Welcome to Privacy Spot, a privacy law blog sponsored by Hughes & Luce, LLP. Privacy Spot provides news, commentary and resources related to current privacy law and data protection topics and issues.

Testing the Boundaries of FERPA

Education
Citing the Federal Educational Rights and Privacy Act (FERPA), the Houston Independent School District has refused a request for baseball statistics it gathers during publicly attended baseball games.

FERPA prohibits a federally funded educational institution from allowing the disclosure of students' educational records without each student's parent's consent. A straight reading of the statute suggests that any student information regularly maintained by the school qualifies as education records. Although this is a ridiculous result, the baseball statistics are information about the students and they are regularly maintained by the school. Unfortunately, there are not many cases interpreting FERPA, so it is difficult to tell how broadly the law will be enforced. In the few reported cases, the courts disagree over whether a student's daily assignments are considered "educational records" for FERPA purposes. Whether or not records of extracurricular activities maintained by the school qualify has not been addressed, much less records from publicly attended events such as baseball games.

New Laws Introduced to Protect SSNs, Reduce ID Theft

Legislation
Sources are reporting that an SSN protection bill has been proposed in the House. The bill would attempt to limit the use of SSNs by government and private entities. New criminal and civil penalties, including prison time, are included in the bill along with higher penalties for repeat offenders. Law enforcement and emergency services exceptions are granted, but the government will be prevented from using SSNs on checks, Medicare cards and government ID cards. See the related stories here and here.

Another ID theft prevention bill is also reportedly being proposed in Congress.

No Expectation of Privacy in IP Addresses, to/from Addresses of Emails

Data Protection | E-Mail | General Privacy
The government can legally obtain, without a warrant, the IP addresses of websites a person has visited and the to/from addresses of a person's emails, according to a new Ninth Circuit ruling. The case, United States v. Forrester, is the first to hold that, unlike obtaining the content of those communications, obtaining the header information does not violate a reasonable expectation of privacy under the Fourth Amendment.

Retailers Must Pay for Credit Card Security Breaches Under New Laws

Data Protection | Financial | Legislation

Retailers will be forced to pay for data compromises when they violate industry standards of data protection under a new Minnesota law, detailed here. California and Texas are considering similar legislation, as noted here and here. The Minnesota law adopts Payment Card Industry Association (PCIA) data protection standards, which require that companies not retain data from a card, including security codes, PINs, and magnetic strip data, for more than 48 hours after a transaction is approved. If a data breach occurs and the retailer failed to comply with the card security protocol, then they will have to pay costs including: refunds for unauthorized purchases, reissuing cards, notifying cardholders, and closing and reopening accounts.

Ohio Intern Lets 1,000,000 Identities Walk Away

Data Protection | General Privacy
Ohio is reporting a compromise of the personal data of over one million people and businesses. An intern left a "data device" in an unlocked car and discovered it missing. The state is offering free identity theft protection from Debix for up to a year. So far almost 60,000 people have signed up, which will cost the state just under a million dollars, according to an estimate.

Stop Reading my Email!

Cases & Lawsuits | Data Protection | E-Mail | General Privacy
A Sixth Circuit panel recently held that users have a reasonable expectation of privacy in the content of their email, even where the ISP has a contractual right to look at the emails. Unless the user policy provides for monitoring, inspecting or auditing of the account, "there is a societal expectation that the ISP or the phone company will not read the contents as a matter of course." The court, influenced by amici, analogized to telephone calls and letters, where the provider of the services has access to the content but does not typically read it. Even though the ISP may scan emails for child pornography or spam, the court likened that to the Post Office scanning for drugs or explosives. Neither process involves invasive parsing of the content of the communication. The government may still obtain "subscriber information and related records" that are part of the ISP's records (one imagines the court meant things like amount of storage space used and information about the person registering the account, although the court failed to specify), but not the content of email communications.

Google Glide

Data Protection | General Privacy
A personal lubricant company allowed Google to indiscriminately roam through intimate sensitive information about people who requested free samples of its products.

Creating History

Data Protection | General Privacy
Google's newly announced Web History product has pushed the "Google is Big Brother" camp into overdrive.

Department of Agriculture Publishes Social Security Numbers

Data Protection | General Privacy
Several sources, including The New York Times, are reporting that the Department of Agriculture inadvertently published the Social Security numbers of individuals who receive federal aid in a publicly available online database.

Borderline Privacy

Data Protection | General Privacy | Technology
Thinking about carrying confidential information through U.S. Customs on a laptop? Be aware that in at least two cases, U.S. v. Romm, No. 04-10648 (9th Cir.) and U.S. v. Ickes, 393 F.3d 501 (4th Cir.), courts determined that it is acceptable for customs agents to conduct a comprehensive search of the contents of a notebook computer.
Some attorneys say the ruling goes too far, invading the privacy of anyone who crosses into the United States. And the ruling may pose special problems for attorneys who need to keep client information confidential when they go on business trips overseas.