Sunday, May 25, 2008

Well, he was asking for it...

Normally, someone getting their identity stolen isn't news. It's annoying for the victim, but not of great enough consequence for the rest of the world to bear reporting. However, in this case, the person who's ID was stolen was Todd Davis. While that name might not be immediately familiar, it's a good bet you've seen Mr. Davis in the near-ubiquitous online adds for Lifelock, where he poses with his social security card to show just how confident he is in Lifelock's services. Thus, for him to have his identity stolen is not just news, it's also the trigger for a lawsuit by Lifelock customers saying that David's identity theft shows that he knew his product didn't work, even as he promoted it nationwide.
Of course, the filing of a lawsuit, and a decision by a court that Lifelock is liable for damages are two totally different things. Indeed, I'm not sure that the existence of one identity theft incident shows that Davis knew his service didn't work. Davis has been flashing his complete social security number all over the internet for years. The fact that he was only victimized once in that time seems (to me at least) to show that Lifelock's services really do work to mitigate the threat of identity theft, though they can't eliminate it entirely.

Tuesday, May 13, 2008

More Potential Legal Troubles for Google Streetview

Ever since its introduction, Google Streetview has raised concerns about privacy (see, e.g., here). Now, Streetview is being prepared for Europe, and apparently French law is presenting a problem. According to this article from Computer World, under French law, you are not permitted to publish images of people going about their business without their permission. The article says that that's a problem for Streetview because it could require Google to employ "an army of clipboard-wielding legal assistants asking bystanders to sign release forms as they sip their coffee."

My initial take on it is that something about the article doesn't make sense. While I'm not familiar with French law, it seems unbelievable to me that any country would have regulations that prevent the publication of pictures taken in public. After all, if French law really did include that requirement, it would seem completely incompatible with newspapers publishing pictures of crowds, such as might appear at political rallies and sporting events. In any case though, if the article's portrayal of French law really is correct, then it's an example of where I think giving individuals control over some aspect of their persona (in this case their image) goes too far. The loss of privacy from allowing pictures to be published without permission is slight (if it shows up on Google Streetview it was, by hypothesis, visible to the public). By contrast, the cost is real - loss of a popular product which could spin off potentially interesting follow on technologies. Thus, in this case, assuming the choice is real, I'd have to come down on the side of Google, rather than on the side of individual control of information.

Sunday, May 11, 2008

Pricing Personal Privacy

One perennial problem plaguing plaintiffs pursuing privacy protective pleadings is the difficulty in showing damages. When people have gone to court to try and obtain compensation from companies who exposed their personal data in a security breach incident (e.g., DSW Shoe, TJX, etc...) they have consistently lost because the courts say that they can't show damage, and therefore can't be compensated. One approach to this has been to try and argue that expenditures for dealing with the exposure of personal information (e.g., money spent on credit monitoring) should be compensated. However, courts have by and large rejected that approach, concluding that money spent on credit monitoring is intended to prevent future loss, and therefore isn't damages which the court can compensate.

However, according to this article from C|NET, criminal identity thieves have no problem valuing stolen data which has not yet been used for identity theft. Indeed, there was even a price list found on a server containing stolen business and personal data which said exactly what various accounts were worth (e.g., bank account with $16,040 had an asking price of 700 Euros; bank account with $14,400 had an asking price of 600 Euros, etc...). Now, do I think that courts should start using the price lists of criminal identity thieves to determine how to compensate victims in security breaches? No. I think a much better measure of damages would be quantifiable damages, such as the cost of replacing compromised credit cards (something I discussed here. However, even if the prices given for stolen accounts shouldn't be used as a measure of damages, they should at least be considered evidence that personal data, even if not used in identity theft, has value, and that that value should be recognized, either in current law (where it often isn't) or in future regulatory changes (where it might be).

Sunday, May 4, 2008

Private Information in Court Documents

As described in a pair of articles (here and here) from Computer World, privacy advocate Betty "BJ" Ostergren has been campaigning to have personal data removed from California court websites. BJ claims that she has turned up "complete tax filings, medical reports pertaining to cases handled by the court, and images of checks complete with signatures as well as account and bank-routing numbers" on the court's website. Further, she says that it's possible to retrieve similar documents by entering popular last names at random. The response to this from the court's personnel - that they have tens of millions of documents and finding personal information among them is like looking for a needle in a haystack - is not encouraging. Essentially, everyone who comes into contact with their system is defended through "security through obscurity," and there's nothing that they can do about it.

The question then, is whether the posting of thousands, perhaps tens or hundreds of thousands, of documents containing personal information to the court's website is a problem. As it happens, in my opinion is isn't. I think it is a huge benefit to society for courts to make filings publicly available. Indeed, full access to court records gives people the option of finding out how courts have handled various types of scenarios so that they can plan their actions accordingly. This ability to know (and therefore follow) the law is an indispensable aspect of any system where rule of law is taken seriously. If a court makes tens of millions of document available, I'm not at all surprised that some small percentage of them include information which shouldn't be made publicly available. Certainly that's regrettable, but I think it's a small price to pay for making courts and the law available to all.

Does that mean I think the status quo is optimal? No. I think the response from the court is totally inappropriate. The correct response would have been to to redact the personal information from the identified documents. Even then, the system wouldn't be perfect, since there's no guarantee that personal information would be discovered by privacy advocates who report it to court personnel rather than by criminals who would use it in identity theft. However, it doesn't make sense to expect any system to be perfect, and shutting down something so clearly positive as public access to court filings because they don't perfectly protect privacy would be a terrible mistake.