Secondary Screening

Archives
By Date
April 2006
March 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
December 2004
November 2004
October 2004
September 2004
August 2004
By Category
Airline Security Measures
Bicycles
Book Reviews
Congress
Data Mining
Department of Homeland Security
Freedom of Information
Government Secrecy
Miscellany
Other People's Writing
Privacy
Security Measures
The Courts
The New Web
Threat Level
Recent Entries
Change of Address
Privatized Registered Traveler On Track
Software Bug Shuts Down Nation's Busiest Airport
HostGator Rocks
But some butter is more butter than other butter
TSA Picks Privacy Player
AT&T Loses A Customer Over NSA Lawsuit
Jetsons Video Phone? Deaf Say Yes!
AT&T *69s EFF
Narus Not in the Know
Published articles
Wired News Articles
Links
Wired News
DefenseTech
Practical Nomad
BeSpacific
DHS Privacy Office
Memory Hole Blog
Electronic Privacy Information Center
Privacy Digest
Electronic Frontier Foundation
Homeland Security Institute
Secrecy News
Emergent Chaos
EPIC West's Chris Hoofnagle
Prawfs Blog with Daniel Solove
Ann Harrison
Reuter's Andy Sullivan
Schneier on Security
Talk Left
Reason's Hit & Run
W. David Stephenson
Phillip Carter's Intel Dump
Project on Government Oversight
Technology Liberation Front
Edward Felten's Freedom to Tinker
Contact
Email me
415.375.3150
Subscribe
Feed: Your Reader
Atom
RSS 1.0
RSS 2.0
RSD
About Ryan Singel
I'm a San Francisco-based freelance journalist who covers antiterrorism programs, civil liberties, the Internet and privacy.
« Spy Machine Capabilities? | Main | Narus Not in the Know »
April 11, 2006 | Barbie Says Privacy Is Hard

Daniel Solove has a post today about New York Attorney General Eliot Spitzer settling with Datran Media for $1.1 million for allegedly renting the Freepay/Gratis Internet/Freeipods.com email list while KNOWING that the email list was protected by a privacy policy. The settlement is causing some waves in the direct marketing community, which is now worried it will have to perform "due diligence" before renting lists.

Kirk Nahra's essay essay for Privacy in Focus is a prime example of that hand-wringing. Nahra, a partner at the law firm of Wiley Rein & Fielding, described the settlement holding Datran responsible for checking the privacy policy of the database it wanted to deluge with emails as an "Alice-in-Wonderland result."

The settlement appears to impose a new "due diligence" obligation on the vendor to understand and review the privacy policy of its principals and sub-vendors to make sure that the data supplier isn't doing something wrong in providing data.

How far will this go? Does the vendor have to review underlying consents? Does the vendor have to engage in an audit of the list supplier's privacy practices? How does this new vendor-to-vendor due diligence obligation affect the already growing client-to-vendor oversight obligations?

Obviously, it is too soon to know the full implications of this case-including whether there are any real implications beyond this specific set of facts and companies. It is clear, however, that the Datran settlement adds a new and difficult dimension to vendor contracting, making it even more time consuming and burdensome to retain vendors for any activity that involves personal information. Is that really a result that protects people's privacy?

Weirdly, Nahra mentions the follow-up lawsuit against Gratis Internet, but it seems Nahra couldn't be bothered to read the filings, which might have answered some of his questions.

For instance, according to Spitzer's allegations, which rely heavily on documents and emails obtained during the investigation, Datran employee Susan Weiner asked Gratis Internet to change its privacy policy retroactively, after Datran entered into a contract with Gratis. If true, and Datran's settlement indicates it was, is there any wonder Spitzer considered Datran negligent?

And really, so what if Spitzer sets a precedent that list buyers have to check the privacy policies of the databases they want to buy or rent? Really, how hard is it to check a privacy policy before you buy millions of pieces of intimate information on American citizens? It's at most a couple of clicks. I do that before buying batteries online.

Posted by Ryan Singel at April 11, 2006 11:57 AM

 Trackback Pings

TrackBack URL for this entry:
http://www.secondaryscreening.net/cgi-bin/mt-tb.cgi/282
Powered by
Movable Type 3.2