The FBI illegally collected more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews. FBI officials issued approvals after the fact to justify their actions.

E-mails obtained by The Washington Post detail how counterterrorism officials inside FBI headquarters did not follow their own procedures that were put in place to protect civil liberties. The stream of urgent requests for phone records also overwhelmed the FBI communications analysis unit with work that ultimately was not connected to imminent threats.

A Justice Department inspector general’s [...]]]> The Washington Post reports that the FBI engaged in severe violations of the Electronic Communications Privacy Act between 2002 and 2006:

The FBI illegally collected more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews. FBI officials issued approvals after the fact to justify their actions.

E-mails obtained by The Washington Post detail how counterterrorism officials inside FBI headquarters did not follow their own procedures that were put in place to protect civil liberties. The stream of urgent requests for phone records also overwhelmed the FBI communications analysis unit with work that ultimately was not connected to imminent threats.

A Justice Department inspector general’s report due out this month is expected to conclude that the FBI frequently violated the law with its emergency requests, bureau officials confirmed.

ECPA allows the FBI to issue National Security Letters (NSLs) to obtain information from communications service providers.  I’ve criticized NSLs in the past for providing too minimal a protection of privacy:  “A NSL is a demand letter issued to a particular entity or organization to turn over various record and data pertaining to individuals. They do not require probable cause, a warrant, or even judicial oversight. They also come with a gag order, preventing the recipient of the letter from disclosing that the letter was ever issued. Compliance is mandatory.”

Apparently, the FBI found NSLs to be too cumbersome because they required an open case, so they devised a work-around.  According to the Washington Post:

The USA Patriot Act expanded the use of national security letters by letting lower-level officials outside Washington approve them and allowing them in wider circumstances. But the letters still required the FBI to link a request to an open terrorism case before records could be sought.

Shortly after the Patriot Act was passed in October 2001, FBI senior managers devised their own system for gathering records in terrorism emergencies.

A new device called an “exigent circumstances letter” was authorized. It allowed a supervisor to declare an emergency and get the records, then issue a national security letter after the fact.

Over at the Volokh Conspiracy, Orin Kerr has a thoughtful post about the issue.   He posits some circumstances in which the FBI may have not been violating the law, and his theories seem plausible to me since we need more facts.  Nevertheless, at this point, I’m growing tired of giving the government the benefit of the doubt.  These problems are indicative of a general trend in various government agencies during the Bush Administration to either concoct various end-runs around the law or ignore it entirely.

The lessons of the aftermath of September 11th indicate the following: (1) the existing electronic surveillance laws were poorly understood; (2) these laws were not as nimble and pro-security as many Executive Branch officials would have liked; (3) despite various provisions in these laws to protect privacy, they were often ignored or not adequately followed.

There’s clearly a larger problem at play here — our electronic surveillance laws aren’t working very well if the goal is to keep the government under control during times of crisis (when these laws are most fervently needed).

Google Attacks Highlight the Importance of Surveillance Transparency

by Timothy B. Lee

Ed posted yesterday about Google’s bombshell announcement that it is considering pulling out [...]]]> The Google China news deserves some thought for a range of reasons. The questions about democracy, censorship, and more that swirled around Google and China’s relationship are important. One issue that is easily lost is the relationship between the claimed reasons for Google’s leaving China and policies about surveillance. My colleague at CITP, Timothy B. Lee, wrote an excellent piece at Freedom to Tinker about this issue. Ordinarily I would summarize and point folks to the post. It captured my attention so much, however, that I asked Tim whether I might repost it in full here. I am happy that he has agreed.

Google Attacks Highlight the Importance of Surveillance Transparency

by Timothy B. Lee

Ed posted yesterday about Google’s bombshell announcement that it is considering pulling out of China in the wake of a sophisticated attack on its infrastructure. People more knowledgeable than me about China have weighed in on the announcement’s implications for the future of US-Sino relations and the evolution of the Chinese Internet. Rebecca MacKinnon, a China expert who will be a CITP visiting scholar beginning next month, says that “Google has taken a bold step onto the right side of history.” She has a roundup of Chinese reactions here.

One aspect of Google’s post that hasn’t received a lot of attention is Google’s statement that “only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” A plausible explanation for this is provided by this article (via James Grimmelmann) at PC World:

Drummond said that the hackers never got into Gmail accounts via the Google hack, but they did manage to get some “account information (such as the date the account was created) and subject line.”

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.

Obviously, this report should be taken with a grain of salt since it’s based on a single anonymous source. But it fits a pattern identified by our own Jen Rexford and her co-authors in an excellent 2007 paper: when communications systems are changed to make it easier for US authorities to conduct surveillance, it necessarily increases the vulnerability of those systems to attacks by other parties, including foreign governments.

Rexford and her co-authors point to a 2006 incident in which unknown parties exploited vulnerabilities in Vodafone’s network to tap the phones of dozens of senior Greek government officials. According to news reports, these attacks were made possible because Greek telecommunications carriers had deployed equipment with built-in surveillance capabilities, but had not paid the equipment vendor, Ericsson, to activate this “feature.” This left the equipment in a vulnerable state. The attackers surreptitiously switched on the surveillance capabilities and used it to intercept the communications of senior government officials.

It shouldn’t surprise us that systems built to give law enforcement access to private communications could become vectors for malicious attacks. First, these interfaces are often backwaters in the system design. The success of any consumer product is going to depend on its popularity with customers. Therefore, a vendor or network provider is going to deploy its talented engineers to work on the public-facing parts of the product. It is likely to assign a smaller team of less-talented engineers to work on the law-enforcement interface, which is likely to be both less technically interesting and less crucial to the company’s bottom line.

Second, the security model of a law enforcement interface is likely to be more complex and less well-specified than the user-facing parts of the service. For the mainstream product, the security goal is simple: the customer should be able to access his or her own data and no one else’s. In contrast, determining which law enforcement officials are entitled to which information, and how those officials are to be authenticated, can become quite complex. Greater complexity means a higher likelihood of mistakes.

Finally, the public-facing portions of a consumer product benefit from free security audits from “white hat” security experts like our own Bill Zeller. If a publicly-facing website, cell phone network or other consumer product has a security vulnerability, the company is likely to hear about the problem first from a non-malicious source. This means that at least the most obvious security problems will be noticed and fixed quickly, before the bad guys have a chance to exploit them. In contrast, if an interface is shrouded in secrecy, and only accessible to law enforcement officials, then even obvious security vulnerabilities are likely to go unnoticed and unfixed. Such an interface will be a target-rich environment if a malicious hacker ever does get the opportunity to attack it.

This is an added reason to insist on rigorous public and judicial oversight of our domestic surveillance capabilities in the United States. There has been a recent trend, cemented by the 2008 FISA Amendments toward law enforcement and intelligence agencies conducting eavesdropping without meaningful judicial (to say nothing of public) scrutiny. Last month, Chris Soghoian uncovered new evidence suggesting that government agencies are collecting much more private information than has been publicly disclosed. Many people, myself included, oppose this expansion of domestic surveillance grounds on civil liberties grounds. But even if you’re unmoved by those arguments, you should still be concerned about these developments on national security grounds.

As long as these eavesdropping systems are shrouded in secrecy, there’s no way for “white hat” security experts to even begin evaluating them for potential security risks. And that, in turn, means that voters and policymakers will be operating in the dark. Programs that risk exposing our communications systems to the bad guys won’t be identified and shut down. Which means the culture of secrecy that increasingly surrounds our government’s domestic spying programs not only undermines the rule of law, it’s a danger to national security as well.

Update: Props to my colleague Julian Sanchez, who made the same observation 24 hours ahead of me.

It’s one thing to report on the phenomenon of people disappearing. But to really understand it, I figured that I had to try it myself. So I decided to vanish. I would leave behind my loved ones, my home, and my name. I wasn’t going off the grid, dropping out to live in a cabin. Rather, I would actually try to drop my life and pick up another.

The article is here. Anyone interested in privacy, manhunts, and [...]]]> Wired magazine ran an interesting competition starting on August 13. Writer Evan Ratliff who had written about how people disappear tried to disappear from the world and everyone he knew while Wired encouraged and helped people try and find him. The winner would receive $5,000. Ratliff explained his motivation:

It’s one thing to report on the phenomenon of people disappearing. But to really understand it, I figured that I had to try it myself. So I decided to vanish. I would leave behind my loved ones, my home, and my name. I wasn’t going off the grid, dropping out to live in a cabin. Rather, I would actually try to drop my life and pick up another.

The article is here. Anyone interested in privacy, manhunts, and technology should enjoy the read which I recommend. For one thing, the tale reminded me of Hitchcock thrillers where everyone is looking for an innocent man. Like Roger O. Thornhill in North by Northwest, Ratliff uses buses and trains to evade his pursuers (of course Ratliff asked for this one but the feel is quite similar). And like the movies there were sides. In this case, teams formed to hunt Ratliff down and much smaller ones tried to help him (the details about how folks used technology to track and coordinate the hunt (down to finding out who is cat sitter was and contacting the sitter) while Ratliff used it to fool the hunters is another fun part of the story). An interesting point comes from the romantic quarter. I started with a emotional response that the author and others expressed. It would be nice to drop out of one’s life; escape for a bit. I like the idea that one might be able to reinvent one’s life. I also think that our society does a poor job of letting people claim a new beginning and instead embraces a Inspector Javert approach to identity. I rooted for Ratliff. I wanted to believe that if you really said let me alone, it could work. But, as I read on, something else became clear. Ratliff missed his social life. That sense of absence was heightened because of Facebook and Twitter. Insofar as we like some of our lives, we probably like the people in them. Furthermore, when Ratliff has a triumph, he laments that he cannot share it.

In short, the article shows how easy it is to track someone. It also shows that once the spotlight is off, a type of obscurity returns. The problem may be that the spotlight can be turned on all too easily.

Volume 57, Issue 1 (October 2009)

Articles

Essay

Comments

Discourse

Th UCLA Law Review is also pleased to announce the launch of a our new website.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor [...]]]> During the 2008 election, Democrats effectively used Web 2.0 platforms to garner interest in the campaign and win supporters.  President Obama has been widely hailed as the first “Tech President,” and he seems to have trounced the Facebook landscape.  To date, President Barack Obama has over 6.6 million Facebook friends, while Sarah Palin only has 848, 614 Facebook pals and Mitt Romney has 70, 130.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor now that they are in the minority.  AMERICAblogs’ John Aravosis worries that Democrats have ceded their online advantage.

No matter the current political victor in this social media landscape, Government 2.0 is here to stay.  It surely has great potential to shine light on government policymaking and to marshal public participation, especially from people who otherwise wouldn’t bother getting involved with government policymaking.  Adding the President as a friend on MySpace and joining live chats may seem to be a relatively costless endeavor as compared to writing letters or commenting on agency rulemakings.  But Government 2.0 also poses privacy risks: social media sites not only give government access to people’s policy insights but also access to all of individuals’ social media data, such as their videos, photos, walls musings, “Top 25 things you don’t know about me” lists, and the like.  Soon, I will be posting on SSRN a draft of my essay “The One-Way Mirror: Enhancing Participation and Securing Privacy for Government 2.0″ (forthcoming George Washington Law Review) and hope to get your feedback.

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.

In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):

[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use [...]]]> The Lori Drew case has finally been decided.  Background about the case is here.  In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.

In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):

[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].” City of Chicago [v. Morales], 527 U.S. [41] at 64 [(1999)].

Congratulations to Orin Kerr, who assisted in the defense, and who is cited numerous times throughout the court’s opinion.

“It basically leaves it up to a website owner to determine what is a crime,” said Wu on Thursday, echoing what critics of the case have been saying for months. “And therefore it criminalizes what would be a breach of contract.” . . . .

Wu told Assistant U.S. Attorney Mark Krause that if Drew had been convicted of the felonies, he would have let the convictions stand, and would have already sentenced her. But the misdemeanor [...]]]> Judge George Wu has ruled that he is planning to dismiss the charges against Lori Drew, the woman involved in the MySpace suicide case involving Megan Meier.  Background about the case is here.  According to an article by Kim Zetter of Wired, who has provided terrific coverage of the case:

“It basically leaves it up to a website owner to determine what is a crime,” said Wu on Thursday, echoing what critics of the case have been saying for months. “And therefore it criminalizes what would be a breach of contract.” . . . .

Wu told Assistant U.S. Attorney Mark Krause that if Drew had been convicted of the felonies, he would have let the convictions stand, and would have already sentenced her. But the misdemeanor convictions troubled him, because of the vague wording of the statute. . . .

To convict Drew of the felonies, prosecutors would have needed to prove two things: that Drew accessed MySpace “without authorization,” and did it for the purpose of committing a tortious act — in this case, to intentionally cause harm to Megan Meier.

But for the misdemeanors, the jury just had to find that Drew obtained the unauthorized access. Wu said that language, standing on its own, was too vague to pass constitutional muster in this case.

“I don’t see how the misdemeanor aspect would be constitutional,” he said. “That is the issue I’m wrestling with at this time.”

Wu also doubted that MySpace provided sufficient notice to members to hold them responsible. If a user didn’t read the terms of service, the judge asked prosecutor Krause, could they still be charged with violating them?

In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.  I’m encouraged that Judge Wu agrees, though I believe the CFAA is unconstitutionally vague not only in its misdemeanor provisions, but in its felony ones as well.

Congratulations to my colleague, Orin Kerr, who assisted in Lori Drew’s defense.

The AP story is here.

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients’ behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, the analysis of encrypted information can yield the same detailed results [...]]]> According to Help Net Security, Craig Gentry, a researcher at IBM, appears to have found a way to allow “the deep and unlimited analysis of encrypted information – data that has been intentionally scrambled – without sacrificing confidentiality.” The solution involves a an “ideal lattice.” I’ll leave the explanation of all the math to the math/computer science folks. As the Help Net article notes, the solution seems to enable some great advantages for anyone providing cloud computing for:

computer vendors storing the confidential, electronic data of others will be able to fully analyze data on their clients’ behalf without expensive interaction with the client, and without seeing any of the private data. With Gentry’s technique, the analysis of encrypted information can yield the same detailed results as if the original data was fully visible to all.

It all sounds wonderful. One could have encrypted data and let others data mine while maintaining anonymity or privacy. Yet, something seemed odd to me. So I did what lawyers do, I called someone who knew more about computer science and asked for some help. That person explained that yes this could mean one could query an encrypted database without decrypting the data. The example to consider is a database of book purchases. One could ask how many people bought both book A and book B and see that result without ever seeing what a specific person purchased. Great, right? Not so fast.

As this person reminded me, with other sources of information one can figure out what a specific person did. That reminded me of the AOL debacle. With a little work, people were able to figure out who the anonymous subjects were.

All of which highlights that privacy is not binary. The cluster of information and the ability to analyze it seems often, if not always, to lead to problems about the use of information. So if this breakthrough allows a company or the government to claim that we should remain calm and all is well, we may want to remain clam but show how all may not be well. A few regulations about the use of the data even if supposedly anonymous, might allow the beneficial aspects of the solution to thrive while limiting the harms that can occur.

Image: WikiCommons
By: Gwenda; License: Public Domain
(My apologies to CS folks if the image does not match the breakthrough’s area of encryption)

Worries about the “death of privacy” have been prevalent for some time. We increasingly lack control over [...]]]> As they follow the fascinating and heartening “Twitter Revolution” in Tehran, commentators worry that “the regime is prepared to detain dissidents — reportedly using Facebook and Twitter to locate them.” Yesterday also saw new reports of controversy over domestic surveillance by the US National Security Agency. Apparently the “agency routinely examined large volumes of Americans’ e-mail messages without court warrants.” Commentators like Glenn Greenwald and our own Dan Solove have done a great job explaining the legal details of NSA surveillance. I just want to comment on some of broader social trends that explain the upward ratchet of surveillance around the world.

Worries about the “death of privacy” have been prevalent for some time. We increasingly lack control over (or even awareness of) the digital profiles kept about us by businesses and governments. Another form of privacy—that at the core of the public-private divide—has also been in decline over the past couple decades. As the essays in Freeman and Minow’s book Government by Contract show, “privatization” is often less an arm’s length transaction between government and business than a veritable marriage of institutions. The recent explosion of public-private partnerships in the finance and auto industries further erodes the distinction between government and business. As William J. Novak’s essay in Government by Contract observes, much of what we think of as purely private markets are creatures of state action:

Robert Lee Hale contended that the sharp theoretical separation of public and private obscured the actual proactive role of public power in structuring the so-called private bargains that had such an immense effect on the distribution of wealth and power in American society. . . . [T]he private sphere is positively constructed by law and government and is consequently always suffused with (as opposed to immune from) sovereignty, force, violence, and coercion.

This is particularly true of communications technologies, which are often of great interest to government regulators. As Michael D. Birnhack and Niva Elkin-Koren explain in their brilliant article The Invisible Handshake, new and hidden exchanges of information for power are key to government-business relations:

Law enforcement agencies seek to enhance their monitoring capacity and online businesses seek to prevent fraud and combat piracy while strengthening their ties with authorities. . . . The invisible hand [of market-based communications] turned out to be very useful for the State, and it is now being replaced with a handshake, which, likewise, is invisible. . . . The use of private parties for executing government roles may create an unholy alliance between governments that wish to exercise their power and large online players that seek to maintain and strengthen their dominant role in the market.

Birnhack and Elkin-Koren were prophetic. The kind of government-business alliances they feared have become de rigeur in the national surveillance state. Both Chris Hoofnagle and Jon D. Michaels have described the development in some detail. Michaels’s story of FedEx is indicative of the larger trend:

[After FedEx's] CEO announced his company’s commitment to cooperating with the government “up to and including the line on which we would be doing a disservice to our shareholders” . . . FedEx has received a range of government perks. For instance, FedEx has been afforded special access to government security databases, presumably giving it a range of advantages over non-cooperating competitors. It has also been awarded a prized seat on the FBI’s regional terrorism task force (it is the only private company so represented) and thus has even more insider access to international security threats, again presumably well before its competitors receive such warnings. Moreover, FedEx has received an exceptional license from the State of Tennessee to develop an internal police force . . . .

Hoofnagle proposes that “the Privacy Act should apply to private sector companies that sell information to the government,” not just to the government itself. It seems to me that the first step to wisdom in this area is to realize that whatever we fear from direct government collection of data, we should fear from ostensibly “private” third parties that do the same. Otherwise, the ailing “public/private” divide could cause many more “deaths” of individual privacy.

Why do we need to coalesce power in a cyber security czar to oversee the nation’s information security efforts?  Ira Winkler offers an explanation for centralizing this responsibility, rather than [...]]]> President Obama recently announced the creation of a White House cyber security coordinator who will oversee a national strategy for securing American interests in cyberspace.  The coordinator will be a member of the National Security Council, reporting to the national security adviser and the senior White House economic adviser.   President Bush started us in this direction by instituting the Cyber Initiative to overhaul the government’s cyber defenses.  Yet we remain vulnerable to attacks on systems related to government operations, money supply, electric-power distribution, and transportation.  Thus, devoting resources to shoring up cyber security is crucial.

Why do we need to coalesce power in a cyber security czar to oversee the nation’s information security efforts?  Ira Winkler offers an explanation for centralizing this responsibility, rather than spreading it across various agencies.  He considers complications that arise when multiple agencies engage in cyber security efforts of the offensive and defensive variety.  He asks: what if the NSA engages in a long-term project to enter false information into an adversary’s database, unaware that the Army had hacked into the same database to try to track military movements?  According to Winkler, the lack of coordination would allow the NSA’s efforts to mislead the Army.  Divergent defensive efforts could similarly clash, thus undermining cyber security.

The President’s plan raises a number of unresolved issues.  The President hopes to recruit the private sector’s help in devising a comprehensive security strategy.  He has suggested building public and private partnerships around cybersecurity.  How will the Administration accomplish this partnership?  Would it be designed to get input from security professionals regarding government regulation of the private sector’s cyber security efforts?  Will the government have a role in overseeing private networks?  The heart burn involved in solving these issues is worthwhile given the critical importance of our networks to our economy and the real threat of cyber warfare.

Thanks to Wikimedia Commons for the image.

Social networking sites and blogs have increasingly become breeding grounds for anonymous online groups that attack women, people of color, and members of other traditionally disadvantaged groups. These destructive groups target individuals with defamation, threats of violence, and technology-based attacks that silence victims and concomitantly destroy their privacy. Victims go offline or assume pseudonyms to prevent future attacks, impoverishing online dialogue and depriving victims of the social and economic opportunities associated with a vibrant online presence. Attackers manipulate search engines to reproduce their lies and threats for employers and clients to see, creating [...]]]> From tomorrow through Thursday, Concurring Opinions will be hosting a number of scholars invited to discuss Danielle Citron’s work Cyber Civil Rights. Responding to controversies over online attacks, Citron argues the following:

Social networking sites and blogs have increasingly become breeding grounds for anonymous online groups that attack women, people of color, and members of other traditionally disadvantaged groups. These destructive groups target individuals with defamation, threats of violence, and technology-based attacks that silence victims and concomitantly destroy their privacy. Victims go offline or assume pseudonyms to prevent future attacks, impoverishing online dialogue and depriving victims of the social and economic opportunities associated with a vibrant online presence. Attackers manipulate search engines to reproduce their lies and threats for employers and clients to see, creating digital “scarlet letters” that ruin reputations. . . .

Web 2.0 technologies accelerate mob behavior. With little reason to expect self-correction of this intimidation of vulnerable individuals, the law must respond. General criminal statutes and tort law proscribe much of the mobs’ destructive behavior, but the harm they inflict also ought to be understood and addressed as civil rights violations. Civil rights suits reach the societal harm that would otherwise go unaddressed and would play a crucial expressive role. Acting against these attacks does not offend First Amendment principles when they consist of defamation, true threats, intentional infliction of emotional distress, technological sabotage, and bias-motivated abuse aimed to interfere with a victim’s employment opportunities. To the contrary, it helps preserve vibrant online dialogue and promote a culture of political, social, and economic equality.

As I’ve noted before, I think this piece breaks new ground in applying venerable laws to the online environment. In this cyber-symposium, we propose to discuss the following issues:

What can the law do to respond to these threats?

How we deter harassment while promoting legitimate speech?

How do we balance the privacy rights of speakers and those they speak about in the new communicative landscape created by sites like AutoAdmit, Juicy Campus, Facebook, and anonymous message boards?

A list of scholars invited to discuss these issues appears below:

Ann Bartow

David Fagundes

Michael Froomkin

Nathaniel Gleicher

James Grimmelmann

Orin Kerr

Nancy Kim

Susan Kuo

Daithí Mac Síthigh

Helen Norton

David Post

David Robinson

As co-organizers of the online symposium, Danielle, David Hoffman, Deven Desai and I welcome these guests and look forward to participating in the discussion. We have decided to default to “no comments” for this cyber-symposium. It was a tough decision, but ultimately we tended to feel that, for this topic in particular, the costs of editing and/or responding to abusive or off-topic comments would likely be higher than the benefits of our usual default to openness.

As recent controversies have shown, it’s easy for online mobs to inflict real injuries on their victims–and women bear a disproportionate share of the abuse. Citron argues that “acting against these attacks . . . helps preserve vibrant online dialogue and promote a culture of political, social, and economic equality.” We look forward to an animated and insightful discussion on how to balance liberty, equality, and privacy online.

The case is a criminal prosecution of a man who secretly recorded his girlfriend in the nude, in violation of Wisconsin Statute § 942.09(2)(am). I’ve posted the text of the full statute below. The statute provides that it is a felony to record another person in the nude without that person’s consent “in a circumstance in which [the person] has a reasonable expectation of privacy.” The defendant contended that his girlfriend didn’t have a reasonable expectation of privacy because (as the court characterizes his argument), “she knowingly and consensually exposed her [...]]]> An interesting case from the Wisconsin Court of Appeals embodies what I believe is a thoughtful and nuanced understanding of privacy. The case is Wisconsin v. Jahnke, 2007AP2130-CR (Dec. 30, 2008).

The case is a criminal prosecution of a man who secretly recorded his girlfriend in the nude, in violation of Wisconsin Statute § 942.09(2)(am). I’ve posted the text of the full statute below. The statute provides that it is a felony to record another person in the nude without that person’s consent “in a circumstance in which [the person] has a reasonable expectation of privacy.” The defendant contended that his girlfriend didn’t have a reasonable expectation of privacy because (as the court characterizes his argument), “she knowingly and consensually exposed her nude body to him while he was secretly videotaping her.” In other words, he argued that since she expected to be seen by him, she lost her expectation of privacy in her nude body.

The court wisely rejected the defendant’s construction of the statute:

Under this construction, Jahnke’s girlfriend’s privacy interest in not being recorded in the nude is left unprotected any time she permits anyone, under any circumstance, to view her nude. If she disrobes in a medical facility and permits medical personnel to view her, such personnel could record her without violating subsection 1 and, of course, later share that recording without violating subsections 2 or 3. It is one thing to be viewed in the nude by a person at some point in time, but quite another to be recorded in the nude so that a recording exists that can be saved or distributed and viewed at a later time.

The dissent raises some interesting arguments involving statutory construction and some prior caselaw. In particular, the dissenting judge points to an earlier decision defining the term “reasonable expectation of privacy” under the statute, holding that it “requires that the person who is depicted nude is in a circumstance in which he or she has an assumption that he or she is secluded from the presence or view of others, and that assumption is a reasonable one under all the circumstances.” State v. Nelson, 718 N.W.2d 168 (Wisc. App. 2006). The majority concluded that the Nelson definition was “incomplete” and that the “statute is plainly directed at reasonable expectations vis-à-vis not being recorded.”

The majority opinion wisely avoids a trap that many courts get into — understanding “privacy” narrowly as absolute secrecy or seclusion. Privacy involves a cluster of expectations involving the nature and extent to which their information is captured, used, and disseminated. It seems quite reasonable to assume that two lovers who see each other nude nevertheless expect privacy. They might be exposing their nude bodies to each other, but what they expect is that nobody else will see them. Since this is a criminal statute, it is important that courts avoid interpreting privacy too liberally, especially in areas where expectations of privacy are muddy. But it seems to me that under this circumstance–the nonconsensual recording of a person in the nude when she is exposing her body only to her boyfriend (rather than walking down a public street in the nude)–expectations are clear that the intended exposure is for the boyfriend’s eyes only.

The opinion is here.

WISCONSIN STAT. § 942.09(2)(am) provides:

Whoever does any of the following is guilty of a Class I felony:

1. Captures a representation that depicts nudity without the knowledge and consent of the person who is depicted nude while that person is nude in a circumstance in which he or she has a reasonable expectation of privacy, if the person knows or has reason to know that the person who is depicted nude does not know of and consent to the capture of the representation.

2. Makes a reproduction of a representation that the person knows or has reason to know was captured in violation of subd. 1. and that depicts the nudity depicted in the representation captured in violation of subd. 1., if the person depicted nude in the reproduction did not consent to the making of the reproduction.

3. Possesses, distributes, or exhibits a representation that was captured in violation of subd. 1. or a reproduction made in violation of subd. 2., if the person knows or has reason to know that the representation was captured in violation of subd. 1. or the reproduction was made in violation of subd. 2., and if the person who is depicted nude in the representation or reproduction did not consent to the possession, distribution, or exhibition.

Hat tip: How Appealing