Category: Privacy (Electronic Surveillance)


Employer Liability for Not Monitoring Its Employees’ Computer Use

computer2a.jpgThe United States v. Ziegler case I wrote about in a previous post brings to mind a radical employment law case decided last December in New Jersey. [Thanks to Charlie Sullivan and Timothy Glynn for bringing the case to my attention]. The case is Doe v. XYC, 887 A.2d 1156 (N.J. Super. 2005). Since I couldn’t find a version of it online, I’ve posted a copy here.

In Doe v. XYC, Jane Doe sued XYC Corporation on behalf of her daugher, Jill. XYC Corporation employed Jane’s husband and Jill’s stepfather (referred to in the opinion as the “Employee”). The Employee “had been secretly videotaping and photographing Jill at their home in nude and semi-nude positions. Jill was ten years old at the time.” The Employee “tramsitted three of the clandestinely-taken photos of Jill Doe over the Internet from his workplace computer to a child pron site in order to gain access to the site. Employee later acknowledged that he stored child pornogrpahy, including nude photos of Jill Doe, in his workplace computer.”

The court held that XYC Corporation could be liable:

We hold that an employer who is on notice that one of its employees is using a workplace computer to access pornography, possibly child pornography, has a duty to investigate the employee’s activities and to take prompt and effective action to stop the unauthorized activity, lest it result in harm to innocent third parties. No privacy interest of the employee stands in the way of this duty on the part of the employer.

Here’s how the court reached its conclusion. I’ll try my best to trace the steps of the court’s reasoning.

First, the court noted:

In this case, defendant had an e mail policy which stated that “all messages composed, sent or received on the e mail system are and remain the property of the [defendant]. They are not the private property of any employee.” Further, defendant reserved the “right to review, audit, access and disclose all messages created, received or sent over the e mail system as deemed necessary by and at the sole discretion of [defendant].” Concerning the internet, the policy stated that employees were permitted to “access sites, which are of a business nature only” and provided that:

Any employees who discover a violation of this policy shall notify personnel. Any employee who violates this policy or uses the electronic mail or Internet system for improper purposes shall be subject to discipline, up to and including discharge.

Second, XYC’s computer network administrator discovered that the Employee was visiting porn websites. Company officials told the Employee to stop. The Employee said he would halt this activity. Note that XYC was only on notice that the Employee was viewing porn, not child porn. Therefore, the court concluded, “[w]e impute to defendant knowledge that Employee was using his work computer to access pornography.”

Read More


Update on AT&T Surveillance Class Action

Orin Kerr has written about the case:

[T]his is (as far as I know) the first judicial opinion to express a view of the merits of the NSA program. Even if it’s dicta, the reasoning is unimpressive, and it is based only on facts alleged in the EFF’s complaint, Judge Walker’s statement that it “cannot seriously [be] contended” that “the alleged domestic dragnet was legal” based on the complaint seems likely to impact the debate.

You can read how Orin reached this conclusion here.


Hide and Seek: Class Action Against AT&T For Alleged Spying To Proceed

hide and seek 2.JPG

I am in the middle of arranging for movers so I can’t give any great detail on this one but CNET reports that:

A federal judge rejected on Thursday both the U.S. government’s and AT&T’s requests to dismiss a class-action suit accusing the telephone giant of assisting the National Security Agency in a sweeping, allegedly illegal terrorist surveillance program.

I hope that Orin Kerr or Dan Solove will provide some thoughts on the opinion. Nonetheless for those who wish to jump in and read the opinion, Judge Vaughn Walker’s 72-page opinion is available here.

A quick scan suggests that Judge Walker addresses many nuances of the program in question. For example, page 38 of the opinion has a chart that “summarizes what the government has disclosed about the scope of these programs in terms of (1) the individuals whose communications are being monitored, (2) the locations of those individuals and (3) the types of information being monitored.”

Examining the chart Judge Walked found that:

The government’s public disclosures regarding monitoring of “communication content” (i e, wiretapping or listening in on a communication) differ significantly from its disclosures regarding “communication records” (i e, collecting ancillary data pertaining to a communication, such as the telephone numbers dialed by an individual). See supra I(C)(1). Accordingly, the court separately addresses for each alleged program whether revealing the existence or scope of a certification would disclose a state secret.

Finally the court stated, “In sum, the court DENIES the government’s motion to dismiss, or in the alternative, for summary judgment on the basis of state secrets and DENIES AT&T’s motion to dismiss.”


Template for News Stories on Government Data Gathering

surveillance3.jpgNSA warrantless wiretaps. NSA collection of phone records. CIA gathering of financial records.

The stories are endless. To help out reporters, I thought I’d just write a quick and easy template to make reporting a little bit easier. So here it is:

Under a top secret program initiated by the Bush Administration after the Sept. 11 attacks, the [name of agency (FBI, CIA, NSA, etc.)] have been gathering a vast database of [type of records] involving United States citizens.

“This program is a vital tool in the fight against terrorism,” [Bush Administration official] said. “Without it, we would be dangerously unsafe, and the terrorists would have probably killed you and every other American citizen.” The Bush Administration stated that the revelation of this program has severely compromised national security.

“This program is a threat to privacy and civil liberties,” [name of privacy advocate] said. But [name of spokesperson for Bush Administration] said: “This is a very limited program. It only contains detailed records about every American citizen. That’s all. It does not compromise civil liberties. We have a series of procedures in place to protect liberty.”

“We’re not trolling through the personal data of Americans,” Bush said, “we’re just looking at all of their records.”

The [name of statute] regulates [type of record] and typically requires a [type of court order]. Although the [name of agency] did not obtain a [type of court order], the Bush Administration contends that the progam is “totally legal.” According to the Attorney General, “we can [do whatever we did or want to do]. The program is part of the President’s emergency war powers.”


The NSA Phone Call Database: The European Perspective

Had a European government, instead of the Bush administration, created the NSA’s call database, would that government be in violation of European privacy law? I think so, for the reasons I explore below.

Why should anyone care that the outcome would have been so different under European privacy law? One reason for the comparison with Europe is that it enables us to understand better current developments in American law. It is striking how similar American and European data privacy law was in the early 1970s, how different it is today. The first European database privacy statutes of the 1970s drew on the U.S. Privacy Act of 1974. Alan Westin’s Privacy and Freedom, published in 1967, was read widely by both American and European policymakers. There are many reasons for the divergent paths of the two systems. This latest example of difference highlights one set of reasons: the President’s new constitutional powers in fighting terrorism, post-September 11. Congress, the courts, and the public might very well accept that the NSA program is legal, based on the President’s inherent authority as commander-in-chief. In Europe, that would not be possible.

A more pragmatic reason for caring about the different result under European privacy law is that it could undermine transatlantic cooperation in the fight against terrorism. Some European laws forbid the transfer of public security and law enforcement data to countries without adequate privacy protection. This latest revelation just reinforces the European view that U.S. privacy laws are inadequate—and therefore could make European governments reluctant to turn over information on European citizens to the American government in the fight against terrorism.

Read More


Is There a Good Response to the “Nothing to Hide” Argument?

skeleton-in-closet.jpgOne of the most common attitudes of those unconcerned about government surveillance or privacy invasions is “I’ve got nothing to hide.” I was talking the issue over one day with a few colleagues in my field, and we all agreed that thus far, those emphasizing the value of privacy had not been able to articulate an answer to the “nothing to hide” argument that would really register with people in the general public. In a thoughtful essay in Wired (cross posted at his blog), Bruce Schneier seeks to develop a response to this argument:

The most common retort against privacy advocates — by those in favor of ID checks, cameras, databases, data mining and other wholesale surveillance measures — is this line: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these — as right as they are — is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

As a pragmatist, I’m generally unconvinced by inherent rights talk. But Schneier goes on to discuss a reason for restricting government surveillance that I do agree with — ensuring that government power is appropriately checked, monitored, and limited from potential abuse.

Another argument is that if you look hard enough at someone’s life, in the words of playwright Friedrich Durrenmatt, “a crime can always be found.” With the infinite tangle of criminal laws in this country, Durrenmatt’s line might belong in a work of non-fiction rather than fiction. But this response gets back to Schneier’s objection that we shouldn’t focus on privacy as protection to hide wrongdoing.

Read More


New Casebook (Privacy, Information, and Technology)

Spinoff Cover 2e.jpgApologies for the self-promotion, but in time for this fall semester, Paul Schwartz, Marc Rotenberg, and I will be publishing a short paperback casebook of about 300 pages entitled PRIVACY, INFORMATION, AND TECHNOLOGY (Aspen Publishers, forthcoming mid-July 2006), ISBN: 0735562548.

This book is intended to be an inexpensive volume that adapts the cyberspace and technology materials from our full-length casebook, INFORMATION PRIVACY LAW (Aspen Publishers, 2d ed. 2006). The full-length casebook is about 1000 pages; the shorter paperback book is a more streamlined volume of about 300 pages, focusing exclusively on cyberspace, databases, and technology. Aspen informs me that this shorter paperback adaptation will probably sell at a price between $30 and $35.

The book might be useful as a supplement for cyberlaw or information law courses for instructors who want in-depth coverage of information privacy issues for between 2 to 5 weeks.

More information about the book is here. If you’re interested in getting on the list to obtain a review copy of the book (available in mid-July), please send an email to Daniel Eckroad.

The table of contents is available here. A summary of the book’s contents is after the fold.

Read More


The Technicalities and Complexities of Electronic Surveillance Law

NSA3.jpgCurrently, there’s a debate raging about whether the phone companies violated the law when they supplied phone call records to the NSA. Orin Kerr opines:

The Stored Communications Act, 18 U.S.C. 2701-11, only regulates two kinds of providers: providers of electronic communication service and providers of remote computing service. Everyone agrees that the telephone companies are not acting as providers of remote computing service, so if they are liable they must be acting as providers of electronic communication service. . . .

A local telephone company is clearly a provider of electronic communication service: it literally provides users the ability to send or receive telephone calls. But is a company that only provides long distance service a provider of electronic communication service?

Maybe, but I’m not entirely sure. I don’t know much about how modern telephone networks work, but I am guessing that local carriers carry the first part of the call. In the case of a long-distance call, I assume that the long-distance carrier picks up the call at some point from the local carrier, and sends it to the local carrier at the receiving end of the call. If that’s right, I’m not entirely sure the long-distance carrier is a provider of electronic communications service.

I can see arguments on both sides. . . .

This debate gets to one of the major problems with electronic surveillance law. In my article, Reconstructing Electronic Surveillance Law, 72 Geo. Wash. L. Rev. 1264 (2004), I observed:

Electronic surveillance law has not kept pace with the staggering growth of technology. As discussed earlier, the law currently makes antiquated distinctions that often do not protect what is most important. Electronic surveillance law has lagged behind technological developments and has not been responsive to new surveillance technologies. . . .

Despite . . . dramatic changes since the passage of [The Electronic Communications Privacy Act (“ECPA”) which includes the Stored Communications Act under its umbrella] in 1986, Congress has failed to engage in a major revision of the law [except for some smaller changes here and there, the most notable of which was the USA-Patriot Act]. Under this state of affairs, law enforcement cleverly employs new technologies to try to avoid triggering ECPA. Often, these technologies are quite invasive, but the debate seems to turn on technicalities—whether the surveillance fits into ECPA’s framework. This invites a technological rat race, in which law enforcement uses new technologies designed to fit within ECPA’s less stringent provisions or to fall entirely outside of ECPA’s scope. . . .

Lost amid the labyrinthian task of applying ECPA’s complex provisions is the question of whether new technologies contravene the appropriate balance between effective law enforcement and privacy. . . .

Read More