Chapter 6: Cybertorts, Privacy, and Government Regulation

1
Chapter 6 Cybertorts, Privacy, and Government
Regulation

• David Baumer
• Spring, 2002
• BUS 504 Technology, Law and the Internet

2
Cybertorts

• The notion behind cybertorts is that the Internet
  has created a connectedness that was not present
  previously
• Two areas of tort that are most impacted by the
  Internet
• Defamation
• Invasions of Privacy
• For defamation much of the action pertains to
  liability of third parties for rebroadcasting the
  defamatory comments

3
Defamation in Cyberspace

• Defamation--can be oral or written
• By and large cyberspace defamation is written so
  libel standards apply
• Defamation requires a showing that
• The defendant made or repeated false statements
• Were heard by third parties
• Harmed the reputation of the plaintiff
• If the media is the defendant and the pl. is a
  public figure, the pl. must show that the def.
  knew or should have known that the statements
  were false

4
Defamation in Cyberspace

• The crucial issue in cyberspace defamation cases
  is how to treat ISPs
• If the ISP is treated as a publisher, then they
  have tremendous liability exposure
• If the ISP is treated as a bookstore, then they
  are basically not liable for the contents of
  those using their service
• Bookstores are treated as distributors of the
  material and are not liable unless they knew or
  should have known that the material they transmit
  is defamatory

5
Defamation in Cyberspace

• In the early cases, liability of the ISP was
  based on whether the ISP supervised the content
  of the users of their service
• The unfortunate result was that ISPs that tried
  to clean up content of users in terms of
  obscenity, were liable for defamatory content of
  other users
• Congress did not like this outcome so they passed
  the Communications Decency Act (CDA) of 1996
• Section 230(C) of the CDA provides that no
• provider or user of an interactive computer
  service shall be treated as the publisher or
  speaker of any information provided by another
  information content provider.

6
CDA of 1996

• Congress said in the CDA that there shall be no
  liability if a ISP restricted obscenity
• Inconsistent state laws dealing with defamation
  were preempted by this legislation
• Employer liability
• Given the ease of constructing ISPs, many
  employers are ISPs within the meaning of the CDA
• The CDA could be used to shield employers from
  liability
• Also note that there are an increasing number of
  states that have exempted employers from
  liability unless they knew or had reason to know
  the statements were false

7
Privacy and the Internet

• The value Americans place on privacy is enshrined
  in the 4th Amend.
• The 4th Amend. pertains to govt. intrusions
• For invasions of privacy by private
  (nongovernmental) sources
• Common law torts are available
• Increasingly, statutes are being passed to
  augment the reach of invasion of privacy claims

8
Privacy and the Internet

• The courts use the term reasonable expectation
  of privacy when analyzing whether an invasion of
  privacy has taken place
• The term is used both in 4th Amend. cases and in
  tort suits between citizens
• At common law an unreasonable intrusion into the
  pl.s solitude is considered a tort
• Hidden cameras would be an unreasonable intrusion
  as would wiretaps, listening devices,
• Reasonable expectation of privacy is not
  warranted w.r.t. information given out over the
  Internet

9
Privacy and the Internet

• While it is not reasonable to expect privacy when
  information is given to a third party over the
  Internet
• It is reasonable to expect privacy if the
  recipient guarantees that the information will
  remain private
• Companies that do not adhere to their stated
  privacy policies are subject to invasion of
  privacy lawsuits
• Furthermore if the information is collected
  without knowledge or consent of the person
• Web sites that attach cookies or collect
  information for one purpose such as a contest
  could be liable also
• To date there have been no lawsuits based on the
  act of attaching cookies or web bugs
• Web sites that store sensitive information such a
  medical or financial are subject to statutory
  regulation

10
Privacy On The New Frontier of Cyberspace

• The Federal Trade Commission (FTC) has authority
  to combat unfair and deceptive trade practices
• Much of the FTCs Internet work has been in their
  consumer protection branch
• http//www.ftc.gov/ftc/consumer.htm
• In the Consumer Protection branch there are a
  wide range of activities that the FTC has listed
  as unfair and deceptive trade practices

11
Privacy On The New Frontier of Cyberspace

• FTC Fair Information Practices
• Notice/Awarenessconsumers should be notified as
  to who is gathering the data and the uses that
  will be made of that data
• Choice/Consentconsumers should consent to any
  secondary use for the data. There should be
  opt-in and opt-out provisions.
• Access/Participationconsumers should have the
  right to contest the accuracy of the data
  collected.
• Integrity/Securitythere should be managerial
  mechanisms in place to guard against loss,
  unauthorized access, or disclosures of the data.
• Enforcement/Redressthere should be remedies
  available to victims of information misuse.

12
Privacy On The New Frontier of Cyberspace

• Essentially, the FTC would like all web sites
  that collect consumer information to adhere to
  these principles
• FTC surveys indicate that 97 of web sites
  collect personal information from visitors
• About 50 provide for opt-out provisions on the
  information collected
• About 43 of the web sites provided consumers
  with access to the records collected about them
• Only 20 of the web sites surveyed adhered to all
  of the FTC Fair Information Principles

13
Data Collection and Computers

• As everyone knows more and more records are being
  computerized
• Compared to paper records the opportunity for
  snooping has dramatically increased
• Much of the sensitive information is stored on
  government files
• In some (many?) cases the govt. is extremely lax
  in who they allow access to data collected from
  citizens

14
Internet Data Collection and Cookies

• Note that many web sites advertise their ability
  to equip you with the tools to snoop on
  neighbors, coworkers and relatives
• The FTC has developed information on identity
  thieves
• On a routine basis web sites attach cookies to
  visitors
• Cookies can have beneficial uses for web sites
  and visitors alike, but in general cookies amount
  to an
• involuntary extraction of information
• Web sites that use cookies are most interested in
  the clickstream of the browers--where have the
  brower been to since the last visit

15
Internet Data Collection and Cookies

• Certainly cookies violate some of the FTC Fair
  Information Principles
• More and more web sites are now discussing their
  use of cookies in their privacy statements
• The FTCs actions in the Geocities case
  illustrates some of what the FTC considers unfair
  and deceptive
• Certainly corrective action was taken by Yahoo,
  but there are thousands of violators
• Also third party verifiers have emerged such as
  TRUSTe that certify adherence to certain privacy
  policies

16
Internet Data Collection

• One of the problems is that online vendors are
  forced to collect a lot of information form
  customers in order to verify their identity
• Unless the vendors use commercially reasonable
  attribution procedures, they cannot charge
  customer credit cards
• Commercially reasonable attribution procedures
  include collecting name, credit card, addresses,
  email names and other names

17
Internet Data Collection

• According to the FTC your identity can be stolen
  by
• co-opting your name, Social Security number,
  credit card number, or some other piece of your
  personal information for their own use.
• Identity thieves can
• Use credit cards to defraud victims
• Open bank accounts
• Open cellular phone accounts

18
Internet Data Collection

• Egghead.coms privacy policy reflects the modern
  reality of E-Commerce
• For credit card transactions the transmissions
  are encrypted
• Egghead will refund 50 to you for any liability
  you encounter so long as you are blameless if
  your credit card number is used by a fraudulent
  party
• Egghead does make your email address available to
  third parties they select
• Note that there is an opt-out option
• Egghead claims that they will not sell consumer
  information to third parties

19
Internet Data Collection

• Egghead does collect information obtained from
  customers
• For purposes of reporting to advertisers
• Egghead gets more money from advertisers the more
  traffic they have at their web site.
• They claim not to reveal any unaggregated data to
  the advertisers
• In connection with games and contests information
  is collected and shared with third parties, again
  with an opt out option
• The third parties have to pledge not to resell
  the information

20
Internet Data Collection

• Egghead does attach cookies to your browser to
  assist them in determining your buying
  preferences
• Egghead says it does not sell or rent information
  collected from cookies to third parties

21
Childrens Sites

• Again the FTC has been active in this area
• The Geocities case is just one example
• The FTC considers it an unfair and deceptive
  trade practice to collect information from
  children without parental consent when that
  information will be used for another purpose
• Congress has passed the Childrens Online Privacy
  Protection Act of 1998, which basically requires
  the same safeguards
• Children are considered under 13
• Most of the FTC Fair Information Principles are
  required
• Notice, an opportunity to review, opt out,
  security and confidentiality

22
Financial Records

• Financial Records The Gramm-Leach-Bliley Act,
  1999
• The Privacy aspects of the Act are summarized by
  the beginning of Title V
• It is the policy of the Congress that each
  financial institution has an affirmative and
  continuing obligation to respect the privacy of
  its customers and to protect the security and
  confidentiality of those customers nonpublic
  personal information.
• The Act requires that financial institutions
  insure the privacy and confidentiality of
  customer records and information

23
Financial Records

• The Gramm-Leach-Bliley Act also
• Provide protection against any anticipated
  threats or hazards to the security or integrity
  of those records, and
• Protect against unauthorized access to or use of
  such records or information.
• It is clear that the Act prohibits giving out of
  nonpublic information to 3rd parties without
  notice and an opt out option
• The Act prohibits giving out account numbers and
  credit card information to unaffiliated third
  parties for use in telemarketing, email and
  direct mailings

24
Medical Records

• The Health Insurance Portability and
  Accountability Act of 1996
• There are two parts to this legislation
• One part deals with denial of health insurance
  when a person changes jobs and this part has been
  successful
• The other part deals with the privacy of medical
  records
• Regulations drafted by HHS prohibits
  nonconsensual secondary use of medical records
• It allows transfers of medical records among
  healthcare providers, insurers, and HMOs
• Other transfers of medical information must be
  approved unless they fall into certain exceptions

25
Medical Records

• The HIPAA exceptions include
• Public health authorities
• Medical researchers
• Law enforcement
• Officials performing oversite functions for
  purposes of determining whether fraud has taken
  place
• There are other exceptions
• The revised regs. from HHS have just been
  approved for use, implementation has been stayed

26
European Union and Privacy

• In the U.S. there is a much greater reliance on
  self-regulation than in the EU
• The EU passed a Data Protection Directive that
  prohibits sharing data with any country who does
  not subscribe to their heavily regulated
  standards
• The Department is Commerce has fashioned some
  regulations that seem to satisfy the EU at present