Slashdot Mirror
Interesting Privacy Decision in New Hampshire
TCPALaw writes "A huge decision
in privacy law was handed down today by the NH Supreme Court in the Amy Boyer case. Amy was stalked and killed by a man who got her personal
information, including SSN, from an on-line information broker. Privacy groups such as EPIC have argued that access to sensitive personal information should carry with it liability for misuse, and can constitute a tort. The NH Supreme Court agreed.
Now perhaps you can sue the spyware companies."
In other news, the phone company is being sued becuase they list a person's address next to their name.
M@
Krispy Cream is people
. . .that "information brokers" of this sort have an implicit obligation to formally notify the objects of such searches, as to the nature of each search and the buyer. This still wouldn't protect someone who was using a "straw" buyer, but would go a long way to protect people from stalkers. . .
No, we saying at least we can prevent this from happening to our little sisters if we can sue the bastards that make it possible.
Never confuse volume with power.
While an information broker should be responsible for their actions to some extent, I think the killer should be held responsible, and that nothing should dimish the clarity of that matter.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
If all the info is available to everyone, and the knowledge of who is searching on you is known, what is the danger?
Obviously, I'm forgetting about identity theft and fraud - but we need better systems in place to prevent that anyhow.
Just a crazy thought. If everyone knows what they want to about anyone, doesn't that remove some of the reason for identity theft, and 'nosy nellies'?
I like the idea that "personal" information needs to be secure and the mishandling of it could lead to a lawsuit (only if there are damages). However, what constitutes "personal" information? A phone number? SSN? Address? If I inadvertantly gave the stalker directions to this person's house, am I liable?
It warms the heart to know that this largely unregulated industry might suddenly have the fear-of-financial ruin checking their irresponsible ways.
The implication is that spyware is where the information brokers get their information and assemble it. You can't data mine without data.
Never confuse volume with power.
The Estonian ID card project gives away everyone's name and SSN if you have one of these (mandatory) ID cards and you have the web services enabled (most people do).
Just use your favourite ldap client to browse ldap://ldap.sk.ee (or just pop that into the "run" dialog box in windows) and voila - you got everyone's SSN that has one of these trinkets already. Including mine.
They claim it was in the contract when I signed it. Havent taken a look.
... that when the US gummint's TIA program hands the FBI info about someone with the same name as mine, and they pull a Jackson Games (or Limone/Salvati) caper on me, I can sue the government?
Thought not.
OTOH, I've seen an interesting explanation of the curious phenomenon of all those valuable medical studies coming out of Scandinavia in the past couple decades. It seems that they passed laws there that make the medical databases fairly open and accessible to researchers. They understood that this meant that the data would be fairly easily available to essentially anyone willing to hand a few kronor under the table. So they included some fairly severe punishment for misuse of this information. They especially punish employers for [pick your euphemism for firing] employees with medical problems. Supposedly the result has been to make the citizenry fairly supportive of access to medical data, and this is of obvious benefit to society.
Can't imagine this sort of "onerous government regulation" happening in the US, though. Except for occasional court cases like this, information about you and me is just a commercial commodity.
Funny this case was in New Hampshire. That's one of the more lassez-faire states. But then, it wasn't the legislature; it was a judge. It'll be interesting to see the followup.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
No, I'm glad that people who deal in raping privacy have to face legal ramifications to their behavior. I'm sorry it has taken many deaths to finally get the courts to start holding people responsible. The stalker that killed Amy was able to do it because information brokers believe they are immune from the law, and will sell ANYTHING to ANYONE. Search for "skip tracer" and see what you can buy.
I was horrified, but unfortunately not surprised at the death of Amy Boyer, Rebecca Schafer (who's home address was obtained from the DMV by a stalker's PI) and other women attacked by stalkers who were only able to find them through criminally lax data handling practices. My sister deals with sexual abuse victims, and one of the unfortunate pieces of advice she has to give them is to not register to vote, because the guy who may want revenge on them can use the voter registration roles to find the victim again. Other big companies simply don't give a damn about data security as long as they get paid. For example, I was a consultant in a case against Equifax, and it turned out that Equifax - storehouse of extremely personal and private data - never forces password changes on its customers... so if someone gets a userID and password, they can get in undetected for years if they are selective about using it, and it doesn't get noticed on the bill (and at $2 a pop for credit reports, pulling 2 or 3 extra a month for an office that gets hundreds, won't get noticed).
If people are lax about security of data they collect or use about you, they need to know that they can be prosecuted for it. The wild west of collecting and selling personal information without consent is going to come to a close.
I say suing spyware companies is a good start. Just because "reputable" companies may not collect info, they almost certainly purchase info collected from disreputable ones.
Method of processing duck feet
I work with a security and investigations firm and also work as a medical applications developer. This means i see both sides of the privacy issue. On the security and investigations side I routinely find out more information than you ever though was possible in your worst nightmares about people and their relationships. On the medical side I try to make it as difficult as possible (short of destroying the data) for non-authorized people to access information.
There is a large amount of data that is part of the public record that anyone can access and it is perfectly legal for them to do so.
Where you were born
Criminal record
Drivers license info
SSN#
Address
Tax Records etc.
I often wonder if people know how much of this information is available. I am not sure what the Justices were thinking as I have not read the case opinions at this point, but teh stalker could have just as easily gone to the public library and courthouse and found out teh same information. I personally would love to be able to have more anonimity. I dont think that the Govt. or anyone else should know where and when I travel, what websites I go to, what my email says or who I live with. But the sad fact is that America has historically been willing to give up these "rights" and "privacies" for temporary security. and this I think may be part of the result.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
No, it means you can sue "the bastards that make it possible."
I'm afraid it doesn't necessarily do a thing to prevent anything from happening to your little sister.
This is simply "Security through feeling good about what you can do after the fact and thinking through some sort of sympathetic magic that that prevents the occurance in the first place."
It doesn't work, it never has, because it's all about profit margins. Which is why they sell the information in the first place.
Dealing crack is a risky business. You could even get killed. People do it because of the profit potential. If you can make enough money selling information to cover the potential loses through the off chance of a law suit there are people who will be glad to do it. Hell, they can probably even arrange insurance to cover them for this, not to mention most the profits mysteriously ending up somewhere untouchable by the courts.
Shit is still going to happen.
KFG
(1) You must pass a background check before you buy a gun. This is a legal device for clearing the seller of liability. There is no such equivalent amongst the major info-brokers.
(2) Apples and oranges. A core issue of privacy advocates is that information specific to me is my proprietary information. You have no right to sell it or otherwise distribute it without my permission. This information can be used to harm *me* specifically, and the fact that anyone can obtain it for a price is innately harmful to me. A gun has no specific target until you point it at someone.
I live in the city where Amy Boyer was murdered, and my wife knows Amy's mother. We've (my wife and I) have talked about this case a lot, especially every time the Remsburgs appeared in a new newspaper article about their fight against the "information" companies.
As horrible as this crime was, it's not clear to either of us that if Liam Youens hadn't been able to buy the information on where Amy worked that she would be alive today. Youens knew where Amy lived, and he had been obsessed with her for years. It was just a matter of time.
I think what Docusearch did was slimy, and possibly illegal - especially the use of "social engineering" to trick Helen Remsburg into revealing information about her daughter.
The issue at hand is whether or not Docusearch, and similar companies, have an obligation to warn people when their personal info is sold to someone, especially when the purpose is unknown. I think it's well established that this sort of information is often used for heinous purposes - remember the case of actress Rebecca Schaffer, who was murdered by someone who bought her address from the California DMV!
In my opinion, the NH Supreme Court got this one right - Docusearch knows or should know that the primary use of the information they collect is NOT for the benefit of the subjects. They should have an obligation to inform the subject that the information has been collected and sold.
However, I think it is wrong to assign the blame for Amy's death on Docusearch. They were an "accessory to a crime", but did not commit the crime itself.
There are so many "what ifs" in cases such as this, that can have people tied up in knots for years. Youens had a web page up which gave fairly solid clues that he had it in for Amy Boyer. Did anyone in a position to do anything see this beforehand? Probably not...
As for spyware ("spywear"? Is that the watch with a poison dart?), I don't see an obvious connection with this case.
IANAL, but it appears that the decision is:
1) If you have non-public information (SSN, CC#, addresses, etc.) on someone, you are partially liable if you offer that to someone for a fee for what that person does with the information.
2) You can't obtain information on someone deceitfully and sell it.
#2 seems pretty obvious. #1 has a lot of implications for all these companies that have your mortgage records, etc., which IMHO is a good thing. In other words, "Quicken Loans" becomes an accomplice to a con artist if they sold that con artist a list of their outstanding loans and contact info.
This is not in any way talking about public info, though, so if you pay me $25 to get someone's phone number from the white pages, you can harass that person all you want and it won't come back to me. At least based on that decision.