<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Because I am Here &#187; Titus</title>
	<atom:link href="http://www.aarontitus.net/blog/author/titus/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.aarontitus.net/blog</link>
	<description>Aaron Titus' Personal Blog</description>
	<lastBuildDate>Tue, 13 Jul 2010 20:45:30 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.3</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Draft NSTIC Request</title>
		<link>http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/</link>
		<comments>http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 19:47:59 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/</guid>
		<description><![CDATA[The White House and Department of Homeland Security have recently released a public draft of the National Strategy for Trusted Identity in Cyberspace (NSTIC). The NSTIC outlines an ambitious identity management strategy for the United States, but public discussion has been extremely limited. The NSTIC is a very significant policy document which may have an [...]]]></description>
			<content:encoded><![CDATA[<p>The White House and Department of Homeland Security have recently released a public draft of the National Strategy for Trusted Identity in Cyberspace (NSTIC). The NSTIC outlines an ambitious identity management strategy for the United States, but public discussion has been extremely limited. The NSTIC is a very significant policy document which may have an impact on internet commerce, online speech, identity management, identity trust frameworks, and online anonymity. We, the undersigned, are concerned that the current public comment period is insufficient for a policy document of this magnitude and request an extension of the public comment period in order to pursue public dialog.</p>
<p>A policy of this magnitude should be given at least a 90 day public comment period. However, public discussion has been limited and the discussion period is almost over. Therefore, we request that the public comment period be extended for at least 30 days to facilitate more robust public discussion. We also request that subsequent public comment periods on this topic extend for at least 90 days.</p>
<p>We are concerned that the NSTIC is silent on an implementation timeline and other significant details currently missing from the draft. We request clarification on the agency’s proposed timeline and process. We also request an opportunity to convene an in-person discussion with an appropriate White House or DHS official to discuss this important matter and engage in further public discussion.</p>
<p>We look forward to supporting your efforts to engage a robust public discussion on the NSTIC.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/07/13/draft-nstic-request/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Oral and Written Testimony of Aaron Titus Before the Senate Committee on Homeland Security and Governmental Affairs on May 5, 2010</title>
		<link>http://www.aarontitus.net/blog/2010/05/25/oral-and-written-testimony-of-aaron-titus-before-the-senate-committee-on-homeland-security-and-governmental-affairs-on-may-5-2010/</link>
		<comments>http://www.aarontitus.net/blog/2010/05/25/oral-and-written-testimony-of-aaron-titus-before-the-senate-committee-on-homeland-security-and-governmental-affairs-on-may-5-2010/#comments</comments>
		<pubDate>Tue, 25 May 2010 14:32:32 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Law and Politics]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=195</guid>
		<description><![CDATA[Oral Testimony of
Aaron Titus
Privacy Director, Liberty Coalition
Attorney, J.C. Neu &#038; Associates
before the
Senate Committee on Homeland Security and Governmental Affairs
May 5, 2010
Click here for Aaron Titus&#8217; Written Testimony on S1317 and S2820 [DOC]

C-Span Link
Chairman Lieberman, Ranking Member Collins and Members of the Committee. Thank you for allowing me to be here.
My name is Aaron Titus. I [...]]]></description>
			<content:encoded><![CDATA[<p><center><strong>Oral Testimony of<br />
Aaron Titus<br />
Privacy Director, <a href="http://www.libertycoalition.net/">Liberty Coalition</a><br />
Attorney, <a href="http://www.jeffreyneu.com">J.C. Neu &#038; Associates</a><br />
before the<br />
<a href="http://hsgac.senate.gov/">Senate Committee on Homeland Security and Governmental Affairs</a><br />
May 5, 2010</strong><br />
Click here for <a href='http://www.aarontitus.net/blog/wp-content/uploads/2010/05/Aaron-Titus-Written-Testimony-on-S1317-and-S2820.doc'>Aaron Titus&#8217; Written Testimony on S1317 and S2820</a> [DOC]</p>
<p><a href="http://www.c-spanarchives.org/program/ID/223740&#038;start=1227&#038;end=1622">C-Span Link</a></center></p>
<p>Chairman Lieberman, Ranking Member Collins and Members of the Committee. Thank you for allowing me to be here.</p>
<p>My name is Aaron Titus. I am the Privacy Director for the Liberty Coalition and an attorney at the law firm, J.C. Neu and Associates.  The Liberty Coalition works with more than 80 partner organizations from across the political spectrum to preserve the Bill of Rights, personal autonomy and individual privacy.  The Liberty Coalition works with, but does not speak on behalf of, our partners.</p>
<p>I am aware that many in this audience have been personally affected by gun violence. Managing guns and other weapons is a matter of public concern.  Regardless of one&#8217;s position on gun safety and gun control, the Supreme Court has unambiguously ruled that the Right to Keep and Bear Arms is an individual, Constitutionally enumerated right.  The Second Amendment is not absolute, and the government may regulate the Right to Keep and Bear Arms in a number of ways.</p>
<p>But Senate Bill 1317 goes too far.  The bill should be titled, &#8220;<strong>The Gun Owners Are Probably All Terrorists Act</strong>,&#8221; because it strips citizens of their Constitutional Right to Keep and Bear Arms without any meaningful due process. And Senate Bill 2820 should be called, &#8220;<strong>The National Firearm Registry Act</strong>&#8221; because it creates a national firearms registry, so let&#8217;s call it what it is.</p>
<h2>National Firearms Registry</h2>
<p>If you want to make a National Firearms Registry, then go through the front door, call it what it is, and have a meaningful public discussion.</p>
<p>Senate Bill 2820 creates a massive database of names and detailed personal information of each law-abiding citizen who purchases a gun.</p>
<p>The bill disingenuously purports to target terrorists, but in fact only one ten-thousandth of one percent of these records will belong to people on watch lists.   Every year, only 200 new watch-list records will be created.  But the system will generate more than 14 million new records on law-abiding citizens.  Once collected, there&#8217;s no limit on what the information may be used for, and no legal requirement to ever delete it.</p>
<p>At the very least, we should call this bill what it is: A National Gun Registry Act.</p>
<h2>Senate Bill 1317</h2>
<p>Reading Senate Bill 1317, one would think that convicted terrorists are allowed to own guns. That is simply not true. Convicted terrorists cannot own guns.</p>
<p>Not only that, but today&#8217;s discussion totally misses the point.  This committee shouldn&#8217;t spend time debating whether to take away Terrorists&#8217; guns, bombs, cell phones, or other instruments of terror.  If a person is a dangerous terrorist, then he should be thrown in jail. <strong>The only things a real, convicted terrorist should own are an orange jumpsuit and a pair of leg chains.</strong></p>
<p>Assuming, for a moment, that everyone on a watch list is a terrorist as this bill suggests, then I propose that this committee start throwing every single one of those hundreds of thousands of people in jail, starting today.</p>
<p>But you and I know that the Constitution won&#8217;t let you do that.  And if you can&#8217;t throw citizens in jail for being on a watch list, you can&#8217;t revoke their Second Amendment rights, either.</p>
<h2>How Senate Bill 1317 Works</h2>
<p>Right now, a citizen who is denied a firearms purchase has the right to know exactly why, and appeal.  Senate Bill 1317 changes that.  If a citizen&#8217;s name is on a watch list, the Attorney General doesn&#8217;t have to tell him why he was denied, if he thinks that tipping off the citizen might compromise national security.</p>
<p>If a citizen is able to appeal the decision in court, things only get harder and more confusing. Neither the citizen nor his attorney can see the evidence against him—they can only see summaries or redacted versions.  Not even the judge may consider the unredacted evidence.</p>
<p>A citizen will lose his appeal if the Attorney General can prove, by a preponderance of the evidence, not that the individual poses a risk, or that the person is a terrorist, or even that the person is under investigation; rather, the Attorney General must only demonstrate that the citizen has been placed on a watch list.</p>
<p>Once that has been proven, the appeal is over and the citizen loses his Second Amendment Right to Keep and Bear Arms.  The citizen will not have a chance to introduce evidence of innocence, abuse of Executive discretion or mount any other meaningful defense.</p>
<p>You know, I have heard of this type of judicial system applied to non-citizens (&#8220;enemy combatants&#8221; in Guantanamo Bay), but never to citizens of the United States, especially on a matter of Constitutional importance. Times may have changed, Mr. Chairman, but fortunately the Constitution has not.</p>
<h2>Terror Watch Lists</h2>
<p>Criminal and terrorist investigations must be kept confidential.  But Senate Bill 1317 misunderstands that &#8220;investigation&#8221; is not &#8220;guilt.&#8221;  Suspicion is not a Conviction. And the law has a technical word for people who have not been convicted of a crime: It&#8217;s called &#8220;innocent.&#8221;</p>
<p>Terror watch lists have no meaningful element of due process, and are therefore fundamentally different from other lists scanned by the <em>National Instant Criminal Background Check System</em>.<br />
Terror watch lists, by their nature, are designed to be over-broad.  A name on a terror watch list is evidence of government interest in a person, not proof of terrorism.  The bald allegation of a suspicion of terrorist inclinations is insufficient evidence to overcome an individual&#8217;s Right to Keep and Bear Arms.<br />
Mr. Chairman, suspicion is not a conviction.</p>
<h2>Summary</h2>
<p>Senate Bill 1317 takes away a citizen&#8217;s right to face his accusers. This bill takes away a citizen&#8217;s right to appeal. This bill takes away a citizen&#8217;s right to due process. And if you can&#8217;t throw them in jail because they&#8217;re on a watch list, then you can&#8217;t revoke their Second Amendment rights, either.   Mr. Chairman, this bill is unconstitutional.<br />
I urge this committee to reject Senate Bills 1317 and 2820.  I am happy to respond to questions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/05/25/oral-and-written-testimony-of-aaron-titus-before-the-senate-committee-on-homeland-security-and-governmental-affairs-on-may-5-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Letter to VA Board of Bar Examiners</title>
		<link>http://www.aarontitus.net/blog/2010/03/23/letter-to-va-board-of-bar-examiners/</link>
		<comments>http://www.aarontitus.net/blog/2010/03/23/letter-to-va-board-of-bar-examiners/#comments</comments>
		<pubDate>Tue, 23 Mar 2010 12:55:51 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=190</guid>
		<description><![CDATA[I mailed the following letter to the Virginia Board of Bar Examiners on March 22, 2010, after receiving a letter with all of my sensitive information printed on a single sheet of paper.
Robert E. Glenn, President
Virginia Board of Bar Examiners
c/o Julie O’Kelly
2201 W. Broad Street, Suite 101
Richmond, VA 23220
Mr. Glenn:
I recently took the Virginia Bar [...]]]></description>
			<content:encoded><![CDATA[<p>I mailed the following letter to the Virginia Board of Bar Examiners on March 22, 2010, after receiving a letter with all of my sensitive information printed on a single sheet of paper.</p>
<p>Robert E. Glenn, President<br />
Virginia Board of Bar Examiners<br />
c/o Julie O’Kelly<br />
2201 W. Broad Street, Suite 101<br />
Richmond, VA 23220</p>
<p>Mr. Glenn:<br />
I recently took the Virginia Bar Exam. I received a letter dated January 27, 2010 which contained instructions for the February exam. To my horror, I saw that the letter contained my full name, date of birth, social security number, school, MPRE score, results of my Character and Fitness Questionnaire, address, and email address on the form. This single piece of paper contains enough information for someone to impersonate me and commit identity theft. I count myself lucky that someone else didn&#8217;t check my mailbox the day this letter arrived.</p>
<p>I was sure that such an oversight was an isolated error, so I called the Board of Bar Examiners’ office to find out how a mistake like this could happen, to ask for a copy of the board&#8217;s privacy policy, and to ask who changed my authorization to put my identity at such substantial risk.</p>
<p>I was informed that the mailing of my sensitive personal information in a single letter was <strong>deliberate</strong>, <strong>the Board has no privacy policy</strong>, and that <strong>the Board authorized this reckless use of my personal information</strong>, against my wishes and authorization.</p>
<p>This letter is to object to some of the Board&#8217;s more dangerous privacy practices as I currently understand them, and request additional information.<br />
Please send a copy of the Board’s privacy policy.  If one does not exist, please send the following information: </p>
<ul>
<li>How long will the Board keep my personal information on file, and for what purposes?</li>
<li>Does the Board store my personal information on encrypted hard drives?</li>
<li>On how many computers does the Board store copies of my personal information, and where do the hard drives go when the computers are retired or replaced?</li>
<li>With what entities does the Board share my personal information, and under what conditions?</li>
<li>What security measures, if any, does the Board use to detect intrusion or improper use by employees?</li>
</ul>
<p>I understand that the Board needs to verify personal information with examinees. However, even minor common-sense steps would substantially increase security.  These may include:</p>
<ul>
<li>Sending separate mailings, each of which lacks a full set of personal information.</li>
<li>Omitting digits of the social security number.</li>
<li>Writing and disseminating a Privacy Policy, and updating your organization’s privacy practices.</li>
</ul>
<p>I hope that the Board takes these matters seriously, and updates its privacy policies and practices immediately.  The Board of Bar Examiners has violated my trust, and I fear that the Board will continue to put me at risk of identity theft and other harms.</p>
<p>I look forward to answers on these most pressing issues.  I also stand ready to assist in your effort to improve your privacy practices.</p>
<p>Sincerely,<br />
Aaron Titus</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/03/23/letter-to-va-board-of-bar-examiners/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How to Avoid a Legal 500 Error with your Privacy Policy</title>
		<link>http://www.aarontitus.net/blog/2010/03/17/how-to-avoid-a-legal-500-error-with-your-privacy-policy/</link>
		<comments>http://www.aarontitus.net/blog/2010/03/17/how-to-avoid-a-legal-500-error-with-your-privacy-policy/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 12:59:36 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=179</guid>
		<description><![CDATA[Note: A version of this article originally appeared on the Security Catalyst Blog
Legal Programming
By Aaron Titus
I&#8217;m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um practice.  OK, I may not be a Ruby all-star, but I could be if I [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: A version of this article originally appeared on the <a href="http://www.securitycatalyst.com/how-to-avoid-a-legal-500-error-with-your-privacy-policy/">Security Catalyst Blog</a></em><br />
<div id="attachment_184" class="wp-caption alignright" style="width: 310px"><img src="http://www.aarontitus.net/blog/wp-content/uploads/2010/03/500-Legal-Error-cropped-300x206.jpg" alt="Avoid a Legal 500 Error. Debug your privacy policy." title="Legal 500 Error" width="300" height="206"  class="size-medium wp-image-184"/><p class="wp-caption-text">Avoid a Legal 500 Error. Debug your privacy policy.</p></div></p>
<h1>Legal Programming</h1>
<p><strong>By Aaron Titus</strong></p>
<p>I&#8217;m an awesome programmer. The only thing keeping me from Python, PHP, or Ruby coding awesomeness is knowledge… and skill… and training… and, um, practice.  OK, I may not be a Ruby all-star, but I could be if I wanted to. Likewise, you can do anything for yourself that an attorney can do for you, including writing legal documents. Lawyers just happen to have knowledge, skill, and training.  And if I wanted an iPhone app, I&#8217;d talk to a programmer.  If I wanted legal documents, I&#8217;d talk to a lawyer.</p>
<p>In fact, <em>lawyers are programmers</em>. Writing legal documents—like privacy policies—is just like writing code.</p>
<p><span id="more-179"></span>Imagine that your boss tells you, &#8220;I need a widget. I&#8217;m sure other people in the open source community have done similar things. Just go grab some code and slap it together by the end of the day.”  Of course, that&#8217;s crazy. You can&#8217;t just slap code together. In what language is the code written? Will it play well with existing code? How complete is the API? What are the requirements? What about security? What about debugging?</p>
<p>Yet this is exactly how we treat privacy policies. We go grab some “open source” or “boilerplate” privacy policy, slap it together with a boilerplate Terms of Service, and think we’re good to go.  But unlike poorly-written code which will cause an error as soon as it is compiled, you won’t know whether you’ve created a Legal 500 error for months or years—long after it’s too late to fix.</p>
<h1>Privacy Policy Principles</h1>
<p>The purposes of a privacy policy are to: 1. Help inform and train your employees about your privacy practices, 2. Inform your customers about your privacy practices, and 3. Avoid liability and FTC action.  As I explained <a href="http://www.securitycatalyst.com/6-things-every-ceo-should-know-about-privacy-policies/">previously</a>, adhering to the following principles will allow you to accomplish all three goals:</p>
<ul>
<li><strong>Be Honest</strong>. Your mamma was right: Honesty is the best (privacy) policy.
<ul>
<li><strong>Don&#8217;t Over-Promise</strong>. Statements like &#8220;privacy is our top priority&#8221; may be enforced by the FTC as a privacy promise. Don&#8217;t box yourself into a corner.</li>
<li><strong>Don&#8217;t Under-Promise</strong>.  Under-promising can violate regulations and more importantly, scare off customers.</li>
<li><strong>Tell the Whole Truth</strong>.  Failure to talk about less-desirable privacy practices may be a misleading business practice.</li>
</ul>
</li>
<li><strong>Be Complete and Conspicuous</strong>.</li>
<li><strong>Adapt to Changing Business Practices</strong>.  A privacy policy which was accurate six months ago may not be today.</li>
<li><strong>Get it Right the First Time</strong>. Allowing yourself room to change will save headaches long-term, as material changes to privacy policies require additional consent.</li>
<li><strong>If you Say it, Do it</strong>.  Generally no magic words are required in privacy policies.  The best approach to avoid liability is to stick to your policy.</li>
<li><strong>It&#8217;s Your Business</strong>. As an executive, it&#8217;s your responsibility to make sure that your privacy policy is accurate and complete.</li>
</ul>
<h1>Custom Programming Your Privacy Policy</h1>
<p><strong>Nobody, especially the legislature, has solved your problems for you</strong>.  If you create an innovative product or service, then it will raise new questions of law, ethics, and privacy which have never been asked or answered.  You can&#8217;t expect that somebody else&#8217;s recycled privacy policy will meet your needs, any more than you can expect that recycling old code will yield innovation.  Imagine for a moment that you have just developed an iPhone app.  The app communicates with a smart scale using Bluetooth technology, then interfaces with the Google Health API to transfer a user&#8217;s weight history to the Weight Watchers website, then optionally posts the summarized results of the user&#8217;s weight loss to his Facebook page and Twitter account.  Which of the following is true:</p>
<ol type="A">
<li>You can adopt HIPAA as your privacy policy. HIPAA privacy rules apply.</li>
<li>The FTC is interested in your privacy policy and practices.</li>
<li>You can later use the weight &amp; contact information to market your next iPhone app, &#8220;Smart Dieter.&#8221;</li>
</ol>
<p>The answers may surprise you:</p>
<ol type="A">
<li><strong>False</strong> on both counts: 1. HIPAA is not a privacy policy. Nobody, especially Congress, has written your privacy policy for you. 2. Your customers are not protected by HIPAA regulations, because they probably don&#8217;t apply to you.</li>
<li><strong>True</strong>.  The FTC is always interested in your privacy policies and practices, and even passing assurances of privacy like &#8220;Privacy is our Number 1 Priority&#8221; may be enforced as a privacy promise.</li>
<li><strong>Probably Not</strong>. Unless you have written a clear privacy policy that puts your customers on notice, you may be prohibited from reusing their personal information for any reason, even if they would have consented to such a use.</li>
</ol>
<p>Your privacy policy must reflect your unique business processes, your unique business model, and your unique user needs.  If you think that Congress (or anybody, for that matter) has answered the new questions of privacy raised by your iPhone app, then I have a bridge in Brooklyn I&#8217;d like to sell you.  Even if HIPAA privacy regulations applied (which they don’t), I can guarantee that they were not written with your app in mind.  Likewise, if you are doing anything truly innovative, any canned privacy policy will fail to meet your needs.</p>
<p>Boilerplate legal documents can get people and companies in trouble. Although sometimes there <em>are</em> magic words from a statute or regulation that should be quoted in order to protect your rights, <strong>most boilerplate is not magic—it’s lazy</strong>.  Lawyers do a lot of legal debugging, because improper boilerplate language can be downright harmful.  Unless you do your own legal programming to meet your individual needs, you are sure to accidentally waive a right, break the law, incur the ire of the FTC, or create a contradiction and cause a &#8220;Legal 500 Error.&#8221;</p>
<h1>A Living Document</h1>
<p>Because technology, business needs, and information demands constantly change, you must consistently update your privacy policy to reflect those changes. Fortunately, privacy policies are extremely flexible documents, with very few formal legal language or &#8220;magic words&#8221; requirements, so updating them is easy… if you remember to do it. CEOs often find that adapting a business plan to changing market conditions is time-consuming, and privacy policies can fall by the wayside.</p>
<p>Before you update your privacy policy, though, keep in mind that there may be consequences to making material changes.  When you revise a policy, information collected under the former policy must still be treated according to the terms of the original Privacy Policy, unless you get some sort of assent from your customers, or face the potential ire of the FTC.  It is always better to get it right the first time.</p>
<h1>Take Charge</h1>
<p>As an executive, do these three things:</p>
<ol>
<li><strong>Read Your Privacy Policy</strong>. First, do you understand what the policy means? Second, how does the privacy policy translate to concrete business practices in each of your departments? Third, does the policy match actual practice? Fourth, what is missing from your privacy policy that a reasonable customer would want to know about? Fifth, what changes must you make to your business practices (or the privacy policy) to make them the same?</li>
<li><strong>Regularly Update Your Privacy Policy</strong>.  Many companies have internal processes to regularly review and update business plans, department objectives, security, and compliance.  Make sure that your privacy policy is on your list of documents to review.</li>
<li><strong>Do a Privacy Policy Legal Review</strong>.  Avoid a &#8220;Legal 500 Error&#8221; by making sure that your privacy policy is complete and compliant.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/03/17/how-to-avoid-a-legal-500-error-with-your-privacy-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Three Elements of Action</title>
		<link>http://www.aarontitus.net/blog/2010/02/12/the-three-elements-of-action/</link>
		<comments>http://www.aarontitus.net/blog/2010/02/12/the-three-elements-of-action/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 08:30:05 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=170</guid>
		<description><![CDATA[ Note: This article was originally published on the Security Catalyst Blog.
Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item.  Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2381" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/Yawn-333-x-500.jpg" alt="Yawn" width="333" height="500" /> <em>Note: This article was originally published on the <a href="http://www.securitycatalyst.com/the-three-elements-of-action/">Security Catalyst Blog</a>.</em></p>
<p>Your meeting was supposed to last just 45 minutes, but the first 35 have been devoted to the first agenda item.  Most eyes have glazed over and you are the only one speaking. Just as tired as everyone else you say, “OK, so we all agree that we’re going to do that?” Hearing no objection, you move on to the next subject.</p>
<p>You are relieved to move on, but don&#8217;t be surprised when you have to rehash the same subject at the next meeting. Do not mistake movement for progress; your discussion was an utter failure because it lacked the fundamental element to any progress: An Action Item.</p>
<p><strong>Every action item is comprised of three things:</strong></p>
<ul>
<li><strong>A Person</strong></li>
<li><strong>A Deliverable</strong></li>
<li><strong>A Date</strong></li>
</ul>
<p>Absent one of these three things, a decision is not an action item. <em>It is a wish.</em> All would-be &#8220;action items,&#8221; &#8220;goals,&#8221; or &#8220;decisions&#8221; which  fail to include one or more of these components were a waste of your breath and their time. Action items must be clear, measurable, and have accountability.  Unless you want to rehash the same issue at the next meeting, never walk away without identifying a person, a deliverable and a date for each action item, regardless of the subject matter. Let’s analyze some would-be “action items” from actual meetings:</p>
<p><strong>Assignment 1</strong>: &#8220;Development of a power point presentation to train staff.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>None</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>A powerpoint presentation</em>. However, the subject matter of the presentation is not clear in this context.</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>None</em>. This presentation will never be late, because it’s never due.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Inaction</em>. This is a wish, not an action item.</td>
</tr>
</tbody>
</table>
<hr />
<p><strong>Assignment 2</strong>: &#8220;Staff will take decisive action aimed within the next 30 days at having the new privacy policy ready to be trained upon.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>Nobody</em>, or more specifically, everybody.  Note the excessive use of passive voice.  An action assigned to everybody is nobody’s responsibility.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>None</em>. If you can tease a deliverable out of this, you deserve a raise.  What exactly does “decisive action” and “ready to be trained upon” mean?</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>30 Days</em>. However, this date doesn’t mean much because there’s no deliverable or assignment.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Inaction</em>. This is a wish, not an action item.</td>
</tr>
</tbody>
</table>
<hr />
<p><strong>Assignment 3</strong>: &#8220;Jane Davis should work with the Communications Department to discuss the issue of posting the entire training program on the website for free downloading to all visitors.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>Jane Davis</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>Hold a discussion</em> with the Communications Department.  Although they probably intend for Jane to post the training program, her only assignment is to have a discussion.  It would have been written better as, &#8220;coordinate with the Communications Department to post the training program on the website by the end of the month.&#8221;</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>None</em>.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Inaction</em>. This is a wish, not an action item.</td>
</tr>
</tbody>
</table>
<hr />
<p><strong>Assignment 4</strong>: &#8220;Kevin Jones will identify key end-users, such as educational and other relevant organizations, and develop a database of end-users, by the end of January.&#8221;</p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>Kevin Jones</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>Database of end-users</em>.  Of course, with this responsibility, Kevin must also have the authority and resources to execute the assignment.</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>January 31st</em>.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Action</em>. This is an action item.</td>
</tr>
</tbody>
</table>
<p>The three components of action are a <em>person, a deliverable, and a date</em>.  Here&#8217;s your assignment: Next time you lead a meeting, don’t rest until you identify the three elements of action for every assignment. It’s the single most effective thing you can do to shorten meetings and avoid rehashing the same issue again in the future.</p>
<p>So let&#8217;s evaluate my assignment: </p>
<table border="1" cellpadding="2">
<tbody>
<tr>
<td><strong>Person</strong></td>
<td><em>You</em>.</td>
</tr>
<tr>
<td><strong>Deliverable</strong></td>
<td><em>Require a person, deliverable, and a date for every assignment you make</em>.</td>
</tr>
<tr>
<td><strong>Date</strong></td>
<td><em>Your next meeting</em>.</td>
</tr>
<tr>
<td><strong>Outcome</strong></td>
<td><em>Shorter, more effective meetings, happier employees, and real action.</em>  This is an action item.</td>
</tr>
</tbody>
</table>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/02/12/the-three-elements-of-action/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>6 Things Every CEO Should Know About Privacy Policies</title>
		<link>http://www.aarontitus.net/blog/2010/01/25/6-things-every-ceo-should-know-about-privacy-policies/</link>
		<comments>http://www.aarontitus.net/blog/2010/01/25/6-things-every-ceo-should-know-about-privacy-policies/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 08:17:20 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=138</guid>
		<description><![CDATA[Note: This post originally appeared on The Security Catalyst Blog
Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.
Your privacy policy and security practices are the subject of federal, state [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This post originally appeared on <a href="http://www.securitycatalyst.com/6-things-every-ceo-should-know-about-privacy-policies/">The Security Catalyst</a> Blog</em></p>
<p>Writing a privacy policy is a careful balance: Being realistic about what you can perform, protecting and instilling confidence in your customers, facilitating business growth and adaptation, complying with law, and above all, being honest.</p>
<p>Your privacy policy and security practices are the subject of federal, state and international laws, as well as FTC regulation.  The FTC regulates unfair and deceptive consumer practices, and has a history of privacy policy enforcement actions. In fact, it is currently hosting a series of &#8220;<a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/">Privacy Roundtable</a>&#8221; discussions, focusing on behavioral advertising, social networking, mobile marketing, data aggregation and correlation, data brokering, cloud computing, and other now-common practices.</p>
<p>With increasing scrutiny on privacy policies and practices, here are six things every CEO should know about their company&#8217;s privacy policy.</p>
<h1>Be Honest</h1>
<p><strong>Your mamma was right: Honesty is the best (privacy) policy</strong>. Be up front about what you do (or may do in the future) with your customer&#8217;s personal information. Many privacy policies make one of three &#8220;honesty&#8221; mistakes: 1. Over-Promising, 2. Under-Promising, 3. Omission.  Each carries liability, so it is better to avoid any of the three.</p>
<p><strong>Don&#8217;t over-promise.</strong> Your company may be held responsible for the representations in your privacy policy.  Look out for phrases like &#8220;state-of-the-art,&#8221; &#8220;everything in our power,&#8221; or &#8220;our highest priority.&#8221;  If your company really does use &#8220;state-of-the-art&#8221; technology to protect privacy, good for you. But you probably don&#8217;t, so be honest about it.  While you may think that such phrases are just feel-good fluff, the FTC has brought actions against companies who fail to provide the state-of-the-art consumer protections they promised, even though they used otherwise reasonable practices.</p>
<p><strong>Don&#8217;t under-promise.</strong> FTC guidelines and many state laws require that your company take reasonable and appropriate measures on a case-by-case basis.  It may be tempting to try and <a href="http://www.nationalidwatch.org/release.php?g=30">disclaim all duties</a> to protect your customers, especially if you&#8217;ve had a breach. But this approach has pitfalls. First, it is impossible to disclaim all duties to your customers&#8217; privacy. Second, you may scare away potential customers, or invite scrutiny (as <a href="http://www.google.com/search?q=facebook+privacy">Facebook</a> well knows).  Third, FTC actions have indicated that businesses cannot take a &#8220;wait-and-see&#8221; approach to consumer privacy.  Instead, companies have a duty to act reasonably and detect problems before they cause loss, particularly if they have made privacy promises to their employees or customers.</p>
<p><strong>Tell the whole truth.</strong> Another temptation is to remain conveniently silent on a privacy issue you&#8217;d rather not talk about.  This is also a risky strategy, because state laws (such as California, Texas, and soon-to-be Massachusetts, to name a few) impose specific disclosure requirements.  Whether or not required by law, failure to disclose important privacy practices can spark FTC enforcement action as a deceptive consumer practice.</p>
<h1>Be Complete &amp; Conspicuous</h1>
<p>Aside from potential FTC action, California law requires any company which holds personal information about a Californian to identify the types of information it collects about customers, explain how the consumer may change or update the personal information, and identify an effective date.  The law also imposes an affirmative duty to disclose whether information will be disclosed to third parties for marketing purposes.  California law also requires that a link to your company&#8217;s privacy policy be conspicuous.  Most of the time, a link from the home page or in the footer will be sufficient.</p>
<p>A privacy policy is legally <em>compliant</em> when it addresses all of the various legal and regulatory requirements, but it is only <em>complete</em> when it addresses the full range of your unique business practices. For some organizations, that may be broader than you think.  For example, a typical University engages in educational, financial, healthcare, network provider, non-profit, and goods and services activities on behalf of their students.  That&#8217;s why there can be no such thing as a &#8220;boilerplate&#8221; privacy policy.</p>
<h1>Privacy Policy Must Reflect (Changing) Practices</h1>
<p>Like Yin and Yang, privacy policy and practice are complementary and inseparable.  One consistent pattern of FTC actions is that updated information security practices are necessary to protect consumers&#8217; privacy.  As <a href="http://www.ftc.gov/opa/2003/11/cybersecurity.shtm">FTC guidelines</a> indicate, &#8220;Good security is an ongoing process of assessing risks and vulnerabilities… Your business practices and privacy policy must be consistently updated to reflect current best practices and available technology.&#8221;</p>
<h1>Get it Right the First Time</h1>
<p>Even though your privacy policy must adapt to changing business needs, privacy policies cannot be retroactively modified.  This issue is important in the following scenario: Suppose that your company decides it wants to sell customer personal information to marketers, but your privacy policy states that personal information &#8220;will not be shared with third parties without [customers'] explicit consent.&#8221;  Changing the policy to allow you to sell personal information may apply prospectively, but new policy provisions will not apply to existing customers, without their consent.  This can even apply to a transfer of personal information in a bankruptcy proceeding.</p>
<p>That&#8217;s why it&#8217;s important to get it right the first time.  Your company&#8217;s privacy policy must allow you enough wiggle-room to adapt to future conditions, be complete, and still protect your customers.  If you need to materially change your policy, make sure that you have the infrastructure to determine which version of your policy applies to which customer.  It matters.</p>
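<p>The &#8220;which version of your policy applies to which customer&#8221; infrastructure is a data-modeling problem as much as a legal one. The following Python sketch is an added illustration, not code from the original post or from any real product: it treats each published policy version as immutable, records which version each customer affirmatively accepted, and answers a single question (may we share this customer&#8217;s data with marketers?) from the version that governs <em>that</em> customer rather than from the latest one. The <code>allows_third_party_marketing</code> flag, the customer names and the dates are assumptions chosen for the example.</p>

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class PolicyVersion:
    """One published revision of the privacy policy (hypothetical data model)."""
    version: int
    effective: date
    # Hypothetical flag standing in for the "share with third parties for
    # marketing" clause discussed in the post. A real policy has many such terms.
    allows_third_party_marketing: bool


@dataclass(frozen=True)
class ConsentRecord:
    """An affirmative acceptance of one policy version by one customer."""
    customer_id: str
    policy_version: int
    accepted_on: date


class PolicyRegistry:
    """Immutable policy versions plus a per-customer consent history."""

    def __init__(self) -> None:
        self._versions: Dict[int, PolicyVersion] = {}
        self._consents: Dict[str, List[ConsentRecord]] = {}

    def publish(self, pv: PolicyVersion) -> None:
        # Published versions are never edited in place; a change is a new version.
        if pv.version in self._versions:
            raise ValueError(f"version {pv.version} already published; versions are immutable")
        if self._versions and pv.version <= max(self._versions):
            raise ValueError("new versions must be numbered after all existing ones")
        self._versions[pv.version] = pv

    def current(self) -> PolicyVersion:
        return self._versions[max(self._versions)]

    def record_consent(self, customer_id: str, version: int, accepted_on: date) -> None:
        if version not in self._versions:
            raise KeyError(f"cannot record consent to unpublished version {version}")
        self._consents.setdefault(customer_id, []).append(
            ConsentRecord(customer_id, version, accepted_on)
        )

    def governing_version(self, customer_id: str) -> PolicyVersion:
        """The newest version this customer has explicitly accepted, not the newest published."""
        records = self._consents.get(customer_id)
        if not records:
            raise KeyError(f"no consent on file for {customer_id}")
        return self._versions[max(r.policy_version for r in records)]

    def may_share_for_marketing(self, customer_id: str) -> bool:
        return self.governing_version(customer_id).allows_third_party_marketing

    def needs_fresh_consent(self) -> List[str]:
        """Customers still governed by an older, stricter version than the current one."""
        cur = self.current()
        pending = []
        for cid in self._consents:
            gov = self.governing_version(cid)
            if (gov.version < cur.version
                    and not gov.allows_third_party_marketing
                    and cur.allows_third_party_marketing):
                pending.append(cid)
        return sorted(pending)


def demo() -> dict:
    """Constructed scenario: v1 forbids marketing sharing, v2 permits it."""
    reg = PolicyRegistry()
    reg.publish(PolicyVersion(1, date(2009, 1, 1), allows_third_party_marketing=False))
    reg.record_consent("alice", 1, date(2009, 2, 14))       # alice signed up under v1
    reg.publish(PolicyVersion(2, date(2010, 3, 1), allows_third_party_marketing=True))
    reg.record_consent("bob", 2, date(2010, 3, 5))          # bob signed up under v2
    before = {cid: reg.may_share_for_marketing(cid) for cid in ("alice", "bob")}
    pending = reg.needs_fresh_consent()                     # who must re-consent
    reg.record_consent("alice", 2, date(2010, 4, 1))        # alice explicitly accepts v2
    return {"before": before, "pending": pending, "after_alice": reg.may_share_for_marketing("alice")}


if __name__ == "__main__":
    print(demo())
```

<p>The design choice worth noting is that <code>may_share_for_marketing</code> never consults <code>current()</code>: publishing v2 changes nothing for Alice until a new <code>ConsentRecord</code> for her exists, which is exactly the prospective-only behaviour the paragraph above describes.</p>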
<h1>If You Say it, Do it</h1>
<p>We&#8217;re all familiar with the <em>Miranda</em> phrase, &#8220;anything you say can and will be used against you …&#8221; by the FTC.  If you make a representation in your privacy or security policy, you&#8217;d better be able to live up to it.  FTC enforcement actions demonstrate that website owners must adhere to any statements of privacy or security, whether the statement is made online or offline.</p>
<p>Each representation about privacy or security is treated as a &#8220;privacy promise.&#8221;  Feel-good marketing fluff does not belong in a privacy policy, because even &#8220;fluff&#8221; can create duties or liability, even if the duty is not required by law.  Explicit security-related promises (such as a promise to use &#8220;state-of-the-art technology&#8221;) require that the company take affirmative and ongoing steps to ensure that sufficient security is provided.</p>
<p>For example, in 2004 Gateway Learning Corp found itself the target of an FTC Deceptive Practice enforcement action for renting its customer list to marketers, even though their privacy policy said they wouldn&#8217;t.  In recent years the FTC has taken similar action against Eli Lilly &amp; Co., Microsoft, Guess, Inc., Tower Records, and Petco.com to name a few.</p>
<p>If your privacy policy says it, then do it.</p>
<h1>It&#8217;s Your Business</h1>
<p>As a soon-to-be attorney, I can say that you should have a lawyer review your privacy policy.  Lawyers help the privacy policy <strong>comply</strong> with legal and regulatory requirements, but it&#8217;s your responsibility to make sure that the policy is <strong>complete</strong>.  In fact, I would go so far as to say that 30% of a privacy policy is compliance, and the other 70% is completeness.</p>
<p>If those numbers are any indication, they mean that your privacy policy should have 70% of its input from the Customer Service Department, the Accounting Department, Sales, Marketing, and perhaps even R&amp;D.  Without their feedback it will be impossible to document your important privacy practices and create a <em>complete</em> privacy policy. Privacy policies are not legalese and magic words. They are a blueprint of vital business processes.  There is one sure way to get in trouble: Relegate your privacy policy to the legal department, and fail to get cross-departmental participation in its drafting.  Banishing your privacy policy just to the lawyers may get you in trouble because the end result may be <em>compliant</em>, but <em>incomplete</em>. And ironically, an incomplete privacy policy is a non-compliant policy.</p>
<h1>Take Charge</h1>
<p>As a CEO, COO, or Managing Director, you should do three things:</p>
<ol>
<li><strong>First, read your privacy and security policy</strong>.  If it confuses you, it will confuse your customers. If it confuses your customers, it might be interpreted as deceptive by the FTC.</li>
<li><strong>Second, make sure you can live up to your privacy policy</strong>. Watch out for buzzwords like &#8220;state-of-the-art,&#8221; &#8220;everything within our power,&#8221; &#8220;always,&#8221; and &#8220;never.&#8221;  Make sure that you haven&#8217;t painted yourself, your customers, or your employees into a corner.</li>
<li><strong>Third, update your privacy policy to reflect your business practices</strong>, or update your business practices to match your policy. Being honest and complete about your business practices is tough work, but will pay dividends long-term.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/01/25/6-things-every-ceo-should-know-about-privacy-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy Commons for Government</title>
		<link>http://www.aarontitus.net/blog/2010/01/20/privacy-commons-for-government/</link>
		<comments>http://www.aarontitus.net/blog/2010/01/20/privacy-commons-for-government/#comments</comments>
		<pubDate>Wed, 20 Jan 2010 08:36:48 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=142</guid>
		<description><![CDATA[Note: This article originally appeared on the The Security Catalyst Blog
&#8220;Unconferences&#8221; (hat tip to identitywoman) are great opportunities to network, gather and share information.  They attract bleeding-edge leaders on emerging problems and technologies.  My most recent unconference was Congress Camp 2009, organized by the Open Forum Foundation.  The gathering focused (broadly) on [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This article originally appeared on the <a href="http://www.securitycatalyst.com/privacy-commons-for-government/">The Security Catalyst Blog</a></em></p>
<p>&#8220;<a href="http://www.unconference.net">Unconferences</a>&#8221; (hat tip to <a href="http://www.identitywoman.net">identitywoman</a>) are great opportunities to network, gather and share information.  They attract bleeding-edge leaders on emerging problems and technologies.  My most recent unconference was <a title="Congress Camp" href="http://congresscamp.org/" target="_blank">Congress Camp 2009</a>, organized by the <a title="Open Forum Foundation" href="http://openforumfoundation.org/" target="_blank">Open Forum Foundation</a>.  The gathering focused (broadly) on social networking tools and Web 2.0 for government. It was well attended by advocates who want to reach Congress, and over-worked <a title="3121 Professional Network for Hill Staffers and Congress" href="http://3121blog.nationaljournal.com/">hill staffers</a> who use IE6 and must cope with information overload.  We also got a preview of <a title="Gov Luv: Social Media meets Government" href="http://govluv.org/" target="_blank">GovLuv.org</a>.  If you have an interest in social networking and government, I highly recommend looking at some of the <a title="Congress Camp Blog" href="http://congresscamp.org/" target="_blank">blog articles</a>.</p>
<p><span id="more-2330"></span>Here&#8217;s my report: <em>Don&#8217;t hold your breath for Congress to go Social-Web crazy in the immediate future.</em></p>
<p>I hosted a discussion on developing a <a title="Privacy Commons" href="http://wiki.privacycommons.org" target="_blank">Privacy Commons</a> framework for government.  In short, Privacy Commons will be a series of Privacy Policy Frameworks: A list of <em>required</em>, <em>optional, </em>and <em>prohibited </em>subject matter for privacy policies. Each framework will be tailored to particular industries (i.e., medical, financial, goods and services, social media, government, etc.). Adoption of a Privacy Commons Framework will require that your Privacy Policy address all subject matter in the framework, and make certain high-level disclosures in the form of iconography (i.e., a &#8220;$&#8221; symbol to indicate that you sell personal information to third parties).</p>
<p>I already knew that a government Privacy Commons policy would have to include disclosures about how personal information may be transmitted to other federal agencies, for example. But I was surprised to hear from staffers that Congressional privacy policies should also disclose how personal anecdotes may be used.  Many constituents e-mail their elected representatives with poignant personal stories that often support draft legislation.  Staffers must decide whether they can or should use the stories in a press release, on the House or Senate floor, or whether they can use the story and change the names.</p>
<p>A government Privacy Commons framework will also need to address the different rules that elected officials and their campaigns must follow.  Elected officials must follow strict rules governing sharing personal and contact information.  In contrast, campaigns (which may run full-time, even after an official is elected) can do almost anything with personal information.  The distinction between &#8220;Congressman Jones&#8221; and &#8220;Congressman Jones&#8217; Campaign&#8221; may be lost on the average constituent; but the effects on privacy might be substantial.</p>
<p>As I make the transition to <a title="J.C. Neu and Associates" href="http://www.jeffreyneu.com" target="_blank">full-time attorney</a> (after I pass the bar&#8230; wish me luck), I&#8217;ll be able to continue developing Privacy Commons.  In fact, at Congress Camp I hooked up with the <a title="E Citizen Foundation" href="http://ecitizenfoundation.org" target="_blank"> ECitizen Foundation</a>, which might help host Privacy Commons working groups. Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/01/20/privacy-commons-for-government/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FTC Says Bloggers Must Disclose Freebies</title>
		<link>http://www.aarontitus.net/blog/2010/01/18/ftc-says-bloggers-must-disclose-freebies/</link>
		<comments>http://www.aarontitus.net/blog/2010/01/18/ftc-says-bloggers-must-disclose-freebies/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 17:20:52 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Law and Politics]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=140</guid>
		<description><![CDATA[Note: This article originally appeared on the The Security Catalyst Blog
The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews.  Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This article originally appeared on the <a href="http://www.securitycatalyst.com/ftc-says-bloggers-must-disclose-freebies/">The Security Catalyst Blog</a></em></p>
<p>The FTC recently announced <a href="http://www.ftc.gov/os/2009/10/091005endorsementguidesfnnotice.pdf">new guidelines</a> requiring bloggers to disclose when they get freebies in exchange for reviews.  Adopted by a vote of 4-0, this is the first update of the FTC&#8217;s <a href="http://www.ftc.gov/bcp/guides/endorse.htm"><em>Guides Concerning the Use of Endorsements and Testimonials in Advertising</em></a> in 29 years. The rules go into effect on December 1, 2009.</p>
<p>The FTC <a href="http://www.ftc.gov/opa/2009/10/endortest.shtm">press release</a> emphasizes that under the new rules, &#8220;both advertisers and endorsers may be liable for… failure to disclose material connections between [them].&#8221;  Material connections include payments or free products, which must be disclosed in a &#8220;clear and conspicuous&#8221; manner.  Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.</p>
<p>Here&#8217;s the bottom line: <strong>Bloggers</strong>– Clearly disclose whether you received payment or a free product when giving endorsements. <strong>Advertisers</strong>– Make sure social media marketing plans require your ad agencies and paid bloggers  to disclose whether an endorsement is paid.</p>
<p>But bloggers shouldn&#8217;t worry too much.  Simply saying something good about a product is not enough to break the new rules.  Instead, there must be a &#8220;material connection&#8221; between the advertiser and endorser.  This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or free product), 2. in exchange for an endorsement.  When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.</p>
<p>Simply blogging about a free sample will not break the FTC rules.  For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser.  In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.</p>
<p>The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers.  This creates interesting challenges for advertisers, many of whom are already reeling from social media overload.  Purely consumer-generated reviews will not create liability for advertisers.  However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling them in word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.</p>
<p>In addition, simply using an ad agency doesn&#8217;t break the chain of liability.  Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift.  Advertisers should remember that <em>paid bloggers can now incur liability on advertisers</em>, and in this sense, they should treat paid bloggers just like any other employee or company agent.</p>
<p>Tips for Advertisers:</p>
<ol>
<li><strong>Tell Your Bloggers</strong>:  Always require bloggers to include standard language such as &#8220;PAID ADVERTISEMENT,&#8221; &#8220;PAID PRODUCT REVIEW,&#8221; or similar conspicuous and unambiguous language in their posts whenever you send them free products.</li>
<li><strong>Watch Your Bloggers</strong>: Advertisers will be liable for misleading statements from paid bloggers.  However, you may mitigate liability if you &#8220;advise [paid bloggers] of their responsibilities and&#8230; monitor their online behavior.&#8221;</li>
<li><strong>Tell Your Advertising Agency</strong>:  In your advertising agency contract, require them to insist that bloggers disclose gifts.</li>
<li><strong>Ask for Indemnity</strong>: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.</li>
</ol>
<p>Tips for Advertising Agencies (especially Social Media):</p>
<ol>
<li><strong>Market Your Knowledge</strong>: Advertisers will appreciate that you know about this new regulation.  Let advertisers know that your knowledge puts you in a position to decrease their liability.</li>
<li><strong>Tell Your Bloggers</strong>: See above.</li>
<li><strong>Watch Your Bloggers</strong>: See above.</li>
</ol>
<p>Tips for Bloggers:</p>
<ol>
<li><strong>Be Clear</strong>: If you got paid, or if you got a free product, disclose it up front.  There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like &#8220;I shamelessly took a free widget from Acme Co. in exchange for this review,&#8221; or &#8220;I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.&#8221; The good standby, &#8220;Paid Product Review,&#8221; should work fine (if you have no personality).</li>
<li><strong>Be Conspicuous</strong>: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article.  While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.</li>
<li><strong>Don&#8217;t Worry Too Much</strong>: First, ethical bloggers already disclose their connections with advertisers. Second, you won&#8217;t incur liability unless you are actually acting on behalf of a company when you write a product review.  As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law).  Now you just have to disclose whether you got paid for your opinion.</li>
</ol>
<p>It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for &#8220;Paid Product Review&#8221; will develop in the Twittersphere, much like &#8220;RT&#8221; for Retweet.  May I be the first to suggest, &#8220;PPR,&#8221; &#8220;Paid,&#8221; or my favorite, &#8220;:-$&#8221;</p>
<p><em>Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/01/18/ftc-says-bloggers-must-disclose-freebies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Your Tascam US-144 mkII Noisy? Just Sit on it.</title>
		<link>http://www.aarontitus.net/blog/2010/01/09/is-your-tascam-us-144-mkii-noisy-just-sit-on-it/</link>
		<comments>http://www.aarontitus.net/blog/2010/01/09/is-your-tascam-us-144-mkii-noisy-just-sit-on-it/#comments</comments>
		<pubDate>Sat, 09 Jan 2010 15:45:05 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Reviews]]></category>
		<category><![CDATA[Audio]]></category>
		<category><![CDATA[Review]]></category>
		<category><![CDATA[TASCAM US-144 mkII]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=118</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.aarontitus.net/blog/wp-content/uploads/2010/01/US-144-mkII.jpg" alt="The TASCAM US-144 mkII gets noisy when the temperature drops." width=300 height=250 align="right" /><div id="interface_image" class="wp-caption right" style="width: 310px"><p class="wp-caption-text">The TASCAM US-144 mkII's Phantom Power gets very noisy when the temperature drops below 65</p></div>I recently purchased two sets of podcasting gear to record podcasts with someone in another state.  The gear included two <a href="http://www.tascam.com/products/us-144mkII.html">TASCAM US-144 mkII</a> interfaces, two <a href="http://www.audio-technica.com/cms/wired_mics/a0933a662b5ed0e2/index.html">Audio-Technica AT 2020 condenser microphones</a>, two mic cables, two stands, two pop filters, two sets of headphones, etc.  As I recorded I noticed an inconsistent whine in the audio. Sometimes the wine was little more than a vinyl-record-like scratch, other times it was a scream, and still others it disappeared altogether.</p>
<p>To track down the source, I started by changing out the AC power for battery power, switching USB cords, switching mic cords, switching microphones, switching interfaces, turning on and off the wireless network, unplugging my wireless router, changing rooms, and even moving to a location several miles away.  None of these things had any consistent effect on the whine.  After <em>a lot</em> of trial and error, I have narrowed the problem down to two three variables: <strong>Temperature</strong>, <strong>Phantom Power</strong> and the <strong>MIC/LINE-GUITAR select switch</strong>.</p>
<p>The whine appears with the phantom power on, while the interface is cold (ie, less than about 65 degrees Fahrenheit). It gets worse when the <em>MIC/LINE-GUITAR select switch</em> is set to &#8220;Guitar.&#8221; Setting the <em>MIC/LINE-GUITAR select switch</em> to &#8220;Guitar&#8221; makes it act as an unbalanced input jack, which probably explains the noise.  But turning on the phantom power while the interface is cold produces a lot of noise.</p>
<p>The solution: <strong>Sit on the interface</strong> to warm it up.  My home &#8220;studio&#8221; is in a very cold room with two exterior walls, and it&#8217;s the middle of winter.  So in order to warm up the interface&mdash;no joke&mdash;I actually put it under my thigh for a good 10-15 minutes.  I didn&#8217;t read that helpful work-around in the <a href="http://www.tascam.com/i-3850-232-128-0-B307598B.pdf">manual</a>. I thought about using an electric blanket, but I was afraid that might cause some induction damage.</p>
<h2>The Test</h2>
<p>I conducted a test to demonstrate the whine, which I have included <a href="http://www.aarontitus.net/blog/wp-content/uploads/2010/01/Mic_Test.mp3">here</a>.  For the test I had the following setup:  I plugged an Audio-Technica AT 2020 condenser mic into the <em>MIC IN L</em> XLR balanced jack.  I also plugged a crappy old dynamic mic into the <em>LINE IN R/GUITAR IN</em> TRS 1/4&#8243; jack.  For the &#8220;Cold&#8221; test, I left the interface in a box in my car for 30 minutes, where the outside temperature was around 25&deg; Fahrenheit.  For the &#8220;Warm&#8221; test, I basically sat on the interface for about 15 minutes until the interface housing was noticeably warmer than room temperature.</p>
<p>I then recorded a systematic test of the phantom power, left and right input levels, and the <em>MIC/LINE-GUITAR select switch</em> in 10-second intervals.  I included the results in a table below, with each numbered setting corresponding to a period of time on the <a href="http://www.aarontitus.net/blog/wp-content/uploads/2010/01/Mic_Test.mp3">non-normalized .mp3 file</a>. You can skip around to compare the different settings if you&#8217;d like.  Please ignore the ambient noise of the HVAC system, as well as the lousy line quality for my crappy dynamic mic.</p>
<p><a name="cold"></a></p>
<table border="1" cellpadding="5" cellspacing="0">
<tr>
<td colspan=7><center><strong>INTERFACE TEMPERATURE: COLD (~30&deg;- ~65&deg; Fahrenheit)</strong></center></td>
</tr>
<tr>
<td><strong>Setting</strong></td>
<td><strong>Time on Tape</strong></td>
<td><strong>Phantom Power</strong></td>
<td><strong>INPUT L Levels<br /> (AT 2020)</strong></td>
<td><strong>INPUT R Levels<br />(Crappy Dynamic)</strong></td>
<td><strong>LINE/MIC- GUITAR <br />Select Switch</strong></td>
<td><strong>Whine</strong></td>
</tr>
<tr>
<td>1</td>
<td>0:00-0:10</td>
<td rowspan = 8>OFF</td>
<td rowspan = 4>Line (Low)</td>
<td>Line (Low)</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>2</td>
<td>0:10-0:20</td>
<td>Mic (High)</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>3</td>
<td>0:20-0:30</td>
<td>Line</td>
<td>Guitar</td>
<td>None</td>
</tr>
<tr>
<td>4</td>
<td>0:30-0:40</td>
<td>Mic</td>
<td>Guitar</td>
<td>None</td>
</tr>
<tr>
<td>5</td>
<td>0:40-0:50</td>
<td rowspan = 4>Mic (High)</td>
<td>Line</td>
<td>Line/Mic</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>6</td>
<td>0:50-1:00</td>
<td>Mic</td>
<td>Line/Mic</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>7</td>
<td>1:00-1:10</td>
<td>Line</td>
<td>Guitar</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>8</td>
<td>1:10-1:20</td>
<td>Mic</td>
<td>Guitar</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>9</td>
<td>1:20-1:30</td>
<td rowspan = 8>ON</td>
<td rowspan = 4>Line</td>
<td>Line</td>
<td>Line/Mic</td>
<td bgcolor=#FFCC00>Whine-Low</td>
</tr>
<tr>
<td>10</td>
<td>1:30-1:40</td>
<td>Mic</td>
<td>Line/Mic</td>
<td bgcolor=#FF9900>Whine-Med</td>
</tr>
<tr>
<td>11</td>
<td>1:40-1:50</td>
<td>Line</td>
<td>Guitar</td>
<td bgcolor=#FF9900>Whine-Med</td>
</tr>
<tr>
<td>12</td>
<td>1:50-2:00</td>
<td>Mic</td>
<td>Guitar</td>
<td bgcolor=#FF0000>Whine-Scream</td>
</tr>
<tr>
<td>13</td>
<td>2:00-2:10</td>
<td rowspan = 4>Mic</td>
<td>Line</td>
<td>Line/Mic</td>
<td bgcolor=#CC3300>Whine-Loud</td>
</tr>
<tr>
<td>14</td>
<td>2:10-2:20</td>
<td>Mic</td>
<td>Line/Mic</td>
<td bgcolor=#CC3300>Whine-Loud</td>
</tr>
<tr>
<td>15</td>
<td>2:20-2:30</td>
<td>Line</td>
<td>Guitar</td>
<td bgcolor=#CC3300>Whine-Loud</td>
</tr>
<tr>
<td>16</td>
<td>2:30-2:40</td>
<td>Mic</td>
<td>Guitar</td>
<td bgcolor=#FF0000>Whine-Scream</td>
</tr>
</table>
<p><a name="warm"></a></p>
<table border=1 cellpadding=5 cellspacing=0>
<tr>
<td colspan=7><center><strong>INTERFACE TEMPERATURE: WARM (~75&deg;+ Fahrenheit)</strong></center></td>
</tr>
<tr>
<td><strong>Setting</strong></td>
<td><strong>Time on Tape</strong></td>
<td><strong>Phantom Power</strong></td>
<td><strong>INPUT L Levels<br /> (AT 2020)</strong></td>
<td><strong>INPUT R Levels<br />(Crappy Dynamic)</strong></td>
<td><strong>LINE/MIC- GUITAR <br />Select Switch</strong></td>
<td><strong>Whine</strong></td>
</tr>
<tr>
<td>1</td>
<td>2:40-2:50</td>
<td rowspan = 8>OFF</td>
<td rowspan = 4>Line (Low)</td>
<td>Line (Low)</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>2</td>
<td>2:50-3:00</td>
<td>Mic (High)</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>3</td>
<td>3:00-3:10</td>
<td>Line</td>
<td>Guitar</td>
<td>None</td>
</tr>
<tr>
<td>4</td>
<td>3:10-3:20</td>
<td>Mic</td>
<td>Guitar</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>5</td>
<td>3:20-3:30</td>
<td rowspan = 4>Mic (High)</td>
<td>Line</td>
<td>Line/Mic</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>6</td>
<td>3:30-3:40</td>
<td>Mic</td>
<td>Line/Mic</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>7</td>
<td>3:40-3:50</td>
<td>Line</td>
<td>Guitar</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>8</td>
<td>3:50-4:00</td>
<td>Mic</td>
<td>Guitar</td>
<td bgcolor=#FFFF66>Scratch</td>
</tr>
<tr>
<td>9</td>
<td>4:00-4:10</td>
<td rowspan = 8>ON</td>
<td rowspan = 4>Line</td>
<td>Line</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>10</td>
<td>4:10-4:20</td>
<td>Mic</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>11</td>
<td>4:20-4:30</td>
<td>Line</td>
<td>Guitar</td>
<td>None</td>
</tr>
<tr>
<td>12</td>
<td>4:30-4:40</td>
<td>Mic</td>
<td>Guitar</td>
<td bgcolor=#CC3300>Whine-Loud</td>
</tr>
<tr>
<td>13</td>
<td>4:40-4:50</td>
<td rowspan = 4>Mic</td>
<td>Line</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>14</td>
<td>4:50-5:00</td>
<td>Mic</td>
<td>Line/Mic</td>
<td>None</td>
</tr>
<tr>
<td>15</td>
<td>5:00-5:10</td>
<td>Line</td>
<td>Guitar</td>
<td>None</td>
</tr>
<tr>
<td>16</td>
<td>5:10-5:20</td>
<td>Mic</td>
<td>Guitar</td>
<td bgcolor=#CC3300>Whine-Loud</td>
</tr>
</table>
<p>My home studio is in the basement near an outside wall, so it&#8217;s usually around 65&deg;. Every morning the whine reappears until I physically warm the unit to around 75&deg;+.</p>
<p>At lower temps, the phantom power whines and bleeds over into the 1/4&#8243; inputs, which surprises me because most electronics are happier when they&#8217;re cold.  I&#8217;d chalk it up to a defective unit, except that I purchased two 144 mkII&#8217;s, and both units display the same behavior.  Regardless, I&#8217;m not looking forward to the hassle of returning or exchanging the interface. It&#8217;s going to put me back several weeks.</p>
<p>I wonder if anyone else has experienced these same problems.  The helpful guys at <a href="http://www.sweetwater.com/">Sweetwater</a> didn&#8217;t seem to have bumped into the problem before.</p>
<p><strong>[Update Jan 14, 2010]</strong></p>
<p>I have decided to return the mkII&#8217;s to Sweetwater in favor of another brand, perhaps an M-Audio. I haven&#8217;t decided.  At first I was content to swap them out for non-defective mkIIs, but apparently TASCAM has temporarily stopped shipping the US-144 mkII.  More precisely, they are taking orders without providing a firm ETA. This is apparently quite unusual, and in the estimation of the guy I talked to it likely indicates that they are doing some re-tooling.</p>
<p>I decided that I&#8217;m probably better off not being the guinea pig for the &#8220;fixed&#8221; version (if, in fact they are re-tooling).  And even if they&#8217;re not re-tooling, I don&#8217;t want to wait indefinitely for TASCAM to fill the order.</p>
<p>I am so glad that I purchased from <a href="http://www.sweetwater.com/">Sweetwater</a> instead of <a href="http://www.guitarcenter.com/">Guitar Center</a>.  Sweetwater has much better support.  Let me correct that: Sweetwater offers <em>any</em> type of support.</p>
<p><strong>[Update Jan 25, 2010]</strong></p>
<p>I decided to go with a <a href="http://www.lexiconpro.com/product.php?id=6">Lexicon Omega</a> instead. So far (in some preliminary recordings) I haven&#8217;t had any noise problems, though the levels are significantly lower than the Tascam 144 mkII.  I&#8217;ll just have to do more post-normalization.  I hope the noise levels stay tolerable.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2010/01/09/is-your-tascam-us-144-mkii-noisy-just-sit-on-it/feed/</wfw:commentRss>
		<slash:comments>18</slash:comments>
<enclosure url="http://www.aarontitus.net/blog/wp-content/uploads/2010/01/Mic_Test.mp3" length="5128024" type="audio/mpeg" />
		</item>
		<item>
		<title>Highlights From the FTC&#8217;s Privacy Roundtable Part 3</title>
		<link>http://www.aarontitus.net/blog/2009/12/15/highlights-from-the-ftcs-privacy-roundtable-part-3/</link>
		<comments>http://www.aarontitus.net/blog/2009/12/15/highlights-from-the-ftcs-privacy-roundtable-part-3/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 08:53:42 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Law and Politics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=157</guid>
		<description><![CDATA[Note: This article originally appeared on the J.C. Neu &#38; Associates Blog
This is part 3 of highlights from the FTC&#8217;s December 7th Privacy Roundtable. Part 1 covered the panel on &#34;Exploring Existing Regulatory Frameworks,&#34; and Part 2 covered the panel on &#34;Benefits and Risks of Collecting, Using, and Retaining Consumer Data&#34; This post highlights comments [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This article originally appeared on the <a href="http://www.jeffreyneu.com/20091215246/Highlights-From-the-FTC-s-Privacy-Roundtable-Part-3.html">J.C. Neu &amp; Associates Blog</a></em></p>
<p>This is part 3 of highlights from the FTC&rsquo;s December 7th <a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml">Privacy Roundtable</a>. <a href="http://jeffreyneu.com/20091208244/Highlights-From-the-FTC-s-Privacy-Roundtable-Part-1.html">Part 1</a> covered the panel on &quot;Exploring Existing Regulatory Frameworks,&quot; and <a href="/245-highlights-from-the-ftcs-privacy-roundtable-part-2.html">Part 2</a> covered the panel on &quot;Benefits and Risks of Collecting, Using, and Retaining Consumer Data.&quot; This post highlights comments from &quot;Consumer Expectations and Disclosures&quot; and &quot;Information Brokers.&quot;</p>
<p>Disclaimer: I took notes using <a href="http://www.twitter.com/aarontitus/">my Twitter account</a>. About halfway through the &quot;Benefits and Risks&quot; panel, Twitter decided that I was a spammer, and shut down my account. I was mad, and it meant that I did not cover the whole session.</p>
<h2>Benefits and Risks of Collecting, Using, and Retaining Consumer Data </h2>
<ul>
<li><strong>Lorrie Faith Cranor</strong>, Associate Professor of <a href="http://www.cs.cmu.edu/">Computer Science, Carnegie Mellon University</a> commented on consumers&#8217; state of ignorance regarding how information flows, much like an unseen underground river.   &quot;Most people do not understand how information flows,&quot; or &quot;what a third-party cookie is.&quot;</li>
<li><strong>Alan Westin</strong>, Professor Emeritus of Public Law and Government, <a href="http://www.columbia.edu/">Columbia University</a> referenced several of his studies which indicated that &quot;&hellip;people are not prepared to equate [the need for] behavioral marketing with [funding] free services,&quot; and that &quot;most people believe that they&#8217;re being abused,&quot; but there was general consensus that most people surveyed also believed that they were protected by law and regulations that do not actually exist.  In the meantime, Mr. Westin&#8217;s research also indicates that most people are no longer willing to trade privacy for freebies on the internet, because of the disconnect between &quot;free&quot; services and the fact that personal information pays for most of it.</li>
<li><strong>Alan Davidson</strong>, Director of U.S. Public Policy and Government Affairs for <a href="http://www.google.com">Google</a> emphasized that the industry is trying to educate consumers and give them the tools they need in order to control their privacy, as evidenced by Google&#8217;s dashboard, for instance. He suggested that the audience <a href="http://www.bing.com/search?q=google+dashboard&amp;go=&amp;form=QBLH&amp;qs=n">Bing</a> &quot;Google Dashboard&quot; for more information.</li>
<li><strong>Jules Polonetsky</strong>, Co-Chair and Director of the <a href="http://www.futureofprivacy.org/">Future of Privacy Forum</a> made reference to the results of several large surveys conducted by his organization.  For instance, one indicated that there is a substantial public misconception about what &quot;Behavioral Advertising&quot; is.  Among the handful of survey respondents who had heard the term, all of them mistook &quot;Behavioral Advertising&quot; for the concept of subliminal advertising.  His organization is also attempting to generate symbols explaining how personal information is used, an approach endorsed by <a href="http://wiki.privacycommons.org">Privacy Commons</a> and other groups.</li>
<li>My apologies to <strong>Joel Kelsey</strong>, Policy Analyst for the <a href="http://www.consumersunion.org/">Consumers Union</a>, and  <strong>Adam Thierer</strong>, President of <a href="http://www.asc.upenn.edu/">University of Pennsylvania, Annenberg School for Communication</a>.  Each of these individuals actively participated, but unfortunately I was unable to capture their thoughts because I was under a temporary Twitter ban at the time.</li>
</ul>
<h2>Information Brokers</h2>
<p><em>Short editorial: This session was by far the least enlightening. </em></p>
<ul>
<li><strong>Jennifer Barrett</strong>, Global Privacy and Public Policy Officer for <a href="http://www.acxiom.com/Pages/Home.aspx">Acxiom</a> started off the panel by discussing what constituted &quot;sensitive personal information.&quot; She replied that Acxiom classifies &quot;sensitive information&quot; as any information which could contribute to identity theft, whereas &quot;restricted information&quot; is an unlisted phone number, for example.</li>
<li><strong>Rick Erwin</strong>, President of <a href="http://www.experianmarketingservices.com/">Experian Marketing Services</a> explained that they consider information on children, older Americans, and self-reported ailment data to be &quot;sensitive,&quot; adding that Experian has &quot;three decades of experience using sensitive information for marketing,&quot; and is able to adequately balance the interests of marketers and consumers.  Mr. Erwin also discounted the harms of marketing, saying &quot;we can&#8217;t point to deep consumer harm based on bad advertising.&quot;</li>
<li><strong>Pam Dixon</strong>, Executive Director of the <a href="http://www.worldprivacyforum.org/">World Privacy Forum</a> disagreed.  She contended that the definition of &quot;sensitive information&quot; is difficult at best because otherwise benign information can be aggregated to create sensitive information. In regards to health information, getting consent from consumers is almost illusory because consumers have no way of knowing how the information will be used in the future.  Informed consent is impossible without telling consumers what &quot;boxes&quot; they will be put in.  Consumers need the right to know on what lists they will appear, for how long, and they must have the right to revoke their consent. Pam Dixon contended that &quot;we need to make Opt Out work for consumers,&quot; and that opting out should always be free.</li>
<li>In response, <strong>Jennifer Barrett</strong> insisted that the Information Broker industry needs no further regulation: &quot;We&#8217;re already <em>very</em> regulated,&quot; she said.</li>
<li><strong>Jim Adler</strong>, Chief Privacy Officer and General Manager of Systems for <a href="http://www.intelius.com/">Intelius</a> explained that they offer special opt-out services to government officials.</li>
<li><strong>Chris Jay Hoofnagle</strong>, Lecturer in Residence at the <a href="http://www.law.berkeley.edu/">University of California Berkeley School of Law</a> was scheduled to participate but was unable due to technical difficulties.</li>
</ul>
<p>The FTC has <a href="http://http.earthcache.net/htc-01.media.qualitytech.com/COMP008760MOD1/FTC2/120709_ftc_sess1live/index.htm">posted the webcast </a> if you missed it.&nbsp; The next Roundtable is scheduled for <a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml">January 28, 2010</a> in Berkeley, CA and will also be broadcast online.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2009/12/15/highlights-from-the-ftcs-privacy-roundtable-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Highlights From the FTC&#8217;s Privacy Roundtable: Part 2</title>
		<link>http://www.aarontitus.net/blog/2009/12/09/highlights-from-the-ftcs-privacy-roundtable-part-2/</link>
		<comments>http://www.aarontitus.net/blog/2009/12/09/highlights-from-the-ftcs-privacy-roundtable-part-2/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 08:51:49 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Law and Politics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=155</guid>
		<description><![CDATA[Note: This article originally appeared on the J.C. Neu &#38; Associates Blog
This is part 2 of highlights from the FTC&#8217;s December 7th Privacy Roundtable. Part 1 covered the panel on &#34;Exploring Existing Regulatory Frameworks.&#34; This post highlights comments from &#34;Benefits and Risks of Collecting, Using, and Retaining Consumer Data.&#34;  This session was moderated by [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This article originally appeared on the <a href="http://www.jeffreyneu.com/20091209245/Highlights-From-the-FTC-s-Privacy-Roundtable-Part-2.html">J.C. Neu &amp; Associates Blog</a></em></p>
<p>This is part 2 of highlights from the FTC&rsquo;s December 7th <a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml">Privacy Roundtable</a>. <a href="http://jeffreyneu.com/20091208244/Highlights-From-the-FTC-s-Privacy-Roundtable-Part-1.html">Part 1</a> covered the panel on &quot;Exploring Existing Regulatory Frameworks.&quot; This post highlights comments from &quot;Benefits and Risks of Collecting, Using, and Retaining Consumer Data.&quot;  This session was moderated by Jeffrey Rosen of The <a href="http://www.law.gwu.edu">George Washington University Law School</a> and Chris Olsen, of the FTC&#8217;s <a href="http://www.ftc.gov/bcp/bcppip.shtm">Division of Privacy and Identity Protection</a>. </p>
<ul>
<li><strong>Leslie Harris</strong>, President and CEO of the <a href="http://www.cdt.org">Center for Democracy &amp; Technology</a> emphasized that information taken out of context can be used to unfairly judge a person, such as a search for &quot;marijuana&quot; or a medical condition. The danger increases when a rich profile of search terms and surfing data is constructed over time. </li>
<li><strong>Susan Grant</strong>, Director of Consumer Protection for the <a href="http://www.consumerfed.org/">Consumer Federation of America</a>, said that &quot;privacy is a fundamental human right.&quot;</li>
<li><strong>Alessandro Acquisti</strong> of <a href="http://www.heinz.cmu.edu/index.aspx">Carnegie Mellon University, Heinz College</a>, explained that the definition of &quot;sensitive information&quot; continues to change with technology, new uses for information, and new ways to correlate and aggregate personal information. Technology cannot stop re-identification or de-anonymization, but should be used to increase the transaction costs for re-identifying personal information.  He also spoke about how companies are bypassing consumer efforts to maintain privacy and anonymity through technologies such as flash cookies.</li>
<li><strong>Richard Purcell</strong>, CEO of the  <a href="http://www.corporateprivacygroup.com/">Corporate Privacy Group</a>, emphasized that citizens&#8217; health depends on anonymized health data used for research, and that privacy must be weighed using a cost-benefit analysis.  He further</li>
<li><strong>Michael Hintze</strong>, Associate General Counsel for <a href="http://www.microsoft.com">Microsoft</a>, explained that companies log and use information for a number of legitimate reasons, such as security analysis and search result optimization.  However, he admitted that search terms can reveal individuals&#8217; &quot;innermost thoughts,&quot; and that anonymization is not a silver bullet to protecting users.  Instead, retention and deletion policies such as Microsoft&#8217;s policy of deleting IP addresses and cross-cookie session information are designed to truly anonymize search data.</li>
<li><strong>David Hoffman</strong>, Director of Security Policy and Global Privacy Officer for <a href="http://www.intel.com">Intel</a>, stressed that we should focus on data minimization. &quot;We have wasted time arguing about what constitutes PII,&quot; when the question should be, &quot;what information will have an impact on an individual?&quot;</li>
<li><strong>Jim Harper</strong>, Director of Information Policy Studies for <a href="http://www.cato.org/">The Cato Institute</a>, argued that regulating too early can stifle innovation and prevent consumers from determining what they want themselves.  Instead, we should attempt to define the problem set first.  Mr. Harper explained that &quot;there is a role for trial and error in determining what the real problems are,&quot; and that intellectualizing what consumers really want can lead to problems.  Instead, we should &quot;let a thousand flowers bloom&quot; and let the social systems and advocacy draw out and solve the real issues.</li>
<li><strong>David Hoffman</strong> generally agreed that we don&#8217;t want to frustrate innovation, and that we are not currently in a position to understand all of the problems ourselves. He explained that it took a room full of experts the better part of a day to map out data flows. &quot;We can&#8217;t expect consumers to understand how the data flows if experts can&#8217;t understand it now.&quot;</li>
<li><strong>Leslie Harris</strong> and <strong>Alessandro Acquisti</strong> said that notification and transparency are necessary but not sufficient. Mr. Acquisti noted that consumers make decisions which are harmful to long-term privacy because humans are bad at making decisions when the benefits are short-term but harm is long-term.  He compared privacy-erosive behavior to smoking, since each smoker realizes that smoking causes cancer, but any individual cigarette doesn&#8217;t hurt much.</li>
<li><strong>Susan Grant</strong> explained that consumers don&#8217;t realize that their information can be used for other purposes, and that the benefits of marketing do not outweigh privacy concerns and fraud and abuse. <strong>Jim Harper</strong> countered that advertisers can introduce a new medication to vulnerable populations, and that denying them that opportunity can create silent harms. <strong>Michael Hintze</strong> added that niche ads aren&#8217;t good or bad: they&#8217;re responsible or irresponsible.</li>
<li><strong>Richard Purcell</strong> also argued that companies should spend the time and money to train their customers, and create &quot;privacy by design&quot; rather than &quot;privacy by default.&quot;  Finally, the FTC should &quot;regulate the hell out of&quot; lazy companies and bad actors.</li>
<li><strong>Richard Purcell</strong> further emphasized that we lack a cohesive taxonomy for discussing privacy, and that we need to better define concepts such as &quot;anonymity,&quot; &quot;deidentification,&quot; and &quot;sensitive data.&quot;</li>
<li>The panel was asked to consider widespread customer blacklisting. <strong>Susan Grant</strong> said that consumers need tools to discover and amend secret &quot;bad customer&quot; lists, since they have none now. Distinctions based upon invisible information are bad for consumers.  <strong>Leslie Harris</strong> agreed, saying that we need a law that provides access and correction for data brokers as well.  She also criticized the FTC for failing to investigate privacy violations, saying that all of our bad examples are &quot;accidental,&quot; not intentional long-term decisions to violate privacy, outed by the FTC.</li>
<li>In the larger context, <strong>Jim Harper</strong> said that Government access to personal information is the elephant in the room that nobody has yet addressed.  Governments are beginning to discover &quot;the cloud&quot; for their own purposes, and when data is available to government on the current terms, it constitutes surveillance on a massive scale.</li>
</ul>
<p>I&#8217;ll do a few more installments in the coming days.</p>
<p>The FTC has <a href="http://http.earthcache.net/htc-01.media.qualitytech.com/COMP008760MOD1/FTC2/120709_ftc_sess1live/index.htm">posted the webcast </a> if you missed it.&nbsp; The next Roundtable is scheduled for <a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml">January 28, 2010</a> in Berkeley, CA and will also be broadcast online.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2009/12/09/highlights-from-the-ftcs-privacy-roundtable-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Highlights From the FTC&#8217;s Privacy Roundtable: Part 1</title>
		<link>http://www.aarontitus.net/blog/2009/12/08/highlights-from-the-ftcs-privacy-roundtable-part-1/</link>
		<comments>http://www.aarontitus.net/blog/2009/12/08/highlights-from-the-ftcs-privacy-roundtable-part-1/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 08:49:49 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Law and Politics]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=153</guid>
		<description><![CDATA[Note: This article originally appeared on the J.C. Neu &#38; Associates Blog
The FTC&#8217;s December 7th Privacy Roundtable assembled a Who&#8217;s Who of privacy luminaries, academics, advocates, and industry players.  This post highlights some of the more interesting comments from the meeting.  I also tweeted the event (@aarontitus, #FTC #Privacy or #ftcpriv) and the [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This article originally appeared on the <a href="http://www.jeffreyneu.com/20091208244/Highlights-From-the-FTC-s-Privacy-Roundtable-Part-1.html">J.C. Neu &amp; Associates Blog</a></em></p>
<p>The FTC&rsquo;s December 7th <a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml">Privacy Roundtable</a> assembled a Who&rsquo;s Who of privacy luminaries, academics, advocates, and industry players.  This post highlights some of the more interesting comments from the meeting.  I also tweeted the event (<a href="http://twitter.com/aarontitus">@aarontitus</a>, <a href="http://search.twitter.com/search?q=#FTC+#Privacy">#FTC #Privacy</a> or <a href="http://search.twitter.com/search?q=#ftcpriv">#ftcpriv</a>) and the FTC has <a href="http://http.earthcache.net/htc-01.media.qualitytech.com/COMP008760MOD1/FTC2/120709_ftc_sess1live/index.htm">posted the webcast </a> if you missed it.&nbsp; The next Roundtable is scheduled for <a href="http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml">January 28, 2010</a> in Berkeley, CA and will also be broadcast online.</p>
<p>The meeting consisted of five panels. This post highlights &quot;Panel 5: Exploring Existing Regulatory Frameworks&quot;:</p>
<ul>
<li>During Session 5, <a href="http://www.intuit.com/">Intuit&#8217;s</a> Chief Privacy Officer <strong> Barbara Lawler</strong> posited that existing regulatory frameworks unfairly place the entire burden on consumers to protect themselves.  &quot;Consumers should expect a safe marketplace. They shouldn&#8217;t be the ones to police the marketplace,&quot; she said.</li>
<li><strong> Barbara Lawler</strong> also noted that &quot;Data is never really at rest,&quot; because it&#8217;s moving between data centers and backups in multiple locations throughout the globe.  It is therefore incorrect to think of data, especially Cloud data, as being in one place.  Instead, &quot;data is in one place and many places at the same time,&quot; potentially in multiple jurisdictions.</li>
<li><strong>Evan Hendricks</strong> of <a href="http://www.privacytimes.com/"><em>Privacy Times</em></a> and <strong>Marc Rotenberg</strong> of <a href="http://www.epic.org">EPIC</a> suggested that the current model of &quot;Notice and Consent&quot; has failed to protect consumers, and that the FTC (and legislation in general) should return to well-established Fair Information Practices (FIPs), including a prohibition on &quot;secret databases.&quot; Mr. Rotenberg went so far as to conclude that Notice and Choice principles are not a subset of FIPs, but instead &quot;stand in opposition to fair information practices.&quot;  He also joked that &quot;the best part of the Gramm-Leach-Bliley Act is that you get paper notices you can tape on your window and get more privacy.&quot;</li>
<li><strong>Ira Rubinstein</strong> of <a href="http://www.law.nyu.edu/index.htm">New York University School of Law</a> proposed that self-regulation is not binary or &quot;monolithic,&quot; and that a self-regulatory scheme would be preferable, especially if viewed as a &quot;continuum, based on government intervention.&quot;  He argued that self-regulation would be especially appropriate in the United States, which has traditionally been very friendly to e-commerce.</li>
<li><strong>Michael Donohue</strong> of the <a href="http://www.oecd.org/">OECD</a> gave an overview of international legal concepts of privacy, generally agreeing with Marc Rotenberg&#8217;s observation that &quot;most countries have come to surprisingly similar conclusions about privacy.&quot;</li>
<li><strong>J. Howard Beales</strong> of the <a href="http://business.gwu.edu/index.cfm">GWU School of Business</a> argued in favor of a &quot;harm-based model,&quot; because it is impossible to reach the best solution without first defining the harm.  Marc Rotenberg responded that privacy harms are almost never financial. </li>
<li>Several panelists emphasized that privacy can be highly (and appropriately) subjective. One cited an example from a balding friend of his, &quot;I don&#8217;t care if anyone knows that I use Rogaine, but my 70-year-old grandmother would.&quot;</li>
<li><strong>Fred Cate</strong> of the <a href="http://cacr.iu.edu/">Center for Applied Cybersecurity Research</a> emphasized that the Notice and Consent model is flawed because some activities should not be consentable.  For example, one may not &quot;consent&quot; to be served fraudulent or misleading advertising. Likewise, some uses of personal information should be prohibited and non-consentable. Most importantly, Notice and Choice are only <em>tools</em>, not the goal of privacy.</li>
<li>After Panel 5 was done, Bureau of Consumer Protection Director <strong>David C. Vladeck</strong> said the FTC would investigate whether it is better to give consumers notice how their personal information may be used: 1. At the time of collection, or 2. At the time of use.</li>
<li><strong>David C. Vladeck</strong> also said that the data broker industry warranted FTC attention because it is &quot;largely invisible to the consumer.&quot; </li>
</ul>
<p>More highlights on the other sessions to come.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2009/12/08/highlights-from-the-ftcs-privacy-roundtable-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My Thoughts About Privacy Commons</title>
		<link>http://www.aarontitus.net/blog/2009/12/06/my-thoughts-about-privacy-commons/</link>
		<comments>http://www.aarontitus.net/blog/2009/12/06/my-thoughts-about-privacy-commons/#comments</comments>
		<pubDate>Mon, 07 Dec 2009 02:38:54 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=109</guid>
		<description><![CDATA[I spend most of my free time working on Privacy Commons, and so I was excited to see Christopher&#8217;s post and critique on the subject. Thanks as usual, Christopher, for your thought-provoking questions and observations.  Likewise, Aza, CUPS, and Ralf Bendrath.  Great work&#8212;each of you.  I want to pick each of your [...]]]></description>
			<content:encoded><![CDATA[<p>I spend most of my free time working on <a href="http://wiki.privacycommons.org">Privacy Commons</a>, and so I was excited to see <a href="http://www.christopher-parsons.com/blog/thoughts/thinking-about-a-privacy-commons/">Christopher&#8217;s post and critique</a> on the subject. Thanks as usual, Christopher, for your thought-provoking questions and observations.  Likewise, <a href="http://www.azarask.in/blog/post/making-privacy-policies-not-suck/">Aza</a>, <a href="http://cups.cs.cmu.edu/blog/?p=175">CUPS</a>, and <a href="http://bendrath.blogspot.com/2007/05/icons-of-privacy.html">Ralf Bendrath</a>.  Great work&mdash;each of you.  I want to pick each of your brains sometime.  I also want to apologize in advance for any incomplete sentences or thoughts. This is a slapped-up post.</p>
<h1>Some Problems With Privacy Policies</h1>
<p>As Christopher, myself, and many others have pointed out, the problems with privacy policies are myriad.  Here are a few:</p>
<ul>
<li><strong>Inaccessible or Unintelligible</strong>. Many privacy policies are not easily understood, or even physically accessible; they are so complicated and wrapped in legalese that they are &#8220;nigh useless&#8221; to the average consumer.</li>
<li><strong>Complicated Solution</strong>. Unless we&#8217;re careful, a Privacy Commons may end up equally or more complicated than the status quo.</li>
<li><strong>Non-Standard</strong>. Privacy Policies are not standardized, making it impossible to compare apples-to-apples.</li>
<li><strong>Incomplete</strong>. They often fail to address important privacy issues or fail to consider all potential parties.</li>
<li><strong>Unsophisticated</strong>. Many boilerplate privacy policies demonstrate a fundamental lack of understanding of how privacy policies translate to privacy and business practices.  Some simply don&#8217;t address the most salient issues, which may be unique to their industry.  Consequently, many of the policies never translate to practice.</li>
<li><strong>Treated as Only Legal Documents</strong>. Privacy policies are often treated as &#8220;compliance&#8221; documents and relegated to the legal department.  Consequently, many fail to address or actually contradict field practices.</li>
<li><strong>Privacy Waiver</strong>. Many privacy policies waive, rather than confer, privacy rights.  The medical industry is extremely efficient at this practice.</li>
<li><strong>Technology-Dependent</strong>. Privacy policies which strictly enumerate technologies quickly become outdated in the face of emerging technologies.</li>
<li><strong>Non-Binding</strong>. Most importantly, US courts have consistently interpreted privacy policies to be unbinding notices, rather than contracts.  As a result, privacy policies generally create no enforceable rights or enforceable expectations of privacy. In this sense, privacy policies can create a false expectation of confidentiality, privacy, or even fiduciary responsibility.</li>
</ul>
<h1>Some Assumptions About Privacy Policies</h1>
<p>Based on my experience in technology, advocacy, and the law, I want to air some of my basic assumptions about Privacy Policies. Of course, I invite challenges to these assumptions:</p>
<ol>
<li><strong>Mitigate Liability</strong>. Privacy is the subject of dozens of laws and regulations. The present primary business case for developing, maintaining, and conforming to a privacy policy is to mitigate liability.</li>
<li><strong>Inform Data Subjects</strong>. Data Subjects include consumers, employees, or any individual about whom information is collected, stored, or aggregated.</li>
<li><strong>Empower Data Subjects</strong>. Mere information is not enough. A privacy policy which produces information overload without <em>actionable intelligence</em> is counter-productive.</li>
<li><strong>Articulate Privacy Practices</strong>. For the benefit of both data subjects and the data stewards who must execute the privacy policy, it must explain and reflect real business practices.</li>
<li><strong>People Don&#8217;t Read</strong>. Anything more than about two paragraphs will never be read.  That&#8217;s why high-level iconography is so appealing (and achievable).</li>
<li><strong>Must Be Easy to Understand</strong>. Because people don&#8217;t read.  Fewer words and easy-to-grasp iconography are better.</li>
<li><strong>Short Policies Are Inherently Incomplete</strong>. Two paragraphs and pretty pictures may be sufficient to inform consumers on the portions of the privacy policy they find most important, but will always be incomplete.  More on this <a href="#incomplete">below</a>.</li>
<li><strong>Adoption &amp; Enforcement</strong>. A Privacy Commons must be optimized for adoption, rather than enforcement. That&#8217;s simply because, despite regulation in the area by the Federal Government, the states, and the FTC, a privacy commons must be market-driven to be successful.</li>
<li><strong>Sector-Specific</strong>. Different sectors and activities collect different sets of personal information and are regulated differently. In order to ensure that privacy policies are relevant, they must be tailored to specific <a href="http://wiki.privacycommons.org">activities</a>.</li>
<li><strong>Living Documents</strong>. A privacy policy which was correct six months ago may not be correct today.</li>
<li><strong>Privacy Policies are Complex. Deal with it</strong>. Privacy Policies are complex, just like Creative Commons or the Telephone.  More on that <a href="#incomplete">below</a>.</li>
<li><strong>Business Documents</strong>. Privacy Policies are business documents with legal, practical, and business ramifications for corporations, their agents and employees, and data subjects.</li>
</ol>
<p><a name="incomplete"></a><br />
Thinkers like Christopher Parsons worry that a Privacy Commons will be unnecessarily complex.  Non-attorneys are often (justifiably) baffled at why lawyers take 3,000 words to say what can be said in 300 and a handshake. It turns out that a simple handshake is not as simple as most people think.  Behind each handshake there is a wide range of assumptions which are not as standard as one might believe.  Many (if not most) disputes arise when there is a misunderstanding about an unspoken assumption&mdash;the meaning of a word, or silence on a particular issue.  That&#8217;s why it takes lawyers so many words to say something so simple; simple things are not as simple as we thought.</p>
<p>To demonstrate this point, we need look no further than Creative Commons.  While the <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/">human-readable version</a> of the &#8220;Attribution Non-Commercial Share Alike&#8221; creative commons license consists of 5 images and 286 words, the <a href="http://creativecommons.org/licenses/by-nc-sa/3.0/legalcode">legal version</a> contains <strong>3,384 words</strong>.  Clearly the unnecessary work of a verbose lawyer who needed to justify his existence, right?</p>
<p>Not so fast.  The full Attribution Non-Commercial Share Alike license covers a whole bunch of other stuff that consumers don&#8217;t usually take time to think about, unless of course there is a dispute.  It&#8217;s only at that point that we&#8217;re glad we included it.  The legalese version covers essential topics like media and language translation, public performance, DRM, collections of works, waiver of compulsory license fees, preservation of moral rights, representations and warranties, limitation on author&#8217;s liability, termination, severability, waiver, and entire agreement, just to name a few.  Consumers don&#8217;t (and shouldn&#8217;t) think about this kind of stuff when they proverbially &#8220;shake hands&#8221; with a licensee.  Creative Commons is simple on the surface, but look under the hood and you&#8217;ll see the complexity necessary to create the elegance that most people associate with the CC licenses. Saying that the legalese version of a Creative Commons License (or Privacy Commons Policy) is a &#8220;necessary evil&#8221; is incorrect and misses the point. It&#8217;s not evil at all; it&#8217;s just necessary.</p>
<p>It&#8217;s like a telephone&mdash;an elegant piece of equipment which is exceedingly easy to use.  The end-user only cares about a few things: Connectivity, line quality, cost, and accessibility.  Yet the infrastructure and technology supporting telephony and networking is extremely robust and complex.  Consumers pay the telcos to worry about all of the other stuff so they can focus on the four or five things that consumers care about.  The millions of miles of copper, routers, substations and central offices aren&#8217;t a &#8220;necessary evil,&#8221; they&#8217;re just necessary.</p>
<h1>Some Conclusions About Privacy Policies</h1>
<p>We&#8217;re just going to have to deal with the fact that privacy policies are complex, and will continue to be complex.  The best solution (as I see it) is to do three things:</p>
<ul>
<li><strong>Require Thoroughness</strong>. A Privacy Commons-compliant policy is thorough.</li>
<li><strong>Identify Cultural Notions of Privacy</strong>. Identify culturally important notions of privacy, and embody them in easy-to-understand iconography.  <a href="http://www.christopher-parsons.com/blog/thoughts/thinking-about-a-privacy-commons/">Christopher Parsons</a> suggests these notions might center on <strong>Data Collection, Data Sharing, Data Identification, Data Tracking, Data Deletion, and Aggregation</strong>, which I think is a good start. And Ralf Bendrath offers <a href="http://bendrath.blogspot.com/2007/05/icons-of-privacy.html">these excellent icons</a>, which are more elegant than any I&#8217;ve seen.</li>
<li><strong>Embody the Cultural Notions of Privacy in Iconography</strong>. Then let the legalese version fill in the (necessary) gaps.</li>
</ul>
<p>A privacy policy which conforms to Privacy Commons requirements will be complete, informative, easy to understand, and easy to adopt.  Like Creative Commons, Privacy Commons seeks to identify common cultural notions of privacy, and embody them in easy-to-understand policy frameworks, with simple high-level iconography.</p>
<p><em>Note: I usually blog on <a href="http://www.securitycatalyst.com">securitycatalyst.com</a> and <a href="http://www.jeffreyneu.com">jeffreyneu.com</a>, but this post doesn&#8217;t fit very well on either.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2009/12/06/my-thoughts-about-privacy-commons/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>NJ Supreme Court: Attorney-Client Privilege in Personal Email at Work</title>
		<link>http://www.aarontitus.net/blog/2009/12/03/nj-supreme-court-attorney-client-privilege-in-personal-email-at-work/</link>
		<comments>http://www.aarontitus.net/blog/2009/12/03/nj-supreme-court-attorney-client-privilege-in-personal-email-at-work/#comments</comments>
		<pubDate>Thu, 03 Dec 2009 08:47:31 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Law and Politics]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=150</guid>
		<description><![CDATA[Note: This article originally appeared on the J.C. Neu &#38; Associates Blog
Yesterday the New Jersey Supreme Court heard arguments in the Stengart v. Loving Care Agency, Inc. case.  The issue is whether the New Jersey attorney-client privilege is preserved, when an employee e-mails her attorney from a personal email account, on a company computer.
The [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This article originally appeared on the <a href="http://www.jeffreyneu.com/20091203243/NJ-Supreme-Court-Attorney-Client-Privilege-in-Personal-Email-at-Work.html">J.C. Neu &amp; Associates Blog</a></em></p>
<p>Yesterday the New Jersey Supreme Court heard arguments in the <em>Stengart v. Loving Care Agency, Inc.</em> case.  The issue is whether the New Jersey attorney-client privilege is preserved, when an employee e-mails her attorney from a personal email account, on a company computer.</p>
<p>The first reaction from most lawyers is, &quot;yikes, I hope so.&quot;</p>
<p>Maria Stengart was a senior employee at Loving Care, which provides Home Care Services for children and adults. Among other things, Loving Care&rsquo;s employee handbook states that &ldquo;Email and voice mail messages, internet use and communication, and computer files are considered part of the company&rsquo;s business and client records. Such communications are not to be considered private or personal to any individual employee.&rdquo;   Stengart was issued a company laptop, on which she occasionally accessed her personal Yahoo account.  She resigned in December, 2007 and shortly thereafter filed suit against Loving Care alleging constructive discharge due to sexual harassment and ethnic discrimination.</p>
<p>In April 2008 Loving Care sent an image of her laptop hard drive to a data recovery company, which recovered at least one personal Yahoo email between Stengart and her attorney, presumably from a recovered browser cache.  Of course, this prompted Stengart to assert attorney-client privilege, demanding that all attorney communications be returned or destroyed. The company balked, and in essence argued that Stengart had waived the privilege by using a company computer.</p>
<p>The trial court found in favor of the employer, but the appellate court reversed.</p>
<p>If I were to play armchair quarterback for a second, I think that the New Jersey Supreme Court will probably find in favor of Stengart as a substantive matter, but the case raises several issues of legal, policy, and practical significance, with no apparent easy answers.</p>
<p>In general, employees have a diminished (i.e., nearly zero) expectation of privacy on an employer&rsquo;s network, especially when the employer has put the employee on notice of that fact.  The trial court merely extended this well-established principle to attorney-client communications.   After all, an employer must be able to control, protect, and secure its network against a range of threats.</p>
<p>On the other hand, most employers allow company computers to be used for personal reasons. It seems to be bad public policy that an employee would waive the attorney-client privilege simply because she uses a browser on her company computer during her lunch break, rather than a home browser. This is especially true if she happens to e-mail her lawyer about an action against the employer.  It seems absurd that a distinction so technical should allow the employer to &quot;rummage through and retain the employee&rsquo;s e-mails to her attorney,&quot; as the appellate court put it.</p>
<p>But if an employee does enjoy some expectation of privacy in personal communications over a company network, how much, and how does an employer write a policy to manage it? Does an employee enjoy the same expectation of privacy for personal email transferred via POP3 or IMAP to a local company copy of Outlook, compared to an email recovered from an HTTP browser cache?  Does the employer have a duty to not attempt to recover deleted personal emails? Are employers allowed to snoop unless a communication appears privileged?  I don&rsquo;t have a good answer, and it will be interesting to see what answer the court comes up with.</p>
<p>Surely an employee cannot enjoy an unqualified expectation of privacy by simply using non-company communications, because employers still have an interest in making sure that employees do not use personal accounts to transfer trade secrets, compete against the company, or download a virus.</p>
<p>We&rsquo;ll keep an eye on this one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2009/12/03/nj-supreme-court-attorney-client-privilege-in-personal-email-at-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Aaron Titus Speaking at ICAMISS</title>
		<link>http://www.aarontitus.net/blog/2009/10/07/aaron-titus-speaking-at-icamiss/</link>
		<comments>http://www.aarontitus.net/blog/2009/10/07/aaron-titus-speaking-at-icamiss/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 08:44:50 +0000</pubDate>
		<dc:creator>Titus</dc:creator>
				<category><![CDATA[Law and Politics]]></category>

		<guid isPermaLink="false">http://www.aarontitus.net/blog/?p=148</guid>
		<description><![CDATA[Note: This article originally appeared on the J.C. Neu &#38; Associates Blog
Aaron Titus will be presenting at the International Conference on Applied Modeling &#38; Information Security Systems (ICAMISS) on October 10, 2009 at the University of Alabama, Birmingham.
The speech will focus on the risks associated with personal information management, especially in an institution of higher [...]]]></description>
			<content:encoded><![CDATA[<p><em>Note: This article originally appeared on the <a href="http://www.jeffreyneu.com/20091007237/Aaron-Titus-Speaking-at-ICAMISS.html">J.C. Neu &amp; Associates Blog</a></em></p>
<p>Aaron Titus will be presenting at the International Conference on Applied Modeling &amp; Information Security Systems (<a href="http://www.eiu.edu/~iasc/agenda.pdf" target="_blank" title="ICAMISS Schedule">ICAMISS</a>) on October 10, 2009 at the University of Alabama, Birmingham.</p>
<p>The speech will focus on the risks associated with personal information management, especially in an institution of higher education, where information is supposed to flow freely.&nbsp; These are among the policies and behaviors that put information at risk:</p>
<ul>
<li>Administrative Decentralization</li>
<li>Naive Office Culture</li>
<li>Unprotected &ldquo;Old&rdquo; Data</li>
<li>Shadow Systems</li>
<li>Unregulated Servers</li>
<li>Unsophisticated Privacy Policies</li>
<li>Improper Use of the SSN</li>
<li>Unsanitized Hard Drives and Insecure Laptops</li>
</ul>
<p>The International Conference on Applied Modeling &amp; Information Security Systems is sponsored by the Department of Defense, Krell Institute, NASA-Ames Research Center, Institute of Applied Science &amp; Computation, Eastern Illinois University and University of Alabama at Birmingham.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.aarontitus.net/blog/2009/10/07/aaron-titus-speaking-at-icamiss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
