Forgot your password?
typodupeerror
The Courts Government United States News Your Rights Online

Database Records and "In Plain Sight" Searches 154

Posted by CmdrTaco
from the but-it's-sitting-right-there dept.
chriswaco writes "A federal appeals court ruled that database records are not 'in plain sight' when other records in the same database are subpoenaed. The case involved Major League Baseball drug test results, but the implications are far wider."
This discussion has been archived. No new comments can be posted.

Database Records and "In Plain Sight" Searches

Comments Filter:
  • Makes sense to me (Score:5, Insightful)

    by Stenchwarrior (1335051) on Thursday August 27, 2009 @10:45AM (#29216899)
    Otherwise, what would keep someone from gaining access to information completely irrelevant to the records being subpoenaed in the first place? I'm actually surprised HIPAA didn't get involved sooner since patients' privacy could have been compromised.
    • Otherwise, what would keep someone from gaining access to information completely irrelevant to the records being subpoenaed in the first place?

      Isn't that the whole point of warrants to begin with. They get it on some technicality, then go on a fishing trip. This applies to private companies as well as governments by the way.

    • Re: (Score:3, Informative)

      by RingDev (879105)

      The "P" in HIPAA stands for Portability, not Privacy.

      -Rick

      • Re:Makes sense to me (Score:5, Interesting)

        by DragonWriter (970822) on Thursday August 27, 2009 @11:12AM (#29217247)

        The "P" in HIPAA stands for Portability, not Privacy.

        And the "A" stands for "Accountability" (which refers, in large part, to 'accountability for use of personal information'.) The major regulatorions under HIPAA include the Privacy Rule which controls use and disclosure of protected health information (PHI) by covered entities, the Security Rule which covers the required protection of electronic PHI held and communicated by covered entities, and the Transactions and Code Sets rule which establishes standards for how insurance-related transactions are conducted in electronic media. The first two of those rules are directed at protecting privacy.

        HIPAA isn't all about privacy, but privacy protections are an important part of it (they were incorporated largely because privacy fears were one of the reasons people were resistant to the rest of the pieces aimed at acheiving efficiency by promoting and standardizing use of electronic transactions for health insurance billing and related activities.)

        • Re: (Score:3, Insightful)

          by Lumpy (12016)

          And sarbanes Oxley is defined as a pain in the ass for all the IT people.

        • Re:Makes sense to me (Score:5, Informative)

          by RingDev (879105) on Thursday August 27, 2009 @11:40AM (#29217717) Homepage Journal

          On the Privacy rule, from HIPAA's own web site:

          Who Is Not Required to Follow This Law

          Many organizations that have health information about you do not have to follow this law.

          Examples of organizations that do not have to follow the Privacy Rule include:

                  * life insurers,
                  * employers,
                  * workers compensation carriers,
                  * many schools and school districts,
                  * many state agencies like child protective service agencies,
                  * many law enforcement agencies,
                  * many municipal offices.

          Once your employer has your health information, they are not bound to the Privacy Rule.

          I'm not saying HIPAA is all bad, but a lot of people have the misconception that the "P" in HIPAA stands for Privacy and that HIPAA is designed solely to protect them. Neither of which is true.

          -Rick

          • Re: (Score:2, Insightful)

            I don't care what the "P" stands for. I should have a right to privacy regardless of what acronyms some jackass decides to use to implement bullshit regulations and policies to convey a CYA facade.
          • Re: (Score:3, Interesting)

            by DragonWriter (970822)

            On the Privacy rule, from HIPAA's own web site:

            HIPAA isn't an entity, and doesn't have "its own web site". You appear to be referring the Department of Health and Human Services' Office of Civil Rights web site about HIPAA.

            Once your employer has your health information, they are not bound to the Privacy Rule.

            OTOH, the privacy rule prevents them from getting the information without your consent from your insurer or provider. But, yes, the Health Insurance Portability and Accountability Act (HIPAA) applies al

            • by Hyppy (74366)

              HIPAA isn't an entity, and doesn't have "its own web site". You appear to be referring the Department of Health and Human Services' Office of Civil Rights web site about HIPAA.

              Don't be a pedantic ass.

              disturbing number whose jobs are touched by HIPAA, think that the acronym pronounced 'Hi-pah'

              Can you cite an authoritative source regarding the correct pronunciation? Only use official DHHS or Congress websites, please. Otherwise, again, quit with the pedantry.

              The bigger problem than believing that HIPAA is focussed on "privacy" (which HIPAA rules actually do to a considerable extent) is mistaking the scope of their applicability; It's not that people get the "P" part wrong that misleads them as to the impact of HIPAA, but that they don't appreciate the significance of the "HI" part -- that HIPAA is focussed on health insurance industry, and has little impact outside health care and health insurance industry, even where it concerns health information.

              Good point. Unfortunately, though, the scope is far too narrow with too many holes.

              • by hesiod (111176)

                He's correct. If C-Span has video archives you could go back to when it was being debated and listen to the authors of the bill pronounce it that way. Of course websites aren't going to tell you how it's pronounced, it's irrelevant to what they are trying to tell you.

            • by RingDev (879105)

              HIPAA isn't an entity, and doesn't have "its own web site". You appear to be referring the Department of Health and Human Services' Office of Civil Rights web site about HIPAA.

              What is this, the second grade? You're going to go off on some completely unimportant minuscule semantic that holds no value in the topic of debate? What's next, you'll refuse to debate based on the presence of koodies on your opposition?

              IME (and I work directly with HIPAA rules a lot) more people, including a disturbing number whose jobs are touched by HIPAA, think that the acronym pronounced 'Hi-pah' is spelled HIPPA and have no idea what any of the letters stand for.

              IME (and I worked for a company dealing with specific health services) more people make assumptions about the privacy of their medical information with out knowing how it is protected, how it is shared, and who has access to it. I would venture a guess that the vast majorit

              • You're going to go off on some completely unimportant minuscule semantic that holds no value in the topic of debate?

                A reference to a website should either be a clear and accurate description or a hyperlink; I wasn't "going off" on anything, if anything the clarification to make a meaningful reference to the source of the information reinforced the credibility of the information taken from it rather than attacking it.

                I would venture a guess that the vast majority of the US population believes HIPAA provides

  • by guruevi (827432) <evi@NOSpam.smokingcube.be> on Thursday August 27, 2009 @10:48AM (#29216931) Homepage

    SELECT Results, TestingLab FROM SteroidTests WHERE LastName = 'DiMaggio' AND FirstName = 'Joe' does not mean that SELECT * FROM SteroidTests is in plain sight.

    Especially since large databases keep track of more and more things (like your credit cards, names, address, ssn, what you last purchased, credit scores, ...) legitimate seizures of data should be severely limited by the judges issuing a warrant. Right now the feds can get away with: "Judge, this terrorist location is stored in this companies database, let's seize all the database servers of the company" and the judge not understanding how records are stored or how databases work practically gives a warrant for all the data the feds can find including 'collateral' records.

    • by Dare nMc (468959)

      FYI, according to the wired article, this wasn't about a database, it was about a excel file. I think since "in plain sight" is not in the constitution; it is a interpretation of the Constitution that clearly shouldn't apply to computer data (and thats the only justification I can think of for this ruling.) If we assume we have one row for each name, and we have 10 names to look for, sorted by last name, if those 10 names are each on different pages, we then have 10 pages * 30 results per screen, so ~300

    • This is yet another reason to use encryption to ensure that one has some measure of control over privacy and disclosure. For instance, if they want to actually read the data then they will have to inform you so that you can decrypt the data for them which means that you would at least be aware of the request and probably have an opportunity to present your side to the judge and negotiate the terms and conditions of the disclosure. This is better than the judge meeting privately with the government agents an
  • by carp3_noct3m (1185697) <slashdotNO@SPAMwarriors-shade.net> on Thursday August 27, 2009 @10:53AM (#29216995)

    Oh yeah, a much better article on Wired! [wired.com] Despite the bad link and very short summary, it is still an important issue. They key is that they say "Ideally, when searching a computerâ(TM)s hard drive, the government should cull the specific data described in the search warrant, rather than copy the entire drive, the San Francisco-based appeals court ruled. When thatâ(TM)s not possible, the feds must use an independent third party under the courtâ(TM)s supervision," So basically, they had a warrant for 10 drug results, but happened to find 104 results, and took them all. This ruling is a good one in my eyes. Now, they keyword I see there is "ideally", which seems to mean it could be stretched both ways by a smart lawyer, but still overall good stuff.

    • Re: (Score:3, Interesting)

      by urulokion (597607)
      "Ideally" might be try to be stretched but the courts would have to err to the side of the defendant. IF the Feds do go overboard and grab more data than what their search warrant states, all a defense lawyer is to pose a very plausible method the government could have followed to get the data. Any excess data gathered would become tainted, and therefore inadmissible.

      But I agree with the quoted laywer in teh Wired article. I doubt the ruling would survive scrutiny of the SCOTUS with it's current makeup.
  • by bzzfzz (1542813) on Thursday August 27, 2009 @11:20AM (#29217365)
    While the matter at issue involves celebrity figures, the question at hand applies every bit as much to people in industries like technology where drug tests are used.

    The salient facts of the matter were that:

    1. A group of people took tests, the results of which were guaranteed to be confidential.

    2. The government subpoenaed some of the test results.

    3. Investigators collected substantially more test data than the subpoena allowed, stretching the "plain sight" doctrine to the breaking point to do so.

    4. Investigators leaked the test results to others.

    5. The people who took the tests suffered adverse employment consequences, years after the tests were taken.

    Exactly that same sort of thing could happen to you. Let's imagine. Five years ago you tested positive for THC when a random test was required the day after you were, uncharacteristically, at a party thrown by an old friend where there was a great deal of smoke in the air (You don't remember inhaling). Your employer sent you through the spanking mill for the next year and there were additional tests and you were forced to endure flash presentations on drug abuse against your will. You figured that was the end of it.

    Little did you know that the Anytown Police Department happened to hang onto a list of positives they got from ABC Testing and Compliance Services (where you took the test) as the result of an unrelated investigation into a person you do not know. The list was leaked via a cop's wife to the local Human Resources Disucssion Group that meets every 2nd Wednesday at the Perkins. And guess what? Now you can't get a job in Anytown and you don't know why.

    The ruling at issue is a step in the right direction, because it helps plug one of the holes through which some of this data gets out. If you don't care, you should -- unless you have nothing to hide.

    • do not take these tests. ever.

      nothing good comes from volunteering to be 'examined' for things that nature deems are perfectly normal.

      if enough people took a stand as refuseniks, then change would happen.

      any pre-employment papers that say I have to be tested, I cross those lines out. some employers are ok with you refusing it and those that aren't, well, that's tell about THEIR priorities, isn't it? don't work for them. just say no (lol).

      • by bzzfzz (1542813)

        do not take these tests. ever. nothing good comes from volunteering to be 'examined' for things that nature deems are perfectly normal. if enough people took a stand as refuseniks, then change would happen. any pre-employment papers that say I have to be tested, I cross those lines out. some employers are ok with you refusing it and those that aren't, well, that's tell about THEIR priorities, isn't it? don't work for them. just say no (lol).

        That's a valid strategy if you're willing to constrain your universe of employers to startups and other smaller employers that are not in a highly regulated business. I went for 15 years without having to take a drug test. Then the economy tanked and I had to take a job with one of the companies you read about in the newspaper, and so I got to piss in a plastic cup for them under the supervision of some minimum-wage nursing school dropout. Or welch on my mortgage. It was, frankly, an easy choice to make

    • by mcgrew (92797) *

      Five years ago you tested positive for THC when a random test was required the day after you were, uncharacteristically, at a party thrown by an old friend where there was a great deal of smoke in the air

      Or had eaten some poppy seed cake, which can cause you to test positive for heroin. Some ulcer medications will cause you to test positive for THC.

    • I have mod points, but will refrain from moderating any other comments in this discussion and post a reply instead, because you've nailed it. Wish you could be modded +6

  • by parkrrrr (30782) on Thursday August 27, 2009 @11:36AM (#29217647)

    From the article:

    The players were assured that the results would remain anonymous and confidential

    So the question is, why isn't the players' union suing Major League Baseball for breach of contract? Anonymous and confidential is not the same as identifiable but confidential; if the results actually had been anonymous as promised, this breach never could have happened.

    • Re: (Score:3, Informative)

      by bzzfzz (1542813)

      From the article:

      The players were assured that the results would remain anonymous and confidential

      So the question is, why isn't the players' union suing Major League Baseball for breach of contract? Anonymous and confidential is not the same as identifiable but confidential; if the results actually had been anonymous as promised, this breach never could have happened.

      In order to administer the program, which included retests, MLB had to retain some information about the identity of each person tested. A promise that information will remain anonymous is not a promise to destroy all information relating to identity.

      You can't win a lawsuit alleging that someone permitted law enforcement to conduct a search in compliance with a valid federal subpoena.

      You can't win a lawsuit against a newspaper forcing them to identify anonymous sources.

      You can't win a lawsuit agains

      • by parkrrrr (30782)

        A promise that information will remain anonymous is not a promise to destroy all information relating to identity.

        Well, yeah, actually, it kinda is. That's what anonymous means.

        There are protocols that could allow for retesting without the testing or collecting parties needing to know anything about the identity of the party being tested. The simplest one I can think of off the top of my head: randomly issue a sheet of identically numbered labels to each participating player, without tracking which player

    • They are suing. They are suing the government. The court decision is from that lawsuit.
      • by parkrrrr (30782)

        They're suing over the loss of confidentiality. As near as I can tell, the fact that the loss of confidentiality was able to have any effect on them at all is because there never was any of the promised anonymity. The government is not the only party who did something wrong here.

  • but in this specific case, i would rather these assholes using steroids and destroying the sport of baseball be exposed and embarrassed

    the rule of law is important

    the rule of moral behavior is more important (especially since law and morality are often in conflict, unfortunately)

    outing steroid abusers who are destroying a national pasttime by making it more about artificial enhancement rather than natural skill, and convincing impressionable boys to inject themselves with drugs which put their health in jeo

    • So you are arguing that the rights of individuals should be subservient to the interests of the state. This is equivalent to the "tear up the consitution; there are terrorists out there" argument that has prevailed in a lot of places in recent years.

      Certainly such systems of government (where the individual is subservient to the state) have existed and still do, and there are those who want to restore them, often but not exclusively in the name of religion. A lot of blood has been shed over the last three

    • by curunir (98273) *

      While I agree with your sentiment regarding destroying the game, I disagree that it's the actual steroid abusers who are most to blame for it. To me, those most culpable are the representatives of the Commissioner's office and the MLBPA (basically, Bud Selig and Donald Fehr.) I believe that those people have done a masterful job of making the dirty players the scapegoat to hide their own complicit actions.

      Steroid use rose to prominence as baseball was recovering from the strike. Those in charge of the leagu

  • Makes sense (Score:5, Insightful)

    by ShooterNeo (555040) on Thursday August 27, 2009 @12:38PM (#29218595)

    The "in plain sight" doctrine came about as a result of an old Supreme Court case. What it boils down to is, if the cops execute a search warrant or other lawful search, and they happen to spot evidence of another crime "in plain sight", they can use that evidence to arrest and charge someone. Say the cops are checking your motel room for an escaped prisoner. They can't go rifling through your bag looking for drugs once they've searched the room. But, if you have a meth lab set up in the room, they can get you for that.

    The same thing with this database search. Databases can be any arbitrary size : a database could have records on every citizen in the United States. If the cops were given a warrant to check on the records of a specific citizen, the rest of the database should be off limits. Otherwise, there's no real limit to the games the cops could play, and they would effectively have the power to investigate every citizen in the United Stats for a crime at all times. What if the "database" contained the banking records of every citizen in the U.S.?

    • by Dare nMc (468959)

      Exactly the "in plain sight" is not the constitution, it was a ruling relating to a search for items that were likely to be intentionally hidden, not ones intentionally indexed cross referenced and precisely defined. IE the case of finding kiddie porn while searching for production of false identification cards, on a PC makes some sense as a "in plain site" find, since they needed to be "look around" for things that were likely to be hidden among other images. Finding Alex Rodriguez results while searchin

In 1869 the waffle iron was invented for people who had wrinkled waffles.

Working...