonably prudent corporation” by instructing the Employee to stop the misconduct, that the corporation did not have a duty to invade the privacy of the Employee, and that the harm to the plaintiff (Jill Doe) was not inflicted on XYC Corporation’s property.

These dismissals are reversed by the appellate court, after an extended discussion of issues concerning:

a. ability of XYC Corporation to monitor the Employee’s activities

b. right of the corporation to monitor the said communications of the Employee

c. duty of the corporation to know about the activities regarding child pornography

d. duty to take action to prevent the continuation of the Employee’s activities, and

e. the harm to Jill, as a result of the failure of XYC Corporation to act appropriately.

The court established that XYC Corporation did have the ability to monitor, and did monitor, its Employee’s Internet activities, and on several occasions was aware of him surfing pornographic web sites, including those that concerned child pornography. XYC had clearly mentioned that communications and computer use were monitored and could not be considered to be ‘private communications’, and that the Employee had no reasonable expectation of privacy.

In relation to the duty of XYC to take action to prevent the Employee’s actions, the court highlighted issues relating to a) the Employee’s use of equipment owned by XYC for transmitting the images, and b) the clear direction to report suspected ‘activities relating to material involving the sexual exploitation of minors’ as part of the Protection of Children from Sexual Predators Act of 1998. The court discussed the applicability of Restatement (Second) of Torts § 317 to computer equipment and Internet use, which has implications for how much Employers are responsible for their Employees’ activities that bring harm to third parties.

The court found that § 317 was applicable because of the special relationship between XYC Corporation and the Employee (employer-employee). XYC had ignored the information it had about the actions of the Employee. By investigating the employee, the employer would have discovered that the employee was involved with child pornography that posed a threat to others, including (but not necessarily) Jill. This was only a possible action, and the court mentions that the establishment of a proximate cause presents a contested issue for a jury. However, the court also stated that the assessment of ‘harm to plaintiff’ is outside of the scope of the current record, and remanded the case.

Some Implications for Employers

Employers need to monitor and assess Internet and computer usage, and take affirmative action and investigate to prevent harm to a third party. There should be clear policies that specify which communications can be monitored and which are not, to shield against liabilities involving employee actions. In view of Doe v. XYC, the monitoring and privacy policies of corporations determine which communications are seen as private communications in court, and may affect the liability of an organization. “This case might (even) suggest that an employer’s strict orders regarding Internet policies provide little protection against liability if the employer knows of its employee’s illegal behavior.” (Johnson, Jamila. 2007). A widespread citing of the ruling could possibly have the effect of limiting monitoring and creating greater privacy for employees at work.

Related Sources

Tort Law Overview [link]

§ 2252. Certain activities relating to material involving the sexual exploitation of minors [link]

Employee Internet Misuse: How Failing to Investigate Pornography May Lead to Tort Liability [link]


Quon vs. Arch Wireless

Overview

Quon, a member of the Ontario, CA police department, used a city-issued two-way pager to send and receive text messages. The City had a computer and Internet policy that did not explicitly cover text messages, but suggested it reserved the right to audit messages. Quon repeatedly exceeded a known monthly character limit and, after a fourth violation, transcripts of his messages were given, without warning or his consent, to the City of Ontario by Arch Wireless. Quon, along with three other Appellants with whom Quon exchanged messages, argued that the SCA and their Fourth Amendment rights were violated in the process. Determining whether or not Arch was, under the SCA, an electronic communications service (ECS) or a remote computing service (RCS), whether or not the Appellants had a reasonable expectation of privacy in their text messages, and whether or not the search by the Department was reasonable were key to the decisions made by both the District Court and the Court of Appeals.

The District Court determined that Arch was an RCS and not liable for revealing the text messages. A jury trial concluded that the search was reasonable because the intent was to determine the efficacy of the character limitation and not to discover misconduct. The District Court also determined that there was a reasonable expectation of privacy due to the casual policy and practice for dealing with text messages and overages. Appellants filed a motion to amend or alter the judgment and a motion for a new trial, which was denied by the District Court.

The U.S. Court of Appeals, 9th Circuit, disagreed with the District Court and categorized Arch as an ECS. An ECS is “any service which provides to users thereof the ability to send or receive wire or electronic communication”, which describes the text messaging service. Additionally, the messages were held in “electronic storage” by Arch, but not at the request of the subscriber, emphasizing that Arch was not providing an RCS storage service to Arch, but that the messages were stored as a result of the communication service.

An ECS cannot release stored content without the lawful consent of an addressee or intended recipient. The City is only a subscriber. Arch knowingly turned message transcripts over to the City. As an ECS, knowingly revealing message content violates the SCA, 18 U.S.C. 2702(a)(1). The Court of Appeals ruled in the Appellants’ favor on their claims against Arch. The Court of Appeals also held that the Appellants had a reasonable expectation of privacy for the contents of their text messages: for Quon, because of the casual “operational reality” (if you paid your overages, your messages would not be viewed), and for the other Appellants, because the contents of “messages” derive Fourth Amendment protection the same way the contents of a letter do.

The U.S. Court of Appeals, 9th Circuit, disagreed with the District Court’s decision that the search was reasonable. While the intent was to evaluate the character limit and potentially help the employee, the search was “excessively intrusive”. There were other alternative approaches that the Department could have used to evaluate whether Quon’s overages were work related.

Issues

Quon v. Arch Wireless highlights problems that arise with new communication technologies and privacy. As evidenced by the Court of Appeals’ comparison of text message content to the content in letters, separation of delivery and content information can continue to be applied to new communication mechanisms, providing protection for message content under the Fourth Amendment. The ruling also indicates that messages stored after retrieval as a result of an electronic communication are protected under the SCA, requiring that law enforcement have a warrant and provide notice in order to gain access to stored electronic messages. This is a deviation from previous opinions that once a message is accessed it is no longer in electronic storage and it loses protection.

The case also draws attention to the problems that can arise when an employer distributes and makes use of a communication technology without a clear and explicit policy and practice around use and privacy.

Supplemental Resources

EFF [link] and Gigaom [link] analyze and comment on the opinion


Employee Monitoring: Is there Privacy in the Workplace?

The single word answer (based on the article) is NO. The article elucidates the kind and level of employee monitoring practices in the industry.

Two points are important to understand the domain of workplace monitoring.

1. New technologies make it possible for employers to monitor various aspects of their employees’ jobs. Most employers use these technologies to monitor employees in view of the increasing role of electronic evidence in lawsuits and investigations.

2. The monitoring is virtually unregulated and employees should have minimal expectation of privacy in the job environment. Most employers have established policies governing computer, telephone, internet, and email usage and disclose their monitoring practices to the employees.

The monitoring practices can be varied and may depend on the technology being used.

1. Telephone monitoring: All telephone conversations conducted using the employer’s phone can be monitored by the employer, which can obtain all the details about any call made from the business phones. Some states require the employer to provide a clue to the employee as to whether their conversation is recorded or not.

2. Computer monitoring: Since the employer is the owner of the computer network and terminals in the organization, he/she can use them to monitor employee activity. The monitoring can be informed or uninformed and can take the form of monitoring employees’ keystrokes, active/idle time, hard disks, and internet/email usage. In specific cases, the employees can be protected from electronic monitoring. For example, the Fourth Amendment of the US Constitution safeguards users from unreasonable search and monitoring.

3. Email and text messages: As is the case with telephone conversations, all email messages sent from or received by an employer’s computer are the property of the employer and can be monitored. All the messages can be archived and the employees should expect no privacy with respect to any email message (even if it is deleted by the employee). It is important to distinguish between email messages and text messages (sent or received on the employer-provided cell phone). The email messages are generally stored on the company’s server, while text messages are stored with a third party (typically cell phone companies) and, with respect to the employer, the cell phone company acts as an electronic communication service (the employer does not directly pay the company to store text messages). The employer must have a warrant or the employee’s permission to get text message data.

Overall, this factsheet encourages employees to be aware of the privacy policies of the employers to avoid any conflicts.

Posted by Mohit, Gopal, and Heather

API and Privacy

April 23rd, 2009

Last semester, I collected data from Facebook for a class project. The collected data was the friendship network in each domain.

Generally speaking, I think your friend list should not be exposed to those who are not your friend unless you choose to expose it. However, I was able to do that anyway through the API.

The Facebook API provides a function that confirms whether two IDs are friends or not. Another function confirms if an integer is a valid Facebook ID. Since a Facebook ID is just an integer, I put in two IDs ranging from 1 to 10000 and checked which two are friends. Let me illustrate the process below in detail.

ID    1     2     3     4     5
1     N/A   Yes   No    No    Yes
2           N/A   No    Yes   No
3                 N/A   Yes   No
4                       N/A   No
5                             N/A

By starting with (1-2), I tested through all possible pairs of IDs. Since CEO Zuckerberg’s ID is 4, he is also included in my collected data. More interestingly, the friend lists of some IDs were not visible via a usual web browser.

After this experimental attempt, I realized that privacy could sometimes be compromised through APIs, because APIs could grant access to private information to third-party entities. The access through an API is sometimes freer than the one through normal web pages.

As APIs are more widely used, I think more consideration should be put into privacy concerns in the API area.
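One way a service could close the gap described in this post, shown as an added example that is not part of the original post and is not Facebook's code: the friendship-check call applies the same friend-list visibility rule the profile page would, answers unknown IDs and hidden lists with the same refusal, and caps how many distinct ID pairs one caller may probe. The class, the setting names, the sample IDs and the probe budget are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    """Who may see a user's friend list (hypothetical setting names)."""
    PUBLIC = "public"
    FRIENDS = "friends"
    ONLY_ME = "only_me"


class Denied(Exception):
    """The caller may not learn the answer; the reason is not disclosed."""


@dataclass
class FriendGraph:
    visibility: dict                                # user id -> Visibility
    edges: set = field(default_factory=set)         # frozenset({a, b}) per friendship
    probe_budget: int = 50                          # assumed cap on distinct pairs per caller
    _probes: dict = field(default_factory=dict)     # caller id -> set of pairs asked

    def add_friendship(self, a, b):
        self.edges.add(frozenset((a, b)))

    def _is_edge(self, a, b):
        return frozenset((a, b)) in self.edges

    def can_see_friend_list(self, viewer, owner):
        """The rule the web profile page would apply before rendering the list."""
        setting = self.visibility[owner]
        if viewer == owner or setting is Visibility.PUBLIC:
            return True
        if setting is Visibility.FRIENDS:
            return self._is_edge(viewer, owner)
        return False                                # ONLY_ME

    def are_friends(self, caller, a, b):
        """API entry point: never reveals more than the web page would."""
        if a == b:
            raise Denied()
        pair = frozenset((a, b))
        asked = self._probes.setdefault(caller, set())
        # Enumeration control: repeated questions are free, new pairs are capped.
        if pair not in asked and len(asked) >= self.probe_budget:
            raise Denied()
        asked.add(pair)
        # Unknown IDs get the same refusal as hidden lists, so the call
        # cannot double as an "is this ID valid" oracle.
        if a not in self.visibility or b not in self.visibility:
            raise Denied()
        # A caller always knows their own friendships.
        if caller in pair:
            return self._is_edge(a, b)
        # Conservative choice: a third party needs visibility of BOTH lists,
        # otherwise one user's public list leaks another user's hidden one.
        if self.can_see_friend_list(caller, a) and self.can_see_friend_list(caller, b):
            return self._is_edge(a, b)
        raise Denied()


def probe(graph, caller, a, b):
    """Return 'yes', 'no' or 'denied' for one API call."""
    try:
        return "yes" if graph.are_friends(caller, a, b) else "no"
    except Denied:
        return "denied"


def sample_graph(probe_budget=50):
    """Constructed sample data: six users, four friendships."""
    g = FriendGraph(
        visibility={
            101: Visibility.PUBLIC, 102: Visibility.PUBLIC,
            103: Visibility.FRIENDS, 104: Visibility.ONLY_ME,
            105: Visibility.FRIENDS, 106: Visibility.PUBLIC,
        },
        probe_budget=probe_budget,
    )
    for a, b in [(101, 102), (101, 105), (102, 104), (103, 104)]:
        g.add_friendship(a, b)
    return g


if __name__ == "__main__":
    g = sample_graph()
    app = 900   # constructed third-party caller with no friendships
    for a, b in [(101, 102), (101, 106), (101, 103), (102, 104), (101, 9999)]:
        print(a, b, probe(g, app, a, b))
```
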

Prepared by JinYoung Baik, Donna Leo, and Sarah Van Wart

“Whenever I tell a layperson, or even a lawyer unfamiliar with electronic privacy laws, that the protections for e-mail vary depending upon the duration and location of its storage and whether it has been opened, and that the statutory protections afforded their remotely stored private Web diary or calendar falls short of Fourth Amendment protections, they look at me with disbelief.” (Deirdre K. Mulligan, Reasonable Expectations in Electronic Communications, p. 9)

Storing Our Lives Online: Expanded Email Storage Raises Complex Policy Issues

This article looks at the unintended consequences for a consumer’s privacy protection of the advancement of computer technology and Internet services. The privacy laws were written when on-line remote storage of consumers’ information was not a common practice because it was expensive. Though many on-line service providers have strict privacy policies, they may be difficult for a consumer to find and understand. There are also issues about how the government can gain access to a consumer’s email accounts and other remotely stored information, and whether the subscriber will be notified of this request for information. Since many people are now using the Internet and remote storage of information, it seems a critical time to understand the current protections provided by the service providers and the law, and to develop practices to address these changes.

The advancement of computer technology and Internet services provides a wide range of new services, including free email service, and large storage and searching of personal information. These services enable consumers’ flexible and mobile access to their information, but this raises concerns to privacy protection because the original legal framework for electronic communications did not account for these expansive changes, and the traditional constitutional search and seizure rule and limitations of statutory privacy protections were not developed with the idea that information would be moving from a person’s personal computer onto remote servers.

The changes in communication on the Internet have provided the ability to communicate, store and retrieve information, which is very different from telephone communication because emails can be stored for future use, and service providers have access to a consumer’s stored emails. Starting in 2004, Google, Yahoo, and Hotmail began providing more storage for email subscribers. This change in storage capacity and use was not considered when email privacy laws were written, for at that time email was downloaded to a consumer’s computer, so the issues were not addressed for the storage of email on third party servers accessible via the web, as remote storage. Most consumers were unaware of the implications of storing their information on third party servers instead of their own computers. The current law at this time offered less privacy for a consumer’s communications and information in electronic storage with an ISP or other service providers than for those same communications in ‘transit’, and less than if they were stored on the consumer’s own computer or in printed form.

Under the current government rules, access to a person is protected under the Fourth Amendment, which “shields individuals from unreasonable search and seizures” (p.601). The court determines if a search violates the Fourth Amendment by asking whether an individual’s conduct shows an expectation of privacy, and whether society recognizes this as reasonable. Under these guidelines the Supreme Court has held that the Fourth Amendment protects what is in a person’s home or apartment, his/her physical person, and the content of his/her telephone calls. The court never explicitly ruled on electronic mail (email), yet it has been assumed that the same protection would apply to email in transit, but in the 1970s the Supreme Court held that the Fourth Amendment did not apply to personal information held by third parties. The court reasoned that if a person voluntarily disclosed information, they could not expect to have the same privacy considerations. This ‘business records doctrine’ was developed before the courts knew that service providers would store the content of communications.

In response to these changes, Congress adopted the Electronic Communications Privacy Act (ECPA) in 1986, which set rules requiring a special warrant for the interception of real-time electronic communication in transit, similar to what is required for wiretapping of voice communications. A subset of the ECPA communications rules, the Stored Communications Act (SCA), set guidelines for how the government could gain access to the content of stored emails, the transactional information such as who sent and received the email, and identifying information about the consumers of email services. Much has changed since the SCA was written and it is out of date with the current Internet environment.

The authors conducted a study of current industry practices to determine: when email is deleted for an inactive account, when email is deleted after a request from a consumer, what relatives need to produce to get access to a deceased family member’s email account, whether notice is given to a consumer when a civil subpoena has been issued to get their records, and whether it is clear to consumers if their email is being read by their service provider. They determined that it is difficult to find and understand all the policies for these issues, and that the practices vary from provider to provider.

In analysis of the issue of consumer privacy protection of communications and information, it seems evident that the technology of electronic communication and remote information storage has advanced faster than consumer understanding of the implications, and faster than the laws which were written in response to these changes. The authors recommend that it is essential to address the issues by increased consumer education, ISP disclosure of privacy policies, and the development of more comprehensive ECPA guidelines and other privacy protections.

Key Arguments / Issues
  • What incentive is there for ISPs to fully disclose what their privacy policy is to their customers?
  • What incentive is there for the government to develop more comprehensive guidelines for consumer privacy protections?
  • If the ISPs and/or the government choose not to work towards better privacy protection for consumers, what can consumers do to protect themselves against privacy violations?

A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It

  • Stored Communications Act (SCA) : as part of the ECPA
  • Why does the SCA exist?
    • The Fourth Amendment offers privacy protection in the physical world
    • But these protections may not apply to “virtual homes” in cyberspace; there is uncertainty over whether and when Internet users can retain a “reasonable expectation of privacy” in information sent to network providers; the government may subpoena the materials from the third party without a warrant based on probable cause; since most ISPs are private actors, they can search through all of the stored files on their server and disclose them to the government under the private search doctrine : the Fourth Amendment is inapplicable
    • SCA : to regulate the relationship between government investigators and service providers in possession of users’ private information
  • Entities Regulated by the SCA
    • Two categories of service provider; “electronic communication service” = ECS (send or receive wire or electronic communications); “remote computing services” = RCS (the provision to the public of computer storage or processing services by means of an electronic communications system)
    • Two implications of SCA
      • SCA is not a catch-all statute : the home computer of an end user is not protected by the SCA
      • We need to distinguish between providers of ECS, providers of RCS, and providers that provide neither ECS nor RCS : the classifications of ECS and RCS are context sensitive
  • Compelled Disclosure Rules in Section 2703
    • 180 days or less : to compel a provider of ECS, the government must obtain a search warrant
    • greater than 180 days or RCS : the government has three options
      • the government can obtain a search warrant
      • can use either subpoena or court order pursuant to 2703(d), combined with prior notice to the subscriber or customer
    • noncontent records (logs)
      • the government can obtain a 2703(d) order
      • search warrant / consent of the customer or subscriber / formal written request to the provider
    • basic subscriber information (name, address, etc) : the government can obtain with a mere subpoena
  • Voluntary Disclosure Rules in Section 2702
    • imposes restrictions only on providers to the public
    • providers are free to disclose noncontent information to nongovernment entities
    • eight exceptional circumstances in which voluntary disclosure is allowed
      • content information
        • 1-4 : common sense exceptions
        • 5-8 : deal with specific circumstances in which an individual’s privacy rights give way to other competing interests
      • noncontent information: can be disclosed to nongovernment without restriction
  • upside-down pyramid : allow greater process to include the lesser : the higher up the pyramid you go, the more information the government can obtain (eg. search warrant : compel everything stored in an account)

Key Arguments / Issues:

  • From the government’s perspective, the upside-down pyramid looks effective to compel information from providers. However, what about customers? Given that the government only needs an email less than 180 days in the temporary storage and obtains a search warrant, but they can still get more than 180 days information without any effort – this might cause some privacy problems. Does the SCA have to have more granularity in this upside-down process?
  • Despite this complexity, is the SCA still workable in that it can fill the gap between the Fourth Amendment and protection issues in cyberspace?
  • What’s a more relevant metaphor for internet content — a “storage container” or a “business-doctrine-type” document?


Gonzales v. Google (Motion to Compel Compliance with Subpoena)

The Child Online Protection Act (COPA) was enacted in 1998 to protect minors from exposure to sexually explicit materials on the Internet by prohibiting US-based individuals and entities from knowingly making a communication “for commercial purposes that is available to any minor and that includes material that is harmful to minors.” “Material that is harmful to minors” is defined as material that is obscene or:

  • That the average person, applying contemporary community standards, would find is designed to appeal to the prurient interest.
  • Depicts, describes, or represents, in a manner patently offensive with respect to minors, an actual or simulated sexual act or sexual conduct, an actual or simulated normal or perverted sexual act, or a lewd exhibition of the genitals or post-pubescent female breast.
  • And, taken as a whole, lacks serious literary, artistic, political, or scientific value for minors.

The ACLU claimed that COPA violated First Amendment rights, and filed suit against the attorney general. A series of court hearings took place on the matter:

  • In 2000 (ACLU v. Ashcroft): Preliminary injunction granted against COPA.
  • In 2003 (Ashcroft v. ACLU): Judgment vacated and remanded to the court of appeals for further consideration.
  • 2004 (ACLU v. Ashcroft): Court affirmed the granting of the preliminary injunction.
  • 2005 (Ashcroft v. ACLU): Court upheld the preliminary injunction but said that more evidence was needed to determine that filtering software was less effective than legislation. The Supreme Court requested that each side present evidence of their claim against / for COPA.

In an attempt to gather evidence to prove that legislation was the most effective avenue to protect children from exposure to obscene content, the government requested that various search engines provide a sample of (1) URLs crawled and (2) search terms queried using a “pre-trial discovery subpoena.” All search engines complied with the government’s request except for Google, which claimed that the request was irrelevant, redundant, would disclose customers’ identifying information, would reveal privileged trade secrets, and would place an undue burden on Google.

The government countered Google’s claims by saying that the URLs and search terms would help to characterize the types of websites being queried and the types of queries that were being submitted to search engines. This would in turn help to characterize the extent of obscene content and the effectiveness of filters. The government dismissed Google’s concerns that the search queries would reveal private information or privileged secrets, and said that the request was not burdensome and that the data request was straightforward. The Government ordered that Google comply with the subpoena.

DOJ brief p 20-25

Case No. 5:06-mc-800006-JW Reply Memorandum in Support of the Motion to Compel Compliance with Subpoena Duces Tecum
The Department of Justice decided to investigate whether COPA (Child Online Protection Act) satisfies the requirements of the First Amendment. To do this they chose to study the effectiveness of current filtering software in preventing minors’ access to sexually explicit materials on the Internet. The DOJ requested information from various sources, including Google. The other sources complied with the initial request, and Google did not. This brief is the DOJ’s effort to show the Court that the reasons for Google’s non-compliance are unfounded, and to have the Court make Google give them the data.

A couple of the claims that the DOJ addresses in pages 15-20 are:

  1. Google claimed that by giving the requested information they would risk the loss of users’ confidence. The DOJ argued that this is not true because the information they requested could not identify the users of their search engine. The DOJ further claimed that Google’s reference to their privacy policy and “personal information” disclosure does not make reference to other kinds of data, including aggregation of non-personal information. The DOJ argues that Google’s disclosure of the information requested would not violate their privacy policy.
  2. Google claimed that the subpoena for information violates the Electronic Communications Privacy Act (ECPA). The DOJ argued that Google lacks legal support of this claim. The DOJ goes through an extensive explanation of what types of network service providers are covered under the ECPA, both electronic communication services (ECS) and remote computing services (RCS). The DOJ argues that the Google search engine does not fall within either of these categories, and even if they could be considered a RCS, the Government’s subpoena for information does not violate the ECPA.
Key Arguments / Issues:
  • Is it necessary to re-evaluate the network services provider categories, as defined by the ECPA in 1986, to expand protection for other online service providers ?
  • Currently, does Google have any legal protection against requests for information from the government?
  • Besides their stated objections, why might Google have resisted the government’s request for information?

Google Brief

1. The Production of the Requested Data will result in a chilling effect on Google’s Business and User Trust

  • If Google produces the data to the Government, they will lose credibility among users, because search query content can disclose identities and personally identifiable information

2. Google Should not bear the burden of responding to potentially inadequate process based on ECPA

  • As a provider of Electronic communication service (ECS) : cannot disclose the content of such communications absent strict government compliance with the procedures outlined in Section 2703 : mere subpoena is not enough
  • As a provider of Remote computing service (RCS)
    • ECPA places similar restrictions on the disclosure of stored communications to the government by providers of remote computing services and makes no exception for anonymous or anonymized content
    • Content is off limits under ECPA except in rare cases when procedural safeguards are followed.

CDT (Center for Democracy & Technology) Brief:

In Support of Google’s Opposition to the Motion to Compel of Attorney General Gonzales
In response to the Gonzales v. Google case, the Center for Democracy & Technology (CDT) wrote a brief arguing that the Attorney General’s motion to compel should have been denied, and that COPA will likely not be effective in protecting children from obscene material.

First, CDT explains that (1) since Google is a “remote computing service” (RCS), and (2) search terms are the contents of a communication, the government must follow the procedures outlined in the ECPA to legally compel Google to surrender search terms by obtaining:

  1. A criminal search warrant
  2. An administrative subpoena
  3. A grand jury subpoena
  4. A trial subpoena
  5. A court order issued under subdivision (d) of section 2703 (which is issued if the information being sought is relevant to an ongoing criminal investigation).

Google is a RCS in that it provides computer storage and processing of search queries, indexes, and URLs. Search terms are the transmitted contents of a communication because “signs,” “writing,” and “data” are electronically communicated to the Google search engine. Since the government merely held a “pre-trial discovery subpoena,” Google should not have been expected to comply with the government’s request.

Second, in addition to the failure of the government to follow the appropriate ECPA process, CDT also states that the government shouldn’t be granted one of the subpoenas / warrants listed above because the information it’s demanding from Google isn’t relevant to the COPA case. This is because Google provides search services and indexes URLs internationally, resulting in a non-representative sample of US-based websites. Since COPA only has jurisdiction over US-based websites, the fact that the government is seeking information from international websites will not lead to any valid conclusions regarding how minors in the US gain access to sexual content. CDT also cites a National Academy of Sciences report, which stated that:

“Federal legislation cannot readily govern Web sites outside the United States, even though they are accessible within the United States….even the strict enforcement of COPA will likely have only a marginal effect on the availability of such material on the Internet in the United States….even if the Supreme Court upholds COPA…this does not necessarily mean it is good public policy.”

Conclusion: The motion to compel of Attorney General Gonzales should be denied.

Key Arguments / Issues:
  • Search terms are contents of a communication; Google is a “remote computing service.”
  • Google is being asked to violate Federal Law by complying with the subpoena.
  • Due to the global nature of the internet, the government’s data requests are irrelevant and would not convincingly argue in favor of COPA.
  • CDT, the National Academy of Sciences, the ACLU, and other parties support filtering technology over COPA to more effectively shield minors from obscene content.

Shi Tao entry Wikipedia

In 2005, Shi Tao, a mainland Chinese journalist, writer and poet, was sentenced to 10 years in prison for providing a document from the Communist Party to an overseas website. Yahoo’s service in Hong Kong released the information, which connected Shi Tao to the Chinese government document, and gave the Chinese authorities information to locate the sender of the post. A controversy arose about Yahoo’s business practices of giving sender information to the Chinese government without asking what the information would be used for.

The Chinese authorities took possession of Shi Tao’s computer and documents without any type of warrant. Shi Tao’s attorney protested that the search and seizure and the arrest of his client were illegal, and was later put under house arrest. Also, the Chinese court held a secret hearing, which charged that Shi Tao had leaked state secrets, sentenced him to 10 years in prison, and rejected his appeal of the decision without a hearing.

There was much international reaction to Yahoo’s business practices in this incident, and they were accused of being a “police informant.” Congress began an investigation about this and other similar incidents with representatives from many top Internet providers. Congress later criticized Yahoo for not disclosing full details of their activities during the previous investigation. Shi still remains in prison, and Yahoo later settled with Shi for an undisclosed amount of money.

Key Arguments / Issues
  • What could Yahoo! have done differently?
  • If Shi Tao better understood their privacy policies, might he have acted differently?
  • If Yahoo! offers their services in other countries, are U.S. government consumer privacy protections available to their overseas subscribers?

Skype Accused of Complying with Chinese Spying Program

Skype is being accused of helping the Chinese government spy on its citizens by capturing and storing “offensive” chat messages. At the beginning, Skype was distributed in China by local partner TOM, which has established procedures to meet local laws and regulations. Silverman said that uploading and storing chat messages with certain keywords was not TOM’s protocol and that they are inquiring to find out why the protocol changed. As to a security breach issue, Skype fixed it immediately with TOM, but is currently addressing the wider issue of the uploading and storage of certain messages with TOM.

Key Arguments / Issues
  • Skype seems to evade its responsibility. When a company wants to launch its service in other countries with a local partner, how involved should the original company be in terms of privacy regulation? Is it legitimate to pass its burden to the joint venture company?
  • Is there any requirement on how to design a system in order to cope with other countries’ regulations?

Supplemental Background Information

CNET: Supplemental Information about the Google Case

Reasonable Expectation of Privacy & Business Record Cases
Taken from Deirdre Mulligan’s “Reasonable Expectations in Electronic Communications” (p. 11): A backdrop to the ECPA

Katz v. United States (1967)

  • Court held that the Fourth Amendment protects “people not places”
  • “reasonable expectation of privacy” notion established, which expanded the scope of Fourth Amendment protections for privacy.

Couch v. United States
Court held that subpoenaing an accountant for tax return records provided by a client raised no Fourth Amendment concerns.

United States v. Miller
Court held that individuals have no legitimate expectation of privacy in the phone numbers they dial, and therefore the installation of a technical device (a pen register) that captured such numbers on the phone company’s property did not constitute a search.

After yesterday’s discussion about privacy and transparency, I got an interesting piece of mail upon arriving home. I cancelled my car insurance over the weekend, and they wanted me to know that:

Under the California Privacy Act you…have the right to review the recorded personal information about you that is contained in our insurance records or files.

Further on:

…You must provide us, in writing, with proper identification of yourself and a reasonable description of the information you wish to obtain. If this information can be located and obtained with reasonable effort, we will inform you of its nature and substance within 30 business days….We will also tell you to whom this information has been disclosed within the last two years.

Further still:

You have the right to make a written request that we correct, change, or eliminate any recorded personal information we have about you in the records of files.

Very interesting. What information on me might a past insurer have? Who might they have given it to? I will see if I can find out, and will post back….within 30 business days.

Update: My insurance company eventually sent me something, but it appears that nobody at the organization has any idea about the California Privacy Act, and the only thing they have sent me in response to my requests is a list of claims on my insurance. I followed up a couple times, but it always resulted in confused operators and failed deliveries.

Prepared by Michael Lissner, Jessica Santana and Kentaro Suzuki

SUMMARY OF FTC POLICY STATEMENT ON DECEPTION
- Provides a concrete indication of the manner in which the FTC will enforce its deception mandate.
(The FTC Act Section 5: unfair or deceptive acts or practices are unlawful. Section 12: specifically prohibits false ads likely to induce the purchase of food, drugs, devices or cosmetics. Section 15: defines a false ad for purposes of Section 12 as one which is “misleading in a material respect.”)

3 Elements of deception
(1) There must be a representation, omission or practice that is likely to mislead the consumer.
(2) Examine the practice from the perspective of a consumer acting reasonably in the circumstances. If the representation or practice affects or is directed primarily to a particular group, the Commission examines reasonableness from the perspective of that group.
(3) The representation, omission, or practice must be a “material” one. A “material” misrepresentation or practice is one which is likely to affect a consumer’s choice of or conduct regarding a product.

SUMMARY OF FTC POLICY STATEMENT ON UNFAIRNESS
- Delineates 3 factors of the concept of consumer unfairness:
(1) Unjustified consumer injury
The injury must satisfy three tests: 1) it must be substantial; 2) it must not be outweighed by any countervailing benefits to consumers or competition that the practice produces; and 3) it must be an injury that consumers themselves could not reasonably have avoided.

(2) Violation of public policy
Ask whether the conduct violates public policy as it has been established by statute, common law, industry practice, or otherwise.

(3) Unethical or unscrupulous conduct
Ask whether the conduct was immoral, unethical, oppressive, or unscrupulous.

SUMMARY OF FAIR INFORMATION PRACTICE PRINCIPLES
- 5 core principles of privacy protection common to all of the fair information practice codes issued by government agencies in the US, Canada and Europe.

(1) Notice/Awareness
Consumers should be given notice of an entity’s information practices before any personal information is collected from them.

(2) Choice/Consent
Consumers should be given options as to how any personal information collected from them may be used.

(3) Access/Participation
Consumers should be able to view the data in an entity’s file and to contest that data’s accuracy and completeness.

(4) Integrity/Security
Data should be accurate and secure. Entities must take reasonable steps to assure data integrity. Also, they should take managerial and technical measures to protect the data against loss and unauthorized access, destruction, etc.

(5) Enforcement/Redress
A mechanism to enforce the core principles is needed, such as self-regulation, private remedies and government enforcement.

- In terms of collecting personal information from children, parents should take an important role. Namely, parents should receive the notice and have the means to control the collection and use of personal information from their children. Also, with respect to choice/consent, access/participation and integrity/security, parents should take a role.

RESPONSE TO FTC PAPERS
(1) IP address and personal information
Whether IP addresses are personal information or not is a complicated issue. The FTC decision against Sony BMG pointed out that “These facts (i.e. in order to listen to a CD on a PC, a consumer had to install software that submitted IP addresses and a numerical key identifying the album to BMG’s server, etc.) would be material to consumers in their purchase or use of the CDs.” But the decision didn’t seem to clearly state that IP addresses were personal information.

IP addresses could be used to identify a person in some cases, but not necessarily so. In addition, according to the FTC’s Online Privacy Protection Rule, an IP address would not fall within the definition of “personal information” unless associated with other individual identifiers.

Based on these facts, the reason submitting IP addresses was regarded as “material” seems to be not that the FTC regarded IP addresses as personal information, but that DRM software in general was not expected to submit IP addresses while Sony BMG’s did, and that submitting not only the IP address but also a numerical key identifying a CD would possibly “annoy” an “average” consumer who didn’t want to reveal personal preferences whenever they merely listened to a CD on their PC (even if it was actually difficult to identify who listened to the CD from IP addresses), and would possibly influence their purchasing decisions.

Maybe it was a reasonable decision in light of the FTC’s concept of a “deceptive practice”. But it may be a little doubtful that a general web user, especially a child, recognizes that his/her IP address is submitted to a web server when he/she browses web pages, and that the server administrator can see which user with a specific IP address viewed which pages, and when.

(2) Used CD
The FTC’s order requires Sony BMG to distribute a patch to uninstall the malicious software “for a period of two years after the date that this order becomes final”. However, it is expected that someone will buy Sony’s CDs including the malicious software through used CD stores or eBay after Sony has stopped selling the CDs. Does Sony have no responsibility to distribute a patch to those consumers? Also, does a used CD store, a seller on eBay who sells the CDs, or eBay itself have no liability?

IN THE MATTER OF SONY BMG SUMMARY AND RESPONSE

In the Sony BMG Rootkit Incident, Sony was found by the FTC to have placed software on their music CDs that would use the Autostart function in Windows to install itself onto consumers’ computers. Once installed, the software would phone home to Sony, and report the user’s IP address and an ID of the song and album that was being played. Beyond this, the rootkit had two other major effects. One, it required that users install and use a certain media player for the CD. Two, it created an easily exploited vector that could be (and was) used by nefarious persons to take control of users’ computers. In some cases, this was all done without the user even having agreed to a EULA, or accepted in any way that software would be installed on their computer.

In the aftermath of the discovery of the rootkit, the FTC cited violations of the Federal Trade Commission Act, and routed Sony BMG through its legal apparatus. In addition to Sony BMG having to pay out the nose for its violation of the Act, this incident had disastrous results for the company’s reputation, that of many other companies using DRM, and on DRM itself.

There are a number of issues that are raised in the supplemental reading on this topic, such as the role the DMCA plays in protecting malicious code, the policy dilemma that would lead Sony to make such a decision, the intrigue of Elvis impersonators being hired by one of the top content producers in the world, and the ability of a EULA to give unchecked protection to a product.

Of these issues, a couple questions come to mind. Of course, one must wonder how MediaMax and XCP have survived thus far without Sony destroying them in court. As of the writing of “Magnificence,” Sony BMG and MediaMax were still duking it out. More germane to our class though, the power of the EULA and of the DMCA needs to be addressed. The EULAs used by MediaMax and XCP provided surprisingly good disclosure (all things considered), but is it OK to create a malicious program if it says what it will do in its EULA? So far, the courts seem to say, “Yes, that’s fine.”

With regards to the DMCA, the discussion is around what kinds of protection are granted to security researchers to perform their work. At present, the answer (as we saw in the Ed Felten case) is that security researchers are constantly risking their own livelihood, and that of their organization, by running afoul of the DMCA. Are there ways we can change the incentives around this issue?

ANTI-SPYWARE COALITION BEST PRACTICES

It is ultimately up to the user to determine whether a technology’s behavior is wanted or unwanted, since it may be unwanted in one context and wanted in another.

Behaviors of potentially unwanted technology include:
-    Tracking
-    Advertising display
-    Remote control
-    Dialing
-    System modifying
-    Security analysis
-    Automatic download
-    Passive tracking

Best Practices for potentially unwanted technology include:
-    Value to the User
     o    Offers the user a reason for downloading or installing a piece of potentially unwanted technology
     o    All software tech. sold or given for free should offer value to user.
     o    The value to all impacted users should outweigh risks posed by software tech.
-    Notice
     o    Accurate, accessible, and complete
     o    Prominent if material implications for user privacy, security, and computing experience
-    Consent and Control
     o    Nothing happens without user consent (opt-in).
     o    No requirement for user to consent to collection, use, or disclosure of information beyond what is required to provide the services or applications in question without clear choices for the user.
-    Security
-    Redress

According to last week’s reading, the Canadian government is paying attention to Google Street View in terms of its conflict with Canadian privacy law. The same kind of debate is also happening in Japan.

Google Street View launched in Japan in August 2008, and Google offers the service in 12 large cities and their neighboring areas, including Tokyo, Osaka and Kyoto.

Google Street View in Japan provides the same service as in the US. However, the biggest difference between the urban environments of the US and those of Japan is the average width of streets. In the US, almost all streets have at least 2 traffic lanes with sidewalks, even in residential districts. However, in Japan, streets in residential districts often have only 1 traffic lane, usually without a sidewalk.

In some cases, you can more easily see the name plates of houses, the number plates of cars and even the inside of houses with Google Street View in Japan than with that in the US. (Example: Google Street View in Arakawa district, in Tokyo. You can see the numbers on cars’ plates.)

In Japan, like Canada, there is also an act for the protection of personal information, the Act on the Protection of Personal Information [APPI] (Act No. 57 of 2003) (linked to English version).

APPI basically requires a business operator to acquire consent from a person before providing his/her “personal data” to a third party. However, according to the act’s stipulations, whether Google Street View violates the act or not seems ambiguous, because it is ambiguous whether Google Street View provides “personal data” under the definition the act stipulates. (If you would like to see the related articles of the definition, please see the act, especially article 2(1)-(4) and article 23(1).) There is no court decision or official announcement from the central government about whether Google Street View conflicts with the act or not, as far as I know. (Of course, it is possible that Google has already asked the government whether their service conflicts with the act or not and it has already affirmed the service is legal.)

But, even if it is legal, people’s concerns about violation of their privacy and about an increase in crime still remain. Several local city councils made resolutions that require Google to acquire consent and/or give pre-notification before taking photos, and/or the central government to regulate Google Street View from the point of view of privacy protection.

These resolutions have no legally binding force, but Google changed its policy to try to soften residents’ concerns. It announced that they would notify related municipalities before publishing street views in the municipalities’ areas. However, it is still unclear how Google’s pre-notification is delivered to the residents and whether notification is useful for diminishing concerns about privacy.

(Reference news article (in English): http://mdn.mainichi.jp/mdnnews/national/archive/news/2009/02/04/20090204p2a00m0na017000c.html)