How to Respect Privacy in a Social Media Investigation

Privacy Impact Assessment

Social networks like Facebook hold so much information about our thoughts, our behavior, our relationships that official investigations naturally seek to uncover it.

Privacy on the Ascendancy

But as technology collects more data, powerful voices are championing greater respect for the privacy of the data. These voices arise from around the world; I’ll point to two voices from the US.

The White House has published a Consumer Privacy Bill of Rights, broadly declaring, “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.” Although this document focuses on the rights of consumers, it is consistent with rising expectations that the privacy of individuals be respected at a time when technology is enabling an unprecedented accumulation of personal data.

The US Supreme Court recently ruled, for the first time under the Fourth Amendment, that citizens have a right to privacy when in public. United States v. Jones held that police must obtain a search warrant in order to track the public movements of a suspect with a GPS device.

A Rift in Society

A rift has emerged in society. On one side are the forces of justice that seek to discover the truth about disputes and compliance with law. These forces are represented by all the means through which our legal system supports the gathering of evidence -- subpoenas . . . safety inspections . . . inquiries by police . . .e-discovery in civil litigation . . . due diligence by prospective employers . . . evidence collection in divorces and child custody battles . . . probes by disciplinary officials at schools and colleges . . . audits by government tax or regulatory officials . . . and much more. These forces rightfully wish to access the mountains of relevant data stored in social networks.

On the other side of the rift are the forces of privacy.

As a consequence of this deepening rift, those people who wear the hat of "investigator" face emerging risk and responsibility. An example of the risk is Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009). Management at a restaurant believed, with reason, that it needed to investigate allegations of workplace-misbehavior recorded in a forum on Myspace. Management obtained, through certain employee cooperation, access to the content of the forum and then terminated some employees based on what they posted in the forum. But the court found that by looking at the content of the forum management violated the privacy of employees; the court awarded damages in favor of employees.

Prudent Investigator

For investigators, coping with privacy risk and responsibility is not easy. But I have a recommendation. Prudence dictates that all investigators explicitly consider privacy when seeking data through technology, such as social media. What does that mean in practice?

The investigator needs evidence that she thoughtfully weighed privacy concerns as she designed and executed her investigation. This evidence can be provided in a “privacy impact assessment.” A privacy impact assessment is a written statement, stored in the investigator’s file, showing rational deliberation about the effect of the investigation on the privacy of the target of the investigation, as well as on the privacy of bystanders.

A persuasive privacy impact assessment will articulate the justification for the investigation and evaluate alternative methods for getting the needed information. It will assess methods for minimizing the impositions on privacy, while pursuing the legitimate goals of the investigation. It will display a conscious weighing of factors, so as to balance need against cost.

Demonstrate Serious Contemplation

A privacy impact assessment need not necessarily be a lengthy document. For less substantial investigations, it might be only a paragraph.

But it needs to be thorough enough to demonstrate that the investigator diligently contemplated the facts and methods of the case. It might specify, for example, steps to limit the quantity of data collected, the number of people who have access to the investigation file, and the length of time data is stored before it is destroyed.

The impact assessment will be more persuasive if the investigator consults a colleague or superior in the course of drafting it.

No Perfect Solution

A competent impact assessment will not guarantee that law will determine that the investigator complied with privacy interests. But it can be powerful evidence that the investigator performed responsibly in the presence of conflicting interests.

I would be honored to hear your comments on this idea.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related: Complying with the Internet's tsunami of laws

About

Benjamin Wright is an attorney in private practice. He teaches the Law of Data Security and Investigations for the SANS Institute. He is author of The Law of Electronic Commerce (published by Wolters Kluwer) and Business Law and Computer Security (published by SANS). He helps others navigate the law of data compliance, including privacy, e-commerce, e-discovery, cloud contracts, records management and cyber investigations.

He is spotlighted in the book The Devil Inside the Beltway for his uncommonly insightful advice to LabMD in its now famous information security law dispute.

Public Statements Are Not Legal Advice

None of Mr. Wright's public statements, such as remarks on blogs, twitter, youtube web pages, social media and the like, are guaranteed for accuracy or are legal advice for any particular situation. You use the ideas in those statements at your own risk. If you need legal advice, you should consult a lawyer.

Mr. Wright's blogs, updates, tweets, web comments, youtube videos, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer.

Mr. Wright does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Wright has done anything illegal or unethical, he asks that person promptly to telephone him at 1.214.403.6642. Promptness helps mitigate damage.

Any person accessing any of Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Wright's interests.

No Advertisement

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Communication with Mr. Wright via private message does not, in itself, create an attorney-client relationship.

Privacy/Security Vision

Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

IMPORTANT Confidentiality Notice

Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.

Relationships

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has earned money from some organizations he mentions online, such as Messaging Architects/Netmail, SANS Institute and LabMD.

Attribution

Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.

Dallas, Texas. Tel: +1.214.403.6642

InfoSec & Forensics Law

How to Respect Privacy in a Social Media Investigation

No comments:

Post a Comment

SANS Quote

How to Get Electronic Evidence

Government Agency & School Records