Category: Privacy

0

Could Revenge Porn Victims Seek Civil Liability Against Hunter Moore?

Suppose that former revenge porn operator Hunter Moore is convicted of federal crimes of conspiracy to engage in computer hacking. Could individuals whose nude photos appeared on his site next to their home addresses and screenshots of their Facebook profiles sue Moore for intentional infliction of emotional distress and public disclosure of private fact? Probably not, but it’s worth exploring the issue.

The closest case law involves civil penalties provided for under federal criminal law. In M.A. v. Village Voice, a federal district court judge found that Backpage.com enjoyed Section 230 immunity for civil penalties under the child trafficking statute, 18 U.S.C. 2255. Section 2255 allows victims of child trafficking to recover damages from those who had committed or profited from the crimes against them. provides that, “[a]ny person who, while a minor, was a victim of a violation of [criminal statutes concerning child trafficking] and who suffers personal injury as a result of such violation may sue” and “recover actual damages such person sustained.” The representatives of a victim of child trafficking argued that Section 230 immunity was inapplicable because Backpage.com had profited from the plaintiff’s victimization in violation of Section 2255. As the court held, however, Section 2255 was a “civil damages” provision of Title 18, not federal criminal law.

The only remaining question is whether Moore materially contributed to the contested content–nude photos and Facebook screen shots. If so, he could be found liable as a co-developer of the content that often was tantamount to cyber stalking. Of course, the question of liability would remain. Just because a site operator does not enjoy immunity from liability does not mean he would be strictly liable for torts of intentional infliction of emotional distress, for instance. The question would be whether he intentionally inflict emotional distress on particular individuals? Recall that Moore boasted to the press that the more embarrassing and destructive the material, the more money he made. When a reporter told him that revenge porn had driven people to commit suicide, Moore said that he did not want anybody to die, but if it happened, he would be grateful for the publicity and advertising revenue it would generate; “Thank you for the money . . . from all of the traffic, Googling, redirects, and press.” Earlier this year, Moore told Betabeat’s Jessica Roy that he was relaunching his site including not just of people’s Facebook accounts, but their home addresses. “We’re gonna introduce the mapping stuff so you can stalk people,” he told Roy. When talking to Forbes’s Kashmir Hill, Moore backed off his statement, claiming to be drunk, but had tweeted, “I’m putting people’s house info with google earth directions. Life will be amazing.”

More broadly, sites that principally host revenge porn are making a mockery of Section 230. As Citizen Media Law Project’s Sam Bayard explains, a site operator can enjoy the protection of Section 230 while “building a whole business around people saying nasty things about others, and . . . affirmatively choosing not to track user information that would make it possible for an injured person to go after the person directly responsible.” In my book Hate Crimes in Cyberspace, I explore the possibility of Section 230 reform to ensure that the worst actors don’t enjoy immunity. It’s certainly a perverse result that the “Good Samaritan” provision of the Communications Decency Act immunizes from liability sites that solicit and principally host revenge porn and other forms of cyber stalking. More to come in August, when Harvard University Press publishes the book.

 

3

Some Thoughts on Section 230 and Recent Criminal Arrests

We’ve devoted considerable attention on our blog to Section 230 of the Communications Decency Act, which immunizes online service providers/hosts from liability for user-generated content. Site operators are protected from liability even though they knew (or should have known) that user-generated content contained defamation, privacy invasions, intentional infliction of emotional distress, civil rights violations, and state criminal activity. Providing a safe harbor for ISPs, search engines, and social networks is a good thing. If communication conduits like ISPs did not enjoy Section 230 immunity, they would surely censor much valuable online content to avoid publisher liability. The same is true of search engines that index the vast universe of online content and produce relevant information to users in seconds and, for that matter, social media providers that host millions, and some billions, of users. Without Section 230, search engines like Google and Bing and social media providers like Yelp, Trip Advisor, Facebook, YouTube, and Twitter might not exist. The fear of publisher liability would have inhibited their growth. For that reason, Congress reaffirmed Section 230’s importance in the SPEECH Act of 2010, which requires U.S. courts to apply the First Amendment and Section 230 in assessing foreign defamation judgments.

In the past few months, prosecutors have arrested notorious revenge porn site operators Hunter Moore, Kevin Bolleart, and Casey Meyering. Those arrests have raised the question, what about Section 230? Hunter Moore’s arrest is the least controversial. Although Section 230 immunity is broad sweeping, it isn’t absolute. It exempts from its reach federal criminal law, intellectual property law, and the Electronic Communications Privacy Act. As Section 230(e) provides, the statute has “[n]o effect” on “any [f]ederal criminal statute” and does not “limit or expand any law pertaining to intellectual property.” Federal prosecutors indicted Moore for conspiring to hack into people’s computers in order to steal their nude images. According to the indictment, Moore paid a computer hacker to access women’s password-protected computers and e-mail accounts to steal nude photos for financial gain—profits for his revenge porn site Is Anyone Up. Site operators may be held accountable for violating federal criminal law.

What about revenge porn operators Bolleart and Meyerson who are facing state criminal charges? Generally speaking, site operators are not transformed into “information content providers” (who are not immunized from liability) unless they co-developed or co-created the allegedly criminal/tortious content, such as by paying for the illegal content and reselling it or drafting some of the contested content themselves. California Attorney General Kamala Harris’s prosecutions of both Bolleart and Meyerson press the question whether Section 230’s immunity extends to sites that effectively engage in extortion by encouraging the posting of sensitive private information and profiting from its removal.

Let’s take Bolleart’s case. It’s based on a similar theory as the case against Meyerson, who runs WinbyState, a private revenge porn site with a connected site that charges for the take down of photos. In December 2013, Bollaert, operator of revenge porn site UGotPosted, was indicted for extortion, conspiracy, and identity theft. His site featured the nude photos, Facebook screen shots, and contact information of more than 10,000 individuals. The indictment alleged that Bollaert ran the revenge porn site with a companion takedown site, Change My Reputation. According to the indictment, when Bollaert received complaints from individuals, he would send them e-mails directing them to the takedown site, which charged up to $350 for the removal of photos. Attorney General Harris explained that Bollaert “published intimate photos of unsuspecting victims and turned their public humiliation and betrayal into a commodity with the potential to devastate lives.”

Bollaert will surely challenge the state’s criminal law charges on Section 230 grounds. His strongest argument is that charging for the removal of user-generated photos is not tantamount to co-developing them. Said another way, charging for the removal of content is not the same as paying for, or helping develop, it. That is especially true of the identity theft charges because Bollaert never personally passed himself off as the subjects depicted in the photos. Nonetheless, the state has a strong argument that the extortion charges fall outside Section 230’s immunity because they hinge on what Bollaert himself did and said, not on what his users posted. Only time will tell if that sort of argument will prevail. Even if the California AG’s charges are dismissed on Section 230 grounds, federal prosecutors could charge Bollaert with federal criminal extortion charges. Sites that encourage cyber harassment and charge for its removal (or have a financial arrangement with removal services) are engaging in extortion. At the least, they are actively and knowingly conspiring in a scheme of extortion. Of course, this possibility depends on the enforcement of federal criminal law vis-à-vis cyber stalking, which as we have seen is stymied by social attitudes and insufficient training.

1

What Makes a Stranger Not So Strange

Most of the literature on trust among strangers comes from game theorists. Scholars perform simulations of so-called “trust games” to suggest that “impersonal trust” can develop under this or that circumstance. This literature is voluminous (the previous link is just one of many hits from a JSTOR search). The mere fact that trust among repeat actors can be seen in repeated evolutionary games should, at the very least, complicate a legal doctrine that necessarily extinguishes privacy upon disclosures. But you don’t have to understand (or agree) with game theorists to see the problem with such a bright line rule.

Over the last year, I observed different types of support group meetings, including Alcoholics Anonymous, Narcotics Anonymous, and an HIV-positive support group. I interviewed several members, though many members declined to be interviewed, as I expected. These support groups thrive on privacy and anonymity. The very characteristic that made me want to study them was the very thing that would make it hard: members of such groups tend to know everything about a specific area of each other’s lives (their addiction), but often know precious little about a participant’s life and identity outside of what brought him to the group in the first place. In many cases, outside of the sponsor-recovering relationship, even last names remain unknown. And yet they share a secret that, unfortunately, retains a significant stigma in greater society.

This knowledge asymmetry is not always the case, I must admit. But for now, let’s accept the scenario: Participants are veritable strangers, except they know this one big secret about each other. This was in fact the story for most of the people I interviewed. And although this type of ethnography must always be a dubious source for grand conclusions about wide populations, we can still ask: Why do recovering addicts share their stigmatizing secret with strangers?

My research suggests it is because they all share the same stigmatizing secret. It is not simply that everyone shares the same secret or the same identity. People who are all Libras or all white males or all like Maroon5 do not necessarily feel a comfort level with those who were born at the same time, look the way they do, and listen to the same music, respectively. Rather, the shibboleth of a willingness to open up among strangers in this context is that everyone shares a stigmatizing identity. They trust each other not because they know them but because they know what they’ve been through in the greater world. And this is entirely reasonable.

I think this trust exists in other areas of life and not just in the unique support group environment. If it does, if trust develops among individuals who share a stigmatizing identity, then trust among so-called strangers can exist such that individuals would not be assuming the risk of further disclosure of a secret revealed to such a stranger.

I have designed a study to test this, using accepting/declining “friend” requests from strangers as a proxy. It is an imperfect proxy, but trust is hard to measure. But if we can control for other factors and see that friend requests from strangers are accepted more frequently by individuals who share a defining, stigmatizing characteristic — sexual minority status, is just one example — then we may have found a social determinant of trust among strangers.

0

Why Some Risk Sending Intimate Pictures to “Strangers” and What It Says About Privacy

It is, as always, an honor and a pleasure to speak with the Co-Op community. Thank you to Danielle for inviting me back and thank yous all around for inviting me onto your desks, into your laps, or into your hands.

My name is Ari and I teach at New York Law School. In fact, I am honored to have been appointed Associate Professor of Law and Director of the Institute for Information Law and Policy this year at NYLS, an appointment about which I am super excited and will begin this summer. I am also finishing my doctoral dissertation in sociology at Columbia University. My scholarship focuses on the law and policy of Internet social life, and I am particularly focused on online privacy, the injustices and inequalities in unregulated online social spaces, and the digital implications for our cultural creations.

Today, and for most of this month, I want to talk a little bit about the relationship between strangers, intimacy, and privacy.

Over the last 2 years, I have conducted quantitative surveys and qualitative interviews with almost 1,000 users of any of the several gay-oriented geolocation platforms, the most famous of which is “Grindr.” These apps are described (or, derided, if you prefer) as “hook up apps,” or tools that allow gay men to meet each other for sex. That does happen. But the apps also allow members of a tightly identified and discriminated group to meet each other when they move to a knew town and don’t know anyone, to make friends, and to fall in love. Grindr, my survey respondents report, has created more than its fair share of long term relationships and, in equality states, marriages.

But Grindr and its cousins are, at least in part, about sex, which is why the app is one good place to study the prevalence of sharing intimate photographs and the sharers’ rationales. My sample is a random sample of a single population: gay men. Ages range from 18 to 59 (I declined to include anyone who self-reported as underage); locations span the globe. My online survey asked gay men who have used the app for more than one week at any time in the previous 2 years. This allowed me to focus on actual users rather than those just curious. Approximately 68 % of active users reported having sent an intimate picture of themselves to someone they were chatting with. I believe the real number is much higher. Although some of those users anonymized their initial photo, i.e., cropped out their head or something similar, nearly 89 % of users who admitted sending intimates photos to a “stranger” they met online also admitted to ultimately sending an identifiable photo, as well. And, yet, not one respondent reported being victimized, to their knowledge, by recipient misuse of an intimate photograph. Indeed, only a small percentage (1.9) reported being concerned about it or letting it enter into their decision about whether to send the photo in the first place.

I put the word “stranger” in quotes because I contend that the recipients are not really strangers as we traditionally understand the term. And this matters: You can’t share something with a stranger and expect it to remain private. Some people argue you can’t even do that with a close friend: you assume the risk of dissemination when you tell anyone anything, some say. But, at least, the risk is so much higher with strangers such that it is difficult for some to imagine a viable expectation of privacy argument when you chose to share intimate information with a stranger. I disagree. Sharing something with a “stranger” need not always extinguish your expectation of privacy and your right to sue under an applicable privacy tort if the intimate information is shared further.

A sociologist would say that a “stranger” is a person that is unknown or with whom you are not acquainted. The law accepts this definition in at least some respects: sometimes we say that individuals are “strangers in the eyes of the law,” like a legally married same-sex couple when they travel from New Jersey to Mississippi. I argue that the person on the other end of a Grindr chat is not necessarily a stranger because nonverbal social cues of trustworthiness, which can be seen anywhere, are heightened by the social group affinity of an all-gay male environment.

Over the next few weeks, I will tease out the rest of this argument: that trust, and, therefore, expectations of privacy, can exist among strangers. Admittedly, I’m still working it out and I would be grateful for any and all comments in future posts.

I
0

4 Points About the Target Breach and Data Security

There seems to be a surge in data security attacks lately. First came news of the Target attack. Then Neiman Marcus. Then the U.S Courts. Then Michael’s. Here are four points to consider about data security:

1. Beware of fraudsters engaging in post-breach fraud.

After the Target breach, fraudsters sent out fake emails purporting to be from Target about the breach and trying to trick people into providing personal data. It can be hard to distinguish the real email from an organization having a data breach from a fake one by fraudsters. People are more likely to fall prey to a phishing scheme because they are anxious and want to take steps to protect themselves. Post-breach trickery is now a growing technique of fraudsters, and people must be educated about it and be on guard.

2. Credit card fraud and identity theft are not the same.

The news media often conflates credit card fraud with identity theft. Although there is one point of overlap, for the most part they are very different. Credit card fraud involving the improper use of credit card data can be stopped when the card is cancelled and replaced. An identity theft differs because it involves the use of personal information such as Social Security number, birth date, and other data that cannot readily be changed. It is thus much harder to stop identity theft. The point of overlap is when an identity thief uses a person’s data to obtain a credit card. But when a credit card is lost or stolen, or when credit card data is leaked or improperly accessed, this is credit card fraud, and not identity theft.

3. Data breaches cause harm.

What’s the harm when data is leaked? This question has confounded courts, which often don’t recognize a harm. If your credit card is just cancelled and replaced, and you don’t pay anything, are you harmed? If your data is leaked, but you don’t suffer from identity theft, are you harmed? I believe that there is a harm. The harm of credit card fraud is that it can take a long time to replace all the credit card information in various accounts. People have card data on file with countless businesses and organizations for automatic charges and other transactions. Replacing all this data can be a major chore. People’s time has a price. That price will vary, but it rarely is zero.

Read More

1

Atrocious Privacy Invasion: Non-Consensual Videotaping of Sex Indicted in NY

Criminalizing privacy invasions has a long history. In their ground-break article The Right to Privacy published in 1890, Samuel Warren and Louis Brandeis argued that “[i]t would doubtless be desirable that the privacy of the individual should receive the added protection of the criminal law.” Since that time, lawmakers have banned the non-consensual recording of individuals in a state of undress in contexts where they have reasonable expectation of privacy. New York’s unlawful surveillance law, for instance, prohibits use of an imaging device to secretly record or to broadcast another person undressing or having sex for the purpose of degrading that person in cases where the person had a reasonable expectation of privacy.

In November 2013, a New York former private wealth adviser was indicted for nineteen counts of unlawful surveillance and attempted unlawful surveillance for secretly taping himself having sex with different women without their consent. The illegal tapings allegedly occurred over a year’s time and apparently were many.

The New York Post talked to one of the victim’s attorney, Daniel Parker, who explained that the man posted the illegal videos on Internet sites. According to Parker, the man “used an elaborate system of surveillance using multiple devices in both his bedroom and their homes.” In other words, the man not only had various cameras in his own bedroom to tape himself having sex with women who had no idea and never consented but he also secretly taped himself having sex with the women in their homes. Parker explained that the man “left a trail and it was on YouTube and Vimeo.” What were those hidden devices? The man apparently used a hidden camera, a web cam and a stealth phone app to film the women engaged in various sexual acts. According to Parker, the man installed a hidden camera in the bookshelf of his East 69th Street apartment.

The victims delivered the video footage to the Manhattan District Attorney’s Office prompting the investigation. Kudos to prosecutor Siobahn Carty for bringing the case, though my sense is that it took the victims considerable energy and time to convince law enforcement to take their case seriously and to understand the technology used to perpetrated the egregious privacy violations. Technical ignorance is common amongst law enforcement, well, and common for may people. Troubling cultural attitudes and “I don’t get the tech” response are notorious responses to different forms of harassment, including non-consensual taping of individuals in their most intimate moments. I will report more on the case as I get a hold of the indictment.


 

CoreHarms

What President Obama’s Surveillance Speech Should Have Addressed

In his recent speech on surveillance, President Obama treated the misuse of intelligence gathering as a relic of American history. It was something done in the bad old days of J. Edgar Hoover, and never countenanced by recent administrations. But the accumulation of menacing stories—from fusion centers to “joint terrorism task forces” to a New York “demographics unit” targeting Muslims—is impossible to ignore. The American Civil Liberties Union has now collected instances of police surveillance and obstruction of First Amendment‐protected activity in over half the states. From Alaska (where military intelligence spied on an anti-war group) to Florida (where Quakers and anti-globalization activists were put on watchlists), protesters have been considered threats, rather than citizens exercising core constitutional rights. Political dissent is a routine target for surveillance by the FBI.

Admittedly, I am unaware of the NSA itself engaging in politically driven spying on American citizens. Charles Krauthammer says there has not been a “single case” of abuse.* But the NSA is only one part of the larger story of intelligence gathering in the US, which involves over 1,000 agencies and nearly 2,000 private companies. Moreover, we have little idea of exactly how information and requests flow between agencies. Consider the Orwellian practice of “parallel construction.” Reuters has reported that the NSA gave “tips” to the Special Operations Division (SOD) of the Drug Enforcement Administration, which also shared them with the Internal Revenue Service.
Read More

Surveillance Man 02
0

10 Reasons Why Privacy Matters

Why does privacy matter? Often courts and commentators struggle to articulate why privacy is valuable. They see privacy violations as often slight annoyances. But privacy matters a lot more than that. Here are 10 reasons why privacy matters.

1. Limit on Power

Privacy is a limit on government power, as well as the power of private sector companies. The more someone knows about us, the more power they can have over us. Personal data is used to make very important decisions in our lives. Personal data can be used to affect our reputations; and it can be used to influence our decisions and shape our behavior. It can be used as a tool to exercise control over us. And in the wrong hands, personal data can be used to cause us great harm.

2. Respect for Individuals

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. Of course, the desire for privacy can conflict with important values, so privacy may not always win out in the balance. Sometimes people’s desires for privacy are just brushed aside because of a view that the harm in doing so is trivial. Even if this doesn’t cause major injury, it demonstrates a lack of respect for that person. In a sense it is saying: “I care about my interests, but I don’t care about yours.”

3. Reputation Management

Privacy enables people to manage their reputations. How we are judged by others affects our opportunities, friendships, and overall well-being. Although we can’t have complete control over our reputations, we must have some ability to protect our reputations from being unfairly harmed. Protecting reputation depends on protecting against not only falsehoods but also certain truths. Knowing private details about people’s lives doesn’t necessarily lead to more accurate judgment about people. People judge badly, they judge in haste, they judge out of context, they judge without hearing the whole story, and they judge with hypocrisy. Privacy helps people protect themselves from these troublesome judgments.

Read More

6

Online Voter Information and Privacy

Donny-Osmond-007Did you ever want to know Donny Osmond’s birthday, along with his voter registration status? Now you can find out, through a simple website which has posted the entire Utah state voting roll to the internet in easily searchable form. What if you’re looking in Colorado, Connecticut, or a half dozen other states? Their voter rolls are online too, sometimes with additional information like addresses.

Is this troubling? It’s one thing to post Donny Osmond’s birthday to the internet; that information is on Wikipedia anyway. It’s more troubling to post the private information of tens of thousands of everyday people, many of whom may have no idea that this online database exists.

The website pooh-poohs potential privacy concerns and touts the potential value of this information — it could help in genealogical projects, for instance. The site also points out that this information is legally available already as public records which anyone could order. That is troubling itself (it illustrates what kind of information marketing companies and others could be buying right now).

But I’m also not convinced by the “this is available anyway” argument. As scholars like Dan Solove and Danielle Citron have pointed out, sometimes structural barriers and transaction costs create a sort of informal, de-facto privacy protection, which everyday citizens may depend on. When a company acts to strip away those barriers, it threatens everyone’s privacy.

3

We Will All Be Jaime Sommers – 3D printing ears

Thanks to 3D printing and advances in material sciences, questions I had a few years ago about what data is sent, how we are regulated, and of course illusive ownership are hitting home for biomedical, implanted devices. I wrote about some of these issues in a short piece about the implications of a post-human world. I thought about implanted medical devices and the idea that we are becoming appliances with all the contracts and data issues we see online moving to the body.

On the one hand, I love some of the outcomes of this engineering. For example, what if we all could be the Bionic Woman? Michael McAlpine of Princeton may be making it so that anyone could have a bionic ear, and he wants to improve us even more. He is engineering:

a synthetic ear made with a 3-D bioprinter, is a realization of that vision. The complex biomechanical structure was fabricated by depositing live cells and conductive silver in layers. It started as an exploration of material properties, but commercial applications started to appear rapidly. He discovered that cochlear implants, a leading treatment for those with some hearing impairment, are made by hand in a slow and laborious process with costs to match.

His work draws on the way hearing works. The interface sends “the electronic signal right into your medula and brings us one step closer to a world where we can learn kung fu by plugging into a computer.” That idea is fantastic (as in fantasy) but his main point, “It will just be considered normal that you have electronics embedded in your body, … You won’t think its weird that a door will just open up as you walk towards it. We will become cyborgs and it will be seen as just a normal thing” connects to my piece.

So on the other hand, as these changes move forward, we will have to consider what is control over health and other data that may come from within us. Security and hacking will take on new dimensions. I also think that class will play a role. If devices and surgery are expensive but “natural” will only the rich get to have them? Will the poor be stuck sneaking steroids will the privileged pay for dexterity enhancement?

I don’t think dystopia is ahead. I think these questions are the right and fun ones to consider and manage. Again the New Year looks good.

P.S. Jamie Boyle’s Shamans, Software, and Spleens is ever more relevant, as we move into the next technology era.