Be the First in Your Cubicle: Order a custom green Privacy Journal logo polo shirt, S, M, L, XL, $26.50.
Question: Is there an up-to-date supplement to the compilation of state laws?
Response: All of our supplements and previous books have been incorporated into a brand new 2013 Compilation. Order now. The 2013 edition of the compilation is $35 for hard copy, including postage, and $26.50 for pdf electronic version.
Comment: Can you put some or all of your books and newsletters on Kindle? Then I would buy them. Thanks.
Response: Our two most popular titles, Compilation of State and Federal Privacy Laws and Ben Franklin's Web Site, are available on Kindle, amazon.com's hand-held device for downloading and reading electronic books wherever you go. amazon.com's enhanced Kindle now even reads the text to you!
AND on Kindle - and therefore on your IPad - check out our publisher's newest book, "The Magnetism of Islands." Robert Ellis Smith has extended his advocacy of personal privacy to probe the allure that islands have for many of us in a frenetic, commercial, privacy-invasive culture. Less than $10 if you act soon.
Feedback From You
Comments From Our Readers
Question: Is e-mail an excellent choice for an HR manager who wants to give a short survey to a sample of several thousand individuals who have been with the company for less than a year? The HR manager wants to develop a confidence interval for the portion of new hires.
Response: This depends on the sensitivity of the questions you are asking. Can you assure employees that the responses are anonymous, if they are? Have you looked into tools that offer online surveying, like Survey Monkey? Use of these will reassure respondents.
Click and type in a question or comment
Question: How often will you keep the new 2013 Compilation of State and Federal Privacy Laws up-to-date? Do you add supplements as laws change, does your newsletter contain information on new state and federal legislation, or do you offer a service that keeps people informed on changes and updates to privacy laws? Do you have suggestions for companies looking to keep up-to-date on privacy laws?
Response: We publish supplements to the compilation as state activities warrant, usually in early spring each year. Our monthly newsletter reports on significant new state and federal legislation in this field, yes. Ask us for a sample copy.
And we provide a customized reporting service to keep companies current on privacy legislation of interest to them. The rates are set according to the needs of the client.
From Lee, Mass.:Does the government have a right to know what kind of books we read?
Response: Generally courts have included the confidentiality of our reading materials as protected by the right to free speech and free expression in the First Amendment of the U.S. Constitution. Most states have laws protecting the confidentiality of library borrowers' records from inquiry by government agents or private individuals. But these laws do not always cover private libraries or university libraries, and librarians often must bow to government subpenas for borrowers' records. Only a couple of these laws cover book sellers. None cover music stores. Federal agents, under the USA PATRIOT Act, have access to most borrowers' records.
As a general matter, the government does not have "rights." The Constitution reserves rights to the people and limits governmental activity.
From Djafer, Springfield MA: If somebody lives in an apartment/house/condo owned by some property management, can the person ask Google to remove the street view of the apartment or the property management has to do it?
Response: Google is very loose about honoring requests to delete such images. It is not clear whether owners or merely residents may make such requests.
Question: Everywhere I go lately -- the doctor, the car dealer fixing my car, towing garage -- they want to copy my Drivers License. Why do they need a copy? Most places have your SSN. I am a Department of Defense employee; Personal Identifiable Information has to be safe locked. In the age of hacking why should this information be freely stored and expected?
Response: Our experience has been that auto-repair shops want to see your registration (not your license), both as a convenience and as a check on stolen vehicles. We do not regard this as threatening. We see no reason why a doctor's office would want to see or copy your license. You should resist. If you pay by check, offer to show your health insurance ID or an alternative picture ID. And ask that it not be copied.
In all of these transactions, it's important, where possible, to develop personal relationships with a company's staff so that they recognize you in the future. Say a few words each time so that they remember you and do not need to ask for ID.
Banks are now asking for a copy of your driver's license with a mortgage application.
From our Web site: Boss installed audio device and listened to personal phone calls, anything I said, anywhere in the store, was being listened to by him, and/or other employees in the office
Intimate conversations were being heard by all. All comments by me being heard.
After he would hear that I was unhappy (on my phone. . . on break of my lunch hour. . . or when asked questions about the set up of the store, while on break, he would show up, within minutes (office a few doors down) and just start ripping into me. . . usually for something I didn't do.
Anyway after having a successful history in the resale business, I was terminated from the job.
I quit [a new] job, after only one month. Didn't get another job for over a year.
Do you know what its like to sit and wonder for that month why does my boss hate me, and why is he so cruel to me?
This whole time he was listening to every word I said. Never disrespectful, just . . . not letting me do the job he hired me for.
Listening to my intimate conversations with my husband, including financial information.
Depression hit hard. Feeling like a failure, then traumatized when I found out up to 10 people were listening to my private, intimate conversations.
What would one guess the value of the lawsuit would be? I'm tired, feeling like I have no closure, and I suffered emotionally and financially.
Would like money to go to a counselor. Cant afford it, and my family has watched me become a withdrawn depressed person. Been in the business over 20 years.
Response:: Invasions of privacy, improper eavesdropping, bad situations at work - each of them by themselves is extremely stressful and can provide a basis for a lawsuit. It is illegal for employers to monitor clearly personal telephone calls in the workplace, even though they have wide latitude to overhear business-related calls. The offense is compounded by disclosing information from those overheard conversations.
Inquiry: Can an employer invade my privacy with Facebook and put copies of my post in my work files? Which is my personal away-from-work privacy?
Response: Facebook postings exposed to other users are no different from news clippings or bulletin board paper postings. They are available for others to copy and post unless they are creative works subject to copyright protection. Users should think through the consequences of posting sensitive personal information.
Inquiry: Is it legal for a hospital to add my customer service survey results to my official medical record?
Response: Sounds like an unprofessional action on the part of records administrators, but not illegal. Under federal regulations, you are entitled to seek removal of the information from your file, even though, strictly speaking, it is not inaccurate information.
Send us your questions here and we'll answer them. Give us your comments.
Inquiry: My employer was issued a subpoena for my employee file in regards to a family law case (the ex-husband doesn't want to pay child support). Regardless, the employer complied with the subpoena but in the process also provided my performance reviews on file as well as my W-4 with full SSN and all my check stubs complete with full account and routing numbers. They have since stated that it is their "practice" (as opposed to their "policy") that those personal identifiers should have been redacted, but that they are "sorry" that in this situation, that is not the case. My file at this time has already been given to my ex. .. whom I had an order of protection against for 2 years for stalking and abuse. Do I have any recourse?
Response: It's possible but improbable that you could get a court to declare this a disclosure of "intimate and sensitive" personal information and therefore an actionable invasion of privacy. There are few if any restrictions on what companies may release about an employee. If what happened violated the employee handbook or company rules, you may have an action for a breach of contract or unfair labor practice.
From Kevin, Winooski VT: I like the new look of your Web site, very refreshing. Do you have Facebook or Twitter accounts that people can follow you at? If not, it is time to do so to increase your followers and in turns subscribers to your newsletter.
Comment from New Hartford NY: With many jobs outsourced overseas these days, often some information including Social Security numbers is also sent overseas. What do you think of this? Have you heard any incidents involving identity theft originated overseas?
Response: Think about the dynamic of identity theft, uniquely an American affair. About 60 percent is caused by a fraudster submitting a credit application using the victim's SSN. The credit bureau -- astoundingly -- provides the victim's credit report to the retailer even if the names do not match! Cultures overseas rely a lot less on credit reports, and most people do not submit identity numbers for commercial purposes.
Query: I live in Arizona now. I was involved in a car accident in 2008 in Las Vegasda. In short, the legal case was finished in 2011 in my favor. I am being followed by different people who I believe are with the insurance company I sued and [which was required to pay] compensation for the injuries that I received from this car accident I was in. The other day I went to see an orthopedic surgeon for surgery for my hip. (This hip surgery is not related to the car accident.) As my husband and I were headed in to the surgeon's office we saw this man running in to the doctor's office. We had a meeting with the surgeon and this surgeon's bedside manners were not very kind at all and some of his questions seemed a bit awkward. His attitude toward us was just not normal. He had a really bad attitude toward us and did not even take the time to explain about the disease I was dealing with.
When we were leaving his office we heard a lady get on her cell phone and say, "They are scheduling her for surgery"! After this appointment we went to a store near our home and saw this same man and the same vehicle that we saw at the doctor's office I was just at. It is not a coincidence because where I live and where the doctor's office is located are far apart. During this lawsuit we encountered many different situations with people who were investigating us and the same pattern is continuing. Now these people are going into my doctor's offices and although I have no proof right now I know that these investigators are talking to the doctors that I am going in for my appointments. Is there anything legally I can do?
I am noticing that the quality of care from the doctors I am going to is being affected. The quality of care I should be getting from the doctors that I am going to is being compromised by whatever they are telling the doctors that I am going to.
I suffer from other serious ailments and have seen the quality of my care tainted due to information that I believe is being given by these individuals that were trying to prove me wrong in the car accident case. Can you help me in what direction I should take? I am sure my cell phone is being tracked because how would these individuals know when I am going to my doctor's appointments etc. Thank you!
Response: Insurance companies do indeed hire investigators to follow accident victims and often to videotape them to catch them in circumstances that make a claim seem fraudulent. If you identify them and sue them, a court would use as its standard the famous Nader case in 1975. It is difficult, of course, to determine whether these are investigators or coincidences.
There's evidence now that insurance companies use satellite and drone technology for the same purpose -- or are they merely telling us this?
Email Privacy Journal
From Warwick RI: Does my employee have any legal reasons to see my medical records?
Response I: OOPS. We prepared the following brilliant response, then discovered that you asked about an employee's access to his or her boss' medical records? Is that what you intended?
Response II: Employers of course want to know whether employees have medical conditions that might inhibit their work or might inflate their group-health insurance premiums, and with "consent" they can do so. Employers often want to know whether an employee drinks or smokes at home. They want to verify workers' compensation claims. But there are several federal and state laws that discourage access. In R.I. and other states, employers may not ATTEMPT TO GET ACCESS to information on which they could not legally discriminate. That includes age, marital status, family size, sexual orientation, race, national origin, religion, genetics, and physical limitations. It is hard to see how unfettered access to medical records could not be interpreted as an attempt to get access to this kind of information.
Query: Do the privacy violations or invasion of privacy have statute of limitations? If so can you give a brief explanation?
Answer: The statute of limitation spells out the period of time in which you have to file a civil lawsuit once you have discovered that someone has wronged you. Often this is one year in the case of a tort, which most invasions of privacy are. You have to check the statute in your state. For invasion-of-privacy claims against the government, there may well be no limit of time to file a suit.
Question: If you're the manager, how would you handle the information you got from invading your employees' privacy? Say, you installed hidden cameras and microphones in the workplace to catch a culprit, and you accidentally overheard some information about your employees that you should never know. . . . What consequences will there be? Any laws applicable?
Response: There is no short answer to this question. Listen up:
First, intercepting others' conversations electronically is both a crime and a civil violation, in both federal and state laws. But only audio interception is prohibited; the laws do not cover video alone without audio, unless there is a lewd purpose to the videotaping. Further, under federal and state laws, courts through the years have been generally permissive of employers overhearing verbal conversations on company telephones, so long as the employer is trying to control the quality of the product and of the workplace. We think this rationale would not extend to overhearing an employee's personal cell phone calls in the workplace.
If an employer intercepts clearly non-work related audio conversations (even without recording them), the offense is in the interception itself. Using the content of those conversations, we think, simply compounds the crime or the civil offense.
Query: Someone posted on a non-commercial site my friend's name, address and phone number. Does she have a right to have it removed?
Response: No, there is no right to get information about yourself removed from a Web site (except in the very rare situation where a court rules that the material is defamatory or an invasion of privacy and orders it removed). This is not the kind of sensitive personal information that leads to a successful lawsuit. Still, many Web sites will remove certain information voluntarily upon request. It's worth asking.
Question: Is there a federal law that requires medical professionals to track smoking habits of their patients? The operative word in the question is requires.
Response: No such laws.
From Springfield MA: Do you have any information regarding Massachusetts Privacy Law (201 CMR 17.00)? Any companies prosecuted under this law?
Response: 201 CMR 17.00 refers to the regulations enacted under Massachusetts' stiff data security-breach law, Massachusetts General Laws Chapter 93H. The law requires notification to the state attorney general and individuals involved when there is an unauthorized disclosure of personal information. But "personal information" is narrowly defined as only name with Social Security number, driver's license number or account number, so that an outrageous disclosure of a nude photograph, a medical record, financial data, or family information is not covered by this law.
Three Massachusetts companies have been assessed a total of $132,500 in civil penalties in the past year for violations of the 2008 law.
More than 45 states have similar laws, but the one in Massachusetts goes further. It requires any company anywhere storing this personal data on a Massachusetts resident to implement a data security plan. Privacy Journal, for instance, has done this in compliance with the law, even though it is not located in Massachusetts. The elements of the security plan are spelled out in 201 Code of Massachusetts Regulations 17.00.
You need our book describing and citing all the privacy laws in the 50 states and the federal government.
It's available in a hard-copy book and in formats to download to your desktop, your laptop, your hand-held device, or your eReader. When you are away from home or office, you can still know what your rights are!
You can order it on our "Books" page:
Question: Does federal low prohibit local welfare agencies from asking for banking info due to the probability of identity theft?
Response: We are checking on an answer to this one. Clearly, federal investigators must provide a "formal written request" to get this information and must provide simultaneous notice to the individual involved.
From Massachusetts: Recently on one of my favorite TV shows, Parks and Recreation on NBC-TV, they had a opening scene that applies to you. It's Episode 9 of the current season. Readers of Privacy Journal will find the scene pretty funny. Here's the link:
Do you have a copy of the first issue published?
Yes! Why do you ask? We have an original of the November 1974 issue, and copies of each issue since then ($10, less for full-year sets). Indexed since 1974.
From Cyberspace: What laws protect employees from use of RFID tags?
Response: Missouri bans requiring employees to have Radio Frequency ID or a similar chip implanted in themselves; California and Wisconsin ban requiring any persons to have an implant. Washington State bans remotely scanning an RFID ID device without knowledge for fraudulent purposes.
That’s about it. There are not many laws protecting privacy of employees at all. A dozen or so states permit an employee to inspect his or her own personal data on file, presumably any information generated by RFID technology.
Our view is that RFID was developed for keeping track of inventory and raw materials and is not intended for identifying individuals, is not reliable enough for that purpose, and ought not to be used for that purpose.
Inquiry: I saw that you handle consumer rights. There is this company Proactiv that has been sending solicitations to buy its products. I keep calling to stop mailing the letter to me. One time they even mailed the product which I ended up to pay. When I moved they still sending me stuff and I have no idea how they knew my new address. I opened up a PO Box address and they still sending me their stuff. And every time I receive something from them I call them to stop the solicitations. I said to them I do not want to hear anything about them at all, I am interested in their products at all. I feel they really truly invading my privacy and has crossed the line many times. Do you think I handle this incorrect? Do you know a better way to handle this? I am really really sick and tired of them.
Response: Some people like to return the material to the sender.
From a Reader: Re: previous person's comments. I found thru Google - a person with the same name - and some very odd and unprofessional posts on these social Web sites. I believe it's a practice for employers to search - I'd prefer they not see a photo of a bald shady-type individual (not that there's anything wrong with that) when they search my name. What do I do?
Response: Make sure you tell potential employers that you are not the individual online. Perhaps use a middle name. Include your hometown prominently in your application materials, if the other individual lives in a separate location.
Reader's Comment: A salesman was sent to my home when I called a company to install 2 shutters on my home. Before he left after giving me a quote, he asked me for proof of identity and asked to see my driver's license. I didn't feel secure showing my driver's license to this man that I hardly knew. He said he wanted the information to finalize the quote that I indeed had accepted to go ahead with the work. By the way, I have previously done business with this company and they had never asked me for my driver's license. Why is the rep now wanted to copy my driver's license information? Can you give me some guidance as to how risky is to just show my driver's license on command?
Response: Often, when we get inquiries like this, the questioner says that he or she objected to a demand for personal information and then ends up giving it away anyway. We hope that's not the case here.
We have no idea why a salesman would ask for an identity document (especially for a transaction to be completed at the house he is visiting!). Often it's an idle habit by companies. Perhaps it's to make getting a credit report easier. DON'T GIVE IT. Shop elsewhere.
From Connecticut: How long do posts remain on Google, etc. ?
A lot of incorrect information seems to get placed on Google ... even searches for people. My name comes up stating I have an account with classmates.com with the year I graduated. That could allow someone to figure my age. Anyway to remove this?
Hi, I believe online employment application resources (ICIMS, Taleo, Brassring) are either sharing or passing on incorrect or bad information. I had a successful career 28 yrs, then when our office was closed I changed jobs ... had one bad experience with termination(as moved etc.), could not make successful completion of training and believe this is affecting my future employment. What do I do ?
Response:: Google can search "cached" information that has been removed from Web sites, as well as information that is actively displayed on Web sites.
School graduation dates are generally known in newspaper records, yearbooks, and other off-line sources. We shouldn't be surprised that they are freely available online.
Persons who deal with online services should know that federal and state laws provide confidentiality only for credit and consumer investigation data, school records, federal agency records, patient information, library records, video-rental records, the content of phone calls, state records in fewer than a dozen states, and a few telephone-company records. That's it. No law prohibits exchanges of employment information.
Persons who deal with online services - especially those concerning employment opportunities - should check their spelling, grammar and wording before posting. You are writing for a wide audience, after all.
Question: Who legally has access to your medical records? What about your health benefits provider such as Aetna, Blue Cross Blue Shield, Met Life, etc?
Response: The federal HIPAA regulations say that insurance companies have access to patient information for purposes of paying for treatment.
Patient information may also be released for your treatment and care coordination; to family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object; to make sure doctors give good care and nursing homes are clean and safe; to protect the public's health, such as by reporting when the flu is in your area; to make required reports to the police, such as reporting gunshot wounds. [from HIPAA’s Web site]
Question: Do you think Google Plus can be an invasion to some one's privacy if she/he has the account? At least you could help me with your expertise how to find this.
Do you need to know more? Social-networking sites are not the place to post personal data that you want to keep among yourself and selected others. Listen to the entrepreneurs who have started them: Social-network sites are for disseminating personal information.
Question: What is the protocol in a doctor's office telling a wife of a husband's upcoming doctor's appointment at a geriatric clinic when I went to the doctor with him to have him assessed?
From the HIPAA enforcement office Web site: A health-care provider "may share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object." In addition, "when a patient is incapacitated or not present a covered entity may share information with another person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient."
Question: I have scoured the Internet and read several of your articles and one of your books, but have yet to find an answer to the following question.
Can I legally stop a business that already has my SSN from using, keeping, or otherwise retaining it against my wishes? I am not concerned with the consequences, i.e., they may refuse to do business with me. I am most specifically concerned about credit reporting agencies, credit providers and telecommunications companies.
I have been in the process of trying to secure my privacy for some time, and have been pretty successful, but this one has me stumped. I am hoping there is some law which states something to the effect of "Upon notification in writing, any business entity must cease the use of an individual's SSN."
Response: Alas, there are no federal or state laws like this. One small help is that credit-reporting companies may disclose information about you for only narrowly defined purposes. And you have a right to see your record in all the credit bureaus; you should do so to determine whether they even have an SSN on file for you. An estimated one-third of credit reports have no SSNs in them.
Telephone companies may well agree to remove your SSN, especially after you have established a payment history with them. Try it.
This is the kind of information we provide each month to our readers. You should be subscribing, at our special rate for individuals.
Question: I heard about the national id card act, and how it should be in effect on January 2013. What's the status of this?
Response: You are referring to the 2005 REAL ID Act, which is intended to implement a recommendation of the 911 Commission to make state driver’s licenses uniform and to base them on reliable personal identification. Many persons regard this as a final stepping stone to a required national identification card. Just about every state has resisted the law, on principle or on the basis of cost, and the effective date has been continually postponed. In March the Obama Administration delayed the effective date of regulations to Jan. 15, 2013. Homeland Security Secretary Janet Napolitano opposed REAL ID as governor of Arizona prior to her current job, and she has given it mainly lip service.
In response to Robert Ellis Smith: "The Post 9/11 Assault on Privacy Rights" (link below): Terrorists 1, Sheeple 0. It's the 8th inning, bases loaded and Mr. Ellis Smith was at bat. He hit a line drive off the top of the wall. Two runs could have scored, but Mr. Apathy was on third and wasn't paying attention because he was on his cell talking to his stock broker and selling everything out, including the rest of us. He got caught in a pickle and was tagged out. Nice hit though.
Query: I am a subscriber to your journal. Very informative. Could you please suggest a couple good references (journal articles, books, etc.) that discuss privacy and information retrieval?
From Privacy Journal's staff: Publisher Robert Ellis Smith makes these recommendations:
From New Orleans: Good comments from your publisher on WWL radio this AM about the "data retention" child porn proposal. HR 1981. Dangerous idea.
From Arizona: Wonderful Web site. Thank you. August 2011
Comment: In survey after survey, including a recent MSNBC survey, more than 90 percent of the American people say that workplace discrimination based upon someone’s personal credit report is wrong and should be illegal. The practice was always wrong and from the start has always been a gross invasion of Americans’ privacy. The information has always been used by employers to low-ball wages and intimidate employees based upon the level of desperation depicted in their credit report – while employers use the smoke screen of saying the information is used to protect them from fraud and theft. It’s “the people” that need protection from corrupt politicians and dirty corporate money . . . not the other way around!
NOT ONE SINGLE study or shred of evidence exists to demonstrate that Americans with damaged credit reports steal or commit fraud at a higher percentage than other Americans.
Response: Rep. Steve Cohen, D-Tenn., and several others are pushing a federal law to prohibit use of credit reports in the employment process, even with consent, except for national-security, government, or financial jobs. HR 321 is similar to, perhaps more stringent than, laws passed now in Washington State, Hawaii, Illinois, Oregon, and, effective in October, Maryland.
You should write to your Members of Congress with your views. This is important.
From Providence RI: Seeking a job, I put my resume online using an online job board services. I set up my resume as private, NOT public. One day I entered my name and corresponding email address into Google search engine, I was shocked that my resume at the company website can be seen publicly without even logging in into the company website. I am so upset and thinking to report the company. I however am not sure if I have a good reason to do that and do not know where to report, department of labor? Does your Compilation of State and Federal Privacy Laws cover this matter?
Response: There are no laws prohibiting the disclosure of employment information, including making resumes available to search engines like Google. You should check the terms of service of the resume Web site and ask that it insulate your data from on-line searches. Are you sure that is what you want?
Request: Have you ever thought about re-posting articles from your old newsletters? I believe new readers would be curious of those as I found your reports very accurate, representative and in balance.
Response: Great idea! To see stories from past newsletters, click
We want to stress that it takes time and talent and travel expenses and resources to publish original materials. If we gave them away, we wouldn't be able to continue. To keep track of the latest news, subscribe to our newsletter, in hard copy by U.S. mail or in a pdf attachment by email.
Question: I'm researching how the proposed changes to FERPA to accommodate the state longitudinal data system tracking of students from preschool through the workforce further disseminates private information. Have you any publications on that subject?
Response: We wrote about this on page one of our May 2011 issue. Public-interest groups and educational institutions will be submitting comments to the U.S. Department of Education by May 23. When they are displayed on the department's Web site, that will be your best source. If you are researching in order to submit comments, contact us by email directly, firstname.lastname@example.org. (FERPA is the Family Educational Rights and Privacy Act, which requires confidentiality of some student records.)
Our email address: email@example.com
From New Orleans: I heard you on the local radio station this morning WWL. Almost four years after Katrina a local TV station discovered that our personal information was unsecured in a maintenance warehouse. The files were all over the floor. They did not offer to give us any protection from identity theft. Do you know if there is anything we can do now. I would like to know more about what you said about state law.
Response: Laws in Louisiana and 40+ other states require that you be notified of a breach of security like this unless there is no likelihood of harm. So it's important to know whether the data left the building.
From TC, CT: As a consultant, we are often asked to be a signor for banking purposes. Banks always ask our SSN. Knowing the risk, I have been asking the banks to use other means. They keep saying no. Note that this is not our bank accounts and there is no tax consequences for us. Can you advise how we explain this better to the financial institutions?
Response from the editor: Your entity, even if not incorporated, should have a Federal Employer's Identification Number (FEIN). This should be sufficient for a consultant to provide, and it's not nearly as sensitive as a person's SSN. In fact, PRIVACY JOURNAL publishes its FEIN on its Web site. Find it and win a free book from us when you send us the number and the pass code next to it!
Question: Do you have 2010/2011 War Stories?
Answer: The latest edition was Volume IV in 2004. We began this collection of "horror stories" because journalists, critics, and elected officials kept asking, "Who's hurt by invasions of privacy? Where are the victims?" After we have published collections of more than 1000 case studies and after an epidemic of identity theft, they seem not to ask that question as much now. In fact, many of the doubters have become victims of privacy invasions themselves.
Question: In the March 2011 issue I wasn't even able to finish reading the "Going Dark" piece you had. (Reprint of the FBI testimony to House Subcommittee on Crime and Terrorism.)
How about we talk about the fact that the FBI consistently has broken the law by not getting Judicial approvals of it's actions?
"...the government is unable to obtain communications and related data, even when authorized by a court to do so." That sort of tells the story. Translated "...even in the small number of times in which we follow the law and use the courts."
"Some providers are currently obligated by law to have technical solutions in place ..." That is a great one too.
From Cyberspace: I am registering for a race/game but wouldn't want my personal information (name, etc) displayed publicly. The organizer cannot do my request, instead suggesting to register under a different name, even not a real one. Do you think that is legal? Do I have to declare this fake name I would use one time only for the race every time I fill out forms asking for my other names? Jessica, Boston MA
Response: We have noticed that marathon and similar results show up all over the Internet and provide a means of tracing a person by locality, gender, and interests and often by age bracket. The sources that create this exposure are usually the sponsors' sites, not news organizations.
The general rule in the U.S. is that "a person may select any name he or she wishes so long as there is an intention to use it consistently and exclusively and without fraudulent or improper purpose." No court permission is necessary; that is simply an available option. (From Privacy:How to Protect What's Left of It by Robert Ellis Smith, a still helpful 1979 book still available from us.)
Here, you plan not to use the separate name exclusively or consistently, and so you should simply state on the form that this is a pseudonym for this one situation. Provide a means for the sponsors of the athletic event to find your true identity. Better still, keep working with the sponsors to get them to use initials or chosen nicknames when they post results publicly, or publicly on the Internet. Point out to them the possible dangers of listing your name and results on the Internet.
From Florida: What are the general rules or laws regarding placement of a tracking device on a private vehicle, such as a GPS tracking device? Do you need a court order, the vehicle owner's consent or neither? I'm a private investigator, and I anxiously await your response.
Response: The U.S. Court of Appeals for D.C. says law enforcement needs a warrant. The U.S. courts of appeals for the Ninth Circuit and the Seventh Circuit say no warrant is required. "State courts, however, have not favored the surreptitious use of tracking devices [without a warrant]," according to an authoritative report in our September 2010 issue by correspondent Chisheng Li, which you may get free by sending an email or calling. In short, there is a disagreement among both federal and state courts. Also, more on this in the January 2011 issue.
This is irrespective of a private party's ability to install such a device; this may expose a private investigator to a lawsuit based on invasion of privacy (a tort), not the Fourth Amendment. A court deciding such a case will probably look to these Fourth Amendment cases for guidance. Is government tracking of the whereabouts of a vehicle an unreasonable search and seizure without a warrant or is it no more than observing what anybody may freely observe?
In any case, using a GPS tracking device with the consent of the vehicle owner would not violate privacy or the Constitution.
Reader Comment: Some cameras recently installed in our place of worship. Most of the church goers are not happy with this and ask the cameras to be removed as it is against their privacy. The board members say NO as they said the purpose is for safety. Can you help us here?
Response: Keeping a permanent video record of who attends religious services and when and what they do while they are there is certainly an invasion of privacy. Hiring live human beings to patrol the place is a more effective use of resources and a more benign way to assure freedom of religion.
Comment: My husband and I are more careful now in regard with adult videos posted on the Internet after [we] learned the tragic death of Tyler Clementi. They said an invasion of privacy involved in his death. Can you briefly explained to us DO and DON'T in regard with this matter? Further, do you have any articles related to this in any of your publications that we could read to educate us?
Thanks, Melissa, NY.
Response: Robert Ellis Smith, our publisher and the best person to do this in the U.S., does so in our October issue. Write us at firstname.lastname@example.org, for a free copy (electronic pdf or hard copy) of our October issue with his article in it.
Comment Excellent resources on this site for those interested in online privacy. Nice work!
I would be interested in your thoughts on what we're doing at privacychoice.org, and how we can improve it.
http://www.privacychoice.org Jim Brock
From Andre, Albany, Ga.: I was trying to send money overseas using Moneygram service. It came to my surprise that they asked me for my SSN and they even went beyond that by asking to have my SS card copied for their files. I offered them my driver license but they refused it. They cited the reason was the amount being sent above two thousand dollars.
How do you take at that? Do you think I can fight them?
Response: The USA PATRIOT Act requires financial institutions to "know your customer" and often this means collecting Social Security numbers and asking for ID from new customers. The institution wants to copy the documentation to prove that it complied.
A cash transaction of $10,000 usually triggers a required report to U.S. government authorities, although other aspects of a smaller transaction can trigger a Suspicious Activity Report by the bank.
In general, DON'T provide a Social Security number unless it is for Social Security itself, tax purposes or Medicare. (A transaction involving a significant amount of money usually has tax consequences.)
DON'T provide a Social Security number by telephone or online unless you are positive of the identity of the organization.
Try to persuade the requester of the dangers of identity theft or the indignities of being enumerated. If that doesn't work, shop elsewhere. There are competing money-transfer businesses. (This response was revised June 17.)
Comment: Why don't you have a well publicized Facebook privacy-settings page design competition?
Comment: What can be done about Google, who are now showing search results of old newspaper articles? A search of my name shows articles from a 23-year-old court case for which I was acquitted. This can now be seen by my colleagues, wife, neighbors, acquaintances, etc. It is very embarrassing and could result in my dismissal, ridicule, harassment and even physical harm. My 11-year-old son could be subjected to harassment. It reveals personal medical information and I am outraged over this. Google responded to my complaint suggesting I contact the owner of the Web site. Of course, the newspapers think their poorly written and vindictive articles from the past are above reproach and truthfully represent historical fact. This is hogwash and a present threat to my personal security and privacy. Google claims innocence and in my opinion are culpable for any harm befalling myself or family!
Innocent but still prosecuted.
Response: This is going to be very difficult, because Google does not own the material you are objecting to; it merely points to it, along with billions of other bits of information. The news organization is generally not obligated to remove such information because the First Amendment prevents the government, including a court, from requiring this.
TWO EXCEPTIONS: If elements of the story are untrue and you can prove it, you may sue for libel. If the information is true but puts you in a false light for any reason including the passage of time, you may sue for invasion of privacy. For more on this, see the Supreme Court case of Wolston v. Readers Digest, 443 U.S. 257 (1979). Google it.
If this is your situation, a demand for the news organization to remove the item may be successful. If that doesn't work, (1) ask the news organization to place your short rebuttal with the electronic entry; (2) get your name listed in Google so many times that the damaging entry is reduced in importance and lowered in Google's search results; (3) start a personal Web page or blog that refutes the 23-year-old entry and portrays yourself as you wish to be portrayed now (and this Internet entry will be picked up in a Google search); (4) and certainly anticipate that this old event will continue to come up and so tell family members and employers in advance about it, with documentation on hand to prove the acquittal.
The news organization would seem to have a moral obligation to include reference to the acquittal in any electronic version of the old story and to make sure this shows up in a Google search.
But remember, even if the original entry is removed from the Internet, search engines have previously cached the displayed information. In other words, they have stored it and it will show up in a subsequent search result (labeled "cached.")
From Phoenix: Outlaw the use of our Social Security numbers as identifiers. Thirty years ago it didn't matter if someone had your Social Security number; it was for one purpose only. My Social Security card was shown for only one purpose: employment or collection of benefits.
Ban the sale of personal information for profit; this is your work product, bits of your life, snapshots sold off for profit. Shouldn’t our life’s work information be just like a copyright? Make the credit and information collection companies have to pay a fee to use and sell your information and allow you to opt out completely.
Ban credit and insurance scoring. Credit scores were completely ignored by lenders ready to make a quick buck on what was thought to be a never-ending balloon of home and property values. Insurance scoring penalizes the poor and those who have had financial problems.
From a site visitor: If I feel there are subliminal advertisements in college textbooks as explained in Wilson Brian Keys book "The Age of Manipulation," page 51, where do I get help in rectifying the matter? I wrote to the FTC and the university dean and got nowhere.
Response: The FTC is the proper place to seek an investigation. See the Web address for complaints below.
Inquiry: A few years ago, to protect my privacy, I opted out of ussearch.com. My information has since reappeared and they now demand $10 a year to remove my information. Is there any legal precedence to stop online companies from charging a person to protect their privacy by opting out of their service?
Response: Interesting question. We suggest that you notify the Federal Trade Commission, with as much detail as possible. https://www.ftccomplaintassistant.gov/
And notify the World Privacy Forum, which objected to the FTC about this a year ago. www.worldprivacyforum.org/
Depending on what your agreement was with the company in the beginning, this could be an illegal deceptive practice or a violation of the FTC's opt-out guidelines.
From Florida: Do plaintiffs in a court case owe a duty not to disclose a defendant's Social Security number in a complaint or exhibits filed with the clerk of the court, under either state (Florida) or federal law?
Response: Everyone who has our Compilation of State and Federal Privacy Laws knows where to find the answer:
"Until January 1, 2011, if a social security number or a bank account, debit, charge, or credit card number is included in a court file, such number may be included as part of the court record available for public inspection and copying unless redaction is requested by the holder of such number or by the holder's attorney or legal guardian. On January 1, 2011, and thereafter, the clerk of the court must keep social security numbers confidential and exempt as provided for in s. 119.071(5)(a), and bank account, debit, charge, and credit card numbers exempt as provided for in s. 119.071(5)(b), without any person having to request redaction."
That's the law in Florida. We believe that less specific laws in AZ, CA, CT, HI, IL, KY, MD, MN, MO, NJ, NC, RI, UT, VT, VA, and WA could be interpreted to prohibit this disclosure in court filings, especially if a business is the plaintiff or defendant.
Our email address: email@example.com
Notify us of a typographical or grammatical error on this site and win a free book of your choice.
Comment: We have a highschooler at home and she has started learning about privacy. Can we give her your newsletter? Do you have the electronic edition of the old ones that you could sell us?
Response: We have special discounted rates for students. And our back issues are available. Let us hear from you. 401 274-7861
Privacy for foreigners: I am a foreign student graduated from a state college in NY and received a job offer from a company in RI. My employer told me they have to post my salary on a common area that can be seen by others in the office to follow immigration (USCIS) requirements. I told them that my salary is my privacy. They have no choice if they want to employ me, and I cannot imagine the whole office know how much I would be making. Do you think that immigration rule is against privacy? If yes, can a foreigner write to the immigration about that to get a waiver? Thanks,
Response: Technically, your employer is posting the wages for the position, not for yourself. The H-1B program requires an employer to attempt to recruit U.S. workers for the job before hiring a non-citizen and also requires the posting of the details of the position, including the wage to be paid, as part of that recruitment. An additional rule of the U.S. Department of Labor, not the immigration agency, requires that a non-citizen receive pay comparable to what a citizen would be paid (but this does not necessarily require posting of an individual’s wages).
Anyone legally in the U.S. has the same constitutional rights as citizens, including privacy rights. But complicated rules apply to immigrant employees, as you and everyone else knows. Privacy applies to sensitive personal matters, and so there is a diminished right to privacy in the workplace.
Question: When will the 2011 supplement to the compilation of state laws be published?
Response: It's ready. You may order it now, $25 plus $4 shipping. Specify hard copy or electronic pdf version.
Click and type in a question or comment
Comment: I'm trying to spread awareness of http://www.dirtyphonebook.com among privacy advocates because there's nothing else like it out there. Be very careful about this.
Question: If I wish to view my complete medical records what is the procedure? Do I just ask my doctor, or do I need to make a special appointment? Can a doctor refuse to show me the records or withhold a portion of the records? When I change to a new doctor can they refuse to see me if I do not have my records transferred to them? And if I do have my records transferred do they include all records from birth?
Response: It depends. It depends. If you have seen the same doctor for many years, there will be a large file dating back to your beginning date, but certainly not since birth. Most doctors records do not have information from outside the doctor-patient relationship unless you asked for them to be placed there. Doctors are obligated to transfer records to a new practitioner. If you are seeing a new practitioner for a new condition, there would seem to be no need to transfer records if you wish not to. If for an existing condition, it would make sense. At any rate, there is no law on this one way or another. The HIPAA regulation does not require a special appointment to see your records, but an office has 30 days to arrange for you to see your record and may charge you for copying expenses.
Comment: Awesome story about cloud computing in your October 2007 issue.
Comment: I just ordered the updated supplement to the privacy laws and thought that there was a place where I could order the pdf version. I couldn't locate it so I ended up purchasing the paper copy. The site is much improved over the years I have been a patron.
Response: The text of our 2002 compilation of state privacy laws AND the most recent supplement are both available in pdf format as an email attachment. Same prices as the hard copies, but no shipping charges.
Comment: How can we stop the medical field from using our SSN as an identifier? I live in Florida where there is no law that says they can't use it, and they give me a hard time whenever I don't want to give my number. They must stop this dangerous practice!
Response "A hard time" is a small price to pay for sticking up for your dignity. By objecting to collection of Social Security numbers, you may educate the doctor's office and you may lead others in the medical profession to understand that many Americans object to the practice and therefore the profession should do without Social Security numbers. Just as there is no law preventing them from asking for a SSN, there is no law requiring you to provide it to get medical treatment. Point out to the doctor's office that you will have to forego medical treatment if compelling SSNs is its policy. Maybe you will shame them into waiving the request; most of the time it will. Otherwise report the office to the local medical association. ONE EXCEPTION: The SSN is the Medicare/Medicaid number and there is no way around that presently. In this case, ask the doctor's assistant to write in the file: "The patient does not consent to disclosure of his or her Social Security number."
From Maryland: In this state, there is a law called the Maryland Social Security Number Privacy Act of 2006 which is supposed to prevent the transmission over the internet, mailing, and displaying someone's Social Security Number. But, as me and my family have learned the hard way, a lawyer could care less about the law and can violate this law anytime they want because they feel that no other lawyer would either sue or prosecute them out of profession courtesy. Do you know of any attorneys in Maryland that would want to hold another attorney's feet to the fire in a civil lawsuit regarding a lawyer breaking this law by purchasing, transmitting, and mailing Social Security Numbers WITHOUT someone's permission?
From Massachusetts: On obtaining a search warrant police install a GPS device on a suspects vehicle, can information resulting from the GPS tracking (search) be used or should it be suppressed @ trial under the exclusionary rule, if the warrant went stale? Do you know of any case law relating to GPS searches and monitoring that could be used as support of the argument in Massachusetts. This is a question put to me be my instructor, but is based on a real case, Commonwealth v. Connolly SJC-10355 Fourth Amendment issues firstname.lastname@example.org
Response: An answer will require legal research. If you want our legal research services, email the publisher.
From Minneapolis: We've recently acquired your "Compilation of State and Federal Privacy Laws" for our law firm's library, and it is a very impressive piece of work.
From Fort Wayne Indiana: Worthwhile newsletter.
From Pittsburgh PA:: The state sent my name, address, Social Security number, phone number to someone else. Do I have a claim?
Response: Not in Pennsylvania, which is not one of the dozen states with "fair information practices acts," which prohibit such disclosures in some cases. Still, a court might rule for you if a judge or jury were to find this information private and sensitive AND the disclosure "offensive and objectionable to a reasonable person of ordinary sensibilities."
Question: Can you tell me if there is any current statute in VT addressing consent to record a telephone conversation? CR- Cleveland, OH
Response: Vermont has no law on electronic surveillance, according to our Compilation of State and Federal Privacy Laws. Interstate calls to or from Vermont are covered by the federal law.
Comment: Your analysis of what our government is doing could not be further from the truth. You have no understanding of biometrics much less the real danger they present. You speak about retina scans without having a clue of what you are speaking about. Please research iris scans. Fingerprinting is not the most accurate biometric. Facial recognition is the biometric of choice. You may want to read ICAO 9303, volumes 1, 2 and 3. I know you have no understanding of AAMVA so I would not expect you to know why what is being done is being done or who is promoting the policies. I know you may not believe it but the public needs facts. I have testified in many states on subjects say you are an expert on. What scares me is people actually probably do hire you as an expert. I recommend that you learn what a unique identifying number is before you speak about Enhanced Driver's Licenses and RFID technology. DHS is not the only agency responsible for EDL's. You may want to learn more about WHTI. Also research the State Department's involvement in EDL's. I will provide my name and a site for people to become informed based on fact not speculation. Co-Founder Stop Real ID Coalition. Mark Lerner
More Comments From Our Readers
Click and type in a question or comment
Our email address: email@example.com
From Norwalk CT: Keep up the great work! Continue to keep us informed on our privacy and freedom which seems to be in jeopardy everyday.
From Oak Grove MO: Regarding your converting subscriptions to email, do you realize that not everyone (myself included) has a computer, nor can afford one? If and when you do such, I'll not be able to get your paper, therefore, I'll not renew.
Response: We haven't converted to email delivery yet, but lots of our subscribers have done so, so that they get the newsletter faster and more reliably. They get to store the newsletters in their computers and search them later by keywords at any time. They get live hyperlinks and color graphics too. But we won't abandon our non-computerized friends; we'll try to find a way to fulfill their needs for a hard-copy edition, despite rising printing, paper, and postage rates, which are rapidly and severely cutting into our ability to practice professional journalism.
Of course, if lots of people sign up for our email edition, we'll be able to do this for readers who have not gone high-tech.
From Louisiana: I was very relieved to find your Web site, as I was beginning to believe I am the only person who is uncomfortable with non-stop camera surveillance. On your list of privacy tips you recommend resisting this in our communities, so my question concerns that issue. I live in a very quiet suburb where there has been an explosion of surveillance cameras in every possible location: hospitals just outside patient rooms, restaurant dining rooms, traffic lights. There are no less than five cameras trained on people in line at the post office.
The latest plan is for installation of a widespread camera “security” system throughout all public schools, including elementary schools. As I have a child in this system and thought this was ridiculously over the top and open to potential abuse, I contacted the school board. Their security chief told me that the plan is in response to no specific threat, but to a survey of “concerned” parents and school administrators and the recent news about potential “catastrophic” school events.
I know this is apparently overwhelmingly popular with parents, but since you advise bringing up the cultural impact of constant surveillance on innocent people I would like to at least try to do that and see if it makes a difference. Can you direct me to any studies on this, particularly where schools and such young children are involved? Also, are there any studies on the effectiveness – or lack thereof – of surveillance cameras in schools? I know they did nothing at Columbine.
Response: Send us an email and ask for a copy of our March 2008 issue and October 2008 issue, which documented the studies done.
The consensus was that there is scant evidence of effectiveness. The U.S. Department of Justice said in 2006, “While there is a general perception among system managers and the public that video surveillance cameras are effective in preventing crime, actual evidence is more difficult to find.”
From Zanesville, Ohio: Are there chief privacy officers in the states?
Response: We count five: Joanne McNabb is director of California’s Office of Privacy Protection in the Department of Consumer Affairs. Laurie Beyer-Kropuenske is director of the Information Policy Analysis Division in the Minnesota Department of Administration, which enforces the state’s privacy law affecting all levels of government.
Hawaii has an Office of Information Practices. Sol Berman in the Office of Information Technology is the first chief privacy officer for the State of Ohio. Sallie Hunt, an attorney who is also executive director of the West Virginia Health Information Network, is state privacy officer.
You will find the details you need in our constantly updated DIRECTORY OF PRIVACY PROFESSIONALS.
NOTE: Our publisher, Robert Ellis Smith, serves as an expert witness in lawsuits involving all aspects of privacy. For a list of his engagements, write firstname.lastname@example.org. PRIVACY JOURNAL is also eligible for "cy pres" awards from class-action settlements so that we can further our advocacy and consumer education.
From Portland, Ore.: Is there any specific law that prohibits companies from asking for a Social Security number? I'm not sure where I saw it, but I remember seeing an article which states that the only agencies that can legally require an SSN are the Social Security Administration, the IRS, and the military.
Response: There are no such laws. You may have read advice from us saying that the only legitimate demands for your SSN are when some tax reporting is involved - like payroll, home purchase or sale, bank accounts. The federal Privacy Act prohibits government agencies but not businesses from demanding SSNs unless certain conditions are met. States hav enacted laws prohibiting certain disclosures of SSNs by state agencies and businesses, but these don't affect whether state agencies may demand the number from you.
Exceptions: RI law says merchants may not demand an SSN when a customer makes a purchase. ME disallows denying goods and services to a person who does not provide an SSN, but many industry categories are exempt. NM has a similar law.
DON'T give up your number unless the transaction involves tax reporting or it's for Medicare. And, unfortunately, it's the military ID number. Unwise decision that we are paying for now.
From Connecticut: Great newsletter. I look forward to it every month. and I learn something every month.
Visitor Comment: I understand your point about needless concern about transmitting a credit card number through unencrypted email. I do agree that the chances are rare, but it's just as easy to publish a PGP key for all emails. This failure to take such a simple step concerns me.
Check out this site that helps protect your privacy and reduce junk mail too: proquo.com. It's actually free...
Inquiry: I'm looking for some research that identifies a person's preference for maintaining their location privacy. For example, is there anything that indicates that people are willing to let strangers know where they are with an accuracy of x meters?
Response: Check our December 2007 issue for some answers.
When the public figure Jackie Kennedy Onassis complained in the 1970s about stalking on the streets of Manhattan by a paparazzi photographer, who claimed protection by his First Amendment right to gather news, a federal court successfully barred him from “approaching within 100 yards of the home of her and her children, 100 yards of the schools attended by the children; and at all other places and times 75 yards from the children and 50 yards from her.”
A state law in Massachusetts prevents anti-abortion protesters from approaching within six feet of a person who is within an 18-foot zone around an abortion clinic. The U.S. Supreme Court has declined to question the constitutionality of this restriction. It has upheld a 36-foot demonstration-free zone in Florida. On Nov. 13, Massachusetts expanded the prohibition to a 35-foot zone.
From Rob Mayer, University of Utah: There are several studies in the U.S. that document the prevalence and consequences of ID theft. Have similar studies been conducted in other countries, or is ID theft not much of a problem outside the U.S.?
Response: You need a copy of our March 2005 issue in which we documented that ID theft is mainly a phenomenon in the U.S., and we explained why. Credit bureaus in other nations don't use a Social Security number or its equivalent to confirm identities in their files. "Identity Theft Happens Mainly in America," PJ Mar 05.
From a Reader: The March 2007 issue of PRIVACY JOURNAL states, at the bottom of page 5, that the PATRIOT Act ". . . merely requires banks to have a credible program for verifying identities of its new customers." Could you provide a reference in the PATRIOT Act that supports your statement? I have been having trouble with Washington Mutual over their statement that the PATRIOT Act requires a copy of my driver's license in order to open an account. -- Dan Durham Lacey, WA
Response: It's Section 326 of the Patriot Act. Go to 31 U.S. Code 5318 in a law library or online and scroll to Section l (as in the letter L). See the regulation under the law at http://www.ustreas.gov/press/releases/js335.htm. Banks have discretion, but showing a drivers license is only one way to confirm one's identity. A drivers license is not specifically required.
From Florida: Can you cite specific examples of states with laws that address computer repair services disclosing others' personal data? My story is that instead of fixing my computer, Circuit City installed someone else's files on mine and wiped mine out. The person whose files were installed had also had her hard drive (with files intact) sold. Microsoft, banking institutions, and the FL Retail Federation among others is making a huge lobbing effort to impede our progress.