Privacy began to develop as a legal concept in the late 19th century. In 1881, the Supreme Court for Michigan granted relief to a woman who had been observed during child birth without her consent. In 1902, the New York Court of Appeals declined to recognize a right to privacy in a case where the defendant used a photo of the plaintiff on boxes of flour that was distributed nationwide. The court opined that a cause of action for privacy would lead to a “vast amount of frivolous litigation” and that this issue was a matter for the legislature.
In 1928, the U.S. Supreme Court issued a “landmark” decision in Olmstead v. US. Prior to that time, the court’s concern regarding the 4th Amendment was the protection of property rights. The reasoning generally involved the determination whether a trespass to property had occurred. In Olmstead, the Court held that “use of a wiretap to intercept a private telephone was not a ‘search’ for purposes of the Fourth Amendment.” The court reasoned there had been no physical intrusion into the home. Olmstead did not recognize surveillance as a protected intrusion under the 4th Amendment. This concept was to change post-Olmstead. Justice Brandeis wrote a strong dissent in Olmstead that became the basis for later rulings rejecting the notion that a violation of the 4th Amendment was dependent on a trespass to property. Brandeis believed the condition of privacy is an intellectual tradition that is not dependent on physical intrusion – psychological intrusion was sufficient.
The next landmark opinion came in 1965. The case was Griswold v. Connecticut. In Griswold, the U.S. Supreme Court established a general Constitutional right-of-privacy independent of the 4th and 5th Amendments. Griswold and another employee of Planned Parenthood were convicted as accessories to the crime of violating a Connecticut statute prohibiting the use of contraceptives by married couples. The conviction was upheld in the state courts and Griswold appealed. The issue was whether a constitutional right of privacy exists that prohibits states from making use of contraceptives by a married couple a crime. The Court found that specific guarantees of the Bill of Rights have penumbras, or peripheral rights, that make the specific rights more secure. Since several of the amendments in the Bill of Rights cannot exist unless privacy is respected, privacy is obviously a right that is protected. Thus, a right of privacy exists, and the Connecticut statute was held to be void.
The Katz v. US opinion followed in 1967. In Katz, the court rejected the concept that 4th Amendment protection depends on a trespass to property. In Katz, the government had tapped a phone booth by listening to the conversation through the glass of the booth. There was no physical intrusion into the phone booth. The Supreme Court rejected the “trespass" doctrine of Olmstead and expanded 4th Amendment protections based on the protection of individual privacy. The court held that the 4th Amendment protects people - not places. The court stated that "what a person knowingly exposes to the public, even in his own home or office, is not a subject of 4th Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected." Thus, because there was a reasonable expectation of privacy in the telephone booth, the conversation was protected by the 4th Amendment.
Justice Harlan wrote a dissenting opinion in Katz that became the test for violations of the 4th amendment. Justice Harlan’s two-part test is: (1) that the person have an actual expectation of privacy (a subjective standard) and (2) that the expectation be one that society is prepared to recognize as ‘reasonable’ (an objective standard).
In 1968, shortly after the Katz opinion, Congress passed Title III of the Omnibus Crime Control and Safe Streets Act. The Act authorized microphone surveillance or wiretapping for law enforcement purposes but required a warrant, based on probable cause, prior to such surveillance or wiretapping.
In 1977, the court again addressed the issue of privacy in Whalen v. Roe. New York had passed a statute that required physicians to provide copies of prescriptions for ‘potentially harmful’ drugs to the state. The information furnished with the prescription included the patients name, age, address, and type and quantity of medication. Public disclosure of the information was prohibited and access to the files was confined to a limited number of health department and investigatory personnel. A group of physicians and patients brought suit challenging the constitutionality of the statute. The contention was that the statute was an invasion of the constitutionally protected ‘zone of privacy.’ The issue as decided by the Supreme Court was ‘whether the State of New York may record, in a centralized computer file, the names and addresses of all persons who have obtained, pursuant to a doctor's prescription, certain drugs for which there is both a lawful and an unlawful market.’ The Supreme Court held that the statue was constitutional. The rationale for this decision was that the statutes constituted a reasonable exercise of the broad police power of the states. Because the states had laid out a plan for ensuring the security of the information, the risk that the information would be mishandled was low. In summary, the privacy arguments presented by the patients and doctors were not sufficient to invalidate the statute.
Kyllo v. United States is a 2001 opinion. In Kyllo, the police used a thermal imaging device to see heat radiating from a man’s home. They used this information as the basis for a search warrant. The search yielded 100 marijuana plants. The defendant argued that this was an unconstitutional search. The court agreed with the defendant and held that an unconstitutional search had occurred. The court stated “we think that obtaining by sense-enhancing technology any information regarding the interior of the home that could not otherwise have been obtained without physical intrusion into a constitutionally protected area (i.e., the home) constitutes a search – at least where (as here) the technology in question is not in general public use.”
In summary, it is apparent the Supreme Court expanded the right of privacy during the 20th century and placed it within the protection of the U.S. Constitution. Next month, we will explore the application of these principles to the world of the Internet and digital information.
PC World had an excellent article about profiling in the March, 2000 issue. PC World detailed how online profiling works. “Let's say I'm looking for a first-edition copy from the wildly popular Harry Potter book series. I go to AltaVista and search for sites that sell rare books. By storing a snapshot of my search, the company that has placed the ever-present banner ad at the top of AltaVista's page -- in this case, DoubleClick -- has taken the first step in building a profile of my surfing habits. From this point on (until I change browsers, buy a new computer, or delete my cookies file), DoubleClick can track my browser's activity across all sites on which it handles banner ad placements.” DoubleClick uses “cookies” to accomplish this tracking.
DoubleClick can then use this information to identify specific consumers and specific email addresses (this is a more elaborate process). This information can then be used to send “targeted” spam to specific consumers. Consumers can visit the websites of companies like DoubleClick to determine their privacy policies but few consumers do so.
The website for the Center for Democracy and Technology (CDT) has an excellent section regarding online privacy at www.cdt.org/privacy/guide/start/track.html The CDT website outlines a number of federal privacy laws, such as privacy of communications (the 1986 Electronic Communications Privacy Act and the Telephone Consumer Protection Act of 1991); privacy of financial information (the 1970 Fair Credit Reporting Act); privacy of government collections (the Privacy Act of 1974); privacy of medical records (the Health Insurance Portability and Accountability Act of 1996); and privacy of other personal records (the Video Privacy Protection Act of 1988). However, none of these laws addresses the issue of profiling and the Internet.
The CDT website reports the efforts of the Federal Trade Commission (FTC) to address this issue. On May 23, 2000, after several years of relying on a self-regulatory approach, the FTC issued a Report to Congress asking for the authority to regulate online privacy. While the report noted that an increasing number of Web sites now post privacy policies, it also noted that only 20% meet the FTC's fair information practices. In June and July of 2000, the FTC issued a two-part report on online profiling and industry self-regulation. The Commissioners unanimously commended the Network Advertising Initiative (NAI) for its self-regulatory proposal that seeks to implement Fair Information Practices for the major Internet advertisers' collection of online consumer data. The July report also asked Congress to enact baseline legislation to protect consumer privacy.
The FTC has information regarding privacy at www.ftc.gov/privacy. “The FTC is educating consumers and businesses about the importance of personal information privacy, including the security of personal information. Under the FTC Act, the Commission guards against unfairness and deception by enforcing companies' privacy promises about how they collect, use and secure consumers' personal information. Under the Gramm-Leach-Bliley Act, the Commission has implemented rules concerning financial privacy notices and the administrative, technical and physical safeguarding of personal information, and it aggressively enforces against pretexting. The Commission also protects consumer privacy under the Fair Credit Reporting Act and the Children's Online Privacy Protection Act.
DoubleClick has been challenged regarding its practice of collecting consumer data through cookies. DoubleClick was sued in a class action in New York. The plaintiffs alleged in that litigation that DoubleClick had consumer information consisting of 100 million consumer profiles.
Inna Fayenson published an article in the New York Law Journal in 2001 that stated, “The three federal statutes on which "cookie" claims have been based, including in the DoubleClick class action, are: (1) Title II of the Electronic Communications Privacy Act (ECPA), which is essentially aimed against computer 'hackers'; (2) the Federal Wiretap Act, which, as its name implies, prohibits intercepting wire, oral or electronic communications for criminal or tortious purposes; and (3) the Computer Fraud and Abuse Act, which is meant to secure the operations of electronic communications service providers. Because none of these statutes was designed to address cookies, applying any one of them would at best be a stretch, which the Southern District Court of New York refused to do in In re DoubleClick, specifically saying that none of these Acts was intended to prohibit conduct like DoubleClick's and that "[furthermore], DoubleClick's practices and consumers' privacy concerns with them are not unknown to Congress," referring to pending legislation.” In summary, DoubleClick won that round.
Fayenson concludes her article with the following recommendation: “Thus, if our new concept of privacy includes the right to some basic anonymity, a right not to be profiled without our consent, and/or a right not to be overloaded with sales pitches, and if this concept of privacy is to be legally protected, then it is this author's recommendation, which appears to be consistent with the current position of the FTC, that these rights be protected, to the extent possible, with technology-neutral statutory language with equal application in the on-line and off-line worlds.”
Fayenson is correct. The consumer should have the right to protect his/her information from online data collection. However, this goal will be difficult to achieve because of the commercial possibilities and the cash flow that this information can generate. This data has commercial value.
John Brewer practices law in Oklahoma City, is a member of the Governor’s and Legislative Task Force for E-Commerce, and enjoys issues relating to eBusiness and cyberspace. Comments and questions are welcome and can be emailed to johnb@jnbrewer.com.
For more information on the Tulsa Computer Society click here