This article has also been published, with some differences, in 34 San Diego Law Review 1153 (1997).
© 1997 San Diego Law Review
LOST AND FOUND IN CYBERSPACE: Informational Privacy in the Age of the Internet
Susan E. Gindin[*]
CONTENTS
I. INTRODUCTION
II. JUSTICE BRANDEIS REVISITED: HOW PRIVACY MAY BE INVADED ELECTRONICALLY
A. Personal Information Available Online
B. Privacy of Online Transactions
1. E-Mail
3. "Cookies", Clickstream Data, On-Site Registration, Children's Privacy, Etc.
III. PRIVACY PROTECTION TOOLS & PROCEDURES
IV. ENTER THE LAW: PRIVACY RIGHTS IN PERSONAL INFORMATION
1. Fourth Amendment Protections
2. Informational Privacy and Whalen v. Roe
B. Common-Law Right to Privacy Torts
1. Unreasonable Intrusion upon the Seclusion of Another
2. Publicity Given to Private Life
C. Other Common Law Bases for Litigation
D. Statutes Providing Privacy Protections
1. Electronic Communications Privacy Act
2. Computer Fraud and Abuse Act
4. Privacy Act
E. Fertile Ground for Litigation
V. FAIR INFORMATION PRACTICES GUIDELINES
VI. CONCLUSION
Subtler and more far-reaching means of invading privacy have become available. . . . Ways may some day be developed by which Government, without removing papers from secret drawers, can reproduce them in court, and by which it will be enabled to expose to a jury the most intimate occurrences of the home. Justice Louis Brandeis[1]
The computer and the modem have fulfilled Justice Brandeis' 1928 prophecy in his landmark dissent in Olmstead v. United States. Our private lives are now exposed by electronic retrieval and publication of personal information. While Justice Brandeis was primarily concerned about governmental intrusion into private lives, his prophecy and his description of the right to privacy as "the right to be let alone--the most comprehensive of rights and the right most valued by civilized men" (277 U.S. at 478) should apply equally to such intrusion by non-governmental entities.[2] The computer and modem[3] provide both an economical and efficient means of finding needed information. Yet, as increasing amounts of personal information[4] are collected and revealed electronically, there is growing concern over the resulting loss of privacy.
In this article, I will discuss 1) how privacy may be invaded electronically; 2) the tools and procedures that are available to help protect individual privacy; 3) the state of the law regarding the rights[4a] of individuals to control the disclosure of their personal information; and 4) proposed fair information practices guidelines. As will be discussed, what is needed is a comprehensive federal policy that will guarantee individuals the right to control the collection and distribution of their personal information. A vital component of this policy would be an informational privacy protection statute which incorporates the basic tenets of fair information practices:[5] the right to limit data collection, data transfers, and secondary uses; the right to access one's personal data and to make corrections; the right to have one's personal data maintained securely; and the right to be informed of data collection and transfer. Such protections will enable individuals to enjoy more fully the many opportunities available throughout cyberspace.[6]
II. JUSTICE BRANDEIS REVISITED: HOW PRIVACY MAY BE INVADED ELECTRONICALLY
An individual's privacy may be invaded electronically in several ways: first, by the significant amount of personal information which is available in online databases; second, by the transactional information collected as the individual participates in online activities which specifically identifies the individual; and third, by the massive computerized databases which are maintained by federal, state, and local governments, that may be subject to security breaches.
A. Personal Information Available Online
An individual's privacy may be invaded by the publication of personal information online.[7] A significant amount of personal information is available on the Internet,[8] particularly on the World Wide Web.[9] For example, Database America,[10] which is a nationwide residential and business telephone directory, includes data on about 165 million households. In addition, Database America includes reverse telephone number search capabilities.[11] Four11: Internet White Pages[12] provides e-mail addresses as well as telephone numbers and addresses. Map Blast![13] provides area maps which pinpoint requested addresses.
Much of the information provided on the Internet without charge is directory-type information, not traditionally considered private (and in fact, usually recognized as essential for communication), and is therefore not objectionable to most people. However, some of the fee-based Internet sites raise more concerns. For example, Information America's KnowX,[14] which is a comprehensive source of public record information, includes aircraft and watercraft ownership, death records, bankruptcy, lawsuit, lien, and judgment information regarding individuals. On KnowX, basic information is free; detailed information, including property records and similar information, is available for a per-record fee.[15]
Even more detailed, and often more objectionable, personal information is available on commercial online services which are marketed to legal and business professionals, and journalists. These include Autotrack, CDB Infotek, Information America, IRSC, LEXIS-NEXIS, and U.S. Datalink. The personal information available through these services varies depending on the database, but generally includes name, address, and telephone number, and may include Social Security information, birthdate, and names and birthdates of other people living at the same address. Some databases provide real estate records including data on neighboring properties; approximate household income; plane and boat ownership; motor vehicle records; voter registration records; law suits; liens and judgments; criminal records; and credit information.[16]
The commercial online services purchase the personal information they publish from various sources. Much of the information is obtained from one of the three credit reporting companies, Equifax, Experian (formerly TRW), and Trans Union. The credit reporting companies sell the "credit header" portion of credit histories to commercial online services, as well as to marketers and other users of personal information. The credit header data includes name, address, former addresses, telephone number (sometimes including unlisted numbers), Social Security number, and birthdate. The online services also purchase the personal information they publish from information resellers, such as Metromail, which compile data using census bureau statistics and various sources of marketing information, including warranty card returns and requests for product samples and discount coupons. Another source of personal information is the government. Public records, such as real estate records, are purchased directly from the responsible government agency. [17]
A great deal of personal information is also revealed in electronic medical records, which are often linked to health records kept in various locations. In addition to being available to doctors and hospitals, most patient records are available to health insurers, pharmacists, state health organizations and researchers. Sometimes these records are also available to employers, life insurance companies, marketing firms, pharmaceutical companies and others.[18]
The wide availability of personal information online is beneficial in many ways. The Internet site, Switchboard,[19] a nationwide residential and business directory, includes heartwarming stories of long-lost friends and relatives being reunited through Switchboard. The commercial online services, such as America Online and CompuServe, relate similar stories of reunions accomplished through the use of their services. Similarly, the lower medical costs (which result from elimination of duplicate testing procedures) are just one of the benefits of computerized medical records.[20] From the viewpoint of a business professional trying to locate critical witnesses or parties to a lawsuit in an online people finder search, the online availability of this information is equally beneficial.
However, this wide availability also raises concerns over the potential misuse of confidential or inaccurate information.[21] Inaccurate information can result in the denial of credit or government benefits.[22] Misuse of confidential information, such as an individual's Social Security number and other identifying data, can also have severe consequences.[23] As commentators suggest, the profile of an individual which can be compiled using information stored in databases "could be so complete that it will be like having another self living in a parallel dimension: it is a self you cannot see, but one that affects your life just the same."[24] Another commentator noted that "once the persona is recorded it achieves more credence than the individual."[25] One victim of an impersonator (who violated numerous criminal and civil laws in the name of the victim) was advised that the easiest solution to the problem of someone using his identity would be for him to change his own name and Social Security number.[26]
In response to privacy concerns, many database providers have eliminated sensitive information from their databases. In 1996, Yahoo eliminated the reverse telephone number search portion from its People Search site.[27] In 1991, in response to consumer complaints, Lotus abandoned its plans to sell "Marketplace: Households", a database containing names, addresses and marketing information on 120 million U.S. residents.[28] In 1997, shortly after the Social Security Administration (SSA) launched its Interactive PEBES (Personal Earnings and Benefit Estimate Statement) service on the Internet,[29] the SSA suspended the service in response to privacy concerns, pending further assurances that the online disclosure of PEBES information would not be compromised by security breaches.[30]
In 1996, LEXIS-NEXIS introduced P-TRAK, which provides up to three addresses, as well as aliases, maiden names, and birthdates for over 300 million people, and which, at the time of its introduction, included Social Security numbers. There was considerable public uproar and discussion in the media and on Internet discussion groups. In response to concerns expressed about the potential misuse of Social Security numbers, LEXIS-NEXIS removed the display of Social Security information from the records within two weeks after its introduction of P-TRAK (although records can still be searched using the Social Security number). Public concern about P-TRAK arose again a few months later when postings appeared on numerous Internet discussion groups incorrectly stating that P-TRAK contains personal financial and medical information, as well as displays of Social Security numbers. This misinformation spread quickly to different Internet discussion groups and eventually to corporate e-mail. LEXIS-NEXIS Customer Service was soon inundated with calls from people requesting removal of personal data from P-TRAK. Also, Congress and the Federal Trade Commission (FTC) were inundated with P-TRAK complaints from constituents. LEXIS-NEXIS responded by providing various means for individuals to have personal information removed from the P-TRAK database. The FTC responded by urging Congress to amend the reporting of consumer information provisions of the Fair Credit Reporting Act.[31]
There are currently no laws regulating the publication of personal information in online databases. Unless steps are taken to regulate the publication of personal information online, the amount will likely increase. Several factors have converged during the second half of the twentieth century to cause this increased availability of personal information. One factor is that society has become dependent on information. Businesses, government, and some individuals[32] need information to function effectively. Personal information is used by federal, state, and local governments for various purposes, including collection of taxes, allocation of government benefits, and law enforcement. Personal information is required by businesses, for instance, in making hiring and credit-granting decisions, and for the successful marketing of products.
Commentators say we have entered an information age, resulting from the transformation of society's economic base from industry to information.[33] One commentator noted that, "[i]nformation has taken on a new character . . . it has passed from being an instrument through which we acquire and manage other assets to being a primary asset itself".[34]
In 1997, information is the product of over 550 private companies, which include credit reporting agencies, interactive online services, database producers, and financial information services,[35] with annual revenues somewhere in the billions.[36] The sale of information is also a source of substantial revenue for government agencies.[37] The information industry has been growing dramatically every year, and shows no signs of slowing down.[38]
Another factor contributing to the wide availability of personal information online is the government's initiative to make government records readily available to the public. Citizen access to government information was assured by the 1966 enactment of the Freedom of Information Act (FOIA),[39] followed by the enactment of similar state statutes, which codified long-standing philosophies that the free flow of information between the government and the public is essential to a democratic society.[40]
The government's initiative took on new significance with the development of the Internet and other online databases which offered a means for widespread dissemination of government records. In 1993, the Office of Management and Budget established an Information Management Policy that included the online dissemination of government records.[41] A number of government agencies have made their records available electronically via commercial online services[42] or via the Internet.[43]
A third factor contributing to the wide availability of personal information online is the development of computer and telecommunication technologies, including the Internet. These technologies have enabled the information industry to flourish by providing the means for government and private industry to collect and manage vast amounts of data, and to transmit the data around the world. Because information can be obtained and transmitted so quickly, heightened expectations regarding information availability are created. It is likely that those in need of personal information will demand even more online access.
B. Privacy of Online Transactions
Computer technology also provides the means for collecting personal information which is incident to the use of online services and the Internet. The Internet has the capacity to be the most effective data-collector in existence. Concerns about the collection and potential misuse of personal information are multiplying as new ways of electronically collecting personal information emerge. An online user's privacy may also be invaded by his use of electronic mail, online services, and the Internet.
In 1994, 776 billion electronic-mail (e-mail) messages passed through U.S. based computer networks.[45] Projections are for 2.6 trillion e-mail messages to pass through U.S. networks in 1997, and for 6.6 trillion e-mail messages to pass through U.S. networks in 2000.[46]
One's privacy may be invaded when sending e-mail, which is notably insecure.[47] The Internet functions by sending data from computer to computer in packets until the data reaches its destination. While traveling to the intended recipient, third parties have many opportunities to intercept the data.
One's privacy may also be invaded in the workplace:
It's a situation that arises a million times a day in offices around the world. An employee has something personal to tell a co-worker . . . . Rather than pick up the phone or wander down the hall, he or she simply types a message on a desktop computer terminal and sends it as electronic mail. The assumption is that anything sent by E-mail is . . . private. That assumption, unfortunately, is wrong. . . .[48]
In a 1996 survey of 500 executives by the Society for Human Resources Management, 36% said they looked at employee e-mail.[49] A similar survey conducted by MacWorld in 1993 showed that nearly two-thirds of those employers who monitored their employees' e-mail, electronic work files, network messages, or voice mail, did so without warning the employees.[50]
Employers monitor[51] employee e-mail for a number of reasons. Some businesses conduct employee e-mail, telephone, and keystroke monitoring routinely, for instance, to assist in the training of new employees.[52] Others monitor e-mail because of concerns about trade secret misappropriation[53] or liability for employee defamation, harassment, copyright infringement, and other electronic misdeeds of employees.[54]
Many employees feel that their employer's monitoring of their e-mail is an invasion of privacy. As a result, there has been a significant amount of litigation over workplace e-mail privacy.[55] Although the courts have so far ruled that the employees had no reasonable expectation of privacy in their workplace e-mail, this issue will surely engender additional litigation.
E-mail messages can usually be retrieved from a variety of locations, including the network, local hard drives, and backup tapes, even if they have been deleted. E-mail sent or received on an employer's computer system is also discoverable[56] and is subject to review by law enforcement officials in criminal investigations.
In light of the many potential difficulties which can arise with regard to employee e-mail use, many commentators urge that employers prepare carefully drafted policies regarding employee Internet and e-mail use.[57]
b. Unsolicited Commercial E-mail
One's privacy may be invaded by unsolicited commercial e-mail, also known as junk e-mail, or as spam. Junk e-mail is generated by Internet marketers, which compile their mailing lists using the header information (e-mail address, name, service provider) provided with Internet postings, as well as information provided by users when registering to use certain Web sites.
Junk e-mail can also be intrusive. However, not all unsolicited commercial e-mail is objectionable; some is informative and useful. One 1997 survey by an Internet service provider revealed that 70 percent of its users are not bothered by receiving unsolicited commercial e-mail as long as it is tailored to their interests.[58]
However, the bulk mailing of unsolicited e-mail has become a serious concern for the online service providers. These mailings hinder their ability to process legitimate subscriber mail,[59] and harm their relationships with subscribers.[60] Some service providers have resorted to litigation,[61] directed primarily at the largest commercial e-mailer, Cyber Promotions, which sends out 15-20 million unsolicited e-mail messages a day.[62]
Some legislation has been proposed which would regulate unsolicited e-mail.[63] Four federal bills were introduced in 1997,[64] the state of Nevada enacted legislation regulating unsolicited e-mail in July 1997,[65] and other states have proposed legislation.[66]
In addition, numerous print and Web articles provide suggestions for reducing junk e-mail.[67] Suggestions range from asking the advertiser not to send additional junk e-mail to using an Internet address filter that will block communications from known commercial e-mail sites. Other potential solutions allow individuals to "opt-out" of e-mailings. Apex Global Information Services (AGIS),[68] an Internet service provider which hosts commercial e-mailers, announced a plan in April 1997 to create a master list of users who don't want to receive unsolicited commercial e-mail, and then require any e-mailers who use AGIS's service to remove those names from their e-mailing lists. [69] America Online[70] has devised a system in which subscribers have the opportunity to choose whether or not they want to receive e-mail from known commercial e-mailers.[71]
An Internet user's privacy can also be invaded by search engines.[72] Search engines use "robots" to continually peruse the World Wide Web and Usenet newsgroups,[73] for additions to their databases which attempt to index every word. Deja News,[74] for instance, prides itself on indexing all of the Usenet postings, and keeping them "until the end of time."[75]
Search engines raise privacy worries because of their capacity to capture and preserve every message communicated in Usenet postings and archived listserv[76] postings. Although a Usenet group or listserv may appear to be merely a collegial and confidential exchange of information, postings often achieve Internet-wide distribution when they are archived and/or included in the search engine databases.
An individual's postings to Internet discussion groups and his World Wide Web site can be found through search engines. Thus, those participating on the Internet should be cautious about what they write.[77]
3. "Cookies", Clickstream Data, On-Site Registration, Children's Privacy, Etc.
An Internet user's privacy may be invaded by certain features used by some online services and World Wide Web site operators to maintain and improve their service. Some Web sites collect "cookies." A cookie is information about the Web site visit, which the Web browser[78] receives from the Web site, and then stores on the visitor's hard drive. The Web site then "reads" the information each time the user visits the site.[79] This information includes the visitor's Internet service provider, the kind of computer and software used, the Web site linked from, as well as which files were accessed and the amount of time spent on each page. The information is used to track visits to the Web site to learn what visitors like and dislike about the site, and to personalize the site so that options the user selects at the first visit can be used automatically for each successive visit.[80]
As such, the information collected does not usually identify a specific individual. However, when combined with on-site registration data, which the Internet user provides when visiting some sites, cookie data may be used to build a profile of the specific Internet user. Many Web sites require on-site registration, including name, address, e-mail address, and sometimes interests, in order to obtain access or certain benefits.
Internet service providers can also track a user's navigation on the Internet using the electronic records of user activity, also referred to as "clickstream" data.[81] Online service providers track navigational patterns on their services to make improvements. In its Terms of Service, America Online explains that it records users' "navigational and transactional" information to "understand our members' reactions to menu items, content, services and merchandise offered through AOL and to customize AOL based on the interests of our Members."[82]
Of particular concern is the on-site registration information requested on Web sites directed at children.[83] Many Web sites directed at children solicit personal information about the child and child's family, often in exchange for an opportunity to participate in a contest or in the activities offered on the site.[84] The Web site providers use this monitoring information for various reasons. The information is used primarily for marketing,[85] but is also used to improve the Web site.[86] One provider of a Web site for children uses the identity information it obtains to prohibit future access to the Web site for visitors who have behaved inappropriately at prior visits.[87]
The information collected from Web site visits reveals much about the user. Even without providing personal information when registering to use a site, a user's interests can be inferred based on Web site or online service use. Accordingly, there is concern that this information will be misused by marketers and others.
The autonomous software agents that are being developed at the MIT Media Laboratory and elsewhere engender similar concerns due to the personal information these can collect. Software agents, which are being developed to deal with the problems of information overload, operate like librarians--after determining the user's interests, they suggest additional resources that might be of interest. MIT's Web browser agent, Letizia, determines the user's interests by "observing" the Web sites and pages accessed by the user, and then recommends additional resources by previewing immediately accessible links. In addition to the Web browser agent, MIT has developed agents that will recommend music and books, and is working on others, including a "Yenta-Matchmaking" agent that will introduce people who share similar interests.[88]
Online commerce via the Internet has enormous potential,[89] but raises additional privacy concerns. Activities such as online purchases and banking necessitate the disclosure of so much personal information, including name, address, and credit card or account information, that they require special security procedures. Use of encryption[90] is necessary, and additional security measures, such as the use of digital signatures[91] are recommended.[92]
One's privacy may also be invaded by the collection, maintenance, and dissemination of government records. For efficiency and economy, government agencies have automated, or are in the process of automating their records.[93] Some government agencies are providing agency records on their Web sites.[94] Although these agencies have been applauded for making this data available on the Internet for free,[95] the security of the information is an important concern.[96]
Certain records such as tax, social welfare, and criminal history information, are considered confidential and are only available to authorized government employees.[97] Other records, including property records, birth, death, and marriage certificates, court records, motor vehicle and voter registration records of many states, are considered public records. The online service providers, as well as direct marketers, obtain much of the personal information they sell from public records.[98]
Computerization of the records has facilitated intergovernmental resource-sharing. The FBI's National Crime Information Center (NCIC) database, which maintains information on federal, state, and local crime convictions, is invaluable for state and local, as well as for federal, law enforcement officials. Also, the federal government's computer-matching program permits agencies to compare records for various reasons, including determining eligibility for benefit programs and collecting unpaid child support or debts owed the government.[99]
However, the computerization of government databases raises several concerns. One concern is the accuracy of the records. Depending on their nature, they may be sold to online service database providers, used by credit reporting agencies in creating credit profiles, or used by another government agency to verify eligibility for certain benefits.
Another concern is the security of government databases, especially the massive federal databases, including the FBI's NCIC and the IRS database. Tax return information, which includes not only name, address, occupation, and income, but also family data, financial data, and medical information, provides a nearly-complete personal profile.
Unauthorized access to these government records is a very real concern. A commentator reported that, "security risks to federal computers and telecommunications systems are worse than ever. Every day the confidentiality, integrity and availability of government information is being threatened by amateur hackers, [viruses], professional eavesdroppers, power outages, natural disasters and human error."[100] Government agencies are aware of security risks and have taken security measures. However, security breaches continue. Computer hackers have broken into computer systems of the Central Intelligence Agency, Justice Department, National Aeronautics and Space Administration, and the World Wide Web page of the Air Force.[101]
III. PRIVACY PROTECTION TOOLS & PROCEDURES
There are some tools and procedures that offer some protection for individual privacy. Certain tools can be used by individuals to help protect their online privacy, and specific procedures can be used by the information industry to safeguard the privacy of individuals. These tools and procedures have varying degrees of effectiveness, but are essential components for privacy protection.
A. Self-Help: Online Privacy Protection Tools
A variety of privacy protection tools can be used to help protect online privacy. The most popular and effective is encryption, a procedure that scrambles electronic documents so that they can be unscrambled only with the proper key or keys. One of the most popular and powerful software encryption programs is PGP (Pretty Good Privacy).[102]
While encryption is widely recognized as essential for privacy protection and security, encryption is a controversial topic because the federal government has vigorously attempted to regulate encryption standards and technologies, while software manufacturers and some privacy organizations have attempted to minimize government encryption controls.[103] The government is concerned both about national security and that encryption will give criminals the means to frustrate law enforcement efforts. Therefore, the government wants to ensure a means to access encrypted items and to restrict the export of encryption software.[104] In 1993, the Clinton administration announced its Clipper chip proposal as a solution to the government's need to access encrypted data. This proposal involved the use of a microprocessor chip that would encrypt and decrypt data using a private/public key system, requiring that the private keys be held in escrow by the government to allow the government easy access to encrypted data. This proposal was so widely criticized that the government abandoned the original proposal a year later. In October 1996, the Administration announced a plan for "worldwide key management infrastructure with the use of key escrow and key recovery [a system allowing individuals to reclaim lost codes] encryption items" in connection with export control regulations.[105] Later in 1996, control for the export of encryption software was transferred from the U.S. State Department's U.S. Munitions List to the Commerce Department's Commerce Control List,[106] and the Commerce Department Bureau of Export Administration (BXA) issued interim rules for encryption export regulations.[107]
Three recent federal cases have involved challenges to the constitutionality of encryption software export restrictions. In Junger v. Daley [Secretary of Commerce],[108] filed in August 1996 in the U.S. District Court for the Northern District of Ohio, a law professor, who wishes to publish some encryption programs on his Internet site as part of the course materials for his Computing and the Law course, is seeking to enjoin the government's enforcement of encryption software export regulations. The other two cases have produced opposite results, and are pending appeals. In Bernstein v. Dept. of State,[109] the U.S. District Court for the Northern District of California ruled that the Commerce Department export control regulations, which would prevent the plaintiff from distributing his encryption software over the Internet without a license, violate the First Amendment's free speech guarantee.[110] In contrast, the U.S. District Court for the District of Columbia ruled, in Karn v. U.S. Department of State,[111] that the State Department regulations do not raise First Amendment issues. The Karn court further held that the restrictions consist of foreign policy decisions which are not the province of the courts.[112] On appeal to the U.S. Court of Appeals for the D.C. Circuit, Karn was remanded for reconsideration in light of both the late 1996 transfer of regulatory authority for the export of encryption software from the State Department to the Commerce Department, and the Commerce Department's issuance of new regulations.[113]
Another privacy protection tool is the use of an anonymous server to send e-mail or access Internet sites anonymously. An anonymous server acts as a middleman between the Internet user and the document he wants to send or retrieve. The only identifying information available to the site that is contacted is the address of the anonymous server. For example, for Web, FTP[114], and gopher[115] transactions, Community ConneXion, Inc. (whose motto is "Because on today's Internet, people do know you're a dog") provides the Anonymizer.[116] For e-mail and Usenet postings, an anonymous remailer will strip e-mail and Usenet postings of identifying information, and then forward the message to the recipient.[117]
Anonymity also has its critics.[118] In 1996, a Georgia statute took effect prohibiting online users from using pseudonyms or communicating anonymously over the Internet.[119] In response, in September 1996, the A.C.L.U. and the Electronic Frontier Foundation brought suit in federal district court for the Northern District of Georgia, and obtained a preliminary injunction against enforcement of the statute.[120]
Other procedures can be used to prevent the widespread distribution of Usenet postings and Web pages. If a Web site is not for public use, security measures can be utilized, including passwords, domain name filtering, Internet address filtering, or a firewall[121] to prevent access by unauthorized users. Also, when a site uses the "Standard for Robot Exclusion," search engine robots will ignore all or designated parts of the Web site.[122] To avoid having a Usenet posting indexed by a search engine, "X-no-archive: yes" should be added to the header of the message, or made the first line of the message.
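The two indexing controls described above can be verified mechanically; the following Python sketch is an added example, not part of the original article, that tests an exclusion file against sample paths and checks a Usenet posting for the no-archive line. The robots.txt contents, the robot names "ExampleBot" and "OtherBot", the site paths, and the sample postings are all constructed assumptions.

```python
import re
import urllib.robotparser
from email.parser import Parser

# Constructed exclusion file for a hypothetical site: one named robot is
# excluded from everything, all other robots from two directories only.
ROBOTS_TXT = """\
User-agent: ExampleBot
Disallow: /

User-agent: *
Disallow: /private/
Disallow: /members/
"""

# Constructed Usenet postings (addresses use the reserved .invalid domain).
POST_HEADER = (
    "From: poster@example.invalid\n"
    "Newsgroups: misc.test\n"
    "Subject: header form\n"
    "X-No-Archive: yes\n"
    "\n"
    "Text of the posting.\n"
)
POST_BODY_LINE = (
    "From: poster@example.invalid\n"
    "Newsgroups: misc.test\n"
    "Subject: first-line form\n"
    "\n"
    "X-no-archive: yes\n"
    "Text of the posting.\n"
)
POST_ARCHIVABLE = (
    "From: poster@example.invalid\n"
    "Newsgroups: misc.test\n"
    "Subject: too late\n"
    "\n"
    "Hello,\n"
    "X-no-archive: yes\n"  # not the first line, so it does not count
)

NO_ARCHIVE_LINE = re.compile(r"x-no-archive:\s*yes", re.IGNORECASE)


def robot_may_fetch(robots_txt: str, agent: str, path: str) -> bool:
    """True if a robot that honors the exclusion file may fetch `path`."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, path)


def requests_no_archive(raw_post: str) -> bool:
    """True if the posting asks not to be archived, in either accepted form."""
    msg = Parser().parsestr(raw_post)
    # Form 1: a header field (header names are matched case-insensitively).
    if (msg.get("X-No-Archive") or "").strip().lower() == "yes":
        return True
    # Form 2: the first line of the message body (leading blank lines skipped).
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart posting: no plain first line
        return False
    lines = body.lstrip("\r\n").splitlines()
    return bool(lines) and NO_ARCHIVE_LINE.fullmatch(lines[0].strip()) is not None


def audit() -> dict:
    """Collect the results for the constructed samples above."""
    return {
        "OtherBot /index.html": robot_may_fetch(ROBOTS_TXT, "OtherBot", "/index.html"),
        "OtherBot /private/report.html": robot_may_fetch(
            ROBOTS_TXT, "OtherBot", "/private/report.html"
        ),
        "ExampleBot /index.html": robot_may_fetch(ROBOTS_TXT, "ExampleBot", "/index.html"),
        "header form": requests_no_archive(POST_HEADER),
        "first-line form": requests_no_archive(POST_BODY_LINE),
        "late line": requests_no_archive(POST_ARCHIVABLE),
    }


if __name__ == "__main__":
    for label, result in audit().items():
        print(f"{label}: {result}")
```

Both controls are voluntary conventions honored by cooperating robots and archives; material that must stay private still needs the access controls listed above, such as passwords or a firewall.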
In response to questions about "cookies," newer versions of Web browsers, such as Netscape 3.0, have mechanisms which notify the user before a cookie is set.[123] Also, software has been developed to assist users in managing cookies.[124]
With regard to children's privacy, there is software available which gives parents the opportunity to monitor, filter, and prevent information disclosure by their children.[125] For instance, Cyber Patrol,[126] which enables parents to prevent access to inappropriate sites, also enables parents to prevent the disclosure of specific previously identified information. In addition, Microsoft's browser, Internet Explorer, and some online services provide parents with blocking options.[127]
Filtering can also be used to reduce unsolicited commercial e-mail. Filters can be used to block e-mail that matches categories, such as sender or subject. Unfortunately, commercial e-mailers frequently alter the message header to disguise the subject and indicate a different sender.[128]
Additional electronic privacy protection technologies are still in the development stage. Some companies have devised systems to protect user privacy and also satisfy the needs of online marketers for information about current or potential customers. In May 1997, Internet technology companies, Netscape Communications Corp.,[129] Firefly Network Inc.,[130] and VeriSign Inc.[131] proposed such a system as an industry standard. The Open Profiling Standard (OPS) will give users control over the personal information they reveal online and also enable companies to gather personal information for marketing purposes and to personalize Internet services. Under this system, users enter name, address, and other personal information that is useful to marketers and online services (such as age, gender, marital status, and product preferences) into a file which resides on their hard drive. When accessing a Web site that requests personal information, users will have the opportunity to specify which information should be revealed, and whether their personal information can be shared with other Internet sites. The Open Profiling Standard has the support of about one hundred companies, including advertisers, consumer Web sites, search engine companies, and software and hardware companies.[132]
Also, in June 1997, the World Wide Web Consortium[133] announced its Platform for Privacy Preferences Project (P3P), which will "enable the exchange of privacy practices and preferences by Web sites and users respectively."[134] P3P products will allow users to determine the information that can be collected from them when visiting Web sites, and if they visit a site that collects more than the specified information, the user will be alerted and given the opportunity to agree to the site's terms and continue browsing.[135]
The proposed Open Profiling Standard, Platform for Privacy Preferences Project, and other technological measures developed and implemented by Internet technology companies are examples of the significant role the information industry can take in assuring individual privacy. The information industry may also play a significant role in assuring individual privacy by self-regulating the procedures used in collecting and disseminating personal information.
B. Self-Regulation: Information Industry Procedures
The procedures used by the information industry in collecting and using personal information determine whether individual privacy is invaded, and many information industry companies have taken steps to ensure that these procedures protect individual privacy.
Information industry organizations have issued industry guidelines for fair information handling, which include privacy protection procedures.[136] In addition, many companies have established privacy protection policies.[137] Also, some companies have abandoned projects that were objectionable to the public, as seen when Lotus abandoned its Marketplace database and LEXIS-NEXIS withdrew Social Security numbers from P-TRAK records.[138]
There is much incentive for information companies to comply with industry guidelines, and to respond to the pressures of the marketplace. Studies have shown that consumers are nervous about electronic privacy and about transacting business via the Internet.[139] As noted by the Interactive Services Association in its guidelines, online service providers need to safeguard subscribers' privacy or else lose subscribers:
The first rule of business is to establish the trust of the subscriber. . . . Although there are no laws protecting subscriber information, other than with respect to e-mail, the industry has made the protection of such information a priority. Online service providers recognize that they have an interest in providing this protection and maintaining the subscriber's trust because if subscribers feel that their information is not protected they will no longer subscribe to the online service. Accordingly, the online service companies have developed these guidelines to establish an industry-wide standard prohibiting the disclosure of individual session activities and setting forth the steps which must be taken before making certain other subscriber information available to third parties.[140]
By mid-1997, there was substantial industry and governmental support for self-regulatory measures as the preferred means for protecting Internet privacy. In July 1997, the Clinton Administration expressed its support for the use of self-regulatory measures and technological innovations for protecting Internet privacy when the Administration issued its A Framework for Global Electronic Commerce.[141] The Framework generally favors a laissez-faire, market-driven approach to regulating the Internet in an effort to stimulate electronic commerce.
In June 1997, the Federal Trade Commission held a public workshop on consumer information privacy. At this workshop, representatives of the information industry and privacy organizations discussed electronic privacy.[142] Industry representatives urged the use of technological measures and industry self-regulation to safeguard consumer privacy. LEXIS-NEXIS, and seven other information companies which provide personal information, proposed industry procedures which would ensure the accuracy and security of the information provided, limit the availability of non-public information, and educate consumers about the practices of the information companies.[143] In addition, during the Federal Trade Commission workshop, the Open Profiling Standard proposed by Netscape Communications (and other Internet technology companies) gained additional support from other information industry companies.[144]
Also in June 1997, the U.S. Commerce Department's National Telecommunications and Information Administration published its Privacy and Self-Regulation in the Information Age,[145] in which legal scholars, economists, and numerous representatives of the information industry discussed the effectiveness and legality of industry self-regulation. Various approaches to privacy protection were discussed within the context of industry self-regulation. One contributor discussed using a contractual approach to privacy protection. Individual privacy rights would be established via contracts made with data collection companies.[146] Other contributors discussed using a property approach, through which individuals would be paid for use of their personal information by the data collectors.[147] A number of representatives of large information companies also detailed their companies' existing privacy policies.
Nonetheless, the self-regulatory approach to informational privacy protection in the U.S. may be thwarted by data protection laws in the European Union. The European Union's comprehensive data protection directive, which takes effect in October 1998, both requires member countries to enact statutes which protect individual rights to privacy with respect to the processing of personal data, and requires that personal information may only be transmitted outside the European Union to a country which ensures an adequate level of protection for the subject of the data.[148] The directive will affect all U.S. entities conducting transactions which involve personal data transfers with European entities. In a policy paper issued in June 1997, the European Commission indicated that "adequate protection" should be determined by examining the content of the country's privacy rules as well as the procedural mechanisms in place to ensure the effectiveness of these rules.[149] The European Commission further indicated that the current U.S. privacy protection measures are unlikely to meet the directive's "adequate protection" requirements.[150] Thus, without legislation or some other formal mechanism in place to enforce informational privacy rights, personal data transfers from the European Union to the U.S. may be prohibited after the European Union data protection directive takes effect in October 1998.[151] Such restrictions would have a momentous impact on electronic commerce, especially in light of the directive's all-encompassing approach to data protection. The policy paper specifically mentions credit card payments over the Internet, as well as "transfers involving the collection of data in a particularly covert or clandestine manner (e.g. Internet cookies)" as examples of data transfers which would receive particular scrutiny in terms of "adequate protection."[152]
The European Community clearly questions the adequacy of informational privacy protection in the United States. Although there is much support in the U.S. for self-regulatory measures and technological privacy innovations, there remains substantial doubt as to whether these measures can be completely effective without some type of enforcement mechanism.[153] Unless there are sanctions available for violations of industry guidelines, some information companies may be inclined to ignore industry guidelines or to minimize their significance in their quests for profits.[154]
Whether or not the self-regulatory measures of the U.S. information industry are deemed sufficient in safeguarding the informational privacy of individuals, they should be encouraged. They can be effective when consistently followed, and they offer the significant benefit that issues which arise can be addressed much more quickly than through the legislative process or other methods of redress.
IV. ENTER THE LAW: PRIVACY RIGHTS IN PERSONAL INFORMATION
In the United States, there is no comprehensive law guaranteeing privacy rights in personal information. Contrast this to Europe, where the European Union's comprehensive data protection directive takes effect in October 1998.[155] In the United States, informational privacy protections are provided by an assortment of federal and state constitutional law, statutory provisions, and judicially determined case law.
Although a right of privacy is not specifically guaranteed by the Constitution, the U.S. Supreme Court has held that the Constitution protects a right of privacy in making certain intimate personal decisions from governmental interference.[156] The Supreme Court has not yet held that the Constitution protects a right of privacy in personal information. However, some informational privacy protections can be found in the First and Fourth Amendments, and it seems likely the Supreme Court will hold that the Constitution protects a right of informational privacy.
1. Fourth Amendment Protections
The right to privacy from governmental intrusion is found in the Fourth Amendment's prohibition against unreasonable searches and seizures. The Fourth Amendment to the Constitution provides:
The right of the people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.[157]
Due to advancing technology and law enforcement capabilities in the Twentieth Century, the Supreme Court has been faced with a number of cases interpreting the Fourth Amendment.[158] When faced with its first electronic surveillance case, Olmstead v. United States[159], the Court ruled that no warrant was necessary in order for federal agents to tap a telephone wire.[160] The majority emphasized that the Fourth Amendment was understood to protect only against "physical invasions" by law enforcement officers.[161] In his famous dissent, Justice Brandeis argued for an expanded notion of the nature of privacy to accommodate new technology.[162] In 1967, the Supreme Court overruled Olmstead in deciding Katz v. United States,[163] and held that the interception of a telephone conversation in a public telephone booth does constitute a search and seizure for Fourth Amendment purposes.[164] The court determined that the threshold question is whether there is a "reasonable expectation of privacy", as opposed to the earlier trespass requirement.[165] The Court wrote:
For the Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. . . . But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.[166]
In 1995, a military court addressed whether an individual has a reasonable expectation of privacy in his private e-mail.[167] Citing Katz, the court held that the individual does have a reasonable expectation of privacy under the Fourth Amendment in his e-mail communications stored and sent via an online service.[168]
2. Informational Privacy and Whalen v. Roe
The right to informational privacy was first addressed by the U.S. Supreme Court in Whalen v. Roe.[169] This case involved the invasion of patients' privacy by a New York statute requiring physicians to submit copies of prescriptions for abused drugs to the state for inclusion in a centralized computer file.[170] Although the Court upheld the statute, finding that New York's interest in experimenting with solutions to control the distribution of dangerous drugs was a legitimate exercise of the state's police power, the Court re-affirmed the right of an individual to have his personal information kept private.[171] The court stated:
A final word about issues we have not decided. We are not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data banks or other massive government files. The collection of taxes, the distribution of welfare and social security benefits, the supervision of public health, the direction of our Armed Forces, and the enforcement of the criminal laws all require the orderly preservation of great quantities of information, much of which is personal in character and potentially embarrassing or harmful if disclosed. The right to collect and use such data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures.[172]
3. First Amendment Considerations
The First Amendment,[173] which protects speech, including commercial speech,[174] from governmental interference, also affects informational privacy. On the one hand, the First Amendment places limitations on the right to informational privacy.[175] The First Amendment free-speech and free-press goal of assuring the free flow of information is antithetical to the idea of privacy in information. Free-speech and free-press considerations imposed by New York Times Co. v. Sullivan[176] limit the applicability of the common law right of privacy torts, even those involving non-governmental actors, where the affected subject is newsworthy.[177]
On the other hand, the First Amendment also provides additional information privacy protections. For instance, the First Amendment-inspired Privacy Protection Act limits governmental seizure of publishers' work product materials.[178] Because anyone posting messages on the Internet or online services can be considered a "publisher," this Act may prove to have special significance.
Some state constitutions include privacy protections which surpass privacy protections in the U.S. Constitution. Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington have broader protection.[179] In California, a court has recognized that the constitutional right to privacy extends to private as well as public employers.[180]
C. Common-Law Right to Privacy Torts
As for intrusions by non-governmental means, the common law right to privacy tort may provide some protection.[181] The call for legal recognition of a right to privacy is generally attributed to an 1890 law review article by Louis Brandeis and Samuel D. Warren, The Right to Privacy.[182] In this article, Warren and Brandeis advocated a right to privacy, and warned that technology innovations would decrease the personal dignity of the individual if such privacy protections were not provided.[183]
Subsequently, a common law doctrine of personal privacy has emerged as a group of four invasion of privacy torts delineated by both Dean William L. Prosser[184] and the Restatement (Second) of Torts:[185] 1) the unreasonable intrusion upon the seclusion of another;[186] 2) the unreasonable publicity given to another's private life;[187] 3) publicity that unreasonably places another in a false light before the public;[188] and 4) the appropriation of another's name or likeness.[189]
1. Unreasonable Intrusion upon the Seclusion of Another
Under this tort, "[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person."[190] Unlike the other common law privacy torts, in which the disclosure of private information is a necessary element, disclosure is not required to establish liability for this tort.[191] There is no liability if the underlying information is public record or if the activity intruded upon is conducted in a public space where one would not reasonably expect privacy.[192]
Because this tort has been applied to wiretaps,[193] liability would likely be imposed for the unauthorized access to or interception of electronic communications and information systems.[194]
2. Publicity Given to Private Life
Under this form of invasion of privacy:
One who gives publicity to a matter concerning the private life of another is subject to liability to the other for the invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.[195]
This tort seems to offer many opportunities for potential recovery in cases in which private facts are revealed electronically. Recovery under this privacy tort, however, is restricted by several judicially imposed requirements. The required publicity must be communicated to enough people that "the matter must be regarded as substantially certain to become one of public knowledge."[196]
In addition, there will be no liability for publicity of facts that are a matter of public concern or of public record because of First Amendment guarantees. The Restatement specifies birthdate, marital status, military record, professional or occupational licenses, and litigation as examples of public records for which there will be no liability for publication; yet, on the other hand, the Restatement specifies income tax returns as records not open to public inspection.[197] Thus, publication of such information is actionable. In Cox Broadcasting Corp. v. Cohn,[198] a case involving publication of a rape victim's identity, the U.S. Supreme Court held that under the First Amendment, publicity of matters of public record is not actionable[199] and further that "[t]he commission of crime, prosecutions resulting from it, and judicial proceedings arising from the prosecutions, however, are without question events of legitimate concern to the public and consequently fall within the responsibility of the press to report the operations of government."[200]
This tort may be a basis for suit in cases in which personal information (i.e., medical condition, tax return, or other confidential information) is disseminated electronically to a significant number of people, for instance, on a public bulletin board or newsgroup.[201]
In Dennis v. Metromail Corporation,[202] a pending case involving the compilation of personal data by direct marketer, Metromail, and former owner, R.R. Donnelley & Sons, suit was brought under this privacy tort. In addition, claims were filed for intentional or reckless disregard of safety, fraud, unjust enrichment, infliction of emotional distress, and negligent entrustment.[203] The suit was initiated by a woman who had given her name, address, sex, age, medical condition, and buying habits to a Metromail survey in exchange for the promise of discount coupons and free products.[204] The survey response was processed by a prison inmate who then sent the plaintiff an offensive, sexually graphic, and threatening letter.[205] This case, which was initiated in April 1996, was later expanded to a class action including plaintiffs from California, Illinois, and New York who also responded to Metromail surveys processed by prison inmates.[206] The complaint was amended to add a claim for breach of contract, and the fraud claim was expanded to include Metromail's "deceptive acquisition" of information by promising to provide coupons, and then selling the information to telemarketers, bill collectors, and others, and also making the information available over a 1-900 number "people locator" service for $3 a minute.[207]
The Metromail case is particularly significant in the electronic privacy area because Metromail is one of the suppliers of the personal information that Four11, the Internet telephone number and address directory database, LEXIS-NEXIS, and other commercial services provide in their "people-finding" databases.[208]
3. Publicity Placing Person in False Light
Under this tort,
One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of privacy, if (a) the false light in which the other was placed would be highly offensive to a reasonable person, and (b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.[209]
False light invasion of privacy is similar to defamation. However, a reputation need not be injured in the same way that is necessary for defamation liability.[210]
This tort may provide basis to sue for the online dissemination of erroneous information where the database provider has not taken proper steps to ensure its correctness.[211]
4. Appropriation of Name or Likeness
Under this form of invasion of privacy, "[o]ne who appropriates to his own use or benefit the name or likeness of another is subject to liability to the other for invasion of his privacy."[212] Usually this privacy invasion applies to the commercial use of another's name or likeness.[213] Some states have extended this tort to personality, as well.[214]
This tort may be restricted by First Amendment concerns when the appropriation of a person's name or likeness for commercial use is for a newsworthy purpose. In Stern v. Delphi Internet Services Corp.,[215] controversial talk-show host, Howard Stern, brought suit under New York's right to privacy statutes[216] against Delphi Internet Services Corporation after Delphi used Stern's photograph without his consent in an advertisement. Stern had announced his candidacy for governor of New York, and Delphi used Stern's photograph to advertise an online bulletin board service it had set up to debate Stern's candidacy.[217] The court found that, although Delphi had used Stern's name and photograph for a commercial purpose without Stern's consent, Delphi's use was permissible because Stern's candidacy was a matter of public interest.[218] The court analogized Delphi's service to a television network, which is both entertainer and news disseminator, stating that the incidental use by a news disseminator of an individual's name or likeness in an advertisement is protected by the First Amendment: "The newsworthy use of a private person's name or photograph does not give rise to a cause of action . . . as long as the use is reasonably related to a matter of public interest."[219]
The appropriation privacy tort may provide a basis for suit involving the sale of non-public record personal information by commercial online publishers. It may also provide the basis for suit against marketers of names and e-mail addresses for use by unsolicited commercial e-mailers. However, plaintiffs using this tort or similar statutes in suing the distributors of mailing lists have so far been unsuccessful.[220]
D. Other Common Law Bases for Litigation
The traditional right of privacy torts have not always been persuasive in redressing invasions of informational privacy. Those seeking judicial redress may therefore use other common law bases, including: breach of contract;[221] negligence;[222] breach of confidentiality;[223] intentional or reckless disregard of safety;[224] fraud;[225] infliction of emotional distress;[226] right of publicity;[227] trade secret misappropriation;[228] and trespass to chattels, conversion and unjust enrichment.[229]
Litigation based on common law property concepts might be most successful in redressing informational privacy violations. Property rights have been recognized in certain types of information. The U.S. Supreme Court held in Ruckelshaus v. Monsanto Co.,[230] that persons have a property interest in a trade secret. Other courts have recognized an individual's property right in his medical records[231] and in his polygraph records.[232] The right of publicity, which is similar to the appropriation privacy tort in that it provides a cause of action for the use of an individual's name or likeness without his consent, is considered a property right by the courts.[233] Similarly, some courts finding invasions of privacy, under either the common-law appropriation tort or state appropriation statutes, have found property rights in a person's name or likeness.[234]
A number of commentators favor the extension of property rights to personal information.[235] Extending property rights protection to personal information would give individuals the rights guaranteed in fair information practices guidelines:[236] the right to be informed of data collection and transfer; the right to limit data collection, data transfers, and secondary uses; the right to access one's personal data and to make corrections; and the right to have one's personal data maintained securely. In addition, the individual would have commercial rights in his personal information.[237]
E. Statutes Providing Privacy Protections
Congress has responded to the need for informational privacy and security protections by enacting statutes in a piecemeal fashion to address specific privacy needs. The Electronic Communications Privacy Act of 1986 (ECPA)[238] and the Computer Fraud and Abuse Act[239] contain provisions to protect electronic privacy. The Privacy Protection Act of 1980[240] restricts governmental seizure of publishers' investigative work product. The Privacy Act of 1974[241] and the Computer Matching and Privacy Protection Act of 1988[242] regulate government record-keeping and prevent government agencies from divulging certain personal information without proper authorization. The Fair Credit Reporting Act[243] protects the acquisition and disclosure of information by the credit reporting industry.
1. Electronic Communications Privacy Act[244]
In 1986, the Electronic Communications Privacy Act (ECPA) was enacted to amend Title III of the Omnibus Crime Control and Safe Streets Act of 1968,[245] which authorized court-ordered government wiretapping. The ECPA protects against unauthorized access, interception, or disclosure of private electronic communications by the government as well as by individuals and third parties. In addition, the ECPA provides important protections for online users. The Act imposes potentially stiff penalties for violation of the statute[246] and requires a court-ordered warrant for governmental search of electronic communications.[247] An electronic communication is defined by the statute as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce. . . ."[248] Intercept is defined as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device."[249]
Title I of the ECPA restricts the interception of oral, wire, and electronic communications while in transit,[250] and Title II pertains to the acquisition and disclosure of stored communications.[251] The ECPA contains numerous exceptions. Some exceptions give online service providers the power to intercept and disclose electronic communications under certain circumstances:[252] situations in which the service providers suspect the sender is attempting to damage the system, or when necessary for the rendition of the service[253] (e.g. the systems operator (sysop) must review the content of the communication before forwarding it). In addition, if the communication seems to pertain to the commission of a crime, the service may disclose an electronic communication to a law enforcement agency.[254]
Another exception is provided for electronic communications made to a system that is "readily accessible to the general public."[255] The ECPA provides that interception of such communications is lawful.[256] Therefore, the ECPA is not violated when postings to Usenet groups, listservs, bulletin board systems, and chat rooms are read and archived.
Yet another exception allows service providers and anyone else to intercept and disclose an electronic communication where either the sender or the recipient of the message consents to the interception or disclosure.[257] Many commercial services require a consent agreement from new members when signing up for the service, and consent may be implied in employment relationships, especially when the employer notifies employees that their e-mail will be monitored.
Finally, the ECPA provides an "ordinary course of business" exception, which may also support employer monitoring of employee e-mail. This exception is found in the definition of "electronic, mechanical, or other device," which exempts from the interception prohibition an entity which provides the electronic communication service "in the ordinary course of its business."[258]
Cases interpreting the "ordinary course of business" provision have involved telephone monitoring, and the courts have generally held that an employer may monitor an employee for as long as the communication is business-related.[259]
In Steve Jackson Games, Inc. v. U.S. Secret Service,[260] a case involving the seizure of e-mail and stored electronic communications, the court held that U.S. Secret Service agents violated Title II of the ECPA and the Privacy Protection Act[261] by seizing plaintiff's computer equipment containing unread e-mail, software, and materials the plaintiff planned to publish, which were outside the scope of the warrant.[262] The agents were searching for a confidential telephone company document that had been stolen by computer hackers and uploaded to a bulletin board operated by Blankenship, an employee of the plaintiff, Steve Jackson Games, Inc. (SJG), which also had a bulletin board.[263] The officers had no information that SJG, which operated the bulletin board system and which also was a publisher of computer games and books, was involved in the illegal activity.[264] However, the officers believed Blankenship may have uploaded the document to SJG's bulletin board, which Blankenship used and helped operate.[265] They obtained a warrant to seize a variety of files and documents from the SJG bulletin board. [266]
The district court found that in seizing unread e-mail and software, which were outside the scope of the search warrant, the Secret Service agents violated Title II of the ECPA's provisions regarding stored communications as well as the Privacy Protection Act.[267] The district court rejected plaintiffs' claim that the seizure of the unread e-mail also violated Title I of the ECPA regarding interception of communications, finding that the communications were not "intercepted" as defined by the statute since they were in storage when they were seized.[268] The Fifth Circuit upheld this issue on appeal.[269]
In Davis v. Gracey,[270] another case involving government seizure of unread e-mail and software from a bulletin board service, the court found that the police officers who seized the items did not violate the ECPA or the Fourth Amendment rights of the plaintiff, a bulletin board operator.[271] Although the circumstances were similar to those in Steve Jackson Games (SJG), they differed sufficiently to produce a different decision. Unlike the SJG bulletin board operator who had no part in the criminal activity which led to the seizure of computer items, the Davis bulletin board operator was selling pornographic CD-ROMs, which could also be accessed via his bulletin board service. The officers obtained a warrant to search for pornographic CD-ROMs and "equipment, order materials, papers, membership lists and other paraphernalia pertaining to the distribution or display of pornographic material. . . ."[272] Included in the seizure were 150,000 e-mail messages and 500 megabytes of software which had been uploaded onto the bulletin board by subscribers.
The court rejected both the plaintiffs' Fourth Amendment claims that the warrant was overbroad, and that the warrant should not have been executed in a manner resulting in the incidental seizure of e-mail and other files stored on the hardware that were outside the scope of the warrant. The court found the term "equipment" in the warrant supported the officers' seizure of the computer equipment.[273] The court also found that the seizure of the e-mail and other files was unavoidable because they were contained within the computer, and the computer was "an instrumentality of the crime."[274] The court further held that the officers were entitled to the ECPA's good faith clause,[275] providing a complete defense to any charges, because there was "good faith reliance on . . . a court warrant or order."[276]
Violation of the ECPA has also been among the claims used in litigation concerning unsolicited e-mail. Internet service providers suing a bulk commercial e-mailer, Cyber Promotions, Inc., have claimed Cyber's techniques violate the ECPA.[277] These ECPA claims have not yet been addressed by the courts.
2. Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act [278] prohibits unauthorized access of computers under certain circumstances, including:
-- intentional unauthorized access to a nonpublic government computer, which affects the government's use of the computer;[279]
-- knowing unauthorized access to a protected computer (defined as a computer used by or for the use of government agencies or financial institutions as well as a computer "which is used in interstate or foreign commerce or communication"[280]) "with intent to defraud ... and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period";[281]
-- intentional access of a protected computer which causes damage.[282] (Damage is defined as
any impairment to the integrity or availability of data, a program, a system, or information, that (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals; (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals; (C) causes physical injury to any person; or (D) threatens public health or safety . . . . )[283]
Also prohibited is knowingly causing "the transmission of a program, information, code, or command," resulting in intentional unauthorized damage to a protected computer.[284]
The Act provides both criminal[285] and civil penalties. Compensatory damages, injunctive relief, and other equitable relief are available in civil actions. [286]
In a well-known case brought under the Computer Fraud and Abuse Act, United States v. Morris,[287] the Second Circuit affirmed that a computer hacker, who was a graduate student in Cornell University's Ph.D. computer science program, was guilty under the Computer Fraud and Abuse Act when he released a "worm"[288] onto the Internet.[289]
Violation of the Computer Fraud and Abuse Act has been among the claims used in litigation concerning unsolicited e-mail. Internet service providers suing a bulk commercial e-mailer, Cyber Promotions, Inc., claimed Cyber's techniques violate the Computer Fraud and Abuse Act. In Cyber Promotions' suit against America Online for blocking its e-mailings, Cyber also claimed that AOL's practice violated the Computer Fraud and Abuse Act.[290] The statute's applicability in these types of cases has not yet been addressed by the courts.
The Privacy Protection Act[291] (PPA), which ensures publishers' First Amendment rights of freedom of the press, makes government seizure of a publisher's "work product materials" a criminal offense unless there is probable cause to believe that the person possessing such materials is committing the offense to which the materials relate:
Notwithstanding any other law, it shall be unlawful for a government officer or employee, in connection with the investigation or prosecution of a criminal offense, to search for or seize any work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication. . . .[292]
"Work product materials" is defined as
materials, other than contraband or the fruits of a crime or things otherwise criminally possessed . . . and (1) in anticipation of communicating such materials to the public, are prepared, produced, authored, or created, whether by the person in possession of the materials or by any other person;(2) are possessed for the purposes of communicating such materials to the public; and (3) include mental impressions, conclusions, opinions, or theories of the person who prepared, produced, authored, or created such material.[293]
The PPA provides money damages for violations.[294] In Steve Jackson Games,[295] the court found that Secret Service agents violated the PPA and ECPA when they seized computer materials outside the scope of the warrant.[296] The court awarded the plaintiffs $8,781 for expenses and $42,259 for damages for the PPA violations.[297] The illegally-seized materials included work product materials protected by the PPA: drafts of a book intended for immediate publication and of magazines and magazine articles that the company was planning to publish.[298]
As previously noted, this Act may prove to have special significance because anyone posting messages on the Internet or online services can be considered a "publisher".
The Privacy Act of 1974 [299] is the primary statute governing the federal government's acquisition and use of federal agency records containing personal information. The act prohibits disclosure of a record without the written consent of the subject of the record except under certain circumstances. These circumstances include disclosure for a "routine use"[300] (use compatible with the purpose for which the record was collected[301]), for law enforcement purposes, and for protecting the health or safety of an individual.[302] A record is defined as:
any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or identifying number, symbol, or other identifying particular assigned to the individual....[303]
Records may contain "only such information about an individual as is relevant and necessary to accomplish" a mandated agency purpose.[304] The statute requires that the public must be advised of the existence of databases containing personal information.[305] Additionally, agencies must provide individuals with access to their records, as well as the opportunity to challenge their contents.[306] The Act requires accurate accounting of disclosures and corrections of records.[307] Records must be maintained "with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual. . . ."[308] Agencies must also "establish appropriate administrative, technical, and physical safeguards to insure security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity. . . ."[309] The statute also applies to government contractors hired to operate agency "system[s] of records."[310] The statute provides money damages and injunctive relief as civil remedies for most violations.[311] In addition, criminal penalties are available for willful violations.[312]
The Privacy Act was amended by the Computer Matching and Privacy Act of 1988.[313] This amendment governs agencies' computerized comparison of records for the purpose of establishing or verifying an individual's eligibility for benefits or to recoup payments or delinquent debts under benefits programs. The amendment also governs matching of personnel or payroll records among federal agencies or between federal and nonfederal entities.[314] Excluded from the provisions of the amendment are matching of records for:
-- law enforcement purposes;
-- tax collection purposes;
-- foreign counterintelligence purposes;
-- "routine administrative purposes" relating to federal personnel if the match is "not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel;"
-- producing aggregate statistical data without any personal identifiers;
-- research projects for which the specific data will not be used to make decisions concerning the benefits of specific individuals.[315]
The amendment requires certain procedures for matching programs covered by the Act. The agencies involved must prepare written agreements, which specify the purpose and expected benefit of the matching program.[316] The written agreement must describe not only the records to be matched, but also the procedures that will be used both to verify the information and to notify individuals that information they provide in applying for benefits may be subject to matching program verification.[317] Additionally, an agency that decides to deny benefits based on information obtained through data matching must verify the information, provide notice to the individual, and provide an opportunity to contest the findings.[318]
The Fair Credit Reporting Act (FCRA)[319] dictates the responsibilities of "consumer reporting agencies" in adopting reasonable procedures for supplying credit information. The Act requires these agencies to operate in a manner which is fair and equitable to the consumer, assuring the information's confidentiality, accuracy, relevancy, and proper use.[320] "Consumer reporting agenc[ies]" are those which regularly assemble or evaluate consumer information for the purpose of furnishing consumer reports to third parties.[321] "Consumer report" is defined as
any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for [credit, employment, or other purposes]. . . . [322]
The FCRA restricts both the circumstances under which the disclosure of consumer reports can be properly made and which parties are authorized for disclosure.[323] The Act permits disclosure to persons who intend to use the information for credit-granting, employment, insurance underwriting, governmental license or benefit eligibility, or in connection with a business transaction involving the subject of the report.[324] Consumer reports may also be disclosed upon court order or written request from the subject of the report.[325] The FCRA prohibits the reporting of information more than seven to ten years old.[326] In addition, the Act requires that the subject be advised within three days after an "investigative consumer report" is first requested.[327] An "investigative consumer report" includes information on a consumer's character, general reputation, personal characteristics, or mode of living, and which is obtained through personal interviews with neighbors and friends.[328] The FCRA requires consumer reporting agencies to disclose to the consumer, upon request, the nature, substance, and the source, of the information in the file, as well as recent recipients of any consumer report on the consumer.[329] The Act also provides procedures for dealing with the disputed accuracy of the information.[330]
The FCRA also imposes requirements on users of consumer reports. Users of consumer reports must advise the subjects of the reports when they take adverse actions based on the report.[331] Upon written request from the consumer, users of consumer reports must disclose any basis for adverse action other than the credit report.[332]
The FCRA provides compensatory damages and attorneys' fees for negligent noncompliance[333] and punitive damages for willful noncompliance.[334] Criminal penalties are provided for obtaining credit information under false pretenses,[335] and for the unauthorized disclosure of credit information by employees or officers of a consumer reporting agency.[336]
The FCRA gives the Federal Trade Commission (FTC) administrative powers to enforce the FCRA against violators under the Federal Trade Commission Act.[337]
In recent years some of the FTC's efforts to limit the information collected and sold by the credit bureaus have been weakened by the courts. In a 1996 case, Trans Union Corp. v. FTC,[338] the U.S. Court of Appeals for the D.C. Circuit reviewed an FTC order that Trans Union Corporation's sale of certain "targeted marketing" mailing lists[339] was a communication of "consumer reports" for an impermissible purpose under the FCRA. [340] The decision hinged on the definition of "consumer report." [341] The FTC argued that the mailing lists were consumer reports because they were compiled using credit account data as well as other information in Trans Union's consumer reporting database. [342] The court agreed with Trans Union's argument that its "targeted marketing" lists were not "consumer reports" because the "implicit information conveyed therein" was not collected "to serve as a factor in determining credit eligibility."[343] The court remanded the case to the FTC, stating that "mere inclusion of a fact in a report prepared for credit eligibility purposes" does not make it a "consumer report" as defined in the FCRA.[344]
It seemed that the FCRA's definition of "consumer report" might be amended in 1997. In late 1996, in response to the controversy surrounding the P-TRAK database of LEXIS-NEXIS,[345] the FTC proposed that Congress amend the FCRA to "provide confidentiality protections to the following elements of consumer identification: social security number, mother's maiden name, prior addresses and date of birth" by expanding the definition of "consumer report" to include "any communication by a consumer reporting agency of any identifying information other than the consumer's name, generational designation, current address and telephone number."[346] In April 1997, Senator Dianne Feinstein of California introduced the Personal Information Privacy Act of 1997,[347] which would add to the definition of "consumer report": "The term [consumer report] also includes any other identifying information of the consumer, except the name, address, and telephone number of the consumer if listed in a residential telephone directory available in the locality of the consumer."[348] Such an amendment would limit the amount and type of personal information that information resellers and commercial online services could provide. However, no action was taken on the bill during 1997.
6. Other Informational Privacy Acts
Other acts protecting informational privacy include
• Federal Records Act,[349] which regulates the disposal of federal records ("Federal records" have been held to include the e-mail messages of government employees[350]);
• Right to Financial Privacy Act,[351] which prohibits access to financial records of individuals by government authorities, (except for the Internal Revenue Service and agencies supervising banks);
• Family Educational Rights and Privacy Act of 1974 (FERPA),[352] which protects student records;
• Video Privacy Act,[353] which protects videotape rental records;
• Telephone Consumer Protection Act of 1991,[354] which regulates telemarketing practices;
• Driver's Privacy Protection Act of 1994,[355] which restricts the release of motor vehicle records;
• Cable Communications Policy Act of 1984,[356] which protects cable television subscriber information;
• Telecommunications Act of 1996,[357] which safeguards customer information held by telecommunications carriers;
• Provisions of the Internal Revenue Code which mandate the privacy of taxpayer records.[358]
Most states also have data protection laws which vary in their focus. Several states have laws that are similar to the federal Privacy Act and the federal Freedom of Information Act. Other states have statutes that are similar to the ECPA or the Computer Fraud and Abuse Act,[359] while others have laws that govern only specific sectors (such as the insurance industry).[360]
Although existing federal and state statutes provide varying levels of informational privacy protections, all these statutes fail in some respect. For example, although the Privacy Act is relatively comprehensive, the Act governs only federal government record-keeping. [361] As a result, there are gaps in informational privacy protection which could be rectified by the enactment of a comprehensive federal statute which governs all record-keeping systems.
F. Fertile Ground for Litigation
The issue of whether employer monitoring of employee e-mail is an invasion of privacy has generated much litigation. Courts addressing this issue have so far ruled in favor of employers who read e-mail received over the employer's computer system. Generally these courts have held that the employees did not have reasonable expectations of privacy in their workplace e-mail. In a 1996 decision, Smyth v. Pillsbury Co.,[362] the U.S. District Court for the Eastern District of Pennsylvania held that, under Pennsylvania law, the employee did not have a reasonable expectation of privacy in e-mail communications made voluntarily to his supervisor.[363] Smyth involved the discharge of an at-will employee based on comments he made to his supervisor (regarding the company's sales management, including a threat to "kill the back-stabbing bastards") via the employer's e-mail system.[364] The employee's e-mail was read by company executives in spite of the fact the employer had assured its employees, including the plaintiff, that all e-mail communications would remain confidential and privileged.[365] The court further ruled that "the company's interest in preventing inappropriate and unprofessional comments or even illegal activity over its e-mail system outweighs any privacy rights the employee may have had in those comments."[366]
The holdings were similar in a string of California cases.[367] In Bourke v. Nissan Motor Corp.,[368] the court held that the plaintiffs had no reasonable expectation of privacy in their e-mail communications because they were aware their e-mail was read by the company prior to their terminations. [369] In addition, the employees had signed a statement: "It is company policy that employees and contractors restrict their use of company-owned computer hardware and software to company business."[370] The court rejected plaintiffs' argument that they had an expectation of privacy because they were given system access passwords which they were told to safeguard.[371] The court found that these expectations were not "objectively reasonable."[372] The court further held that the California wiretapping statute[373] and eavesdropping statute[374] did not apply to the employer's actions of retrieving, printing, and reading plaintiffs' e-mail.[375]
In another California case, Shoars v. Epson America, Inc.[376] an Epson America employee also unsuccessfully sued her employer under the California wiretapping statute[377] for the employer's monitoring of employee e-mail. The court ruled for Epson America, finding that provisions of the California wiretapping statutes did not extend to electronic communications.[378]
A similar conclusion was reached in a case involving a government employer. In Bohach v. City of Reno,[379] in which plaintiffs claimed violations of the Fourth Amendment and the federal Electronic Communications Privacy Act, the court found that the employees, whose electronic communications over the employer police department's network computer system were read by the employer police department, had no reasonable expectation of privacy in the communications.[380] The employees' communications, therefore, were not protected by the Fourth Amendment.[381] The court also rejected the employees' claim that the employer violated the federal Electronic Communications Privacy Act by reading their electronic communications.[382] The court held that reading the employee communications did not constitute "interception" as required by the federal act. [383]
However, this issue is not settled. Some state[384] and federal laws[385] may favor employees in some workplace e-mail situations.
For example, an employee may prevail in workplace e-mail litigation by claiming that the employer's e-mail monitoring violates the Electronic Communications Privacy Act (ECPA). [386] However, employees claiming employer violations of the ECPA will encounter several hurdles. In the first place, employees may have difficulty convincing the courts that the employers' monitoring constitutes "interception" as required under the ECPA. Courts have so far interpreted the ECPA as requiring that monitored e-mail be in transit in order to constitute "interception," and have refused to find "interception" where the electronic communications have been accessed while in electronic storage.[387]
Other hurdles to be encountered by employees are two exceptions to the ECPA which generally favor employers. One exception permits the interception and disclosure of an electronic communication where either the sender or the recipient of the message consents to the interception or disclosure.[388] Consent may be implied in employment relationships, especially when the employer has notified employees that their e-mail may be monitored. The other ECPA exception which generally favors employers is the "ordinary course of business" exception, which exempts from the interception prohibition an entity which provides the electronic communication service in the "ordinary course of its business."[389] So far the cases interpreting the "ordinary course of business" exception have involved telephone monitoring, and the courts have generally held that an employer may monitor an employee for as long as the communication is business-related. [390] However, some employees have prevailed against employers who have exceeded the "boundaries of the ordinary course of business," [391] and it is possible that courts will rule in favor of employees in similar e-mail monitoring circumstances.
2. Unsolicited Commercial E-mail
The issue of unsolicited commercial e-mail has resulted in a flurry of litigation based on privacy statutes and common law rights.[392] Internet service providers, America Online, CompuServe, EarthLink, and Concentric Network Corporation, have each sued Cyber Promotions Inc., an online marketer which was sending large amounts of unsolicited e-mail to the online services' subscribers.[393] Cyber Promotions also sued America Online for blocking its e-mailings[394] and two other Internet service providers for terminating their service agreements with Cyber Promotions.[394a]
In Cyber Promotions Inc. v. America Online Inc.,[395] the U.S. District Court for the Eastern District of Pennsylvania decided that the First Amendment and the state constitutions of Virginia and Pennsylvania did not give Cyber Promotions (Cyber) the right to send unsolicited e-mail to America Online (AOL) members; and therefore, AOL had the right to block the e-mail.[396] In the complaint, AOL alleged Cyber's techniques violated the ECPA, the Computer Fraud & Abuse Act, the Virginia Computer Crimes Act, and the Virginia Consumer Protection Act.[397] AOL further alleged that Cyber's techniques constituted trademark infringement and dilution, unfair competition, false designation of origin, false advertising, misappropriation, conversion, and unjust enrichment.[398] In its suit, Cyber alleged that AOL's blocking of its e-mailings constituted interference with contract and unfair competition, and violated the Computer Fraud & Abuse Act and Cyber's First Amendment free speech rights.[399]
The court held that AOL was not subject to First Amendment review because AOL "is not a state actor" and none of its activities constitute state action.[400] The court rejected various arguments used by Cyber to support its contention that, although AOL is a private company, AOL should be treated as a state actor.[401] For instance, Cyber contended that AOL serves an exclusive public function: "'by providing Internet e-mail and acting as the sole conduit to its members' Internet e-mail boxes, AOL has opened up that part of its network and as such, has sufficiently devoted this domain for public use. This dedication of AOL's Internet e-mail accessway performs a public function in that it is open to the public, free of charge to any user, where public discourse, conversations and commercial transactions can and do take place.'"[402] The court responded that "[a]lthough AOL has opened its e-mail system to the public by connecting with the Internet, AOL has not opened its property to the public by performing any municipal power or essential public service, and therefore, does not stand in the shoes of the State."[403]
The court also rejected Cyber's claims that AOL's blocking of its e-mail violates the constitutions of Virginia and Pennsylvania. The court found no Virginia case law to support Cyber's claim and held that Pennsylvania case law was inapplicable to the circumstances of this case.[404]
The court also denied Cyber's later request for a preliminary injunction against AOL's use of its "PreferredMail--The Guard Against Junk E-Mail" system, which allows access to Cyber's e-mail messages only to subscribers who specifically request "I want junk e-mail!".[405] Cyber contended that AOL's ability to advertise to its subscribers over the Internet via e-mail is an "essential facility" and that AOL "refused to deal" with Cyber in violation of the federal antitrust laws.[406] In refusing to issue an injunction, the court held that Cyber failed to demonstrate likelihood of success on the merits of its claim.[407]
In CompuServe Inc. v. Cyber Promotions Inc.,[408] the U.S. District Court for the Southern District of Ohio granted CompuServe's request for a preliminary injunction barring Cyber from sending additional unsolicited e-mail to CompuServe subscribers.[409] The court found that Cyber's e-mailings constituted trespass to personal property.[410] The court emphasized that Cyber's e-mailings, which continued after CompuServe demanded the e-mailings stop, burdened the operation of the CompuServe network, and damaged CompuServe's business reputation and goodwill with its subscribers who were upset by Cyber's e-mailings.[411]
Citing Cyber Promotions, Inc. v. America Online, Inc., the court rejected Cyber's First Amendment claims.[412] Cyber claimed the right to First Amendment protections based on CompuServe's role as "public utility" and as "postmaster."[413] The court rejected these analogies and held that CompuServe was not a state actor for purposes of the First Amendment.[414]
The court also rejected Cyber's claims that CompuServe's decision to connect to the Internet was an implied invitation to the public to enter its property for business purposes.[415] The court held that CompuServe's demand, in October 1995, that Cyber cease the e-mailings was sufficient withdrawal of any implied invitation.[416]
Other cases brought against Cyber and its president, Sanford Wallace by Internet service providers have produced similar results. In Concentric Network Corp. v Wallace,[417] the U.S. District Court for the Northern District of California granted Concentric Network (CNC) a permanent injunction prohibiting Cyber from 1) sending unsolicited e-mail to CNC subscribers; 2) sending or receiving e-mail via CNC; 3) misrepresenting that any Cyber e-mail message was sent from or condoned by CNC; and 4) distributing mailing lists containing the e-mail addresses of CNC subscribers.[418] In EarthLink v. Cyber Promotions, Inc.,[419] the Los Angeles Superior Court granted EarthLink an injunction prohibiting Cyber from sending unsolicited e-mail to EarthLink subscribers.[420]The court determined that Cyber's actions constituted trespass to EarthLink's computer systems.[421]
Cyber has prevailed in one of its cases, which was based on breach of contract against an Internet service provider that terminated its service agreement with Cyber without providing thirty days' notice as specified in the contract. The court, in Cyber Promotions, Inc. v. Apex Global Information Services, Inc.,[421a] granted a preliminary injunction directing the defendant to restore service for thirty days, in compliance with the contract.
Unsolicited commercial e-mail was also the subject of the first case brought before the Virtual Magistrate Project, an experimental Internet-based arbitration service created to quickly resolve disputes occurring online. Tierney and EMail America[422] involved an advertisement posted on America Online by a marketer, EMail America, which offered for sale five million or more e-mail addresses that could be used for bulk commercial e-mailing. The case was initiated by an America Online subscriber who petitioned for removal of the advertisement on the basis both that the advertisement was deceptive, and that bulk e-mailings, in general, are against public policy and an invasion of privacy.[423] The Virtual Magistrate recommended that AOL remove the e-mail advertisement.[424] However, because EMail America did not participate in the proceedings, the decision is probably not legally binding.[425]
Members of the U.S. Congress have introduced several bills in response to concerns regarding the use of personal information that is collected and published online. For example, bills introduced in 1997 include:
• Consumer Internet Privacy Protection Act of 1997[426]
In January, Representative Bruce Vento of Minnesota introduced this bill prohibiting the disclosure by interactive computer services of personally identifiable information without written consent of the subscribers.
• Fair Health Information Practices Act of 1997[427]
In January, Representative Gary Condit of California introduced this bill which would establish a code of fair information practices for health information and amend the Privacy Act.
• Children's Privacy Protection and Parental Empowerment Act of 1997[428]
In March, Senator Dianne Feinstein of California introduced this bill to prohibit the sale of personal information about children without their parent's consent.
• Social Security On-Line Privacy Protection Act of 1997[429]
In April, Representatives Bob Franks of New Jersey and Wally Herger of California introduced this bill which would prohibit the disclosure by interactive computer services of Social Security numbers or other personally identifiable information without the written consent of the subject of the information.
• Personal Information Privacy Act of 1997[430]
In April, Senator Dianne Feinstein of California introduced this bill which would prohibit the sale and use of Social Security numbers without the written consent of the subject, and which would amend the Fair Credit Reporting Act to include identifying information such as a mother's maiden name within the definition of confidential credit header information.[431] In June, Representative Gerald Kleczka of Wisconsin introduced the House version.[431a]
• Federal Internet Privacy Protection Act of 1997[432]
In April, Representatives Tom Barrett of Wisconsin and Sue Kelly of New York introduced this bill which would prohibit government disclosure of any personally identifiable educational, financial, medical, or employment record.
• American Family Privacy Act of 1997[433]
In April, Representative Paul Kanjorski of Pennsylvania introduced this bill which would prohibit federal officers and employees from providing access to Social Security account information or tax return information through the Internet, or without the written consent of the individual; and which would establish a commission to study the privacy and protection afforded to government records.
• Communications Privacy and Consumer Empowerment Act[433a]
In June, Representative Edward Markey of Massachusetts introduced this bill which would protect consumer privacy, empower parents, enhance the telecommunications infrastructure for efficient electronic commerce, and safeguard data security.
• Data Privacy Act of 1997[433b]
In July, Representative Billy Tauzin of Louisiana introduced this bill which would promote the privacy of interactive computer service users through self-regulation by the providers of such services.
V. PROPOSED FAIR INFORMATION PRACTICES GUIDELINES
Concerns about the proper handling of records to ensure their security and privacy[434] have intensified with the advent of computerized record-keeping. In 1973, an advisory committee of the U.S. Department of Health, Education and Welfare (HEW) issued a report, Records, Computers and the Rights of Citizens, in which the committee recommended that a federal code of fair information practices be enacted to encompass all (public and private) computerized record-keeping systems.[435] The proposed code included:
1. There must be no personal data record-keeping systems maintained in secret.
2. There must be a way for an individual to determine what information is in a record and how it is used.
3. Individuals must have a way to prevent personal information that was obtained for one purpose from being used or made available for other purposes without their consent.
4. Individuals must have a way to correct or amend a record of identifiable information about themselves.
5. Organizations creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuses of the data.[436]
Similar principles were incorporated into guidelines adopted on an international basis in 1980, when the Organization for Economic Cooperation and Development (OECD), of which the U.S. is a member, adopted the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[437]
The fair information practices guidelines recommended by HEW and OECD have been the foundation for guidelines issued by several U.S. committees which were created in the 1990s to address the effect of the Internet and commercial online services on the privacy and security of computerized data systems. U.S. organizations addressing these issues include the Federal Trade Commission,[438] the Commerce Department's National Telecommunications and Information Administration,[439] and two groups appointed by President Clinton: the Information Infrastructure Task Force (IITF)[440] and the National Information Infrastructure Advisory Council (NIIAC).[441]
The NIIAC and IITF guidelines add "education principles" to the HEW's basic tenets of fair information practices.[442] The IITF's Education Principle suggests that personal information users (such as marketers and online services) take steps to educate the public regarding potential hazards of computer use and ways to minimize privacy risks.[443] The IITF recommends that personal information users use privacy telephone hotlines, Internet privacy "help" sites, and comprehensive marketing and publicity campaigns to educate the public.[444] As stated by the IITF:
There are many uses of the NII [National Information Infrastructure] for which individuals cannot rely completely on governmental or other organizational controls to protect their privacy. Although individuals often rely on such legal and institutional controls to protect their privacy, many people will engage in activities outside of these controls, especially as they engage in the informal exchange of information on the NII. Thus, individuals must be aware of the hazards of providing personal information, and must make judgments about whether providing personal information is to their benefit.[445]
The implementation of an education principle is necessary due to the novelty of cyberspace technology. Many users of online services and the Internet need to be educated as to the manner in which communication in cyberspace is unlike traditional forms of communication. First, despite the impromptu and impermanent "feel" of cyberspace, online users need to recognize the enduring and potentially widespread nature of what they communicate electronically.[446] For example, an ill-conceived, hastily-composed communication that is posted to a Usenet group may be captured by a search engine and be available for review by Internet users for some time. A similar communication sent via company e-mail may be stored on the network computer, to be retrieved years later in discovery proceedings. Second, online users must be reminded of the potential security breaches inherent in communications technology, including the possibility of interception by Internet service providers, network administrators, and computer hackers. Third, online users should be informed by the online services that the electronic record they leave by participating online may be utilized by the online services and third parties.[447]
In addition, online users, as well as those who never use online services or the Internet, should be educated as to how their personal information is used by others. Massive amounts of data are maintained about individuals in government and private sector databases, creating a cyberspace persona, which is used by government, marketers, credit institutions, and others in making decisions that affect their lives.[448]
As suggested by the IITF, education regarding the hazards of online use could take place via privacy telephone hotlines, Internet privacy "help" sites, and comprehensive marketing and publicity campaigns conducted by online services, marketers, and other users of personal information which is collected online.[449]
Additional measures are required to educate individuals regarding the collection and uses of personal information in general. Personal information users should be required to prominently post a "Privacy Warning" on any form requesting personal information. For instance, warranty cards and product sample questionnaires, which request personal information such as family income, ages of family members, hobbies, and product preferences, should contain a prominent "Privacy Warning" explaining how the requested personal information will be used. Similar warnings should be posted on Web sites which collect personal information. The "Privacy Warning" should also offer individuals an opportunity to prevent third-party use of the personal information they provide.
As a result of these efforts to educate individuals about the effect of cyberspace on their lives, individuals will be enabled to make informed decisions regarding the type of personal information they choose to reveal, thereby retaining some control over the fate of their cyberspace persona.
With the addition of an education principle, the proposed fair information practices guidelines are comprehensive, and sufficiently flexible to accommodate issues which arise due to changing technologies. These guidelines should serve as the backbone for privacy legislation. Because of new technologies, this legislation is more urgently needed today than when first proposed by the HEW in 1973.
The right to informational privacy is unsettled. The United States needs a comprehensive federal policy guaranteeing individuals the right to control the collection and distribution of their personal information. Legislation which incorporates the basic tenets of fair information practices is a vital component of this policy. These tenets give individuals the right to limit data collection, data transfers, and secondary uses of the data; the right to access one's personal data and to make corrections; the right to have one's personal data maintained securely; and the right to be informed of data collection and transfer. The legislation would therefore place restrictions on the collection and use of personal data by the users of personal information. Personal information users would be required to explicitly inform individuals when personal information is being collected and how this information might be used. Legislation would require that personal information users give individuals an opportunity to prevent further dissemination of their personal information. Accordingly, there would be appropriate restrictions on the online publication and collection of personal information.
Further, a comprehensive federal policy would provide an enforcement mechanism which would establish sanctions against violators and offer redress for aggrieved individuals. Most effective would be legislation providing a private right of action for aggrieved individuals along with the administrative enforcement powers of a government regulatory authority.
Finally, although such a comprehensive federal privacy policy is necessary to guarantee the individual's right to control the collection and distribution of personal information, the individual must exercise this control. Online users will still need to take responsibility for their electronic communications. They will need to be cautious about the content of these communications, and use appropriate security measures, such as encryption, to safeguard their security. Individuals will also need to decide how much personal information to reveal when registering at Internet sites and participating in commercial transactions. By anticipating the hazards of online use and utilizing the legal protections previously outlined, individuals will be able to take full advantage of the many educational, social, and commercial opportunities available now, and in the future, throughout cyberspace.
[*] Practitioner, Littleton, Colorado; B.A., UCLA; M.S., Drexel University College of Information Science and Technology; J.D., State University of New York at Buffalo. The author thanks the members of her family and Jonathan A. David for their assistance.
[1] Olmstead v. United States, 277 U.S. 438, 473-74 (1928) (Brandeis, J., dissenting).
[2] Id. at 478 (Brandeis, J., dissenting). Indeed, a "reasonable expectation of privacy" standard is used in the civil privacy arena as well as in the Fourth Amendment context. See, e.g., the workplace e-mail privacy cases discussed infra Part IV.E.1. See also PRIVACY WORKING GROUP, INFORMATION POLICY COMMITTEE, INFORMATION INFRASTRUCTURE TASK FORCE, PRIVACY AND THE NATIONAL INFORMATION INFRASTRUCTURE: PRINCIPLES FOR PROVIDING AND USING PERSONAL INFORMATION, § I.A.3 (June 6, 1995) <http://nsi.org/Library/Comm/niiprivp.htm> [hereinafter PRIVACY WORKING GROUP REPORT] ("What counts as a reasonable expectation of privacy . . . In many instances, society has deemed it reasonable to protect privacy at levels higher than that required by the Fourth Amendment." (citing Electronic Communications Privacy Act, 18 U.S.C. § 2701 (1988); Right to Financial Privacy Act, 12 U.S.C. § 3401 (1988); Privacy Act, 5 U.S.C. § 552a (1988))). See also John H. Awerdick, On-Line Privacy, in THE INTERNET AND BUSINESS: A LAWYER'S GUIDE TO THE EMERGING LEGAL ISSUES Ch. 4 n.35 (1996) <http://cla.org/RuhBook/chp4.htm>.
[3] A modem, or modulator/demodulator, is a device which converts computer data into signals for transmission over telephone lines, and vice versa. Free On-line Dictionary of Computing, <http://wagner.Princeton.EDU/foldoc/>.
[4] Personal information encompasses any information which identifies or concerns a specific individual. LAURENCE TRIBE, AMERICAN CONSTITUTIONAL LAW, § 15-16 (2d ed., 1988).
[4a] Some commentators argue that it is wrong to approach the issue of the collection and use of individually identifiable information as one involving privacy rights. They argue that the issue more appropriately involves a societal balancing of interests between information access and restriction. For example, individual financial records are considered more deserving of restriction on access than telephone directory information, which has traditionally not been private, and which is accepted as necessary for the functioning of society. See Martin G. Taschdjian & Kathryn Marie Krause, Grappling With Information Access Issues and Privacy, in National Telecommunications and Information Administration, PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE, 1997, at <http://www.ntia.doc.gov/reports/privacy/selfreg6.htm>. The authors maintain that determining information access and restriction by balancing the various interests in the information is particularly appropriate because this analysis can be applied to all types of information--whether the information is personal data, intellectual property, trade secrets, or national security secrets.
[5] See discussion of fair information practices guidelines infra Part V.
[6] Cyberspace is "the decentralized global medium of communications . . . that links people, institutions, corporations, and governments around the world," (ACLU v. Reno, 929 F.Supp. 824, 831 (E.D. Pa. 1996)), which includes the Internet and online services. This global communications medium is also referred to as the Information Superhighway and the Information Infrastructure.
[7] "Online" refers to a connection to a computer network, such as an online service or the Internet.
[8] For an excellent explanation of the nature and workings of the Internet and cyberspace, including a detailed description of e-mail, Usenet groups and listservs, and the World Wide Web, see Reno, 929 F.Supp. 824.
[9] The World Wide Web, also referred to as WWW or simply the Web, is an information service that makes collections of information available across the Internet through hypertext links.
[10] <http://www.databaseamerica.com>.
[11] Id.
[12] <http://www.four11.com>.
[13] <http://www.mapblast.com>.
[14] <http://www.knowx.com>.
[15] For additional information on people-finding tools available on the Internet, see Carole A. Lane, NAKED IN CYBERSPACE: How To Find Personal Information Online; Directory of Internet Resources and Links to Sites, 1997, <http://www.onlineinc.com/pempress/naked/directory.html>; Genie Tyburski, The People Chase, GPLLA NEWSL., (Winter 1996) (includes Foreign Country People Finding Sites) <http://www.virtualchase.com/gplla/nov1596.html>; and Privacy Rights Clearinghouse, People Finding Tools, 1996, <http://www.privacyrights.org/ar/peoptool.html>.
See also The Stalker's Home Page <http://www.glr.com/stalk.html> (providing links to various sources of personal information).
[16] See Board of Governors of the Federal Reserve System, REPORT TO THE CONGRESS CONCERNING THE AVAILABILITY OF CONSUMER IDENTIFYING INFORMATION AND FINANCIAL FRAUD, app. C, Mar. 1997 <http://www.bog.frb.fed.us/boarddocs/RptCongress/privacy.pdf> (presenting samples of personal information available online).
[17] Telephone Interview with Steve Emmert, Corporate Counsel, LEXIS-NEXIS (Sept. 1996).
[18] See Warren E. Leary, Panel Cites Lack of Security on Medical Records, N.Y. TIMES, Mar. 6, 1997, at A1. In March 1997, a National Research Council panel reported that because of widespread use of computerized medical records, security measures should be instituted to increase their privacy and security. Id. In releasing the report, the chairman of the panel, Dr. Paul D. Clayton, said "[m]ost patients would be surprised at the number of organizations that receive information about their health record." Id. The panel cited the 1996 Health Insurance Portability and Accountability Act, which calls for assignment of "universal patient identifiers" which would link medical records nationwide, as an example of a procedure which provides many benefits, such as assuring consistent care, but which has the potential for serious abuse. Id. at B11.
The largest collection of medical records in the United States is maintained by an insurance industry organization, the Medical Information Bureau (MIB). The MIB database contains summaries of health conditions of more than twelve million Americans and Canadians. The data is derived from insurance applications, doctor records, and hospital records. The database is used by insurance companies for underwriting purposes. Jeffrey Rothfeder, PRIVACY FOR SALE: HOW COMPUTERIZATION HAS MADE EVERYONE'S PRIVATE LIFE AN OPEN SECRET, 1992 at 184.
Equifax, the credit reporting company, is also entering the medical records business. Janet Novack, Lender's Best Friend: What Equifax, Inc. Doesn't Know About Your Finances Probably Isn't Worth Knowing, FORBES, Dec. 18, 1995 at 198.
[19] <http://www.switchboard.com/stories.htm>.
[20] Leary, supra n.18 at A13.
[21] See PRIVACY WORKING GROUP REPORT, supra note 2, at para. 5; Ashley Dunn, Think of Your Soul As a Market Niche, CYBERTIMES, N.Y. TIMES ON THE WEB (Sept. 11, 1996) <http://www.mindspring.com/~asdunn1>; Beth Givens, Public Records in a Computerized Network Environment: Privacy Implications, Speech at the USD Privacy Rights Clearinghouse First Amendment Coalition Conference (Sept. 23, 1995) <http://www.privacyrights.org/ar/speech1.html>; and Roy H. Wepner, New Approaches Are Needed To Ensure Privacy, 129 N.J.L.J. 269 (1991).
See also the PRIVACY RIGHTS CLEARINGHOUSE, Privacy in Cyberspace: Rules of the Road for the Information Superhighway, c. 1996, <http://www.privacyrights.org/fs/fs18-cyb.html>
The following public interest organizations provide information to the public on privacy issues, and their Web sites link to source materials and other privacy resources:
Center for Democracy and Technology (CDT)
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(202) 637-9800
<http://www.cdt.org/privacy>
Electronic Frontier Foundation (EFF)
P.O. Box 170190
San Francisco, CA 94117
(415) 668-7171
<http://www.eff.org>
Electronic Privacy Information Center (EPIC)
666 Pennsylvania Avenue, SE
Suite 301
Washington, DC 20003
(202) 544-9240
<http://www.epic.org>
Privacy Rights Clearinghouse
5384 Linda Vista Rd. #306
San Diego, CA 92110
(619) 298-3396
<http://www.privacyrights.org>
[22] Almost the entire town of Norwich, Vermont experienced credit problems after a credit bureau employee erroneously listed everyone who had paid their taxes as delinquent taxpayers. ELLEN ALDERMAN and CAROLINE KENNEDY, THE RIGHT TO PRIVACY 327 (1995).
[23] For instance, in 1992, a man used the Social Security number of Joe Gutierrez, a retired Air Force chief master sergeant, to open twenty fraudulent accounts. In 1997, Mr. Gutierrez is still being hounded by creditors and their collection agencies. Senator Dianne Feinstein referred to Mr. Gutierrez' interview with the San Diego Union Tribune in her statement introducing the Personal Information Privacy Act of 1997 (S. 600). 143 CONG. REC. S3292 (daily ed. April 16, 1997) (statement of Sen. Feinstein).
Terry Dean Rogan was another victim of identity theft. After Rogan lost his wallet, which contained his driver's license and credit cards, an impersonator committed two murders and two robberies. Rogan was arrested as a result of a warrant placed in the National Crime Information Center (NCIC) database. Although Rogan attempted to have the NCIC record corrected as soon as he discovered the problem, he was arrested four more times. Ultimately, Rogan sued the Los Angeles police department and was awarded $55,000. PETER G. NEUMANN, COMPUTER RELATED RISKS 194-195 (1995).
The Privacy Rights Clearinghouse, which maintains a hotline to assist with privacy concerns, reported that identity theft, "the fraudulent use of an individual's identifying data to take over existing credit accounts or apply for new credit accounts and to make purchases of goods and services in the individual's name," was the "number one topic of concern" on the PRC hotline in 1996. Beth Givens, PRIVACY RIGHTS CLEARINGHOUSE, Comments on the Availability of Sensitive Information about Consumers and Its Possible Use for Financial Fraud, BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM DOCKET Doc. NO. R-0953 (Jan. 30, 1997) (comments on "credit header" information as well as the widespread availability of Social Security numbers, made upon request for comments from the Federal Reserve Board) <http://www.privacyrights.org/ar/fedres.html>.
[24] ALDERMAN and KENNEDY, supra n.22, at 326.
[25] Patricia Mell, Seeking Shade in a Land of Perpetual Sunlight: Privacy as Property in the Electronic Wilderness, 11 BERKELEY TECH. L.J. 1, 25 (1996).
[26] NEUMANN, supra n.23 at 195.
[27] <http://yahoo.four11.com>.
[28] Lawrence M. Fisher, New Data Base Ended by Lotus and Equifax, N.Y. TIMES, Jan. 24, 1991, at C3.
[29] See <http://www.ssa.gov>.
[30] See also Robert Pear, Social Security Shuts Down Internet Site, N.Y.TIMES, Apr. 10, 1997, at A15.
PEBES reports, which detail an individual's Social Security tax contribution and an estimate of retirement and disability benefits, are available by mail upon written request containing full name, Social Security number, date of birth, place of birth, mother's maiden name. Access to an online report required submission of the same information, but there were concerns about the security and confidentiality of the online system. Id.
[31] See discussion regarding the Fair Credit Reporting Act, infra Part IV.D.5.
LEXIS-NEXIS obtains the data for P-TRAK from the credit reporting agency, Trans Union. The Federal Trade Commission had previously decided that credit header information is not covered by the Fair Credit Reporting Act, and therefore not subject to the FCRA restrictions governing the distribution of credit information. As a result of consumer complaints regarding P-TRAK, the FTC has reconsidered this position.
See also Laurie J. Flynn, Lexis-Nexis Flap Prompts Push for Privacy Rights, N.Y. TIMES CYBERTIMES, Oct. 13, 1996, <http://www.nytimes.com/library/cyber/week/1013nexis.html> and Cindy L. Chick, LEXIS/NEXIS Held Hostage By the Internet: The P-Trak Debacle, SEARCHER MAG. (Nov./Dec. 1996) <http://www.llrx.com/features/ptrak.htm>.
[32] According to one writer: "when I add up what I spend for newspapers, magazines, books, databases, cable services, and so on, I find I spend about as much for information--food for thought--as I do for food." Michael Crichton, Mediasaurus: Today's Mass Media Is Tomorrow's Fossil Fuel, WIRED (Sept./Oct. 1993) <http://www.wired.com/wired/1.4/features/mediasaurus.html>.
[33] Mell, supra n.25. See also ANNE WELLS BRANSCOMB, WHO OWNS INFORMATION? FROM PRIVACY TO PUBLIC ACCESS (1994) at 1; and Diane L. Zimmerman, Information as Speech, Information as Goods: Some Thoughts on Marketplaces and the Bill of Rights, 33 WM. & MARY L. REV. 665 (1992).
[34] BRANSCOMB, supra n.33, at 1.
[35] In 1997 there were more than 550 member companies in the Information Industry Association, an organization which was established in 1968, and which represents companies "involved in creating, distributing, and facilitating the use of information in print and digital formats." About the Information Industry Association <http://www.infoindustry.org/about/iiabout.htm>. These companies include publishers, database producers, interactive online services, Internet service providers, software publishers, telecommunications companies, and financial information services. Id.
[36] Revenue estimates vary for the information industry, depending on the particular segment. For instance, according to a report by Sloan Management Review, business information suppliers generated $26 billion in 1993. Marc H. Meyer and Michael H. Zack, The Design and Development of Information Products, SLOAN MGMT REV., Spring 1996 at 43. Credit information companies, TRW (now Experian), Trans Union and Equifax generated $335 million, $300 million, and $259 million in revenues, respectively, from the sale of personal information in 1988. JEFFREY ROTHFEDER, Is Nothing Private? Computers Hold Lots Of Data On You-And There Are Few Limits On Its Use, BUS. WK, Sept. 4, 1989, at 81. Direct marketer, Metromail, reportedly earned $30.6 million in 1995. Dennis v. Metromail Corp., Complaint, No. 9604451 (Tex. Dist. Ct., Travis County, filed Apr. 18, 1996); see also discussion of Metromail case infra Part IV.B.2.
[37] For instance, the state of Colorado makes about $4.4 million annually by selling its motor vehicle information. Robert Kowalski, Privacy Bills Up Next: Should Sale Of Driver's License Info Continue?, DENV. POST, May 5, 1997 at A1. In 1994, the state of Florida said that it would charge $33 million for copies of its motor vehicle database. Larry Rohter, Florida Weighs Fees for Its Computer Data: Some See Profits, Others Too High a Price, N.Y. TIMES, Mar. 31, 1994 at B9.
Beginning in 1997, the dissemination of state motor vehicle records will be subject to some restrictions under the Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721-2725.
[38] John Sculley, former CEO of Apple Computers, has estimated that by the year 2000, the information industry, including computer, telecommunications, television, entertainment and news industries, will be worth $3.5 trillion. Prepared Statement by AMP Incorporated; Presented by Henry Line, Director, Global Product Standards, to the Subcommittee on Technology, Environment, and Aviation Hearing of the House Committee on Science, Space & Technology, FED. NEWS SERV. Sept. 22, 1994 (available in LEXIS-NEXIS, News Library, Allnws File).
[39] 5 U.S.C. § 552 (1994).
[40] BRANSCOMB, supra n.33 at 163-64 (quoting President James Madison: "A popular government, without popular information or the means of acquiring it, is but a Prologue to a Farce or a Tragedy or perhaps both. Knowledge will forever govern ignorance, and a people who mean to be their own Governors, must arm themselves with the power knowledge gives." (1822)).
[41] U.S. Office of Management and Budget, Memorandum for Heads of Executive Departments and Establishments, Circular No. A-130, 58 Fed. Reg. 36068 (1993) <http://www.whitehouse.gov/WH/EOP/OMB/html/circulars/a130/a130.html>.
[42] For example, the U.S. Patent and Trademark Office trademark records are available through DIALOG, LEXIS-NEXIS, MICROPATENT, QUESTEL-ORBIT, and other commercial online services.
[43] See, e.g., the U.S. Patent and Trademark Office patents database, <http://patents.uspto.gov>. Some state agencies also make their records available via the Internet. Most state records that are available online, however, are only available via the commercial services discussed supra n.18 and accompanying text.
See also discussion of Social Security Administration's withdrawal of its PEBES Internet service amidst information security concerns, supra notes 29-30 and accompanying text.
[44] E-mail is the electronic version of surface mail.
[45] S.C. Gwynne and John F. Dickerson, Lost in the E-mail, TIME, Apr. 21, 1997 at 89.
[46] Id.
[47] See, e.g., Richard Behar, Who's Reading Your E-Mail?, FORTUNE, Feb. 3, 1997, at 57, 58, quoting from BRUCE SCHNEIER, E-MAIL SECURITY: HOW TO KEEP YOUR ELECTRONIC MESSAGES PRIVATE (1995): "The only secure computer is one that is turned off, locked in a safe, and buried 20 feet down in a secret location--and I'm not completely confident of that one either."
See also G. BURGESS ALLISON, THE LAWYER'S GUIDE TO THE INTERNET 129-131 (1995); and Carl Oppedahl, Security, Privacy, Discovery Issues Stem From E-Mail Communications, N.Y.L.J. at 5 (Apr. 4, 1995).
[48] Philip Elmer-Dewitt, Who's Reading Your Screen?, TIME, Jan. 18, 1993 at 46.
[49] E-MAIL SNOOPING Is OK In The Eyes Of The Law, WALL ST. J., Mar. 19, 1996, at A1.
[50] Charles Piller, Bosses with X-Ray Eyes, MACWORLD, July 1993, at 118, 123.
[51] L. CAMILLE HÉBERT, EMPLOYEE PRIVACY LAW, § 8A:02 (1997).
[52] In response to the need of employers to monitor employee electronic communications, several companies now sell "Internet Management Software". This software, which analyzes Internet and intranet usage, can be used to monitor the content of employee electronic communications. See, e.g., Sequel Technology's Website at <http://www.sequeltech.com>.
[53] See, e.g., Borland Int'l, Inc. v. Eubanks, No. 123059 (Santa Cruz, Cal. County Super. Ct., 1992) (charging trade secret misappropriation because Eugene Wang, an executive vice president who had recently resigned to join Symantec, a competing company, had sent sensitive Borland information via e-mail to Symantec's president, Gordon Eubanks). See also People v. Eubanks, 927 P.2d 310, 312 n.2 (Cal. 1996) (charging Wang and Eubanks with trade secret theft but subsequently dismissing the case, after oral argument, at the request of the county district attorney); Borland Secrets Suit Ends, N.Y. TIMES (Feb. 17, 1997) at 47 (stating that the civil suit was settled by the parties in April 1997). Back to text
[54] In 1995, four female employees of Chevron sued the company for sexually harassing e-mail. Although Chevron denied liability, the company settled for $2.2 million plus legal fees and costs. Amie M. Soden, Protect Your Corporation from E-Mail Litigation: Privacy, Copyright Issues Should Be Addressed in Policy, CORPORATE LEGAL TIMES, 19 (May 1995). In 1997, some black employees of Morgan Stanley, R.R. Donnelley & Sons, and Citibank brought suit against their respective employers charging the companies with racial discrimination for allowing the distribution of bigoted e-mail by other employees. Michelle Singletary, Loose Lips an E-Mail Hazard, WASH. POST (Apr. 6, 1997) at F12.
See Karen L. Casser, Employers, Employees, E-mail and The Internet, THE INTERNET AND BUSINESS: A LAWYER'S GUIDE TO THE EMERGING LEGAL ISSUES, Ch. 6 (1996) <http://cla.org/RuhBook/chp6.htm>. See also HENRY H. PERRITT, JR., LAW AND THE INFORMATION SUPERHIGHWAY §4.30A (Supp. 1997) and Joshua Micah Marshall and Susan B. Ross, eds., IPLN Forum on Law Firm Internet Use Policies, INTERNET LEGAL PRACTICE NEWSLETTER, Mar. 24, 1997 <http://www.collegehill.com/ilp-news/iup.html>. Back to text
[55] See discussion infra Part IV.E.1.
See generally Mark Dichter and Michael S. Burkhardt, Electronic Interaction in the Workplace: Monitoring, Retrieving and Storing Employee Communications in the Internet Age, The American Employment Law Council, Fourth Annual Conference, Oct. 2-5, 1996 <http://www.mlb.speech1.htm>; William D. Ellis and Brian F. Chase, Look Who's Looking Now; The Use of E-mail Raises New Questions About the Boundary Between Employee Privacy Rights and Employer Business Needs, 19 L.A. LAW. 32 (June 1996); Larry O. Natt Gantt, II, An Affront to Human Dignity: Electronic Mail Monitoring in the Private Sector Workplace, 8 HARV. J.L. TECH. 345 (1995); Thomas R. Greenberg, E-mail and Voice Mail: Employee Privacy and the Federal Wiretap Statute, 44 AM. U. L. REV. 219 (1994); Gayle L. Strong, Employee E-Mail: Creating Employer Liability?, 24 COLO. LAW. 24 (Apr. 1995); and Julie A. Flanagan, Note, Restricting Electronic Monitoring in the Private Workplace, 43 DUKE L.J. 1256 (1994). Back to text
[56] See, e.g., Geanne Rosenberg, Electronic Discovery Proves an Effective Legal Weapon: Looking for Evidence in Discarded E-Mail, N.Y. TIMES, Mar. 31, 1997 at D5. Back to text
[57] For discussion of considerations in drafting company e-mail and Internet use policies, see Casser, supra n.54; Cyberspace Law Institute, Company Email Policy, <http://www.cli.org/emailpolicy/top.html>; Dichter and Burkhardt, supra at 55; Ellis and Chase, supra at 54; Marshall and Ross, supra at 55; and Donald S. Skupsky, Discovery and Destruction of E-mail, THE INTERNET AND BUSINESS: A LAWYER'S GUIDE TO THE EMERGING LEGAL ISSUES, Ch. 5 (1996) <http://cla.org/RuhBook/chp5.htm> (discussing policy considerations in light of Armstrong v. Executive Office of the President, 1 F.3d 1274 (D.C. Cir. 1993)(holding that federal government e-mail is a record as defined by the Federal Records Act, unless excluded under appropriate procedures)).
Adoption of an e-mail policy may be required for some employers. See, e.g., Colorado's statute requiring state government agencies that operate or maintain e-mail systems to adopt written policies on any monitoring of employee electronic mail communications and the circumstances under which it will be conducted. COLO. REV. STAT. § 24-72-204.5. See also Steven J. Dawes and Susan E. Dallas, Privacy Issues in the Workplace for Public Employees--Part II, COLO. LAW., May 1997 at 85. Back to text
[58] John Simons, The Battle Over Spam Gets Ugly, U.S. NEWS & WORLD REP. 55 (May 12, 1997). Back to text
[59] In Spring 1997, for instance, a bulk e-mailing to customers of Netcom, the sixth-largest Internet service provider, shut down Netcom for more than a day. Id. Back to text
[60] In addition to making it difficult for subscribers to connect to the service because the junk e-mail clogs the system, some e-mailers alter the messages' header information so that it appears the message came from the service. Back to text
[61] See discussion infra Part IV.E.2. Back to text
[62] Simons, supra note 58, at 55. Back to text
[63] See generally Michael W. Carroll, Garbage In: Emerging Media and Regulation of Unsolicited Commercial Solicitations, 11 BERKELEY TECH. L.J. (1996) <http://server.berkeley.edu/BTLJ/articles/11-2/carroll.html>. Back to text
[64] These include:
Netizen's Protection Act of 1997, H.R. 1748, 105th Cong., 1st Sess. (1997), which was introduced by Representative Christopher Smith of New Jersey;
Unsolicited Commercial Electronic Mail Choice Act of 1997, S. 771, 105th Cong., 1st Sess. (1997), which was introduced by Senator Frank H. Murkowski of Alaska;
Electronic Mailbox Protection Act of 1997, S. 875, 105th Cong., 1st Sess. (1997), which was introduced by Senator Robert Torricelli of New Jersey;
Data Privacy Act of 1997, H.R. 2368, 105th Cong., 1st Sess. (1997), which was introduced by Representative Billy Tauzin of Louisiana.
See also discussions regarding the proposed legislation, and discussions as to whether the Communications Act section banning unsolicited faxes already prohibits unsolicited e-mail, on the NET-LAWYERS listserv from May 22, 1997 (archived at <http://eva.dc.lsoft.com/Archives/net-lawyers.html>). Back to text
[65] S. 13 (1997), <http://www.leg.state.nv.us/97bills/SB/SB13_EN.HTM>. Back to text
[66] See, e.g., Connecticut House Bill 6558 (1997); Kentucky Bill Resolution 337 (1998); Maryland House Bill 778 (1997); Massachusetts House Bill 4581 (1997); New York Senate Bill 3524 (1997); Rhode Island Senate Bill 1073 (1997); and Wisconsin Senate Bill 283 (1997). For additional information, and updates regarding state statutes, see David E. Sorkin, Unsolicited e-mail; Statutes; United States--state; John Marshall Law School, Center for Information Technology & Privacy Law, <http://www.jmls.edu/cyber/statutes/email/index.html>. Back to text
[67] See, e.g. Get That Spammer!: A Tool For Tracking Down Junk E-Mailers, Junk News Posters And Their Internet Service Providers <http://kryten.eng.monash.edu.au/gspam.html> and Net Abuse FAQ <http://www.cybernothing.org/faqs/net-abuse-faq.html>. Back to text
[68] <http://www.agis.net>. Back to text
[69] George Johnson, On the Information Highway, E-Mail Litter Problem Grows, N.Y. TIMES, May 26, 1997, at A1. Back to text
[70] <http://www.aol.com>. Back to text
[71] (Visited Sept. 13, 1997) <http://www.aol.com/only/safety.html>. Back to text
[72] There are numerous search engines. Among them are Altavista <http://www.altavista.digital.com>, Infoseek <http://www.infoseek.com>, Lycos <http://www.lycos.com>, and MetaCrawler <http://www.metacrawler.com>. Back to text
[73] Usenet newsgroups are electronic discussion groups that are similar to bulletin boards where participants use a common location to read and post messages. See DejaNews <http://www.dejanews.com/info/idg.shtml> (providing a detailed explanation of Usenet). Back to text
[74] <http://www.dejanews.com/>. Back to text
[75] Id. Back to text
[76] A listserv is a type of automatic mailing list that permits discussion of particular topics via e-mail communication. A listserv subscriber contributes messages on the topic to the listserv that are forwarded to anyone who has subscribed to the list. Back to text
[77] DejaNews cautions:
Be Careful What You Say About Others: Please remember--you read netnews, so do as many as 3,000,000 [updated to 22,000,000] other people. This group quite possibly includes your boss, your friend's boss, your girl friend's brother's best friend and one of your father's beer buddies. Information posted on the net can come back to haunt you or the person you are talking about.
Our Position on Usenet Privacy <http://www.dejanews.com/info/policy.shtml>. Back to text
[78] Web browsers, including Netscape Navigator and Microsoft Explorer, allow the user to read hypertext, and to navigate from site to site on the World Wide Web. Back to text
[79] See also Neil Randall, How Cookies Work, PC MAG. ONLINE, 1997, <http://www8.zdnet.com/pcmag/features/cookie/cks1.htm>. Back to text
[80] For a discussion of the need for Website monitoring from a merchandising viewpoint, see Laurence Zuckerman, Who Uses The Internet And How? We'll Get Back To You On That If Someone Figures It Out, N.Y. TIMES, Apr. 21, 1997 at D5: (The director of a company successfully conducting business on the Web reported that his company tracks user visits in order to streamline user visits, and that the company's goal is to get visitors the information they need as quickly as possible-- "[t]he faster we can satisfy their need and get them back to work the better.").
For a summary of various Web monitoring services, see Tracy Swedlow, Are You for Sale?, PC WORLD, Oct. 1996 <http://www.pcworld.com/workstyles/online/articles/oct96/1410forsale.html>. Back to text
[81] See, e.g., William S. Galkin, Your Clickstream is Showing: Privacy of Online Consumer Information, COMPUTER LAW OBSERVER, Jan. 1997 <http://www.lawcircle.com/issue22.html>. Back to text
[82] (Visited Jan. 20, 1997) <http://www.aol.com>. Back to text
[83] FEDERAL TRADE COMMISSION, CONSUMER PRIVACY ON THE GLOBAL INFORMATION INFRASTRUCTURE, Children and Privacy Online, 1996, <http://www.ftc.gov/bcp/conline/pubs/privacy/privacy5.htm>.
[CONSUMER PRIVACY ON THE GLOBAL INFORMATION INFRASTRUCTURE is hereinafter referred to as FTC 1996 REPORT]. Back to text
[84] Id. For example, on the Batman Forever Web site, the cartoon Batman asks children to enter information about their families. Id. at IV.B. n.13. Back to text
[85] Id. at IV.B.1. Back to text
[86] Id. Back to text
[87] Id. at IV.B.1. n.23. Back to text
[88] For information on the MIT project, see MIT Media Laboratory, Agents Group <http://agents.www.media.mit.edu/groups/agents/research.html>. For information on Letizia, see MIT Media Laboratory, Letizia: An Agent That Assists Web Browsing <http://lieber.www.media.mit.edu/people/lieber/Lieberary/Letizia/Letizia-Intro.html>. Back to text
[89] See, e.g., The Online Marketplace: Challenges and Opportunities, FTC 1996 REPORT, supra n.75 <http://www.ftc.gov/bcp/conline/pubs/privacy/privacy2.htm> at 1; and Peter H. Lewis, Attention Shoppers: Internet Is Open, N.Y. TIMES, Aug. 12, 1994 at D1. Back to text
[90] See encryption discussion infra Part III.A. Back to text
[91] Lorijean G. Oei, Digital Signatures, in ONLINE LAW: THE SPA'S LEGAL GUIDE TO DOING BUSINESS ON THE INTERNET (1996) at 41-61. Back to text
[92] See Thomas J. Smedinghoff, Online Payment Options, in ONLINE LAW: THE SPA'S LEGAL GUIDE TO DOING BUSINESS ON THE INTERNET (1996) at 103-119. Back to text
[93] The Internal Revenue Service has been criticized for its significant problems in implementing its $23 billion "Tax System Modernization" (TSM) program which was to have upgraded its computer and information systems by the year 2008. See John Broder, Are I.R.S. Computers Deductible? How an Agency Was Left Behind on the Road Ahead, N.Y. TIMES, Feb. 10, 1997 at D1. See also E. Maria Grace, Privacy vs. Convenience: The Benefits and Drawbacks of Tax System Modernization, 47 FED. COMM. L.J. 409 (1994) <http://www.law.indiana.edu/fclj/v47/no2/grace.html> (discussing Tax System Modernization program). Back to text
[94] See, e.g., Michael Taub, Government Data At Your Fingertips, N.Y. TIMES, Feb. 17, 1997 at 29 (discussing Federal Election Commission data available on the Internet). Back to text
[95] Id. Back to text
[96] See, e.g., infra nn. 29-30, and accompanying text (regarding suspension of the Social Security Administration's interactive PEBES Internet service pending assurances that the data would remain secure); see also OMB Watch, A Delicate Balance: the Privacy and Access Practices of Federal Government World Wide Web Sites, 1997, <http://ombwatch.org/ombw/priv11.pdf> (reporting that in a study of the Web sites of seventy federal government agencies, OMB Watch found that 31 of the sites collect information about visitors to their sites; and of those 31, only 35% indicate to users how that information is being used). Back to text
[97] See generally RAYMOND T. NIMMER, INFORMATION LAW, § 8.16 (1996) and PRIVACY RIGHTS CLEARINGHOUSE, From Cradle to Grave: Government Records and Your Privacy, Fact Sheet #11, rev. Nov. 1994, <http://www.privacyrights.org/fs/fs11-pub.html>. Back to text
[98] States make much money on the sale of this public information. See, e.g., supra note 36 (regarding the amount of revenue some states generate from the sale of motor vehicle information). Back to text
[99] See From Cradle to Grave, supra note 97, at 4. Back to text
[100] Grace, supra note 93 (quoting from Security: New Products Are Making It Easier to Safeguard Computers and Telecommunications Equipment, GOV'T EXECUTIVE, Apr. 1993 (Information Technology Guide supplement), at 19.)
Amateur hackers, viruses, professional eavesdroppers, power outages, natural disasters, and human error are not the only challenges to the confidentiality of government records. The General Accounting Office reported to Congress that in 1994 and 1995 alone, there were 1,515 known cases of Internal Revenue Service employees "snooping" through taxpayer files. In response, Congress passed legislation in 1997 that would criminalize unauthorized access to taxpayer files by I.R.S. employees. Congress Passes Anti-Browsing Measure, Prompting Calls for More Reform of IRS, Elec. Info. Policy & Law Rep. (BNA) 434-35 (Apr. 18, 1997). Back to text
[101] Seth Schiesel, Air Force Computer Invaded as Hackers Forge a Web Page, N.Y. TIMES, Dec. 31, 1996, at D18. Back to text
[102] See <http://www.pgp.com>. See also Where to get the latest PGP FAQ, <http://www.cis.ohio-state.edu/hypertext/faq/usenet/pgp-faq/where-is-PGP/faq.html> (providing information about PGP and other encryption programs). Back to text
[103] Some legislators also favor relaxation of current export restrictions. In February 1997 three bills were introduced which would liberalize export laws: the Security and Freedom Through Encryption (SAFE) Act, introduced by Representative Bob Goodlatte of Virginia (H.R. 695); the Encrypted Communications Privacy Act of 1997, introduced by Senator Patrick Leahy of Vermont (S. 376); and Promotion of Commerce On-line in the Digital Era (Pro-CODE), introduced by Senator Conrad Burns of Montana (S. 377). Back to text
[104] Attorney General Janet Reno, Law Enforcement in Cyberspace, Address to Commonwealth Club of California (June 14, 1996) <http://zeus.bna.com/e-law/docs/reno.html>. Back to text
[105] Exec. Order No. 13,026, 61 Fed. Reg. 58767 (Nov. 15, 1996). See also A. Michael Froomkin, It Came From Planet Clipper: The Battle over Cryptographic Key "Escrow", 1996 U. CHI. LEGAL F. 15 <http://www.law.miami.edu/~froomkin/articles/planet_clipper.htm> and Dorothy E. Denning, The Cryptography Project web page <http://guru.cosc.georgetown.edu/~denning/crypto>. Back to text
[106] Exec. Order No. 13,026, 61 Fed. Reg. 58767 (Nov. 15, 1996). Back to text
[107] Export Administration Regulations (EAR), 61 Fed. Reg. 68572 (1996) (to be codified at 15 C.F.R. pts. 730-774) (proposed Dec. 30, 1996). Back to text
[108] No. 96 CV 1723 (N.D. Ohio filed Aug. 7, 1996)(case pending). Back to text
[109] 974 F. Supp. 1288 (N.D. Cal. 1997). Back to text
[110] Id. at 1310. Back to text
[111] 925 F. Supp. 1 (D. D.C. 1996), remanded by 107 F.3d 923 (table), 1997 U.S. App. LEXIS 3123, 1997 WL 71750 (D.C. Cir. 1997). Back to text
[112] Id. at 8-10. Back to text
[113] Karn v. Dept. of State, 107 F.3d 923 (table), 1997 U.S. App. LEXIS 3123, 1997 WL 71750 (D.C. Cir. 1997), <http://venable.com/oracle/oracle12.htm>. Back to text
[114] FTP (or file transfer protocol), permits an online user to log on to, review, and transfer files to and from another computer. Back to text
[115] "Gopher" is a menu-based information service to identify and access Internet resources. Back to text
[116] <http://www.anonymizer.com>. Back to text
[117] See Raph Levien, Remailer list <http://kiwi.cs.berkeley.edu/~raph/remailer-list.html> and Andre Bacard, Anonymous Remailer FAQ <http://www.eff.org/pub/Security/Pseudonymity/anon_remailer.faq>. Back to text
[118] See generally A. Michael Froomkin, Flood Control on the Information Ocean: Living with Anonymity, Digital Cash, and Distributed Databases, 15 U. PITT. J.L. COM. 395 (1996) <http://www.law.miami.edu/~froomkin/articles/ocean.htm>; and George P. Long, Who Are You?: Identity and Anonymity in Cyberspace, 55 U. PITT. L. REV. 1177 (1994) (evaluating arguments for and against anonymity). Back to text
[119] GA. CODE ANN. § 16-9-93.1 (Supp. 1997). See also Jeff Kuester, Georgia Law Resources <http://www.kuesterlaw.com/kgalaw.htm> (containing additional information regarding the statute and the litigation). Back to text
[120] A.C.L.U. v. Miller, 1997 U.S. Dist. LEXIS 14995 (N.D. Ga. 1997). Back to text
[121] A firewall is "a special type of gateway that's used to connect an internal network to the Internet. Its purpose is to prevent unauthorized intrusions into the network, which it does by connecting only a 'boundary' machine to the Internet, then selectively forwarding only approved types of traffic between the internal network and the boundary machine." G. BURGESS ALLISON, THE LAWYER'S GUIDE TO THE INTERNET 333 (1995). Back to text
[122] See description at <http://info.webcrawler.com/mak/projects/robots/norobots.html>. Back to text
[123] <http://home.netscape.com>. Back to text
[124] See, e.g., Cookie Pal, a product of Kookaburra Software, at <http://www.kburra.com>. Back to text
[125] See FTC 1996 REPORT, supra n.83, at nn. 63-70 and accompanying text. Back to text
[126] <http://www.altinet.net/cpatrol.htm>. Back to text
[127] See FTC 1996 REPORT, supra n.83, Appendix F (Internet Filtering Software). <http://www.ftc.gov/bcp/conline/pubs/privacy/APPENDIXf.htm>. Back to text
[128] In the Cyber Promotions cases, in which the e-mail marketers created mass e-mailings, a major complaint of the Internet service providers was Cyber Promotions' practice of altering message headers to disguise their true e-mail address, while sometimes indicating that the commercial e-mail originated with the ISP. See discussion infra Part V.E.2. Back to text
[129] <http://home.netscape.com>. Back to text
[130] <http://www.firefly.net>. Back to text
[131] <http://www.verisign.com>. Back to text
[132] Netscape, Firefly and VeriSign Propose Open Profiling Standard (OPS) to Enable Broad Personalization of Internet Services, NETSCAPE PRESS RELEASE, May 27, 1997 <http://home.netscape.com/flash4/newsref/pr/newsrelease411.html>. Back to text
[133] <http://www.w3.org>. Back to text
[134] <http://www.w3.org/P3P/>. Back to text
[135] Id. Back to text
[136] The information industry guidelines which have been issued include:
· Fair Information Practices Guidelines, Information Industry Association (Feb. 26, 1994) <http://www.infoindustry.org/ppgrc/doclib/grdoc003.htm>;
· Fair Information Practices Manual: A Direct Marketer's Guide to Effective Self-Regulatory Action in the Use of Information, Direct Marketing Association (1994);
· Goals for Privacy in Marketing on Interactive Media, Coalition for Advertising Supported Information and Entertainment (1996) <http://www.commercepark.com/AAAA/casie/privacy/goals.html>;
· Guidelines for Online Services: The Renting of Subscriber Mailing Lists, Interactive Services Association (June 1995);
· Joint Statement on Online Notice and Opt-Out, Direct Marketing Association & Interactive Services Association;
· Principles for Unsolicited Marketing E-mail, Direct Marketing Association & Interactive Services Association;
· Principles on Notice and Choice Procedures for Online Information Collection and Distribution by Online Operators, Interactive Services Association (June 1997). Back to text
[137] See NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION, Corporate Experiences in Privacy Self-regulation, in PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE (1997) <http://www.ntia.doc.gov/reports/privacy/selfreg6.htm>. Back to text
[138] See supra notes 26-31 and accompanying text. Back to text
[139] The TRUSTe Internet Privacy Study, conducted by the Boston Consulting Group in 1997, revealed that consumers' concerns regarding the privacy of personal information on the Internet greatly limit their commercial Internet activity. The Boston Consulting Group estimated that if consumers' concerns are resolved, Internet commerce revenues will increase by at least $6 billion by the year 2000. TRUSTe/BCG Survey, Mar. 1997 <http://www.etrust.org/webpublishers/studies_BCG.html>. See also FTC 1996 REPORT, supra note 83, at II.B. (Online Privacy: General Practices and Concerns) <http://www.ftc.gov/bcp/conline/pubs/privacy/privacy3.htm> at 2:
Survey research conducted over the last twenty years documents deep concern among Americans about how personal information is being used in the age of computers. [citing LOUIS HARRIS & ASSOCIATES, INC. INTERACTIVE SERVICES, CONSUMERS, AND PRIVACY (1994) (summarizing results of surveys conducted from 1978-94).] In a 1994 Harris Survey of Americans' attitudes about privacy and emerging interactive technologies, eighty-two percent of respondents stated that they are concerned about threats to their personal privacy. . . . According to the same survey, seventy-eight percent of respondents believe that consumers have lost all control over how businesses circulate and use personal information. . . . Survey results suggest that although many individuals are willing to strike a balance between maintaining personal privacy and obtaining the information and services that new interactive technologies provide, they are concerned about potential misuse of their personal information and want meaningful and effective protection of that information. [citing A.F. Westin, Interpretive Essay in INTERACTIVE SERVICES, CONSUMERS, AND PRIVACY (1994), at xxv-xxvii.] Back to text
[140] INTERACTIVE SERVICES ASSOCIATION, Guidelines for Online Services: The Renting of Subscriber Mailing Lists (June 1995). Back to text
[141] <http://www.iitf.nist.gov/eleccomm/ecomm.htm>. Back to text
[142] Federal Trade Commission, Public Workshop on Consumer Information Privacy, June 10-13, 1997 <http://www.ftc.gov/bcp/privacy2/index.html>. See also Margaret Mannix and Susan Gregory Thomas, Exposed Online: On The Web, Your Personal Life Is Merely Marketable Data, U.S. NEWS & WORLD REP., June 23, 1997 at 59-61. Back to text
[143] CDB Infotek, Database Technologies Inc., Experian, First Data InfoSource/Donnelley Marketing, Information America, IRSC Inc., LEXIS-NEXIS, and Metromail Corp., Individual Reference Services Industry Principles (June 10, 1997) <http://www.bna.com:80/e-law/docs/dbguides.html>: As an example, all available information in a database would be distributed to law enforcement officers for investigative purposes, but sensitive information, such as Social Security numbers, would be truncated or omitted, for other subscribers. Back to text
[144] Steve Lohr, Microsoft Joins Netscape on Software Privacy, N.Y. TIMES, June 12, 1997 at D4. Back to text
[145] <http://www.ntia.doc.gov/reports/privacy/privacy_rpt.htm>. Back to text
[146] Peter P. Swire, Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information, in PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE (Nat'l Telecomm. & Info. Admin. 1997) <http://www.ntia.doc.gov/reports/privacy/selfreg1.htm>. Back to text
[147] See, e.g. Kenneth C. Laudon, Extensions to the Theory of Markets and Privacy: Mechanics of Pricing Information, in PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE (Nat'l Telecomm. & Info. Admin. 1997) <http://www.ntia.doc.gov/reports/privacy/selfreg1.htm>. Back to text
[148] Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Directive 95/46, 1995 O.J.(L281)31. See <http://aspe.os.dhhs.gov/datacncl/eudirect.htm> for an unofficial text of the Directive.
Among the directive's requirements are that the member country statutes provide individuals with the right to advance notice of a data collector's intent to collect and use their personal data, the right to access and correct data collected about them, and the right to object to certain data transfers. The directive further requires that the statutes require that data collectors maintain the security and confidentiality of personal data; and provide judicial remedies for violations. Back to text
[149] European Commission, First Orientations on Transfers of Personal Data to Third Countries Possible Ways Forward in Assessing Adequacy (June 26, 1997) <http://zeus.bna.com/e-law/docs/eudata1.html>. Back to text
[150] Id. Back to text
[151] Some personal data transfers to U.S. entities may still be allowed. For certain situations, the Directive's Article 26 allows data transfers to a third country which does not meet the adequate protection standards set out in the Directive's Article 25. For instance, personal data transfers will be permitted where the data subject has consented. Personal data transfers may also be permitted, on an ad hoc basis, where the entity receiving the data has taken appropriate steps to ensure individual privacy protection. Article 26(2) indicates that appropriate contractual clauses may constitute the requisite privacy protection guarantees. See also Susan E. Gindin, Everyone Knows You're a Dog: The EU Data Protection Directive and Personal Data, J. INTERNET L., Mar. 1998, <http://www.info-law.com/eupriv.html>. Back to text
[152] European Commission, First Orientations on Transfers of Personal Data to Third Countries Possible Ways Forward in Assessing Adequacy (June 26, 1997) <http://zeus.bna.com/e-law/docs/eudata1.html>. Back to text
[153] See, e.g. FTC 1996 REPORT, supra note 81 at III. (Enhancing Consumer Privacy Online), <http://www.ftc.gov/bcp/conline/pubs/privacy/privacy4.htm>. See also Letter from representatives of the Center for Media Education, Privacy Rights Clearinghouse, Privacy Times, Electronic Frontier Foundation, Consumer Federation of America, Consumer Project on Technology, Electronic Privacy Information Center, and Privacy Journal to U.S. Sen. John McCain, Aug. 1, 1997, <http://www.epic.org/privacy/databases/ftc_letter_0797.html> (challenging the Federal Trade Commission's preliminary findings of the Public Workshop on Consumer Privacy (i.e., the FTC's assessment that the American public favors the employment of self-regulatory measures and that technological approaches are the preferred means for protecting children's online privacy) and questioning the adequacy of self-regulatory privacy protection measures). Back to text
[154] America Online's plan to share its customers' telephone numbers with telemarketers seems to be an example of a privacy policy gone awry in pursuit of marketing opportunities. In mid-1997, with minimal notice to its customers, America Online amended its "Terms of Service" to provide that AOL might make the telephone numbers of AOL members available to AOL partners for telemarketing. Once the amendment was discovered, AOL received an onslaught of complaints from AOL subscribers, politicians, and privacy-rights groups, and as a result, AOL abandoned its plans. See, e.g., Seth Schiesel, America Online Backs Off Plan To Give Out Phone Numbers, N.Y. TIMES, July 25, 1997 at C1. See also AOL CEO Steve Case's letter to members (July 24, 1997) <http://www.news.com/SpecialFeatures/0,5,12794,00.html>.
See also PAUL M. SCHWARTZ and JOEL R. REIDENBERG, DATA PRIVACY LAW 216-17 (1996): "[T]he Direct Marketing Association's (DMA) Code of Fair Information Practices stipulates that marketers should notify individuals of the collection of data for marketing purposes. The marketing departments of many companies belonging to the DMA, however, collect data directly from individuals for sale to third parties without notifying individuals. The code is not systematically honored by companies engaged in direct marketing activities."
[155] Directive 95/46, 1995 O.J.(L281)31. See discussion supra Part III.B.
See also BUSINESS GUIDE TO PRIVACY AND DATA PROTECTION LEGISLATION, ed. by Charles E.H. Franklin, International Chamber of Commerce, 1996, for the data privacy policies of sixteen countries. Back to text
[156] See Paul v. Davis, 424 U.S. 643, 713 (1976)(identifying these personal decisions as those concerning "matters relating to marriage, procreation, contraception, family relationships, and child rearing and education"). Back to text
[157] U.S. CONST. amend. IV. Back to text
[158] See WAYNE R. LAFAVE and JEROLD H. ISRAEL, CRIMINAL PROCEDURE § 4.1 (2d ed. 1992). Back to text
[159] 277 U.S. 438, 466 (1928) (Brandeis, J., dissenting). Back to text
[160] Id. Back to text
[161] Id. Back to text
[162] Id. at 471 (Brandeis, J., dissenting). See also supra note 2 and accompanying text. Back to text
[163] 389 U.S. 347 (1967). Back to text
[164] Id. at 353. Back to text
[165] Id. at 361. Back to text
[166] Id. at 351-52. Back to text
[167] Maxwell v. U.S., 42 M.J. 568 (A.F.C.M.R. 1995)(involving an Air Force colonel, who used his private America Online subscription to transmit pornographic materials). Back to text
[168] Id. at 576. Back to text
[169] 429 U.S. 589 (1977). Back to text
[170] Id. at 589-591. Back to text
[171] Id. at 596-605. Back to text
[172] Id. at 605. See also id. at 598-600, nn.22-26 (noting that courts have recognized a privacy interest in avoiding disclosure of personal matters). Back to text
[173] The First Amendment reads:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances. U.S. CONST. amend. I. Back to text
[174] Virginia State Board of Pharmacy v. Virginia Citizens Consumer Council, Inc., 425 U.S. 748 (1976). Back to text
[175] For a different perspective on conflicts between the First Amendment and property claims, see Zimmerman, supra n.33 (arguing that property claims should take a backseat to First Amendment values). Back to text
[176] 376 U.S. 254 (1964). Back to text
[177] See discussion of common law privacy torts infra Part IV.B. Back to text
[178] 42 U.S.C. § 2000aa (1994). See discussion of the Privacy Protection Act infra Part IV.D.3. Back to text
[179] Ruth Hill Bro, E-Mail in the Workplace, ONLINE LAW: THE SPA'S LEGAL GUIDE TO DOING BUSINESS ON THE INTERNET, 415 (1996). Back to text
[180] Porten v. University of San Francisco, 134 Cal. Rptr 839, 842 (Cal. Ct. App. 1976). Back to text
[181] See generally HENRY H. PERRITT, JR., LAW AND THE INFORMATION SUPERHIGHWAY § 3.5 (1996); and George B. Trubow, Protecting Informational Privacy in the Information Society, 10 N. ILL. U. L. REV. 521 (1990).
[182] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193 (1890).
See also Mell, supra n.25 at 29; and Richard C. Turkington, Legacy of the Warren and Brandeis Article: The Emerging Unencumbered Constitutional Right to Informational Privacy, 10 NO. ILL. U. L. REV. 479, 482 n.5 (1990) (indicating an 1881 Michigan case and other sources which discussed privacy a few years prior to publication of the Warren and Brandeis article).
[183] Warren & Brandeis, supra note 180, passim. Brandeis expressed the concerns he later reiterated as Supreme Court Justice in the Olmstead dissent. See 277 U.S. 438, 473-74 (1928)(Brandeis, J., dissenting). See also supra note 2 and accompanying text.
[184] William L. Prosser, Privacy, 48 CAL. L. REV. 383, 389 (1960).
[185] RESTATEMENT (SECOND) OF TORTS §§ 652A-652I (1977).
[186] Id. at § 652B.
[187] Id. at § 652D.
[188] Id. at § 652E.
[189] Id. at § 652C.
[190] Id. at § 652B.
[191] Id. at § 652B cmt. a; see, e.g., Roach v. Harper, 105 S.E. 2d 564 (W. Va. 1958).
[192] RESTATEMENT § 652B cmt. c.
[193] Id. at § 652B cmt. b; see Rhodes v. Graham, 37 S.W.2d 46 (Ky. 1931).
[194] See also PERRITT, supra n.181, at § 3.5 (1996).
[195] RESTATEMENT, supra note 183, at § 652D.
[196] Id. at § 652D cmt. a. See Tureen v. Equifax, Inc., 571 F.2d 411 (8th Cir. 1978)(discussing a plaintiff who sued under this tort when the consumer credit reporting firm, Equifax, submitted a life and health underwriting history report to plaintiff's health insurer (at the request of insurer) after plaintiff made health insurance benefit claims). The majority of the court held that defendant's disclosure of information to its client, the insurer, without further dissemination, was insufficient publication.
However, Judge Heaney disagreed, stating that "[t]he collection and retention of personal information about a particular consumer by a commercial information broker, such as Equifax makes the dissemination of that information sufficiently likely as to meet any reasonable requirement of 'publicity.'" Id. at 420 (Heaney, dissenting). He emphasized that "[t]he dissemination of private information by a commercial credit broker to insurance companies, banks and other customers requesting such information is no less 'public' than the posting of a debt in a creditor's shop window." Id. at 421 (Heaney, dissenting) (citing § 652D cmt. a, ill. 2, and providing an example of sufficient publicity).
See also Houghton v. N.J. Mfrs.' Ins. Co., 615 F. Supp. 299 (E.D. Pa. 1985)(holding under similar facts that plaintiff failed to establish sufficient publicity).
See also Beverly v. Reinert, 606 N.E.2d 621 (Ill. App. Ct. 1992)(rejecting an invasion of privacy claim that was based on the unreliability of fax technology and determining that the possibility that a faxed letter might have gone to (or been intercepted by) the wrong party was not sufficient public disclosure).
[197] RESTATEMENT, supra note 185, at § 652D cmt.b. The comments provide further examples of the type of information not of legitimate public interest which, if divulged, would be actionable invasion of privacy: sexual relations, "family quarrels, many unpleasant or disgraceful or humiliating illnesses, most intimate personal letters, most details of a man's life in his home, and some of his past history that he would rather forget." Id.
[198] 420 U.S. 469 (1975).
[199] 420 U.S. at 496.
[200] 420 U.S. at 492.
[201] See also PERRITT, supra n.181 at § 3.5.
[202] No. 9604451, (D. Texas, Travis Cty, filed Apr. 18, 1996).
[203] Id.
[204] Id.
[205] Id.
[206] Class Action Expands Against Metromail and Donnelley Over Privacy Violations; Broader focus, new plaintiffs target deceptive collection and sale of data; return of profits sought, BUS. WIRE (Apr. 30, 1997) NEXIS service (reporting that the case has led to federal and state legislation banning the sale of children's data without parental consent, prohibiting 900 number "look-up" services on children, and prohibiting prisoners from processing children's data).
[207] Id.
[208] See supra note 31 and accompanying text.
[209] RESTATEMENT, supra note 185, at § 652E.
[210] Id. at §652E cmt. b.
[211] See Dun & Bradstreet, Inc. v. Greenmoss Builders, 472 U.S. 749 (1985)(rejecting D&B's argument that a credit report was a matter of public interest, which would require a showing of "actual malice" under the First Amendment to be actionable for defamation, and therefore allowing the subject of an inaccurate credit report, prepared by D&B and disseminated to five D&B subscribers, to successfully sue D&B for defamation). The Court held that the particular credit report concerned no public issue in that "[i]t was speech solely in the individual interest of the speaker and its specific business audience." Id. at 762.
[212] RESTATEMENT, supra note 185, at § 652C.
[213] Id. at § 652C cmt. b.
[214] See, e.g., Shibley v. Time, Inc., 341 N.E.2d 337, 339 (Ohio Ct. App. 1975)(recognizing "the unwarranted appropriation or exploitation of one's personality," as a tort in the State of Ohio).
[215] 626 N.Y.S.2d 694 (Sup. Ct. 1995).
[216] N.Y. CIV. RIGHTS LAW §§ 50, 51 (McKinney, 1992).
[217] 626 N.Y.S.2d at 695.
[218] Id. at 698-701.
[219] Id. at 698-699.
[220] See Shibley, 341 N.E.2d at 339 (rejecting plaintiff's argument that Time Magazine appropriated his personality when it sold its subscription lists to direct mail advertisers, and holding that defendant's sale of subscription lists did not constitute "appropriation or exploitation of one's personality" as defined by Ohio common law). The Shibley court emphasized that Ohio had a statute permitting the sale of names and addresses of registrants of motor vehicles. Id.
See also Dwyer v. American Express Co., 652 N.E.2d 1351 (Ill. App. 1995), appeal denied, 662 N.E.2d 423 (Ill. 1996)(alleging in a class action suit that defendants' (American Express Company and its related companies) practice of renting information regarding cardholder spending habits constituted an invasion of privacy). The Dwyer court rejected plaintiff's appropriation claim finding that "a single, random cardholder's name has little or no intrinsic value to defendants (or a merchant)" until the "[d]efendants create value by categorizing and aggregating these names [into lists of buyers by type, e.g. "Rodeo Drive Chic" or "Value Oriented"]." Id. at 1353. The court further stated that "defendants' practices do not deprive any of the cardholders of any value their individual names may possess." Id. The plaintiffs apparently hoped that a 1992 agreement between American Express and the New York State attorney general, that American Express would disclose to cardholders its use of cardholder spending habits, would be influential in persuading the court. However, this agreement seemed to have no effect on the court's decision. The court, which cited Shibley frequently, also noted that Illinois has a statute, similar to Ohio's, permitting the sale of names and addresses of licensed drivers and registered motor-vehicle owners to direct mail advertisers. Id.
See also Avrahami v. U.S. News & World Report, No. 95-1318 (Va. Cir. Ct. Arlington County, 1995), appeal denied, No. 961837 (Va. Sup. Ct. 1996)(raising similar privacy tort issues and also finding in favor of the defendant magazine). In this case, a U.S. News & World Report subscriber, whose name and address had been traded in a swap of subscriber lists between U.S. News & World Report and Smithsonian Magazine, brought suit under Virginia Code Section 8.01-40 which provides: "Any person whose name, portrait or picture is used without having first obtained the written consent of such person . . ., for advertising purposes or for the purposes of trade, such persons may maintain a suit in equity against such person, firm or corporation so using such person's name, portrait or picture to prevent and restrain the use thereof, ...". The county circuit court ruled that the subscriber had no rights in U.S. News & World Report's use of his name which had been purposely misspelled (he had varied the spelling of his name when subscribing to various publications so that he could determine how junk-mailers got his address) because it was not the correct spelling; and also that inclusion of names on a mailing list does not amount to use for the purpose of trade.
[221] See, e.g., Concentric Network Corp. v. Wallace, discussed infra Part IV.E.2. Breach of contract is particularly appropriate where there is an express policy protecting user privacy.
See also Peter P. Swire, Markets, Self-Regulation, and Government Enforcement in the Protection of Personal Information, in National Telecommunications and Information Administration, PRIVACY AND SELF-REGULATION IN THE INFORMATION AGE (1997) <http://www.ntia.doc.gov/reports/privacy/selfreg1.htm> (arguing that a contractual approach to privacy protection should be used, in which individual privacy rights would be established through contracts made with data collection companies).
[222] For instance, a negligence claim would be appropriate in a situation in which an information provider has failed to use proper techniques to safeguard the security of the data.
[223] See, e.g., Martin v. Baehler, CIV.A.91C-11-008, 1993 Del. Super. LEXIS 199 (Del. Super. Ct. July 7, 1993), and Behringer v. Medical Center at Princeton, 592 A.2d 1251 (N.J. Super. 1991)(finding liability for breach of patients' confidentiality because reasonable procedures were not implemented to ensure patient confidentiality).
Attorney/client confidentiality issues arise when documents are sent or stored insecurely. See PERRITT, supra n.181 § 3.22. See also ALLISON, supra n.47, at 129-31; Oppedahl, supra n.47, at 5 (discussing risks involved in the electronic transmission of client documents and security measures).
[224] See, e.g., Dennis v. Metromail Corp., No. 9604451 (D. Texas, Travis Cty, filed Apr. 18, 1996), discussed supra Part IV.B.2.
[225] See, e.g., Dennis, discussed supra Part IV.B.2.
[226] See, e.g., Dennis, discussed supra Part IV.B.2.
[227] See, e.g., Stern v. Delphi Internet Services Corp., 626 N.Y.S.2d 694 (Sup. Ct. 1995), discussed supra note 186. The right of publicity, which is recognized by twenty-four states (and which is quite similar to the appropriation right of privacy tort), involves the right to control and profit from the commercial value of one's identity.
See J. THOMAS MCCARTHY, THE RIGHTS OF PUBLICITY AND PRIVACY (1996); and Elizabeth S. Perdue, Right of Publicity, ONLINE LAW: THE SPA'S LEGAL GUIDE TO DOING BUSINESS ON THE INTERNET 259-265 (1996).
[228] See Borland v. Eubanks, discussed supra n.53.
[229] See, e.g., Cyber Promotions, Inc. cases discussed infra Part IV.E.2.
[230] 467 U.S. 986 (1984). See also Pamela Samuelson, Information as Property: Do Ruckelshaus and Carpenter Signal a Changing Direction in Intellectual Property Law?, 38 CATH. U.L. REV. 365 (1989).
[231] See, e.g., Bishop Clarkson Mem'l Hosp. v. Reserve Life Ins. Co., 350 F.2d 1006 (8th Cir. 1965); Pyramid Life Ins. Co. v. Masonic Hosp. Ass'n of Payne County, 191 F.Supp. 51 (W.D. Okla. 1961); and Bennett v. Heidinger, 507 N.E.2d 1162 (Ohio Ct. App. 1986). But see Gotkin v. Miller, 514 F.2d 125 (2d Cir. 1975)(holding that a former mental patient does not have a property right in his hospital records).
[232] Bennett v. Heidinger, 507 N.E.2d 1162 (Ohio Ct. App. 1986).
[233] Acme Circus Operating Co. v. Kuperstock, 711 F.2d 1538, 1541 (11th Cir. 1983). See also MCCARTHY, supra note 225, § 10.2[A].
[234] See, e.g., Canessa v. J.I. Kislak, Inc., 235 A.2d 62 (N.J. Super. 1967); Lavery v. Automation Management Consultants, Inc., 360 S.E.2d 336 (Va. 1987). See also W. PAGE KEETON ET AL., PROSSER AND KEETON ON THE LAW OF TORTS (5th ed. 1984) at 854.
[235] See, e.g., ALAN F. WESTIN, PRIVACY AND FREEDOM (1967) and Arthur R. Miller, Personal Privacy in the Computer Age: The Challenge of New Technology in an Information-oriented Society, 67 MICH. L. REV. 1089 (1969). See also Mell, supra note 25, at 180 (proposing a federal statute giving individuals property rights in personal information); BRANSCOMB, supra note 33 (arguing that property rights should extend to all information). But see Samuelson, supra n.230 (questioning the designation of information as property).
[236] See discussion of fair information practices guidelines infra Part V.
[237] See BRANSCOMB, supra note 33 at 181.
[238] Pub. L. No. 99-508, 100 Stat. 1848 (codified in scattered sections of 18 U.S.C.).
[239] Pub. L. No. 98-473, 98 Stat. 2190 (codified as 18 U.S.C. § 1030 (1994)).
[240] Pub. L. 96-440, Stat. 1883 (codified as 42 U.S.C. § 2000aa to aa-12 (1994)).
[241] Pub. L. 93-579, 88 Stat. 1897 (codified as 5 U.S.C. § 552a (1994)).
[242] Pub. L. 102 Stat. 2507 (codified as 5 U.S.C. § 552a (1994)).
[243] Pub. L. 91-508, 84 Stat. 1128 (codified as 15 U.S.C. § 1681-1681(t)(1994)).
[244] Pub. L. 99-508, 100 Stat. 1851, 1859-1868 (codified at 18 U.S.C. §§ 2510-2522 and §§ 2701-2711 (1994)).
[245] Pub. L. No. 90-351, 82 Stat. 197-212 (1968).
[246] 18 U.S.C. §§ 2511, 2520, 2701, 2707.
[247] §§ 2516-2518, 2703 (1994). See, e.g., Steve Jackson Games, Inc. v. United States Secret Serv., 816 F. Supp. 432 (W.D. Tex. 1993), aff'd, 36 F.3d 457 (5th Cir. 1994). See also Nicole Giallonardo, Casenote, Steve Jackson Games v. United States Secret Service: The Government's Unauthorized Seizure of Private E-Mail Warrants More Than the Fifth Circuit's Slap on the Wrist, 14 J. COMPUTER & INFO. L. 179 (1995); Terri A. Cutrera, The Constitution in Cyberspace: The Fundamental Rights of Computer Users, 60 U.M.K.C. L. REV. 139 (1991).
[248] 18 U.S.C. § 2510(12) (1994).
[249] Id. § 2510(4).
[250] Id. §§ 2510-2521.
[251] Id. §§ 2701-2710.
[252] Id. § 2702(b).
[253] Id. §§ 2511(2)(a)(i), 2702(b).
[254] Id. § 2702(b)(6).
[255] Id. § 2511(2)(g)(i).
[256] Id.
[257] Id. §§ 2511(2)(c), 2702(b)(3).
[258] The definition of "electronic, mechanical, or other device" is: "any device or apparatus which can be used to intercept a wire, oral, or electronic communication other than . . . any telephone or telegraph instrument, equipment or facility, or any component thereof, (i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or (ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties. . . ." § 2510(5)(a).
[259] See, e.g., Epps v. St. Mary's Hosp. of Athens, Inc., 802 F.2d 412 (11th Cir. 1986), in which the court found that employer monitoring of a conversation between two employees, during which one employee criticized supervisors, was in the ordinary course of business because the call took place during work hours, and it concerned supervisory employees and the work environment. Id. at 416-17.
See also Briggs v. American Air Filter Co., 630 F.2d 414 (5th Cir. 1980), where the court found an employer's monitoring of a business call in which the employee revealed trade secrets to a business competitor to be within the ordinary course of business because the employer had suspicions that trade secrets were being revealed and listened only long enough to confirm that fact. Id. at 420.
See also Deal v. Spears, 980 F.2d 1153 (8th Cir. 1992), where the court held that the six-week monitoring of the calls of an employee suspected of wrongdoing was "well beyond the boundaries of the ordinary course of business." Id. at 1158.
[260] 816 F. Supp. 432 (W.D. Tex. 1993), aff'd, 36 F.3d 457 (5th Cir. 1994).
[261] See 42 U.S.C. § 2000aa (1994). See discussion infra Part IV.D.3.
[262] 816 F. Supp. at 439-444.
[263] Id. at 435-36.
[264] Id.
[265] Id.
[266] Id. at 435-38.
[267] Id. at 439-444.
[268] Id. at 442.
[269] This decision was criticized by some commentators. See, e.g., Giallonardo, supra note 247. See also Cutrera, supra note 247.
[270] 111 F.3d 1472 (10th Cir. 1997).
[271] Id. at 1477-1484.
[272] Id. at 1476.
[273] Id. at 1478-1479.
[274] Id. at 1481.
[275] 18 U.S.C. § 2707(e)(1994).
[276] Davis, 111 F.3d 1472, 1483 (10th Cir. 1997)(quoting 18 U.S.C. § 2702(e)).
[277] See discussion infra Part IV.E.2.
[278] 18 U.S.C. § 1030.
[279] Id. § 1030(a)(3).
[280] Id. § 1030(e)(2).
[281] Id. § 1030(a)(4).
[282] Id. § 1030(a)(5).
[283] Id. § 1030(e)(8).
[284] Id. § 1030(a)(5).
[285] Id. § 1030(c).
[286] Id. § 1030(g).
[287] United States v. Morris, 928 F.2d 504 (2d Cir. 1991), cert. denied 502 U.S. 817 (1991). Morris was found guilty under Section 1030(a)(5) of the Computer Fraud and Abuse Act, as it was written at the time. The section pertained to someone who:
(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby (A) causes loss . . . of a value aggregating $1,000 or more. . . . Id. at 506, citing 18 U.S.C. § 1030(a)(5)(A)(1994).
[288] A "worm" is a program that travels from one computer to another but does not attach itself to the operating system of the computer it infects. Id. at 505 n.1.
[289] Morris's goal was to demonstrate the inadequacies of security measures on the Internet. Id. While he instituted certain safeguards intended to prevent widespread damage, the worm replicated itself and infected machines at a much faster rate than he anticipated. Id. at 506. As a result, many computers around the country, including those at major universities, military sites, and medical research facilities, crashed. Id. It cost an estimated $200 to more than $53,000 to deal with the worm at each installation. Id. In finding Morris guilty, the court found that: 1) Morris exceeded the implied authorization he had to access e-mail as well as to the computers of several universities, thereby satisfying the statute's requirement of intentional access without authorization; and 2) the government was not required to demonstrate that Morris intentionally prevented authorized use which thereby caused loss. Id. at 506-511.
[290] See 18 U.S.C. § 1030. See also further discussion of Cyber Promotions cases infra Part IV.E.2.
[291] 42 U.S.C. § 2000aa to aa-12 (1994).
[292] Id. § 2000aa(a).
[293] § 2000aa-7(b).
[294] § 2000aa-6.
[295] Steve Jackson Games, Inc. v. United States Secret Service, 816 F.Supp. 432 (W.D. Tex. 1993) aff'd, 36 F.3d 457 (5th Cir. 1994). See supra note 260 and accompanying text.
[296] 816 F.Supp. at 438-444.
[297] Id. at 438.
[298] Id. at 439-440.
[299] 5 U.S.C. § 552a et seq.
[300] Id. § 552a(b)(3).
[301] Id. § 552a(a)(7).
[302] Id. § 552a(b).
[303] Id. § 552a(a)(4).
[304] Id. § 552a(e)(1).
[305] Id. § 552a(e)(4).
[306] Id. § 552a(d).
[307] Id. § 552a(c).
[308] Id. § 552a(e)(5).
[309] Id. § 552a(e)(10).
[310] Id. § 552a(m)(1).
[311] Id. § 552a(g).
[312] Id. § 552a(i).
[313] Pub. L. 100-503, 102 Stat. 2507-2514 (codified as 5 U.S.C. § 552a (1994)).
[314] 5 U.S.C. § 552a(a)(8).
[315] Id. § 552a(a)(8).
[316] Id. § 552a(o).
[317] Id.
[318] Id. § 552a(p).
[319] 15 U.S.C. § 1681 (1984).
[320] Id. § 1681(b).
[321] Id. § 1681a(f).
[322] Id. § 1681a(d).
[323] Id. § 1681b.
[324] Id. § 1681b.
[325] Id. § 1681b.
[326] Id. § 1681c.
[327] Id. § 1681d.
[328] Id. § 1681a(e).
[329] Id. § 1681g.
[330] Id. § 1681i.
[331] Id. § 1681m.
[332] Id. § 1681n.
[333] Id. § 1681o.
[334] Id. § 1681n.
[335] Id. § 1681q.
[336] Id. § 1681r.
[337] Id. § 1681s.
[338] 81 F.3d 228 (D.C. Cir. 1996).
[339] Trans Union's targeted marketing mailing lists are compiled using data from Trans Union's credit reporting database, which contains the following information: name (and aliases), addresses, social security number, phone numbers, occupation, gender, ethnic background, marital status, education, as well as credit account information. See also Dwyer v. American Express Co., 652 N.E.2d 1351 (Ill. App. 1995), appeal denied, 662 N.E.2d 423 (Ill. 1996)(involving an unsuccessful private action in Illinois by American Express Company cardholders who claimed that their common law right to privacy had been invaded by American Express Company's sale of personal information in target-marketing mailing lists). See discussion supra note 220.
[340] Trans Union, 81 F.3d at 229.
[341] Id.
[342] Id. at 231-33.
[343] Id. at 230.
[344] Id. at 229.
[345] Id. See supra note 31 and accompanying text.
[346] Letter from Robert Pitofsky, FTC Chairman, to Sen. Richard H. Bryan, Ranking Member of U.S. Sen. Subcommittee on Financial Institution and Regulatory Relief (Sept. 20, 1996) <http://zeus.bna.com/e-law/docs/ftclet.html>.
[347] S. 600, 105th Cong., 1st Sess. (1997).
[348] Id.
[349] 44 U.S.C. § 2101-2118 (1994).
[350] Armstrong v. Executive Office of the President, 1 F.3d 1274 (D.C. Cir. 1993).
[351] 12 U.S.C. § 3401-13 (1994).
[352] 20 U.S.C. § 1232g (1994).
[353] 18 U.S.C. § 2710 (1994).
[354] 47 U.S.C. § 227(b)(1)(A)(iii)(1994).
[355] 18 U.S.C. § 2721 (1994).
[356] 47 U.S.C. § 521, 551 (1994 & Supp. 1997).
[357] 47 U.S.C. § 153 (1996).
[358] 26 U.S.C. § 6103 (1994).
[359] See PERRITT, supra n.181 at § 3.15 (1996).
[360] See Id. § 3.20.
[361] 5 U.S.C. § 552a (1994).
[362] 914 F. Supp. 97 (E.D. Pa. 1996).
[363] Id. at 101.
[364] Id. at 98 n.1.
[365] Id. at 98.
[366] Id. at 101.
[367] Workplace e-mail was a peripheral issue in one California case, Thomasson v. Bank of America, No. A061120 (Cal. Ct. App. 1994), app. den. 1995 Cal. LEXIS 1843 (1995). The employee alleged that he was fired after his employer discovered, through e-mail messages that he had left in the output tray of a printer, that he also worked as a gay stripper. He claimed that the employer violated his right to informational privacy by misusing private information contained in the e-mail, but the court held that he had no reasonable expectation of privacy in the information that he was a stripper because a publicity photo of the employee was posted outside the theater. Id. at 15.
[368] No. B068705 (Cal. Ct. App., July 26, 1993) (unreported decision). In Bourke, the plaintiff and another employee sued Nissan for wrongful termination, invasion of privacy, and violation of wiretapping and eavesdropping statutes after Nissan began monitoring plaintiff's e-mail after an e-mail system trainer randomly accessed one of plaintiff's e-mail messages which was of a personal, sexual nature. Nissan began monitoring the e-mail messages of plaintiff and others in the employee's work group and issued written warnings to several employees. The trial court granted summary judgment in favor of the employer, and the appellate court affirmed.
[369] Id.
[370] Id. at 7.
[373] CAL. PENAL CODE § 631 (West 1996).
[375] Bourke, supra note 368, at 8-9.
[376] Shoars v. Epson America, Inc., No. B 073243 (Cal. Ct. App.) (unreported decision), rev. den., No. S040065, 1994 Cal. LEXIS 3670 (June 29, 1994). Shoars was responsible for employee e-mail training and support at Epson. Shoars had informed her co-workers that e-mail would remain confidential because she believed no one had authority to monitor e-mail. When she learned that her supervisor had been intercepting and reading all e-mail messages received or sent via MCI Mail, she demanded that he stop this practice. When she requested a private e-mail account that her supervisor would not be able to access, she was fired on the basis of insubordination. Shoars then sued the employer.
[377] CAL. PENAL CODE § 631 (West 1996).
[378] Shoars, supra note 376, at 4. See also Flanagan v. Epson America, Inc., No. BC007036 (L.A. Sup. Ct. Jan. 4, 1991)(rejecting the class action certification in a related suit brought against Epson under § 631 by about 700 Epson employees whose e-mail was read).
[379] 932 F. Supp. 1232 (D. Nev. 1996).
[380] Id. at 1233-37.
[381] Id. at 1234-35.
[382] See discussion infra Part IV.D.1.
[383] Bohach, 932 F.Supp. at 1235-36.
[384] See, e.g., Ruth Hill Bro, supra note 179, § 26.2.3.
[385] For example, in 1997 the National Labor Relations Board (NLRB) ruled in favor of an employee who was fired for criticizing the employer's new vacation policy via the company e-mail system. In Timekeeping Systems Inc. v. Leinweber, 323 N.L.R.B. No. 30 (Feb. 27, 1997), the NLRB ruled that the employee's remarks were protected under the National Labor Relations Act as a "concerted activity" and that the employer unlawfully discharged the employee. Id. at 6-7.
[386] Pub. L. 99-508, 100 Stat. 1851, 1859-1868 (codified as 18 U.S.C. §§ 2510-2522, 2701-2711 (1994)). See discussion accompanying notes 244-277.
[387] See Bohach v. City of Reno, 932 F. Supp. 1232 (D. Nev. 1996), Wesley College v. Pitts, 974 F. Supp. 375 (D. Del. 1997), and Steve Jackson Games, Inc. v. U.S. Secret Service, 816 F. Supp. 432 (W.D. Tex. 1993), aff'd, 36 F.3d 457 (5th Cir. 1994).
[388] 18 U.S.C. §§ 2511(2), 2702. See supra discussion accompanying note 257.
[389] 18 U.S.C. § 2510(5). See supra discussion accompanying notes 258-59.
[390] See, e.g., cases cited in note 259, supra.
[391] For example, in Deal v. Spears, 980 F.2d 1153 (8th Cir. 1992), the court held that the six-week monitoring of the calls of an employee suspected of wrongdoing was "well beyond the boundaries of the ordinary course of business." Id. at 1158.
[392] See discussion supra Part II.B.1.b. For a comprehensive list of cases involving unsolicited e-mail, see David E. Sorkin, Unsolicited e-mail, John Marshall Law School Center for Information Technology & Privacy Law, <http://www.jmls.edu/cyber/cases/spam.html>.
[393] In 1997, Cyber Promotions was sending out 15-20 million commercial e-mail messages a day. See Simons, supra note 58, at 55.
[394] Cyber Promotions, Inc. v. America Online, Inc., 948 F.Supp. 436 (E.D. Pa. 1996); Cyber Promotions, Inc. v. Apex Global Information Services, Inc., No. 97-5931 (E.D. Pa. Sept. 30, 1997); Cyber Promotions, Inc. v. WorldCom Inc., Civ. No. 97-11957 (Pa. C.P., Montgomery County, filed June 25, 1997).
[394a] Cyber Promotions, Inc. v. Apex Global Information Services, Inc., No. 97-5931 (E.D. Pa. Sept. 30, 1997); Cyber Promotions, Inc. v. WorldCom Inc., Civ. No. 97-11957 (Pa. C.P., Montgomery County, filed June 25, 1997).
[395] 948 F.Supp. 436 (E.D. Pa. 1996).
America Online, Inc. v. Cyber Promotions, Inc., No. 96-462, in U.S. District Court for Eastern District of Virginia was consolidated with Cyber Promotions, Inc. v. America Online, Inc., No. 96-2486, in the U.S. District Court for the Eastern District of Pennsylvania.
[396] Id. at 445.
[397] Id. at 437-38.
[398] Id.
[399] Id.
[400] Id. at 445.
[401] Id. at 442-45.
[402] Id. at 442 (quoting Cyber's Memorandum in Support of its First Amendment Right to Send Internet E-Mail to Defendant's Members, at 13).
[403] Id.
[404] Id. at 445-46.
[405] Cyber Promotions, Inc. v. America Online, Inc., 948 F.Supp. 456, 459 (E.D. Pa. 1996).
[406] Id. at 457-58.
[407] Id. at 458.
[408] 962 F.Supp. 1015 (S.D. Ohio 1997).
[409] Id. at 1028.
[410] Id. at 1027.
[411] Id.
[412] Id. at 1025-26.
[413] Id.
[414] Id. at 1027.
[415] Id. at 1024.
[416] Id. The case was settled later, with Cyber being further enjoined from mislabeling e-mail message headers to indicate messages originated from a CompuServe account, and with Cyber agreeing to pay CompuServe $65,000 in attorneys' fees. See CompuServe Inc. v. Cyber Promotions, Inc., 962 F. Supp. 1015 (E.D. Ohio 1997).
[417] Concentric Network Corp. v. Wallace, No. C-96 20829-RMW(EAI) (N.D. Cal. Nov. 5, 1996) <http://www.jmls.edu/cyber/cases/concent1.html>.
[418] Id. (alleging in its complaint, No. C-96-200829 (N.D. Cal. San Jose Div. filed Oct. 2, 1996), that Cyber's techniques violated the ECPA; the Computer Fraud & Abuse Act; and constituted conversion or trespass to personal property; unjust enrichment; tortious interference with contractual relations; unfair competition under the federal Lanham Act and California Business & Professional Code; breach of contract; breach of the implied covenant; and fraud). These were dismissed without prejudice.
[419] Earthlink Network, Inc. v. Cyber Promotions, Inc., No. BC167502 (L.A. Cal. Super. Ct. May 7, 1997)(preliminary injunction).
[420] Id.
[421] Briefly, USA TODAY, May 15, 1997 at 6D. See also Press Release from Earthlink Network Company & Services, Earthlink Eats Spammers for Lunch--Wins Injunction Against Cyber Promotions (May 7, 1997), <http://www.earthlink.net/company/press_releases/ELN_eats_spammers.html>.
[421a] Cyber Promotions, Inc. v. Apex Global Information Services, Inc., No. 97-5931 (E.D. Pa. Sept. 30, 1997), <http://www.jmls.edu/cyber/cases/cp-agis1.html>.
[422] The Arbitration Before the Virtual Magistrate of the Case Tierney and EMail America, Docket No. 96-0001, May 21, 1996, <http://vmag.vcilp.org/doksys/96-0001/>.
[423] Id.
[424] Id.
[425] Id.
[426] H.R. 98, 105th Cong., 1st Sess. (1997).
[427] H.R. 52, 105th Cong., 1st Sess. (1997).
[428] S. 504, 105th Cong., 1st Sess. (1997).
[429] H.R. 1287, 105th Cong., 1st Sess. (1997).
[430] S. 600, 105th Cong., 1st Sess. (1997).
[431] See supra note 31 and accompanying text (regarding the P-TRAK matter which prompted this confidentiality concern); see also discussion supra Part IV.D.5. (regarding the Fair Credit Reporting Act).
[431a] H.R. 1813, 105th Cong., 1st Sess. (1997).
[432] H.R. 1367, 105th Cong., 1st Sess. (1997).
[433] H.R. 1330, 105th Cong., 1st Sess. (1997).
[433a] H.R. 1964, 105th Cong., 1st Sess. (1997).
[433b] H.R. 2368, 105th Cong., 1st Sess. (1997).
[434] See Robert C. Davis, Confidentiality and the Census, 1790-1929 in U.S. DEPT OF HEALTH, EDUCATION & WELFARE, RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS: REPORT OF THE SECRETARY'S ADVISORY COMMITTEE ON AUTOMATED PERSONAL DATA SYSTEMS (1973) at 178-201.
[435] U.S. DEPT OF HEALTH, EDUCATION & WELFARE, RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS: REPORT OF THE SECRETARY'S ADVISORY COMMITTEE ON AUTOMATED PERSONAL DATA SYSTEMS at xx (1973).
[436] Id. at xx-xxi.
[437] ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT, GUIDELINES ON THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA (1981).
[438] See FEDERAL TRADE COMMISSION, Workshop: Consumer Protection and the Global Information Infrastructure (Apr. 10-11, 1995) <http://www.ftc.gov/opp/trnscrpt.htm>; see also FEDERAL TRADE COMMISSION, BUREAU OF CONSUMER PROTECTION, Workshop on Consumer Privacy on the Global Information Infrastructure (June 4-5, 1996) <http://www.ftc.gov/bcp/privacy/privacy.htm>.
[439] NAT'L TELECOMM. & INFO. ADMIN., U.S. DEPT. OF COMMERCE, PRIVACY AND THE NII: SAFEGUARDING TELECOMMUNICATIONS-RELATED PERSONAL INFO. (1995). <http://www.ntia.doc.gov/ntiahome/privwhitepaper.html>.
[440] PRIVACY WORKING GROUP REPORT, supra n.2; and Options for Promoting Privacy in the National Information Infrastructure (Draft for Public Comments, Apr. 1997), <http://www.iitf.nist.gov/ipc/privacy.htm>.
[441] NAT'L INFO. INFRASTRUCTURE ADVISORY COUNCIL, COMMON GROUND: FUNDAMENTAL PRINCIPLES FOR THE NATIONAL INFORMATION INFRASTRUCTURE (March 1995) <http://nii.nist.gov/pubs/common-ground.txt>.
[442] PRIVACY WORKING GROUP REPORT supra note 2 at § II.E26.
[443] Id. § II.E25-26.
[444] Id. § II.E26.
[445] Id. § II.E25.
[446] DejaNews, the search engine for Usenet postings, provides an excellent warning. See DejaNews, Deja News Policies <http://www.dejanews.com/info/policy.shtml>. However, DejaNews' warning is only seen by those searching DejaNews' search engine, and even then, it is a mouse-click away from the main page, and it is not easy to find.
[447] The Open Profiling Standard, proposed by Netscape Communications and other Internet technology companies in May 1997, would appear to be an answer to this need. See supra notes 132-35 and accompanying text. However, some commentators have questioned the efficacy of the privacy aspect of the Open Profiling Standard. See, e.g., Casey Lide, The Big Cookie: What's Behind Internet Privacy Concerns: Part II, INTERNET LEGAL PRACTICE NEWSL. (Aug. 18, 1997), <http://www.collegehill.com/ilp-news/lide2.html> (highlighting the substantial direct/database marketing component of the business of VeriSign, one of the originators of the Open Profiling Standard).
[448] See supra Part II.
[449] See, e.g., Online Public Education Network (Project OPEN), Protecting Your Privacy When You Go Online, 1997, <http://www.isa.net/project-open/layout.html> (providing a thorough, well-written online brochure prepared to educate online users as to how to protect their online privacy). Project OPEN was created by the Interactive Services Association and the National Consumers League, and is sponsored by America Online, AT&T, CompuServe, Microsoft, and NETCOM On-line Communications Services.