Archive for category Law and Politics

September 11th, 2011: Create in Bold Defiance

I was not in Washington DC or New York ten years ago on that shattered Tuesday, but the deaths of thousands weighed heavily on us all. I spent the day in college and work, physically exhausted and emotionally wounded. The Eleventh of September was a dark day, and it seemed as though the flame and smoke of that morning had choked every source of inspiration. I had no desire to do anything, and it seemed as though my mind and soul had been smothered.

That afternoon my architecture professor, Julio Bermudez, gave lengthy instructions about a drawing assignment in his thick Brazilian accent. I don’t remember a word of that lecture. None of us cared about drawing, or school, or work. The very mention seemed trivial and sacrilegious. At the end of the lecture, he told us to go outside and draw. For the first time that day, my utter numbness turned to indignation and then anger at his triviality.

Then, sensing our irritation, he paused; and began speaking to us as Architects. “Today we have witnessed the most anti-architectural act conceivable… We are Architects. We do not believe in death and destruction. We believe in life. We create. I know many of you are angry right now. I am angry. You want to retaliate. Right now it seems trivial to go out there and draw. But if you really want to retaliate against what happened today, if you really want to take a stand and make a difference, then go out and do Architecture. Go and create, and you will retaliate in the best way you can. Now, go out and draw!”

No more appropriate words were ever said than at that time. As members of our religions and communities, we do not believe in death and destruction. We believe in life. We believe in peace. We create. Ten years later, that terrible moment inspires me to serve with a purpose, and create in bold defiance of everything that is murderous, destructive and evil.


Oral and Written Testimony of Aaron Titus Before the Senate Committee on Homeland Security and Governmental Affairs on May 5, 2010

Oral Testimony of
Aaron Titus
Privacy Director, Liberty Coalition
Attorney, J.C. Neu & Associates
before the
Senate Committee on Homeland Security and Governmental Affairs
May 5, 2010


Chairman Lieberman, Ranking Member Collins and Members of the Committee. Thank you for allowing me to be here.

My name is Aaron Titus. I am the Privacy Director for the Liberty Coalition and an attorney at the law firm, J.C. Neu and Associates. The Liberty Coalition works with more than 80 partner organizations from across the political spectrum to preserve the Bill of Rights, personal autonomy and individual privacy. The Liberty Coalition works with, but does not speak on behalf of our partners.

I am aware that many in this audience have been personally affected by gun violence. Managing guns and other weapons is a matter of public concern. Regardless of one’s position on gun safety and gun control, the Supreme Court has unambiguously ruled that the Right to Keep and Bear Arms is an individual, Constitutionally enumerated right. The Second Amendment is not absolute, and the government may regulate the Right to Keep and Bear Arms in a number of ways.

But Senate Bill 1317 goes too far. The bill should be titled, “The Gun Owners Are Probably All Terrorists Act,” because it strips citizens of their Constitutional Right to Keep and Bear Arms without any meaningful due process. And Senate Bill 2820 should be called, “The National Firearm Registry Act” because it creates a national firearms registry, so let’s call it what it is.

National Firearms Registry

If you want to make a National Firearms Registry, then go through the front door, call it what it is, and have a meaningful public discussion.

Senate Bill 2820 creates a massive database of names and detailed personal information of each law-abiding citizen who purchases a gun.

The bill disingenuously purports to target terrorists, but in fact only one ten-thousandth of one percent of these records will belong to people on watch lists. Every year, only 200 new watch-list records will be created. But the system will generate more than 14 million new records on law-abiding citizens. Once collected, there’s no limit on what the information may be used for, and no legal requirement to ever delete it.

At the very least, we should call this bill what it is: A National Gun Registry Act.

Senate Bill 1317

Reading Senate Bill 1317, one would think that convicted terrorists are allowed to own guns. That is simply not true. Convicted terrorists cannot own guns.

Not only that, but today’s discussion totally misses the point. This committee shouldn’t spend time debating whether to take away Terrorists’ guns, bombs, cell phones, or other instruments of terror. If a person is a dangerous terrorist, then he should be thrown in jail. The only things a real, convicted terrorist should own are an orange jumpsuit and a pair of leg chains.

Assuming, for a moment, that everyone on a watch list is a terrorist as this bill suggests, then I propose that this committee start throwing every single one of those hundreds of thousands of people in jail, starting today.

But you and I know that the Constitution won’t let you do that. And if you can’t throw citizens in jail for being on a watch list, you can’t revoke their Second Amendment rights, either.

How Senate Bill 1317 Works

Right now, a citizen who is denied a firearms purchase has the right to know exactly why, and appeal. Senate Bill 1317 changes that. If a citizen’s name is on a watch list, the Attorney General doesn’t have to tell him why he was denied, if he thinks that tipping off the citizen might compromise national security.

If a citizen is able to appeal the decision in court, things only get harder and more confusing. Neither the citizen nor his attorney can see the evidence against him—they can only see summaries or redacted versions. Not even the judge may consider the unredacted evidence.

A citizen will lose his appeal if the Attorney General can prove, by a preponderance of the evidence, not that the individual poses a risk, or that the person is a terrorist, or even that the person is under investigation; rather, the Attorney General must only demonstrate that the citizen has been placed on a watch list.

Once that has been proven, the appeal is over and the citizen loses his Second Amendment Right to Keep and Bear Arms. The citizen will not have a chance to introduce evidence of innocence, abuse of Executive discretion or mount any other meaningful defense.

You know, I have heard of this type of judicial system applied to non-citizens (“enemy combatants” in Guantanamo Bay), but never to citizens of the United States, especially on a matter of Constitutional importance. Times may have changed, Mr. Chairman, but fortunately the Constitution has not.

Terror Watch Lists

Criminal and terrorist investigations must be kept confidential. But Senate Bill 1317 misunderstands that “investigation” is not “guilt.” Suspicion is not a Conviction. And the law has a technical word for people who have not been convicted of a crime: It’s called “innocent.”

Terror watch lists have no meaningful element of due process, and are therefore fundamentally different from other lists scanned by the National Instant Criminal Background Check System.

Terror watch lists, by their nature, are designed to be over-broad. A name on a terror watch list is evidence of government interest in a person, not proof of terrorism. The bald allegation of a suspicion of terrorist inclinations is insufficient evidence to overcome an individual’s Right to Keep and Bear Arms.

Mr. Chairman, suspicion is not a conviction.

Summary

Senate Bill 1317 takes away a citizen’s right to face his accusers. This bill takes away a citizen’s right to appeal. This bill takes away a citizen’s right to due process. And if you can’t throw them in jail because they’re on a watch list, then you can’t revoke their Second Amendment rights, either. Mr. Chairman, this bill is unconstitutional.

I urge this committee to reject Senate Bills 1317 and 2820. I am happy to respond to questions.


FTC Says Bloggers Must Disclose Freebies

Note: This article originally appeared on The Security Catalyst Blog

The FTC recently announced new guidelines requiring bloggers to disclose when they get freebies in exchange for reviews. Adopted by a vote of 4-0, this is the first update of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising in 29 years. The rules go into effect on December 1, 2009.

The FTC press release emphasizes that under the new rules, “both advertisers and endorsers may be liable for… failure to disclose material connections between [them].” Material connections include payments or free products, which must be disclosed in a “clear and conspicuous” manner. Both bloggers and advertisers may face FTC sanctions without proper disclosure, even if the advertiser contracts with an ad agency.

Here’s the bottom line: Bloggers– Clearly disclose whether you received payment or a free product when giving endorsements. Advertisers– Make sure social media marketing plans require your ad agencies and paid bloggers to disclose whether an endorsement is paid.

But bloggers shouldn’t worry too much. Simply saying something good about a product is not enough to break the new rules. Instead, there must be a “material connection” between the advertiser and endorser. This is generally understood to mean that the advertiser 1. provides consideration (i.e., payment or free product), 2. in exchange for an endorsement. When this happens, the editorial independence of the endorser becomes questionable, and the relationship between the advertiser and blogger must be disclosed.

Simply blogging about a free sample will not break the FTC rules. For example, blogging positively about a free product you received from a coupon or free store sample is OK because the article is completely independent and outside the control of the advertiser. In contrast, that same blogger who receives a free product in exchange for a product review must clearly state that he or she has been compensated for their opinion.

The FTC has indicated that they plan to enforce the provisions primarily against advertisers, rather than bloggers. This creates interesting challenges for advertisers, many of whom are already reeling from social media overload. Purely consumer-generated reviews will not create liability for advertisers. However, if the advertiser initiated the process that led to consumer endorsements (for example, by providing free products to bloggers or enrolling in word-of-mouth marketing programs), then the advertiser might be liable for whatever those consumers say.

In addition, simply using an ad agency doesn’t break the chain of liability. Unless advertisers are careful, they may incur liability if their advertising agency gives a free product to a blogger, who then fails to disclose the gift. Advertisers should remember that paid bloggers can now incur liability on advertisers, and in this sense, they should treat paid bloggers just like any other employee or company agent.

Tips for Advertisers:

  1. Tell Your Bloggers: Always require bloggers to include standard language such as “PAID ADVERTISEMENT,” “PAID PRODUCT REVIEW,” or similar conspicuous and unambiguous language in their posts whenever you send them free products.
  2. Watch Your Bloggers: Advertisers will be liable for misleading statements from paid bloggers. However, you may mitigate liability if you “advise [paid bloggers] of their responsibilities and… monitor their online behavior.”
  3. Tell Your Advertising Agency: In your advertising agency contract, require them to insist that bloggers disclose gifts.
  4. Ask for Indemnity: Require indemnity from your advertising agency, should they fail to notify the blogger, and treat paid bloggers like employees for liability purposes.

Tips for Advertising Agencies (especially Social Media):

  1. Market Your Knowledge: Advertisers will appreciate that you know about this new regulation. Let advertisers know that your knowledge puts you in a position to decrease their liability.
  2. Tell Your Bloggers: See above.
  3. Watch Your Bloggers: See above.

Tips for Bloggers:

  1. Be Clear: If you got paid, or if you got a free product, disclose it up front. There are no magic words. You may use plain English to describe your relationship with the advertiser in your article. If you would rather opt for the legalese-disclaimer approach, try something catchy like “I shamelessly took a free widget from Acme Co. in exchange for this review,” or “I have sold my soul and this review to Acme Co. And all I got in exchange was a free widget.” The good standby, “Paid Product Review,” should work fine (if you have no personality).
  2. Be Conspicuous: If you choose to take the legalese-disclaimer approach, your disclosure should be somewhere readers can easily see it, such as the top of the page, or before the first sentence of the article. While all-caps or bold words may not be necessary in every circumstance, they may aid in making the text stand out.
  3. Don’t Worry Too Much: First, ethical bloggers already disclose their connections with advertisers. Second, you won’t incur liability unless you are actually acting on behalf of a company when you write a product review. As a truly independent blogger, you can still write anything you want about any product you want (within the limits of the law). Now you just have to disclose whether you got paid for your opinion.

It will be interesting to see how Twitter advertisers react to this new regulation. Perhaps a shorthand for “Paid Product Review” will develop in the Twittersphere, much like “RT” for Retweet. May I be the first to suggest, “PPR,” “Paid,” or my favorite, “:-$”

Note: The author received no free products or services from the FTC (or anyone else, for that matter) in exchange for this blog article.


Highlights From the FTC’s Privacy Roundtable Part 3

Note: This article originally appeared on the J.C. Neu & Associates Blog

This is part 3 of highlights from the FTC’s December 7th Privacy Roundtable. Part 1 covered the panel on "Exploring Existing Regulatory Frameworks," and Part 2 covered the panel on "Benefits and Risks of Collecting, Using, and Retaining Consumer Data." This post highlights comments from "Consumer Expectations and Disclosures" and "Information Brokers."

Disclaimer: I took notes using my Twitter account. About halfway through the "Benefits and Risks" panel, Twitter decided that I was a spammer, and shut down my account. I was mad, and it meant that I did not cover the whole session.

Benefits and Risks of Collecting, Using, and Retaining Consumer Data

  • Lorrie Faith Cranor, Associate Professor of Computer Science, Carnegie Mellon University, commented on consumers’ state of ignorance regarding how information flows, much like an unseen underground river. "Most people do not understand how information flows," or "what a third-party cookie is."
  • Alan Westin, Professor Emeritus of Public Law and Government, Columbia University, referenced several of his studies which indicated that "…people are not prepared to equate [the need for] behavioral marketing with [funding] free services," and that "most people believe that they’re being abused," but there was general consensus that most people surveyed also believed that they were protected by law and regulations that do not actually exist. In the meantime, Mr. Westin’s research also indicates that most people are no longer willing to trade privacy for freebies on the internet, because of the disconnect between "free" services and the fact that personal information pays for most of it.
  • Alan Davidson, Director of U.S. Public Policy and Government Affairs for Google, emphasized that the industry is trying to educate consumers and give them the tools they need in order to control their privacy, as evidenced by Google’s dashboard, for instance. He suggested that the audience Bing "Google Dashboard" for more information.
  • Jules Polonetsky, Co-Chair and Director of the Future of Privacy Forum, made reference to the results of several large surveys conducted by his organization. For instance, one indicated that there is a substantial public misconception about what "Behavioral Advertising" is. Among the handful of survey respondents who had heard the term, all of them mistook "Behavioral Advertising" for the concept of subliminal advertising. His organization is also attempting to generate symbols explaining how personal information is used, an approach endorsed by Privacy Commons and other groups.
  • My apologies to Joel Kelsey, Policy Analyst for the Consumers Union, and Adam Thierer, President of University of Pennsylvania, Annenberg School for Communication. Each of these individuals actively participated, but unfortunately I was unable to capture their thoughts because I was under a temporary Twitter ban at the time.

Information Brokers

Short editorial: This session was by far the least enlightening.

  • Jennifer Barrett, Global Privacy and Public Policy Officer for Acxiom, started off the panel by discussing what constituted "sensitive personal information." She replied that Acxiom classifies "sensitive information" as any information which could contribute to identity theft, whereas "restricted information" is an unlisted phone number, for example.
  • Rick Erwin, President of Experian Marketing Services explained that they consider information on children, older Americans, and self-reported ailment data to be "sensitive," adding that Experian has "three decades of experience using sensitive information for marketing," and is able to adequately balance the interests of marketers and consumers. Mr. Erwin also discounted the harms of marketing, saying "we can’t point to deep consumer harm based on bad advertising."
  • Pam Dixon, Executive Director of the World Privacy Forum disagreed. She contended that the definition of "sensitive information" is difficult at best because otherwise benign information can be aggregated to create sensitive information. In regards to health information, getting consent from consumers is almost illusory because consumers have no way of knowing how the information will be used in the future. Informed consent is impossible without telling consumers what "boxes" they will be put in. Consumers need the right to know on what lists they will appear, for how long, and they must have the right to revoke their consent. Pam Dixon contended that "we need to make Opt Out work for consumers," and that opting out should always be free.
  • In response, Jennifer Barrett insisted that the Information Broker industry needs no further regulation: "We’re already very regulated," she said.
  • Jim Adler, Chief Privacy Officer and General Manager of Systems for Intelius explained that they offer special opt-out services to government officials.
  • Chris Jay Hoofnagle, Lecturer in Residence at the University of California Berkeley School of Law was scheduled to participate but was unable due to technical difficulties.

The FTC has posted the webcast if you missed it.  The next Roundtable is scheduled for January 28, 2010 in Berkeley, CA and will also be broadcast online.


Highlights From the FTC’s Privacy Roundtable: Part 2

Note: This article originally appeared on the J.C. Neu & Associates Blog

This is part 2 of highlights from the FTC’s December 7th Privacy Roundtable. Part 1 covered the panel on "Exploring Existing Regulatory Frameworks." This post highlights comments from "Benefits and Risks of Collecting, Using, and Retaining Consumer Data." This session was moderated by Jeffrey Rosen of The George Washington University Law School and Chris Olsen, of the FTC’s Division of Privacy and Identity Protection.

  • Leslie Harris, President and CEO of the Center for Democracy & Technology emphasized that information taken out of context can be used to unfairly judge a person, such as a search for "marijuana" or a medical condition. The danger increases when a rich profile of search terms and surfing data is constructed over time.
  • Susan Grant, Director of Consumer Protection for the Consumer Federation of America, said that "privacy is a fundamental human right."
  • Alessandro Acquisti of Carnegie Mellon University, Heinz College, explained that the definition of "sensitive information" continues to change with technology, new uses for information, and new ways to correlate and aggregate personal information. Technology cannot stop re-identification or de-anonymization, but should be used to increase the transaction costs for re-identifying personal information. He also spoke about how companies are bypassing consumer efforts to maintain privacy and anonymity through technologies such as flash cookies.
  • Richard Purcell, CEO of the Corporate Privacy Group, emphasized that citizens’ health depends on anonymized health data used for research, and that privacy must be weighed using a cost-benefit analysis. He further
  • Michael Hintze, Associate General Counsel for Microsoft, explained that companies use log and use information for a number of legitimate reasons, such as security analysis and search result optimization. However, he admitted that search terms can reveal individuals’ "innermost thoughts," and that anonymization is not a silver bullet for protecting users. Instead, retention and deletion policies, such as Microsoft’s policy of deleting IP addresses and cross-cookie session information, are designed to truly anonymize search data.
  • David Hoffman, Director of Security Policy and Global Privacy Officer for Intel, stressed that we should focus on data minimization. "We have wasted time arguing about what constitutes PII," when the question should be, "what information will have an impact on an individual?"
  • Jim Harper, Director of Information Policy Studies for The Cato Institute, argued that regulating too early can stifle innovation and prevent consumers from determining what they want themselves. Instead, we should attempt to define the problem set first. Mr. Harper explained that "there is a role for trial and error in determining what the real problems are," and that intellectualizing what consumers really want can lead to problems. Instead, we should "let a thousand flowers bloom" and let the social systems and advocacy draw out and solve the real issues.
  • David Hoffman generally agreed that we don’t want to frustrate innovation, and that we are not currently in a position to understand all of the problems ourselves. He explained that it took a room full of experts the better part of a day to map out data flows. "We can’t expect consumers to understand how the data flows if experts can’t understand it now."
  • Leslie Harris and Alessandro Acquisti said that notification and transparency are necessary but not sufficient. Mr. Acquisti noted that consumers make decisions which are harmful to long-term privacy because humans are bad at making decisions when the benefits are short-term but harm is long-term. He compared privacy-erosive behavior to smoking, since each smoker realizes that smoking causes cancer, but any individual cigarette doesn’t hurt much.
  • Susan Grant explained that consumers don’t realize that their information can be used for other purposes, and that the benefits of marketing do not outweigh privacy concerns and fraud and abuse. Jim Harper countered that advertisers can introduce a new medication to vulnerable populations, and that denying them that opportunity can create silent harms. Michael Hintze added that niche ads aren’t good or bad; they’re responsible or irresponsible.
  • Richard Purcell also argued that companies should spend the time and money to train their customers, and create "privacy by design" rather than "privacy by default." Finally, the FTC should "regulate the hell out of" lazy companies and bad actors.
  • Richard Purcell further emphasized that we lack a cohesive taxonomy for discussing privacy, and that we need to better define concepts such as "anonymity," "deidentification," and "sensitive data."
  • The panel was asked to consider widespread customer blacklisting. Susan Grant said that consumers need tools to discover and amend secret "bad customer" lists, since they have none now. Distinctions based upon invisible information are bad for consumers. Leslie Harris agreed, saying that we need a law that provides access and correction for data brokers as well. She also criticized the FTC for failing to investigate privacy violations, saying that all of our bad examples are "accidental," not intentional long-term decisions to violate privacy, outed by the FTC.
  • In the larger context, Jim Harper said that Government access to personal information is the elephant in the room that nobody has yet addressed. Governments are beginning to discover "the cloud" for their own purposes, and when data is available to government on the current terms, it constitutes surveillance on a massive scale.

I’ll do a few more installments in the coming days.

The FTC has posted the webcast if you missed it.  The next Roundtable is scheduled for January 28, 2010 in Berkeley, CA and will also be broadcast online.


Highlights From the FTC’s Privacy Roundtable: Part 1

Note: This article originally appeared on the J.C. Neu & Associates Blog

The FTC’s December 7th Privacy Roundtable assembled a Who’s Who of privacy luminaries, academics, advocates, and industry players. This post highlights some of the more interesting comments from the meeting. I also tweeted the event (@aarontitus, #FTC #Privacy or #ftcpriv) and the FTC has posted the webcast if you missed it.  The next Roundtable is scheduled for January 28, 2010 in Berkeley, CA and will also be broadcast online.

The meeting consisted of five panels. This post highlights "Panel 5: Exploring Existing Regulatory Frameworks:"

  • During Session 5, Intuit’s Chief Privacy Officer Barbara Lawler posited that existing regulatory frameworks unfairly place the entire burden on consumers to protect themselves. "Consumers should expect a safe marketplace. They shouldn’t be the ones to police the marketplace," she said.
  • Barbara Lawler also noted that "Data is never really at rest," because it’s moving between data centers and backups in multiple locations throughout the globe. It is therefore incorrect to think of data, especially Cloud data, as being in one place. Instead, "data is in one place and many places at the same time," potentially in multiple jurisdictions.
  • Evan Hendricks of Privacy Times and Marc Rotenberg of EPIC suggested that the current model of "Notice and Consent" has failed to protect consumers, and that the FTC (and legislation in general) should return to well-established Fair Information Practices (FIPs), including a prohibition on "secret databases." Mr. Rotenberg went so far as to conclude that Notice and Choice principles are not a subset of FIPs, but instead "stand in opposition to fair information practices." He also joked that "the best part of Gramm-Leach-Bliley Act is that you get paper notices you can tape on your window and get more privacy."
  • Ira Rubinstein of New York University School of Law proposed that self-regulation is not binary or "monolithic," and that a self-regulatory scheme would be preferable, especially if viewed as a "continuum, based on government intervention." He argued that self-regulation would be especially appropriate in the United States, which has traditionally been very friendly to e-commerce.
  • Michael Donohue of OECD gave an overview of international legal concepts of privacy, generally agreeing with Marc Rotenberg’s observation that "most countries have come to surprisingly similar conclusions about privacy."
  • J. Howard Beales of the GWU School of Business argued in favor of a "harm-based model," because it is impossible to reach the best solution without first defining the harm. Marc Rotenberg responded that privacy harms are almost never financial.
  • Several panelists emphasized that privacy can be highly (and appropriately) subjective. One cited an example from a balding friend of his, "I don’t care if anyone knows that I use Rogaine, but my 70-year-old grandmother would."
  • Fred Cate of the Center for Applied Cybersecurity Research emphasized that the Notice and Consent model is flawed because some activities should not be consentable. For example, one may not "consent" to be served fraudulent or misleading advertising. Likewise, some uses of personal information should be prohibited and non-consentable. Most importantly, Notice and Choice are only tools, not the goal of privacy.
  • After Panel 5 was done, Bureau of Consumer Protection Director David C. Vladeck said the FTC would investigate whether it is better to give consumers notice of how their personal information may be used: 1. At the time of collection, or 2. At the time of use.
  • David C. Vladeck also said that the data broker industry warranted FTC attention because it is "largely invisible to the consumer."

More highlights on the other sessions to come.


NJ Supreme Court: Attorney-Client Privilege in Personal Email at Work

Note: This article originally appeared on the J.C. Neu & Associates Blog

Yesterday the New Jersey Supreme Court heard arguments in the Stengart v. Loving Care Agency, Inc. case. The issue is whether the New Jersey attorney-client privilege is preserved when an employee e-mails her attorney from a personal email account on a company computer.

The first reaction from most lawyers is, "yikes, I hope so."

Maria Stengart was a senior employee at Loving Care, which provides Home Care Services for children and adults. Among other things, Loving Care’s employee handbook states that “Email and voice mail messages, internet use and communication, and computer files are considered part of the company’s business and client records. Such communications are not to be considered private or personal to any individual employee.” Stengart was issued a company laptop, on which she occasionally accessed her personal Yahoo account. She resigned in December, 2007 and shortly thereafter filed suit against Loving Care alleging constructive discharge due to sexual harassment and ethnic discrimination.

In April 2008 Loving Care sent an image of her laptop hard drive to a data recovery company, which recovered at least one personal Yahoo email between Stengart and her attorney, presumably from a recovered browser cache. Of course, this prompted Stengart to assert attorney-client privilege, demanding that all attorney communications be returned or destroyed. The company balked, and in essence argued that Stengart had waived the privilege by using a company computer.

The trial court found in favor of the employer, but the appellate court reversed.

If I were to play armchair quarterback for a second, I think that the New Jersey Supreme Court will probably find in favor of Stengart as a substantive matter, but the case raises several issues of legal, policy, and practical significance, with no apparent easy answers.

In general, employees have a diminished (i.e., nearly zero) expectation of privacy on an employer’s network, especially when the employer has put the employee on notice of that fact. The trial court merely extended this well-established principle to attorney-client communications. After all, an employer must be able to control, protect, and secure its network against a range of threats.

On the other hand, most employers allow company computers to be used for personal reasons. It seems to be bad public policy that an employee would waive the attorney-client privilege simply because she uses a browser on her company computer during her lunch break, rather than a home browser. This is especially true if she happens to e-mail her lawyer about an action against the employer. It seems absurd that a distinction so technical should allow the employer to "rummage through and retain the employee’s e-mails to her attorney," as the appellate court put it.

But if an employee does enjoy some expectation of privacy in personal communications over a company network, how much, and how does an employer write a policy to manage it? Does an employee enjoy the same expectation of privacy for personal email transferred via POP3 or IMAP to a local company version of Outlook, compared to an email recovered from an HTTP browser cache? Does the employer have a duty to not attempt to recover deleted personal emails? Are employers allowed to snoop unless communication appears privileged? I don’t have a good answer, and it will be interesting to see what answer the court comes up with.

Surely an employee cannot enjoy an unqualified expectation of privacy by simply using non-company communications, because employers still have an interest in making sure that employees do not use personal accounts to transfer trade secrets, compete against the company, or download a virus.

We’ll keep an eye on this one.


Aaron Titus Speaking at ICAMISS

Note: This article originally appeared on the J.C. Neu & Associates Blog

Aaron Titus will be presenting at the International Conference on Applied Modeling & Information Security Systems (ICAMISS) on October 10, 2009 at the University of Alabama, Birmingham.

The speech will focus on the risks associated with personal information management, especially in an institution of higher education, where information is supposed to flow freely.  These are among the policies and behaviors that put information at risk:

  • Administrative Decentralization
  • Naive Office Culture
  • Unprotected “Old” Data
  • Shadow Systems
  • Unregulated Servers
  • Unsophisticated Privacy Policies
  • Improper Use of the SSN
  • Unsanitized Hard Drives and Insecure Laptops

The International Conference on Applied Modeling & Information Security Systems is sponsored by the Department of Defense, Krell Institute, NASA-Ames Research Center, Institute of Applied Science & Computation, Eastern Illinois University and University of Alabama at Birmingham.

 
