Week 5, Sept 29 Privacy issues: AOL leak Supreme Court cases College DB event data recorders in automobiles Smyth v Pillsbury, and related cases ================================================================================ Baase's three aspects of privacy (p 45): * freedom from intrusion -- being left alone * control of information about oneself * freedom from surveillance In some sense the first one is really a different category: the need to get away from others. A technological issue here is the prevalence of phones, blackberries, and computers and the difficulty of getting away from work. The third one is to some degree a subset of the second: who gathers information about us, and how is it shared? Another aspect of the third one is freedom from GOVERNMENTAL spying. Privacy is largely about our sense of CONTROL of who knows what about us. We willingly put info onto facebook, and are alarmed only when someone reads it who we did not anticipate. ====================================== Privacy from the government This tends not to be quite as much a COMPUTING issue, though facial recognition might be an exception. "Matching" was an exception once upon a time. To large extent, we'll deal with this one later. Commercial data, based on transaction history Primary use is some sort of marketing Other data legal, workplace, medical, etc Traditional "paper" data; computerized issue is easy/universal access to it personal facebook, etc ====================================== Some data collection that we might not even be aware of: * browser-search data * web cookies * automobile event recorders Event data recorders in cars: lots of cars have them. * fresh-values / preferred card LOTS of people are uneasy about privacy issues here My local Jewel never asks for Preferred cards for alcohol sales * street-level car cameras * street-level pedestrian cameras * bookstore purchases * library records * RFID data ====================================== Baase p 48: search-query data: Google case, AOL leak. AOL leaked 20,000,000 queries from ~650,000 people. MANY of the people involved could be individually identified, because they: * searched for their own name * searched for their car, town, neighborhood, etc Many people searched for medical issues. Google: "aol search data release" Wikipedia: "AOL_search_data_scandal" Thelma Arnold Google strongly resisted releasing "anonymized" search data to the government. What would make search data sufficiently anonymous? What constitutes "consent" to a privacy policy? Are these binding? (Probably yes, legally) ====================================== Event data recorders in automobiles Who owns the data? Should you know it is there? What if it's explained on page 286 of the owners manual? Should it be possible to use it AGAINST you? google: "automobile event data recorder" wikipedia: "Event_data_recorder" ====================================================================== ====================================================================== SCOTUS cases on privacy -- Baase pp 69ff 1928: Olmstead v United States: 4th amendment does NOT apply to wiretaps 1967: Katz v United States 4th amendment does too apply to wiretaps! Privacy may still exist in a public area "reasonable expectation of privacy" (REoP) Problem with REoP: as technology marches on, isn't our reasonable expectation diminished? And does this then give the government more license to spy? 1976: US v Miller info we share with others (eg our bank) is NOT private. Government can ask the bank, and get this information, without a warrant. (However, the bank could in those days refuse.) 1979: Smith v Maryland: it is not SUPPOSED to. However, in that case the supreme court ruled that "pen registers" to record who you were calling did NOT violate the 4th amendment. 2001: Kyllo v United States Thermal imaging of your house IS a 4th-amendment search! Video surveillance -- Baase p 72 Big issue in Chicago: there are both "obvious" and "hidden" cameras 2001 Super Bowl: Tampa police used facial-recognition software on all 100,000 fans. London: heavy camera use to: * charge tolls for driving into central london during rush hour * enforce youth curfews London in 2005: * report indicating cameras had little effect on crime * (after the report) cameras helped identify subway bombers ============================================================================== Facebook/MySpace: When did Facebook stop being "closed"? Did anyone care? Facebook, MySpace, google, deja news, and dating deja.com (now run by google) Facebook mini-feeds, Baase p 55 Allowed active notification to your friends whenever you change your page. Why is this a privacy issue? ====================================== Baase p 61: case study on federal DB on all US college students. Benefits: * tracking graduation records * tracking how programs & funding affect student performance Drawbacks: * cradle-to-grave tracking of behavior issues, sometimes unsubstantiated * identity theft * errors Is such a database a good idea? Related "database-matching" issue: should the government be able to link databases of: * men receiving student aid * men registered with the selective service (draft)? ====================================================================== ====================================================================== Workplace privacy of email ========================== One fairly basic principle the courts have used is whether or not one has a "reasonable expectation of privacy". Smyth v Pillsbury, 1996 Summary: Michael Smyth worked for Pillsbury, which had a privacy policy governing emails that said Pillsbury would NOT use emails against employees, and that emails "would remain confidential and privileged" Specifically, Pillsbury promised that e-mail communications could not be use against its employees as grounds for termination or reprimand. Federal District Court within Pennsylvania, 1996 Case was dismissed after a preliminary hearing (not a trial) Smyth and his boss exchanged emails in which marketing employees were discussed in an unflattering light. The phrase "kill the backstabbing bastards" appeared. Smyth sued for wrongful termination. He lost. Whatever happened to the CONTRACTUAL issue? Hint: long history of cases upholding "employment at will" doctrine. Judge: Charles Weiner How would the case have been different if: pillsbury had an email policy allowing such access? pillsbury had no policy at all? What are employers' interests in email exchange? Were the emails read out-of-context? (that is, Smyth and his boss were just being aggressive) Circumstances when you CANNOT just fire someone: contractual or union protections firing for refusal to do illegal acts firing for racial, ethnic, & religious discrimination (civil rights act) firing for age discrimination whistleblower protection Americans with Disabilities Act protections Does OWNERSHIP matter? No!! ownership of a phone ownership of stationery ownership of an apartment building ========================================================================== # Smyth v. Pillsbury: Pennsylvania # Bourke v. Nissan: California similar: Bourke worked for Nissan; email was reviewed, it was highly personal, she got low evaluation. The email probably but not definitively contributed. # Shoars v. Epson: California Alana Shoars was involved in email training at Epson. She found supervisor Hillseth had been printing & reading employee emails. She objected, and removed some of the printouts from Hillseth's office. She also reported the incident to Epson's general manager. Hillseth then had Shoars fired, allegedly because she had asked for a private email account that was not accessible by Hillseth. Epson had informed employees that email was "private & confidential" California had a law prohibiting tapping of telephone lines. The law may have covered other communications, but that part was dismissed on a technicality: tapping alone didn't constitute eavesdropping, and the eavesdropping issue was never brought up. Discuss Smyth v Pillsbury: Contract v Tort Judge held that corporate eavesdropping is not offensive. Duh. (Could it be offensive IF the company had promised not to??) Judge says Smyth lost because email was "utilized by entire company" and Smyth's emails were "voluntary". Were they? Reasonable expectation of privacy does NOT mean the search is "offensive" Only searches that are "offensive" would allow legal action regarding firing of an "at-will" employee. Judge: Pillsbury's actions did not "tortuously" invade privacy unstated by judge: prevention of sexual harassment as justification. Arguably, though, this kind of talk between "buddies", with the self-image projected to fit that context, is EXACTLY what some interpretations of privacy are about. Not all context is "professional". What if Pillsbury recorded water-cooler or bathroom conversation? What the heck *is* a "reasonable expectation of privacy"??? "In the absence of a reasonable expectation of privacy, there can be no violation of the right to privacy." Could Smyth have sued for DAMAGES, instead of reinstatement? Footnote to judge's ruling: [eh-STOP-uhl] FN2. Although plaintiff does not affirmatively allege so in his Complaint ... the allegations in the Complaint might suggest that plaintiff is alleging an exception to the at-will employment rule based on estoppel, i.e. that defendant repeatedly assured plaintiff and others that it would not intercept e-mail communications and reprimand or terminate based on the contents thereof and plaintiff relied on these assurances to his detriment when he made the "inappropriate and unprofessional" e-mail communications in October 1994. The law of Pennsylvania is clear, however, that an employer may not be estopped from firing an employee based upon a promise, even when reliance is demonstrated. Paul v. Lankenau Hospital, 524 Pa. 90, 569 A.2d 346 (1990). Jurisdiction problems: what if one party to an email lives in a state that grants statutory privacy protections? This problem comes up all the time with phone calls: Plaintiffs: Kelly Kearney, Mark Levy; worked for company acquired by Worldcom. Worldcom case: Plaintiffs calls were recorded in Georgia, but plaintiffs were calling from California, which forbids that without notification of ALL parties. Massachusetts case: jurisdiction depends on *where* wiretapping physically took place, not where the speakers were. How does telephony relate to email? What *is* our expectation of privacy? What about personal use of gmail account, while at work? What about use of, say, a personal gmail account while at work? If employer monitors transactions with gmail.com? If employer obtains email from google directly? luc.edu/its/policy_email_general.shtml Persistence: email sticks around, although people USE it as if it were like the phone. ============================== Paul v Lankenau Hospital 524 Pa. 90, 93, 569 A.2d 346,348 (1990) ============== ======================= PA court Atlantic Reporter reference 2nd Series, vol 569 Starts page 346, actual reference on page 348 Dr Parle Paul, MD, would take home discarded hospital equipment. He would sell it or send it to clinics in Yugoslavia, his homeland. He got permission to take five discarded refrigerators. Unfortunately, he apparently did not have the RIGHT permission. Oops. He was fired, and filed suit for reinstatement and for defamation. A jury trial resulted in a verdict in Paul's favor, both for damages and reinstatement. Superior court affirmed. From the appellate decision: Equitable estoppel is not an exception to employment at-will. The law does not prohibit firing of an employee for relying on an employer's promise. Exceptions to the [at-will firing] rule have been recognized in only the most limited curcumstances, where discharges of at-will employees would threaten clear mandates of public policy. [some such: racial/ethnic discrimination, whistleblowing, refusal to commit illegal acts, unionizing, ...] Look at this another way. Smyth and his lawyers *knew* that he could be fired for any reason, regardless of Pillsbury's promises to the contrary. Smyth was asking for application of the TORT of invasion of privacy to be applied. A "tort" is essentially a common-law right that has been breached, as opposed to a contractual right. Tortious invasion of privacy exists, but the standards are high and privacy must be a reasonable exception. In court cases, you can't add 30% of an argument for equitable estoppel and 70% of an argument for tortious invasion of privacy to get 100% of a case. ONE argument must be 100% sound. ======================================== Who decides when we have a "reasonable expectation of privacy"? If most people think email privacy is easy to breach, does it lose protection? Is email any easier to spy on than the phone? ============================================================================