Privacy on the Net


Take care when surfing the internet.

Transcript of Privacy on the Net

Page 1: Privacy on the Net

PRIVACY ON THE NET

Page 2: Privacy on the Net

DEFINITION & SCOPE OF PRIVACY

The electronic community is faced with a dilemma: the tug of war between the desire for a free flow of information and the need for privacy.

Page 3: Privacy on the Net

Privacy has been defined as ‘the claim of individuals, groups or institutions to determine for themselves when, how and to what extent information about them is communicated to others’. The simple definition is “the right to be let alone”.

Page 4: Privacy on the Net

Generally, privacy can be defined as the quality or condition of being secluded from the presence or view of others; the state of being concealed; secrecy.

However, it is undesirable to adopt this definition because not all secret information is subject to privacy protection and not everything that is disclosed loses its privacy characteristic.

Page 5: Privacy on the Net

It suffices to say that the term ‘privacy’ refers to the privilege of an individual to be free from any interference by others with any of his/her private activities, so long as these activities are not illegal and do not harm others.

Page 6: Privacy on the Net

It is claimed that privacy does not need specific legal recognition because, when there is an illegal intrusion into the right to privacy, the plaintiff can claim a remedy under existing legal doctrines such as defamation, breach of intellectual property rights, breach of confidential information, or even breach of contract or trust.

However, the existing legal doctrine is not sufficient to protect one’s privacy.

Page 7: Privacy on the Net

THE SOURCE OF THE RIGHT TO PRIVACY

The right to privacy is recognized as a fundamental human right, as declared in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil & Political Rights. Some countries recognize this right as a constitutional right of individuals.

Page 8: Privacy on the Net

EXAMPLES OF PRIVACY CASES IN DAILY TRANSACTIONS

Computers are able to collect a lot more information in circumstances where few records were previously gathered. Consider the use of debit and credit cards as opposed to cash payment. A purchase made with a credit card in a retail store records the amount of the transaction, the time, the date, and the identity and location of the purchaser. Cash payments normally leave no such trail.

Many automated teller machines operate in this way as part of the system of a financial institution. Being online permits transactions to be processed immediately; the impact on the parties to the transaction is instantaneous. This will allow the operator to determine the exact location of those concerned. Moreover, the sharing of a network may allow the parties to it to gain access to information not previously available to them.

Page 9: Privacy on the Net

PROBLEMS ARISING WITH ONLINE PRIVACY

Cookies

Online services can track and record our activities

Online services can access information in our computer without our knowledge

Page 10: Privacy on the Net

SOURCE OF RIGHT TO PRIVACY UNDER THE U.S. CONSTITUTION

Under the U.S. Constitution, the source of this right requires us to consider the Fourth, Fifth and Ninth Amendments to the U.S. Constitution, as applied to the states by the Fourteenth Amendment.

Page 11: Privacy on the Net

The Fourth Amendment provides: “the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated: and no Warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Page 12: Privacy on the Net

Example Cases of the Fourth Amendment

Case 1

o In Griswold v. Connecticut (1965), the U.S. Supreme Court declared unconstitutional a state law prohibiting the use of birth control devices and the giving of advice concerning their use.

o This case held that an important element of this right was establishing the existence of a “reasonable expectation of privacy”.

Page 13: Privacy on the Net

o Minimum requirements for establishing a “reasonable expectation of privacy”:

1. A person exhibits an actual expectation of privacy. Consider what you expect when entering an area or location, e.g. your bedroom, which you desire to be “off limits” to others. Or consider what level of privacy an employee should anticipate with regard to his office, desk, file cabinet or floppy disk.

2. Society recognizes the expectation as reasonable. In addition to your expectation of privacy when you close the door to your bedroom or your file or your office, enter a public phone booth, send an e-mail, or surf a Web site?

Page 14: Privacy on the Net

Case 2

o Olmstead v. United States, 277 U.S. 438 (1928)

This is a 1928 U.S. Supreme Court case in which the court examined the question of whether the use of wiretapped private telephone conversations, obtained by federal agents without judicial approval, as evidence constituted a violation of the defendant’s rights provided by the Fourth and Fifth Amendments.

Page 15: Privacy on the Net

Case 3

o California v. Greenwood, 486 U.S. 35 (1988), was a case in which the Supreme Court of the United States held that the Fourth Amendment does not prohibit the warrantless search and seizure of garbage left for collection outside the curtilage of a home.

Page 16: Privacy on the Net

Case 4

o Katz v. United States, 389 U.S. 374 (1967), was a U.S. Supreme Court decision that extended the Fourth Amendment protection from unreasonable searches and seizures to protect individuals in a telephone booth from wiretaps by authorities without a warrant.

Page 17: Privacy on the Net

Case 5

o Kyllo v. United States, 533 U.S. 27 (2001), held that the use of a thermal imaging device from a public vantage point to monitor the radiation of heat from a person’s apartment was a “search” within the meaning of the Fourth Amendment, and thus required a warrant. Because the police in this case did not have a warrant, the Court reversed Kyllo’s conviction for growing marijuana.

Page 18: Privacy on the Net

Case 6

o California v. Ciraolo, 476 U.S. 207 (1986): whether the Fourth Amendment is violated by aerial observation without a warrant from an altitude of 1000 feet of a fenced-in backyard within the curtilage of a home… The court held that the fact that the area is within the curtilage does not itself bar all police observation… The Fourth Amendment protection of the home has never been extended to require law enforcement officers to shield their eyes when passing by a home on public thoroughfares… Such observation is precisely what a judicial officer needs to provide a basis for a warrant… Any member of the public flying in this airspace who glanced down could have seen everything that these officers observed… On this record, we readily conclude that respondent’s expectation that his garden was protected from such observation is unreasonable and is not an expectation that society is prepared to honor.

Page 19: Privacy on the Net

o In establishing privacy rights associated with cyberspace, these requirements, at a minimum, will have to be satisfied concerning the mass of information, some of a personal nature, being disseminated and accumulated over the Internet.

Page 20: Privacy on the Net

The Fifth Amendment provides: “No person… shall be compelled, in any criminal case, to be a witness against himself.”

o This does not apply when a person voluntarily turns over documents, records, files and papers to a law enforcement agency or official. Similarly, the public records of a corporation are not subject to this provision, even if they contain incriminating evidence.

Page 21: Privacy on the Net

o A cyber law application of the Fifth Amendment involves the act of encrypting a file that contains possibly incriminating information.

o Encryption involves using encoding methods, i.e. using key codes and secured passwords, to block access to certain documents, for example in the case of Doe v. United States, 487 U.S. 201 (1988).

Page 22: Privacy on the Net

o The Fifth Amendment’s protections often relate to police interrogations and confessions by suspects. Originally, at common law, any confession, however obtained (even by torture), was admissible in court. In the 18th century, common law in England came to provide that coerced confessions were inadmissible. The common law rule was incorporated into American law by the courts. However, the use of brutal torture to extract confessions was routine in some rural states as late as the 1930s, and stopped only after the U.S. Supreme Court kept throwing out convictions based on such confessions, in cases like Brown v. Mississippi, 297 U.S. 278 (1936).

Page 23: Privacy on the Net

CASES ON FIFTH AMENDMENT

Schmerber v California 384 US 757 (1966)

Hiibel v Sixth Judicial District Court 542 US 177 (2004)

Page 24: Privacy on the Net

The Ninth Amendment provides: “The enumeration in the Constitution of certain rights shall not be construed to deny or disparage others retained by the people.”

o This amendment was probably the genesis used by the courts and legal scholars to create a kind of right to privacy.

o Griswold v Connecticut 381 US 479 (1965)

Page 25: Privacy on the Net

ONLINE PRIVACY AND THE LAW

The U.S. has taken a sectoral approach to privacy by enacting laws that apply to specific and practices.

Page 26: Privacy on the Net

This approach is different from that of the European nations, Canada, Australia, New Zealand and Hong Kong. These countries have enacted omnibus data protection laws which cover the full medium of uses of personal information.

In protecting consumer privacy, the committee that plays a vital role is the Federal Trade Commission (FTC).

Page 27: Privacy on the Net

U.S. FEDERAL PRIVACY LAWS

Privacy Protection Act 1980 (PPA)

Privacy Act 1974

Cable Communications Protection Act 1984 (CCPA)

Video Privacy Protection Act 1988 (VPPA)

Telephone Consumer Protection Act 1991 (TCPA)

Fair Credit Reporting Act 1970 (FCRA)

Computer Fraud And Abuse Act 1986 (CFAA)

Page 28: Privacy on the Net

Electronic Communications Privacy Act 1986 (ECPA)

Inbox Privacy Act 1999

Identity Theft and Assumption Deterrence Act 1998 (ITAD)

Right to Financial Privacy Act 1978

Health Insurance Portability and Accountability Act 1996 (HIPAA)

Children’s Online Privacy Protection Act 1998 (COPPA)

Page 29: Privacy on the Net

PRIVACY PROTECTION ACT 1980 (PPA)

The PPA applies to law enforcement agencies and allows Fourth Amendment protection against the unreasonable search and seizure of: “Work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public, a newspaper, book, broadcast, or other similar form of public communication, in or affecting interstate commerce.”

The PPA applies to those qualifying as electronic publishers who use the Internet for the interstate transmission of their messages.

Page 30: Privacy on the Net

PRIVACY ACT 1974

The Privacy Act has been described as a kind of “omnibus” code of fair information practices designed to regulate the collection, maintenance, use, and disclosure of personal information by federal agencies by establishing requirements that must be satisfied before government agencies or departments can disclose records and documents in their possession that contain personal information about individuals.

Page 31: Privacy on the Net

This Act applies to records and documents that identify an individual by name, Social Security number, or other means of personal identification such as a photograph, fingerprint, or voiceprint.

In order for the Act to apply to the Internet, personal information about a person would have to be stored in a file containing one of these identifying features.

Page 32: Privacy on the Net

CABLE COMMUNICATIONS PROTECTION ACT 1984 (CCPA)

CCPA applies to cable television operators and is concerned with the privacy rights a subscriber should expect regarding personal data or information about them that a cable television operator gathers.

Page 33: Privacy on the Net

VIDEO PRIVACY PROTECTION ACT 1988 (VPPA)

VPPA expands the Cable Communications Protection Act. It prohibits the use and disclosure of personal information about the videocassettes and related products an individual rents or purchases unless their written permission is obtained.

This Act could be applied to rentals and purchases of videos and related products via the Internet.

Page 34: Privacy on the Net

TELEPHONE CONSUMER PROTECTION ACT 1991 (TCPA)

TCPA was a direct result of the telemarketing activities arising from the transmission of telephone solicitations originating from automatic dialers.

Page 35: Privacy on the Net

TCPA provides the following:

1. It is illegal to make a phone call by means of an automatic dialing system or prerecorded voice that results in the party called being charged for the call.

2. It prohibits the use of any device to send an unsolicited advertisement to a telephone facsimile machine.

3. Companies engaging in telephone telemarketing are required to set up “do not call” lists for consumers who do not wish to receive these types of calls.

Page 36: Privacy on the Net

ELECTRONIC COMMUNICATIONS PRIVACY ACT 1986 (ECPA)

Covers e-mail privacy in the workplace. This Act prohibits unauthorized interception and accessing of e-mail, with fines of up to $10,000 and up to one year of imprisonment.

The law, however, includes certain exceptions permitting e-mail service providers to intercept and access e-mail as part of the activity necessary to provide the service.

Employers are also prevented from monitoring employees’ e-mail unless the employer’s policy allows this practice and the employees know about it.

Page 37: Privacy on the Net

ECPA was a major issue before the court in Andersen Consulting LLP v. UOP, 991 Fed. Supp. 1041 (N.D. Ill. 1998).

In Andersen, the defendant maintained an internal e-mail system and allowed the plaintiff, UOP, to use it. The defendant disclosed some of the plaintiff’s e-mail messages to the newspaper that published them and the plaintiff sued under the ECPA.

Page 38: Privacy on the Net

INBOX PRIVACY ACT 1999

Its purpose is to prohibit the transmission of unsolicited commercial electronic mail. A person is prohibited from initiating the transmission of unsolicited commercial electronic mail to another person if such person declines to receive it.

Page 39: Privacy on the Net

FAIR CREDIT REPORTING ACT 1970 (FCRA)

The purpose of the FCRA is to ensure that the credit reports furnished by consumer credit reporting agencies, including requests sent online, are accurate, impartial and respect privacy.

An example would be when a credit card, insurance company or financial institution uses credit information to profile consumers for unsolicited e-mail (spam) marketing offers.

Page 40: Privacy on the Net

COMPUTER FRAUD AND ABUSE ACT 1986 (CFAA)

The primary purpose of CFAA is to protect national security by prohibiting the international access of data stored in computers belonging to or benefiting the U.S. government.

Page 41: Privacy on the Net

IDENTITY THEFT AND ASSUMPTION DETERRENCE ACT 1998

The fear of identity theft plagues the information age. Identity theft can range from the unauthorized use of our credit card to someone creating “our duplicate” complete with our birthday and social security number and leaving us with a pile of unpaid bills.

Page 42: Privacy on the Net

CHILDREN’S ONLINE PRIVACY PROTECTION ACT 1998 (COPPA)

COPPA protects children under the age of 13.

The FTC has established new rules for website operators to make sure that kids’ privacy is protected while they are online.

Page 43: Privacy on the Net

Under the Act, websites that are directed to children or that collect information must post a notice of their information collection practices that includes: the types of personal information they collect, how the site will use the information, and whether that information will be forwarded to a third party.

Most importantly, the website operators are required to get parental consent before collecting, using or disclosing personal information about a child.

Page 44: Privacy on the Net

Other countries have legislated data protection laws to protect privacy.

Page 45: Privacy on the Net

PRIVACY PROTECTION AND DATA FLOW

Page 46: Privacy on the Net

TRANSBORDER DATA FLOW (TBDF)

TBDF is defined as all kinds of electronic transmission of personal information across political and boundaries for processing or storing in computer files.

It concerns the transfer of personal information across sovereign geographic boundaries.

Page 47: Privacy on the Net

WHY IS TBDF IMPORTANT?

Because of its significance to economic growth and international trade.

Its importance arises from 4 basic principles:

The vital importance of the efficient exchange of information in the development and growth of modern international trade and production.

Page 48: Privacy on the Net

The right of business to communicate freely within and outside its corporate structure.

The vital importance of the efficient exchange of information in the development and growth of modern international trade and production.

The necessity of recognizing the world-wide interdependence of modern business communication.

Page 49: Privacy on the Net

Because of this, many parties recommend that governments strike an appropriate balance in privacy and data protection legislation.

Governments, in doing so, should recognize the world-wide dependence of modern business on transborder flows and not legislate in such a way as to restrict these flows.

Page 50: Privacy on the Net

DEFINITION OF DATA

This term is only used to refer to the transfer of personal information; that is, information relating to individuals rather than information relating to companies or governments. For example, information relating to travel, or credit and health, as well as information about criminal convictions.

Page 51: Privacy on the Net

Personal data has been defined in the Convention and the OECD Guidelines as:

‘any information relating to an identified or identifiable individual.’

The above definition is extremely broad; it can include a number of data of very varying kinds (social security, bank accounts, etc.) and all kinds of commercial activity.

Page 52: Privacy on the Net

INTERNATIONAL INSTRUMENTS

There are three different international instruments governing the issue of transborder data flow and privacy protection:

Organization for Economic Cooperation and Development Guidelines (OECD)

Council of Europe Convention for the Protection of Individuals with regards to Automatic Processing of Personal Data (Convention)

European Community Directive on the Protection of Individuals (Directives)

Page 53: Privacy on the Net

OECD PRIVACY GUIDELINES

The guidelines seem to be a free data flow regulation rather than a data protection one. The OECD Privacy Guidelines are useful for establishing legal means to protect privacy on the electronic highway.

Page 54: Privacy on the Net

“A member country should refrain from restricting transborder flow of personal data between itself and another member country except where the latter does not yet substantially observe these guidelines. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.”

Page 55: Privacy on the Net

EIGHT BASIC PRINCIPLES OF OECD

The collection limitation principle requires that information must only be obtained through lawful means and with the knowledge or consent of the data subjects.

The data quality principle provides that only information relevant for the purpose of the collection be required by the collector of the data and such data must be up-to-date, accurate and complete.

The purpose specification principle states that the purpose for which the data is gathered must be disclosed to the data subject at the time it is collected and that such data shall only be used for that purpose or purposes.

Page 56: Privacy on the Net

The use limitation principle requires that information not be disclosed to a third party by the person who has collected it without the consent of the data subject, unless it is demanded by law.

The information must be protected by the collector who must take reasonable precautions to guard against loss, destruction and unauthorized use, access, modification or disclosure of it.

The data subjects ought to be able to readily determine the whereabouts, the use and purpose of personal data relating to them.

Page 57: Privacy on the Net

A data subject can obtain confirmation from the data collector that information is held by it, and obtain details of this information within a reasonable time. Data subjects should also be given reasons where access to data is denied. The data subject can also rectify inaccurate information and, where necessary, erase it.

The data collector ought to be accountable for complying with the above principles.

Page 58: Privacy on the Net

However, these guidelines do not form part of a binding legal document and accordingly may not be enforced.

However, many countries have put all these guidelines into their legislation, for example Australia, New Zealand, Hong Kong, Singapore and many other countries.

Page 59: Privacy on the Net

THE CONVENTION

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was promulgated because data protection has been seen as a question of human rights.

The fundamental idea is to protect privacy rather than to prevent transborder data barriers.

Page 60: Privacy on the Net

The Convention provides provisions to promote the transfer of personal information between countries which have equivalent data protection laws. Should this not be the case, then the Convention provides for restriction on the transfer of the data concerned.

Page 61: Privacy on the Net

Unlike the OECD guidelines, these provisions form part of a legal document that is binding on European countries and can be enforced.

However, it only applies to automated processing of personal information, so the transfer of information in manual form is not caught.

Page 62: Privacy on the Net

EUROPEAN UNION DIRECTIVE

The Directive initiative was based on two reasons:

The possibility that different levels of data protection laws could cause obstacles for border crossing data transfer.

The rights and freedoms of persons with regard to the processing of personal data.

Page 63: Privacy on the Net

It requires EU Member States to ensure that individuals have certain rights and the standards are set for data quality such as how to process the data fairly and lawfully.

The Directive regulates structured collections of manual data as well as data held in computerized form.

Page 64: Privacy on the Net

The Directive only permits data relating to an individual to be held with their consent, and such consent must be expressed, informed and fairly given.

The Directive also covers judicial remedies and penalties. It requires Member States to establish standard appropriate sanctions and remedies for breach of domestic data protection legislation.

Page 65: Privacy on the Net

The Member states are required to transpose the Directive’s principles into their national legislation within a time limit of three years i.e. by 1998.

By now all Member States have done so.

Page 66: Privacy on the Net

MALAYSIA POSITION

There is no specific provision on the right to privacy in the Constitution of Malaysia.

The Personal Data Protection Act drafted by the Ministry of Energy, Communications and Multimedia in the light of the OECD Guidelines and similar laws in the EU, Hong Kong and New Zealand has been passed by the Parliament.

Page 67: Privacy on the Net

In the area of security of networks and information placed in them, two laws have a direct bearing, namely the Computer Crimes Act 1997 and the Communications and Multimedia Act 1998.

Page 68: Privacy on the Net

COMPUTER CRIMES ACT 1997

The Act does not specifically mention the protection of data, but it may serve to protect the owner’s privacy.

Hacking and disclosing a password without authorization are among the crimes under this Act.

Page 69: Privacy on the Net

COMMUNICATIONS AND MULTIMEDIA ACT 1998

The Act deals with the security of networks and communications through them. The offences relating to privacy are:

The use of any device with the intention of obtaining without authority, information on the contents, sender or addresses of any communication;

Page 70: Privacy on the Net

The possession or creation of a system to gain fraudulent access to network facilities or services

Unlawful interception of any communications; disclosure or use of such intercepted communication