Despite the vast array of spy gear now available to private investigators as well as ordinary citizens, it's not always clear from a legal standpoint what they are allowed to do with it. Laws differ from state to state and from device to device. Some laws apply to everyone — private citizens, PIs and law-enforcement officials. Others only affect specific segments of the spy-gear market. In some jurisdictions, private investigators have more freedom to retrieve certain types of information or to use certain types of equipment.
Lazarus has a rule of thumb: customers are usually allowed to spy on others so long as it happens on their own property or if the gear is planted on a device that they at least partially own. An employer, for instance, can install spy software on a company phone. A mother can track the movements of the family vehicle. Nanny cams can legally be placed in your child's bedroom.
"In the U.S., we use a sectoral approach to privacy," said Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, which seeks to educate people about privacy issues. Unlike in Canada and Europe, which have broad, overarching policies regarding privacy, he explains, in the U.S., "you need to look at very specific privacy laws that apply to different technologies to understand whether something you're doing is legal or not."
Typically, laws governing privacy are created in response to technological advances. In the U.S., this gets down to specific devices. It's almost like a game of Whac-A-Mole: a new technology pops up, someone uses it in ways that invade other people's privacy, people complain to their legislators, and a law specific to that technology and device is created.
The level of specificity of some of these laws is astonishing. One from 1988, for instance, prohibits video-rental stores from disclosing the viewing history of customers, although that law was recently amended to allow users of online streaming services like Netflix to share their viewing history on social media, if they choose to do so. Another law from the same year prohibits most employers from using lie detectors on employees. The Do-Not-Call Implementation Act of 2003 allows individuals to prevent telemarketing companies from contacting them.
Lee Tien, a legal expert from the Electronic Frontier Foundation, which advocates for online consumer privacy, says the specificity of these laws makes them more business-friendly than the blanket approach of Canada and the European Union. That's because a narrowly written law can only be applied in very specific circumstances, and with ever-changing technology, there are always passageways for those who might undermine lawmakers' intentions.
For instance, any phone conversation requires the two parties to use a service provider such as AT&T or Verizon, which in turn creates a record of that phone call within these companies. Making a purchase from a vendor on Amazon with your credit card creates three records of that transaction: one with Amazon, one with the vendor and one with the credit-card company.
"The real big growth has been between individuals and intermediaries," Tien said about the growth of data collection. "The way we do things creates more records."
According to a business report from the MIT Technology Review, a typical American office worker produces about 5,000 MB worth of data per day, merely by downloading movies, Word files, e-mails and by moving data around on the Internet and on mobile networks.