When discussing US cyberlaw and how it impacts privacy, it is important to understand exactly what is meant by the terms ‘cyberlaw’ and ‘privacy’. Cyberlaw has been defined in many ways, but most definitions are vague and do not provide much help. For this article, the definition cyberlaw from yourdictionary.com will be used:
Cyberlaw – n. The area of law dealing with the use of computers and the Internet and the exchange of communications and information thereon, including related issues concerning such communications and information as the protection of intellectual property rights, freedom of speech, and public access to information.
Privacy can be just as nebulous a term. Reading most social network privacy policies quickly teaches that privacy can be a relative term. Googling “define: privacy” returns “The state or condition of being free from being observed or disturbed by other people,” as the first result. That definition will not work online. At the very least, the phrase, “by other people,” will have to go.
The concept of privacy as understood in the physical world does not translate directly into the digital world of the Internet. Without special effort to prevent it, simply visiting a website can reveal the visitors location and recently visited sites as well as the operating system on their computer. Those are only a few of the things revealed just by visiting a website. If you are online, you are observed. By the traditional definition, you have no privacy – and cannot expect it – online.
The expectation of privacy has been the key factor in many cases involving the right to privacy over the past several decades. In the case of Stengart v Loving Care Agency, the entire case was pinned on whether or not Marina Stengart had a reasonable expectation of privacy when using her personal web-based email on her company-issued laptop. This illustrates a difference between privacy in the physical and digital worlds. The physical world definition of privacy assumes the ability to escape observation. Online most people do not even know they can be observed, let alone that they are, constantly. The definition of privacy online will have to include the ability to control the amount of data others can gather about you and what they can do with what they gather.
There have been privacy laws passed that affect the Internet, but most only indirectly. The Health Insurance Portability and Accountability Act (HIPAA) is probably the most pervasive. However, it is not aimed specifically at protecting privacy online. The primary purpose of HIPAA is to protect health information wherever it is. Health information must be private and secure. It must be transmitted over encrypted connections and stored on secure servers.
There are laws regarding financial information that dictate how banks and other financial institutions can send data across the internet, but the primary purpose is security, not privacy and the actual effect on privacy is low. The 1986 revamp of the Electronics Communications Privacy Act of 1968 is the law most directly related to online privacy, but it is over 25 years old and badly in need of revision.
The Children’s Online Privacy Protection Act of 1998 (COPA) limited the amount of information web sites can gather about children and required them to give parents control over the information that sites harvested from their children, but it has no effect on data collection from adults.
Perhaps the law most detrimental to online privacy is the 2001 Patriot Act. Passed in a panicked response to the 9/11/2001 terrorist attacks on New York and Washington DC, it greatly increased the federal governments’ ability to monitor and track online behavior.
With the exception of COPA, there are few US cyberlaws that directly address privacy. Some, like the Computer Fraud and Abuse Act can be stretched in ways that affect privacy, but were not intended to cover it. The case of Robbins v. Lower Merion School District found the school violated the COPA by activating laptop webcams and taking pictures and screenshots while the students were at home with their school-provided laptops. The laptops belonged to the school, but activating the webcams inappropriately violated the students’ privacy and COPA.
At the end of 2011 two bills were proposed in the name of protecting intellectual property. They were the “Stop Online Piracy Act” (SOPA) and the “Protect IP Act” (PIPA). While privacy was not part of their structure, if they had passed they could have been used in conjunction with other laws to force identities of violators from ISP’s and other entities. A third failed bill, the Cyber Intelligence Sharing and Protection Act (CISPA) would have given the government massive new inroads to violate citizens online privacy. The failure of these bills seems to have dimmed the enthusiasm of lawmakers to support legislation that will radically change the online privacy landscape, but it could be just a temporary lull until after the presidential election in November.