This article has also been published, with some differences, in 34 San Diego Law Review 1153 (1997).

© 1997 San Diego Law Review

 

 

 

LOST AND FOUND IN CYBERSPACE:

Informational Privacy in the Age of the Internet

Susan E. Gindin[*]

 

CONTENTS

I. INTRODUCTION

II. JUSTICE BRANDEIS REVISITED: HOW PRIVACY MAY BE INVADED ELECTRONICALLY

A. Personal Information Available Online

B. Privacy of Online Transactions

1. E-Mail

a. Workplace E-Mail

b. Unsolicited Commercial E-Mail

2. Search Engines

3. "Cookies", Clickstream Data, On-Site Registration, Children's Privacy, Etc.

4. Online Commerce

C. Government Record-Keeping

III. PRIVACY PROTECTION TOOLS & PROCEDURES

A. Self-Help: Online Privacy Protection Tools

B. Self-Regulation: Information Industry Procedures

IV. ENTER THE LAW: PRIVACY RIGHTS IN PERSONAL INFORMATION

A. Constitutional Protections

1. Fourth Amendment Protections

2. Informational Privacy and Whalen v. Roe

3. First Amendment Considerations

4. State Constitutions

B. Common-Law Right to Privacy Torts

1. Unreasonable Intrusion upon the Seclusion of Another

2. Publicity Given to Private Life

3. Publicity Placing Person in False Light

4. Appropriation of Name or Likeness

C. Other Common Law Bases for Litigation

D. Statutes Providing Privacy Protections

1. Electronic Communications Privacy Act

2. Computer Fraud and Abuse Act

3. Privacy Protection Act

4. Privacy Act

5. Fair Credit Reporting Act

6. Other Informational Privacy Acts

7. State Statutes

E. Fertile Ground for Litigation

1. Workplace E-mail

2. Unsolicited Commercial E-mail

F. Proposed Legislation

V. FAIR INFORMATION PRACTICES GUIDELINES

VI. CONCLUSION

 

I. INTRODUCTION

Subtler and more far-reaching means of invading privacy have become available. . . .Ways may some day be developed by which Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. Justice Louis Brandeis[1]

The computer and the modem have fulfilled Justice Brandeis' 1928 prophecy in his landmark dissent in Olmstead v. United States. Our private lives are now exposed by electronic retrieval and publication of personal information. While Justice Brandeis was primarily concerned about governmental intrusion into private lives, his prophecy and his description of the right to privacy as "the right to be let alone--the most comprehensive of rights and the right most valued by civilized men" (277 U.S. at 478) should apply equally to such intrusion by non-governmental entities.[2] The computer and modem[3] provide both an economical and efficient means of finding needed information. Yet, as increasing amounts of personal information[4] are collected and revealed electronically, there is growing concern over the resulting loss of privacy.

In this article, I will discuss 1) how privacy may be invaded electronically; 2) the tools and procedures that are available to help protect individual privacy; 3) the state of the law regarding the rights[4a] of individuals to control the disclosure of their personal information; and 4) proposed fair information practices guidelines. As will be discussed, what is needed is a comprehensive federal policy that will guarantee individuals the right to control the collection and distribution of their personal information. A vital component of this policy would be an informational privacy protection statute which incorporates the basic tenets of fair information practices:[5] the right to limit data collection, data transfers, and secondary uses; the right to access one's personal data and to make corrections; the right to have one's personal data maintained securely; and the right to be informed of data collection and transfer. Such protections will enable individuals to enjoy more fully the many opportunities available throughout cyberspace.[6]

II. JUSTICE BRANDEIS REVISITED: HOW PRIVACY MAY BE INVADED ELECTRONICALLY

An individual's privacy may be invaded electronically in several ways: first, by the significant amount of personal information which is available in online databases; second, by the transactional information collected as the individual participates in online activities which specifically identifies the individual; and third, by the massive computerized databases which are maintained by federal, state, and local governments, that may be subject to security breaches.

A. Personal Information Available Online

An individual's privacy may be invaded by the publication of personal information online.[7] A significant amount of personal information is available on the Internet,[8] particularly on the World Wide Web.[9] For example, DatabaseAmerica,[10] which is a nationwide residential and business telephone directory, includes data on about 165 million households. In addition, Database America includes reverse telephone number search capabilities.[11] Four11: Internet White Pages[12] provides e-mail addresses as well as telephone numbers and addresses. Map Blast![13] provides area maps which pinpoint requested addresses.

Much of the information provided on the Internet without charge is directory-type information, not traditionally considered private (and in fact, usually recognized as essential for communication), and is therefore not objectionable to most people. However, some of the fee-based Internet sites raise more concerns. For example, Information America's KnowX,[14] which is a comprehensive source of public record information, includes aircraft and watercraft ownership, death records, bankruptcy, lawsuit, lien, and judgment information regarding individuals. On KnowX, basic information is free; detailed information, including property records and similar information, is available for a per-record fee.[15]

Even more detailed, and often more objectionable, personal information is available on commercial online services which are marketed to legal and business professionals, and journalists. These include Autotrack, CDB Infotek, Information America, IRSC, LEXIS-NEXIS, and U.S. Datalink. The personal information available through these services varies depending on the database, but generally includes name, address, and telephone number, and may include Social Security information, birthdate, and names and birthdates of other people living at the same address. Some databases provide real estate records including data on neighboring properties; approximate household income; plane and boat ownership; motor vehicle records; voter registration records; law suits; liens and judgments; criminal records; and credit information.[16]

The commercial online services purchase the personal information they publish from various sources. Much of the information is obtained from one of the three credit reporting companies, Equifax, Experian (formerly TRW), and Trans Union. The credit reporting companies sell the "credit header" portion of credit histories to commercial online services, as well as to marketers and other users of personal information. The credit header data includes name, address, former addresses, telephone number (sometimes including unlisted numbers), Social Security number, and birthdate. The online services also purchase the personal information they publish from information resellers, such as Metromail, which compile data using census bureau statistics and various sources of marketing information, including warranty card returns and requests for product samples and discount coupons. Another source of personal information is the government. Public records, such as real estate records, are purchased directly from the responsible government agency. [17]

A great deal of personal information is also revealed in electronic medical records, which are often linked to health records kept in various locations. In addition to being available to doctors and hospitals, most patient records are available to health insurers, pharmacists, state health organizations and researchers. Sometimes these records are also available to employers, life insurance companies, marketing firms, pharmaceutical companies and others.[18]

The wide availability of personal information online is beneficial in many ways. The Internet site, Switchboard,[19] a nationwide residential and business directory, includes heartwarming stories of long-lost friends and relatives being reunited through Switchboard. The commercial online services, such as America Online and CompuServe, relate similar stories of reunions accomplished through the use of their services. Similarly, the lower medical costs (which result from elimination of duplicate testing procedures) are just one of the benefits of computerized medical records.[20] From the viewpoint of a business professional trying to locate critical witnesses or parties to a lawsuit in an online people finder search, the online availability of this information is equally beneficial.

However, this wide availability also raises concerns over the potential misuse of confidential or inaccurate information.[21] Inaccurate information can result in the denial of credit or government benefits.[22] Misuse of confidential information, such as an individual's Social Security number and other identifying data, can also have severe consequences.[23] As commentators suggest, the profile of an individual which can be compiled using information stored in databases, "could be so complete that it will be like having another self living in a parallel dimension: it is a self you cannot see, but one that affects your life just the same."[24] Another commentator noted that "once the persona is recorded it achieves more credence than the individual."[25] One victim of an impersonator (who violated numerous criminal and civil laws in the name of the victim) was advised that the easiest solution to the problem of someone using his identity would be for him to change his own name and Social Security number.[26]

In response to privacy concerns, many database providers have eliminated sensitive information from their databases. In 1996, Yahoo eliminated the reverse telephone number search portion from its People Search site.[27] In 1991, in response to consumer complaints, Lotus abandoned its plans to sell "Marketplace: Households", a database containing names, addresses and marketing information on 120 million U.S. residents.[28] In 1997, shortly after the Social Security Administration (SSA) launched its Interactive PEBES (Personal Earnings and Benefit Estimate Statement) service on the Internet,[29] the SSA suspended the service in response to privacy concerns, pending further assurances that the online disclosure of PEBES information would not be compromised by security breaches.[30]

In 1996, LEXIS-NEXIS introduced P-TRAK, which provides up to three addresses, as well as aliases, maiden names, and birthdates for over 300 million people, and which, at the time of its introduction, included Social Security numbers. There was considerable public uproar and discussion in the media and on Internet discussion groups. In response to concerns expressed about the potential misuse of Social Security numbers, LEXIS-NEXIS removed the display of Social Security information from the records within two weeks after its introduction of P-TRAK (although records can still be searched using the Social Security number). Public concern about P-TRAK arose again a few months later when postings appeared on numerous Internet discussion groups incorrectly stating that P-TRAK contains personal financial and medical information, as well as displays of Social Security numbers. This misinformation spread quickly to different Internet discussion groups and eventually to corporate e-mail. LEXIS-NEXIS Customer Service was soon inundated with calls from people requesting removal of personal data from P-TRAK. Also, Congress and the Federal Trade Commission (FTC) were inundated with P-TRAK complaints from constituents. LEXIS-NEXIS responded by providing various means for individuals to have personal information removed from the P-TRAK database. The FTC responded by urging Congress to amend the reporting of consumer information provisions of the Fair Credit Reporting Act.[31]

There are currently no laws regulating the publication of personal information in online databases. Unless steps are taken to regulate the publication of personal information online, the amount will likely increase. Several factors have converged during the second half of the twentieth century to cause this increased availability of personal information. One factor is that society has become dependent on information. Businesses, government, and some individuals[32] need information to function effectively. Personal information is used by federal, state, and local governments for various purposes, including collection of taxes, allocation of government benefits, and law enforcement. Personal information is required by businesses, for instance, in making hiring and credit-granting decisions, and for the successful marketing of products.

Commentators say we have entered an information age, resulting from the transformation of society's economic base from industry to information.[33] One commentator noted that, "[i]nformation has taken on a new character . . . it has passed from being an instrument through which we acquire and manage other assets to being a primary asset itself".[34]

In 1997, information is the product of over 550 private companies, which include credit reporting agencies, interactive online services, database producers, and financial information services,[35] with annual revenues somewhere in the billions.[36] The sale of information is also a source of substantial revenue for government agencies.[37] The information industry has been growing dramatically every year, and shows no signs of slowing down.[38]

Another factor contributing to the wide availability of personal information online is the government's initiative to make government records readily available to the public. Citizen access to government information was assured by the 1966 enactment of the Freedom of Information Act (FOIA),[39] followed by the enactment of similar state statutes, which codified long-standing philosophies that the free flow of information between the government and the public is essential to a democratic society.[40]

The government's initiative took on new significance with the development of the Internet and other online databases which offered a means for widespread dissemination of government records. In 1993, the Office of Management and Budget established an Information Management Policy that included the online dissemination of government records.[41] A number of government agencies have made their records available electronically via commercial online services[42] or via the Internet.[43]

A third factor contributing to the wide availability of personal information online is the development of computer and telecommunication technologies, including the Internet. These technologies have enabled the information industry to flourish by providing the means for government and private industry to collect and manage vast amounts of data, and to transmit the data around the world. Because information can be obtained and transmitted so quickly, heightened expectations regarding information availability are created. It is likely that those in need of personal information will demand even more online access.

B. Privacy of Online Transactions

Computer technology also provides the means for collecting personal information which is incident to the use of online services and the Internet. The Internet has the capacity to be the most effective data-collector in existence. Concerns about the collection and potential misuse of personal information are multiplying as new ways of electronically collecting personal information emerge. An online user's privacy may also be invaded by his use of electronic mail, online services, and the Internet.

1. E-mail[44]

In 1994, 776 billion electronic-mail (e-mail) messages passed through U.S. based computer networks.[45] Projections are for 2.6 trillion e-mail messages to pass through U.S. networks in 1997, and for 6.6 trillion e-mail messages to pass through U.S. networks in 2000.[46]

One's privacy may be invaded when sending e-mail, which is notably insecure.[47] The Internet functions by sending data from computer to computer in packets until the data reaches its destination. While the data is traveling to the intended recipient, third parties have many opportunities to intercept it.

a. Workplace E-mail

One's privacy may also be invaded in the workplace:

It's a situation that arises a million times a day in offices around the world. An employee has something personal to tell a co-worker . . . . Rather than pick up the phone or wander down the hall, he or she simply types a message on a desktop computer terminal and sends it as electronic mail. The assumption is that anything sent by E-mail is . . . private. That assumption, unfortunately, is wrong. . . .[48]

In a 1996 survey of 500 executives by the Society for Human Resources Management, 36% said they looked at employee e-mail.[49] A similar survey conducted by MacWorld in 1993 showed that nearly two-thirds of those employers who monitored their employees' e-mail, electronic work files, network messages, or voice mail, did so without warning the employees.[50]

Employers monitor[51] employee e-mail for a number of reasons. Some businesses conduct employee e-mail, telephone, and keystroke monitoring routinely, for instance, to assist in the training of new employees.[52] Others monitor e-mail because of concerns about trade secret misappropriation[53] or liability for employee defamation, harassment, copyright infringement, and other electronic misdeeds of employees.[54]

Many employees feel that their employer's monitoring of their e-mail is an invasion of privacy. As a result, there has been a significant amount of litigation over workplace e-mail privacy.[55] Although the courts have so far ruled that the employees had no reasonable expectation of privacy in their workplace e-mail, this issue will surely engender additional litigation.

E-mail messages can usually be retrieved from a variety of locations, including the network, local hard drives, and backup tapes, even if they have been deleted. E-mail sent or received on an employer's computer system is also discoverable[56] and is subject to review by law enforcement officials in criminal investigations.

In light of the many potential difficulties which can arise with regard to employee e-mail use, many commentators urge that employers prepare carefully drafted policies regarding employee Internet and e-mail use.[57]

b. Unsolicited Commercial E-mail

One's privacy may be invaded by unsolicited commercial e-mail, also known as junk e-mail, or as spam. Junk e-mail is generated by Internet marketers, which compile their mailing lists using the header information (e-mail address, name, service provider) provided with Internet postings, as well as information provided by users when registering to use certain Web sites.

Junk e-mail can also be intrusive. However, not all unsolicited commercial e-mail is objectionable; some is informative and useful. One 1997 survey by an Internet service provider revealed that 70 percent of its users are not bothered by receiving unsolicited commercial e-mail as long as it is tailored to their interests.[58]

However, the bulk mailing of unsolicited e-mail has become a serious concern for the online service providers. These mailings hinder their ability to process legitimate subscriber mail,[59] and harm their relationships with subscribers.[60] Some service providers have resorted to litigation,[61] directed primarily at the largest commercial e-mailer, Cyber Promotions, which sends out 15-20 million unsolicited e-mail messages a day.[62]

Some legislation has been proposed which would regulate unsolicited e-mail.[63] Four federal bills were introduced in 1997,[64] the state of Nevada enacted legislation regulating unsolicited e-mail in July 1997,[65] and other states have proposed legislation.[66]

In addition, numerous print and Web articles provide suggestions for reducing junk e-mail.[67] Suggestions range from asking the advertiser not to send additional junk e-mail to using an Internet address filter that will block communications from known commercial e-mail sites. Other potential solutions allow individuals to "opt-out" of e-mailings. Apex Global Information Services (AGIS),[68] an Internet service provider which hosts commercial e-mailers, announced a plan in April 1997 to create a master list of users who don't want to receive unsolicited commercial e-mail, and then require any e-mailers who use AGIS's service to remove those names from their e-mailing lists.[69] America Online[70] has devised a system in which subscribers have the opportunity to choose whether or not they want to receive e-mail from known commercial e-mailers.[71]

2. Search Engines

An Internet user's privacy can also be invaded by search engines.[72] Search engines use "robots" to continually peruse the World Wide Web and Usenet newsgroups,[73] for additions to their databases which attempt to index every word. Deja News,[74] for instance, prides itself on indexing all of the Usenet postings, and keeping them "until the end of time."[75]

Search engines raise privacy worries because of their capacity to capture and preserve every message communicated in Usenet postings and archived listserv[76] postings. Although a Usenet group or listserv may appear to be merely a collegial and confidential exchange of information, postings often achieve Internet-wide distribution when they are archived and/or included in the search engine databases.

An individual's postings to Internet discussion groups and his World Wide Web site can be found through search engines. Thus, those participating on the Internet should be cautious about what they write.[77]

3. "Cookies", Clickstream Data, On-Site Registration, Children's Privacy, Etc.

An Internet user's privacy may be invaded by certain features used by some online services and World Wide Web site operators to maintain and improve their service. Some Web sites collect "cookies." A cookie is information about the Web site visit, which the Web browser[78] receives from the Web site, and then stores on the visitor's hard drive. The Web site then "reads" the information each time the user visits the site.[79] This information includes the visitor's Internet service provider, the kind of computer and software used, the Web site linked from, as well as which files were accessed and the amount of time spent on each page. The information is used to track visits to the Web site to learn what visitors like and dislike about the site, and to personalize the site so that options the user selects at the first visit can be used automatically for each successive visit.[80]

As such, the information collected does not usually identify a specific individual. However, when combined with on-site registration data, which the Internet user provides when visiting some sites, cookie data may be used to build a profile of the specific Internet user. Many Web sites require on-site registration, including name, address, e-mail address, and sometimes interests, in order to obtain access or certain benefits.
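The linkage described above can be made concrete with a short added example (not part of the original article): it groups constructed page requests by a cookie identifier and then joins them to an on-site registration record. The cookie name "visitor", the request records, and the registration entry are all assumptions made up for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample data: (Cookie header sent by the browser, page requested,
# seconds spent on the page). The empty header is a browser that refused the cookie.
REQUESTS = [
    ("visitor=a1f3", "/sports/scores.html", 40),
    ("visitor=a1f3", "/health/asthma.html", 310),
    ("visitor=9c2e", "/news/index.html", 15),
    ("", "/health/asthma.html", 120),
    ("visitor=a1f3", "/register", 60),
]

# Constructed registration data, keyed by the cookie value that was present
# when the visitor filled in the site's registration form.
REGISTRATIONS = {"a1f3": {"name": "Pat Example", "email": "pat@example.com"}}


def visitor_id(cookie_header):
    """Return the value of the hypothetical 'visitor' cookie, or None if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("visitor")
    return morsel.value if morsel is not None else None


def build_profiles(requests):
    """Total the seconds spent per site section for each cookie identifier."""
    profiles = defaultdict(lambda: defaultdict(int))
    for cookie_header, path, seconds in requests:
        vid = visitor_id(cookie_header)
        if vid is None:
            continue  # no cookie, so this visit cannot be tied to earlier ones
        section = path.strip("/").split("/")[0]
        profiles[vid][section] += seconds
    return {vid: dict(sections) for vid, sections in profiles.items()}


def link_registrations(profiles, registrations):
    """Attach a name to every profile whose cookie value also appears in a registration."""
    linked = []
    for vid, sections in profiles.items():
        person = registrations.get(vid)
        if person is not None:
            linked.append({
                **person,
                "top_interest": max(sections, key=sections.get),
                "seconds_by_section": sections,
            })
    return linked


if __name__ == "__main__":
    profiles = build_profiles(REQUESTS)
    print("Profiles keyed only by cookie value:", profiles)
    print("Profiles tied to a named person:", link_registrations(profiles, REGISTRATIONS))
```

Visitor 9c2e stays a bare identifier and the cookie-less visit is not attributed to anyone; only the visitor who registered becomes a named profile.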

Internet service providers can also track a user's navigation on the Internet using the electronic records of user activity, also referred to as "clickstream" data.[81] Online service providers track navigational patterns on their services to make improvements. In its Terms of Service, America Online explains that it records users' "navigational and transactional" information to "understand our members' reactions to menu items, content, services and merchandise offered through AOL and to customize AOL based on the interests of our Members."[82]

Of particular concern is the on-site registration information requested on Web sites directed at children.[83] Many Web sites directed at children solicit personal information about the child and child's family, often in exchange for an opportunity to participate in a contest or in the activities offered on the site.[84] The Web site providers use this monitoring information for various reasons. The information is used primarily for marketing,[85] but is also used to improve the Web site.[86] One provider of a Web site for children uses the identity information it obtains to prohibit future access to the Web site for visitors who have behaved inappropriately at prior visits.[87]

The information collected from Web site visits reveals much about the user. Even without providing personal information when registering to use a site, a user's interests can be inferred based on Web site or online service use. Accordingly, there is concern that this information will be misused by marketers and others.

The autonomous software agents that are being developed at the MIT Media Laboratory and elsewhere engender similar concerns due to the personal information these can collect. Software agents, which are being developed to deal with the problems of information overload, operate like librarians--after determining the user's interests, they suggest additional resources that might be of interest. MIT's Web browser agent, Letizia, determines the user's interests by "observing" the Web sites and pages accessed by the user, and then recommends additional resources by previewing immediately accessible links. In addition to the Web browser agent, MIT has developed agents that will recommend music and books, and is working on others, including a "Yenta-Matchmaking" agent that will introduce people who share similar interests.[88]

4. Online Commerce

Online commerce via the Internet has enormous potential,[89] but raises additional privacy concerns. Activities such as online purchases and banking necessitate the disclosure of so much personal information, including name, address, and credit card or account information, that they require special security procedures. Use of encryption[90] is necessary, and additional security measures, such as the use of digital signatures[91] are recommended.[92]

C. Government Record-Keeping

One's privacy may also be invaded by the collection, maintenance, and dissemination of government records. For efficiency and economy, government agencies have automated, or are in the process of automating their records.[93] Some government agencies are providing agency records on their Web sites.[94] Although these agencies have been applauded for making this data available on the Internet for free,[95] the security of the information is an important concern.[96]

Certain records such as tax, social welfare, and criminal history information, are considered confidential and are only available to authorized government employees.[97] Other records, including property records, birth, death, and marriage certificates, court records, motor vehicle and voter registration records of many states, are considered public records. The online service providers, as well as direct marketers, obtain much of the personal information they sell from public records.[98]

Computerization of the records has facilitated intergovernmental resource-sharing. The FBI's National Crime Information Center (NCIC) database, which maintains information on federal, state, and local crime convictions, is invaluable for state and local, as well as for federal, law enforcement officials. Also, the federal government's computer-matching program permits agencies to compare records for various reasons, including determining eligibility for benefit programs and collecting unpaid child support or debts owed the government.[99]

However, the computerization of government databases raises several concerns. One concern is the accuracy of the records. Depending on their nature, they may be sold to online service database providers, used by credit reporting agencies in creating credit profiles, or used by another government agency to verify eligibility for certain benefits.

Another concern is the security of government databases, especially the massive federal databases, including the FBI's NCIC and the IRS database. Tax return information, which includes not only name, address, occupation, and income, but also family data, financial data, and medical information, provides a nearly-complete personal profile.

Unauthorized access to these government records is a very real concern. A commentator reported that, "security risks to federal computers and telecommunications systems are worse than ever. Every day the confidentiality, integrity and availability of government information is being threatened by amateur hackers, [viruses], professional eavesdroppers, power outages, natural disasters and human error."[100] Government agencies are aware of security risks and have taken security measures. However, security breaches continue. Computer hackers have broken into computer systems of the Central Intelligence Agency, Justice Department, National Aeronautics and Space Administration, and the World Wide Web page of the Air Force.[101]

III. PRIVACY PROTECTION TOOLS & PROCEDURES

There are some tools and procedures that offer some protection for individual privacy. Certain tools can be used by individuals to help protect their online privacy, and specific procedures can be used by the information industry to safeguard the privacy of individuals. These tools and procedures have varying degrees of effectiveness, but are essential components for privacy protection.

A. Self-Help: Online Privacy Protection Tools

A variety of privacy protection tools can be used to help protect online privacy. The most popular and effective is encryption, a procedure that scrambles electronic documents so that they can only be unscrambled using the proper key or keys. One of the most popular and powerful software encryption programs is PGP (Pretty Good Privacy).[102]

While encryption is widely recognized as essential for privacy protection and security, encryption is a controversial topic because the federal government has vigorously attempted to regulate encryption standards and technologies, while software manufacturers and some privacy organizations have attempted to minimize government encryption controls.[103] The government is concerned both about national security and that encryption will give criminals the means to frustrate law enforcement efforts. Therefore, the government wants to ensure a means to access encrypted items and to restrict the export of encryption software.[104] In 1993, the Clinton administration announced its Clipper chip proposal as a solution to the government's need to access encrypted data. This proposal involved the use of a microprocessor chip that would encrypt and decrypt data using a private/public key system, requiring that the private keys be held in escrow by the government to allow the government easy access to encrypted data. This proposal was so widely criticized that the government abandoned the original proposal a year later. In October 1996, the Administration announced a plan for "worldwide key management infrastructure with the use of key escrow and key recovery [a system allowing individuals to reclaim lost codes] encryption items" in connection with export control regulations.[105] Later in 1996, control for the export of encryption software was transferred from the U.S. State Department's U.S. Munitions List to the Commerce Department's Commerce Control List,[106] and the Commerce Department Bureau of Export Administration (BXA) issued interim rules for encryption export regulations.[107]

Three recent federal cases have involved challenges to the constitutionality of encryption software export restrictions. In Junger v. Daley [Secretary of Commerce],[108] filed in August 1996 in the U.S. District Court for the Northern District of Ohio, a law professor, who wishes to publish some encryption programs on his Internet site as part of the course materials for his Computing and the Law course, is seeking to enjoin the government's enforcement of encryption software export regulations. The other two cases have produced opposite results, and are pending appeals. In Bernstein v. Dept. of State,[109] the U.S. District Court for the Northern District of California ruled that the Commerce Department export control regulations, which would prevent the plaintiff from distributing his encryption software over the Internet without a license, violate the First Amendment's free speech guarantee.[110] In contrast, the U.S. District Court for the District of Columbia ruled, in Karn v. U.S. Department of State,[111] that the State Department regulations do not raise First Amendment issues. The Karn court further held that the restrictions consist of foreign policy decisions which are not the province of the courts.[112] On appeal to the U.S. Court of Appeals for the D.C. Circuit, Karn was remanded for reconsideration in light of both the late 1996 transfer of regulatory authority for the export of encryption software from the State Department to the Commerce Department, and the Commerce Department's issuance of new regulations.[113]

Another privacy protection tool is the use of an anonymous server to send e-mail or access Internet sites anonymously. An anonymous server acts as a middleman between the Internet user and the document he wants to send or retrieve. The only identifying information available to the site that is contacted is the address of the anonymous server. For example, for Web, FTP[114], and gopher[115] transactions, Community ConneXion, Inc. (whose motto is "Because on today's Internet, people do know you're a dog") provides the Anonymizer.[116] For e-mail and Usenet postings, an anonymous remailer will strip e-mail and Usenet postings of identifying information, and then forward the message to the recipient.[117]

Anonymity also has its critics.[118] In 1996, a Georgia statute took effect prohibiting online users from using pseudonyms or communicating anonymously over the Internet.[119] In response, in September 1996, the A.C.L.U. and the Electronic Frontier Foundation brought suit in federal district court for the Northern District of Georgia, and obtained a preliminary injunction against enforcement of the statute.[120]

Other procedures can be used to prevent the widespread distribution of Usenet postings and Web pages. If a Web site is not for public use, security measures can be utilized, including passwords, domain name filtering, Internet address filtering, or a firewall[121] to prevent access by unauthorized users. Also, when a site uses the "Standard for Robot Exclusion," search engine robots will ignore all or designated parts of the Web site.[122] To avoid having a Usenet posting indexed by a search engine, "X-no-archive: yes" should be added to the header of the message, or made the first line of the message.
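An added illustration of the two mechanisms just described (not part of the original article): a constructed exclusion file as a compliant robot would read it, and a check for the no-archive marker in either position. The site paths, the robot name "ExampleBot," and the sample postings are hypothetical; both mechanisms are requests honored by cooperating software, not access restrictions.

```python
import re
import urllib.robotparser
from email import message_from_string

# Constructed robots.txt for a hypothetical site. Every robot is asked to stay
# out of /members/ and /drafts/; one named robot ("ExampleBot", hypothetical)
# is asked to stay out of the whole site.
ROBOTS_TXT = """\
User-agent: ExampleBot
Disallow: /

User-agent: *
Disallow: /members/
Disallow: /drafts/
"""


def robot_may_fetch(robots_txt, agent, paths):
    """Return {path: bool} as a robot that honors the exclusion file decides."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return {path: parser.can_fetch(agent, path) for path in paths}


NO_ARCHIVE = re.compile(r"^x-no-archive:\s*yes\s*$", re.IGNORECASE)


def no_archive_requested(raw_article):
    """True if a posting carries 'X-No-Archive: yes' as a header field
    or as the first line of its body (the two placements described above)."""
    msg = message_from_string(raw_article)
    if msg.get("X-No-Archive", "").strip().lower() == "yes":
        return True
    body = msg.get_payload()
    lines = body.splitlines() if isinstance(body, str) else []
    return bool(lines) and NO_ARCHIVE.match(lines[0].strip()) is not None


# Constructed sample postings (addresses and newsgroup are placeholders).
COMMON = "From: user@example.org\nNewsgroups: misc.test\nSubject: question\n"
POST_HEADER = COMMON + "X-No-Archive: yes\n\nBody text.\n"
POST_BODY_LINE = COMMON + "\nX-no-archive: yes\nBody text.\n"
POST_PLAIN = COMMON + "\nBody text.\n"

if __name__ == "__main__":
    paths = ["/index.html", "/members/list.html", "/drafts/a.html"]
    for agent in ("SomeCrawler", "ExampleBot"):
        print(agent, robot_may_fetch(ROBOTS_TXT, agent, paths))
    for name, post in (("header", POST_HEADER),
                       ("body line", POST_BODY_LINE),
                       ("plain", POST_PLAIN)):
        print(name, no_archive_requested(post))
```

A robot that does not implement the exclusion standard never consults the file, so the password, address-filtering, and firewall measures named in the same paragraph remain the means of actually preventing access.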

In response to questions about "cookies," newer versions of Web browsers, such as Netscape 3.0, have mechanisms which notify the user before a cookie is set.[123] Also, software has been developed to assist users in managing cookies.[124]

With regard to children's privacy, there is software available which gives parents the opportunity to monitor, filter, and prevent information disclosure by their children.[125] For instance, Cyber Patrol,[126] which enables parents to prevent access to inappropriate sites, also enables parents to prevent the disclosure of specific previously identified information. In addition, Microsoft's browser, Internet Explorer, and some online services provide parents with blocking options.[127]

Filtering can also be used to reduce unsolicited commercial e-mail. Filters can be used to block e-mail that matches categories, such as sender or subject. Unfortunately, commercial e-mailers frequently alter the message header to disguise the subject and indicate a different sender.[128]

Additional electronic privacy protection technologies are still in the development stage. Some companies have devised systems to protect user privacy and also satisfy the needs of online marketers for information about current or potential customers. In May 1997, Internet technology companies Netscape Communications Corp.,[129] Firefly Network Inc.,[130] and VeriSign Inc.[131] proposed such a system as an industry standard. The Open Profiling Standard (OPS) will give users control over the personal information they reveal online and also enable companies to gather personal information for marketing purposes and to personalize Internet services. Under this system, users enter name, address, and other personal information that is useful to marketers and online services (such as age, gender, marital status, and product preferences) into a file which resides on their hard drive. When accessing a Web site that requests personal information, users will have the opportunity to specify which information should be revealed, and whether their personal information can be shared with other Internet sites. The Open Profiling Standard has the support of about one hundred companies, including advertisers, consumer Web sites, search engine companies, and software and hardware companies.[132]

Also, in June 1997, the World Wide Web Consortium[133] announced its Platform for Privacy Preferences Project (P3P), which will "enable the exchange of privacy practices and preferences by Web sites and users respectively."[134] P3P products will allow users to determine the information that can be collected from them when visiting Web sites, and if they visit a site that collects more than the specified information, the user will be alerted and given the opportunity to agree to the site's terms and continue browsing.[135]

The proposed Open Profiling Standard, Platform for Privacy Preferences Project, and other technological measures developed and implemented by Internet technology companies are examples of the significant role the information industry can take in assuring individual privacy. The information industry may also play a significant role in assuring individual privacy by self-regulating the procedures used in collecting and disseminating personal information.

B. Self-Regulation: Information Industry Procedures

The procedures used by the information industry in collecting and using personal information determine whether individual privacy is invaded, and many information industry companies have taken steps to ensure that these procedures protect individual privacy.

Information industry organizations have issued industry guidelines for fair information handling, which include privacy protection procedures.[136] In addition, many companies have established privacy protection policies.[137] Also, some companies have abandoned projects that were objectionable to the public, as seen when Lotus abandoned its Marketplace database and LEXIS-NEXIS withdrew Social Security numbers from P-TRAK records.[138]

There is much incentive for information companies to comply with industry guidelines, and to respond to the pressures of the marketplace. Studies have shown that consumers are nervous about electronic privacy and about transacting business via the Internet.[139] As noted by the Interactive Services Association in its guidelines, online service providers need to safeguard subscribers' privacy or else lose subscribers:

The first rule of business is to establish the trust of the subscriber. . . . Although there are no laws protecting subscriber information, other than with respect to e-mail, the industry has made the protection of such information a priority. Online service providers recognize that they have an interest in providing this protection and maintaining the subscriber's trust because if subscribers feel that their information is not protected they will no longer subscribe to the online service. Accordingly, the online service companies have developed these guidelines to establish an industry-wide standard prohibiting the disclosure of individual session activities and setting forth the steps which must be taken before making certain other subscriber information available to third parties.[140]

By mid-1997, there was substantial industry and governmental support for self-regulatory measures as the preferred means for protecting Internet privacy. In July 1997, the Clinton Administration expressed its support for the use of self-regulatory measures and technological innovations for protecting Internet privacy when the Administration issued its A Framework for Global Electronic Commerce.[141] The Framework generally favors a laissez-faire, market-driven approach to regulating the Internet in an effort to stimulate electronic commerce.

In June 1997, the Federal Trade Commission held a public workshop on consumer information privacy. At this workshop, representatives of the information industry and privacy organizations discussed electronic privacy.[142] Industry representatives urged the use of technological measures and industry self-regulation to safeguard consumer privacy. LEXIS-NEXIS, and seven other information companies which provide personal information, proposed industry procedures which would ensure the accuracy and security of the information provided, limit the availability of non-public information, and educate consumers about the practices of the information companies.[143] In addition, during the Federal Trade Commission workshop, the Open Profiling Standard proposed by Netscape Communications (and other Internet technology companies) gained additional support from other information industry companies.[144]

Also in June 1997, the U.S. Commerce Department's National Telecommunications and Information Administration published its Privacy and Self-Regulation in the Information Age,[145] in which legal scholars, economists, and numerous representatives of the information industry discussed the effectiveness and legality of industry self-regulation. Various approaches to privacy protection were discussed within the context of industry self-regulation. One contributor discussed using a contractual approach to privacy protection. Individual privacy rights would be established via contracts made with data collection companies.[146] Other contributors discussed using a property approach, through which individuals would be paid for use of their personal information by the data collectors.[147] A number of representatives of large information companies also detailed their companies' existing privacy policies.

Nonetheless, the self-regulatory approach to informational privacy protection in the U.S. may be thwarted by data protection laws in the European Union. The European Union's comprehensive data protection directive, which takes effect in October 1998, both requires member countries to enact statutes which protect individual rights to privacy with respect to the processing of personal data, and requires that personal information may only be transmitted outside the European Union to a country which ensures an adequate level of protection for the subject of the data.[148] The directive will affect all U.S. entities conducting transactions which involve personal data transfers with European entities. In a policy paper issued in June 1997, the European Commission indicated that "adequate protection" should be determined by examining the content of the country's privacy rules as well as the procedural mechanisms in place to ensure the effectiveness of these rules.[149] The European Commission further indicated that the current U.S. privacy protection measures are unlikely to meet the directive's "adequate protection" requirements.[150] Thus, without legislation or some other formal mechanism in place to enforce informational privacy rights, personal data transfers from the European Union to the U.S. may be prohibited after the European Union data protection directive takes effect in October 1998.[151] Such restrictions would have a momentous impact on electronic commerce, especially in light of the directive's all-encompassing approach to data protection. The policy paper specifically mentions credit card payments over the Internet, as well as "transfers involving the collection of data in a particularly covert or clandestine manner (e.g. Internet cookies)" as examples of data transfers which would receive particular scrutiny in terms of "adequate protection."[152]

The European Community clearly questions the adequacy of informational privacy protection in the United States. Although there is much support in the U.S. for self-regulatory measures and technological privacy innovations, there remains substantial doubt as to whether these measures can be completely effective without some type of enforcement mechanism.[153] Unless there are sanctions available for violations of industry guidelines, some information companies may be inclined to ignore industry guidelines or to minimize their significance in their quests for profits.[154]

Whether or not the self-regulatory measures of the U.S. information industry are deemed sufficient in safeguarding the informational privacy of individuals, they should be encouraged. They can be effective when consistently followed, and they offer the significant benefit that issues which arise can be addressed much more quickly than through the legislative process or other methods of redress.

IV. ENTER THE LAW: PRIVACY RIGHTS IN PERSONAL INFORMATION

In the United States, there is no comprehensive law guaranteeing privacy rights in personal information. Contrast this to Europe, where the European Union's comprehensive data protection directive takes effect in October 1998.[155] In the United States, informational privacy protections are provided by an assortment of federal and state constitutional law, statutory provisions, and judicially determined case law.

Although a right of privacy is not specifically guaranteed by the Constitution, the U.S. Supreme Court has held that the Constitution protects a right of privacy in making certain intimate personal decisions from governmental interference.[156] The Supreme Court has not yet held that the Constitution protects a right of privacy in personal information. However, some informational privacy protections can be found in the First and Fourth Amendments, and it seems likely the Supreme Court will hold that the Constitution protects a right of informational privacy.

1. Fourth Amendment Protections

The right to privacy from governmental intrusion is found in the Fourth Amendment's prohibition against unreasonable searches and seizures. The Fourth Amendment to the Constitution provides:

The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.[157]

Due to advancing technology and law enforcement capabilities in the Twentieth Century, the Supreme Court has been faced with a number of cases interpreting the Fourth Amendment.[158] When faced with its first electronic surveillance case, Olmstead v. United States,[159] the Court ruled that no warrant was necessary in order for federal agents to tap a telephone wire.[160] The majority emphasized that the Fourth Amendment was understood to protect only against "physical invasions" by law enforcement officers.[161] In his famous dissent, Justice Brandeis argued for an expanded notion of the nature of privacy to accommodate new technology.[162] In 1967, the Supreme Court overruled Olmstead in deciding Katz v. United States,[163] and held that the interception of a telephone conversation in a public telephone booth does constitute a search and seizure for Fourth Amendment purposes.[164] The Court determined that the threshold question is whether there is a "reasonable expectation of privacy," as opposed to the earlier trespass requirement.[165] The Court wrote:

For the Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.[166]

In 1995, a military court addressed whether an individual has a reasonable expectation of privacy in his private e-mail.[167] Citing Katz, the court held that the individual does have a reasonable expectation of privacy under the Fourth Amendment in his e-mail communications stored and sent via an online service.[168]

2. Informational Privacy and Whalen v. Roe

The right to informational privacy was first addressed by the U.S. Supreme Court in Whalen v. Roe.[169] This case involved the invasion of patients' privacy by a New York statute requiring physicians to submit copies of prescriptions for abused drugs to the state for inclusion in a centralized computer file.[170] Although the Court upheld the statute, finding that New York's interest in experimenting with solutions to control the distribution of dangerous drugs was a legitimate exercise of the state's police power, the Court re-affirmed the right of an individual to have his personal information kept private.[171] The Court stated:

A final word about issues we have not decided. We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files. The collection of taxes, the distribution of welfare and social security benefits, the supervision of public health, the direction of our Armed Forces, and the enforcement of the criminal laws all require the orderly preservation of great quantities of information, much of which is personal in character and potentially embarrassing or harmful if disclosed. The right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures.[172]

3. First Amendment Considerations

The First Amendment,[173] which protects speech, including commercial speech,[174] from governmental interference, also affects informational privacy. On the one hand, the First Amendment places limitations on the right to informational privacy.[175] The First Amendment free-speech and free-press goal of assuring the free flow of information is antithetical to the idea of privacy in information. Free-speech and free-press considerations imposed by New York Times Co. v. Sullivan[176] limit the applicability of the common law right of privacy torts, even those involving non-governmental actors, where the affected subject is newsworthy.[177]

On the other hand, the First Amendment also provides additional information privacy protections. For instance, the First Amendment-inspired Privacy Protection Act limits governmental seizure of publishers' work product materials.[178] Because anyone posting messages on the Internet or online services can be considered a "publisher," this Act may prove to have special significance.

4. State Constitutions

Some state constitutions include privacy protections which surpass privacy protections in the U.S. Constitution. Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington have broader protection.[179] In California, a court has recognized that the constitutional right to privacy extends to private as well as public employers.[180]

C. Common-Law Right to Privacy Torts

As for intrusions by non-governmental means, the common law right to privacy tort may provide some protection.[181] The call for legal recognition of a right to privacy is generally attributed to an 1890 law review article by Louis Brandeis and Samuel D. Warren, The Right to Privacy.[182] In this article, Warren and Brandeis advocated a right to privacy, and warned that technology innovations would decrease the personal dignity of the individual if such privacy protections were not provided.[183]

Subsequently, a common law doctrine of personal privacy has emerged as a group of four invasion of privacy torts delineated by both Dean William L. Prosser[184] and the Restatement (Second) of Torts:[185] 1) the unreasonable intrusion upon the seclusion of another;[186] 2) the unreasonable publicity given to another's private life;[187] 3) publicity that unreasonably places another in a false light before the public;[188] and 4) the appropriation of another's name or likeness.[189]

1. Unreasonable Intrusion upon the Seclusion of Another

Under this tort, "[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person."[190] Unlike the other common law privacy torts, in which the disclosure of private information is a necessary element, disclosure is not required to establish liability for this tort.[191] There is no liability if the underlying information is public record or if the activity intruded upon is conducted in a public space where one would not reasonably expect privacy.[192]

Because this tort has been applied to wiretaps,[193] liability would likely be imposed for the unauthorized access to or interception of electronic communications and information systems.[194]

2. Publicity Given to Private Life

Under this form of invasion of privacy:

One who gives publicity to a matter concerning the private life of another is subject to liability to the other for the invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.[195]

This tort seems to offer many opportunities for potential recovery in cases in which private facts are revealed electronically. Recovery under this privacy tort, however, is restricted by several judicially imposed requirements. The required publicity must be communicated to enough people that "the matter must be regarded as substantially certain to become one of public knowledge."[196]

In addition, there will be no liability for publicity of facts that are a matter of public concern or of public record because of First Amendment guarantees. The Restatement specifies birthdate, marital status, military record, professional or occupational licenses, and litigation as examples of public records for which there will be no liability for publication; yet, on the other hand, the Restatement specifies income tax returns as records not open to public inspection.[197] Thus, publication of such information is actionable. In Cox Broadcasting Corp. v. Cohn,[198] a case involving publication of a rape victim's identity, the U.S. Supreme Court held that under the First Amendment, publicity of matters of public record is not actionable[199] and further that "[t]he commission of crime, prosecutions resulting from it, and judicial proceedings arising from the prosecutions, however, are without question events of legitimate concern to the public and consequently fall within the responsibility of the press to report the operations of government."[200]

This tort may be a basis for suit in cases in which personal information (i.e., medical condition, tax return, or other confidential information) is disseminated electronically to a significant number of people, for instance, on a public bulletin board or newsgroup.[201]

In Dennis v. Metromail Corporation,[202] a pending case involving the compilation of personal data by direct marketer, Metromail, and former owner, R.R. Donnelley & Sons, suit was brought under this privacy tort. In addition, claims were filed for intentional or reckless disregard of safety, fraud, unjust enrichment, infliction of emotional distress, and negligent entrustment.[203] The suit was initiated by a woman who had given her name, address, sex, age, medical condition, and buying habits to a Metromail survey in exchange for the promise of discount coupons and free products.[204] The survey response was processed by a prison inmate who then sent the plaintiff an offensive, sexually graphic, and threatening letter.[205] This case, which was initiated in April 1996, was later expanded to a class action including plaintiffs from California, Illinois, and New York who also responded to Metromail surveys processed by prison inmates.[206] The complaint was amended to add a claim for breach of contract, and the fraud claim was expanded to include Metromail's "deceptive acquisition" of information by promising to provide coupons, and then selling the information to telemarketers, bill collectors, and others, and also making the information available over a 1-900 number "people locator" service for $3 a minute.[207]

The Metromail case is particularly significant in the electronic privacy area because Metromail is one of the suppliers of the personal information that Four11, the Internet telephone number and address directory database, LEXIS-NEXIS, and other commercial services provide in their "people-finding" databases.[208]

3. Publicity Placing Person in False Light

Under this tort,

One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of privacy, if (a) the false light in which the other was placed would be highly offensive to a reasonable person, and (b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.[209]

False light invasion of privacy is similar to defamation. However, a reputation need not be injured in the same way that is necessary for defamation liability.[210]

This tort may provide basis to sue for the online dissemination of erroneous information where the database provider has not taken proper steps to ensure its correctness.[211]

4. Appropriation of Name or Likeness

Under this form of invasion of privacy, "[o]ne who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy."[212] Usually this privacy invasion applies to the commercial use of another's name or likeness.[213] Some states have extended this tort to personality, as well.[214]

This tort may be restricted by First Amendment concerns when the appropriation of a person's name or likeness for commercial use is for a newsworthy purpose. In Stern v. Delphi Internet Services Corp.,[215] controversial talk-show host, Howard Stern, brought suit under New York's right to privacy statutes[216] against Delphi Internet Services Corporation after Delphi used Stern's photograph without his consent in an advertisement. Stern had announced his candidacy for governor of New York, and Delphi used Stern's photograph to advertise an online bulletin board service it had set up to debate Stern's candidacy.[217] The court found that, although Delphi had used Stern's name and photograph for a commercial purpose without Stern's consent, Delphi's use was permissible because Stern's candidacy was a matter of public interest.[218] The court analogized Delphi's service to a television network, which is both entertainer and news disseminator, stating that the incidental use by a news disseminator of an individual's name or likeness in an advertisement is protected by the First Amendment: "The newsworthy use of a private person's name or photograph does not give rise to a cause of action . . . as long as the use is reasonably related to a matter of public interest."[219]

The appropriation privacy tort may provide a basis for suit involving the sale of non-public record personal information by commercial online publishers. It may also provide the basis for suit against marketers of names and e-mail addresses for use by unsolicited commercial e-mailers. However, plaintiffs using this tort or similar statutes in suing the distributors of mailing lists have so far been unsuccessful.[220]

D. Other Common Law Bases for Litigation

The traditional right of privacy torts have not always been persuasive in redressing invasions of informational privacy. Those seeking judicial redress may therefore use other common law bases, including: breach of contract;[221] negligence;[222] breach of confidentiality;[223] intentional or reckless disregard of safety;[224] fraud;[225] infliction of emotional distress;[226] right of publicity;[227] trade secret misappropriation;[228] and trespass to chattels, conversion and unjust enrichment.[229]

Litigation based on common law property concepts might be most successful in redressing informational privacy violations. Property rights have been recognized in certain types of information. The U.S. Supreme Court held in Ruckelshaus v. Monsanto Co.,[230] that persons have a property interest in a trade secret. Other courts have recognized an individual's property right in his medical records[231] and in his polygraph records.[232] The right of publicity, which is similar to the appropriation privacy tort in that it provides a cause of action for the use of an individual's name or likeness without his consent, is considered a property right by the courts.[233] Similarly, some courts finding invasions of privacy, under either the common-law appropriation tort or state appropriation statutes, have found property rights in a person's name or likeness.[234]

A number of commentators favor the extension of property rights to personal information.[235] Extending property rights protection to personal information would give individuals the rights guaranteed in fair information practices guidelines:[236] the right to be informed of data collection and transfer; the right to limit data collection, data transfers, and secondary uses; the right to access one's personal data and to make corrections; and the right to have one's personal data maintained securely. In addition, the individual would have commercial rights in his personal information.[237]

E. Statutes Providing Privacy Protections

Congress has responded to the need for informational privacy and security protections by enacting statutes in a piecemeal fashion to address specific privacy needs. The Electronic Communications Privacy Act of 1986 (ECPA)[238] and the Computer Fraud and Abuse Act[239] contain provisions to protect electronic privacy. The Privacy Protection Act of 1980[240] restricts governmental seizure of publishers' investigative work product. The Privacy Act of 1974[241] and the Computer Matching and Privacy Protection Act of 1988[242] regulate government record-keeping and prevent government agencies from divulging certain personal information without proper authorization. The Fair Credit Reporting Act[243] protects the acquisition and disclosure of information by the credit reporting industry.

1. Electronic Communications Privacy Act[244]

In 1986, the Electronic Communications Privacy Act (ECPA) was enacted to amend Title III of the Omnibus Crime Control and Safe Streets Act of 1968,[245] which authorized court-ordered government wiretapping. The ECPA protects against unauthorized access, interception, or disclosure of private electronic communications by the government as well as by individuals and third parties. In addition, the ECPA provides important protections for online users. The Act imposes potentially stiff penalties for violation of the statute[246] and requires a court-ordered warrant for governmental search of electronic communications.[247] An electronic communication is defined by the statute as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce. . . ."[248] Intercept is defined as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device."[249]

Title I of the ECPA restricts the interception of oral, wire, and electronic communications while in transit,[250] and Title II pertains to the acquisition and disclosure of stored communications.[251] The ECPA contains numerous exceptions. Some exceptions give online service providers the power to intercept and disclose electronic communications under certain circumstances:[252] situations in which the service providers suspect the sender is attempting to damage the system, or when necessary for the rendition of the service[253] (e.g. the systems operator (sysop) must review the content of the communication before forwarding it). In addition, if the communication seems to pertain to the commission of a crime, the service may disclose an electronic communication to a law enforcement agency.[254]

Another exception is provided for electronic communications made to a system that is "readily accessible to the general public."[255] The ECPA provides that interception of such communications is lawful.[256] Therefore, the ECPA is not violated when postings to Usenet groups, listservs, bulletin board systems, and chat rooms are read and archived.

Yet another exception allows service providers and anyone else to intercept and disclose an electronic communication where either the sender or the recipient of the message consents to the interception or disclosure.[257] Many commercial services require a consent agreement from new members when signing up for the service, and consent may be implied in employment relationships, especially when the employer notifies employees that their e-mail will be monitored.

Finally, the ECPA provides an "ordinary course of business" exception, which may also support employer monitoring of employee e-mail. This exception is found in the definition of "electronic, mechanical, or other device," which exempts from the interception prohibition an entity which provides the electronic communication service "in the ordinary course of its business."[258]

Cases interpreting the "ordinary course of business" provision have involved telephone monitoring, and the courts have generally held that an employer may monitor an employee for as long as the communication is business-related.[259]

In Steve Jackson Games, Inc. v. U.S. Secret Service,[260] a case involving the seizure of e-mail and stored electronic communications, the court held that U.S. Secret Service agents violated Title II of the ECPA and the Privacy Protection Act[261] by seizing plaintiff's computer equipment containing unread e-mail, software, and materials the plaintiff planned to publish, which were outside the scope of the warrant.[262] The agents were searching for a confidential telephone company document that had been stolen by computer hackers and uploaded to a bulletin board operated by Blankenship, an employee of the plaintiff, Steve Jackson Games, Inc. (SJG), which also had a bulletin board.[263] The officers had no information that SJG, which operated the bulletin board system and which also was a publisher of computer games and books, was involved in the illegal activity.[264] However, the officers believed Blankenship may have uploaded the document to SJG's bulletin board, which Blankenship used and helped operate.[265] They obtained a warrant to seize a variety of files and documents from the SJG bulletin board. [266]

The district court found that in seizing unread e-mail and software, which were outside the scope of the search warrant, the Secret Service agents violated Title II of the ECPA's provisions regarding stored communications as well as the Privacy Protection Act.[267] The district court rejected plaintiffs' claim that the seizure of the unread e-mail also violated Title I of the ECPA regarding interception of communications, finding that the communications were not "intercepted" as defined by the statute since they were in storage when they were seized.[268] The Fifth Circuit upheld this ruling on appeal.[269]

In Davis v. Gracey,[270] another case involving government seizure of unread e-mail and software from a bulletin board service, the court found that the police officers who seized the items did not violate the ECPA or the Fourth Amendment rights of the plaintiff, a bulletin board operator.[271] Although the circumstances were similar to those in Steve Jackson Games (SJG), they differed sufficiently to produce a different decision. Unlike the SJG bulletin board operator who had no part in the criminal activity which led to the seizure of computer items, the Davis bulletin board operator was selling pornographic CD-ROMs, which could also be accessed via his bulletin board service. The officers obtained a warrant to search for pornographic CD-ROMs and "equipment, order materials, papers, membership lists and other paraphernalia pertaining to the distribution or display of pornographic material. . . ."[272] Included in the seizure were 150,000 e-mail messages and 500 megabytes of software which had been uploaded onto the bulletin board by subscribers.

The court rejected both the plaintiffs' Fourth Amendment claims that the warrant was overbroad, and that the warrant should not have been executed in a manner resulting in the incidental seizure of e-mail and other files stored on the hardware that were outside the scope of the warrant. The court found the term "equipment" in the warrant supported the officers' seizure of the computer equipment.[273] The court also found that the seizure of the e-mail and other files was unavoidable because they were contained within the computer, and the computer was "an instrumentality of the crime."[274] The court further held that the officers were entitled to the ECPA's good faith clause,[275] providing a complete defense to any charges, because there was "good faith reliance on . . . a court warrant or order."[276]

Violation of the ECPA has also been among the claims used in litigation concerning unsolicited e-mail. Internet service providers suing a bulk commercial e-mailer, Cyber Promotions, Inc., have claimed Cyber's techniques violate the ECPA.[277] These ECPA claims have not yet been addressed by the courts.

2. Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act[278] prohibits unauthorized access of computers under certain circumstances, including:

-- intentional unauthorized access to a nonpublic government computer, which affects the government's use of the computer;[279]

-- knowing unauthorized access to a protected computer (defined as a computer used by or for the use of government agencies or financial institutions as well as a computer "which is used in interstate or foreign commerce or communication"[280]) "with intent to defraud ... and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period";[281]

-- intentional access of a protected computer which causes damage.[282] (Damage is defined as

any impairment to the integrity or availability of data, a program, a system, or information, that (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals; (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (C) causes physical injury to any person; or (D) threatens public health or safety . . . . )[283]

Also prohibited is knowingly causing "the transmission of a program, information, code, or command," resulting in intentional unauthorized damage to a protected computer.[284]

The Act provides both criminal[285] and civil penalties. Compensatory damages, injunctive relief, and other equitable relief are available in civil actions.[286]

In a well-known case brought under the Computer Fraud and Abuse Act, United States v. Morris,[287] the Second Circuit affirmed that a computer hacker, who was a graduate student in Cornell University's Ph.D. computer science program, was guilty under the Computer Fraud and Abuse Act when he released a "worm"[288] onto the Internet.[289]

Violation of the Computer Fraud and Abuse Act has been among the claims used in litigation concerning unsolicited e-mail. Internet service providers suing a bulk commercial e-mailer, Cyber Promotions, Inc., claimed Cyber's techniques violate the Computer Fraud and Abuse Act. In Cyber Promotions' suit against America Online for blocking its e-mailings, Cyber also claimed that AOL's practice violated the Computer Fraud and Abuse Act.[290] The statute's applicability in these types of cases has not yet been addressed by the courts.

3. Privacy Protection Act

The Privacy Protection Act[291] (PPA), which ensures publishers' First Amendment rights of freedom of the press, makes government seizure of a publisher's "work product materials" a criminal offense unless there is probable cause to believe that the person possessing such materials is committing the offense to which the materials relate:

Notwithstanding any other law, it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication. . . .[292]

"Work product materials" is defined as

materials, other than contraband or the fruits of a crime or things otherwise criminally possessed . . . and (1) in anticipation of communicating such materials to the public, are prepared, produced, authored, or created, whether by the person in possession of the materials or by any other person;(2) are possessed for the purposes of communicating such materials to the public; and (3) include mental impressions, conclusions, opinions, or theories of the person who prepared, produced, authored, or created such material.[293]

The PPA provides money damages for violations.[294] In Steve Jackson Games,[295] the court found that Secret Service agents violated the PPA and ECPA when they seized computer materials outside the scope of the warrant.[296] The court awarded the plaintiffs $8,781 for expenses and $42,259 for damages for the PPA violations.[297] The illegally-seized materials included work product materials protected by the PPA: drafts of a book intended for immediate publication and of magazines and magazine articles that the company was planning to publish.[298]

As previously noted, this Act may prove to have special significance because anyone posting messages on the Internet or online services can be considered a "publisher".

4. Privacy Act

The Privacy Act of 1974 [299] is the primary statute governing the federal government's acquisition and use of federal agency records containing personal information. The act prohibits disclosure of a record without the written consent of the subject of the record except under certain circumstances. These circumstances include disclosure for a "routine use"[300] (use compatible with the purpose for which the record was collected[301]), for law enforcement purposes, and for protecting the health or safety of an individual.[302] A record is defined as:

any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or identifying number, symbol, or other identifying particular assigned to the individual....[303]

Records may contain "only such information about an individual as is relevant and necessary to accomplish" a mandated agency purpose.[304] The statute requires that the public must be advised of the existence of databases containing personal information.[305] Additionally, agencies must provide individuals with access to their records, as well as the opportunity to challenge their contents.[306] The Act requires accurate accounting of disclosures and corrections of records.[307] Records must be maintained "with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual. . . ."[308] Agencies must also "establish appropriate administrative, technical, and physical safeguards to insure security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity. . . ."[309] The statute also applies to government contractors hired to operate agency "system[s] of records."[310] The statute provides money damages and injunctive relief as civil remedies for most violations.[311] In addition, criminal penalties are available for willful violations.[312]

The Privacy Act was amended by the Computer Matching and Privacy Act of 1988.[313] This amendment governs agencies' computerized comparison of records for the purpose of establishing or verifying an individual's eligibility for benefits or to recoup payments or delinquent debts under benefits programs. The amendment also governs matching of personnel or payroll records among federal agencies or between federal and nonfederal entities.[314] Excluded from the provisions of the amendment are matching of records for:

-- law enforcement purposes;

-- tax collection purposes;

-- foreign counterintelligence purposes;

-- "routine administrative purposes" relating to federal personnel if the match is "not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel;"

-- producing aggregate statistical data without any personal identifiers;

-- research projects for which the specific data will not be used to make decisions concerning the benefits of specific individuals.[315]

The amendment requires certain procedures for matching programs covered by the Act. The agencies involved must prepare written agreements, which specify the purpose and expected benefit of the matching program.[316] The written agreement must describe not only the records to be matched, but also the procedures that will be used both to verify the information and to notify individuals that information they provide in applying for benefits may be subject to matching program verification.[317] Additionally, an agency that decides to deny benefits based on information obtained through data matching must verify the information, provide notice to the individual, and provide an opportunity to contest the findings.[318]

5. Fair Credit Reporting Act

The Fair Credit Reporting Act (FCRA)[319] dictates the responsibilities of "consumer reporting agencies" in adopting reasonable procedures for supplying credit information. The Act requires these agencies to operate in a manner which is fair and equitable to the consumer, assuring the information's confidentiality, accuracy, relevancy, and proper use.[320] "Consumer reporting agenc[ies]" are those which regularly assemble or evaluate consumer information for the purpose of furnishing consumer reports to third parties.[321] "Consumer report" is defined as

any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for [credit, employment, or other purposes]. . . . [322]

The FCRA restricts both the circumstances under which the disclosure of consumer reports can be properly made and which parties are authorized for disclosure.[323] The Act permits disclosure to persons who intend to use the information for credit-granting, employment, insurance underwriting, governmental license or benefit eligibility, or in connection with a business transaction involving the subject of the report.[324] Consumer reports may also be disclosed upon court order or written request from the subject of the report.[325] The FCRA prohibits the reporting of information more than seven to ten years old.[326] In addition, the Act requires that the subject be advised within three days after an "investigative consumer report" is first requested.[327] An "investigative consumer report" includes information on a consumer's character, general reputation, personal characteristics, or mode of living, and which is obtained through personal interviews with neighbors and friends.[328] The FCRA requires consumer reporting agencies to disclose to the consumer, upon request, the nature, substance, and the source, of the information in the file, as well as recent recipients of any consumer report on the consumer.[329] The Act also provides procedures for dealing with the disputed accuracy of the information.[330]

The FCRA also imposes requirements on users of consumer reports. Users of consumer reports must advise the subjects of the reports when they take adverse actions based on the report.[331] Upon written request from the consumer, users of consumer reports must disclose any basis for adverse action other than the credit report.[332]

The FCRA provides compensatory damages and attorneys' fees for negligent noncompliance[333] and punitive damages for willful noncompliance.[334] Criminal penalties are provided for obtaining credit information under false pretenses,[335] and for the unauthorized disclosure of credit information by employees or officers of a consumer reporting agency.[336]

The FCRA gives the Federal Trade Commission (FTC) administrative powers to enforce the FCRA against violators under the Federal Trade Commission Act.[337]

In recent years some of the FTC's efforts to limit the information collected and sold by the credit bureaus have been weakened by the courts. In a 1996 case, Trans Union Corp. v. FTC,[338] the U.S. Court of Appeals for the D.C. Circuit reviewed an FTC order that Trans Union Corporation's sale of certain "targeted marketing" mailing lists[339] was a communication of "consumer reports" for an impermissible purpose under the FCRA. [340] The decision hinged on the definition of "consumer report." [341] The FTC argued that the mailing lists were consumer reports because they were compiled using credit account data as well as other information in Trans Union's consumer reporting database. [342] The court agreed with Trans Union's argument that its "targeted marketing" lists were not "consumer reports" because the "implicit information conveyed therein" was not collected "to serve as a factor in determining credit eligibility."[343] The court remanded the case to the FTC, stating that "mere inclusion of a fact in a report prepared for credit eligibility purposes" does not make it a "consumer report" as defined in the FCRA.[344]

It seemed that the FCRA's definition of "consumer report" might be amended in 1997. In late 1996, in response to the controversy surrounding the P-TRAK database of LEXIS-NEXIS,[345] the FTC proposed that Congress amend the FCRA to "provide confidentiality protections to the following elements of consumer identification: social security number, mother's maiden name, prior addresses and date of birth" by expanding the definition of "consumer report" to include "any communication by a consumer reporting agency of any identifying information other than the consumer's name, generational designation, current address and telephone number."[346] In April 1997, Senator Dianne Feinstein of California introduced the Personal Information Privacy Act of 1997,[347] which would add to the definition of "consumer report": "The term [consumer report] also includes any other identifying information of the consumer, except the name, address, and telephone number of the consumer if listed in a residential telephone directory available in the locality of the consumer."[348] Such an amendment would limit the amount and type of personal information that information resellers and commercial online services could provide. However, no action was taken on the bill during 1997.

6. Other Informational Privacy Acts

Other acts protecting informational privacy include:

• Federal Records Act,[349] which regulates the disposal of federal records ("Federal records" have been held to include the e-mail messages of government employees[350]);

• Right to Financial Privacy Act,[351] which prohibits access to financial records of individuals by government authorities (except for the Internal Revenue Service and agencies supervising banks);

• Family Educational Rights and Privacy Act of 1974 (FERPA),[352] which protects student records;

• Video Privacy Act,[353] which protects videotape rental records;

• Telephone Consumer Protection Act of 1991,[354] which regulates telemarketing practices;

• Driver's Privacy Protection Act of 1994,[355] which restricts the release of motor vehicle records;

• Cable Communications Policy Act of 1984,[356] which protects cable television subscriber information;

• Telecommunications Act of 1996,[357] which safeguards customer information held by telecommunications carriers;

• Provisions of the Internal Revenue Code which mandate the privacy of taxpayer records.[358]

7. State Statutes

Most states also have data protection laws which vary in their focus. Several states have laws that are similar to the federal Privacy Act and the federal Freedom of Information Act. Other states have statutes that are similar to the ECPA or the Computer Fraud and Abuse Act,[359] while others have laws that govern only specific sectors (such as the insurance industry).[360]

Although existing federal and state statutes provide varying levels of informational privacy protections, all these statutes fail in some respect. For example, although the Privacy Act is relatively comprehensive, the Act governs only federal government record-keeping. [361] As a result, there are gaps in informational privacy protection which could be rectified by the enactment of a comprehensive federal statute which governs all record-keeping systems.

F. Fertile Ground for Litigation

1. Workplace E-mail

The issue of whether employer monitoring of employee e-mail is an invasion of privacy has generated much litigation. Courts addressing this issue have so far ruled in favor of employers who read e-mail received over the employer's computer system. Generally these courts have held that the employees did not have reasonable expectations of privacy in their workplace e-mail. In a 1996 decision, Smyth v. Pillsbury Co.,[362] the U.S. District Court for the Eastern District of Pennsylvania held that, under Pennsylvania law, the employee did not have a reasonable expectation of privacy in e-mail communications made voluntarily to his supervisor.[363] Smyth involved the discharge of an at-will employee based on comments he made to his supervisor (regarding the company's sales management, including a threat to "kill the back-stabbing bastards") via the employer's e-mail system.[364] The employee's e-mail was read by company executives in spite of the fact the employer had assured its employees, including the plaintiff, that all e-mail communications would remain confidential and privileged.[365] The court further ruled that "the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy rights the employee may have had in those comments."[366]

The holdings were similar in a string of California cases.[367] In Bourke v. Nissan Motor Corp.,[368] the court held that the plaintiffs had no reasonable expectation of privacy in their e-mail communications because they were aware their e-mail was read by the company prior to their terminations. [369] In addition, the employees had signed a statement: "It is company policy that employees and contractors restrict their use of company-owned computer hardware and software to company business."[370] The court rejected plaintiffs' argument that they had an expectation of privacy because they were given system access passwords which they were told to safeguard.[371] The court found that these expectations were not "objectively reasonable."[372] The court further held that the California wiretapping statute[373] and eavesdropping statute[374] did not apply to the employer's actions of retrieving, printing, and reading plaintiffs' e-mail.[375]

In another California case, Shoars v. Epson America, Inc.[376] an Epson America employee also unsuccessfully sued her employer under the California wiretapping statute[377] for the employer's monitoring of employee e-mail. The court ruled for Epson America, finding that provisions of the California wiretapping statutes did not extend to electronic communications.[378]

A similar conclusion was reached in a case involving a government employer. In Bohach v. City of Reno,[379] in which plaintiffs claimed violations of the Fourth Amendment and the federal Electronic Communications Privacy Act, the court found that the employees, whose electronic communications over the employer police department's network computer system were read by the employer police department, had no reasonable expectation of privacy in the communications.[380] The employees' communications, therefore, were not protected by the Fourth Amendment.[381] The court also rejected the employees' claim that the employer violated the federal Electronic Communications Privacy Act by reading their electronic communications.[382] The court held that reading the employee communications did not constitute "interception" as required by the federal act. [383]

However, this issue is not settled. Some state[384] and federal laws[385] may favor employees in some workplace e-mail situations.

For example, an employee may prevail in workplace e-mail litigation by claiming that the employer's e-mail monitoring violates the Electronic Communications Privacy Act (ECPA). [386] However, employees claiming employer violations of the ECPA will encounter several hurdles. In the first place, employees may have difficulty convincing the courts that the employers' monitoring constitutes "interception" as required under the ECPA. Courts have so far interpreted the ECPA as requiring that monitored e-mail be in transit in order to constitute "interception," and have refused to find "interception" where the electronic communications have been accessed while in electronic storage.[387]

Other hurdles to be encountered by employees are two exceptions to the ECPA which generally favor employers. One exception permits the interception and disclosure of an electronic communication where either the sender or the recipient of the message consents to the interception or disclosure.[388] Consent may be implied in employment relationships, especially when the employer has notified employees that their e-mail may be monitored. The other ECPA exception which generally favors employers is the "ordinary course of business" exception, which exempts from the interception prohibition an entity which provides the electronic communication service in the "ordinary course of its business."[389] So far the cases interpreting the "ordinary course of business" exception have involved telephone monitoring, and the courts have generally held that an employer may monitor an employee for as long as the communication is business-related. [390] However, some employees have prevailed against employers who have exceeded the "boundaries of the ordinary course of business," [391] and it is possible that courts will rule in favor of employees in similar e-mail monitoring circumstances.

2. Unsolicited Commercial E-mail

The issue of unsolicited commercial e-mail has resulted in a flurry of litigation based on privacy statutes and common law rights.[392] Internet service providers, America Online, CompuServe, EarthLink, and Concentric Network Corporation, have each sued Cyber Promotions Inc., an online marketer which was sending large amounts of unsolicited e-mail to the online services' subscribers.[393] Cyber Promotions also sued America Online for blocking its e-mailings,[394] and two other Internet service providers for terminating their service agreements with Cyber Promotions.[394a]

In Cyber Promotions Inc. v. America Online Inc.,[395] the U.S. District Court for the Eastern District of Pennsylvania decided that the First Amendment and the state constitutions of Virginia and Pennsylvania did not give Cyber Promotions (Cyber) the right to send unsolicited e-mail to America Online (AOL) members; and therefore, AOL had the right to block the e-mail.[396] In the complaint, AOL alleged Cyber's techniques violated the ECPA, the Computer Fraud & Abuse Act, the Virginia Computer Crimes Act, and the Virginia Consumer Protection Act.[397] AOL further alleged that Cyber's techniques constituted trademark infringement and dilution, unfair competition, false designation of origin, false advertising, misappropriation, conversion, and unjust enrichment.[398] In its suit, Cyber alleged that AOL's blocking of its e-mailings constituted interference with contract and unfair competition, as well as violations of the Computer Fraud & Abuse Act and Cyber's First Amendment free speech rights.[399]

The court held that AOL was not subject to First Amendment review because AOL "is not a state actor" and none of its activities constitute state action.[400] The court rejected various arguments used by Cyber to support its contention that, although AOL is a private company, AOL should be treated as a state actor.[401] For instance, Cyber contended that AOL serves an exclusive public function: "'by providing Internet e-mail and acting as the sole conduit to its members' Internet e-mail boxes, AOL has opened up that part of its network and as such, has sufficiently devoted this domain for public use. This dedication of AOL's Internet e-mail accessway performs a public function in that it is open to the public, free of charge to any user, where public discourse, conversations and commercial transactions can and do take place.'"[402] The court responded that "[a]lthough AOL has opened its e-mail system to the public by connecting with the Internet, AOL has not opened its property to the public by performing any municipal power or essential public service, and therefore, does not stand in the shoes of the State."[403]

The court also rejected Cyber's claims that AOL's blocking of its e-mail violates the constitutions of Virginia and Pennsylvania. The court found no Virginia case law to support Cyber's claim and held that Pennsylvania case law was inapplicable to the circumstances of this case.[404]

The court also denied Cyber's later request for a preliminary injunction against AOL's use of its "PreferredMail--The Guard Against Junk E-Mail" system, which allows access to Cyber's e-mail messages only to subscribers who specifically request "I want junk e-mail!".[405] Cyber contended that AOL's ability to advertise to its subscribers over the Internet via e-mail is an "essential facility" and that AOL "refused to deal" with Cyber in violation of the federal antitrust laws.[406] In refusing to issue an injunction, the court held that Cyber failed to demonstrate likelihood of success on the merits of its claim.[407]

In CompuServe Inc. v. Cyber Promotions Inc.,[408] the U. S. District Court for the Southern District of Ohio granted CompuServe's request for a preliminary injunction barring Cyber from sending additional unsolicited e-mail to CompuServe subscribers.[409] The court found that Cyber's e-mailings constituted trespass to personal property.[410] The court emphasized that Cyber's e-mailings, which continued after CompuServe demanded the e-mailings stop, burdened the operation of the CompuServe network, and damaged CompuServe's business reputation and goodwill with its subscribers who were upset by Cyber's e-mailings.[411]

Citing Cyber Promotions, Inc. v. America Online, Inc., the court rejected Cyber's First Amendment claims.[412] Cyber claimed the right to First Amendment protections based on CompuServe's role as "public utility" and as "postmaster."[413] The court rejected these analogies and held that CompuServe was not a state actor for purposes of the First Amendment.[414]

The court also rejected Cyber's claims that CompuServe's decision to connect to the Internet was an implied invitation to the public to enter its property for business purposes.[415] The court held that CompuServe's demand, in October 1995, that Cyber cease the e-mailings was sufficient withdrawal of any implied invitation.[416]

Other cases brought against Cyber and its president, Sanford Wallace, by Internet service providers have produced similar results. In Concentric Network Corp. v. Wallace,[417] the U.S. District Court for the Northern District of California granted Concentric Network (CNC) a permanent injunction prohibiting Cyber from 1) sending unsolicited e-mail to CNC subscribers; 2) sending or receiving e-mail via CNC; 3) misrepresenting that any Cyber e-mail message was sent from or condoned by CNC; and 4) distributing mailing lists containing the e-mail addresses of CNC subscribers.[418] In EarthLink v. Cyber Promotions, Inc.,[419] the Los Angeles Superior Court granted EarthLink an injunction prohibiting Cyber from sending unsolicited e-mail to EarthLink subscribers.[420] The court determined that Cyber's actions constituted trespass to EarthLink's computer systems.[421]

Cyber has prevailed in one of its cases, which was based on breach of contract against an Internet service provider that terminated its service agreement with Cyber without providing thirty days' notice as specified in the contract. The court, in Cyber Promotions, Inc. v. Apex Global Information Services, Inc.,[421a] granted a preliminary injunction directing the defendant to restore service for thirty days, in compliance with the contract.

Unsolicited commercial e-mail was also the subject of the first case brought before the Virtual Magistrate Project, an experimental Internet-based arbitration service created to quickly resolve disputes occurring online. Tierney and EMail America[422] involved an advertisement posted on America Online by a marketer, EMail America, which offered for sale five million or more e-mail addresses that could be used for bulk commercial e-mailing. The case was initiated by an America Online subscriber who petitioned for removal of the advertisement on the basis both that the advertisement was deceptive, and that bulk e-mailings, in general, are against public policy and an invasion of privacy.[423] The Virtual Magistrate recommended that AOL remove the e-mail advertisement.[424] However, because EMail America did not participate in the proceedings, the decision is probably not legally binding.[425]

G. Proposed Legislation

Members of the U.S. Congress have introduced several bills in response to concerns regarding the use of personal information that is collected and published online. For example, bills introduced in 1997 include:

• Consumer Internet Privacy Protection Act of 1997[426]

In January, Representative Bruce Vento of Minnesota introduced this bill prohibiting the disclosure by interactive computer services of personally identifiable information without written consent of the subscribers.

• Fair Health Information Practices Act of 1997[427]

In January, Representative Gary Condit of California introduced this bill which would establish a code of fair information practices for health information and amend the Privacy Act.

• Children's Privacy Protection and Parental Empowerment Act of 1997[428]

In March, Senator Dianne Feinstein of California introduced this bill to prohibit the sale of personal information about children without their parent's consent.

• Social Security On-Line Privacy Protection Act of 1997[429]

In April, Representatives Bob Franks of New Jersey and Wally Herger of California introduced this bill which would prohibit the disclosure by interactive computer services of Social Security numbers or other personally identifiable information without the written consent of the subject of the information.

• Personal Information Privacy Act of 1997[430]

In April, Senator Dianne Feinstein of California introduced this bill which would prohibit the sale and use of Social Security numbers without the written consent of the subject, and which would amend the Fair Credit Reporting Act to include identifying information such as a mother's maiden name within the definition of confidential credit header information.[431] In June, Representative Gerald Kleczka of Wisconsin introduced the House version.[431a]

• Federal Internet Privacy Protection Act of 1997[432]

In April, Representatives Tom Barrett of Wisconsin and Sue Kelly of New York introduced this bill which would prohibit government disclosure of any personally identifiable educational, financial, medical, or employment record.

• American Family Privacy Act of 1997[433]

In April, Representative Paul Kanjorski of Pennsylvania introduced this bill which would prohibit federal officers and employees from providing access to Social Security account information or tax return information through the Internet, or without the written consent of the individual; and which would establish a commission to study the privacy and protection afforded to government records.

• Communications Privacy and Consumer Empowerment Act[433a]

In June, Representative Edward Markey of Massachusetts introduced this bill which would protect consumer privacy, empower parents, enhance the telecommunications infrastructure for efficient electronic commerce, and safeguard data security.

• Data Privacy Act of 1997[433b]

In July, Representative Billy Tauzin of Louisiana introduced this bill which would promote the privacy of interactive computer service users through self-regulation by the providers of such services.

V. PROPOSED FAIR INFORMATION PRACTICES GUIDELINES

Concerns about the proper handling of records to ensure their security and privacy[434] have intensified with the advent of computerized record-keeping. In 1973, an advisory committee of the U.S. Department of Health, Education and Welfare (HEW) issued a report, Records, Computers and the Rights of Citizens, in which the committee recommended that a federal code of fair information practices be enacted to encompass all (public and private) computerized record-keeping systems.[435] The proposed code included:

1. There must be no personal data record-keeping systems maintained in secret.

2. There must be a way for an individual to determine what information is in a record and how it is used.

3. Individuals must have a way to prevent personal information that was obtained for one purpose from being used or made available for other purposes without their consent.

4. Individuals must have a way to correct or amend a record of identifiable information about themselves.

5. Organizations creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.[436]

Similar principles were incorporated into guidelines adopted on an international basis in 1980, when the Organization for Economic Cooperation and Development (OECD), of which the U.S. is a member, adopted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[437]

The fair information practices guidelines recommended by HEW and OECD have been the foundation for guidelines issued by several U.S. committees which were created in the 1990s to address the effect of the Internet and commercial online services on the privacy and security of computerized data systems. U.S. organizations addressing these issues include the Federal Trade Commission,[438] the Commerce Department's National Telecommunications and Information Administration,[439] and two groups appointed by President Clinton: the Information Infrastructure Task Force (IITF)[440] and the National Information Infrastructure Advisory Council (NIIAC).[441]

The NIIAC and IITF guidelines add "education principles" to the HEW's basic tenets of fair information practices.[442] The IITF's Education Principle suggests that personal information users (such as marketers and online services) take steps to educate the public regarding potential hazards of computer use and ways to minimize privacy risks.[443] The IITF recommends that personal information users use privacy telephone hotlines, Internet privacy "help" sites, and comprehensive marketing and publicity campaigns to educate the public.[444] As stated by the IITF:

There are many uses of