How Not to Obtain Online Consent, or Why Panera Bread Owes Me Free Muffins

When I need to edit an article, I will sometimes park myself at a booth at the local Panera Bread, sipping the decent coffee, snacking on the beautiful (notice I didn't say tasty) pastries, and using the free WiFi. Long ago, I noticed that Panera had made a stupid technological mistake that probably strips it of the right to manage its network lawfully.

Panera tries to extract consent from its users using what is known as a captive portal, the same method used by most hotel and airport WiFi network providers. When a Panera WiFi user first tries to connect to any website, Panera's computers redirect her instead to its own web page with a link to its terms of service (ToS). Only when the user clicks "I agree" may she start surfing.

Compared to some of the other methods Internet providers use for attempting to obtain consent, a captive portal deserves some praise. It is much more likely to be noticed and read than a ToS or privacy policy link buried on a home page (or, as the case may be, not even on the home page). It is better than the paper privacy policies my credit card companies send with their monthly bills, usually along with a half-dozen ads. Unlike either of these methods, a captive portal acts like a virtual stop sign--until you click "I agree," you can go no further. (Of course, calling even a captive portal meaningful consent seems to stretch things if the ToS offered are dozens of pages long.)

But if Panera ever tried to enforce its WiFi ToS--say it got caught monitoring user communications and had to defend against a wiretapping lawsuit or say it was sued for banning a user suspected of downloading porn in violation of the ToS--a court should probably hold that its ToS are unenforceable. Panera has made a simple web design mistake that introduces doubt about what terms are being agreed to by its users.

Like many sites, Panera displays the ToS within a text box. It probably does this to save screen real estate: with a text box, it can allow the user to scroll through a smallish-square rather than be faced with a dauntingly long web page. But carelessly, Panera made its text box EDITABLE! To see what I mean, compare the two text boxes below:

This text box is marked readonly; you should NOT be able to edit this text.
This text box is NOT marked readonly; you should be able to add, delete, and modify this text.

At the very least, Panera will have a hard time proving to a court that a particular customer didn't delete all of the ToS before clicking "I agree." But, there is a crazier possibility: Every time I am faced with Panera's editable ToS, I delete all of the text and replace it with a proposed contract of my own. Here are some of the contracts I have proposed:

• "By allowing me to surf the web using your network, you agree to give me one free muffin every day for the rest of my life."
• "By allowing me to surf the web using your network, you agree to name me CEO of Panera Bread for a day. I choose next Tuesday."
• "By allowing me to surf the web using your network, you agree to change the name of your company to Pantera Bread, and the name of your 'Frontega Chicken' sandwich to 'Cowboys from Hell' Sandwich.'"

I know enough about the http protocol and cgi-bin to know that my modified ToSes probably get transmitted back to a Panera, er, Pantera web server. Are my contracts enforceable? Probably not. But my arguments for enforceability sound no less ridiculous than some of the arguments made by those seeking to enforce click-wrap and buried ToS "contracts".

Excuse me while I go try to claim a free muffin.

Posted by Paul Ohm at 11:39 AM | Comments (14) | TrackBack

The Cultural Contradictions of Jenny Craig

I was astonished to learn that the number of TV shows about weight loss has ballooned to seven this season. Alessandra Stanley's superb report on them catalogs the cultural contradictions they're a part of:

Americans are goaded into ever more drastic and extreme expectations of physical perfection on prime time, while their path is mined with Double Croissan’wich specials at Burger King and Olive Garden “Tour of Italy” triptychs (lasagna, chicken parmigiana and fettuccine Alfredo). On “Today” a homily on sensible dieting from the Joy Fit Club is followed by instructions in a following segment for hibiscus margaritas and churros — deep-fried, sugar-dipped Mexican crullers.

On the WE network’s show “The Secret Lives of Women,” a tribute to three women’s hard-won journey to extreme weight loss is interrupted by an ad for Baskin-Robbins Oreo sundae. It’s a world of contradictions bracketed by all-you-can-eat breakfast at Applebee’s and pay-as-you-go gastric bypass.

Anyone who's read Benforado/Hanson/Yosifon's work on the situational pressures toward obesity probably won't be surprised by these juxatpositions. Nevertheless, they're a strikingly intimate example of what Daniel Bell might have termed the "cultural contradictions of capitalism." The donut factory may forbid its workers from smoking in order to lower its health care costs, but its profit margins depend on big sales to the 65% or so of the population that is overweight or obese.

The market has given us these shows primarily because they offer a chance to feel like we're doing something about the problem without actually doing much. As Stanley notes, "Mostly the visuals feed complacency; as overweight as a viewer may feel, he or she surely will never fall this far into the potato chip abyss. And if the morbidly obese people on screen can drop 100 pounds, then even the chubbiest kid on the couch can fit into a swimsuit by summer."

Posted by Frank Pasquale at 11:11 PM | Comments (1) | TrackBack

Student Control

In a world of increased occasions for forms of social control, the university is extending its reach. In an AP story today we learn that universities are broadening the scope of their campus behavior codes to apply to student conduct off campus, in an effort to cultivate humanity, to borrow from Martha Nussbaum. One purpose is to make students better citizens within the community. From the article:

We have a responsibility to educate our students about being responsible citizens,'' said Elizabeth A. Higgins, Washington's director of community standards and student conduct, whose office has ‘educated’ 19 students since the extended code of conduct took effect in January.

The scope of these codes can be quite broad, as the article reports that the University of Colorado code “regulates any conduct that ''affects the health, safety or security of any member of the university community or the mission of the university.” The article further reports that Seattle University “has put its students on notice that cyber-patrolling will continue this year.”

Universities have a unique institutional role with regard to their students, and the impact of student conduct on surrounding communities can be significant (with both positive and negative externalities). Extending the scope of behavior monitoring to off-campus sites and to the internet does, however, reduce the realm of personal privacy and provides another occasion in which institutional control over behavior applies beyond the institution’s own parameters. Even if the purpose of this sort of cultivated humanity is to produce good citizens, it is unclear to me that more extensive monitoring is the way to achieve that goal. Without spaces to develop a sense of serendipitous self-determination, cultivating humanity may be more like growing corn – we get more homogenization and a good food supply, but we may also get more corn than we bargained for. Besides providing another occasion when one can mention Foucault’s work on forms of social control, it may be that universities are merely catching up with other institutions such as private companies who expect certain kinds of behavior from off-duty employees. Is it likely that law schools will increase the monitoring of their students off-campus or on-line any time soon as well?

Posted by Thomas Crocker at 02:24 PM | Comments (21) | TrackBack

The End of Privacy?

I've written an article for the September issue of Scientific American magazine called The End of Privacy? The article is available online here, with a slightly different title: Do Social Networks Bring the End of Privacy?.

The entire issue is devoted to privacy, and there are some other really interesting articles. Here are links to the other articles in the issue:

Whitfield Diffie and Susan Landau, Internet Eavesdropping: A Brave New World of Wiretapping

Steven Ashley, Digital Surveillance: Tools of the Spy Trade

Katherine Albrecht, How RFID Tags Could Be Used to Track Unsuspecting People

Anil K. Jain and Sharath Pankanti, Beyond Fingerprinting: Is Biometrics the Best Bet for Fighting Identity Theft?

Mark A. Rothstein, Tougher Laws Needed to Protect Your Genetic Privacy

Simson L. Garfinkel, Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles

Peter Brown, Privacy in an Age of Terabytes and Terror

Esther Dyson, How Loss of Privacy May Mean Loss of Security

Anna Lysyanskaya, Cryptography: How to Keep Your Secrets Safe

Posted by Daniel J. Solove at 12:03 AM | Comments (0) | TrackBack

Reputation Regulation

Dan's posts this week about privacy in campaign donations and public records are related to some issues I'll be discussing soon (at the Congressional Internet Caucus's State of the Net West Conference, the IPSC, and the Annenberg School at UPenn). I've discussed the power of intermediaries to shape our reputation in a few prior projects, and now I'm concentrating on how to address that power. Here's an extended abstract on these ideas:

Reputation Regulation:
Rationalizing Internet Intermediary Responsibility

Reputation regulation has become essential because traditional restrictions on data and information flows—be they in the form of privacy or intellectual property laws—inadequately constrain important intermediaries. In considering the balance of power between intermediaries and those whom their actions affect, scholars have focused on either strengthening or weakening extant doctrines of copyright, trademark, contract, antitrust, and privacy law. However, a critical mass of doctrine in these fields, established patterns of consumer behavior, and the advent of cloud computing have freed up so much information that law must now not only be concerned with information’s flow, but with what results from it: the rankings, recommendations or ratings based on it.

While the Fair Credit Reporting Act set a precedent for reputation regulation, more recently only a few powerful groups have succeeded in the US in forcing reputation-generating systems to be more accountable. For example, a medical association in Washington state has persuaded some large insurance companies that rate physicians to disclose the basis of their ratings and to permit appeals of negative ones. Concerns about stealth marketing have also led to guidance from the FTC on the separation of editorial and paid content in search engines. EU intermediaries are generally required to be more responsible than those in the US. For example, one German court has required Google to manage results associated with an actress distressed by them, while a much worse case of harassment in the US led to no requirement of corrective action from Yahoo.

The burden of this article is to make a case for extending similar responsibilities to other dominant general-purpose search engines, as well as e-commerce hubs (e.g., eBay, Amazon, and iTunes), social networks (e.g., MySpace, FaceBook, CyWorld, and 23andMe), and gossip boards (e.g., AutoAdmit and JuicyCampus). Individuals and organizations ought to have a basic right to some account of how dominant intermediaries generate associations related to them. Meaningful exercise of that right will require flexible, responsive regulation of entities which make reputation-affecting decisions.

Reputation regulation may seem like an oxymoron, given the usual associations evoked by the two concepts. Reputation is traditionally considered a most mutable intangible, existing only in the minds of individuals. It may seem like the quintessential quality beyond the reach of bureaucrats. Regulation, on the other hand, has a reputation for being rigid, ossified, cumbersome, captured, or worse.

Nevertheless, companies stake enormous sums on their goodwill, and individuals have grown accustomed to a vast network of privacy regulations over the past few decades. If this most personal of attributes can be a prerogative of the administrative state, so too can its correlates. Moreover, regulation need not be administered only or even primarily by the state—as Google’s StopBadware program has already proven, a creative intermediary can partner with NGO’s to provide “rough justice” to sites it denigrates.

Recurrent battles over “network neutrality/broadband discrimination” have focused public attention on one dominant set of intermediaries—the carriers who control the physical layer of internet transmissions. However, there are other “bottlenecks” on the internet that merit similar attention because of their parallel power to order content on the web. While many commentators assume that these sites’ innovative genius should give them a completely free hand to conduct their own affairs as they see fit, they downplay legal sources of intermediaries’ success. As the legal realists cautioned, rarely is there a clean separation between state and market actors. Intermediaries’ dependence on legal immunities both belies their moral arguments for untrammeled autonomy, and provides a legal “hook” on which to hang reformist measures.

Large online intermediaries may now seem like the inevitable mountainous landmarks of our online topography; certainly business books on “crowdpreneuring,” “wikinomics,” and the “long tail” suggest as much. However, their dominance of the internet ecosystem was anything but foreordained. As Part II demonstrates, any number of cyberlaw disputes could have checked intermediaries’ growth, or required them to negotiate more with those adversely affected by their actions. However, favorable legislation (like the DMCA and CDA) and court rulings have fueled their rapid growth and scale-driven business models. Moreover, their ability to impose one-sided “terms of use” has made it increasingly unlikely that new entities can arise to compete with dominant intermediaries. Fortunately, a few gaps in existing immunities still pose threats to intermediaries, and may require Congressional intervention to solve. If Congress chooses to take up these issues, it should condition strengthened immunity on the types of public responsibility described in this article.

Considered in isolation, particular legal victories won by intermediaries in the United States over the past two decades may reflect warranted extensions of precedent or sound policy judgments. However, when seen as a broad spectrum of legal development, they are aggregating toward an unfair competitive advantage unearned by commensurate public responsibility. Intermediaries only deserve immunities to the extent they realize and reflect public values.

Part III articulates these public values by describing more responsible reputation-generating entities and applying the norms apparent in their operation to dominant online intermediaries. In early work on the topic I assessed search engine quality with respect to the authoritativeness and responsibility of the metadata they provided. In the course of proposing regulatory responses to search engine manipulation, Oren Bracha and I elaborated these concepts with respect to democratic legitimacy, economic efficiency, and fairness. As this article attempts to apply some ideals of accountability to intermediaries and ranking sites generally, reputation regulation provides a more unitary umbrella concept for assessing intermediaries’ degree of responsibility.

Part IV makes the moral and economic case for complementing court-driven responses to intermediaries with regulation. Calls for increasing public responsibility for intermediaries are presently being channeled in two reformist directions: A) promoting competition among intermediaries (by lowering barriers to entry and challenging incumbents’ anticompetitive practices), and B) tinkering in particular doctrinal areas in order to promote responsible behavior by intermediaries. Even at their best, neither of these approaches can fully realize the values described in Part III.

Competition promotion is at best a partial response—while it may maximize the “consumer welfare” of users of intermediaries, it may do worse than nothing for third parties (since one competitive strategy of intermediaries like Juicy Campus is to make it easier for users to harm third parties). Moreover, in some areas, the intermediary may be a natural monopoly, and any competition in the space it occupies is bound to be contrived. Traditional litigation (or doctrinal adjustment) is more promising, but risks either over- or under-correcting intermediaries’ practices. In many areas, it may prove beyond the institutional competence of courts to deal with rapidly shifting business practices occluded by trade secret protection. An agency with teams of engineers and programmers can monitor and understand intermediaries’ practices better than nonspecialist judges. Finally, both the competition-promotion and doctrinal-adjustment schools have tended to understand the problems posed by intermediaries in purely economic terms—whereas media and credit-reporting regulation has traditionally taken into account the cultural and moral consequences of intermediary power.

Legal scholarship has traditionally focused on discrete doctrinal areas. In intellectual property law, scholars seek to rationalize copyright, trademark, patent, and related doctrines; “cyberlaw” extends to contract, property, and tort online; and privacy experts confront the welter of common law and statutory limits on the accumulation and disclosure of data. While such specialization may promise to “work the law pure” in particular doctrinal bailiwicks, lack of coordination risks reinforcing trends that few would endorse. Sectoral regulation of reputation has the potential to promote the best aspects of intermediaries, while reining in their more irresponsible actions.

Posted by Frank Pasquale at 03:02 PM | Comments (0) | TrackBack

Should People's Political Donations Be Public?

Pursuant to the Federal Election Campaign Act (FECA), people's campaign contributions must be accessible to the public. I've long found this to be problematic when applied to the campaign contributions of individuals. Certainly, information must be reported to the government to ensure that campaign contribution limits aren't exceeded. But I don't know why it is the public's business to know what candidates I've given money to and how much. Go to Moneyline CQ or Fundrace2008 or OpenSecrets.org and you can search for the campaign contributions of anyone. You can learn a person's address, occupation, and the amounts he/she contributed and to whom.

I find this problematic for at least two reasons.

1. I believe that the disclosure of people's campaign contributions violates the First Amendment. The First Amendment protects one's right to privacy in one's associations, and campaign contributions often reveal one's political party affiliation. I disagree strongly with Buckley v. Valeo, 424 U.S. 1 (1976), the U.S. Supreme Court decision that holds that FECA's public disclosure requirements satisfy First Amendment heightened scrutiny. The Court justified its holding based on the need to "alert the voter to the interests to which a candidate is most likely to be responsive," to "deter actual corruption and avoid the appearance of corruption by exposing large contributions and expenditures to the light of publicity," and to "gather[] the data necessary to detect violations of the contribution limitations described above." The first function doesn't strike me as relevant when it comes to individual contributions. Is the fact that Person X contributed $100 to Candidate Y likely to reveal interests to whom Candidate Y will be beholden? The second function -- exposing corruption -- could be done by a government agency vetting the contributions. Likewise for the third function.

Professor William McGeveran makes a persuasive argument that Buckley's holding should be rethought in light of modern technology, namely searchable databases like the ones I mentioned above. He contends that people might be chilled from making political contributions because of negative professional consequences or the stigma of being associated with unpopular non-mainstream candidates. William McGeveran, McIntyre’s Checkbook: Privacy Costs of Political Contribution Disclosure, 6 U. Pa. J. Const. L. 1, 19, 30, 38 (2003).

2. Another problem with making the data so publicly accessible is that it facilitates abuse by employers or others who might discriminate against people because of their political views. For example, the DOJ Report on the illegal and improper hiring practices based on political beliefs by Monica Goodling and others demonstrates how readily accessible information about political contributions can be used in nefarious ways:

We found that Goodling’s Internet research on candidates for Department positions was extensive and designed to obtain their political and ideological affiliations.

We determined that while working in the OAG, Goodling conducted computer searches on candidates for career as well as political Department positions. . . . At some time during the year Williams served as White House Liaison, she had attended a seminar at the White House Office of Presidential Personnel and received a document entitled "The Thorough Process of Investigation." The document described methods for screening candidates for political positions and recommended using www.tray.com and www.opensecrets.org to find information about contributions to political candidates and parties. The document also explained how to find voter registration information.

Posted by Daniel J. Solove at 12:07 AM | Comments (12) | TrackBack

The Problems of More Accessible Criminal Conviction Information

A recent New York Times article by Brad Stone discusses a website called CriminalSearches.com, which allows you to punch in a name of a person and do a search for any criminal records about him or her. From the article:

Want to vet a baby sitter? Need to peek into the background of a prospective employee? Curious about the past of a potential date?

Last month, PeopleFinders, a 20-year-old company based in Sacramento, introduced CriminalSearches.com, a free service to satisfy those common impulses. The site, which is supported by ads, lets people search by name through criminal archives of all 50 states and 3,500 counties in the United States. In the process, it just might upset a sensitive social balance once preserved by the difficulty of obtaining public documents like criminal records.

Academics have a term for the old inaccessibility of records like those for criminal convictions: “practical obscurity.” Once upon a time, people in search of this data had to hire private investigators to navigate byzantine courthouses and rudimentary filing or computer systems, and to deal with often grim-faced legal clerks. In a way, the obstacles to getting criminal information maintained a valuable, ignorance-fueled civil peace. Convicts could start fresh after serving their time without strangers knowing their pasts, and there was little risk that unsophisticated researchers could confuse people with identical names.

Well, not anymore. The information on CriminalSearches.com is available to all comers. “Do you really know who people are?” the site blares in large script at the top of the page.

I'm quoted briefly in the article:

In the past, Congress carefully considered how the public should use criminal records. Amendments to the Fair Credit Reporting Act in 1997 required that employers who hire investigators to obtain criminal records from consumer reporting agencies advise prospective employees of the search in advance, and disregard some types of convictions that are older than seven years.

“I don’t think Congress stuck that in there randomly,” says Daniel J. Solove, a professor of law at the George Washington University Law School and author of “Understanding Privacy.” “Congress made the judgment that after a certain period of time, people shouldn’t be harmed by having convictions stick with them forever and ever.”

Websites such as CriminalSearches.com create a host of problems:

1. They create a problem I call "increased accessibility" in my book, Understanding Privacy (Harvard U. Press, May 2008):

If the information is already available to the public, what is the harm in increasing its accessibility? Increased accessibility does not involve a direct disclosure. Secret information is not revealed. Confidentiality is not breached. Rather, information that is already available to the public is made easier to access. With increased accessibility, a difference in quantity becomes a difference in quality--it heightens the risk of the harms of disclosure.

Increased accessibility to personal information has many benefits. It enhances openness by allowing people to locate information that they are seeking more easily. Ready accessibility of records, for example, can assist in investigating the background of a person whom one is planning to hire. . . .

Increased accessibility, however, creates problems, such as the greater possibility of disclosure. Information can readily be exploited for purposes other than those for which it was originally made publicly accessible. For example, companies are gathering data from public records for commercial and marketing purposes or for profiling and other analysis. Peter Winn notes that increased access to court records will cause harms to participants in the judicial system: "They will lose . . . their interest in privacy -- their identities will be subject to potential misuse by thieves, and their children may be exposed to sexual predators."

2. In a number of circumstances, people can get their convictions expunged. What happens, though, when websites that report this information do not delete conviction information after expungement? We might see the end of people's ability to get a conviction expunged.

3. Government records are notoriously inaccurate. If a person is wrongly listed in a database, the problems of that error are now amplified.

Unfortunately, given the Supreme Court's First Amendment jurisprudence, websites such as CriminalSearches.com are difficult to regulate. The Court held in Cox Broadcasting v. Cohn, 420 U.S. 469 (1975) that "[o]nce true information is disclosed in public court documents open to public inspection, the press cannot be sanctioned for publishing it." The only way to restrict the use and disclosure of such information is for the government to impose conditions in exchange for the receipt of the information. In LAPD v. United Reporting Publishing Corp., 528 U.S. 32 (1999), the Court upheld a California law that conditioned access of arrestee and victim information on agreeing not to use it for commercial purposes. "This is not a case in which the government is prohibiting a speaker from conveying information that the speaker already possesses. The California statute in question merely requires that if respondent wishes to obtain the addresses of arrestees it must qualify under the statute to do so."

Posted by Daniel J. Solove at 06:20 PM | Comments (5) | TrackBack

Saved by Pervasive Surveillance

At 26 seconds into this video, a policeman appears to tackle a bicyclist without provocation. . . . and guess who was arrested after the incident?

Yes, you guessed it, the bicyclist. If the moment hadn't been caught on tape, it's quite possible the victim here would be facing criminal charges, and the policeman in question could be plotting another assault.

More prosaically on the transportation front, car insurance firms are now offering big discounts to drivers who install technological devices that monitor driving moment-by-moment.

I predict that the car monitoring technology will gradually become an industry standard for insurers--once a critical mass of drivers adopts it, the "bonus" for installing it will quickly morph into a penalty for failure to do so (just as I've chronicled that development for other technologies in this paper). Lior Strahilevitz has given some good policy arguments for adopting a parallel (but P2P) surveillance system for drivers, and my sense is that they apply just as well here. Jonathan Zittrain warns us that "FBI can secretly eavesdrop on any automobile with [a similar] OnStar navigation system by obtaining a judge’s order and ensuring that the surveillance does not otherwise disrupt the system’s functioning," but I don't know if that concern is enough to cause me to worry here. I care about privacy, but if there's any way we can get some of the maniacs on the Garden State parkway to slow down, I think I'm for it.

The bicyclist-bashing seems like an even better case for pervasively distributed surveillance--or at least for David Brin's admonition that we must always try to "watch the watchers." Policing, like driving, may provide a special case for pervasive surveillance, despite worries like Zittrain's over the cultural consequences of pervasive surveillance:

The summed outrage of many unrelated people viewing a disembodied video may be disproportionate to whatever social norm or law is violated within that video. Lives can be ruined after momentary wrongs, even if merely misdemeanors. [Just as] too many road signs and driving rules change people into automatons, causing them to trade in common sense and judgment for mere hewing to exactly what the rules provide, no more and no less[,] . . . too much scrutiny can also turn us into automatons. Teacher behavior in a classroom, for example, is largely a matter of standards and norms rather than rules and laws, but the presence of scrutiny, should anything unusual happen, can halt desirable pedagogical risks if there is a chance those risks could be taken out of context, misconstrued, or become the subject of pillory by those with perfect hindsight. . . .

In this hyperscrutinized reality, people may moderate themselves instead of expressing their true opinions. To be sure, people have always balanced between public and private expression. As Mark Twain observed: “We are discreet sheep; we wait to see how the drove is going, and then go with the drove. We have two opinions: one private, which we are afraid to express; and another one—the one we use—which we force ourselves to wear to please Mrs. Grundy, until habit makes us comfortable in it, and the custom of defending it presently makes us love it, adore it, and forget how pitifully we came by it. Look at it in politics.”

Today we are all becoming politicians. People in power, whether at parliamentary debates or press conferences, have learned to stick to carefully planned talking points, accepting the drawbacks of appearing stilted and saying little of substance in exchange for the benefits of predictability and stability. Ubiquitous sensors threaten to push everyone toward treating each public encounter as if it were a press conference, creating fewer spaces in which citizens can express their private selves.

As Dan Solove does, Zittrain focuses on expressive realms where distributed watching can tamp down originality and spontaneity. But after the bicycle case (and similar incidents), the value of surveillance of police is clearly demonstrable. The key question is whether this salutary kind of "watching the watchers" can be accomplished without unduly impinging on the expressive realms that Zittrain and Solove describe.

PS: The bicyclist in question was part of a group called Critical Mass, which has clashed with the NYPD in the past. Law & order types in particular will probably find the police's criticisms of the group compelling--it organizes "spontaneous gatherings" to avoid regulations of protests, and has been accused of slowing down traffic (and emergency vehicles) during its bike rides. (It was also treated quite harshly for its protests at the Republican National Convention.) But however much one might dislike the group, the treatment of the bicyclist here appears utterly indefensible.

Posted by Frank Pasquale at 08:00 PM | Comments (2) | TrackBack

Tech Might Set You Free: How GPS May Have Foiled a Radar Gun

A teen has fun and races around town. The local constabulary catches the miscreant and today has him dead to rights. The officer has a radar gun which shows the youth was traveling at 62 MPH in a 45 zone. The teen will learn to obey the law. Or it may happen that the alleged offender’s parents have placed a GPS tracking device on their child’s car. That device shows not only where the car was but what speed it was going. An expert for the state has a report stating the GPS is inaccurate but changes testimony on the stand and says the “device was ‘very’ accurate, to within a couple of meters on location and to within 1 mph on speed. Dr. Heppe also pointed out that the GPS device released instantaneous data, and not data averaged over a distance.” (quoted from this article which quotes the GPS device maker’s press release).

I don’t know how accurate these reports are. But if true, the facts are fun. As the article notes, there are some curious issues here. First, the teen may not have known about the device. Second, the privacy folks who worry about tracking have reason to check this one. If the devices are that accurate, would an insurance company require it or offer lower rates for those who agree to be tracked? (I think I read that a form of this practice has begun somewhere but if anyone has more concrete information please share). Should the state require these devices? I remember the seventies gas crunch and 55 MPH laws. We may see (though I doubt the political will is there) similar acts today. Would that national issue support a general enforcement of this nature?

In general this one may be another step towards perfect enforcement. Zittrain talks about this in his book the Future of the Internet.

As a country that sees itself as founded on liberty, perfect enforcement poses real problems. Some may offer a nothing to hide type of retort. In a way these small steps to prefect enforcement remind me of the world where we in the United States could say oh look at the Soviets. They need papers to go anywhere and look over their shoulders at all times. Now, however, we may be ones with the papers (or digital tags) and looking over our shoulders. EPIC and Privacy International have a study comparing surveillance societies but if I remember correctly several comments had some good questions about how it was done. (Has anyone found a better comparison study? Please share if you have.)

Here’s a possible problem with saying just obey the law (although if you stray, we will get you no matter what): it misses a deeper question about the possibility of transgression. One may need to have the option of breaking the law to be free to follow it. Then again one may have to return to Czechoslovakia to be free.

Posted by Deven Desai at 01:59 PM | Comments (0) | TrackBack

Expunged? What Happens When A Blogger Decides To Remove Posts?

Followers of Boing Boing and Web flaps may know about a decision by one of BB’s writers, Xeni Jardin. Apparently, Ms. Jardin had previously posted material about Violet Blue’s (another blogger/Web writer/journalist) work. Then, at some point, Ms. Jardin decided that she did not wish to have that material on BB anymore. So she removed the posts (by the way the removal occurred more than a year ago but has only recently gained attention). And there is the issue. According to the New York Times, BB readers were most upset. Some saw the act as hypocritical. Ms. Blue found the practice “horrifying.” The practice has been given the name “unpublished” as in “being unpublished.” (This term is a misnomer as is discussed later.)

Possibly the most important factor is that BB patrons saw the act as breaking an unspoken understanding and failing to communicate with them. Some including Ms. Blue argue that the practice violates some norms of the Web. Maybe it does. But that alleged norm is probably not so real. And it seems difficult to really claim that one wants BB or others to detail every move or thought they make. Still the sense of outrage is more than palpable. For the law folks, the event raises questions about norms and perhaps who owns the posts.

As the article notes and Dan’s book details, in many cases one may want sites to take down posts that one does not like. Here the person liked the posts. So she feels “horrified.” To BB’s credit they are reflecting on how best to address its readers’ concerns. In the past BB has found creative solutions to deal with comments by having a moderator remove vowels from nasty posts (this idea reminds of Yossarian deleting harmless words from letters as a censor in Joseph Heller’s Catch-22; BB’s practice is not censorship of the same type but it is a way of indicating displeasure at the manners of post while letting it through in some form).

NOW many will see all of this speech limiting and so on. Again maybe so. But is BB a “publication of record?” Even if it is, does it have to make its archives available as they were? It seems that BB’s ardent fans have a view of what BB is. And once one launches anything be it a book, a Web site, a film, and so on, it has its own life. Controlling it becomes more difficult as more people choose to engage with it. This phenomenon is what seems to have caught BB off guard. Yet, with a blog control is possible. One can set forth rules and tell folks “Here is my world. Here are the basics of how to be in my world. You are welcome but I may ask you to leave and you are not required to stay here.” After reflecting on their readers’ points BB has stated:

So the [current] de facto, undiscussed, presumptive policy, which we recently just declared as part of this whole dust-up, was: Every individual has the right to do whatever they want to do. They can post anything they want, about anything they want, whenever they want without asking permission, and if they want to change those posts or take them down, they can do that too.

BB could at some point choose to keep everything up forever. I am not sure that is a wise or necessary policy. Again the courtesy of removal seems to go away with that policy. And it misses a key point about the blog posts. Ms. Jardin wrote them, not Ms. Blue.

As Ms. Jardin and her colleagues note, BB writers operate independently. They cover what they like, post what they wish, and manage their posts separately for the most part. Put differently if the posts belong to anyone, they belong to her. My paper Property, Persona, and Preservation goes into some detail about individual claims for online writings and the possible benefits of such an approach. But in short, Ms. Jardin is the author. Ms. Blue may like the posts and want to have them up when they are flattering but what if Ms. Jardin decided to write unflattering posts? Perhaps the object of the posts would want them removed. (It seems Ms. Jardin did make choice not to go into detail in part because “[A]t the time I just wanted to take this material down for a host of reasons that I don’t want to talk about in public because I don’t think it would do this person any good.”)

To be fair, Ms. Blue and others in her position, have a sense that these posts are not only about them but in a way part of them. People want to point to articles that praise them. In the past they would clip and copy the articles to send out later. Today, we are used to having the easy, instant access to the articles or posts and when they vanish, we are upset. It may even feel like the legendary Harvard act of expunging a student’s existence at the school; you were never here, it never happened.

Nonetheless, as far as Ms. Jardin’s posts are concerned, no one is unpublishing the person discussed in the post. Ms. Jardin is unpublishing Ms. Jardin’s posts. That seems to be a simple, clear power she should have at her discretion. And I do mean discretion. For now BB seems to have decided that the community they have built will work better or must understand that the authors can update and/or remove posts as they wish. So be it. If, however, they think a different policy works for their site, well amen too.

-Deven

PS I don’t know whether Harvard really does this but two links mention it here and here
so it seems to be a handy urban legend that may have some level truth behind it.

PPS Now there are possible circumstances when a site might not be able to say this is our sandbox but I leave that idea to another time and/or Frank who will likely get into the issue.

Image Source: WikiCommons
License: GNU Free Documentation license, Version 1.2 or any later version
Author: Hariadhi

Posted by Deven Desai at 01:26 PM | Comments (10) | TrackBack

The New Foreign Intelligence Surveillance Act

I have been following the new FISA Amendments Act of 2008, but I have refrained from chiming in, as many others have been doing terrific blogging on the issue. Of particular note:

* David Kris, A Guide to the New FISA Bill (I, II, III)
* Wes Alwan, Understanding Recent Changes to FISA — A Visual Guide (Flowchart)
* Orin Kerr, The New FISA Law and the Misleading Media Coverage of It
* Marty Lederman, The Privacy-Protective Components of the New FISA Law
* Jack Balkin, The New FISA Law and the Construction of the National Surveillance State

I've been particularly dismayed at the Democrats' strategy in dealing with the FISA Amendments. Why bother to try to negotiate a FISA compromise with a presidential administration that has shown nothing but contempt for the law to begin with? The Bush Administration, instead of going to Congress and requesting a change in the FISA, went ahead and blatantly violated that law. And the Administration said it would continue to violate the law, so what's the pressing need to fix the FISA, especially when negotiating with an Administration that only will meet you about 2% of the way? Why force Obama to make a difficult choice about voting on the law, risking either looking weak on security or like a sell-out? Why not wait a few months and then pass a law with a new administration, one that will hopefully be easier to negotiate with? And how is this law any more binding on a president who says he has the right to violate a law based on his Article II powers?

Future presidents can learn a lot from all this -- do exactly what the Bush Administration did! If the law holds you back, don't first go to Congress and try to work something out. Secretly violate that law, and then when you get caught, staunchly demand that Congress change the law to your liking and then immunize any company that might have illegally cooperated with you. That's the lesson. You spit in Congress's face, and they'll give you what you want.

The past eight years have witnessed a dramatic expansion of Executive Branch power, with a rather anemic push-back from the Legislative and Judicial Branches. We have extensive surveillance on a mass scale by agencies with hardly any public scrutiny, operating mostly in secret, with very limited judicial oversight, and also with very minimal legislative oversight. Most citizens know little about what is going on, and it will be difficult for them to find out, since everything is kept so secret. Secrecy and accountability rarely go well together. The telecomm lawsuits were at least one way that citizens could demand some information and accountability, but now that avenue appears to be shut down significantly with the retroactive immunity grant. There appear to be fewer ways for the individual citizen or citizen advocacy groups to ensure accountability of the government in the context of national security.

That's the direction we're heading in -- more surveillance, more systemic government monitoring and data mining, and minimal oversight and accountability -- with most of the oversight being very general, not particularly rigorous, and nearly always secret -- and with the public being almost completely shut out of the process. But don't worry, you shouldn't get too upset about all this. You probably won't know much about it. They'll keep the dirty details from you, because what you don't know can't hurt you.

Posted by Daniel J. Solove at 08:31 PM | Comments (14) | TrackBack

Justice Breyer's Information Available on Limewire

It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.

Again the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.

Posted by Deven Desai at 01:01 PM | Comments (0) | TrackBack

Defamation by PhotoShop?

At 25, you have the face heredity gave you; at 50, you have the face you deserve; and at Fox News, your features depend on whether you're a friend or enemy of the network. Or at least that's how Jacques Steinberg and Edward Reddicliffe must feel after Fox aired doctored photos of them on its news show.

Note that the normal photo was not shown on Fox News; the distorted image was presented as the face of Steinberg. (I've embedded the full clip below the fold.)

Can such a distorted depiction give rise to a defamation action? Obviously if the picture were a cartoon, and/or the program a satire or non-news program, creative license lets just about anything go (though some particularly egregious images have sparked resistance). But does a news program have a special obligation to "objectively" present images? And, returning to defamation, is it possible to argue a) that the distorted image is a "lie" about the person it depicts and b) that ugliness (that which distortion seeks to convey) is actionable as something damaging to the person whose image is distorted?

a) As for the idea of "lie" here, consider these arguments about the infamous "darkened OJ Simpson" image on the cover of Time Magazine:

The image on Time was digitally manipulated, making OJ darker and heavily shadowed (in juxtaposition to Newsweek['s image]). . . . Although Time claimed it was a “photo illustration” that served to “show the tragic downfall of an American football hero,” other folks disagreed. Time was charged with: (1) perpetuating the stereotype of “violent” black men; (2) suggesting OJ was guilty; (3) applying digital manipulations to a “news” photo–apparently a real no-no in journalism . . . [But Cara A.] Finnegan . . . challenges those who think the image serves as a “visual argument,” which she defines as a “set of premises, identifiable in the image, leading to a conclusion which is itself present in the image” (236).

Compare the idea that "OJ is guilty" to "Steinberg is ugly." What does the puff-chinned, big-eared, grotesque-nosed Steinberg image "argue" here? Glenn Greenwald might assimilate it to what he calls "the dominant media theme for the last two decades in our political discourse:"

What matters is that Democrats and liberals are weak, effete, elitist, nerdy, military-hating, gender-confused losers . . .and who merit sneering mockery and derision. Republican right-wing male leaders are salt-of-the-earth, wholesome, likable tough guys -- courageous warriors and normal family men who merit personal admiration and affection. . . . [In our] press corps, fantasy easily trumps reality. And our media stars thus . . . cackle in derision at the Democratic weaklings and losers.

Greenwald's analysis, backed up at length in his latest book, articulates a possible "message" in the Fox News photoshopping. But is it really communication, or manipulation? And if the latter, does it not fit more under the rubric of "subliminal advertising" than defamation?

b) Another challenge to a defamation suit might be whether the image is genuinely harmful to the person's reputation. The closer one looks at it, the more obvious it becomes that the proportions of the face are impossible. But note that the clip was shown very briefly in its original context, leaving no time to scrutinize it.

What about "ugliness" is "damaging"? Enlightened individuals judge others on the basis of the content of their character, not their looks; but in this respect America may be becoming less enlightened every day. Here some perplexities raised in recent cases about allegations of homosexuality may be relevant. The question is whether, in an increasingly tolerant society, being alleged to be homosexual is still libelous. Two recent cases come out in diametric opposition:

Klepetko v. Reisman, 41 A.D.3d 551 (N.Y. App. Div. 2007) ("The false imputation of homosexuality is "reasonably susceptible of a defamatory connotation" )

Greenly v. Sara Lee Corp., 2008 WL 1925230 (E.D. Cal. 2008) ("[c]ontinuing to characterize the identification of someone as a homosexual [to be] defamation per se [demeans the lives of homosexual persons]".)

To continue the analogy: just as sodomy laws were only repealed gradually, only in the early 1970s were certain "ugly laws" repealed. One such law ordered that "'No person who is diseased, maimed, mutilated or in any way deformed so as to be an unsightly or disgusting object or improper person [is] to be allowed in or on the public ways or other public places in this city . . . under a penalty of not less than one dollar nor more than fifty dollars for each offense."

In conclusion; I imagine that a defamation case would be a tough one for either Reddicliffe or Steinberg, but admittedly I have not researched "defamation by distorted image." Edward Tufte has documented the damage that "fudged photos" can do to science, but it's not clear that much can be done about them in the political public sphere.

So what's to stop the unflattering depiction, already a mainstay of negative political ads, to gradually morph into the photoshopped truthiness Fox has pioneered? Perhaps the only answer is to fight fire with fire; Olbermann might air the work, say, of Kenneth Tin-Kin Hung . . . :

(Hung, still from Because Washington is Hollywood for Ugly People)

One thing is clear: if one side in politics adopts the tactic with impunity, the other side has clearly not read its Schmitt and Niebuhr if it decides merely to "turn the other cheek."

PS: Here is the clip in context:

And here is Reddicliffe's transmogrification:

Posted by Frank Pasquale at 10:50 AM | Comments (4) | TrackBack

The Privacy Paradox

Over at the New York Times's Bits blog, Brad Stone writes:

Researchers call this the privacy paradox: normally sane people have inconsistent and contradictory impulses and opinions when it comes to their safeguarding their own private information.

Now some new research is beginning to document and quantify the privacy paradox. In a talk presented at the Security and Human Behavior Workshop here in Boston this week, Carnegie Mellon behavioral economist George Loewenstein previewed a soon-to-be-published research study he conducted with two colleagues.

Their findings: Our privacy principles are wobbly. We are more or less likely to open up depending on who is asking, how they ask and in what context.

In one interesting experiment, students who were provided strong promises of confidentiality were less forthcoming about personal details than students who weren't provided such promises. The researchers explained this behavior as based on the fact that when an issue is raised in people's minds, they think about it more and are likely to be more concerned about it. Ironically, promising people that their privacy will be protected actually makes them think more about the dangers of their privacy being breached.

There is indeed a growing body of research that examines why people frequently state in polls that they value privacy highly yet in practice trade their privacy away for trinkets or minor increases in convenience. The work of Professor Alessandro Acquisti explores some of the reasons why people might not make rational decisions regarding privacy despite their desire to protect it.

I have also written about this in my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). In particular, I argue that looking at expectations of privacy is the wrong approach toward understanding privacy:

If a more empirical approach to determining reasonable expectations of privacy were employed, how should the analysis be carried out? Reasonable expectations could be established by taking a poll. But there are several difficulties with such an approach. First, should the poll be local or national or worldwide? Different communities will likely differ in their expectations of privacy. Second, people’s stated preferences often differ from their actions. Economists Alessandro Acquisti and Jens Grossklags observe that “recent surveys, anecdotal evidence, and experiments have highlighted an apparent dichotomy between privacy attitudes and actual behavior. . . . [I]ndividuals are willing to trade privacy for convenience or to bargain the release of personal information in exchange for relatively small rewards.” This disjunction leads Strahilevitz to argue that what people say means less than what they do. “Behavioral data,” he contends, “is thus preferable to survey data in privacy.”

But care must be used in interpreting behavior because several factors can affect people’s decisions about privacy. Acquisti and Grossklags point to the problem of information asymmetries, when people lack adequate knowledge of how their personal information will be used, and bounded rationality, when people have difficulty applying what they know to complex situations. Some privacy problems shape behavior. People often surrender personal data to companies because they perceive that they do not have much choice. They might also do so because they lack knowledge about the potential future uses of the information. Part of the privacy problem in these cases involves people’s limited bargaining power respecting privacy and inability to assess the privacy risks. Thus looking at people’s behavior might present a skewed picture of societal expectations of privacy.

Posted by Daniel J. Solove at 01:04 PM | Comments (5) | TrackBack

Futurology and Academia

Futurology is often derided as a pastime of trendspotters and luftmenschen. But the recent European Patent Office "Scenarios for the Future" report rehabilitated the genre a bit. I've mentioned before that an IP prof has to be a bit of a prognosticator; I'm happy to see Carlin Romano developing the theme (far more eloquently than I could) in this recent review of the Future of Reputation and The Future of the Internet:

Both . . . books, excellent and ultimately upbeat in their separate but related missions, will increase our literacy in their complex yet still intelligible fields. . . ."The best way to predict the future”, the US computer scientist Alan Kay remarked in 1971, “is to invent it.” Pre-emptive description, however, ranks second best. The chief identifying criterion of the future is that it continuously steps back from us, making nothing about it, strictly speaking, true or false.

Both Zittrain and Solove exhibit a common trait of technologically oriented futurists: they tend to assume current values and a wish to preserve them in the face of fresh logistical forces. [Yet] Solove’s examples, such as Jennifer Ringley, the twenty-year-old student who opened her whole life to regular webcam monitoring in 1996 and didn’t shut down until 2004, remind us of truths more explored by Frankfurt School philosophers than American futurists – that technology also changes our values, or at least adjusts them. The iPod, for instance, pressures us to tolerate forms of distraction formerly considered rude, such as the teenager who makes her purchase without removing her earphones.

Both Solove and Zittrain deserve Kierkegaard’s accolade, that to occupy oneself with the future is “an indication of man’s nobility”. Like many “cyberphilosophers”, they are discovering the future in the present with less wonted gloom and doom – and more incisive solutions – than many traditional literary and humanistic pronouncers on the subject.

As someone who has written on the ways new technology can shape values (and believes in the continuing relevance of the Frankfurt School)--I greatly appreciated Romano's sharp review of these two important books.

Posted by Frank Pasquale at 12:58 PM | Comments (1) | TrackBack

Do We Need an Internet Ed. Class?

While I was attending the excellent privacy conference Dan Solove and Chris Hoofnagle organized in D.C. a few days ago, it occurred to me that just as one takes driver’s ed. before being able to drive a car, it might make sense to have a required Internet Education class in middle school. Driving is a key way people engage in the economy, and the Internet, especially email and social networking use, is becoming as essential if not more so. Given all the benefits and problems of the Internet from meeting new people and peer production to unfortunate gossiping and dog poop events, it dawned on me that Internet Ed. might fill a gap that appeared as I listened to various people at the conference.

During the two days, several discussions seemed to turn to the way information placed online can offer tremendous benefits but also pose harms. That idea is not so new. But an underlying theme was that this tension is greater than before. Given the increased reputation problems of the Internet, some folks talked of a more paternal approach to reminding people about privacy (or lack of it) on work computers. The problems of PGP and complex privacy policies as opposed to easy-to-read ones as opposed to heavy opt-in ones and how people perceive the differences posed several paradoxes. In other talks people expressed concerns about cutting off the openness that has made the Internet what it is today. Many questioned just how informed people are about privacy and even if informed how much they care. These ideas should be familiar to those interested in privacy, but so many people sharing ideas about an evolving area of the law and truly seeking to find ways to solve problems made the conference invigorating.

For example, Lauren Gelman is working on how online presence operates under a binary system of public or private yet many think of their online presence as limited essentially to those in one’s circle but with a few new people possibly joining the circle. To me it seems that in some cases people might know that anyone could look at one’s pictures, blogs, MySpace pages etc. In others, some might know that but just not expect that outsiders would look. And some may be quite unaware of the way little things can catch fire and draw attention to what had been a small, personal moment. And then it hit me, why not have Internet Ed.?

Internet Ed. at an early stage might address the possible generation gap in understanding what is privacy and how the Internet works. Like driving, using the Internet can open up tremendous possibilities for fun and for work. Like driving, irresponsible or uninformed Internet use can lead to undesired consequences. Like driving, horror stories of how a picture from a drunken party ruined someone’s job prospects may not deter irresponsible Internet behaviors across the board. Still, by setting out the way in which irresponsible or immature behaviors such as sharing too much information about one’s personal life, not checking about how a site uses personal financial information, and childish rants can affect one’s life, people would have some sense of the possible repercussions of their acts. None of this idea is to suggest that people won’t continue to rant etc. regardless of age. And none of this idea is to suggest that people should act the same way at all times under some sort of enforced code of conduct (although the idea behind sites that choose to establish rules and use their community norms to shape the rules seems well in line with some of the benefits of the Internet). Rather, as a friend noted, the Internet may be similar to tattoos and piercings. In the near future many more will have them and so it will not be as big a deal. Still, in some areas of life such as politics and upper management, one may have to explain that largish hole in one’s ear or the tongue sneaking out of one’s collar towards one’s jaw. So Internet Ed. may help bring home the idea that certain acts may seem great and even be great at the time but others, and even the person who liked the act at the time, may see those moments differently later in life.

Image Source: WikiCommons
Author: strngwrldfrwl
License: Creative Commons Attribution ShareAlike 2.0 License.

Cross-posted at Madisonian

Posted by Deven Desai at 10:13 AM | Comments (4) | TrackBack

The New TSA Identification Requirement

The TSA, in its never-ending quest to inconvenience us without keeping us safe, has once again changed its rules on identification. According to the old rule, if you didn't provide ID at the airport, you would be subjected to secondary screening. Now, you may be denied the right to fly entirely. According to the TSA:

Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.

This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures.

What this rule basically seems to be doing is trying to prevent people who have a conscientious objection to presenting ID from being able to fly. For example, John Gilmore refused to present his ID and challenged the TSA identification requirement in federal court. He lost in the 9th Circuit, which held that he could have undergone secondary screening or walked away -- he wasn't forced to present his ID.

I'm one who routinely presents my ID to the TSA officials at the airport. I think that the ID requirement is stupid, but I just want to get to my plane and not be hassled. But others, for reasons of conscience or protest, do not want to present their ID at the airport. This new TSA rule strikes me as problematic from a First Amendment standpoint, since it seems to be designed to target those who don't present ID for expressive reasons. As such, this new TSA requirement might be a form of viewpoint discrimination.

Although the First Amendment doesn't restrict the TSA from requiring IDs in order to board an airplane, it does restrict using the ID requirement to penalize people who engage in expressive conduct. Because the TSA requirement seems to be targeted to this kind of expressive conduct (hence the exception for lost or stolen IDs), it may run afoul of the First Amendment.

I haven't fully analyzed this argument, so I'm just throwing it out there. Do you think that there is a First Amendment problem with the new TSA rule?

Hat tip: Bruce Schneier, who writes: "I don't think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control." Indeed, this rule will allow TSA officials who don't like you to have even greater power. If you lose your ID, you better hope that the TSA officials believe you, take pity on you, and otherwise think you're being cooperative. It's entirely up to them!

Posted by Daniel J. Solove at 12:04 AM | Comments (32) | TrackBack

Information Privacy Law Journal at SSRN

I'm pleased to announce that Christopher Hoofnagle (Berkeley Center for Law & Technology) and I have launched a new journal at SSRN -- Information Privacy Law. If you submit new papers and abstracts to SSRN and they involve information privacy law issues, please select our journal as one of the classifications for your work.

You can subscribe to the journal by clicking the link at the top of the journal's page that says "subscribe to this journal" or by clicking here. This will enable you to receive periodic emails about new abstracts and papers filed in the journal.

We created the journal because there is an increasing amount of scholarship devoted to privacy law issues. In the month of May alone, we had 22 abstracts and papers filed in the journal. A lot of really interesting work is being done in the field, and we hope that the journal will enable people to more readily keep up with it.

Posted by Daniel J. Solove at 10:12 AM | Comments (1) | TrackBack

Wired Coverage of Computers, Freedom, and Privacy Conference

I've been at the Computers, Freedom, and Privacy conference this week--there were many interesting panels which I hope to blog about soon. Wired has some good coverage of it, including this commentary on a panel I organized:

[P]rofessor Samir Chopra [asked] "Suppose Google was subject to a law which required all persons to report knowledge of a crime to the authorities. . . . Could Google be sued for breach of statutory duty if AdSense knew about people using drugs?"

While that's still hypothetical, other panelists emphasized that computer systems are already acting as agents in our world, making decisions about whether someone is a known terrorist, a likely threat at the border or a deadbeat parent late on child support. Or put another way, software is already policy. [As] panelist Danielle Citron, a University of Maryland law professor put it: "Where agencies used to use computers to store data to help agencies make decisions, now computers make decisions."

On the comments to Ryan Singel's post, Chopra notes:

[Our] comfort with Adsense, and our intuitions about it, would be shaken very quickly if the interface for Gmail was slightly different (with no change in functionality). Right now, the ads just show up unobtrusively. What if the interface was modified so that a little figure would pop up as you reading your email, and say "Hey, I see you are writing about Australia. Would you like me to show you ads for cheap flights to Australia?". I suggest that people's sense of there being nothing untoward would be shaken and yet, this would have happened with no difference in the underlying functionality.

Our "reasonable expectations of privacy" may be quite deeply affected by seemingly superficial design decisions.

Other conference highlights included:

1. Paul Ohm on potential lawbreaking by ISPs:

University of Colorado law professor Paul Ohm, a former federal computer crimes prosecutor, argues that ISPs such as Comcast, AT&T and Charter Communications that are or are contemplating ways to thro