Slashdot Mirror
Interesting Privacy Decision in New Hampshire
TCPALaw writes "A huge decision
in privacy law was handed down today by the NH Supreme Court in the Amy Boyer case. Amy was stalked and killed by a man who got her personal
information, including SSN, from an on-line information broker. Privacy groups such as EPIC have argued that access to sensitive personal information should carry with it liability for misuse, and can constitute a tort. The NH Supreme Court agreed.
Now perhaps you can sue the spyware companies."
Someone's been murdered and you're all smiles because you can go after some guys who send adds to your computer.
In other news, the phone company is being sued becuase they list a person's address next to their name.
M@
Krispy Cream is people
It's too bad supermodels don't fit into the Slashdot stalkers crowd...
~S
Because it involved something akin to identity theft, I thought it interesting, but until now I hadn't seen a real-life version. "Information broker", indeed.
Scary.
. . .that "information brokers" of this sort have an implicit obligation to formally notify the objects of such searches, as to the nature of each search and the buyer. This still wouldn't protect someone who was using a "straw" buyer, but would go a long way to protect people from stalkers. . .
Yes, that comment is borderline morbid, and probably in bad taste. But it would garner media attention, and probably result in the laws being changed...
...and you'll live longer ;-)
Where he got the information isn't important...
The real problem is violent video games and TV! And do you hear what they say in those horrible rap songs? Well, I never! We should just ban this poison once and for all!
"I only speak the truth"
Karma: null(Mostly affected by an unassigned variable)
Because stalking and murdering someone counts as misuse, obviously, giving your name to a list which randomly sends e-mail also does. There's /. logic.
-- 'The' Lord and Master Bitman On High, Master Of All
let alone possible implications for combating spam, this is a good ruling for our safety. there should be some liability for someone looking to obtain information like someone's SSN. I guess if any wackjob with a grudge can buy a social security number and mom's maiden name, it's good that they hold some liability for the actions they take with that information. ...it still doesn't make me feel that much better that any wackjob with a grudge can buy someone's SSN, though.
Yes, in theory we would love to sue spywear authors into oblivion. But I fear we are opening yet another can of worms.
I agree that companies that have access to your personal information should be held liable if they disclose the information, or are negligent in protecting that information (egghead.com comes to mind).
IAMAL, but more inportantly, judges are not congressmen, and I always have reservations when judges "create" law that legislators should have in the first place.
I can't swear that this is the case here, but with two years in the legal field, I still have trouble fully deciphering these rulings. (the fact that law can't be read by persons with average intellegence is yet a whole other subject).
Tequila: It's not just for breakfast anymore!
While an information broker should be responsible for their actions to some extent, I think the killer should be held responsible, and that nothing should dimish the clarity of that matter.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
I'd love to see companies held liable for damages caused by their keeping huge databases with credit card information just sitting online waiting to be hacked.
What kind of a tort? Strawberry?
This one says it all.
No, the post isn't Offtopic, nor is it Flamebait. The Amy Boyer murder was a tragic event and this case will allow the family some chance of holding the "information clearinghouses" liable for the information that they doled out for a healthy profit and Amy's life.
It has nothing to do with spyware. Making the connection of spyware to satisfy you personal conspiracy theorist mentality to this case revolving around a real and tragic event is just ridiculous. And, moderating the above comment Offtopic is just too typical.
If all the info is available to everyone, and the knowledge of who is searching on you is known, what is the danger?
Obviously, I'm forgetting about identity theft and fraud - but we need better systems in place to prevent that anyhow.
Just a crazy thought. If everyone knows what they want to about anyone, doesn't that remove some of the reason for identity theft, and 'nosy nellies'?
I like the idea that "personal" information needs to be secure and the mishandling of it could lead to a lawsuit (only if there are damages). However, what constitutes "personal" information? A phone number? SSN? Address? If I inadvertantly gave the stalker directions to this person's house, am I liable?
It's too bad that someone had to die before the courts got involved. You'd think that the right to privacy would be a right.
It warms the heart to know that this largely unregulated industry might suddenly have the fear-of-financial ruin checking their irresponsible ways.
AFLAC! AFFLECK! AFLAC!
Belgium mo bizzle pizzle, yo!
This is quite limited item; it covers the use of a information broker to call an individual to ask for their work address under the *wrong* pretext (a lie) and then sell the information they got based on this lie. It does not seem to cover stuff like selling information found in a credit report, or anything else like that.
The Estonian ID card project gives away everyone's name and SSN if you have one of these (mandatory) ID cards and you have the web services enabled (most people do).
Just use your favourite ldap client to browse ldap://ldap.sk.ee (or just pop that into the "run" dialog box in windows) and voila - you got everyone's SSN that has one of these trinkets already. Including mine.
They claim it was in the contract when I signed it. Havent taken a look.
... that when the US gummint's TIA program hands the FBI info about someone with the same name as mine, and they pull a Jackson Games (or Limone/Salvati) caper on me, I can sue the government?
Thought not.
OTOH, I've seen an interesting explanation of the curious phenomenon of all those valuable medical studies coming out of Scandinavia in the past couple decades. It seems that they passed laws there that make the medical databases fairly open and accessible to researchers. They understood that this meant that the data would be fairly easily available to essentially anyone willing to hand a few kronor under the table. So they included some fairly severe punishment for misuse of this information. They especially punish employers for [pick your euphemism for firing] employees with medical problems. Supposedly the result has been to make the citizenry fairly supportive of access to medical data, and this is of obvious benefit to society.
Can't imagine this sort of "onerous government regulation" happening in the US, though. Except for occasional court cases like this, information about you and me is just a commercial commodity.
Funny this case was in New Hampshire. That's one of the more lassez-faire states. But then, it wasn't the legislature; it was a judge. It'll be interesting to see the followup.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
No, I'm glad that people who deal in raping privacy have to face legal ramifications to their behavior. I'm sorry it has taken many deaths to finally get the courts to start holding people responsible. The stalker that killed Amy was able to do it because information brokers believe they are immune from the law, and will sell ANYTHING to ANYONE. Search for "skip tracer" and see what you can buy.
I was horrified, but unfortunately not surprised at the death of Amy Boyer, Rebecca Schafer (who's home address was obtained from the DMV by a stalker's PI) and other women attacked by stalkers who were only able to find them through criminally lax data handling practices. My sister deals with sexual abuse victims, and one of the unfortunate pieces of advice she has to give them is to not register to vote, because the guy who may want revenge on them can use the voter registration roles to find the victim again. Other big companies simply don't give a damn about data security as long as they get paid. For example, I was a consultant in a case against Equifax, and it turned out that Equifax - storehouse of extremely personal and private data - never forces password changes on its customers... so if someone gets a userID and password, they can get in undetected for years if they are selective about using it, and it doesn't get noticed on the bill (and at $2 a pop for credit reports, pulling 2 or 3 extra a month for an office that gets hundreds, won't get noticed).
If people are lax about security of data they collect or use about you, they need to know that they can be prosecuted for it. The wild west of collecting and selling personal information without consent is going to come to a close.
It covers the liability of someone who obtained information using a wrong pretext (a lie), and then reselling that information. It has absolutely nothing to do with the publication of information obtained publically, but instead hinges on someone making private information public by using a lie to obtain said information.
Now perhaps you can sue the spyware companies.
After someone killed me ?
I'm linin' up all those damn spyware companies... What to sue them for... I'm not exactly sure...
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
Would this include liability for charges made on a CC after the number was hacked out of a "secure" database?
THIS SPACE FOR RENT
often, similar information can be pulled just as easily off of popular search engines, if the person is active online. are their search and archiving techniques the next to be contested?
The wise follow a damned path, for to know is to be forsaken.
In the US, anyone can sue anyone else. So "Now you can sue" makes no sense.
Winning is a different matter.
The murderer, who "kept firearms and ammunition in his bedroom", purchased information about where the victim worked from a company called Docusearch then proceeded to kill her, them himself.
The victim's estate goes after the search firm and wins. So we're to conclude that the selling of such vital information to the murderer is a punishable offense, at least in N.H. What about the people who sold him his guns? Seems to me that the weapon was at least as dangerous as the information, and each being fairly useless without the other.
Also, this guy "maintained a website containing references to stalking and killing Boyer".
Big lesson here: Google yourself.
-dameron
Hear me, hear me! This is a good time to pull
this case - all one need is to connect spyware
with terrorism, sit back and enjoy the show.
For starters, terrorists can buy a variety of
information from spyware crooks, such as one
needed to create impostor or fake identities
of government or even (horror, horror!) military
personnel.
How about this?
My other Beowulf cluster is... er...
Perhaps this will force a certain large corporation in Redmond, WA to change its error reporting and information policies within its licensing agreements.
There are the standard disclaimers that they potentially collect any necessary to debug an issue when their software reports back home which could potentially include personal data.
If I'm not wrong, then any developer could read through this data and use it for "bad" purposes.
I work with a security and investigations firm and also work as a medical applications developer. This means i see both sides of the privacy issue. On the security and investigations side I routinely find out more information than you ever though was possible in your worst nightmares about people and their relationships. On the medical side I try to make it as difficult as possible (short of destroying the data) for non-authorized people to access information.
There is a large amount of data that is part of the public record that anyone can access and it is perfectly legal for them to do so.
Where you were born
Criminal record
Drivers license info
SSN#
Address
Tax Records etc.
I often wonder if people know how much of this information is available. I am not sure what the Justices were thinking as I have not read the case opinions at this point, but teh stalker could have just as easily gone to the public library and courthouse and found out teh same information. I personally would love to be able to have more anonimity. I dont think that the Govt. or anyone else should know where and when I travel, what websites I go to, what my email says or who I live with. But the sad fact is that America has historically been willing to give up these "rights" and "privacies" for temporary security. and this I think may be part of the result.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
(1) You must pass a background check before you buy a gun. This is a legal device for clearing the seller of liability. There is no such equivalent amongst the major info-brokers.
(2) Apples and oranges. A core issue of privacy advocates is that information specific to me is my proprietary information. You have no right to sell it or otherwise distribute it without my permission. This information can be used to harm *me* specifically, and the fact that anyone can obtain it for a price is innately harmful to me. A gun has no specific target until you point it at someone.
I bet tomorrow the phone directory will contain a lot more people named Fook Yu...
Other suggestions, courtesy of Bart Simpson.
See charts for twitter trends on Trendistic
I live in the city where Amy Boyer was murdered, and my wife knows Amy's mother. We've (my wife and I) have talked about this case a lot, especially every time the Remsburgs appeared in a new newspaper article about their fight against the "information" companies.
As horrible as this crime was, it's not clear to either of us that if Liam Youens hadn't been able to buy the information on where Amy worked that she would be alive today. Youens knew where Amy lived, and he had been obsessed with her for years. It was just a matter of time.
I think what Docusearch did was slimy, and possibly illegal - especially the use of "social engineering" to trick Helen Remsburg into revealing information about her daughter.
The issue at hand is whether or not Docusearch, and similar companies, have an obligation to warn people when their personal info is sold to someone, especially when the purpose is unknown. I think it's well established that this sort of information is often used for heinous purposes - remember the case of actress Rebecca Schaffer, who was murdered by someone who bought her address from the California DMV!
In my opinion, the NH Supreme Court got this one right - Docusearch knows or should know that the primary use of the information they collect is NOT for the benefit of the subjects. They should have an obligation to inform the subject that the information has been collected and sold.
However, I think it is wrong to assign the blame for Amy's death on Docusearch. They were an "accessory to a crime", but did not commit the crime itself.
There are so many "what ifs" in cases such as this, that can have people tied up in knots for years. Youens had a web page up which gave fairly solid clues that he had it in for Amy Boyer. Did anyone in a position to do anything see this beforehand? Probably not...
As for spyware ("spywear"? Is that the watch with a poison dart?), I don't see an obvious connection with this case.
IANAL, but it appears that the decision is:
1) If you have non-public information (SSN, CC#, addresses, etc.) on someone, you are partially liable if you offer that to someone for a fee for what that person does with the information.
2) You can't obtain information on someone deceitfully and sell it.
#2 seems pretty obvious. #1 has a lot of implications for all these companies that have your mortgage records, etc., which IMHO is a good thing. In other words, "Quicken Loans" becomes an accomplice to a con artist if they sold that con artist a list of their outstanding loans and contact info.
This is not in any way talking about public info, though, so if you pay me $25 to get someone's phone number from the white pages, you can harass that person all you want and it won't come back to me. At least based on that decision.
So I got my home phone disconnected.
My DSL is through Covad, and my cellphone works fine at home.
As a bonus, I never get cold calls anymore... far as I'm concerned, telemarketers are a thing of the past.
Build stuff. Stuff that walks, stuff that rolls, whatever.
Seeing how everyone is getting rich selling private information, I am putting MY private information on sale right here on slashdot. YES, IT'S 100% LEGAL. You will get a signed, limited edition booklet with my address, phone number, SSN, credit card numbers AND the illustrated history of both my and my cat's love life with an invitation to add a new episode to either one. 10 booklets will be sold to the highest bidders, so take advantage of this unique opportunity and RESERVE YOUR COPY TODAY.
Information wants to be free.
We don't want any closed source.
We want privacy.
Mutually exclusive?
Seriously, do you think anyone ever consents to having their private information sold? Get bullied into it because otherwise there is no way to buy online or access some content is more like it.
If this were a genuine anti-war demonstration, why, along with demands on the British and Americans, would there be no demands of the other party to the conflict - Iraq? Commentators on the march were taken by the good order of it. I was taken by the sheer wickedness or naivete.
All those nice middle-aged people from middle England with their children bundled up against the cold, marching for peace; did they have nothing to say to the party that had ignored 17 UN resolutions? A similar silence existed in all the anti-war marches in Europe. One either has to question the good faith of the marchers - or their brains.
You people are as bad as the MPAA/RIAA.
I think that this case (and subsequent appeal to the US Supremes, if that happens) will be a milestone precedent for privacy issues beyond its limited scope. This will be particularly so if/when this decision gets linked with the current government focus on identity theft by the FTC and other agencies. The key, as with many things, will be the timing. It may get lost for awhile behind Iraq, N. Korea, and the eoconomy, but I think the affects from this case will be long-term and far-reaching.
Right now 'personal information' is a broad range of stuff - too broad to actually hold anyone accountable for its use. If we can get a classification system in place, then we can start talking about unauthorized uses and punishments.
Basically, there is a broad division between information that is unique to the person, and information that is assigned. Your fingerprints are unique, your SSN is assigned.
There has to be some sort of principle to govern the status of these classes. For example, I believe that it is your right to have and maintain exclusive control over the things which are uniquely yours. Within the class of assigned information, disclosures and aggregations must be with the consent of both assigner and assignee - if an information aggregator of any kind wants to warehouse information then they need to have the explicit, informed consent of all involved parties. Some information aggregation activities constitute a search under the Fourth Amendment, basically anything that informs about a particular person or any member of a small enough population, and should be protected as strongly as the physical boundaries of your house or car.
Once some principles are settled on, following those principles makes it possible to grade out the sensitivity of assigned information and establish guidelines for its use and disclosure.
Are directions to a street address provided by the inquirer enough to be held liable? Maybe not, but credit reports and real name to username correlations might be. The aggregation of username, real name, e-mail address, homepage URL, street address, city/state/zip, home phone, cell phone, profession, workplace, and job title
certainly feel like a lot to give to register at an on-line forum - yet many ask for that much info.
What the service is allowed to do with all that personal information is mostly governed by some pretty flimsy laws and a feel for how far they can push the boundaries of community tolerance and civility. But without some principles to govern the effort, we'll just end up with frivolous litigation and foolish legislation.
You don't know me (well, you might, you never can tell), I'm a crazed internet stalker.
I pick my victims by reading slashdot everyday and looking for people who get "first post!".
I'm sure you'll hear about me in the news someday -- everybody makes mistakes now and then! ;-)
Until then,
The first post stalker
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
The murderer, who "kept firearms and ammunition in his bedroom", purchased information about where the victim worked from a company called Docusearch then proceeded to kill her, them himself.
The victim's estate goes after the search firm and wins. So we're to conclude that the selling of such vital information to the murderer is a punishable offense, at least in N.H. What about the people who sold him his guns? Seems to me that the weapon was at least as dangerous as the information, and each being fairly useless without the other.
Also, this guy "maintained a website containing references to stalking and killing Boyer".
Big lesson here: Google yourself.
I haven't seen a more blatant attempt to move discussion on a topic onto a personal hobby horse for a while. Take the gun issue and fuck off. This is about privacy, not gun policy, you twit.
GF.
This is a fantastic way to (help) deal with a nasty problem... Instead of broad, over-reaching laws, make the companies liable for misue of the data, and therefore disinclined to collect it, and therby gain liability, in the first place. Of course, if the data is trully vital, they will still collect it, but will be much more likley to take steps neccesary to protect it properly. I think this approach works much better than a law against colecting it in certain/most cases.
Now if I could figure out how to use the /. search facility
:)
Forget the slashdot search utility, a google search for "six degrees of bacon" or "oracle of bacon" will take you to The Oracle of Bacon, where you can find the most up-to-date Bacon# for OBL -- or anyone else -- yourself. (It runs a live IMDB search.) Today, the answer is 3.
BTW, I should give credit to the Onion [theonion.com] for my sig.
Funny, that's what I said when I saw it.
Although most of the decision is sound, I think that Duggan et al. got Question 4 of the decision wrong and a bunch of the reasoning of Question 5 wrong. Since they were wholesale changing the law on 4, there's no reason to artificially reserve the misappropriation of a name or likeness to a person's reputation or prestige, i.e., to celebrities. Jeezus, how many celebrities are in NH anyway, 2? They go to pains to talk about how widespread and damaging identity theft is and then close of the cause of action to a scant few. While Question 5 seems to cast an overly broad net. Jeez, anytime you make a call under a false pretext you're subject to a deceptive practices act!? No more calling the video store and asking "how late are you open" when all you wanted to know is if they're open right now. Jeez, no more prank phone calls unless you truly do want them to let Prince Albert out of his can.
I have a pretty un-pronouncable name but that does not stop telemarketers for a minute.
Only when I learned about Missouri "No Call" list I was able to have a peaceful diner.
I was just going to hijack the next election by allowing the green party in with an overwhelming majority.
This topic and another topic both appeared on the slashdot page today. The first wants to indict Google as Big Brother. The second suggests we can sue companies who try to spy on us discreetly. Coincidence... or foreshadowing?
Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
you must live in NH ??? this place sells you licences to other companies so the state should also be liable.... .. dont you think ?
1) There was no contract between the IB and anyone else (except maybe the stalker client) concerning protection of this information.
2) While obtaining the information using a pretext is sleazy, I don't see how this constitutes liability for the misuse of the information by a third party.
3) This seems to me to be just another attempt to spread liability around as a means to compel behavior that the legal system wants to occur without the formality of actually passing a considered law, i.e. bypassing the Constitution (Federal or State) and making law in the court. The criminal justice system doesn't like sleazy IB's, so they make them liable for something they have no control over.
4) When is the court ready to assign liability to cops and Feds who fake court orders, manufacture evidence, and otherwise abuse their responsibilities on a daily basis and thereby cause thousands of people to spend time in jail for crimes they did not commit? Oh, wait, I forgot - the criminal justice system is immune from prosecution for "screwups"...
This seems like a typical case of "something bad happened, we can't punish the guilty, so we'll find someone else - anyone else - and punish them.."
How is an IB supposed to verify their client's intentions? "Oh, excuse me, I really need this info so I can shoot my ex-girlfriend - or stalk Jodie Foster..." "Just check this block on the request form here: Will You Use This Info For Legal Purposes? YES: NO: "...
Or: "You realize, sir, that we have to ask you to turn over your criminal and mental health history to us, so we can verify that you will use this information only on a legal manner?"
Or worse, that if you ask for some innocuous info, that they then investigate YOU before investigating the subject...
Yeah, right...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
"They should have an obligation to inform the subject that the information has been collected and sold."
I'd personally rather see
"They should have an obligation to inform the subject that the information has been collected and whether they CAN sell it."
There's nothing you can do about activites outside the house in public, but who your phone provider is, your bank, your insurance, the calls you make, paying bills on time, etc., should only be between you and any businesses you choose to do business with.
I'm tired of companies thinking they have a right to my personal life if it makes them some cash.
No sig for you!!
Privacy and liberty are very close together in my books. It can affect how you vote, how you disseminate information, your work place and your everyday life. Proper laws to protect the individual from contemporary uses slightly curtails mob rule, as well as the individual compulsive.
Forget CSS and the DMCA. Encrypt DVDs using some girl's social security number and most slashdotter's will support laws against spreading the circumvention key.
Basic data mining could have stopped 11 of the 13 hijackers.
If he already knew her home address, why did he need to spend hundreds of dollars to get (among other things), her work address?
from a state whose motto is "Live free or die". Seriously, there are some things you just have to love about New Hampshire's "go away and leave me the hell alone" attitude.
;-)
Back in the day when door-to-door salesmen were popular, I'm sure few courts up there would have convicted anyone if they shot them for tresspassing. I wonder if they could be convinced to adopt a similar attidude to electronic door-to-door salesmen (e.g. spammers)
Disclaimer: Yes, I AM from New Hampshire.
Looks like I moved to Texas just in time!
In the UK we have the Data Protection Act 1998. Basically it stipulates that if you want to hold personal data on someone you must by law be on the register of data controllers, see here. It also stipulates you can only hold someones personal information so long as you have a bona fide reason for having that information (e.g. business relationship etc). If you are holding or using personal data without authority you are committing a criminal act and the company's data controller can be held personally liable to criminal action. It is also required that the data controllers tell the registrar what they do with personal data and they are then restricted to doing only what they said they would do. Failure to comply can lead to big fines and payment of compensation to the victim.
I personally have used the act many times to look at my data, all I do is pay £10 for costs and the company/organisation has to give me everything they have on me, including CCTV footage they may have of me (suitably modified so as to obscure the identifying features of other people). If I find something amiss I can complain to the Information Commisioner who has the legal powers to put it right and award me compensation. It would seem this sort of act would prevent a case like this, by effectively shutting down information brokers. Does no such similar act exist in New Hampshire or other states?
There is another group which suggests that making one's personal information a form of property is the single most privacy destructive legal development we could possibly create.
The entire purpose of creating property rights in something is to make it easier to alienate those rights for valuable consideration. Look at IP. What's a trade secret worth? Well, you can use it to make $$$. Can you sell it? Not really, and if you try you're taking horrible risks. Now, patent that sucker and copyright that code. Can you sell those? You betcha, you can license those to your hearts content.
Make our personal information proprietary and we'll all end up selling our personae to M$ or McDonalds and having to pay royalties to use our own names.
MHO. YMMV. Any resemblance between this post and real persons, or reality in general, was accidental.
First off, I love Duloc, very clean.
I don't like spyware or the fact that you get just about any information on a person on the internet. I don't like the government posting information about the assessed value of my home (which a lot of cities do). I think this was an issue here because people do not want the government or other institutions posting or making available critical PRIVATE information to anyone that asks for it. To me it makes sense.
I do not think this was passed in any relation to spyware, nor do I think you'll be able to sue them due to this law/ruling. I believe it was made so, due to an abundance of irregular people living here. New Hampshire has a lot of very nice friendly people, but we also have quite the share of whack jobs, fanaticals, molesters, etc.
That'll do donkey, that'll do...
A good percentage of private investigations are initiated by jealous lovers to uncover private information. There must be some predictable percentage of clients who use this information for illegal purposes.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
This time you americans should learn from us italians. We have a very strict law about personal data collection and processing.
It's called law 675, we passed it in 1996.
Under this law, you can't do ANYTHING with personal data until you have obtained EXPLICIT WRITTEN CONSENT by the owner.
And personal data is owned by the person itself.
You are not even authorized to go scanning the internet for email addresses, cause you have no written consent to collect those addresses.
An IB is more like a freelance librarian - you call them up and ask them how many widgets were sold in Thailand over the last five years and they do the research and find out for you.
You mean... people will actually pay you to google?