Two years ago, the Supreme Court upheld an injunction blocking the enforcement of the 1998 Child Online Protection Act, a law allowing the operators of online pornography sites to be punished for making their content accessible to minors. The case was sent back to a district court, leaving the government responsible for proving that the law was needed and constitutional. As part of their effort to resurrect the law, the government sent subpoenas last year to three major search engines and one online provider: Google, Yahoo, MSN, and AOL. The subpoenas requested “all URLs that are available to be located through a search query on [company's] search engine as of July 31, 2005″, as well as a week’s worth of recorded queries. The subpoena specifically requested that none of this information was to be linked to individuals. Yahoo, MSN, and AOL complied. Google did not.

The San Jose Mercury News reported yesterday that Google is fighting the injunction, claiming that “the demand for the information is overreaching” and threatened their users’ privacy as well as the company’s trade secrets. But wait, you might say, if the records weren’t supposed to contain any information that might identify a particular user, where does privacy come in to the equation?

From The New York Times:

“Google’s acceding to the request would suggest that it is willing to reveal information about those who use its services,” it said in an October letter to the Justice Department. “This is not a perception Google can accept. And one can envision scenarios where queries alone could reveal identifying information about a specific Google user, which is another outcome that Google cannot accept.”

While this particular request does not ask for identifying information, the next one could, and there is a lot of identifying information to be had. (SearchEngineWatch has previously covered search engine privacy concerns.) Given the recent revelations of NSA domestic wiretapping and previous demands for information such as library records, it wouldn’t be surprising if they started asking for search engine user profiles as well. If Google ends up complying with the subpoena, they risk losing the public’s trust, and for a company that lives by the motto “Don’t be evil,” that’s a very grave risk indeed.

SearchEngineWatch also has some excellent posts on this story, including a summary of the court precedings as well as an ongoing commentary.

The New York Times ran an interesting article earlier this week contrasting American and European personal data protection practices. In Europe, the right to privacy is considered fundamental, and accordingly most European countries have passed extensive privacy laws and established governmental agencies to specifically deal with data protection. The United States government tends to treat privacy as an afterthought, enacting laws as a form of damage control. Americans tend to treat privacy as a consumer issue, placing their trust in business more often than they do the government. This has been a key factor in the growth of commercial databases such as ChoicePoint.

Those wishing to get a more in-depth look at international privacy laws and attitudes should take a look at EPIC and Privacy International’s joint 2003 Privacy and Human Rights report. Over fifty-five countries are included in the report, which also attempts to document the privacy-related responses to the September 11 terrorist attacks.

In 1996, Walt Disney World in Orlando, Florida started using finger geometry scans to identify annual and season pass holders. Over the past six months, they have quietly extended this requirement to all ticket holders, meaning that anyone coming into the park must have their fingers scanned and verified. Disney officials say that records are not kept after the tickets expire, but it’s not clear if they are immediately purged from the system.

The scan does not make a record of a person’s fingerprints. Guests place their index and middle fingers on the scanner and the system recognizes certain characteristics such as finger thickness and length. A number is assigned based on these measurements, and this number is stored in the system for future comparisons. Injuries to the index and/or middle fingers can cause the system to falsely reject a guest’s profile, as can more mundane changes such as the presence of a ring that was not worn during the initial scan. AllEarsNet, an unofficial Walt Disney World guide, has an online FAQ about the scan. At present, the system is only being used in Walt Disney World, and not in Disneyland in California or any of Disney’s international theme parks. Universal Studios Orlando and SeaWorld are said to be planning to introduce similar verification systems in the future.

Larry Spalding of the American Civil Liberties Union was quoted as saying that while the Disney system, known as Ticket Tag, had been brought to the ACLU’s attention, no one had yet filed a complaint. Spalding expressed concern about the system, saying “Slowly but surely we’re just giving away our right of privacy, and the question is what are we getting in return?” Even if the records aren’t kept and can’t be matched to other biometric identifiers such as fingerprints, it still seems a bit disconcerting. As Civil Liberties Union spokesman George Crossley said, “I think it is a step toward collection of personal information on people regardless of what Disney says.”

Slashdot discussion here.

Even being head of the Federal Trade Commission is no guarantee against identity theft. FTC chair Deborah Platt Majoras was recently notified by shoe retailer DSW that she was among 1.4 million people whose credit card numbers were in a database breached by thieves. The DSW breach, discovered in March, affected customers of 108 DSW retail stores nationwide. While the compromised data did not include social security numbers, it did include credit card numbers, checking account numbers, and drivers license numbers. A suit has been filed by Ohio Attorney General Jim Petro seeking the notification of every individual affected by the breach.

Majoras could potentially join other high-profile victims of identity theft such as Bill Gates, Tiger Woods, and Ross Perot (among others).