Thanks again to Dan and the other Concurrers (?) for allowing me to visit again. There is much more I wanted to say, but I’ll save it for next time.

In the meantime, I have signed on to blog permanently over at Ed Felten’s Freedom to Tinker, so if you’re interested in tech policy, please add us to your RSS feed reader. (Although Ed introduced me over a week ago, I’ve been too busy to introduce myself to the ftt readers yet.)

I’d be interested to hear from [...]]]> Now that Verizon and AT&T have pledged not to track customer web behavior without explict consent, I feel like my work here is done. (Too bad DOJ still has yet to indict anybody for the Palin e-mail breach.)

Thanks again to Dan and the other Concurrers (?) for allowing me to visit again. There is much more I wanted to say, but I’ll save it for next time.

In the meantime, I have signed on to blog permanently over at Ed Felten’s Freedom to Tinker, so if you’re interested in tech policy, please add us to your RSS feed reader. (Although Ed introduced me over a week ago, I’ve been too busy to introduce myself to the ftt readers yet.)

I’d be interested to hear from anybody who has thoughts about the relative pros and cons of blogging on a website read mostly by non-lawyers. Although I’ll miss the deep comments section conversations about ECPA, I welcome the opportunity to speak directly to (and learn from) the computer science community reading Ed’s blog. Besides, I hope I can come back here from time to time to scratch my ECPA itch.

As usual, Orin Kerr (with some assists from his merry band of commenters) is doing a great job fleshing out the legal analysis. A crime has been committed, there can be no doubt, and Yahoo!’s lawyers will probably be kept up late tonight receiving and responding to incoming subpoenas and court orders.

I wanted to come at this story from a slightly different angle: I predict that some day we will look back on this breach as a watershed event in the history of statutory Internet privacy. As Dan and many others have noted in their [...]]]> As has been widely reported, Sarah Palin’s Yahoo e-mail account has been breached, and its contents have been posted to wikileaks. Gawker.com is posting excerpts from the e-mail messages including photographs.

As usual, Orin Kerr (with some assists from his merry band of commenters) is doing a great job fleshing out the legal analysis. A crime has been committed, there can be no doubt, and Yahoo!’s lawyers will probably be kept up late tonight receiving and responding to incoming subpoenas and court orders.

I wanted to come at this story from a slightly different angle: I predict that some day we will look back on this breach as a watershed event in the history of statutory Internet privacy. As Dan and many others have noted in their articles, Congress often enacts privacy protecting legislation only in the wake of salient, sensationalized, harmful privacy breaches. Thus, Judge Bork’s video rental records begat the Video Privacy Protection Act and the murder of actress Rebecca Schaeffer by a stalker with DMV records led, eventually, to the Drivers’ Privacy Protection Act.

Compared to these examples, the breach of Sarah Palin’s e-mail account is on a higher plane of salience and sensationalization. The most scrutinized woman in the country has dozens of her private correspondences pasted all over the blogs. Even if nothing is found in these messages which damages her or the campaign, and whether or not the perpetrators are caught, many will call for tougher privacy laws, and Congress and state legislatures will feel great pressure to deliver. And they won’t just be targeting the breachers–many will criticize the Gawkers and Wikileaks for helping disseminate the e-mail messages (if not the Kerrs and Ohms and Washington Posts for linking to Gawker), so expect a fierce First Amendment debate. I can even see calls to make IP addresses easier to track. Mandatory data retention, anyone?

If I am right about this, expect the E-mail Privacy Act of 2009, and expect it to be a blockbuster. If you’re an activist, government lawyer, e-mail provider, or scholar with an interest in information privacy, I advise you to start putting together your statutory wish lists.

and the Washington Post highlighted this photo of a trader in Shanghai from Reuters:

There’s something particularly Hitchcockian about the photo from Frankfurt, with the menacing line graph creeping up from behind the harried trader.

Maybe this is the start of a new meme? If you spot other “traders in anguish in front of giant, depth-of-field-blurred, plummeting line graphs,” post them here.

The last post led only to the conclusion that ISPs pose a great threat to privacy, but to call this the greatest threat in society, I need to answer the question, “compared to what?” In particular, the most common response to my article I have heard is, [...]]]> In a prior post, I began to explain why ISPs pose the greatest threat to privacy in modern life. I argued that many ISPs are likely to begin to experiment with new, more invasive forms of surveillance relying, in part, on so-called Deep-Packet Inspection technology. I am grateful for the vigorous debate which followed in the comments, and I know my article will be much stronger once I incorporate what I have learned reading and responding to these comments.

The last post led only to the conclusion that ISPs pose a great threat to privacy, but to call this the greatest threat in society, I need to answer the question, “compared to what?” In particular, the most common response to my article I have heard is, “Doesn’t Google threaten privacy more?” In this post, let me explain why I worry more about the threat to privacy from ISPs than from Google.

You can hide from Google but it is very hard to hide from your ISP. Even though Google collects a lot of information about what its users do when they use its services, it cannot track what it cannot see. Whenever you leave a Google-owned or affiliated website, Google loses track of you. As you surf the New York Times, Yahoo!, Facebook, Amazon, Craigslist, or eBay, Google has no way of knowing what are you doing. When you communicate via VoIP or download files over BitTorrent, Google has no way of monitoring you.

Your ISP, in contrast, never loses sight of you (unless you encrypt your communications or switch to another provider). In a recent radio interview, I called this a “Godlike” view of the network. As a commenter to a New York Times blog post about my article put it, “Deep Packet Inspection is Adware or Spyware ON YOUR NETWORK.”

More directly to the comparative point, your ISP can see nearly everything you do through Google. Virtually no Google service uses encryption by default. Your ISP, if it chooses to watch, can see and record every Google search query, Google Calendar entry, YouTube video stream, and Google Reader request. For this reason, the threat to privacy from Google is merely a subset of the threat from your ISP, assuming of course that your ISP is watching.

This last caveat is the one that frustrates some readers. Sure, the potential threat to an ISP-gone-bad is dire, they might concede, but no ISP is actually collecting this much information. Most ISPs are respectful of user privacy, they would argue, and possess the self-control to refuse to watch most of what their users are doing.

But as I said in the last post, even if no ISPs are collecting this much information today, I predict that they will in the near future thanks to the means, motive, and opportunity at their disposal. A few commenters have rightly pushed me on ISP motive: what proof do I have that ISPs are feeling pressure to collect more information? First, Charter, AT&T, several British ISPs, and others have proposed or implemented new monitoring schemes in the past year. Second, for many years, ISPs have persistently complained about their dire financial prospects, arguing that they cannot afford to upgrade their infrastructure without new strategies for better return on investment (ROI). I know of few other plausible ways for ISPs to improve ROI, except by monetizing user secrets.

I plan to write at least one more post on this topic, but for now, let me turn it back over to the commenters. Please remember that this is a very brief synopsis of a 77 page, 34,000+ word draft, and I urge you to at least skim the article before you respond…

The September 1st issue of the New Yorker includes a fascinating article (not yet available online, but here’s the abstract) by John Colapinto about the high-tech, mini-police departments being set up by department store chains to catch shoplifters. The article, which focuses in particular on Target, veers for a brief moment into one of my areas of interest–computer forensics. Target has hired a “senior computer investigator” named Brent Pack, a former Army computer crime investigator who helped analyze the Abu Ghraib photographs. Why does Target need a computer investigator? Mr. Pack

analyzes digital storage devices seized from suspected retail-crime gangs–BlackBerrys, photo memory cards, cell phones, business servers, and desktop computers. . . . At the moment, Pack was analyzing a hard drive seized by the police [...]]]>

The September 1st issue of the New Yorker includes a fascinating article (not yet available online, but here’s the abstract) by John Colapinto about the high-tech, mini-police departments being set up by department store chains to catch shoplifters. The article, which focuses in particular on Target, veers for a brief moment into one of my areas of interest–computer forensics. Target has hired a “senior computer investigator” named Brent Pack, a former Army computer crime investigator who helped analyze the Abu Ghraib photographs. Why does Target need a computer investigator? Mr. Pack

analyzes digital storage devices seized from suspected retail-crime gangs–BlackBerrys, photo memory cards, cell phones, business servers, and desktop computers. . . . At the moment, Pack was analyzing a hard drive seized by the police in a phony-check-writing operation that had victimized Target stores. “I’m going through here and looking for any evidence of check-writing software on any of their hard drives,” he said, pointing to the computer screen, which showed a JPEG of a blank check

Is it proper for the police to delegate its forensic work to Target? The FBI agents I used to work with as a DOJ computer crimes prosecutor kept a tight leash on the data they had seized and were reluctant to share data with state and local cops, much less private parties. They justifiably worried about ensuring that non-FBI analysts were staying within the scope of the warrant, because courts have suppressed electronic evidence obtained outside of the scope of the warrant and have even thrown out all of the evidence obtained if the warrant was executed in flagrant disregard of its terms. I’m not saying that the use of a third-party forensic analyst should automatically result in a flagrant disregard ruling, but it will invite scrutiny.

And even if one can justify the use of private forensics specialists generally, shouldn’t the police refrain from giving 500 gigabytes of personal information to victims of crimes? Because victims–even corporate victims–have a strong incentive to solve the crimes committed against them, might they not feel more pressure than a cop to look beyond the scope of warrants, peering deeply into the private lives of data owners?

I am even more worried about a much more troubling possibility: Is Target seizing cellphones and laptops from suspected shoplifters? Discussing another, anonymous store, not Target, Colapinto describes how suspected shoplifters get hauled into interrogation rooms and questioned at length by former law enforcement agents. In addition to this, are store security personnel frisking suspects and seizing electronic devices? I can understand how a department store might be entitled to engage in a limited search to look for its stolen property, but does this justify the seizure, retention, and subsequent analysis of cell phones and laptops?

Reading this Article kept bringing me back to David Sklansky’s excellent article, The Private Police, 46 UCLA L. Rev. 1165 (1999) (abstract). A decade ago, Sklansky traced the rise of private police forces, focusing in particular on neighborhood patrol services starting with Pinkertonism in the 1800’s. He noted that as these entities play a greater role in policing society, this might give rise to the kind of invasions the Fourth (and Fifth and Sixth) Amendment was intended to prevent. If Target is seizing cell phones from suspected thieves–and I must stress that it is not clear from this article that they are–it realizes Sklansky’s fears.

Simply put, your ISP has the means, motive, and opportunity to scrutinize nearly every communication departing from and arriving to your Internet-connected computer:

Opportunity: Because your ISP serves as the gateway between your computer and the rest of the Internet, every e-mail message, [...]]]> I have recently posted on SSRN the article that ate my summer, The Rise and Fall of Invasive ISP Surveillance. I make many claims in this article, but the principal one, and the one I want to spend a few posts elaborating and defending, is found in the first sentence of the abstract: “Nothing in society poses as grave a threat to privacy as the Internet Service Provider (ISP).” In this first post, let me explain why ISPs pose an enormous threat to privacy:

Simply put, your ISP has the means, motive, and opportunity to scrutinize nearly every communication departing from and arriving to your Internet-connected computer:

Opportunity: Because your ISP serves as the gateway between your computer and the rest of the Internet, every e-mail message, IM, and tweet you send and receive; every web page and p2p-traded file you download; and every VoIP call you place travels first through your ISP’s routers.

Means: A decade ago, your ISP lacked the tools to efficiently analyze every communication crossing its network, because computers were relatively slow and networks were relatively fast. I use the analogy of the policeman on the side of the road, scrutinizing the passing cars. If the policeman is slow and the road is wide and full of speeding cars, the policeman won’t be able to keep up.

Over the past decade, while network bandwidth has increased, computer processing power has increased at a faster rate, and your ISP can now analyze more information, more inexpensively than before. The roads are wider today, but the policemen are smarter and more efficient. An entire industry–the deep-packet inspection industry–has arisen to provide hardware and software tools for massive, widespread, automated surveillance.

Motive: Third-parties are placing pressure on ISPs to spy on users in unprecedented ways. Advertisers are willing to pay higher rates for behavioral advertising. For example, Ikea will pay more to place an ad in front of people who have been recently surfing furniture websites. To enable behavioral advertising, companies like NebuAd and Phorm have been trying to convince ISPs to collect user web-surfing data they do not collect today. Similarly, the copyrighted content industries seem willing to pay ISPs to detect, report, and possibly block the transfer of copyrighted works.

Because of these three factors, ISPs are scrutinizing more information–and different forms of information–than they ever have before. AT&T has begun to consider monitoring for copyright violations; Charter Communications signed up with NebuAd, sparking a firestorm of publicity and legislative interest which pushed Charter to abandon the deal; and a few British ISPs have begun to use Phorm’s services. I predict that these examples presage a coming storm of unprecedented, invasive ISP monitoring.

In the next post, I will compare the threat to privacy from ISP monitoring to the threat from other entities, in particular, Google and Microsoft.

Last semester I started giving students the option of using the reverse of a pass, which I punnily dubbed a “catch.” When a student feels especially prepared for a given class–perhaps she has had a [...]]]> In honor of the start of the fall semester, I wanted to share a classroom participation technique I started using last semester with encouraging results. I cold call in my classes, but I give every student the opportunity to pass three times during the semester when they don’t feel prepared. (Because of where I teach, I notice a suspicious uptick in passes on Mondays following fresh snowfall in the mountains!) As long as I’m notified of a student’s desire to pass before class begins, I won’t call on him or her.

Last semester I started giving students the option of using the reverse of a pass, which I punnily dubbed a “catch.” When a student feels especially prepared for a given class–perhaps she has had a lot of time to read the night before or maybe she has already read the case before for another class–she can put herself on call by sending me a “catch” before class begins. In return, I promise students who catch that I will not call on them for at least three subsequent classes.

Very few students caught (catched?) last semester, but on those occasions when they did, it led to some of the most productive Q&A I’ve had with students in five-plus years (including two years as an adjunct) of law teaching. The students who caught no doubt benefited by regaining some control over their fate; their classmates benefited from hearing good discussions of the days’ topics; and I gained the benefits of an on-call system without having the rest of the class skip the reading.

If you cold call already, try out this tweak this semester, and let me know how it goes.

When I need to edit an article, I will sometimes park myself at a booth at the local Panera Bread, sipping the decent coffee, snacking on the beautiful (notice I didn’t say tasty) pastries, and using the free WiFi. Long ago, I noticed that Panera had made a stupid technological mistake that probably strips it of the right to manage its network lawfully.

Panera tries to extract consent from its users using what is known as a captive portal, the same method used by most hotel and airport WiFi network providers. When a Panera WiFi user first tries to connect to any website, Panera’s computers redirect her instead to its own web page with a link to its terms of service (ToS). Only when the user [...]]]>

When I need to edit an article, I will sometimes park myself at a booth at the local Panera Bread, sipping the decent coffee, snacking on the beautiful (notice I didn’t say tasty) pastries, and using the free WiFi. Long ago, I noticed that Panera had made a stupid technological mistake that probably strips it of the right to manage its network lawfully.

Panera tries to extract consent from its users using what is known as a captive portal, the same method used by most hotel and airport WiFi network providers. When a Panera WiFi user first tries to connect to any website, Panera’s computers redirect her instead to its own web page with a link to its terms of service (ToS). Only when the user clicks “I agree” may she start surfing.

Compared to some of the other methods Internet providers use for attempting to obtain consent, a captive portal deserves some praise. It is much more likely to be noticed and read than a ToS or privacy policy link buried on a home page (or, as the case may be, not even on the home page). It is better than the paper privacy policies my credit card companies send with their monthly bills, usually along with a half-dozen ads. Unlike either of these methods, a captive portal acts like a virtual stop sign–until you click “I agree,” you can go no further. (Of course, calling even a captive portal meaningful consent seems to stretch things if the ToS offered are dozens of pages long.)

But if Panera ever tried to enforce its WiFi ToS–say it got caught monitoring user communications and had to defend against a wiretapping lawsuit or say it was sued for banning a user suspected of downloading porn in violation of the ToS–a court should probably hold that its ToS are unenforceable. Panera has made a simple web design mistake that introduces doubt about what terms are being agreed to by its users.

Like many sites, Panera displays the ToS within a text box. It probably does this to save screen real estate: with a text box, it can allow the user to scroll through a smallish-square rather than be faced with a dauntingly long web page. But carelessly, Panera made its text box EDITABLE! To see what I mean, compare the two text boxes below:

This text box is marked readonly; you should NOT be able to edit this text.

This text box is NOT marked readonly; you should be able to add, delete, and modify this text.

At the very least, Panera will have a hard time proving to a court that a particular customer didn’t delete all of the ToS before clicking “I agree.” But, there is a crazier possibility: Every time I am faced with Panera’s editable ToS, I delete all of the text and replace it with a proposed contract of my own. Here are some of the contracts I have proposed:

• “By allowing me to surf the web using your network, you agree to give me one free muffin every day for the rest of my life.”
• “By allowing me to surf the web using your network, you agree to name me CEO of Panera Bread for a day. I choose next Tuesday.”
• “By allowing me to surf the web using your network, you agree to change the name of your company to Pantera Bread, and the name of your ‘Frontega Chicken’ sandwich to ‘Cowboys from Hell’ Sandwich.’”

I know enough about the http protocol and cgi-bin to know that my modified ToSes probably get transmitted back to a Panera, er, Pantera web server. Are my contracts enforceable? Probably not. But my arguments for enforceability sound no less ridiculous than some of the arguments made by those seeking to enforce click-wrap and buried ToS “contracts”.

Excuse me while I go try to claim a free muffin.

The problem is, I have no idea whether I have a leg to stand on. Can ECPA really hold a [...]]]> Hearing Sarah Lawsky crack wise so often and so hilariously about the Internal Revenue Code during her visit made me think of a little joke I have used many times when lecturing about the Electronic Communications Privacy Act (ECPA). After warning listeners that ECPA is complex and confusing, I will often say something like, “And I challenge any tax experts in the room to go head-to-head with me in a battle for the title of ‘most confusing part of the U.S. Code.’” The comment usually inspires a few polite titters–from the kind of people who find jokes about comparative statutory complexity funny–so I keep using it.

The problem is, I have no idea whether I have a leg to stand on. Can ECPA really hold a candle to the infamous complexity of the IRC? Is there another part of the U.S. Code that makes both of these seem lucid in comparison?

This connects to James Grimmelmann’s recent series of posts about a new lawyer being a menace to his or her clients. He has been developing the point that mere book larnin’ isn’t enough to prepare a lawyer to represent a client competently, at least not in certain substantive areas, and he offers wills & trusts, bankruptcy, and copyright as examples. What makes a substantive area of law more complicated than another?

Keeping it focused on legislation, what factors conspire to make a statute complex and confusing (and, as an aside, can a statute be complex but not confusing or confusing but not complex?) Within my areas of expertise, here are a few factors that make ECPA complex:

1. ECPA defines many terms, and it defines many terms in ways that are disconnected from ordinary meaning. (I’m looking at you, “electronic storage”!)
2. ECPA (and more generally speaking, the Wiretap Act which predates ECPA) has many parallel definitions that Congress may not have intended to treat alike (yes, I’m talking about you two, “wire communication” and “electronic communication.”).
3. ECPA interacts in mysterious ways with other laws (try to figure out what “readily accessible to the general public” means!)
4. ECPA is rarely litigated. Orin Kerr explains how this has made a mess of the law in Lifting the ‘Fog’ of Internet Surveillance: How a Suppression Remedy Would Change Computer Crime Law, 54 Hastings Law Journal 805 (2003).
5. ECPA regulates technology, so its meaning often shifts as technology changes. This problem is exacerbated because the basic structure and essential definitions are unchanged from 1986, so a law written to regulate mainframes is today applied to Web 2.0 and cloud computing.

So to all of the tax experts out there, what makes the tax code so complicated? Do all of the factors listed above apply to the IRC as well? The IRC is much longer than ECPA, and it is supplemented with reams of CFRs and other regs, but that can’t be enough alone to earn it the title, can it?

And what say you bankruptcy and copyright experts?

And even more generally, what are the objective metrics we can use to calculate comparative statutory complexity. (Yes, I’m picturing a NCAA-style tourney bracket right now.)

Thanks to Dan and company for agreeing to let me blog here again. During my stint, I promise to talk about the law (and in particular, the threat to privacy posed by Internet Service Providers) but let me warm up with some lighter, more navel-gazing fare:

I’m serving for the first time on our Appointments committee this year, which means I get to look at the FAR form database from the other end of the microscope. Rick Garnett asks about the weaknesses of the form itself, but I wanted to comment instead on the awful user interface AALS provides for those of us perusing the forms.

The FAR form database’s user interface recalls the aesthetic of most of the phishing scam websites I have ever seen. It [...]]]>

Thanks to Dan and company for agreeing to let me blog here again. During my stint, I promise to talk about the law (and in particular, the threat to privacy posed by Internet Service Providers) but let me warm up with some lighter, more navel-gazing fare:

I’m serving for the first time on our Appointments committee this year, which means I get to look at the FAR form database from the other end of the microscope. Rick Garnett asks about the weaknesses of the form itself, but I wanted to comment instead on the awful user interface AALS provides for those of us perusing the forms.

The FAR form database’s user interface recalls the aesthetic of most of the phishing scam websites I have ever seen. It is ugly, which itself is not much of a sin for such a utilitarian site, but it makes me wonder whether AALS is putting care into other aspects of the database, such as privacy and security. It is also very hard to use, and I will venture to guess that schools are missing some candidates they might otherwise want to interview because of the lousy interface. Here are some specific criticisms:

1. The site’s search engine interface is bizarrely designed and very hard to use. For one thing, the search page is entitled “Untitled Document.”

Worse, it appears that the search form was once a single page about which someone decided, “wouldn’t this look better with tabs?” Clicking on one of the five tabs–”Personal,” “Education,” “Teaching,” “Employment,” and “Bar”–displays the desired subform but not at the top of the screen; instead, the visible subform floats where it once sat on some gone-but-not-forgotten untabified version of the form. (e.g., the “Education” subform sits approximately two-fifths of the way down the blue field.) (See this screenshot with the “Teaching” tab selected to get a better idea of what I am describing.) On my screen, the last two subforms, “Employment” and “Bar,” fall off of the bottom of the screen, so the user gets what looks like an empty blue field, with the search fields visible only to those who scroll down. I bet quite a few professors have abandoned their searches when faced with this “empty” page.

In addition, the tabbed interface leaves a user wondering whether the search terms specified under one tab (say Education) are “ANDed” with the terms specified under another tab (say Teaching). As it happens, the terms are ANDed, which is good, but this behavior is not obvious without testing it.

2. If you want to search for publications, you look under the “Bar” tab, naturally.

3. For some categories of information (JD-granting institutions, Course preferences) you can select from possible entries in a check-box; for other categories of information (Publication Titles, First Name, Last Name) you can perform text searches; and for yet other categories of information (Employment) you can only search broad categories of information. This inconsistency is maddening. Worse, the third category is especially limiting, because although I can tell that somebody served as a Judicial Clerk or Government employee, I can’t search for a particular judge, court, or agency.

4. While searching or browsing, I can save the FAR forms of interesting candidates in “portfolios,” but it appears that these portfolios are shared with everybody else on my committee. This might be specific to the way we set up our accounts here, but if it is system-wide, this makes portfolios less useful. Committee members aren’t able to keep a scratch pad of their favorite candidates (unless they literally scribble it down somewhere else) unless they want their fellow committee members to be able to watch.

5. The page is NOT hosted at aals.org. This is not unusual, of course, but what is unusual is that the page is hosted by a company called omnicontests.com. Omnicontest’s home page does not scream, “company you should hire to design a web page.” It has the aesthetic appeal of a Microsoft FrontPage-designed website, circa 1998.

6. Omnicontests.com touts itself as “The premier solution that streamlines the registration, payment and judging of your awards contest.” There you have it, folks: the AALS hiring process is at bottom an elaborate sweepstakes with entrants, judges, winners, and losers. Of course, we already knew that, but it’s interesting to see AALS admit it so publicly.

I could go on. What points am I trying to make? First, AALS should probably redesign the site to make it easier to use. For example, every field in the database should be text searchable. Second, AALS should audit the system to make sure they are protecting the privacy of the applicants as best as they can. Third (although this advice won’t help those who have already submitted their forms) next year’s applicants might want to try to “test drive” the search engine, if they can find a current committee member willing to let them, to see the various ways the different parts of the form may be searched. It may surprise Supreme Court Clerks, I imagine, to know that committee members cannot single them out, at least using AALS’ interface. (Although please correct me if I’m wrong about this.)

Point a video camera at a television screen, aim a microphone at a speaker, or run a cable from the “line out” to the “line in” ports on the back of your computer, and you’re ready to exploit the so-called analog hole. Just press “play” on one device and “record” on the other, and you can copy a movie, television show, or song, even if the original is supposedly protected by digital rights management technology designed to prevent copying.

The analog hole–which arises from the fact that relatively-easy-to-protect digital content must be converted into harder-to-protect analog signals if we humans are to [...]]]> I’ve overstayed my welcome, so I’ll be signing off with this post. Thanks to Dan and the other permabloggers for letting me participate.

Point a video camera at a television screen, aim a microphone at a speaker, or run a cable from the “line out” to the “line in” ports on the back of your computer, and you’re ready to exploit the so-called analog hole. Just press “play” on one device and “record” on the other, and you can copy a movie, television show, or song, even if the original is supposedly protected by digital rights management technology designed to prevent copying.

The analog hole–which arises from the fact that relatively-easy-to-protect digital content must be converted into harder-to-protect analog signals if we humans are to see or hear them–has given Hollywood and the recording industry a fair amount of heartache, has led them to displays of public consternation, and has even resulted in some proposed legislation.

Despite its frequent appearance in DRM debates, the analog hole is suprisingly unexplored in legal scholarship. Westlaw’s JLR database contains a mere thirty-seven articles that use the phrase, most in passing, and SSRN returns only three hits. Most of the commentary relies on an empirical assumption that has never before been rigorously tested: Exploiting the analog hole creates copies of such low quality as not to be good substitutes for the originals.

Doug Sicker, an Assistant Professor of Computer Science at my University, together with Shannon Gunaji, a grad student, have tried empirically to test this assumption by conducting a series of surveys assessing, among other things, what the analog hole means for the typical music consumer. Doug asked me to help bring the early results to the legal academy, and our little article, entitled The Analog Hole and the Price of Music: an Empirical Study, has been posted to SSRN and will appear soon in the Journal of Telecommunications & High Technology Law.

Our results after the jump.

We came to three primary conclusions, although none of our survey sizes were large enough to support statistically significant conclusions (we hope to replicate the study on a larger sample):

First, some of our survey respondents could detect the differences between a digital original and an analog hole copy of the same song. The results, however, weren’t dramatic, and many respondents couldn’t tell the two apart. Of course, there is a danger to generalizing too much from this conclusion. There are many ways to create an analog hole copy, and the amount of signal degradation varies widely. Our results apply only to two specific methods.

Second, using an econometric model, we came to a tantalizingly specific conclusion: the analog hole is worth twenty-four cents. We mean by this that our respondents were willing to buy signal-degraded analog hole copies of music, but only if priced twenty-four cents less than a digital original. This builds nicely on Chris Sprigman’s article which attempts to explain why nearly every digital track sold online costs ninety-nine cents.

Third, we ran a second survey of people (all college students) whose music collections contain more non-purchased than purchased music. These, putative “pirates,” surprised us by expressing a willingness to pay for music, but only if it was sold for twenty to forty cents per song. Although this is well below the market rate, it suggests that a shift in pricing might bring some pirates back into the fold.

Please read the paper if you’re interested in the conclusions we draw from these results or to see how this fits into the other writing on the subject.

Everybody knows that the Internet is teeming with super-powerful and nefarious miscreants who are almost impossible to stop and who can cause catastrophic harms. If you need proof, simply pick up any newspaper or watch any “hacker” movie. The problem is, what everybody knows is wrong. Or, at least so I argue in my most recent article, The Myth of the Superuser: Fear, Risk, and Harm Online, which I have posted to SSRN and submitted to a law review intake inbox near you. Here’s the abstract:

Fear of the powerful computer user, “the Superuser,” dominates debates about online conflict. This mythic figure is difficult to find, immune to technological constraints, and aware of legal loopholes. Policymakers, fearful of his power, too often overreact, passing overbroad, [...]]]>

Everybody knows that the Internet is teeming with super-powerful and nefarious miscreants who are almost impossible to stop and who can cause catastrophic harms. If you need proof, simply pick up any newspaper or watch any “hacker” movie. The problem is, what everybody knows is wrong. Or, at least so I argue in my most recent article, The Myth of the Superuser: Fear, Risk, and Harm Online, which I have posted to SSRN and submitted to a law review intake inbox near you. Here’s the abstract:

Fear of the powerful computer user, “the Superuser,” dominates debates about online conflict. This mythic figure is difficult to find, immune to technological constraints, and aware of legal loopholes. Policymakers, fearful of his power, too often overreact, passing overbroad, ambiguous laws intended to ensnare the Superuser, but which are used instead against inculpable, ordinary users. This response is unwarranted because the Superuser is often a marginal figure whose power has been greatly exaggerated.

The exaggerated attention to the Superuser reveals a pathological characteristic of the study of power, crime, and security online, which springs from a widely-held fear of the Internet. Building on the social science fear literature, this Article challenges the conventional wisdom and standard assumptions about the role of experts. Unlike dispassionate experts in other fields, computer experts are as susceptible as lay-people to exaggerate the power of the Superuser, in part because they have misapplied Larry Lessig’s ideas about code.

The experts in computer security and Internet law have failed to deliver us from fear, resulting in overbroad prohibitions, harms to civil liberties, wasted law enforcement resources, and misallocated economic investment. This Article urges policymakers and partisans to stop using tropes of fear; calls for better empirical work on the probability of online harm; and proposes an anti-Precautionary Principle, a presumption against new laws designed to stop the Superuser.

Law Professors who write about the Internet tend to develop facts through a combination of anecdote and secondary-source research, through which information about the conduct of computer users, the network’s structure and architecture, and the effects of regulation on innovation are intuited, developed through stories, or recounted from others’ research. Although I think a lot of legal writing about the Internet is very, very good, I’ve long yearned for more “primary source” analysis.

In other words, there is room and need for Internet law scholars who write code. Although legal scholars aren’t about to break fundamental new ground in computer science, the hidden truths of the Internet don’t run very deep, and some very simple code can elicit some important results. Also, there [...]]]>

Law Professors who write about the Internet tend to develop facts through a combination of anecdote and secondary-source research, through which information about the conduct of computer users, the network’s structure and architecture, and the effects of regulation on innovation are intuited, developed through stories, or recounted from others’ research. Although I think a lot of legal writing about the Internet is very, very good, I’ve long yearned for more “primary source” analysis.

In other words, there is room and need for Internet law scholars who write code. Although legal scholars aren’t about to break fundamental new ground in computer science, the hidden truths of the Internet don’t run very deep, and some very simple code can elicit some important results. Also, there is a growing cadre of law professors with the skills needed to do this kind of research. I am talking about a new form of empirical legal scholarship, and empiricists should embrace the perl script and network connection as parts of their toolbox, just as they adopted the linear regression a few decades ago.

I plan to talk about this more in a subsequent post or two, but for now, let me give some examples of what I’m describing. Several legal scholars (or people closely associated with legal scholarship) are pointing the way for this new category of “empirical Internet legal studies”.

• Jonathan Zittrain and Ben Edelman, curious about the nature and extent of filtering in China and Saudi Arabia, wrote a series of scripts to “tickle” web proxies in those countries to analyze the amount of filtering that occurs.
• Edelman has continued to engage in a particularly applied form of Internet research, for example see his work on spyware and adware.
• Ed Felten—granted, a computer scientist not a law professor—and his graduate students at Princeton have investigated DRM and voting machines with a policy bent and a particular focus on applied, clear results. Although the level of technical sophistication found in these studies is unlikely to be duplicated in the legal academy soon, his methods and approaches are a model for what I’m describing.
• Journalist Kevin Poulsen created scripts that searched MySpace’s user accounts for names and zip codes that matched the DOJ’s National Sex Offender Registry database, and found more than 700 likely matches.
• Finally, security researchers have set up vulnerable computers as “honeypots” or “honeynets” on the Internet, to give them a vantage point from which to study hacker behavior.

What are other notable examples of EILS? Let’s keep with the grand Solovian tradition, and call this a Census. Is this sub-sub-discipline ready to take off, or should we mere lawyers leave the coding to the computer scientists?

Imagine you give an exam with two questions, each supposedly worth 50% of the final grade. Imagine further you grade both questions and properly normalize the scores for each one to a 50 point scale. (I’m not so sure all professors normalize properly, but that’s a different problem.)

What do you do if the standard deviations in the two normalized grade populations vary widely? In other words, imagine that question one elicits a long, flat curve: the lowest score is much lower than the highest score, and there is a lot of [...]]]> Dave’s recent posts about grading have me wondering. Whenever I grade, I encounter the following mathematical choice, and I am often torn about which is the proper, fair choice to make.

Imagine you give an exam with two questions, each supposedly worth 50% of the final grade. Imagine further you grade both questions and properly normalize the scores for each one to a 50 point scale. (I’m not so sure all professors normalize properly, but that’s a different problem.)

What do you do if the standard deviations in the two normalized grade populations vary widely? In other words, imagine that question one elicits a long, flat curve: the lowest score is much lower than the highest score, and there is a lot of variation in the scores in between, while question two elicits a compact curve with a very high peak that drops off quickly in both directions.

Is it legitimate (fair, proper) simply to add the normalized scores for questions one and two to derive the final score? Does this cause the first question to exert an unfairly disproportionate effect on the final curve? First, consider the extreme case. In a class of 50 students, every student gets a different normalized score for question one–from one to fifty points–while every student in the class gets the exact same normalized score–say 20 points–for question two. Simply adding the scores together means the final curve will match the curve for question one exactly, and question two will have been written out of the exam.

This seems to be the fair result. Question two is a bad question. It didn’t differentiate between the students in the class, so it is fair to curve the class based solely on their performance on question one. What is the alternative?

But what if we’re not at the extreme case? Imagine question one’s curve is much flatter than (the standard deviation of the scores is much higher than) question two’s curve, yet question two’s curve nevertheless differentiates between the students. Is it fair simply to add the two, or are you failing to abide by your promise to your students to have each question be worth 50% of the exam?

If you think that it is not fair simply to add, you can apply a transformation to one set of data or the other to bring the standard deviations more in line with one another. Is this proper?

My initial take is that sometimes the transformation is fair and sometimes it is not. It depends on what you think about the objective quality of your grading methods and the uniformity of the difficulty of the questions you wrote. For example, if question one is much more difficult than question two, perhaps the curve should be driven by question one, and the data should not be transformed (you can make the opposite argument). In contrast, if question one is an issue spotter and question two is a policy question, simply adding the normalized scores may not reflect the greater subjectivity in grading policy questions, and a transformation may be in order.

There are no neutral choices here. Unless the scores for questions one and two are highly correlated, many students’ final grades will vary based on the choice made. At the very least, this is yet more proof of the inherent subjectivity of the entire grading process. Have others thought about this, and if so, which choices have you made?

Among the many pleasures of teaching where I do is the opportunity to be on the sidelines for interesting debates about telecomm law and policy, thanks to the presence of scholars like Phil Weiser and Dale Hatfield (among many others). For example, for those of you who can’t get enough of the Net Neutrality debate, this weekend we’re offering two opportunities to hear more about it:

First, Micah Schwalb, a 3L and the EIC of the Journal on Telecomm and High Tech Law noticed that you could trace the history of the Net Neutrality debate by reading the Journal’s back issues and watching footage from our past [...]]]> I first wanted to thank Dan and the rest for allowing me to use a little of their space.

Among the many pleasures of teaching where I do is the opportunity to be on the sidelines for interesting debates about telecomm law and policy, thanks to the presence of scholars like Phil Weiser and Dale Hatfield (among many others). For example, for those of you who can’t get enough of the Net Neutrality debate, this weekend we’re offering two opportunities to hear more about it:

First, Micah Schwalb, a 3L and the EIC of the Journal on Telecomm and High Tech Law noticed that you could trace the history of the Net Neutrality debate by reading the Journal’s back issues and watching footage from our past Silicon Flatirons conferences. So he has put together a new website, neutralitylaw.com, that pulls all of these resources together. Here you’ll find videos of talks by Larry Lessig, Vint Cerf, and others (many of which have never been available online before now), and articles by Tim Wu, Chris Yoo, Barbara van Schewick, Phil, and more.

Second, on Sunday and Monday we are hosting our annual marquee Silicon Flatirons event, the Digital Broadband Migration conference. Every panel is stacked with interesting people, but none is as deep as the one I’m thrilled to moderate, entitled “Network Management: Beyond Net Neutrality.” The panelists include: Jerry Kang, Ed Felten, Howard Shelanski, Robert Pepper, Jim Speta, and Jon Nuechterlein. I know when I’m outclassed, so I’ll do my best to stay out of the way, but in honor of the blog, I may try to ask a question about the role of culture. If you’re anywhere near Boulder, please stop by and say hello.

And in case you can’t make it out, you’ll be able to find the video on neutralitylaw before too long. In the coming weeks, we’ll be adding many other videos from past conferences.

The media’s influence on public fears is well documented, and it will be interesting to see how the “new media” play into or help defuse these fears. Some blogs are not handling this story well, and in particular I disagree with what many techie/lefty/civil-libertarian bloggers have had to say. Many of these bloggers are people I tend to agree with a lot of the time, which has led me to wonder why I don’t this time.

First, some have said that the Boston Police overreacted by shutting down parts of the city. These were kids publicizing a cartoon, [...]]]> Lately, I’ve been thinking a lot about legal and extra-legal responses to fear, so I’ve followed last week’s commentary about the Boston Mooninite scare with some interest.

The media’s influence on public fears is well documented, and it will be interesting to see how the “new media” play into or help defuse these fears. Some blogs are not handling this story well, and in particular I disagree with what many techie/lefty/civil-libertarian bloggers have had to say. Many of these bloggers are people I tend to agree with a lot of the time, which has led me to wonder why I don’t this time.

First, some have said that the Boston Police overreacted by shutting down parts of the city. These were kids publicizing a cartoon, after all! I admit that I’m untrained in bomb identification, but I’m guessing so are most of the other people who have commented. Why is it so hard to believe that a circuit board with batteries, wires, and a few other components (pictured above) might look like a bomb to a reasonable bomb expert? Shouldn’t Turner Broadcasting have even considered the possibility? Shouldn’t they have thought of consulting the authorities before taking three dozen of these things and attaching them to public places (including a bridge)? Is it really a surprise that the police assumed the worst?

(And yes, I know that some other cities’ police departments didn’t react this way when faced with the same devices. Less publicity has been given to the police departments that have corroborated Boston’s reaction. It proves to me only that reasonable police departments may differ.)

To their credit, some bloggers recognized that criticizing the immediate police response might reflect a hindsight bias. But convinced that something worthy of criticism or ridicule happened here, many went in search of other critiques.

The dominant narrative strategy has been to criticize not the immediate police response but the ensuing investigation. Prosecutors and politicians have been portrayed as engaging in a witch hunt. Armchair lawyers have been busily dissecting criminal codes pontificating about the weaknesses of the charges that have been filed.

I’m much more sympathetic to the prosecution. Something went awry in the execution of this stunt, and it sends the wrong message if it goes unpunished, much less uninvestigated. Isn’t a healthy dose of deterrence warranted in a case like this (assuming there’s a law on the books that colorably applies)? Deterring copycat acts seems especially necessary because even with the legal difficulties—or perhaps because of them—some have proclaimed this to be an “unqualified success” of guerilla marketing.

I’m not arguing that the charges that have already been brought are winners. The early evidence suggests that the two men arrested were pawns hired by Turner Broadcasting, so perhaps the focus should be on the Corporation or its executives. Nor am I arguing for prison sentences; a hefty fine and a criminal conviction are probably enough.

This brings me back to my search for why I disagree with the blogger backlash to this story. In some ways, I think these bloggers couldn’t help themselves. This story triggered so many stock fears and fads: claims of terrorism, the maker movement, guerilla art, oppression of the “little guy,” even cartoons! These bloggers were practically meme-baited into assuming the worst, and they raised a furor before they had put their finger exactly on what it was about the story that they feared and opposed. More than a week later, they’re still searching for that elusive argument.

Photo Credit: AP Photo/Todd Vanderlin