Archive for the ‘privacy’ Category

Apple, Privacy and Law

ApplePayYesterday Apple had its massive product presentation and one of the products it announced was a new pay system for credit cards, Apple Pay. Load the cards into an iPhone, and then just wave them in front of a techno-gadget at the check-out counter and you’re done. Simple.

Why might this be important? Currently, big business is tripping all over itself to gather as much information on you as possible, taking away big chunks of your privacy.

A 2012 New York Times piece on Target explained how, based on the buying patterns of a teenager — unscented lotions, vitamin supplements and other non-pregnancy related products — it knew she was pregnant early on and sent coupons for maternity clothes to her home. Her father was livid. And unaware of his daughter’s state.

Target is obviously not alone in doing everything possible to create massive data banks about you. Data banks that, perhaps, can then be hacked into (or subpoenaed).

Personally, I find myself using cash more and more often, as I cherish my privacy.

But Apple Pay may reverse that direction. According to CEO Tim Cook, the iPhone encrypts the card numbers, and when you make a purchase, the store can’t attach product information to your purchase.

That’s because the store doesn’t even get your name, much less your card number. Hacking the store’s computers should keep the consumer safe (again, see Target, and its loss of 40M credit card numbers).

And even Apple doesn’t get the information. From the Apple website, two key paragraphs:

Apple doesn’t save your transaction information.With Apple Pay, your payments are private. Apple doesn’t store the details of your transactions so they can’t be tied back to you. Your most recent purchases are kept in Passbook for your convenience, but that’s as far as it goes.

Keep your cards in your wallet. Since you don’t have to show your credit or debit card, you never reveal your name, card number or security code to the cashier when you pay in store. This additional layer of privacy helps ensure that your information stays where it belongs. With you.

If this works as planned, it has the potential to (partially) reverse our headlong dumping of personal information about ourselves into the computers of Big Business, both with respect to the items we buy as well as the cards we use.

The less data that exists in the data banks, the less it can be abused.

Can New Protective Order Law Be Used for Facebook Demands?

Facebook-logoThe New York Law Journal has a short article today on an expansion of New York law regarding protective orders from over-reaching discovery (CPLR 3103(a)). Governor Cuomo signed it yesterday.

While it has long been the law that any person from whom discovery is sought may object to a discovery demand, the new amendment now includes objections regarding others who may merely be mentioned in the discovery being sought.

This can, as I’ll explain in a moment, be used to protect against many aspects of Facebook, social media and email demands.

The rationale for the law, however, didn’t have anything to do with Facebook. This is the simple (and quite logical) reasoning from the memo accompanying the bill:

Not addressed [in the current law] is a person about whom records are being subpoenaed from either a party or another nonparty. By way of example, if an accountant is subpoenaed to produce the records of clients who are not parties to the litigation, it is unclear under the present statute whether the non-party clients would have standing to object to the production of their records.

This is easy to understand if an accountant’s records are sought. Just because there may be a lawsuit regarding one aspect of your accountant’s practice, having nothing to do with you, does that mean that your private records should be disclosable? Shouldn’t you at least have standing to object?

The law was proposed by Chief Administrative Judge A. Gail Prudenti and her Advisory Committee on Civil Practice to fill a procedural gap.

But what if Facebook records are sought? These requests are getting more common as the months go by, and I’ve collected a few New York decisions on the matter.

The scenario in which it would come up is easy to foresee: Joe busts his arm in a car collision (not an accident). He writes about it on Facebook. His friends, who have their privacy settings maxed out, respond. Perhaps one of them jokes in a comment or private message, “You been drinking again?”

Are the comments and messages of the friends discoverable? The law here, of course, is not whether those comments may be admissible at trial, but merely discoverable. Can the defense lawyers go on a fishing expedition through the comments and messages of friends and their lives? These friends clearly have an expectation of privacy, as Facebook has explicitly told them so.

It seems to me that this new law can, will, and should, be used to combat over-reaching Facebook demands. Expect to see decisions on this in a year or two.

What Government Data is Public? What is Private?

My last two posts dealt with Freedom of Information requests to state government for data. Both decisions said that governments were allowed to evaluate the release of information based on the reasons for the requests, balancing out the privacy concerns of those whose information was sought.

The  New York decision prohibited the transfer of mugshots and arrest data to a mugshot website (whereupon fees would be charged for their removal), and then a SCOTUS decision came on lawyers’ requests for Department of Motor Vehicle data so that they could solicit people for a class action against auto dealerships.

In other words, some government information can be made public, some remains private, and some is semi-public depending on who does the asking.

Into the comments came a response  from a long-time commenter and mostly-retired software engineer, Old Geezer (a/k/a Tom Cikoski, bio and head shot at the bottom).  I thought it should be elevated to a guest blog, so with his permission, here it is:

In a sense all this talk of public versus private versus private/public versus public/private data becomes mooter by the day. (Mooter?)

The only data that is and typically remains totally private any more is that which has not ever been rendered into electronic form. Any type of data store that is connected to the internet is subject either to innocent revelation (as in “I forgot to PW that folder”) or to deliberate hacking by folks much smarter than the defenders of the data store.

So the particular data store is not internet connected? Well, for those we have individuals called “leakers” these days who take “thumb drives” and trade them, brimming with data, for money, or for publicity.

And to think, Daniel Ellsberg had to stand over a hot copier for hours in order to leak!

It isn’t just ambulance chasers who go after such data, it’s also the pizza parlor down the street that has discovered the putative value of spam email or junk phone calling.

Two years ago we went from land line telephone to VoIP telephone at home. Within months we became the target of multiple daily telemarket and scam calls — so much so that I had to buy a call blocking device to filter them out. Even now, my call blocker, which holds 80 blocked numbers, must be recycled about every six weeks to deal with the new numbers that attack on an almost daily basis.

Don’t even get me started on spam email.

And this all stems from data which, at least in some sense, should be considered private. How do insurance companies know when I reach certain age milestones? They process the DMV data from the state. How do health insurers know my Medicare status? The government supplies everything they need — with a smile.

So, your “private” data is not only subject to public view, but also to public sale as well.

Note that our home number is on the so-called “Do Not Call” list and has been since the beginning. So every one of those annoying phone calls is in some sense illegal. That does not stop the calls. Legality is irrelevant.

And so, great and gallant judiciary, amuse yourselves by fighting that evil data protection windmill. Unless something takes down that mug shot business as a form of extortion, or the ambulance chasing as an ethical violation, the relevant data, IMHO, won’t stop flowing, SCOTUS or not.

old geezer

Tom Cikoski, who considers himself an Old Geezer, is an avid blog reader and sometime blog commenter using that same sobriquet in a variety of fora. Although mostly retired from software engineering, he still consults on IT issues part-time, and also dabbles in film-making, comedy performance, playing drums in a Scottish pipe band, ranting about various topics, and other assorted forms of geezer foolishness.

SCOTUS KOs Lawyers Trying to Use DMV Data To Solicit

Today’s question:  If the government collects information about you, and makes it public to some people, does that mean it has to make the same data available to everyone?

If the question looks familiar it’s because it was the subject of a post I made last week about mugshots and arrest data that a mugshot website wanted to place on the web (so it could then charge people to take the information down). That answer, according to New York trial judge interpreting a local statute, was no due to the privacy interests of the arrestees.

The post gave rise to a spirited debate in the comments on the issue of whether a government could selectively decide who to disclose this semi-pubic data to. In other words, is there such a thing as semi-public data?

And now, just days later, the United States Supreme Court has weighed in with a similar issue. This time it deals with data about the citizenry from departments of motor vehicles. That data is available to attorneys, but not the general public, under a litigation exception in the law..

In Maracich v. Spears, enterprising lawyers figured they could mine the DMV data of South Carolina to find potential clients for a class action against certain car dealers claiming the dealers violated state consumer potection laws.

But not so fast, sayeth our highest court. Just because some people can get the data (lawyers involved in litigation) doesn’t mean anyone can get it simply because they want to solicit others for a lawsuit. Those folks were not involved in litigation, they were trying instead to drum up business to start litigation. In other words, the Supreme Court says that the idea of semi-public information is not a problem.

These were, of course, different statutes being interpreted; the first being New York’s Freedom of Information Law and the second a federal motor vehicle law designed to protect drivers from exposure of private information. But both dealt with issues of privacy for individuals regarding data that the government had, and in both cases that data was being protected from public dissemination the statutes that the courts enforced.

The various governments we elect and live under have tons of data on us, of course, and the issue of what to disclose and who can access it is an ongoing issue.  Who really wants to government, after all, to release all of our social security numbers, tax returns and Medicare records? And yet, sometimes that data can come out, either in individual or aggregated forms to those doing studies.

But just because the government has data that might be public doesn’t mean the public gets it. The privacy rights of the public sit there on the other side of the scale.

NY Judge KOs Request for Mugshots/Data by Mugshot Company (Updated)

Some of you are aware of a cottage industry whereby “entrepreneurs” scrape the websites of local law enforcement, put mugshots on the web, and then, for a small but tasty fee will take them down when an aggrieved individual complains. I wrote about this last year (as did Scott Greenfield, see also Reuters).

No, I don’t know how such people can live with themselves by creating misery for others just so they can turn a buck. But that is only a secondary point of this post.

As first reported by the New York Law Journal ($), a New York judge shot down the Freedom of Information request of Kyle Prall, who owns one of those extortion-like sites. In Prall v. New York City Department of Corrections, Justice Darrell Gavrin denied the request, which came to her attention when Prall sued for the information after being denied by the Department of Corrections.

The website, (no link, no juice),publishes the names, addresses, dates of birth, arrest records and photos of inmates. The charge is $68 to have the data removed.

Given the problems with identify theft and the fact that much of the information is private, the court ruled that the Department did not act in an arbitrary and capricious manner in using the magic word ‘no.” The court wrote that the Department of Corrections:

demonstrated a particularized and specific justification for withholding the dates of birth and addresses of inmates. Respondents assert that the dates of birth and addresses of inmates are not relevant or essential to their work, as it is primarily charged with the duty of detaining inmates and preparing them for successful reentry into the community. This personal information has been reported to respondents in confidence and the information is not relevant to the ordinary work of the New York City Department of Corrections.

In view of the privacy interests at stake, disclosure of the records of respondents containing dates of birth and home addresses, and other personal information of inmates could easily be used to facilitate identity theft, thereby resulting in both economic and personal hardship to inmates. The dates of birth of inmates, who enjoy a lesser degree of privacy, have been protected from disclosure under FOIL. The decision of respondents to deny petitioner access to dates of birth and addresses of inmates was not arbitrary and capricious nor was it an abuse of discretion.[citations omitted for blog post]

And Prall didn’t get the pictures either, and that was based on his own conduct in trying to use the information to inflict harm. As much as I hate using block quotes from opinions

As to that branch of the petition which seeks photographs, respondents properly withheld photographs of inmates as the disclosure would constitute an unwarranted invasion of privacy resulting in personal and/or economic hardship to inmates. Specifically, respondents contend that “the department is not privy to the circumstances surrounding any trials, court appearances, and possible cooperation with enforcement” and the release of inmate photographs could expose them to harm. Furthermore, inmates will suffer economic hardship if their photographs are released because petitioner intends to post these photographs on his website and then demand a $68.00 fee to remove each photograph. Given the earning capacity of inmates, the $68.00 fee is quite steep. If the fee is not paid, an inmate’s photograph and other information will remain on the website, causing personal and economic hardship due to the notorious nature of the photograph which would be readily available to a prospective employer, creditor, potential landlord, or the like.

Respondents also claim inmate photographs are exempt from FOIL disclosure because disclosure will endanger the lives and safety of inmates and their family members. In support of their argument, respondents submitted the affidavit of E. Perez, Assistant Chief of Security for Department of Corrections. Mr. Perez states that he has more than 20 years experience and explains that the majority of violence in jails is gang-related. He opines that the release of photographs of inmates would increase gang violence targeted at inmates and their family members. Personal information such as names, addresses and photographs of gang members in jail, which is ordinarily not available to gang members outside the prisons, would be more readily available through exposure on the internet; this exposure would endanger the lives and safety of inmates. Interestingly, petitioner did not rebut the affidavit of Mr. Perez.

The only real question I have on this, why would a lawyer be a party do such a scummy project, whose only purpose is the creation of misery so that someone can profit? In this case Prall was represented by John Campbell of Tilem & Campbell. It is one thing to represent someone bad who’s been arrested, but assist him in creating misery by representing him in a civil suit?  As I wrote just yesterday, you have to learn to say no to potential clients.

Update: Just days after this post, the United States Supreme Court weighed in on another case dealing with semi-public governement data: Sometimes the government will give it out and sometimes not, depending on who you are and what the data is being used for.

Docs to Cops: Drop Dead

This story comes via Scott Greenfield, and it is depressing, funny and heartwarming all at the same time.

This is the depressing part:  Police down in Sarasota, Florida thought they had a brilliant idea on how to get information on people they thought were violating the drug laws with respect to abusing prescription medications. All they had to do, the geniuses figured, was have patients sign a form waiving all of their patient-physician privacy rights. This way, if they wanted to investigate someone, they wouldn’t have to bother with all that icky stuff regarding judges and search warrants. The doctors would just have the patient sign the forms, and then the cops could just dance right into the doctor’s office and start nosing around without the patient knowing. Brilliant

The waiver, as originally published in Sarasota’s Herald-Tribune, looks like this:

The local constabulary was obviously hoping that patients wouldn’t bother to read all the legal mumbo-jumbo and challenge their doctor regarding the form. When you go to a doctor, and are in pain, reading forms isn’t exactly high on the list of things to do. Especially when written in legalese.

When people seek out medical attention it is because they need treatment, so they generally sign whatever is placed in front of them. And they don’t want to pick fights about forms with doctors for fear of being shown the exit door.

One of the more comical aspects of this attempted end-run around the constitutional rights of the patients, came from Patrick Duggan, assistant general counsel for the sheriff’s office. He, along with Sgt. Debra Kaspar from the Sheriff’s office, were behind the scheme. Duggan had this to say:

We want to make good cases. We don’t want anyone’s rights violated. We drafted the form to give the doctors a mechanism to contact us. It was really designed more as a safeguard to protect people’s rights than anything else.

His ability to say this without doubling over in laughter qualifies him for political office, where mendacity is king.

Now I did say that this story was also heartwarming. How could something this awful be heartwarming?

Easy. Because the local doctors have told Duggan and Kaspar and their minions to go to hell.

From the Herald Tribune:

Kaspar and Duggan have no explanation for why doctors are not turning in any waivers.

The docs done good.

Facebook Says “Privacy Expectations” On Its Site

Demand in personal injury suits for Facebook details are becoming more common, as I’ve posted about recently. One of the defense arguments is that there is no expectation of privacy for things posted on Facebook, regardless of the privacy settings, so the lawyers should be able to snoop.

Now, just so the record is clear, Facebook says otherwise. In a posting today on its own site, Chief Privacy Officer Erin Egan wrote that there is an expctation of privacy. The reason for her post was a recent story where employers were asking job applicants for their Facebook passwords, or to have one of their managers “friended,” so that the company could go rummaging around in the personal lives of the applicant. Sort of like asking to see someone’s email account, only much worse. She wrote that “This practice undermines the privacy expectations and the security of both the user and the user’s friends.”

Egan wrote with respect to the expectation of privacy and delving into the accounts:

This practice undermines the privacy expectations and the security of both the user and the user’s friends.

There is a clear parallel here to the litigation setting. Users write with an expectation of privacy, and friends of those users do also. So says Facebook. Should a court permit unlimited snooping, it isn’t just the litigant who has been probed by the lawyer, but all of the litigants friends.



Previously Anonymous Actress Suing IMDb/Amazon Refiles Suit

Junie Hoang has agreed to surrender her anonymity to sue IMDb/Amazon for invasion of privacy

Back in November, a suit made national headlines when an anonymous actress sued the Internet Movie Database (owned by Amazon) for invading her privacy. She alleged that Amazon had her credit card information to find her date of birth, and gave it to IMDb to put up on its site. This issue was important given the rampant discrimination in Hollywood against actresses who reach the age of 40. She claimed that IMDb got the date of birth from Amazon.

The lawsuit sounds in fraud and breach of contract given various privacy and consumer protection laws, as well as Amazon’s agreement to handle personal information “carefully and sensibly.”

I predicted back then that Amazon’s lawyers would attack the concept of anonymity, under the theory that the actress would drop the suit if forced to reveal her name. And I said Amazon would win that fight as federal courts have a very high bar for anonymous suits.

Amazon did exactly that, and as I predicted, they persevered and the judge dismissed the suit forcing her to either drop the matter or go public.

And actress Huang Hoang, using the stage name Junie Hoang, likely surprised the hell out of Amazon’s lawyers  by telling them, in substance, vade et caca in pilleum et ipse traheatur super aures tuo (go shit in a hat and pull it down over your ears).  She decided to refile suit under her real name. It’s nice to see that she has the courage of her convictions.

By the way, the underlying basis for why Ms. Hoang wanted to keep her age private, and was outraged at what she believes was the breach of her privacy is here:

Women over 40 make up 24.3 percent of the U.S. population, but a casting analysis by the Screen Actors Guild showed actresses over 40 get just 12.5 percent of roles for television and film. Men of that age are also about a quarter of the population, but nearly equal their ranks in casting.


IMDb Attacks Anonymity of Actress that Sued For Publishing Her Age

Last month a story rocketed around the web of an actress suing the Internet Movie Database (owned by, claiming it used credit card information to find her birth date and publish it on the IMDb site.  Most stories left the invasion of privacy issue alone and focused on an actress suing to keep her age confidential – she says that ageism in Hollywood is a big problem for actresses as they approach 40.

I used my site, however, to talk about whether or not a court would permit her to proceed anonymously, a subject then picked up by The Hollywood Reporter.

And now The Hollywood Reporter follows up with a story saying that IMDb is doing exactly as I  predicted, attacking her anonymity. I bet there is no doubt among the strategists that if she can be forced to reveal her identity,  the suit will be dropped and IMDb will never have to confront the issue of privacy issues and credit cards.

According to THR, IMDb has now filed a nasty motion to dismiss, believing that this actress is the same as another that made a similar complaint:

she first tried to get the service to post a false birthdate so she could fool potential Hollywood employers into thinking she was younger than she actually is. Now a judge is being asked to dismiss the lawsuit so as to not perpetuate a fraud on the public.

Oooooh. Fight back against the actress with a charge of trying to defraud the public. Correct me if I’m wrong, but isn’t that what Hollywood and actors do? Does anyone really believe a giant monkey will climb the Empire State Building? That there’s a giant intergalactic war going on? That Joanie really loves Chachi?

This is the way IMDb approaches the  issue in the Court:

“Truth and justice are philosophical pillars of this Court. The perpetuation of fraud, even for an actor’s career, is inconsistent with these principals. Plaintiff’s attempt to manipulate the federal court system so she can censor iMDb’s display of her birth date and pretend to the world that she is not 40 years old is selfish, contrary to the public interest and a frivolous abuse of this Court’s resources.”

Of course, the actress wasn’t trying to perpetuate a fraud on the court, but trying to stop an invasion of privacy regarding her credit card information. So that is an interesting shift of the real issue.

But not everything is serious in the filing, as THR reports:

The company also claims to be taking the moral high ground in protecting entertainment consumers from an actress who wants to “more easily deceive the public and prospective employers about her age and potentially be considered for more roles.”

Of course, I think that IMDb is being funny when it talks about the public being deceived by an actress, whose very training is doing just that: pretending to be someone else. It’s sort of what makes Hollywood go round and round.

One particularly odd thing about the synopsis of the filing: IMDb is claiming an attempted fraud, yet they claim not to know who the actress actually is. They only think it is someone else who made a similar complaint.

Anyway, when the fighting is all done, I think the actress will lose her bid to be anonymous, but it will have nothing to do with trying to perpetuate frauds. It will be because this type of case doesn’t meet the high bar set for seeking anonymity that I originally discussed.

Actress Wants Anonymity in Suit Against Amazon for Revealing Age (This is Why She Won’t Keep It)

A Texas actress, who wishes to remain anonymous, has sued for revealing her age on the company’s Internet Movie Database. The claim? That Amazon poached her date of birth based on credit card information and published it on IMDb, and that revelations about her age have hindered her ability to get work as she approaches 40. (Suit here)

Leaving aside the merits of the case — which raises interesting questions at least from a privacy standpoint if that is where the date of birth came from — can the actress bring her suit in federal court and remain anonymous while doing so?

The question of a plaintiff wanting to remain anonymous usually comes up in the context of sexual assault cases. Bringing suit on behalf of a “Jane Doe” is something I’ve done in the past, as have many, many others. Because it is one thing to be sexually assaulted. But exposing those details in such a manner that casual court voyeurs also get to see it leaves many people so uncomfortable that they feel they would be victimized a second time just by bringing suit if their real names were used. Thus, the name is kept out of the courthouse files.

Unless you get the wrong judge. Back in late 2006 I wrote about a sexual assault case that landed on the front page of the New York Law Journal, because a judge in the Southern District of New York rejected the use of the Jane Doe pseudonym. I thought the decision was wrongly decided, but no one has given me a black robe so I don’t get to vote.

Which brings us back to the actress that sued Amazon. The smart money from my corner says that, if Amazon makes the motion, the court will not allow the case to proceed in this fashion, in which case she will be forced to disclose her identity or drop the matter. (This matter was first reported on Twitter by @Eric Goldman)

Now this particular case was brought in Seattle, which is part of the area covered by the Court of Appeals for the Ninth Circuit. And this is the Ninth Circuit rule on the subject:

In this circuit, we allow parties to use pseudonyms in the “unusual case” when nondisclosure of the party’s identity “is necessary … to protect a person from harassment, injury, ridicule or personal embarrassment.”

“a party may preserve his or her anonymity in judicial proceedings in special circumstances when the party’s need for anonymity outweighs  prejudice to the opposing party and  the public’s interest in knowing the party’s identity.” Does I Thru XXIII v. Advanced Textile Corp., 214 F.3d 1058, 1068 (9th Cir.2000).

There seems to be little chance, in my opinion, that this actress stays anonymous if she wants to keep litigating.

Of course, the guessing game has started anyway as to who it is:

Which Actress Is Suing IMDb for Revealing Her Age? (Gawker)


Actress Sues Amazon For Publishing Her Age (The Guardian)



« Older Entries