Week 5, Feb 14 ============================== Limits on an employer's ability to do ANYTHING under at-will employment Walsh v Alarm Security Group Walsh was offered a new job. He quit his old one and moved, but was never actually allowed to start. He sued. Decision: should summary judgement be granted to ASG 1. Breach of Contract: summary judgement denied particularly over the issue of moving expenses & loss of prev job 2. fraud: denied; case goes to trial 3. negligent employment: YES: case dismissed 4. Promissory Estoppel: YES/dismissed: cites Paul v Lankenau 5. PA wage law: only applies to wages already earned: YES/dismissed ============================================================================ Technological issues: who decides what "societal expectations" are? Who decides when we have a "reasonable expectation of privacy"? If most people think email privacy is easy to breach, does it lose protection? Is email any easier to spy on than the phone? ============================================================================ Supreme Court, 1963, Katz v United States: US cannot listen in on pay phone conversations: the court adopted a two-pronged test: did you think what you were doing was private? is society willing to accept your belief as objectively reasonable? This is where the Smyth v Pillsbury judge started More email cases: Bourke v. Nissan: California similar: Bourke worked for Nissan; email was reviewed, it was highly personal, she got low evaluation. The email probably but not definitively contributed. Shoars v. Epson: California Alana Shoars was involved in email training at Epson. She found supervisor Hillseth had been printing & reading employee emails. She objected, and removed some of the printouts from Hillseth's office. She also reported the incident to Epson's general manager. Hillseth then had Shoars fired, allegedly because she had asked for a private email account that was not accessible by Hillseth. Epson had informed employees that email was "private & confidential" California had a law prohibiting tapping of telephone lines. *May* have covered other communications, but that part was dismissed on a technicality: tapping alone didn't constitute eavesdropping, and the eavesdropping issue was never brought up. Look at Smyth v Pillsbury another way. Smyth and his lawyers *knew* that he could be fired for any reason, regardless of Pillsbury's promises to the contrary. Smyth was asking for application of the TORT of invasion of privacy to be applied. Tortious invasion of privacy exists, but the standards are high and privacy must be a reasonable exception. In court cases, you can't add 30% of an argument for equitable estoppel and 70% of an argument for tortious invasion of privacy to get 100% of a case. ONE argument must be 100% sound. ============================================================================ Loyola's policy on email: Privacy on University electronic mail systems [1997-1998] http://www.luc.edu/its/policy_email_general.shtml Some protections: Protection against 5,7: If your email is examined because we believe your account has been compromised, any contents implicating you on other matters and associated with your legitimate use of your account will NOT be held against you (except in cases of ????) Protection against 1: If your email is examined accidentally or as part of routine system maintenance, any contents implicating you on any matters will not be held against you (exceptions???) [While these would not be enforceable for staff, they WOULD be for * students: really customers * faculty: if tenured (that is a contract) Legit: 2, 3 [maybe], 4 [but what grounds for suspicion?] Item 6 could be clearer that outside investigations must be part of law enforcement; The University community must recognize that electronic communications are hardly secure and the University cannot guarantee privacy. The University will not monitor electronic mail messages as a routine matter. But the University reserves the right to inspect, access, view, read and/or disclose an individual's computer files and e-mail that may be stored or archived on University computing networks or systems, for purposes it deems appropriate. There may arise situations in which an individual's computer files and e-mail may be inspected, accessed, viewed, read and/or the contents may be revealed or disclosed. These situations include but are not limited to: 1 During ordinary management and maintenance of computing and networking services, 2 During an investigation of indications of illegal activity or misuse, system and network administrators may view an individual's computer files including electronic mail, 3 During the course of carrying out the University's work, to locate substantive information required for University business, e.g., supervisors may be need to view an employee's computer files including electronic mail, 4 If an individual is suspected of violations of the responsibilities as stated in this document or other University policies, 5 To protect and maintain the University computing network's integrity and the rights of others authorized to access the University network. 6 The University may review and disclose contents of electronic mail messages in its discretion in cooperating with investigations by outside parties, or in response to legal process, e.g., subpoenas, ================================================================================ Electronic Communications Privacy Act, 1986: The ECPA has three exceptions that serve to limit its applicability to employer monitoring 1. The provider exception; 2. The ordinary course of business exception 3. The consent exception. Generally, most employer monitoring falls under one of these. Phone surveillance in the workplace Keystroke monitoring Location monitoring Do computers empower workers, or shackle them? =============================================================================== New case: United States v Warshak, 6th circuit Warshak: get a search warrant! US: all we need is subpoena Warshak: spammer promoting "Enzyte" for "natural male enhancement" Are subpoena rules for email overly broad? US argument: users of ISPs don't have a reasonable expectation of privacy. This is clear for employer-provided email, though there's no reason to suppose loss of privacy extends to the government. But what about commercial email? Because a customer acknowledges that Yahoo! has unlimited access to her e-mail, and because she consents to Yahoo! disclosing her e-mail in response to legal process, compelled disclosure of e-mail from a Yahoo! account does not violate the Fourth Amendment. Oops. Lack of confidentiality of banking records was a precedent here. Stored Communications Act, part of ECPA Warshak won, June 2007 Gmail: *all* gmail is "read" at google. Just not necessarily by people. =============================================================================== What if your ISP examined your email? Would it make a difference if the reason was: * to detect terrorism * to detect criminal activity * to detect hacking targeting the ISP * to detect protests about lack of "net neutrality"? ================================================================================ Overarching privacy question: is your personal privacy really being eroded? Does junk mail *really* matter? =============================================================================== Case 3: Westin General social justifications for privacy Autonomy: control of info about oneself Keeping our roles straight: we all play many roles in our lives: Safety valve to allow complaints & expressions of frustration near-universal deviations from social norms: driving too fast padding expense accounts income tax drugs sexual mores setting limits on our communication with others Implicit issue: do we *care* if gov't or anonymous marketers know about us? We do like to regulate what our associates know about u s, though. Need to "not be onstage" sometimes: we need privacy (physical isolation) to reflect on our experiences, and reconsider our moral choices. Havoc done to interpersonal relations by those who are too candid Need to discuss partially formed ideas with a trusted listener friends doctors, lawyers, therapists, pastors What of Westin's issues have to do with electronic monitoring??? =========================================================================== Transparent society / David Brin 1. If you invade privacy, you have to reveal your own personal info. Does this make any sense at all? This is sort of "reciprocity". Tradeoff between provacy and accountability: pseudonymity v anonymity how DO we handle genetic info? Sending "juries" in to listen to the FBI? =============================================================================== =============================================================================== RFID creeping incursions: when do we take notice? Is there a feeling that this "only applies to stores"? no immediate *social* consequences? Is there a *technological* solution? How do we respond to real threats to our privacy? People care about SSNs now; why is that? RFID tags Question: are RFID tags a huge invasion of privacy, touching on our "real personal space", or are they the next PC/cellphone/voip/calculator that will revolutionize daily life for the better by allowing computers to interact with our physical world? all your clothing displays where you bought it "Hello. My underwear comes from Wal*Mart" RFID tags on expensive goods, signaling that I have them Loyola RFID cards RFID v barcodes: unique id for each item, not each type readable remotely without your consent "Kill" function Active and passive tags Are there ways to make us feel better about RFID?? Serious applications: Inventory management Store checkout Access control (eg of people into Lewis Tower, or of cars into a lot) Personnel tracking (knowing where people are) Computer interface to real world Tracking exposure to viral illness embedded in currency as anti-counterfeiting measure [!] Getting devices to detect each other, and interoperate Self-guided museum tours Smart refrigerator: keeps track of dates refrigerator + TV: you only get ads for things you might buy. Smart laundry Where are my keys? Where is my copy of _War and Peace_ consumer recalls compliance monitoring for medications theft reduction Technological elite: those with access to simple RFID readers? Sort of like those with technical understanding of how networks work? 2003 boycott against Benetton over RFID-tagged clothing boycottbenetton.com: "I'd rather go naked" Is the real issue a perception of control? Guenther & Spiekerman Sept 2005 CACM article, p 73 Models: User-control. User implements, in effect, a password Agent model: you delegate access decisions to a software package that understands your privacy preferences Is there a "killer app"? Smart refrigerators don't seem to be it I-Pass is maybe a candidate, despite privacy issues (police-related) Speedpass is another example What about cell phones? They allow us to be tracked, too! What about existing anti-theft tags? They are subject to some of the same misuses. Papers: Eckfeldt: focuses on benefits RFID can bring. Airplane luggage, security [?], casinos, museum visitors Gunther & Spiekermann: it's really about control. We don't want to be broadcasting information about ourselves that we cannot control. But if we *could* control it, perceptions might change. But their actual study doesn't back this up: neither Privacy-Enhancing Technology helped a lot. Fig 2: more interesting RFID applications Ohkubo, et al: leaking information about possessions revealing shopping patterns some technological fixes: eg smart tags if you don't understand these, who will? Stajano: readable only by owner Supports PRICE DISCRIMINATION =============================================================================== =============================================================================== GOVERNMENT privacy ================== Case 4: Patriot II OMIT Patriot 1: allows gov't to search everyone's financial records Patriot 2: DNA database, 15-day warrant-free wiretaps, immunity to businesses providing false information permits spying on american citizens, Old (2001) & new (2006) patriot acts New changes: "Section 215" requests for business/medical records [inc libraries]: must be approved by FBI director or other high-level official also by FISA court must include Statement of Facts Showing Relevance requires minimization procedures for this data adds judicial challenge (by records provider, not subject!) More on National Security Letters: judicial challenge option, etc. Sneak-and-Peek warrants may be issued by Foreign Intelligence Surveillance Court; these warrants are non-public even to the subject. ================================================================== What is "search"? Old-fashioned examples of privacy issues, now kind of quaint: Matching: Should the government be able to do data mining on their databases? In particular, should they be able to compare DBs for: taxes & welfare taxes & social security bank records & welfare? student aid and draft registration? tax & immigration No-fly list, and corrections Other criminal databases; problem of how corrections are made library records - threatened by Patriot I caller ID PATRIOT act: bank records, ISP logs are all things gov't can now demand without a warrant What are our "effects"??? ======================================================================= Govt data collection: what does this really have to do with computing? Govt has resources to keep records on "suspects" even with pencil and paper. Government and e-privacy: * matching between government databases * eavesdropping on internet communications * eavesdropping on the phone (including VOIP) * obtaining commercial records (bank, credit, grocery) * getting search-engine records (google) * transponders: I-Pass, cellphone, RFID * facial recognition * databases of suspicions (Terrorist Information Agency) What if facial recognition were to really take off? What would be the consequences? Do we really have a right to engage in mild rule-breaking? =================================================================== Commercial privacy: How much could merchandisers really DO with lots of info? * people who have recently bought expensive things? * dietary habits, from grocery info * political leanings, based on magazine subscriptions Oscar Gandy and the "panoptic sort": is this really an issue? Web cookies - do they matter? E-bay privacy This one is quite remarkable. What do you think? Fast-food purchases Alcohol purchases Grocery tags To what extent do we really care about any of this? Is it really just about "a few more pieces of junk mail"? Use of databases: credit bureaus for insurance for hiring for apartment leasing apartment-legal-complaints