Internet privacy

From today's Chron, via the AP wire:

In the days after his stepdaughter's murder, Tim Remsburg funneled his fury into phone calls to anyone he thought might help explain her death.

"At two o'clock in the morning, I was trying to get President Clinton's number. I couldn't sleep. I just wanted to rattle everyone's cages and get some answers," he said.

His stepdaughter, Amy Boyer, was 20 when she was shot to death Oct. 15, 1999, by a former high school classmate, Liam Youens, who had paid an Internet information broker to track her down.

For the three years since the murder, her parents have fought to protect other potential victims, most recently by suing the broker for negligence and invasion of privacy.

I'm always a little nervous when I tune in to a story about people who claim their privacy has been violated by "the Internet". I know there's plenty of data out there about all of us that we'd prefer didn't exist in any organized fashion, but blaming "the Internet" is often an exercise in misdirected blame, just as is blaming "pornography" for serial killers.

Generally speaking, the sort of information about you that is freely available on the Internet was freely available long before the Internet entered the public consciousness. I can find all sorts of useful information at the Harris County Tax Assessor web page, for example, but it's all stuff that's public record. I could also get it by taking a trip downtown, or calling them on the phone, and asking for it. The Internet makes it easy for me to get this information, but it didn't make it possible for me to get it.

Getting back to the story, I see that "the Internet" is not really the focus of this lawsuit:

Youens paid Docusearch Inc. of Boca Raton, Fla., about $150 to get Boyer's Social Security number and other information, including her work address.

"Docusearch pulled through (amazingly) it's like a dream," Youens wrote on his Web site.

A few weeks later, Youens pulled alongside Boyer's car after she left her job at a dental office and shot her 11 times before killing himself.

[...]

The Remsburgs filed a federal lawsuit against Docusearch in April 2000. The case is on hold while the state Supreme Court clears up several legal questions, including whether private investigators or information brokers have any legal obligations to the people whose information they sell.

The Remsburgs argue Docusearch should have notified Boyer that Youens was requesting the information, and made sure he had a legitimate reason.

But a Docusearch lawyer said the company has such a duty only if it knows the sale would significantly increase the risk of a violent attack. In this case, Youens already knew Boyer's home address and didn't need her work address to kill her, Andrew Schulman said at a hearing last month.

The court also is deciding whether someone whose Social Security number was obtained without permission can argue invasion of privacy, and whether the same argument can be made about a work address.

The facts of the case are pretty horrible, but I'm not sure why the private investigator is liable. Again, unless they obtained non-public information by illicit means, all they did was facilitate. Liam Youens could have found that information on his own had he chosen to. And what constitutes a "legitimate" reason to find out someone's work address? What if he'd said he was an old friend who wanted to send her flowers for her birthday? What if he said he'd met her at a convention and wanted to send her a resume? Seems to me this is a pretty low hurdle to clear.

Schulman did not immediately return calls seeking comment, but at the hearing, he argued that none of the information Docusearch provided was private. Docusearch had hired a woman who called Boyer and her family to get her work address without revealing why she was calling, a technique known as "pretexting."

In hacker circles, this is known as social engineering, though that usually refers to getting information that's supposed to be secret, such as passwords. This may sound sleazy, but let's face it: Once they know where she works, all it takes is a phone book for the rest.

My heart goes out to Amy Boyer's family and friends, but I don't think they have a legal leg to stand on. I certainly favor efforts to keep private data private, but only if those efforts focus on availability. I fear they are casting too broad a net, and I don't think any good law will result from it.

Posted by Charles Kuffner on December 30, 2002 to Legal matters | TrackBack