Reinhardt Buys
BLC LLB (Pret) LLM (UCT)
Sonnenberg Hoffman & Galombik Attorneys, Cape Town
Introduction | The right to privacy | Right to information | Privacy issues on the Internet | Author biography
1. Introduction

The rapid growth and increasing use of the Internet give rise to many and complex privacy issues. In every electronic communication an Internet user gives away some form of personal information. Every e-mail message contains a header with information about the sender and the recipient. Virtually every electronic transaction will involve the transfer of personal data such as credit card numbers, telephone numbers, physical addresses and e-mail addresses.

  365

The key to further Internet growth, especially as far as electronic commerce is concerned, is the attainment of privacy through technology and law. Unauthorised access to communications and personal information on the Internet remains relatively easy in the absence of encryption technology. Whether or not the vulnerability of privacy on the Internet is exaggerated, it is undisputed that there are security risks associated with its use. As a result, it is safer to assume, for the present, that the Internet is not yet a secure medium over which to communicate financial and personal information without having due consideration of the risks and legal issues involved.

Apart from traditional privacy concerns like surveillance and unauthorised access to information, the Internet also creates new concerns relating to the use of cookies and spamming. This chapter examines the jurisprudence in a number of jurisdictions as it relates to the privacy of electronic communications travelling across the Internet and personal information stored on computer data banks.

Get hyperlinks to Privacy on the Internet reading at
http://gahtan.com/cyberlaw/privacy/
2. The right to privacy

The right to privacy is guaranteed expressly in the Universal Declaration of Human Rights,1 the European Convention on Human Rights,2 the International Covenant on Civil and Political Rights,3 the American Convention on Human Rights4 and a number of countries’ constitutions.

366

The privacy right has been defined in various ways, among others the following:

  • The right to privacy includes the right to be free from intrusions and interference by the state and others in one’s personal life and freedom from unauthorised disclosures of information about one’s personal life.5
  • Privacy is the voluntary and temporary withdrawal of a person from the general society through physical and psychological means, either in a state of solitude or small group intimacy, or, when among larger groups, in a condition of anonymity or reserve.6
  • The right to be let alone to live one’s life with the minimum degree of interference.7
  • The right to be let alone – the most comprehensive of rights and the right most valued by civilised men.8
  • The right to privacy encompasses the right to determine the destiny of private facts, which includes the right to decide when and under what conditions private facts may be made public.9
These definitions indicate the importance of the individual’s choice between keeping information private and making it public. This choice or personal determination should guide the legislature and the South African courts as they consider privacy matters related to the Internet. Some Internet users may prefer the use of cookies to identify them on the Internet. Some might want to receive loads of commercial e-mail. Others may choose to encrypt messages to send over the Internet, employ filters to regulate the content that their computers can access or disable and delete cookies on their browsers.
 
It would be impossible and dangerous to regulate the technology that threatens privacy. The legislature and the courts should rather be interested in giving Internet users the control over their own information and to provide measures to enable every user to make an informed decision on the question of how private and confidential personal information should be in the digital age.
2.1 Information privacy in South Africa
2.1.1 Constitutional protection of privacy
Section 14 of the South African Constitution10 provides that:

Everyone has the right to privacy, which includes the right not to have:  
a) their person or home searched;
b) their property searched;
c) their possessions seized; or
d) the privacy of their communications infringed.

Although section 14 mentions specific privacy rights, the list is not exhaustive. It extends to any other method of obtaining information or making unauthorised disclosures.11 For example, in Klein v Attorney-General WLD,12 the restoration of computer information that had been deleted or erased by its owner and the handing over of it to the state for use in criminal prosecution was held to be a violation of the owner’s privacy right.

367

2.1.1.1 Limitations to the privacy right
The privacy right in the Constitution protects information to the extent that it limits the ability of people, organisations and the government to gain, publish, disclose or use information about others.13 The right itself is not absolute14 and can be limited by a law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom.15 In this respect, demands of the government for information which is reasonably required for official statistical,16 census17 and tax18 purposes are likely to be regarded as reasonable limitations to the privacy right. Likewise, statutory reporting requirements concerning child abuse19 and mental patients who are dangerous20 would be regarded as constitutional.

Infringements of private communications through eavesdropping and surveillance would be regarded as reasonable if authorised by a judge where a serious offence is concerned, or where the security of the country is at risk.21 Searches and seizures without a search warrant would generally be an unconstitutional violation of the privacy right.22 In terms of the Criminal Procedure Act23 a person may be searched if he/she has been arrested or the person conducting the search has been issued with a search warrant.24 Where a person’s private possessions, such as a computer terminal, were seized by the police without a warrant when a warrant could have been issued had it been applied for, such a search and seizure would be an unconstitutional invasion of privacy.25

  368

2.1.1.2 Evidence obtained in violation of a constitutional right
Section 35(5) of the Constitution requires evidence obtained in violation of the Bill of Rights to be excluded:
  • if its admission would render the trial unfair
  • if its admission would otherwise be detrimental to the administration of justice
The first of these two criteria focuses on the need for fairness in a particular trial, while the second protects the integrity of the administration of justice. They are, however, also interrelated and both seek to serve the public interest.26
 
In Key v Attorney General CPD27 Kriegler J ruled that:
“In any democratic criminal justice system there is tension between, on the one hand, the public interest in bringing criminals to book and, on the other hand, the equally great public interest in ensuring that justice is manifestly done to all, even those suspected of conduct which would put them beyond the pale ... What the Constitution demands is that the accused be given a fair trial. Ultimately, as was held in Ferreira v Levin, fairness is an issue that has to be decided upon the facts of each case, and the trial judge is the person best placed to take this decision. At times, fairness might require that evidence unconstitutionally obtained be excluded. But there will also be times when fairness requires that evidence, albeit obtained unconstitutionally, nevertheless be admitted.”
Following Kriegler J, the courts have been at pains to emphasise that the fairness inquiry must turn on the facts of each case28 and follow arguments similar to those developed in Canadian courts.29 Evidence of admissions and pointings out made by an accused were excluded when the accused had shown30 that the evidence was obtained in violation of his right to privacy.31

As pointed out above, evidence obtained in violation of the Bill of Rights could also be excluded if allowing it would be detrimental to the administration of justice. In considering this ground, the approach of the courts is to strike a balance between the public interest in the detection and punishment of crime and the public interest that justice is done to all.32 For example, in S v Naidoo33 the court held that it would be detrimental to the administration of justice to admit evidence of a monitored telephone conversation when the directive authorising the monitoring had been obtained on the basis of deliberate misstatements made under oath by the investigating policemen.

  369

Although section 35(5) of the Constitution is not expressly limited to criminal proceedings, its context indicates that it is so limited. However, section 34 of the Constitution expressly entrenches fairness in civil litigation. It follows that unconstitutional, illegal or improperly obtained evidence would render the trial unfair. The criteria for fairness would, however, not be the same as in criminal proceedings, as fairness in civil litigation demands greater emphasis on the need to strike a balance between the parties.34
 
2.1.1.3 Suspension of the privacy right
The right to privacy may be suspended in consequence of the declaration of a state of emergency, but only to the extent that the derogation is strictly required by the emergency and the legislation enacting the state of emergency is consistent with South Africa’s obligations under international law applicable to states of emergency.35
 
2.1.1.4 Privacy before the Constitution
In South Africa the privacy right has often been violated by the legislature and the executive through laws conferring wide powers of search and seizure on the police36 and interference with correspondence without court authorisation.37 However, even before the introduction of the Bill of Rights the courts have recognised infringements of private communications as an invasion of privacy.38 In S v A39 the court held that eavesdropping and electronic surveillance by private detectives during matrimonial disputes may result in a criminal invasion of privacy if the methods used were unreasonable. In Janit v Motor Industrial Fund Administrators (Pty) Ltd,40 the stealing of tape recordings of confidential business meetings and offering them to a third party has been held to be an unlawful invasion of privacy.

2.1.2 Statutory limitations to the privacy right in South Africa
A great number of statutes limit the right to privacy41 and very few of them have been scrutinised by the Constitutional Court. In relation to the Internet the Criminal Procedure Act42 and the Interception and Monitoring Prohibition Act43 are of particular importance. The former potentially threatens the privacy of information stored on a computer while the latter potentially impairs the privacy of information as it travels across the Internet.

  369

2.1.2.1 The Criminal Procedure Act44
Chapter 2 of the Act provides for a general power of search and seizure of certain articles by the state. The articles that can be seized are divided in three broad categories:
  • articles concerned with the commission of an offence
  • articles that may afford evidence of the commission of an offence
  • articles intended to be used in the commission of an offence45

As a general rule the search and seizure of the article must be authorised by a search warrant which authorises a police official to search any person identified in the warrant or to enter and search any premises identified in the warrant.46 A search may be undertaken without a warrant when the person concerned consents to the search for and seizure of the article in question, or where the police official believes that a search warrant will be issued if applied for and that the delay in obtaining such warrant would defeat the object of the search.47

  370

From the use of words like “anything”,48 “article” and “premises”, it is unclear whether the Act refers only to physical items or not. This means that a computer terminal may be seized in terms of a warrant, but it is doubtful whether a warrant can be issued for the search and seizure of specific information stored on a computer.49

The search and seizure of information stored on computers raise a number of unique issues:

  • Computers are increasingly linked to other computers in networks that can span a building50 or a city or even the whole globe, like the Internet, and information could be stored on any singe computer in the network. As a warrant will normally authorise a search in respect of specific premises, it will be very difficult to determine which computer holds the required information.
  • The possibility that information may be stored in remote locations raises jurisdictional questions. A specific network could span more than one magisterial district or could even span different countries. In an extreme example parts of the information could be in different jurisdictions or even on the open sea.
  • It is furthermore likely that the information, if it is eventually found, is protected by a security system such as a password or encryption. The question arises whether the authority of the investigating officer is wide enough to attempt to break the security system and to what extent such an attempt would be allowed.
  • It is not clear whether information is an “article” in terms of the Act and whether the storage space of a computer could be regarded as “premises”.
  • The ownership of the computer and the ownership of the information could vest in different people or organisations. Could the innocent owner be deprived of his/her legitimate ownership of the computer?
  • In computer networks users generally share a common storage space, such as an open F drive. It could be difficult to determine which person placed information in such a common place.

371

2.1.2.2 The Interception and Monitoring Prohibition Act51
On 1 February 1993 the Interception and Monitoring Prohibition Act52 came into operation.53 This Act prohibits the intentional interception of communications54 or monitoring of conversations by monitoring devices unless so authorised by a judge. In terms of section 2 of the Act no person is allowed to intentionally and without the knowledge or permission of the dispatcher intercept a communication which has been, is being, or is intended to be, transmitted by telephone or in any other manner over a telecommunications line.

Get the Interception and Monitoring Prohibition Act at
http://www.polity.org.za/govdocs/legislation/doclaw.html

A communication line is defined to include any apparatus, instrument, pole, mask, wire, pipe, pneumatic or other tube, thing or means which is used or may be used for or in connection with the sending, conveying, transmitting or receiving of signals, signs, sounds, communications or other information.
It is therefore clear that this prohibition will cover all Internet communications.

A judge may, however, give permission for either the interception or monitoring of communications if convinced on grounds mentioned in a written application that:

  • an offence has been or will probably be committed and that the offence is of such a nature that it cannot be properly investigated in any other manner than through interception and monitoring of communications55
  • the security of the Republic is threatened56
  • the gathering of information concerning a threat to the security of the Republic is necessary57
The Act has not been scrutinised by the Constitutional Court to determine whether or not its provisions are reasonable and justifiable. The seeming requirement that the interception is not allowed only when it is intentional58 could create problems. There could be no reason why the legislature would allow the negligent or incidental interception of communications. It is furthermore unclear whether a directive by a judge would allow for encrypted information to be decrypted. The Act was obviously drafted at a time when today’s Internet technologies were not yet expected.
 
Even if the provisions satisfy the limitation clause an injured party may still have an action for invasion of his/her right to privacy if the requirements of the Act have not been carefully followed.59
2.2 Information privacy in the United States of America

2.2.1 Constitutional protection of information privacy
The privacy right is not mentioned expressly in the American Constitution but has been held to be guaranteed implicitly in several of its provisions.60 To determine whether a specific privacy right ought to be recognised the Supreme Court usually asks itself whether such a right is implicit in the concept of orderly liberty in such a way that neither liberty nor justice would exist if it was sacrificed and whether it is deeply rooted in the nation’s history and tradition.61 This inherent limitation of the scope of the privacy right has resulted in a narrower understanding of it than in other jurisdictions such as South Africa.

373

Get hyperlinks to Privacy issues in the US at
http://www.epic.org/privacy/

Apart from the inherent limitations, privacy may also justifiably be infringed if a compelling state interest so requires. A statute infringing the privacy right must be necessary and not merely rationally related to the accomplishment of a permissible state policy. To establish that, the strict scrutiny test is applied.62

Constitutional protection of information privacy in the United States is a thorny issue. According to Tribe,63 the Fourth Amendment more than any other constitutional provision reflects the existence of such a right. The Fourth Amendment provides:
“The right of the people to be secure in their persons, houses, paper, and effects, against unreasonable searches and seizure, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the person or thing to be seized.”

In Katz v United States64 electronic eavesdropping on private communications was held to constitute a search and seizure impinging on the privacy of communicator and therefore subject to Fourth Amendment requirements. The sphere of privacy protected by the Fourth Amendment does however not extend very far with respect to the gathering and use of information. In United States v Miller65 the court concluded that an individual has no Fourth Amendment protection expectation of privacy with respect to cheques and deposit slips that he voluntary conveys to a bank, and that the depositor takes the risk that the information will be conveyed to the government. In Smith v Maryland66 the court found Katz to be irrelevant unless actual interception is at stake. The court ruled that no warrant was required before a telephone company could electronically monitor the numbers dialled from a private telephone, at the behest of law-enforcement officials, and reasoned that the numbers were transmitted to a third party (the telephone company) and that the dialler could not have had any reasonable expectation of privacy. Therefore the monitoring did not constitute a Fourth Amendment search.

  374

US courts have also examined whether the control of personal information by individuals to whom it relates is a fundamental right protected by the Fourteenth Amendment (due process). In Paul v Davis67 the Supreme Court held that individual control of personal information was not a fundamental right protected by the Fourteenth Amendment and held that fundamental private privacy rights include only those relating to marriage, procreation, contraception, family relationships, child rearing and education. In subsequent cases, the court has been equally reluctant to create an individual right to information privacy. For example, in Nixon v Administrator of General Services68 the Supreme Court held that the President’s interest in the informational privacy of his official records was outweighed by a public interest in the documents.
 
The position is possibly best summarised by Tribe:69  
“In an information-dense technological era, when living inevitably entails leaving not just informational footprints but parts of one’s self in myriad directories, files, records and computers, to hold that the Fourteenth Amendment does not reserve to individuals some power to say when and how and by whom that information and those confidences are to be used would be to denigrate the central role that informational autonomy must play in any developed concept of the self.”
Tribe70 has gone as far as calling for a constitutional amendment to deal with information privacy in the digital age. His proposed 27th Amendment reads as follows:  
“This Constitution’s protections for the freedom of speech, press, petition, and assembly, and its protections against unreasonable search and seizure and deprivation of life, liberty, or property without due process of law shall be construed as fully applicable without regard to the technological method or medium through which information is generated, stored, altered, transmitted or controlled.”
  375

2.2.2 Statutory protection of information privacy in the United States
Unlike the European Union, which has become the global pace setter on the protection of personal information, the United States does not have a single overarching privacy law. Several federal and state laws protect the privacy of certain forms of personal information. At the federal level information is protected by, among others, the Privacy Act of 1975,71 the Fair Credit Reporting Act,72 The Freedom of Information Act,73 the Privacy Protection Act of 198074 and the Electronic Communications Privacy Act of 1986.75
 
2.2.2.1 The Electronic Communications Privacy Act
Before 1987, the interception of digital communications was not a federal crime. However, with the enactment of the Electronic Communications Privacy Act of 198676 the intentional interception, use and disclosure of electronic communications not readily accessible to the public is a criminal act. The Act is a lengthy and complex statute containing exceptions and providing different degrees of privacy depending on the circumstances. Basically the Act:
  • covers digital communications as well as voice communications
  • prohibits both private and government eavesdropping and surveillance
  • covers both electronic communications and electronic communications systems, including electronic storage systems
  • punishes as a federal felony the intentional interception, intentional disclosure, or intentional use of the contents of a message without authorisation
  • provides for civil remedies

Get the Electronic Communications Privacy Act at
http://www.lawresearch.com/v2/ctprivacy.htm

The Act sets forth detailed procedures that must be followed by a government agency in order to intercept or disclose and use intercepted wire, oral, or electronic communications. Application must be made to a court and an ex parte order issued.

2.2.2.2 Cases in terms of the Electronic Communications Privacy Act
Since the enactment of the Act it has received attention in several court cases. In Stone Jackson Games Incorporated v United States Secret Service,77 the 5th Circuit held that seizure by the US Secret Service of a computer containing private stored electronic mail was not an unlawful interception under the Act. The court reasoned that the seizure was not prohibited because the e-mail was not in the process of being transmitted when it was taken. In Davis et al. v Gracey et al.78 the 10th Circuit held that the incidental seizure of electronic mail, stored in a computer that was confiscated by the police under valid search warrant was not an illegal search and seizure under the Fourth Amendment, nor a violation of it. Davis argued that the warrant only authorised the search of equipment pertaining to the distribution of pornographic material. The court, however, noted the difficulty of separating the contents of electronic storage from the hardware and found no legal or practical basis for requiring the police to avoid seizing the electronic contents to preserve the legality of the hardware seizure. In McVeigh v Cohen,79 a district court enjoined the discharge of an enlisted navy officer. The navy had ascertained that the naval officer was a homosexual by obtaining subscriber information from America Online without first obtaining the required court order and warrant, in violation of the Act. The court commended that in these days of “big brother”, where through technology the privacy interest of individuals is being ignored or marginalised, it is imperative that laws explicitly protecting these rights be strictly observed.

376
2.3 Information privacy in the European Union

On 24 October 1995 the European Union finally adopted its long awaited Directive on Data Protection80 which has been effective since 24 October 1998.81 Member countries of the EU were required to enact the Directive’s provisions before the effective date and to this extent the UK enacted a new and more comprehensive Data Protection Act in 1998.

Rosenoer The Privacy Directive (1995) at
http://www.cyberlaw.com/cylw0895.html

 

The EU Directive seeks to prevent abuse of personal data and lays down
comprehensive rules, including an obligation to collect data only for specified, explicit and legitimate purposes, as well as to only hold data if it is relevant, accurate and up to date. The Directive requires all data processing to have a proper legal basis and grants subjects a number of important rights, including the right of access to the data, the right to know where the data originated from, the right to have inaccurate data rectified, a right of recourse in the event of unlawful processing and the right to withhold permission to use data in certain circumstances.

377

The Directive expressly sets forth the only instances in which personal data may be stored and collected. These include situations where:

  • The data subject has given consent unambiguously.
  • Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject entering into a contract.
  • Processing is necessary for compliance with a legal obligation to which the controller is a subject.
  • Processing is necessary in order to protect the vital interests of the data subject.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
  • Processing is necessary for the purpose of the legitimate interest perused by the controller or by the third party or parties to whom the data are disclosed, except where such interest is overridden by the interests of fundamental rights and freedoms of that data subject who requires protection under article 1(1).
In addition the Directive creates a Supervisory Authority (SA) for every member state and requires all collectors of personal data to register with the SA of each member state before processing information on data subjects located in that state. After such registration the collector must make extensive disclosures to the SA concerning the use of personal information. The SA furthermore, has the power to monitor compliance with the Directive within a member state’s territory.
 
Finally, Article 26 of the Directive requires that:  
“Member States shall provide that the transfer, whether temporary or permanent, to a third country of personal data which are undergoing processing or which have been collected with a view to processing may take place only if the third country in question ensures an adequate level of protection.” (our emphasis) 
Thus companies operating in the 15 EU member states and transmitting data outside the EU are not allowed to do so unless the third country protects personal information at standards acceptable to the EU. As the EU and the United States hold very different views on information privacy protection, the Directive spurred trade meetings on acceptable standards, congressional activity and calls from the White House for progress.82
2.4 Information privacy and juristic persons (companies)

At common law it was argued that companies and other organisations could not have a right to privacy because of the human nature inherent to the right.83 In Financial Mail (Pty) Ltd v Sage Holdings Ltd84 the Appellate Division held that an artificial person, e.g. a company, might have a right to privacy.

  377

There can however not be an invasion of privacy unless a reasonable expectation of privacy exists.85 This view accords with the information privacy of companies protected under the common law in Financial Mail86 and the rights juristic persons were assumed to possess in AK Entertainment CC v Minister of Safety and Security.87
 
Section 8(4) of the Constitution88 furthermore provides that juristic persons are entitled to the rights in the Bill of Rights to the extent required by the nature of the rights and of the juristic person.
3. Right to information
In terms of section 32 (1) of the Constitution:

Everyone has the right of access to –

a) any information held by the state; and
b) any information that is held by another person and that is required for the exercise or the protection of any rights.
Although the right to privacy and the right to information seem to be competing rights at first glance, section 32 (1)(b) makes it clear that the right to information can be used to protect the right to privacy. It could therefore be imagined that an Internet user could invoke the right to information to obtain information that could prove that an infringement of the right to privacy occurred and to prevent such information being misused.

The operation of section 32 is in effect suspended for a period to allow Parliament to comply with section 32(2), which states that Parliament must enact legislation to give effect to a right to access of information. In this regard, the Open Democracy Bill89 was introduced in Parliament in 1998 and was the subject of submissions to the Justice Parliamentary Portfolio Committee. However, it was withdrawn, presumably for reintroduction in 1999.

Get the Open Democracy Bill at
http://www.polity.org.za/govdocs/bills/1998/

379

This Bill, even in its draft form, has been used to give effect to the right of access to information.90 In broad terms the Bill regulates:

  • public access to government records and the grounds on which access could be refused91
  • personal access to personal information held by both government and private bodies92
  • the correction of personal information held by government and
    private bodies93
  • the use of personal information by government and private bodies94
  • the collection of personal information by government bodies95
  • the disclosure of personal information by government and private bodies96

The pressing question to be answered is whether the Bill provides adequate data protection, especially in light of the EU data export requirements.97 Bennet98 has identified a number of principles, referred to as “fair information principles”, that have come to be accepted internationally as the essential ingredients of an adequate data protection policy:

  • The principle of openness. This principle entails that the existence of data banks, record-keeping systems and registers should be publicly known. The Bill complies with this principle as far as government records are concerned,99 but excludes public enterprises that operate systems of financial administration and all private bodies.
  • The principle of individual access and correction. The Bill provides for the access and correction of personal records held by both government and private bodies.100
  • The principle of collection limitation. This principle envisages that there should be limits to the collection of data. Data should be collected by legal and fair means and, where appropriate, with the consent of the data subject.101 The Bill places limits on government collection of information,102 but there are regrettably no limits on data collection by private bodies.
  • The principle of use limitation. This principle requires that there must be limits on the use of collected personal data. The Bill limits the use of personal data by both government and private bodies to the extent that it may only be used with the consent of the data subject, for the purpose for which the data was obtained or compiled103 or for the purpose to conform with the disclosure requirements of the Bill.104
  • The principle of disclosure limitation. Information should only be disclosed for purposes relevant to the purpose for which it was collected. For example, information gathered for income tax purposes should not be used to determine eligibility for social assistance.105 To this extent the Bill details the situations where personal information may be disclosed.106

380

Most internationally accepted fair information principles are protected by the Bill, but whether they are adequate in protecting the individual’s right to privacy will largely depend on how these provisions are applied and interpreted in practice.107
4. Privacy issues on the Internet
Personal information is vulnerable in different forms and in different situations on the Internet.

The type of information could vary. It could be in the form of a personal e-mail message between two Internet users or a confidential contract between two companies sent via e-mail. Such information is vulnerable to unauthorised access and use by third parties. The information could furthermore be in a form requested for an e-commerce transaction and provided voluntarily by the user, e.g. a credit card number, physical address, telephone number, e-mail address, occupation or income. This information is vulnerable in the sense of its unauthorised use or sale to third parties. Finally, electronic identification technology such as cookies could be used to build up profiles of the browsing and buying habits of Internet users. This information could be matched with other information and used by marketing agencies to personalise their marketing and advertisements or by governments for security concerns.

381

Sim Privacy on the Information Highway (1994) at http://www.mbnet.mb.ca/~psim/privacy.html
 
Kirsh, Phillips & McIntyre Recommendations for the Evolution of Cyberlaw (1998) at http://www.ascusc.org/jcmc/vol2/issue2/kirsh.html
4.1 Spamming

4.1.1 What is spamming?
Spamming108 refers to the bulk sending of unsolicited e-mail advertisements to huge numbers of Internet users. As e-mail addresses can be obtained from a number of sources on the Internet, a lucrative trade is developing in mailing lists. Unlike the use of traditional post, the sending and receiving of e-mail is generally free. This enables advertisers and marketing agencies to send hundreds of thousands of advertisements to target audiences. Spamming burdens the e-mail user with unwanted advertising or long downloading times and also damages ISPs, as it slows down their services and causes resentment by subscribers who expect the ISP to control the practice.

  382

4.1.2 Regulation of spamming in the United States of America
In the United States a number of ISPs have successfully sued the largest spammer in America, Cyber Promotions Inc. In the first such case, Cyber Promotions Inc. v America Online Inc.,109 the court held that the First Amendment’s protection of speech did not stop the ISP from preventing unsolicited e-mail from being sent over the Internet to its subscribers. In so ruling, the court determined that the ISP’s computer system was not a public forum in which Cyber Promotions Inc. had a right to speak. The court furthermore noted that Cyber Promotions had numerous other advertising alternatives, such as creating a web site or advertising in traditional channels through radio, television and newspapers. In CompuServe Inc. v Cyber Promotions Inc.,110 the ISP alleged that Cyber trespassed on its personal property, i.e. CompuServe’s equipment. In finding an actionable tort, the court noted that the use of personal property without consent is a trespass.
 
In Parker et al. v CN Enterprises et al.111 the District Court granted judgment against the defendant, which was ordered to pay damages to the amount of US$13 000 and forbidden to engage in spam activities in the future. CN Enterprises, a Californian spammer, used the domain name of flowers.com without permission as a return address in a large-scale electronic mailing. This resulted in the shutdown of the ISP that hosted the flowers.com domain for some time, due to the volume of e-mail replies.

Legislation has been introduced in Congress to ban or regulate spamming in the absence of a pre-existing business relationship.112 This legislation collectively aims at:

  • creating a scheme through which potential recipients must consent to receiving unsolicited e-mail
  • allowing recipients to use opt-out options that must be implemented by the spammers
  • allowing ISPs to block unsolicited e-mail
  • forcing spammers to use the word “advertisement” in the subject line of their e-mail
  • creating a cause of action against spammers who use return addresses other than their own, avoid responses and try to avoid
    filtering mechanisms
  • creating a Standards Setting Body for the spamming industry
Get existing and emerging laws on junk e-mail and spamming at http://www.tigerden.com/junkmail/laws.html
 
4.1.3 Regulation of spamming in South Africa
Spammers have the constitutional right to commercial expression.113 The US Supreme Court114 also extended First Amendment protection to pure economic advertising and stated that the dissemination of commercial information through advertising performs important public interest functions of ensuring the free flow of information indispensable to proper resource allocation in a free market.
  383

The Advertising Standards Authority regulates advertising in South Africa. It is an independent body set up by the advertising industry to ensure lawful, honest and informative advertising. The purpose of its Code of Advertising Practice is to regulate commercial advertising and to deal with complaints from the public. In both Canada115 and the United States116 industry regulation of advertising should still be justified in terms of their respective constitutions and the same would apply in South Africa.117 It is therefore clear that both legislative and industry restrictions on spamming would have to be reasonable and justifiable limitation on free expression in terms of the limitation clause of the Constitution.118
 
It should however be kept in mind that where spamming is concerned, it is not the content of the advertising that causes the resentment, but rather the methods employed to distribute such advertising. Any form of advertising could be the subject of spamming techniques. Possible restrictions should therefore not limit the underlying expression right of the spammer. To deliver their advertising, spammers make use of the property of others, such as the servers of an ISP. It could therefore be asked to what extent private property owners may exercise their common law right to determine what forms of expression are permissible on their property. Conversely, do spammers have the right to express themselves on private property without the consent of the owner? Local jurisprudence on this topic is non-existent. In Cyber Promotions Inc. v America Online Inc.,119 the court held that the ISP’s property was not a public forum in which Cyber Promotions Inc. had a right to speak. In Hudgens v NLRD120 it was held that no citizen had a First Amendment (free speech) right of access to a private shopping centre over the objections of the owner. It is suggested the South African courts would allow ISPs to restrict and regulate spammers as a justifiable limitation to their free speech rights.

Spamming may also raise trademark concerns when spammers use return addresses consisting of domain names and trademarks owned by other entities.121 This misleads the recipient into believing that the owner of the trademark sent or endorsed the mail, thereby causing confusion and potential damage to the reputation of the trademark owner. In the US case of Hotmail Corp v Van$ Money Pie Inc.,122 Hotmail was granted an injunction against the defendant which sent spam electronic messages advertising pornographic material with return Hotmail electronic mail addresses.

  384

A mailing list used by a spammer would be a data bank containing personal information in terms of the Open Democracy Bill.123 Spammers must therefore either obtain the consent of the individual or prove that the original list was compiled for marketing purposes or a consistent purpose.124
 
It is furthermore suggested that an ISP whose server is damaged by spamming might have a delictual claim for pure economic loss against the spammer who caused such damage.

In light of the above, marketing agencies using unsolicited e-mail to deliver their advertising should:

  • obtain the consent of the individual to be included in a mailing list that would be used to send unsolicited e-mail advertising
  • use their own return addresses
  • provide and respond to opt-out options by removing those who want to be removed from a mailing list within a reasonable time
  • consult the user policies of ISPs to determine whether unsolicited mail would be tolerated
  • confirm postings to a mailing list to avoid individuals being placed on it without their consent
  • refrain from using technologies that would avoid filtering software employed by ISPs and individuals
  • compile and maintain mailing lists in terms of the provisions of the Open Democracy Bill125
Get an example of guidelines for spammers at
http://www.ietf.org/internet-drafts/draft-ietf-run-spew-08.txt
4.2 Cookies and “little brothers”

The existence and use of cookies, or as they are sometimes referred to, “little brothers”, create serious privacy concerns for Internet users. Cookies can track electronic footprints on the Internet, such as the sites a user accesses and the time spent on such sites. This information could be linked to the e-mail address of the user and sold to direct marketers, collection agencies, private investigators, mortgage brokers and even the government. This is admittedly an extreme example, but it is quite possible.

  385

4.2.1 What is a cookie?
A cookie is an HTTP header that consists of a text-only string. The string is
usually a set of random-looking letters long enough to be unique to every user. The cookie is sent from the server of the web site the user accessed the first time and is saved on the user’s hard drive. When the user accesses that site again, a copy of the cookie is sent with the request to that site. In this way the remote server knows who the user is and that he/she visited the site before.126
 
One of the popular myths about cookies is that they can scan a user’s hard drive and gather information such as passwords, credit card numbers and more. That is impossible. A cookie can only determine a user’s IP address, the type of browser being used and the operating system of the user’s computer. The only other information a cookie can “remember” is information a user gave a web site, such as an e-mail number, name or address. It is important to realise that cookies cannot read an Internet user’s hard drive to find information, they cannot fill up all the space on a hard drive and they cannot be used as or carry viruses.127
 
4.2.2 Why were cookies developed and what do they do?
Cookies were originally developed as a mechanism to make it easier for users to access a web site without going through a lengthy process of identification. For instance, during a user’s first visit to a given site, the user might be asked to reveal his/her name, e-mail address and some other personal information required to access the site. That site will then place a cookie containing this information on the user’s computer and when he/she returns to the site, the site will use the cookie to determine who the user is and give access.128

Cookies were later used to personalise web sites and customise homepages or portals. Whenever a user requests a customised homepage, the cookie is sent along to identify the user. The custom page then knows, for example, how to greet the user by his/her first name and display the user’s favourite newspaper. Without cookies, a user will have to identify him/herself every time the site is accessed, or the server of the remote site will have the impossible task of saving all the custom page settings of every visiting user. Furthermore, cookies are used by Internet shopping sites to keep track of users’ shopping and carts. When a user first uses a shopping site, the site sends a cookie containing the ID number of the user’s shopping cart. When the user is finished shopping, the checkout page lists all the shopping items in the cart. Without cookies, a user would have to keep track of every item he/she wants to buy and type in the list at the checkout page.

  386

It is therefore clear that the use of cookies makes the Internet more accessible and easier to use. But unfortunately that is not the end of the story – one of the less admirable uses of cookies, and the one that is causing all the controversy, is its use as a device for tracking the browsing and buying habits of individual Internet users. On multiple client sites being served by the same marketing site, cookies can be used to track browsing habits of users – the sites they visit, the amount of time spent there and sites accessed from and before that specific site.
 
This is possible because a marketing firm contracts with multiple client sites to display its advertising. The client sites simply put an <IMG> tag on their web pages to display the image containing the marketing firm’s advertisement. The tag does not point to an image file on the client’s web site but contains the URL of the marketing firm’s advertisement server and includes the URL of the client’s page. Thus, when a user accesses a page on the client’s site the advertisement is actually obtained from the advertising firm’s site. The advertising firm sends a cookie along with the advertisement and that cookie is sent back to its site the next time a user views any page containing one of its advertisements. In this way the advertising firm knows what web sites a user views, how often they are viewed, for how long they are viewed and the IP address of the user’s computer. This information is used to infer the topics the user is interested in and to target advertising based on the inferences.129 These cookies are referred to as persistent cookies, as they have expiry dates way into the future. In the worst case scenario, this information can be sold to other marketing firms or governments.

4.2.3 Regulation of cookies in the EU and United States of America
Governments react differently to the cookie issue. The EU is of the opinion that no personal data should be collected from Internet users without their express consent. In terms of the Directive on Data Protection,130 the national Data Regulators of EU member countries have wide powers to control what data can be obtained from users and to halt the export of data to countries deemed to have inadequate data protection.

  387

The US relies primarily on industry and user self-regulation. On 9 March 1999 the US Energy Department’s Computer Incident Advisory Capability (CIAC) issued a statement that the hype about cookies far outweighs the actual
hazards of the technology and that cookies do not compromise the privacy or safety of Internet users.131 In March 1999 both Intel and Microsoft were forced by public outcry to remove and disarm embedded tracking mechanisms from Intel’s Pentium III microprocessor and Microsoft’s Windows 98 operating
system.132 It is, furthermore, not difficult for Internet users themselves to delete, disarm and not allow their browsers to accept cookies.
 
4.2.4 Regulation of cookies in South Africa
In South Africa, the Open Democracy Bill133 will, once it is enacted, have serious consequences for local web sites and their owners obtaining and using information obtained through cookies. In terms of section 53 of the Bill a private body may not use personal information, except:
  • if the person to whom or which the information relates has consented to its use134
  • the information is used for the purpose it was obtained or compiled for
  • where the Bill allows for the use of the information135
It is therefore clear that, in the absence of express consent by an Internet user, a local organisation (e.g. an ISP) that uses cookies for the purpose of customising its homepage cannot sell that information to marketing companies for advertising purposes without the consent of the user concerned. Although the Bill places restrictions on the government to collect information,136 no such restrictions exist for private bodies.
 
It is suggested that web site owners state whether their sites use cookies in a privacy policy that could be viewed through a link from their homepages. Such a policy should also state the reason for which the information is collected and whether such information would be regarded as confidential or released to others such as marketing agencies.

All Internet browsers allow users to disarm and disable cookies, and it is therefore suggested that the legislature should leave the choice of accepting cookies or not in the hands of individual users.

388

 
Get The Unofficial Cookie FAQ at
http://www.cookiecentral.com/faq/ index.shtml
 
Get more information on Internet Cookies from the US Department of Energy at
http://www.ciac.org/ciac/ bulletins/i-034.shtml
 
A step-by-step guide on how to
disable cookies at
http://www.junkbusters.com/ht/en/cookies.html
Author biography  
Reinhardt Buys grew up on the farm Beerlaagte outside Grootvlei (Mpumalanga) and matriculated from the Hoër Volkskool Heidelberg in 1989. He completed BLC and LLB degrees at the University of Pretoria where he was also elected to the Student Representative Council in 1994. After completion of his articles at Weavind & Weavind Attorneys in Pretoria, Reinhardt completed an LLM degree at the University of Cape Town, focusing on electronic commerce and civil liberties in cyberspace. He currently heads the IT/Internet Law unit at Sonnenberg Hoffmann & Galombik in Cape Town and enrolled for a Postgraduate Diploma in Company Law at the University of Stellenbosch. Reinhardt frequently publishes articles on Internet law and Y2K-related legal issues.

 
388
  1. Article 12 (Back)
  2. Article 8
  3. Article 17
  4. Article 11
  5. Case v Minister of Safety and Security 1996 (3) SA 617 (CC) (Back)
  6. Westfin Privacy and Freedom (1967) 7
  7. International Commission of Jurists Conclusions of the Nordic Conference on the Right to Privacy (1967)
  8. Brandeis J (dissenting) in Olmstead v United States 277 US 438
  9. National Media Ltd & another v Jooste 1996 (3) SA 262 (A) at 271
  10. 108 of 1996 (Back)
  11. McQuoid-Mason in Constitutional Law of South Africa Privacy (1998) 18­11
  12. 1995 (3) SA 848 (W)
  13. McQuoid-Mason in Constitutional Law of South Africa Privacy (1998) 18­11
  14. Case v Minister of Safety and Security 1996 (3) SA 617 (CC)
  15. Section 36 (Back)
  16. Statistics Act 66 of 1976
  17. Ibid.
  18. E.g. the Income Tax Act 58 of 1962
  19. Child Care Act 74 of 1984; Prevention of Family Violence Act 133 of 1993
  20. Mental Health Act 18 of 1973 (Back)
  21. Interception and Monitoring Prohibition Act 127 of 1992
  22. S v Motloutsi 1996(1) SA 584 (C)
  23. 51 of 1977
  24. Sections 23 & 21 (2)
  25. S v Motloutsi 1996 (1) SA 584 (C); see also S v Madiba & Another 1998 (1) BCLR 38 (D) and S v Kumendi 1998 (5) BCLR 530 where evidence was allowed in spite of constitutional right of privacy being breached (Back)
  26. Chaskalson in Constitutional Law of South Africa Evidence (1998)
    26-18
  27. 1996 (4) SA 187 (CC), 1996 (6) BCLR 788 (CC) at para 13
  28. See, for example, S v Soci 1998 (3) BCLR 376 (E) at 393, S v Gumede & others 1998 (5) BCLR 530 (D) at 541 and S v Van der Merwe 1997 (10) BCLR 1470 (O), 1998 (1) SACR 194 (O) at 201
  29. R v Wray (1971) 11 DLR (3d) 673; R v Collins 28 CRR 122 at 137; Sopinka, Lederman & Briant The Law of Evidence in Canada 401 et seq
  30. The accused bears the onus of proving all the requirements of section 35(5) (Back)
  31. S v Naidoo & another 1998 (1) BCLR 46 (D)
  32. S v Motloutsi 1996 (2) BCLR 220 (C) at 226-8; S v Mayekiso 1996 (9) BCLR (C) at 1174
  33. 1998 (1) BCLR 46 (D) at 91E
  34. Chaskalson in Constitutional Law of South Africa Evidence (1998) 26-20A
  35. Section 37 (Back)
  36. See for example section 25 of the Criminal Procedure Act 51 of 1977
  37. See for example section 71 of the Internal Security Act 74 of 1982 and section 118A of the Post Office Act 44 of 1958
  38. S v A 1971 (2) SA 293 T at 297
  39. Ibid
  40. 1995 (4) SA 293 (A) (Back)
  41. For example section 51 of the Marine Living Resources Act 18 of 1998, section 1 of the Domestic Violence Act 116 of 1998, section 54 of the Aliens Control Act 96 of 1991 and subsection 26, 27, 52 & 68 of the Correctional Services Act 11 of 1998
  42. 51 of 1977
  43. 127 of 1992
  44. Supra
  45. Section 20 (Back)
  46. Section 21(2)
  47. Section 22
  48. Section 20 & 21
  49. SA Law Commission Issue Paper 14: Computer Related Crime (1998) 13
  50. For example a Local Area Network (LAN) (Back)
  51. Supra
  52. 127 of 1997
  53. RN 10 GG 5026 dd 1/2/1993
  54. “Communication” is not defined in the Act, but there is no suggestion that any transmission of electronic information is excluded.
  55. Section 3(b), a “serious offence” is defined in section 1 as any offence mentioned in schedule 1 of the Criminal Procedure Act 1951 of 1977
  56. Section 3(b) (Back)
  57. Ibid
  58. Section 2
  59. S v Naidoo & Another 1998 (1) BCLR 46 (N) at 72
  60. Such as the First, Third, Fourth, Fifth, Ninth and Fourteenth Amendments; Griswold v Connecticut 381 US 479; Roe v Wade 410 US 113 (Back)
  61. Bowers v Hardwick 478 US 186
  62. Per Goldberg J in Griswold v Connecticut 14 LEd 2nd 510
  63. Tribe American Constitutional Law 2ed (1988) 1390
  64. 389 US 347 (1967)
  65. 425 US 435 (1976) (Back)
  66. 442 US 735
  67. 424 US 693 712 (1976)
  68. 433 US 425 (1970)
  69. Tribe American Constitutional Law 2ed (1988) 1400
  70. Roditti Computer Contracts (1998) 15-108 (Back)
  71. 5 USC§ 552a
  72. 15 USC§ 1681
  73. 5 USC§ 552
  74. 42 USC§ 2000aa et seq
  75. 47 USC§ 551 (Back)
  76. Supra
  77. 36F.3D 457 (5th Circuit) 1994
  78. No 95­6245 (10th Circuit) 21 April 1997
  79. 983F Supp 215 (D) DC 1998
  80. 95/46/EC; the formal name of the Directive is the “European Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data”. (Back)
  81. 95/46/EC
  82. Roditti Computer Contracts (1998) 14-40
  83. Universiteit van Pretoria v Tommie Meyer Films 1977 (4) SA 376 (T); Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1979 (1) SA 441 (A)
  84. 1993 (2) SA 451 (A), where it was held that a company had the right to sue for invasion of privacy where a newspaper had obtained information from a private memorandum and unlawful tape recordings of director’s meetings.
  85. Bernstein v Bester NO 1996 (2) SA 751 (CC) (Back)
  86. Supra
  87. 1995 (1) SA 783 (E)
  88. Supra
  89. B67 of 1998
  90. Klaaren in Constitutional Law of South Africa Access to Information (1998) 24-2 (Back)
  91. Chapter 1­2
  92. Section 50
  93. Section 51­52
  94. Section 53­54
  95. Section 61 (Back)
  96. Section 55­56
  97. Section 26 EU Data Directive (1998)
  98. Bennet Regulating Privacy (1992) 101
  99. Section 6
  100. Section 9, section 50, section 51 & section 52 (Back)
  101. Bennet Regulating Privacy (1992) 106
  102. Section 61
  103. Section 53 & 54
  104. In terms of section 55 & 56
  105. Bennet Regulating Privacy (1992) 106 (Back)
  106. Section 55 & 56
  107. Roos Data protection provisions in the Open Democracy Bill, 1997 THRHR (1998) 497 at 505
  108. The term “spam” was derived from a Monty Python sketch set in a movie studio cafeteria, where the word “spam” takes over each item on the menu until the entire dialogue consists of “spam, spam, spam.” Apparently this so closely resembles what happens when mass unsolicited mail takes over mailing lists that the term has been put into common usage; Malkin & Hambridge Don’t spew (1999) http://www.ietf.org/internet-drafts/draft-ietf-run-spew-08.txt
  109. 1996 WL 633701 (ED PA 1996)
  110. 962 F Supp 1015 (SD OH 1997) (Back)
  111. Unreported, see http://www.tigerden.com/junkmail/cases/
    flowersjudgement.html
  112. The Netizen Protection Act of 1997
    http://tigerden.com/junkmail/Smith.bill.html; The Unsolicited Commercial Electronic Mail Choice Act of 1997; The Electronic Mail Box Protection Act of 1997 http://www.vtw.org/uce/
  113. Section 16(1)(b) of the Constitution 108 of 1996
  114. Virginia State Board of Pharmacy v Virginia Citizens Consumer Council 425 US 748 (1976)
  115. See e.g. Griffen v College of Dental Surgeons, Ontario (1990) 71 DLR (4th) 68 (SCC) (Back)
  116. See e.g. In Re Primus 436 (US) 412 (1978)
  117. Marcus & Spitz in Constitutional Law of South Africa Expression (1998) 20-51
  118. Section 36
  119. Supra
  120. 424 US 507 (1976) (Back)
  121. Chissick & Kelman Electronic Commerce Law and Practice (1999) 34
  122. [1998] WL 388389, 47 USPQ 2nd 1020 (NA Cal., April 16, 1998)
  123. B67 of 1998
  124. Section 53
  125. Supra (Back)
  126. US Department of Energy: Computer Incident Advisory Capability Internet Cookies (1998) http://www.ciac.org/ciac/bulletins/i-034.shtml
  127. Whalen The Unofficial Cookie FAQ (1999) http://www.cookiecentral.com/faq/index.shtml
    http://www.ciac.org/ciac/bulletins/i-034.shtml
    http://www.techweb.com/wire/story/TWB19980 316S0015; Festa in Enterprise Computing Government OK’s cookies (16 March 1998)
  128. Cookie Central What went wrong? (1998) http://www.cookiecentral.com/cookie5.htm
  129. US Department of Energy: Computer Incident Advisory Capability Internet Cookies (1998)
  130. Supra (Back)
  131. Craig in TechWeb Cookie Worries are Unfounded, US Government says (16 March 1999)
  132. Schenkler in Time magazine Who Watches the Web? (19 April 1999) 56
  133. B67 of 1998
  134. Section 58 deals with the way in which consent should be obtained.
  135. Section 55 deals with the circumstances in which a private body may disclose personal information. (Back)
  136. Section 61