Last year, I was co-counsel on an amicus curiae brief (pdf) in IMS Health v. Ayotte, a case about a New Hampshire state law that banned the sale of prescriber-identifiable prescription drug data for marketing purposes. This week, the US Court of Appeals for the First Circuit upheld (pdf) the New Hampshire law. This decision overturns the ruling (pdf) of the lower court, which held that the New Hampshire law violated the free speech rights of data mining companies. 

The First Circuit rejected the free speech argument and based their decision on two points. First:

Second:

Even if the Prescription Information Law amounts to a regulation of protected speech — a proposition with which we disagree — it passes constitutional muster. In combating this novel threat to the cost-effective delivery of health care, New Hampshire has acted with as much forethought and precision as Constitution demands. (more…)

Disclosure: I am currently a Visiting Scholar at the ACLU.

Ars Technica has an interesting story concerning documents released under the Freedom of Information Act to the ACLU and EFF.

Courts in recent years have been raising the evidentiary bar law enforcement agents must meet in order to obtain historical cell phone records that reveal information about a target’s location. But documents obtained by civil liberties groups under a Freedom of Information Act request suggest that “triggerfish” technology can be used to pinpoint cell phones without involving cell phone providers at all.

Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that because of range limitations, triggerfish were only useful for zeroing in on a phone’s precise location once cooperative cell providers had given a general location. (more…)

News sources are reporting that AT&T is funding a group to focus on standards for commercial use of consumer data. According to the Washington Post:

The group, the Future of Privacy Forum, will be led by Jules Polonetsky, who until this month was in charge of AOL’s privacy policy, and Chris Wolf, a privacy lawyer for law firm Proskauer Rose. They say the organization, which is sponsored by AT&T, aims to develop ways to give consumers more control over how personal information is used for behavioral-targeted advertising.

The San Francisco Chronicle reports:

The group also is seeking funding from other companies and has a 23-member advisory board that includes people from Facebook, LexisNexis and advocacy groups such as the Center for Democracy and Technology. A professor and privacy adviser to former President Bill Clinton, Peter Swire, who also is advising President-elect Barack Obama, is on the board as well. (more…)

The Privacy Commissioner of Canada and the New York Consumer Protection Board have both issued privacy guides for businesses.

The New York Consumer Protection Board’s “Business Privacy Guide” (pdf) explains “how to handle personal identifiable information and limit the prospects of identity theft.” The guide notes that, “After California, New York leads the nation in the number of data breach incidents each year. And, New York is 6th per-capita in identity theft complaints.” The guide also explains how identity theft affects businesses’ bottom lines.

In 2007, identity theft alone cost businesses over 40 billion. The average data breach today will cost your business $192 per-incident. According to a Ponemon Institute study, almost 33% of customers surveyed stated that they would cut ties with a company that had a data breach. It is not only good business sense for your organization to safeguard personal information, but it should be a core value to promote and retain business. A business plan might not stop data breach and identity theft, but good privacy practice will help to limit its adverse effects and to protect your business from potential liability.

The board also released the “Identity Theft Red Flag Rules Business Alert” (pdf), “a fact sheet for business covering promulgated rules to safeguard data and help banks and financial institutions protect customers against identity theft.” What are red flag rules? (more…)

In October, the Privacy Commissioner of Canada’s office announced it “has prepared a draft guidance document that sets out good practice rules for private sector organizations that are either contemplating or using covert video surveillance.” The Commissioner asked for public comment on the draft guidance, which sets out a test to determine whether an organization may use covert video surveillance. See my original post. The deadline for public comment is tomorrow, November 14.

Any questions about the draft guidelines or comments process can be sent via email to: consultation@privcom.gc.ca. Comments on the guidance document may be sent by postal mail to:

Covert Video Surveillance Consultation
Office of the Privacy Commissioner of Canada
112 Kent Street, 3rd Floor
Ottawa, Ontario
K1A 1H3

Both found via PogoWasRight.org.

Here are two academic articles about privacy issues that might be of interest to readers.

First, an article (pdf) by Jed Rubenfeld, Robert R. Slaughter Professor at Yale Law, entitled, “The End of Privacy.” Rubenfeld raises a number of questions, some of them surprising. I agree with some points but am skeptical of others. From the introduction:

This Article is about the Fourth Amendment. It is an attempt to recover that amendment’s core meaning and core principles.

Why has the Fourth Amendment, despite explicitly governing seizures of the person, played so minimal a role in the judicial response to the “unlawful combatant” detentions? What allows courts to find no Fourth Amendment search or seizure when the government obtains records from telephone companies or Internet service providers showing whom you have communicated with and when and for how long? What allowed the Sixth Circuit last summer to dismiss a challenge to the NSA’s covert wiretapping on grounds implying that the program might never be reviewed under the Fourth Amendment at all? What flaw, in short, in modern doctrine has made the Fourth Amendment so irrelevant to the present search and seizure debates — and how could it reclaim its relevance? This Article tries to answer these questions. (more…)