Most online privacy policies contain provisions for sharing customer information with law enforcement agencies in the event of a criminal investigation or suspected illegal activity. Nevertheless, some companies that have been cooperating with authorities investigating the Sept. 11 suicide hijackings that destroyed the World Trade Center and damaged the Pentagon are now reviewing their actions for possible privacy violations, according to people familiar with their concerns.
A key issue, privacy advocates say, has come from companies that worry they may have gone too far in handing over complete databases to law enforcement in the immediate aftershocks of the attacks without requiring a court order or a subpoena.
While companies typically require a warrant or a court order before relinquishing the contents of e-mail or electronic files to federal authorities or in civil cases--procedures mandated under the Electronic Communications Privacy Act--Internet companies can provide information about consumer identities without a court order.
Many major companies have legal departments to handle such requests. But in the aftermath of the terrorist attacks, some companies may have ignored normal procedures for working with law enforcement, privacy experts said. Some experts see an imminent and worrisome shift in the debate over online privacy toward greater surveillance.
Larry Ponemon, CEO of the Dallas-based Privacy Council and former head of PricewaterhouseCoopers' privacy practice, said he's spoken with some companies that admitted giving over their databases to authorities wholesale, without a valid court order or subpoena. He declined to disclose the names of the companies but said consumers may soon begin receiving notifications and apologies informing them of possible privacy violations.
"In some cases, trying to participate and cooperate with authorities led to the other extreme of actually violating all the privacy rights of customers and employees," said Ponemon. "It's scary. We have no assurances they are going to delete (this information). Are they going to return it? Are they going to make any warranty that they won't use it again?"
Legal experts said that the risks of liability in such cases are small.
"Suppression of evidence would be the most serious consequence of the government obtaining information in violation of privacy rights," said Dave Kramer, a partner in the Internet counseling group at Wilson Sonsini. "The likelihood of there being financial consequences...is limited."
Nevertheless, some companies seem to be taking precautions in their cooperation with authorities.
Dave Steer of Truste, a company that vouches for Internet privacy policies, said his company is getting calls from members inquiring about the need to revise their policies after the attacks.