Can We Stop Zabasearch -- and Similar Personal Information Search Engines?: When Data Democratization Verges on Privacy Invasion

By ANITA RAMASASTRY
Thursday, May. 12, 2005

Please Note: Neither FindLaw nor Professor Ramasastry have any affilliation with ZabaSearch whatsoever. FindLaw and Professor Ramasastry have absolutley no relationship with ZabaSearch, and do not endorse ZabaSearch's services or products. - Ed.

Suppose there were a website that allowed you - at no charge -- to find out the following information for virtually any person in the United States: The addresses where he or she lived over the past ten years or so; what his or her phone numbers were (unlisted or not) over that same period; and what year he or she was born.

Interested in what the houses someone lived in look like - including the current one? The website would let you click on their address, access an overhead satellite photo of their neighborhood, and even zoom in on their particular house.

Even the information of public figures and celebrities would be included. So might the information of crime victims, trial witnesses, judges, jurors, prosecutors, and many others who have good reason to want to keep this information private.

Would such a website be legal? Yes - and, though many people may not know it, it already exists.

It's called Zabasearch.com, and it's legal because, according to the site, its data come from publicly available government records and commercial sources.

In this column, I will address several questions: Why Is Zabasearch currently legal in the United States? And should it remain legal? Or should legislatures and courts prevent such records (or at least some types of personal data) from being searchable online?

How Does ZabaSearch Work, Exactly?

In addition to the free search describe above, on Zabasearch, you can also pay $20 to receive a more detailed background check on any person. Also, Zabasearch, as a whole, while currently free, may eventually become a pay service.

In theory, you can get removed from the Zabasearch database - and/or correct any errors in the data. If you give the company your email address, it will send you an email with instructions for doing so. When you receive the email, you are told that any request to edit or delete your records must be in writing.

One remaining issue, however, is that many people may not know that they are listed in Zabasearch. It is also hard to find the correct link on the Zabasearch website, in order to send an email requesting instructions about how to remove your data from the web site.

It is not clear from the website whether Zabasearch does anything to screen to keep the names of minors out of the database. But it seems likely that if minors' information is in the databases Zabasearch accesses, then that information would be searchable.

Where Is Zabasearch's Information Coming From?

Zabasearch's site describes where its information comes from as follows: "ZabaSearch does not gather or generate information. ZabaSearch quickly accesses public information and displays what is available in the public domain. Many people assume ZabaSearch controls the information found in ZabaSearch results pages. However, ZabaSearch simply serves as a search engine in locating available public records and does not create the records found.

Where does the government keep our data? In many places: court records, county property records, state records. And this information becomes publicly available after you buy a new house, or go to the post office and file a change-of-address form."

The ZabaSearch site also adds, accurately, that there are many companies that make a profit selling such information:

"Unlike ZabaSearch, there are many companies who do gather, generate, compile,house andsell public information, most of which are publicly traded. This practice is, and always has been, legal in the United States and is the basisfor the 2 billion dollarU.S. information industry."

Have you ever got an offer to refinance your current mortgage at a lower interest rate? Ever wonder how they know the principal amount of your loan and who your lender is? The answer is that companies get the information from public records.

In addition to government records, much of the information that is available about individuals is information that they have provided willingly to third parties.

When you apply for a credit card, if you don't check the box saying you don't want your information shared, it will be sold. When you fill out a sweepstakes form to win a car at a shopping mall, chances are that your name will be put into a database and sold. Even an "unlisted" number - while it cannot be published in directory assistance or the telephone book - may be sold for other purposes.

In short, in any situation in which you provide information - to the government, or to a private company -- without a binding assurance that it cannot be sold or distributed, that information, in effect, becomes part of the public domain. (Medical information, however, is an exception; a specific release must be signed).

The Perils of Data Dissemination Via the Internet: "Digital Dossiers"

The founders of Zabasearch have reportedly characterized their service as "data democratization." In other words, if there is information already out there about you, you now have access to it. But, so does everybody else!

True, much information was available publicly before. But now it can be collected together, online, at the press of a button. One scholar, Professor Daniel Solove, calls such collections of data "digital dossiers".

And there's no reason these dossiers must be limited to addresses, phone numbers, birth years, and property information. Digital footprints can be tracked - so that digital dossiers could include Internet activity. In theory, they could also be connected to security camera footage from private stores, identification photos, and much more.

Such dossiers can be permanent, and may be instantaneously disseminated around the world.

They can also be stolen: Collecting information on an individual, and making the dossier publicly accessible, risks making identity theft virtually undetectable. The thief who steals your wallet may not know your mother's maiden name, or the name of your pet - common security questions. But what if that information ends up in your digital dossier?

Beyond a general erosion of our privacy, there may be specific harm from publication of addresses and other personal data. Persons who are in fear for their safety do not want their addresses and phone numbers in the public domain. Victims of domestic violence are a clear example.

And situations change. When you provided your address on a credit card application, you may have had no concerns over your personal security. Later, however, you might be stalked, or have other concerns for your personal safety.

Should Digital Dossiers Be Illegal - And Are They Already Unconstitutional?

Unfortunately, our federal and state constitutions provide us with little guidance when it comes to digital dossiers and sites like Zabasearch, for the contemporary erosion of our privacy was unimaginable two hundred years ago.

Certainly, back-fence gossip among neighbors was a practice that must have been well-known to the Framers, but not the sophisticated information dissemination systems we have today. Accordingly, when constitutions do protect privacy, they typically protect it against invasion by the government - not by other citizens.

Meanwhile, on the other side of the balance, the First Amendment protects a person's right to speak and publish information, absent a compelling governmental interest in silence. So while privacy rights don't help those who find themselves the subject of digital dossiers, free speech rights do help the dossier-makers.

The First Amendment Allows Publication Even of Some Dangerous Information

Indeed, in a recent court case, the First Amendment has been held to allow publication even when it predictably will threaten the safety of particular individuals.

Threats themselves can be made criminal, consistent with the First Amendment. But when information is not itself a threat - but does pose one - courts have recently tended to allow the information to be published, even on the Internet.

In a recent case, City of Kirkland v. Sheehan, a citizen in Washington State, Bill Sheehan, published a website called justicefiles.org. On the site, he published the following information about local police officers from the City of Kirkland and other municipalities in Washington: names, addresses, dates of birth, phone numbers, Social Security numbers, spouses' names and more.

Sheehan said he did this in an effort to make the police more publicly accountable. But the police officers claimed that the listings caused stress to them and their families, and have required them to enhance security measures and expend funds in response.

The court held that the First Amendment protected the site: "[I]n the absence of a credible specific threat of harm, the publication of lawfully obtained addresses and telephone numbers, while certainly unwelcome to those who had desired a greater degree of anonymity, is traditionally viewed as having the ability to promote political speech. Publication may arguably expose wrongdoers and/or facilitate peaceful picketing of homes or worksites and render other communication possible. "

The court did draw the line at publication of the police officers' Social Security numbers, however. As the court noted: "Access to an individual's SSN enables a new holder to obtain access to and to control, manipulate or alter other personal information . . . . In effect, access to an SSN allows a person, agency or company to more efficiently and effectively search for and seize information and assets of another, a power originally available only to the government and one which was subject to direct Constitutional restraint."

This is not to say that one can always publish personally identifiable information in every context. In a close 6-5 decision, in Planned Parenthood of the Columbia/Willamette, Inc., et al., v. American Coalition of Life Activists, et al. an en banc panel of the United State Court of Appeals for the Ninth Circuit upheld an injunction against a web site that did publish personally identifiable information of abortion doctors.

That case involved a website referred to as the "Nuremberg Files," which published the photographs, addresses and other personal information of doctors and others who provided or supported abortion services. The website also struck through the names of those who had been murdered, and grayed out the names of those who had been wounded.

The majority held that the "pattern" in which the posters appeared -- coupled with the fact that other abortion providers had been killed -- transformed the posters into something of a symbolic threat. As such, the information was not protected by the First Amendment.

But the Zabasearch site does not have any specific objective or motive that is in itself threatening. Its purpose it to provide more data to more people

Should the Law Forbid - Or Regulate - Sites Like Zabasearch? And If So, How?

In light of precedents like these, it's extremely likely that any law that simply tried to ban sites like Zabasearch, or "digital dossiers" more generally, would be struck down as contrary to the First Amendment.

But could a more narrow law constitutionally restrict such sites, and dossiers, in certain ways? I think the answer is yes - and that such a law would be desirable.

First, a law could deem certain categories of information off limits. Medical data is already protected, to some extent. Social security numbers should be better protected (for example, from Internet publication). At the same time, the government and others should stop relying on the numbers as the basis for so many sensitive transactions; we should have at least one unique personal identifier that is truly private, except for important government proceedings. Yet the way things are going, the Social Security number will lose that status; perhaps it has lost it already.

Second, a law could prevent certain federal, state, and local government data from being accessible online. (Bankruptcy and divorce records come to mind; they could be redacted ). Government should be wary of putting sensitive personal data into the public domain in electronic format, without thinking through the possible consequences of doing so.

Third, more states could adopt the policy - already used in some, according to Zabasearch - of allowing domestic violence victims and others who fear for their safety to list a post office box alone, and not a street address, as their residence.

Certainly, high-profile government employees whose individual decisions or actions may arouse anger - such as judges and certain executive officials, such as prosecutors -- ought to be able to use this option. So should their families, who might be targets, too.

Finally, legislators should consider regulating how densely information can be collected online - regulating, that is, how thick our digital dossiers really can be. Doubtless, any attempt to do this will raise First Amendment objections. But this is one issue where privacy and the First Amendment truly clash - and the First Amendment cannot win every time.

Until such laws are passed, all you and I can do (besides writing our representatives to ask for more online privacy protection) is to be very cautious about giving out personal information to third parties.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology.