Category: Social Network Websites

A Not So Pretty Picture

ZDNet reports that over 1,000 Facebook users adopted a Photo of the Day application featuring National Geographic images that also embedded malicious code, creating a botnet of users that launched distributed denial of service attacks. The good news is that information security researchers orchestrated the “Facebot” in order to expose this security flaw. The bad news is that given the flaws in social network platforms, real attacks could be worse. (Here is the research paper that the group produced, which is entitled “Antisocial Networks: Turning a Social Network into a Botnet”). Although Facebook has fixed the vulnerability identified by the researchers, concerns remain about the security risks of third-party applications on social networking sites. The serious downside of a pretty picture, to be sure.

Politics in the Age of MySpace and Facebook

Recently, I was interviewed for an article in the Globe and Mail about the young teenage father-to-be involved in the media circus surrounding vice presidential candidate Sarah Palin’s pregnant teenage daughter. I believe that the media should restrain itself from prying further into Palin’s daughter’s private life, as well as that of the father-to-be. He was referred to only as “Levi” by the media until recently, when a few media entities and bloggers started identifying him by his full name. I don’t believe he should be identified by his last name unless he consents to it. His identity is of little relevance to the issues in the campaign.

Apparently, he had a MySpace page. According to the Globe and Mail:

According to his MySpace page, he loved camping, fishing and riding dirt bikes. He wasn’t much for babies (“I don’t want kids”) or political optics: “Ya fuck with me I’ll kick ass,” the page says. . . .

The Alaskan teen’s MySpace page was taken down yesterday, but the damage had been done.

“I’m a little bit surprised the campaign didn’t ask him to take these pages down,” said Daniel Solove, author of The Future of Reputation: Gossip, Rumor, and Privacy on the Internet. “It’s become a very distracting sideshow.”

Information about his identity and MySpace page are all over the Internet and media now. More and more, we’ll be seeing the media and bloggers mining the social network profiles of the kids of politicians. I think that this is unfortunate, but it is hard to stop people from gawking at a public website, especially when a politician’s child falls into the vortex of a media storm. The fact that Levi’s MySpace page remained publicly available for so long indicates that there is far too little thought and attention to social network websites and the Internet by parents and others outside of what I call “Generation Google” — the teenagers today who are posting more and more personal information online, which will be available to anybody doing a Google search.

If Sarah Palin and the McCain campaign knew about the pregnancy, they certainly must have expected that with today’s media, it would sooner or later find its way into the news. With that risk in mind, why not try to make sure that public MySpace or Facebook pages of those involved are removed before the media frenzy begins? This strikes me as a fairly substantial oversight. The teenagers involved in this incident are far from ready to confront the media frenzy they are now subjected to. Somebody should have told Levi to remove his profile (or make it accessible only to his friends) long before the story broke. Perhaps the McCain campaign. Perhaps Sarah Palin. Perhaps his parents. This illustrates part of the problem facing members of Generation Google — their parents, teachers, and others who advise them are not well-versed enough in what’s going on.

Trolls, cyberbullying, Dan

This week’s New York Times magazine has a fascinating article about online trolls and cyberbullying, which includes a quote from Dan. The article itself is well worth reading. An excerpt:

That the Internet is now capacious enough to host an entire subculture of users who enjoy undermining its founding values is yet another symptom of its phenomenal success. It may not be a bad thing that the least-mature users have built remote ghettos of anonymity where the malice is usually intramural. But how do we deal with cases like An Hero, epilepsy hacks and the possibility of real harm being inflicted on strangers?

Several state legislators have recently proposed cyberbullying measures. At the federal level, Representative Linda Sánchez, a Democrat from California, has introduced the Megan Meier Cyberbullying Prevention Act, which would make it a federal crime to send any communications with intent to cause “substantial emotional distress.” In June, Lori Drew pleaded not guilty to charges that she violated federal fraud laws by creating a false identity “to torment, harass, humiliate and embarrass” another user, and by violating MySpace’s terms of service. But hardly anyone bothers to read terms of service, and millions create false identities. “While Drew’s conduct is immoral, it is a very big stretch to call it illegal,” wrote the online-privacy expert Prof. Daniel J. Solove on the blog Concurring Opinions.

To steal a line from Glenn Reynolds — go read the whole thing.

Should (legal) academics use Facebook? (Part 527 of a continuing series.)

True, the “should academics use Facebook?” article is fast becoming passe. (See also: “should academics blog?”, “should academics use MySpace?”, and “should academics navel-gaze?”) However, a recent post on the HNN (History News Network) is a particularly good example of the species. In a discussion of whether historians should use Facebook, historian Jesse Lemisch sets out some helpful analysis:

Why should historians be on Facebook? I think it has the potential to be an electronic version of the halls of the AHA: a place of lively and utterly informal talk about what historians are doing and saying, and what’s going on in their lives. Just as Facebook threatens to replace college reunions, it can constitute something like a professional meeting, between professional meetings. (Note that “something like”: I have no desire with this proposal to replace professional meetings, but rather to extend them.)

I value the papers given at the AHA and OAH, but I generally come away from these meetings as well educated by conversations in the halls, and while prowling the book exhibits. Somebody has mounted a stupid and uncomprehending attack on me in a book whose galleys are available at booth 432. And there he is, at booth 927, hiding, but available for animated conversation. Here’s somebody you haven’t seen in years, and, thank goodness, she has a name badge. And, you find, she is doing fascinating work. Here is somebody who responds to regards to the spouse with a facial expression that tells you immediately that your information is no longer accurate. And here are historians of all stripes, and information about new sources and new work and controversies not yet erupted. And so on: readers of HNN know what happens in the halls of the AHA. For better or worse, all these things can happen on Facebook.

This sounds like an admirable enough goal. Why not chat about books, vacations, restaurants, and whatever else on Facebook?

There are interesting parallels to law. For instance, of conversations I’ve had at AALS, I’d say maybe a quarter of them have been purely law conversations of the type it would be hard to have online. But the majority have been general-topic chats of one kind or another. Ideally, Facebook and sites like it can facilitate the broad, cocktail-party mingling that helps keep law professors — a notoriously socially awkward group — connected and in general contact with one another. In theory, this could be good. (On the other hand, it’s awfully tricky to gossip on a public forum.) Right? What’s not to like about it?

I would write a lot more about how law professors could use Facebook, but duty calls. I have an urgent appointment to attack Nate’s zombie with my vampire before my daily attacks expire. Then, perhaps after a few games of Word Twist, I’ll be back with Part 2.

(More) stupid things not to do on Facebook

To add to the ever-growing list:

While waiting to be sentenced for your drunk driving conviction — and trying to convince the judge that you take the process seriously, that you are remorseful, and so on — do not post lots of pictures of yourself partying and drinking.

(You would think some things would be obvious, wouldn’t you?)

The CNN story has some interesting nuggets, like: “Santa Barbara defense lawyer Steve Balash said the day he met client Jessica Binkerd, a recent college graduate charged in a fatal drunken driving crash, he asked whether she had a MySpace page. When she said yes, he told her to take it down because he figured it might have pictures that cast her in a bad light.”

That sounds reasonable. If you’re a defense lawyer these days, and your client has a Facebook or MySpace page, you’re going to tell them to take it down, aren’t you?

(Query: Is it enough to merely set it to private? What if it’s a private page? Can the prosecutor send a friend request, and get access to the page? Seek a forwarded copy from the person’s friends?

For that matter, how do you prevent your friends from posting pictures of you to their Facebook pages? (That’s what happened in one of the cases in the CNN article.) Don’t go to parties while waiting for sentencing, I guess. Or if you are partying, don’t let anyone take your picture.)

Technology — a tool for inventing all sorts of brand-new bad ideas.

Is the Computer Fraud and Abuse Act Unconstitutionally Vague?

At the National Law Journal, attorney Nick Akerman (Dorsey & Whitney) contends that the Computer Fraud and Abuse Act (CFAA) indictment of Lori Drew (background about the case is here) is an appropriate interpretation of the statute:

While this may be the first prosecution under the CFAA for cyberbullying, the statute neatly fits the facts of this crime. Drew is charged with violating §§ 1030(a)(2)(C), (c)(2)(B)(2) of the CFAA, which make it a felony punishable up to five years imprisonment, if one “intentionally accesses a computer without authorization . . . , and thereby obtains . . . information from any protected computer if the conduct involved an interstate . . . communication” and “the offense was committed in furtherance of any . . . tortious act [in this case intentional infliction of emotional distress] in violation of the . . . laws . . . of any State.”

There is no question that the MySpace network is a “protected” computer as that term is defined by the statute. Indeed, “[e]very cell phone and cell tower is a ‘computer’ under this statute’s definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget.” U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005). There is also no question that a violation of MySpace’s TOS provides a valid predicate for proving that the defendant acted “without authorization.” What the commentators ignored in their critique of this indictment is that the “CFAA . . . is primarily a statute imposing limits on access and enhancing control by information providers.” EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). A company “can easily spell out explicitly what is forbidden.” Id. at 63. Thus, companies have the right to post what are in effect “No Trespassing” signs that can form the basis for a criminal prosecution.

If this interpretation of the law is correct, then the law is probably unconstitutionally vague. A vague law is one that either fails to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; or authorizes or encourages arbitrary and discriminatory enforcement. The CFAA, as construed by the prosecution in the Drew case, will probably be found vague because it authorizes or encourages arbitrary and discriminatory enforcement.

Suppose I put a notice on this post that says: “No attorneys may post a comment to this blog.” Suppose Nick Akerman comes to this site, sees this post, and writes a comment that is defamatory. Under his theory, he can be prosecuted for violating the CFAA. He has “trespassed” on this site. Moreover, if a blog has a policy that it will not tolerate “rude, uncivil, or off-topic comments,” then commenters who make such comments that are tortious (intentional infliction of emotional distress, public disclosure of private facts, false light, defamation, etc.) can be liable for a CFAA violation. Moreover, any use of a website that goes against whatever terms the operator of that site has set forth that constitutes a negligence tort is also criminal.

The problem here is that the CFAA’s applicability would be extremely broad — so broad that the cases likely to be prosecuted would be arbitrary. Since tort law is common law, and is very flexible, broad, and evolving, people would not have adequate notice about what conduct would be legal and not legal. There’s a reason why tort law is different from criminal law — we are willing to accept a lot more ambiguity and uncertainty in tort law than in criminal law, where the stakes involve potential imprisonment.

Moreover, Nick Akerman only focuses on the CFAA § 1030(c)(2)(B)(2), which makes it a felony to exceed authorized access if the offense was committed in furtherance of any tortious act.

The CFAA § 1030(a)(2)(C) makes it a criminal misdemeanor to “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication.” If I’m interpreting this correctly (and I don’t purport to be an expert on the CFAA), under the Drew prosecutor’s interpretation of the CFAA, any time a person violates a website’s terms of service and accesses any information from the site, there’s a criminal violation. That means that if I post on this blog a notice that says: “No attorneys may access any other parts of this blog other than the front page,” and an attorney accesses any other page on my blog, then there’s a CFAA violation. Could the law possibly be this broad? I think it would require a narrowing interpretation in order to avoid problems of unconstitutional vagueness.

The CFAA strikes me as a very poorly drafted statute. The Drew indictment demonstrates the problems with the law. Either courts should fix the CFAA interpretively by narrowing its scope, or else strike it down as unconstitutionally vague. But what clearly cannot stand is for the law to be interpreted as the Drew prosecutor seeks to interpret it.

Hat tip: Dan Slater at the WSJ Blog

The Privacy Virus

I’ve been thinking recently about social networking services and privacy. Certainly, they raise profiling and investigation concerns that seem quite familiar from debates about ISP and search engine surveillance. I’m becoming increasingly convinced, however, that they also present some quite distinctively social privacy issues. The flow of information within a Facebook or a LiveJournal both is deeply embedded in a particular set of social relationships and also regularly defies the expectations of the participants in those relationships. Hilarity, or rather privacy trouble, regularly ensues.

One of the things I did when starting to ponder these privacy problems was to make a list of the ways in which social networking services encourage users to supply personal information. There are actually quite a few. Here’s an incomplete list:

  • Explicit appeals to reciprocity: If someone tries to add you as a friend, it seems impolite to refuse.
  • Implicit appeals to reciprocity: If friends have pictures on their pages, you’re spurning their social advances if you don’t have pictures on your page.
  • Norming the network as “private” space: Facebook started on a college campus; people use it in ways that recreate the informality of students scribbling jokes on whiteboards posted to each others’ dorm-room doors.
  • Norming the network as “safe” space: It’s hard to estimate the risk that releasing a little private information now will bite you later, so we use our peers’ actions as a heuristic to tell us whether it’s safe to speak freely here. If they share, you share.
  • Creating a barter economy in personal information: By affiliating with new groups and adding more friends, you decrease the distance between you and others. That means more access: it opens up more profiles to your inspection (and vice-versa).
  • Encouraging status competition: Facebook helpfully lists how many friends your friends have; can you blame Robert Scoble for wanting to have more than 5,000?

I could go on, but have you noticed the common pattern? All of these mechanisms use other people’s personal information to convince you to supply more of your own. Facebook is a privacy virus: an organism that reproduces itself within a social network by convincing infected hosts to use their own replication mechanisms to spread it to others. And the way it gets past our privacy defense mechanisms is to turn them against us: social network service interactions have almost all the indicia we look for in reassuring ourselves that we’re in a private setting, rather than out in public.

More Misguided Responses to the Megan Meier Incident

Last week brought the unfortunate news that Lori Drew was indicted for a violation of the Computer Fraud and Abuse Act for her ill-conceived hoax on Megan Meier. According to an MSNBC article:

Andrew DeVore, a former federal prosecutor who co-founded a regional computer crime unit in New York, said Friday the interpretation raises constitutional issues related to speech and due process — in the latter case, because it doesn’t allow for adequate notice of when using an alias online is criminal.

Because corporations would end up setting criminal standards, a completely legal act at one site could be illegal at another, said DeVore, who has no direct involvement in the case.

Now, the Missouri legislature has just passed a law in response to the incident. According to the bill summary:

Currently, the crime of harassment includes communications meant to frighten or disturb another person. Under this act, communications conducted to knowingly frighten, intimidate, or cause emotional distress to another person are included. Harassment includes communications by any means.

Harassment includes knowingly using unwanted expressions that put the person in reasonable apprehension of offensive physical contact or harm or knowingly making unwanted communications with a person.

A person also commits harassment:

1) By knowingly communicating with another person who is, or who purports to be, seventeen years of age or younger and in so doing, and without good cause, recklessly frightens, intimidates, or causes emotional distress to such other person; or

2) By engaging, without good cause, in any other act with the purpose to frighten, intimidate, or cause emotional distress to another person, cause such person to be frightened, intimidated, or emotionally distressed, and such person’s response to the act is one of a person of average sensibilities considering the person’s age.

This law is incredibly dumb, and I hope that the governor is wise enough not to sign this uninformed and very poorly crafted piece of legislation. It is yet another misguided response to the Megan Meier incident. As I discussed in my book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale 2007), we must be careful not to adopt responses to problematic online communication that are too authoritarian and too chilling of free speech.

Under this law, a person could be guilty of a crime for recklessly frightening, intimidating or causing emotional distress to a person they know is 17 or younger. That’s incredibly broad — most likely overbroad under the First Amendment. It sweeps in a potentially broad range of protected expression under the First Amendment.

Revenge of the Bodysnarkers

Author Hannah Seligson coins a new term in her critique of celeb-mocking websites: bodysnarking, which she defines as

the snide, often witty, comments that have become a ubiquitous part of under-30 female conversation. In an age when the digital camera is a must-bring accessory for a night out (how else are you going to upload the pictures to Facebook?), when blogs give everyone with an opinion a venue for comment, and when tabloid culture has made it fine to dissect other women’s looks, bodysnarking appears to be a favorite female pastime.

The watershed moment for bodysnarking, Ms. Redd says, came a few years ago when Google introduced its advertising program AdSense. “The program allowed sites to track pages viewed and make ad revenue based on the number of visitors. [Blogger] Perez Hilton realized that nobody cared about his personal shopping trips; they cared when he [mocked mostly female celebrities.]” The masses had spoken: Bodysnarking was now a revenue generator.

As I’ve noted before, sometimes the technology that “gives the people what they want” serves only to reinforce destructive trends. In addition to Seligson’s analysis, I’d say that the rise of the bodysnarkers is an unexpected side effect of the prevalence of plastic surgery. Whereas “defects” in appearance were once largely assumed unavoidable, they can now be “cured.” So celebrity’s “fans” demand ever more appearance-wise. Given their wealth, whatever can be fixed, must be fixed.

Megan Meier Case Update — Drew Indicted

I’ve blogged about the Megan Meier case a while ago. This is the case where Megan Meier, a teenager, committed suicide after her online friend from Myspace suddenly started to reject her and say mean things to her. The “friend” on Myspace was actually Lori Drew, the mother of one of her classmates, and some other individuals. They created the fake profile and were pretending to be Meier’s fictional friend.

Now, Drew has been indicted by a federal grand jury for a violation of the Computer Fraud and Abuse Act (CFAA). Here’s the indictment.

Drew was charged with conspiracy as well as three counts of accessing protected computers without authorization. According to the indictment:

On or about the following dates, defendant DREW, using a computer in O’Fallon, Missouri, intentionally accessed and caused to be accessed a computer used in interstate commerce, namely, the MySpace servers located in Los Angeles County, California, within the Central District of California, without authorization and in excess of authorized access, and, by means of interstate commerce obtained and caused to be obtained information from that computer to further tortious acts, namely intentional infliction of emotional distress on [Megan Meier].

From the AP:

Each of the four counts carries a maximum possible penalty of five years in prison.

Drew will be arraigned in St. Louis and then moved to Los Angeles for trial.

The indictment says MySpace members agree to abide by terms of service that include, among other things, not promoting information they know to be false or misleading; soliciting personal information from anyone under age 18 and not using information gathered from the Web site to “harass, abuse or harm other people.”

Drew and others who were not named conspired to violate the service terms from about September 2006 to mid-October that year, according to the indictment. It alleges that they registered as a MySpace member under a phony name and used the account to obtain information on the girl.

Drew and her coconspirators “used the information obtained over the MySpace computer system to torment, harass, humiliate, and embarrass the juvenile MySpace member,” the indictment charged.

UPDATE: Over at the Volokh Conspiracy, Orin Kerr believes that the indictment should be dismissed. Kerr believes that it is a stretch to apply the CFAA to violations of a site’s terms of service.

If the computer owner says that you can only access the computer if you are left-handed, or if you agree to be nice, are you committing a crime if you use the computer and are nasty or you are right-handed? If you violate the Terms of Service, are you committing a crime?

Kerr also argues that the prosecution will have a very hard time demonstrating that Drew intended to violate MySpace’s terms of service. He writes: “But here there is no evidence that Drew even read the TOS. Most people don’t, of course; I would be surprised if 1 person in 100 actually tried reading it. If Drew wasn’t aware that she was violating the TOS, she couldn’t be exceeding her authorized access intentionally.”

I agree with Kerr on these first two reasons. While Drew’s conduct is immoral, it is a very big stretch to call it illegal.

Kerr offers a third reason why the indictment is faulty — it is unclear whether the goal of the conspiracy was to obtain information, as was charged in the indictment. Kerr writes: “[I]t doesn’t seem that Drew had the intent to obtain information from her victim. Her apparent goal was to harass her victim and to cause emotional distress, not to obtain information from her.” On this reason, however, I’m not so sure I agree. The news accounts I read about the case indicated that one of Drew’s primary motivations for creating the fake profile was to learn information from Megan Meier. She wanted to know information from Megan that pertained to her own daughter, who was a classmate of Megan’s. The harassing came later on.