
Prof. Mark Budnitz
mbudnitz@gsu.edu
404/651-2135
CONSUMER PRIVACY DEVELOPMENTS
Compiled by Professor Mark E. Budnitz
INTRODUCTION
The following material is presented as a resource for those wishing
to follow developments in consumer privacy. It is in two sections. The first
section describes privacy invasions and related developments. The second
section describes legislative developments. No attempt is made to report
every development. The description of developments is derived solely from
the sources cited, and no attempt was made to verify the accuracy of the stories
reported herein. It is hoped, however, that this material will be useful
for those concerned with this issue.
Privacy Invasions and Related Documents:
Robert O'Harrow, Jr. and Ariana Eunjung Cha, Internet Worm Unearths New Holes (Jan. 29, 2003), Washington Post, available at http://www.washingtonpost.com.
The "Sapphire" or "Slammer" worm spread quickly through the Internet, attacking millions of computers and overwhelming them with data due to a flaw in a Microsoft program. The problem was partly due to the interdependence of databases and the Internet. In just a few hours, the worm shut down some Bank of America ATMs and Continental Airlines' online ticketing system and blacked out an emergency call center in Seattle.
Associated Press, PNC Bank Cancels Check Cards Following Hacker Incident (Feb. 21, 2003), USA Today, available at http://www.usatoday.com.
PNC Bank deactivated thousands of check cards after it found out that a hacker gained access to millions of credit card numbers nationwide by breaking into the processing company's computer system. PNC is the second bank (the other is Citizens Financial Group of Providence) that recently announced a similar security failure.
Dennis Fisher, Solaris Flaw Opens Door To Hackers (Jan 22, 2003), EWeek, available at http://www.eweek.com.
There is a serious vulnerability in several versions of the popular Solaris operating system that enables a remote attacker to access any file and obtain root privileges on a remote machine.
Nate Mook and Craig Newell, BetaNews, Security Flaw Exposes AOL Accounts (Jan. 22, 2003), EWeek, available at http://www.eweek.com.
AOL identified an error in its e-mail system that allows users access without properly verifying their passwords. By simply entering an account name, an AOL user can access and read another account's e-mail. AOL solved the problem, but it is unclear how many users were affected. AOL is also concerned about the impact on AOL's Instant Messenger service because anyone having access to AOL e-mail can obtain the Instant Messenger password information.
Toysrus.com, Data Aggregator Coremetrics Settle Suit Over Surreptitious Data Gathering, Banking Report, Vol. 8, No. 1, Jan. 8, 2003, at 25.
Toysrus.com and Coremetrics, Inc. settled a class action lawsuit for $900,000 in which the plaintiffs alleged that Toysrus.com and Internet services provider Coremetrics had unlawfully collected data about Toysrus.com shoppers without their knowledge and contrary to the privacy policies posted on the Toysrus.com website. In addition to the monetary settlement, Toysrus.com also agreed to other provisions, such as providing notice to customers of future material privacy changes and destroying any Toysrus.com data held by Coremetrics.
Majority of Survey Respondents Still Do Not Think Online Financial Transactions Are Safe, Banking Report, Vol. 8, No. 2, Jan. 15, 2003, at 41.
The Conference Board, an international network of more than 2,000 major companies, conducted a survey that revealed that only thirty-three percent of respondents feel safe in conducting business over the Internet (up from twenty-seven percent last year).
Andrew M. Ballard, FBI Investigating 'Sophisticated' Theft of Credit Card Numbers From eBay Users, Banking Report, Vol. 80, No. 7, Feb. 17, 2003, at 318.
A significant number of eBay users were victimized when a bogus email obtained personal information from them after wrongfully stating that their accounts would be suspended unless they verified private information. Federal agents are investigating, but noted that the email originated from the University of North Carolina's computer system.
Adam Clymer, Stolen Data Leave Soldiers Vulnerable to Identity Theft, Atlanta J. - Const., Jan. 12, 2003, at A21.
Five hundred and sixty-two thousand military personnel had data, such as names, addresses, phone numbers, birth dates and Social Security numbers, stolen from TriWest, a Pentagon contractor handling medical claims for military personnel and dependents. Thousands of those military personnel are facing deployment for war with Iraq. They were advised to contact credit-reporting agencies and flag their credit reports. TriWest says that thus far, none of those individuals had their identities stolen, but the FBI warns that sometimes it takes weeks or months for such thefts to become apparent.
Bill Husted and Bob Keefe, World Wide Worm Snarls Web, Business, Atlanta J. - Const., Jan. 26, 2003, at A3.
A fast-spreading computer "worm," named "Slammer SQL," slowed Internet traffic worldwide on January 25, 2003, by invading Microsoft's SQL Server 2000 database software, which is used by businesses everywhere. Impact in the United States was substantial, but not "debilitating." For instance, Bank of America ATMs were not functioning for a part of the day. Last year, such "worms" cost companies, government agencies and others more than $4 billion. Microsoft offers a "patch" that protects companies and individual users from such worms, and those who had installed such protections were unaffected.
Caroline Wilbert, Web News Sites Now Often Seek Personal Data, Atlanta J. - Const., Feb. 18, 2003, at D1.
Many on-line newspapers and news sites are requiring registration for their on-line users, who are asked to provide personal information such as age, ZIP code and hobbies in order to access online content. Newspapers do not believe that asking for such information decreases traffic. The newspapers argue that such information is needed in order to personalize advertising on the Internet, but there is no actual data on whether such advertising methods are working.
Group Fights Microsoft, ATLANTA J. & CONST., Jan. 30, 2002, at B2.
EPIC (Electronic Privacy Information Center) has complained to the attorneys general in all 50 states claiming that Microsoft's .NET Passport authentication service is gathering personal information in an "unfair and deceptive" manner, which in turn exposes consumers to the sale, release, or theft of that information.
Lee Levis Const., Inc. v. Harrison, 2000 WL 33666911 (Tex.)(Justice Hankinson). JUDICIAL HIGHLIGHTS, pg. JH-7.
In determining a "confidential communication" under the California Privacy Act, the court found relevant whether a participant in a phone call, which was simultaneously recorded by the other, had a "reasonable expectation that his telephone conversation...would be divulged to someone...not a participant in the conversation."
Albertson's Shoppers to Protest Over Cards, ATLANTA J. & CONST., Jan. 24, 2002, at G2.
A consumer group called Consumers Against Supermarket Privacy Invasion and Numbering is protesting Albertson's use of "discount cards" because of concerns they violate consumer cardholder privacy rights.
Customers Duped by Email, ATLANTA J. & CONST., Feb. 15, 2002, at F2.
Thousands of Bank of America customers received phony emails asking them to update personal account information. The email contained a link which sent the unsuspecting customer to a phony website which asked for, among other things, a Social Security number and mother's maiden name. It is not known how the email addresses were obtained. The Bank is presently working with the FBI.
Browsing Tracker Gets Boot, ATLANTA J. & CONST., Feb. 14, 2002, at G2.
Comcast Corp. has unilaterally agreed to stop monitoring the web activities of its 1 mil. high-speed internet subscribers in order to protect against any possible abuses of its customers' privacy rights. Comcast claims no abuses have occurred to date.
Atlantans Feel Victimized by Companies that Require Personal Data, Profit From It: What's for Sale? You, ATLANTA J. & CONST., Mar. 24, 2002, at A1, A16.
Two out of three Atlantans find merchants purchasing their information to be an invasion of privacy. 43% of Atlantans feel the tracking of their purchasing habits is also an invasion of privacy. Women and older people are more likely to feel their privacy has been invaded and only 8% of Atlantans say they are not bothered by telemarketers. Conversely, three out of four Atlantans don't mind mounted traffic cameras and only 16% find web sites that require registration an invasion of privacy. According to Ron Wilcox, a UVA associate business professor, the real problem begins in five to six years due to improving technology. That technology will help merchants gain information to more accurately match marketing and commercials to specific consumers. Those merchants obtain information either illegally or through product warranty cards and supermarket loyalty programs. The information is compiled in a database and resold to marketers.
Quillman, Tripp. When Confidentiality is Compromised. Newsweek, May 6, 2002, pg. 16.
The Los Angeles Times ran a story last year detailing how 62 psychiatric patients had their medical records accidentally posted on the web. During that same year, a drug company disclosed the names of 600 psychiatric patients in a mass emailing and a large HMO sent confidential patient records to the wrong people.
Calif. court rules DMV under no duty to protect against ID theft. Supplement to: Consumer Financial Services Law Report, May 8, 2002. pg 17, 22.
A California Appeals Court ruled it could not impose liability on the DMV for injury caused by the criminal use by third parties of licensed drivers' information. There was no recognized duty applicable to the DMV to protect licensed drivers from identity theft because there was no showing of clear legislative intent as to that duty.
P3P standard gains approval from Web consortium. Supplement to: Consumer Financial Services Law Report, May 8, 2002. pg 17.
The World Wide Web Consortium approved the use of P3P enabled web sites to protect web surfers from unwillingly divulging information. P3P allows the computer user to set their web browser to certain privacy settings, which alert the user if a web page does not meet their settings.
Newman, Bud. Hacker 'Infiltrates' 3,600 Online Accounts of Customers at Republic Bank in Florida. Banking Report, Vol. 78, No. 17. April 29, 2002. pg 739-740.
On April 17, 2002, a hacker broke into the bank computer accessing 3,600 accounts. No balance or transactional information was taken. This was the first incident of this nature at Republic Bank in St. Petersburg, Florida. The bank has taken steps to protect their clients by hiring computer security consultants, reviewing affected files, and requesting clients change passwords and email addresses. The breach in security was discovered when the hacker emailed the bank.
Wasch, Adam. Poll Finds Small Business Owners Concerned About Financial Privacy. Banking Report, Vol. 78, No. 14. April 8, 2002. pg. 606-607.
Small businesses find credit reporting agencies, financial institutions and online vendors the greatest threat to their privacy. The privacy issues that small business is most concerned about include identity theft, financial matters, health issues, purchasing and lifestyle matters, and political activity (listed in declining order of importance). 61% of small businesses keep a client and prospective client list and only 25% notify those customers. The information is collected from payment records, directories, information provided by customers in return for prizes, discounts, etc., internet tracking, information from compilers, and credit card information. 1/3 of small business owners feel this information is confidential and only 1% report they sell that information.
Heller, Michele. Banks, Credit Agencies Top Poll on Privacy Fears. American Banker. March 28, 2002. pg 4.
Small business owners fear stolen identity and misuse of financial information and health records. 28% reported credit reporting agencies invaded their privacy while financial institutions and online vendors follow closely.
Privacy Groups Balk at License Bills, ATLANTA J. & CONST., May 5, 2002, at A8.
Congress is considering improving state driver's licenses, which scares privacy groups. A bill sponsored by Thomas M. Davis III (R-Va.) and James P. Moran Jr. (D-Va.) and introduced to Congress would require computer chips implanted into the license, holding personal identification information. The bill is also designed to link computer systems in all states in order to flag individuals who were denied a license in another state. Bill supporters point out it is too easy to gain a driver's license with false documents, as 8 of 19 hijackers on Sept. 11th had false driver's licenses.
Critics are afraid the new license will instead be a tracking device, drawing a parallel to the cards issued to citizens of China. Likewise, information on the card may be easily obtainable by businesses for marketing. At the Rack, a bar in Boston, the doorman scans patrons' IDs as they enter, downloading the information contained on the license, which they later use to determine their target market.
Browser Security Flaws Labeled 'Critical', Bloomberg News. May 16, 2002. at E4.
Microsoft Corp. has indicated six flaws in their Internet Explorer, which may create security problems for users. Versions 5.1, 5.5 and 6.0 allow web sites to provide pages that have a consistent appearance instead of cascading. This may allow a hacker to obtain personal information.
O'Harrow Jr., Robert. Flier Screening System Raises Privacy Concerns. Washington Post. February 1, 2002 at A12.
The FAA and other technology companies will begin screening and profiling all passengers by linking a reservation system to private and government databases. The FAA will be able to obtain travel history, living arrangements, demographics, etc. The profile creates a score called a threat index and depending on the score, passengers will be flagged for further analysis. The system would allow tighter security without explicitly intruding on passenger activity.
Lilly Privacy Violation Charges are Settled. Associated Press. January 19, 2002 at B3.
Eli Lilly & Co. mistakenly leaked 600 email addresses of people taking Prozac. The FTC stated the privacy promises on the Lilly website were deceptive. All charges have been settled. The settlement includes increased safeguards for confidential information.
Mariano, Gwendolyn. DoubleClick Able to Settle Privacy Suits. CNET News.com, May 21, 2002.
The U.S. District Court for the Southern District of New York approved a settlement for charges against DoubleClick of invasion of privacy against internet surfers. The settlement requires DoubleClick to explicitly describe in "easy to read sentences" its ad-serving service, use of cookies, and other features. DoubleClick must also destroy personal records on previous internet surfers, spend $3.3 million on educating consumers on internet privacy and employ a private accounting firm to audit compliance with the settlement.
Governor Signs Bill Letting Internet Consumers Block Disclosures. SiliconValley.com, St. Paul Associated Press, May 22, 2002.
Governor Jesse Ventura signed a bill requiring internet service providers to contact customers before disclosing personal information. It also requires the contracts to state in "conspicuous" terms if the customer must opt out of the information sharing or if the internet provider needs permission first. Furthermore, the bill gives internet users a remedy, allowing them to sue for violation of the law. The bill also requires unsolicited emails to divulge content if sexual in nature.
Online 'mousetrapping' leads to $1.9M Fine. USAToday.com, Associated Press, May 28, 2002.
John Zuccarini of Andalusia, Pennsylvania was ordered to pay $1.9 million back to victims of his internet scheme. The scheme consisted of setting up websites with misspelled popular names like victoreasecret.com. Once a surfer hit on that website, a hailstorm of popup advertising, gambling, or pornography loaded on the surfer's computer. Mr. Zuccarini was making approximately $1 million from advertisers. Many of the websites target children.
Fordahl, Matthew. Requests for Subscriber Information Concern Privacy Advocates. The Nando Times, www.nando.net, May 28, 2002.
Since the passage of the Patriot Act, privacy advocates fear increased police power, lax oversight, and increased sharing between the private and public sectors of once private information, contributing to violating civil liberties. The new laws created to combat terrorism also encompass other crimes as well, contributing to the collection of private information from innocent citizens. The main fear is the potential abuse of the information gathering system. The government stresses that probable cause is still required to gather information.
Since the passage of the new laws, information requests from government agencies to internet providers have increased substantially. Information gathering is allowed for an "emergency," and everything now is an emergency. Agents now can obtain information on what people read, download, buy, their email addresses and they can even watch real time conversations.
MS Privacy Policies Under EU Probe, www.zdnet.com, REUTERS, May 26, 2002.
The EU announced an investigation into whether Microsoft's free .Net Passport service meets EU data protection laws. .Net Passport is designed to collect information on the internet user while they surf the internet. Not having the service may keep those users from gaining access to certain websites.
Schwartz, John. Hackers Steal Credit Reports, New York Times, May 17, 2002 at F3.
Hackers stole 13,000 credit reports from affluent customers of Ford Motor Credit Co., while posing as employees to perpetrate the fraud. The hackers used an authorized code to access the computer system that contained the information. The information obtained included names, addresses, Social Security numbers, bank and credit card accounts, and credit ratings. This information can easily be used to open bank accounts, make purchases, etc.
David Boraks, After "Wake-Up," B of A Spreads Word on ID Theft, American Banker, June 18, 2002, at 2.
Bank of America fell victim to identity theft in February 2002. A hacker sent out an email to customers asking them to disclose account numbers and other personal information at a fake Bank of America Internet site. The bank increased its efforts in educating consumers about identity fraud by offering tips in its web site's "privacy" section.
W.A. Lee, Critics: Privacy Cards Market to Ignorance, American Banker, June 21, 2002, at 12.
Critics argue that Citigroup's and Capital One Financial's credit cards that promise privacy through a no-telemarketing pledge are selling rights that are already available to any customer under the Gramm-Leach-Bliley Act which requires financial institutions to let customers opt-out of data sharing practices. Also, the Telemarketing Sales rule protects any consumer who does not want to be bothered by telemarketers' calls. Critics argue that because customers are "in the dark" about their rights, card companies successfully pitch them these features.
Laura Mandaro, E-Loan Chief Backs CA Privacy Drive, American Banker, Aug. 14, 2002, at 1.
The CEO of online lender E-Loan, Inc. is advocating that companies should be required to get their customers' explicit permission before they share their information with other parties. He committed $1 million of his own money to support a state ballot initiative on financial privacy. The CEO also noted that the absence of such protection will undermine consumers' comfort in using the Internet for financial transactions. The banks are not supporting this initiative, and are attempting to postpone additional reform.
Ben Jackson and Hon Reosti, Goleta Will Quit Payday Loan Biz in OCC Pact, American Banker, Nov 4, 2002, at 1.
Goleta National Bank in California terminated its 2-year partnership agreement with Ace Cash Express, Inc., a Texas payday lender, after a customer discovered 641 customer loan files in a trash bin behind Ace's office in Virginia. The OCC generally objects to letting payday lenders use the national bank charter to make loans nationwide. Ace faces possible lawsuits in several states alleging that Ace used Goleta's name to get around consumer protection laws, including state usury laws.
Matt Richtel, Black Market in Credit Card Data Booming on Web, Atlanta J. - Const., May 13, 2002, at A10.
Tens of thousands of credit card numbers are stolen and sold each week in membership-only "cyberbazaars," mostly operated by hackers in the former Soviet Union. Credit card numbers can be bought for between $.40 and $5.00 each. They are obtained by hacking into data programs of on-line merchants and stolen thousands at a time. The numbers are mostly used by "thieves" in Eastern Europe and Asia to make on-line purchases. The financial losses from resulting fraudulent transactions reach into "double-digit" billions.
Ernest Holsendolph, The Rise of Hackers Vs. Colleges, Atlanta J. - Const., May 29, 2002, at D5.
Georgia Tech, among numerous other colleges and universities, is a victim of hacker attacks. Some of the hackers are teenagers, or "Script Kiddies," who have figured out ways to capture computer systems. Federal agencies insist on strict security to protect high priority research and threaten withdrawal of funding if security precautions are not taken.
Bill Husted, Beware: Snoop Software Can Record Your Every Keystroke, Atlanta J. - Const., July 16, 2002, at P1.
"Spy" programs are available for as low as $50. These programs are intended, for example, to allow parents to track their children's activities online. However, they also allow hackers to use them in "twisted" ways. The author warns computer users to track who has access to their computers because once these programs are installed, they are very difficult to track down.
Natalie Obiko Pearson, Japan's ID System Leaks Data From Start, Atlanta J. - Const., Aug. 8, 2002, at A9.
Two days after Japan's new nationwide identification system was launched, (the system resembles the US's social security number system), personal data was sent to the wrong people. Japan's defense agency investigated a possible leak from military computers and warned that sensitive information may have been divulged.
James Rowley, Microsoft to Tighten Passport Security, Atlanta J. - Const., Aug. 9, 2002, at F4.
Microsoft agreed to improve security of its Passport system, which is a convenient way to enter a single user name and password when making on-line purchases, because personal information, including credit-card numbers, wasn't safe from hackers. Microsoft will establish a "security process" by analyzing its weaknesses and taking steps to address the risks.
Microsoft Reports Flaw in Software, Atlanta J. - Const., Aug. 24, 2002, at E2.
Microsoft identified "critical" flaws that make owners vulnerable to data theft in its Office package and made a "patch" available on its Web site to cure the problem.
DoubleClick Settles Complaint by States, Atlanta J. - Const., Aug. 27, 2002, at D2.
DoubleClick, Inc., the largest Internet advertising firm, agreed to settle a 10-state investigation of company data collection and ad services that prompted privacy concerns. The conditions of the agreement call for the company to disclose its privacy policy, purge old data and hire an outside firm to monitor compliance.
Dina Bass, Microsoft Discloses New Security Flaws, Atlanta J. - Const., Sep. 6, 2002, at F4.
Microsoft announced a security flaw that affects all Microsoft operating systems released since 1996. The new flaw could allow a hacker to steal personal information by either (1) setting up a bogus web-site to attract unsuspecting customers; or (2) stealing the user's digital signature, which is used to authenticate e-mail. By gaining access to the user's information, the hacker is able to send viruses via e-mail. The flaw also allows a hacker to mimic a "digital certificate" that proves to the user that the Web site or e-mail is trustworthy. Microsoft released a "patch" that is supposed to solve the problem.
Eileen Alt Powell, New ID Theft Scam Uses Fake IRS Forms, Atlanta J. - Const., Sep. 15, 2002, at G7.
Consumers are receiving fake forms that look like bank and IRS forms asking consumers for personal information, such as name, address and Social Security number.
News Services, Ex-employee Faces Charges in Massive Identity Theft, Atlanta J. - Const., Nov. 26, 2002, at C1.
More than thirty thousand people across the United States are victims of the largest identity fraud scheme ever, masterminded by a former employee, Philip Cummings, of Teledata Communications, a company that helps banks and other businesses gain access to consumer credit data. After obtaining credit information, the employee and other co-conspirators used the information to take out loans in the names of their victims, buy merchandise and order credit cards. Cummings was arrested and indicted. He faces up to thirty years in prison.
Laura Mahoney, et al., Citibank Settles With 26 States Over Sale of Consumer Lists to Telemarketers, Banking Report, Vol. 78, No. 9, Mar. 4, 2002, at 392.
After a two-year investigation, Citibank reached an agreement with twenty-six states after it sold customer lists to telemarketers in exchange for a percentage of the marketers' revenue. The investigation revealed that customers were charged for purchases they did not make. Under the agreement, contracts between Citibank and telemarketers must include, among other things, that a card holder must provide express authorization for purchases before charges may be placed on the account.
State High Court Upholds $500,000 Penalty for Obtaining, Selling Private Financial Data, Banking Report, Vol. 78, No. 9, Mar. 4, 2002, at 394.
Ruling unanimously, the Massachusetts Supreme Judicial Court upheld a $500,000 penalty against Source One Assocs., a New York information broker who sold private bank account information of about 1,000 individuals in violation of Massachusetts' Consumer Protection Act and the federal Fair Credit Reporting Act.
Anandashankar Mazumdar, U.S., EU Re-Engage on Financial Privacy; Industry Argues for Status Quo, Banking Report, Vol. 78, No. 15, Apr. 15, 2002, at 675.
The Bush administration wants to start negotiating with the European Union over how to handle transfers of personal data in the financial services industry because until now, American financial services companies have been taking advantage of the lack of regulation. The financial services industry takes the position that the European Union already protects data adequately and no additional safeguards are needed.
Barbara Yuill, Government, Industry Speakers at ABA Panel Describe Balancing Act in Privacy Arena, Banking Report, Vol. 78, No. 15, Apr. 15, 2002, at 663.
An ABA panel discussion entitled, "Customer Information Asset or Liability" addressed litigation over privacy of personal information. The presenters noted that plaintiffs have success in electronic privacy claims. State claims fare better than federal in part because the courts interpret federal statutes relating to privacy of information more narrowly, while the state causes of actions, such as fraud and misrepresentation, are broader. The FTC takes the position that absent a specific federal statute there is no general duty to disclose. Further, the FTC representative noted that businesses should not rely solely on privacy notices when making decisions whether to disclose, but should also determine if they are causing harm to consumers.
Barbara Yuill, Treasury Receives Some 50 Comments On Early Effect of Consumer Privacy Notices, Banking Report, Vol. 78, No. 19, May 13, 2002, at 834.
The Treasury Department took comment on consumer privacy, and consumer groups stated that the Gramm-Leach-Bliley Act falls short in protecting consumer privacy, while the banking institutions stated that the existing laws are more than adequate to safeguard consumer privacy. The consumer groups, primarily represented by the state attorneys general, argue that privacy notices are difficult to understand, resulting in consumer confusion and inability to exercise informed choice. Individual commentators stated that they do not like their financial information shared and that an opt-in scheme is more effective than opt-out. The American Bankers Association stated that current federal law should be given more time to work and that additional regulation is unnecessary.
Consumer Protection Privacy, Banking Report, Vol. 70, No. 43, May 14, 2002, at 1688.
New York Supreme Court, Appellate Division affirmed the dismissal of a class action privacy lawsuit against Chase Manhattan Bank by customers whose personal information was sold to telemarketers. The court noted that the complaint failed to allege actual harm from receipt of any unwanted telephone solicitation or junk mail.
Arthur Rogers, European Parliament Protects Consumers When Buying Financial Services on Internet, Banking Report, Vol. 78, No. 20, May 20, 2002, at 892.
The European Parliament passed legislation that provides rules for telephone sales in terms of caller identification and other forms of information. However, there was no EU consensus on unsolicited offers across the Internet. The legislation provides for a "cooling off" period of at least 14 days during which consumers may withdraw from contracts. Further, consumers will be entitled to receive full details of the agreement in writing.
Court Approves DoubleClick Settlement; Net Advertiser to Institute New Protections, Banking Report, Vol. 70, No. 45, May 27, 2002, at 2742.
The U.S. District Court for the Southern District of New York gave final approval to a proposed settlement resolving a class-action lawsuit against DoubleClick, an Internet advertising company. DoubleClick will institute a broad set of consumer privacy protections that will be spelled out in "easy-to-read-sentences." A key provision in the agreement states that the company may only combine personally identifiable information with other information collected from across Web sites after the company provides notice to the customer and receives the customer's opt-in choice.
Numbers Ease Burdens on Government, But Frequent Use Calls For Better Scrutiny, Banking Report, Vol. 78, No. 23, Jun. 10, 2002, at 1015.
Congress issued a report entitled, Social Security Numbers: Government Benefits from SSN Use but Could Provide Better Safeguards, that states that government must improve disclosures to taxpayers and government employees regarding required use of Social Security numbers in order to decrease the possibility of identity fraud.
Derrick Cain, Treasury Orders ACE Cash Express, Goleta Bank to Halt Payday Lending, Banking Report, Vol. 79, No. 17, Nov. 4, 2002, at 892.
The Treasury Department ordered Ace Cash Express and Goleta National Bank to end payday lending activities and to pay a civil fine due to Ace's failure to safeguard 641 customer loan files that were found in a trash dumpster. The article points out privacy concerns associated with potential disclosure of such private information. The agreement also forbids Ace from entering any kind of an agreement to provide any services, including payday lending, without obtaining OCC's consent. As an alternative, Ace plans to offer its own state-regulated loans.
Joyce E. Cutler, Bank of the West Inadvertently Releases Customer E-mail Addresses, Banking Report, Vol. 79, No. 18, Nov. 11, 2002, at 774.
Bank of the West sent out a mass email to its customers and accidentally disclosed email addresses in that email. The company placed recipients' names in the "to" field instead of the blind carbon copy field. The bank states that no financial data was released and is considering installing security software to prevent such future mistakes.
Kip Betz, Privacy Issues Seen in Recording Industry Efforts to Quell File-Sharing of Copyrighted Music, Banking Report, Vol. 71, No. 22, Dec. 10, 2002, at 2371.
Privacy concerns are associated with illegal file-sharing and downloading of copyrighted music. For instance, the Recording Industry Association of America (a trade group representing the US recording industry) is seeking to compel an internet service provider to reveal the identity of a person who allegedly engages in peer-to-peer file-sharing of copyrighted music.
Andrea L. Foster, Russian Mafia May Have Infiltrated Computers at Arizona State and Other Colleges (June 20, 2002), The Chronicle, available at http://chronicle.com/free/2002/06/2002062001t.htm.
Arizona state police seized two desktop computers and at least five hard drives at Arizona State University suspecting that someone, possibly Russian mafia, installed software in those computers that could record users' credit-card numbers and other personal data. More investigations are being conducted in Texas, California, and Florida.
AT&T Says E-mails Bogus, Atlanta J. - Const., Dec. 10, 2002, at F2.
AT&T warns its customers not to respond to bogus e-mails asking for personal information, such as Social Security number, credit card information, etc. AT&T stated that it stopped those messages but that they could reappear.
Julie Watson, You, Too, Can Be Summer Redstones (Sep. 23, 2002), Forbes.com, available at http://www.forbes.com/2002/09/23/0923redstone.html.
Many of the documents available through the U.S. Securities and Exchange Commission's (SEC) web site include the filer's Social Security number. The SEC does not edit the filings before they are released to the public and therefore some of the wealthiest individuals in the United States may have one of their most private pieces of information exposed. Identity thieves may use that information to obtain lines of credit and perform other frauds.
Bogus Yahoo Email Picks Up Credit Card Numbers, Reuters, (Oct. 17, 2002), Forbes.com, available at http://www.forbes.com/business/newswire/2002/10/17/rtr756849.html.
Yahoo announced that some of its customers had been tricked into giving their credit card numbers to an unaffiliated third party who had posed as Yahoo in a mass e-mail. Yahoo, less than twenty-four hours later, sent an e-mail to its users telling them not to respond.
Eli Lilly Settles FTC Charges Concerning Security Breach (Jan. 18, 2002), available at http://www.ftc.gov/opa/2002/01/elililly.htm
Lilly, a pharmaceutical company, agreed to settle FTC charges regarding unauthorized disclosure of sensitive personal information collected from consumers through its Prozac.com Web site. As part of the settlement, Lilly is required to establish and maintain a four-stage information security program designed to maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against reasonably anticipated breaches of security.
Chairman Details Progress Made in Implementing The Federal Trade Commission's New Privacy Agenda (June 11, 2002), available at http://www.ftc.gov/opa/2002/06/neteconspch.htm
The FTC Chairman described the FTC's initiative, originally announced in October 2001, to protect consumer privacy. First, the FTC proposed to establish a national do-not-call registry for consumers to eliminate telemarketing calls. Second, the FTC proposed an amendment to the Telemarketing Sales Rule that would prohibit telemarketers from exchanging credit card numbers and other pre-acquired account information. Third, the FTC described the "remove me" project, a method for consumers to remove themselves from spam lists. Fourth, the FTC addressed pretexting services. In addition, the FTC has been active in enforcing the provisions of the Fair Credit Reporting Act by extending education to landlords nationwide to inform them about the law and how to comply with its provisions. Next, the FTC has been involved in controlling ID theft by educating law enforcement agencies and conducting enforcement sweeps that resulted in 73 criminal prosecutions. In addition, the FTC is enforcing the Children's Online Privacy Protection Act. Also, the FTC finalized the Safeguard Rule to implement the GLB Act requirement that financial institutions establish and maintain a security program to protect the personal information they collect.
Bank Privacy Measure Fails, Associated Press, (June 12, 2002), Grand Forks Herald, available at http://www.grandforks.com/mld/grandforks/3450535.htm.
North Dakota voters, in a referendum, threw out a new state law that made it easier for banks to sell their customers' personal information. The law allowed financial institutions to sell customer data to outside companies without getting the customer's written permission. Now, the banks are required to get written permission before selling data to other companies.
Laura Kurtzman, Group Pushing for Online Privacy (July 09, 2002), The Mercury News, available at http://www.siliconvalley.com/mld/siliconvalley/3612624.htm.
Privacy advocates, such as Consumers Union, the American Association of Retired Persons, the American Civil Liberties Union and other groups, plan to launch an effort backed by a $1 million contribution from a loan executive to pressure lawmakers into giving consumers more control over their personal financial data.
Troy Wolverton, Best Buy Changes Privacy Policy (June 4, 2002), CNET News.Com, available at http://www.news.com.com.
Best Buy is changing its online privacy policy, allowing the company to combine customer information with information obtained in the store. Also, the company may share with third parties information collected from surveys or reviews on its site. Such moves are common among other retailers.
Troy Wolverton, Ziff Davis Settles Privacy Probe (Aug. 28, 2002), CNET News.Com, available at http://www.news.com.com.
Ziff Davis Media will pay $125,000 to end a multi-state investigation into a security breach on its computer system that exposed thousands of subscription orders last year after the company posted a promotion on its web site for its Electronic Gaming Monthly magazine. The company violated its privacy policy by what the company calls a "coding error" that led to exposure of customers' personal information, such as credit card numbers.
Troy Wolverton, Amazon to Revamp Privacy Policy (Sep. 25, 2002), CNET News.Com, available at http://www.news.com.com.
As a result of concerns raised by customers, consumer advocates and state regulators, Amazon.com plans to clarify its privacy policy and circumstances under which it might sell or share customer information.
Steven Levy, Playing the ID Card, Newsweek, May 13, 2002, at 44.
In light of September 11th and the fact that the hijackers did not have a problem in obtaining valid identification from state authorities in order to board planes, activists proposed implementing a national identification card system that would, among other things, help fight identity fraud. However, after some time, the urgency passed and the need for such a security measure was placed on hold. The proposed ID system will require individuals to present several trusted documents in a multi-step process. The card itself will contain encrypted chips that are difficult to forge. Opponents argue that the scheme can be beaten and that the proposed system will only take away Americans' freedom because the savviest of hackers and terrorists will find a way to circumvent the system.
Michelle Kessler, Instant Messaging at Work Can Open Door to Hackers (May 29, 2002), USA Today, available at http://www.usatoday.com.
The popular Instant Messaging systems, such as AOL Instant Messenger, lack basic security features needed to protect corporate networks and therefore allow hackers to access sensitive information contained in those messages. Many companies erroneously believed that such systems are secure, and upon finding out about the security problems decided to remove these programs from their servers.
Associated Press, Drugmaker to Pay States Over E-mail Privacy Violation (July 26, 2002), USA Today, available at http://www.usatoday.com.
Eight states settled with a pharmaceutical company for $160,000 over allegations that the company unintentionally released e-mail addresses of more than 600 people taking Prozac. A company's employee made the mistake that resulted in disclosure of individual addresses to all subscribers of the Medi-Messenger service, a service that sends automated e-mail reminding the subscriber to take the dose of the medication.
Associated Press, Princeton Condemns Yale Site Infiltration (July 30, 2002), USA Today, available at http://www.usatoday.com.
Princeton University criticized Yale University's policy in allowing prospective students to access the Yale web site and find out their admission status after entering their Social Security number and birth date. Princeton argued that this raised privacy concerns since other schools the students applied to, as well as other individuals also have access to this information.
Ted Bridis, E-Mail Encrypting Program Suffers Flaw (July 10, 2002), Washington Post, available at http://www.washingtonpost.com.
Pretty Good Privacy, the world's most popular software for scrambling sensitive e-mails, suffers from a programming flaw that could allow hackers to attack the user's computer and, in some circumstances, unscramble messages. The flaw allows a hacker to send a specially coded e-mail that would seize control of the victim's computer. The software is used by corporate and government offices, including the FBI, and is so powerful that until 1999 the federal government sought to restrict its sale out of fear that criminals may use it. There is no evidence that anyone has successfully accessed information.
David McGuire, Microsoft Settles Privacy Complaint With FTC (Aug. 8, 2002), Washington Post, available at http://www.washingtonpost.com.
FTC claims that Microsoft in its privacy policies made a false claim that it took "reasonable" measures to protect the personal information of millions of Passport users and misled consumers, telling them that Passport transactions are more secure than other online transactions. Under the terms of the settlement, Microsoft could face fines of up to $11,000 per violation.
Robert O'Harrow, Jr., Web Ad Firm to Limit Use of Profiles (Aug. 27, 2002), Washington Post, available at http://www.washingtonpost.com.
DoubleClick, the leading online advertising company, agreed to pay $450,000 to 10 states and limit its use of personal information after the states complained that the company inappropriately merged on-line information with off-line purchases to better target advertising. The company will now be forced to provide better information to consumers about how it is collecting personal data through "cookies" and give users a chance to opt-out of data collection.
Government Already Monitoring Modems (Nov. 28, 2002), Wired News, available at http://www.wired.com/news/conflict/0,2100,48711,00.html.
Assistant Attorney General stated that the new powers granted to the government under the Patriot Act to obtain information without court order have allowed the Justice Department to investigate more thoroughly. The government is monitoring cable modem users without requiring permission from a judge.
Brian McWilliams, Navy Sites Spring Security Leaks (Nov. 6, 2002), Wired News, available at http://www.wired.com.
U.S. Navy added additional security measures after officials discovered that Internet surfers could gain access to confidential Navy databases. The exposed files included material designed to support a machine for testing the Consolidated Automated Support weapons system. One of the system's features allowed the user to pull up records on who registered to use the system. The problem was discovered by a group of French security enthusiasts known as Kiteta.
Brian McWilliams, Microsoft Spills Customer Data (Nov. 20, 2002), Wired News, available at http://www.wired.com.
Microsoft took a public file service offline after it discovered that the system contained scores of internal Microsoft documents, including customer databases with millions of entries. The server allowed customers to download drivers, software patches and other files.
Ben Charny, KPNQwest Loses Track of Data (June 12, 2002), ZDNet, available at http://zdnet.com.
For several days, KPNQwest's databases lost an average of four to five percent of all personal data. This company runs Europe's largest fiber-optic network, carrying one quarter of Europe's Internet traffic.
Alorie Gilbert, Is Drkoop Taking Care of Privacy (July 1, 2002), ZDNet, available at http://zdnet.com.
More than six months after filing for bankruptcy, Drkoop, an online health service, warned its members that they have some time to opt-out of having their email addresses added to mailing lists of other health retailers. Privacy advocates object, saying that instead, the information should not be released unless the consumer gives his or her consent. But by taking the opt-out route, which is more common now, Drkoop appears to contradict its privacy policy posted on its Web site.
Reuters, Expert Demonstrates Microsoft Hack (Aug. 27, 2002), ZDNet, available at http://zdnet.com.
A Swedish hacking expert demonstrated how it is possible to hack through security on a Web server software from Microsoft. Microsoft responded that it is working to develop a solution. Experts say that computer banks are vulnerable, but four Swedish banks reported that they were not aware of any break-ins into their systems.
Mike Reagan, P2P Shares More Than Meets The Eye (Oct. 4, 2002), ZDNet, available at http://zdnet.com.
Discusses the dangers that peer-to-peer (P2P) file-sharing programs pose for businesses and other organizations. By installing this software on their PCs, users become vulnerable to hackers: the program lets users designate certain files on their computers as accessible to anyone, and the problem arises when the user does not designate the right files or installs default settings that expose vast sections of a user's database. The article also outlines several steps that a user can take to protect information.
Declan McCullagh, Security Holes Exposes Tower Records (Dec. 6, 2002), ZDNet, available at http://zdnet.com.
A computer glitch on Tower Records' website allowed anyone to view Tower Records' databases of customers' orders dating back to 1996. The company claims that no credit card numbers were revealed.
Alan Judd and Kathy Brister, Hope Data Hit By Net Hackers, Atlanta J. - Const., Aug. 2, 2001, at A1.
Hackers invaded Georgia's Hope scholarship computer system. The state officials were aware of the system's vulnerability to such invasion since 1999 and kept quiet for a year and a half about the potential security breaches. It was unclear at first what kind of information the hackers accessed, but officials estimated that thousands of people were affected.
Amy Winn, Microsoft Offers Windows Fix, Atlanta J. - Const., Dec. 21, 2001, at D2.
Microsoft's newest version of Windows has serious flaws that allow hackers to either steal or destroy data files or implant software. Microsoft made available on its web site a fix for the problem, called "universal plug and play."
Scholars Discuss With Federal Lawmakers Constitutional Limits on Privacy Legislation, Banking Report, Vol. 76, No. 10, Mar. 12, 2001, at 434.
Federal Legislators met with legal scholars to discuss the constitutional bounds of a proposed privacy law. According to the legal academics, it would be constitutional for the government to require commercial companies that collect information to disclose how that information is used. One of the scholars commented that broader information privacy rules "are not easily defensible under existing free speech law."
EC Oks Data Transfer Standard Contract Despite U.S. Request to Delay Consideration, Banking Report, Vol. 76, No. 13, Apr. 2, 2001, at 591.
European Commission voted to require U.S. financial services companies to enter into standardized contracts that would permit them to transfer personal data from EU states and expose them to liability overseas, despite opposition to the standardized language from the Bush administration and a request to delay the legislation by the EU's finance services director.
New TRUSTe Guidelines Propose Opt Out Protection for Customers of Failing Entities, Banking Report, Vol. 69, No. 40, Apr. 24, 2001, at 2648.
TRUSTe, a provider of on-line information privacy seals, provided a set of guidelines for handling personal information for companies that are undergoing mergers or bankruptcy proceedings: (1) enlist a third party to oversee the process to ensure that customers' privacy expectations are honored; (2) allow consumers to opt in to any database that is transferred to a third party if the original privacy agreement indicated that personal data will not be shared; and (3) notify consumers and allow them to opt-out of inclusion in a database that is sold to a company that is offering similar services, if the company's original privacy policy indicated that consumer information would be shared.
Internet Firm, Head Settle FTC Charges of Misrepresentation in Data Collection, Banking Report, Vol. 77, No. 20, Nov. 26, 2001, at 855.
New Millennium Concepts, Inc., an operator of a web site that offered to pay monthly Internet access fees for consumers who completed monthly surveys and paid a one-time setup fee, entered into negotiations with the Federal Trade Commission, which alleged that the operators made misrepresentations in the advertising, promotion, and sale of products and services in violation of Section 5(a) of the FTC Act (15 U.S.C. § 45(a)). The settlement agreement would require the operator to delete or destroy the personal identifying information that it collected from consumers.
Jay Stanley and Barry Steinhardt, Five Reasons Why National ID Cards Are a Bad Idea (Nov. 29, 2001), Computerworld, available at .
Five reasons why a national identity system is not a good idea, including the "slippery slope of surveillance" and the potential for discrimination and harassment.
Search Engines Dig Too Deep (Nov. 26, 2001), CNETnews.com, available at http://news.cnet.com
Search engines are increasingly discovering private information such as credit card numbers and other information that can be exploited by hackers. A Google spokesperson commented that although the primary burden falls on people who are incorrectly exposing this information, Google is exploring different solutions to prevent exposure of information.
Ephraim Schwartz, Vendors Broach End-User Privacy Issues, INFOWORLD, Feb. 14, 2001, at 3.
Several companies are marketing
anti-virus and security software, which stores information on the user's computer
that alerts the user when privacy is at risk.
Ann Carrns, WebMD Asks Court to Back It In Denying Data to Quintiles, WALL ST. J., Mar. 2, 2001.
As part of WebMD's $840 million acquisition of Quintiles' Envoy Corp, WebMD contracted to provide certain data to Quintiles. "Envoy acts as a clearinghouse, processing millions of medical, pharmacy and other claims over a private electronic network." Quintiles conducts clinical tests, does marketing for pharmaceutical firms and packages health-care data for sale to clients, re-packaging the information provided by Envoy to give its clients "insight into the popularity of various drugs and the conditions for which the drugs are prescribed."
Although Quintiles claims that "the data is 'de-identified,' or stripped of details that could link it to a specific patient," WebMD notes that birth dates and zip codes "may be combined with other publicly available databases to determine the identity of individuals." Thus, WebMD, citing patient-privacy concerns, ceased providing electronic health-claims data to Quintiles Corp. Quintiles obtained a temporary restraining order from state court requiring WebMD to "resume the flow of information," but WebMD filed for removal of the case to federal court.
The case was later settled when WebMD agreed to repurchase 35 million shares of stock from Quintiles for $185 million. The settlement will remove any further obligation of WebMD to provide data to Quintiles. See Martha Brannigan, WebMD, Quintiles Settle Litigation And Sever All Ties, WALL ST. J., Oct. 15, 2001.
Tycoons Targeted in Alleged Identity Fraud Scheme, ATLANTA J. & CONST., Mar. 21, 2001, at E3.
A restaurant worker allegedly engaged
in identity theft to raid the bank and brokerage accounts of several celebrities
including George Lucas, Steven Spielberg, and Oprah Winfrey. The suspect then
transferred the funds to an off-shore account using two free Yahoo e-mail
accounts. He was found carrying the social security numbers, addresses and
birthdates of more than 200 of America's wealthiest people.
Personal TV Recorder Watches Your Habits, ATLANTA J. & CONST., Mar. 27, 2001, at D3.
The Privacy Foundation reported
that the makers of TiVo have been using the units to collect detailed information
regarding customers' viewing and recording habits, and even which remote buttons
users press. The company admitted that it intends to sell this information
to advertisers and TV networks, but that it will no longer collect details
on things such as remote usage. The Company also claims that information will
be grouped by zip code and will not be tied to any individual user. Consumer
experts report that the manual included with TiVo was "extremely misleading"
and that the only way a consumer can get updated privacy policy information
is through the company's website.
Federal Judge Dismisses Privacy Suit vs. DoubleClick, ATLANTA J. & CONST., Mar. 31, 2001, at F2.
A federal judge in New York dismissed
a class-action alleging that DoubleClick's online profiling constituted a
privacy violation.
Kate Marquess, Open Court?, ABA JOURNAL, Apr. 2001, at 54.
Electronic access to and filing
of court documents is gaining popularity. However, many case files, particularly
bankruptcy files, contain personal information such as addresses, social security
numbers and bank account information. The current procedure of keeping records
available only at the courthouse allowed the clerk to perform a gatekeeping
function; Internet access eliminates this check. Consumer advocates are urging
that electronic records should be treated differently than paper records in
the courthouse. Solutions include limiting access to authorized individuals
via password, or for a fee. Colorado was the first state to implement an e-filing
system, and its information is only accessible by active members of the state
bar. Other documents are available for a fee of $5 per search, which some
say does not allow for equal access.
Andrew Roth, VeriSign Security Breach Said Fixed; Banks Wary, AM. BANKER, Apr. 2, 2001, at 17.
VeriSign claimed to have fixed the problem which led it to issue two digital certificates to a computer criminal posing as a Microsoft employee. Critics argue that banks, rather than technology companies, are the proper issuers of security credentials.
Americans Fear Loss of Privacy, Poll Shows, ATLANTA J. & CONST., Apr. 7, 2001, at A8.
A recent survey indicated that
American concerns for privacy rival those of health care and that a majority
of Americans want their private information protected, "even at the cost
of restricting public access and free press."
Amazon.com Unit Closer to Settling Privacy Complaint, ATLANTA J. & CONST., Apr. 28, 2001, at F2.
A judge granted preliminary approval
to the settlement of a class action lawsuit alleging that Amazon.com's Alexa
Internet tracked and stored usage paths in violation of federal law.
Rob Garver, Banking Groups' Privacy Pledges Seem too Weak, AM. BANKER, June 12, 2001, at 4.
An association of trade groups,
expanding a set of eight voluntary guidelines adopted in 1997, agreed not
to share customers' medical information and to help fight identity theft.
Such voluntary guidelines may not be sufficient, as several consumer privacy
protection bills remain pending in Congress.
Don Fernandez, Computer Upgrade Mixes Porn with Legislature's Site, ATLANTA J. & CONST., June 30, 2001, at H1.
Visitors to the Georgia Legislature's
Website were bombarded with pornographic images when they attempted to use
the archives link. The problem, believed to be the result of hacking, was
later rectified.
John Moran, Beware, Downloaded Freeware May Spy, ATLANTA J. & CONST., July 1, 2001, at Q4.
Many freeware/shareware programs
are bundled together with spyware, software that secretly collects statistical
and on-line usage data. The freeware websites often hide their disclosures
in fine-print or engage in silent data uploads.
Car Rental Agency Sued for Fining "Speeder," ATLANTA J. & CONST., July 4, 2001, at D3.
Acme Rent-a-Car was using global-positioning satellites to catch customers speeding, then automatically charging the fines to the customers' ATM cards. One customer is suing the car rental company under the state's Unfair Trade Practices Act for failing to properly warn of potential fines. While other car rental companies use GPS to give directions or track stolen vehicles, none admit to using GPS to track speed or levy fines. Acme claims that the fines were not a money-making scheme, but rather an attempt to avoid the reckless driving which often results in "catastrophic claims." The company did spell out its procedure in the rental contract, but consumer experts allege that greater disclosure, in the form of an initialed acknowledgement after a verbal exchange, is necessary.
Charles Wilson, Prozac Maker Lets Slip Hundreds of E-Mail Addresses, ATLANTA J. & CONST., July 6, 2001, at A3.
Eli Lilly alleged that a programming
error resulted in the dissemination of the e-mail addresses of over 600 Prozac
users. The Prozac users had signed up on Eli Lilly's web site to receive dosage
reminders, and the company inadvertently included the e-mail addresses of
all subscribers in the message header. The mix-up allowed patients' names
and some medical history to be traced. The ACLU had requested the FTC to investigate.
Brian Ploskina, Managed Security Deals Leave Networks Vulnerable, INTERACTIVE WEEK, July 9, 2001, at 9.
More companies are hiring security
providers to protect their networks, but these providers are not regulated
or certified by the government or by the industry. As a result, companies
who are unable to pay large up-front sums to develop their own security procedures
are paying monthly fees to managed security service providers who may do more
harm than good. For example, one security provider bungled a firewall configuration,
and another was charging for services it never provided. Experts suggest that
before hiring a security provider, companies need to decide what type of protection
they want and the maximum amount they can afford to spend. In addition, companies
need to check references, find a qualified contact, and enter into a detailed
contract.
Don't Get Mad - Get Nasty, INTERACTIVE WEEK, July 9, 2001.
There are a growing number of terminated
employees who are resorting to network retaliations such as altering corporate
records and stealing company data.
Bob Keefe, Wireless Boom in Tech Helps Hackers, Too, ATLANTA J. & CONST., July 14, 2001, at F1.
Although wireless networking has
become increasingly popular, many networking kits do not contain effective
security features and few consumers are taking additional steps to ensure
security. Wireless networks are easy to hack because they operate via the
same radio signals that most cordless phones use. In fact, a group of graduate
students at UC Berkeley successfully broke a wireless networking security
code. Another expert successfully tapped into several major corporate networks
by using wireless technology.
Laura Lorek, Russian Mafia Net Threat, INTERACTIVE WEEK, July 16, 2001, at 11.
Security experts report that numerous
U.S. e-commerce and banking websites are being hacked by Russian organized
crime rings. The groups have exploited unpatched Microsoft Windows NT operating
systems to steal over 1 million credit card numbers. Although patches have
been available on Microsoft's website since 1998, many companies have not
utilized these resources to repair the problems. The hackers are also downloading
trade secrets and customer databases and then engaging in extortion, agreeing
to patch the vulnerability for a price or to release the information if no
funds are received. Several companies, offering insurance against hacker attacks,
have actually paid off the extortionist and then posted rewards for information
leading to an arrest. Security experts concede that Eastern European hackers
are among the most sophisticated. For example, one ring used internet cafes
in Moscow to steal over 300 credit card numbers, another posted 25,000 credit
card numbers after his "ransom" demand was denied, and others are
selling U.S. trade secrets to the highest bidder. Although Russian law provides
for prison sentences of up to ten years for hacking, few cases are prosecuted
because these cyber-criminals are difficult to trace.
Dennis Fisher, It Bugs Out Over IIS Security, EWEEK, July 23, 2001, at 26.
Companies who use Microsoft's IIS
web servers are growing weary of the servers' growing list of security problems.
Since 2000, Microsoft has issued over 201 security bulletins for its IIS 5.0
server, and that number increases at a rate of one every three weeks. Because
the IIS is the default server for Windows NT and Windows 2000, many companies
feel that changing servers would be impractical or unaffordable. While many
of the vulnerabilities lead to system crashes, a growing number of flaws would
allow hackers to gain control of the servers to execute arbitrary commands.
Microsoft officials admit the problem, particularly with older versions which
contained numerous default settings that users failed to turn off, thus exposing
themselves to additional vulnerabilities. Microsoft's IIS 6.0 will contain
a wizard program which will tailor the services to the user's needs.
Dennis Fisher, Code Red: Guard Your Apps, EWEEK, Aug. 9, 2001, at 9.
Experts fear that the Code Red
worm, "the first widespread use of an automated tool to deposit DDoS
clients on remote machines," shows a trend towards hacking into applications
rather than networks. One company experienced over 260 attempted attacks by
the Code Red worm within a 24-hour period, which could have led to a compromise
of confidential corporate data "with a better written worm." While
many companies have invested significant sums in firewalls, anti-virus software,
and other defenses against network attacks, these devices are virtually ineffective
against attacks on software applications. As a result, security providers
are now concentrating on developing software to protect against application-level
attacks.
Netscape to Revise Download Program, ATLANTA J. & CONST., Aug. 10, 2001, at G2.
Netscape revised its program for
downloading Internet files so that data regarding users' online activities
is no longer collected.
Steven Johnson, Sir Cam, I Presume?, THE NEW YORKER, Aug. 13, 2001, at 27.
A computer virus, SirCam, spread
by "searching users' address books and then automatically mailing itself
to all the addresses" it found. The virus also scanned the browser's
cache, which stores addresses of recent web site visits, for additional e-mail
addresses. SirCam operated by selecting a random document from each victim's
hard drive and forwarding that document to all the e-mail addresses it discovered.
Doug Brown & Brian Ploskina, E-Theft: Who's Liable, INTERACTIVE WEEK, Aug. 13, 2001, at 11.
One consumer advocate estimates
that over 3000 stolen credit card numbers are traded in chat rooms each month.
However, no existing federal law addresses companies that fail to protect personal
information, and victims of identity theft are increasingly relying on private
suits. Federal regulators have introduced the "Safeguards Rule,"
which sets standards for how financial institutions must protect consumers'
personal information. However, the proposed Rule excludes most online retailers
and websites that store private consumer information. As a result, several
companies, including Mastercard, Visa and American Express, have instituted
their own security measures which merchants must follow or risk losing their
processing license.
Charles Babcock, Deluge of Security Threats Overwhelms I-Managers, INTERACTIVE WEEK, Aug. 13, 2001, at 47.
Approximately six or seven system
vulnerabilities occur each day. Although many of these problems are easily
fixed in the next release of an operating system, others can leave websites
vulnerable to attack. Hackers are now attacking Web, database, and applications
servers. Although patches are available to correct most vulnerabilities, there
are a myriad of such patches, and many administrators don't have time to constantly
update their systems.
Brian Ploskina, No Excuses, INTERACTIVE WEEK, Aug. 13, 2001, at 47.
Consumers booking on-line vacations
were unaware that the site they were using processed credit cards through
a third party with very lax security - RegWeb.com. A hacker found a link to
RegWeb's customer database and posted the link to a chat room, allowing other
hackers access to over 300 credit numbers.
Todd Spangler, They Know - Roughly - Where You Live, INTERACTIVE WK., Aug. 21, 2001, available at http://www.zdnet.com/intweek/stories/news/0,4164,2806124,00.html (last visited Aug. 22, 2001).
New internet services allow detection
of the physical location of an individual user. While some sites are using
the technology to custom-tailor advertisements, others are using it to detect
credit card fraud and to block illegal content. However, mapping the IP addresses
of the more than 1.6 billion Internet users is an imprecise task. Country-level
location is 99% accurate, although pinpointing a specific city is only 80%
accurate.
Christopher Seward, Sony Game Hacker Nabbed, ATLANTA J. & CONST., Sept. 4, 2001, at E2.
A 17-year-old allegedly hacked into Sony's online game - Everquest - allowing him access to hundreds of players' personal information. The teen also hacked into the home computer of Sony's VP.
Privacy Groups File FTC Complaint over Microsoft's Integration of Passport Service into Windows XP, CONSUMER FIN. PRIVACY, Sept. 14, 2001, at 23.
Privacy groups have requested that the FTC investigate Microsoft's Passport service which allows customers to use a single log-in for various affiliate websites. Microsoft integrated the Passport service into Windows XP, leaving consumers little choice because a "dialog box tells the user they need Passport in order to use the Internet communication features of Windows XP." However, one study suggested that over 90% of consumers valued privacy more than the convenience of single sign-ins offered by services like Passport.
Kathy Brister, EarthLink Wary of FBI's Increasing Use of Surveillance Software, ATLANTA J. & CONST., Sept. 19, 2001, at D1.
In response to the September 11
attacks, the FBI demanded that EarthLink install Carnivore, the FBI's surveillance
software. The Internet provider refused, using its software to provide the
information the FBI wanted to retrace suspected terrorists. While the Carnivore
system captures all information and then discards what's unnecessary, EarthLink's
software captures only the necessary information from the start. Smaller ISPs
who cannot afford to create their own software may be forced to allow installation
of Carnivore.
Brian Bergstein, Yahoo News Pages Shown Vulnerable to Hacker Attack, ATLANTA J. & CONST., Sept. 25, 2001, at C10.
In an alleged attempt to urge Yahoo
to fix "a basic mistake in its network setup," a 20-year-old hacker
changed the content of Yahoo's news pages by posting phony quotes and incorrect
information.
Bob Keefe, Single Web Sign-on Promoted, ATLANTA J. & CONST., Sept. 27, 2001, at D1.
A coalition of 33 companies is
creating a system which would allow consumers to use a single password to
access multiple Internet sites. The system would also allow the companies
to share sensitive personal information, with consumer permission. Members
of the Liberty Alliance Project include American Airlines, Bank of America,
eBay, General Motors, and Sony. Microsoft and AOL are developing similar systems.
The purpose behind such systems is to make the Internet easier to navigate,
but consumer experts warn that these systems may permit information-sharing
regarding buying habits, financial stability, and other personal information.
Unlike Microsoft's system - Passport - which stores information in a central
database, the Liberty Alliance system will not use a central database and
no single company will control the information. Rather, consumers will be
able to choose how their information will be stored and which affiliates may
share it.
David Neal, Yahoo Hack Raises Online Security Fear, available at http://www.zdnet.com/zdnn/stories/news/0,4586,2815654,00.html (last visited Oct. 3, 2001).
A hacker entered Yahoo's news site
and altered the content of a news story. The hacker claims that the purpose
of the attack was to highlight security weaknesses in Yahoo's system. Experts
contend that content management systems can reduce the damages caused by these
types of attacks.
Farhad Manjoo, Who's Reading Your Resume?, available at http://www.wired.com/news/business/0,1367,46559,00.html (last visited Oct. 14, 2001).
A report by the Privacy Foundation
accused Monster.com of discussing the sale of users' private data to marketers,
failing to remove deleted resumes promptly, and sharing user information with
AOL. Monster denied all allegations.
Matt Loney, EU Votes to Restrict Cookies, available at http://www.zdnet.com/zdnn/stories/news/0,4586,2824264,00.html (last visited Nov. 15, 2001).
The European Union voted to require websites to specifically ask users if they're willing to accept cookies. Consumer experts allege that cookies' technical vulnerabilities raise serious privacy concerns. However, the directive may cost European companies millions. One British company estimates that it could lose $270 million if the directive is ratified.
Amy Winn, Beware E-Mail Attachments, ATLANTA J. & CONST., Nov. 27, 2001, at D2.
The Badtrans Internet Worm, distributed
via Microsoft Outlook e-mail attachments, provides hackers access to users'
computers and installs a program that can capture and store personal data,
including credit card information and passwords.
Caron Carlson & Dennis Callaghan, Holiday Message for E-Com, EWEEK, Dec. 3, 2001, at 23.
In 2000, the FTC fined e-commerce sites over $1.5 million due to failure to meet advertised shipping deadlines during the holiday season. In light of the September 11, 2001 attacks, the FTC further required e-tailers to disclose country of origin and product warranty information. However, many e-tailers are unaware of the FTC requirements, and others find compliance difficult due to voluminous inventories and unknown change of manufacturers by suppliers.
Dennis Fisher, Privacy Quiz Questioned, EWEEK, Dec. 3, 2001, at 41.
Microsoft recently unveiled a web-based
tool to assist consumers with determining the level of on-line privacy they
desire. The 10-question quiz, available with Internet Explorer 6, categorizes
the user based on his answers, and offers privacy protection tips based on
the category he was placed in. Critics argue that the quiz is merely an attempt
to "redefine privacy as notice and ignore access and use limitations."
Laura K. Thompson, ID Theft Tops State Trade Groups' Agendas, AM. BANKER, Dec. 5, 2001, at 6.
Many state banking associations
have launched campaigns to inform consumers, and oftentimes bank employees,
how to protect against identity theft. These campaigns include pamphlets,
tip cards, radio ads, and educational websites. Identity theft is a federal
crime, with the FTC receiving over 1800 calls each week on its identity theft
hotline. In addition, every state except Nebraska, New York, and Vermont,
has passed legislation making identity theft a crime.
FTC Ends Investigation of DoubleClick's alleged Violation of Own Privacy Policy, 69 BANKING REP. (BNA) 2458 (2001).
After investigation, the FTC concluded
that DoubleClick did not disclose personal identifying information "for
purposes other than those disclosed in its privacy policy" when it merged
with Abacus Direct Corporation.
Richard Cowden, OCC Issues Alert Advising Banks to Take Precautions Against Hackers, 76 BANKING REP. (BNA) 738 (2001).
As a result of a NIPC report of
increasing attacks on e-commerce activities, the Office of the Comptroller
of the Currency alerted national banks to take additional security measures
to protect their information networks.
ABA Surveys Consumers on Awareness of Banks' Privacy Disclosure Statements, 76 BANKING REP. (BNA) 988 (2001).
Under the Gramm-Leach-Bliley Act, banks are required to disclose their privacy policies and to allow customers to "opt out" of information-sharing. A survey indicated that while 42% of customers did not remember receiving a copy of their bank's privacy policy, of the 58% who did recall receiving the policy, 68% actually read it.
FinCen's 2001 Suspicious Activity Review Indicates Dramatic Increase in Identity Theft, 76 BANKING REP. (BNA) 1061 (2001).
A Treasury Department study revealed
that identity theft was the number one consumer complaint in 2000, with the
FTC receiving 1700 complaints weekly. Identity theft has risen drastically
since 1997, when only 44 instances were reported. The study also indicated
that "30% of all identity theft reports came from California and North
Carolina. Minnesota, Washington, and New York as a group ranked second."
U.S. Multinationals Failing to Meet Standards of EU Privacy Directive, Andersen Study Says, 77 BANKING REP. (BNA) 342 (2001).
A study of fifteen Fortune 500 companies revealed that the companies did not meet the EU's seven safe harbor privacy guidelines. The study assessed the principles of notice, security, choice, data integrity, access and enforcement, but did not address the seventh principle - onward transfer. No company met all six principles. Eighty percent satisfied the choice requirements, and seventy-five percent met the data integrity requirements. However, only 25% satisfied the notice principle, and a mere 5% met the enforcement requirements.
Adam Wasch, Judicial Committee Recommends Online Protection of Public Court Data, 77 BANKING REP. (BNA) 399 (2001).
A committee of U.S. Judges recommended
that bankruptcy and other civil court documents should be made available electronically,
but that personal identifying information should be removed.
Online Banking Privacy Seriously Limited, Study Says, 77 BANKING REP. (BNA) 467 (2001).
In a recent survey of 100 banks,
34 admitted to information sharing with unaffiliated third parties, and 80
banks "offered customers little or no chance to limit affiliate sharing."
FTC Chairman Muris Unveils Agenda on Privacy for Post-Sept. 11 Environment, 77 BANKING REP. (BNA) 551 (2001).
In the wake of the recent terrorist attacks, the FTC is stepping up its privacy efforts. The FTC revealed its Privacy Agenda: (1) create a national do not call list; (2) increase anti-spamming enforcement; (3) assist victims of identity theft; (4) eradicate pretexting, the practice of fraudulently obtaining personal financial information; (5) encourage credit-reporting accuracy; (6) enforce privacy promises; (7) enforce the FTC's Telemarketing Sales rule and (8) the Gramm-Leach-Bliley Act; (9) restrict the use of pre-acquired account information; (10) increase enforcement of children's online privacy; (11) encourage consumer privacy complaints, and (12) hold privacy protection workshops. The Commissioners are split as to whether additional federal legislation is necessary.
R. Christian Bruce, Banks Need Better Privacy Disclosures, OCC Official Warns, Citing Agency Review, 77 BANKING REP. (BNA) 633 (2001).
OCC officials, warning that banks are not sufficiently explaining their privacy policies to customers, may demand that some banks issue corrective disclosures, particularly those whose notices discourage customers from exercising their right to opt out of information-sharing.
Mark Cutler, FTC: Don't Rest After Writing Privacy Policy; "Tremendous Undertaking" of Training Looms, 77 BANKING REP. (BNA) 780 (2001).
FTC lawyers caution companies that once a privacy policy is developed and implemented, companies must continue to ensure that they do not violate that policy. This requires training employees in what the policy is and how to comply with it. Allowing consumers to opt in rather than opt out of the policy is a wise choice. In addition, "under the joint and several liability aspect of the model privacy contract clauses for the transfer of data under the EU directive, if a European data exporter does something wrong but the [US company] does not, the [US company] could still be held liable."
Jake Brown, Vermont Clears Tough New Privacy Rules; Disclosure Requires Prior Consumer Consent, 77 BANKING REP. (BNA) 822 (2001).
Strict new Vermont legislation requires consumers to explicitly consent to information-sharing by financial institutions and other entities. The rule required regulated entities to annually provide clear and conspicuous notice to customers of their privacy policies. No information may be disclosed without affirmative customer consent.
More Bank Customers Opt Out of Financial Data Sharing, Study Says, 77 BANKING REP. (BNA) 930 (2001).
A recent survey indicated that 31% of U.S. bank customers chose to opt out of their bank's information sharing, while another 40% intended to do so within the next year. The banking industry had estimated that only 5% of customers would choose to opt out. Nevertheless, 63% of customers agreed that information sharing prevents fraud and 60% agreed that it prevents identity theft.
Carnivore Protections Needed to Counter Risk of FBI Misuse, Draft of Report Says, 69 U.S.L.W. 2312 (2001).
A Justice Department report indicated that Carnivore does not adequately protect against unauthorized FBI interception of private electronic communications. The report noted that although Carnivore can perform fine-tuned searches, the tool is also capable of performing broad sweeps to collect a wide range of information. The report concluded that Carnivore's risks outweighed its protections and that additional safeguards are necessary.
Federal Study Says Personal Financial Data Need More Protection in Bankruptcy Cases, 69 U.S.L.W. 2441 (2001).
A study by the Treasury and Justice Departments and the Office of Management and Budget emphasized the need for greater privacy controls over the personal information in consumer bankruptcy files. Although bank account numbers and balances are generally excluded from other files, they are available to the public in most consumer bankruptcy proceedings. The study recommends that creditors be given full access to the information necessary to collect their debts, but that the general public be restricted from viewing this information. This task will become increasingly difficult with the onset of electronic availability of bankruptcy records.
Minnesota's AG Privacy Suit Against Fleet Stands, 5 CONSUMER FIN. PRIVACY 19 (2001).
A federal District Court Judge denied Fleet's motion to dismiss a consumer privacy suit filed by the Attorney General of Minnesota. The suit alleges that Fleet shared customers' account numbers and loan balances with "telemarketers who deceptively sold membership programs to Fleet customers."
Bankruptcy Judge Orders Essential.com to Keep Records Private, 5 CONSUMER FIN. PRIVACY 22 (2001).
Essential.com, a provider of telephone
service to over 70,000 customers, was ordered by a federal bankruptcy judge
to restrict the transfer of its personal customer information to third parties.
The bankrupt company attempted to raise money by selling its customer list
to competing telecommunications providers. The company also intended to sell
credit card information in contravention of the privacy policy posted on the
company's website. The judge's order requires the company to notify customers
that it is going out of business and that the new owner will disclose its
own privacy policy. Customers may choose to accept service from the new provider
or may transfer their service to a different provider.
California Suit Against DoubleClick Proceeds, 5 CONSUMER FIN. PRIVACY 22 (2001).
A class action suit against DoubleClick
survived a motion to dismiss. The case is set for trial in January 2002.
Network Solutions Sells Domain Name Registrant Information (visited Mar. 14, 2001) http://news.cnet.com/news/0-1005-202-4852561-0.html
NSI, a domain name registrar, has been using ads and e-mails to persuade marketers to sign up to use its database of "more than 5 million unique customers." "Much of the information NSI is making available--including the names, street addresses and telephone numbers of domain name registrants--is already public through the WhoIs database. But NSI is assembling the data into manageable packages that include details such as whether a company is taking security measures or whether it sells products online, letting marketers better target the sites' owners." NSI maintains that no e-mail addresses will be sold to marketers, however.
Although current registrants may opt out of having their data sold, existing domain name holders did not have that option if they registered several years ago, and their information is still on any list that was distributed prior to their opt out.
EPIC has requested that Congress increase the privacy rights of domain name holders, because current ICANN rules allow (and sometimes require) registrars to sell registrants' information.
Amy Harmon, A Trick to Snoop on E-Mail, N.Y. Times, Feb. 5, 2001, available at (visited March 7, 2001) http://www.nytimes.com/2001/02/05/technology/05JAVA.html
Current technology makes it possible for someone to "essentially bug an e-mail message so that the spy would be privy to any comments that a recipient might add as the message is forwarded to others or sent back and forth." This spying technique involves embedding JavaScript in an HTML message, which enables the text to be secretly returned to its original sender every time it is forwarded to another recipient whose e-mail program is set up to read JavaScript. Generally, determining whether a message contains JavaScript requires some familiarity with computer programming language.
Some e-mail marketers use these types of invisible tags to detect whether an individual has opened an e-mail message. In response, the Congressional Privacy Caucus is planning to hold hearings to investigate the issue.
Microsoft Outlook, Outlook Express and Netscape Messenger 6 are all vulnerable to attack by Web bugs, but AOL and users of Web-based e-mail programs would not be affected. Microsoft and Netscape do have features that allow users to disable their browser's JavaScript capability, but "a bugged message will still be returned to its original sender if it is replied to or forwarded to someone who reads the message with an e-mail program that is vulnerable."
Carl S. Kaplan, Tough Times for Data Robots, N.Y. Times, Jan. 12, 2001, available at (visited March 7, 2001) http://www.nytimes.com/2001/01/12/technology/12CYBERLAW.html
Recently, a California federal district court ruled that an internet company's use of a software robot to invade and copy auction lists from eBay constituted trespass to chattels. Trespass to chattels requires an intentional and unauthorized interference with the personal property of another that causes the victim to suffer a degree of harm. eBay offered evidence that the burden on its computer servers from the invasion constituted between one and two percent of the total load, which the court held was a sufficient degree of harm.
Register.com, a company that registers Internet domain names and is required under ICANN to publicly disclose the names and contact information for its domain name customers, recently sued Verio Inc., a Web site hosting and Internet access company. Verio had used a software robot to search Register.com's customer database for sales leads, which Register.com alleged was an unauthorized violation of its "'terms of use,' which prohibit third parties from using the contact-information for mass marketing purposes." A New York federal district judge issued a preliminary injunction "barring Verio from using robots to harvest data from Register.com's computers for mass marketing purposes," even though Register.com's evidence was "imprecise" and indicated that "its computer system's resources were diminished by about 2.3 percent" by Verio's robot. The judge found it sufficient that Verio's robot occupied "some" of Register.com's system capacity, making it unavailable for use. Verio is appealing the ruling, and has filed a petition with ICANN to terminate Register.com's accreditation.
Experts note that the lesson derived from these cases seems to be that "less and less a showing of harm is required to get an injunction against an unauthorized robot ... you don't have to prove harm or show any evidence of harm ... Harm will be presumed."
Robert Lemos, Internet Group Plans Security Information Exchange (visited Mar. 7, 2001) http://news.cnet.com/news/0-1003-202-4697364-0.html
Recently, four security flaws were discovered in the Berkeley Internet Name Domain (BIND) software that could "allow attackers to crash or gain control of any DNS servers running the software." In response, the Internet Software Consortium (ISC) plans to create an exclusive information exchange to notify its users of any security holes. Previously, technical discussions about software holes and patches had occurred on public e-mail lists, which allowed hackers to get the information at the same time as the users.
The ISC will charge a fee for membership in its new information service, which is available to "[a]nyone needing legitimate access to the prerelease source code." However, the fee will be waived for other nonprofit groups. All members of the new service will be required to register and use encrypted e-mail when discussing issues concerning the BIND software. "The service will also act as a closed channel for information regarding security and software development, so companies and developers can fix their specific versions of BIND before the general public, and potential attackers, get wind of the problems." Critics argue that charging for this service is detrimental, and that free public discussion better leads to improved security because it pressures companies into making fixes a high priority.
Grant Lukenbill, Are Privacy Issues Coming Out on the Web for Gay Consumers? (visited Mar. 7, 2001) http://www.onmoney.com/Editorial/plan/luken/gaypriv1.html
The author explores the special on-line privacy concerns facing the gay and lesbian community, particularly in the workplace.
Online marketing agencies often track musical tastes, investing interests, and visits to certain healthcare sites, giving them volumes of information about "a consumer's creditworthiness, health status and even his or her sex life." A Georgetown University study revealed that fewer than nine percent of the largest Web sites fully complied with the FTC's "suggested guidelines on disclosure and the right to 'opt-out' [of having] one's name shared with other companies for marketing purposes." Moreover, most privacy policies offer very minimal consumer protections, "and virtually none addresses the sensitive issues associated with gay and lesbian marketing, list sharing and protection of highly sensitive, personal information." Privacy advocates point to the "case of Timothy McVeigh, a highly decorated 17-year Navy veteran who was outed in 1997 at least partly as a result of the improper disclosure of sensitive information by America Online." AOL eventually settled the case for an undisclosed sum after admitting that it had breached McVeigh's privacy in violation of its own policy. McVeigh also reached an agreement with the Navy that allowed him to retire with full benefits rather than being discharged.
Declan McCullagh, The Feds'll Come A-Snoopin' (visited Mar. 7, 2001) http://www.wired.com/news/politics/0,1283,41133,00.html
The U.S. Department of Justice recently published new guidelines regarding encryption, PDAs and secret searches, for use by police and prosecutors in computer crimes cases. The guidelines are available at cybercrime.gov.
The guidelines allow police, during an arrest, to search through the information on your pager without a warrant. Courts have not yet addressed the validity of warrantless searches of electronic storage devices that contain more information than a pager (e.g. electronic organizers, floppy disks and Palm Pilots). If you allow the police to search your car, they are legally able to search the memory or storage of any electronic devices in the car. Moreover, those who work for a corporation or nonprofit group are subject to a "private search," which permits the police to go through your belongings without a warrant.
Many hackers use "hot keys" to instantly destroy evidence when a special button is pressed. This validates the need for "No knock" searches, because requiring the agents to knock and announce their visit would give the suspect time to destroy vital evidence. Agents can even conduct a no knock search without a warrant, so long as they have a "reasonable suspicion that the subject of the search could destroy evidence or obstruct the investigation."
In a recent case, federal agents sneaked into the office of a former mob boss' son, who was allegedly involved in a loan sharking operation. They then secretly installed software which would crack his password so that they could decrypt his communications. Because federal evidence rules require the government to notify people that their property has been searched, the Justice Department proposed "legislation that would let police obtain surreptitious warrants and postpone notifying the person whose property they entered for 30 days." The DOJ withdrew its legislation after angry protests by various civil liberties groups.
The manual doesn't address whether a criminal defendant can be compelled to give up his password so that prosecutors may decrypt his files. Under current law, anyone with access to the computer you use -- including your spouse -- can allow the feds to search it without a warrant.
But the DOJ admits that "[i]t appears likely that encryption and password-protection would in most cases indicate the absence of common authority to consent to a search among co-users who do not know the password or possess the encryption key."
Thor Olavsrud, Juno to Establish Virtual Supercomputer Network (visited March 7, 2001) http://www.internetnews.com/isp-news/article/0,,8_577191,00.html
Juno Online Services Inc. recently announced its plans to develop a "Virtual Supercomputer Network," which would have the ability to tap into the processing power of its users' computers. Accordingly, Juno amended its service agreement to include "language that would require subscribers to allow it to download 'computational software' to their computers, and which could even require subscribers to leave their computers on at all times." Juno has also reserved the right to change users' screen savers to "display advertisements or images chosen by Juno," and to have the users' computers automatically dial into the Juno system if it's determined that their use is too infrequent. Users will also have to agree to bear the maintenance and technical costs of the requirements.
Critics argue that the new language would permit Juno to engage in many other types of invasive activity. However, Juno claims that it "will not involve subscribers in the program without their consent," and that "if and when the new program is implemented subscribers will have a choice of participating in the program, upgrading to the billable subscriber tier, or choosing another ISP." And while the revised service agreement currently only applies to new users, not those who are already subscribers to the free service, Juno has indicated that it may eventually be extended to current users, particularly those who use the service frequently.
Juno initially plans to sell its supercomputer time to pharmaceutical companies and medical research facilities, who do a great deal of computer-intensive work.
Richard Smith, Gadgets that Spy (visited Mar. 7, 2001) http://www.privacyfoundation.org/commentary/tipsheet.html
Nomad Jukebox from Creative Labs has software which will report back to Creative Labs with the names and artists of all the CDs that the user downloads to their Nomad MP3 player. Creative Labs will then use this information to send the user emails with product offers based on the user's apparent music preferences.
Also, there are several tracking devices which allow virtually anyone to become a cyber-snoop. Examples include TravelEyes2, a hidden GPS tracking device for cars, and KeyGhost, a "security keyboard to monitor keystrokes."
Toysmart to Destroy Customer Database (visited Mar. 7, 2001) http://www.usatoday.com/life/cyber/tech/cti977.htm
In exchange for $50,000 from one of Walt Disney's subsidiaries, Toysmart agreed to destroy its customer database rather than sell it. No company had even attempted to buy the 250,000-customer database anyway.
Monitoring of Australian Phone Records (visited Feb. 20, 2001)