Ethics week 5

Ethics Week 5

Privacy

Dozier Law and Sue Scheff

Sue Scheff was a client of Dozier Internet Law, which we looked at last week. She won an $11.3 million dollar verdict in her internet-defamation case; she later wrote a book Google Bomb. The defendant was Carey Bock of Louisiana.

But see http://www.usatoday.com/tech/news/2006-10-10-internet-defamation-case_x.htm. It turns out Ms Bock couldn't afford an attorney, as she was at the time of the case a displaced person due to Hurricane Katrina, and she did not appear in the case at all.

So we don't really know what happened. However, it is clear that at this point Ms Scheff has become a master at reversing being google-bombed; if you google for her name, her multiple blogs touting her book will likely lead the list.

Kindle case

see:
    http://online.wsj.com/article/SB123419309890963869.html
    http://www.engadget.com/2009/02/11/know-your-rights-does-the-kindle-2s-text-to-speech-infringe-au
    http://mbyerly.blogspot.com/2009/02/authors-guild-versus-amazon-kindle-2.html

The kindle is intended primarily for letting people read e-books. However, it also has a feature to read the book to you, using a synthesized voice. This potentially affects the audiobook market.

The Authors Guild has protested vehemently. They may or may not have filed a lawsuit against Amazon.

pro-kindle arguments:

Book publishers have already agreed to kindle distribution
the synthetic voice has no inflection or emotion
The synthetic voice does not constitute a "performance"
No copy is made [is this a legitimate argument?]
Amazon is a leading seller of audiobooks; arguably they don't see a negative effect on the market.
what about reading for the blind?
what about conventional-text-to-braille scanners?
existing audiobook formats (CDs) are unsatisfactory
use is transformative

anti-kindle arguments

The kindle infringes on the right to create audio recordings of books
creation of a spoken "performance" is not a right that was granted by purchasing the text.
publishers thought this was a text-only deal
people who buy e-books to listen to while driving now may not buy the audio book.

Privacy

Some things we want to keep private:

past lives
life setbacks
medical histories
mental health histories, including counseling
support groups we attend
organizations of which we are members
finances
legal problems (certainly criminal, and often civil too)
alcohol/drug use
tobacco or alcohol purchases
most sexual matters, licit or not
pregnancy-test purchases; contraceptive purchases
private digressions from public facade
different facades in different settings [friends, work, church]
comments we make to friends in context
the fact that we went to the bar twice last week
the fact that we did not go to the gym at all last week
minor transgressions (tax deductions, speeding, etc)

In keeping these sorts of things private, are we hiding something?

Why do we care about privacy? Is it true that we wouldn't care if we had nothing to hide? What about those "minor transgressions" on the list? Are they really minor?

Or is is true that "we live 'in a nation whose reams of regulations make almost everyone guilty of some violation at some point'" [Baase p 69]

Once upon a time (in the 1970's) there was some social (and judicial) consensus that private recreational drug use was reasonably well protected: police had to have some specific evidence that you were lighting up, before they could investigate. Now, police are much more free to use aggressive tactics (eg drug-sniffing dogs without a warrant, though they can't use thermal imaging without a warrant).

Is this a privacy issue?

On page 47, Baase quotes Edward J Bloustein as saying that a person who is deprived of privacy is "deprived of his individuality and human dignity". Dignity? maybe. Individuality? Is there some truth here? Or is this overblown?

On page 67, Baase quotes Justice William O. Douglas as saying, in 1968,

In a sense a person is defined by the checks he writes. By examining them agents get to know his doctors, lawyers, creditors, political allies, social connections, religious affiliation, educational interests, the papers and magazines he reads, and so on ad infinitum.

Nowadays we would add credit-card records. Is Douglas's position true?

Privacy from the government

This tends not to be quite as much a COMPUTING issue, though facial recognition might be an exception. "Matching" was an exception once upon a time. Interception of electronic communications generally fits into this category; the government has tried hard to make sure that new modes of communication do not receive the same protections as older modes. They have not been entirely successful.

To large extent, we'll deal with this one later.

One of the biggest issues with government data collection is whether the government can collect data on everyone, or whether they must have some degree of "probable cause" to begin data collection. On p 73 of Baase there is a paragraph about how the California Department of Transportation photographed vehicles in a certain area and then looked up the registered owners and asked them to participate in a survey on highway development in that area. Why might that be a problem?

Canadian position: government must have a "demonstrable need for each piece of personal information collected".

Commercial data, based on transaction history
    Primary use is some sort of marketing

Other data
    legal, workplace, medical, etc
    Traditional "paper" data;
    The computerization issue is easy/universal access to such data

personal
    facebook, etc

Some data collection that we might not even be aware of:

browser-search data from google
ISPs and browser-search data
web cookies
automobile event recorders
Event data recorders in cars: lots of cars have them.
fresh-values / preferred card
LOTS of people are uneasy about privacy issues here, but specific issues are hard to point to.
My local Jewel never asks for Preferred cards for alcohol sales
street-level car cameras
street-level pedestrian cameras
bookstore purchases
library records
RFID data

Baase p 48: search-query data: Google case, AOL leak.
In August 2006, AOL leaked 20,000,000 queries from ~650,000 people. MANY of the people involved could be individually identified, because they:

searched for their own name
searched for their car, town, neighborhood, etc

Many people searched for medical issues.

Wikipedia: "AOL_search_data_scandal"
Thelma Arnold

Mirror site: http://gregsadetsky.com/aol-data/

Google strongly resisted releasing "anonymized" search data to the government.

What would make search data sufficiently anonymous?

What constitutes "consent" to a privacy policy?
Are these binding? (Probably yes, legally, though that is still being debated)

Have we in any way consented to having our search data released?

Event data recorders in automobiles

Who owns the data? Should you know it is there?

What if it's explained on page 286 of the owners manual?

Should it be possible to use it AGAINST you?

See wikipedia: "Event_data_recorder"

Caller ID

When it first came out in the early 1990's, Caller ID was widely seen as a privacy intrusion. That is, it took away your "right" to call someone anonymously. Actually, that is a plausible right if you're calling a commercial enterprise; if you don't want them calling you back, you should be able to refuse to give them your number.

Within a decade, Caller ID was widely seen as a privacy boost: you could control who could interrupt you. This is privacy in sense #2 above; the original issue was privacy in sense #1.

Caller ID never caught on with stores; it did catch on with ordinary people.

Is there any right to phone someone anonymously? What if you're trying to give the police a tip? What if you're a parole officer?

RFID

This makes a lot of sense for inventory management. But suppose the tags are not deactivated when you leave. Then anyone with a portable scanner can identify all the tagged items you have with you:

electronics
eyeglasses
clothing
passport
???

You might carry such broadcasting tags because you didn't know about them. But you might carry them even if you did, if that was the only (or most convenient) way to be sure of being able to return things.

Personalization

We understand that all sorts of online purchasing information is collected about us in order for the stores to sell to us again. Whenever I go to amazon.com, I am greeted with book suggestions based on past purchases. But at what point does this information cross the line to become "personalized pitches"?

What if the seller has determined that we are in the category "price-sensitive shopper", and they then call/mail/email us with pitches that offer us the "best price" or "best value"? (See the box on Baase, p 78, for a related example.)

Political parties do this kind of personalization all the time: they tailor their pre-election canvassing to bring up what they believe are the hot-button issues for you personally.

SCOTUS cases on privacy -- Baase pp 69ff

1928: Olmstead v United States: 4th amendment does NOT apply to wiretaps

1967: Katz v United States
4th amendment does too apply to wiretaps! Privacy may still exist in a public area.
Katz was using a pay phone; the FBI had a microphone just outside the phone booth. To the appellate court, the fact that the microphone did not intrude into the phone booth was significant in finding for the FBI, but the supreme court reversed.
Doctrine of "reasonable expectation of privacy" (REoP) replaced the doctrine of "physical intrusion"

Problem with REoP: as technology marches on, isn't our reasonable expectation diminished? And does this then give the government more license to spy?

1976: US v Miller
information we share with others (eg our bank) is NOT private. Government can ask the bank, and get this information, without a warrant. (However, the bank could in those days refuse.)

1979: Smith v Maryland: reduction of REoP by the police is not SUPPOSED to diminish our 4th-amendment rights. However, in that case the supreme court ruled that "pen registers" to record who you were calling did NOT violate the 4th amendment.

http://caselaw.lp.findlaw.com/scripts/getcase.pl?navby=CASE&court=US&vol=442&page=735

Application of the Fourth Amendment depends on whether the person invoking its protection can claim a "legitimate expectation of privacy" that has been invaded by government action. This inquiry normally embraces two questions: first, whether the individual has exhibited an actual (subjective) expectation of privacy; and second, whether his expectation is one that society is prepared to recognize as "reasonable."

First, we doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must "convey" phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial....

If you want to keep a number private, don't call it!

Note the crucial issue that the defendant voluntarily shared the number with the phone company!

Justices Stewart & Brennan dissented

The telephone conversation itself must be electronically transmitted by telephone company equipment, and may be recorded or overheard by the use of other company equipment. Yet we have squarely held that the user of even a public telephone is entitled "to assume that the words he utters into the mouthpiece will not be broadcast to the world." Katz v. United States

What do you think of this distinction? Is there a difference between sharing your phone number with the phone company and sharing your actual conversation with them?

2001: Kyllo v United States
Thermal imaging of your house IS a 4th-amendment search! This is a very important case in terms of how evolution in technology affects what is a REoP

http://www.law.cornell.edu/supct/html/99-8508.ZS.html

Held: Where, as here, the Government uses a device that is not in general public use, to explore details of a private home that would previously have been unknowable without physical intrusion, the surveillance is a Fourth Amendment “search,” and is presumptively unreasonable without a warrant.

How long into the future will this hold? Could it be that part of the issue was that the general public was not very aware of the possibility of thermal imaging?

I believe there was a trial-level civil case in which a judge ruled that eavesdropping on someone else's phone call made on an old-fashioned cordless phone (remember those?) was not an invasion of privacy because no one had a "reasonable expectation of privacy" when using a cordless phone because "everyone" knew that it was easy to listen in to someone else's call simply by playing with the channel button. However, I cannot find this case.

Video surveillance -- Baase p 72

This is a big issue in Chicago, where there are both "obvious" and "hidden" cameras.

2001 Super Bowl: Tampa police used facial-recognition software on all 100,000 fans.

London: heavy camera use to:

charge tolls for driving into central london during rush hour
enforce youth curfews

London in 2005:

report indicating cameras had little effect on crime
(after the report) cameras helped identify subway bombers

What about the rate of false positives?

Should the London cameras be used to track lesser crimes, such as pickpocketing?

Facebook/MySpace:

When did Facebook stop being "closed", ie access was limited to your "network"? Did anyone care?

Facebook, MySpace, google, deja news, and dating

deja.com (now run by google)

Facebook mini-feeds, Baase p 55
Allowed active notification to your friends whenever you change your page. Why is this a privacy issue?

I note that lots of people have left these enabled.

ChoicePoint and Acxiom

Look at the websites. Are these sites bad?

What if you are hiring a youth worker?

ChoicePoint sells to government agencies data that those agencies are often not allowed to collect directly. Is this appropriate?

ChoicePoint might argue that it is similar to a credit bureau, though exempt from the rules of the Fair Credit Act because they don't actually deal with credit information.

Baase p 60: "At least 35 government agencies are or were clients of ChoicePoint". Some of the data collected (again from Baase):

credit data
divorce, bankruptcy, and other legal records
criminal records
employment history
education
liens
deeds
home purchases
insurance claims
driving records
professional licenses.

From the Acxiom website (http://www.acxiom.com/products_and_services/background_screening/faq/Pages/FAQs.aspx)

Must I supply applicants’ dates of birth?

Date of birth is critical to the criminal record search process. The majority of courts use date of birth as a primary identifier, but please note that a handful actually require this piece of information to process requests. However, Acxiom offers alternative options to customers who are unable to supply this information. Our toll-free Applicant Date of Birth Line allows applicants to call and register date of birth information via a touchtone answering system. Acxiom then retrieves this information for use in the search process, subsequently reporting “match” or “non-match” record results to the customer while never divulging the specifics of the date of birth. Additionally, date of birth information may be confidentially submitted via a specially dedicated URL (www.acxiomdob.com) that forwards applicants to an internal 128-bit SSL encrypted website where they are prompted to enter the needed information.

Why is this an issue?

Baase p 61: case study on federal DB on all US college students. The database would list all courses taken, with grades; it would also include loan and scholarship records.

Good example of a fairly common situation: creation of a new database containing confidential information.

Benefits:

tracking graduation records
tracking how programs & funding affect student performance

Drawbacks:

cradle-to-grave tracking of behavior issues, sometimes unsubstantiated
potential availability to employers, etc
identity theft
errors

Is such a database a good idea?

What if in 2012 a law is passed giving prospective employers access to the data, if the job applicant signs a consent form? What do you think would happen if you refused to sign?

Related "database-matching" issue: should the government be able to link databases of:

men receiving student aid
men registered with the selective service (draft)?

Joe the Plumber

aka Samuel Joseph Wurzelbacher

He went to an Obama rally and asked a serious question about Obama's tax plan (in which he apparently confused income with profit). Obama made his "spread the wealth" remark in response. After this was in the press, McCain ran with it, and referred to him multiple times in the debate, as a symbol of middle-america and small businesses.

One reporter (in a print newspaper column I failed to save) argued that Wurzelbacher should have no expectation of privacy. At what point does this become true? Is it true of Obama? Was it true for Palin, or McCain? Wurzelbacher did try to capitalize on his sudden fame, and some might argue that in doing so he lost his expectation of privacy. But suppose he had tried to remain a private citizen?

Allegations about him:

no license (but he wasn't a contractor; he might need a journeyman's license; this is unclear)
back taxes: $1,182 to Ohio
child support: Helen Jones-Kelly: director of Ohio Dept of Job & Family Services, authorized a check on Wurzelbacher's child-support payments. Julie McConnell, of the Toledo Police Dept, was charged also. Apparently neither case went anywhere, but Jones-Kelly later resigned.
divorce records: 2006 income was $40K
voter records: he's registered, but his last name was misspelled "Worzelbacher"
related to Robert Wurzelbacher (not!), son-in-law of Charles Keating & convicted of Savings & Loan fraud; RW served 40 months in prison

Lucas county clerk of courts: http://apps.co.lucas.oh.us/onlinedockets/Default.aspx

Search for "Wurzelbacher".

Is the availability of this kind of search appropriate?

See also Baase, §2.3.5, on Public Records. Her examples include:

records on everyone who gave more than $100 to a political candidate
records on flight plans of executive aircraft, as a way of tracking the position of the CEO
judges financial-disclosure forms. Formerly, you had to show your ID to get access; now it's online. These forms show where judges' family members work and go to school.

What of the above is legitimate to talk about for a private citizen?
At what point did Wurzelbacher stop being a private citizen?

Wurzelbacher asked Obama a financial question. Does this make W's income and taxes fair game? What about his child-support records?

Aw, to hell with facts: see http://www.slate.com/id/2202480

Search records and computer forensics

In 2002, Justin Barber was found shot four times on a beach in Florida. None of his injuries were serious. His wife April, however, had been shot dead. Barber described the event as an attempted robbery.

There were some other factors though:

Barber had recently taken out a large life-insurance policy on his wife
Barber was having an affair
Barber was heavily in debt
April Barber's family was sure Justin did it

Police searched Barber's computer for evidence of past google searches. They apparently did not contact google directly. Barber had searched for information on gunshot wounds, specifically to the chest, and under what circumstances they were less serious. Barber was convicted.

More at: http://news.cnet.com/8301-13578_3-10150669-38.html

Case of Lee Harbert:
Harbert's vehicle struck and killed Gurdeep Kaur in 2005. Harbert fled the scene. When arrested later, his defense was that he thought he had hit a deer. But his on-computer searches were for
    "auto glass reporting requirements to law enforcement"
    "auto glass, Las Vegas" (the crime was in California)
    "auto theft"
He also searched for information on the accident itself. Harbert too was convicted.


more at http://news.cnet.com/8301-13578_3-10143275-38.html

How does this relate to the AOL search-data leak, and Thelma Arnold?
While none of those individuals was charged with anything, some of their searches (particularly those related to violent pornography) are rather disturbing.

Articles:
http://www.techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data
href="http://en.wikipedia.org/wiki/AOL_search_data_scandal

See http://gregsadetsky.com/aol-data for the actual data.

Question: Is it ethical to use the actual AOL data in research? What guidelines should be in place?

Are there other ways to get legitimate search data for sociological research?

Where is google-search-history stored on your computer?

Theories of Privacy

Is it obsolete?

See Baase, p 92. Is it true that "young people of today" are not as concerned about privacy?

Warren and Brandeis, 1890

(Louis Brandeis later became a supreme-court justice.) They argue for the prinicple of "inviolate personality" that gives everyone specific rights regarding their personal information. Their primary concern was apparently newspaper gossip columns. Their argument was that repeating "private" information about someone violated a fundamental right. Baase, p 106.

Problems arise here because Warren and Brandeis were not able to formulate precisely what was meant by an "inviolate personality", or to explain at what point your rights to your inviolate personality give way to the Public's Right To Know. For government officials, for example, the right of the voters to know what they are really like might be very important.

Another issue is that WB seemed most concerned with publication of data that violated our privacy. What if it is just made available to a selected few? Employers? People on some committee at our church? Car-rental agencies? People with some self-defined Need To Know, such as our annoying neighbors? This is not normally understood to be publication.

Thomson, 1975

Judith Jarvis Thomson argued against the WB position, claiming that every time a privacy right is violated, there is in fact some other, more concrete, right being violated. Hence, we do not need special privacy rules. One of her examples is the Magazine Scenario: if you don't want people to read it, you can keep it private. If they break into your house, they have broken the law. If someone interrogates you violently and thus obtains private information, the real issue is the violence and not the privacy invasion. If a company reveals information about you in a way that is contrary to their own privacy policy that you accepted, they are violating your contractual rights. A less-clear example is the Shower Scenario: she argues that if someone peeps at you while you shower, they have violated your "right to your person". Is this just a WB-style privacy right, or is the "right to your person" more concrete and limited?

Others have tried to find examples where your right to privacy was violated, but no other rights were. What if someone reads your email? Are there other rights involved besides your right to privacy?

Transactions

On pp 108-109, Baase describes a scenario involving Joe, Maria, and some potatoes. Joe buys the potatoes from Maria; Maria sells the potatoes to Joe. Who owns the information about the transaction? Either party might want the information kept private; does the other party then have an obligation to keep it so? Or does the privacy-concerned party have to add that into the contract up-front, so that if Joe wants it private then he might have to pay more, or if Maria wants it private then she might have to charge less?

Who is the transaction about?

In the real world, sellers are often large corporations. When we as individuals buy things, the balance of power is skewed in favor of the larger seller. Does this change things?

Property Rights to Personal Information

Do we have such rights? What about "negative" information, such as

tenant payment information or activism
driving records
credit information

One immediate issue is the transactions one: is a tenant's late-payment history their property, or the landlord's? Judge Richard Posner argued that personal information that is not "expensive" in the economic sense should receive more protection.

Free-market privacy

[Baase 114] The argument here is that our information is something we have a right to sell. We are informed consumers, and if we want to sign up for a Dominick's Preferred Card, we have a right to. Similarly, we have the ability not to share our personal information with websites that do not have good privacy policies, and Baase has argued that many websites have as a result of this become very interested in their privacy policies [Baase p 77, p 104]. Or is it just that companies don't want the bad publicity that comes with a bad privacy policy plus an incident?

This approach to privacy means that we just accept that we can't get the lowest prices and privacy, or we can't get certain websites without advertising, or certain jobs without waiving our rights to certain private information.

In terms of protection of our personal data in the hands of corporations, this approach suggests that businesses will protect our data because they don't want the liability that comes with accidental release. Specific regulations are not necessary.

Our right to privacy here is the negative right, or liberty, not to share our personal information.

Consumer protection and privacy (not started week 6)

[Baase 115] The alternative approach is that we need lots of government regulations to protect ourselves, because we just can't keep track of all the implications of revealing each data item about us. There should be rules against keeping certain data, even with our consent, because society can't be sure such consent is freely given.

Large corporations with our data have an unequal share of the power. We need fundamental positive rights that say others have an obligation to us not to do certain things with our data (like share it).

This approach is likely to lead to an "opt-in" requirement for use of private data, rather than an "opt-out".

Are we hiding something?

Well, are we? If we do not consent to surveillance of everything we're doing, are we hiding something? The obvious answer is "yes", but are we hiding something that our neighbors or the government have a right to know?