Your data online: safe as houses
In an earthquake
A decision by a federal court in Minnesota may have profound repercussions for the ability of consumers and others to rely upon promises of security and privacy made on corporate or governmental websites - and that's just for starters.
On 21 June, 2004, the United States Senate Governmental Affairs Committee was told that a number of US airlines had routinely collected data about travelers on their flights. This information included dates of travel, origin and destination, credit card and payment data, seat preference, and even whether they wanted a kosher, low-fat, vegetarian, or Atkins-friendly meal (remember when you got meals?) on the flight. Moreover, the airlines that collected this information had privacy policies like that of American Airlines, which states:
Information Security is one of our highest priorities at American. We limit access to personal information about you to those authorized employees and agents who need to know the information to provide products and services to you.
We maintain strict physical, electronic and procedural safeguards that comply with federal regulations to protect personal information and we regularly review our security standards and procedures to protect against unauthorized access to personal information.
Based on this language, it might be reasonable to conclude that any personal information you shared with American Airlines would be secure. From a legal perspective, such an assumption would be misplaced.
First, what American giveth, American can taketh away. On a separate part of its webpage, under the sinisterly named moniker "legal," American Airlines' policy disclaims any warranty. In short, they say that even though information security is "one of their highest priorities," if they screw up and leak your information, you are out of luck. They state:
While American Airlines takes reasonable steps to safeguard and to prevent unauthorized access to your private information, we cannot be responsible for the acts of those who gain unauthorized access, and we make no warranty, express, implied, or otherwise, that we will prevent unauthorized access to your private information. IN NO EVENT SHALL AMERICAN AIRLINES OR ITS AFFILIATES BE LIABLE FOR ANY DAMAGES (WHETHER CONSEQUENTIAL, DIRECT, INCIDENTAL, INDIRECT, PUNITIVE, SPECIAL OR OTHERWISE) ARISING OUT OF, OR IN ANY WAY CONNECTED WITH, A THIRD PARTY'S UNAUTHORIZED ACCESS TO YOUR INFORMATION, REGARDLESS OF WHETHER SUCH DAMAGES ARE BASED ON CONTRACT, STRICT LIABILITY, TORT OR OTHER THEORIES OF LIABILITY, AND ALSO REGARDLESS OF WHETHER AMERICAN AIRLINES WAS GIVEN ACTUAL OR CONSTRUCTIVE NOTICE THAT DAMAGES WERE POSSIBLE.
So, if the sharing is "authorized," it's ok, and if it's "unauthorized" it's also ok. You gotta love these lawyers.
It's okay to give your personal data to the government. And ultimately, this is exactly what American Airlines did, along with Delta, Continental, America West, JetBlue, Frontier Airlines and travel reservation firms Galileo International and Sabre Holdings. In all, tens of millions of passenger records were transferred in violation of express privacy and security policies. Among these revelations, Northwest Airlines admitted that it shared records with NASA in a similar program.
But in the end, very little of this matters, because even the restrictive privacy language may not be enforceable.
You see, Northwest customers sued the airline for revealing their data, and on 6 June, 2004, US District Judge Paul Magnuson, in Northwest's home turf of Minnesota, dismissed the case (PDF) without a trial. First, the court held that when the US Congress deregulated the airline industry, it didn't want the states to tell the airlines what to do, and prohibited states from passing laws related to the "service of an air carrier." Thus, if an airline commits fraud, deception, larceny, theft, invasion of privacy, or any other civil or criminal wrong, the state can't prosecute the airline under ordinary consumer protection or theft laws (or torts) that would apply to other entities. The airlines as an industry are free to deceive without fear of accountability under state law.
Next, the court went on to state that the customer's "personally identifiable information" - the stuff that the airline agreed to protect - did not belong to the customer, because the customer "voluntarily provided some information that was included" in the information given to the government, and that when Northwest "compiled and combined" this information with other data it "became Northwest's property."
The court concluded "Northwest cannot wrongfully take its own property."
This analysis is not limited to airlines. Any company or entity is now free to say anything in order to induce you to part with your personal information (don't worry, it's secure, or we won't sell it), because once you give it up, it "belongs" to them.
The Fine Print
This court's reasoning overlooks the fact that the consumers only "voluntarily" provided this information to Northwest because the airline made certain promises and representations about its privacy and security. It's also wholly inconsistent with a series of deceptive trade practice cases brought by the United States Federal Trade Commission against companies like Guess Jeans, Microsoft, Eli Lilly, and Tower Records, as well as New York State consumer protection enforcement actions against Barnes and Nobel, Ziff Davis Publishing, and Victoria's Secret.
In each of these cases, the government's theory was that the personal information obtained by the companies was obtained wrongfully (and therefore constituted a deceptive trade practice) because the individuals were promised that their data would be secure when it was not. Ownership of the personal data did not transfer to the companies - well at least not voluntarily. The Minnesota decision, if more widely adopted, threatens to derail all of this privacy and security related case law.
Now the reasoning is not without some intellectual merit. After all, you can't be harmed by a breach of terms of an agreement you never knew existed. You also can't claim a "quid pro quo" - that you agreed to give up your personal information in exchange for a promise of privacy or security that you never saw and never knew about.
The problem with this reasoning is its unilateral nature. Certainly Northwest would seek to enforce all kinds of terms of its website, or the microprint on the back of paper tickets, irrespective of whether the consumer actually "read" the contract. Under click-wrap, click-through, or other Web-based contracts, it has generally been deemed sufficient to bind the party if the terms of the contract were "available" to be read - whether or not they were actually read. Would the American Airlines legal disclaimer of warranty only apply to those who read it? What if I only read the privacy and security policy but not the legal disclaimer? Could I claim breach of only the parts of the contract I chose to read?
More troubling was the fact that the language that Northwest sought to avoid was written by Northwest itself, posted on Northwest's own website. Clearly, they knew about it. So it was binding only on the people who booked online and read the policy? Did Northwest segregate its data - those who booked after reading the site get privacy, but those who booked without reading the policy have their privacy data shipped to the government? This is caveat emptor in reverse. If a promise is made in a forest, and nobody is around to hear it, is it binding?
I think it is - or at least it should be. If you make a promise to the general public that you will make their data secure, then by God, you should do so - for everyone. Otherwise, by default, everyone who fails to read a HIPPA, GLBA, or Data Privacy notice has "opted in" to any use the company wants to make of their data. Promises of privacy become, if not completely meaningless, at least meaning less.
As a final insult, the Northwest airlines judge essentially resorted to the "so-what" defense. The court said that even if you read the policy, relied on it as a contract, agreed to part with your personal information in return for the promise of privacy and security, and then Northwest knowingly and deliberately breached this promise and shared your data with the government, you suffer no contractual damages as a result. Your real damages, according to the judge, are for invasion of privacy, not breach of contract, and since you no longer own that data, you have no privacy rights at all. A classic no-win situation.
The basis for this decision potentially undermines the ability to contract in cyberspace. It also means a lot more reading of fine print by all of us. Get your reading glasses ready.
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.