PRIVACY AND THE INTERNET:

^[1] See U.S. Dep't of Commerce, The Emerging Digital Economy 4 (1998) ( "The Internet's pace of adoption eclipses all other technologies that preceded it."). The legal literature on privacy and the Internet is vast – in fact, overwhelming. For a small sampling, see Eric Sinrod, Jeffrey W. Reyna & Barak D. Jolish, The New Wave of Speech and Privacy Developments in Cyberspace, 21 Hastings Comm./Ent. L.J. 583 (1999); Andrew L. Shapiro, Privacy for Sale: Peddling Data on the Internet, 26 Hum. Rts. 10 (1999); Jerry Berman & Deirdre Mulligan, Privacy in the Digital Age: Work in Progress, 23 Nova L. Rev. 551 (1999); Joel R. Reidenberg. Restoring Americans’ Privacy in Electronic Commerce, 14 Berkeley Tech. L.J. 771 (1999); Erika S. Koster, Zero Privacy: Personal Data on the Internet, 16 Computer Law. 7 (1999); Karl D. Belgum, Who Leads at Half-Time?: Three Conflicting Visions of Internet Privacy Policy, 6 Rich. J.L. & Tech. 1 (1999); Jeff Sovern, Opting In, Opting Out, or No Options at All: The Fight for Control of Personal Information, 74 Wash. L. Rev. 1033 (1999).

^[2] See Perry H. Roth, Internet Industry, Value Line, June 4, 1998, at 2219.

^[3] 5 U.S.C. § 552a (1994).

^[4] Id. § 552a(a)(4).

^[5] Id.

^[6] See Paul M. Schwartz & Joel R. Reidenberg, Data Privacy Law: A Study of United States Data Protection 92 (1996); Paul M. Schwartz, Privacy and Democracy in Cyberspace, 52 Vand. L. Rev. 1609 (1999). For a list of Web sites with information on Internet privacy issues, see < http://www.gahtan.com/cyberlaw>.

^[7] See Reno v. ACLU, 521 U.S. 844, 868‑73 (1997) (describing some of the forms of on-line behavior); Sherry Turkle, Life on the Screen: Identity in the Age of the Internet 186‑209 (1995).

^[8] Federal Trade Commission, Privacy Online: A Report to Congress (June 4, 1998).

^[9] See Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stanford L. Rev. 1193, 1238 (1998).

^[10] See Federal Trade Comm’n, Privacy Online: A Report to Congress (June 4, 1998).

^[11] Georgetown Internet Privacy Policy Survey (1999), conducted by Professor Mary Culnan, McDonough School of Business, Georgetown University.

^[12] Online Privacy Alliance, Privacy and the Top 100 Sites: A Report to the Federal Trade Commission (1999). This survey also was conducted by Professor Culnan.

^[13] 1999 FTC Report at 7.

^[14] Id. at 12.

^[15] Electronic Commerce: FTC Can Find No Need for Congress to Pass Legislation to Protect Online Privacy, 77 Antitrust & Trade Reg. Rep. (BNA) 58 (July 15, 1999).

^[16] See Jeffrey P. Cunard, Jennifer B. Coplan & George Vradenburg, III, Communications Law 1999, 581 PLI/Pat 853 (Nov. 1999); Electronic Privacy Information Center, Report 94‑1, Privacy Guidelines for the National Information Infrastructure: A Review of the Proposed Principles of the Privacy Working Group <http:www.epic.org/privacy/internet/EPIC_NII_privacy.txt>.

^[17] See Federal Trade Comm’n, Privacy Online: Fair Information Practices in the Electronic Marketplace, A Report to Congress (May 2000), <htttp://www.ftc.gov/os/2000/05/index.htm#22>.

^[18] Monica Lewinsky's experience demonstrates how computer files can be deleted, but not destroyed. The Office of Independent Counsel's report to the House of Representatives includes e‑mails and draft letters, including messages to President Clinton that Lewinsky never intended to send, which were recovered from deleted files on Lewinsky's computer. This recovery was possible because use of a "delete" button on a computer does not destroy the information, but merely hides it from view. See The Starr Report: The Evidence 448‑59 (Phil Kuntz ed., 1998)

^[19] See Brian Underdahl & Edward Willett, Internet Bible 124‑26, 147 (1998).

^[20] See Bryan Pfaffenberger, Protect Your Privacy on the Internet 182‑91 (1997); David S. Bennahum, Daemon Seed: Old email never dies, Wired, May 1999, at 100, 102. The Office of the Independent Counsel appears to have used such a software program in recovering, for example, drafts of documents that Monica Lewinsky wrote and then deleted from her computer's hard drive. See Starr Report Evidence, supra note 8, at 431. See also Jerry Adler, When E‑ Mail Bites Back, Newsweek, Nov. 23, 1998, at 45 (noting that in its investigation of Microsoft, the Justice Department has obtained "an estimated 3.3 million Microsoft documents, including megabytes of e‑mail messages dating from the early 1990s‑‑and is using them to contradict Gate's own videotaped testimony in the most significant antitrust case of the decade").

^[21] See James N. Thurman, Here’s one `cookie’ many consumers don’t want, Christian Sci. Monitor, at 2, April 18, 2000.

^[22] See Netscape, Cookies and Privacy Frequently Asked Questions <http:// www.home.netscape.com/products/security/resources/faq.cookies.html> (explaining that "cookies can be used to store any information that the user volunteers").

^[23] See Lawrence Lessig, The Path of Cyberlaw, 104 Yale L.J. 1743, 1748‑49 (1995) (noting how a systems operator at a university can monitor activities of students and faculty on the Internet).

^[24] See Edward C. Baig, Privacy, Bus. Wk., Apr. 5, 1999, at 84 ("Personal details are acquiring enormous financial value. They are the new currency of the digital economy.").

^[25] Fed. Trade Comm’n, Self‑Regulation and Privacy Online: A Report to Congress (July 1999) (hereinafter FTC Self‑Regulation Report) (available at <http:// www.ftc.gov/opa/1999/9907/‑report‑1999.htm/>); Georgetown Internet Privacy Policy Survey <http:// www.msb.edu/faculty/culnan/gippshome.html>.

^[26] See Center for Democracy and Tech., Behind the Numbers: Privacy Problems on the Web <http:www.cdt.org/privacy>.

^[27] For a sampling of these sites and sales policies, see Dig Dirt Inc. <http://www.digdirt.com>; WeSpy4U.com <http://www.wespy4u.com>; Snoop Collection <http://www.spycave.com/spy.html>. For example, the Snoop Collection promises "for one low fee" to provide the "enchantment of finding out a juicy tidbit about a co‑worker" or checking "on your daughter's new boyfriend."

For an FTC report on these traditional look up services, see FTC, Individual Reference Services: A Report to Congress

< http:www.ftc.gov/bcp/privacy/wkshp97/‑irsdoc1.htm>. Following the FTC's investigation, this industry made adjustments to its privacy practices. See FTC, Information Industry Voluntarily Agrees to Stronger Protections for Consumers, <http://www.ftc.‑gov/opa/1997/9712/inrefser.‑htm>.

¹⁸ See Hall Adams, III, Suzanne M. Scheuing, & Stacey A. Feeley, E-Mail Monitoring in the Workplace: The Good, the Bad, and the Ugly, 65 Def. Couns. J. 32 (2000).

¹⁹ Electronics Communications Privacy Act of 1986, codified at 18 U.S.C. §§ 2510‑2521, 2701‑ 2711, 3117 & 3121‑3127. See Micalyn S. Harris, E-Mail Privacy: An Oxymoron? 78 Neb. L. Rev. 386 (1999).

²⁰ Smyth v. Pillsbury Co., 914 F. Supp. 97 (E.D. Pa. 1996). The employer promised that "all e‑mail communications would remain confidential and privileged" and that "e‑mail communications could not be intercepted and used by defendant against its employees as grounds for termination or reprimand." Id. at 98.

²¹ 18 U.S.C. § 2511(1).

²² See 18 U.S.C. § 2510(5)(a)(1).

²³ Watkins v. L.M. Berry & Co., 704 F.2d 577 (11th Cir. 1983).

²⁴ Epps v. St. Mary's Hosp. of Athens, Inc., 802 F.2d 412 (11th Cir. 1986).

²⁵ Briggs v. Am. Air Filter Co., 630 F.2d 414 (5th Cir. 1980).

²⁶ Simmons v. Southwestern Bell Telephone Co., 452 F. Supp. 392 (W.D. Okla. 1978).

²⁷ See U.S. v. Lanoue, 71 F.3d 966 (1st Cir. 1995).

²⁸ See Williams v. Poulos, 11 F.3d 271 (1st Cir. 1993).

²⁹ See Deal v. Spears, 980 F.2d 1153. (8th Cir. 1992).

³⁰ See 18 U.S.C. § 2511(2)(d).

³¹ 18 U.S.C. § 2701(a).

³² See Steve Jackson Games v. U.S. Secret Service, 816 F. Supp. 432, 460 n.5 (W.D. Tex. 1993).

³³ See generally Horton v. California, 496 U.S. 128, 133 (1990) (stating if evidence is in plain view, then observing it or seizing it would not infringe on the right of privacy).

³⁴ Katz v. United States, 389 U.S. 347, 361 (1967) (Harlan, J., concurring).

³⁵ See Bohach v. City of Reno, 932 F. Supp. 1232, 1234‑35 (D. Nev. 1996); see also Scott A. Sundstrom, You've Got Mail! (and the Government Knows It): Applying the Fourth Amendment to Workplace E‑mail Monitoring, 73 N.Y.U. L. Rev. 2064, 2085 (1998) (citing Bohach v. City of Reno, 932 F. Supp. at 1234‑35 in support of a similar proposition involving privacy and paging systems).

³⁶ See 1 Wayne R. LaFave, Jerold H. Israel & Nancy J. King, Criminal Procedure § 2.6(f)(1999) (stating that users of multi‑user systems still maintain an expectation of privacy despite the fact that those who operate the system may need to access that user's information in order to appropriately bill the user and to make occasional back‑ups of the information to protect against accidental data loss).

³⁷ See generally Raphael Winick, Searches and Seizures of Computers and Computer Data, 8 Harv. J.L. & Tech. 75, 83 (1994).

³⁸ United States v. Matlock, 415 U.S. 164, 170 (1974). The Court further noted "common authority" is not defined by traditional notions of property law, but: rests rather on mutual use of the property by persons generally having joint access or control for most purposes, so that it is reasonable to recognize that any of the co‑inhabitants has the right to permit the inspection in his own right and that the others have assumed the risk that one of their numbers might permit the common area to be searched. Id. at 171 n.7.

³⁹ United States v. Turner, 169 F.3d 84, 87 (1st Cir. 1999).

⁴⁰ United States v. Simons, 29 F. Supp. 2d 324, 327 (E.D. Va. 1998), aff’d, 2000 WL 223332 (4^th Cir. 2000).

⁴¹ 2000 WL 223332, at 4. The applicable section of the FBIS policy provided:

Audits. Electronic auditing shall be implemented within all FBIS unclassified networks that connect to the Internet or other publicly accessible networks to support identification, termination, and prosecution of unauthorized activity. These electronic audit mechanisms shall . . . be capable of recording:

‑‑ Access to the system, including successful and failed login attempts, and logouts;

‑‑ Inbound and Outbound file transfers;

‑‑ Sent and received e‑mail messages;

‑‑ Web sites visited, including uniform resource locator (URL) of pages retrieved;

‑‑ Date, Time, and user associated with each event.

⁴² O'Connor v. Ortega, 480 U.S. 709 (1987).

⁴³ See Electronic Privacy Information Center, Surfer Beware: Personal Privacy and the Internet, at <http://www.epic.org/reports/surfer-beware.html>.

⁴⁴ 18 U.S.C. § 2710.

⁴⁵ 18 U.S.C. §§ 2510‑2522, 2701‑2709, 3121‑3126.

⁴⁶ See id. §§ 2510‑2521.

⁴⁷ See id. § 2510.

⁴⁸ See 18 U.S.C. § 2701(a).

⁴⁹ 18 U.S.C.A. §§ 2511, 2517(4), 2516.

⁵⁰ See id. § 2511.

⁵¹ See id. §§ 2510‑2521.

⁵² See id. §§ 2510‑2522; 2701‑2709; 3121‑3126.

⁵³ See id. § 2703.

⁵⁴ See id. § 2702(b).

⁵⁵ See id.

⁵⁶ See id.

⁵⁷ See id. § 2702(b)(6).

⁵⁸ See id. § 2703.

⁵⁹ See id. §§ 2520, 2707.

⁶⁰ See id.

⁶¹ See id. §§ 2520(b)(3), 2707(b)(3).

⁶² See id. § 2701(b).

⁶³ 909 F. Supp. 137, 145 (S.D.N.Y. 1995) (application of ECPA denied because party does not "provide[ ] a communication service to the public, but ... is in the business of financing and ... merely uses fax machines and computers as necessary tools of almost any business today").

⁶⁴ Kang, supra note 9, at 1234‑35.

⁶⁵ 18 U.S.C. § 2701(c)(1).

⁶⁶ 18 U.S.C. § 2703(c)(1). See Tucker v. Waddell, 83 F.3d 688, 691 (4th Cir. 1996) (noting ECPA's private cause of action against governmental entities that violate it).

⁶⁷ 983 F. Supp 215 (D.D.C. 1998).

⁶⁸ See Seth Schiesel, American Online Backs Off Plan to Give Out Phone Numbers, N.Y. Times On the Web 1‑3 (July 25, 1997) <http:// www.nytimes.com/library/cyber/week/‑072597aol.htm>; Evan Hendricks, American Online Snoops Into Subscribers' Incomes, Children, Privacy Times, Dec. 15, 1997, at 1‑3.

⁶⁹ McVeigh v. Cohen, 983 F. Supp. 215, 219‑20 (D.D.C. 1998).

⁷⁰ 18 U.S.C. § 2073(c)(1)(B).

⁷¹ 83 F.3d 688 (4th Cir. 1996).

⁷² See AOL Admits Error in Gay Sailor Case, N.Y. Times on the Web 1 (Jan. 21, 1998) <http://www.nytimes.com/aponline/w/AP‑Navy‑Gay‑ Dismissal.html>;

[FN179]. See Carl S. Kaplan, Sailor's Case Leaves Question of Liability, N.Y. Times on the Web 2‑3 <http://www.nytimes.com/library/cyber/law/012998law.html>.

⁷³ See also United States v. Hambrick, 55 F. Supp. 2d 504, 507 (W.D. Va. 1999)(ECPA concern for privacy extends only to government invasions of privacy; ISPs are free to turn stored data and transactional records over to nongovernmental entities).

⁷⁴ 521 U.S. 844, 868‑73 (1997).

⁷⁵ In ACLU v. Reno, 31 F. Supp. 2d 473 (E.D. Pa. 1999), the district court issued a preliminary injunction enjoining enforcement of the obscenity provisions of COPPA.

⁷⁶ H.R. Rep. No. 105‑775, at 5 (1998).

⁷⁷ See Dorothy A. Hertzel, Don’t Talk to Strangers: An Analysis of Government and Industry Efforts to Protect a Child’s Privacy Online, 52 Fed. Comm. L.J. 429 (2000).

⁷⁸ 47 U.S.C.A. § 231(a)(1).

⁷⁹ The COPPA provides:

(a) Requirement to restrict access. (1) Prohibited conduct. Whoever knowingly and with knowledge of the character of the material, in interstate or foreign commerce by means of the World Wide Web, makes any communication for commercial purposes that is available to any minor and that includes any material that is harmful to minors shall be fined not more than $50,000, imprisoned not more than 6 months, or both.

(b) (2) Intentional violations. In addition to the penalties under paragraph (1), whoever intentionally violates such paragraph shall be subject to a fine of not more than $50,000 for each violation. For purposes of this paragraph, each day of violation shall constitute a separate violation.

(3) Civil Penalty. In addition to the penalties under paragraphs (1) and (2), whoever violates paragraph (1) shall be subject to a civil penalty of not more than $50,000 for each violation. For purposes of this paragraph, each day of violation shall constitute a separate violation.

⁸⁰ Id. § 231(c)(1).

⁸¹ See 16 C.F.R. § 312.1 (2000).

⁸² See id. § 312.3.

⁸³ See id. § 312.5.

⁸⁴ 16 C.F.R. § 312.5(b)(2).

⁸⁵ 16 C.F.R. § 312.10 provides:

Safe harbors.

(a) In general. An operator will be deemed to be in compliance with the requirements of this part if that operator complies with self‑regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, that, after notice and comment, are approved by the Commission.

⁸⁶ See GeoCities, File No. 9823015 (Fed. Trade Comm. 1998) (agreement containing consent order). The GeoCities Consent Order can also be found at < http://www.ftc.gov/os/1998/‑9808/geo‑ord.htm>. For a discussion, see FTC, Analysis of Proposed Consent Order to Aid Public Comment <http:www.ftc.gov/os/1998/9808/9823015.‑ ana.htm>. The GeoCities Web site is located at <http://www.geocities.com>.

⁸⁷ See GeoCities Proposed Consent Agreement, 63 Fed. Reg. 44,624 (1998) (final approval Feb. 12, 1999); FTC, Internet Site Agrees to Settle FTC Charges of Deceptively Collecting Personal Information in Agency's First Internet Privacy Case <http://www.ftc.gov/‑opa/1998/9808/geocitie.htm>; Saul Hansell, Amid Downturn, Another Internet Company's IPO Catches Fire N.Y. Times on the Web (Aug. 12, 1998) <http:www.nytimes.com/library/tech/98/‑ 08/biztech/articles/12geocities‑ipo.html>.

⁸⁸ See Jeffrey P. Cunard, Jennifer B. Coplan & George Vradenburg, III, Communications Law 1999, 581 PLI/Pat 853 (Nov. 1999).

⁸⁹ Liberty Fin. Serv. Co., 64 Fed. Reg. 29,031 (1999) (proposed May 28, 1999).

⁹⁰ 15 U.S.C. § 45(n). For an interpretation of the circumstances under which "substantial injury" to consumers has been found under the FTC statute, see Thompson Med. Co. v. FTC, 791 F.2d 189, 196 (D.C. Cir. 1986); International Harvester Co., 104 F.T.C. 949, 1041 (1984); Peter C. Ward, Federal Trade Commission: Law, Practice and Procedure § 5.04(2) (1999).

⁹¹ See Robert Gellman, What Policy Does FTC Set In Its GeoCities Decision?, DM News, Sept. 21, 1998, at 15. For a claim of broad enforcement authority over commerce on the Internet by the Chairman of the FTC, see FTC, Consumer Privacy on the World Wide Web, <http://www.ftc.gov/‑os/1998/9807/privac98.htm (prepared statement before the subcommittee on telecommunications trade and consumer protection)>.

⁹² See Gregory Dalton, Pressure for Better Privacy – Business Moves to Fend Off Regulation of Internet Data, Information Week, at <http://www.techweb.com/se/directlink.cgi?IWK19980622S0040>.

⁹³ See Anonymity on the Internet (last modified Feb. 13, 1999) <http:// www.dis.org/ erehwon/anonymity.html>.

⁹⁴ 115 S. Ct. 1511 (1995).

⁹⁵ See generally Francis A. Gilligan & Edward J. Imwinkelreid, Cyberspace: The Newest Challenge for Traditional Legal Doctrine, 24 Rutgers Computer & Tech. L.J. 305, 320 (1998).

⁹⁶ See United States v. Maxwell, 45 M.J. 406, 419 (C.A.A.F. 1996) (stating in dicta "[m]essages sent to the public at large in the 'chat room' . . . lose any semblance of privacy").

⁹⁷ Id. at 417.

⁹⁸ Id. at 418.

⁹⁹ Id. at 418‑19.

¹⁰⁰ United States v. Charbonneau, 979 F. Supp. 1177 (S.D. Ohio 1997).

¹⁰¹ United States v. Jacobsen, 466 U.S. 109, 113 (1984).

¹⁰² United States v. Hall, 142 F.3d 988, 993 (7th Cir. 1998).

¹⁰³ Id.

¹⁰⁴ 142 F.3d 988, 993 (7th Cir. 1998).

¹⁰⁵ 26 F. Supp. 2d 929 (W.D. Tex. 1998).

¹⁰⁶ The independent source doctrine allows admission of evidence that has been discovered by means wholly independent of any constitutional violation. Nix v. Williams, 467 U.S. 431, 443 (1984).

¹⁰⁷ See Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).

¹⁰⁸ 415 U.S. 164 (1974).

¹⁰⁹ Id. at 171 n.7 (citations omitted).

¹¹⁰ 27 F. Supp. 2d 1111 (C.D. Ill. 1998).

¹¹¹ See Kelly Hearn, Will US crack down on rising volume of e-mail `spam’? Christian Sci. Monitor, April 17, 2000, at 13.

¹¹² Davis v. Monroe County Board of Educ., 526 U.S. 629, 644 (1999).

¹¹³ Council Directive 95/46/EC of the European Parliament and of the Council of the European Union of 24 October 1995 (available at <http:// www.europa.eu.int/eur‑lex/en/lif/dat/1995/en_395L0046.html>).

¹¹⁴ "Personal data" are broadly defined as "any information relating to an identified or identifiable natural person," and an "identifiable person" "is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Id. at art. 2(a). The directive also relies on the concept of "data controller," defined as the "person, public authority, agency, or other body which alone or jointly determines the purposes and means of the processing of personal data."

¹¹⁵ Council Directive 95/46, art. 25, 1995 O.J. (L281) 1, 31. For a discussion, see Gregory Shaffer, Globalization and Social Protection: The Impact of EU and Intgernational Rules in the Ratrcheting Up of U.S. Privacy Standards, 25 Yale J. Int’l L. 1 (2000); Spiros Simitis, From the Market to the Polis: The EU Directive on the Protection of Personal Data, 80 Iowa L. Rev. 445, 463‑66 (1995).

¹¹⁶ European Directive, art. 26.

¹¹⁷ For a report on the EU's views, see, e.g., Thomas Weyr, US‑Europe Privacy Truce Buys Time, But EU May Target Directive Violators Early, DMNews Int'l, Nov. 9, 1998, at 1. To make matters more complicated, the EU Directive's provisions on data transfers are enforced by the Member States, which makes their current views and future action of critical importance. See U.S.‑EC Deal on Data Privacy No Guarantee of Peace with Member States, Expert Says, 67 U.S.L.W. 2367 (Dec. 22, 1998).

¹¹⁸ The International Safe Harbor Privacy Principles and comments on them are available on the Web site of the Department of Commerce's International Trade Administration, Electronic Commerce Task Force <http://www.ita.doc.gov/td/ecom/menu1.html>. For criticisms of these principles, see Commerce’s Safe Harbor Effort Praised, But Beneficiaries Want Latest Draft Tweaked, 17 Int’l Trade Rep. (BNA) 691 (May 4, 2000); Administration Diplomacy on Data Privacy May Not Satisfy FTC's Policy Expectations, 67 U.S.L.W. 2331 (Dec. 9, 1998).

¹¹⁹ EC Approves U.S. Safe Harbor Principles as Consistent with EU Data Privacy Rule, 17 Int’l Trade Rep. (BNA) 569 (April 6, 2000); U.S., EU Leaders Expected to Endorse Privacy Protection Pact Later This Month, 17 Int’l Trade Rep. (BNA) 727 (May 11, 2000).

¹²⁰ The "Safe Harbor Principles" are:

1) Notice: An organization must inform individuals about what types of information it collects about them, how it collects that information, the purposes for which it collects such information, the types of organizations to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure.

2) Choice: An organization must give individuals the opportunity to choose (opt out choice) whether and how personal information they provide is used.

3) Onward Transfer: Individuals must be given the opportunity to choose the manner in which a third party uses the personal information they provide.

4) Security: Organizations creating, maintaining, using or disseminating records of personal information must take reasonable measures to assure its reliability for its intended use and must take reasonable precautions to protect it from loss, misuse, unauthorized access or disclosure, alteration, or destruction.

5) Data Integrity: An organization must keep personal data relevant for the purposes for which it has been gathered only. To the extent necessary for those purposes, the data should be accurate, complete, and current.

6) Access: Individuals must have reasonable access to information about them derived from non‑public records that an organization holds and be able to correct or amend that information where it is inaccurate.

7) Enforcement: Effective privacy protection must include mechanisms for assuring compliance with the principles, recourse for individuals, and consequences for the organization when the principles are not followed.

¹²¹ Europe and the U.S. International Safe Harbor Privacy Principles (draft dated April 19, 1999)<http://www.ita.doc.gov/ecom/shprin.html>.

¹²² The full set of safe harbor documents constituting the U.S.-EU agreement on data privacy may be seen on the Commerce Department's Web site at

<http://www.doc.gov>.

¹²³ Alastair Tempest, The Globalization of Data Privacy, DMNews Int'l, Mar. 15, 1999, at 5. For a survey of Internet privacy regulation in other countries, see David Banisar & Simon Davies, Global Trends in Privacy Protection: An International Survey of Privacy, Data Protection, and Surveillance Laws and Developments, 18 J. Marshall Computer & Info. L. 1 (1999).

¹²⁴ See Colin J. Bennett, The Canadian Standards Association Model Code for the Protection of Personal Information: Reaching Consensus on Principles and Developing Enforcement Mechanisms, in Privacy and Self‑Regulation in the Information Age 157, 157 (U.S. Dep't Commerce, 1997) (explaining that Canada, with the exception of Quebec, has traditionally protected privacy of information in the private sector by implementing voluntary codes of fair information practice principles).

¹²⁵ See Model Code for the Protection of Personal Information, CAN/CSA‑ Q830‑96 (Canadian Standards Ass'n 1996) (providing a standard voluntary code for the management of personal identifiable information by Canadian businesses), available at <http:// www.bild.acad.bg/dataprCa.htm>. The Canadian Standards Association is the premier "standards development and certification organization" in Canada. See Bennett, supra note 124, at 157.

¹²⁶ See Bill C‑54, Personal Information Protection and Electronic Documents Act, 1st Sess., 36th Parl., 1996 [hereinafter Bill C‑54] (proposing "to support and promote electronic commerce by protecting personal information that is collected, used or disclosed"), available at <http:// www.parl.gc.ca/36/1/parlbus/chambus/house/bills/government/C‑54/C54_2/90052bE. html>.

¹²⁷ See UK moving to open all (e-)mail, Christian Sci. Monitor, May 8, 2000, at 1, 9.

¹²⁸ See Jonathan P. Cody, Protecting Privacy Over the Internet: Has the Time Come to Abandon Self-Regulation? 48 Cath. U.L. Rev. 1183 (1999); Tom Regan, Privacy protection – or fox in the hen house, Christian Sci. Monitor, April 20, 2000, at 19.

¹²⁹ Information on the OPA is available at <wwwprivacyalliance.org>. See generally Courtney Macavinta, Net Industry Reacts to FTC Threat <http://www.news.com/News/Item/0,4,22762,00.html> (discussing the submission of a nine‑point privacy protection plan to President Clinton by twelve high‑tech trade groups representing more than 11,000 companies); Industry Presses For On‑line Privacy Self‑Regulation, Post‑Newsweek Bus. Info., Inc., July 21, 1998, available in LEXIS, News Library, Curnws File (describing a broad‑based coalition of on‑line companies and associations proposed framework to enforce on‑line privacy).

¹³⁰ See U.S. Still Pushing for Self‑Regulation of the Internet Regarding Privacy Issues, Reuters (Apr. 9, 1999); Communications Media Center at New York Law School, <http://www.cmcnyls.edu/public/bulletins/usspsrip.html‑ssi>.

¹³¹ Information on the TRUSTe program is available at <http:// www.truste.org>.

¹³² Information on the BBBOnLine program is available at <http:// www.bbbonline.com>.

¹³³ Information on the CPA WebTrust program is available at <http:// www.cpawebtrust.org>.

¹³⁴ Protect Privacy or Feds Will ‑ Daley, Post‑Newsweek Bus. Info., Inc., June 23, 1998, available in LEXIS, News Library, Curnws File.

¹³⁵ Mark Suzman, FTC Chief Warns of Internet Privacy Action, Fin. Times Limited (London), July 22, 1998, at 3.

¹³⁶ See Tom Regan, Privacy protection – or fox in the hen house, Christian Sci. Monitor, April 20, 2000, at 19.

¹³⁷ See, e.g., Bernstein v. Dep’t of Justice, 176 F.3d 1132 (9^th Cir. 1999)(mathematician’s

encryption software, in its source code form and as employed by those in the field of cryptography, is expression for First Amendment purposes; mathematician could bring facial challenge against regulations on prior restraint grounds; and Commerce Dep't regulations imposes prior restraint that violates First Amendment).

¹³⁸ See In re Application of United States, 36 F. Supp. 2d 430 (D. Mass. 1999)(granting Government's application for order directing cable television operator‑ISP to disclose information regarding certain subscribers, despite conflict between Cable Communications Policy Act provision imposing liability on cable operator for disclosing personally identifiable subscriber information without notifying subscriber and Electronic Communications Privacy Act section providing that no notice was required for disclosure of records related to ISP subscriber's electronic communications).

¹³⁹ See Barry v. Dep’t of Justice, 63 F. Supp. 2d 25 (D.D.C. 1999)(Office of the Inspector General for the Department of Justice (OIG‑DOJ) did not "disclose" report critical of former government employee, within meaning of Privacy Act, by posting the report on the OIG's Internet web site, where the report had already been fully released to the media and discussed in a Congressional hearing, though some Internet users might encounter the report for the first time on the OIG web site).

¹⁴⁰ See 47 U.S.C. § 222(f)(1) (1994) (Telecommunications Act's provisions for Customer Proprietary Network Information (CPNI)). See generally U.S. West, Inc. v. FCC, 182 F.3d 1224 (10^th Cir. 1999)(invalidating FCC regulations that required telecommunications companies to obtain approval from customer before company uses customer's "customer proprietary network information" (CPNI) for marketing purposes because they fail to advance FCC's asserted interests in privacy and increased competition).

¹⁴¹ See 47 U.S.C. § 522(7) (1994) (Cable Communications Policy Act's provisions for "cable system"). As currently interpreted, this statute is not likely to be extended to ISPs. See United States v. Kennedy, 81 F. Supp. 2d 1003 (D. Kan. 2000)(even if the government obtained defendant's subscriber information from ISP in violation of the Cable Communications Policy Act, the statute affords him no suppression remedy). See also Peter W. Huber, The Telecommunications Act of 1996 54‑55 (1996).

¹⁴² See, e.g., America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E.D. Va.. 1998)(under Virginia law, web site operators' transmission of unsolicited bulk e‑mails to customers of Internet service provider, using provider's computers and computer network, constituted trespass to chattels); Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105 (E.D. Mich. 1998)(subscriber’s action against ISP alleging violation of ECPA, breach of contract, breach of express and implied warranties, negligence fraud and misrepresentation, and invasion of privacy arising out of provider's disclosure of her identity pursuant to subpoena did not constitute breach of contract or of express and implied warranties; subscriber could not bring action for invasion of privacy and failed to plead fraud and misrepresentation claim with sufficient particularity); Zeran v. Diamond Broadcasting, Inc., 203 F.3d 714, 720 (10^th Cir. 2000)(conduct of radio talk show hosts in accepting at face value a hoax internet electronic bulletin board posting advertising items with slogans glorifying bombing of Oklahoma City federal building, and failing to verify its authenticity before reading the listed phone number over air and encouraging listeners to call the number, did not meet the standard of recklessness required to recover for false light invasion of privacy under Oklahoma law).

¹⁴³ 1999 FTC Report (separate statement of Commissioner Orson Swindle).