The story began when a pseudonymous commenter stopped by the St. Louis Post-Dispatch site and left a vulgar comment in the reader commentary section. The site admin deleted the comment, and the commenter re-posted it. At this point, the site admin decided to do some basic sleuthing. He traced the commenter’s IP address to a local school, and then he alerted the school (which turned out to be the commenter’s employer) that the vulgar comment had originated from its IP address. The school’s sysadmin was able to trace it from there, and the commenter ultimately lost [...]]]> What happens when a commenter’s privacy expectations collide with a would-be tattletale? This recent news story raises that question, with some interesting facts.

The story began when a pseudonymous commenter stopped by the St. Louis Post-Dispatch site and left a vulgar comment in the reader commentary section. The site admin deleted the comment, and the commenter re-posted it. At this point, the site admin decided to do some basic sleuthing. He traced the commenter’s IP address to a local school, and then he alerted the school (which turned out to be the commenter’s employer) that the vulgar comment had originated from its IP address. The school’s sysadmin was able to trace it from there, and the commenter ultimately lost his job.

I don’t know that any legal privacy rights have been violated here. (Dan?) But this does seem like overreaching by the site admin. Penalties like comment deletion or even banning are within the norms of site administration. Ratting someone out to their boss? I’m not so sure.

But what about Autoadmit? Those commenters also thought that their obnoxious comments would be anonymous; and they were also surprised by the way that the veil was lifted. Do they also enjoy a right to privacy in their attacks? The difference, I think, is in the nature of their comment. Autoadmit comments were attacks, targeted at specific women. The Post-Dispatch comment was obnoxious, but not targeted enough that anyone sued over it.

And in addition, autoadmit commenters’ identities were not simply revealed by an administrator’s whim. Instead, plaintiffs had to go through a legal process to obtain that information.

Are those distinctions that matter? Well, if a person’s comments have harmed others to the extent that they are willing to bring suit — as in the Autoadmit case — then perhaps they deserve scrutiny. (Especially given the gendered nature of those harms, as Danielle Citron’s research makes clear.) However, a site admin actively ratting out potty-mouthed commenters to their employers seems to fall on the other side of the line.

Which brings us to the subject I’m sure you’re all waiting for: What does this mean for me?

Well, for one thing, be careful with your comments.

But I can offer a very modest safe space. I can’t change other people’s actions, but I will say this: If you are a commenter here and you begin to ramble or fight or drop into potty humor, I may tell you to cut it out. I may delete your comment. I may even ban you altogether, especially if you show a persistent pattern of problem comments. But I will not send your stupid comments to your employer. They’re a nuisance, but they’re not worth anyone’s job. (One exception — if your comments indicate that you are planning or in the act of committing a crime or action which might endanger other people’s safety, I reserve the right to tell the authorities.)

Volume 57, Issue 1 (October 2009)

Articles

Essay

Comments

Discourse

Th UCLA Law Review is also pleased to announce the launch of a our new website.

Strengthening the nation’s commitment to privacy is crucial.  But, as Paul Schwartz’s engrossing Preemption and Privacy essay (Yale [...]]]> Privacy has seemingly come center stage.  Companies like Google, Microsoft, and eBay have joined forces to support a federal law that would impose uniform standards for the collection, use, and transfer of information across the private sector.  Activists and officials hope to update the Privacy Act of 1974 for the twenty-first century.  Senator Leahy has a renewed interest in data breach legislation, proposing the Personal Data Privacy and Security Act in July.  The American Recovery and Reinvestment Act of 2009, the stimulus bill, includes a data breach notification requirement for health providers.  The Federal Trade Commission recently published its final rule on data breach notification for e-health records.

Strengthening the nation’s commitment to privacy is crucial.  But, as Paul Schwartz’s engrossing Preemption and Privacy essay (Yale Law Journal) illuminates, a unitary federal information privacy statute should give us pause.  Today’s information privacy law landscape is mainly comprised of federal sector-specific statutes and stronger state regulation.  Schwartz makes a compelling case for remaining on that course, rather than adopting a uniform federal privacy statute.  As Schwartz underscores, a uniform federal approach would likely preempt stronger state law rules, eliminating successful experimentation at the state level.  California exemplifies this trend:  its privacy innovations include allowing consumers to freeze their credit in the face of identity theft among others.  New York and Connecticut are now considering bills that would set limits on companies that track consumers across websites to deliver targeted advertisements based on their online behavior.  A uniform federal law would likely extinguish state-driven innovations whereas most federal sectoral privacy laws, such as the Gramm-Leach-Bliley Act, only provide a federal floor for information privacy and security, not a ceiling.  Schwartz highlights the possibility that a comprehensive information privacy law may ossify, thus making the loss of state experimentation all the more grave.  The piece also spearheads an important discussion about whether the centralizing forces at work today undermines the contributions of competitive federalism.

Schwartz’s piece is a must read.  Here is the abstract for Preemption and Privacy:

A broad coalition, including companies formerly opposed to the enactment of
privacy statutes, has now formed behind the idea of a national information privacy law. Among the benefits that proponents attribute to such a law is that it would harmonize the U.S. regulatory approach with that of the European Union and possibly minimize international regulatory conflicts about privacy. This Essay argues, however, that it would be a mistake for the United States to enact a comprehensive or omnibus federal privacy law for the private sector that
preempts sectoral privacy law. In a sectoral approach, a privacy statute regulates only a specific context of information use. An omnibus federal privacy law would be a dubious proposition because of its impact on experimentation in federal and state sectoral laws, and the consequences of ossification in the statute itself. In contrast to its skepticism about a federal omnibus statute, this Essay views federal sectoral laws as a promising regulatory instrument. The critical question is the optimal nature of a dual federal-state system for information privacy law, and this Essay analyzes three aspects of this topic. First, there are general circumstances under which federal
sectoral consolidation of state law can bring benefits. Second, the choice between federal ceilings and floors is far from the only preemptive decision that regulators face. Finally, there are second-best solutions that become important should Congress choose to engage in broad sectoral preemption.

To be sure, computer [...]]]> Government is increasingly automating its services.  From Medicaid coverage to building permits, machines help determine individuals’ ability to take advantage of important governmental benefits and services.  Agencies collect huge amounts of data in the process.  Mayor Michael Bloomberg recently remarked that the real payoff of such automation is “actually us[ing] the data.”  With that mission in mind, agencies emphasize the importance of linking government databases to take full advantage of tools that mine data for insights.  In the effort to make its city “smarter,” Dubuque, Iowa is working on a project that will use sensors, software, and networked computing to give its government and individuals the digital tools to measure, monitor, and alter the way that they use water, electricity, and transportation.

To be sure, computer algorithms can analyze linked databases to identify fraud and waste, as well as simply help government make better decisions and policy.  But one hopes that government is not following the “adopt first-think later” model (as with e-voting machine purchases) when it comes to privacy, security, and auditability of these linked systems.  To what extent are vendors accounting for these concerns?  As my work on Technological Due Process and Open Code Governance explores, government’s automated systems overwhelmingly fail to incorporate audit trails that would reveal where information comes from and who has been using it.  We see this problem at the state level, where agencies often collect information free of intrusive regulation such as the Privacy Act of 1974 and perhaps even if they did would contend that the merging of data to allow intra-agency access would constitute a “routine use.”  No matter, managing this data glut in an accountable and privacy-protective manner is crucial as we move forward.

On a related note, Ken Bamberger’s Technologies of Compliance: Risk and Regulation in a Digital Age does a superb job exploring another side to the automated systems story.  His piece addresses firms’ automation of their compliance with laws mandating risk management.  Click here to read the abstract.  A must read.

This state of affairs may be due to the difficult nature of the task at hand.  Former NSA head General Michael Hayden recently said: [...]]]> Securing our networked environment is both crucial and difficult.  Six months ago, President Obama declared his Administration’s commitment to protect cyberspace from sabotage of all stripes.  For the President, the rise of online theft, electronic espionage, and military-related cyber assaults necessitated the appointment of a cyber czar to protect our cyber “national assets.”  The President has tried to fill that spot: Shane Harris of National Journal explains that “more candidates had declined the job than were still in the running for it.”  And despite our failed efforts at CoOp to recruit Orin Kerr for the job, the cyber czar position remains empty.

This state of affairs may be due to the difficult nature of the task at hand.  Former NSA head General Michael Hayden recently said: “There is no regime for us to work within to respond to cyberattack.  We are in a place where technology has long outstripped policy–let alone law–in term of what’s available.  We are going to have to rely on heroism instead of a plan.”  If Hayden has it right, it is no wonder that no one wants the job.

Nonetheless, the Administration may have already charted its path, one that entrusts the National Security Agency with protecting cyberspace.  According to the National Journal, Lt. General Keith B. Alexander, the NSA’s director, has been “setting up the central nervous system in the government’s campaign to defend cyberspace.”  The NSA will now, unlike the past, help oversee the networks of civilian government and privately-owned, criticial infrastructure (dams, railroads, hospitals, banks, food industry, hotels, telecommunications, postal, shipping, retail, transportation, and well everything else).  This is true even though DHS is charged with defending civilian networks and coordinating private sector protection.  Homeland Security Security Secretary Janet Napolitano said that NSA will provide DHS “technical assistance” on this issue.  In short, DHS will rely on the NSA for the tools, expertise, and resources to protect cyberspace.

So the NSA apparently will be overseeing and securing private networks, the same NSA that engaged in wholesale warrantless surveillance of Americans after 9/11 (and the agency that monitored telegrams coming in and out of the United States to detect individuals with communist ties in the 1950s and 1960s)?  Congress has, of course, limited the NSA’s warrantless wiretapping and the President has promised us greater transparency in government decision-making.  Nonetheless, NSA’s oversight over privately-owned systems and wholesale access to their contents raises serious concerns.  And because the NSA will direct these efforts in the name of national security and intelligence, little transparency will be forthcoming.  On another note, the question remains whether it was agency turf-war antics that led to Melissa Hathaway’s decision to leave government–she was the DHS official and most senior cyber expert in the White House who had been a leading candidate for the cyber czar post.  At the time of her resignation, Hathaway told the Washington Post that she “wasn’t willing to continue to wait any longer,” and she wasn’t “empowered” to make any changes.

Some of the survey’s findings:

* Even when they are told that the act of following them on websites will take place anonymously, Americans’ aversion to it remains: 68% “definitely” would not allow it, and 19% would “probably” not allow it. (p. 2)

* 69% of American adults feel there should be a law that gives people the right to know everything that a website knows about them. (p. 2)

* 92% agree there should be a law that requires “websites and advertising companies to delete all stored information about an individual, if requested [...]]]> Joseph Turow, Chris Hoofnagle, Jennifer King, Amy Bleakley, and Michael Hennessy have just issued a very interesting consumer survey on privacy and behavioral marketing entitled, Americans Reject Tailored Advertising and Three Activities that Enable It.

Some of the survey’s findings:

* Even when they are told that the act of following them on websites will take place anonymously, Americans’ aversion to it remains: 68% “definitely” would not allow it, and 19% would “probably” not allow it. (p. 2)

* 69% of American adults feel there should be a law that gives people the right to know everything that a website knows about them. (p. 2)

* 92% agree there should be a law that requires “websites and advertising companies to delete all stored information about an individual, if requested to do so.” (p. 2)

* Signaling frustration over privacy issues, Americans are inclined toward strict punishment of information offenders. 70% suggest that a company should be fined more than the maximum amount suggested ($2,500) “if a company purchases or uses someone’s information illegally.” (p. 3)

* Our survey did find that younger American adults are less likely to say no to tailored advertising than are older ones. Still, more than half (55%) of 18- 24 year-olds do not want tailored advertising. And contrary to consistent assertions of marketers, young adults have as strong an aversion to being followed across websites and offline (for example, in stores) as do older adults. 86% of young adults say they don’t want tailored advertising if it is the result of following their behavior on websites other than one they are visiting, and 90% of them reject it if it is the result of following what they do offline. (p. 2)

These are just a few of the many findings in this fascinating survey.  The New York Times has coverage of the survey here.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor [...]]]> During the 2008 election, Democrats effectively used Web 2.0 platforms to garner interest in the campaign and win supporters.  President Obama has been widely hailed as the first “Tech President,” and he seems to have trounced the Facebook landscape.  To date, President Barack Obama has over 6.6 million Facebook friends, while Sarah Palin only has 848, 614 Facebook pals and Mitt Romney has 70, 130.

Although the President has proven his mettle on Facebook and MySpace (where he has over 1.8 million friends), Republicans rule the day on the micro-blogging front.  The Congressional Research Service reports that congressional Republicans out-tweeted their Democratic counterparts during two one-week periods this summer.  Nancy Scola attributes Congressional Republicans’ Twitter dominance to their desire to regain the public’s attention and favor now that they are in the minority.  AMERICAblogs’ John Aravosis worries that Democrats have ceded their online advantage.

No matter the current political victor in this social media landscape, Government 2.0 is here to stay.  It surely has great potential to shine light on government policymaking and to marshal public participation, especially from people who otherwise wouldn’t bother getting involved with government policymaking.  Adding the President as a friend on MySpace and joining live chats may seem to be a relatively costless endeavor as compared to writing letters or commenting on agency rulemakings.  But Government 2.0 also poses privacy risks: social media sites not only give government access to people’s policy insights but also access to all of individuals’ social media data, such as their videos, photos, walls musings, “Top 25 things you don’t know about me” lists, and the like.  Soon, I will be posting on SSRN a draft of my essay “The One-Way Mirror: Enhancing Participation and Securing Privacy for Government 2.0″ (forthcoming George Washington Law Review) and hope to get your feedback.

* The Facebook-Fandango Connection: Invasion of Privacy?

* Facebook’s Beacon: News Feeds All Over Again?

* Facebook and the Appropriation of Name or Likeness Tort

* The New Facebook Ads — Starring You: Another Privacy Debacle?

* Facebook — the New DoubleClick?

* Facebook Listens and Responds

* Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act

A class action suit was initiated against Facebook, and recently, a settlement agreement has been reached.  According to the WSJ:

Facebook Inc. said Friday it settled a class-action lawsuit related to its Beacon Web product, a controversial service that displayed actions that users took on other Web sites back on Facebook.

As part of the settlement, which is pending approval [...]]]> A while ago, I wrote a lot about Facebook’s Beacon on this blog:

* The Facebook-Fandango Connection: Invasion of Privacy?

* Facebook’s Beacon: News Feeds All Over Again?

* Facebook and the Appropriation of Name or Likeness Tort

* The New Facebook Ads — Starring You: Another Privacy Debacle?

* Facebook — the New DoubleClick?

* Facebook Listens and Responds

* Facebook’s Beacon, Blockbuster, and the Video Privacy Protection Act

A class action suit was initiated against Facebook, and recently, a settlement agreement has been reached.  According to the WSJ:

Facebook Inc. said Friday it settled a class-action lawsuit related to its Beacon Web product, a controversial service that displayed actions that users took on other Web sites back on Facebook.

As part of the settlement, which is pending approval in the U.S. District Court of the Northern District of California, the social-network concern will shut down the Beacon service, which it has been phasing out but which is still being used by a small number of Web sites, according to a Facebook spokesman.

The company will also pay $9.5 million to create a foundation to fund products that promote online privacy, safety and security, the spokesman said. The settlement was submitted to the court late Friday evening.

For a moment, let’s put aside the stark difference between the [...]]]> Every year, my small section reads a New Yorker “On the Town” squib called “Oops” to kick off a discussion on care and professional responsibility in their legal careers.  “Oops” tells the story of a summer associate who, in 2003, mistakenly sent the following email to lawyers with whom he worked on a deal: “I’m buy doing jack shit.  Went to a nice 2hr sushi lunch today at Sushi Zen.  Nice place.  Spent the rest of the day typing e-mails and bullshitting with people.”  The summer associate signed  off the email: “So yeah, Corporate Love hasn’t worn off yet. But give me time.”  The summer associate meant to send the email to his friend.  Oops.

For a moment, let’s put aside the stark difference between the world (and law firm environment) facing the summer associates of 2003 and the one facing the summers of 2009 and turn to Sunday’s New York Times story “A Legal Battle: Online Attitude Vs. Rules of Bar.”  The Times talked about recent cases where lawyers do violence to their careers through their online activities.  Lawyers blog about judges:  one wrote that he thought a named judge was an “Evil, Unfair, Witch” and questioned the judge’s competence.  Another lawyer friended a judge on Facebook and later posted about his/her drinking and motorbiking.  The problem: the lawyer asked the judge to delay a trial because of a death in the family in the same week that the lawyer shared the drinking tales with his/her social network.  The lawyers in those cases have suffered serious consequences (the first is facing a reprimand from the bar, the second faced the wrath of his/her firm–the judge told the lawyer’s bosses what happened).

Now, the 2003 summer associate made a big mistake, but perhaps not on the same order as the lawyers covered in yesterday’s Times.  The summer associate had a slip of the finger perhaps, a hasty moment that changed the way those in his firm saw him.  But the lawyers arguably dove into the pool of their fate head first: one might say that they knowingly risked their careers and should suffer the consequences (to the extent the Bar desires and the First Amendment permits).  Social scientists like Alessandro Acquisti and danah boyd and legal scholars like James Grimmelmann offer an explanation for why people are so foolish online.  People write carelessly not because they have “a reduced sense of privacy” but because they felt anonymous.  As danah boyd explains, social network participants “live by ‘security through obscurity’ where they assume that as long as no one cares about them, no one will come knocking.”  They operate under the norm that people with no social connection to them “could look at your profile, but shouldn’t.”  They assume that only close friends are paying attention to their online activities.  All of this is to say that perhaps President Obama shouldn’t just talk to young people about the perils of oversharing online.  Maybe lawyers need the lesson too.

Wikimedia Commons Image

Understanding Privacy offers a comprehensive overview of the many difficulties involved in discussions of privacy. Drawing from a broad array of interdisciplinary sources, I set forth a framework for understanding privacy that provides clear practical guidance for engaging with privacy issues.

Some experts are skeptical, asking how these sites will guarantee patient privacy.  One [...]]]> Patients of rare diseases find that drug companies have little interest in devoting limited R&D budgets to diseases of small populations.  As a result, patients have begun to strike out on their own in the search of cures.  As The New York Times explains, patients increasingly share their medical information (including details about their everday experiences living with a disease) online in the hopes that other similarly-situated patients will do the same.  This would permit interested academic researchers to mine the data for observations about their diseases.  Patients see online communities as offering new ways to transform medical research–especially into rare diseases that elude the current model of large-scale studies of widespread conditions.

Some experts are skeptical, asking how these sites will guarantee patient privacy.  One imagines that these sites will respond to privacy concerns by employing anonymization practices.  For instance, sites might delete personal identifiers like names and social security numbers and remove other potential identifiers, such as names of next of kin or student ID numbers.  This ostensibly permits researchers to use the amassed data without concomitant privacy risks.  But, as Paul Ohm’s important and engrossing new paper Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization argues, technology renders this privacy-protection option obsolete.  Computing advances now permit clever adversaries to reidentify or deanonymize the people hidden in anonymized databases.  This means that datasets that were meant to be kept apart are easily rejoined, allowing sensitive secrets to be  revealed.

Patients may of course be willing to take that risk if their particpation in open-source research leads to cures of rare diseases.  Yet patients also jeopardize their offsprings’ privacy: if medical information can be reidentified with ease and linked with other datasets, a patient’s children may get caught up in that web of re-identification.  This may lead to genetic discrimination in the grown-up child’s life.  Grown-up children may be willing to bear that risk–it is, however, worth considering this possibility when assessing privacy concerns related to such open-source research efforts.

The 20-year-old said: “What she has done has taken the very worst years of my life and cleverly blended it into a work of art, and that to me is obscene.

“I was only 17, I was a confused teenager, I was too young really to know who I was or what was happening.

“What she describes in her book are a series of incidents, it’s not who I am and I [...]]]> Over at the NYT blog is an interesting story about a British writer (Julie Myerson) who has published a memoir about her son’s drug addiction (The Lost Child).  Her 20-year old son has criticized the publication of the book. According to the Telegraph (UK):

The 20-year-old said: “What she has done has taken the very worst years of my life and cleverly blended it into a work of art, and that to me is obscene.

“I was only 17, I was a confused teenager, I was too young really to know who I was or what was happening.

“What she describes in her book are a series of incidents, it’s not who I am and I find it very sad that she feels the need to tar me with the ‘drug addict’ brush.

“She’s been writing about me since I was two, and, quite frankly, I’m not surprised by anything she does any more.

The NYT Blog asks:

Is it inappropriate and even harmful to expose the private lives of minor children, in particular? What privacy lines should be observed, if any, in writing about family members and others?

It contains responses from four people, Alison Gopnik (a psychology professor), David Matthews (author), Melanie Gideon (author0, and Michael Greenberg (author).  For example, Author David Matthews writes:

Nothing is off limits as far as I’m concerned. Whether an author wants to risk fraying familial and social ties in the pursuit of the truth (as they see it) is a question left up to the writer.

Matthews’ response strikes me as rather extreme. In Britain, family members owe each other duties to keep private information confidential. In the US, the breach of confidentiality tort applies to doctors, lawyers, and others, but hasn’t been extended to friends and family.  Perhaps it should be.

According to the Telegraph article, Myerson’s son said:

“I even consulted a lawyer to try to stop it, but was told there wasn’t much I could do, so I made her take out the part where she said I was selling drugs to my 12-year-old brother, which was one of her fantasies.

I’m surprised that he was advised the law didn’t protect him, since the book was published in Britain and he’d likely have a decent case under British precedent.

The Myerson case is increasingly becoming more common.  Numerous bloggers are chronicling the lives of their children online, posting photos and a day-by-day account of their lives.  What happens when these children grow up and resent having their entire childhood permanently recorded for the world to see?

Should family members owe each other a duty of confidentiality?  Should parents write about a child’s life without that child’s consent?

Hat tip: PogoWasRight

“This is the new JuicyCampus,” says a note at Campus Gossip, which boasts campus-specific message boards for hundreds of colleges and encourages anonymous and racy barbs such as “These Fellas got herpes,” with a list of names attached. Going even further than its predecessor, there’s also a photo section where students can post embarrassing pictures and videos of others.

The site is planning a back-to-school marketing push, including a happy hour near Arizona State University where a rap artist named Sabotage will perform a song about the pleasures of campus gossip.

Another site, CollegeACB (the letters stand for Anonymous Confession Board), [...]]]> A while ago, the notorious college gossip website, Juicy Campus, bit the dust.  But according to an article by Jeffrey Young in the Chronicle of Higher Education:

“This is the new JuicyCampus,” says a note at Campus Gossip, which boasts campus-specific message boards for hundreds of colleges and encourages anonymous and racy barbs such as “These Fellas got herpes,” with a list of names attached. Going even further than its predecessor, there’s also a photo section where students can post embarrassing pictures and videos of others.

The site is planning a back-to-school marketing push, including a happy hour near Arizona State University where a rap artist named Sabotage will perform a song about the pleasures of campus gossip.

Another site, CollegeACB (the letters stand for Anonymous Confession Board), paid the defunct JuicyCampus $10,000 to redirect visitors from its Web address to CollegeACB.

For those who want a first-hand look at these sites, the Campus Gossip site is here and the CollegeACB site is here.  I’m quoted in the article, as is co-blogger Danielle Citron:

Internet shaming creates an indelible blemish on a person’s identity,” wrote Daniel J. Solove, a professor of law at George Washington University, in his 2007 book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press). “It’s similar to being forced to wear a digital scarlet letter or being branded or tattooed. People acquire permanent digital baggage. They are unable to escape their past, which is forever etched into Google’s memory.” . . . .

“I don’t see why it has to be that way,” the law professor told me in a recent interview. “Just like when you drive, it’s not a free-for-all,” he added, equating the current laws governing online forums to a road without traffic lights or stop signs. “It’s like if we looked at the roads and said, There’s just nothing to be done—let’s just abolish all rules of the road.” . . . .

Danielle Citron, a law professor at the University of Maryland at Baltimore, said she hoped that stamping out harassment on campus-gossip Web sites would be considered a matter of civil rights.

She makes the case in an article published in the Michigan Law Review this year called “Law’s Expressive Value in Combating Cyber Gender Harassment.” In it, she argues that law-enforcement officials fail to take seriously complaints about online anonymous comments, and that using “civil-rights remedies” may be the most effective way to pursue such acts.

“Women should not have to wait until cyberharassment fulminates into physical violence for law enforcement to address it,” she wrote. “A civil-rights agenda … would demonstrate that the Internet is not the lawless Wild West, just as court settlements and state legislation made clear that the home does not insulate abusing husbands from societal intervention.”

In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):

[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use [...]]]> The Lori Drew case has finally been decided.  Background about the case is here.  In previous posts (here and here), I argued that the CFAA should be held to be unconstitutionally vague.

In an opinion released on August 28, Judge George Wu struck down, on unconstitutional vagueness grounds, the prosecution’s attempt to enforce violations of website terms of service as crimes under the Computer Fraud and Abuse Act (CFAA):

[I]f any conscious breach of a website’s terms of service is held to be sufficient by itself to constitute intentionally accessing a computer without authorization or in excess of authorization, the result will be that section 1030(a)(2)(C) becomes a law “that affords too much discretion to the police and too little notice to citizens who wish to use the [Internet].” City of Chicago [v. Morales], 527 U.S. [41] at 64 [(1999)].

Congratulations to Orin Kerr, who assisted in the defense, and who is cited numerous times throughout the court’s opinion.

Some have asked whether this case warrants treatment as a cyber civil rights issue since it “is just a girl cat fight.”  To be sure, women can deprive other women of their right to be free of unequal treatment on the basis of their gender.  But the larger concern is, for me, convincing skeptics to see the blog attacks on Ms. [...]]]> Dan, Kaimi, and Elizabeth have offered some terrific insights on the issues raised by the court’s unmasking of the “Skanks of NYC” blogger.  Kaimi’s post “Cyber Civil Rights vs Privacy in the ‘Skanks in NYC’ case” in particular did a superb job capturing the issue as discrimination.  I write here to follow up on issues related to the case that folks have discussed with me.

Some have asked whether this case warrants treatment as a cyber civil rights issue since it “is just a girl cat fight.”  To be sure, women can deprive other women of their right to be free of unequal treatment on the basis of their gender.  But the larger concern is, for me, convincing skeptics to see the blog attacks on Ms. Cohen as more than just an interpersonal disagreement between two women, something that tort law can handily address on its own, but rather as gender discrimination.  Tort law would not reach the harm experienced by Ms. Cohen, women, and society due to the blog’s interference with her right to equal treatment.  It would not address the stigma that Ms. Cohen experienced a a result of the blog’s message that she had worth only as a sex object.  Much like sexual harassment in the workplace, the blog suggested that Ms. Cohen constitutes an object of sexual derision, not a person worthy of respect.  Moreover, they interfered with Ms. Cohen’s right to work as an equal.  According to Ms. Cohen, potential employers asked her about the blog, which quite possibly deterred them and others from hiring her.  In a world filled with aspiring models, employers might chose to work with someone who comes with less baggage, even if they do not believe the postings a wit.  And the blog postings harm women as a group and a society as a whole by entrenching gender hierarchy in cyberspace.  Whether current law would support such a claim is certainly in dispute, but such a law could be crafted.  Such a law would play an important expressive role–it would change the social meaning of such harassment of women.

Indeed, as privacy scholar Ian Kerr suggested, maybe the media’s attention to the case can be attributed to its leering interest in a “battle” between two beautiful women?  Maybe coverage of the issue reflects a deeper misogyny: the story has attracted so much attention because it produces an image of women as female wrestlers of sorts, battling it out in their bikinis?

A commentator on Dan’s posting asked whether labeling Ms. Cohen “a liar, ho, and skank” could support a defamation claim, at least under the Doe v. Cahill summary judgment standard to warrant unmasking the defendant.  Courts have upheld defamation awards in cases where defendants’ online postings asserted that plaintiffs were “liars.”  The allegations also might have supported an intentional infliction of emotional distress claim.  As my colleague Greg Young wisely noted to me though, even a rigorous standard like the one in Doe v. Cahill (which I support much like Dan) gives leeway to judges to balance values and risks imposing costs on speech.

Hat tip to Ian Kerr and Greg Young.