Companies rethink Net privacy after attacks
Companies are scrambling to ensure their online privacy policies do not run afoul of the sprawling investigation into last month's terrorist attacks.
Most online privacy policies contain provisions for sharing customer information with law enforcement agencies in the event of a criminal investigation or suspected illegal activity. Nevertheless, some companies that have been cooperating with authorities investigating the Sept. 11 suicide hijackings that destroyed the World Trade Center and damaged the Pentagon are now reviewing their actions for possible privacy violations, according to people familiar with their concerns.
A key issue, privacy advocates say, has come from companies that worry they may have gone too far in handing over complete databases to law enforcement in the immediate aftershocks of the attacks without requiring a court order or a subpoena.
"I've never seen a privacy policy that says that we will make all of our records available to authorities in a case of national emergency, and I think as a result of this, you're probably going to see companies adjust their privacy policies to take this into consideration," said Ray Everett-Church, senior privacy strategist at the Los Angeles-based ePrivacy Group.
While companies typically require a warrant or a court order before relinquishing the contents of e-mail or electronic files to federal authorities or in civil cases--procedures mandated under the Electronic Communications Privacy Act--Internet companies can provide information about consumer identities without a court order.
Many major companies have legal departments to handle such requests. But in the aftermath of the terrorist attacks, some companies may have ignored normal procedures for working with law enforcement, privacy experts said. Some experts see an imminent and worrisome shift in the debate over online privacy toward greater surveillance.
Larry Ponemon, CEO of the Dallas-based Privacy Council and former head of PricewaterhouseCoopers' privacy practice, said he's spoken with some companies that admitted giving over their databases to authorities wholesale, without a valid court order or subpoena. He declined to disclose the names of the companies but said consumers may soon begin receiving notifications and apologies informing them of possible privacy violations.
"In some cases, trying to participate and cooperate with authorities led to the other extreme of actually violating all the privacy rights of customers and employees," said Ponemon. "It's scary. We have no assurances they are going to delete (this information). Are they going to return it? Are they going to make any warranty that they won't use it again?"
Legal experts said that the risks of liability in such cases are small.
"Suppression of evidence would be the most serious consequence of the government obtaining information in violation of privacy rights," said Dave Kramer, a partner in the Internet counseling group at Wilson Sonsini. "The likelihood of there being financial consequences...is limited."
In the event that the FBI obtained information from a company without probable cause and a search warrant, the evidence would most likely be inadmissible in court under Fourth Amendment rights, lawyers say. But if the company volunteered the data, particularly in the event the act did not contradict its privacy policy, the evidence would be acceptable.
Nevertheless, some companies seem to be taking precautions in their cooperation with authorities.
Dave Steer of Truste, a company that vouches for Internet privacy policies, said his company is getting calls from members inquiring about the need to revise their policies after the attacks.
"Members are asking, 'Does what happened impact our privacy policy, and does that change the way we should communicate to customers?' (Also), 'How do we insert a clause into the privacy statement that allows for such national incidents?'"