EFF Breaking News
Tech News World
Chris Rush Cohen
E.D. Tex. Weblog
Hacking the Law
Online Liability Blog
Promote The Progress
Tech Law Advisor
Tech & Marketing
Cocktail Party Physics
Freedom to Tinker
Lawyers Don't Get It
Tech Liberation Front
Numbers Guy, The
Dump & Chase
On Frozen Blog
Off Wing Opinion
View From The Cheap Seats
Regret the Error
TiVo/Gizmo Lovers Blog
Tuesday, 27 February 2007
Posner's GPS society
I finally got around to reading U.S. v. Garcia, Case No. 06-2741 (7th Cir. February 2, 2007). I figured the hysterical blog posts were overstating Judge Posner's opinion for the Seventh Circuit. But I may have been wrong.
In Garcia, the defendant was charged with crimes relating to making methamphetamine. The police had received tips that the defendant was making meth, and they gathered evidence by tracking his car. Instead of assigning an officer to follow the car, they placed a GPS device under the rear bumper.
The police placed a GPS (global positioning system) "memory tracking unit" underneath the rear bumper of the Ford. Such a device, pocket-sized, battery-operated, commercially available for a couple of hundred dollars (see, e.g., Vehicle-Tracking, Incorporated, "GPS Vehicle Tracking with the Tracking Key,"www.vehicle-tracking.com/products/Tracking_Key.html, visited Jan. 21, 2007), receives and stores satellite signals that indicate the device's location. So when the police later retrieved the device (presumably when the car was parked on a public street, as the defendant does not argue that the retrieval involved a trespass), they were able to learn the car's travel history since the installation of the device. One thing they learned was that the car had been traveling to a large tract of land. The officers obtained the consent of the tract's owner to search it and they did so and discovered equipment and materials used in the manufacture of meth. While the police were on the property, the defendant arrived in a car that the police searched, finding additional evidence. [Slip Op. at page 2]
The court held that this did not constitute either a "seizure" or a "search" under the Fourth Amendment. The police therefore were not required to have a warrant or probable cause — or even a reasonable suspicion that Mr. Garcia had committed a crime.
Under this rule, the police are free to attach GPS tracking devices to any car at any time, and they can probably do it for any purpose. So long as they avoid direct harassment or a similar misstep, they can track protesters who exercise their First Amendment rights. They can track citizens with information embarassing public officials. They can track ethnic Arabs. And it's (apparently) legal.
I think I agree with the court on the seizure question. The police installed the device without the defendant's knowledge, so he was not deprived of the free use of the car. The device didn't take up any space in the passenger or storage compartments, so it didn't diminish his enjoyment of the car. I suppose the slight additional weight may reduce the car's gas mileage, so it might have imposed a slightly increased cost of operating the car. But that cost is probably negligible, impossible to measure, and overwhelmed by the weight of other cargo. So I would have a hard time calling this a "seizure" of the car.
I think I disagree on the search question, however. Judge Posner wrote (slip op. at pages 4–6):
The Supreme Court has held that the mere tracking of a vehicle on public streets by means of a similar though less sophisticated device (a beeper) is not a search. United States v. Knotts, 460 U.S. 276, 284-85, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983). But the Court left open the question whether installing the device in the vehicle converted the subsequent tracking into a search. Id. at 279 n. 2. […]
Fourth Amendment jurisprudence grew up in an era when practical constraints (like manpower and cost) limited surveillance to situations where crime was reasonably probable. Our society's balance between liberty and government power depended on these practical constraints. When a constraint is removed, the balance is upset. This is one of the most fascinating themes of science fiction literature. Imagine some activity that is limited today by practical constraints. Then imagine a technology that removes the constraint and examine the implications of our current laws and values when the activity is unrestrained. Unfortunately, Judge Posner is writing law and not science fiction.
Judge Posner recognizes that a tipping point will come when some new technology allows police to gather information quickly and cheaply on a massive scale where it would otherwise require expensive efforts. At that time, Judge Posner writes, we will have to reexamine the Fourth and Fifth Amendments to see if sui generis violations occur. He even acknowledges that "programs of mass surveillance of vehicular movements" may require the courts "to decide whether the Fourth Amendment should be interpreted to treat such surveillance as a search." (Slip op. at page 8)
Unfortunately, Garcia precludes this possibility and requires its own reversal whenever Judge Posner feels that day has come. If one instance of an act is not a search under the Fourth Amendment, as Judge Posner insists, then two instances of the same act is also not a search. How many does it take? I can't think of a good reason to pick any number. Either the act has Fourth Amendment implications or it doesn't.
The court expressly ignored the possibility that a trespass occurred because Mr. Garcia didn't raise it. (The court assumed the GPS device was retrieved while the car was parked on a public street.) Initially, I thought this might be the answer to my troubling Fourth Amendment concerns, but it isn't. Even if the police retrieve the device while the car is parked in a public place, the fact of tracking on a private road might provide some basis for finding that a search occurred. I don't think this makes me feel better, however, for two reasons. First, most people simply don't drive on many private roads. Second, I don't think Fourth Amendment rights should be that serendipitous — my rights could be different on Tuesday and Wednesday, depending on my schedule.
I don't have a good answer to these issues yet. The only thing I can say for sure is that Judge Posner's reasoning makes me uncomfortable because it is absolute.
Wednesday, 29 November 2006
Photo ID required to eat pancakes
QUINCY, Mass. — John Russo has been a victim of identity theft. So when he was asked to fork over a photo ID just to be seated at an IHOP pancake restaurant, he flipped. "'You want my license? I'm going for pancakes, I'm not buying the Hope diamond,' and they refused to seat us," Russo said, recounting his experience this week at the Quincy IHOP.
Tuesday, 15 February 2005
ChoicePoint & Privacy
I used to consider myself reasonably well informed about the issues surrounding privacy and information technology. I admit to feeling a little smug when I read Bob Sullivan's article on MSNBC yesterday, about breaches of consumer privacy admitted by ChoicePoint ("Database giant gives access to fake firms"). Mostly, I felt smug about one consumer whom Sullivan quoted as saying she had never heard of ChoicePoint the data mining company that tries to collect and organize information about every consumer, business, and transaction that occurs in the United States.
However, my smugness vanished when I clicked through to a linked article, by Robert O'Harrow, Jr., of the Washington Post, that describes ChoicePoint in some detail ("ChoicePoint finds wealth in information"). I had no idea the company had reached such an enormous size and was still growing so fast. It was pretty humbling.
Monday, 15 March 2004
FBI proposes expansive broadband "wiretap" rules
Declan McCullaugh and Ben Charny report on C|Net that Uncle Fed issued a proposal for expedited rulemaking [pdf] which would grant him new and expansive "wiretapping" powers for broadband Internet services. In this case, Uncle Fed is backed by the Federal Bureau of Investigations (FBI), Department of Justice (DOJ) and the Drug Enforcement Agency (DEA).
Two months ago, Uncle Fed asked the Federal Communications Commission (FCC) to do this dirty work for him. FCC Chairman Michael Powell paid some lip service to security concerns at the time, but he has apparently let the request languish. (At least, I have not seen the media report any subsequent FCC actions.) Around that time, I blogged on the word wiretap and complained that it makes a poor analogy to surveillance of digital communications ("Wiretapping & VoIP"). I would like to make the same comment again now and point out that Uncle Fed's newest proposal supports my point even more clearly.
I promise to write more on this in the near future. Unfortunately, I do not have time today to write a multi-volume treatise on the dangers these regulations would pose to civil liberties.
Sunday, 14 March 2004
The controversial and invasive web site DoctorsKnow.Us has been shut down by its operators. The site claims to have attempted to list every patient who has ever filed a medical malpractice lawsuit. Doctors and insurers might potentially have used this information to deny treatment or coverage to "litigious patients" otherwise known as "patients who had asserted their rights." (Via TechLawAdvisor, via RangelMd.com)
Quoth the site's home page:
DoctorsKnow.Us has permanently ceased operations as of 3/9/04. The controversy this site has ignited was unanticipated and has polarized opinions regarding the medical malpractice crisis. Our hope is that this controversy will spark a serious discussion that results in changes that are equitable to both patients and physicians. All charges that have been collected will be returned to members and trial members.
Wednesday, 14 January 2004
The Winnipeg Sun reports that McDonald's has confirmed that it is using biometrics in a payroll application in about half its restaurants in that city. Instead of punching time cards when they start and finish their shifts, employees run their hands past fingerprint and palm scanners. The devices are plugged directly into the company's computerized payroll system, which records the employee's working hours. The efficiency gains are obvious: "At McDonald's, the scanners are connected to the payroll department and save on paperwork, [McDonald's spokesman Ron] Christianson said. They also free managers from record keeping and get them out working with staff and the public, he added." Unfortunately, the restauranteur has failed to think through the privacy implications of this pilot program.
McDonald's does pay lip service to privacy: "Christianson said McDonald's will only use the prints for the stated purpose and has educated workers about its privacy policies and hired a privacy manager. There have been no complaints from Winnipeg workers about the time clock alternative." However, McDonald's does not appear to have subscribed to the best practices written by the BioPrivacy Initiative or any other published set of best practices. (Despite its name, the BioPrivacy Initiative is a biometrics industry trade group, not a privacy advocate.)
For example, McDonald's does not appear to have clearly and bindingly defined the scope of its biometric program. It is using biometrics solely for payroll purposes right now, but nothing would stop it from expanding the program to encompass other purposes tomorrow. A company spokesman's apology is little consolation for a long-gone former employee who falls victim to identity theft down the line. There is no indication that McDonald's is storing its employees' biometric templates separately from their other personally-identifying information, such as names and addresses. Christianson does not say anything about independent auditing of the company's biometric applications. Most importantly, there does not appear to be any ability for employees to control the use of their biometric data, nor does there seem to be any meaningful alternative for those who would prefer to opt out of the program.
In McDonald's defense, my sole source of knowledge of its biometrics program is the press, and this may simply be a case of newspapers oversimplifying the situation and failing to report all the facts. I have been surprised like that before. Unfortunately, this does not "smell" like such a case.
Monday, 12 January 2004
Wiretapping & VoIP
Last week, Uncle Fed (specifically, the Department of Justice, the FBI, and the Drug Enforcement Administration (DEA)) asked the FCC to force providers of voice-over-Internet protocol (VoIP) services to provide easy "wiretapping" capability to federal and local authorities. See Declan's report on C|Net: "Feds seek wiretap access via VoIP." A few comments are in order before the press mangles this situation and manages to obscure the facts. (Not to impugn Declan; I thought his article was good.)
Lawyers are in the language business, so we should examine the word wiretap to shed some light on exactly what Uncle Fed is asking for. Webster's Dictionary defines wiretap as an intransitive verb meaning "to tap a telephone or telegraph wire in order to get information." This definition is too circular to be useful at first, but this circularity becomes important later. Dictionary.com's nominal definition is a better starting point: "A concealed listening or recording device connected to a communications circuit." This was an accurate physical description when the term arose, during electric telegraphy's youth.
In those days, telegraphic circuits were hard-wired — that is, each pair of telegraph stations was connected by a single wire with one operator at each end. (Busy pairs of stations were connected by multiple wires, each one having operators at both ends.) Each transmission wire was plugged into a magnet-driven apparatus at each end that translated incoming electric signals into audible sounds and generated outgoing electric signals when the operator pressed a button. For an excellent beginner's text on early telegraphic technology and the economic and cultural developments it spawned, see Tom Standage, The Victorian Internet (1998).
In this environment, police had two options for surreptitious surveillance: (1) force the operator to disclose a message's contents after he received it, or (2) intercept the signal between the stations. Option 1 was inefficient because it was slow (the police had to wait for someone else to translate the message from Morse code and deliver it to them), and operators could not always be trusted to keep surveillance secret. Therefore, laws were passed that made option two mandatory. Telegraph companies were required to cooperate with the installation of a device (the "tap") onto their transmission wires that allowed the police to siphon off a tiny amount of the electric signal between two stations and send that signal to a police-operated station.
Later, switching technology made telegraphy more flexible. A switching device made temporary connections between transmission wires coming into the telegraph station. This allowed one operator (or more, at busy stations) connected to the switch to monitor several incoming wires simultaneously. Wiretap devices evolved in lock-step with switches and were quickly moved inside the switches so that fewer taps could monitor more transmissions without being physically reinstalled over and over. Whether this new configuration continued to qualify as "tapping" a "wire" is debatable. Early switching devices made temporary physical connections between telegraph wires by means of a third wire. Early switch tapping devices siphoned the electric signal off this switching wire, so there is a plausible argument that the term was still an accurate physical descriptor. Today we would understand the tapping devices as monitoring the operation of the switch device, not an individual wire within the switch. While wiretapping remained a reasonably good logical description of the tapping device's function, its accuracy as a physical descriptor was highly questionable.
The point to take from this is that wiretap first became an ambiguous term more than a century ago. Now reconsider Webster's circular definition, "to tap a telephone or telegraph wire in order to get information." Webster probably intended to denote the tapping of a circuit, not a wire, but we can forgive lexicographers for not being electrical engineers. However, Webster's definition unambiguously means eavesdropping on a single transmission or group of transmissions between two specified end points. In my experience, this is how law enforcers, laymen, and journalists all use the term. To convey the idea of collecting more than this information, they use such words as surveillance, eavesdropping, or data sniffing.
If the introduction of circuit switching made wiretap an ambiguous term, then the introduction of packet switching renders it positively useless. Packet switching is the transmission technology underlying the Internet Protocol, which is used for all Internet (and most local area network (LAN)) transmissions. Packet switching involves breaking data down into tiny pieces ("packets") and sending each packet across the network individually. This system eliminates the need for circuit switching, which dedicates a circuit to each transmission for the duration of that transmission. Few transmissions use the circuit continuously, so circuit switching inevitably involves inefficient "down time" for active circuits. Consider, for example, how frequently people pause while talking on the telephone. No information is transmitted during these pauses, but their circuit is monopolized nonetheless. Other callers cannot use this circuit until the first call ends — which forces the phone company to install a sufficient number of circuits to carry the maximum foreseeable number of transmissions simultaneously. This extra infrastructure is expensive to install and maintain.
Packet switching allows a small number of circuits to accommodate many transmissions because each one uses the circuit only while information is being actively sent. During each pause, the circuit is used for other transmissions. Additionally, different packets from the same transmission often take different routes across the network. Intermediate nodes will send packets along different routes to bypass busy sections of the network to avoid delays, among other reasons. Since packets must reach the destination individually, it must contain complete addressing information so that intermediate nodes can route it appropriately.
The same features that make packet switching more efficient than circuit switching also make it cheaper. (Sarcastic aside: This is as close to a "law" as the "science" of economics can offer us.) They also make it much more difficult to monitor communications. By definition, packets of information do not all travel through a packet-switched network by the same route. Therefore, there is no central box inside which to install a tapping device, as there is in circuit-switched networks.
The good news for law enforcers is that there does exist a place where all packets of a transmission must pass through before they are dispersed. That place is wherever the sender connects to the Internet backbone. "Backbone" is the name for high-speed networks that carry most Internet data until that data gets very close to its destination, at which time it is moved to a smaller (and usually private) network. All packets must travel from the sender's computer to the backbone through some identifiable means of transmission, be it in a cable or via wireless transmission in a form such as Wi-Fi.
The bad news for law enforcers is that each computer (or network) that connects to the Internet is connected via its own "pipe." They must install "tapping" devices on the connection used by each individual computer whose users' communications they intend to monitor. This requires that they get much closer to the target of the surveillance than they did with circuit-switched networks. In the old days, they could install tapping devices inside the switch at the telephone company's office. Conceivably they might do something similar at the target's Internet service provider (ISP). The FBI's (since-renamed) Carnivore project was an example of this. Unfortunately, this arrangement monitored traffic from all the ISP's customers, not just the intended surveillance target. In order to separate the target's transmissions from everyone else's, Carnivore has to read all packets that pass through. The only real solution to this problem is to install a device very close to the target — for example, in the cable that physically connects him to his ISP or at the antenna via which he transmits information to his ISP. This poses two main problems. First, the target may notice an unfamiliar device outside his house or office and become aware of the surveillance. Second, it is expensive because the police need to build many more devices and pay officers for the time it takes to install them at disparate locations.
By now, the linguistic difficulty of referring to any surveillance of data transmitted via the Internet as "wiretapping" should be obvious. At this point, I would like to shift direction slightly and briefly address a few related problems.
First, it is far from clear that the FCC has the authority to regulate VoIP as if it were a telecommunication service. It was widely reported last October that a federal judge in Minnesota ruled that VoIP companies provide "information" services, not "telecommunication" services, which means that states cannot regulate them under the Telecommunications Act of 1996. On the other hand, the 9th Circuit ruled earlier that month that the FCC erred in classifying cable broadband as an "information" service rather than a "telecommunication" service.
Second, according to Declan, Uncle Fed wants the FCC to require VoIP providers "to rewire their networks to guarantee police the ability to eavesdrop on subscribers' conversations." This is technically possible only for a few such services. In my understanding, Vonage sells black boxes that take input from a telephone and transmit data through the user's broadband ISP connection to Vonage's network, where Vonage routes it to another Vonage device or to a circuit-switched telephone network. Therefore, Vonage may be able to install devices that "tap" a specified user's conversations. Other services, however, operate in a fundamentally different way. Skype, for example, does not have any communications network at all. Its client software transmits voice data using the same decentralized P2P architecture found in Kazaa, the popular file-sharing client. (Skype was, after all, designed by the makers of Kazaa.) Therefore, Skype has no capability to install tapping devices, even if it wanted to cooperate with a hypothetical FCC order.
Third, as discussed above, to surveil transmissions on a packet-switched network, the police must read all data packets that pass through. If they ignore any individual packet, they may miss a piece of the message they intend to intercept. This makes it an unavoidable certainty that any "packet sniffer" will collect data that is not legally subject to surveillance — it would exceed the scope of all but the most expansive warrants. (Never mind that any warrant so expansive is probably unconstitutional because it would fail to state with particularity the information intended to be collected). Depending on the environment where the sniffer is installed, it may also collect data transmitted by third parties, who are not the intended targets of surveillance and who have a reasonable expectation of privacy in their communications. This is a Fourth Amendment problem of enormous magnitude — one that is well beyond the scope of this weblog.
Fourth, Uncle Fed's own statistics for 2002 show that about 80% of all wiretaps — both federal and state — were for criminal investigations in the course of enforcing drug laws. Only the remaining 20% were used for all other types of investigations. One is left to wonder whether the alarmist language in Uncle Fed's letter to the FCC was disingenuous: "criminals, terrorists, and spies (could) use VoIP services to avoid lawfully authorized surveillance." Uncle Fed tries to make it sound as if wiretaps are already an effective tool against such people when his own statistics show that wiretaps are rarely used against them. It would be another matter entirely if Uncle Fed intended to use VoIP monitoring technology to enforce drug laws. Even then, none of the dope dealers I knew of in college even knew what "broadband" meant — so it was unlikely that any of them had the equipment necessary to use VoIP. Even if drug importers are more sophisticated, the police can still monitor their communications through conventional warrants and responsible police work.
In conclusion, the only thing I can really say is that Uncle Fed's request is problematic, at best — and I am just a guy with an interest in Internet law, not an expert in history, technology, or constitutional law. If Uncle Fed was trying to start a national debate on the merits of Internet surveillance, it is about time we had one. If he thought he could slip this in under the radar, shame on him.
Friday, 9 January 2004
Declan explains on C|NET that in March 2003 TTB solicited comments from the general public on "a proposal that could raise the price of malt beverages like Bacardi Breezer and Smirnoff Ice." The Bureau promised: "For the convenience of the public, we will…post comments received in response to this notice on the TTB Web site. All comments posted on our Web site will show the name of the commenter, but will not show street addresses, telephone numbers, or e-mail addresses." Far be it from us to expect an express promise to be kept. Fortunately (for democratic interests) but unfortunately (for TTB), the agency was overwhelmed with comments.
As news of the proposed regulations circulated around malt beverage aficionados online, word-of-mouth took over and comments started flooding in to firstname.lastname@example.org. By October, the Treasury Department had received about 9,900 e-mail messages, plus 4,800 comments sent through the U.S. mail or fax — and decided it could no longer keep its promise.
If a private company pulled a stunt like this and published the addresses of 10,000 people, its executives would go to prison. The government, however, has a long history of treating itself differently. See, for example, Congress' eagerness to spam voters a week after passing the CAN-SPAM Act.
Friday, 2 January 2004
Angry Brazilian judge orders U.S. travelers fingerprinted
In case anyone needed a concrete example of how the Bush administration imperils both U.S. foreign relations and American citizens' privacy at the same time, check out this Reuters article (via Yahoo!):
Federal Judge Julier Sebastiao da Silva, furious at U.S. plans to fingerprint and photograph millions of [Brazilian] visitors on entering the United States, ordered Brazil's authorities do the same to U.S. citizens starting on Thursday.Via BoingBoing.
Monday, 29 December 2003
Cyberbullying and school (in)action
The Christian Science Monitor has a feature article by Amanda Paulson on "cyberbullying." The article outlines the problem, analyzes it as merely a new platform for old-fashioned bullying, and discusses the perils of censoring speach for short-term disciplinary goals. I think that analysis is on the right track, but I would like to add a few points.
The article ignores the grandaddy of all cyberbullying cases and the publicity that surrounded it the case of Jake Baker and the University of Michigan. Mr. Baker's First Amendment defense ultimately led to his exoneration of charges of making threats. (See the EFF case archive for comprehensive information.) The CS Monitor article does, however, discuss the more recent case of "Ghyslain, the Canadian teenager who gained notoriety this year as 'the Star Wars kid.'" This young man videotaped himself goofing around with a broomstick, as if it were a fighting staff.
Some peers got hold of the video, uploaded it to the Internet, and started passing it around. Doctored videos, splicing him into "The Matrix," "The Terminator," or the musical "Chicago," with added special effects and sounds, soon followed. He's now the most downloaded male of the year. According to news reports, he was forced to drop out of school and seek psychiatric help.
The article also mentions that (public) schools may lack the authority to shut down off-campus channels of speech used for bullying. The author seems to divide this into two distinct points, one practical and one legal, but it could stand some clarification. First, schools lack the practical ability to censor such centralized speech channels as web-based bulletin boards and instant messaging networks because the school is not the central entity. These are generally physically controlled by private companies. When it comes to open and decentralized channels (like email, IRC, or usenet), the school has no chance. Second, the legal barriers. Any action that schools take or fail to take can open them up to the modern American passtime, lawsuits. Any course of action necessarily requires the school to make judgments that pit one student's civil rights against another's specifically, the right of the bully to speak vs. the right of the victim to have a public education free from harassment. Schools are understandably reluctant to break any new ground in this context. If I were a school board lawyer, I might recommend the most conservative course of action I could think of.
However, schools are not always so loathe to target Internet speech that is generated off-campus. Some get trigger happy when a student's web site criticizes teachers or administrators. Just the other day, I blogged on a recent case involving the Oceanport School District in New Jersey. I could probably turn up ten more examples in as many minutes on Google.
Finally, I want to highlight a case described in the article that displays the best the First Amendment has to offer. "J. Guidetti, principal of Calabasas High School, did get involved, after comments on schoolscandals.com caused many of his students to be depressed, angry, or simply unable to focus on school." All of Guidetti's initial efforts failed as long as he used a law-enforcement approach. Then, he decided to counter speech with speech:
Eventually, a local radio station got involved and put enough pressure on the people running the site a father-son duo that they took it down in the spring. Already, there's a schoolscandals2 relatively harmless, so far. Guidetti checks it regularly for offensive content, one of the ever-growing tasks of a 21st-century principal.
To be clear, I do not advocate publicly shaming people for their speech. However, opinions that wilt in sunlight are exactly the sort that the Framers of the constitution believed could be controlled by encouraging counter-speech. Guidetti engaged in honest public debate, convinced more people than his opponents, and won the day. By taking his case to the airwaves, Guidetti created speech where he had previously tried to destroy it, and liberty had a rare chance to serve a utilitarian purpose.
Saturday, 20 December 2003
DC Circuit stumps RIAA
By now the world has heard of the D.C. Circuit decision in RIAA v. Verizon. Previously, the D.C. District Court ruled that Verizon must comply with RIAA's subpoenas, issued under § 512 of the Digital Millennium Copyright Act (DMCA). Those subpoenas are designed to force ISPs to disclose the identities of users whom RIAA suspects of illegally making copyrighted music available for others to download. RIAA can trace users by itself as far as their IP addresses (the sets of numbers that uniquely identifies every computer on the Internet), but it needs the cooperation of ISPs to connect an IP address with an individual's name and address. Once it has that information, it can send a cease & desist letter or file a lawsuit.
Yesterday's Circuit decision reverses the District Court's interpretation of the statute. The appeals court gave the statute an extremely close reading in rendering its decision. The relevant section has a complex sentence structure and many cross references, so it is no wonder that the parties (and two different courts) disagreed as to its meaning. Derek Slater makes a few interesting points, including: "I find it fascinating when opinions contrast in this way — when they see the same issue clearly, unambiguously, but oppositely. [District] Judge Bates, just like [Circuit Judge] Ginsburg, claims to stick to the statute's text and go no further, yet their opinions are night and day."
The decision is a victory for privacy, but not a victory for privacy as such. The result was reached on a technical reading of the statute, and turned on the fact that a subpoena can only be sent if a DMCA notice-and-takedown letter can also be sent. […] The constitutional issues that would have made this a victory for privacy as such, or for freedom of expression, were not addressed by the court.
The Circuit panel adopted most of Verizon's statutory argument — that § 512(h) authorizes subpoenas only in cases where the plaintiff alleges that the infringing material is stored on media controlled by the ISP. However, when the ISP is a mere conduit for data stored on media controlled by a third party (the ISP's subscriber, in this case), § 512(h) does not permit subpoenas outside of the context of a lawsuit.
This line of reasoning rests on the cross references between § 512(h) and § 512(c). Subsection (h) permits a copyright owner to apply to the Clerk of the court for a subpoena so long as the application contains "a copy of a notification [of claimed copyright infringement, as] described in [§ 512](c)(3)(A)." The relevant language in § 512(c)(3)(A) is: "To be effective under this subsection, a notification of claimed infringement must be a written communication … that includes substantially the following" six elements. The third enumerated element is "(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material." (Emphasis added)
The court agreed with Verizon that this language requires the subpoena application to assert that the ISP has the ability to remove or disable access to the allegedly infringing material. However, most current P2P applications use a decentralized architecture. This means that all shared data is stored on users' computers, not on any central server — except for temporary copies incidental to transmission, which the DMCA permits. Therefore, the ISP has no legal right to remove or disable access to the material shared on the P2P network:
No matter what information the copyright owner may provide [in its subpoena application], the ISP can neither "remove" nor "disable access to" the infringing material because that material is not stored on the ISP's servers. Verizon can not remove or disable one user's access to infringing material resident on another user's computer because Verizon does not control the content on its subscribers' computers.
This holding does have some privacy implications, but they are small compared to Verizon's alternative argument. Having decided this case on statutory grounds, the court ducked the larger First Amendment questions.
So what implications does it have? Dozens of people predict that RIAA will lobby Congress to close what it surely sees as a loophole in the DMCA. Ernest quipped, "[T]he RIAA has nearly hosed itself." The trade group has been trying to consolidate all its DMCA subpoena litigation in Washington, D.C. for administrative convenience. Now, however, it cannot be happy with its "success" in transferring the SBC case to the D.C. District from the Northern District of California in San Francisco — because the Verizon decision is now binding precedent in the nation's capital. This will not stop RIAA from getting users' information, however. It will only make the process slower and more expensive. Instead of paying its lawyers simply to draft subpoena applications, it now has to pay them to draft and file complaints and motions in addition to subpoena applications. These costs will be passed on to consumers in the form of higher average settlements.
John Palfrey sees a broader trend: "Add this development to the Grokster opinion, and the trend of the law in favor of digital rights holders is at least in a holding pattern." The trend may be even broader than Palfrey recognizes — this was a banner week for civil liberties everywhere. (It could, however, be just a blip on the post-9/11 radar screen.) The Dutch supreme court ruled that the makers of Kazaa are not liable under Dutch law for copyright infringement committed by the software's users. A day earlier, the Second Circuit ruled that the U.S. government may not classify Jose Padilla as an enemy combatant — which should assure that his constitutional rights are no longer suspended. Just a few hours later, the Ninth Circuit wrote "that the [Bush] administration's policy of imprisoning about 660 non-citizens on a naval base in Guantanamo Bay, Cuba, without access to U.S. legal protections 'raises the gravest concerns under both American and international law'" (source).
If nothing else, we live in interesting times.
Tuesday, 16 December 2003
CRIA Follows Big Brother's Lead
The millions of Canadians who share music files on the Internet should be prepared for the possibility of facing a lawsuit early in the new year, the head of the Canadian Recording Industry Association said yesterday. … [Brian] Robertson would not specify how many lawsuits would be filed, but he did say the legal action would be similar to the lawsuits filed in the United States. For some time, CRIA has been using software that tracks and identifies users involved in trading free music files. "Users should be aware that using file-sharing services is a very public process," Mr. Robertson said.Since Canada has no analog to the Digital Millennium Copyright Act (DMCA), it will be interesting to see whether CRIA's tracking software is anywhere near as effective as RIAA's subpoenas. Neither one, it cannot be pointed out often enough, has any judicial oversight. And both are ripe for abuse.
Monday, 15 December 2003
Spam rage defendant pleads not guilty
Saturday, 13 December 2003
I would like to comment briefly on one post in ATAC's weblog, "Face Recognition and False Positives." This post raises the point of "a classic security mistake: ignoring the false positive problem." I addressed this issue in "Static Measurements & Moving Targets," my law-school thesis paper on biometrics and privacy in the context of consumer banking. In that paper, I looked at the problem from a perspective opposite Ed's. He describes facial recognition in an identification application, where its goals are substantially different from what its goals would be in an authentication application.
The designer of an application that flags passers-by as registered sex offenders has an incentive to overinclude suspects for security reasons — that is, to err on the side of false positives. The designer of an ATM authentication application, on the other hand, has the opposite incentive — to err on the side of false negatives, to prevent fraud. The point is that false positives are not solely a privacy issue: they also represent a security risk, depending on the context.
That said, I do agree with Ed's basic point, as I wrote back in October ("Terrified of Terror Profiling?"). I supported the point there with links to articles by computer security expert Bruce Schneier and mathematician John Allen Paulos.
Friday, 12 December 2003
ECPA permits employer to search stored email
Law.com reports that a Third Circuit panel has interpreted the Electronic Communications Privacy Act (ECPA) to permit an employer to search its employees' email messages that are stored on its network ("Federal Law Allows Employer's Search of Worker's E-Mails"). Such a search, the court held, does not constitute "interception" of messages during "transmission," as prohibited by the ECPA. The full text of the decision in Fraser v. Nationwide Mutual Insurance Co. is available via FindLaw.
Monday, 8 December 2003
CIO on RFID
The 1 December issue of CIO Magazine has an article on the technological and economic hurdles standing in the way of widespread RFID adoption: "The RFID Imperative." The article makes only passing reference to many the social implications of RFID, but the sidebars link to several other recent CIO articles covering those issues. Thanks go to Ernie the Attorney for the heads up.
Mexico threatens 3 with treason charges for data sale
The government of Mexico is threatening to charge three of its citizens with treason. They are executives of a company called Soluciones Mercadologicas en Bases de Datos, which sold a database private information on 65 million Mexican voters to ChoicePoint, an Atlanta-based database company. ChoicePoint bought the data at the behest of the U.S. government shortly after 11 Sept. 2001 to help bolster Uncle Sam's investigation of terrorism.
The database contained such private information as the number of cars owned in households and unlisted phone numbers. If nothing else, this episode highlights the incumbent dangers when a government any government collects massive amounts of data on its citizens without a compelling and clearly articulated purpose. What, for example, does voter registration have to do with the number of cars one owns?
The Macon Telegraph has the story: "Mexican company officials may face treason charges."
Thursday, 4 December 2003
Mechanics of the CAN-SPAM registry
There have been many questions about how a do-not-spam registry should be implemented. This proposal suggests a regime for funding for the registry and the highest level logical operation of its database. My plan would allow consumers to choose (through market forces) an opt-in system while still adhering to the overall opt-out structure of the CAN-SPAM Act. For that reason, I believe it solves some of the nagging First Amendment problems that come with a government-madated opt-in system.
If you have not already seen my summary of the CAN-SPAM Act, I suggest you check it out before reading this.
The registry should not necessarily be funded by taxes, because that would require people without email accounts to share the burden a system that carries no direct benefit for them. ISPs stand to benefit the most (in financial terms, at least), because a successful registry will reduce their bandwidth and other costs substantially. I would hesitate to levy mandatory fees on ISPs because they would look too much like the fees imposed on bell companies to fund rural telephone lines and the 911 system. I would prefer to leave ISPs as unregulated as possible while still having them share in the cost of the registry. I would not be averse to paying a few dollars to get myself into the registry, but ISPs should not have a free ride while consumers fund the entire thing.
My proposal is to make ISPs intermediaries between the FTC, which would manage the registry, and consumers, who will have ultimate control over the status of their addresses.
First, charge ISPs a monthly fee for having their domains listed in the registry. This fee would be assessed according to the number of email addresses at each domain, and those addresses would be automatically opted out of receiving spam. If a user wants to change that status, he would ask his ISP, which would relay the request to the FTC. An ISP would be charged a small transaction fee for each username it changes from its default status, as an incentive to "guess" what most customers will prefer. Individuals whose ISPs do not list their domains in the registry would have the option of opting out individually, paying the same transaction fee directly to the FTC. This option would be available to anyone in the U.S. with an email address, even those who maintain email addresses at their own personal domains and do not use an email address provided by an ISP.
To keep the size of the database's output manageable, it would need to spit out three separate lists. The first list would contain all the domains listed in the registry. The second list would contain all the individual email addresses that have requested opt-out status. Any email address covered by these two lists would be off-limits to spam. The final list would contain the addresses of ISP customers who have decided to switch away from their ISPs' default opt-out status. Addresses on list #3 are fair game for spam.
My plan would require some taxpayer funding for startup costs, although these could be recouped over the first few years by charging slightly higher fees during that time. After that, the monthly fees for listing domains and the per-user transaction fees would cover operational costs. ISPs will inevitably pass some of those costs on to consumers. However, there is harsh competition among ISPs, so the market would quickly allocate those costs efficiently. I believe this is more equitable than a program funded wholly by taxes. The recently-implemented do-not-call registry is funded by taxes because telephone penetration is nearly 100% in this country. However, many fewer people have email accounts than telephones, so full funding by tax dollars seems unfair to me.
The system is national in scope, so it will be large enough that the fees per domain and and per user can be small. Only a few indigent people and organizations could legitimately complain about the cost, and these might be exempted from paying fees. To start, the exemptions might be granted to educational institutions, 501(c)(3) organizations, and individuals below the poverty line. I have little experience in this area of social policy, so I would leave it to others to work out those details.
This structure would allow the market to demonstrate once and for all whether the public really favors an opt-in or an opt-out system. Many people have speculated on this question, but the truth is that nobody knows for sure. We may see a surge of subscriber defections away from ISPs that choose to be listed, or we may see a surge of individuals listing their own addresses. The point is that consumers, not the government and not spammers, would finally have direct control over the marketing they receive.
Wednesday, 3 December 2003
Clarifying my position on opt-out
Some feisty discussion has broken out in the comments section of my blog post where I summarized and explained some features of the CAN-SPAM Act. I have been accused of favoring an opt-out system over opt-in. This is probably my fault for overstating my position as a reaction to most people's knee-jerk favoring of opt-in.
I do not favor opt-out in all its manifestations — I just think that most people decide to favor opt-in without considering the issues thoroughly. There are serious free-speech problems with the government mandating a regime that forbids a certain type of speech to be distributed in a certain channel. Those problems are reduced (although not entirely eliminated) by an opt-out regime that provides consumers with an en mass opt-out mechanism like a do-not-spam registry. The problems are further reduced the more fine-tuned the en mass mechanism becomes. The present FTC/FCC do-not-call registry is a blunt instrument, requiring consumers to choose all or nothing.
Someone may yet convince me that opt-in is the way to go; but, until that happens, I choose to err on the side of free expression.
Friday, 28 November 2003
P2P & anonymity
Four years ago I wrote my senior thesis at Yale, The Futures of e-Politics, in which I complimented several Congressmen and Senators for having done well to educate themselves on digital communications technologies in a relatively short time. Today I may recant that compliment.
I just got around to reading C|Net's coverage of a letter sent last week from several Senators to the executives of several P2P companies. The lawmakers asked the companies to regulate themselves — i.e., to censor their networks for pornography and copyrighted material. C|Net reports (Senators ask P2P companies to police themselves) a quote from Senator Lindsey Graham (R-N.C.) that I did not see reported elsewhere. In a "statement" accompanying the letter, he said (emphasis added):
Purveyors of peer-to-peer technology have a legal and moral obligation to conform to copyright laws, and end the pornographic trade over these networks. These programs expose our children to sexually explicit materials and provide an anonymous venue for child pornographers to hide behind the veil of technology.If we have learned anything from RIAA this year, it is that P2P activity is not anonymous. If you are going to make national policy, or at least pretend to, it is not unreasonable to ask that you pay attention.
Thursday, 27 November 2003
Worm infects Diebold ATMs
Diebold, the very same company being raked over hot coals for its authoritarian response to criticism, now has the ignoble honor of being the first ATM manufacturer to have its machines infected with a worm. (New Scientist: "Cash machines infected with worm")
The controversy over Diebold's electronic voting machines is no longer theoretical (if it ever was). This is a real-world, already-happened, no-excuses problem affecting a Diebold product very similar to its voting machines. How could this happen? Simple — Diebold's ATMs run Windows XP.
Wells Fargo data theft goes into "crooks-are-dumb file"
Yesterday, local authorities and the U.S. Secret Service announced an arrest in the case of the Wells Fargo's stolen customer data. (San Francisco Chronicle's coverage: "Arrest in Wells Fargo data theft") A few weeks ago, Edward Krastof of Concord, California allegedly stole a laptop computer from the office of a consultant hired by Wells Fargo. The hard drive "contained a treasure trove of customer data," including names, addresses, bank account numbers, and social security numbers. Krastof claims that he had no idea that the information was there — he claims to have stolen the computer to use it himself. Do we believe him? Police also found stole driver licenses in Krastof's house. "He said he manufactures forged I.D. cards and checks," said Sgt. Stephen White of the Concord Police Department. "He's kind of a low-level I.D.- theft guy." The Chronicle article also quotes Benjamin Jun, vice president of Cryptography Research: "it looked like the case of the stolen Wells Fargo data came straight from 'the crooks-are-dumb file.'"
Richard Thompson, a Wells Fargo customer who was among those whose information was stolen, talked to reporters last week. "It's outrageous," he said. "As far as I'm concerned, this is as big a breach as they could have. It's like my money being stolen." Wells Fargo's solution? The bank offered to pay $90 for each customer to join PrivacyGuard, a credit-monitoring service, for a one year. Thompson's response? "My Social Security number is now out. This will affect me for the rest of my life."
Wells Fargo tried hard to keep this story from the public eye. When a financial institution's sensitive customer data is compromised, California law requires only that it notify affected customers "in a timely manner." Wells Fargo sent a letter to affected customers two weeks after the theft. The press reported the story only after irate and fearful customers brought it to reporters' attention. The excuse? The bank wanted to avoid tipping off the thief to what he had taken, in the event that he did not already know. After all, the computer was taken from a small, nondescript consultant's office behind a sports bar — not from a bank branch. For now, Krastof's self-serving "I didn't know" defense gives Wells Fargo plausible deniability.
Even before we have all the facts (keep reading over the next few weeks), this case demonstrates one way in which privacy laws are woefully inadequate. Banks are highly regulated, but there is little or no supervision of banking operations that are outsourced. American businesses share an ostrich-like consensus that clerical or consulting work is safe so long as it stays within the country. Barely a month ago, offshore outsourcing made a brief headline splash when a medical transcriptionist in Pakistan held hostage some patient files from the UCSF Medical Center. She threatened to post the files on the Internet unless she was paid hundreds of dollars.
The Wells Fargo episode proves that outsourcing must be treated with greater care wherever it is done. I am by no means advocating an end to outsourcing. Forcing businesses to do all their work in-house would be terribly inefficient. However, customer data should almost never be let out the door, except where data processing or warehousing is being done. Wells Fargo has thus far refused to say what this particular consultant, Peter Gascoyne, was doing, beyond stating that he is a "'data analyst' [who] has a 'special expertise' beyond what the bank was capable of doing in-house" (quoting from the Chronicle). With a proper database infrastructure in place, data analysis does not require the analyst to keep the data locally.
Ideally, consultants should do their work at the bank or dial into the bank's intranet or virtual private network. At the very least, banks should require their strong privacy protections in their consulting contracts with severe consequences for preventable breaches. How was the breach accomplished in this case? Someone left the door to Gascoyne's office suite unlocked.
Wednesday, 26 November 2003
Man charged in "spam rage" case
This seems to be a first. Charles Booher of Sunnyvale, California has been arrested and charged with 11 counts for threats he made to a company he blamed for sending him spam and causing web popup ads on his computer. Wired News reports ("Man Arrested Over 'Spam Rage'"):
Booher threatened to send a "package full of Anthrax spores" to the company, to "disable" an employee with a bullet and torture him with a power drill and ice pick; and to hunt down and castrate the employees unless they removed him from their e-mail list, prosecutors said.
This case presents a good opportunity to mention a recurring a point about defining classes of speech for legal purposes. I have yet to see a case where this was not problematic, but it is never more so than when the communication of words alone constitutes a crime. Mr. Booher's words (as reported in Wired) clearly threatened physical violence, his intent to make a threat seems clear, and he communicated the threat to the threatened person satisfying the basic requirements of most threat statutes. Do prosecutors have a slam dunk case? Maybe. But the inquiry only starts there.
It is what Wired failed to report that I find interesting. The article in Saturday's San Jose Mercury News makes Booher look much more sympathetic. (Article: "Spam sends local man into rage") There, we learn that Booher "is a three-time survivor of testicular cancer" and that the overwhelming flood of spam that triggered his emotional outburst was hawking you guessed it penile enlargement products. Suddenly, his response is understandable.
Before you send me angry email, note that I do not condone what Booher did. My point here is that it is irresponsible to condemn someone based on a small amount of information. When the condemnation implicates the most basic liberties of any free society, we have to be especially careful. Some of you may remember Jake Baker, the University of Michigan student who wrote a revolting rape/torture/murder fantasy story about a classmate and posted it on alt.sex.stories. Baker was charged with making threats, notwithstanding that he had unambiguously stated that the story was fiction. The subsequent uproar ended with his exoneration of all charges of making threats a result demanded by the First Amendment. For those unfamiliar with the case, the Electronic Frontier Foundation (EFF) maintains an archive of relevant documents. (If you have a strong stomach, the story is still available online. However, you have been warned: This is pretty sick stuff.)
Monday, 17 November 2003
File sharing zeitgeist
The Contra Costa Times ran an interesting, yet unsurprising, AP story on Saturday (Music industry mines data from downloads). In a nutshell: "Despite their legal blitzkrieg to stop online song-swapping, many music labels are benefiting from — and paying for — intelligence on the latest trends in Internet trading." That is right, P2P networks are the best tool yet-invented for gathering realtime data on music consumer tastes. By tracking the number of downloads for particular artists and particular songs and the rough geographical distribution of those downloads, the industry can better target its marketing and products.
I would accuse RIAA of batting both ways (like I did H&R Block this morning), but this phenomenon raises an issue more important than copyright law. For the first time in the history of human social interaction, we have the technology to gather realtime information on the thoughts of a cross-section of a nation. P2P file sharing is a specific example, and the Google Zeitgeist is a more general one.
H&R Block bats both ways
SiliconValley.com reprints a story from the Kansas City Star, reporting a defamation lawsuit filed by H&R Block (H&R Block sues anonymous online critic). Essentially, the accounting firm believes that an employee is behind a series of postings on a Yahoo! message board that criticize the company. The article is a bit sketchy, but apparently both the complaint and company a spokesman said that the message board posts constituted (1) false and misleading statements and (2) improper disclosures of confidential information.
H&R Block is trying to bat from both sides here. If the anonymous poster's statements were accurate, they would prove highly embarassing to the company, and he would have disclosed confidential information. If they are not accurate, they would be defamatory. Either way, H&R Block maintains plausible deniability for long enough to force Yahoo! to reveal the anonymous poster's identity. Ultimately, H&R Block may have a difficult time proving either claim because damages (an essential element of both claims) would be too speculative. The author writes, "The defendant's comments don't appear to have had a material effect on Block stock," and goes on to detail the fluctuation of H&R Block's share price during the relevant time period and concluding that it was a mere penny off its 52-week high shortly after the statements. Proving a link between these statements and any trend in revenue would be exceedingly difficult, if not impossible.
This is a SLAPP — a strategic lawsuit against public participation. After Yahoo! breaches the poster's anonymity, we have no guarantee that H&R Block will pursue the lawsuit. More likely, it merely needed a subpoena to learn whether the poster was an employee — and will promptly forget about the suit after getting what it wants. Better to make an example by loudly firing a wayward employee than to waste time and money on a lawsuit against someone who will not have millions of dollars to pay in damages, in the unlikely event that you win. The last portion of the article begins, "Lawsuits aimed at forcing Internet service providers to provide the names of anonymous Internet users have become increasingly common in recent years." Little question exists as to the effect this is having on the freedom of speech.
Saturday, 15 November 2003
Extent of secrecy in Wal-Mart's RFID testing
Controversy over the use of radio frequency identification (RFID) chips in retailing has raged for some time. Although I have not covered RFID developments in this blog, I do follow them closely. Yesterday C|Net published a once-over of the newest RFID front, and I want to highlight one important point that the author glossed over too quickly. (Article: 'Smart shelf' test triggers fresh criticism)
Wal-Mart, the world's largest retailer, stopped a small RFID trial in Boston last year, after CASPIAN (Consumers Against Supermarket Privacy Invasion And Numbering) called public attention to it. Wal-Mart tried again last summer, in Tulsa, with a larger group of products. C|Net reports that company "sold, from March to July, Max Factor Lipfinity products embedded with the special tracking chips. A Wal-Mart representative, who told CNET News.com in July that the company had never sold products with chips in them, now says he only recently became aware of the Lipfinity test." In other words: Not only did Wal-Mart hide its activities from the public, it also hid them from its own spokespeople, causing them to deceive the press.
Wednesday, 22 October 2003
Terrified of Terror Profiling?
Bruce Schneier, the renowned expert in computer security (as well as founder and Chief Technical Officer of Counterpane Internet Security, Inc.) wrote a column this week for Newsday: "Terror Profiles By Computers Are Ineffective." As the title suggests, Schneier argues that all the approaches yet taken to "profiling" terrorists suffer from the same fundamental design flaw. "There's a common belief — generally mistaken — that if we only had enough data we could pick terrorists out of crowds," Schneier writes. He goes on to show that the types of information that we have endeavored to gather — indeed, the types of information that we can gather — bear no statistically significant relationship with terrorist acts, or even propensity toward terrorism.
Schneier's argument is bolstered by the simple, elegant, and compelling mathematical analysis done by Temple University mathematician John Allen Paulos, in the January 2003 installment of his column "Who's Counting?." The article, "Future World: Privacy, Terrorists, and Science Fiction," assumes that a project such as the recently de-funded Terrorist Information Awareness program (née "Total Information Awareness"), has succeeded beyond the wildest dreams of its founders by 2054, the year when the film Minority Report is set. This hypothetical program has a predictive success rate of 99%. Examining this number and assuming that the U.S. has 300 million citizens, Paulos proves that it would imprison just under 1,000 terrorists and just under 3 million innocent people.
Outsourced medical transcription causes privacy snafu
It is common practice for doctors to dictate notes that are later transcribed by clerical staff. This makes healthcare delivery more efficient because it frees doctors to spend more time with patients and less time with paperwork. With the advent of portable tape recorders and, more recently, personal digital recorders, healthcare organizations have found it even more efficient to "outsource" this transcription — to hire someone on a contract basis to record the oral notes in written form. Over time, a network of contractors and subcontractors developed to serve what became a $20 billion dollar medical transcription industry. Naturally, not all of these subcontractors are in the United States.
The Chronicle reports that Lubna Baloch, a medical transcription subcontractor in Pakistan, sent an email to the UCSF Medical Center which complained about her low wages and threatened to post patients' records on the Internet if she was not paid hundreds of dollars. To back up her threat, Ms. Baloch attached two patients' records to the email. "Your patient records are out in the open to be exposed," she wrote, "so you better track that person and make him pay my dues or otherwise I will expose all the voice files and patient records of UCSF Parnassus and Mt. Zion campuses on the Internet."
The records have apparently not been posted to the Internet — yet. A subcontractor between her and the Medical Center paid her $500 on the condition that she withdraw her threat. Shortly thereafter, she sent another email to the medical center, writing, "I verify that I do not have any intent to distribute/release any patient health information out and I have destroyed the said information. I am retracting any statements made by me earlier." A spokesman for the Medical Center points out, however, that "We do not have any evidence that the person has destroyed the files."
The United States has a law known as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Under this law, the Department of Health & Human Services has issued detailed regulations that govern how medical information must be kept confidential. Those rules are difficult or impossible to enforce abroad, however. While Ms. Baloch is at least three subcontracts removed from the UCSF Medical Center, it is not clear whether the hospitals or doctors could be held responsible in the event of a breach of its patients' privacy. The Medical Center claims that it was aware of only two levels of subcontracting and had no idea that its medical files were being sent offshore. The current regulations permit subcontracting of work like transcription, so long as the contracts have provisions requiring confidentiality. Details are still sketchy as to the content of the contract involved in this case. Time will tell if the law has been violated.
Even if the Medical Center did not break the law, this story should send shivers down the spines of all Americans who have ever been treated by a doctor. Economic globalization and digital communications technology have made outsourcing and "offshoring" routine, and no one knows how much of this work is being done outside the United States. Most of the work is going to countries where wages are low — otherwise, there would be no cost savings, and the medical staff would transcribe the notes in-house. Developing countries do not have privacy laws as comprehensive and sophisticated as those in the U.S. and Europe.
Ms. Baloch has come up with the idea for this extortion and it has become public, so it is only a matter of time before someone else tries it. The next person may demand much more than $500, and the next hospital may not be willing to pay. (Note that in this case a subcontractor paid the bribe, not the hospital.) Who loses in this situation? The patients. The most intimate details of our lives will be exposed to everyone with a computer and a telephone line.
How should we respond? Amend HIPAA? Possibly. Perhaps we need more stringent requirements for contracting and subcontracting. Maybe we should bar outsourcing to offshore companies, or at least restrict the countries where outsourcing is permitted to those having strong privacy laws. Maybe we need to do something else. But these problems will not go away — they will only become more pervasive.