Monday, May 7, 2007
Shooting the messenger : Taking the Internet to court
Just for a moment, put yourself in the shoes of these two men:
Case No. 1: You’re just an average guy who meets a nice girl and you begin dating. After a few months, the new relationship sours and you decide to move on. But your ex-girlfriend doesn’t move on. She is angry and decides to warn everyone about you on a website called dontdatehimgirl.com. Using an anonymous username, she posts a photo of you, along with your full name, city and state and writes an invective-laden comment, accusing you of being a herpes-infected homosexual or bisexual, who passed on a sexually transmitted disease, and fathered numerous illegitimate children. You ask the website owner to pull the post, but learn that your only recourse is to post a comment as rebuttal to the offending post. The original post will remain, searchable to anyone who accesses the site, just by looking up your name.
Case No. 2: You’re a prominent businessman, with clients primarily in the legal and judicial profession. You decide to join a fledgling political party and soon become the party’s campaign manager and financier. You make some decisions that aren’t popular with some of the party members and they use websites such as Wikipedia and P2Pnet to criticize your decisions. But some go further, posting anonymous statements which you maintain are untrue and which you fear will seriously damage your professional and political reputation. You ask the site hosts to remove the offending posts, but they are either unable or unwilling to comply with your requests, or they do not comply quickly enough.
What would you – what could you – do next? Ignore the posts? Put up your own website to refute the libelous statements against you? Try to track down the anonymous posters and sue them? Or, sue the site hosts?
In both cases, the men at the centre of these attacks decided to fight back in court by suing the site hosts.
In the first scenario, Todd Hollis took the owner of website dontdatehimgirl.com, Tasha Cunningham, to court for allowing the posts in the first place and for refusing to pull them down. (Shout out to one-eyed view for bringing this site to my attention. He has an interesting post about it here). The factors leading to the judge’s decision to dismiss the case were not about the damage that may have been done to the plaintiff, nor about the fact that Ms. Cunningham is merely the messenger, not the originator of the message. The decision was made based on old-fashioned jurisdictional law: because the website originates in Florida and the lawsuit was filed in Pennsylvania, it was determined, through statistics from the site’s on-line shop, that few people in Pennsylvania would have seen the site. Therefore, the contacts in Pennsylvania were limited. It seems the door is open for Hollis to re-file his suit in Florida. In the meantime, he is planning to sue the woman who anonymously made the posting, which remains to this day on dontdatehimgirl.com.
In the second scenario, Wayne Crookes decided last month to file suit against three sites: Google, P2Pnet.net and openpolitics.ca. Because Crookes is Canadian, this case has been filed in British Columbia, Canada. In a recent interview with the Globe and Mail, Crookes says that he is holding the site hosts responsible for the offending anonymous posts:
"I hope that the outcome is that people will realize they have obligations
and that they will be forced to accept responsibility for their actions. The
larger the organization, the greater the expectation that they will be held
accountable for their actions."
Both of these cases have wide implications for site hosts, free speech and anonymity.
Already, the Wikipedia article about Wayne Crookes has been all but expunged to the point that it is challenging to find the posts which ignited the lawsuit in the first place. What chilling effect will this particular lawsuit and others like it have on site hosts, as the laws vary from one jurisdiction to another?
Will more individuals feel less inclined to put their names to posts, even if they strongly feel they are serving a wider public good? Should there be a looser set of criteria for libel if one is a public figure, working in the public trust, such as Mr. Crookes, versus a more rigorous standard for the average citizen, like Mr. Hollis?
Anonymity on the internet is essential to giving a voice to those who might otherwise be silenced. We don’t all live in truly democratic nations, and the Internet is a global community. Even in Western democratic nations, whistleblowers still need extraordinary protections if they choose to go public.
It will be interesting to follow these two cases on both sides of the border – one private citizen, one public figure. How will the judges decide what is more important – the greater good, or the rights of the individual? The odds seem to favour the greater good, which will likely be small comfort to Mr. Hollis and Mr. Crookes.
Just put yourself in their shoes.
Posted by Sharon E. Herbert at Monday, May 07, 2007
Labels: Anonymity, Blogging, Defamation, Free speech, Google, Lawsuits, Legislation, Libel, Whistleblowers
Thursday, April 26, 2007
Google Search Blocks Canadian's Entry into U.S.
An alarming report from Tuesday’s Globe and Mail:
Nearly 40 years ago, a young psychotherapist embraced two-thirds of LSD guru Timothy Leary's advice to the Sixties generation to "turn on, tune in and drop out." Curious how LSD and other hallucinogens might be used in treating patients, Andrew Feldmar turned on and tuned in himself. But he never dropped out. And, no fan of the late Dr. Leary, Mr. Feldmar took his last hit of acid in 1974.
Thirty-two years, however, turned out to be but an instant in the long, unrelenting U.S. war on drugs. Last summer, in an incident that has just come to light, Mr. Feldmar, now 66, was banned from entering the United States because of his long-ago use of LSD. Because Mr. Feldmar had never been charged with possession of the once-popular illegal drug, privacy advocates are even more alarmed by the way U.S. border guards at the busy Peace Arch crossing near Vancouver found out about it.
The guards simply looked up Mr. Feldmar on the Internet and discovered his own article about using LSD, written for the scholarly, peer-reviewed journal Janus Head.
Eugene Oscapella, an Ottawa lawyer involved in privacy issues for 20 years, said the incident sends a frightening message to Internet users, particularly those who bare their souls online. "Don't ever put anything about any illegal activity on the Internet," Mr. Oscapella warned yesterday. "It leaves a digital footprint for all to see, and it's there forever. "We've gone beyond Orwellian measures. The state can now do things with a flick of the switch that used to be incredibly labour intensive."
A major blow to free speech and another reason to think twice before putting any of your personal information on the Internet.
Mr. Feldmar was held at the border for five hours, before being allowed to return to Canada after signing an admission that he had once violated the U.S. Controlled Substance Act. He said he signed out of fear that he might be kept in custody even longer if he refused.
Willie Hicks, public affairs officer for the border crossing, said yesterday that Mr. Feldmar admitted violating U.S. drug laws "in a sworn statement. "I don't make the laws. That's the policy, and we enforce the laws at the border. It is up to the discretion of our officers who gets to go across."
Posted by Sharon E. Herbert at Thursday, April 26, 2007
Labels: Blogging, Border, Identity, Internet, Legislation, Privacy, United States
Wednesday, April 18, 2007
Was your privacy breached today?
Consider these scenarios:
- Your new husband’s ex-wife, who works for a medical office, looks up your medical records.
- The mail delivery cart in a government office is left unattended in a public area while the mail clerk takes a coffee break.
- You drop by your boss’s office to update her on your project and notice a disciplinary report on her desk, with the name of a fellow manager showing prominently on the front page
- You open your annual pension plan update and discover someone else’s report is in the envelope instead of your own
- A major retailer discovers that their network has been hacked, with potentially hundreds of thousands of customer credit card numbers accessed
- Your friend in the benefits department tells you at lunch that a co-worker and mutual friend has been submitting claims for visits to a psychiatrist for the past several months.
Which of these scenarios would you consider to be a privacy breach? If you answered all of them, you would be right. According to Canadian privacy legislation, data that is collected or disclosed without authorization is considered a privacy breach. It doesn’t matter that the breach was overt, inadvertent or accidental; the consequences and implications are equally severe.
Security is a means to achieve privacy. Security is established through rigid policies and procedures, a code of ethics and regular training for staff. Security is also established on the information technology side by restricting data access to only those who need it. For example, the government health minister, responsible for overseeing policy direction for his jurisdiction, does not require access to citizen health records to do his job, while a clerk responsible for verifying medical claims does require access to those records. While one might expect the health minister to understand the importance of ensuring the privacy of medical records, it is the staff member who actually accesses the records who is in most need of training. And often, these front-line staff are the least-trained in the organization, yet they have the greatest potential to cause a security breach, the majority of which will be accidental or inadvertent.
Organizations need to ensure that the staff who assume the greatest risk through their exposure to confidential information receive annual training about their obligations with respect to privacy legislation and the potential consequences of a privacy breach. Organizations also need a clear set of policies and procedures for dealing with privacy breaches.
Organizations need to ensure that their I.T. departments have adequate budgets to ensure regular upgrades to hardware and software, as well as regular training for their staff.
Governments also need to strengthen privacy legislation to ensure that organizations are accountable to the public in the event of a privacy breach. In the case of the recent TJ Maxx hacking, for example, most U.S. states and Canadian provinces had no legal requirement for the retailer to inform customers that their credit card data had been compromised. Monday's session at the Prairie health information privacy conference highlights the ongoing challenge that privacy breaches, inadvertent or otherwise, present to the public and private sector.
So think back on where you were today – where you work, where you shop, where you ate lunch, where you live – do you know if your privacy was breached today?
Posted by Sharon E. Herbert at Wednesday, April 18, 2007
Labels: Employment, Ethics, Legislation, Privacy, Privacy breaches


