The Datatrust Privacy Guarantee: Protecting the Datatrust from Compelled Disclosure

  1. Introduction: Why we need to understand privacy rights.
  2. A quick overview of federal privacy law.
  3. Implications for data collectors today.
  4. Implications for the datatrust.

III. IMPLICATIONS FOR DATA COLLECTORS TODAY

Every large corporation is kept busy with requests for personal information via subpoena, court order, or warrant from law enforcement officials.

Google has published all of the government requests for data they've received.

Any business or organization potentially has to deal with such requests, but online businesses that collect a lot of personal information clearly have more data, making them particularly tempting for law enforcement. A policeman may walk into a local grocery store and ask questions about what you buy; the police can ask a search engine company what you search for.

Many companies (Microsoft, Comcast, Facebook, and MySpace) have created documents that describe what is available to law enforcement. These policies were recently published online, albeit not necessarily with the companies’ enthusiastic consent. What they gloss over in their privacy policies is outlined clearly in these documents. Reading them can be surprising, as they state pretty starkly how much information is available to the government. But they are complying with existing laws, and the frustration of dealing with outdated laws has led many of them to join the Digital Due Process coalition.

As troubling as all this might be, the relationship between a user and Facebook is at least relatively straightforward. The user knows his or her data has been placed in Facebook, and legislation could be updated relatively easily to protect his or her expectation of privacy in that data.

More complicated is the situation in which the government seeks information from a party that does not have a direct relationship with the user.

Increasingly, the companies that have data about you aren’t even the companies you initially transacted with.

For example, if I am a customer of Company A, and Company A gives “anonymized” data that includes me to Company B, and the government seeks that data from Company B, how are my rights implicated? Could the government seek that kind of data and avoid getting even a subpoena? What kind of recourse would I have? What if I am not identifiable in that dataset, but could be identified if it were crossed with other data? What if I’m not even the suspect they’re looking for? I might still care that the government has data on me. How would even the reforms proposed by the Digital Due Process coalition deal with this reality?

This isn’t a hypothetical question. Recently, Gawker published a story about a vulnerability in the AT&T website that exposed the email addresses of iPad owners. The FBI recently came to Gawker asking it to retain documents related to this story. The FBI in this case may not be looking for a suspect among these email addresses, but the privacy rights of those individuals are arguably at issue should Gawker hand over the addresses it has to the FBI.

A recent Third Circuit case suggested that privacy rights could reside in a legal entity, and not just an individual. In AT&T v. Federal Communications Commission, the court ruled that AT&T was protected by an exemption in the Freedom of Information Act (FOIA) that applies to “unwarranted invasions of personal privacy.”

However, building up protections around corporate privacy rights may not be the best way to protect individual privacy interests when data is held by corporations.

Public Citizen, EFF and other groups have filed an amicus brief in the government's appeal to the Supreme Court, arguing that FOIA is not meant to protect these kinds of corporate interests, as that would greatly limit information in situations such as “records about safety violations at a coal mine, environmental problems at an offshore oil rig, filthy conditions at a food manufacturing plant, financial shenanigans at an investment bank.”

But the case suggests that privacy rights, as personal as they are, may not be sufficiently protected by focusing solely on the individual.