Issue No. 06 - November-December (2004 vol. 2)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2004.107
Scott Forbes , Microsoft
Daniel J. Solove and Marc Rotenberg, Information Privacy Law, Aspen Publishers, 2003, ISBN 0-7355-3382-2, 795 pages, US$63.
Daniel J. Solove and Marc Rotenberg are nationally-recognized privacy scholars; Solove is an associate law professor at George Washington University, and Rotenberg is the executive director of the Electronic Privacy Information Center. Their book provides a balanced overview of domestic and international privacy laws.
Information Privacy Law is divided into eight chapters, with each chapter after the introduction discussing privacy in different contexts. For instance, Chapter 6 is dedicated to the privacy of records and computer databases. It broadly describes—among many other topics—fair information practices, the Gramm-Leach-Bliley Act covering financial information, the Children's Online Privacy Protection Act, and the FTC's role in enforcing privacy regulations. Other chapters are more tightly focused: Chapter 8 limits itself to the European Union's Data Protection Directive and the related safe-harbor framework. The safe-harbor discussion is particularly useful to technical professionals trying to understand their company's global privacy and security responsibilities.
Although excerpts from relevant court cases and privacy legislation comprise substantial portions of the text, the book isn't designed solely for legal professionals. In fact, attorneys and paralegals looking for unabridged court cases, unintelligible legalese, and annotated legislative text should look elsewhere. Rather, the authors aim to introduce the complexities surrounding modern privacy rules and regulations while showing readers how emerging technologies have challenged the world's privacy laws and will continue to do so. Thus, the book provides case law and expert commentary on the privacy implications of biometric devices, cookies, keystroke loggers, computer databases, and myriad other technologies.
The authors helpfully place topics such as workplace email monitoring in larger historical contexts and work diligently to demonstrate the practical implications of sometimes obtuse judicial decisions or politically motivated actions. Chapter 4 summarizes the Clipper Chip debate, ties that debate to encryption export regulations, and discusses the Bernstein case, which resulted in a 1999 court decision finding that encryption software's source code was protected by the First Amendment.
Frequent Notes & Questions sections scattered throughout the chapters are particularly useful and should help organizations critically evaluate their internal privacy projects and challenges. One Notes section asks readers to consider, "Does the Fourth Amendment require a warrant before the government can decrypt an encrypted communication?" and "Can the government compel the production of a private key if it is stored on a personal computer?"
Information Privacy Law was published in 2003, and despite an August 2004 update ( http://privacy.org/casebook), the book doesn't cover some recent privacy legislation that both technical and legal professionals should understand. More obvious omissions include Japan's Personal Information Protection Act of 2003 and California's recently passed law, SB1386, which requires businesses to notify customers whose personal information has been breached.
This book successfully manages to not only tell us what privacy rules exist, but also why they were created and how we as IT security and privacy professionals can succeed in our daily lives while still following the rules.
Scott Forbes is the security and privacy compliance manager in Microsoft's Law and Corporate Affairs group. He has a PhD in telecommunications from Pennsylvania State University and is completing his law degree at George Washington University. He is a member of the IEEE, the American Bar Association, and the Information Systems Audit and Control Association (ISACA). Contact him at email@example.com.