Archive for the ‘Cyberlaw’ Category

Privacy’s Zietgeist Moment

posted by Danielle Citron

Privacy has seemingly come center stage.  Companies like Google, Microsoft, and eBay have joined forces to support a federal law that would impose uniform standards for the collection, use, and transfer of information across the private sector.  Activists and officials hope to update the Privacy Act of 1974 for the twenty-first century.  Senator Leahy has a renewed interest in data breach legislation, proposing the Personal Data Privacy and Security Act in July.  The American Recovery and Reinvestment Act of 2009, the stimulus bill, includes a data breach notification requirement for health providers.  The Federal Trade Commission recently published its final rule on data breach notification for e-health records.

Strengthening the nation’s commitment to privacy is crucial.  But, as Paul Schwartz’s engrossing Preemption and Privacy essay (Yale Law Journal) illuminates, a unitary federal information privacy statute should give us pause.  Today’s information privacy law landscape is mainly comprised of federal sector-specific statutes and stronger state regulation.  Schwartz makes a compelling case for remaining on that course, rather than adopting a uniform federal privacy statute.  As Schwartz underscores, a uniform federal approach would likely preempt stronger state law rules, eliminating successful experimentation at the state level.  California exemplifies this trend:  its privacy innovations include allowing consumers to freeze their credit in the face of identity theft among others.  New York and Connecticut are now considering bills that would set limits on companies that track consumers across websites to deliver targeted advertisements based on their online behavior.  A uniform federal law would likely extinguish state-driven innovations whereas most federal sectoral privacy laws, such as the Gramm-Leach-Bliley Act, only provide a federal floor for information privacy and security, not a ceiling.  Schwartz highlights the possibility that a comprehensive information privacy law may ossify, thus making the loss of state experimentation all the more grave.  The piece also spearheads an important discussion about whether the centralizing forces at work today undermines the contributions of competitive federalism.

Schwartz’s piece is a must read.  Here is the abstract for Preemption and Privacy: Read the rest of this post »

  October 27, 2009 at 11:08 am   Posted in: Current Events, Cyberlaw, Privacy   Print This Post   No Comments

Danger Will Robinson: Google Book Deal Is at DEFCON 2

posted by Deven Desai

The Google Book Deal is suspended. Time to cheer, correct? No. As Pam Samuelson noted in the New York Times, that probably is too little time to resolve the issues at hand. In fact I think right now is when the GBD is at quite a dangerous stage.

First neither party represents the public. One cannot expect them to represent the public, and one ought not trust they will do the right thing for the public. To be clear, I am not making a moral judgment here. I expect, as we all should, that each party will seek to maximize its position. Understanding why I refuse to call this situation a settlement helps understand this point. As many know, this action encompasses far more than the claims at issue in the suit. Many think that Google was on strong grounds for its fair use clam and its original use. The Publishers (aka the Registry seeming to be working for authors) saw the chance to get ahead of the digital curve. Unlike music and film, they realized they could look good and capture publishing’s future. They offered Google a deal that Google did not need. Or did it? Although Google is a data vacuum and does well with the ad-based business model, the search giant has been searching for a new revenue stream. Online ads can’t be the only source of revenue from any viewpoint. That is a precarious position. Indeed, the online ad market just took a big dip. The Deal presents Google with the chance to make money from something other than ads.

With this perspective one sees that expecting or trusting either party to look out for the public’s interest is foolish. My guess is that the public choice literature could yield some useful ways to think about the problem too, but I have not thought that through as yet.

Second, Google and the Publishers now have a wave of information from all quarters that they can use to their benefit. Here is the strategy that I expect to see. Assess the most severe and some of the less severe criticisms. Incorporate some of them in changes. Keep the deal as is for the most part (Note that is precisely what the Registry said will be the case “the core agreement is going to stay the same.”). Then when the time to approve, deny, or move the Deal to another form comes, one claims “We acted in good faith. We can’t keep everyone happy. Without this deal no one wins. Can’t we get along, move forward, and sort the details later? That is a more reasonable way to proceed.”

More importantly, those who have kept paying attention to the problem may start to lose focus or fade out. People may become tired or say is this thing still going on?

And that is why I say Danger Will Robinson. The Google Book Deal is at Defcon 2.

  October 8, 2009 at 2:59 pm  Tags: Google, Google Book Settlement, Registry  Posted in: Cyberlaw, Google & Search Engines, Intellectual Property, Media Law, Politics, Technology   Print This Post   No Comments

Making the Internet Safer, the NSA Way

posted by Danielle Citron

Securing our networked environment is both crucial and difficult.  Six months ago, President Obama declared his Administration’s commitment to protect cyberspace from sabotage of all stripes.  For the President, the rise of online theft, electronic espionage, and military-related cyber assaults necessitated the appointment of a cyber czar to protect our cyber “national assets.”  The President has tried to fill that spot: Shane Harris of National Journal explains that “more candidates had declined the job than were still in the running for it.”  And despite our failed efforts at CoOp to recruit Orin Kerr for the job, the cyber czar position remains empty.

This state of affairs may be due to the difficult nature of the task at hand.  Former NSA head General Michael Hayden recently said: “There is no regime for us to work within to respond to cyberattack.  We are in a place where technology has long outstripped policy–let alone law–in term of what’s available.  We are going to have to rely on heroism instead of a plan.”  If Hayden has it right, it is no wonder that no one wants the job.

Nonetheless, the Administration may have already charted its path, one that entrusts the National Security Agency with protecting cyberspace.  According to the National Journal, Lt. General Keith B. Alexander, the NSA’s director, has been “setting up the central nervous system in the government’s campaign to defend cyberspace.”  The NSA will now, unlike the past, help oversee the networks of civilian government and privately-owned, criticial infrastructure (dams, railroads, hospitals, banks, food industry, hotels, telecommunications, postal, shipping, retail, transportation, and well everything else).  This is true even though DHS is charged with defending civilian networks and coordinating private sector protection.  Homeland Security Security Secretary Janet Napolitano said that NSA will provide DHS “technical assistance” on this issue.  In short, DHS will rely on the NSA for the tools, expertise, and resources to protect cyberspace.

So the NSA apparently will be overseeing and securing private networks, the same NSA that engaged in wholesale warrantless surveillance of Americans after 9/11 (and the agency that monitored telegrams coming in and out of the United States to detect individuals with communist ties in the 1950s and 1960s)?  Congress has, of course, limited the NSA’s warrantless wiretapping and the President has promised us greater transparency in government decision-making.  Nonetheless, NSA’s oversight over privately-owned systems and wholesale access to their contents raises serious concerns.  And because the NSA will direct these efforts in the name of national security and intelligence, little transparency will be forthcoming.  On another note, the question remains whether it was agency turf-war antics that led to Melissa Hathaway’s decision to leave government–she was the DHS official and most senior cyber expert in the White House who had been a leading candidate for the cyber czar post.  At the time of her resignation, Hathaway told the Washington Post that she “wasn’t willing to continue to wait any longer,” and she wasn’t “empowered” to make any changes.

  October 6, 2009 at 9:12 am   Posted in: Architecture, Cyberlaw, Privacy, Privacy (Law Enforcement), Privacy (National Security), Technology, Uncategorized   Print This Post   One Comment

FTC and Blogger Disclosure Rules

posted by Deven Desai

As I argue in my essay Individual Branding the web presents important and amazing new possibilities for individuals to earn money and much of that potential will flow from one’s online reputation. In short, as one blogs or shares information in another form, one becomes a trusted source and can start extract money from those activities. I argue that those acts have the seeds of the possible destruction of Benkler’s world of sharing. Today the FTC has targeted a practice that arguably could increase the reliability of social network endorsements but will also upset many people.

As CNET reports, “Independent bloggers who fail to disclose paid reviews or freebies can face up to $11,000 in fines from the Federal Trade Commission, according to revisions to the agency’s “Guides Concerning the Use of Endorsements and Testimonials in Advertising” published Monday.” The FTC has not updated the Guidelines since 1980. The press release is here. The full text of the Guides are here (pdf). It is 81 pages, and I have not read it as yet but one thing people should know is that the effective date is December 1, 2009.

From the release it appears that the guides take am expansive view of what presents a moment to disclose “The revised Guides specify that while decisions will be reached on a case-by-case basis, the post of a blogger who receives cash or in-kind payment to review a product is considered an endorsement. Thus, bloggers who make an endorsement must disclose the material connections they share with the seller of the product or service.” CNET suggests that celebrities and “mommy bloggers” could be in trouble under the new rules. (Here is my prediction on the riposte to come but that I don’t think is accurate: “The FTC hates moms. In a down economy and with more and more people needing new ways to earn, the FTC actions are a direct attack on the importance of moms.” Now back to our regularly scheduled blogging.)

There are a ton of oddly connected things here. First, I just blogged about CITP and its FedThread project. That project would allow one to track this sort of moment rather quickly. Second, I was just at the Works In Progress Intellectual Property Conference at Seton Hall (which was yet again an excellent conference and for which everyone at Seton Hall deserves many thanks) where Zahr Stauffer presented a fascinating paper called Novels for Hire: Branded Entertainment, Copyright and the Law that I think will have something to say about these changes. As one blog notes, the practice of giving journalists freebies is common. Zahr’s paper shows how advertising and novels have had a rather curious interaction over the years. I think the paper will help understand the way writing and advertising have co-existed in either good or bad ways at different times with the shift to blogging fitting in as part of that history. The paper should be available soon so keep an eye out for it.

Electronics and other big ticket items seem to be where the concerns are. I look forward to finding out whether book, film, and music reviewers have to tell readers whether they received a review copy of the book. In general if one only says nice things about a review subject, one might receive more books etc. I think that non-professional blogs and other online information sources such as rating systems and FaceBook will allow people to find out whether they should buy a product (i.e., one might use a personal network to ask whether a product is good). That practice could undercut the quiet payment model.

Here is a possible way to understand this turn of events. 1) Secret endorsements die out and full disclosure of what has been given is the norm. 2) Small bloggers and big agencies are no longer able to seem credible as reviewers. 3) If people want independent reviews, they must pay magazines or other pay sources who can afford to buy the review items and avoid the taint of being given free stuff. 4) The public does not want to pay and instead reads the blog reviews with the disclosures and augments the research with social networks and user ratings which are more difficult to fake and possibly more reliable. 5) Yet again paid, professional independent news and reviews seems to be squeezed out.

  October 5, 2009 at 1:44 pm  Tags: Blogging, FTC, guides  Posted in: Blogging, Consumer Protection Law, Cyberlaw, First Amendment, Media Law, Web 2.0   Print This Post   7 Comments

Tweeting for the Party

posted by Danielle Citron

During the 2008 election, Democrats effectively used Web 2.0 platforms to garner interest in the campaign and win supporters.  President Obama has been widely hailed as the first “Tech President,” and he seems to have trounced the Facebook landscape.  To date, President Barack Obama has over 6.6 million Facebook friends, while Sarah Palin only has 848, 614 Facebook pals and Mitt Romney has 70, 130.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor now that they are in the minority.  AMERICAblogs’ John Aravosis worries that Democrats have ceded their online advantage.

No matter the current political victor in this social media landscape, Government 2.0 is here to stay.  It surely has great potential to shine light on government policymaking and to marshal public participation, especially from people who otherwise wouldn’t bother getting involved with government policymaking.  Adding the President as a friend on MySpace and joining live chats may seem to be a relatively costless endeavor as compared to writing letters or commenting on agency rulemakings.  But Government 2.0 also poses privacy risks: social media sites not only give government access to people’s policy insights but also access to all of individuals’ social media data, such as their videos, photos, walls musings, “Top 25 things you don’t know about me” lists, and the like.  Soon, I will be posting on SSRN a draft of my essay “The One-Way Mirror: Enhancing Participation and Securing Privacy for Government 2.0″ (forthcoming George Washington Law Review) and hope to get your feedback.

  September 28, 2009 at 12:11 pm   Posted in: Cyberlaw, Google & Search Engines, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Social Network Websites, Technology, Uncategorized   Print This Post   No Comments

Professional Responsibility Meets Facebook, Another Oops the Bar

posted by Danielle Citron

Every year, my small section reads a New Yorker “On the Town” squib called “Oops” to kick off a discussion on care and professional responsibility in their legal careers.  “Oops” tells the story of a summer associate who, in 2003, mistakenly sent the following email to lawyers with whom he worked on a deal: “I’m buy doing jack shit.  Went to a nice 2hr sushi lunch today at Sushi Zen.  Nice place.  Spent the rest of the day typing e-mails and bullshitting with people.”  The summer associate signed  off the email: “So yeah, Corporate Love hasn’t worn off yet. But give me time.”  The summer associate meant to send the email to his friend.  Oops.

For a moment, let’s put aside the stark difference between the world (and law firm environment) facing the summer associates of 2003 and the one facing the summers of 2009 and turn to Sunday’s New York Times story “A Legal Battle: Online Attitude Vs. Rules of Bar.”  The Times talked about recent cases where lawyers do violence to their careers through their online activities.  Lawyers blog about judges:  one wrote that he thought a named judge was an “Evil, Unfair, Witch” and questioned the judge’s competence.  Another lawyer friended a judge on Facebook and later posted about his/her drinking and motorbiking.  The problem: the lawyer asked the judge to delay a trial because of a death in the family in the same week that the lawyer shared the drinking tales with his/her social network.  The lawyers in those cases have suffered serious consequences (the first is facing a reprimand from the bar, the second faced the wrath of his/her firm–the judge told the lawyer’s bosses what happened).

Now, the 2003 summer associate made a big mistake, but perhaps not on the same order as the lawyers covered in yesterday’s Times.  The summer associate had a slip of the finger perhaps, a hasty moment that changed the way those in his firm saw him.  But the lawyers arguably dove into the pool of their fate head first: one might say that they knowingly risked their careers and should suffer the consequences (to the extent the Bar desires and the First Amendment permits).  Social scientists like Alessandro Acquisti and danah boyd and legal scholars like James Grimmelmann offer an explanation for why people are so foolish online.  People write carelessly not because they have “a reduced sense of privacy” but because they felt anonymous.  As danah boyd explains, social network participants “live by ‘security through obscurity’ where they assume that as long as no one cares about them, no one will come knocking.”  They operate under the norm that people with no social connection to them “could look at your profile, but shouldn’t.”  They assume that only close friends are paying attention to their online activities.  All of this is to say that perhaps President Obama shouldn’t just talk to young people about the perils of oversharing online.  Maybe lawyers need the lesson too.

Wikimedia Commons Image

  September 14, 2009 at 3:58 pm   Posted in: Cyberlaw, Law Practice, Privacy, Psychology and Behavior, Uncategorized   Print This Post   3 Comments

Twits, As In The NFL Management Folks and Twitter

posted by Deven Desai

Although I despise those who twitter as a general matter (and will thus likely embrace the odd medium any day now), it has moments where it is useful. Short bursts of information updates for natural disasters, airport shut downs, and possible revolutionary mayhem come to mind. Today a less major (depending on how you look at it) issue, gmail going down, has shown that Twitter is again useful but barely. As TechCrunch notes, Twitter may have come close to crashing but held up well as thousands upon thousands of folks expressed frustration and ore about the great Google in the sky going down. And yes some Google folks used the medium to communicate bland statements about how Google was addressing the problem (probably asking some extraordinarily smart people about some obscure math issue and then finding that such knowledge may not help them figure out email service).

Now the NFL has come along and has regulated the use of Twitter as CNET describes:

[The NFL has] modified its social-media policy to limit Twitter and social-networking use by players, coaches, league officials, and even the media. The NFL said that it will let players, coaches, and other team personnel engage in social networking during the season. However, they will be prohibited from using Twitter and from updating profiles on Facebook and other social-networking sites during games. In addition, they will not be allowed to tweet or update social-networking profiles 90 minutes before a game and until post-game interviews are completed. The rules even extend to people “representing” a player or coach on their personal accounts. The NFL didn’t just stop with the league itself, though. The organization also said that media attending games will be prohibited from providing game updates through social networks.

I love the NFL’s reason and think that it is trying to assert that even fans ought not be able to share play-by-play:

“Longstanding policies prohibiting play-by-play descriptions of NFL games in progress apply fully to Twitter and other social media platforms,” the National Football League said in its statement. “Internet sites may not post detailed information that approximates play-by-play during a game. “While a game is in progress, any forms of accounts of the game must be sufficiently time-delayed and limited in amount (e.g., score updates with detail given only in quarterly game updates) so that the accredited organization’s game coverage cannot be used as a substitute for, or otherwise approximate, authorized play-by-play accounts.”

This position seems to suggest that one, players, etc. twittering has something to do with approximating play-by-play when most likely the NFL wants to regulate the way in which all those connected with a team communicate and represent themselves around a game. One might agree that being in the NFL requires following its odd ethics. How those goals havve anything to do with play-by-play recounting is beyond me. If fans start to share exuberant moments in almost real time, as I did via text in the glorious game to of the NBA finals this past season, but instead of using text, fans used Twitter, the NFL might assert that such sharing is not allowed. At least the quoted logic above seems to point to such nonsense. As CNET notes enforcement even at the team level will be quite difficult as the nFL won’t know who posted what. Of course the NFL could require some sort of disclosure of Twitter and other social networking aliases which raises a host of standard objections that readers here can easily figure out while the NFL may not. All of which makes me wonder, should the twits who came up with these positions love Twitter?

  September 1, 2009 at 2:17 pm  Tags: gmail, NFL, Twitter  Posted in: Cyberlaw, First Amendment, Social Network Websites   Print This Post   One Comment

I See Code: Plain View and Computer Searches

posted by Deven Desai

The Ninth Circuit has taken a swat computer searches and the plain view doctrine (pdf). I have not yet read the entire opinion but Orin Kerr has a series of posts about the decision here. And Shaun Martin, for whom I have a ton of respect as well, covers the case here. Shaun’s post captures how well-written the opinion is: “In my dreams I could write an opinion this good. It’s clear. It’s concise. It provides meaningful, systemic guidelines. It’s just. It’s got a keen sense of both the practical way the world works as well as the dangers inherent in certain conduct. In short, it’s exactly what I want in a wide-ranging opinion that makes meaningful precedent. … If you only read a dozen Ninth Circuit opinions this year, this should be amongst them.”

Dan and others will likely have more to say, so stay tuned, folks. As Orin notes, “This is really new territory, so it will be interesting to see how it plays out. I suspect we’ll find out soon, as there are a lot of these cases.” In the interim, here are three paragraphs worth reading:

The point of the Tamura procedures is to maintain the privacy of materials that are intermingled with seizable materials, and to avoid turning a limited search for particular information into a general search of office file systems and computer databases. If the government can’t be sure whether data may be concealed, compressed, erased or booby-trapped without carefully examining the contents of every file—and we have no cavil with this general proposition—then everything the government chooses to seize will, under this theory, automatically come into plain view. Since the government agents ultimately decide how much to actually take, this will create a powerful incentive for them to seize more rather than less: Why stop at the list of all baseball players when you can seize the entire Tracey Directory? Why just that directory and not the entire hard drive? Why just this computer and not the one in the next room and the next room after that? Can’t find the computer? Seize the Zip disks under the bed in the room where the computer once might have been. See United States v. Hill, 322 F. Supp. 2d 1081 (C.D. Cal. 2004). Let’s take everything back to the lab, have a good look around and see what we might stumble upon.

This would make a mockery of Tamura and render the carefully crafted safeguards in the Central District warrant a nullity. All three judges below rejected this construction, and with good reason. One phrase in the warrant cannot be read as eviscerating the other parts, which would be the result if the “otherwise legally seized” language were read to permit the government to keep anything one of its agents happened to see while performing a forensic analysis of a hard drive. The phrase is more plausibly construed as referring to any evidence that the government is entitled to retain entirely independent of this seizure.

To avoid this illogical result, the government should, in future warrant applications, forswear reliance on the plain view doctrine or any similar doctrine that would allow it to retain data to which it has gained access only because it was required to segregate seizable from non-seizable data. If the government doesn’t consent to such a waiver, the magistrate judge should order that the seizable and non-seizable data be separated by an independent third party under the supervision of the court, or deny the warrant altogether.

  August 27, 2009 at 6:01 am  Tags: Balco, Fourth Amendment, Judge Kozinski, Ninth Circuit  Posted in: Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)   Print This Post   One Comment

Cyber Gender Harassment: “Skanks of NYC”

posted by Danielle Citron

Dan, Kaimi, and Elizabeth have offered some terrific insights on the issues raised by the court’s unmasking of the “Skanks of NYC” blogger.  Kaimi’s post “Cyber Civil Rights vs Privacy in the ‘Skanks in NYC’ case” in particular did a superb job capturing the issue as discrimination.  I write here to follow up on issues related to the case that folks have discussed with me.

Some have asked whether this case warrants treatment as a cyber civil rights issue since it “is just a girl cat fight.”  To be sure, women can deprive other women of their right to be free of unequal treatment on the basis of their gender.  But the larger concern is, for me, convincing skeptics to see the blog attacks on Ms. Cohen as more than just an interpersonal disagreement between two women, something that tort law can handily address on its own, but rather as gender discrimination.  Tort law would not reach the harm experienced by Ms. Cohen, women, and society due to the blog’s interference with her right to equal treatment.  It would not address the stigma that Ms. Cohen experienced a a result of the blog’s message that she had worth only as a sex object.  Much like sexual harassment in the workplace, the blog suggested that Ms. Cohen constitutes an object of sexual derision, not a person worthy of respect.  Moreover, they interfered with Ms. Cohen’s right to work as an equal.  According to Ms. Cohen, potential employers asked her about the blog, which quite possibly deterred them and others from hiring her.  In a world filled with aspiring models, employers might chose to work with someone who comes with less baggage, even if they do not believe the postings a wit.  And the blog postings harm women as a group and a society as a whole by entrenching gender hierarchy in cyberspace.  Whether current law would support such a claim is certainly in dispute, but such a law could be crafted.  Such a law would play an important expressive role–it would change the social meaning of such harassment of women.

Indeed, as privacy scholar Ian Kerr suggested, maybe the media’s attention to the case can be attributed to its leering interest in a “battle” between two beautiful women?  Maybe coverage of the issue reflects a deeper misogyny: the story has attracted so much attention because it produces an image of women as female wrestlers of sorts, battling it out in their bikinis?

Read the rest of this post »

  August 26, 2009 at 12:58 pm   Posted in: Anonymity, Civil Rights, Cyber Civil Rights, Cyberlaw, Privacy, Uncategorized   Print This Post   2 Comments

Opening Up the Law: Pacer, CITP, and the RECAP the Law Project

posted by Deven Desai

As some of you know I am a Visiting Fellow this year at Princeton’s Center for Information Technology Policy. When I arrived a couple weeks ago, I heard about a project in the works and have been dying to tell people about it. It is now live and looks great. It is called RECAP and just may change the way people access a major part of the law. We’re talking about the law that lurks outside cases; the actual guts of litigation.

Attorneys live and die by documents. As I tell my students, you must write well, because lawyers are paid in large part to write. With around 1.1 million attorneys practicing in the U.S., a large amount of paper, a.k.a., courts documents, is generated each and every day. Court documents are essentially public documents (there are times when papers are sealed etc., but that is a separate matter). The government runs a system called PACER that allows one to search for and access U.S. Appellate, District, and Bankruptcy court records and documents. But as the Washington Post explains, “The fee to access PACER is $0.08 per page: ‘The per page charge applies to the number of pages that results from any search, including a search that yields no matches (one page for no matches.) The charge applies whether or not pages are printed, viewed, or downloaded.’ For people who do a lot of legal research, those fees add up quickly.”

In an era of transparent government, open source, and access-to-knowledge movements, it was only a matter of time before someone decided to find a way to make court documents available on a broader basis. The folks at Stanford have the IP Litigation Clearing House. That project aims to fill the “critical need for a comprehensive, online resource for scholars, policy makers, industry, lawyers, and litigation support firms in the field of intellectual property litigation.” That project has 23,000 documents and is growing. Pretty darn good, if you ask me. But wait; don’t order yet! Now comes RECAP from the folks at Princeton’s Center for Information Technology Policy. (Specifically, Harlan Yu, Steve Schultze, and Timothy B. Lee developed the project which is led by Prof. Ed Felten). Here is the link to the About Page, but let me tell you a little more.

CITP’s Harlan Yu explains:

RECAP is a plug-in for the Firefox web browser that makes it easier for users to share documents they have purchased from PACER, the court’s pay-to-play access system. With the plug-in installed, users still have to pay each time they use PACER, but whenever they do retrieve a PACER document, RECAP automatically and effortlessly donates a copy of that document to a public repository hosted at the Internet Archive.

In addition, if one is using PACER and RECAP “The documents in this repository are, in turn, shared with other RECAP users, who will be notified whenever documents they are looking for can be downloaded from the free public repository.” So when one searches for a document, one is notified about the availability of a free copy of the document.

There is probably much more to say here, but for now I want to congratulate the folks here at CITP on a great idea that uses information, technology, law, and policy to craft an elegant solution to increasing government transparency. This resource should feed almost anyone interested in practicing or studying the law. Empirical researchers alone should be drooling at this new wealth of information.

  August 14, 2009 at 6:06 am  Tags: access to knowledge, access to law, open source, PACER, RECAP  Posted in: Civil Procedure, Constitutional Law, Cyberlaw, Intellectual Property, Sociology of Law, Technology, Web 2.0   Print This Post   7 Comments

The Convergence of the Public and Private in Online Spaces

posted by Danielle Citron

Last month, Government Technology had an article entitled “Blurring the Line,” which discussed the increasingly public nature of online social networking sites.  Employers now “friend” employees, leaving the employed likely to accept those friendships out of fear for losing their jobs.  The article discusses the problems attendant to the convergence of of our work, social, and family worlds and asks whether this phenomenon will alter the nature of those spaces from a sharing free-for-all to a more buttoned-down, “not afraid for the boss to see” experience.

In reading the article, I wondered if the story will play out in a different way, one that will meet employers’ desire to harness the connectivity of social networking sites without compromising its current incarnation.  As we have seen in the government sector with internal wikis like Intellipedia, we may see employers increasingly adopt in-house social networking sites, say a [Name] Company Connect.org, just as we have seen employers wade into the Twitter space.  We may already be doing this (and it would be really interesting to learn about it), but perhaps such sites would nip in the bud employers/managers/supervisors’ desire to friend their underlings.  This may detract from the goal of monitoring employees, but we surely have enough of that in the workplace already (as well as the ability to view employees’ profiles for the very many people who fail to set rigorous privacy settings, as ACM studies show).  And it may save employers from having looked at employees’ damning wall musings and pictures and figuring out just what to do about it.

  August 5, 2009 at 7:02 am   Posted in: Cyberlaw, Google & Search Engines, Privacy, Privacy (Consumer Privacy), Technology, Uncategorized   Print This Post   2 Comments

Computer Clouds, Promise and Perils

posted by Danielle Citron

Jonathan Zittrain has a superb Op-Ed in The New York Times on the various risks attendant to cloud computing.  He writes:

The cloud, however, comes with real dangers.

Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)

Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.

Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these. Read the rest of this post »

  July 27, 2009 at 9:46 am   Posted in: Cyberlaw, Privacy, Technology, Uncategorized   Print This Post   3 Comments

Surveillance Facebook-Style: It’s Your Party and You Can Cry If You Want To

posted by Danielle Citron

The U.K.’s Register reports that British police stormed a man’s birthday barbeque party because his invite to 15 Facebook friends advertised an “all night party.”  Before the party could really begin, police showed up in four cars, a riot van, and a helicopter, ordering the birthday boy to shut the party down or face arrest.  With an appropriate amount of humor, Andrew Poole, the birthday trouble-maker, explained: “What the police did was come in and stop 15 people eating hamburgers.”  What would possess the Facebook Precinct to bother here?  Section 63 of the Criminal Justice and Public Order Act 1994 grants police powers to remove individuals attending or preparing for a “rave,” defined as playing amplified music “wholly or predominantly characterised by the emission of a succession of repetitive beats.”

This incident demonstrates the perils of a society that monitors and mines Facebook communications.  The costs to liberty include blows to free expression and association.  Brits will surely think twice about wall messages and “what I am doing now” missives that include talk of parties and other activities subject to misinterpretation.  The costs to society: the misdirection of police from real threats to society and wasted resources spent breaking up a birthday bash (the helicopter time apparently cost 200 pounds and tack on the police efforts, including any investigation they conducted and time at the party, and gas for the four cars and van).  So with Facebook surveillance the British may get less liberty and less security.

Commentators on the Register story noted their relief at living in the United States.  They suggested that law enforcement and security officials would never be so foolish as to monitor Facebook traffic.  Think again.  The NSA’s Advanced Research Development Activity (ARDA) has funded research on the “Semantic Analytics on Social Networks: Experiences in Addressing the Problem of Conflict of Interest Detection,” which discusses how  intelligence about people can be extracted from social networks.  ARDA’s role is to spend NSA money on research that can “solve some of the most critical problems facing the U.S. intelligence community.”  ARDA’s function is to make sense of the massive amount of data that the NSA collects.

Should Americans be worried about intelligence profiling a la Facebook?  Many might think that the use of privacy settings on social networking sites would obviate the problem.  First, studies suggest that most social networking site users use the default privacy settings, which are often the least privacy protecting and may reveal much of a user’s musings.  Second, this assumption presumes that third party sites will not turn over social networking data, which they own, to the government, either for a pretty price or in the face of a subpoena or warrant.  This assumption may be faulty.  So what is all of the fuss?  Automated intelligence profiling has obvious costs, such as the ones posed by the birthday party bust.  It also has less apparent ones, such as mining misleading social networking data with other not-so reliable private and public database date and, poof, people end up on government watchlists.

Stock Xchange Photo

  July 19, 2009 at 4:01 am   Posted in: Anonymity, Architecture, Cyberlaw, Google & Search Engines, Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Technology, Uncategorized   Print This Post   2 Comments

New Developments in Cryptography and Privacy

posted by Deven Desai

According to Help Net Security, Craig Gentry, a researcher at IBM, appears to have found a way to allow “the deep and unlimited analysis of encrypted information – data that has been intentionally scrambled – without sacrificing confidentiality.” The solution involves a an “ideal lattice.” I’ll leave the explanation of all the math to the math/computer science folks. As the Help Net article notes, the solution seems to enable some great advantages for anyone providing cloud computing for:

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients’ behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, the analysis of encrypted information can yield the same detailed results as if the original data was fully visible to all.

It all sounds wonderful. One could have encrypted data and let others data mine while maintaining anonymity or privacy. Yet, something seemed odd to me. So I did what lawyers do, I called someone who knew more about computer science and asked for some help. That person explained that yes this could mean one could query an encrypted database without decrypting the data. The example to consider is a database of book purchases. One could ask how many people bought both book A and book B and see that result without ever seeing what a specific person purchased. Great, right? Not so fast.

As this person reminded me, with other sources of information one can figure out what a specific person did. That reminded me of the AOL debacle. With a little work, people were able to figure out who the anonymous subjects were.

All of which highlights that privacy is not binary. The cluster of information and the ability to analyze it seems often, if not always, to lead to problems about the use of information. So if this breakthrough allows a company or the government to claim that we should remain calm and all is well, we may want to remain clam but show how all may not be well. A few regulations about the use of the data even if supposedly anonymous, might allow the beneficial aspects of the solution to thrive while limiting the harms that can occur.

Image: WikiCommons
By: Gwenda; License: Public Domain
(My apologies to CS folks if the image does not match the breakthrough’s area of encryption)

  June 30, 2009 at 11:35 am  Tags: cloud computing, cryptography, Privacy  Posted in: Cyberlaw, Google & Search Engines, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Technology   Print This Post   7 Comments

Responsibility and Duty Meet Social Networking

posted by Deven Desai

In light of the events in Iran, many may laud the power of tools such as Twitter and Facebook as they allow information to reach the world. Here in the United States, however, a few stories highlight how social networking tools and blogs run into ideas of fairness, honesty, and even justice. First, the FTC is planning on investigating bloggers who are paid for their posts but who do not disclose their affiliation. The article claims “The common practice of posting a graphical ad or a link to an online retailer — and getting commissions for any sales from it — would be enough to trigger oversight.” Second, the Ninth Circuit has just ruled that a woman’s blog posts about her co-workers and job environment were not protected speech. As such, her demotion was lawful. Third, a recent Law.com article makes a strong argument that tweeting while on a jury should not be allowed and jeopardizes the fairness of a trial.

The FTC action seems too aggressive, yet it shows that the idea of blogs having some sort of purity is not always the case. But if it prompts bloggers to be more forthcoming about their affiliations and to develop some best practices (as the article suggests), that could be a good outcome. It also seems to embrace the idea of more information is better which may keep many online happy. Those who think tweeting is some sort of anointed right err. The trial context shows that rather well. As for the blog and speech case, I need to find the decision. The article claims that the court “concluded that [the plaintiff's] speech was not a ‘public concern’ but rather was ‘racist, sexist, and bordered on vulgar,’ and it characterized her behavior, in part, as ’salacious’ and ‘mean spirited.’” I leave it to the First Amendment folks to unravel that one, but I wonder whether this case will be appealed to the Supreme Court.

In any event, these three events show that while we can say that tools that enhance free speech are wonderful in the extreme cases such as the situation in Iran, the more subtle cases raise on-going questions about the contours of speech. As always the issues are familiar. Now, however, simply saying keep your hands off the Internet or keep it free is an insufficient guideline. Too many people are online and too much online behavior tracks offline experiences and problems. In other words, although the technologies seem to make the questions different and requiring special treatment, they may only make the old questions and responses more salient.

  June 22, 2009 at 11:22 am  Tags: Blogging, free speech, FTC, juries, regulation, Twitter  Posted in: Cyberlaw, First Amendment   Print This Post   No Comments

Why We Should Care About Privacy in a Government 2.0 World

posted by Danielle Citron

Yesterday, I wrote about the public’s expectations regarding privacy when interacting with government on social networking sites such as Facebook, MySpace, Flickr among others.  Why should we care if agencies collect our musings, videos, and pictures that we have willingly shared with online “friends,” both real and imaginary ones?

Here are some practical concerns: the personal information on MySpace pages could be collected and joined with other data gathered from private data mining companies, public sector databases, etc.  (Oftentimes, data about us collected by third parties is often faulty).  All together, the information could suggest (albeit falsely) that we constitute a threat to society.  Law enforcement could be informed and our names could be put on watch lists.  This is not a hypothetical problem, see here.  If federal agencies collected and maintained that data in their systems, it would be covered by the Privacy Act of 1974.  Nonetheless, you would still appear on a watch list or assigned another ignominious fate by an automated government system.

As a normative matter, the absence of privacy vis-a-vis government on online social networking sites is unappealing.  It would likely have an impact on our willingness to friend government agencies.  We would be less likely to join online conversations that the Open Government directive hopes to generate.  Or if we friend a government agency because we want to peer inside its operations, we may edit what we include on our profiles.  As Julie Cohen has elegantly developed in her work, the lack of privacy would chill our creativity and desire to experiment with different aspects of our personalities.  And Patricia Sanchez Abril has a superb piece entitled “A (My)Space of One’s Own: On Privacy and Online Social Networks” that discusses the social implications of a “no privacy” presumption in information we share with our friends on social networking sites.  Justice Douglas’s remark that “monitoring, if prevalent, certainly kills free discourse and spontaneous utterances” should not be lost to us here.

Wikimedia Commons Image

  June 19, 2009 at 9:34 am   Posted in: Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Law Enforcement), Technology, Uncategorized   Print This Post   2 Comments

Talking About a Revolution: The Clue Train Manifesto’s Imprint Ten Years Later

posted by Danielle Citron

Just over ten years ago, Rick Levine, Christopher Locke, Doc Searls, and David Weinberger posted The Cluetrain Manifesto where they implored the public to see the Web as far more than a networked shopfest.  It was a place where individuals could project and connect their voices in an ongoing conversation free from the “dehumanization of the Mass Age.”  Today, Berkman Center co-founder and Harvard Law Professor Jonathan Zittrain will be talking to Doc Searls and David Weinberger about their Manifesto’s legacy.  In a talk that will be webcast here, Zittrain will ask how cyberutopianism and Internet exceptionalism fares in the face of online harassment, identity theft, cyber warfare, spam, and Craigslist killers.  Can we retain our optimism?   Do the Cluetrain lessons (or “theses” as the manifesto described them) and limitations provide insights to addressing current dilemmas?  This will be an interesting discussion to be sure.

Wikimedia Commons Image.

  June 16, 2009 at 9:59 am   Posted in: Culture, Current Events, Cyberlaw, Technology, Uncategorized   Print This Post   No Comments

Three Strikes and You’re Offline

posted by Danielle Citron

French President Nicolas Sarkozy recently noted that the Internet is not a lawless zone.  On that, many of us agree.  But then he went a step too far, trumpeting a law that would cut off Internet access to people who repeatedly download copyrighted content  illegally.  The law would have set up a “three-strike” system in which music labels and movie studios would monitor file-sharing web sites to identify computers that have illegally downloaded copyrighted content and then report suspected pirates to a government committee, which in turn would review cases and require ISPs to identify offenders.   

Not surprisingly, the French Constitutional Council struck down the provision of the law that would cut off Internet access to repeated copyright offenders, finding it incompatible with the French Constitution and its due process protections.  The Council ruled that the law will be enacted without the “three-strike” component.  Instead, the government agency can only send out mail and email warnings to suspected pirates.  If the agency wants to further sanction a suspected pirate, it would have to go to court. 

The decision appears to be a narrow one, leaving open the possibility of Internet banning upon judicial review.  On the one hand, this is a wise move given the likelihood that a computer’s involvement in mischief was truly the doings of a neighbor using its wireless router.  Judicial review would address that scenario.  On the other hand, it leaves open the troubling possibility of banning Internet use due to copyright violations.  The protection of artistic creation can surely be accomplished by less extreme measures, i.e., ones that do not cut off a copyright offender’s exercise of basic freedoms in this networked age, from her right to express ideas, create artistic content, associate with religious groups, and make a living.

Wikimedia Commons Image

  June 14, 2009 at 7:39 am   Posted in: Culture, Current Events, Cyberlaw, Intellectual Property, Uncategorized   Print This Post   One Comment

Twitter Fraud

posted by Danielle Citron

Individuals increasingly use social networking tools to commit fraud.  Philadelphia Eagles player Asante Samuel discovered his Twitter imposter after the Philadelphia Daily News attributed to him comments from his doppleganger’s Twitter feed.  Keith Olbermann was a victim of Twitter impersonation as was Tony La Russa, manager of the St. Louis Cardinals.  Temple professor Susan Jacobson predicts that much like the early days of the Internet when individuals bought the domain names of celebrities to sell it to those notables for a tidy profit, we will likely see variations of such mischief on social networking sites.

Aside from the celebrity context, we may see other misuses of Twitter feeds.  Governments increasingly use Twitter to alert the public about car accidents, fires, crime reports, and public health emergencies.  A tweet about a fabricated fire or car accident could cause dangerous traffic jams and needless panic.  Someone could impersonate a police department, sending tweets about crimes never committed.  This teaches us to be circumspect about all of those Twitter updates.

H/T to Jim Stanton for his blog posting, “Social Media Fraud On the Increase.”

Wikimedia Commons Image

  June 10, 2009 at 11:11 am   Posted in: Anonymity, Criminal Law, Culture, Current Events, Cyberlaw, Privacy (Law Enforcement), Technology, Uncategorized   Print This Post   No Comments

At Long Last, A Cyber Security Czar

posted by Danielle Citron

President Obama recently announced the creation of a White House cyber security coordinator who will oversee a national strategy for securing American interests in cyberspace.  The coordinator will be a member of the National Security Council, reporting to the national security adviser and the senior White House economic adviser.   President Bush started us in this direction by instituting the Cyber Initiative to overhaul the government’s cyber defenses.  Yet we remain vulnerable to attacks on systems related to government operations, money supply, electric-power distribution, and transportation.  Thus, devoting resources to shoring up cyber security is crucial.

Why do we need to coalesce power in a cyber security czar to oversee the nation’s information security efforts?  Ira Winkler offers an explanation for centralizing this responsibility, rather than spreading it across various agencies.  He considers complications that arise when multiple agencies engage in cyber security efforts of the offensive and defensive variety.  He asks: what if the NSA engages in a long-term project to enter false information into an adversary’s database, unaware that the Army had hacked into the same database to try to track military movements?  According to Winkler, the lack of coordination would allow the NSA’s efforts to mislead the Army.  Divergent defensive efforts could similarly clash, thus undermining cyber security.

The President’s plan raises a number of unresolved issues.  The President hopes to recruit the private sector’s help in devising a comprehensive security strategy.  He has suggested building public and private partnerships around cybersecurity.  How will the Administration accomplish this partnership?  Would it be designed to get input from security professionals regarding government regulation of the private sector’s cyber security efforts?  Will the government have a role in overseeing private networks?  The heart burn involved in solving these issues is worthwhile given the critical importance of our networks to our economy and the real threat of cyber warfare.

Thanks to Wikimedia Commons for the image.

  June 3, 2009 at 9:08 am   Posted in: Current Events, Cyberlaw, Privacy (Electronic Surveillance), Technology, Uncategorized   Print This Post   2 Comments

• « Older Entries