September 10th, 2014

Apple, Privacy and Law

Yesterday Apple had its massive product presentation and one of the products it announced was a new pay system for credit cards, Apple Pay. Load the cards into an iPhone, and then just wave them in front of a techno-gadget at the check-out counter and you’re done. Simple.

Why might this be important? Currently, big business is tripping all over itself to gather as much information on you as possible, taking away big chunks of your privacy.

A 2012 New York Times piece on Target explained how, based on the buying patterns of a teenager — unscented lotions, vitamin supplements and other non-pregnancy related products — it knew she was pregnant early on and sent coupons for maternity clothes to her home. Her father was livid. And unaware of his daughter’s state.

Target is obviously not alone in doing everything possible to create massive data banks about you. Data banks that, perhaps, can then be hacked into (or subpoenaed).

Personally, I find myself using cash more and more often, as I cherish my privacy.

But Apple Pay may reverse that direction. According to CEO Tim Cook, the iPhone encrypts the card numbers, and when you make a purchase, the store can’t attach product information to your purchase.

That’s because the store doesn’t even get your name, much less your card number. So even if the store’s computers are hacked, the consumer should stay safe (again, see Target, and its loss of 40M credit card numbers).

And even Apple doesn’t get the information. From the Apple website, two key paragraphs:

Apple doesn’t save your transaction information. With Apple Pay, your payments are private. Apple doesn’t store the details of your transactions so they can’t be tied back to you. Your most recent purchases are kept in Passbook for your convenience, but that’s as far as it goes.

Keep your cards in your wallet. Since you don’t have to show your credit or debit card, you never reveal your name, card number or security code to the cashier when you pay in store. This additional layer of privacy helps ensure that your information stays where it belongs. With you.

If this works as planned, it has the potential to (partially) reverse our headlong dumping of personal information about ourselves into the computers of Big Business, both with respect to the items we buy as well as the cards we use.

The less data that exists in the data banks, the less it can be abused.


August 7th, 2013

Can New Protective Order Law Be Used for Facebook Demands?

The New York Law Journal has a short article today on an expansion of New York law regarding protective orders from over-reaching discovery (CPLR 3103(a)). Governor Cuomo signed it yesterday.

While it has long been the law that any person from whom discovery is sought may object to a discovery demand, the new amendment now includes objections regarding others who may merely be mentioned in the discovery being sought.

This can, as I’ll explain in a moment, be used to protect against many aspects of Facebook, social media and email demands.

The rationale for the law, however, didn’t have anything to do with Facebook. This is the simple (and quite logical) reasoning from the memo accompanying the bill:

Not addressed [in the current law] is a person about whom records are being subpoenaed from either a party or another nonparty. By way of example, if an accountant is subpoenaed to produce the records of clients who are not parties to the litigation, it is unclear under the present statute whether the non-party clients would have standing to object to the production of their records.

This is easy to understand if an accountant’s records are sought. Just because there may be a lawsuit regarding one aspect of your accountant’s practice, having nothing to do with you, does that mean that your private records should be disclosable? Shouldn’t you at least have standing to object?

The law was proposed by Chief Administrative Judge A. Gail Prudenti and her Advisory Committee on Civil Practice to fill a procedural gap.

But what if Facebook records are sought? These requests are getting more common as the months go by, and I’ve collected a few New York decisions on the matter.

The scenario in which it would come up is easy to foresee: Joe busts his arm in a car collision (not an accident). He writes about it on Facebook. His friends, who have their privacy settings maxed out, respond. Perhaps one of them jokes in a comment or private message, “You been drinking again?”

Are the comments and messages of the friends discoverable? The law here, of course, is not whether those comments may be admissible at trial, but merely discoverable. Can the defense lawyers go on a fishing expedition through the comments and messages of friends and their lives? These friends clearly have an expectation of privacy, as Facebook has explicitly told them so.

It seems to me that this new law can, will, and should, be used to combat over-reaching Facebook demands. Expect to see decisions on this in a year or two.


June 20th, 2013

What Government Data is Public? What is Private?

My last two posts dealt with Freedom of Information requests to state government for data. Both decisions said that governments were allowed to evaluate the release of information based on the reasons for the requests, balancing out the privacy concerns of those whose information was sought.

The New York decision prohibited the transfer of mugshots and arrest data to a mugshot website (whereupon fees would be charged for their removal), and then a SCOTUS decision came on lawyers’ requests for Department of Motor Vehicle data so that they could solicit people for a class action against auto dealerships.

In other words, some government information can be made public, some remains private, and some is semi-public depending on who does the asking.

Into the comments came a response from a long-time commenter and mostly-retired software engineer, Old Geezer (a/k/a Tom Cikoski, bio and head shot at the bottom). I thought it should be elevated to a guest blog, so with his permission, here it is:

In a sense all this talk of public versus private versus private/public versus public/private data becomes mooter by the day. (Mooter?)

The only data that is and typically remains totally private any more is that which has not ever been rendered into electronic form. Any type of data store that is connected to the internet is subject either to innocent revelation (as in “I forgot to PW that folder”) or to deliberate hacking by folks much smarter than the defenders of the data store.

So the particular data store is not internet connected? Well, for those we have individuals called “leakers” these days who take “thumb drives” and trade them, brimming with data, for money, or for publicity.

And to think, Daniel Ellsberg had to stand over a hot copier for hours in order to leak!

It isn’t just ambulance chasers who go after such data, it’s also the pizza parlor down the street that has discovered the putative value of spam email or junk phone calling.

Two years ago we went from land line telephone to VoIP telephone at home. Within months we became the target of multiple daily telemarket and scam calls — so much so that I had to buy a call blocking device to filter them out. Even now, my call blocker, which holds 80 blocked numbers, must be recycled about every six weeks to deal with the new numbers that attack on an almost daily basis.

Don’t even get me started on spam email.

And this all stems from data which, at least in some sense, should be considered private. How do insurance companies know when I reach certain age milestones? They process the DMV data from the state. How do health insurers know my Medicare status? The government supplies everything they need — with a smile.

So, your “private” data is not only subject to public view, but also to public sale as well.

Note that our home number is on the so-called “Do Not Call” list and has been since the beginning. So every one of those annoying phone calls is in some sense illegal. That does not stop the calls. Legality is irrelevant.

And so, great and gallant judiciary, amuse yourselves by fighting that evil data protection windmill. Unless something takes down that mug shot business as a form of extortion, or the ambulance chasing as an ethical violation, the relevant data, IMHO, won’t stop flowing, SCOTUS or not.

old geezer

Tom Cikoski, who considers himself an Old Geezer, is an avid blog reader and sometime blog commenter using that same sobriquet in a variety of fora. Although mostly retired from software engineering, he still consults on IT issues part-time, and also dabbles in film-making, comedy performance, playing drums in a Scottish pipe band, ranting about various topics, and other assorted forms of geezer foolishness.


June 19th, 2013

SCOTUS KOs Lawyers Trying to Use DMV Data To Solicit

Today’s question:  If the government collects information about you, and makes it public to some people, does that mean it has to make the same data available to everyone?

If the question looks familiar it’s because it was the subject of a post I made last week about mugshots and arrest data that a mugshot website wanted to place on the web (so it could then charge people to take the information down). That answer, according to a New York trial judge interpreting a local statute, was no, due to the privacy interests of the arrestees.

The post gave rise to a spirited debate in the comments on the issue of whether a government could selectively decide who to disclose this semi-public data to. In other words, is there such a thing as semi-public data?

And now, just days later, the United States Supreme Court has weighed in with a similar issue. This time it deals with data about the citizenry from departments of motor vehicles. That data is available to attorneys, but not the general public, under a litigation exception in the law.

In Maracich v. Spears, enterprising lawyers figured they could mine the DMV data of South Carolina to find potential clients for a class action against certain car dealers claiming the dealers violated state consumer protection laws.

But not so fast, sayeth our highest court. Just because some people can get the data (lawyers involved in litigation) doesn’t mean anyone can get it simply because they want to solicit others for a lawsuit. Those folks were not involved in litigation, they were trying instead to drum up business to start litigation. In other words, the Supreme Court says that the idea of semi-public information is not a problem.

These were, of course, different statutes being interpreted; the first being New York’s Freedom of Information Law and the second a federal motor vehicle law designed to protect drivers from exposure of private information. But both dealt with issues of privacy for individuals regarding data that the government had, and in both cases that data was being protected from public dissemination by the statutes that the courts enforced.

The various governments we elect and live under have tons of data on us, of course, and what to disclose and who can access it is an ongoing issue. Who really wants the government, after all, to release all of our social security numbers, tax returns and Medicare records? And yet, sometimes that data can come out, either in individual or aggregated forms to those doing studies.

But just because the government has data that might be public doesn’t mean the public gets it. The privacy rights of the public sit there on the other side of the scale.


June 14th, 2013

NY Judge KOs Request for Mugshots/Data by Mugshot Company (Updated)

Some of you are aware of a cottage industry whereby “entrepreneurs” scrape the websites of local law enforcement, put mugshots on the web, and then, for a small but tasty fee will take them down when an aggrieved individual complains. I wrote about this last year (as did Scott Greenfield, see also Reuters).

No, I don’t know how such people can live with themselves by creating misery for others just so they can turn a buck. But that is only a secondary point of this post.

As first reported by the New York Law Journal ($), a New York judge shot down the Freedom of Information request of Kyle Prall, who owns one of those extortion-like sites. In Prall v. New York City Department of Corrections, Justice Darrell Gavrin denied the request, which came to her attention when Prall sued for the information after being denied by the Department of Corrections.

The website (no link, no juice) publishes the names, addresses, dates of birth, arrest records and photos of inmates. The charge is $68 to have the data removed.

Given the problems with identity theft and the fact that much of the information is private, the court ruled that the Department did not act in an arbitrary and capricious manner in using the magic word “no.” The court wrote that the Department of Corrections:

demonstrated a particularized and specific justification for withholding the dates of birth and addresses of inmates. Respondents assert that the dates of birth and addresses of inmates are not relevant or essential to their work, as it is primarily charged with the duty of detaining inmates and preparing them for successful reentry into the community. This personal information has been reported to respondents in confidence and the information is not relevant to the ordinary work of the New York City Department of Corrections.

In view of the privacy interests at stake, disclosure of the records of respondents containing dates of birth and home addresses, and other personal information of inmates could easily be used to facilitate identity theft, thereby resulting in both economic and personal hardship to inmates. The dates of birth of inmates, who enjoy a lesser degree of privacy, have been protected from disclosure under FOIL. The decision of respondents to deny petitioner access to dates of birth and addresses of inmates was not arbitrary and capricious nor was it an abuse of discretion. [citations omitted for blog post]

And Prall didn’t get the pictures either, and that was based on his own conduct in trying to use the information to inflict harm. As much as I hate using block quotes from opinions

As to that branch of the petition which seeks photographs, respondents properly withheld photographs of inmates as the disclosure would constitute an unwarranted invasion of privacy resulting in personal and/or economic hardship to inmates. Specifically, respondents contend that “the department is not privy to the circumstances surrounding any trials, court appearances, and possible cooperation with enforcement” and the release of inmate photographs could expose them to harm. Furthermore, inmates will suffer economic hardship if their photographs are released because petitioner intends to post these photographs on his website and then demand a $68.00 fee to remove each photograph. Given the earning capacity of inmates, the $68.00 fee is quite steep. If the fee is not paid, an inmate’s photograph and other information will remain on the website, causing personal and economic hardship due to the notorious nature of the photograph which would be readily available to a prospective employer, creditor, potential landlord, or the like.

Respondents also claim inmate photographs are exempt from FOIL disclosure because disclosure will endanger the lives and safety of inmates and their family members. In support of their argument, respondents submitted the affidavit of E. Perez, Assistant Chief of Security for Department of Corrections. Mr. Perez states that he has more than 20 years experience and explains that the majority of violence in jails is gang-related. He opines that the release of photographs of inmates would increase gang violence targeted at inmates and their family members. Personal information such as names, addresses and photographs of gang members in jail, which is ordinarily not available to gang members outside the prisons, would be more readily available through exposure on the internet; this exposure would endanger the lives and safety of inmates. Interestingly, petitioner did not rebut the affidavit of Mr. Perez.

The only real question I have on this: why would a lawyer be a party to such a scummy project, whose only purpose is the creation of misery so that someone can profit? In this case Prall was represented by John Campbell of Tilem & Campbell. It is one thing to represent someone bad who’s been arrested, but to assist him in creating misery by representing him in a civil suit? As I wrote just yesterday, you have to learn to say no to potential clients.

Update: Just days after this post, the United States Supreme Court weighed in on another case dealing with semi-public government data: Sometimes the government will give it out and sometimes not, depending on who you are and what the data is being used for.