Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.

The 20-year-old said: “What she has done has taken the very worst years of my life and cleverly blended it into a work of art, and that to me is obscene.

“I was only 17, I was a confused teenager, I was too young really to know who I was or what was happening.

“What she describes in her book are a series of incidents, it’s not who I am and I [...]]]> Over at the NYT blog is an interesting story about a British writer (Julie Myerson) who has published a memoir about her son’s drug addiction (The Lost Child).  Her 20-year old son has criticized the publication of the book. According to the Telegraph (UK):

The 20-year-old said: “What she has done has taken the very worst years of my life and cleverly blended it into a work of art, and that to me is obscene.

“I was only 17, I was a confused teenager, I was too young really to know who I was or what was happening.

“What she describes in her book are a series of incidents, it’s not who I am and I find it very sad that she feels the need to tar me with the ‘drug addict’ brush.

“She’s been writing about me since I was two, and, quite frankly, I’m not surprised by anything she does any more.

The NYT Blog asks:

Is it inappropriate and even harmful to expose the private lives of minor children, in particular? What privacy lines should be observed, if any, in writing about family members and others?

It contains responses from four people, Alison Gopnik (a psychology professor), David Matthews (author), Melanie Gideon (author0, and Michael Greenberg (author).  For example, Author David Matthews writes:

Nothing is off limits as far as I’m concerned. Whether an author wants to risk fraying familial and social ties in the pursuit of the truth (as they see it) is a question left up to the writer.

Matthews’ response strikes me as rather extreme. In Britain, family members owe each other duties to keep private information confidential. In the US, the breach of confidentiality tort applies to doctors, lawyers, and others, but hasn’t been extended to friends and family.  Perhaps it should be.

According to the Telegraph article, Myerson’s son said:

“I even consulted a lawyer to try to stop it, but was told there wasn’t much I could do, so I made her take out the part where she said I was selling drugs to my 12-year-old brother, which was one of her fantasies.

I’m surprised that he was advised the law didn’t protect him, since the book was published in Britain and he’d likely have a decent case under British precedent.

The Myerson case is increasingly becoming more common.  Numerous bloggers are chronicling the lives of their children online, posting photos and a day-by-day account of their lives.  What happens when these children grow up and resent having their entire childhood permanently recorded for the world to see?

Should family members owe each other a duty of confidentiality?  Should parents write about a child’s life without that child’s consent?

Hat tip: PogoWasRight

“This is the new JuicyCampus,” says a note at Campus Gossip, which boasts campus-specific message boards for hundreds of colleges and encourages anonymous and racy barbs such as “These Fellas got herpes,” with a list of names attached. Going even further than its predecessor, there’s also a photo section where students can post embarrassing pictures and videos of others.

The site is planning a back-to-school marketing push, including a happy hour near Arizona State University where a rap artist named Sabotage will perform a song about the pleasures of campus gossip.

Another site, CollegeACB (the letters stand for Anonymous Confession Board), [...]]]> A while ago, the notorious college gossip website, Juicy Campus, bit the dust.  But according to an article by Jeffrey Young in the Chronicle of Higher Education:

“This is the new JuicyCampus,” says a note at Campus Gossip, which boasts campus-specific message boards for hundreds of colleges and encourages anonymous and racy barbs such as “These Fellas got herpes,” with a list of names attached. Going even further than its predecessor, there’s also a photo section where students can post embarrassing pictures and videos of others.

The site is planning a back-to-school marketing push, including a happy hour near Arizona State University where a rap artist named Sabotage will perform a song about the pleasures of campus gossip.

Another site, CollegeACB (the letters stand for Anonymous Confession Board), paid the defunct JuicyCampus $10,000 to redirect visitors from its Web address to CollegeACB.

For those who want a first-hand look at these sites, the Campus Gossip site is here and the CollegeACB site is here.  I’m quoted in the article, as is co-blogger Danielle Citron:

Internet shaming creates an indelible blemish on a person’s identity,” wrote Daniel J. Solove, a professor of law at George Washington University, in his 2007 book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press). “It’s similar to being forced to wear a digital scarlet letter or being branded or tattooed. People acquire permanent digital baggage. They are unable to escape their past, which is forever etched into Google’s memory.” . . . .

“I don’t see why it has to be that way,” the law professor told me in a recent interview. “Just like when you drive, it’s not a free-for-all,” he added, equating the current laws governing online forums to a road without traffic lights or stop signs. “It’s like if we looked at the roads and said, There’s just nothing to be done—let’s just abolish all rules of the road.” . . . .

Danielle Citron, a law professor at the University of Maryland at Baltimore, said she hoped that stamping out harassment on campus-gossip Web sites would be considered a matter of civil rights.

She makes the case in an article published in the Michigan Law Review this year called “Law’s Expressive Value in Combating Cyber Gender Harassment.” In it, she argues that law-enforcement officials fail to take seriously complaints about online anonymous comments, and that using “civil-rights remedies” may be the most effective way to pursue such acts.

“Women should not have to wait until cyberharassment fulminates into physical violence for law enforcement to address it,” she wrote. “A civil-rights agenda … would demonstrate that the Internet is not the lawless Wild West, just as court settlements and state legislation made clear that the home does not insulate abusing husbands from societal intervention.”

In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):

[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use [...]]]> The Lori Drew case has finally been decided.  Background about the case is here.  In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.

In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):

[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].” City of Chicago [v. Morales], 527 U.S. [41] at 64 [(1999)].

Congratulations to Orin Kerr, who assisted in the defense, and who is cited numerous times throughout the court’s opinion.

Cohen started pursuing the defamation suit against the anonymous ‘Skanks’ blogger in January after discovering the site, on which the blogger called Cohen a skank, a ho, and an old hag, among other nasty things, and posted photos of her, taken from various websites. Since Cohen needed the identity of the blogger in order to file the lawsuit against her, a judge in Manhattan granted Cohen’s request to force Google to reveal the e-mail address and IP address of the alleged defamer.

Cohen has since dropped her $3 million lawsuit.  The unmasked blogger — Rosemary Port — plans to sue Google [...]]]> A model named Liskula Cohen was being attacked on a blog called Skanks in NYC.  The author of the Skanks blog was anonymous.  Kashmir Hill reports:

Cohen started pursuing the defamation suit against the anonymous ‘Skanks’ blogger in January after discovering the site, on which the blogger called Cohen a skank, a ho, and an old hag, among other nasty things, and posted photos of her, taken from various websites. Since Cohen needed the identity of the blogger in order to file the lawsuit against her, a judge in Manhattan granted Cohen’s request to force Google to reveal the e-mail address and IP address of the alleged defamer.

Cohen has since dropped her $3 million lawsuit.  The unmasked blogger — Rosemary Port — plans to sue Google for $15 million for breaching its fiduciary duty to defend her anonymity.

Over at CyberSLAPP, a website maintained by EFF (disclosure: I’m on EFF’s advisory board), ACLU, CDT, EPIC, and Public Citizen, they have posted documents from the case, including the court’s order to Google to unmask the author of Skanks.

CyberSLAPP seeks to combat frivolous lawsuits to reveal another’s identity:

CyberSLAPP cases typically involve a person who has posted anonymous criticisms of a corporation or public figure on the Internet. The target of the criticism then files a frivolous lawsuit just so they can issue a subpoena to the Web site or Internet Service Provider (ISP) involved, discover the identity of their anonymous critic, and intimidate or silence them.

The Skanks in NYC raises a lot of interesting issues.  I’ll tackle a few in this post.

1.Was Cohen’s lawsuit frivolous? Cohen might have a decent defamation lawsuit, but she subsequently dropped it when she found out Cohen’s identity.  This behavior indicates she was using the lawsuit only to unmask the blogger.  I agree with CyberSLAPP that such a practice should be restricted.

2. Did the court properly reveal Port’s identity? I believe that the court used too low a standard in revealing the blogger’s identity.  The court ordered Google to reveal the anonymous blogger because “a strong showing that a cause of action exists.”  This standard appears to be little more than requiring the plaintiff to survive a motion to dismiss.  While I’m very sympathetic to people who have been injured through online defamation and invasions of privacy, I’m also wary of courts being too quick to reveal the identities of bloggers.  I believe that in order to reveal a blogger’s identity, plaintiffs must meet the summary judgment standard, as set forth in Doe v. Cahill, 884 A.2d 451 (Del. 2005) (I blogged about it here).

3. Does Port have a cause of action against Google? I don’t think she’s got much of a case.  Google was complying with a court order.  However, over at PogoWasRight, Dissent raises the interesting point that Google had a rather anemic defense of Port’s anonymity.  Could Google be liable for not doing enough to defend Port?  Maybe, as EFF attorney Matt Zimmerman notes in Dissent’s post, if Google didn’t notify the anonymous blogger and give her a chance to respond.  Beyond that, though, I’m not sure that there’s much of a case against Google, but there may be facts I’m not aware of that would change my opinion.

4. Does Port have a cause of action against Cohen for using the legal process to reveal her identity? A better defendant than Google might be Cohen.  Port may be able to sue Cohen, perhaps for abuse of the legal process, if Port can prove that Cohen initiated a frivolous action solely to unmask her.  The revealing of an anonymous blogger’s identity is a privacy invasion in my opinion, because it links speakers to things they said that they don’t want to be connected with their true identity.  The use of legal process and obtaining of a court order might provide shelter to Cohen unless Port could prove it was just a ruse to reveal her identity.

5. How should courts protect anonymous bloggers? In addition to using the summary judgment standard, courts should require a plaintiff who finds out the identity of an anonymous blogger to keep it confidential until it absolutely must be revealed to the public.  Courts should enforce this via a protective order. A lawsuit can proceed quite far before it is necessary to reveal a litigant’s name to the general public.

Moreover, plaintiffs should be prohibited (to the extent possible) from using unmasking the identity of an anonymous blogger as a bargaining chip in settlement negotiations.

However, in the end, if a blogger has anonymously invaded a person’s privacy or defamed that person, then the blogger should be held responsible.  I fully support a person’s ability to sue for privacy violations or defamation.  Anonymity shouldn’t be a shield for hurting other people and committing torts (or crimes).  The difficulty is in robustly protecting people’s First Amendment right to speak anonymously and preventing harm to people from invasions of privacy and defamation.

For more on the Skanks case, see this other post by Kashmir Hill discussing the rights of the Skanks blogger.

For more on the issue of blogging and anonymity, see also this story on CNN about the coming-out stories of anonymous bloggers.  I have a quote in it, and the reporter kindly linked to The Future of Reputation.

Over at the New York Times Bits Blog, Jenna Wortham writes:

According to a new study conducted by Harris Interactive for CareerBuilder.com, 45 percent of employers questioned are using social networks to screen job candidates — more than double from a year earlier, when a similar survey found that just 22 percent of supervisors were researching potential hires on social networking sites like Facebook, MySpace, Twitter and LinkedIn.

The study, which questioned 2,667 managers and human resource workers, found that 35 percent of employers decided not to offer a job to a candidate based on the content uncovered on a social networking site. (The survey has no margin of sampling error because it was not drawn from a representative nationwide sample but rather from volunteer participants.)

According to [...]]]>

Over at the New York Times Bits Blog, Jenna Wortham writes:

According to a new study conducted by Harris Interactive for CareerBuilder.com, 45 percent of employers questioned are using social networks to screen job candidates — more than double from a year earlier, when a similar survey found that just 22 percent of supervisors were researching potential hires on social networking sites like Facebook, MySpace, Twitter and LinkedIn.

The study, which questioned 2,667 managers and human resource workers, found that 35 percent of employers decided not to offer a job to a candidate based on the content uncovered on a social networking site. (The survey has no margin of sampling error because it was not drawn from a representative nationwide sample but rather from volunteer participants.)

According to the report, most employers did their research on applicants by using Facebook.  I wonder whether they respected the applicants’ privacy settings.  If the applicants limited the access of their profile to a select group of friends, and the employer accessed that profile, then the employer might find themselves at odds with the Computer Fraud and Abuse Act — with possible criminal penalties!

What leads to job rejections?  Photos!  Photos involving nudity, drink, and drugs are the most frequent job killers.

As I discuss in The Future of Reputation: Gossip, Rumor, and Privacy on the Internet, people must learn to be more careful about what they post about themselves and others or else they will face serious consequences and lost opportunities.

In an earlier post regarding college admissions officers researching applicants online, I argued that most lack guidelines for how they conduct such research and for how they use the information they find.  These questions also pertain to employers:

* Should such information be used? When?

* How heavily should it be relied upon?

* What kinds of things should negatively impact an applicant? Information about sex life? Drug use? Drinking? Bad behavior?

* What steps should be taken to make sure that the information was accurate?

* Should a distinction be made between information that people post about themselves and information that others have posted about them, perhaps invading their privacy without their consent?

* What steps should be taken to make sure that the information used in fact relates to the applicant and not to somebody else with the same name?

* Should people be notified that information online was used against them and be given an opportunity to be heard to explain it?

“It basically leaves it up to a website owner to determine what is a crime,” said Wu on Thursday, echoing what critics of the case have been saying for months. “And therefore it criminalizes what would be a breach of contract.” . . . .

Wu told Assistant U.S. Attorney Mark Krause that if Drew had been convicted of the felonies, he would have let the convictions stand, and would have already sentenced her. But the misdemeanor [...]]]> Judge George Wu has ruled that he is planning to dismiss the charges against Lori Drew, the woman involved in the MySpace suicide case involving Megan Meier.  Background about the case is here.  According to an article by Kim Zetter of Wired, who has provided terrific coverage of the case:

“It basically leaves it up to a website owner to determine what is a crime,” said Wu on Thursday, echoing what critics of the case have been saying for months. “And therefore it criminalizes what would be a breach of contract.” . . . .

Wu told Assistant U.S. Attorney Mark Krause that if Drew had been convicted of the felonies, he would have let the convictions stand, and would have already sentenced her. But the misdemeanor convictions troubled him, because of the vague wording of the statute. . . .

To convict Drew of the felonies, prosecutors would have needed to prove two things: that Drew accessed MySpace “without authorization,” and did it for the purpose of committing a tortious act — in this case, to intentionally cause harm to Megan Meier.

But for the misdemeanors, the jury just had to find that Drew obtained the unauthorized access. Wu said that language, standing on its own, was too vague to pass constitutional muster in this case.

“I don’t see how the misdemeanor aspect would be constitutional,” he said. “That is the issue I’m wrestling with at this time.”

Wu also doubted that MySpace provided sufficient notice to members to hold them responsible. If a user didn’t read the terms of service, the judge asked prosecutor Krause, could they still be charged with violating them?

In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.  I’m encouraged that Judge Wu agrees, though I believe the CFAA is unconstitutionally vague not only in its misdemeanor provisions, but in its felony ones as well.

Congratulations to my colleague, Orin Kerr, who assisted in Lori Drew’s defense.

The AP story is here.

President Obama has stressed that privacy is key to the government’s cyber security efforts.  Davis’s record on privacy issues, however, is troubling.  As Wired’s Ryan Singel reports, Davis has been on the “wrong side of privacy issues.”  Davis supported the controversial REAL ID Act.”  He attempted to undo a measure that ultimately put [...]]]> According to Time magazine, former Congressman Tom Davis has emerged as a front runner for the newly created Cyber Security Czar position.  The Time piece cited Davis’s authorship of the Federal Information Security Management Act of 2002, his work as chair of the Subcommittee on Technology and Procurement policy, his connections to the IT community through his former district, and his current work at Deloitte as some of the reasons supporting his candidacy.

President Obama has stressed that privacy is key to the government’s cyber security efforts.  Davis’s record on privacy issues, however, is troubling.  As Wired’s Ryan Singel reports, Davis has been on the “wrong side of privacy issues.”  Davis supported the controversial REAL ID Act.”  He attempted to undo a measure that ultimately put a chief privacy officer in every major government agency.  He embraced the Bush Administration’s expansion of government wiretapping powers.  Aside from his spotty record on privacy, Davis’s congressional record suggests that he does not share the President’s regard for government transparency.  He helped pass the Critical Infrastructure Act, which created an exemption to FOIA for information provided DHS by private companies concerning its oversight of critical infrastructure.  Hopefully, the President will consider these issues before making his final decision.

Celia Barnes’ ex-boyfriend created fake profiles in her name on Yahoo.  Moreover, as the court relates:

The profiles contained nude photographs of Barnes and her boyfriend, taken without her knowledge, and some kind of open solicitation, whether express or implied is unclear, to engage in sexual intercourse. The ex-boyfriend then conducted discussions in Yahoo’s online “chat rooms,” posing as Barnes and directing male correspondents to the fraudulent profiles he had created. The profiles also included the [...]]]> The Ninth Circuit recently decided Barnes v. Yahoo!, a case with some very interesting holdings relating to the Communications Decency Act § 230 as well as promissory estoppel.  I wrote about this case briefly in my book, The Future of Reputation, long before it made it up to the Ninth Circuit.

Celia Barnes’ ex-boyfriend created fake profiles in her name on Yahoo.  Moreover, as the court relates:

The profiles contained nude photographs of Barnes and her boyfriend, taken without her knowledge, and some kind of open solicitation, whether express or implied is unclear, to engage in sexual intercourse. The ex-boyfriend then conducted discussions in Yahoo’s online “chat rooms,” posing as Barnes and directing male correspondents to the fraudulent profiles he had created. The profiles also included the addresses, real and electronic, and telephone number at Barnes’ place of employment. Before long, men whom Barnes did not know were peppering her office with emails, phone calls, and personal visits, all in the expectation of sex.

Barnes contacted Yahoo to get the profiles taken down:

In accordance with Yahoo policy, Barnes mailed Yahoo a copy of her photo ID and a signed statement denying her involvement with the profiles and requesting their removal. One month later, Yahoo had not responded but the undesired advances from unknown men continued; Barnes again asked Yahoo by mail to remove the profiles. Nothing happened. The following month, Barnes sent Yahoo two more mailings. During the same period, a local news program was preparing to broadcast a report on the incident. A day before the initial air date of the broadcast, Yahoo broke its silence; its Director of Communications, a Ms. Osako, called Barnes and asked her to fax directly the previous statements she had mailed. Ms. Osako told Barnes that she would “personally walk the statements over to the division responsible for stopping unauthorized profiles and they would take care of it.” Barnes claims to have relied on this statement and took no further action regarding the profiles and the trouble they had caused. Approximately two months passed without word from Yahoo, at which point Barnes filed this lawsuit against Yahoo in Oregon state court. Shortly thereafter, the profiles disappeared from Yahoo’s website, apparently never to return.

The court held, as expected, that Section 230 immunizes Yahoo from Barnes’s claim that it was negligent in removing the content.   This is in line with many courts that have interpreted the scope of Section 230 immunity.

The interesting part of the court’s holding involves Barnes’s promissory estoppel claim.  For non-lawyers, promissory estoppel is a doctrine that provides that when one makes a promise to another person, and that person relies on that promise, then the promise will be treated akin to a contract.  Ordinarily a contract requires bargaining and consideration, which are often lacking with mere promises.

Barnes contended that she relied on Yahoo’s promise to take down the tortious profiles and did not pursue other avenues of relief because of her belief that Yahoo would fulfill its promise.  The court held that Section 230 didn’t immunize Yahoo against the promissory estoppel claim as it had against Barnes’s tort claims:

Subsection 230(c)(1) creates a baseline rule: no liability for publishing or speaking the content of other information service providers. Insofar as Yahoo made a promise with the constructive intent that it be enforceable, it has implicitly agreed to an alteration in such baseline.

I agree with this conclusion.  Promissory estoppel and contract claims differ from tort claims such as negligence, defamation, or invasion of privacy.  Indeed, such claims are treated very differently under the First Amendment, with tort claims receiving full scrutiny and contract/promissory estoppel claims receiving virtually no scrutiny.  In a recent paper, Neil Richards and I discuss why First Amendment law takes such wildly divergent approaches: Rethinking Free Speech and Civil Liability, 109 Columbia Law Review (forthcoming 2009).  We also argue that the line shouldn’t be drawn based on the formalist distinction between tort and contract, as this distinction readily breaks down.  For example, we conclude that the tort of breach of confidentiality should be treated akin to contract/promissory estoppel claims rather than tort claims such as defamation and public disclosure of private facts.

Back to the case.  One of the potential problems with the court’s holding is that it may deter ISPs and other sites from having an explicit policy for removing tortious material.  Yahoo could be penalized with potential liability and a loss of its immunity by having a removal policy.  An ISP or site that has no such removal policy and that would say “get lost” to people who request takedowns would not be subject to promissory estoppel liability.  Is it fair to penalize those who have such policies?

The court notes how its holding is limited:

[A] general monitoring policy, or even an attempt to help a particular person, on the part of an interactive computer service such as Yahoo does not suffice for contract liability. This makes it easy for Yahoo to avoid liability: it need only disclaim any intention to be bound.

In other words, Yahoo is liable not because it had a general removal policy, but because it made specific promises to Barnes.

Eric Goldman argues that policies can readily be redrafted.  He notes that “websites can easily manage their potential exposure to this claim by picking their words carefully.”

I hope that the Ninth Circuit’s holding doesn’t result in various sites qualifying all their promises and weakening their policies in the hopes of avoiding liability.  One of the problems with situations faced by Barnes and others is that the websites and ISPs that have the offensive information posted about victims are often not in any customer relationship with the victims.   Barnes did not contact Yahoo for a regular customer complaint with its service — she was hurt by a Yahoo customer.  The removal policies at many sites and ISPs help people who are often non-customers.  There is no particularly strong incentive for such sites and ISPs to respond to such complaints as with customers who could threaten to leave.

The court’s holding, though correct, might encourage ISPs and sites to further attempt to hide under Section 230’s umbrella by weakening promises to take down harmful content.  And that’s a problem because the original goal of Section 230 was to encourage sites to monitor and take down offensive and hurtful content.  Now the law seems to be saying loudly: You have no responsibility to protect people from harmful content about them.  If you do nothing, then you’re not liable because of Section 230 immunity.  If you promise to protect people, then you might be liable.

This reminds me of Stratton Oakmont, Inc. v. Prodigy Services Co., 23 Media L. Rep. 1794 (N.Y. Sup. 1995), where the court held that an ISP could be liable for content provided by another because it had a policy of monitoring content.  This was the very case that Congress wanted to overrule when it passed the CDA 230.

Ironically, the law of Section 230 immunity seems to have moved closer to Stratton Oakmont with the Ninth Circuit’s holding (of course, very significant differences still remain).  This isn’t the fault of the Ninth Circuit’s holding, which strikes me as quite valid.  Rather, it is due to the perverse implications of the overreaching interpretations of CDA immunity that most courts have now adopted, making such immunity near absolute for tort claims.

For further discussion of some of the other issues in the case, see Paul Levi’s post at Consumer Law & Protection Blog and Eric Goldman’s post at Technology & Marketing Law Blog.

Yesterday’s Washington Post sadly underscored that point in its coverage of Peoples Dirt.  The site has the dubious distinction of being one of the first to organize anonymous gossip by high schools.  A review of its postings reveals that the site is a Juicy Campus for Juniors.  And like its now-defunct older sibling, Peoples Dirt is filled with attacks on named individuals.  As Brian Leiter has aptly described similar sites, it is a cyber cesspool of racist, sexist, and homophobic rants.  Posters claim to have had sex [...]]]> When Juicy Campus closed for business, many students, parents, and educators sighed with relief.  We unfortunately had little to celebrate.  As I noted then, Juicy Campus was but one player in a crowded line up of anonymous attack sites.

Yesterday’s Washington Post sadly underscored that point in its coverage of Peoples Dirt.  The site has the dubious distinction of being one of the first to organize anonymous gossip by high schools.  A review of its postings reveals that the site is a Juicy Campus for Juniors.  And like its now-defunct older sibling, Peoples Dirt is filled with attacks on named individuals.  As Brian Leiter has aptly described similar sites, it is a cyber cesspool of racist, sexist, and homophobic rants.  Posters claim to have had sex with named female students.  They disparage named girls’ body parts; they compile lists of the “ugliest middle school” girls.  They discuss students’ sexuality in threatening ways.  A posting under a male student’s name: “we know your g@y…just come out of the closet…and you should choke on a dick and die.”

Sadly, the era of the anonymous gossip site is far from over.

Stock.xchng image

Two weeks later, Lesli’s brother, Geoff, got a call from a neighbor. “Have you seen the photos?” he asked. Apparently, photos of the crash scene were circulating around town, via e-mail. Soon they showed up on Web sites, many of them dedicated to hard-core pornography and death. A fake MySpace page was set up in Nikki’s name, where she was identified [...]]]> In Newsweek, Jessica Bennett tells the tragic story about a family being harassed by the spread of death-scene images of their daughter, who was killed in an automobile accident. The photos of Nikki Catsouras were particularly gruesome — Nikki was decapitated in the crash. According to the article, soon after the crash, photos taken by the California Highway Patrol started circulating on the Internet:

Two weeks later, Lesli’s brother, Geoff, got a call from a neighbor. “Have you seen the photos?” he asked. Apparently, photos of the crash scene were circulating around town, via e-mail. Soon they showed up on Web sites, many of them dedicated to hard-core pornography and death. A fake MySpace page was set up in Nikki’s name, where she was identified as a “stupid bitch.” “That spoiled rich girl deserved it,” one commenter wrote. “What a waste of a Porsche,” announced another.

The family filed a formal complaint about the photos’ release, and three months later, they received a letter of apology from the California Highway Patrol. An investigation had revealed that the images, taken as a routine part of a fatal accident response, had been leaked by two CHP dispatchers: Thomas O’Donnell, 39, and Aaron Reich, 30. O’Donnell, a 19-year CHP veteran, had been suspended for 25 days without pay. Reich quit soon after—for unrelated reasons, says his lawyer. Both men declined requests for comment, but Jon Schlueter, Reich’s attorney, says his client sent the images to relatives and friends to warn them of the dangers of the road. “It was a cautionary tale,” Schlueter says. “Any young person that sees these photos and is goaded into driving more cautiously or less recklessly—that’s a public service.”

Apparently, the two California Highway Patrol officers took the pictures and improperly circulated them to others. The photos then started spreading like a virus around the Internet.

The conduct of the anonymous people spreading the photos over the Internet was despicable. From the complaint:

An individual sent an e-mail to Christos Catsouras with the subject line “Woo Hoo Daddy,” whereupon Christos Catsouras opened it, only to read the e-mail message stating “Hey Daddy I’m still alive,” with the graphic and horrific images of Decedent’s uncovered decapitated remains displayed immediately next to the message. . . .

An individual sent an e-mail to Plaintiffs with the subject line “Fletcher Jones,” which is a Mercedes-Benz dealer in Orange County, California, whereupon Christos Catsouras opened it, only to see the graphic and horrific images of Decedent’s uncovered decapitated remains displayed on the e-mail message. . . .

Over 2,500 Internet websites have been identified throughout in the United States and the United Kingdom which have posted the graphic and horrific images of Decedent’s uncovered remains, and all of them have done so without the permission, authority or consent of any of the Plaintiffs.

The family brought suit against the California Highway Patrol, alleging, among other things, that it violated the family’s constitutional right to information privacy. In Whalen v. Roe, 429 U.S. 589 (1977), the Supreme Court stated that the constitutional right to privacy protected two “different kinds of interests” — (1) “the individual interest in avoiding disclosure of personal matters” and (2) “the interest in independence in making certain kinds of important decisions.” The first interest has become known as the constitutional right to information privacy. Most federal circuit courts have recognized the constitutional right to information privacy, including the 9th Circuit.

But the trial court threw out their claim. In a pithy order, the court declared that no duty exists between the highway patrol officers and the family members. The case is currently on appeal.

This reasoning strikes me as incorrect. I’m quoted in the Newsweek article, but here’s an elaboration of my argument as to why the court got it wrong.

The California Highway Patrol owes a duty to all citizens to not violate their constitutional rights. This includes the Catsouras family’s constitutional right to information privacy.

The constitutional right to information privacy provides protection if a person has a privacy interest, if government officials violated that interest by disclosing personal information, and if the privacy interest isn’t outweighed by the government’s interest in disclosure. All of these elements are met.

Families have a privacy interest in death-scene photos of deceased relatives. In National Archives and Records Admin. v. Favish, 541 U.S. 157 (2004), a Freedom of Information Act case, the U.S. Supreme Court declared:

We have little difficulty . . . in finding in our case law and traditions the right of family members to direct and control disposition of the body of the deceased and to limit attempts to exploit pictures of the deceased family member’s remains for public purposes. . . .

In addition this well-established cultural tradition acknowledging a family’s control over the body and death images of the deceased has long been recognized at common law. Indeed, this right to privacy has much deeper roots in the common law. . . . An early decision by the New York Court of Appeals is typical:

It is the right of privacy of the living which it is sought to enforce here. That right may in some cases be itself violated by improperly interfering with the character or memory of a deceased relative, but it is the right of the living, and not that of the dead, which is recognized. A privilege may be given the surviving relatives of a deceased person to protect his memory, but the privilege exists for the benefit of the living, to protect their feelings, and to prevent a violation of their own rights in the character and memory of the deceased. Schuyler v. Curtis, 147 N.Y. 434 (1895). . . .

As the Supreme Court notes, many courts have held that families have a privacy interest in photos of deceased relatives in cases involving common law privacy torts. Given the extensive legal recognition of such a privacy interest, it is reasonable to conclude that such an interest would exist in the context of the constitutional right to information privacy.

Once a privacy interest is identified, the government has a duty to avoid unwarranted disclosure of personal information unless there is a countervailing interest that outweighs the privacy interest. In the Catsouras case, the disclosure of the photos was clearly unwarranted. The police department punished the dispatchers for the disclosure, indicating that the disclosure was not condoned. These facts indicate to me a rather compelling case under existing law that the California Highway Patrol is liable for violating the Catsouras’s constitutional right to information privacy.

The Catsouras family has only sued the California Highway Patrol, but I believe that they would also have a case for intentional infliction of emotional distress against some of the individuals who engaged in some of the more egregious behavior such as targeting the family with emails with the pictures (as described in the complaint above). To be liable under this tort, a defendant’s conduct must be “extreme and outrageous” and cause “severe emotional distress.”

It is clear that people cannot be punished merely for disseminating the photos, since they were leaked by the government. See Cox Broadcasting v. Cohn, 420 U.S. 469 (1975). But some of the conduct alleged in this case — people deliberately contacting members of the Catsouras family and assaulting them with the images — goes beyond the umbrella of First Amendment protection in Cox.

Social networking sites and blogs have increasingly become breeding grounds for anonymous online groups that attack women, people of color, and members of other traditionally disadvantaged groups. These destructive groups target individuals with defamation, threats of violence, and technology-based attacks that silence victims and concomitantly destroy their privacy. Victims go offline or assume pseudonyms to prevent future attacks, impoverishing online dialogue and depriving victims of the social and economic opportunities associated with a vibrant online presence. Attackers manipulate search engines to reproduce their lies and threats for employers and clients to see, creating [...]]]> From tomorrow through Thursday, Concurring Opinions will be hosting a number of scholars invited to discuss Danielle Citron’s work Cyber Civil Rights. Responding to controversies over online attacks, Citron argues the following:

Social networking sites and blogs have increasingly become breeding grounds for anonymous online groups that attack women, people of color, and members of other traditionally disadvantaged groups. These destructive groups target individuals with defamation, threats of violence, and technology-based attacks that silence victims and concomitantly destroy their privacy. Victims go offline or assume pseudonyms to prevent future attacks, impoverishing online dialogue and depriving victims of the social and economic opportunities associated with a vibrant online presence. Attackers manipulate search engines to reproduce their lies and threats for employers and clients to see, creating digital “scarlet letters” that ruin reputations. . . .

Web 2.0 technologies accelerate mob behavior. With little reason to expect self-correction of this intimidation of vulnerable individuals, the law must respond. General criminal statutes and tort law proscribe much of the mobs’ destructive behavior, but the harm they inflict also ought to be understood and addressed as civil rights violations. Civil rights suits reach the societal harm that would otherwise go unaddressed and would play a crucial expressive role. Acting against these attacks does not offend First Amendment principles when they consist of defamation, true threats, intentional infliction of emotional distress, technological sabotage, and bias-motivated abuse aimed to interfere with a victim’s employment opportunities. To the contrary, it helps preserve vibrant online dialogue and promote a culture of political, social, and economic equality.

As I’ve noted before, I think this piece breaks new ground in applying venerable laws to the online environment. In this cyber-symposium, we propose to discuss the following issues:

What can the law do to respond to these threats?

How we deter harassment while promoting legitimate speech?

How do we balance the privacy rights of speakers and those they speak about in the new communicative landscape created by sites like AutoAdmit, Juicy Campus, Facebook, and anonymous message boards?

A list of scholars invited to discuss these issues appears below:

Ann Bartow

David Fagundes

Michael Froomkin

Nathaniel Gleicher

James Grimmelmann

Orin Kerr

Nancy Kim

Susan Kuo

Daithí Mac Síthigh

Helen Norton

David Post

David Robinson

As co-organizers of the online symposium, Danielle, David Hoffman, Deven Desai and I welcome these guests and look forward to participating in the discussion. We have decided to default to “no comments” for this cyber-symposium. It was a tough decision, but ultimately we tended to feel that, for this topic in particular, the costs of editing and/or responding to abusive or off-topic comments would likely be higher than the benefits of our usual default to openness.

As recent controversies have shown, it’s easy for online mobs to inflict real injuries on their victims–and women bear a disproportionate share of the abuse. Citron argues that “acting against these attacks . . . helps preserve vibrant online dialogue and promote a culture of political, social, and economic equality.” We look forward to an animated and insightful discussion on how to balance liberty, equality, and privacy online.

Recently, Professor Neil Richards and I posted on SSRN our new article exploring this question: Rethinking Free Speech and Civil Liability, 109 Columbia Law Review (forthcoming 2009).

Surprising, the issue of when civil liability for speech triggers First Amendment scrutiny is governed by two totally contradictory rules. Since New York Times v. Sullivan, the First Amendment applies to tort liability for speech, including defamation and invasion of privacy.

But in other contexts, the First Amendment does not apply to liability for speech. According to Cohen v. Cowles, there is no First Amendment scrutiny for speech restricted by promissory estoppel and contract. The First Amendment rarely requires scrutiny when property rules restrict speech.

In a large range [...]]]> When does civil liability for speech trigger First Amendment protections?

Recently, Professor Neil Richards and I posted on SSRN our new article exploring this question: Rethinking Free Speech and Civil Liability, 109 Columbia Law Review (forthcoming 2009).

Surprising, the issue of when civil liability for speech triggers First Amendment scrutiny is governed by two totally contradictory rules. Since New York Times v. Sullivan, the First Amendment applies to tort liability for speech, including defamation and invasion of privacy.

But in other contexts, the First Amendment does not apply to liability for speech. According to Cohen v. Cowles, there is no First Amendment scrutiny for speech restricted by promissory estoppel and contract. The First Amendment rarely requires scrutiny when property rules restrict speech.

In a large range of situations, however, these rules collide. Tort, contract, and property law overlap to a substantial degree, so formalistic distinctions between areas of law will not adequately resolve when the First Amendment should apply to civil liability.

This conflict is vividly illustrated by the law of confidentiality. We pose the following hypothetical in the article:

Suppose an attorney representing a client in a highly-publicized case discloses the client’s confidential information. The client sues under the breach of confidentiality tort. The attorney claims that she was engaging in free speech and that the First Amendment protects her right of expression. Does the Sullivan or Cohen rule apply? One could argue that the Sullivan rule applies because breach of confidentiality is a tort. On the other hand, breach of confidentiality remedies a contract-like harm. Even if never expressed orally or in writing, an implicit agreement exists between the attorney and client that the attorney will maintain the confidentiality of the client’s information. Perhaps this situation should fall under the Cohen rule because the breach of confidentiality claim more closely resembles an action for promissory estoppel rather than an action for public disclosure of private facts. If this were the case, then the First Amendment would not apply.

In our article, we explore how this problem can be resolved. We survey the way that existing doctrine and theories attempt to address the conflict between the Sullivan and Cohen rules, and we demonstrate why such approaches are lacking. We aim to develop a coherent approach for resolving when the First Amendment applies to civil liability for speech. To find out our solution, take a look at our article and let us know what you think.

The video that sparked the investigation was captured in a Turin classroom. Four high school boys were recorded taunting a young man with Down syndrome, and hitting the 17-year-old with a tissue box. One of the boys uploaded the footage to Google Video’s Italian site on September 8, 2006.

According to Google, more than 200,000 videos are uploaded to Google Video each day. Under EU legislation incorporated into Italian law in 2003, Internet service providers are not responsible for [...]]]> In Italy, a rather disturbing prosecution is taking place. Google officials, including Chief Privacy Counsel Peter Fleischer, are being criminally prosecuted for a video somebody else uploaded to YouTube. According to an article by Tracey Bentley in the International Association of Privacy Professionals’ The Privacy Advisor:

The video that sparked the investigation was captured in a Turin classroom. Four high school boys were recorded taunting a young man with Down syndrome, and hitting the 17-year-old with a tissue box. One of the boys uploaded the footage to Google Video’s Italian site on September 8, 2006.

According to Google, more than 200,000 videos are uploaded to Google Video each day. Under EU legislation incorporated into Italian law in 2003, Internet service providers are not responsible for monitoring third-party content on their sites, but are required to remove content considered offensive if they receive a complaint about it. Between November 6 and 7, 2006, Google received two separate requests for the removal of the video–one from a user, and one from the Italian Interior Ministry, the authority responsible for investigating Internet-related crimes. Google removed the video on November 7, 2006, within 24 hours of receiving the requests.

Nonetheless, Milan public prosecutor Francesco Cajani decided that by allowing the 191-second clip onto its site, Google executives were in breach of Italian penal code. . . .

Cajani is prosecuting Google as an Internet content provider. Unlike Internet service providers, Italian penal code states that Internet content providers are responsible for the third-party content posted to their sites. This is essentially the same law regulating newspaper and television publishers.

I’ve been quite critical of very broad immunity for websites or ISPs that host defamatory or privacy invasive content of others. See Chapter 6 of The Future of Reputation. However, I find this Italian prosecution extremely troubling. And if I find it troubling, one can only imagine how apoplectic Professor Eric Goldman will be!

First, this is a criminal prosecution, and I’m generally very troubled for criminal prosecutions for defamation or privacy invasions. There might be some limited circumstances where criminal liability is warranted, though I believe that the problem is best deal with through civil liability, not criminal. While the prospect of civil liability can certainly chill speech, criminal law is an even more serious threat, and therefore, it shouldn’t be treated in the same way. Free speech protections should therefore be greater when criminal liability is involved.

Second, Google is not the content provider here. It shouldn’t be prosecuted as one. Apparently, from the reports (I haven’t seen the specific Italian law), Italy has a law that resembles Communications Decency Act (CDA), 47 U.S.C. § 230, which immunizes a website or ISP for the content posted by others. I agree with this general immunity. However, I believe that if a website or ISP is on notice that content is defamatory or invasive of privacy, then it must take down that material or lose its immunity from civil liability. Under the CDA, as interpreted by the courts, websites and ISPs are immune even after having knowledge that content posted on their sites is defamatory or invasive of privacy. I’ve argued that immunity under these circumstances is going too far. From what I’ve read, Italian law adopts the position I advocate.

But Google complied with the law and took down the videos after being notified. Thus, I don’t understand what Google did wrong. I don’t understand how it can be deemed the content provider. If Google officials can be criminally prosecuted any time a person uploads a defamatory or privacy invasive video to YouTube, it’s hard to see how they can possibly avoid running afoul of the law. YouTube and much of Web 2.0 would pose massive risks of criminal liability.

So as one who has strongly advocated for less immunity for defamatory and privacy invasive material online, even I find Italy’s prosecution of Fleischer and other Google executives to be quite outrageous and unjustified.

If anyone has a link to the Italian ISP immunity legislation in English, as well as more information about the specific criminal charges against Google, please let me know.

The case is a criminal prosecution of a man who secretly recorded his girlfriend in the nude, in violation of Wisconsin Statute § 942.09(2)(am). I’ve posted the text of the full statute below. The statute provides that it is a felony to record another person in the nude without that person’s consent “in a circumstance in which [the person] has a reasonable expectation of privacy.” The defendant contended that his girlfriend didn’t have a reasonable expectation of privacy because (as the court characterizes his argument), “she knowingly and consensually exposed her [...]]]> An interesting case from the Wisconsin Court of Appeals embodies what I believe is a thoughtful and nuanced understanding of privacy. The case is Wisconsin v. Jahnke, 2007AP2130-CR (Dec. 30, 2008).

The case is a criminal prosecution of a man who secretly recorded his girlfriend in the nude, in violation of Wisconsin Statute § 942.09(2)(am). I’ve posted the text of the full statute below. The statute provides that it is a felony to record another person in the nude without that person’s consent “in a circumstance in which [the person] has a reasonable expectation of privacy.” The defendant contended that his girlfriend didn’t have a reasonable expectation of privacy because (as the court characterizes his argument), “she knowingly and consensually exposed her nude body to him while he was secretly videotaping her.” In other words, he argued that since she expected to be seen by him, she lost her expectation of privacy in her nude body.

The court wisely rejected the defendant’s construction of the statute:

Under this construction, Jahnke’s girlfriend’s privacy interest in not being recorded in the nude is left unprotected any time she permits anyone, under any circumstance, to view her nude. If she disrobes in a medical facility and permits medical personnel to view her, such personnel could record her without violating subsection 1 and, of course, later share that recording without violating subsections 2 or 3. It is one thing to be viewed in the nude by a person at some point in time, but quite another to be recorded in the nude so that a recording exists that can be saved or distributed and viewed at a later time.

The dissent raises some interesting arguments involving statutory construction and some prior caselaw. In particular, the dissenting judge points to an earlier decision defining the term “reasonable expectation of privacy” under the statute, holding that it “requires that the person who is depicted nude is in a circumstance in which he or she has an assumption that he or she is secluded from the presence or view of others, and that assumption is a reasonable one under all the circumstances.” State v. Nelson, 718 N.W.2d 168 (Wisc. App. 2006). The majority concluded that the Nelson definition was “incomplete” and that the “statute is plainly directed at reasonable expectations vis-à-vis not being recorded.”

The majority opinion wisely avoids a trap that many courts get into — understanding “privacy” narrowly as absolute secrecy or seclusion. Privacy involves a cluster of expectations involving the nature and extent to which their information is captured, used, and disseminated. It seems quite reasonable to assume that two lovers who see each other nude nevertheless expect privacy. They might be exposing their nude bodies to each other, but what they expect is that nobody else will see them. Since this is a criminal statute, it is important that courts avoid interpreting privacy too liberally, especially in areas where expectations of privacy are muddy. But it seems to me that under this circumstance–the nonconsensual recording of a person in the nude when she is exposing her body only to her boyfriend (rather than walking down a public street in the nude)–expectations are clear that the intended exposure is for the boyfriend’s eyes only.

The opinion is here.

WISCONSIN STAT. § 942.09(2)(am) provides:

Whoever does any of the following is guilty of a Class I felony:

1. Captures a representation that depicts nudity without the knowledge and consent of the person who is depicted nude while that person is nude in a circumstance in which he or she has a reasonable expectation of privacy, if the person knows or has reason to know that the person who is depicted nude does not know of and consent to the capture of the representation.

2. Makes a reproduction of a representation that the person knows or has reason to know was captured in violation of subd. 1. and that depicts the nudity depicted in the representation captured in violation of subd. 1., if the person depicted nude in the reproduction did not consent to the making of the reproduction.

3. Possesses, distributes, or exhibits a representation that was captured in violation of subd. 1. or a reproduction made in violation of subd. 2., if the person knows or has reason to know that the representation was captured in violation of subd. 1. or the reproduction was made in violation of subd. 2., and if the person who is depicted nude in the representation or reproduction did not consent to the possession, distribution, or exhibition.

Hat tip: How Appealing