Confidentiality in Online Environments - ADRhub - Creighton NCR2024-03-29T02:04:03Zhttp://www.adrhub.com/forum/topics/confidentiality-in-online-environments?commentId=4905899%3AComment%3A43664&feed=yes&xn_auth=noNot sure I agree, Ethan, that…tag:www.adrhub.com,2012-11-03:4905899:Comment:444722012-11-03T13:21:40.534ZJeff Beanhttp://www.adrhub.com/profile/JeffBean
<p>Not sure I agree, Ethan, that there's a zero-sum game between ODR and true privacy, if by that you're suggesting there's one or the other and that they're mutually exclusive. Unless we're also saying that about any ADR process, which then doesn't advance our understanding about confidentiality much.</p>
<p>In this discussion I think we've been conflating different risks under the general term of <em>confidentiality</em>. (Thank heaven we're not also having to tease out <em>privilege</em> in…</p>
<p>Not sure I agree, Ethan, that there's a zero-sum game between ODR and true privacy, if by that you're suggesting there's one or the other and that they're mutually exclusive. Unless we're also saying that about any ADR process, which then doesn't advance our understanding about confidentiality much.</p>
<p>In this discussion I think we've been conflating different risks under the general term of <em>confidentiality</em>. (Thank heaven we're not also having to tease out <em>privilege</em> in this discussion!) This is why I'm suggesting we need to be clear about the very different confidentiality challenges we face in any ADR process whether online or not. I had used the terms <em>Privacy</em> and <em>Secrecy</em> before to describe our intentions, but maybe that doesn't resonate for everybody. I'll try it differently by labeling the risks of <em>Disclosure</em> and of <em>Discovery</em>.</p>
<p><strong>The Risk of <em>Disclosure</em></strong></p>
<p>In any ADR process there is the risk that a participant - party, non-party, neutral - may disclose beyond the participants to someone outside the process. The Model Standards tell us as neutrals we aren't supposed to do that, binding us ethically. The participants may be bound to not disclose by some law or by contract in their agreement to mediate. But a participant may nonetheless, regardless of law or ethics or morals, choose to disclose. They could disclose by talking about what was said, giving out documents that were created, or hiding a recorder in the meeting. These are all risks in non-ODR ADR processes.</p>
<p>In ODR, there are additional ways the participants could choose to disclose what happened: copying digital files, screenshots or downloading online data, <em>etc.</em></p>
<p><strong>The Risk of <em>Discovery</em></strong></p>
<p>In any ADR process there is the risk that someone outside the ADR process could discover communications inside the process. They may choose to steal a file, break into an office, or plant a listening device in the meeting room. These are all risks in non-ODR processes.</p>
<p>In ODR, there additional ways non-participants could choose to discover what happened: accessing a device left logged-in to an account, hacking into accounts or networks, or an ISP employee abusing their access to server data.</p>
<p><strong>Minimizing the Risks of <em>Disclosure</em> and <em>Discovery</em></strong> </p>
<p>We have a number of different approaches to mitigating these risks. We have various laws that may prohibit disclosure or discovery under threat of criminal penalty or civil liability. But beyond that, the ways to minimize the risk depends on the nature of the risk: whether it's the risk of <em>disclosure</em> or <em>discovery</em>.</p>
<p>To address the risk of <em>discovery</em>, we lock offices, doors and file cabinets. We don't let unauthorized people in. We may close blinds. These are all reasonable security provisions we would implement to secure a non-ODR process.</p>
<p>We could go further, of course. We may sweep meeting rooms for listening devices. We may install state-of-the-art security systems to deter and detect break-in. We could have meeting rooms with mirrored glass windows that were not line-of-sight to anywhere anyone outside could see. We could hire 24/7 guards. But some point the kind of efforts we could take become unreasonable given the likelihood of the risk. There are things we could do to secure our non-ODR processes that we don't do.</p>
<p>In ODR processes, we may log-out of accounts on devices and physically secure them. We may encrypt email or provide SSL security in online connections. We may contractually bind our ISPs to non-disclosure and security agreements and require all their employees to sign them, too. And just like non-ODR processes, there are some things we could do to secure our ODR processes that we don't do, because they just aren't reasonable given the likelihood of the risk.</p>
<p>That's what we can do to minimize the risk of <em>discovery</em>. We have a very different set of approaches to address the very different risk of <em>disclosure</em>.</p>
<p>To address the risk of <em>disclosure</em>, the parties may agree with each other not to disclose (<em>e.g.,</em> contractually in an agreement to mediate). The professionals may have ethical rules that prohibit disclosure. As professionals we may coach the participants on what their agreement not to disclose actually means and what it would mean if they chose to disclose. And, most importantly, we work to build trust among the parties.</p>
<p>We and the parties could go further and agree to protocols. No electronic devices in the room. Having all the participants frisked. Installing scramblers to shut-down cellphone signals. Again, at some point there's things we could do that we don't, because they just aren't reasonable given the likelihood of the risk.</p>
<p>Whether the risk is of <em>disclosure</em> or <em>discovery</em>, the nature of the risk is not changed by the process being online. The mechanisms of the risk have changed, so the specifics of mitigating those risks are different. Yet the main approach to mitigating the risk of <em>discovery</em> - whether online or in-person - will still be taking reasonable steps to secure our offices and devices and accounts. And the main approach to mitigating the risk of <em>disclosure</em> - whether online or in-person - will still be building trust among the parties.</p>
<p></p>
<p></p>
<p><cite>Ethan McNiff said:</cite></p>
<blockquote cite="http://www.adrhub.com/forum/topics/confidentiality-in-online-environments?commentId=4905899%3AComment%3A44533&xg_source=msg_com_forum#4905899Comment44533"><div><div class="xg_user_generated">It appears that many people are in agreement of the zero-sum game between the use of online technology and true privacy. As the use of such technology increases it becomes harder to guarantee confidentiality. Almost anything said or written online is permanent due to the complexity of the technology and the capability of skilled people (like hackers) to retrieve private information. This can make some people vary weary of trying online dispute resolution because of the potential risk of private information being publicly disclosed. In addition to this adding online elements to mediation or another ADR form can make it less personal thus taking away from the experience (I know many have said this already but I strongly agree with this point). That being said their is still a great need for online conflict resolution. Some people have accepted lesser privacy as a necessary and unavoidable risk of the information age in exchange for the benefits it has provided. This attitude along with the practice of taking the highest reasonable security measures possible should encourage the growth of ODR. It can make conflict resolution even more efficient and accessible to a great number of people.</div>
</div>
</blockquote> It appears that many people a…tag:www.adrhub.com,2012-11-03:4905899:Comment:445332012-11-03T02:39:33.190Zwxyhttp://www.adrhub.com/profile/EthanMcNiff
It appears that many people are in agreement of the zero-sum game between the use of online technology and true privacy. As the use of such technology increases it becomes harder to guarantee confidentiality. Almost anything said or written online is permanent due to the complexity of the technology and the capability of skilled people (like hackers) to retrieve private information. This can make some people vary weary of trying online dispute resolution because of the potential risk of private…
It appears that many people are in agreement of the zero-sum game between the use of online technology and true privacy. As the use of such technology increases it becomes harder to guarantee confidentiality. Almost anything said or written online is permanent due to the complexity of the technology and the capability of skilled people (like hackers) to retrieve private information. This can make some people vary weary of trying online dispute resolution because of the potential risk of private information being publicly disclosed. In addition to this adding online elements to mediation or another ADR form can make it less personal thus taking away from the experience (I know many have said this already but I strongly agree with this point). That being said their is still a great need for online conflict resolution. Some people have accepted lesser privacy as a necessary and unavoidable risk of the information age in exchange for the benefits it has provided. This attitude along with the practice of taking the highest reasonable security measures possible should encourage the growth of ODR. It can make conflict resolution even more efficient and accessible to a great number of people. Wow! First off, let me say t…tag:www.adrhub.com,2012-11-02:4905899:Comment:445242012-11-02T23:35:08.126ZEric Tanghttp://www.adrhub.com/profile/EricTang
<p>Wow! First off, let me say thank you to all who contributed to this discussion! It has been a very entertaining and informative conversation, and I enjoyed reading everyone's comments thoroughly. Thank you!</p>
<p></p>
<p>Due to my role as an employee of an ODR provider, I admit I'm fairly biased on this topic. I believe the privacy concerns of online mediation are very much valid, though, which is why I wanted to raise this topic. However, I think the concerns can be overcome. Just as…</p>
<p>Wow! First off, let me say thank you to all who contributed to this discussion! It has been a very entertaining and informative conversation, and I enjoyed reading everyone's comments thoroughly. Thank you!</p>
<p></p>
<p>Due to my role as an employee of an ODR provider, I admit I'm fairly biased on this topic. I believe the privacy concerns of online mediation are very much valid, though, which is why I wanted to raise this topic. However, I think the concerns can be overcome. Just as many pointed out in this thread, a mediator who promises total 100% confidentiality (whether online or face to face) are likely being too ambitious. It really is just a matter of perception.</p>
<p></p>
<p>Technology can be frightening. It's easy to point out the negative consequences and potentials, but I think of technology as double edged. For as many negative and destructive things that a piece of technology can bring to us, it also brings equally positive and inspiring contributions to society. We see this in every advancement; from a hammer to nuclear power, it just depends who is holding the tool. Ultimately, technology has provided us far more good than bad. This fits with my belief that people are basically good and deserving of trust. When it comes to conflict, most want to get it resolved as amicably as possible. I may be wrong, but these beliefs are the foundation of conflict resolution professionals.</p>
<p></p>
<p>So, with that, I say onward into the new frontier!</p>
<p></p>
<p>Eric</p> Hello Everyone! I’m currently…tag:www.adrhub.com,2012-11-02:4905899:Comment:445192012-11-02T22:07:28.755Zsara ismailhttp://www.adrhub.com/profile/saraismail
<p>Hello Everyone! I’m currently a graduate student at Wayne State University. This is my first Cyberweek, in accordance with my communications class with Professor Bill Warters. Also, I think this topic is very important in terms of mediating online.</p>
<p>I do not think that the terms of privacy and confidentiality are the same for mediation online like it is for face-to-face mediation. We really do not have the knowledge of what one of the parties involved is doing online. They could be…</p>
<p>Hello Everyone! I’m currently a graduate student at Wayne State University. This is my first Cyberweek, in accordance with my communications class with Professor Bill Warters. Also, I think this topic is very important in terms of mediating online.</p>
<p>I do not think that the terms of privacy and confidentiality are the same for mediation online like it is for face-to-face mediation. We really do not have the knowledge of what one of the parties involved is doing online. They could be keeping a copy of everything that is being written during the mediation. I do think it is a significant barrier for disputants to use ODR rather than mediation in a neutral setting, knowing that everything being said at the end is destroyed and not kept.</p>
<p>As for a mediation going to court, wouldn’t the same rules apply to the situation whether to was a face-to-face mediation or online. Nothing can be used in court other than an agreement. I’m not exactly sure how states differ as to what can be used in court or not. I do think the rules would apply the same way. </p> Hosting an online dispute rai…tag:www.adrhub.com,2012-11-02:4905899:Comment:444312012-11-02T20:52:48.428ZJustine Hannonhttp://www.adrhub.com/profile/JustineHannon
<p>Hosting an online dispute raises a variety of concerns for the parties involved and the mediator. The main issue that should concern the participants is the presence of written communications that would not exist had the mediation happened in person. While online mediations could be facilitated with the use of programs such as Skype, the option to utilize email and instant messaging either in conjunction with, or in place of, face to face teleconferencing creates essentially, a transcript of…</p>
<p>Hosting an online dispute raises a variety of concerns for the parties involved and the mediator. The main issue that should concern the participants is the presence of written communications that would not exist had the mediation happened in person. While online mediations could be facilitated with the use of programs such as Skype, the option to utilize email and instant messaging either in conjunction with, or in place of, face to face teleconferencing creates essentially, a transcript of what is said. This becomes a concern because it creates the opportunity for others to access this information or for the parties to utilize this information if they ever file a motion for sanctions. With the inherent lack of security that the internet is plagued with, even with the utilization of secure networks and such, everyone involved should be concerned about what they are placing on the internet and who might be able to access it. With this in mind, mediators who are considering hosting on online mediation should make sure that the parties are fully aware of the possible issues with this style of mediation and ensure that if something manages to find its way onto the web that the mediator will not be held liable so long as they exercised the reasonable amount of precautions when setting up the mediation. </p> Information may be transmitte…tag:www.adrhub.com,2012-11-02:4905899:Comment:441982012-11-02T19:22:33.805ZCasey Graveshttp://www.adrhub.com/profile/CaseyGraves
<p>Information may be transmitted to other parties via many different technological means, such as emails, chat rooms, discussion boards or videoconferencing, which, as we have seen, were not created with ‘security and trust in mind. </p>
<p>Many different tools have been developed to achieve the confidentiality described above. Username and passwords, digital signatures and encrypted messages are most commonly used, bearing in mind that the level of security that is appropriate for a…</p>
<p>Information may be transmitted to other parties via many different technological means, such as emails, chat rooms, discussion boards or videoconferencing, which, as we have seen, were not created with ‘security and trust in mind. </p>
<p>Many different tools have been developed to achieve the confidentiality described above. Username and passwords, digital signatures and encrypted messages are most commonly used, bearing in mind that the level of security that is appropriate for a particular mediation will depend on the dispute and the requirements of the parties. In addition to usernames and passwords, which limit access to email addresses, chat rooms or internet discussion boards to authorised and identified parties, the risk of repudiation and alteration of a message can also be reduced by digital signatures. Using symmetric or private keys systems, where the same key encrypts and decrypts the message, or asymmetric or public keys systems, where two different but related keys are needed to encrypt and decrypt, the receiver of an electronically signed message can verify the origin, the integrity of the message and the identity of the sender. To avoid the risk of virus infections, intrusions or disk crashes firewalls, backup policies and intrusion detection systems are the standard mechanisms. Finally, biometrics, like fingerprint, retinal, voice-print or genetic patterns, may involve many possibilities to improve online security in the future.</p>
<p>There are many different technological protections which have been developed to protect and secure online communications in ODR. However, with respect to email, for example, they are not in general use. The current estimate is that only 0.5% of email is encrypted in any way (Smart Settle). In spite of its convenience and its potential to be secure, email is not the main communication method used by modern online ADR systems and web-based communications are preferred. There are certain risks inherent in the technological protections described. Whatever the security tools used, the inherent complexity of technology can create diverse problems that can affect the transmission of communications between the parties.</p> When talking about confidenti…tag:www.adrhub.com,2012-11-02:4905899:Comment:441892012-11-02T19:02:16.863ZJeff Beanhttp://www.adrhub.com/profile/JeffBean
<p>When talking about confidentiality <strong>I've found it helpful to distinguish between <em>Privacy</em> and <em>Secrecy</em></strong>. Let's see if I can flesh it out in a way others might find helpful, too. You'll let me know if it isn't!</p>
<p>When Bill, you describe having that mediated conversation to work out issues with your colleagues, you appreciated having that conversation in <em>private</em>, not necessarily needing it to be <em>secret</em>.</p>
<p>I see <em>privacy</em> as the…</p>
<p>When talking about confidentiality <strong>I've found it helpful to distinguish between <em>Privacy</em> and <em>Secrecy</em></strong>. Let's see if I can flesh it out in a way others might find helpful, too. You'll let me know if it isn't!</p>
<p>When Bill, you describe having that mediated conversation to work out issues with your colleagues, you appreciated having that conversation in <em>private</em>, not necessarily needing it to be <em>secret</em>.</p>
<p>I see <em>privacy</em> as the parties having an intention that we're going to have the conversation just among ourselves. There's a high-level of trust implicit in <em>privacy</em> because any one of the participants can breach that trust in any of a million ways (<em>e.g.,</em> recorder in the pocket in an in-person meeting or taking a screenshot of a document in an ODR process).</p>
<p><em>Secrecy</em> connotes to me that we are doing what we need to do to secure our discussions from being disclosed or discovered. There's a low-level of trust implicit in <em>secrecy</em>, and an expectation that someone has an interest in and will actively try to breach the confidential nature of the discussion, either someone within to disclose it our someone outside to discover it. The the intention in a <em>secret process</em> is a risk-management approach to reducing possible sources of disclosure or discovery.</p>
<p>I think for many disputes, it may be enough that we provide mostly <em>privacy</em> in our processes, working among the parties to ensure the level of trust implicit within that, yet with some thought to providing basic <em>secrecy</em> equivalent to using passwords on computers and locking office doors and the file cabinet. For some disputes, the participants may need a much higher-level of <em>secrecy</em>, as in cases involving trade secrets or intellectual property (<em>e.g.,</em> no electronic devices in the room, encrypted communications, limited copies, <em>etc.</em>)</p>
<p>(BTW, if you're interested in just how extreme concerns about document secrecy can go, I can tell you some stories of the confidentiality agreements I signed and security provisions needed to implement them when we sued tobacco companies in the 1990s. As you can imagine, the emphasis there was on <em>secrecy</em>, not <em>privacy</em>, as the level of trust among the parties went only so far as the disclosing parties - the tobacco companies - would only trust that a reviewing court would enforce and hold the plaintiffs to the terms of the confidentiality agreements. That's obviously not near the level of trust we're trying to form in collaborative dispute resolution processes!)</p>
<p>Is this attempted distinction of two approaches to confidentiality - <em>privacy</em> and <em>secrecy</em> - with the different intentions behind each, helpful?</p>
<p></p>
<p></p>
<p></p> There are extraordinary techn…tag:www.adrhub.com,2012-11-02:4905899:Comment:443332012-11-02T17:41:12.842ZKrista Grace Jessacherhttp://www.adrhub.com/profile/KristaGraceJessacher
<p>There are extraordinary technology/applications available at the fingertips of most participants in a mediation.</p>
<p> </p>
<p>In the past we did have "iron-clad" confidentiality - with the right people, within the budget of most people. </p>
<p> </p>
<p>But now, a collborative approach to confidentiality seems the better fit with reality in today's world, given the budget of most people.</p>
<p> </p>
<p>There are extraordinary technology/applications available at the fingertips of most participants in a mediation.</p>
<p> </p>
<p>In the past we did have "iron-clad" confidentiality - with the right people, within the budget of most people. </p>
<p> </p>
<p>But now, a collborative approach to confidentiality seems the better fit with reality in today's world, given the budget of most people.</p>
<p> </p> The topic of confidentiality…tag:www.adrhub.com,2012-11-02:4905899:Comment:441762012-11-02T17:24:12.273ZJenny Jacobsenhttp://www.adrhub.com/profile/JennyJacobsen
<p>The topic of confidentiality is especially interesting to me as my background is in healthcare and health insurance, and is combined with my "lawyerly" way of thinking. I take a different view than most of the other Cyberweek participants in this particular discussion, in that I do not consider the breach of online mediation confidentiality to be as big of concern as one might first believe. </p>
<p></p>
<p>Although there doesn't seem to be a single, uniform, accepted definition of…</p>
<p>The topic of confidentiality is especially interesting to me as my background is in healthcare and health insurance, and is combined with my "lawyerly" way of thinking. I take a different view than most of the other Cyberweek participants in this particular discussion, in that I do not consider the breach of online mediation confidentiality to be as big of concern as one might first believe. </p>
<p></p>
<p>Although there doesn't seem to be a single, uniform, accepted definition of mediation, it is obvious that it is built upon the premise of facilitating communication between parties to reach an agreement, without the use of the formal court or legal system. However, like the formal legal system, there is an explicit expectation of confidentiality between the parties and the mediator. Many states, including Florida (the Mediation Confidentiality and Privilege Act), have enacted legislation that requires mediation communications to remain confidential, even if a party is called to testify in court. State laws such as this, combined with the general respect for the integrity of the mediation process, in my opinion should continue to flow through online mediation. I believe this is very possible. For example, there are many state and federal laws protecting the confidentiality of personally identifiable health information--you most likely acknowledge your receipt of the federal HIPAA or HITECH laws when you go to the doctor, or sign onto your online health insurance account. The acknowledgement further tells you something to the effect of 'the provider will not share your health information'--thus entering into a written agreement to which it will be bound to follow. Even though the provider and the patient both sign this form, there are unlimited opportunities for the provider to breach, either intentionally or unintentionally. In my opinion, this is no different than when parties enter into a mediation agreement. A strongly written mediation agreement should include the attestation and agreement of the parties to maintain confidentiality and compliance with state and federal laws. By creating a contractual clause to which the parties must agree to before beginning mediation, a contractual chance for remedy has been created for the non-breaching mediation party. Therefore, although I am unfamiliar with the programs mentioned in other discussion threads about copying or recording programs, I do not believe the threat of these programs should facilitate a level of fear and deter parties from considering online mediation. Mediation is meant to amicably and voluntarily help parties reach an agreement over dispute, outside of the courtroom. However, mediation does not excuse the parties from being bound to basic contract law. For a lack of better word, the "threat" of impending litigation for a violation of the confidentiality clause included in the mediation agreement should work to deter parties from breaching mediation confidentiality, regardless of the available opportunities. </p>
<p></p>
<p>In conclusion, with the ever-expanding use of the internet for the exchange of information, be in mediation or health records, there will always be a breach of confidentiality threat, whether intentional or unintentional. Although mediation, for the most part, falls outside of the purview of the legal system, basic contract law still remains as a tool to compel compliance with the confidentiality agreement of a mediation agreement. As mediation is a voluntary process, I believe courts will more likely uphold the language of a well-written confidentiality clause of a mediation agreement. </p> Very interesting topic! It se…tag:www.adrhub.com,2012-11-02:4905899:Comment:442492012-11-02T14:44:38.298ZTom Gerholdhttp://www.adrhub.com/profile/TomGerhold
<p>Very interesting topic! It seems that even if the ODR service properly encrypts and takes all necessary steps to secure the session and its contents that it could still be subject to subpoena because it is stored on an outside server and a reasonable expectation of privacy may not be viewed as existing in some jurisdictions. This possibility is worrisome, and hopefully judges would attempt to protect the ODR process and deny any motions to subpoena the contents, but the best option would be…</p>
<p>Very interesting topic! It seems that even if the ODR service properly encrypts and takes all necessary steps to secure the session and its contents that it could still be subject to subpoena because it is stored on an outside server and a reasonable expectation of privacy may not be viewed as existing in some jurisdictions. This possibility is worrisome, and hopefully judges would attempt to protect the ODR process and deny any motions to subpoena the contents, but the best option would be to get state laws to protect these communications from subpoena and discovery.</p>