Category: Anonymity

1

It’s About Data Hoards – My New Paper Explains Why Data Escrow Won’t Protect Privacy

A core issue in U.S. v. Jones has noting to do with connecting “trivial” bits of data to see a mosaic; it is about the simple ability to have a perfect map of everywhere we go, with whom we meet, what we read, and more. It is about the ability to look backward and see all that information with little to no oversight and in a way forever. That is why calls to shift the vast information grabs to a third party are useless. The move changes little given the way the government already demands information from private data hoards. Yes, not having immediate access to the information is a start. That might mitigate mischief. But clear procedures are needed before that separation can be meaningful. That is why telecom and tech giants should be wary of “The central pillar of Obama’s plan to overhaul the surveillance programs [which] calls for shifting storage of Americans’ phone data from the government to telecom companies or an independent third party.” It does not solve the problem of data hoards.

As I argue in my new article Constitutional Limits on Surveillance: Associational Freedom in the Age of Data Hoarding:

Put differently, the tremendous power of the state to compel action combined with what the state can do with technology and data creates a moral hazard. It is too easy to harvest, analyze, and hoard data and then step far beyond law enforcement goals into acts that threaten civil liberties. The amount of data available to law enforcement creates a type of honey pot—a trap that lures and tempts government to use data without limits. Once the government has obtained data, it is easy and inexpensive to store and search when compared to storing the same data in an analog format. The data is not deleted or destroyed; it is hoarded. That vat of temptation never goes away. The lack of rules on law enforcement’s use of the data explains why it has an incentive to gather data, keep it, and increase its stores. After government has its data hoard, the barriers to dragnet and general searches—ordinarily unconstitutional—are gone. If someone wishes to dive into the data and see whether embarrassing, or even blackmail worthy, data is available, they can do so at its discretion; and in some cases law enforcement has said they should pursue such tactics. These temptations are precisely why we must rethink how we protect associational freedom in the age of data hoarding. By understanding what associational freedom is, what threatens it, and how we have protected it in the past, we will find that there is a way to protect it now and in the future.

10

On the NSA and Media Bias: An Extended Analysis

By Albert Wong and Valerie Belair-Gagnon, Information Society Project at Yale Law School

In a recent article in the Columbia Journalism Review, we reported that major US newspapers exhibited a net pro-surveillance bias in their “post-Edward Snowden” coverage of the NSA. Our results ran counter to the general perception that major media outlets lean “traditionally liberal” on social issues. Given our findings, we decided to extend our analysis to see if the same bias was present in “traditionally conservative” and international newspapers.

Using the same methods described in our previous study, we examined total press coverage in the Washington Times, one of the top “traditionally conservative” newspapers in the US. We found that the Washington Times used pro-surveillance terms such as security or counterterrorism 45.5% more frequently than anti-surveillance terms like liberty or rights. This is comparable to USA Today‘s 36% bias and quantitatively greater than The New York Times‘ 14.1% or the Washington Post‘s 11.1%. The Washington Times, a “traditionally conservative” newspaper, had the same, if not stronger, pro-surveillance bias in its coverage as neutral/”traditionally liberal”-leaning newspapers.

In contrast, The Guardian, the major UK newspaper where Glenn Greenwald has reported most of Snowden’s disclosures, did not exhibit such a bias. Unlike any of the US newspapers we examined, The Guardian actually used anti-surveillance terms slightly (3.2%) more frequently than pro-surveillance terms. Despite the UK government’s pro-surveillance position (similar to and perhaps even more uncompromising than that of the US government), the Guardian‘s coverage has remained neutral overall. (Neutral as far as keyword frequency analysis goes, anyway; the use of other methods, such as qualitative analysis of article tone, may also be helpful in building a comprehensive picture.)

Our extended results provide additional context for our earlier report and demonstrate that our analysis is “capturing a meaningful divide.”

On a further note, as several commenters suggested in response to our original report, the US media’s pro-surveillance bias may be a manifestation of a broader “pro-state” bias. This theory may be correct, but it would be difficult to confirm conclusively. On many, even most, issues, the US government does not speak with one voice. Whose position should be taken as the “state” position? The opinion of the President? The Speaker of the House? The Chief Justice? Administration allies in Congress? In the context of the Affordable Care Act, is there no “pro-state” position at all, since the President, the Speaker, and the Chief Justice each have different, largely irreconcilable views?

14

Bartelt’s Dog and the Continuing Vitality of the Supreme Court’s Tacit Distinction between Sense Enhancement and Sense Creation

Last Term, in an amicus brief in United States v. Jones, 565 U.S. __, several colleagues and I highlighted the Supreme Court’s long, albeit not always clearly stated, history of distinguishing between sense-enhancing and sense-creating technologies for Fourth Amendment purposes.  As a practical matter, the Court has consistently subjected technologies in the latter category to closer scrutiny than technologies that merely bolster natural human senses.  Thus, the use of searchlights, field glasses, and (to some extent) beepers and airplane-mounted cameras was not found to implicate the Fourth Amendment.  As the Court explained, “[n]othing in the Fourth Amendment prohibit[s] the police from augmenting the sensory faculties bestowed upon them at birth with such enhancement as science and technology” may afford.  460 U.S. at 282 (emphasis added).  In contrast, the Court has held that technologies that create a new capacity altogether, including movie projectors, wiretaps, ultrasound devices, radar flashlights, directional microphones, thermal imagers, and (as of Jones) GPS tracking devices, do trigger the Fourth Amendment.  To hold otherwise, as the Court has stated, would “shrink the realm of guaranteed privacy,” leaving citizens “at the mercy of advancing technology.”  533 U.S. at 34-36.

In fact, of the landmark cases involving technology and the Fourth Amendment during the past 85 years (from United States v. Lee, 274 U.S. 559, in 1927 to Jones in 2012), only in one instance did the Supreme Court appear to deviate from this distinction between sense enhancement and sense creation.  In that case, United States v. Place, 462 U.S. 696, and its successors, City of Indianapolis v. Edmond, 531 U.S. 32, and Illinois v. Caballes, 543 U.S. 405, the Court held that the use of trained narcotics-detection dogs (more apparently similar to using a new capacity than merely enhancing a natural human sense) did not implicate the Fourth Amendment.  In our amicus brief in Jones, we rationalized Place, Edmond, and Caballes by arguing that dogs were unique, being natural biological creatures that had long been used by the police, even in the time of the Framers.  Further, we argued, a canine sniff, unlike the use of, say, a wiretap or a thermal imager, “discloses only the presence or absence of narcotics, a contraband item.”  462 U.S. at 707 (emphasis added).  Still, the apparent ‘dog exception’ was rankling. Read More

1

Netflix, Facebook, and Social Sharing

Just as Neil Richards’s The Perils of Social Reading (101 Georgetown Law Journal 689 (2013)) is out in final form, Netflix released its new social sharing features in partnership with that privacy protector, Facebook. Not that working with Google, Apple, or Microsoft would be much better. There may be things I am missing. But I don’t see how turning on this feature is wise given that it seems to require you to remember not to share in ways that make sharing a bit leakier than you may want.

Apparently one has to connect your Netflix account to Facebook to get the feature to work. The way it works after that link is made poses problems.

According to SlashGear two rows appear. One is called Friends’ Favorites tells you just that. Now, consider that the algorithm works in part by you rating movies. So if you want to signal that odd documentaries, disturbing art movies, guilty pleasures (this one may range from The Hangover to Twilight), are of interest, you should rate them highly. If you turn this on, are all old ratings shared? And cool! Now everyone knows that you think March of the Penguins and Die Hard are 5 stars. The other button:

is called “Watched By Your Friends,” and it consists of movies and shows that your friends have recently watched. It provides a list of all your Facebook friends who are on Netflix, and you can cycle through individual friends to see what they recently watched. This is an unfiltered list, meaning that it shows all the movies and TV shows that your friends have agreed to share.

Of course, you can control what you share and what you don’t want to share, so if there’s a movie or TV show that you watch, but you don’t want to share it with your friends, you can simply click on the “Don’t Share This” button under each item. Netflix is rolling out the feature over the next couple of days, and the company says that all US members will have access to Netflix social by the end of the week.

Right. So imagine you forget that your viewing habits are broadcast. And what about Roku or other streaming devices? How does one ensure that the “Don’t Share” button is used before the word goes out that you watched one, two, or three movies on drugs, sex, gay culture, how great guns are, etc.?

As Richards puts it, “the ways in which we set up the defaults for sharing matter a great deal. Our reader records implicate
our intellectual privacy—the protection of reading from surveillance and interference so that we can read freely, widely, and without inhibition.” So too for video and really any information consumption.

2

Revenge Porn and the Uphill Battle to Pierce Section 230 Immunity (Part II)

Plaintiffs’ lawyers have some reason to think that they can convince courts to change their broad-sweeping view of Section 230.  In the rare case, courts have pierced the safe harbor, though not because the site operators failed to engage in good faith attempts to protect against offensive or indecent material.  In 2011, a federal district court permitted a woman to sue the site operator of the Dirty.com for defamation on the grounds that Section 230 is forfeited if the site owner “invites the posting of illegal materials or makes actionable postings itself.”  Sarah Jones v. Dirty World Entertainment Recordings LLC, 766 F. Supp.2d 828, 836 (E.D. Kentucky 2011).

That trial judge relied on a Ninth Circuit decision, Fair Housing Council v. Roommates.com, which involved a classified ad service that helps people find suitable roommates.  To sign up for the site’s service, subscribers had to fill out an online questionnaire that asked questions about their gender, race, and sexual orientation.  One question asked subscribers to choose a roommate preference, such as “Straight or gay males,” only “Gay” males, or “No males.”  Fair housing advocates sued the site, arguing that its questionnaires violated federal and state discrimination laws.  The Ninth Circuit found that Section 230 failed to immunize the defendant site from liability because it created the questions and choice of answers and thus became the “information content provider.”  The court ruled that since the site required users to answer its questions from a list of possible responses of its choosing, the site was “the developer, at least in part, of that information.”  Each user’s profile page was partially the defendant’s responsibility because every profile is a “collaborative effort between [the site] and the subscriber.”

As the Ninth Circuit held (and as a few courts have followed), Section 230 does not grant immunity for helping third parties develop unlawful conduct. The court differentiated the defendant’s site from search engines whose processes might be seen as contributing to the development of content, its search results.  According to the court, ordinary search engines “do not use unlawful criteria to limit the scope of searches conducted on them” and thus do not play a part in the development of unlawful searches.  The court endorsed the view that sites designed to facilitate illegal activity fell outside Section 230’s safe harbor provision.

Here is the rub.  To reach its conclusion, the Ninth Circuit essentially had to rewrite the statute, which defines information content providers as those responsible for the “creation and development of information provided through the Internet,” not the creation and development of illegal information. Read More

4

Revenge Porn and the Uphill Battle to Sue Site Operators

Last week, a group of women filed a lawsuit against the revenge porn site Texxxan.com as well as the hosting company Go Daddy!  Defendant Texxxan.com invites users to post nude photographs of individuals who never consented to their posting.  Revenge porn sites — whether Private Voyeur, Is Anyone Down?, HunterMoore.tv (and the former IsAnyoneUp?), or Texxxan.com — mostly host women’s naked pictures next to their contact information and links to their social media profiles. Much like other forms of cyber stalking, revenge porn ruins individuals’ reputations as the pictures saturate Google searches of their names, incites third parties to email and stalk individuals, causes terrible embarrassment and shame, and risks physical stalking and harm.  In the recently filed suit, victims of revenge porn have brought invasion of privacy and civil conspiracy claims against the site operator and the web hosting company, not the posters themselves who may be difficult to find. More difficult though will be getting the case past a Rule 12(b)(6) motion to dismiss.

In this post, I’m going to explain why this lawsuit is facing an uphill battle under Section 230 of the Communications Decency Act and why extending Section 230’s safe harbor to sites designed to encourage illicit activity seems out of whack with the broader purpose of CDA.  In my next post, I will talk about cases that seemingly open the door for plaintiffs to bring their suit and why those cases provide a poor foundation for their arguments.

Does Section 230 give revenge porn operators free reign to ruin people’s lives (as revenge porn site operator Hunter Moore proudly describes what he does)?  Sad to say, they do.  Read More

15

Stanford Law Review Online: Privilege and the Belfast Project

Stanford Law Review

The Stanford Law Review Online has just published a Note by Will Havemann entitled Privilege and the Belfast Project. Havemann argues that a recent First Circuit opinion goes too far and threatens the idea of academic privilege:

In 2001, two Irish scholars living in the United States set out to compile the recollections of men and women involved in the decades-long conflict in Northern Ireland. The result was the Belfast Project, an oral history project housed at Boston College that collected interviews from many who were personally involved in the violent Northern Irish “Troubles.” To induce participants to document their memories for posterity, Belfast Project historians promised all those interviewed that the contents of their testimonials would remain confidential until they died. More than a decade later, this promise of confidentiality is at the heart of a legal dispute implicating the United States’ bilateral legal assistance treaty with the United Kingdom, the so-called academic’s privilege, and the First Amendment.

He concludes:

Given the confusion sown by Branzburg’s fractured opinion, the First Circuit’s hardnosed decision is unsurprising. But by disavowing the balancing approach recommended in Justice Powell’s concurring Branzburg opinion, and by overlooking the considerable interests supporting the Belfast Project’s confidentiality guarantee, the First Circuit erred both as a matter of precedent and of policy. At least one Supreme Court Justice has signaled a willingness to correct the mischief done by the First Circuit, and to clarify an area of First Amendment law where the Court’s guidance is sorely needed. The rest of the Court should take note.

Read the full article, Privilege and the Belfast Project at the Stanford Law Review Online.

6

The Normative Jurisprudence of Creepshots

My reaction to Robin West’s extraordinary scholarship always includes some mixture of distress and excitement: distress over the failures of law and humanity she describes with such devastating clarity, and excitement about the potential applications of her insights. In this post, I want to discuss how Robin’s critique of both liberal legalism and what she calls “neo-critical” legal theory in Normative Jurisprudence – particularly the former’s fetishization of individual rights and the latter’s decidedly uncritical celebration of consent – usefully illuminates the recent controversy over the outing of Michael Brutsch, aka “Violentacrez,” the man behind some of the most controversial forums on the popular social news website, reddit.com. One of these, the “/r/creepshot” forum (or “subreddit”), which encouraged users to submit surreptitious photographs of women and girls for sexual commentary, garnered national attention when it was discovered that a Georgia schoolteacher was posting pictures of his underage students. Brutsch’s outing (or “doxxing“) sparked outrage from many in the reddit community, and has led to an intriguing online and offline debate over Internet norms and practices. The defense of Brutsch and the forums he helped create – mostly sexual forums targeting women and girls – has been dominated by a highly selective conception of the right to privacy, the insistence on an unintelligibly broad conception of “consent,” and a frankly bewildering conception of the right to free speech. Attempts to criticize or curtail these forms of online abuse have also been primarily framed in terms of “rights,” to uncertain effect. Robin’s critiques of rights fetishism and the ideology of consent offer valuable insights into this developing debate.

I will attempt to briefly summarize (and no doubt oversimplify, though I hope not misrepresent) the points Robin makes that I think are most useful to this conversation. Liberal legalism’s focus on rights rests on a seductive fantasy of individual autonomy: it “prioritizes the liberty and autonomy of the independent individual, shrouds such a person in rights, grants him extraordinary powers within a wide ranging sphere of action, and in essence valorizes his freedom from the ties and bonds of community. It relegates, in turn, the interests, concerns, and cares of those of us who are not quite so autonomous or independent … those of us for whom our humanity is a function of our ties to others rather than our independence from them … to the realm of policy and political whim rather than the heightened airy domain of right, reason, and constitutional protection” (41). The critical legal studies movement attempted to correct some of this rights fetishism by pointing out that “rights” are not only radically indeterminate (i.e. rights can be interpreted and granted in conflicting ways), but that they are also legitimating (that is, bestowing the status of “right” on narrowly drawn freedoms can obscure the injustice and inequality that fall outside of them, thus insulating them from critique).

Robin persuasively demonstrates that neo-critical legal theorists held on to the indeterminacy thesis while jettisoning the critique of legitimation. Concerns about legitimation are concerns about suffering, and neo-crits are largely uninterested in, if not contemptuous of, suffering. Their primary concern is power and pleasure, which is accordingly supported by what Robin calls “the ideology of consent.” To the neo-crits, consent has the power to fully shield any act from either legal or moral critique. Robin addresses the way the ideology of consent plays out in the context of sex by looking to the work of Janet Halley. According to Robin, Halley espouses a view of sex that takes “[c]onsent to sex … as full justification for a collective blindness to both societal and individual pressures to engage in unwanted sex, so long as the sex is short of rape”(142). Sex is presumptively pleasurable, and as such presumptively immune from critique. As Robin describes Halley’s position, “sex is almost always innocent, and when consensual, there can be no ‘legitimate’ basis for criticism. Consensual sex is just too good to be circumscribed, or bound, by claims of its unwelcomeness or unwantedness. The claims that consensual sex is in fact unwelcome or unwanted are likely false in any event. The harms sustained, even if the claims are true, are trivial” (146). (I came to similar conclusions regarding Halley’s work in my review of her book, Split Decisions: How and Why to Take a Break from Feminism).

Now to apply these insights to the Michael Brutsch/creepshot controversy. The moderators of the creepshot subreddit provide this helpful definition of “creepshot” on the “subreddit details” page:

Read More

4

Brin’s “Existence,” the Fermi Paradox, and the Future of Privacy

I just finished David Brin’s “Existence,” his biggest new novel in years.  Brin, as some readers know, has won multiple Hugo and Nebula awards for best science fiction writing.  He also wrote the 1999 non-fiction book “The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom?”.  More about that in a bit.

Existence is full of big ideas.  A main focus is on the Fermi Paradox, which observes that we would expect to find other forms of life out there among the hundreds of billions of suns, but we haven’t seen evidence of that life yet.  If you haven’t ever thought through the Fermi Paradox, I think it is a Genuine Big Question, and well worth contemplating.  Fortunately for those who like their science mixed with fiction, Brin weaves fifty or so possible answers to the Fermi Paradox into his 550-page novel.  Does climate change kill off other races?  Nuclear annihilation?  Do aliens upload themselves into computers once they get sophisticated (the “singularity”), so we never detect them across the void?  And a lot, lot more.

It took me a little while to get into the book, but I read the last few hundred pages in a rush.  I’ve had the pleasure to know Brin for a bunch of years, and find him personally and intellectually engaging.  I was pleased to read this, because I think it will intrigue curious minds for a long time as our telescopic views of other planets deepen our puzzlement about the Fermi Paradox.

As for privacy, my own view is that the privacy academics didn’t take his 1999 book seriously enough as an intellectual event.  One way to describe Brin’s insight is to say that surveillance in public becomes cheaper and more pervasive over time.  For Brin, having “control” over your face, eye blinks, location, etc., etc. becomes futile and often counter-productive once cameras and other sensors are pervasive and searchable.  Brin picked up on these themes in his earlier novel, “Earth,” when elderly people used video cameras to film would-be muggers, deterring the attacks.  In the new novel, the pervasive use of the 2060 version of Google Glasses means that each person is empowered to see data overlays for any person they meet.  (This part is similar to the novel “Rainbow’s End” by Brin’s friend Vernor Vinge.)

Surveillance in public is a big topic these days.  I’ve worked with CDT and EFF on USvJones.com, which asked law academics to propose doctrine for surveillance in public.  Facial recognition and drones are two of the hot privacy topics of the year, and each are significant steps towards the pervasive sensor world that Brin contemplated in his 1999 book.

So, if you like thinking about Big Ideas in novel form, buy Existence.  And, if you would like to retain the Fair Information Principles in a near future of surveillance in public, consider Brin more carefully  when you imagine how life will and should be in the coming decades.

6

Bad Idea, in Voting

I’ve been in my book writing fox hole, so much so that when the storm hit Maryland and D.C. and I did not lose power, I had no idea that nearly half of my state and our neighboring ones had none.  But enough about hiding from the world (and the Internet), there are alarming stories about voting worth sharing now with elections coming up, the only time the public seems to sniffle at the issue.  Internet voting.  One might say, in your dreams, pal, never going to happen.  But in truth it is happening, with calls for more.  Nineteen states offer some form of online voting, mostly for soldiers living overseas.  The Military and Overseas Voter Empowerment Act requires states in most cases to get ballots to military and overseas voters well in advance of regularly scheduled federal elections, which has led states to adopt voting via e-mail and online for soldiers.  (Other states like Maryland allow voters to download ballots online and mail them).  Because these experiments have “worked,” more calls for voting online have been forthcoming on the grounds that people might then actually vote.  It’s my understanding from voting activists that election boards are agitating for online voting, and it is a very bad idea.  To state the utterly obvious, all things online are insecure — the infiltration of Pentagon and countless companies, including financial ones, should instill fear about the sophistication of bad actors looking to steal state secrets, trade secrets, credit card numbers, SSNs, you name it.  And online elections–what a target (think about all of the people who would bother–in a word, lots).  Stuffing ballot boxes in a handful of precincts is quaint as compared to the possibilities of malware, distributed denial of service attacks, and the like in a state and federal election.  It is mind blowing, really.

Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman of the University of Michigan recently released a study on the ease with which they hacked a pilot project on Internet voting run by Washington D.C.  The authors explain that within 48 hours of the system going live, they gained near-complete control of the election server, successfully changed every vote and revealed almost every secret ballot. Two business days later, election officials detected the intrusion, and probably only because the authors deliberately left a prominent clue.  Some respond to these sorts of concerns with “we bank online and it is safe, so we can vote online, if we just work hard enough at it.”  As the authors explain, banking and voting involve very different activities with very different needs for secrecy as between client/voter and bank/voting precinct.  As the authors explain:

While Internet-based financial applications, such as online banking, share some of the threats faced by Internet voting, there is a fundamental difference in ability to deal with compromises after they have occurred. In the case of online banking, transaction records, statements, and multiple logs allow customers to detect specific fraudulent transactions and in many cases allow the bank to reverse them. Internet voting systems cannot keep such fine-grained transaction logs without violating ballot secrecy for voters. Even with these protections in place, banks suffer a significant amount of online fraud but write it off as part of the cost of doing business; fraudulent election results cannot be so easily excused.

The National Institute of Standards and Technology agrees.  Chief among NIST’s concerns are malware and our lack of an infrastructure for secure electronic voter authentication.  Amazingly, countries like Estonia and Switzerland have adopted Internet voting for national elections.