Net Breeds Privacy Issues

The law frequently can't keep pace with technology, and the Internet is no exception.

Other than on a handful of college campuses, the Net didn't exist in 1986 when the Electronic Communications Privacy Act was enacted. Written mainly to extend the protections against wiretapped telephone calls, the law divided electronic communications into "stored content" and "stored records."

"Back then you didn't have real-time electronic communications like e-mail or chat rooms," said Terry Thompson, who specializes in technology-related business issues at Gallagher & Kennedy.

"The courts have tried to shoehorn these activities into ECPA and they don't quite fit."

As written, the law considers the text of an e-mail message to be stored content, while the electronic footprint left by users is stored records. The "footprint" can include the routing information - also known as the header - of an e-mail, as well as a record of Web sites visited and the specific location from where the user logged on.

The result has been a confusing set of rules that alarm some privacy advocates. For example, police and other government agencies need a subpoena before they can read someone's e-mail, but the legal threshold is not as stringent as when a wiretap is requested.

Private parties can't get a subpoena to read e-mail, but they don't need one to ask an Internet service provider for the personal information - the "stored records" - of its subscribers.

"Going online is like driving down the street with a license plate on your vehicle," said Terry Fenzl, a high-tech attorney at Brown and Bain. "Other parties can know where you're going if they care to look."

Adding to the privacy concerns is the use of server farms, large rooms filed with heavy-duty servers that recall the mainframe-computer era of the 1960s and 1970s. IBM, Microsoft, American Online and other companies have invested millions of dollars in centralized servers that store, distribute and route data to millions of users.

"The ability to capture information is quite widespread, but right now it's limited by the storage capability," Thompson said.

"It's not practical for a service provider to save and capture every e-mail because it would gobble up too much space. That's not to say that 10 to 20 years down the road, as digital storage becomes cheaper and cheaper, they might want to try and save it."

The fuzzy boundaries prompted the Federal Trade Commission last year to ask the online industry to explain their privacy policies in more detail.

"Web sites had not been good about posting privacy statements," Thompson said. The FTC request "was a shot across the bow. Unless the industry took steps to educate the public, then additional legislation might be necessary."

Some of the industry's major players, such as IBM and Microsoft, responded by forming an alliance called TRUSTe, which promotes what it calls "fair information practices." An example is the privacy statement created by MSN Hotmail, Microsoft's Web-based e-mail service.

The statement includes a commitment to keeping the personal information of Hotmail users private and not sharing it with third parties. However, the service acknowledges that information be can disclosed "to conform to legal requirements or comply with legal process."

Hotmail also gathers anonymous information through "cookies," which are transferred by Web sites onto a computer's hard drive to keep track of user preferences and subsequent visits to the site. Although a browser can be set to disable cookies, Thompson says it can slow the trip through cyberspace.

"If you use the disable function, a pop-up question appears on your screen any time a Web site wants to leave a cookie," he said. "Almost every site wants to do that, and it becomes annoying when the question keeps coming up. You have a hard time moving through the site."

As long as online providers demonstrate a good-faith commitment to addressing privacy issues, Thompson and Fenzl believe an updated law won't be needed.

"There's an awful lot of information that can be subpoenaed - some of which is electronic, like cell-phone records - but just because it's the Net, people get spooked," Fenzl said.

"The FTC would like to see the industry regulate itself," Thompson said. "We don't know if that will always be adequate because the Net keeps changing. If someone discloses the wrong information, you'd have a public outcry.

"But that could happen with paper records too. The nature of storage may have changed, but the issues haven't."

Reprinted with permission of Arizona Business Gazette.