FTC staff issued a statement today proposing four “self-regulatory” principles to guide businesses engaged in online behavioral advertising. FTC staff also seeks public comments on these principles as well as additional information on what other uses businesses are making of online tracking data. Interested parties can submit comments by February 22, 2008.

The statement, titled “Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles,” follows from the FTC’s town hall meeting held in early November 2007. There, the FTC considered privacy issues raised by behavioral advertising and heard from consumer interest groups and businesses alike.

In a case of first impression, the Arizona Court of Appeals recently considered the ability of a litigant to determine the identity of an anonymous Internet user. Mobilisa, Inc v. Doe, Case No 1-CA-CV 06-0521, 2007 Ariz. App. LEXIS 225 (Ariz. Ct. App., November 27, 2007). While the Court did not require disclosure of an anonymous Internet user’s identity (as the lower court had done), it set forth a balancing test to consider whether or not the user’s identity should remain anonymous. Thus, the Arizona court recognized that there may indeed be circumstances where anonymity must fall and a user’s identity must be disclosed in litigation.

According to a recent federal court ruling, a telephone customer is bound by the terms of an online business’s privacy policy and terms of use to which the salesperson referred during the call. In Greer v. 1-800-Flowers.com, Inc., No. H-07-2543 (S.D. Tex. Oct. 3, 2007), the U.S. District Court for the Southern District of Texas enforced a forum selection clause contained in the website’s terms of use against a consumer who ordered flowers for his girlfriend on the telephone. Before placing his order, the plaintiff inquired as to the company’s privacy practices and a 1-800-Flowers.com representative referred him to the company’s online privacy policy. Plaintiff claimed he relied on this policy when he completed his order. The privacy policy clearly stated that it was part of the website’s terms of use, which the plaintiff did not read and which included a forum selection clause.

In follow-up to our earlier blog post regarding recent pressure on social networking sites from law enforcement, New York Attorney General Andrew Cuomo announced yesterday that his office had entered into a settlement with Facebook. The settlement resolves the Attorney General’s investigation of Facebook’s failure to fulfill public claims it made about protecting minors, which the Attorney General believed were deceptive acts and practices and false advertising in violation of New York consumer protection laws. Facebook did not admit to any wrongdoing.

Kids like social networking sites, most notably MySpace and Facebook. So it is not surprising that law enforcement is scrutinizing how the sites protect children. Recent subpoenas issued to Facebook by New York Attorney General Andrew Cuomo and New Jersey Attorney General Anne Milgram are illustrative.

Both subpoenas sought information about Facebook’s Internet safety and security policies. The New York subpoena, issued last month, also sought information concerning Facebook’s complaint resolution procedures. In its subpoena cover letter to Facebook, Attorney General Cuomo noted Facebook’s public representations concerning how it responds to reports of pornographic material and inappropriate contact with minors. It also described its undercover investigation of Facebook. According to the letter, the investigation revealed pornographic and other inappropriate content readily available on the site. In addition, after investigators set up profiles as young teenage users, they received inappropriate sexual advances. The investigators filed complaints about these issues through Facebook’s complaint procedures. The letter notes various instances of non-responsiveness or delayed response to such complaints. The New Jersey subpoena, issued earlier this month, described here, sought information from Facebook concerning convicted New Jersey sex offenders that Facebook has identified as site users. Facebook previously informed the New Jersey Attorney General it had removed sex offenders with profiles matching individuals listed on the New Jersey sex offender registry. Attorney General Milgram also sent letters to eleven other social networking sites requesting they compare their registrants against the state’s sex offender list.

In a novel case, the Ninth Circuit ruled on July 6, as amended July 25, that government surveillance of Internet Protocol (“IP”) addresses visited, to/from addresses of emails, and the total volume of information sent to or from an email account does not violate the Fourth Amendment. United States v. Forrester, No. 05-50410, — F.3d — (9th Cir. July 6, 2007). The ruling does not affect the requirement that the government obtain a search warrant before searching the actual content of that Internet traffic.

The defendant in United States v. Forrester, Dennis Louis Alba, was charged and convicted of various federal offenses relating to the operation of an Ecstasy-manufacturing laboratory. During the government’s investigation of Alba, it installed a device on Alba’s computer that gathered the IP addresses of the websites he visited, the to/from addresses of his emails, and the total volume of information sent to or from his email account. In his appeal, Alba contended that the surveillance constituted a warrantless search in violation of the Fourth Amendment and fell outside of the then-applicable pen register statute. The Ninth Circuit addressed the merits of Alba’s first contention, but found it unnecessary to address the second.

The Ninth Circuit applied the Supreme Court’s analysis in Smith v. Maryland, 442 U.S. 735 (1979), in which the Court held that a pen register does not constitute a Fourth Amendment search. The Court so held because pen registers merely track phone numbers dialed and do not reveal the actual contents of conversations. Cf. Katz v. United States, 289 U.S. 347 (1967) (holding that one can have a legitimate expectation of privacy in the contents of one’s phone conversations). The Ninth Circuit reasoned that the government’s surveillance of Alba’s activity was “constitutionally indistinguishable” from surveillance via a pen register because accessing IP addresses involves the transmission and receipt of a unique identifier, which does not reveal actual content, via the third-party equipment of an internet service provider. An Internet user therefore does not have a legitimate expectation of privacy in the IP addresses he or she accesses.

Last month, a group of eight Republican lawmakers introduced H.R. 837, the Internet Stopping Adults Facilitating the Exploitation of Today’s Youth (SAFETY) Act 2007. The bill would give the Attorney General very broad authority to enact rules requiring Internet Service Providers (“ISPs”) to retain records so law enforcement could access their customers’ online activities.