Slashdot Mirror
Interesting Privacy Decision in New Hampshire
TCPALaw writes "A huge decision
in privacy law was handed down today by the NH Supreme Court in the Amy Boyer case. Amy was stalked and killed by a man who got her personal
information, including SSN, from an on-line information broker. Privacy groups such as EPIC have argued that access to sensitive personal information should carry with it liability for misuse, and can constitute a tort. The NH Supreme Court agreed.
Now perhaps you can sue the spyware companies."
. . .that "information brokers" of this sort have an implicit obligation to formally notify the objects of such searches, as to the nature of each search and the buyer. This still wouldn't protect someone who was using a "straw" buyer, but would go a long way to protect people from stalkers. . .
I'd love to see companies held liable for damages caused by their keeping huge databases with credit card information just sitting online waiting to be hacked.
I like the idea that "personal" information needs to be secure and the mishandling of it could lead to a lawsuit (only if there are damages). However, what constitutes "personal" information? A phone number? SSN? Address? If I inadvertantly gave the stalker directions to this person's house, am I liable?
The Estonian ID card project gives away everyone's name and SSN if you have one of these (mandatory) ID cards and you have the web services enabled (most people do).
Just use your favourite ldap client to browse ldap://ldap.sk.ee (or just pop that into the "run" dialog box in windows) and voila - you got everyone's SSN that has one of these trinkets already. Including mine.
They claim it was in the contract when I signed it. Havent taken a look.
... that when the US gummint's TIA program hands the FBI info about someone with the same name as mine, and they pull a Jackson Games (or Limone/Salvati) caper on me, I can sue the government?
Thought not.
OTOH, I've seen an interesting explanation of the curious phenomenon of all those valuable medical studies coming out of Scandinavia in the past couple decades. It seems that they passed laws there that make the medical databases fairly open and accessible to researchers. They understood that this meant that the data would be fairly easily available to essentially anyone willing to hand a few kronor under the table. So they included some fairly severe punishment for misuse of this information. They especially punish employers for [pick your euphemism for firing] employees with medical problems. Supposedly the result has been to make the citizenry fairly supportive of access to medical data, and this is of obvious benefit to society.
Can't imagine this sort of "onerous government regulation" happening in the US, though. Except for occasional court cases like this, information about you and me is just a commercial commodity.
Funny this case was in New Hampshire. That's one of the more lassez-faire states. But then, it wasn't the legislature; it was a judge. It'll be interesting to see the followup.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
No, I'm glad that people who deal in raping privacy have to face legal ramifications to their behavior. I'm sorry it has taken many deaths to finally get the courts to start holding people responsible. The stalker that killed Amy was able to do it because information brokers believe they are immune from the law, and will sell ANYTHING to ANYONE. Search for "skip tracer" and see what you can buy.
I was horrified, but unfortunately not surprised at the death of Amy Boyer, Rebecca Schafer (who's home address was obtained from the DMV by a stalker's PI) and other women attacked by stalkers who were only able to find them through criminally lax data handling practices. My sister deals with sexual abuse victims, and one of the unfortunate pieces of advice she has to give them is to not register to vote, because the guy who may want revenge on them can use the voter registration roles to find the victim again. Other big companies simply don't give a damn about data security as long as they get paid. For example, I was a consultant in a case against Equifax, and it turned out that Equifax - storehouse of extremely personal and private data - never forces password changes on its customers... so if someone gets a userID and password, they can get in undetected for years if they are selective about using it, and it doesn't get noticed on the bill (and at $2 a pop for credit reports, pulling 2 or 3 extra a month for an office that gets hundreds, won't get noticed).
If people are lax about security of data they collect or use about you, they need to know that they can be prosecuted for it. The wild west of collecting and selling personal information without consent is going to come to a close.
The murderer, who "kept firearms and ammunition in his bedroom", purchased information about where the victim worked from a company called Docusearch then proceeded to kill her, them himself.
The victim's estate goes after the search firm and wins. So we're to conclude that the selling of such vital information to the murderer is a punishable offense, at least in N.H. What about the people who sold him his guns? Seems to me that the weapon was at least as dangerous as the information, and each being fairly useless without the other.
Also, this guy "maintained a website containing references to stalking and killing Boyer".
Big lesson here: Google yourself.
-dameron
Coming from a corporate environment, I have to say that "Nosy Nellies" are a pretty big problem. People like to know stuff about their co-workers, bosses, etc. So, they look stuff up, and then they hit the rumor mill.
I do HR support, and I know of at least five cases where we fired someone for illegally accessing data (off of the HR database). Most of those were tech workers who were supporting HR machines and thought they'd find out what their co-workers made.
I know of about a dozen more cases where HR had to talk to people who were looking up information on their co-workers, and were harrasing them with it. And this is all very recent (last few years). Five years ago, I'd never heard of this kind of problem.
psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo
I work with a security and investigations firm and also work as a medical applications developer. This means i see both sides of the privacy issue. On the security and investigations side I routinely find out more information than you ever though was possible in your worst nightmares about people and their relationships. On the medical side I try to make it as difficult as possible (short of destroying the data) for non-authorized people to access information.
There is a large amount of data that is part of the public record that anyone can access and it is perfectly legal for them to do so.
Where you were born
Criminal record
Drivers license info
SSN#
Address
Tax Records etc.
I often wonder if people know how much of this information is available. I am not sure what the Justices were thinking as I have not read the case opinions at this point, but teh stalker could have just as easily gone to the public library and courthouse and found out teh same information. I personally would love to be able to have more anonimity. I dont think that the Govt. or anyone else should know where and when I travel, what websites I go to, what my email says or who I live with. But the sad fact is that America has historically been willing to give up these "rights" and "privacies" for temporary security. and this I think may be part of the result.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
Thing is that it doesn't cost a cent, but also it is not officially sanctioned either. I've done it in three states myself and each time I've had to claim that the bogus name was that of someone else living at the address. Telling them outright that I wanted to list it under a made-up name always gets me the run-around. Maybe the CSR's just aren't educated, but that's the functional equivalent to making the practice unsupported.
When information is power, privacy is freedom.
There are too many ramifications to this to just say they were in the wrong, and they should be sued. The killer would most likely have killed someone even if that person had been somone else, regardless of how he got that person's information, if at all. Ultimately, the only person responsible for the killing was the murderer.
My contact details are available should someone want to find them. There is a tiny risk that some weirdo will get them, but it is far more useful to me to have those who might want to contact me having access to that information.
What you call your 'right' to privacy has been effectively relinquished to an 'opt-out' system by society wanting to keep in touch, not business of government wanting to pry. It would be a nuisance to get unlisted from all the sources out there, and I doubt anyone is seriously going to consider it anyway, even after this.
At the end of the day, they are dealing with freely available information, and they could be seen as seedy and morally questionable, but I don't think they did anything illegal; a similar sort of opinion I have to the porn industry, traffic wardens, and middle management.
This idea was invented by Shampoo.
Right now 'personal information' is a broad range of stuff - too broad to actually hold anyone accountable for its use. If we can get a classification system in place, then we can start talking about unauthorized uses and punishments.
Basically, there is a broad division between information that is unique to the person, and information that is assigned. Your fingerprints are unique, your SSN is assigned.
There has to be some sort of principle to govern the status of these classes. For example, I believe that it is your right to have and maintain exclusive control over the things which are uniquely yours. Within the class of assigned information, disclosures and aggregations must be with the consent of both assigner and assignee - if an information aggregator of any kind wants to warehouse information then they need to have the explicit, informed consent of all involved parties. Some information aggregation activities constitute a search under the Fourth Amendment, basically anything that informs about a particular person or any member of a small enough population, and should be protected as strongly as the physical boundaries of your house or car.
Once some principles are settled on, following those principles makes it possible to grade out the sensitivity of assigned information and establish guidelines for its use and disclosure.
Are directions to a street address provided by the inquirer enough to be held liable? Maybe not, but credit reports and real name to username correlations might be. The aggregation of username, real name, e-mail address, homepage URL, street address, city/state/zip, home phone, cell phone, profession, workplace, and job title
certainly feel like a lot to give to register at an on-line forum - yet many ask for that much info.
What the service is allowed to do with all that personal information is mostly governed by some pretty flimsy laws and a feel for how far they can push the boundaries of community tolerance and civility. But without some principles to govern the effort, we'll just end up with frivolous litigation and foolish legislation.
This is a fantastic way to (help) deal with a nasty problem... Instead of broad, over-reaching laws, make the companies liable for misue of the data, and therefore disinclined to collect it, and therby gain liability, in the first place. Of course, if the data is trully vital, they will still collect it, but will be much more likley to take steps neccesary to protect it properly. I think this approach works much better than a law against colecting it in certain/most cases.
After I graduated highschool, I started getting flooded with calls from varius credit card companies and the military. Finally, one day I got fed up and started asking where they got my info from. After a few tries, I finally got an answer. It went something along the lines of "I don't know specifically how we got your contact information, sir. But, usually, we get them from stuff like college applications."
Any sufficiently advanced influence is indistinguishable from control.
This makes me wonder what the damages really were. Also, was tehre a PFA (protection from abuse, or NH's analogous procedure) in place? Did the killer simply ignore these?
No - Liam Youens was unknown to Amy Boyer and her family. She had no idea he was stalking her.
I understand, and to some extent agree, with your remark that "It's all about the Benjamins", but the larger picture is that Amy's parents have been looking for someone to blame, and they fixed on Docusearch. I don't fault them for this, it's a natural reaction and part of the way they're coping with the tragedy. I was trying to suggest that perhaps some court may later find that actions similar to what Docusearch in this case constitutes criminal liability. I am certainly not a lawyer, so I don't know how that would play out.
I don't doubt that private investigators have an important role. But I think they can't wash their hands of their responsibility either.