News Briefs

Ninth Circuit Supports Search Warrant for Web Site Member; But Conservative and Liberal Judges Dissent

The Ninth Circuit Court of Appeals decided that mere membership in a pornographic Web site containing both legal and illegal porn is enough to authorize the FBI to search a home computer (U.S. v. Gourde, No. 03-30262).

The case arose when Micah Gourde, 29, of Castle Rock, WA, paid $19.95 per month for a 2-month membership in a pornographic Web site, www.lolitagurls.com, which contained pictures of legal adult porn as well as illegal child pornography. FBI agents raided the owners of the lolitagurls Web site in Iowa, confiscated the host computer, and prosecuted the owner. They also sought a warrant to search Gourde's computer, arguing that there is a 'fair probability' that customers of child pornography Web sites download the illegal images. Gourde challenged the warrant based on the Fourth Amendment and sought to suppress more than 100 images of child pornography seized from his home computer.

In a 7-2 ruling, the Ninth Circuit said that it 'neither strains logic nor defies common sense to conclude 'that someone who paid for access to a Web site that carries child pornography probably downloaded images.'

However, two judges who are on the liberal and conservative extremes of the court joined forces in strongly dissenting from the ruling. 'The majority concludes that the [search warrant] affidavit made out probable cause by assuming that anyone who subscribes to an internet site with both legal and illegal material must collect illegal material from the site,' wrote Judge Andrew Kleinfeld, a conservative appointee of President George H.W. Bush.

'This assumption stacks inference upon inference until the conclusion is too weak to support the invasion of privacy entailed by a search warrant,' wrote Kleinfeld in dissent.

In an unlikely union, Ninth Circuit Judge Stephen Reinhardt, the appeals court's most liberal voice, dissented along with Kleinfeld, writing: 'In this age of increasing government surveillance, lawful and unlawful, and of the retention of all our deeds and thoughts on computers long after we may believe they have been removed, it is important that courts not grow lax in their duty to protect our right to privacy and that they remain vigilant against efforts to weaken our Fourth Amendment protections.'

Colin Fieman, a defense lawyer with the Tacoma, WA, federal public defender's office, called the ruling 'troubling,' and said he would seek U.S. Supreme Court review. 'I think the key issue that wasn't addressed in the en banc decision was the fact that it was a mixed-content site,' Fieman said. 'Courts' traditional view is that if a search is based entirely on membership, it has to be an organization with a wholly illegitimate purpose.'

 

Jumpstart Technologies to Pay $900,000 Penalty

Internet marketer Jumpstart Tech-nologies LLC agreed to pay a $900,000 civil penalty, the largest assessed under the CAN-SPAM Act to date, to settle a complaint filed by the Federal Trade Commission ('FTC'), the FTC announced on April 3. The consent decree was filed in the Northern District of California on March 21.

The FTC complaint alleged that Jumpstart Technologies sent commercial e-mails for its FreeFlixTix promotion that appeared to be personal messages. The messages contained deceptive subject lines and headers to evade spam filters, according to the FTC. The complaint further alleged that the offer in the e-mail promotions was deceptive and violated '5 of the FTC Act prohibiting unfair and deceptive business practices.

Under the settlement, Jumpstart Technologies admitted to no wrongdoing. In addition to the monetary penalty, the company is barred from violating the law in the future, according to the consent decree.

GAO Finds Government Agencies, Private Resellers Overstep Bounds in Collecting Consumer Information

The Government Accountability Office ('GAO') issued a report on April 4 that states that federal agencies are increasing their purchase of information about individual consumers from resellers in order to support law enforcement, counterterrorism, and other investigations ' but neither the agencies nor their contractors are adequately following federal rules to protect citizens' privacy.

The report, 'Personal Information: Agencies and Resellers Vary in Providing Privacy Protections,' can be read at http://www.gao.gov/new.items/d06609t.pdf.

Among the most common offenses: exceeding legal limits on the information that can be collected and used about law-abiding citizens under the Privacy Act of 1974 and other laws, and insufficient oversight to ensure the accuracy of information that is collected.

Because private information collection agencies operate under less stringent rules than government agencies (or perceive that they can), the erosion in consumer privacy is increasing. One example that the GAO found was that private resellers rarely tell consumers about all of the ways that their information might be shared and utilized.

In fact, the GAO testified at a hearing before a subcommittee of the House Judiciary Committee on April 4 that the very nature of what resellers do is 'largely at odds' with the Fair Information Practices principles to which government agencies are supposed to adhere. These principles define what agencies can collect, how they can use it, and how they are to verify its accuracy. 'For example, the principles that the collection and use of personal information should be limited and its intended use specified are largely at odds with the nature of the information reseller business, which is based on obtaining personal information from many sources and making it available to multiple customers for multiple purposes,' the GAO concluded.

The Departments of Justice, Homeland Security, and State, and the Social Security Administration, are the principal purchasers of information from resellers, said the GAO. They spent about $30 million to purchase consumer data in fiscal year 2005.

The GAO recommended that Congress write new laws to clarify how all parties ' government and private ' should follow Fair Information Practices.

 

Vermont State Colleges System Criticized for Late Public Notification of Theft

Newspapers in New England are reporting that officials in the Vermont State College System delayed notifying students and staff for about 3 weeks after a laptop computer containing potentially thousands of faculty, staff, student, and former student Social Security Numbers was discovered to have been stolen.

The laptop, stolen on Feb. 25, contained 6 years of personal information about as many as 20,000 people who were affiliated in one way or another with five state colleges.

The theft was discovered in 3 days, and access to the network system by the laptop was blocked, said Linda Hilton, chief information officer for the college network. The public was not informed for another 3 weeks because the schools needed time to determine whose data was on the laptop.

In addition to condemning the delay, potential privacy victims criticized the colleges for sending notices solely by e-mail. One former student interviewed by a newspaper said that he does not check his old e-mail address, and that notification by mail would have been a valuable additional security precaution.

To date, the colleges have not received information that any person has been harmed by the potential loss of personal information.

 

Opponents of IRS Proposal Testify

At an April 4 hearing, the Internal Revenue Service ('IRS') heard strong warnings from consumer advocates, attorneys general, and tax preparation firms that its proposal for allowing sharing of taxpayer information by tax preparers has the potential to significantly erode protection of consumers' financial records. The proposed rule would amend '7216 of the Internal Revenue Code; it can be read at www.irs.gov/newsroom/article/0,id=151368,00.html.

Attorneys general from 46 states and Washington, D.C., sent a joint letter dated April 3 to the IRS that outlined their concerns. 'We are greatly concerned that this regulation ' will erode consumer privacy and the security of sensitive personal information, with a consequent increase in such serious problems as identity theft and intrusive or even abusive marketing practices,' they wrote. The letter can be read at http://ag.ca.gov/newsalerts/cms06/06-031_0a.pdf?PHPSESSID=9827f0b68f98ebea47a8c3fa74e78fe5.

The IRS's proposal would allow tax preparers greater latitude in sharing their clients' financial and other information with third parties. In return, the rules would standardize and tighten up disclosure requirements for tax preparers to seek consumers' permission for sharing information.

The IRS views the new regulations as a necessary update of rules that were written long before the Internet made it inexpensive to share tax preparation data, including farming out returns to overseas preparers. But the attorneys general don't see it that way. 'In the guise of increasing taxpayers' control over their return information, the IRS wants to move in exactly the opposite direction,' said California attorneys general Bill Lockyer (D) prior to the hearing. Lockyer and Washington Attorney General Rob McKenna (R) co-wrote the attorneys' general IRS letter.

Opposition to the rule by attorneys general was matched by representatives of tax preparation firm H&R Block and tax software developer Intuit. 'The rule must clearly prohibit the sale or rental of tax return information by the tax preparer to third parties,' declared Barbara Lawler, Intuit's chief privacy officer, at the IRS hearing.

H&R Block's Murray Walton said that his firm also opposes the sharing or selling of consumer financial information to unaffiliated parties, adding that it is 'repugnant.' However, the rule would not affect sharing or selling information to affiliated third parties, such as a mortgage company owned by H&R Block.

The IRS did not issue a statement about when it anticipates finalizing the rule.

 

New House Privacy Bill Generates Kudos from Privacy Groups

Less than 2 weeks after condemning a U.S. House committee for a privacy breach notification bill, privacy advocates praised a different bill that passed the House Energy and Commerce Committee unanimously on March 30. The new bill, The Data Accountability and Trust Act ('DATA' or HR 4127), would require businesses and organizations that experience a data breach to 'notify each individual of the United States whose personal information was acquired by an unauthorized person as a result of such a breach.'

The notification provision is far stronger than that contained in The Financial Data Protection Act of 2005 (HR 3997), which passed the House Financial Services Committee by a 48-17 vote on March 16. That bill was sharply criticized by the Consumers Union and others for setting the notification barrier so high that consumers would rarely be contacted about a breach. Consumer advocates also charged that HR 3997 would negate stronger state regulations and give information brokers a loophole to escape many of its provisions. One California state senator said the bill would 'set the identity theft prevention efforts back 5 years.'

The new DATA bill changes the threshold to a 'reasonable risk' of identity theft, which is a lower 'trigger' for notification. Also, data brokers are covered under the bill, and it defines them as companies that sell non-customer data to non-affiliated third parties.

'We're pleased with the compromise 'trigger' language relating to when a business must notify individuals of a breach of their personal information,' said a joint statement from the same organizations that criticized the earlier bill. 'There are, of course, changes we would like to see to the bill ' However, we believe [it] represents a reasonable compromise.'

DATA is not yet scheduled for a vote in the House, but its 41-0 passage in committee bodes well for final approval. 'The bill sends a clear message: 'If you can't protect it, don't collect it,” said Rep. John Dingell (D-MI), the Energy and Commerce Committee's ranking member, in a statement.

The bill also expands the Federal Trade Commission's authority to regulate privacy breaches and to audit companies for up to 5 years after they have suffered a privacy breach.

Ninth Circuit Supports Search Warrant for Web Site Member; But Conservative and Liberal Judges Dissent

The Ninth Circuit Court of Appeals decided that mere membership in a pornographic Web site containing both legal and illegal porn is enough to authorize the FBI to search a home computer (U.S. v. Gourde, No. 03-30262).

The case arose when Micah Gourde, 29, of Castle Rock, WA, paid $19.95 per month for a 2-month membership in a pornographic Web site, www.lolitagurls.com, which contained pictures of legal adult porn as well as illegal child pornography. FBI agents raided the owners of the lolitagurls Web site in Iowa, confiscated the host computer, and prosecuted the owner. They also sought a warrant to search Gourde's computer, arguing that there is a 'fair probability' that customers of child pornography Web sites download the illegal images. Gourde challenged the warrant based on the Fourth Amendment and sought to suppress more than 100 images of child pornography seized from his home computer.

In a 7-2 ruling, the Ninth Circuit said that it 'neither strains logic nor defies common sense to conclude 'that someone who paid for access to a Web site that carries child pornography probably downloaded images.'

However, two judges who are on the liberal and conservative extremes of the court joined forces in strongly dissenting from the ruling. 'The majority concludes that the [search warrant] affidavit made out probable cause by assuming that anyone who subscribes to an internet site with both legal and illegal material must collect illegal material from the site,' wrote Judge Andrew Kleinfeld, a conservative appointee of President George H.W. Bush.

'This assumption stacks inference upon inference until the conclusion is too weak to support the invasion of privacy entailed by a search warrant,' wrote Kleinfeld in dissent.

In an unlikely union, Ninth Circuit Judge Stephen Reinhardt, the appeals court's most liberal voice, dissented along with Kleinfeld, writing: 'In this age of increasing government surveillance, lawful and unlawful, and of the retention of all our deeds and thoughts on computers long after we may believe they have been removed, it is important that courts not grow lax in their duty to protect our right to privacy and that they remain vigilant against efforts to weaken our Fourth Amendment protections.'

Colin Fieman, a defense lawyer with the Tacoma, WA, federal public defender's office, called the ruling 'troubling,' and said he would seek U.S. Supreme Court review. 'I think the key issue that wasn't addressed in the en banc decision was the fact that it was a mixed-content site,' Fieman said. 'Courts' traditional view is that if a search is based entirely on membership, it has to be an organization with a wholly illegitimate purpose.'

 

Jumpstart Technologies to Pay $900,000 Penalty

Internet marketer Jumpstart Tech-nologies LLC agreed to pay a $900,000 civil penalty, the largest assessed under the CAN-SPAM Act to date, to settle a complaint filed by the Federal Trade Commission ('FTC'), the FTC announced on April 3. The consent decree was filed in the Northern District of California on March 21.

The FTC complaint alleged that Jumpstart Technologies sent commercial e-mails for its FreeFlixTix promotion that appeared to be personal messages. The messages contained deceptive subject lines and headers to evade spam filters, according to the FTC. The complaint further alleged that the offer in the e-mail promotions was deceptive and violated '5 of the FTC Act prohibiting unfair and deceptive business practices.

Under the settlement, Jumpstart Technologies admitted to no wrongdoing. In addition to the monetary penalty, the company is barred from violating the law in the future, according to the consent decree.

GAO Finds Government Agencies, Private Resellers Overstep Bounds in Collecting Consumer Information

The Government Accountability Office ('GAO') issued a report on April 4 that states that federal agencies are increasing their purchase of information about individual consumers from resellers in order to support law enforcement, counterterrorism, and other investigations ' but neither the agencies nor their contractors are adequately following federal rules to protect citizens' privacy.

The report, 'Personal Information: Agencies and Resellers Vary in Providing Privacy Protections,' can be read at http://www.gao.gov/new.items/d06609t.pdf.

Among the most common offenses: exceeding legal limits on the information that can be collected and used about law-abiding citizens under the Privacy Act of 1974 and other laws, and insufficient oversight to ensure the accuracy of information that is collected.

Because private information collection agencies operate under less stringent rules than government agencies (or perceive that they can), the erosion in consumer privacy is increasing. One example that the GAO found was that private resellers rarely tell consumers about all of the ways that their information might be shared and utilized.

In fact, the GAO testified at a hearing before a subcommittee of the House Judiciary Committee on April 4 that the very nature of what resellers do is 'largely at odds' with the Fair Information Practices principles to which government agencies are supposed to adhere. These principles define what agencies can collect, how they can use it, and how they are to verify its accuracy. 'For example, the principles that the collection and use of personal information should be limited and its intended use specified are largely at odds with the nature of the information reseller business, which is based on obtaining personal information from many sources and making it available to multiple customers for multiple purposes,' the GAO concluded.

The Departments of Justice, Homeland Security, and State, and the Social Security Administration, are the principal purchasers of information from resellers, said the GAO. They spent about $30 million to purchase consumer data in fiscal year 2005.

The GAO recommended that Congress write new laws to clarify how all parties ' government and private ' should follow Fair Information Practices.

 

Vermont State Colleges System Criticized for Late Public Notification of Theft

Newspapers in New England are reporting that officials in the Vermont State College System delayed notifying students and staff for about 3 weeks after a laptop computer containing potentially thousands of faculty, staff, student, and former student Social Security Numbers was discovered to have been stolen.

The laptop, stolen on Feb. 25, contained 6 years of personal information about as many as 20,000 people who were affiliated in one way or another with five state colleges.

The theft was discovered in 3 days, and access to the network system by the laptop was blocked, said Linda Hilton, chief information officer for the college network. The public was not informed for another 3 weeks because the schools needed time to determine whose data was on the laptop.

In addition to condemning the delay, potential privacy victims criticized the colleges for sending notices solely by e-mail. One former student interviewed by a newspaper said that he does not check his old e-mail address, and that notification by mail would have been a valuable additional security precaution.

To date, the colleges have not received information that any person has been harmed by the potential loss of personal information.

 

Opponents of IRS Proposal Testify

At an April 4 hearing, the Internal Revenue Service ('IRS') heard strong warnings from consumer advocates, attorneys general, and tax preparation firms that its proposal for allowing sharing of taxpayer information by tax preparers has the potential to significantly erode protection of consumers' financial records. The proposed rule would amend '7216 of the Internal Revenue Code; it can be read at www.irs.gov/newsroom/article/0,id=151368,00.html.

Attorneys general from 46 states and Washington, D.C., sent a joint letter dated April 3 to the IRS that outlined their concerns. 'We are greatly concerned that this regulation ' will erode consumer privacy and the security of sensitive personal information, with a consequent increase in such serious problems as identity theft and intrusive or even abusive marketing practices,' they wrote. The letter can be read at http://ag.ca.gov/newsalerts/cms06/06-031_0a.pdf?PHPSESSID=9827f0b68f98ebea47a8c3fa74e78fe5.

The IRS's proposal would allow tax preparers greater latitude in sharing their clients' financial and other information with third parties. In return, the rules would standardize and tighten up disclosure requirements for tax preparers to seek consumers' permission for sharing information.

The IRS views the new regulations as a necessary update of rules that were written long before the Internet made it inexpensive to share tax preparation data, including farming out returns to overseas preparers. But the attorneys general don't see it that way. 'In the guise of increasing taxpayers' control over their return information, the IRS wants to move in exactly the opposite direction,' said California attorneys general Bill Lockyer (D) prior to the hearing. Lockyer and Washington Attorney General Rob McKenna (R) co-wrote the attorneys' general IRS letter.

Opposition to the rule by attorneys general was matched by representatives of tax preparation firm H&R Block and tax software developer Intuit. 'The rule must clearly prohibit the sale or rental of tax return information by the tax preparer to third parties,' declared Barbara Lawler, Intuit's chief privacy officer, at the IRS hearing.

H&R Block's Murray Walton said that his firm also opposes the sharing or selling of consumer financial information to unaffiliated parties, adding that it is 'repugnant.' However, the rule would not affect sharing or selling information to affiliated third parties, such as a mortgage company owned by H&R Block.

The IRS did not issue a statement about when it anticipates finalizing the rule.

 

New House Privacy Bill Generates Kudos from Privacy Groups

Less than 2 weeks after condemning a U.S. House committee for a privacy breach notification bill, privacy advocates praised a different bill that passed the House Energy and Commerce Committee unanimously on March 30. The new bill, The Data Accountability and Trust Act ('DATA' or HR 4127), would require businesses and organizations that experience a data breach to 'notify each individual of the United States whose personal information was acquired by an unauthorized person as a result of such a breach.'

The notification provision is far stronger than that contained in The Financial Data Protection Act of 2005 (HR 3997), which passed the House Financial Services Committee by a 48-17 vote on March 16. That bill was sharply criticized by the Consumers Union and others for setting the notification barrier so high that consumers would rarely be contacted about a breach. Consumer advocates also charged that HR 3997 would negate stronger state regulations and give information brokers a loophole to escape many of its provisions. One California state senator said the bill would 'set the identity theft prevention efforts back 5 years.'

The new DATA bill changes the threshold to a 'reasonable risk' of identity theft, which is a lower 'trigger' for notification. Also, data brokers are covered under the bill, and it defines them as companies that sell non-customer data to non-affiliated third parties.

'We're pleased with the compromise 'trigger' language relating to when a business must notify individuals of a breach of their personal information,' said a joint statement from the same organizations that criticized the earlier bill. 'There are, of course, changes we would like to see to the bill ' However, we believe [it] represents a reasonable compromise.'

DATA is not yet scheduled for a vote in the House, but its 41-0 passage in committee bodes well for final approval. 'The bill sends a clear message: 'If you can't protect it, don't collect it,” said Rep. John Dingell (D-MI), the Energy and Commerce Committee's ranking member, in a statement.

The bill also expands the Federal Trade Commission's authority to regulate privacy breaches and to audit companies for up to 5 years after they have suffered a privacy breach.