Strengthening the nation’s commitment to privacy is crucial.  But, as Paul Schwartz’s engrossing Preemption and Privacy essay (Yale [...]]]> Privacy has seemingly come center stage.  Companies like Google, Microsoft, and eBay have joined forces to support a federal law that would impose uniform standards for the collection, use, and transfer of information across the private sector.  Activists and officials hope to update the Privacy Act of 1974 for the twenty-first century.  Senator Leahy has a renewed interest in data breach legislation, proposing the Personal Data Privacy and Security Act in July.  The American Recovery and Reinvestment Act of 2009, the stimulus bill, includes a data breach notification requirement for health providers.  The Federal Trade Commission recently published its final rule on data breach notification for e-health records.

Strengthening the nation’s commitment to privacy is crucial.  But, as Paul Schwartz’s engrossing Preemption and Privacy essay (Yale Law Journal) illuminates, a unitary federal information privacy statute should give us pause.  Today’s information privacy law landscape is mainly comprised of federal sector-specific statutes and stronger state regulation.  Schwartz makes a compelling case for remaining on that course, rather than adopting a uniform federal privacy statute.  As Schwartz underscores, a uniform federal approach would likely preempt stronger state law rules, eliminating successful experimentation at the state level.  California exemplifies this trend:  its privacy innovations include allowing consumers to freeze their credit in the face of identity theft among others.  New York and Connecticut are now considering bills that would set limits on companies that track consumers across websites to deliver targeted advertisements based on their online behavior.  A uniform federal law would likely extinguish state-driven innovations whereas most federal sectoral privacy laws, such as the Gramm-Leach-Bliley Act, only provide a federal floor for information privacy and security, not a ceiling.  Schwartz highlights the possibility that a comprehensive information privacy law may ossify, thus making the loss of state experimentation all the more grave.  The piece also spearheads an important discussion about whether the centralizing forces at work today undermines the contributions of competitive federalism.

Schwartz’s piece is a must read.  Here is the abstract for Preemption and Privacy:

A broad coalition, including companies formerly opposed to the enactment of
privacy statutes, has now formed behind the idea of a national information privacy law. Among the benefits that proponents attribute to such a law is that it would harmonize the U.S. regulatory approach with that of the European Union and possibly minimize international regulatory conflicts about privacy. This Essay argues, however, that it would be a mistake for the United States to enact a comprehensive or omnibus federal privacy law for the private sector that
preempts sectoral privacy law. In a sectoral approach, a privacy statute regulates only a specific context of information use. An omnibus federal privacy law would be a dubious proposition because of its impact on experimentation in federal and state sectoral laws, and the consequences of ossification in the statute itself. In contrast to its skepticism about a federal omnibus statute, this Essay views federal sectoral laws as a promising regulatory instrument. The critical question is the optimal nature of a dual federal-state system for information privacy law, and this Essay analyzes three aspects of this topic. First, there are general circumstances under which federal
sectoral consolidation of state law can bring benefits. Second, the choice between federal ceilings and floors is far from the only preemptive decision that regulators face. Finally, there are second-best solutions that become important should Congress choose to engage in broad sectoral preemption.

First neither party represents the public. One cannot expect them to represent the public, and one ought not trust they will do the right thing for the public. To be clear, I am not making a moral judgment here. I expect, as we all should, that each party will seek to maximize its position. Understanding why I refuse to call this situation a settlement helps understand this point. As many know, this action encompasses far more than [...]]]> The Google Book Deal is suspended. Time to cheer, correct? No. As Pam Samuelson noted in the New York Times, that probably is too little time to resolve the issues at hand. In fact I think right now is when the GBD is at quite a dangerous stage.

First neither party represents the public. One cannot expect them to represent the public, and one ought not trust they will do the right thing for the public. To be clear, I am not making a moral judgment here. I expect, as we all should, that each party will seek to maximize its position. Understanding why I refuse to call this situation a settlement helps understand this point. As many know, this action encompasses far more than the claims at issue in the suit. Many think that Google was on strong grounds for its fair use clam and its original use. The Publishers (aka the Registry seeming to be working for authors) saw the chance to get ahead of the digital curve. Unlike music and film, they realized they could look good and capture publishing’s future. They offered Google a deal that Google did not need. Or did it? Although Google is a data vacuum and does well with the ad-based business model, the search giant has been searching for a new revenue stream. Online ads can’t be the only source of revenue from any viewpoint. That is a precarious position. Indeed, the online ad market just took a big dip. The Deal presents Google with the chance to make money from something other than ads.

With this perspective one sees that expecting or trusting either party to look out for the public’s interest is foolish. My guess is that the public choice literature could yield some useful ways to think about the problem too, but I have not thought that through as yet.

Second, Google and the Publishers now have a wave of information from all quarters that they can use to their benefit. Here is the strategy that I expect to see. Assess the most severe and some of the less severe criticisms. Incorporate some of them in changes. Keep the deal as is for the most part (Note that is precisely what the Registry said will be the case “the core agreement is going to stay the same.”). Then when the time to approve, deny, or move the Deal to another form comes, one claims “We acted in good faith. We can’t keep everyone happy. Without this deal no one wins. Can’t we get along, move forward, and sort the details later? That is a more reasonable way to proceed.”

More importantly, those who have kept paying attention to the problem may start to lose focus or fade out. People may become tired or say is this thing still going on?

And that is why I say Danger Will Robinson. The Google Book Deal is at Defcon 2.

This state of affairs may be due to the difficult nature of the task at hand.  Former NSA head General Michael Hayden recently said: [...]]]> Securing our networked environment is both crucial and difficult.  Six months ago, President Obama declared his Administration’s commitment to protect cyberspace from sabotage of all stripes.  For the President, the rise of online theft, electronic espionage, and military-related cyber assaults necessitated the appointment of a cyber czar to protect our cyber “national assets.”  The President has tried to fill that spot: Shane Harris of National Journal explains that “more candidates had declined the job than were still in the running for it.”  And despite our failed efforts at CoOp to recruit Orin Kerr for the job, the cyber czar position remains empty.

This state of affairs may be due to the difficult nature of the task at hand.  Former NSA head General Michael Hayden recently said: “There is no regime for us to work within to respond to cyberattack.  We are in a place where technology has long outstripped policy–let alone law–in term of what’s available.  We are going to have to rely on heroism instead of a plan.”  If Hayden has it right, it is no wonder that no one wants the job.

Nonetheless, the Administration may have already charted its path, one that entrusts the National Security Agency with protecting cyberspace.  According to the National Journal, Lt. General Keith B. Alexander, the NSA’s director, has been “setting up the central nervous system in the government’s campaign to defend cyberspace.”  The NSA will now, unlike the past, help oversee the networks of civilian government and privately-owned, criticial infrastructure (dams, railroads, hospitals, banks, food industry, hotels, telecommunications, postal, shipping, retail, transportation, and well everything else).  This is true even though DHS is charged with defending civilian networks and coordinating private sector protection.  Homeland Security Security Secretary Janet Napolitano said that NSA will provide DHS “technical assistance” on this issue.  In short, DHS will rely on the NSA for the tools, expertise, and resources to protect cyberspace.

So the NSA apparently will be overseeing and securing private networks, the same NSA that engaged in wholesale warrantless surveillance of Americans after 9/11 (and the agency that monitored telegrams coming in and out of the United States to detect individuals with communist ties in the 1950s and 1960s)?  Congress has, of course, limited the NSA’s warrantless wiretapping and the President has promised us greater transparency in government decision-making.  Nonetheless, NSA’s oversight over privately-owned systems and wholesale access to their contents raises serious concerns.  And because the NSA will direct these efforts in the name of national security and intelligence, little transparency will be forthcoming.  On another note, the question remains whether it was agency turf-war antics that led to Melissa Hathaway’s decision to leave government–she was the DHS official and most senior cyber expert in the White House who had been a leading candidate for the cyber czar post.  At the time of her resignation, Hathaway told the Washington Post that she “wasn’t willing to continue to wait any longer,” and she wasn’t “empowered” to make any changes.

As CNET reports, “Independent bloggers who fail to disclose paid reviews or freebies can face up to $11,000 in fines from the Federal Trade Commission, according to revisions to [...]]]> As I argue in my essay Individual Branding the web presents important and amazing new possibilities for individuals to earn money and much of that potential will flow from one’s online reputation. In short, as one blogs or shares information in another form, one becomes a trusted source and can start extract money from those activities. I argue that those acts have the seeds of the possible destruction of Benkler’s world of sharing. Today the FTC has targeted a practice that arguably could increase the reliability of social network endorsements but will also upset many people.

As CNET reports, “Independent bloggers who fail to disclose paid reviews or freebies can face up to $11,000 in fines from the Federal Trade Commission, according to revisions to the agency’s “Guides Concerning the Use of Endorsements and Testimonials in Advertising” published Monday.” The FTC has not updated the Guidelines since 1980. The press release is here. The full text of the Guides are here (pdf). It is 81 pages, and I have not read it as yet but one thing people should know is that the effective date is December 1, 2009.

From the release it appears that the guides take am expansive view of what presents a moment to disclose “The revised Guides specify that while decisions will be reached on a case-by-case basis, the post of a blogger who receives cash or in-kind payment to review a product is considered an endorsement. Thus, bloggers who make an endorsement must disclose the material connections they share with the seller of the product or service.” CNET suggests that celebrities and “mommy bloggers” could be in trouble under the new rules. (Here is my prediction on the riposte to come but that I don’t think is accurate: “The FTC hates moms. In a down economy and with more and more people needing new ways to earn, the FTC actions are a direct attack on the importance of moms.” Now back to our regularly scheduled blogging.)

There are a ton of oddly connected things here. First, I just blogged about CITP and its FedThread project. That project would allow one to track this sort of moment rather quickly. Second, I was just at the Works In Progress Intellectual Property Conference at Seton Hall (which was yet again an excellent conference and for which everyone at Seton Hall deserves many thanks) where Zahr Stauffer presented a fascinating paper called Novels for Hire: Branded Entertainment, Copyright and the Law that I think will have something to say about these changes. As one blog notes, the practice of giving journalists freebies is common. Zahr’s paper shows how advertising and novels have had a rather curious interaction over the years. I think the paper will help understand the way writing and advertising have co-existed in either good or bad ways at different times with the shift to blogging fitting in as part of that history. The paper should be available soon so keep an eye out for it.

Electronics and other big ticket items seem to be where the concerns are. I look forward to finding out whether book, film, and music reviewers have to tell readers whether they received a review copy of the book. In general if one only says nice things about a review subject, one might receive more books etc. I think that non-professional blogs and other online information sources such as rating systems and FaceBook will allow people to find out whether they should buy a product (i.e., one might use a personal network to ask whether a product is good). That practice could undercut the quiet payment model.

Here is a possible way to understand this turn of events. 1) Secret endorsements die out and full disclosure of what has been given is the norm. 2) Small bloggers and big agencies are no longer able to seem credible as reviewers. 3) If people want independent reviews, they must pay magazines or other pay sources who can afford to buy the review items and avoid the taint of being given free stuff. 4) The public does not want to pay and instead reads the blog reviews with the disclosures and augments the research with social networks and user ratings which are more difficult to fake and possibly more reliable. 5) Yet again paid, professional independent news and reviews seems to be squeezed out.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor [...]]]> During the 2008 election, Democrats effectively used Web 2.0 platforms to garner interest in the campaign and win supporters.  President Obama has been widely hailed as the first “Tech President,” and he seems to have trounced the Facebook landscape.  To date, President Barack Obama has over 6.6 million Facebook friends, while Sarah Palin only has 848, 614 Facebook pals and Mitt Romney has 70, 130.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor now that they are in the minority.  AMERICAblogs’ John Aravosis worries that Democrats have ceded their online advantage.

No matter the current political victor in this social media landscape, Government 2.0 is here to stay.  It surely has great potential to shine light on government policymaking and to marshal public participation, especially from people who otherwise wouldn’t bother getting involved with government policymaking.  Adding the President as a friend on MySpace and joining live chats may seem to be a relatively costless endeavor as compared to writing letters or commenting on agency rulemakings.  But Government 2.0 also poses privacy risks: social media sites not only give government access to people’s policy insights but also access to all of individuals’ social media data, such as their videos, photos, walls musings, “Top 25 things you don’t know about me” lists, and the like.  Soon, I will be posting on SSRN a draft of my essay “The One-Way Mirror: Enhancing Participation and Securing Privacy for Government 2.0″ (forthcoming George Washington Law Review) and hope to get your feedback.

For a moment, let’s put aside the stark difference between the [...]]]> Every year, my small section reads a New Yorker “On the Town” squib called “Oops” to kick off a discussion on care and professional responsibility in their legal careers.  “Oops” tells the story of a summer associate who, in 2003, mistakenly sent the following email to lawyers with whom he worked on a deal: “I’m buy doing jack shit.  Went to a nice 2hr sushi lunch today at Sushi Zen.  Nice place.  Spent the rest of the day typing e-mails and bullshitting with people.”  The summer associate signed  off the email: “So yeah, Corporate Love hasn’t worn off yet. But give me time.”  The summer associate meant to send the email to his friend.  Oops.

For a moment, let’s put aside the stark difference between the world (and law firm environment) facing the summer associates of 2003 and the one facing the summers of 2009 and turn to Sunday’s New York Times story “A Legal Battle: Online Attitude Vs. Rules of Bar.”  The Times talked about recent cases where lawyers do violence to their careers through their online activities.  Lawyers blog about judges:  one wrote that he thought a named judge was an “Evil, Unfair, Witch” and questioned the judge’s competence.  Another lawyer friended a judge on Facebook and later posted about his/her drinking and motorbiking.  The problem: the lawyer asked the judge to delay a trial because of a death in the family in the same week that the lawyer shared the drinking tales with his/her social network.  The lawyers in those cases have suffered serious consequences (the first is facing a reprimand from the bar, the second faced the wrath of his/her firm–the judge told the lawyer’s bosses what happened).

Now, the 2003 summer associate made a big mistake, but perhaps not on the same order as the lawyers covered in yesterday’s Times.  The summer associate had a slip of the finger perhaps, a hasty moment that changed the way those in his firm saw him.  But the lawyers arguably dove into the pool of their fate head first: one might say that they knowingly risked their careers and should suffer the consequences (to the extent the Bar desires and the First Amendment permits).  Social scientists like Alessandro Acquisti and danah boyd and legal scholars like James Grimmelmann offer an explanation for why people are so foolish online.  People write carelessly not because they have “a reduced sense of privacy” but because they felt anonymous.  As danah boyd explains, social network participants “live by ‘security through obscurity’ where they assume that as long as no one cares about them, no one will come knocking.”  They operate under the norm that people with no social connection to them “could look at your profile, but shouldn’t.”  They assume that only close friends are paying attention to their online activities.  All of this is to say that perhaps President Obama shouldn’t just talk to young people about the perils of oversharing online.  Maybe lawyers need the lesson too.

Wikimedia Commons Image

Some have asked whether this case warrants treatment as a cyber civil rights issue since it “is just a girl cat fight.”  To be sure, women can deprive other women of their right to be free of unequal treatment on the basis of their gender.  But the larger concern is, for me, convincing skeptics to see the blog attacks on Ms. [...]]]> Dan, Kaimi, and Elizabeth have offered some terrific insights on the issues raised by the court’s unmasking of the “Skanks of NYC” blogger.  Kaimi’s post “Cyber Civil Rights vs Privacy in the ‘Skanks in NYC’ case” in particular did a superb job capturing the issue as discrimination.  I write here to follow up on issues related to the case that folks have discussed with me.

Some have asked whether this case warrants treatment as a cyber civil rights issue since it “is just a girl cat fight.”  To be sure, women can deprive other women of their right to be free of unequal treatment on the basis of their gender.  But the larger concern is, for me, convincing skeptics to see the blog attacks on Ms. Cohen as more than just an interpersonal disagreement between two women, something that tort law can handily address on its own, but rather as gender discrimination.  Tort law would not reach the harm experienced by Ms. Cohen, women, and society due to the blog’s interference with her right to equal treatment.  It would not address the stigma that Ms. Cohen experienced a a result of the blog’s message that she had worth only as a sex object.  Much like sexual harassment in the workplace, the blog suggested that Ms. Cohen constitutes an object of sexual derision, not a person worthy of respect.  Moreover, they interfered with Ms. Cohen’s right to work as an equal.  According to Ms. Cohen, potential employers asked her about the blog, which quite possibly deterred them and others from hiring her.  In a world filled with aspiring models, employers might chose to work with someone who comes with less baggage, even if they do not believe the postings a wit.  And the blog postings harm women as a group and a society as a whole by entrenching gender hierarchy in cyberspace.  Whether current law would support such a claim is certainly in dispute, but such a law could be crafted.  Such a law would play an important expressive role–it would change the social meaning of such harassment of women.

Indeed, as privacy scholar Ian Kerr suggested, maybe the media’s attention to the case can be attributed to its leering interest in a “battle” between two beautiful women?  Maybe coverage of the issue reflects a deeper misogyny: the story has attracted so much attention because it produces an image of women as female wrestlers of sorts, battling it out in their bikinis?

A commentator on Dan’s posting asked whether labeling Ms. Cohen “a liar, ho, and skank” could support a defamation claim, at least under the Doe v. Cahill summary judgment standard to warrant unmasking the defendant.  Courts have upheld defamation awards in cases where defendants’ online postings asserted that plaintiffs were “liars.”  The allegations also might have supported an intentional infliction of emotional distress claim.  As my colleague Greg Young wisely noted to me though, even a rigorous standard like the one in Doe v. Cahill (which I support much like Dan) gives leeway to judges to balance values and risks imposing costs on speech.

Hat tip to Ian Kerr and Greg Young.

Attorneys live and die by documents. As I tell my students, you must write well, because lawyers are paid in large part to write. With around 1.1 million attorneys practicing in the U.S., a large amount of paper, a.k.a., courts documents, is generated [...]]]> As some of you know I am a Visiting Fellow this year at Princeton’s Center for Information Technology Policy. When I arrived a couple weeks ago, I heard about a project in the works and have been dying to tell people about it. It is now live and looks great. It is called RECAP and just may change the way people access a major part of the law. We’re talking about the law that lurks outside cases; the actual guts of litigation.

Attorneys live and die by documents. As I tell my students, you must write well, because lawyers are paid in large part to write. With around 1.1 million attorneys practicing in the U.S., a large amount of paper, a.k.a., courts documents, is generated each and every day. Court documents are essentially public documents (there are times when papers are sealed etc., but that is a separate matter). The government runs a system called PACER that allows one to search for and access U.S. Appellate, District, and Bankruptcy court records and documents. But as the Washington Post explains, “The fee to access PACER is $0.08 per page: ‘The per page charge applies to the number of pages that results from any search, including a search that yields no matches (one page for no matches.) The charge applies whether or not pages are printed, viewed, or downloaded.’ For people who do a lot of legal research, those fees add up quickly.”

In an era of transparent government, open source, and access-to-knowledge movements, it was only a matter of time before someone decided to find a way to make court documents available on a broader basis. The folks at Stanford have the IP Litigation Clearing House. That project aims to fill the “critical need for a comprehensive, online resource for scholars, policy makers, industry, lawyers, and litigation support firms in the field of intellectual property litigation.” That project has 23,000 documents and is growing. Pretty darn good, if you ask me. But wait; don’t order yet! Now comes RECAP from the folks at Princeton’s Center for Information Technology Policy. (Specifically, Harlan Yu, Steve Schultze, and Timothy B. Lee developed the project which is led by Prof. Ed Felten). Here is the link to the About Page, but let me tell you a little more.

CITP’s Harlan Yu explains:

RECAP is a plug-in for the Firefox web browser that makes it easier for users to share documents they have purchased from PACER, the court’s pay-to-play access system. With the plug-in installed, users still have to pay each time they use PACER, but whenever they do retrieve a PACER document, RECAP automatically and effortlessly donates a copy of that document to a public repository hosted at the Internet Archive.

In addition, if one is using PACER and RECAP “The documents in this repository are, in turn, shared with other RECAP users, who will be notified whenever documents they are looking for can be downloaded from the free public repository.” So when one searches for a document, one is notified about the availability of a free copy of the document.

There is probably much more to say here, but for now I want to congratulate the folks here at CITP on a great idea that uses information, technology, law, and policy to craft an elegant solution to increasing government transparency. This resource should feed almost anyone interested in practicing or studying the law. Empirical researchers alone should be drooling at this new wealth of information.

Last month, Government Technology had an article entitled “Blurring the Line,” which discussed the increasingly public nature of online social networking sites.  Employers now “friend” employees, leaving the employed likely to accept those friendships out of fear for losing their jobs.  The article discusses the problems attendant to the convergence of of our work, social, and family worlds and asks whether this phenomenon will alter the nature of those spaces from a sharing free-for-all to a more buttoned-down, “not afraid for the boss to see” experience.

In reading the article, I wondered if the story will play out in a different way, one that will meet employers’ desire to harness the connectivity of social networking sites without compromising its current incarnation.  As we have seen in [...]]]>

Last month, Government Technology had an article entitled “Blurring the Line,” which discussed the increasingly public nature of online social networking sites.  Employers now “friend” employees, leaving the employed likely to accept those friendships out of fear for losing their jobs.  The article discusses the problems attendant to the convergence of of our work, social, and family worlds and asks whether this phenomenon will alter the nature of those spaces from a sharing free-for-all to a more buttoned-down, “not afraid for the boss to see” experience.

In reading the article, I wondered if the story will play out in a different way, one that will meet employers’ desire to harness the connectivity of social networking sites without compromising its current incarnation.  As we have seen in the government sector with internal wikis like Intellipedia, we may see employers increasingly adopt in-house social networking sites, say a [Name] Company Connect.org, just as we have seen employers wade into the Twitter space.  We may already be doing this (and it would be really interesting to learn about it), but perhaps such sites would nip in the bud employers/managers/supervisors’ desire to friend their underlings.  This may detract from the goal of monitoring employees, but we surely have enough of that in the workplace already (as well as the ability to view employees’ profiles for the very many people who fail to set rigorous privacy settings, as ACM studies show).  And it may save employers from having looked at employees’ damning wall musings and pictures and figuring out just what to do about it.

The cloud, however, comes with real dangers.

Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book [...]]]> Jonathan Zittrain has a superb Op-Ed in The New York Times on the various risks attendant to cloud computing.  He writes:

The cloud, however, comes with real dangers.

Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody as a compact disc or an MP3 file on your hard drive, you can lose your music if you fall behind on your payments — or if the vendor goes bankrupt or loses interest in the service. Last week Amazon apparently conveyed a publisher’s change-of-heart to owners of its Kindle e-book reader: some purchasers of Orwell’s “1984” found it removed from their devices, with nothing to show for their purchase other than a refund. (Orwell would be amused.)

Worse, data stored online has less privacy protection both in practice and under the law. A hacker recently guessed the password to the personal e-mail account of a Twitter employee, and was thus able to extract the employee’s Google password. That in turn compromised a trove of Twitter’s corporate documents stored too conveniently in the cloud. Before, the bad guys usually needed to get their hands on people’s computers to see their secrets; in today’s cloud all you need is a password.

Thanks in part to the Patriot Act, the federal government has been able to demand some details of your online activities from service providers — and not to tell you about it. There have been thousands of such requests lodged since the law was passed, and the F.B.I.’s own audits have shown that there can be plenty of overreach — perhaps wholly inadvertent — in requests like these.

The cloud can be even more dangerous abroad, as it makes it much easier for authoritarian regimes to spy on their citizens. The Chinese government has used the Chinese version of Skype instant messaging software to monitor text conversations and block undesirable words and phrases. It and other authoritarian regimes routinely monitor all Internet traffic — which, except for e-commerce and banking transactions, is rarely encrypted against prying eyes.

With a little effort and political will, we could solve these problems. Companies could be required under fair practices law to allow your data to be released back to you with just a click so that you can erase your digital footprints or simply take your business (and data) elsewhere. They could also be held to the promises they make about content sold through the cloud: If they sell you an e-book, they can’t take it back or make it less functional later. To increase security, companies that keep their data in the cloud could adopt safer Internet communications and password practices, including the use of biometrics like fingerprints to validate identity.

And some governments can be persuaded — or perhaps required by their independent judiciaries — to treat data entrusted to the cloud with the same level of privacy protection as data held personally. The Supreme Court declared in 1961 that a police search of a rented house for a whiskey still was a violation of the Fourth Amendment privacy rights of the tenant, even though the landlord had given permission for the search. Information stored in the cloud deserves similar safeguards.

But the most difficult challenge — both to grasp and to solve — of the cloud is its effect on our freedom to innovate. The crucial legacy of the personal computer is that anyone can write code for it and give or sell that code to you — and the vendors of the PC and its operating system have no more to say about it than your phone company does about which answering machine you decide to buy. Microsoft might want you to run Word and Internet Explorer, but those had better be good products or you’ll switch with a few mouse clicks to OpenOffice orFirefox.

You can read the rest of the Op-Ed here.

Stock Xchange Image

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients’ behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, the analysis of encrypted information can yield the same detailed results [...]]]> According to Help Net Security, Craig Gentry, a researcher at IBM, appears to have found a way to allow “the deep and unlimited analysis of encrypted information – data that has been intentionally scrambled – without sacrificing confidentiality.” The solution involves a an “ideal lattice.” I’ll leave the explanation of all the math to the math/computer science folks. As the Help Net article notes, the solution seems to enable some great advantages for anyone providing cloud computing for:

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients’ behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, the analysis of encrypted information can yield the same detailed results as if the original data was fully visible to all.

It all sounds wonderful. One could have encrypted data and let others data mine while maintaining anonymity or privacy. Yet, something seemed odd to me. So I did what lawyers do, I called someone who knew more about computer science and asked for some help. That person explained that yes this could mean one could query an encrypted database without decrypting the data. The example to consider is a database of book purchases. One could ask how many people bought both book A and book B and see that result without ever seeing what a specific person purchased. Great, right? Not so fast.

As this person reminded me, with other sources of information one can figure out what a specific person did. That reminded me of the AOL debacle. With a little work, people were able to figure out who the anonymous subjects were.

All of which highlights that privacy is not binary. The cluster of information and the ability to analyze it seems often, if not always, to lead to problems about the use of information. So if this breakthrough allows a company or the government to claim that we should remain calm and all is well, we may want to remain clam but show how all may not be well. A few regulations about the use of the data even if supposedly anonymous, might allow the beneficial aspects of the solution to thrive while limiting the harms that can occur.

Image: WikiCommons
By: Gwenda; License: Public Domain
(My apologies to CS folks if the image does not match the breakthrough’s area of encryption)

Here are some practical concerns: the personal information on MySpace pages could be collected and joined with other data gathered from private data mining companies, public sector databases, etc.  (Oftentimes, data about us collected by third parties is often faulty).  All together, the information could suggest (albeit falsely) that we constitute a threat to society.  Law enforcement could be informed and our names could be put on watch lists.  This is not a hypothetical problem, see here.  [...]]]> Yesterday, I wrote about the public’s expectations regarding privacy when interacting with government on social networking sites such as Facebook, MySpace, Flickr among others.  Why should we care if agencies collect our musings, videos, and pictures that we have willingly shared with online “friends,” both real and imaginary ones?

Here are some practical concerns: the personal information on MySpace pages could be collected and joined with other data gathered from private data mining companies, public sector databases, etc.  (Oftentimes, data about us collected by third parties is often faulty).  All together, the information could suggest (albeit falsely) that we constitute a threat to society.  Law enforcement could be informed and our names could be put on watch lists.  This is not a hypothetical problem, see here.  If federal agencies collected and maintained that data in their systems, it would be covered by the Privacy Act of 1974.  Nonetheless, you would still appear on a watch list or assigned another ignominious fate by an automated government system.

As a normative matter, the absence of privacy vis-a-vis government on online social networking sites is unappealing.  It would likely have an impact on our willingness to friend government agencies.  We would be less likely to join online conversations that the Open Government directive hopes to generate.  Or if we friend a government agency because we want to peer inside its operations, we may edit what we include on our profiles.  As Julie Cohen has elegantly developed in her work, the lack of privacy would chill our creativity and desire to experiment with different aspects of our personalities.  And Patricia Sanchez Abril has a superb piece entitled “A (My)Space of One’s Own: On Privacy and Online Social Networks” that discusses the social implications of a “no privacy” presumption in information we share with our friends on social networking sites.  Justice Douglas’s remark that “monitoring, if prevalent, certainly kills free discourse and spontaneous utterances” should not be lost to us here.

Wikimedia Commons Image

Not surprisingly, the French Constitutional Council struck down the provision of the law that would cut off Internet access to repeated copyright offenders, finding it incompatible with the French Constitution and [...]]]> French President Nicolas Sarkozy recently noted that the Internet is not a lawless zone.  On that, many of us agree.  But then he went a step too far, trumpeting a law that would cut off Internet access to people who repeatedly download copyrighted content  illegally.  The law would have set up a “three-strike” system in which music labels and movie studios would monitor file-sharing web sites to identify computers that have illegally downloaded copyrighted content and then report suspected pirates to a government committee, which in turn would review cases and require ISPs to identify offenders.   

Not surprisingly, the French Constitutional Council struck down the provision of the law that would cut off Internet access to repeated copyright offenders, finding it incompatible with the French Constitution and its due process protections.  The Council ruled that the law will be enacted without the “three-strike” component.  Instead, the government agency can only send out mail and email warnings to suspected pirates.  If the agency wants to further sanction a suspected pirate, it would have to go to court. 

The decision appears to be a narrow one, leaving open the possibility of Internet banning upon judicial review.  On the one hand, this is a wise move given the likelihood that a computer’s involvement in mischief was truly the doings of a neighbor using its wireless router.  Judicial review would address that scenario.  On the other hand, it leaves open the troubling possibility of banning Internet use due to copyright violations.  The protection of artistic creation can surely be accomplished by less extreme measures, i.e., ones that do not cut off a copyright offender’s exercise of basic freedoms in this networked age, from her right to express ideas, create artistic content, associate with religious groups, and make a living.

Wikimedia Commons Image

Aside from the celebrity context, we may see other misuses of Twitter feeds.  Governments increasingly use Twitter to alert the public about car accidents, fires, crime reports, and public health emergencies.  [...]]]> Individuals increasingly use social networking tools to commit fraud.  Philadelphia Eagles player Asante Samuel discovered his Twitter imposter after the Philadelphia Daily News attributed to him comments from his doppleganger’s Twitter feed.  Keith Olbermann was a victim of Twitter impersonation as was Tony La Russa, manager of the St. Louis Cardinals.  Temple professor Susan Jacobson predicts that much like the early days of the Internet when individuals bought the domain names of celebrities to sell it to those notables for a tidy profit, we will likely see variations of such mischief on social networking sites.

Aside from the celebrity context, we may see other misuses of Twitter feeds.  Governments increasingly use Twitter to alert the public about car accidents, fires, crime reports, and public health emergencies.  A tweet about a fabricated fire or car accident could cause dangerous traffic jams and needless panic.  Someone could impersonate a police department, sending tweets about crimes never committed.  This teaches us to be circumspect about all of those Twitter updates.

H/T to Jim Stanton for his blog posting, “Social Media Fraud On the Increase.”

Wikimedia Commons Image

Why do we need to coalesce power in a cyber security czar to oversee the nation’s information security efforts?  Ira Winkler offers an explanation for centralizing this responsibility, rather than [...]]]> President Obama recently announced the creation of a White House cyber security coordinator who will oversee a national strategy for securing American interests in cyberspace.  The coordinator will be a member of the National Security Council, reporting to the national security adviser and the senior White House economic adviser.   President Bush started us in this direction by instituting the Cyber Initiative to overhaul the government’s cyber defenses.  Yet we remain vulnerable to attacks on systems related to government operations, money supply, electric-power distribution, and transportation.  Thus, devoting resources to shoring up cyber security is crucial.

Why do we need to coalesce power in a cyber security czar to oversee the nation’s information security efforts?  Ira Winkler offers an explanation for centralizing this responsibility, rather than spreading it across various agencies.  He considers complications that arise when multiple agencies engage in cyber security efforts of the offensive and defensive variety.  He asks: what if the NSA engages in a long-term project to enter false information into an adversary’s database, unaware that the Army had hacked into the same database to try to track military movements?  According to Winkler, the lack of coordination would allow the NSA’s efforts to mislead the Army.  Divergent defensive efforts could similarly clash, thus undermining cyber security.

The President’s plan raises a number of unresolved issues.  The President hopes to recruit the private sector’s help in devising a comprehensive security strategy.  He has suggested building public and private partnerships around cybersecurity.  How will the Administration accomplish this partnership?  Would it be designed to get input from security professionals regarding government regulation of the private sector’s cyber security efforts?  Will the government have a role in overseeing private networks?  The heart burn involved in solving these issues is worthwhile given the critical importance of our networks to our economy and the real threat of cyber warfare.

Thanks to Wikimedia Commons for the image.