Interesting Privacy Decision in New Hampshire 250

TCPALaw writes "A huge decision in privacy law was handed down today by the NH Supreme Court in the Amy Boyer case. Amy was stalked and killed by a man who got her personal information, including SSN, from an on-line information broker. Privacy groups such as EPIC have argued that access to sensitive personal information should carry with it liability for misuse, and can constitute a tort. The NH Supreme Court agreed. Now perhaps you can sue the spyware companies."

  • by chrisseaton ( 573490 ) on Tuesday February 18, 2003 @03:16PM (#5328259) Homepage
    Someone's been murdered and you're all smiles because you can go after some guys who send ads to your computer.
    • not at all. what's important here is that there is a precedent set in yet another identity-theft case. the more diverse cases that set precedent, the better legal progress is made.
    • by Mr Guy ( 547690 ) on Tuesday February 18, 2003 @03:23PM (#5328326) Journal
      No, we're saying at least we can prevent this from happening to our little sisters if we can sue the bastards that make it possible.
      • Hear me, hear me! This is a good time to pull
        this case - all one needs is to connect spyware
        with terrorism, sit back and enjoy the show.

        For starters, terrorists can buy a variety of
        information from spyware crooks, such as one
        needed to create impostor or fake identities
        of government or even (horror, horror!) military
        personnel.

        How about this?
      • by kfg ( 145172 ) on Tuesday February 18, 2003 @03:55PM (#5328640)
        No, it means you can sue "the bastards that make it possible."

        I'm afraid it doesn't necessarily do a thing to prevent anything from happening to your little sister.

        This is simply "Security through feeling good about what you can do after the fact and thinking through some sort of sympathetic magic that that prevents the occurrence in the first place."

        It doesn't work, it never has, because it's all about profit margins. Which is why they sell the information in the first place.

        Dealing crack is a risky business. You could even get killed. People do it because of the profit potential. If you can make enough money selling information to cover the potential losses through the off chance of a lawsuit there are people who will be glad to do it. Hell, they can probably even arrange insurance to cover them for this, not to mention most of the profits mysteriously ending up somewhere untouchable by the courts.

        Shit is still going to happen.

        KFG
      • No, we're saying at least we can prevent this from happening to our little sisters if we can sue the bastards that make it possible.

        And we can prevent a recurrence of 9/11/01 if we give up our right to take nail clippers on an airplane.

      • You can only sue AFTER the fact. I'd rather prevent it by giving my little sister a .357 magnum and teaching her how to use it.
    • Moderators (Score:4, Insightful)

      by FreeLinux ( 555387 ) on Tuesday February 18, 2003 @03:27PM (#5328373)
      No, the post isn't Offtopic, nor is it Flamebait. The Amy Boyer murder was a tragic event and this case will allow the family some chance of holding the "information clearinghouses" liable for the information that they doled out for a healthy profit and Amy's life.

      It has nothing to do with spyware. Making the connection of spyware to satisfy your personal conspiracy theorist mentality to this case revolving around a real and tragic event is just ridiculous. And, moderating the above comment Offtopic is just too typical.
      • Re:Moderators (Score:3, Informative)

        by Anonymous Coward

        The Amy Boyer [amyboyer.org] site is reachable again and seems to be able to handle the load.

        I would just like to thank the family for hosting the mirror of the Liam Youens stalker site [amyboyer.org]. It must have taken incredible fortitude for them to do that, but I think it's worth it, because I really believe it's possible to learn something from the site. If I had seen this before the murder, I would have pegged this guy as a pathetic poser (in fact, I'm glad I didn't see it then, because I wouldn't have done one single thing that could have changed anything, and I'd feel like shit now). It's a very upsetting read, but it may be worthwhile to some people here.

        At the same time, you don't want everyone assuming their slightly weird friends are all murderers-to-be. Shows how thin the line can be I suppose. But even just talking to someone can defuse almost any situation, if it's done in time.

        This [epic.org] at the EPIC site is also good.

        The legal story here is about lawyers, as always. The real issue is whether you can change people in society.

      • Re:Moderators (Score:2, Insightful)

        by Anonymous Coward
        "It has nothing to do with spyware."

        How exactly did you exclude spyware folks from information brokers?

        This case exactly does not deal with spyware, but the methodologies and form of information collecting and selling, including the damage that can be done, easily correlates logically and legally.
    • Not cold at all (Score:5, Insightful)

      by burgburgburg ( 574866 ) <splisken06.email@com> on Tuesday February 18, 2003 @03:28PM (#5328404)
      It's damn cold for the "information brokers" to freely trade in the most intimate personal information about you that they've gleaned/compiled/extracted. It's damn cold for this particular IB to have sold the info that led to this woman being killed.

      It warms the heart to know that this largely unregulated industry might suddenly have the fear-of-financial ruin checking their irresponsible ways.

      • Re:Not cold at all (Score:5, Insightful)

        by Incongruity ( 70416 ) on Tuesday February 18, 2003 @04:33PM (#5329051)
        It's damn cold for the "information brokers" to freely trade in the most intimate personal information about you that they've gleaned/compiled/extracted.

        Just a thought here... If you consider your SSN, age, address or even specific birthdate to be "intimate personal information" then you've been under a rock or are living in a fantasy world. The fact of the matter is that the SSN has been used and abused to such a point that it is unsafe to think of it as a private piece of information in any way other than an ideal sort of sense. Same thing goes with your birthdate, address, etc.

        This point is illustrated by just how quick most people are to turn over their "personal information", such as a SSN or birthdate, when asked for it by anyone from a gas-company customer-service phone-rep all the way to doctors' offices and insurance agents. If something is so intimate and personal, then why are people so willing to give it out to anyone that asks? The fact of the matter is, in the case of a SSN, the only place it's legally required is in certain financial and employment situations. In all other cases, you have the legal right to decline to give that information...but most people don't.

        As such, things like the SSN, here in America, have become simply publicly held bits of data that act as tokens to identify individuals in the sea of individuals. In many ways, a SSN is no more personal than a name, at least judging by the way it's used.

        I'll grant that a lot of the current state of affairs comes from the very type of activities that the ruling in question deals with. That does not change the fact that many pieces of information that were once much more "private" are no longer that way in reality. I'll also admit that there is a whole additional realm of personal information that is still personal and that information brokers seek to collect and sell...and that covers such things as shopping or travel habits. Most people still seem to guard that data fairly closely and it still seems to be "private" in nature...but that too is likely to change.

        In the end, no amount of information control can make up for a lack of good-will or a skewed sense of morality (whatever you define that to be). Suing the information brokers for contributing to the death of that poor woman seems to be only getting at an intermediate variable (and one with big pockets) rather than focusing on the primary cause of the woman's death...that is, the person who stalked her and killed her.

    • it beats the hell out of nothing at all coming from the death but a sentence for the person who did it.
    • Read the big picture (Score:4, Interesting)

      by Anonymous Coward on Tuesday February 18, 2003 @03:32PM (#5328446)
      No, I'm glad that people who deal in raping privacy have to face legal ramifications to their behavior. I'm sorry it has taken many deaths to finally get the courts to start holding people responsible. The stalker that killed Amy was able to do it because information brokers believe they are immune from the law, and will sell ANYTHING to ANYONE. Search for "skip tracer" and see what you can buy.

      I was horrified, but unfortunately not surprised at the death of Amy Boyer, Rebecca Schaeffer (whose home address was obtained from the DMV by a stalker's PI) and other women attacked by stalkers who were only able to find them through criminally lax data handling practices. My sister deals with sexual abuse victims, and one of the unfortunate pieces of advice she has to give them is to not register to vote, because the guy who may want revenge on them can use the voter registration rolls to find the victim again. Other big companies simply don't give a damn about data security as long as they get paid. For example, I was a consultant in a case against Equifax, and it turned out that Equifax - storehouse of extremely personal and private data - never forces password changes on its customers... so if someone gets a userID and password, they can get in undetected for years if they are selective about using it, and it doesn't get noticed on the bill (and at $2 a pop for credit reports, pulling 2 or 3 extra a month for an office that gets hundreds, won't get noticed).

      If people are lax about security of data they collect or use about you, they need to know that they can be prosecuted for it. The wild west of collecting and selling personal information without consent is going to come to a close.
      • by Anonymous Coward

        Interesting way to slashdot the Amy Boyer site. This [imdb.com] can probably handle the load.

        The privileged white male population of slashdot really has no idea how prevalent stalking behaviour is or how threatening certain behaviour can be. Perhaps because half the people here are maladjusted near-stalkers themselves (and I'm not flaming - I've done things in the past where I meant well and thought I was merely being cute, but it wouldn't be perceived that way at all by many reasonable people - I was merely fortunate in retrospect that the people in question were forgiving and open-minded).

        It's an area where people need a LOT of education. All the legal precedent in the world is nothing compared to the potential benefit of simply teaching people how to put themselves in someone else's shoes.

        The murder and rape cases are awful, but few and far between. It's the little tiny near-threats every day that really diminish us as a society. It galls me, because I now see any case where someone's liberty is reduced by quasi-fear and chill as a very serious matter (and yes, I'm aware of the irony given that this case too will be abused against people who did nothing wrong - but for every Type I error there's a Type II error, and there's nothing you can do to change that).

      • Hey, if you want to look at a company that is the KING of data (selling, and cleaning of others' data) look at Acxiom in Arkansas. Their main site seems to be flaky (on my browser) www.acxiom.com, but, this link works: https://www.acxiomdatanetwork.com/adn/home.cfm Equifax and others if not owned by Acxiom, get much of their data from them...they have info on about 98% of the people in the US...and are moving into other parts of the world....
      • This is where the more strict regulation in the EU and other nations is a boon, although even here in NZ there's a lot of stuff that is public information for public policy reasons (voter rolls, land ownership registration and so forth).
    • perhaps if a decision on this topic had happened long ago, 'brokers' wouldn't be selling this info to begin with and such it would not have happened.

      Perhaps you also need to take a valium.
  • by msheppard ( 150231 ) on Tuesday February 18, 2003 @03:19PM (#5328288) Homepage Journal
    In other news, the phone company is being sued because they list a person's address next to their name.

    M@
    • Re:Yellow Pages (Score:3, Insightful)

      by chimpo13 ( 471212 )
      The phone company runs what you tell them to run. You can have it run without an address -- they don't force you to.

      The annoying thing about the phone company is that it costs you money to not be in the phone book.
      • Re:Yellow Pages (Score:5, Informative)

        by cdrudge ( 68377 ) on Tuesday February 18, 2003 @03:27PM (#5328376) Homepage
        It however does not cost you anything to put your phone number under a different name. I could put my name under John Smith. Any phone calls that I receive for John Smith can easily be ignored then and it hasn't cost me a cent.
        • Re:Yellow Pages (Score:3, Interesting)

          Thing is that it doesn't cost a cent, but also it is not officially sanctioned either. I've done it in three states myself and each time I've had to claim that the bogus name was that of someone else living at the address. Telling them outright that I wanted to list it under a made-up name always gets me the run-around. Maybe the CSR's just aren't educated, but that's the functional equivalent to making the practice unsupported.
        • I bet tomorrow the phone directory will contain a lot more people named Fook Yu...
          Other suggestions [snpp.com], courtesy of Bart Simpson.
        • I was told that they wouldn't use anything but my real name. To not be listed, I had to pay a fee.

          So I got my home phone disconnected.

          My DSL is through Covad, and my cellphone works fine at home.

          As a bonus, I never get cold calls anymore... far as I'm concerned, telemarketers are a thing of the past.

    • Re:Yellow Pages (Score:4, Informative)

      by rgmoore ( 133276 ) <glandauer@charter.net> on Tuesday February 18, 2003 @03:36PM (#5328477) Homepage

      Actually, the court ruled in a similar matter as part of this case. They ruled that information that can readily be found out by observation of public actions is not covered under privacy laws. The specific example in this case was the victim's work address; the Court ruled that since somebody could easily and legally watch you commute from home to work, you have no reasonable expectation of privacy in your work address. The same thing is undoubtedly true of your home address, license plate number, and any number of similar facets of your life.

      • Re:Yellow Pages (Score:3, Insightful)

        by Greedo ( 304385 )
        the Court ruled that since somebody could easily and legally watch you commute from home to work, you have no reasonable expectation of privacy in your work address.

        To take it to an extreme, they might as well have said "because someone can stalk you, you have no reasonable expectation of privacy wherever you go."

        That can't be good.
      • Don't confuse the data being free with spreading collective information as also free. There is plenty on the books to distinguish between random data being public but that data collected being private.

        More than one researcher has run afoul of the government by collecting unclassified information into reports that get classified secret and confiscated.
        • More than one researcher has run afoul of the government by collecting unclassified information into reports that get classified secret and confiscated.
          I almost ran into this. We were working on a new whiz-bang modeling tool that would integrate a number of old FORTRAN codes that are used for a classified system. None of the codes or the data we were using were classified, but our security guy started getting nervous when the thing started working (particularly because one of the people working on the project didn't have a clearance yet). We ended up using good physics models with bogus inputs to make sure the models were not classified. Then we pitched to the potential users that they could import the correct data from their classified data bases to get classified runs. Anyway, totally OT, but I guess the moral of the story is that sometimes information that is not terribly useful by itself can become dangerous when combined with other information.
    • The point is that you can tell the phone company to leave you out of the book. It does cost you, but the issue here is that you have the choice; you have some control over use of your personal information.

      Notice that the decision states that people who sell information have responsibilities to the person to whom that information pertains. Particularly in this case, if someone obtains your information through fraudulent means, they can be sued under the MA and NH consumer protection laws. In this case, the plaintiff alleges that someone representing Docusearch called the murder victim and got her work address by lying about who they were and why they wanted it.
    • Re:Yellow Pages (Score:3, Insightful)

      by praedor ( 218403 )

      You can choose to NOT be listed and when you call information, they won't give it out. They will say "that person is unlisted".


      Other details like SSN, and various similar items that can be used to steal your identity or wreck your life through manipulation are NOT public knowledge, deserve to not be available to anyone short of law enforcement in possession of a court order.


      Privacy IS a right. If there was no right to privacy, there would be no logic to the right protecting you from illegal search and seizure and/or self incrimination. No privacy means you are searched without barriers and automatically incriminate yourself. Privacy IS important and if someone gave out my SSN or unlisted data (I am unlisted), they are culpable in any harm done by giving out that information. I would certainly take personal retribution on someone who engaged in this activity (giving out my SSN, etc).

      • If there was no right to privacy, there would be no logic to the right protecting you from illegal search and seizure and/or self incrimination.

        Wrong. Illegal search almost always involves trespass or trespass to chattel. Illegal seizure involves theft. Self-incrimination involves forcing someone to speak. None of them require a right to privacy.

        Privacy IS important and if someone gave out my SSN or unlisted data (I am unlisted), they are culpable in any harm done by giving out that information.

        We're going to have a lot of cease and desist orders then. Search google for 539-60-5125.

        I would certainly take personal retribution on someone who engaged in this activity (giving out my SSN, etc).

        SSNs should be published in the phone book next to people's names. That would solve 100% of the harmful things you can do with them.

    • my local telco lists me as eldridge cleaver [who2.com].

      for the record, i am not he.

  • by Salgak1 ( 20136 ) <salgak AT speakeasy DOT net> on Tuesday February 18, 2003 @03:21PM (#5328311) Homepage
    . . .that "information brokers" of this sort have an implicit obligation to formally notify the objects of such searches, as to the nature of each search and the buyer. This still wouldn't protect someone who was using a "straw" buyer, but would go a long way to protect people from stalkers. . .
    • Information Broker = Private Investigator. PIs won't tell you if you're under surveillance, neither will the IBs. At least we can go after them if they sell our personal information without consent.
      • by iamacat ( 583406 ) on Tuesday February 18, 2003 @04:06PM (#5328748)
        Seeing how everyone is getting rich selling private information, I am putting MY private information on sale right here on slashdot. YES, IT'S 100% LEGAL. You will get a signed, limited edition booklet with my address, phone number, SSN, credit card numbers AND the illustrated history of both my and my cat's love life with an invitation to add a new episode to either one. 10 booklets will be sold to the highest bidders, so take advantage of this unique opportunity and RESERVE YOUR COPY TODAY.
      • by Master of Transhuman ( 597628 ) on Tuesday February 18, 2003 @05:15PM (#5329533) Homepage
        Actually, since I'm planning to start up as an "information broker" I should clarify this misconception.

        Information brokers do not sell people's SSN's. Those are sleazy operations that are more akin to private investigators (sleazy ones) than IB's.

        An IB is more like a freelance librarian - you call them up and ask them how many widgets were sold in Thailand over the last five years and they do the research and find out for you.

        Sometimes they do competitive intelligence research which is a little closer to what the sleazy operations do, but still legal.

        There is a national organization for IB's called Association of Independent Information Professionals with a web site here [aiip.org] which has the following Code of Ethics:

        An Information Professional bears the following responsibilities:

        Uphold the profession's reputation for honesty, competence, and confidentiality.

        Give clients the most current and accurate information possible within the budget and time frames provided by the clients.

        Help clients understand the sources of information used and the degree of reliability which can be expected from those sources.

        Accept only those projects which are legal and are not detrimental to our profession.

        Respect client confidentiality.

        Recognize intellectual property rights. Respect licensing agreements and other contracts. Explain to clients what their obligations might be with regard to intellectual property rights and licensing agreements.

        Maintain a professional relationship with libraries and comply with all their rules of access.

        Assume responsibility for employees' compliance with this code.

        I have a little problem with the "recognize IP rights" bit, but generally a legit IB ain't gonna sell you somebody's sister's SSN and address.

    • That would be for the best, I think. Of course, the sleazier "brokers" would tell you that someone is looking up your information, and then offer to sell you their information.
      Actually, I would like to see a law that anyone who gathers personally identifiable information on an individual has to gain your permission before selling it. That would put a lot of these people out of business. I know, I know, we shouldn't throw laws at every problem... but I consider personal privacy important enough for legislation.
  • Yes, that comment is borderline morbid, and probably in bad taste. But it would garner media attention, and probably result in the laws being changed...

  • Yes indeed.. (Score:4, Insightful)

    by Lord Bitman ( 95493 ) on Tuesday February 18, 2003 @03:23PM (#5328327)
    Because stalking and murdering someone counts as misuse, obviously, giving your name to a list which randomly sends e-mail also does. There's /. logic.
  • by DuckyExMachina ( 320160 ) on Tuesday February 18, 2003 @03:23PM (#5328332) Homepage
    let alone possible implications for combating spam, this is a good ruling for our safety. there should be some liability for someone looking to obtain information like someone's SSN. I guess if any wackjob with a grudge can buy a social security number and mom's maiden name, it's good that they hold some liability for the actions they take with that information. ...it still doesn't make me feel that much better that any wackjob with a grudge can buy someone's SSN, though.
  • Can of worms (Score:4, Insightful)

    by Pharmboy ( 216950 ) on Tuesday February 18, 2003 @03:24PM (#5328341) Journal
    Yes, in theory we would love to sue spyware authors into oblivion. But I fear we are opening yet another can of worms.

    I agree that companies that have access to your personal information should be held liable if they disclose the information, or are negligent in protecting that information (egghead.com comes to mind).

    IAMAL, but more importantly, judges are not congressmen, and I always have reservations when judges "create" law that legislators should have in the first place.

    I can't swear that this is the case here, but with two years in the legal field, I still have trouble fully deciphering these rulings. (the fact that law can't be read by persons with average intelligence is yet a whole other subject).
    • Re:Can of worms (Score:3, Insightful)

      by giminy ( 94188 )
      When a judge makes a ruling like this, he's not "creating" a new law, but rather interpreting what the current laws say. So there is either a clear case where you put 2 and 2 together and get information brokers liable for the information they sell (ie by applying current liability laws vis-a-vis private information), or this judge will be overturned by the next highest court (in which case this judge looks like an idjut in court circles).

      #include <disclaimer.h> /* IANAL */
  • by Oculus Habent ( 562837 ) <oculus.habent@g m a il.com> on Tuesday February 18, 2003 @03:24PM (#5328343) Journal
    While an information broker should be responsible for their actions to some extent, I think the killer should be held responsible, and that nothing should diminish the clarity of that matter.
    • Where is anyone suggesting that the murderer is not responsible, or less responsible, just because he got help committing his crime?

      The court ruled that the information broker is responsible for their actions: they spied on this woman, sold her info to someone (but did not bother to find out who the buyer was or what he intended to do with the info), then cashed their check.

      Your inference is incorrect; the court did not rule that responsibility shared is responsibility diminished. If three people are convicted in the same murder, they can all get the same sentence; I don't think the court would impose one sentence divided by 3.
  • A great idea (Score:3, Interesting)

    by Anonymous Coward on Tuesday February 18, 2003 @03:25PM (#5328345)
    I'd love to see companies held liable for damages caused by their keeping huge databases with credit card information just sitting online waiting to be hacked.
  • by teamhasnoi ( 554944 ) <teamhasnoi@yahoo. c o m> on Tuesday February 18, 2003 @03:27PM (#5328389) Journal
    How about full, free disclosure on anyone (including celebrities and politicians, and people who don't want disclosure), and logs of who requests the data?

    If all the info is available to everyone, and the knowledge of who is searching on you is known, what is the danger?

    Obviously, I'm forgetting about identity theft and fraud - but we need better systems in place to prevent that anyhow.

    Just a crazy thought. If everyone knows what they want to about anyone, doesn't that remove some of the reason for identity theft, and 'nosy nellies'?

    • by Psmylie ( 169236 ) on Tuesday February 18, 2003 @03:53PM (#5328621) Homepage
      Coming from a corporate environment, I have to say that "Nosy Nellies" are a pretty big problem. People like to know stuff about their co-workers, bosses, etc. So, they look stuff up, and then they hit the rumor mill.
      I do HR support, and I know of at least five cases where we fired someone for illegally accessing data (off of the HR database). Most of those were tech workers who were supporting HR machines and thought they'd find out what their co-workers made.
      I know of about a dozen more cases where HR had to talk to people who were looking up information on their co-workers, and were harassing them with it. And this is all very recent (last few years). Five years ago, I'd never heard of this kind of problem.
  • by gpinzone ( 531794 ) on Tuesday February 18, 2003 @03:28PM (#5328396) Homepage Journal
    I like the idea that "personal" information needs to be secure and the mishandling of it could lead to a lawsuit (only if there are damages). However, what constitutes "personal" information? A phone number? SSN? Address? If I inadvertently gave the stalker directions to this person's house, am I liable?
    • by Sylver Dragon ( 445237 ) on Tuesday February 18, 2003 @04:14PM (#5328823) Journal
      If I inadvertently gave the stalker directions to this person's house, am I liable?

      Actually they addressed this in the ruling. The judges found that things such as Work and Home address are not considered private. As such, there is no liability for giving out or selling this information.
      What they did find to be a problem was calling a person, and using a false pretext (a lie) to get or confirm their work address. Also, they found that obtaining a person's SSN from a credit report header, then selling it was a violation of privacy, and is therefore cause to bring a civil suit against the information broker.
      If you haven't yet, I suggest reading the decision, it's a bit heavy, but is very well thought out.

    • Right now 'personal information' is a broad range of stuff - too broad to actually hold anyone accountable for its use. If we can get a classification system in place, then we can start talking about unauthorized uses and punishments.

      Basically, there is a broad division between information that is unique to the person, and information that is assigned. Your fingerprints are unique, your SSN is assigned.

      There has to be some sort of principle to govern the status of these classes. For example, I believe that it is your right to have and maintain exclusive control over the things which are uniquely yours. Within the class of assigned information, disclosures and aggregations must be with the consent of both assigner and assignee - if an information aggregator of any kind wants to warehouse information then they need to have the explicit, informed consent of all involved parties. Some information aggregation activities constitute a search under the Fourth Amendment, basically anything that informs about a particular person or any member of a small enough population, and should be protected as strongly as the physical boundaries of your house or car.

      Once some principles are settled on, following those principles makes it possible to grade out the sensitivity of assigned information and establish guidelines for its use and disclosure.

      Are directions to a street address provided by the inquirer enough to be held liable? Maybe not, but credit reports and real name to username correlations might be. The aggregation of username, real name, e-mail address, homepage URL, street address, city/state/zip, home phone, cell phone, profession, workplace, and job title certainly feel like a lot to give to register at an on-line forum - yet many ask for that much info.

      What the service is allowed to do with all that personal information is mostly governed by some pretty flimsy laws and a feel for how far they can push the boundaries of community tolerance and civility. But without some principles to govern the effort, we'll just end up with frivolous litigation and foolish legislation.
  • It's too bad that someone had to die before the courts got involved. You'd think that the right to privacy would be a right.
    • But are they responsible? I think it's a bit harsh to hold them accountable for someone else's actions. I do agree that there is something a little seedy about selling contact details to anyone who asks, but a lot of this information is freely available if you are interested. What about private investigators? Are they accountable if they are asked to trace someone and they do? What if one of those "honeytrap" 'PIs' that get an attractive lady to chat up your spouse? If the wife then killed the cheating husband, would the PI be held responsible for providing information that led to the killing?


      There are too many ramifications to this to just say they were in the wrong, and they should be sued. The killer would most likely have killed someone even if that person had been someone else, regardless of how he got that person's information, if at all. Ultimately, the only person responsible for the killing was the murderer.


      My contact details are available should someone want to find them. There is a tiny risk that some weirdo will get them, but it is far more useful to me to have those who might want to contact me having access to that information.


      What you call your 'right' to privacy has been effectively relinquished to an 'opt-out' system by society wanting to keep in touch, not business or government wanting to pry. It would be a nuisance to get unlisted from all the sources out there, and I doubt anyone is seriously going to consider it anyway, even after this.


      At the end of the day, they are dealing with freely available information, and they could be seen as seedy and morally questionable, but I don't think they did anything illegal; a similar sort of opinion I have to the porn industry, traffic wardens, and middle management.

      • Yes, I think that stalking if done by a PI, or the government or individuals is a bad thing. I think they are responsible. They are giving out private information that they either have special access to, or have gone out of their way to find (stalking).

        What I call a right to privacy is the right to decide whom I want to deal with, and in what situation. From the US constitution... "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." This right was breached.
        • I don't see anything in what you are quoting that stops anyone from passing on address details to someone else.

          Where do you draw the line? What if I pass a friend's contact details to someone else, in "good faith"? For instance, if a male acquaintance wanted a female acquaintance's number to call and ask her out? I would probably feel pretty damn bad if he was to kill or rape her, but I couldn't anticipate it, and I certainly would have a hard time believing myself legally responsible. The lack of monetary exchange does not change anything in legal terms.

          Yes, I do think they are dealing in pretty immoral practice - no, I do not think they can be held legally accountable.

          I don't think they are stalking simply by collecting information about someone. They may have lied to get some of the information, but again, legally I think they are in the clear. What about credit checks? Do you think they should be illegal too, as they contain a lot more information that could be considered personal?

          What about the electoral roll?

          Here in the UK, you can check any doctor's registration online (www.gmc-uk.org I think), and many have their home addresses on it. If, like in the US, anti-abortion wackos kill doctors and print their personal details online (I seem to remember this was ruled legal despite obvious moral objections), the same happened here, would the GMC be responsible for providing the details? The thought is that it is more important to be able to verify that someone is medically qualified before they treat you.

          • Do you mean you would give a male acquaintance a female acquaintance's number? I'm always very careful about that sort of thing, and usually say something like, "it's in the book, look it up". If it's not, then there's probably a good reason for it.

            As has been talked about on slashdot, credit checks can alter your credit rating. In other words you can be directly affected by other people snooping, even if you don't know why. I think credit checks should only happen on me if I authorize it. And as far as I know (Canadian citizen) that is the only way they can happen.

            What about the electoral roll?

            If a doctor has his home address on their registration that is their choice. And as far as printing their personal details I think you're confusing your courtroom drama shows.

            What does a doctor's home address have to do with verifying the doctor's medical qualifications?

            Obviously different countries have different laws, but in general we all agree that we all deserve the right to decide for ourselves who gets our info. This was the point that I was making.
  • by Anonymous Coward on Tuesday February 18, 2003 @03:30PM (#5328427)
    This is quite a limited item; it covers the use of an information broker to call an individual to ask for their work address under the *wrong* pretext (a lie) and then sell the information they got based on this lie. It does not seem to cover stuff like selling information found in a credit report, or anything else like that.
  • by Anonymous Coward on Tuesday February 18, 2003 @03:31PM (#5328436)
    The Estonian ID card project gives away everyone's name and SSN if you have one of these (mandatory) ID cards and you have the web services enabled (most people do).

    Just use your favourite ldap client to browse ldap://ldap.sk.ee (or just pop that into the "run" dialog box in windows) and voila - you got everyone's SSN that has one of these trinkets already. Including mine.

    They claim it was in the contract when I signed it. Haven't taken a look.
  • Does this mean ... (Score:5, Interesting)

    by jc42 ( 318812 ) on Tuesday February 18, 2003 @03:32PM (#5328440) Homepage Journal
    ... that when the US gummint's TIA program hands the FBI info about someone with the same name as mine, and they pull a Jackson Games (or Limone/Salvati) caper on me, I can sue the government?

    Thought not.

    OTOH, I've seen an interesting explanation of the curious phenomenon of all those valuable medical studies coming out of Scandinavia in the past couple decades. It seems that they passed laws there that make the medical databases fairly open and accessible to researchers. They understood that this meant that the data would be fairly easily available to essentially anyone willing to hand a few kronor under the table. So they included some fairly severe punishment for misuse of this information. They especially punish employers for [pick your euphemism for firing] employees with medical problems. Supposedly the result has been to make the citizenry fairly supportive of access to medical data, and this is of obvious benefit to society.

    Can't imagine this sort of "onerous government regulation" happening in the US, though. Except for occasional court cases like this, information about you and me is just a commercial commodity.

    Funny this case was in New Hampshire. That's one of the more laissez-faire states. But then, it wasn't the legislature; it was a judge. It'll be interesting to see the followup.

    • that when the US gummint's TIA program hands the FBI info about someone with the same name as mine, and they pull a Jackson Games (or Limone/Salvati) caper on me, I can sue the government?

      Thought not.

      yes, you can.
    • when the US gummint's TIA program hands the FBI info about someone with the same name as mine, and they pull a Jackson Games (or Limone/Salvati) caper on me, I can sue the government?

      Well, you'll have to wait until the TIA gets a budget. Congress recently pulled their money until they can demonstrate that the sort of thing you mention (and, more broadly, violation of the right to privacy) don't happen.

  • by Anonymous Coward
    Now perhaps you can sue the spyware companies.

    After someone killed me ?
  • Would this include liability for charges made on a CC after the number was hacked out of a "secure" database?
  • often, similar information can be pulled just as easily off of popular search engines, if the person is active online. are their search and archiving techniques the next to be contested?
  • Guns. (Score:4, Interesting)

    by dameron ( 307970 ) on Tuesday February 18, 2003 @03:43PM (#5328541)
    The murderer, who "kept firearms and ammunition in his bedroom", purchased information about where the victim worked from a company called Docusearch then proceeded to kill her, then himself.

    The victim's estate goes after the search firm and wins. So we're to conclude that the selling of such vital information to the murderer is a punishable offense, at least in N.H. What about the people who sold him his guns? Seems to me that the weapon was at least as dangerous as the information, and each being fairly useless without the other.

    Also, this guy "maintained a website containing references to stalking and killing Boyer".

    Big lesson here: Google yourself.

    -dameron
    • Two things. (Score:5, Insightful)

      by Dirk Pitt ( 90561 ) on Tuesday February 18, 2003 @03:56PM (#5328654) Homepage
      I think there are at least two issues at hand here:
      (1) You must pass a background check before you buy a gun. This is a legal device for clearing the seller of liability. There is no such equivalent amongst the major info-brokers.
      (2) Apples and oranges. A core issue of privacy advocates is that information specific to me is my proprietary information. You have no right to sell it or otherwise distribute it without my permission. This information can be used to harm *me* specifically, and the fact that anyone can obtain it for a price is innately harmful to me. A gun has no specific target until you point it at someone.

      • A core issue of privacy advocates is that information specific to me is my proprietary information.

        Perhaps so, but that certainly wasn't what the court said.

    • Re:Guns. (Score:3, Insightful)

      by Mechanik ( 104328 )
      What about the people who sold him his guns?

      I can't tell if you're being sarcastic, but assuming you're not...

      Assuming the guns and ammunition were sold in accordance to the law (and not obtained illegally), and the seller had no reason to suspect any wrongdoing, then I don't see how you can blame the seller for the crime. Might as well blame WalMart the next time someone gets stabbed in a domestic dispute on account of the fact that WalMart sold them the steak knife. Or the liquor store for selling someone that 40 of vodka they drank before running down someone in a drunk driving mishap. Or hell, why not sue the dealership that sold him the car?

      Leaving all that aside, there is still a fundamental difference. You don't have a legal right to prevent everyone that knows you from not owning guns. You do however have a right to privacy. The violation of the deceased's right to privacy led to their death, i.e., the search firm acted illegally when they should have known better than to do so, and that negligence led to the victim's death. Unless you can prove that whomever sold the murderer the guns was similarly negligent, then I don't see how they should be at fault.


      Mechanik
      • Points well taken, but...

        seller had no reason to suspect any wrongdoing, then I don't see how you can blame the seller for the crime.

        Well, I think we can agree in this case at least, that the background check left something to be desired, and this guy was as loopy as a fruitcake.

        Or the liquor store for selling someone that 40 of vodka they drank before running down someone in a drunk driving mishap.

        This happens all the time. Liquor stores and bartenders (especially bartenders) are routinely questioned in drunk driving deaths. If a bartender sells someone a drink and then lets them get into a car when the bartender knows or suspects the customer is intoxicated the bartender and the establishment that sold the drink can be held negligent. Similarly if a car dealership sold a car to someone who was plastered they'd likely be liable the second he got behind the wheel.

        Regarding steak knives, well, I can think of substantial "non-infringing" uses for steak knives, like eating steak, or, apparently, sawing through soda cans then cutting tomato slices. Guns, particularly handguns, have a much more limited range of uses.

        -dameron

      • Assuming the guns and ammunition were sold in accordance to the law (and not obtained illegally), and the seller had no reason to suspect any wrongdoing, then I don't see how you can blame the seller for the crime.

        According to this [amyboyer.org], Liam Youens' gun collection [amyboyer.org] was a big no-no. I'm all for the right to bear arms, but not to the point where any criminal and retard can acquire a gun.
    • Re:Guns. (Score:4, Insightful)

      by YrWrstNtmr ( 564987 ) on Tuesday February 18, 2003 @06:30PM (#5330437)
      What about the people who sold him his guns? Seems to me that the weapon was at least as dangerous as the information, and each being fairly useless without the other.

      Is Mercedes liable for the death of the husband whose wife killed him by running him over? If this murder had been done with a kitchen knife, would Ginsu have been liable?

      The tool he used to kill her is of far less import than the act of doing it. Someone bent on murder will use whatever is available. Gun, car, knife, golfclub, a rock.
  • by Hungus ( 585181 ) on Tuesday February 18, 2003 @03:53PM (#5328626) Journal
    A little background:
    I work with a security and investigations firm and also work as a medical applications developer. This means I see both sides of the privacy issue. On the security and investigations side I routinely find out more information than you ever thought was possible in your worst nightmares about people and their relationships. On the medical side I try to make it as difficult as possible (short of destroying the data) for non-authorized people to access information.

    There is a large amount of data that is part of the public record that anyone can access and it is perfectly legal for them to do so.

    Where you were born

    Criminal record

    Drivers license info

    SSN#

    Address

    Tax Records etc.

    I often wonder if people know how much of this information is available. I am not sure what the Justices were thinking as I have not read the case opinions at this point, but the stalker could have just as easily gone to the public library and courthouse and found out the same information. I personally would love to be able to have more anonymity. I don't think that the Govt. or anyone else should know where and when I travel, what websites I go to, what my email says or who I live with. But the sad fact is that America has historically been willing to give up these "rights" and "privacies" for temporary security, and this I think may be part of the result.

    • The SSN was obtained from a credit header, which I don't think counts as a publicly available means. In fact, I'm curious, where is the SSN part of the public record? Anyway, the court ruled that

      The other issue was obtaining the work address. The court ruled that a work address was not private information, but that obtaining the information using fraudulent means and then selling it constituted committing fraud in the practice of a business.
  • by stevel ( 64802 ) on Tuesday February 18, 2003 @03:57PM (#5328673) Homepage
    I live in the city where Amy Boyer was murdered, and my wife knows Amy's mother. We (my wife and I) have talked about this case a lot, especially every time the Remsburgs appeared in a new newspaper article about their fight against the "information" companies.

    As horrible as this crime was, it's not clear to either of us that if Liam Youens hadn't been able to buy the information on where Amy worked that she would be alive today. Youens knew where Amy lived, and he had been obsessed with her for years. It was just a matter of time.

    I think what Docusearch did was slimy, and possibly illegal - especially the use of "social engineering" to trick Helen Remsburg into revealing information about her daughter.

    The issue at hand is whether or not Docusearch, and similar companies, have an obligation to warn people when their personal info is sold to someone, especially when the purpose is unknown. I think it's well established that this sort of information is often used for heinous purposes - remember the case of actress Rebecca Schaffer, who was murdered by someone who bought her address from the California DMV!

    In my opinion, the NH Supreme Court got this one right - Docusearch knows or should know that the primary use of the information they collect is NOT for the benefit of the subjects. They should have an obligation to inform the subject that the information has been collected and sold.

    However, I think it is wrong to assign the blame for Amy's death on Docusearch. They were an "accessory to a crime", but did not commit the crime itself.

    There are so many "what ifs" in cases such as this, that can have people tied up in knots for years. Youens had a web page up which gave fairly solid clues that he had it in for Amy Boyer. Did anyone in a position to do anything see this beforehand? Probably not...

    As for spyware ("spywear"? Is that the watch with a poison dart?), I don't see an obvious connection with this case.
    • by guacamolefoo ( 577448 ) on Tuesday February 18, 2003 @04:40PM (#5329134) Homepage Journal
      However, I think it is wrong to assign the blame for Amy's death on Docusearch. They were an "accessory to a crime", but did not commit the crime itself.

      This case had nothing to do with criminal liability whatsoever. Your whole "criminal accessory" statement is a non sequitur.

      The case at hand is strictly a money damages tort case. Since the decision discussed whether a cause of action could arise for the five circumstances outlined in the decision, I suspect it was before the court on an appeal from a motion for summary judgment. A little procedural history from the court would have helped this decision out a great deal. I will assume that this was a motion for summary judgment which was appealed (although that could be wrong).

      Every case needs three legs to stand up:

      (1) a deep pocket to sue/collect from. The gunman is presumably worth little -- let's go after the business instead, and maybe an umbrella liability policy.

      (2) clear liability. This is now settled by the court.

      (3) good damages. Nothing beats a dead plaintiff except a sympathetic dead plaintiff that wasn't uneducated or black or gay or a drug user or a criminal. It sucks, but not every life is worth the same to a jury.

      This case was missing the liability leg, but now that is in place and there is the potential for decent payday, depending on the assets of the business and/or its insurer.

      Did anyone else notice the amicus brief filed by the New Hampshire Trial Lawyers Association? Do you think that they are trolling for more dead girls killed by stalkers? In some respects, this case is about the Benjamins.

      I have nothing but sympathy for the family of the slain woman. My office does lots of family law, and I sometimes get worried not only about the clients, but the people in my office being targeted by some of these fucking wackos. One guy in my office gets letters regularly from someone who writes things like "I know that one day you and your entire family will burn for eternity in a lake of fire for what you do."

      On the other hand, private investigators serve a very useful function in locating people for process serving to initiate divorces and to collect child support. I have one working on finding a serial defrauder right now. I am not anxious for other state courts to adopt positions similar to the one adopted by New Hampshire.

      FWIW, I am not sure of the New Hampshire rules regarding comparative or contributory negligence. I do not know what the joint and several liability rules are. Notably, the gunman was not sued, or at least the caption does not show this.

      Youens knew where Amy lived, and he had been obsessed with her for years. It was just a matter of time.

      This makes me wonder what the damages really were. Also, was there a PFA (protection from abuse, or NH's analogous procedure) in place? Did the killer simply ignore these? This case is interesting as a privacy issue, but also it serves as a warning to take bizarre, stalking-type behavior extremely seriously.

      GF.
      • by stevel ( 64802 )

        This makes me wonder what the damages really were. Also, was there a PFA (protection from abuse, or NH's analogous procedure) in place? Did the killer simply ignore these?

        No - Liam Youens was unknown to Amy Boyer and her family. She had no idea he was stalking her.

        I understand, and to some extent agree, with your remark that "It's all about the Benjamins", but the larger picture is that Amy's parents have been looking for someone to blame, and they fixed on Docusearch. I don't fault them for this, it's a natural reaction and part of the way they're coping with the tragedy. I was trying to suggest that perhaps some court may later find that actions similar to what Docusearch in this case constitutes criminal liability. I am certainly not a lawyer, so I don't know how that would play out.

        I don't doubt that private investigators have an important role. But I think they can't wash their hands of their responsibility either.

    • "They should have an obligation to inform the subject that the information has been collected and sold."

      I'd personally rather see

      "They should have an obligation to inform the subject that the information has been collected and whether they CAN sell it."

      There's nothing you can do about activities outside the house in public, but who your phone provider is, your bank, your insurance, the calls you make, paying bills on time, etc., should only be between you and any businesses you choose to do business with.

      I'm tired of companies thinking they have a right to my personal life if it makes them some cash.
  • In the decision: (Score:4, Insightful)

    by schaefms ( 633516 ) <`junk' `at' `markschaefer.org'> on Tuesday February 18, 2003 @03:58PM (#5328680)
    IANAL, but it appears that the decision is:

    1) If you have non-public information (SSN, CC#, addresses, etc.) on someone, you are partially liable if you offer that to someone for a fee for what that person does with the information.

    2) You can't obtain information on someone deceitfully and sell it.

    #2 seems pretty obvious. #1 has a lot of implications for all these companies that have your mortgage records, etc., which IMHO is a good thing. In other words, "Quicken Loans" becomes an accomplice to a con artist if they sold that con artist a list of their outstanding loans and contact info.

    This is not in any way talking about public info, though, so if you pay me $25 to get someone's phone number from the white pages, you can harass that person all you want and it won't come back to me. At least based on that decision.
  • Great! (Score:3, Interesting)

    by mlknowle ( 175506 ) on Tuesday February 18, 2003 @04:49PM (#5329240) Homepage Journal
    This is a fantastic way to (help) deal with a nasty problem... Instead of broad, over-reaching laws, make the companies liable for misuse of the data, and therefore disinclined to collect it, and thereby gain liability, in the first place. Of course, if the data is truly vital, they will still collect it, but will be much more likely to take steps necessary to protect it properly. I think this approach works much better than a law against collecting it in certain/most cases.
  • Although most of the decision is sound, I think that Duggan et al. got Question 4 of the decision wrong and a bunch of the reasoning of Question 5 wrong. Since they were wholesale changing the law on 4, there's no reason to artificially reserve the misappropriation of a name or likeness to a person's reputation or prestige, i.e., to celebrities. Jeezus, how many celebrities are in NH anyway, 2? They go to pains to talk about how widespread and damaging identity theft is and then close off the cause of action to a scant few. While Question 5 seems to cast an overly broad net. Jeez, anytime you make a call under a false pretext you're subject to a deceptive practices act!? No more calling the video store and asking "how late are you open" when all you wanted to know is if they're open right now. Jeez, no more prank phone calls unless you truly do want them to let Prince Albert out of his can.
    • "there's no reason to artificially reserve the misappropriation of a name or likeness to a person's reputation or prestige, i.e., to celebrities"

      This has nothing to do with celebrity. If I pretend to be you on eBay, say, and sell bad goods, I've misappropriated your reputation. If I apply for a credit card, pretending to be you, I've misappropriated your credit record, which is commercial reputation. What the court ruled is that the name itself is not private.

      "Jeez, anytime you make a call under a false pretext you're subject to a deceptive practices act!?"

      Again, no, only if you do it for a commercial purpose. In other words, yes, you are liable if someone pays you to make a crank call. Or if you own a video store, calling other video stores pretending to be a customer so you can figure out what titles they are already out of so you can alter your pricing accordingly.
  • by Master of Transhuman ( 597628 ) on Tuesday February 18, 2003 @05:29PM (#5329733) Homepage
    1) There was no contract between the IB and anyone else (except maybe the stalker client) concerning protection of this information.

    2) While obtaining the information using a pretext is sleazy, I don't see how this constitutes liability for the misuse of the information by a third party.

    3) This seems to me to be just another attempt to spread liability around as a means to compel behavior that the legal system wants to occur without the formality of actually passing a considered law, i.e. bypassing the Constitution (Federal or State) and making law in the court. The criminal justice system doesn't like sleazy IB's, so they make them liable for something they have no control over.

    4) When is the court ready to assign liability to cops and Feds who fake court orders, manufacture evidence, and otherwise abuse their responsibilities on a daily basis and thereby cause thousands of people to spend time in jail for crimes they did not commit? Oh, wait, I forgot - the criminal justice system is immune from prosecution for "screwups"...

    This seems like a typical case of "something bad happened, we can't punish the guilty, so we'll find someone else - anyone else - and punish them.."

    How is an IB supposed to verify their client's intentions? "Oh, excuse me, I really need this info so I can shoot my ex-girlfriend - or stalk Jodie Foster..." "Just check this block on the request form here: Will You Use This Info For Legal Purposes? YES: NO: "...

    Or: "You realize, sir, that we have to ask you to turn over your criminal and mental health history to us, so we can verify that you will use this information only in a legal manner?"

    Or worse, that if you ask for some innocuous info, that they then investigate YOU before investigating the subject...

    Yeah, right...

    • "There was no contract between the IB and anyone else (except maybe the stalker client) concerning protection of this information"

      It's not a matter of contract law, it's a matter of "violation of seclusion". There's no contract saying you won't take pictures through my bedroom window, but you could still be violated for selling them.

      "While obtaining the information using a pretext is sleazy, I don't see how this constitutes liability for the misuse of the information by a third party"

      No part of the ruling said that obtaining information under a pretext gave you liability for misuse. It said it gave you liability for damages under the fraudulent business practices act.

      "The criminal justice system doesn't like sleazy IB's, so they make them liable for something they have no control over"

      The court ruled that IB's must take reasonable care in disclosing people's personal information. Why do you have a problem with this? What would be wrong with having to submit to a criminal background check before you can pay someone for personal information about another person? What legitimate public need would be thwarted by such a scheme?

      "When is the court ready to assign liability to cops and Feds who fake court orders, manufacture evidence, and otherwise abuse their responsibilities on a daily basis and thereby cause thousands of people to spend time in jail for crimes they did not commit? Oh, wait, I forgot - the criminal justice system is immune from prosecution for `screwups'"

      Odd, because they actually aren't immune to liability if you manufacture evidence or falsely imprison someone.
  • Forget CSS and the DMCA. Encrypt DVDs using some girl's social security number and most slashdotters will support laws against spreading the circumvention key.
  • by grundie ( 220908 ) on Tuesday February 18, 2003 @08:24PM (#5331271)
    In the UK we have the Data Protection Act 1998. Basically it stipulates that if you want to hold personal data on someone you must by law be on the register of data controllers, see here. [dataprotection.gov.uk] It also stipulates you can only hold someone's personal information so long as you have a bona fide reason for having that information (e.g. business relationship etc). If you are holding or using personal data without authority you are committing a criminal act and the company's data controller can be held personally liable to criminal action. It is also required that the data controllers tell the registrar what they do with personal data and they are then restricted to doing only what they said they would do. Failure to comply can lead to big fines and payment of compensation to the victim.

    I personally have used the act many times to look at my data, all I do is pay £10 for costs and the company/organisation has to give me everything they have on me, including CCTV footage they may have of me (suitably modified so as to obscure the identifying features of other people). If I find something amiss I can complain to the Information Commissioner who has the legal powers to put it right and award me compensation. It would seem this sort of act would prevent a case like this, by effectively shutting down information brokers. Does no such similar act exist in New Hampshire or other states?
