From: <djg2120@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Wed, 12 Apr 2006 11:20:13 -0400

[CPC] Spitzer sues Gratis- consumer privacy

Eliot Spitzer is pursuing Gratis for breaching its consumer privacy
policy by distributing confidential information. The suit is
interesting on two levels- first, a state government has taken
interest in protecting consumer data, which is a step in the right
direction. Second, Spitzer is advancing a consumer fraud claim,
based Gratis's failure to comport with its privacy policy. I
question whether a positive outcome on this argument will be
effective for keeping data private in the future, but thought it
was nonetheless an interesting position

Dan
djg2120@columbia.edu
                      
New York Plugs Largest Known Internet Privacy Leak

Consumer Affairs
March 14, 2006
http://www.consumeraffairs.com/news04/2006/03/ny datatran.html

What prosecutors say may have been the largest breach of privacy in
Internet history has been resolved.
The settlement with Datran Media, a leading e-mail marketer, follows
an investigation that identified the improper disclosure of the
personal information of more than six million American consumers.
"With this case, we hope to set a new standard for Internet
marketers and consumer research companies," New York Attorney
General Eliot Spitzer said. "Personal information secured through a
promise of confidentiality must always remain confidential."
Datran was alleged to have used improperly information it had
obtained from several companies that compile and sell information
on consumers.
The largest such company, Gratis Internet, had assured consumers on
several web sites it owned and operated that it would "never lend,
sell or give out for any reason" the information provided by users.
Among the sites on which Gratis collected user information were
"freeipods.com" and "freedvds.com."
The Attorney General's investigation revealed that Datran knew of
Gratis' promise to consumers when it purchased the consumer lists.
But after obtaining these lists, Datran sent millions of
unsolicited e-mails to the listed consumers.
The seven million files that Gratis sold to Datran is believed to be
the largest deliberate breach of a privacy policy discovered by U.S.
law enforcement to date.
Under an Assurance of Discontinuance with the attorney general,
Datran has agreed to pay $1.1 million as penalties, disgorgement
and costs. Datran must also:

• Destroy the information obtained from Gratis and the other list
sellers at issue;

• Avoid acquisition of any personal consumer information without
first independently confirming that such acquisition is permissible
under relevant seller privacy policies; and

• Appoint a Chief Privacy Officer or other employee to oversee
privacy compliance efforts.
Spitzer noted that Datran cooperated fully with his office's
investigation, and that the company began improving its list
purchasing and due diligence practices in April 2005, just prior to
the commencement of the investigation.
Beth Givens, Director of the Privacy Rights Clearinghouse, a
consumer advocacy organization hailed the settlement.
"A privacy policy is more than an empty promise. Companies must be
held to their word. Attorney General Spitzer sends an important
message to any company that would violate the terms of an agreement
of a data seller."
Spitzer said he hoped the case would help establish basic controls
on data compiled and sold by professional consumer research
companies and list builders.
"Companies must adhere to known privacy policies and promises.
Failing to do so constitutes a clear consumer fraud," said Spitzer.
              

Breach of Privacy, Internet, Law Suit

TECHNEWS
Fri, 2006-03-24
http://www.technologynewsdaily.com/node/2325

Attorney General Eliot Spitzer today sued a company responsible for
what is believed to be the largest deliberate breach of privacy in
internet history.
The suit against web site operator Gratis Internet alleges that the
company sold personal information obtained from millions of
consumers under a strict promise of confidentiality.
"Unless checked now, companies that collect and sell information on
consumers will continue to find ways to erode the basic standards
that protect privacy in the internet age," Spitzer said.
Spitzer’s office began an investigation of companies involved in
"data mining" or compilation and sale of marketing lists, early
last year. The focus of the investigation quickly turned to Gratis,
a Washington, D.C. -based company that owns and operates several web
sites that provide consumers with ways to receive free products,
generally through free trials of yet other products. These sites
include or have included: FreeiPods.com; FreeCDs.com; FreeDVDs.com
and FreeVideoGames.com.
From 2000 through 2004 Gratis made numerous explicit promises to the
users of its web sites about protecting personal information. Among
the promises the company made were:
"We will never give out, sell or lend your name or information to
anyone";
"We will never lend, sell or give out for any reason your email
address or personal information";
"We at [Gratis web site] respect your privacy and do not sell, rent
or loan any personally identifiable information regarding our
customers to any third party"; and
"Please note that we do not provide your E-mail address to our
business partners."
Even on its sign-up pages, Gratis promised consumers that it "does
not . . . sell/rent emails."
However, the Attorney General’s investigation confirmed that
Gratis’s owners, Peter Martin and Robert Jewell, repeatedly
violated these promises during 2004 and 2005 by selling access to
lists of millions of Gratis’s customers to three independent email
marketers. The marketers then sent hundreds of millions of email
solicitations to those users, on behalf of their own customers. In
each of these deals, Gratis wrongfully shared between one and seven
million confidential user records. This is believed to be the
largest deliberate breach of a privacy policy ever discovered by
U.S. law enforcement.
Leading privacy advocates praised the lawsuit:
Marc Rotenberg, the Executive Director of the Electronic Privacy
Information Center based in Washington D.C. said: "Without strong
enforcement, privacy policies are meaningless. We support the
efforts of the New York Attorney General to safeguard consumer
privacy."
Beth Givens, Director of the Privacy Rights Clearinghouse, a
consumer advocacy organization said: "Attorney General Spitzer
continues to send a strong message to Gratis and others like it who
would sell their email lists to spammers when their privacy policy
says otherwise: Deception doesn't pay."
The suit also sets forth how, during the course of its
investigation, Gratis repeatedly, but falsely, denied that such
data sharing had even occurred. In one written response to the
Attorney General, for instance, Gratis assured the Attorney General
that "at all times during its existence . . . Gratis has never sold,
rented, or lent email addresses or personal information of its users
to any third-party and the company has always maintained control
over and ownership of such information."
The Attorney General’s suit cites specific data sharing contracts,
as well as testimony and other evidence provided by internet
marketers that did business with Gratis. The suit, filed in New
York State Supreme Court, seeks penalties and injunctive relief,
against Gratis and its principals, under New York’s consumer fraud
statutes
The lawsuit follows the Attorney General’s settlement, earlier this
month, with e-mail marketer Datran Media, to whom Gratis had sold
its user records.
This matter was handled by Assistant Attorney General Karen Geduldig
of the Attorney General’s Internet Bureau, under the direction of
Ken Dreifach, Chief of the Internet Bureau, and with the assistance
of fraud analyst Sibu Thomas.


-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list