Archive for the ‘Privacy’ Category
UCLA Law Review 57:1 (October)
posted by UCLA Law Review
Volume 57, Issue 1 (October 2009)
Articles
| From Privacy To Liberty: The Fourth Amendment After Lawrence | Thomas P. Crocker | 1 |
| Who Can Sue Over Government Surveillance? | Scott Michelman | 71 |
| Leverage in the Board Room: The Unsung Influence of Private Lenders in Corporate Governance | Frederick Tung | 115 |
Essay
| After the Bailout: Regulating Systemic Moral Hazard | Karl S. Okamoto | 183 |
Comments
| Evaluating The Public Interest: Regulation Of Industrial Hemp Under The Controlled Substances Act | Christine A. Kolosov | 237 |
| Improving The Education Of California’s Juvenile Offenders: An Alternative To Consent Decrees | Stefanie Low | 275 |
| The Right to Control One’s Name | Julia Shear Kushner | 313 |
Discourse
| Getting the Framers Wrong: A Response to Professor Geoffrey Stone | Samuel Calhoun | |
| The Perils of Religious Passion: A Response to Professor Samuel Calhoun | Geoffrey Stone |
Th UCLA Law Review is also pleased to announce the launch of a our new website.
October 30, 2009 at 4:21 pm
Posted in: Civil Rights, Constitutional Law, Corporate Law, Law Rev (UCLA), Privacy, Privacy (Electronic Surveillance), Privacy (Law Enforcement), Uncategorized
Print This Post
2 Comments
Ensuring that We Leave Children Behind
posted by Danielle Citron
Talk about children, their educations, and security abound. Politicians declare their devotion to children’s issues. Singers and actors assure us that “children are our future.” Books enlist villages to raise them. But when the rubber hits the road we routinely fail children in so many ways, including privacy. Today, Joel Reidenberg’s Center on Law and Information Policy released a report attesting to our utter inability to protect the privacy of children’s educational records. Reviewing publicly available information from all 50 states, the CLIP study found that states collect information far in excess of what law requires, including data about pregnancy, mental illness, family wealth, jail sentences, and Social Security numbers. Despite the sensitive nature of the information collected, state databases have weak privacy protections. The study found that oftentimes the flow of information from local schools to state departments of education failed to comply with the privacy requirements of the Family Educational Rights and Privacy Act.
This appalling state of affairs cannot stand. Such databases are ripe for identity thieves and hackers who will enjoy plundering the Social Security numbers. They can lead to discrimination based on inappropriately shared health information. The CLIP study has offered a number of wise recommendations, including the minimization of data collection, adoption of clear retention policies, and maintenance of audit logs. It also suggests the anonymization of data through the use of dual database architectures, which I wonder if Paul Ohm’s important work on the myth of anonymity would question. Otherwise, this study must be read and heeded.
October 28, 2009 at 1:28 pm
Posted in: Current Events, Education, Privacy
Print This Post
No Comments
Privacy’s Zietgeist Moment
posted by Danielle Citron
Privacy has seemingly come center stage. Companies like Google, Microsoft, and eBay have joined forces to support a federal law that would impose uniform standards for the collection, use, and transfer of information across the private sector. Activists and officials hope 
to update the Privacy Act of 1974 for the twenty-first century. Senator Leahy has a renewed interest in data breach legislation, proposing the Personal Data Privacy and Security Act in July. The American Recovery and Reinvestment Act of 2009, the stimulus bill, includes a data breach notification requirement for health providers. The Federal Trade Commission recently published its final rule on data breach notification for e-health records.
Strengthening the nation’s commitment to privacy is crucial. But, as Paul Schwartz’s engrossing Preemption and Privacy essay (Yale Law Journal) illuminates, a unitary federal information privacy statute should give us pause. Today’s information privacy law landscape is mainly comprised of federal sector-specific statutes and stronger state regulation. Schwartz makes a compelling case for remaining on that course, rather than adopting a uniform federal privacy statute. As Schwartz underscores, a uniform federal approach would likely preempt stronger state law rules, eliminating successful experimentation at the state level. California exemplifies this trend: its privacy innovations include allowing consumers to freeze their credit in the face of identity theft among others. New York and Connecticut are now considering bills that would set limits on companies that track consumers across websites to deliver targeted advertisements based on their online behavior. A uniform federal law would likely extinguish state-driven innovations whereas most federal sectoral privacy laws, such as the Gramm-Leach-Bliley Act, only provide a federal floor for information privacy and security, not a ceiling. Schwartz highlights the possibility that a comprehensive information privacy law may ossify, thus making the loss of state experimentation all the more grave. The piece also spearheads an important discussion about whether the centralizing forces at work today undermines the contributions of competitive federalism.
Schwartz’s piece is a must read. Here is the abstract for Preemption and Privacy: Read the rest of this post »
October 27, 2009 at 11:08 am
Posted in: Current Events, Cyberlaw, Privacy
Print This Post
No Comments
Government’s Data Glut
posted by Danielle Citron
Government is increasingly automating its services. From Medicaid coverage to building permits, machines help determine individuals’ ability to take advantage of important governmental benefits and services. Agencies collect huge amounts of data in the process. Mayor Michael Bloomberg recently remarked that the real payoff of such automation is “actually us[ing] the data.” With that mission in mind, agencies emphasize the importance of linking government databases to take full advantage of tools that mine data for insights. In the effort to make its city “smarter,” Dubuque, Iowa is working on a project that will use sensors, software, and networked computing to give its government and individuals the digital tools to measure, monitor, and alter the way that they use water, electricity, and transportation.
To be sure, computer algorithms can analyze linked databases to identify fraud and waste, as well as simply help government make better decisions and policy. But one hopes that government is not following the “adopt first-think later” model (as with e-voting machine purchases) when it comes to privacy, security, and auditability of these linked systems. To what extent are vendors accounting for these concerns? As my work on Technological Due Process and Open Code Governance explores, government’s automated systems overwhelmingly fail to incorporate audit trails that would reveal where information comes from and who has been using it. We see this problem at the state level, where agencies often collect information free of intrusive regulation such as the Privacy Act of 1974 and perhaps even if they did would contend that the merging of data to allow intra-agency access would constitute a “routine use.” No matter, managing this data glut in an accountable and privacy-protective manner is crucial as we move forward.
On a related note, Ken Bamberger’s Technologies of Compliance: Risk and Regulation in a Digital Age does a superb job exploring another side to the automated systems story. His piece addresses firms’ automation of their compliance with laws mandating risk management. Click here to read the abstract. A must read.
October 14, 2009 at 1:12 pm
Posted in: Administrative Law, Privacy, Technology, Uncategorized
Print This Post
No Comments
Making the Internet Safer, the NSA Way
posted by Danielle Citron
Securing our networked environment is both crucial and difficult. Six months ago, President Obama declared his Administration’s commitment to protect cyberspace from sabotage of all stripes. For the President, the rise of online theft, electronic espionage, and military-related cyber assaults necessitated the appointment of a cyber czar to protect our cyber “national assets.” The President has tried to fill that spot: Shane Harris of National Journal explains that “more candidates had declined the job than were still in the running for it.” And despite our failed efforts at CoOp to recruit Orin Kerr for the job, the cyber czar position remains empty.
This state of affairs may be due to the difficult nature of the task at hand. Former NSA head General Michael Hayden recently said: “There is no regime for us to work within to respond to cyberattack. We are in a place where technology has long outstripped policy–let alone law–in term of what’s available. We are going to have to rely on heroism instead of a plan.” If Hayden has it right, it is no wonder that no one wants the job.
Nonetheless, the Administration may have already charted its path, one that entrusts the National Security Agency with protecting cyberspace. According to the National Journal, Lt. General Keith B. Alexander, the NSA’s director, has been “setting up the central nervous system in the government’s campaign to defend cyberspace.” The NSA will now, unlike the past, help oversee the networks of civilian government and privately-owned, criticial infrastructure (dams, railroads, hospitals, banks, food industry, hotels, telecommunications, postal, shipping, retail, transportation, and well everything else). This is true even though DHS is charged with defending civilian networks and coordinating private sector protection. Homeland Security Security Secretary Janet Napolitano said that NSA will provide DHS “technical assistance” on this issue. In short, DHS will rely on the NSA for the tools, expertise, and resources to protect cyberspace.
So the NSA apparently will be overseeing and securing private networks, the same NSA that engaged in wholesale warrantless surveillance of Americans after 9/11 (and the agency that monitored telegrams coming in and out of the United States to detect individuals with communist ties in the 1950s and 1960s)? Congress has, of course, limited the NSA’s warrantless wiretapping and the President has promised us greater transparency in government decision-making. Nonetheless, NSA’s oversight over privately-owned systems and wholesale access to their contents raises serious concerns. And because the NSA will direct these efforts in the name of national security and intelligence, little transparency will be forthcoming. On another note, the question remains whether it was agency turf-war antics that led to Melissa Hathaway’s decision to leave government–she was the DHS official and most senior cyber expert in the White House who had been a leading candidate for the cyber czar post. At the time of her resignation, Hathaway told the Washington Post that she “wasn’t willing to continue to wait any longer,” and she wasn’t “empowered” to make any changes.
October 6, 2009 at 9:12 am
Posted in: Architecture, Cyberlaw, Privacy, Privacy (Law Enforcement), Privacy (National Security), Technology, Uncategorized
Print This Post
One Comment
Consumer Attitudes on Privacy and Behavioral Marketing
posted by Daniel Solove
Joseph Turow, Chris Hoofnagle, Jennifer King, Amy Bleakley, and Michael Hennessy have just issued a very interesting consumer survey on privacy and behavioral marketing entitled, Americans Reject Tailored Advertising and Three Activities that Enable It.
Some of the survey’s findings:
* Even when they are told that the act of following them on websites will take place anonymously, Americans’ aversion to it remains: 68% “definitely” would not allow it, and 19% would “probably” not allow it. (p. 2)
* 69% of American adults feel there should be a law that gives people the right to know everything that a website knows about them. (p. 2)
* 92% agree there should be a law that requires “websites and advertising companies to delete all stored information about an individual, if requested to do so.” (p. 2)
* Signaling frustration over privacy issues, Americans are inclined toward strict punishment of information offenders. 70% suggest that a company should be fined more than the maximum amount suggested ($2,500) “if a company purchases or uses someone’s information illegally.” (p. 3)
* Our survey did find that younger American adults are less likely to say no to tailored advertising than are older ones. Still, more than half (55%) of 18- 24 year-olds do not want tailored advertising. And contrary to consistent assertions of marketers, young adults have as strong an aversion to being followed across websites and offline (for example, in stores) as do older adults. 86% of young adults say they don’t want tailored advertising if it is the result of following their behavior on websites other than one they are visiting, and 90% of them reject it if it is the result of following what they do offline. (p. 2)
These are just a few of the many findings in this fascinating survey. The New York Times has coverage of the survey here.
September 29, 2009 at 6:28 pm
Posted in: Privacy, Privacy (Consumer Privacy)
Print This Post
No Comments
Tweeting for the Party
posted by Danielle Citron
During the 2008 election, Democrats effectively used Web 2.0 platforms to garner interest in the campaign and win supporters. President Obama has been widely hailed as the first “Tech President,” and he seems to have trounced the Facebook landscape. To date, President Barack Obama has over 6.6 million Facebook friends, while Sarah Palin only has 848, 614 Facebook pals and Mitt Romney has 70, 130.
Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front. The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer. Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor now that they are in the minority. AMERICAblogs’ John Aravosis worries that Democrats have ceded their online advantage.
No matter the current political victor in this social media landscape, Government 2.0 is here to stay. It surely has great potential to shine light on government policymaking and to marshal public participation, especially from people who otherwise wouldn’t bother getting involved with government policymaking. Adding the President as a friend on MySpace and joining live chats may seem to be a relatively costless endeavor as compared to writing letters or commenting on agency rulemakings. But Government 2.0 also poses privacy risks: social media sites not only give government access to people’s policy insights but also access to all of individuals’ social media data, such as their videos, photos, walls musings, “Top 25 things you don’t know about me” lists, and the like. Soon, I will be posting on SSRN a draft of my essay “The One-Way Mirror: Enhancing Participation and Securing Privacy for Government 2.0″ (forthcoming George Washington Law Review) and hope to get your feedback.
September 28, 2009 at 12:11 pm
Posted in: Cyberlaw, Google & Search Engines, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security), Social Network Websites, Technology, Uncategorized
Print This Post
No Comments
Burglars Like Facebook, Too
posted by Danielle Citron
Facebook offers much to law enforcement, perhaps more than many might think. Last week, a Pennsylvania man was arraigned for felony burglary, having allegedly broken into a woman’s home and stolen jewelry. The defendant seemingly played a big role in ensuring his capture: he checked his Facebook page during the burglary. The victim noticed that the defendant’s Facebook account appeared on her computer after the burglary. No joke. This takes harming oneself through social networking to a new level.
September 22, 2009 at 11:53 am
Posted in: Anonymity, Criminal Law, Privacy, Privacy (Consumer Privacy), Privacy (Law Enforcement), Technology, Uncategorized, Weird
Print This Post
No Comments
Facebook Settles Beacon Lawsuit
posted by Daniel Solove
A while ago, I wrote a lot about Facebook’s Beacon on this blog:
* The Facebook-Fandango Connection: Invasion of Privacy?
* Facebook’s Beacon: News Feeds All Over Again?
* Facebook and the Appropriation of Name or Likeness Tort
* The New Facebook Ads — Starring You: Another Privacy Debacle?
* Facebook — the New DoubleClick?
* Facebook Listens and Responds
* Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act
A class action suit was initiated against Facebook, and recently, a settlement agreement has been reached. According to the WSJ:
Facebook Inc. said Friday it settled a class-action lawsuit related to its Beacon Web product, a controversial service that displayed actions that users took on other Web sites back on Facebook.
As part of the settlement, which is pending approval in the U.S. District Court of the Northern District of California, the social-network concern will shut down the Beacon service, which it has been phasing out but which is still being used by a small number of Web sites, according to a Facebook spokesman.
The company will also pay $9.5 million to create a foundation to fund products that promote online privacy, safety and security, the spokesman said. The settlement was submitted to the court late Friday evening.
September 21, 2009 at 10:00 pm
Posted in: Privacy, Privacy (Consumer Privacy), Social Network Websites, Web 2.0
Print This Post
No Comments
Professional Responsibility Meets Facebook, Another Oops the Bar
posted by Danielle Citron
Every year, my small section reads a New Yorker “On the Town” squib called “Oops” to kick off a discussion on care and professional responsibility in their legal careers. “Oops” tells the story of a summer associate who, in 2003, mistakenly sent the following email to lawyers with whom he worked on a deal: “I’m buy doing jack shit. Went to a nice 2hr sushi lunch today at Sushi Zen. Nice place. Spent the rest of the day typing e-mails and bullshitting with people.” The summer associate signed off the email: “So yeah, Corporate Love hasn’t worn off yet. But give me time.” The summer associate meant to send the email to his friend. Oops.
For a moment, let’s put aside the stark difference between the world (and law firm environment) facing the summer associates of 2003 and the one facing the summers of 2009 and turn to Sunday’s New York Times story “A Legal Battle: Online Attitude Vs. Rules of Bar.” The Times talked about recent cases where lawyers do violence to their careers through their online activities. Lawyers blog about judges: one wrote that he thought a named judge was an “Evil, Unfair, Witch” and questioned the judge’s competence. Another lawyer friended a judge on Facebook and later posted about his/her drinking and motorbiking. The problem: the lawyer asked the judge to delay a trial because of a death in the family in the same week that the lawyer shared the drinking tales with his/her social network. The lawyers in those cases have suffered serious consequences (the first is facing a reprimand from the bar, the second faced the wrath of his/her firm–the judge told the lawyer’s bosses what happened).
Now, the 2003 summer associate made a big mistake, but perhaps not on the same order as the lawyers covered in yesterday’s Times. The summer associate had a slip of the finger perhaps, a hasty moment that changed the way those in his firm saw him. But the lawyers arguably dove into the pool of their fate head first: one might say that they knowingly risked their careers and should suffer the consequences (to the extent the Bar desires and the First Amendment permits). Social scientists like Alessandro Acquisti and danah boyd and legal scholars like James Grimmelmann offer an explanation for why people are so foolish online. People write carelessly not because they have “a reduced sense of privacy” but because they felt anonymous. As danah boyd explains, social network participants “live by ‘security through obscurity’ where they assume that as long as no one cares about them, no one will come knocking.” They operate under the norm that people with no social connection to them “could look at your profile, but shouldn’t.” They assume that only close friends are paying attention to their online activities. All of this is to say that perhaps President Obama shouldn’t just talk to young people about the perils of oversharing online. Maybe lawyers need the lesson too.
Wikimedia Commons Image
September 14, 2009 at 3:58 pm
Posted in: Cyberlaw, Law Practice, Privacy, Psychology and Behavior, Uncategorized
Print This Post
3 Comments
Understanding Privacy in Paperback
posted by Daniel Solove
I’m pleased to announce that my book, Understanding Privacy, has just come out in paperback from Harvard University Press, with a price that’s much more reasonable and affordable than the hardcover.
Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.
September 14, 2009 at 7:36 am
Posted in: Articles and Books, Book Reviews, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Privacy (ID Theft), Privacy (Law Enforcement), Privacy (Medical), Privacy (National Security)
Print This Post
No Comments
Reservoirs of Patient Data: Next Generation’s Privacy Problem
posted by Danielle Citron
Patients of rare diseases find that drug companies have little interest in devoting limited R&D budgets to diseases of small populations. As a result, patients have begun to strike out on their own in the search of cures. As The New York Times explains, patients increasingly share their medical information (including details about their everday experiences living with a disease) online in the hopes that other similarly-situated patients will do the same. This would permit interested academic researchers to mine the data for observations about their diseases. Patients see online communities as offering new ways to transform medical research–especially into rare diseases that elude the current model of large-scale studies of widespread conditions.
Some experts are skeptical, asking how these sites will guarantee patient privacy. One imagines that these sites will respond to privacy concerns by employing anonymization practices. For instance, sites might delete personal identifiers like names and social security numbers and remove other potential identifiers, such as names of next of kin or student ID numbers. This ostensibly permits researchers to use the amassed data without concomitant privacy risks. But, as Paul Ohm’s important and engrossing new paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization argues, technology renders this privacy-protection option obsolete. Computing advances now permit clever adversaries to reidentify or deanonymize the people hidden in anonymized databases. This means that datasets that were meant to be kept apart are easily rejoined, allowing sensitive secrets to be revealed.
Patients may of course be willing to take that risk if their particpation in open-source research leads to cures of rare diseases. Yet patients also jeopardize their offsprings’ privacy: if medical information can be reidentified with ease and linked with other datasets, a patient’s children may get caught up in that web of re-identification. This may lead to genetic discrimination in the grown-up child’s life. Grown-up children may be willing to bear that risk–it is, however, worth considering this possibility when assessing privacy concerns related to such open-source research efforts.
September 1, 2009 at 4:05 pm
Posted in: Anonymity, Privacy, Privacy (Medical), Technology, Uncategorized
Print This Post
One Comment
Breaching a Child’s Confidentiality
posted by Daniel Solove
Over at the NYT blog is an interesting story about a British writer (Julie Myerson) who has published a memoir about her son’s drug addiction (The Lost Child). Her 20-year old son has criticized the publication of the book. According to the Telegraph (UK):
The 20-year-old said: “What she has done has taken the very worst years of my life and cleverly blended it into a work of art, and that to me is obscene.
“I was only 17, I was a confused teenager, I was too young really to know who I was or what was happening.
“What she describes in her book are a series of incidents, it’s not who I am and I find it very sad that she feels the need to tar me with the ‘drug addict’ brush.
“She’s been writing about me since I was two, and, quite frankly, I’m not surprised by anything she does any more.
The NYT Blog asks:
Is it inappropriate and even harmful to expose the private lives of minor children, in particular? What privacy lines should be observed, if any, in writing about family members and others?
It contains responses from four people, Alison Gopnik (a psychology professor), David Matthews (author), Melanie Gideon (author0, and Michael Greenberg (author). For example, Author David Matthews writes:
Nothing is off limits as far as I’m concerned. Whether an author wants to risk fraying familial and social ties in the pursuit of the truth (as they see it) is a question left up to the writer.
Matthews’ response strikes me as rather extreme. In Britain, family members owe each other duties to keep private information confidential. In the US, the breach of confidentiality tort applies to doctors, lawyers, and others, but hasn’t been extended to friends and family. Perhaps it should be.
According to the Telegraph article, Myerson’s son said:
“I even consulted a lawyer to try to stop it, but was told there wasn’t much I could do, so I made her take out the part where she said I was selling drugs to my 12-year-old brother, which was one of her fantasies.
I’m surprised that he was advised the law didn’t protect him, since the book was published in Britain and he’d likely have a decent case under British precedent.
The Myerson case is increasingly becoming more common. Numerous bloggers are chronicling the lives of their children online, posting photos and a day-by-day account of their lives. What happens when these children grow up and resent having their entire childhood permanently recorded for the world to see?
Should family members owe each other a duty of confidentiality? Should parents write about a child’s life without that child’s consent?
Hat tip: PogoWasRight
September 1, 2009 at 7:40 am
Posted in: Family Law, Privacy, Privacy (Gossip & Shaming), Tort Law
Print This Post
8 Comments
The Revenge of College Gossip Websites
posted by Daniel Solove
A while ago, the notorious college gossip website, Juicy Campus, bit the dust. But according to an article by Jeffrey Young in the Chronicle of Higher Education:
“This is the new JuicyCampus,” says a note at Campus Gossip, which boasts campus-specific message boards for hundreds of colleges and encourages anonymous and racy barbs such as “These Fellas got herpes,” with a list of names attached. Going even further than its predecessor, there’s also a photo section where students can post embarrassing pictures and videos of others.
The site is planning a back-to-school marketing push, including a happy hour near Arizona State University where a rap artist named Sabotage will perform a song about the pleasures of campus gossip.
Another site, CollegeACB (the letters stand for Anonymous Confession Board), paid the defunct JuicyCampus $10,000 to redirect visitors from its Web address to CollegeACB.
For those who want a first-hand look at these sites, the Campus Gossip site is here and the CollegeACB site is here. I’m quoted in the article, as is co-blogger Danielle Citron:
Internet shaming creates an indelible blemish on a person’s identity,” wrote Daniel J. Solove, a professor of law at George Washington University, in his 2007 book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press). “It’s similar to being forced to wear a digital scarlet letter or being branded or tattooed. People acquire permanent digital baggage. They are unable to escape their past, which is forever etched into Google’s memory.” . . . .
“I don’t see why it has to be that way,” the law professor told me in a recent interview. “Just like when you drive, it’s not a free-for-all,” he added, equating the current laws governing online forums to a road without traffic lights or stop signs. “It’s like if we looked at the roads and said, There’s just nothing to be done—let’s just abolish all rules of the road.” . . . .
Danielle Citron, a law professor at the University of Maryland at Baltimore, said she hoped that stamping out harassment on campus-gossip Web sites would be considered a matter of civil rights.
She makes the case in an article published in the Michigan Law Review this year called “Law’s Expressive Value in Combating Cyber Gender Harassment.” In it, she argues that law-enforcement officials fail to take seriously complaints about online anonymous comments, and that using “civil-rights remedies” may be the most effective way to pursue such acts.
“Women should not have to wait until cyberharassment fulminates into physical violence for law enforcement to address it,” she wrote. “A civil-rights agenda … would demonstrate that the Internet is not the lawless Wild West, just as court settlements and state legislation made clear that the home does not insulate abusing husbands from societal intervention.”
August 31, 2009 at 9:51 am
Posted in: Anonymity, Privacy, Privacy (Gossip & Shaming), Social Network Websites, Web 2.0
Print This Post
2 Comments
Lori Drew Case Decided
posted by Daniel Solove
The Lori Drew case has finally been decided. Background about the case is here. In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.
In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):
[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].” City of Chicago [v. Morales], 527 U.S. [41] at 64 [(1999)].
Congratulations to Orin Kerr, who assisted in the defense, and who is cited numerous times throughout the court’s opinion.
August 29, 2009 at 10:18 pm
Posted in: Anonymity, Privacy, Privacy (Electronic Surveillance), Privacy (Gossip & Shaming), Web 2.0
Print This Post
No Comments
Seeing With Your Tongue: No Really
posted by Deven Desai
Not much law here, yet. Researchers have taken theoretical work begun decades ago and developed a “brain port,” a device that uses technology to allow people to reorganize how they process sensory data. In the example below, blind people are able to see images. The device takes visual input, processes it, sends impulses to a pad that sits on someone’s tongue, and then the person is able to see some images. It takes quite a bit of training and in some cases folks have been able to use the device such that they actually re-train the brain and can reduce use of the device. Yes in a sense they have “rewired” their brain. This advance is just cool. The video also explains that the advances in this field trace to Professor Paul Bach-y-Rita who apparently had to overcome a fair amount of resistance in his fields of neurobiology and rehabilitation, because he was challenging many accepted beliefs regarding the way the brain works and more (all hail Kuhn). Will the law become involved in this area? It probably already is insofar as patents and copyright are being used to govern the technology. In addition, as I have noted before, the advances in embedded or sensory enhancing devices raise numerous questions regarding privacy, the ownership of data, bioethics, and research ethics. So welcome to the future and take a look at the video. It really is amazing and wonderful that scientists have made these breakthroughs. At the very least, anyone questioning how basic research can lead to unforeseen benefits should pause after seeing this work.
August 28, 2009 at 6:01 am
Tags: Privacy, sensory substitution, singularity
Posted in: Health Law, Intellectual Property, Privacy, Privacy (Medical), Technology
Print This Post
No Comments
I See Code: Plain View and Computer Searches
posted by Deven Desai
The Ninth Circuit has taken a swat computer searches and the plain view doctrine (pdf). I have not yet read the entire opinion but Orin Kerr has a series of posts about the decision here. And Shaun Martin, for whom I have a ton of respect as well, covers the case here. Shaun’s post captures how well-written the opinion is: “In my dreams I could write an opinion this good. It’s clear. It’s concise. It provides meaningful, systemic guidelines. It’s just. It’s got a keen sense of both the practical way the world works as well as the dangers inherent in certain conduct. In short, it’s exactly what I want in a wide-ranging opinion that makes meaningful precedent. … If you only read a dozen Ninth Circuit opinions this year, this should be amongst them.”
Dan and others will likely have more to say, so stay tuned, folks. As Orin notes, “This is really new territory, so it will be interesting to see how it plays out. I suspect we’ll find out soon, as there are a lot of these cases.” In the interim, here are three paragraphs worth reading:
The point of the Tamura procedures is to maintain the privacy of materials that are intermingled with seizable materials, and to avoid turning a limited search for particular information into a general search of office file systems and computer databases. If the government can’t be sure whether data may be concealed, compressed, erased or booby-trapped without carefully examining the contents of every file—and we have no cavil with this general proposition—then everything the government chooses to seize will, under this theory, automatically come into plain view. Since the government agents ultimately decide how much to actually take, this will create a powerful incentive for them to seize more rather than less: Why stop at the list of all baseball players when you can seize the entire Tracey Directory? Why just that directory and not the entire hard drive? Why just this computer and not the one in the next room and the next room after that? Can’t find the computer? Seize the Zip disks under the bed in the room where the computer once might have been. See United States v. Hill, 322 F. Supp. 2d 1081 (C.D. Cal. 2004). Let’s take everything back to the lab, have a good look around and see what we might stumble upon.
This would make a mockery of Tamura and render the carefully crafted safeguards in the Central District warrant a nullity. All three judges below rejected this construction, and with good reason. One phrase in the warrant cannot be read as eviscerating the other parts, which would be the result if the “otherwise legally seized” language were read to permit the government to keep anything one of its agents happened to see while performing a forensic analysis of a hard drive. The phrase is more plausibly construed as referring to any evidence that the government is entitled to retain entirely independent of this seizure.
To avoid this illogical result, the government should, in future warrant applications, forswear reliance on the plain view doctrine or any similar doctrine that would allow it to retain data to which it has gained access only because it was required to segregate seizable from non-seizable data. If the government doesn’t consent to such a waiver, the magistrate judge should order that the seizable and non-seizable data be separated by an independent third party under the supervision of the court, or deny the warrant altogether.
August 27, 2009 at 6:01 am
Tags: Balco, Fourth Amendment, Judge Kozinski, Ninth Circuit
Posted in: Cyberlaw, Privacy, Privacy (Consumer Privacy), Privacy (Electronic Surveillance), Privacy (Law Enforcement), Privacy (National Security)
Print This Post
One Comment
Cyber Gender Harassment: “Skanks of NYC”
posted by Danielle Citron
Dan, Kaimi, and Elizabeth have offered some terrific insights on the issues raised by the court’s unmasking of the “Skanks of NYC” blogger. Kaimi’s post “Cyber Civil Rights vs Privacy in the ‘Skanks in NYC’ case” in particular did a superb job capturing the issue as discrimination. I write here to follow up on issues related to the case that folks have discussed with me.
Some have asked whether this case warrants treatment as a cyber civil rights issue since it “is just a girl cat fight.” To be sure, women can deprive other women of their right to be free of unequal treatment on the basis of their gender. But the larger concern is, for me, convincing skeptics to see the blog attacks on Ms. Cohen as more than just an interpersonal disagreement between two women, something that tort law can handily address on its own, but rather as gender discrimination. Tort law would not reach the harm experienced by Ms. Cohen, women, and society due to the blog’s interference with her right to equal treatment. It would not address the stigma that Ms. Cohen experienced a a result of the blog’s message that she had worth only as a sex object. Much like sexual harassment in the workplace, the blog suggested that Ms. Cohen constitutes an object of sexual derision, not a person worthy of respect. Moreover, they interfered with Ms. Cohen’s right to work as an equal. According to Ms. Cohen, potential employers asked her about the blog, which quite possibly deterred them and others from hiring her. In a world filled with aspiring models, employers might chose to work with someone who comes with less baggage, even if they do not believe the postings a wit. And the blog postings harm women as a group and a society as a whole by entrenching gender hierarchy in cyberspace. Whether current law would support such a claim is certainly in dispute, but such a law could be crafted. Such a law would play an important expressive role–it would change the social meaning of such harassment of women.
Indeed, as privacy scholar Ian Kerr suggested, maybe the media’s attention to the case can be attributed to its leering interest in a “battle” between two beautiful women? Maybe coverage of the issue reflects a deeper misogyny: the story has attracted so much attention because it produces an image of women as female wrestlers of sorts, battling it out in their bikinis?
August 26, 2009 at 12:58 pm
Posted in: Anonymity, Civil Rights, Cyber Civil Rights, Cyberlaw, Privacy, Uncategorized
Print This Post
2 Comments
Interview on Internet Anonymity on Above the Law
posted by Daniel Solove
Over at Above the Law, Kashmir Hill has posted a Q&A with me about the “Skanks in NYC” blogger case. She also discusses with me how and why I became interested in privacy law.
August 25, 2009 at 3:06 pm
Posted in: Privacy, Privacy (Gossip & Shaming), Social Network Websites, Tort Law, Web 2.0
Print This Post
No Comments
Cyber Civil Rights vs Privacy in the “Skanks in NYC” case
posted by Kaimipono D. Wenger
As Dan rightly notes, the recent court order unmasking the anonymous author of the “Skanks in NYC” blog raises serious privacy concerns. He elaborates on those concerns in his post, arguing that the court used too low of a standard, that the lawsuit may have been frivolous, and that anonymity needs greater protection. Dan links to CyberSLAPP, an EFF project which combats abusive lawsuits that seek to unmask anonymous critics of corporations or public figures.
CyberSLAPP’s site contains a spirited defense of a right of anonymous criticism which reads, in part:
Why is anonymous speech important?
There are a wide variety of reasons why people choose to speak anonymously. Many use anonymity to make criticisms that are difficult to state openly to their boss, for example, or the principal of their children’s school. The Internet has become a place where persons who might otherwise be stigmatized or embarrassed can gather and share information and support victims of violence, cancer patients, AIDS sufferers, child abuse and spousal abuse survivors, for example. They use newsgroups, Web sites, chat rooms, message boards, and other services to share sensitive and personal information anonymously without fear of embarassment or harm. Some police departments run phone services that allow anonymous reporting of crimes; it is only a matter of time before such services are available on the Internet. Anonymity also allows “whistleblowers” reporting on government or company abuses to bring important safety issues to light without fear of stigma or retaliation. And human rights workers and citizens of repressive regimes around the world who want to share information or just tell their stories frequently depend on staying anonymous sometimes for their very lives.
Is anonymous speech a right?
Yes. Anonymous speech is presumptively protected by the First Amendment to the Constitution. Anonymous pamphleteering played an important role for the Founding Fathers, including James Madison, Alexander Hamilton, and John Jay, whose Federalist Papers were first published anonymously. And the Supreme Court has consistently backed up that tradition, ruling, for example, that an Ohio law requiring authors to put their names on campaign literature was a violation of the First Amendment. Indeed, the Supreme Court has ruled that protecting anonymous speech has the same purpose as the First Amendment itself: to “protect unpopular individuals from retaliation and their ideas from suppression.”
Of course, any sensible person would be opposed to silencing today’s James Madisons or Alexander Hamiltons. Is this really the correct analogy here, though? Is Skanks in NYC like the Federalist Papers? Read the rest of this post »
August 25, 2009 at 11:40 am
Tags: Cyber Civil Rights, Privacy
Posted in: Blogging, Google & Search Engines, Privacy
Print This Post
3 Comments
