Archive for the ‘Anonymity’ Category
posted by Priscilla Smith
By Priscilla Smith, Nabiha Syed & Albert Wong, Information Society Project at Yale Law School
There was exciting news from the Supreme Court yesterday. By a rare 9-0 vote, in United States v. Jones, No. 10-1259, the Court held that the Government should have obtained a warrant before placing a GPS surveillance device on the defendant’s car and monitoring his movements. This result was not completely unexpected, especially considering the Justices’ interest at oral argument in the Government’s position that GPS surveillance technology could be used without a warrant to track the movements of any car — even the Justices’ own cars — for an unlimited period of time. The Government argued — unsuccessfully — that this result was compelled because citizens have no privacy interests in their public movements.
Of particular note, the three opinions in the case and the unusual line-up make for a broader ruling than is apparent at the outset. The most narrow rule comes from the Court’s opinion written by Justice Scalia and joined by Justices Roberts, Kennedy, Thomas, and — wait for it — Sotomayor, holding that that “the Government’s installation of a GPS device on a target’s vehicle,2 and its use of that device to monitor the vehicle’s movements, constitutes a “search.” Slip op. at 3. Scalia notes that the Fourth Amendment protects the “right of the people to be secure in their . . . effects,” and it “is beyond dispute that a vehicle is an ‘effect’ as that term is used in the [Fourth] Amendment.” Id. at 3. Ergo, he holds the installation done with the intent to “use … th[e] device to monitor the vehicle’s movements” was a search. Id. at 3. He describes the action at issue, saying “[t]he Government physically occupied private property for the purpose of obtaining information.” He holds that since this form of physical trespass and monitoring would have been a search within the meaning of the Fourth Amendment at the time it was adopted, it is a search now. Hello, original application guy.
On first glance, it seems that Scalia might be returning to old interpretations of the Fourth Amendment that required a physical trespass to have occurred before an action could be considered a search. But what Scalia is actually doing here is defining the Court’s task, which is “at a minimum, is to decide whether the action in question would have constituted a ‘search’ within the original meaning of the Fourth Amendment,” and because it would have, it is a search now. Just because in 1967 Katz said that the Fourth Amendment protects more than physical trespass, doesn’t mean that the Fourth Amendment doesn’t protect physical trespass. See slip op. at 6-7 (noting Katz did not erode the principle that a search occurs where the Government “does engage in physical intrusion of a constitutionally protected area in order to obtain information.”) (emphasis in original). So Scalia establishes and emphasizes a threshold for determining when a search has occurred — a threshold that is not comprehensive, but sufficient to resolve the issue at hand.
And thus Scalia declines to go further and consider what would happen if, hypothetically, there was no physical trespass. He does hold open the possibility that “achieving the same result through electronic means [as they achieved here with physical trespass], without an accompanying trespass, is an unconstitutional invasion of privacy.” Id. at 11. Simple enough. Why decide the harder issue with all its accompanying “vexing problems” that would arise in a case involving electronic surveillance without an accompanying trespass? Scalia argues that there is no reason to “rush forward” to resolve them now. Slip op. at 12. Put aside for a minute that he encouraged the Court in United States v. Kyllo, a case holding that the use of heat-seeking technology required a warrant, to adopt rules that “take account of more sophisticated systems that are already in use or in development,” Kyllo, 533 U.S. at 37.
But Scalia has a problem. As he points out, in its opinion in United States v. Knotts, the Court upheld the use of beeper technology to track a target’s movements, holding there was no invasion of privacy. He distinguishes Knotts from this case because Knotts did not involve physical trespass. The beeper there was placed inside a container with consent of the then-owner of the container, and only then was the container placed in the driver’s car. Moreover, Knotts didn’t challenge the installation. Right. But the Court didn’t decide there was no search in Knotts based on an absence of a physical trespass; the Court decided the case holding there was no invasion of privacy. So shouldn’t Scalia explain to us why he holds open the possibility that “achieving the same result through electronic means [as they achieved here with physical trespass], without an accompanying trespass, [like they did in Knotts] is an unconstitutional invasion of privacy?” Id. at 11. Saying that GPS is a different technology, as he does in a footnote, is not enough. Doesn’t he owe us an explanation of why Knotts doesn’t preclude that possibility, as the Government so vehemently argued it did and the Ninth Circuit in a similar case agreed? See Pineda-Moreno v. United States.
Of course he does — or so says Justice Alito, with Justices Ginsburg, Breyer and Kagan joining. See Alito’s concurrence, slip op. at 13. In fact, not only did Alito think the Court should reach the Katz expectation of privacy test, he didn’t buy the physical trespass holding at all, and lists its many flaws. Justice Alito then evaluates the GPS surveillance here, noting that “devices like the one used in the present case … make long-term monitoring relatively easy and cheap.” “[T]he best we can do in this case,” reasons Alito, “is to apply existing Fourth Amendment doctrine” and “ask whether the use of GPS tracking in a particular case involved a degree of intrusion that a reasonable person would not have anticipated.” Alito at 13. Under this inquiry, “the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy,” because “society’s expectation has been that law enforcement agents and others would not — and indeed, in the main, simply could not — secretly monitor and catalogue every single movement of an individual’s car for a very long period.” Id. Now, Justice Alito recognizes the “degree of circularity” inherent in Katz’s expectation of privacy test — i.e., the problem that, if read literally, the test would permit a situation in which the government takes away your privacy so that one no longer has an“expectation” of it — and in so doing, one no longer has a constitutionally protected interest in it. Hello, 1984. Unfortunately, though, his concurrence does nothing to address, and instead relies exactly on, that circular part of it — the intrusion you would or would not have anticipated. The concurrence is also remarkably skimpy in its explication of why exactly the surveillance is “intrusive” — you know, the point that is the actual crux of the case.
The only Justice who doesn’t avoid the issues is Justice Sotomayor. Although she joins the narrow majority opinion because she buys Scalia’s argument that the physical trespass here suffices to decide the case, she writes separately to make clear that “physical intrusion is now unnecessary to many forms of surveillance,” her slip op. at 2, a statement that Scalia certainly does not deny.
Moreover, and making this a much broader ruling than it appears on first glance, unlike Scalia, Sotomayor explains the distinction between Jones and Knotts. She agrees with the Alito Four that “’longer term GPS monitoring in investigation of most offenses impinges on expectations of privacy.’” Sotomayor concurrence at 3, quoting Alito concurrence at 13. Rather than relying on whether citizens “anticipate” invasions of their privacy, her opinion reflects the concerns of the D.C. Circuit, New York Court of Appeals, and C.J. Kozinski writing in dissent from denial of rehearing en banc in a similar case in the Ninth Circuit, that the information collected by GPS monitoring generates a “comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.” Id. at 3. (In fact, unless we missed something, she appears to be the only one who cites to Chief Judge Kozinski’s dissenting opinion in the Pineda-Moreno case; no one seems to cite the DC Circuit opinion, scared off perhaps by some folks’ misplaced railing against its “mosaic” language). She further discusses the concerns raised in a brief filed by some of us at the ISP on behalf of a group of privacy scholars that GPS surveillance, as she says, “evades the ordinary checks that constrain abusive law enforcement practices” and is susceptible to abuse, and that awareness of government monitoring chills associational and expressive freedoms. Id. She summarizes:
I would also consider the appropriateness of entrusting to the Executive, in the absence of any oversight from a coordinate branch, a tool so amenable to misuse, especially in light of the Fourth Amendment’s goal to curb arbitrary exercises of police power to and prevent “a too permeating police surveillance,” United States v. Di Re, 332 U. S. 581, 595 (1948).
Finally, Sotomayor suggests a more fundamental change in the jurisprudence to “reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties,” and notes that the rule is “ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks,” Sotomayor at 5, questioning the notion at the heart of the rule that “secrecy [is] a prerequisite to privacy.”
The long and the short of it is that by agreeing with the Alito Four that the use of GPS surveillance technology for a prolonged period violates a reasonable expectation of privacy, Sotomayor’s concurrence means that five justices agree to veer away from the inside/outside distinction relied upon by the Government. It seems that we may have some privacy interests in our public movements after all.
posted by Biella Coleman
Anonymous, most recently known for their digital protest interventions, are tough to pin down with definitive definitions. Perhaps one of the most uncontroversial statements one can nail on them is that they and their tactics are controversial. After yesterday’s extensive Anon-led distributed denial of service attacks prompted by the take-down of the popular file sharing site Megaupload, I thought I would ask CO readers to reflect on the DDoS as a political tactic. I have complied a few basic questions to help kick-start the discussion.
- Is it reasonable to compare a DDoS with civil disobedience or direct action?
- What might be an appropriate legal response for those campaigns that are deemed by courts as political protest? (Perhaps not answerable)
- How does the media and the public misunderstand these events? (and perhaps the media are the ones are responsible for the “success” of a DDoS campaign)
- Is the political effect of the DDoS primarily symbolic and a way for people to very quickly and collectively express their position on a matter?
- Is there anything lulzy about the DDoS? (Does that even matter?)
- How might the DDoS be deployed more ethically as political protest? Under what conditions or configurations might it be more permissible, palatable or effective? Or i it just too noxious and problematic to use for political purposes?
I will admit the DDoS is not what interests me the most about Anonymous, a bias clearly reflected in this piece I just published on them, but definitely worth pausing on for a bit after yesterday’s actions.
Parents Facilitating Facebook Use for the Under 13 Set: The False Promise of Minimum Age Requirements
posted by Danielle Citron
The Child Online Privacy Protection Act (COPPA), enacted in 1998 and finalized in 2000, requires commercial websites that target children under 13 or have actual knowledge that users are under 13 to ask for parental permission before collecting and using their information. Legislators hoped to protect children from predatory marketing, safety risks such as stalking or kidnapping, and other abuses related to the use of children’s private data. They also wanted more parental involvement in online data-collection practices and to encourage the development of technologies designed to give parents better tools to protect their kids’ online privacy. Although COPPA has succeeded in stopping egregious predatory data practices, it has fallen short of its core goals. The Federal Trade Commission (FTC), tasked with implementing and enforcing COPPA, admits that online industries have neither innovated nor emphasized mechanisms for obtaining verifiable parental consent. Instead, to avoid costs associated with obtaining parental consent including potential fines for inappropriately dealing with children’s data, many sites just limit their services to children 13 and older. Sites typically include the age restriction in their Terms of Service agreements (ToS), to which users must consent when they create an account. Many sites ask users for their age or birth date to ascertain if they are 13 or over. Facebook does, for instance, and reserves the right to terminate accounts of users who “violate the letter or spirit” of its ToS. To protect itself from possible legal exposure, Facebook employs cookies to prevent users from changing their minds about their age to evade the site’s requirements and actively deletes accounts where evidence suggests that the users are not in fact 13 or older. This spring, the FTC called for comments on a proposed amendment to its Child Online Privacy Protection Rule, enacted in 2000 and renewed without change in 2005. As FTC Chairman Jon Leibowitz explained: “In this era of rapid technological change, kids are often tech savvy but judgment poor. We want to ensure that the COPPA Rule is effective in helping parents protect their children online, without unnecessarily burdening online businesses. We look forward to the continuing thoughtful input from industry, children’s advocates, and other stakeholders as we work to update the Rule.”
A study released this week by danah boyd, Eszter Hargittai, Jason Schultz, and John Palfrey sheds new light on COPPA’s failings. Given the current regulatory attention to COPPA, the study could not be more timely or more important. The authors surveyed a national sample of 1,007 parents and guardians who have children ages 10-14 living with them. They found that although many sites restrict access to children, many parents knowingly allow their children to lie about their age–indeed, they often help them do so– to gain access to age-restricted sties in violation of the sites’ ToS. This is true for some of the most popular social media sites and services, such as Facebook, Gmail, and Skype. Specifically, the study revealed that 55% of 12 year olds had Facebook accounts while 32% of 11 year olds and 19% of 10 year olds did as well. Seventy-eight percent of the parents of 10 year olds helped their kids set up their Facebook accounts; 68% of the parents of 11 year olds helped their kids sign up; and 76% of the parents of 12 year olds did the same. Of those parents who reported that their child joined Facebook underage and helped create the child’s account, 74% knew that Facebook had a minimum age that their kids failed to meet. Although Facebook’s minimum age is a requirement, just over a third of the those parents believed the minimum age was a recommendation. Over three-quarters of parents believed that there are circumstances that make it okay for their child to sign up for a service even if their child fell short of the age requirement. Those reasons included communicating with parents, other family members, and friends; use of the service for educational purposes; and because classmates used the service. Half of the parents indicated that their child could violate the restriction only if under parental supervision. As the authors explained, those parents felt as though the violation was acceptable because they were monitoring their children’s online practices. Importantly, most parents either did not understand the reason for the age requirement or failed to appreciate its privacy goals. While most parents had no idea what animated the requirement, some offered explanations such as concerns about the adult content or language on the site, “children don’t need to have a social media presence,” and “to protect minors from perverts.” A small fraction of the parents referred to legal issues. Only two parents referenced privacy.
What does all of this tell us? Rather than providing parents and children with greater options for controlling the use of youth’s personal information, COPPA has actually encouraged the adoption of formal limits on children’s access to online services. Those limits are rather meaningless, though. As the authors explain, parents are “taking matters into their own hands to circumvent the restrictions . . . at the cost of their children’s privacy and at the risk of acting unethically and potentially in violation of the law.” While providers and parents together circumvent COPPA’s requirements, the true losers are the parents who don’t get the chance to audit and delete their children’s data, as COPPA mandates when sites have actual knowledge that they are collecting and using data from kids under 13. We are also seeing parents help their children engage in public deceit because they think their kids would benefit from online services. This creates a serious parenting conflict among those who wish to encourage honesty. Because children pretend that they are far older than they actually are in online interactions, they also may open themselves up to other risks including stalking, something the statute sought to avoid. In the end, COPPA has accomplished very little and risked a lot. Kids under 13 do not end up with privacy protections afforded by COPPA and may even put themselves at risk. Providers get around COPPA’s requirements with age cutoffs that are routinely violated. Innovation for greater parental controls remains illusive. As the study’s authors urge, policy-makers should “shift away from privacy regulation models that are based on age or other demographic categories and instead develop universal privacy protections for online users.”
More broadly, the study shows us that parents are involved in their kids’ social media use, whether it’s deceptive and in violation of ToS or not. One might say that parents are increasingly taking over the role of Chief Family Privacy Officer, but, as we now appreciate, without COPPA’s protections. What’s needed is far more education for parents and kids about the privacy risks associated with social media. That’s of course true for the under 13 set and for those 13 and older. But since parents are helping expose their kids to social media services without COPPA’s protections, we need to work on education as early as elementary/lower school. High school students, their parents, and educators often don’t appreciate the potential privacy risks of social media so one can imagine that kids in lower school, their parents, and teachers don’t as well. Do students really want to spend hundreds of thousands of dollars on a college education and then end up unemployable due to something they posted on Facebook (which now is at greater risk for being indexed and searched online due to changes in Google’s algorithm)? Do they know that colleges may someday look at their social media activity, to their detriment? A new survey done by Kaplan Test Prep of admissions officers at 359 selective colleges and universities revealed that 24 percent of respondents reported using Facebook or other social networking pages to research an applicant, see here too. All of this also reinforces the lessons of Ryan Calo’s important work on the flaws of current notice regimes and the potential for improvement through thoughtful design–parents neither get that ToS requirements are not just suggestions nor appreciate the privacy concerns animating those requirements. Intermediaries can and should do better in that regard. The study has contributed much to our appreciation of COPPA and the regulation of privacy online more generally. I am hoping that legislators and regulators are paying attention.
posted by Danielle Citron
I’d like to pick up on Olivier Sylvain’s post on the cyber mob Anonymous and take it in a slightly different direction. Let’s step back to get a sense of the group dubbed Anonymous. The group originated on 4Chan’s /b/ forums and now has a serious presence on the wiki Encyclopedia Dramatica, YouTube, and Internet Relay Chat forums. The group may now compromise several groups with different aims (see here for a discussion of splinter group more interested in so-called “pranks”, or in my view bigoted attacks, than strident “political activism” like DDos on PayPal, Visa, and the like).
It’s difficult to see how the group and its various permutations warrant the breathless admiration of journalists who dub them “hacktivists.” A little step back to the original hackers of the early 1960s. As Howard Rheingold explains (and Patricia Wallace concurs in her work), the term was coined to describe people who “create computer systems.” The first people to call themselves hackers ascribed to an informal social contract called the “hacker ethic.” This ethic included these principles:
“Access to computers should be unlimited and total. Always yield to the Hands-On Imperative. All information should be free. Mistrust authority–promote decentralization.”
The original hackers were motivated by altruistic concerns. Indeed, we owe a debt of gratitude to their broader community for helping design the Internet. Our guest blogger and celebrity computer scientist Steve Bellovin was a key player in that community: in 1979, Bellovin, then at UNC for graduate school, and Jim Ellis and Tom Truscott, Duke grad students, created the first link between Duke and UNC, which later became Usenet, the oldest global virtual community.
Let’s compare the original hackers to the group(s) Anonymous, which exemplifies the destructive side of cyber anonymity. From its beginnings, the group took its name because it believes its collective identity serves as a mask, letting them do and say things that would otherwise be out of bounds. According to a YouTube posting from a group member, “We are Anonymous, a “people devoid of any type of soul or conscience” who form “a nameless, faceless, unforgiving mafia”—“we ruin the lives of other people simply because we can.” Anonymous members describe themselves as “unencumbered by pointless ethics, foolish moralities, or arbitrary laws or restrictions.” When Anonymous members engage in offline “raids,” they hide behind the Guy Fawkes mask design made famous by the film of Alan Moore’s graphic novel V for Vendetta.
The group (or part of it) has been rightly called an “Internet Hate Machine.” Much of what it does is for the “lulz.” It has attacked African Americans, women, LGBT individuals, Jews, and Muslims. It urged members to “search and destroy” a popular female video blogger’s online identity. The group hacked into her online accounts, posted doctored photographs of her being raped, and took down her videos. On Encyclopedia Dramatica, group members listed feminist websites that should be shut down with distributed denial-of-service attacks and “image reaping”—flooding sites with traffic to use up their allocated bandwidth. Members updated the wiki as they accomplished their goal. Read the rest of this post »
posted by Olivier Sylvain
On Friday evening, within hours of posting U.S. Marshal Service mugshots of alleged members of Internet “hacktivist” group Anonymous, TalkingPointsMemo.com became the target of a relentless “distributed denial of service” or DDoS attack. According to a statement released by TPM founder and publisher Josh Marshall on TPM’s Facebook page, visitors could not access the site a little after 5 p.m. eastern time. While no one knows for sure, TPM has inferred that Anonymous or people affiliated with the group are probably responsible for the attack. (That TPM turned to Facebook to publish a statement is ironic because Anonymous has vowed to shutdown the social networking site later this fall.)
The TPM site remains down as of this posting.
According to Marshall, TPM filed a Freedom of Information Act request for the mugshots earlier this summer, and posted them as soon as they obtained them. For the past six years, according to Marshall, the news site has routinely “published mugshots of numerous people accused or convicted of various crimes” that are the subject of its reporting. I’ve clicked through the photos of hypocrites and hucksters in elective office as well as random mugshots of mobsters and celebrities to satiate an admittedly morbid curiosity. TPM, as with many other major news organizations, knows this. The questions for TPM are ethical and legal: what is it about these admittedly alluring photos of the smirks, glares, and shock typical of mugshots that adds to the story, and justifies the ostensible invasion of privacy?
posted by Danielle Citron
In what can only be described as the worst side of humanity, the bulletin board Dreamboard hosted a members-only sharing of child pornography, particularly of children under 12. New members could join the board only if they posted child pornography. Members had to continue to post images of child porn every 50 days or face removal. The rules of the board, printed in English, Russian, Japanese, and Spanish, included: (1) “Keep the girls under 13, in fact, I really need to see 12 or younger to know your[sic] a brother,” (2) “don’t avoid nudity in previews. I will NOT accept you if there’s no nudity. And my definition of nudity is pussy or anal in the shot. You just waste your own time if you don’t do this. Because you will not get in, if you don’t follow the rules.” One section of Dreamboard was titled “Super Hardcore,” and the rules required images and videos of “very young kids, getting fucked, and preteens in distress, and or crying. . . . If a girl looks totally comfortable, she’s not in distress, and it does NOT belong in this section.” This part of the site featured images of adults having violent sexual intercourse with very young children, including infants. One file was entitled “2yo assfuck she cries for mommy nasty pthc pedo 1 yo 3 yo 4 yo.” The board amassed over 120 terabytes of violent sexual rape and abuse of children.
According to the rules of the site, members were to use encryption technologies to prevent detection. The rules specified precisely which encryption technologies and proxy servers should be used and which should be avoided. Members did not use their real names, but instead screen names to conceal their identities. All of this suggests that the board went to great lengths to secure their anonymity.
Early this month, Attorney General Eric Holder, Jr. announced that federal investigators has charged 72 people for violating child pornography laws and more than 50 people have been arrested in the United States. The defendants included doctors, lawyers, police officers, and a Navy commander, according to the Ellis County Observer. Thirteen of those charged have pled guilty, and four members have been sentenced between 20 and 30 years. Around 600 people from around the world were members of the bulletin board, which has been shut down. The bulletin board used a server in Atlanta. As Assistant Attorney General Lanny Breuer explained, the site “was a living horror.” John Morton, director of Immigration and Customs Enforcement, declined to say how investigators overcame the technological precautions used by some of the members. He did tell the New York Times: “To those inclined to abuse small children, know this: this isn’t a place on the Internet or the planet in which you are truly safe. It may take us some time, it may take us some effort, but we will find you regardless of a screen name, a proxy server or an encryption effort, period.” Read the rest of this post »
August 18, 2011 at 11:48 am Posted in: Anonymity, Architecture, Criminal Law, Criminal Procedure, Cyber Civil Rights, Privacy, Privacy (Law Enforcement), Social Network Websites Print This Post 7 Comments
posted by Lawrence Cunningham
Outside reviews of manuscripts are important to many publishing enterprises, from scholarly books and articles to general interest works of nonfiction. Honest, objective and impersonal assessments are vital.
That is best promoted when the identity of the reviewers is held strictly confidential, by editors and reviewers alike, with editors sharing only the substance of reviews to enable improving a manuscript.
Contrary to this normative ideal, reviewers often seem to feel free to identify themselves, and even editors are sometimes sloppy in leaking identifiying data. In just the past year, I have personally had several different unfortunate examples. The upshot is the same: outside reviewers must stay anonymous.
posted by Ari Waldman
An important part of my current (and, to me, really exciting) project is the concept of anonymity on the Internet, or lack thereof. Co-Op’s own, Daniel Solove, whose amazing work I have devoured poured over and over read and analyzed many times, has written about this at length, coining the term “traceable anonymity” to refer to this one element of privacy vis-a-vis our Internet selves — I could call myself “youwillneverknowitsme” on my Wikipedia account, but Jimmy Wales could know it’s me by following my IP address.
Traceable anonymity seems to me the baseline for Web 2.0, with the Internet only getting less anonymous as we progress to newer and even more exciting technologies. Social media, for example, already despises anonymity: Facebook has more than 500 million users; 1 in 5 relationships begin through online dating sites, none of which are anonymous; an increasing number of media websites are requiring their users to log in and provide a valid email address in order to comment on posted news stories; and even interactions that might start out anonymous can end in picture and email exchanges, both of which link your online self to your physical self.
The most basic debate is whether this is a good thing. That fascinating discussion is probably more about our individual values than anything else. But, there are at least two more interesting questions (at least to me):
First, is no anonymity the same as no expectation/right of privacy? I don’t think so, though this is a topic I have just started thinking about and reserve the right to change my mind when I learn more and smarter people teach me more. Sometimes privacy means anonymity — John and Jane Doe filings for domestic abuse victims, for example, a topic that Co-Op’s own, the fantastic Danielle Citron, has worked on. But, privacy is not always synonymous with anonymity, as such. We have privacy rights in our person, but the existence of those rights does not depend on us being cloaked from the law entirely.
Second, what are the costs of less (or no) anonymity? One of the frustrating things about online hate and harassment is that it is cheap — there are no transaction costs to hate and little personal and contingent costs after harassing. In other words, it is safer to harass online than in person. The less anonymity, then, the higher the costs of harassing, and that might be a good thing. I could also argue that less anonymity raises the costs of online speech, in general, by snuffing out robust online conversations about politics. But, what exactly would be snuffed out? Things you would never say in person? Again, maybe that’s a good thing.
Of course, I am playing a little bit of the devil’s advocate here, but the conversation is worth having.
Another tid bit I find worth discussing.
When I discuss this lack of anonymity on the Internet with others, I notice a pattern. Older interlocutors, say over 40 (though let me be clear: I do not consider 40 to be “old”) generally agree, but never really thought the Internet was anonymous to begin with. My peers, say 26-40, are the most agreeable. We remember when American Online had chat rooms that you could enter anonymously after creating a pseudonym (thanks to Co-Op reader and hopefully future prof AG for reminding me about that) and have seen the Internet change over the years. But, kids today, say under 25, do not have any conception of anonymity on the Internet. Even if they have a pseudonym here or there, they nonchalantly say something like this: “oh, yeah, ive given people my email or shown them my pictures, im sure they could find me if they wanted.” I am no English major, but that’s hardly what Walt Whitman thought of when he referred to “perfect nonchalance.” At a minimum, that cavalier behavior is something we as parents/aunts/uncles/grandparents have to deal with when our young charges start spending time online.
posted by Frank Pasquale
A small corner of the world of search took another step toward personalization today, as Bing moved to give users the option to personalize their results by drawing on data from their Facebook friends:
Research tells us that 90% of people seek advice from family and friends as part of the decision making process. This “Friend Effect” is apparent in most of our decisions and often outweighs other facts because people feel more confident, smarter and safer with the wisdom of their trusted circle.
Today, Bing is bringing the collective IQ of the Web together with the opinions of the people you trust most, to bring the “Friend Effect” to search. Starting today, you can receive personalized search results based on the opinions of your friends by simply signing into Facebook. New features make it easier to see what your Facebook friends “like” across the Web, incorporate the collective know-how of the Web into your search results, and begin adding a more conversational aspect to your searches.
The announcement almost perfectly coincides with the release of Eli Pariser’s book The Filter Bubble, which argues that “as web companies strive to tailor their services (including news and search results) to our personal tastes, there’s a dangerous unintended consequence: We get trapped in a “filter bubble” and don’t get exposed to information that could challenge or broaden our worldview.” I have earlier worried about both excessive personalization and integration of layers of the web (such as social and search, or carrier and device). I think Microsoft may be reaching for one of very few strategies available to challenge Google’s dominance in search. But I also fear that this is one more example of the “filter bubble” Pariser worries about.
Read the rest of this post »
posted by Danielle Citron
Facebook and other social network sites offer much to celebrate. They have given new life to long-standing relationships and cemented new ones while providing innovative means to share ideas and engage with different communities. Offline relationships are extended online. Student groups meet in classrooms as well as on YouTube channels. Employees talk in the office and online (sometimes even to critique their bosses with co-workers, see Kashmir Hill‘s always- thought-provoking commentary).
Naturally, with all of this socializing comes the far darker side of human relationships. Social network sites sponsor threats, harassment, and hatred, leading to important, though always outmatched, voluntary efforts to address destructive behaviors. Given the scale of these sites, the Chief Safety Officers of those social network sites need help identifying malicious activity that their Terms of Service prohibit. This summer, Facebook and the police learned about another disturbing case: a Chester County man tried to use Facebook to hire a hit man to kill a woman who accused him of rape. In July, the woman called the police after seeing a posting on the man’s Facebook page that offered $500 for “a girls head.” The man later updated the posting, saying that he “needed the girl knocked off right now.” As the Huffington Post recently reported, the man pleaded guilty to rape, criminal solicitation of murder, and other counts.
posted by Danielle Citron
Time magazine recently did a true-to-form story on Wikipedia, where guest editors (and our very own featured author) Jonathan Zittrain (see here too), Robert McHenry, Benjamin Mako Hill, and Mike Schroepfer assisted in writing/editing/re-writing a feature entitled Wikipedia’s “Ten Years of Inaccuracy and Remarkable Detail.” As the piece explained, Wikipedia just celebrated its 10th birthday. The site has 17 million entries in more than 250 languages, quite a feat given that Encyclopedia Brittanica only has 120,000 and only in English. The Time wiki-like piece notes that Wikipedia has a “diverse, international body of contributors.”
According to The New York Times, most contributors are male. More specifically, “less than 15 percent of its hundreds of thousands of contributors are female.” This, in turn, has skewed the gender disparity of topics and emphasis. Wikimedia’s executive director Sue Gardner explains that topics favored by girls such as friendship bracelets can seem short when compared with lengthy articles on something boys typically like such as toy soldiers or baseball cards. The New York Times notes that a category with five Mexican feminist writers might not seem so impressive when compared with 45 articles on characters in “The Simpsons.”
Why is this so? Joseph Reagle, a fellow at the Berkman Center for Internet and Society at Harvard and author of “Good Faith Collaboration: The Culture of Wikipedia,” explains that Wikipedia’s early contributors shared “many characteristics with the hard-driving hacker crowd,” including an ideology that “resists any efforts to impose rules or even goals like diversity, as well as a culture that may discourage women.” He notes that adopting an ideology of openess means being “open to very difficult, high-conflict people, even misogynists.” The demographics of Wikipedia’s editors may also stem, in part, from the tendency of women to be “less willing to assert their opinions in public.”
How Wikipedia is now, and has been, responding is worth noting. Sue Gardner told the Times that she hopes to raise the share of women contributors through subtle persuasion and outreach to welcome newcomers to Wikipedia. Dave Hoffman and Salil Mehra’s terrific piece Wikitruth Through Wikiorder demonstrates that the site has already fostered efforts to create a more inclusive environment. As Hoffman and Mehra explain, Wikipedia has an Arbitration Committee whose volunteer members rule on disputes and set forth concrete rules on how users should behave. The Arbitration Committee has sanctioned users who make homophobic, ethnic, racial or gendered attacks or who stalk and harass others. According to Hoffman and Mehra’s empirical study, in cases when either impersonation or anti-social conduct like hateful attacks occur, the Administrative Committee will ban the user in 21% of cases. Wikipedia’s more than 1,500 administrators, in turn, enforce those rules. Wikipedia also permits users to report impolite, uncivil, or other difficult communications with editors in its Wikiquette alerts notice board.
posted by Danielle Citron
The U.K.’s freedom of information commissioner, Christopher Graham, recently told The Guardian that the WikiLeaks disclosures irreversibly altered the relationship between the state and public. As Graham sees it, the WikiLeaks incident makes clear that governments need to be more open and proactive, “publishing more stuff, because quite a lot of this is only exciting because we didn’t know it. . . WikiLeaks is part of the phenomenon of the online, empowered citizen . . . these are facts that aren’t going away. Government and authorities need to wise up to that.” If U.K. officials take Graham seriously (and I have no idea if they will), the public may see more of government. Whether that more in fact provides insights to empower citizens or simply gives the appearance of transparency is up for grabs.
In the U.S., few officials have called for more transparency after the release of the embassy cables. Instead, government officials have successfully pressured internet intermediaries to drop their support of WikiLeaks. According to Wired, Senator Joe Lieberman, for instance, was instrumental in persuading Amazon.com to kick WikiLeaks off its web hosting service. Senator Lieberman has suggested that Amazon, as well as Visa and and PayPal, came to their own decisions about WikiLeaks. Lieberman noted:
“While corporate entities make decisions based on their obligations to their shareholders, sometimes full consideration of those obligations requires them to act as responsible citizens. We offer our admiration and support to those companies exhibiting courage and patriotism as they face down intimidation from hackers sympathetic to WikiLeaks’ philosophy of irresponsible information dumps for the sake of damaging global relationships.”
Unlike the purely voluntary decisions that Internet intermediaries make with regard to cyber hate, see here, Amazon’s response raises serious concerns about what Seth Kreimer has called “censorship by proxy.” Kreimer’s work (as well as Derek Bambauer‘s terrific Cybersieves) explores American government’s pressure on intermediaries to “monitor or interdict otherwise unreachable Internet communications” to aid the “War on Terror.”
Legislators have also sought to ensure opacity of certain governmental information with new regulations. Proposed legislation (spearheaded by Senator Lieberman) would make it a federal crime for anyone to publish the name of U.S. intelligence source. The Securing Human Intelligence and Enforcing Lawful Dissemination (SHIELD) Act would amend a section of the Espionage Act that forbids the publication of classified information on U.S. cryptographic secrets or overseas communications intelligence. The SHIELD Act would extend that prohibition to information on human intelligence, criminalizing the publication of information “concerning the identity of a classified source or information of an element of the intelligence community of the United States” or “concerning the human intelligence activities of the United States or any foreign government” if such publication is prejudicial to U.S. interests.
Another issue on the horizon may be the immunity afforded providers or users of interactive computer services who publish content created by others under section 230 of the Communications Decency Act. An aside: section 230 is not inconsistent with the proposed SHIELD Act as it excludes federal criminal claims from its protections. (This would not mean that website operators like Julian Assange would be strictly liable for others’ criminal acts on its services; the question would be whether a website operator’s actions violated the SHIELD Act). Now for my main point: Senator Lieberman has expressed an interest in broadening the exemptions to section 230′s immunity to require the removal of certain content, such as videos featuring Islamic extremists. Given his interest and the current concerns about security risks related to online disclosures, Senator Lieberman may find this an auspicious time to revisit section 230′s broad immunity.
January 7, 2011 at 1:25 pm Posted in: Anonymity, Architecture, Current Events, Cyberlaw, First Amendment, Google & Search Engines, Government Secrecy, Privacy (Electronic Surveillance), Privacy (National Security), Technology Print This Post 2 Comments
posted by Danielle Citron
Harvard University Press recently published The Offensive Internet: Speech, Privacy, and Reputation, a collection of essays edited by Saul Levmore and Martha Nussbaum. Frank Pasquale, Dan Solove, and I have chapters in the book as do Saul Levmore, Martha Nussbaum, Cass Sunstein, Anupam Chander, Karen Bradshaw and Souvik Saha, Brian Leiter, Geoffrey Stone, John Deigh, Lior Strahilevitz, and Ruben Rodrigues. Stanley Fish just reviewed the book at New York Times.com.
posted by Danielle Citron
At Balkanization, Professor Marvin Ammori has a thoughtful post on the Wikileaks story. Professor Ammori, who will be guest blogging with us soon, gave me the thumbs up on reproducing his post. Hopefully, it will spark some interesting discussion on CoOp. Here is Ammori’s post:
Many of our nation’s landmark free speech decisions are not about heroes–several are about flag-burners, racists, Klansmen, and those with political views outside the mainstream. And yet we measure our commitment to freedom of speech, in part, by our willingness to protect even their rights despite disagreement with what they say, and why they say it.
The story of Wikileaks publishing U.S. diplomatic cables has become the story of Julian Assange: is he a hero or villain, a high-tech terrorist or enemy combatant? Should the U.S., which may have already empanelled a grand jury in Virginia, prosecute him as a criminal under the Espionage Act of 1917 or under the computer fraud and abuse act?
Though I have spent years advocating for Internet freedom, I don’t think Assange is a hero for leaking these diplomatic cables. According to plausible reports, the leaks have harmed U.S. interests, made the work of U.S. diplomats more difficult, likely endangered lives of allies, and may have set back democracy in Zimbabwe and perhaps elsewhere. Even some of Assange’s friends at Wikileaks are doubting Assange’s heroism: a few left him to launch a rival site and to write a tell-all book. Whatever the harms of secrecy and over-classification, Assange’s actions have caused tremendous damage. No wonder polls show nearly 60% of Americans believe the U.S. should arrest Assange and charge him with a crime.
My initial reaction was similar. I thought that if a case could be made against Assange, one should be made.
But, as time passed, the political and legal downsides of prosecution came into clearer focus, and I am rethinking that initial reaction. Despite still believing Assange’s actions have been harmful, I have now come to the opposite conclusion—not for the benefit of Assange, but for the benefit of Americans and of the United States.
Prosecuting Assange could do more harm than good for our freedom of the press and would inflict further harm on diplomatic effectiveness. Despite the appeal of prosecuting Assange, it is not worth the cost. We will not get the cables back. We will not deter aspiring Wikileakers, as both our allies and our enemies know. We will, as Dean Geoffrey Stone has best articulated, likely sacrifice established principles of freedom of the press in doing so.
Here are some thoughts on why we should think twice about prosecuting Assange, categorized by harms to the U.S.’s freedom of the press and then harms to America’s diplomatic effectiveness. And, in advance, I thank the many scholars, policy experts, and friends who took the time to give me thoughts on earlier drafts of this post. Read the rest of this post »
posted by Frank Pasquale
Don’t worry, it’s not another prolix post from me, just commentary on Jack Goldsmith’s Seven Thoughts on Wikileaks and Lovink & Riemens’s Twelve theses on WikiLeaks. (And here’s an FAQ for those confused by the whole controversy.)
Goldsmith, who takes cybersecurity very seriously, nevertheless finds himself “agreeing with those who think Assange is being unduly vilified.” He believes that “it is not obvious what law he has violated,” and Geoff Stone today said that many Lieberman-inspired efforts to expand the Espionage Act to include Assange’s conduct would be unconstitutional. Goldsmith asks:
What if there were no wikileaks and Manning had simply given the Lady Gaga CD to the Times? Presumably the Times would eventually have published most of the same information, with a few redactions, for all the world to see. Would our reaction to that have been more subdued than our reaction now to Assange? If so, why?
Lovink & Riemens provide something of an answer:
Read the rest of this post »
December 11, 2010 at 9:39 pm Posted in: Anonymity, Current Events, Cyber Civil Rights, First Amendment, Google & Search Engines, Government Secrecy, Privacy, Privacy (Electronic Surveillance), Privacy (National Security), Science Fiction, Wiki Print This Post 2 Comments
posted by Danielle Citron
Although intermediaries’ services can facilitate and reinforce a citizenry’s activities, they pose dangers that work to undermine them. Consider the anonymous and pseudonymous nature of online discourse. Intermediaries permit individuals to create online identities unconnected to their legal identities. Freed from a sense of accountability for their online activities, citizens might engage in productive discourse in ways that they might not if directly correlated with their offline identities. Yet the sense of anonymity breeds destructive behavior as well. Social science research suggests that people behave aggressively when they believe that they cannot be observed and caught. Destructive online behavior spills offline, working a fundamental impairment of citizenship.
For instance, digital expressions of hatred helped inspire the 1999 shooting of African-Americans, Asian-Americans, and Jews in suburban Chicago by Benjamin Smith, a member of the white supremacist group World Church of the Creator (WCOTC) that promotes racial holy war. Just months before the shootings, Smith told documentary filmmaker Beverly Peterson that: “It wasn’t really ‘til I got on the Internet, read some literature of these groups that . . . it really all came together.” More recently, the Facebook group Kick a Ginger Day urged members to get their “steel toes ready” for a day of attacking individuals with red hair. The site achieved its stated goal: students punched and kicked children with red hair and dozens of Facebook members claimed credit for attacks.
Cyber hate can produce so much psychological damage as to undermine individuals’ ability to engage in public discourse. For instance, posters on a white supremacist website targeted Bonnie Jouhari, a civil rights advocate and mother of a biracial girl. They revealed Ms. Jouhari’s home address and her child’s picture. The site showed a picture of Ms. Jouhari’s workplace exploding in flames next to the threat that “race traitors” are “hung from the neck from the nearest tree or lamp post.” Posters included bomb-making instructions and a picture of a hooded Klansman holding a noose. Aside from moving four times, Ms. Jouhari and her daughter have withdrawn completely from public life; neither has a driver’s license, a voter registration card or a bank account because they don’t want to create a public record of their whereabouts.
Search engines also ensure the persistence and production of cyber hate that undermines citizens’ capability to engage in offline and online civic engagement. Because search engines reproduce information cached online, people cannot depend upon time’s passage to alleviate the damage that online postings cause. Unlike leaflets or signs affixed to trees that would decay or disappear not long after their publication, now search engines index all of the content hosted by social media intermediaries, producing it instantaneously. Read the rest of this post »
November 27, 2010 at 3:49 pm Posted in: Anonymity, Cyber Civil Rights, Cyberlaw, Google & Search Engines, Law and Inequality, Legal Ethics, Legal Theory, Politics, Psychology and Behavior, Race, Social Network Websites, Technology, Web 2.0 Print This Post 3 Comments
posted by Danielle Citron
In a move that recalls the postings on the now-defunct Juicy Campus, Facebook groups devote themselves to vulgar descriptions of female high school students. As Donna St. George of the Washington Post reported on November 11, a Facebook page targeted 30 female students from the T.C. Williams High School in Alexandria, Virginia. It featured photographs of the students accompanied by “offensive or sexual comments.” Another similar page included a picture of the school’s female principal. The Daily Beast recently reported that Choate Rosemary Hall boarding school banned access to Facebook through campus computers after discovering a 200-plus-page-long threat penned by female students that disparaged fellow female students. The Facebook page described Choate students as “hos” and “gross and faked and spray tanned.”
Facebook’s Terms of Service requires users to agree to refrain from bullying, intimidating, or harassing other users.” Pursuant to that policy (or so we can guess), Facebook took down the page of the 30 girls with the sexually demeaning comments five days after T.C. Williams High School’s principal filed a complaint with Facebook. Despite Facebook’s real-name culture, the author of the Facebook page has not been identified, an unsurprising result given the advantages provided ill-meaning individuals who want to evade responsibility for online activity. In the boarding school matter, it seems that a student copied the thread, publishing it for the consumption of students (and everyone else) who were not privy to the Facebook page. According to the Daily Beast, school administrators “hired a computer forensics expert to track how it had been made public.” Two of the girls who wrote the post were expelled and four were suspended.
In the T.C. Williams High School matter, the principal went on the school’s PA system for two days in a row to let students know that she thought the page was “totally offensive.” The Washington Post reports that the principal also asked students to avoid accessing it: “We’re better than this,” she told the students. If that is all the principal did, it seems a weak showing of moral leadership and civic education. Hopefully, the incident began a longer-term conversation about many things, including bullying, gender harassment, the risks of online activities, and the responsibilities of students while online. Now, the school officials’ response in the Choate matter is worth discussing. Norm Pattis, a Connecticut trial lawyer, contends that the school’s response is too harsh given the dire consequences of a school expulsion on a student’s chances of getting into college. Prohibiting Facebook on campus may also be an empty gesture. On the one hand, Choate students have continued to tweet and tumbl on their school accounts. They also can access social media including Facebook on their mobile devices, raising the same concerns of online civility. On the other, as Pattis suggests, the school missed a crucial teaching opportunity (beyond a 90-minute discussion with students) on how to be leaders, rather than the quick fix of banning Facebook on the campus network. That sounds right to me, too.
November 26, 2010 at 5:06 pm Posted in: Anonymity, Current Events, Cyber Civil Rights, Feminism and Gender, First Amendment, Privacy, Privacy (Gossip & Shaming), Technology, Web 2.0 Print This Post 3 Comments
posted by Danielle Citron
Reviewing the movie The Social Network and Jaron Lanier’s book You Are Not a Gadget: A Manifesto in this month’s New York Review of Books, Zadie Smith warns readers of the perils of social network sites like Facebook where “life is turned into a database.” According to Smith, Facebook “locks us” into a system designed by a college nerd to resemble “a Noosphere, an Internet with one mind, a uniform environment in which it genuinely doesn’t matter who you are, as long as you make ‘choices’ (which means, finally, purchases).” Smith writes:
“When a human being becomes a set of data on a website like Facebook, he or she is reduced. Everything shrinks. Individual character. Friendships. Language. Sensibility. In a way, it’s a transcendent experience: we lose our bodies, our messy feelings, our desires, our fears. It reminds me that those of us who turn in disgust from what we consider an overinflated liberal-bourgeois sense of self should be careful what we wish for: our denuded networked selves don’t look more free, they just look more owned.”
Smith worries about her students and other “2.0 kids.” She contrasts “1.0 people” who use social media tools to connect with others in an outward-facing way with “2.0 kids” who employ them to turn inward and towards the trivial. 2.0 people, Smith fears, are embedded in the software, avatars who don’t realize that “what makes something fully real is that it is impossible to represent it to completion.” She wonders: “what if 2.0 people feel their socially networked selves genuinely represent them to completion?” In Smith’s view, Mark Zuckerberg tamed “the wild west of the Internet” to “fit the suburban fantasies of a suburban soul,” risking the extinction of the “private person who is a mystery to the world and–which is more important — to herself.”
Smith’s review recalls Neil Postman’s critique of television culture and Benjamin Barber’s warnings about contemporary consumerism. While television helped us amuse ourselves to death and pervasive pop culture produces shoppers, not thinkers, social network sites turn youth culture into over-sharing, unthinking, eager-to-please avatars who “watch the reality-TV show Bride Wars because their friends are.” Yet this can’t be the whole story. Whether 41 or 21, social network participants live in the real world, integrating their online activities seamlessly into their daily lives. Far more goes on in social network sites like Facebook than sharing information to “make others like you” as Smith suggests. On Facebook and other popular social media sites, people join groups of every stripe. They work, as Miriam Cherry’s terrific new article Virtual Work addresses. They build reputations in ways that can enhance offline careers. They join study groups. In many respects, social media sites provide platforms for genuine participation far more than just Government 2.0 engagement. Far from deadening the everyday citizen, social media platforms can resemble Alexis de Toqueville’s town meeting, John Dewey’s schools, and Cynthia Estlund’s workplace. Of course, citizenship participation online is different–it is not the face-to-face interaction envisioned by Toqueville, Dewey, and Estlund. But even with the challenges brought by internet-mediated interactions, 2.0 kids are more than denuded avatars.
posted by Scott Peppet
The biometric technologies firm Hoyos (previously Global Rainmakers Inc.) recently announced plans to test massive deployment of iris scanners in Leon, Mexico, a city of over a million people. They expect to install thousands of the devices, some capable of picking out fifty people per minute even at regular walking speeds. At first the project will focus on law enforcement and improving security checkpoints, but within three years the plan calls for integrating iris scanning into most commercial locations. Entry to stores or malls, access to an ATM, use of public transportation, paying with credit, and many other identity-related transactions will occur through iris-scanning & recognition. (For more details, see Singularity’s post with videos.) Hoyos has the backing to make this happen: on October 12th they also announced new investment of over $40M to fund their growth.
There are obviously lots of interesting privacy- and tech-related issues here. I’ll focus on one: the company’s roll-out strategy is explicitly premised on the unraveling of privacy created by the negative inferences & stigma that will attach to those who choose not to participate. Criminals will automatically be scanned and entered into the database upon conviction. Jeff Carter, Chief Development Officer at Hoyos, expects law abiding citizens to participate as well, however. Some will do so for convenience, he says, and then he expects everyone to follow: “When you get masses of people opting-in, opting out does not help. Opting out actually puts more of a flag on you than just being part of the system. We believe everyone will opt-in.” (For the full interview, see Fast Company’s post on the project.)
In a forthcoming article, I’ve written at length about the unraveling effect and why it now poses a serious threat to privacy. This biometric deployment is one of many examples, but it most explicitly illustrates that unraveling has moved beyond unexpected consequence to become corporate strategy.
November 6, 2010 at 4:05 pm Tags: Privacy Posted in: Anonymity, Economic Analysis of Law, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Uncategorized Print This Post 4 Comments
posted by Frank Pasquale
Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.
William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,
Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.
Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyrightholders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.
Read the rest of this post »