Slashdot Mirror

The problem with public records is that their effect was far more localized before the internet. Now you don't have to go down to the courthouse and ask to review the records; you can find out everything about everyone with a browser. This is an excellent read that discusses the problems with public records and the internet explosion far better than I can do in a single Slashdot comment.

Posting as AC because I'm technically a felon. No, really. Now get off my lawn.

It's a train he has no right to privacy.

Not strictly true at least with regard to being monitored by an employer. There are Federal and often State laws regarding whether recording is permitted in some circumstances. While employers usually have wide latitude they cannot legally record anywhere without limitation. Furthermore when a union gets involved then the right of the company to record may be subject to a collective bargaining agreement.

I doubt it. I think it is far more likely that the pharmacy sells this information to insurance, pharmaceutical, and marketing companies. Big data is big business these days. So long patient confidentiality.

Definitely not. Pharmacies and PBMs are prohibited from selling patient health information. PBMs sell aggregated information to pharma companies, so they can understand the drug trends in an area. They sell doctor-identified data as well. This is a pretty good summary of the data that PBMs and pharmacies can and cannot sell

I suspect that this was information retrieved by the ePrescribe network. The NCPDP SCRIPT standard defines a transaction to retrieve a prescription history. The standard is not publicly available so we can't see what data elements are required to request a medication history, but I'm guessing that this is how PillPack retrieved the info.

It's not illegal, but it should be. Spokeo, I think actually has opt-outs, but others don't. Exactly how in America you don't have the right to say no to having your address published is beyond me. Don't make any enemies in this world, they sure won't have any trouble finding you. There is way too much personal info available through public records. This 1970s era pseudo honor system we have is unprepared for the age of the internet, big data and sophisticated cyber crime.

Data Brokers and Your Privacy
https://www.privacyrights.org/...

270 Current Data Brokers
https://www.privacyrights.org/...

It's not illegal, but it should be. Spokeo, I think actually has opt-outs, but others don't. Exactly how in America you don't have the right to say no to having your address published is beyond me. Don't make any enemies in this world, they sure won't have any trouble finding you. There is way too much personal info available through public records. This 1970s era pseudo honor system we have is unprepared for the age of the internet, big data and sophisticated cyber crime.

Data Brokers and Your Privacy
https://www.privacyrights.org/...

270 Current Data Brokers
https://www.privacyrights.org/...

No, you may not. Under what exact circumstances the police may or may not is more dicey, but not too relevant to this case.

Stingrays are not collecting voice data, but metadata. More like a pen register than a phone line tap, but legally those require

The real truth is we don't have any real legal precedent on whether these are legal with or without warrants or not, as they and their workings have been systematically hidden from the courts. The FBI has been confiscating both the hardware and all details about them whenever people discover local law enforcement has been using them, sometimes in defiance of local judicial rulings.

stuff they never did end up in their name. Seen that a lot lately where workers were wrongfully dismissed because of murder or fraud conviction turn up but later were proven false.

FYI Criminal Identity Theft is the most dangerous form of identity theft:

https://www.privacyrights.org/...

I'm puzzled; I'd think that this was covered by the Medical Records Privacy laws.

Personal information you give to your doctor is shared with insurance companies, pharmacies, researchers, and employers based on specific regulations.

http://www.hhs.gov/ocr/privacy/index.html
https://www.privacyrights.org/fs/fs8-med.htm

Tax ID == SSN - it still doesn't solve the actual issue of using it (TID or SSN) as authentication, whereas all it is is identification material. And yes, banks DO have the right to demand your SSN, as does your employer, your retirement fund, and any other company where you may make, store or transport money, as they have to report that to the IRS. While insurance companies (and doctors offices) can't use HIPAA to require your SSN (look up the 837P and I specs - SSN is explicitly not required and may not be required), most still put it on their form. Just write "NOT GIVEN - CALL ME" and have yet to be called about it in 10 years of doing so.

Sure:

https://www.privacyrights.org/fs/fs9-wrtp.htm

https://www.cdt.org/wiretap/wiretap_overview.html

...this isn't even controversial, though -- it's been this way for many years. They even made it illegal to sell a radio that could receive in the bands where the cellphone transmissions are made.

The phone company receives and sends a copy of everything I say. If they record it without a warrant they have violated federal wiretapping laws. Why would the internet be any different?

I was going to file a complaint against every website on the internet that requires a "registration" in order to use the fucking thing and then I clicked on the online form link and decided against it.

In bold text on that page: "You do not have to register to file a complaint."

I was going to file a complaint against every website on the internet that requires a "registration" in order to use the fucking thing and then I clicked on the online form link and decided against it.

When you collect information on people, it will be abused. Somehow, someday, somewhere ... some entity, usually corporate, will get a hold of it and use it to your detriment. The entire credit industry is a perfect example of this. And they spawned the corporate Big Brother, ChoicePoint, that our government uses to spy on Americans to get around that pesky Constitution and the "activist" judiciary.

Another example is the health insurance industry. Get prescribed an anti-depressant for any reason you become uninsurable. How do they know? Pharmacies share all that data about your prescriptions with the insurance companies, among others.

Goddamn them all.

There was an outcry. Complete with allegations of wiretap violations.

I am becoming convinced that this talk about "privacy" completely misses the mark about what's really going on. Someone wants privacy they want secrecy. He or she is afraid that exposing a secret will injure him or her in someway. The injury is greatest if it's exposed someone the person knows, or to someone that has power over them. In social network mining (email being the oldest online social network) no one actually reads the messages. A machine does. The secrets are never actually exposed to anyone.

So what is happening? Your social actions, you, your friends, and that very low fidelity copy of what makes you "you," (your soul if you want to get a bit melodramatic) is commodified and sold. You provide the value, and yet you receive nothing in return.. I believe it's this idea: that humans are simply goods to exploited and sold is what really underpins this talk about "privacy."

.

In the 90's and early 00's it was the Frontier, where everyone gave everyone else a hand. Now, we need to start walking around with six shooters.

The amount of data breaches alone are frightening: http://www.privacyrights.org/data-breach#CP , http://www.databreaches.net/

IANAL but as I understand an employer may search through my company provided phone at any time. http://www.privacyrights.org/fs/fs7-work.htm

Utah's elected officials believe that their Utah State provided cell phones are private and should not be monitored by their employers, the Utah tax payers. http://www.facebook.com/video/video.php?v=117045128372479

It really rubs me wrong that they think they're above Utah tax payers, and don't extend the same privacy protection they're trying to give themselves, to everyone else.

Lots of US laws already prohibit or limit SSN use:
http://epic.org/privacy/ssn/
http://www.privacyrights.org/fs/fs10-ssn.htm
If it's illegal to collect and use in whole, is it illegal to cadge in part, and then reassemble and use?
Or does the law have holes?
As rwa2 points out above, deriving the whole SSN ID number from a partial one might be within the reach of a lot of people, not just huge datafarms.

While that makes sense in theory, merchants do have the right to verify the identity of a customer attempting to use a credit card. Won't they just request to see a driver's license instead? Then they would have access to much more personal information than just a zip code. I don't really see how this law ends up protecting anyone.

No they don't have the right, and in fact is usually goes against the credit card merchant agreement. http://www.privacyrights.org/ar/Alert-FS15.htm

For instance, one can request a customer's driver's license to verify his or her identity.

They can ask, but not require it for most credit cards. Some Credit Card agreements actually prohibit the merchant from asking to see ID.
http://www.privacyrights.org/ar/Alert-FS15.htm

Corporate laptops, not their property, and why so mad? You do realize that this was far less invasive than what happens nowadays? Now there are turn key solutions that allow them to look into every email you send not only through the corporate email server but any unencrypted web-based email service as well to see if you are talking to competitors, headhunters etc.

I disagree that wifi data meets the definition of a broadcast; rather, it is a non-public communication transmitted without encryption. The only definitions of 'broadcast' I could find at the FCC website were related to specific broadcast services (AM, FM, TV, etc)

47CFR73 Sec. 73.14 AM broadcast definitions.
A broadcast station licensed for the dissemination of radio communications intended to be received by the public and operated on a channel in the AM broadcast band.

Also there are rules in the Amateur service (Part 97) that forbid broadcast transmissions intended for the public.

The crux of the biscuit is that broadcasts are, by definition, intended for public receipt. Wifi data is not intended for public receipt and the service under which Wifi equipment operates is not licensed as a broadcast service (it is unlicensed, in fact).

Remember back in the day when HBO, etc were transmitted in-the-clear over C band satellites? I could tune in and watch it with no trouble, but the law said even though it was transmitted in-the-clear you could not legally watch it unless you were a subscriber.

Did you know that the old-school pagers used in-the-clear transmissions? I could've easily transcribed every single pager transmission in the greater Richmond area (as well as ones intended for those with 'satellite' pagers that worked nationwide). It would not have been legal, however.

How about the old 49 MHz cordless phones/baby monitors, analog cell phones, etc? They were all in the clear, and special federal legislation was enacted to prevent eavesdropping - they forced scanner manufacturers to block the analog cell frequencies.

What google did by collecting anything other that the SSID was equivalent to transcribing private pager data and making it publicly available - that certainly would be illegal.

References:
Communications Act of 1934, as Amended (pdf)

http://www.privacyrights.org/fs/fs2-wire.htm

Yes, you do get your money back eventually. According to one of my sources, the banks are obligated to replace the funds in two weeks.

In practice, it may take longer.

I was hit by a card skimmer last year. It took over three weeks for Bank of America to replace the $500 stolen from my account. (I never got the $3 foreign ATM fee back, FWIW.)

As LostCluster points out, having an empty checking account when you're not expecting it can put you in a tight spot with your landlord/mortgage holder, etc.

My first reaction was like most here - it's an employer-provided device, so why would you expect privacy? However, the Electronic Communications Privacy Act says that while employers have the right to monitor employee's phone conversations, they must stop if/when they realize that the conversation is personal, not business.

http://www.privacyrights.org/fs/fs7-work.htm#2a

So this is a mobile phone, not a landline, and it's texting not talking, which just complicates an already murky law.

After you've told him he does not have your legal permission to contact you, it IS illegal in most states -- it's called "harassment". See this page

Translation: Bullshit

The only time that has ever held true is when a company has specifically said the conversation ARE private.

Translation: suck my iPenis.
The company does not get to say when the conversation is private - if it isn't company business, it is personal.

Under federal case law, when an employer realizes the call is personal, he or she must immediately stop monitoring the call. (Watkins v. L.M. Berry & Co., 704 F.2d 577, 583 (11th Cir. 1983)).

Are they prohibited from listening to personal calls made on a company phone?

Linky

"An important exception is made for personal calls. Under federal case law, when an employer realizes the call is personal, he or she must immediately stop monitoring the call. (Watkins v. L.M. Berry & Co., 704 F.2d 577, 583 (11th Cir. 1983)) However, when employees are told not to make personal calls from specified business phones, the employee then takes the risk that calls on those phones may be monitored."

So if they tell you not to do it, they can monitor if you make calls. Decidedly a gray area me thinks which means, yes they can.

Re-read what I wrote. A policy which says SSN is required is a lot different from a company which never provides product or service unless you provide an SSN.

Private companies can *effectively* require your SSN, by denying you service arbitrarily. They cannot truly require it without laws explicitly granting such a requirement. As Shakrai posted, the local PSC told Verizon to suck it after a complaint. Sure Verizon "requires" your SSN. If Verizon were truly able to require SSN, the PSC would have had no ability to overrule Verizon's requirement. If you don't provide your SSN, the company has the option of refusing service, but you also have the option to file a complaint and get around this requirement, making it simply a "strongly encouraged" piece of data. There are companies which are *required* to obtain your SSN, because of various laws, but they are not the majority.

If you make a big deal about the SSN being for tax and Social Security purposes only, you'll find that most companies (except those legally required) will accept an alternate ID instead of your SSN. You actually can get service without supplying your SSN, despite documented company policy to the contrary, meaning that it is not actually required.

http://www.privacyrights.org/fs/fs10-ssn.htm#17

My point still stands - call the company on it, ask what rules allow them to gather your SSN, and let them know you'd prefer not to give it out. Mention a competitor if you want to. But don't be afraid to find out whether the company falls under one of the relevant identity verification laws.

Personally, I don't go this far, I just tell them I'm going to leave it blank and if they want me to go to another company they'll let me know. After that, they tend to allow an alternate number. It's disappointing, because I intend to refuse to end the conversation until they acknowledge this much: "So what you're saying is you'd rather I go to someone else?" Eventually I hope they will get pissed off and just say "Yes, please go somewhere else." That has never happened, because an alternate number suffices.

This is misunderstood a lot. Companies are not allowed to require your SSN for service. They often ask for it, just to be able to track you down if you fail to pay. (alert: USA-centric info follows). The loophole is, most companies are not required to offer service to everyone. So they can refuse to provide service to you without explanation (usually "incomplete application" or something similar), while technically following the law. That's why there's usually no state (or fed) regulation which allows this behaviour specifically.

Semi-related: I recently applied for a membership at Hollywood Video, when I lived 100 feet away from the store. They wouldn't give me a membership without a phone number, because they couldn't call me and tell me my movies were late. I told them it would be more convenient for me to rent there than somewhere else, but if they felt that driving 100 feet to get their movies back was a hardship, I'd take my business somewhere else. It's not required to have a phone number, but since my application was not complete I was denied.

The only workaround is as you said, contact someone and complain. More people need to do this. There are several companies which ask for my SSN and I level-set, look them directly in the eye, and say "You are not an agent of the Social Security administration, therefore you are not allowed to ask for that." They pause for a bit, say "uhhh, ok, I'll just leave that blank," and continue. By stating it that way, there is no question that I know my rights under the law, and they usually aren't prepared to fight it because they don't know the relevant law, being the front-line grunts just following orders. It amuses me.

Of course, recent IRS and anti-terrorism laws have changed this slightly, but it's still a small portion of companies.

http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm
http://www.privacyrights.org/fs/fs31-CIP.htm

Partial list of who might legitimately be required to retain SSN:
        * Commercial banks.
        * Agencies and branches of foreign banks in the United States.
        * Thrifts (savings and loan institutions).
        * Credit unions.
        * Private banks.
        * Trust companies.
        * Investment companies.
        * Brokers and dealers in securities.
        * Futures commission merchants.
        * Insurance companies.
        * Travel agents.
        * Pawnbrokers.
        * Dealers in precious metals.
        * Check cashers.
        * Casinos.
        * Telegraph companies.

As always, know your rights. In my opinion, casinos require SSNs for tax enforcement under the guise of covering money laundering. Telegraph companies? Maybe "money by wire" makes sense for tracking financial terrorist support, but if I'm sending a telegraph, they are allowed to ask for my SSN for no apparent reason.

This is misunderstood a lot. Companies are not allowed to require your SSN for service. They often ask for it, just to be able to track you down if you fail to pay. (alert: USA-centric info follows). The loophole is, most companies are not required to offer service to everyone. So they can refuse to provide service to you without explanation (usually "incomplete application" or something similar), while technically following the law. That's why there's usually no state (or fed) regulation which allows this behaviour specifically.

Semi-related: I recently applied for a membership at Hollywood Video, when I lived 100 feet away from the store. They wouldn't give me a membership without a phone number, because they couldn't call me and tell me my movies were late. I told them it would be more convenient for me to rent there than somewhere else, but if they felt that driving 100 feet to get their movies back was a hardship, I'd take my business somewhere else. It's not required to have a phone number, but since my application was not complete I was denied.

The only workaround is as you said, contact someone and complain. More people need to do this. There are several companies which ask for my SSN and I level-set, look them directly in the eye, and say "You are not an agent of the Social Security administration, therefore you are not allowed to ask for that." They pause for a bit, say "uhhh, ok, I'll just leave that blank," and continue. By stating it that way, there is no question that I know my rights under the law, and they usually aren't prepared to fight it because they don't know the relevant law, being the front-line grunts just following orders. It amuses me.

Of course, recent IRS and anti-terrorism laws have changed this slightly, but it's still a small portion of companies.

http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm
http://www.privacyrights.org/fs/fs31-CIP.htm

Partial list of who might legitimately be required to retain SSN:
        * Commercial banks.
        * Agencies and branches of foreign banks in the United States.
        * Thrifts (savings and loan institutions).
        * Credit unions.
        * Private banks.
        * Trust companies.
        * Investment companies.
        * Brokers and dealers in securities.
        * Futures commission merchants.
        * Insurance companies.
        * Travel agents.
        * Pawnbrokers.
        * Dealers in precious metals.
        * Check cashers.
        * Casinos.
        * Telegraph companies.

As always, know your rights. In my opinion, casinos require SSNs for tax enforcement under the guise of covering money laundering. Telegraph companies? Maybe "money by wire" makes sense for tracking financial terrorist support, but if I'm sending a telegraph, they are allowed to ask for my SSN for no apparent reason.

Using encryption has its drawbacks:
* you must provide a meaningful key management
* you lose speed of your machines for number crunching
* you can easily lose data in the event of hardware corruption
* access to data is a bit harder even for legitimate purposes
* many systems (for example Active Directory domain controller .vs. ipsec) doesn't work well with encryption
* skills of your systems management must be higher

I know you probably mean well, but every one of those statements is basically false.

- Active Directory + Bitlocker OR AD + Encrypting File System (EFS) both do automatic key management, key escrow, etc...
- Bitlocker has no performance impact, it uses the TPM chip. Also, most CPUs are MUCH faster at encryption than disks are at reading or writing data, so it's not a bottleneck even for software-only systems.
- hardware corruption causes data loss anyway, encryption just ensures that you only ever get valid data. In that respect, it's a little like ZFS -- encryption also provides integrity, as well as security.
- Access to data on encrypted volumes is NOT harder. It's usually transparent. If you have proper backup procedures in place, you need never access data in non-standard ways. Speaking of which, your backups should be encrypted too!
- AD works well with encryption, and has its own built in. It's already reasonably secure for most applications, and doesn't really need further encryption. The only AD related protocol that had issues with ipsec is DNS, but Windows 7 and 2008 R2 now support that as well.
- If you're already deploying Windows Vista or 7 SOEs, adding in Bitlocker trivial, it's basically a checkbox. Deploying ipsec is admittedly a little harder, but it's not exactly rocket science.

I've implemented extensive encryption before, and it wasn't hard, and the users never noticed. From what I've seen, the lack of encryption is not caused by technical issues, but laziness and politics.

Security is one of those things that's not a problem day to day, just like backups. The users don't notice, and nobody complains to the managers about it, so it must not be a problem, right?

You only need security on those rare occasions when there's a hack, or a laptop gets stolen, or some intern sells 10 petabytes of old backup tapes full of customer data on eBay for $35. Of course, when those things happen, it's already too late to implement security. The breach has already occurred. There's no going back in time to tick checkboxes.

In case you're wondering just how common data breaches are, check out this list of the publicly known ones:

http://www.privacyrights.org/ar/ChronDataBreaches.htm

If that doesn't scare you, think about how many more there are that the public didn't find out about. Chances are good that your personal data has been leaked to God-knows-who, probably several times, because of lazy IT admins and inept managers.

Yes, I was poking a little fun and trying to make the author really think about if the info is worth the risk of going unencrypted.

Referencing.....

http://www.privacyrights.org/ar/ChronDataBreaches.htm

Be careful about checking your credit too often though. When you check your credit too often, it dings your credit score.

Not true. Applying for new lines of credit will lower your score, but checking it yourself will not. See http://www.privacyrights.org/fs/fs6c-CreditScores.htm#5

HIPAA only covers medical practitioners, insurance companies, and the like.
http://www.privacyrights.org/fs/fs8a-hipaa.htm#3

A little lower indicates that school nurses visits explicitly don't count.

According to the Supreme Court, FERPA doesn't allow individuals to sue.
http://www.privacyrights.org/fs/fs29-education.htm

HIPAA only covers medical practitioners, insurance companies, and the like.
http://www.privacyrights.org/fs/fs8a-hipaa.htm#3

A little lower indicates that school nurses visits explicitly don't count.

According to the Supreme Court, FERPA doesn't allow individuals to sue.
http://www.privacyrights.org/fs/fs29-education.htm

HIPAA only covers medical practitioners, insurance companies, and the like.
http://www.privacyrights.org/fs/fs8a-hipaa.htm#3

A little lower indicates that school nurses visits explicitly don't count.

According to the Supreme Court, FERPA doesn't allow individuals to sue.
http://www.privacyrights.org/fs/fs29-education.htm

http://www.privacyrights.org/fs/fs14-stk.htm

http://www.privacyrights.org/fs/fs10a-SSNFAQ.htm

This provides useful information about SSNs and their usage.

If they are a publicly funded school and utilize parts of your SSN on your student ID, or display it on class rosters, and other places, then they may be in violation of the law. Specifically the Family Educational Rights and Privacy Act restrictions:

One of FERPA's provisions requires written consent for the release of âoeeducational recordsâ or personally identifiable information, with some exceptions. The courts have stated that SSNs fall within this provision. (See Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).

Also

Many states now have laws banning public universities and colleges from using SSNs as student IDs.

History of SSN usage. When Social Security numbers were first issued in 1936, the federal government assured the public that use of the numbers would be limited to Social Security programs such as calculating retirement benefits. Today, however, the Social Security number (SSN) has become the de facto national identifier. (Read a history of the SSN at www.socialsecurity.gov/history/ssn/ssncards.html .)

http://www.privacyrights.org/fs/fs10-ssn.htm#2

I'm too young to remember when this was the case, but SS cards originally contained verbiage to the effect that "this card is not to be used for identification". Check with your parents or grandparents to see if any still have a "vintage" card. Of course that designation as since been removed and something that the government had originally assured us they wouldn't do is now standard operating procedure. Sound familiar, anyone?

if you live in the USA, your credit card number should not be on the receipt. That is not legal.

http://www.privacyrights.org/fs/fs6a-facta.htm

A merchant may ask for ID, but they may not conditionally process the transaction based on the ID. I.e. if someone is holding the credit card they must accept it as payment. This is true for "buyer's instruments" like Visa, Mastercard, and Discover. This is however not true for "owner instruments" like American Express where the owner of the card must make the transaction.

For more information on this subject check this http://www.privacyrights.org/fs/fs15-mt.htm#2b

Also, when have government agencies ever restrained themselves in favor of privacy among citizens? The government in 1936 said that social security numbers were never supposed to be used for identification*...

Oops.

(* http://www.privacyrights.org/fs/fs10-ssn.htm not a good source, so take it with a grain of salt, could be an urban myth)

We also had a few constitutional provisions that seem to say you can't spy on innocent civilians. Hard to believe now I know. And of course the FBI wildly overstepped it's bounds from day one.

We really need to start drilling "Protecting public privacy is the most important thing for your job" into the heads of law enforcement types for a few generations, and making sure it sticks, before we start tearing down what few barriers they respect. Otherwise we may as well cut to the chase and put RFID chips under our skin.

I haven't read the full article yet, but it could be that insider breaches account for 20% of breaches, and 80% of records breached. Since insiders would have access to much more information, that wouldn't surprise me at all.

Also in question is the definition of "insider breach." Is an employee leaving a laptop on a train an insider breach, or not? Is an employee accidentally posting personal information on a public web server an insider breach, or not? It's not malicious by the insider, but it's certainly caused by the insider.

Besides, if you look at http://www.privacyrights.org/ar/ChronDataBreaches.htm, you won't see a lot of insiders, but you will see some insider breaches with huge record totals.

This is not true. Every financial institution in the US must collect a SS number as part of its Customer Identification Program.

According to provisions of the USA Patriot Act, all financial institutions must verify the identity of individuals wishing to conduct financial transactions.

A SS number must be obtained as part of the Customer Identification Program.

The CIP Rules establish the minimum identification information a financial institution must collect from you before opening a new account. Beyond this, financial institutions have flexibility to adopt CIP procedures appropriate to the business operations of each.

Four data items are required for all new accounts. These are:

        * Name.
        * Date of birth (for an individual).
        * Address.
        * Identification number.

IANAL, but here's what I've found that may help you:

Employers may monitor employees' phone calls and location (using cell towers or GPS).

(from the same link) Cell phone companies are required by the FCC to have the ability to track your location to within 100 meters for the purposes of 911 calls.

From this page: Telephone company employees may listen to your conversations when it is necessary to provide you with service, to inspect the telephone system, to monitor the quality of telephone service or to protect against service theft or harassment. Also, employers may monitor and even record their employees' phone conversations with few restrictions (18 USC 2511(2)(a); California Penal Code 631(b)).

Note that the above paragraph gives telephone companies free license to listen to phone conversations, they simply need to do it under the premise of "monitoring the quality of service".

I don't think there are any laws regulating ISPs inspecting customers' packets; if there were, we wouldn't be having the trouble we have now with companies doing it; for example, Comcast not only used Sandvine to do DPI, they actively interfered with connections, and lied to customers about it - but none of that was illegal.

IANAL, but here's what I've found that may help you:

Employers may monitor employees' phone calls and location (using cell towers or GPS).

(from the same link) Cell phone companies are required by the FCC to have the ability to track your location to within 100 meters for the purposes of 911 calls.

From this page: Telephone company employees may listen to your conversations when it is necessary to provide you with service, to inspect the telephone system, to monitor the quality of telephone service or to protect against service theft or harassment. Also, employers may monitor and even record their employees' phone conversations with few restrictions (18 USC 2511(2)(a); California Penal Code 631(b)).

Note that the above paragraph gives telephone companies free license to listen to phone conversations, they simply need to do it under the premise of "monitoring the quality of service".

I don't think there are any laws regulating ISPs inspecting customers' packets; if there were, we wouldn't be having the trouble we have now with companies doing it; for example, Comcast not only used Sandvine to do DPI, they actively interfered with connections, and lied to customers about it - but none of that was illegal.

IANAL, but here's what I've found that may help you:

Employers may monitor employees' phone calls and location (using cell towers or GPS).

(from the same link) Cell phone companies are required by the FCC to have the ability to track your location to within 100 meters for the purposes of 911 calls.

From this page: Telephone company employees may listen to your conversations when it is necessary to provide you with service, to inspect the telephone system, to monitor the quality of telephone service or to protect against service theft or harassment. Also, employers may monitor and even record their employees' phone conversations with few restrictions (18 USC 2511(2)(a); California Penal Code 631(b)).

Note that the above paragraph gives telephone companies free license to listen to phone conversations, they simply need to do it under the premise of "monitoring the quality of service".

I don't think there are any laws regulating ISPs inspecting customers' packets; if there were, we wouldn't be having the trouble we have now with companies doing it; for example, Comcast not only used Sandvine to do DPI, they actively interfered with connections, and lied to customers about it - but none of that was illegal.

Google says "much less". "7 million U.S. adults or 3.4 percent of U.S. consumers were identity theft victims in the past 12 months."

The First Amendment doesn't require that the government force catalog companies to allow you to opt-out. Rather, the First Amendment allows the government to do that.

The First Amendment is only a restriction on government power. It does not create any responsibilities on private citizens. The government may regulate postal junk mail, but there is no law regulating postal junk mail until the government writes one. Same for electronic spam: The First Amendment (probably) allows the government to regulate electronic spam, but there is no law about it until the government writes one.

As it happens, you can opt-out of postal mailings and the government will enforce your rights to do so. To get off a lot of junk mail lists, go here Or you can remove your name some of the lists that become junk mail lists for a fee.

Remember, the First Amendment is a restriction on government not on individual actors. To use the cliche example, the First Amendment doesn't make it illegal to yell "fire" in a crowded theater. Instead, the First Amendment has been interpreted to mean that a state legislature is allowed to write a law making it illegal to yell "fire" in a crowded theater.

Or laws that don't adequately punish companies for losing personal data, or at least allow for civil suits. My SSN was lost twice last year, both by large organizations, and I had no choice in giving either of them my SSN. One of them had it for health insurance reasons from when I was a child, and the other one was a school I attended. I think it's ridiculous. There's no reason that companies, schools, and other organizations should be able to lose tens of thousands of social security numbers and basically just shrug and say "oops". I bet if they had to pay a $10,000 fine for every SSN they lose, they'd start encrypting the data really quickly. There's a great Chronology of Data Breaches here that shows some staggering numbers