Slashdot Mirror
Interesting Privacy Decision in New Hampshire
TCPALaw writes "A huge decision
in privacy law was handed down today by the NH Supreme Court in the Amy Boyer case. Amy was stalked and killed by a man who got her personal
information, including SSN, from an on-line information broker. Privacy groups such as EPIC have argued that access to sensitive personal information should carry with it liability for misuse, and can constitute a tort. The NH Supreme Court agreed.
Now perhaps you can sue the spyware companies."
Someone's been murdered and you're all smiles because you can go after some guys who send adds to your computer.
In other news, the phone company is being sued becuase they list a person's address next to their name.
M@
Krispy Cream is people
. . .that "information brokers" of this sort have an implicit obligation to formally notify the objects of such searches, as to the nature of each search and the buyer. This still wouldn't protect someone who was using a "straw" buyer, but would go a long way to protect people from stalkers. . .
Because stalking and murdering someone counts as misuse, obviously, giving your name to a list which randomly sends e-mail also does. There's /. logic.
-- 'The' Lord and Master Bitman On High, Master Of All
let alone possible implications for combating spam, this is a good ruling for our safety. there should be some liability for someone looking to obtain information like someone's SSN. I guess if any wackjob with a grudge can buy a social security number and mom's maiden name, it's good that they hold some liability for the actions they take with that information. ...it still doesn't make me feel that much better that any wackjob with a grudge can buy someone's SSN, though.
Yes, in theory we would love to sue spywear authors into oblivion. But I fear we are opening yet another can of worms.
I agree that companies that have access to your personal information should be held liable if they disclose the information, or are negligent in protecting that information (egghead.com comes to mind).
IAMAL, but more inportantly, judges are not congressmen, and I always have reservations when judges "create" law that legislators should have in the first place.
I can't swear that this is the case here, but with two years in the legal field, I still have trouble fully deciphering these rulings. (the fact that law can't be read by persons with average intellegence is yet a whole other subject).
Tequila: It's not just for breakfast anymore!
While an information broker should be responsible for their actions to some extent, I think the killer should be held responsible, and that nothing should dimish the clarity of that matter.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
I'd love to see companies held liable for damages caused by their keeping huge databases with credit card information just sitting online waiting to be hacked.
No, the post isn't Offtopic, nor is it Flamebait. The Amy Boyer murder was a tragic event and this case will allow the family some chance of holding the "information clearinghouses" liable for the information that they doled out for a healthy profit and Amy's life.
It has nothing to do with spyware. Making the connection of spyware to satisfy you personal conspiracy theorist mentality to this case revolving around a real and tragic event is just ridiculous. And, moderating the above comment Offtopic is just too typical.
Just wait till they make Pacemakers that work with an integrated TCP/IP stack. Someone could die from a DOS attack. (Having one my self I don't relish the idea of embedded computers regulating critical functions of the human body) .. OT yes I know.
If all the info is available to everyone, and the knowledge of who is searching on you is known, what is the danger?
Obviously, I'm forgetting about identity theft and fraud - but we need better systems in place to prevent that anyhow.
Just a crazy thought. If everyone knows what they want to about anyone, doesn't that remove some of the reason for identity theft, and 'nosy nellies'?
I like the idea that "personal" information needs to be secure and the mishandling of it could lead to a lawsuit (only if there are damages). However, what constitutes "personal" information? A phone number? SSN? Address? If I inadvertantly gave the stalker directions to this person's house, am I liable?
It warms the heart to know that this largely unregulated industry might suddenly have the fear-of-financial ruin checking their irresponsible ways.
This is quite limited item; it covers the use of a information broker to call an individual to ask for their work address under the *wrong* pretext (a lie) and then sell the information they got based on this lie. It does not seem to cover stuff like selling information found in a credit report, or anything else like that.
The Estonian ID card project gives away everyone's name and SSN if you have one of these (mandatory) ID cards and you have the web services enabled (most people do).
Just use your favourite ldap client to browse ldap://ldap.sk.ee (or just pop that into the "run" dialog box in windows) and voila - you got everyone's SSN that has one of these trinkets already. Including mine.
They claim it was in the contract when I signed it. Havent taken a look.
... that when the US gummint's TIA program hands the FBI info about someone with the same name as mine, and they pull a Jackson Games (or Limone/Salvati) caper on me, I can sue the government?
Thought not.
OTOH, I've seen an interesting explanation of the curious phenomenon of all those valuable medical studies coming out of Scandinavia in the past couple decades. It seems that they passed laws there that make the medical databases fairly open and accessible to researchers. They understood that this meant that the data would be fairly easily available to essentially anyone willing to hand a few kronor under the table. So they included some fairly severe punishment for misuse of this information. They especially punish employers for [pick your euphemism for firing] employees with medical problems. Supposedly the result has been to make the citizenry fairly supportive of access to medical data, and this is of obvious benefit to society.
Can't imagine this sort of "onerous government regulation" happening in the US, though. Except for occasional court cases like this, information about you and me is just a commercial commodity.
Funny this case was in New Hampshire. That's one of the more lassez-faire states. But then, it wasn't the legislature; it was a judge. It'll be interesting to see the followup.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
No, I'm glad that people who deal in raping privacy have to face legal ramifications to their behavior. I'm sorry it has taken many deaths to finally get the courts to start holding people responsible. The stalker that killed Amy was able to do it because information brokers believe they are immune from the law, and will sell ANYTHING to ANYONE. Search for "skip tracer" and see what you can buy.
I was horrified, but unfortunately not surprised at the death of Amy Boyer, Rebecca Schafer (who's home address was obtained from the DMV by a stalker's PI) and other women attacked by stalkers who were only able to find them through criminally lax data handling practices. My sister deals with sexual abuse victims, and one of the unfortunate pieces of advice she has to give them is to not register to vote, because the guy who may want revenge on them can use the voter registration roles to find the victim again. Other big companies simply don't give a damn about data security as long as they get paid. For example, I was a consultant in a case against Equifax, and it turned out that Equifax - storehouse of extremely personal and private data - never forces password changes on its customers... so if someone gets a userID and password, they can get in undetected for years if they are selective about using it, and it doesn't get noticed on the bill (and at $2 a pop for credit reports, pulling 2 or 3 extra a month for an office that gets hundreds, won't get noticed).
If people are lax about security of data they collect or use about you, they need to know that they can be prosecuted for it. The wild west of collecting and selling personal information without consent is going to come to a close.
Now perhaps you can sue the spyware companies.
After someone killed me ?
often, similar information can be pulled just as easily off of popular search engines, if the person is active online. are their search and archiving techniques the next to be contested?
The wise follow a damned path, for to know is to be forsaken.
The murderer, who "kept firearms and ammunition in his bedroom", purchased information about where the victim worked from a company called Docusearch then proceeded to kill her, them himself.
The victim's estate goes after the search firm and wins. So we're to conclude that the selling of such vital information to the murderer is a punishable offense, at least in N.H. What about the people who sold him his guns? Seems to me that the weapon was at least as dangerous as the information, and each being fairly useless without the other.
Also, this guy "maintained a website containing references to stalking and killing Boyer".
Big lesson here: Google yourself.
-dameron
Hear me, hear me! This is a good time to pull
this case - all one need is to connect spyware
with terrorism, sit back and enjoy the show.
For starters, terrorists can buy a variety of
information from spyware crooks, such as one
needed to create impostor or fake identities
of government or even (horror, horror!) military
personnel.
How about this?
My other Beowulf cluster is... er...
Man crushed by immense penis. Film at eleven.
Where does the school board find them and why do they keep sending them to ME?
I work with a security and investigations firm and also work as a medical applications developer. This means i see both sides of the privacy issue. On the security and investigations side I routinely find out more information than you ever though was possible in your worst nightmares about people and their relationships. On the medical side I try to make it as difficult as possible (short of destroying the data) for non-authorized people to access information.
There is a large amount of data that is part of the public record that anyone can access and it is perfectly legal for them to do so.
Where you were born
Criminal record
Drivers license info
SSN#
Address
Tax Records etc.
I often wonder if people know how much of this information is available. I am not sure what the Justices were thinking as I have not read the case opinions at this point, but teh stalker could have just as easily gone to the public library and courthouse and found out teh same information. I personally would love to be able to have more anonimity. I dont think that the Govt. or anyone else should know where and when I travel, what websites I go to, what my email says or who I live with. But the sad fact is that America has historically been willing to give up these "rights" and "privacies" for temporary security. and this I think may be part of the result.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
(1) You must pass a background check before you buy a gun. This is a legal device for clearing the seller of liability. There is no such equivalent amongst the major info-brokers.
(2) Apples and oranges. A core issue of privacy advocates is that information specific to me is my proprietary information. You have no right to sell it or otherwise distribute it without my permission. This information can be used to harm *me* specifically, and the fact that anyone can obtain it for a price is innately harmful to me. A gun has no specific target until you point it at someone.
I bet tomorrow the phone directory will contain a lot more people named Fook Yu...
Other suggestions, courtesy of Bart Simpson.
See charts for twitter trends on Trendistic
I live in the city where Amy Boyer was murdered, and my wife knows Amy's mother. We've (my wife and I) have talked about this case a lot, especially every time the Remsburgs appeared in a new newspaper article about their fight against the "information" companies.
As horrible as this crime was, it's not clear to either of us that if Liam Youens hadn't been able to buy the information on where Amy worked that she would be alive today. Youens knew where Amy lived, and he had been obsessed with her for years. It was just a matter of time.
I think what Docusearch did was slimy, and possibly illegal - especially the use of "social engineering" to trick Helen Remsburg into revealing information about her daughter.
The issue at hand is whether or not Docusearch, and similar companies, have an obligation to warn people when their personal info is sold to someone, especially when the purpose is unknown. I think it's well established that this sort of information is often used for heinous purposes - remember the case of actress Rebecca Schaffer, who was murdered by someone who bought her address from the California DMV!
In my opinion, the NH Supreme Court got this one right - Docusearch knows or should know that the primary use of the information they collect is NOT for the benefit of the subjects. They should have an obligation to inform the subject that the information has been collected and sold.
However, I think it is wrong to assign the blame for Amy's death on Docusearch. They were an "accessory to a crime", but did not commit the crime itself.
There are so many "what ifs" in cases such as this, that can have people tied up in knots for years. Youens had a web page up which gave fairly solid clues that he had it in for Amy Boyer. Did anyone in a position to do anything see this beforehand? Probably not...
As for spyware ("spywear"? Is that the watch with a poison dart?), I don't see an obvious connection with this case.
IANAL, but it appears that the decision is:
1) If you have non-public information (SSN, CC#, addresses, etc.) on someone, you are partially liable if you offer that to someone for a fee for what that person does with the information.
2) You can't obtain information on someone deceitfully and sell it.
#2 seems pretty obvious. #1 has a lot of implications for all these companies that have your mortgage records, etc., which IMHO is a good thing. In other words, "Quicken Loans" becomes an accomplice to a con artist if they sold that con artist a list of their outstanding loans and contact info.
This is not in any way talking about public info, though, so if you pay me $25 to get someone's phone number from the white pages, you can harass that person all you want and it won't come back to me. At least based on that decision.
There are too many ramifications to this to just say they were in the wrong, and they should be sued. The killer would most likely have killed someone even if that person had been somone else, regardless of how he got that person's information, if at all. Ultimately, the only person responsible for the killing was the murderer.
My contact details are available should someone want to find them. There is a tiny risk that some weirdo will get them, but it is far more useful to me to have those who might want to contact me having access to that information.
What you call your 'right' to privacy has been effectively relinquished to an 'opt-out' system by society wanting to keep in touch, not business of government wanting to pry. It would be a nuisance to get unlisted from all the sources out there, and I doubt anyone is seriously going to consider it anyway, even after this.
At the end of the day, they are dealing with freely available information, and they could be seen as seedy and morally questionable, but I don't think they did anything illegal; a similar sort of opinion I have to the porn industry, traffic wardens, and middle management.
This idea was invented by Shampoo.
Seeing how everyone is getting rich selling private information, I am putting MY private information on sale right here on slashdot. YES, IT'S 100% LEGAL. You will get a signed, limited edition booklet with my address, phone number, SSN, credit card numbers AND the illustrated history of both my and my cat's love life with an invitation to add a new episode to either one. 10 booklets will be sold to the highest bidders, so take advantage of this unique opportunity and RESERVE YOUR COPY TODAY.
Right now 'personal information' is a broad range of stuff - too broad to actually hold anyone accountable for its use. If we can get a classification system in place, then we can start talking about unauthorized uses and punishments.
Basically, there is a broad division between information that is unique to the person, and information that is assigned. Your fingerprints are unique, your SSN is assigned.
There has to be some sort of principle to govern the status of these classes. For example, I believe that it is your right to have and maintain exclusive control over the things which are uniquely yours. Within the class of assigned information, disclosures and aggregations must be with the consent of both assigner and assignee - if an information aggregator of any kind wants to warehouse information then they need to have the explicit, informed consent of all involved parties. Some information aggregation activities constitute a search under the Fourth Amendment, basically anything that informs about a particular person or any member of a small enough population, and should be protected as strongly as the physical boundaries of your house or car.
Once some principles are settled on, following those principles makes it possible to grade out the sensitivity of assigned information and establish guidelines for its use and disclosure.
Are directions to a street address provided by the inquirer enough to be held liable? Maybe not, but credit reports and real name to username correlations might be. The aggregation of username, real name, e-mail address, homepage URL, street address, city/state/zip, home phone, cell phone, profession, workplace, and job title
certainly feel like a lot to give to register at an on-line forum - yet many ask for that much info.
What the service is allowed to do with all that personal information is mostly governed by some pretty flimsy laws and a feel for how far they can push the boundaries of community tolerance and civility. But without some principles to govern the effort, we'll just end up with frivolous litigation and foolish legislation.
This is a fantastic way to (help) deal with a nasty problem... Instead of broad, over-reaching laws, make the companies liable for misue of the data, and therefore disinclined to collect it, and therby gain liability, in the first place. Of course, if the data is trully vital, they will still collect it, but will be much more likley to take steps neccesary to protect it properly. I think this approach works much better than a law against colecting it in certain/most cases.
Although most of the decision is sound, I think that Duggan et al. got Question 4 of the decision wrong and a bunch of the reasoning of Question 5 wrong. Since they were wholesale changing the law on 4, there's no reason to artificially reserve the misappropriation of a name or likeness to a person's reputation or prestige, i.e., to celebrities. Jeezus, how many celebrities are in NH anyway, 2? They go to pains to talk about how widespread and damaging identity theft is and then close of the cause of action to a scant few. While Question 5 seems to cast an overly broad net. Jeez, anytime you make a call under a false pretext you're subject to a deceptive practices act!? No more calling the video store and asking "how late are you open" when all you wanted to know is if they're open right now. Jeez, no more prank phone calls unless you truly do want them to let Prince Albert out of his can.
1) There was no contract between the IB and anyone else (except maybe the stalker client) concerning protection of this information.
2) While obtaining the information using a pretext is sleazy, I don't see how this constitutes liability for the misuse of the information by a third party.
3) This seems to me to be just another attempt to spread liability around as a means to compel behavior that the legal system wants to occur without the formality of actually passing a considered law, i.e. bypassing the Constitution (Federal or State) and making law in the court. The criminal justice system doesn't like sleazy IB's, so they make them liable for something they have no control over.
4) When is the court ready to assign liability to cops and Feds who fake court orders, manufacture evidence, and otherwise abuse their responsibilities on a daily basis and thereby cause thousands of people to spend time in jail for crimes they did not commit? Oh, wait, I forgot - the criminal justice system is immune from prosecution for "screwups"...
This seems like a typical case of "something bad happened, we can't punish the guilty, so we'll find someone else - anyone else - and punish them.."
How is an IB supposed to verify their client's intentions? "Oh, excuse me, I really need this info so I can shoot my ex-girlfriend - or stalk Jodie Foster..." "Just check this block on the request form here: Will You Use This Info For Legal Purposes? YES: NO: "...
Or: "You realize, sir, that we have to ask you to turn over your criminal and mental health history to us, so we can verify that you will use this information only on a legal manner?"
Or worse, that if you ask for some innocuous info, that they then investigate YOU before investigating the subject...
Yeah, right...
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
In the UK we have the Data Protection Act 1998. Basically it stipulates that if you want to hold personal data on someone you must by law be on the register of data controllers, see here. It also stipulates you can only hold someones personal information so long as you have a bona fide reason for having that information (e.g. business relationship etc). If you are holding or using personal data without authority you are committing a criminal act and the company's data controller can be held personally liable to criminal action. It is also required that the data controllers tell the registrar what they do with personal data and they are then restricted to doing only what they said they would do. Failure to comply can lead to big fines and payment of compensation to the victim.
I personally have used the act many times to look at my data, all I do is pay £10 for costs and the company/organisation has to give me everything they have on me, including CCTV footage they may have of me (suitably modified so as to obscure the identifying features of other people). If I find something amiss I can complain to the Information Commisioner who has the legal powers to put it right and award me compensation. It would seem this sort of act would prevent a case like this, by effectively shutting down information brokers. Does no such similar act exist in New Hampshire or other states?
Hey... Nice to meet someone from NH!
I actually knew Amy... Not well mind you, but I did know her years ago.
Things ARE run a little differently up here.. and it's a breath of fresh air. I wouldn't have it any other way. No helmets for Motorcycles if you don't want to, no seat belt laws if your over 18, No income tax.
Linuxrunner
www.slightlycrewed.com - Because aren't we all?