whir blogs

NJ court upholds expectation of privacy in IP addresses

The Supreme Court of New Jersey joined a small, but growing, number of state courts that have ruled that individuals have an expectation of privacy in the IP addresses assigned to them by their ISPs. The unanimous decision in State v. Reid was based on the New Jersey state Constitution, rather than the U.S. Constitution.

At base, the court held that a demand for an IP address must be connected with some sort of judicial proceeding, and not a simple subpoena issued by a court without any kind of review.  The court stated that the demand for the IP address must “bear some possible relationship” to an investigation.  That relationship can be demonstrated by requiring that the subpoena be issued as part of the grand jury process, rather than through a process in which a subpoena may be issued without any demonstration of relevance.  The court refused to go further, and require that a subpoena be issued by a grand jury only upon demonstration of probable cause (the standard necessary to issue a warrant).

This decision shows the difference in privacy rights that is developing between state constitutions and the U.S. Constitution. Federal courts have routinely held that there is no constitutionally based expectation of privacy in IP addresses, while state courts are increasingly interpreting their constitutions the opposite way. Like many similar state vs. Federal issues, these different interpretations are ironic since most state constitutions are based on the Federal Constitution. However, state courts have a long history of interpreting their constitutions differently than the U.S. Constitution.

For hosts, this decision reinforces the need to require some sort of service of process prior to disclosing information about your customers. It’s important to note that the ISP in this case, Comcast, was not a party to the suit, and not held to be liable for its response to the defective subpoena. However, what this case does illustrate is the growing body of law supporting customers’ expectation of privacy in information generated by their use of technology.

From a micro perspective, hosts should always require that any request for customer information be part of a judicial proceeding, or otherwise authorized by law. From a macro perspective, it should cause those who are interested in commercializing this information to be careful in how customer information is used. The line between a host’s ownership of information generated by customers’ use of its technology, and a customer’s expectation of privacy, becomes thinner with every decision in this area.

 


Thoughts from office 2.0

The office2.0 conference began yesterday with a cocktail party. At the party, I met a doctor from CNMRI who is using technology in two interesting ways. He’s using Twitter so his staff can figure out what tasks each of them is engaged in throughout the day – this allows them to focus more on patients, and less on locating each other. The second is a project to build a web-based statewide health information network in the State of Delaware. This will let doctors and patients share medical records across the web.

As interesting as these new applications of technology are, they rang two alarms for me: privacy and HIPAA. As I’ve noted in both my columns and on this blog, I believe that privacy is likely to emerge as a regulatory and litigation issue in the next year. The use of Twitter in a medical capacity has significant privacy implications. While I was unable to access Twitter to review its contract, I would assume that it has provisions similar to the contracts of most internet infrastructure providers which basically say that the provider has no liability for anything and does not guarantee the security of its network. So where does that leave the doctor when Twitter accidentally discloses that one of the doctor’s patients is in exam room 3 being treated for an STD, and the doctor is sued when the patient’s wife finds out? Twitter may have some liability depending on what its privacy policy says. As I often point out, privacy policies are contracts between companies, their customers, and often third parties. As a result, they should be reviewed with the same level of scrutiny.

HIPAA is also a big issue. I inquired whether the doctor had sent Twitter a Business Associate Agreement (BAA) and how these agreements would function in the context of a networked medical records system in which each doctor had their own ISP and likely host who was connected to other hosts and bandwidth providers.

BAAs are the main legal issue for web hosts and other internet infrastructure providers under HIPAA. BAAs impose additional contractual obligations on third parties based on a health care provider’s obligations under HIPAA. In essence you are contractually obligated to follow the terms of the BAA. HIPAA itself does not contain a form BAA. As a result, businesses are free to create their own BAAs as long as they conform to the bare minimum required by the statute. As might be expected, some businesses have been using BAAs to back door contractual provisions that they were unsuccessful at getting in their initial negotiation. The most common provisions I see are privacy warranties and SLA carve outs, neither of which are required by HIPAA. Hosts and other internet infrastructure providers need to pay close attention to BAAs they receive to make sure that they are only contractually obligating themselves to things they can actually do.


Thoughts from LT Pact - SaaS and Privacy.

I recently spoke at, and attended, Layered Technologies' summit: LT Pact. In addition to a number of excellent presentations, and a very involved audience, there was a great deal of on-topic discussion at networking events after the main programs. I got in a pretty neat discussion about SaaS and privacy with Ravi Agarwal, CEO of SaaS provider Group Spark, and Nelson Taggart of Microsoft. Basically both Ravi and Nelson simply asked me: "why aren't you talking about the privacy implications of SaaS?" That's a good question.

In my work with SaaS clients I'm always careful to follow the data into, through, and out of their organization, as I'm sure most lawyers do. But there is a much bigger issue here: who's ultimately going to be on the hook for the data? I can be reasonably sure that most SaaS providers have contracts that limit their liability to the systems they actually control, and data they actually possess. Most have also likely entered into agreements with their vendors that clearly delineate responsibility for data, and any liability that flows from a problem with the data. But is that enough? Honestly, I'm not sure it is. As we discussed at LT Pact, there are a huge number of realistic scenarios in which one link in the SaaS chain mishandles data. Naturally, in many of these scenarios it may be difficult to isolate the one factor that triggered the problem.

What comes immediately to mind are fiber cuts. Fiber to your data center gets cut, you call your bandwidth provider, they say it was the cable company's fault. You call the cable company, they say it was a subcontractor's fault. The subcontractor claims that it was the utility marking company's fault. The utility marking company blames the bandwidth provider's network diagram. Other than the bandwidth provider and cable company, no one has insurance, and the bandwidth and cable company's insurance carrier is pointing to your agreement with the telco in which your damages are limited to three times your monthly bill. Meanwhile your customers have been down for a significant amount of time, triggering payments under your SLA. Are your customers going to stick around if you are relating the facts underlying the outage all the while trying to minimize payments under your SLA? I don't think so.

I can see the same thing happening with privacy in the SaaS context. Addressing privacy issues with the scenario described above is going to be a tough legal nut to crack. The first place I'd look is to decisions made by the Federal Trade Commission. The FTC has taken the position that with privacy policies, the policy follows the data. It's not a far stretch to the conclusion that each link in the SaaS data chain is responsible for the data they touch as it moves along the chain.

But for SaaS providers, is this fair?  Is a hosted exchange provider responsible for a misdirected e-mail that is misdirected by a bandwidth provider who is simply a link in the "Internet cloud?"  I'd argue not.  However, an individual whose credit card number was contained in the e-mail, is not likely to be as sympathetic, nor to be interested in parsing through the steps that took place during processing of the e-mail.

The second place I'd look is to contract law.  I think the fiber cut analogy fits well in a contract analysis.  A court may be more likely to look at the links in the chain of contracts, and attempt to isolate which mistakes were caused by what company, and what their contractual liability is.  So, it is pretty important that you look at the terms of each of your contracts in an SaaS transaction.  It would also be good to get a representation in each of your contracts that upstream and downstream providers will have the same or similar provisions.


Subpoenas

Two recent decisions may give your customers additional grounds on which to protest subpoenas for their subscriber information. In McMann v. Doe, the Arizona Superior Court held that plaintiffs must specifically and definitely allege the wrongs they have suffered in order to justify a subpoena demanding the names of anonymous individuals and give the targets of the subpoena the opportunity to oppose it.

While this seems to be a pretty low standard, it is important for two reasons. The first is that it acknowledges that many litigants bring suit simply to uncover the names of people who write things about them that they disagree with. This court determined that an individual's right to anonymous speech trumps another's desire to simply see who's disagreeing with them. It also held that the anonymous individual be given the right to oppose the subpoena. This part of the holding is important to web hosts, because at least in Arizona, you may now have an obligation to notify your customers when you receive a subpoena for their identity.

The second case is State of New Jersey v. Reid. In this case, a New Jersey Court of Appeals held that the New Jersey state constitution gives its citizens a constitutional right to privacy in information handed over to third parties. Federal courts have uniformly held that under the U.S. Constitution, citizens have no right to privacy in information voluntarily handed over to third parties. The New Jersey court held that before this type of information could be subject to a subpoena, law enforcement authorities must have probable cause to suspect an unlawful use of the information.

This case is very interesting because the New Jersey court expressly recognized a right to informational privacy. This means that data about customers that is turned over to companies for billing, record keeping, and administration, may be private under the New Jersey constitution. It will be interesting to see if Federal courts begin to look at this decision and re-evaluate their interpretation of Smith v. Maryland, the U.S. Supreme Court decision which found no Constitutional right to information privacy.


G-mail and privacy

While searching on-line for some Christmas gifts, I came upon this article about the interaction between g-mail and privacy. I've always been intrigued by how little thought people put into how their personal data is used. Indeed, if monetizing information, and "mash-ups" involving your customer's data and your vendor's products, are in fact the future, the future is going to be bright for lawyers. For starters, look at the privacy policy Google has had to create in order to basically have no responsibility for how they use data they collect from customers. This policy is a great example of how companies task their lawyers to ensure customers have no rights in their data once it is transmitted to the company's servers. As I've noted in my column for the WHIR, I believe it's only a matter of time before some overzealous company "over monetizes" the information it has received from its customers. When that happens, privacy policies, like Google's, will either need to be substantially modified, or will be found to be egregious. Until that time, I think web hosts should put considerable thought into how much they actually gain when leveraging their customer's information by sharing it with vendors and affiliates.

I'll leave for another day the question of how a Google search for "noise cancelling earphones" got linked to an analysis of G-mail and Google's privacy policy.

 
 


  © Copyright Web Host Industry Review, Inc.