Tech Might Set You Free: How GPS May Have Foiled a Radar Gun

A teen has fun and races around town. The local constabulary catches the miscreant and today has him dead to rights. The officer has a radar gun which shows the youth was traveling at 62 MPH in a 45 zone. The teen will learn to obey the law. Or it may happen that the alleged offender’s parents have placed a GPS tracking device on their child’s car. That device shows not only where the car was but what speed it was going. An expert for the state has a report stating the GPS is inaccurate but changes testimony on the stand and says the “device was ‘very’ accurate, to within a couple of meters on location and to within 1 mph on speed. Dr. Heppe also pointed out that the GPS device released instantaneous data, and not data averaged over a distance.” (quoted from this article which quotes the GPS device maker’s press release).

I don’t know how accurate these reports are. But if true, the facts are fun. As the article notes, there are some curious issues here. First, the teen may not have known about the device. Second, the privacy folks who worry about tracking have reason to check this one. If the devices are that accurate, would an insurance company require it or offer lower rates for those who agree to be tracked? (I think I read that a form of this practice has begun somewhere but if anyone has more concrete information please share). Should the state require these devices? I remember the seventies gas crunch and 55 MPH laws. We may see (though I doubt the political will is there) similar acts today. Would that national issue support a general enforcement of this nature?

In general this one may be another step towards perfect enforcement. Zittrain talks about this in his book the Future of the Internet.

As a country that sees itself as founded on liberty, perfect enforcement poses real problems. Some may offer a nothing to hide type of retort. In a way these small steps to prefect enforcement remind me of the world where we in the United States could say oh look at the Soviets. They need papers to go anywhere and look over their shoulders at all times. Now, however, we may be ones with the papers (or digital tags) and looking over our shoulders. EPIC and Privacy International have a study comparing surveillance societies but if I remember correctly several comments had some good questions about how it was done. (Has anyone found a better comparison study? Please share if you have.)

Here’s a possible problem with saying just obey the law (although if you stray, we will get you no matter what): it misses a deeper question about the possibility of transgression. One may need to have the option of breaking the law to be free to follow it. Then again one may have to return to Czechoslovakia to be free.

Posted by Deven Desai at 01:59 PM | Comments (0) | TrackBack

Expunged? What Happens When A Blogger Decides To Remove Posts?

Followers of Boing Boing and Web flaps may know about a decision by one of BB’s writers, Xeni Jardin. Apparently, Ms. Jardin had previously posted material about Violet Blue’s (another blogger/Web writer/journalist) work. Then, at some point, Ms. Jardin decided that she did not wish to have that material on BB anymore. So she removed the posts (by the way the removal occurred more than a year ago but has only recently gained attention). And there is the issue. According to the New York Times, BB readers were most upset. Some saw the act as hypocritical. Ms. Blue found the practice “horrifying.” The practice has been given the name “unpublished” as in “being unpublished.” (This term is a misnomer as is discussed later.)

Possibly the most important factor is that BB patrons saw the act as breaking an unspoken understanding and failing to communicate with them. Some including Ms. Blue argue that the practice violates some norms of the Web. Maybe it does. But that alleged norm is probably not so real. And it seems difficult to really claim that one wants BB or others to detail every move or thought they make. Still the sense of outrage is more than palpable. For the law folks, the event raises questions about norms and perhaps who owns the posts.

As the article notes and Dan’s book details, in many cases one may want sites to take down posts that one does not like. Here the person liked the posts. So she feels “horrified.” To BB’s credit they are reflecting on how best to address its readers’ concerns. In the past BB has found creative solutions to deal with comments by having a moderator remove vowels from nasty posts (this idea reminds of Yossarian deleting harmless words from letters as a censor in Joseph Heller’s Catch-22; BB’s practice is not censorship of the same type but it is a way of indicating displeasure at the manners of post while letting it through in some form).

NOW many will see all of this speech limiting and so on. Again maybe so. But is BB a “publication of record?” Even if it is, does it have to make its archives available as they were? It seems that BB’s ardent fans have a view of what BB is. And once one launches anything be it a book, a Web site, a film, and so on, it has its own life. Controlling it becomes more difficult as more people choose to engage with it. This phenomenon is what seems to have caught BB off guard. Yet, with a blog control is possible. One can set forth rules and tell folks “Here is my world. Here are the basics of how to be in my world. You are welcome but I may ask you to leave and you are not required to stay here.” After reflecting on their readers’ points BB has stated:

So the [current] de facto, undiscussed, presumptive policy, which we recently just declared as part of this whole dust-up, was: Every individual has the right to do whatever they want to do. They can post anything they want, about anything they want, whenever they want without asking permission, and if they want to change those posts or take them down, they can do that too.

BB could at some point choose to keep everything up forever. I am not sure that is a wise or necessary policy. Again the courtesy of removal seems to go away with that policy. And it misses a key point about the blog posts. Ms. Jardin wrote them, not Ms. Blue.

As Ms. Jardin and her colleagues note, BB writers operate independently. They cover what they like, post what they wish, and manage their posts separately for the most part. Put differently if the posts belong to anyone, they belong to her. My paper Property, Persona, and Preservation goes into some detail about individual claims for online writings and the possible benefits of such an approach. But in short, Ms. Jardin is the author. Ms. Blue may like the posts and want to have them up when they are flattering but what if Ms. Jardin decided to write unflattering posts? Perhaps the object of the posts would want them removed. (It seems Ms. Jardin did make choice not to go into detail in part because “[A]t the time I just wanted to take this material down for a host of reasons that I don’t want to talk about in public because I don’t think it would do this person any good.”)

To be fair, Ms. Blue and others in her position, have a sense that these posts are not only about them but in a way part of them. People want to point to articles that praise them. In the past they would clip and copy the articles to send out later. Today, we are used to having the easy, instant access to the articles or posts and when they vanish, we are upset. It may even feel like the legendary Harvard act of expunging a student’s existence at the school; you were never here, it never happened.

Nonetheless, as far as Ms. Jardin’s posts are concerned, no one is unpublishing the person discussed in the post. Ms. Jardin is unpublishing Ms. Jardin’s posts. That seems to be a simple, clear power she should have at her discretion. And I do mean discretion. For now BB seems to have decided that the community they have built will work better or must understand that the authors can update and/or remove posts as they wish. So be it. If, however, they think a different policy works for their site, well amen too.

-Deven

PS I don’t know whether Harvard really does this but two links mention it here and here
so it seems to be a handy urban legend that may have some level truth behind it.

PPS Now there are possible circumstances when a site might not be able to say this is our sandbox but I leave that idea to another time and/or Frank who will likely get into the issue.

Image Source: WikiCommons
License: GNU Free Documentation license, Version 1.2 or any later version
Author: Hariadhi

Posted by Deven Desai at 01:26 PM | Comments (10) | TrackBack

The New Foreign Intelligence Surveillance Act

I have been following the new FISA Amendments Act of 2008, but I have refrained from chiming in, as many others have been doing terrific blogging on the issue. Of particular note:

* David Kris, A Guide to the New FISA Bill (I, II, III)
* Wes Alwan, Understanding Recent Changes to FISA — A Visual Guide (Flowchart)
* Orin Kerr, The New FISA Law and the Misleading Media Coverage of It
* Marty Lederman, The Privacy-Protective Components of the New FISA Law
* Jack Balkin, The New FISA Law and the Construction of the National Surveillance State

I've been particularly dismayed at the Democrats' strategy in dealing with the FISA Amendments. Why bother to try to negotiate a FISA compromise with a presidential administration that has shown nothing but contempt for the law to begin with? The Bush Administration, instead of going to Congress and requesting a change in the FISA, went ahead and blatantly violated that law. And the Administration said it would continue to violate the law, so what's the pressing need to fix the FISA, especially when negotiating with an Administration that only will meet you about 2% of the way? Why force Obama to make a difficult choice about voting on the law, risking either looking weak on security or like a sell-out? Why not wait a few months and then pass a law with a new administration, one that will hopefully be easier to negotiate with? And how is this law any more binding on a president who says he has the right to violate a law based on his Article II powers?

Future presidents can learn a lot from all this -- do exactly what the Bush Administration did! If the law holds you back, don't first go to Congress and try to work something out. Secretly violate that law, and then when you get caught, staunchly demand that Congress change the law to your liking and then immunize any company that might have illegally cooperated with you. That's the lesson. You spit in Congress's face, and they'll give you what you want.

The past eight years have witnessed a dramatic expansion of Executive Branch power, with a rather anemic push-back from the Legislative and Judicial Branches. We have extensive surveillance on a mass scale by agencies with hardly any public scrutiny, operating mostly in secret, with very limited judicial oversight, and also with very minimal legislative oversight. Most citizens know little about what is going on, and it will be difficult for them to find out, since everything is kept so secret. Secrecy and accountability rarely go well together. The telecomm lawsuits were at least one way that citizens could demand some information and accountability, but now that avenue appears to be shut down significantly with the retroactive immunity grant. There appear to be fewer ways for the individual citizen or citizen advocacy groups to ensure accountability of the government in the context of national security.

That's the direction we're heading in -- more surveillance, more systemic government monitoring and data mining, and minimal oversight and accountability -- with most of the oversight being very general, not particularly rigorous, and nearly always secret -- and with the public being almost completely shut out of the process. But don't worry, you shouldn't get too upset about all this. You probably won't know much about it. They'll keep the dirty details from you, because what you don't know can't hurt you.

Posted by Daniel J. Solove at 08:31 PM | Comments (13) | TrackBack

Justice Breyer's Information Available on Limewire

It does not take much to have a security breach. Just one person can facilitate it. In this case, someone at a high-end investment firm installed LimeWire at the office. According to AP the breach began at the end of last year and continued to June of this year. Breyer’s birthday and Social Security number were part of the breach. Apparently around 2,000 other clients have also had their data shared on LimeWire.

Again the fact of data leaks or breaches is not so new. But given the high profile of the people involved in this one, there may be a movement to have laws passed about the problem. Remember video rentals matter because of Robert Bork’s encounter with data privacy issues during his nomination for the Supreme Court. This data problem is different from Bork’s. So a legislative response may come but it will likely address the issue of identity theft. On the other hand, if senators, representatives, and White House staffers found that even their legal but perhaps interesting surfing habits were part of public knowledge and gossip, maybe the data collection and Internet monitoring that some think is necessary will be seen a threat. One paper that may be of interest on this idea is Neil Richards’s Intellectual Privacy.

Posted by Deven Desai at 01:01 PM | Comments (0) | TrackBack

Defamation by PhotoShop?

At 25, you have the face heredity gave you; at 50, you have the face you deserve; and at Fox News, your features depend on whether you're a friend or enemy of the network. Or at least that's how Jacques Steinberg and Edward Reddicliffe must feel after Fox aired doctored photos of them on its news show.

Note that the normal photo was not shown on Fox News; the distorted image was presented as the face of Steinberg. (I've embedded the full clip below the fold.)

Can such a distorted depiction give rise to a defamation action? Obviously if the picture were a cartoon, and/or the program a satire or non-news program, creative license lets just about anything go (though some particularly egregious images have sparked resistance). But does a news program have a special obligation to "objectively" present images? And, returning to defamation, is it possible to argue a) that the distorted image is a "lie" about the person it depicts and b) that ugliness (that which distortion seeks to convey) is actionable as something damaging to the person whose image is distorted?

a) As for the idea of "lie" here, consider these arguments about the infamous "darkened OJ Simpson" image on the cover of Time Magazine:

The image on Time was digitally manipulated, making OJ darker and heavily shadowed (in juxtaposition to Newsweek['s image]). . . . Although Time claimed it was a “photo illustration” that served to “show the tragic downfall of an American football hero,” other folks disagreed. Time was charged with: (1) perpetuating the stereotype of “violent” black men; (2) suggesting OJ was guilty; (3) applying digital manipulations to a “news” photo–apparently a real no-no in journalism . . . [But Cara A.] Finnegan . . . challenges those who think the image serves as a “visual argument,” which she defines as a “set of premises, identifiable in the image, leading to a conclusion which is itself present in the image” (236).

Compare the idea that "OJ is guilty" to "Steinberg is ugly." What does the puff-chinned, big-eared, grotesque-nosed Steinberg image "argue" here? Glenn Greenwald might assimilate it to what he calls "the dominant media theme for the last two decades in our political discourse:"

What matters is that Democrats and liberals are weak, effete, elitist, nerdy, military-hating, gender-confused losers . . .and who merit sneering mockery and derision. Republican right-wing male leaders are salt-of-the-earth, wholesome, likable tough guys -- courageous warriors and normal family men who merit personal admiration and affection. . . . [In our] press corps, fantasy easily trumps reality. And our media stars thus . . . cackle in derision at the Democratic weaklings and losers.

Greenwald's analysis, backed up at length in his latest book, articulates a possible "message" in the Fox News photoshopping. But is it really communication, or manipulation? And if the latter, does it not fit more under the rubric of "subliminal advertising" than defamation?

b) Another challenge to a defamation suit might be whether the image is genuinely harmful to the person's reputation. The closer one looks at it, the more obvious it becomes that the proportions of the face are impossible. But note that the clip was shown very briefly in its original context, leaving no time to scrutinize it.

What about "ugliness" is "damaging"? Enlightened individuals judge others on the basis of the content of their character, not their looks; but in this respect America may be becoming less enlightened every day. Here some perplexities raised in recent cases about allegations of homosexuality may be relevant. The question is whether, in an increasingly tolerant society, being alleged to be homosexual is still libelous. Two recent cases come out in diametric opposition:

Klepetko v. Reisman, 41 A.D.3d 551 (N.Y. App. Div. 2007) ("The false imputation of homosexuality is "reasonably susceptible of a defamatory connotation" )

Greenly v. Sara Lee Corp., 2008 WL 1925230 (E.D. Cal. 2008) ("[c]ontinuing to characterize the identification of someone as a homosexual [to be] defamation per se [demeans the lives of homosexual persons]".)

To continue the analogy: just as sodomy laws were only repealed gradually, only in the early 1970s were certain "ugly laws" repealed. One such law ordered that "'No person who is diseased, maimed, mutilated or in any way deformed so as to be an unsightly or disgusting object or improper person [is] to be allowed in or on the public ways or other public places in this city . . . under a penalty of not less than one dollar nor more than fifty dollars for each offense."

In conclusion; I imagine that a defamation case would be a tough one for either Reddicliffe or Steinberg, but admittedly I have not researched "defamation by distorted image." Edward Tufte has documented the damage that "fudged photos" can do to science, but it's not clear that much can be done about them in the political public sphere.

So what's to stop the unflattering depiction, already a mainstay of negative political ads, to gradually morph into the photoshopped truthiness Fox has pioneered? Perhaps the only answer is to fight fire with fire; Olbermann might air the work, say, of Kenneth Tin-Kin Hung . . . :

(Hung, still from Because Washington is Hollywood for Ugly People)

One thing is clear: if one side in politics adopts the tactic with impunity, the other side has clearly not read its Schmitt and Niebuhr if it decides merely to "turn the other cheek."

PS: Here is the clip in context:

And here is Reddicliffe's transmogrification:

Posted by Frank Pasquale at 10:50 AM | Comments (4) | TrackBack

The Privacy Paradox

Over at the New York Times's Bits blog, Brad Stone writes:

Researchers call this the privacy paradox: normally sane people have inconsistent and contradictory impulses and opinions when it comes to their safeguarding their own private information.

Now some new research is beginning to document and quantify the privacy paradox. In a talk presented at the Security and Human Behavior Workshop here in Boston this week, Carnegie Mellon behavioral economist George Loewenstein previewed a soon-to-be-published research study he conducted with two colleagues.

Their findings: Our privacy principles are wobbly. We are more or less likely to open up depending on who is asking, how they ask and in what context.

In one interesting experiment, students who were provided strong promises of confidentiality were less forthcoming about personal details than students who weren't provided such promises. The researchers explained this behavior as based on the fact that when an issue is raised in people's minds, they think about it more and are likely to be more concerned about it. Ironically, promising people that their privacy will be protected actually makes them think more about the dangers of their privacy being breached.

There is indeed a growing body of research that examines why people frequently state in polls that they value privacy highly yet in practice trade their privacy away for trinkets or minor increases in convenience. The work of Professor Alessandro Acquisti explores some of the reasons why people might not make rational decisions regarding privacy despite their desire to protect it.

I have also written about this in my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). In particular, I argue that looking at expectations of privacy is the wrong approach toward understanding privacy:

If a more empirical approach to determining reasonable expectations of privacy were employed, how should the analysis be carried out? Reasonable expectations could be established by taking a poll. But there are several difficulties with such an approach. First, should the poll be local or national or worldwide? Different communities will likely differ in their expectations of privacy. Second, people’s stated preferences often differ from their actions. Economists Alessandro Acquisti and Jens Grossklags observe that “recent surveys, anecdotal evidence, and experiments have highlighted an apparent dichotomy between privacy attitudes and actual behavior. . . . [I]ndividuals are willing to trade privacy for convenience or to bargain the release of personal information in exchange for relatively small rewards.” This disjunction leads Strahilevitz to argue that what people say means less than what they do. “Behavioral data,” he contends, “is thus preferable to survey data in privacy.”

But care must be used in interpreting behavior because several factors can affect people’s decisions about privacy. Acquisti and Grossklags point to the problem of information asymmetries, when people lack adequate knowledge of how their personal information will be used, and bounded rationality, when people have difficulty applying what they know to complex situations. Some privacy problems shape behavior. People often surrender personal data to companies because they perceive that they do not have much choice. They might also do so because they lack knowledge about the potential future uses of the information. Part of the privacy problem in these cases involves people’s limited bargaining power respecting privacy and inability to assess the privacy risks. Thus looking at people’s behavior might present a skewed picture of societal expectations of privacy.

Posted by Daniel J. Solove at 01:04 PM | Comments (5) | TrackBack

Futurology and Academia

Futurology is often derided as a pastime of trendspotters and luftmenschen. But the recent European Patent Office "Scenarios for the Future" report rehabilitated the genre a bit. I've mentioned before that an IP prof has to be a bit of a prognosticator; I'm happy to see Carlin Romano developing the theme (far more eloquently than I could) in this recent review of the Future of Reputation and The Future of the Internet:

Both . . . books, excellent and ultimately upbeat in their separate but related missions, will increase our literacy in their complex yet still intelligible fields. . . ."The best way to predict the future”, the US computer scientist Alan Kay remarked in 1971, “is to invent it.” Pre-emptive description, however, ranks second best. The chief identifying criterion of the future is that it continuously steps back from us, making nothing about it, strictly speaking, true or false.

Both Zittrain and Solove exhibit a common trait of technologically oriented futurists: they tend to assume current values and a wish to preserve them in the face of fresh logistical forces. [Yet] Solove’s examples, such as Jennifer Ringley, the twenty-year-old student who opened her whole life to regular webcam monitoring in 1996 and didn’t shut down until 2004, remind us of truths more explored by Frankfurt School philosophers than American futurists – that technology also changes our values, or at least adjusts them. The iPod, for instance, pressures us to tolerate forms of distraction formerly considered rude, such as the teenager who makes her purchase without removing her earphones.

Both Solove and Zittrain deserve Kierkegaard’s accolade, that to occupy oneself with the future is “an indication of man’s nobility”. Like many “cyberphilosophers”, they are discovering the future in the present with less wonted gloom and doom – and more incisive solutions – than many traditional literary and humanistic pronouncers on the subject.

As someone who has written on the ways new technology can shape values (and believes in the continuing relevance of the Frankfurt School)--I greatly appreciated Romano's sharp review of these two important books.

Posted by Frank Pasquale at 12:58 PM | Comments (1) | TrackBack

Do We Need an Internet Ed. Class?

While I was attending the excellent privacy conference Dan Solove and Chris Hoofnagle organized in D.C. a few days ago, it occurred to me that just as one takes driver’s ed. before being able to drive a car, it might make sense to have a required Internet Education class in middle school. Driving is a key way people engage in the economy, and the Internet, especially email and social networking use, is becoming as essential if not more so. Given all the benefits and problems of the Internet from meeting new people and peer production to unfortunate gossiping and dog poop events, it dawned on me that Internet Ed. might fill a gap that appeared as I listened to various people at the conference.

During the two days, several discussions seemed to turn to the way information placed online can offer tremendous benefits but also pose harms. That idea is not so new. But an underlying theme was that this tension is greater than before. Given the increased reputation problems of the Internet, some folks talked of a more paternal approach to reminding people about privacy (or lack of it) on work computers. The problems of PGP and complex privacy policies as opposed to easy-to-read ones as opposed to heavy opt-in ones and how people perceive the differences posed several paradoxes. In other talks people expressed concerns about cutting off the openness that has made the Internet what it is today. Many questioned just how informed people are about privacy and even if informed how much they care. These ideas should be familiar to those interested in privacy, but so many people sharing ideas about an evolving area of the law and truly seeking to find ways to solve problems made the conference invigorating.

For example, Lauren Gelman is working on how online presence operates under a binary system of public or private yet many think of their online presence as limited essentially to those in one’s circle but with a few new people possibly joining the circle. To me it seems that in some cases people might know that anyone could look at one’s pictures, blogs, MySpace pages etc. In others, some might know that but just not expect that outsiders would look. And some may be quite unaware of the way little things can catch fire and draw attention to what had been a small, personal moment. And then it hit me, why not have Internet Ed.?

Internet Ed. at an early stage might address the possible generation gap in understanding what is privacy and how the Internet works. Like driving, using the Internet can open up tremendous possibilities for fun and for work. Like driving, irresponsible or uninformed Internet use can lead to undesired consequences. Like driving, horror stories of how a picture from a drunken party ruined someone’s job prospects may not deter irresponsible Internet behaviors across the board. Still, by setting out the way in which irresponsible or immature behaviors such as sharing too much information about one’s personal life, not checking about how a site uses personal financial information, and childish rants can affect one’s life, people would have some sense of the possible repercussions of their acts. None of this idea is to suggest that people won’t continue to rant etc. regardless of age. And none of this idea is to suggest that people should act the same way at all times under some sort of enforced code of conduct (although the idea behind sites that choose to establish rules and use their community norms to shape the rules seems well in line with some of the benefits of the Internet). Rather, as a friend noted, the Internet may be similar to tattoos and piercings. In the near future many more will have them and so it will not be as big a deal. Still, in some areas of life such as politics and upper management, one may have to explain that largish hole in one’s ear or the tongue sneaking out of one’s collar towards one’s jaw. So Internet Ed. may help bring home the idea that certain acts may seem great and even be great at the time but others, and even the person who liked the act at the time, may see those moments differently later in life.

Image Source: WikiCommons
Author: strngwrldfrwl
License: Creative Commons Attribution ShareAlike 2.0 License.

Cross-posted at Madisonian

Posted by Deven Desai at 10:13 AM | Comments (4) | TrackBack

The New TSA Identification Requirement

The TSA, in its never-ending quest to inconvenience us without keeping us safe, has once again changed its rules on identification. According to the old rule, if you didn't provide ID at the airport, you would be subjected to secondary screening. Now, you may be denied the right to fly entirely. According to the TSA:

Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity.

This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures.

What this rule basically seems to be doing is trying to prevent people who have a conscientious objection to presenting ID from being able to fly. For example, John Gilmore refused to present his ID and challenged the TSA identification requirement in federal court. He lost in the 9th Circuit, which held that he could have undergone secondary screening or walked away -- he wasn't forced to present his ID.

I'm one who routinely presents my ID to the TSA officials at the airport. I think that the ID requirement is stupid, but I just want to get to my plane and not be hassled. But others, for reasons of conscience or protest, do not want to present their ID at the airport. This new TSA rule strikes me as problematic from a First Amendment standpoint, since it seems to be designed to target those who don't present ID for expressive reasons. As such, this new TSA requirement might be a form of viewpoint discrimination.

Although the First Amendment doesn't restrict the TSA from requiring IDs in order to board an airplane, it does restrict using the ID requirement to penalize people who engage in expressive conduct. Because the TSA requirement seems to be targeted to this kind of expressive conduct (hence the exception for lost or stolen IDs), it may run afoul of the First Amendment.

I haven't fully analyzed this argument, so I'm just throwing it out there. Do you think that there is a First Amendment problem with the new TSA rule?

Hat tip: Bruce Schneier, who writes: "I don't think any further proof is needed that the ID requirement has nothing to do with security, and everything to do with control." Indeed, this rule will allow TSA officials who don't like you to have even greater power. If you lose your ID, you better hope that the TSA officials believe you, take pity on you, and otherwise think you're being cooperative. It's entirely up to them!

Posted by Daniel J. Solove at 12:04 AM | Comments (32) | TrackBack

Information Privacy Law Journal at SSRN

I'm pleased to announce that Christopher Hoofnagle (Berkeley Center for Law & Technology) and I have launched a new journal at SSRN -- Information Privacy Law. If you submit new papers and abstracts to SSRN and they involve information privacy law issues, please select our journal as one of the classifications for your work.

You can subscribe to the journal by clicking the link at the top of the journal's page that says "subscribe to this journal" or by clicking here. This will enable you to receive periodic emails about new abstracts and papers filed in the journal.

We created the journal because there is an increasing amount of scholarship devoted to privacy law issues. In the month of May alone, we had 22 abstracts and papers filed in the journal. A lot of really interesting work is being done in the field, and we hope that the journal will enable people to more readily keep up with it.

Posted by Daniel J. Solove at 10:12 AM | Comments (1) | TrackBack

Wired Coverage of Computers, Freedom, and Privacy Conference

I've been at the Computers, Freedom, and Privacy conference this week--there were many interesting panels which I hope to blog about soon. Wired has some good coverage of it, including this commentary on a panel I organized:

[P]rofessor Samir Chopra [asked] "Suppose Google was subject to a law which required all persons to report knowledge of a crime to the authorities. . . . Could Google be sued for breach of statutory duty if AdSense knew about people using drugs?"

While that's still hypothetical, other panelists emphasized that computer systems are already acting as agents in our world, making decisions about whether someone is a known terrorist, a likely threat at the border or a deadbeat parent late on child support. Or put another way, software is already policy. [As] panelist Danielle Citron, a University of Maryland law professor put it: "Where agencies used to use computers to store data to help agencies make decisions, now computers make decisions."

On the comments to Ryan Singel's post, Chopra notes:

[Our] comfort with Adsense, and our intuitions about it, would be shaken very quickly if the interface for Gmail was slightly different (with no change in functionality). Right now, the ads just show up unobtrusively. What if the interface was modified so that a little figure would pop up as you reading your email, and say "Hey, I see you are writing about Australia. Would you like me to show you ads for cheap flights to Australia?". I suggest that people's sense of there being nothing untoward would be shaken and yet, this would have happened with no difference in the underlying functionality.

Our "reasonable expectations of privacy" may be quite deeply affected by seemingly superficial design decisions.

Other conference highlights included:

1. Paul Ohm on potential lawbreaking by ISPs:

University of Colorado law professor Paul Ohm, a former federal computer crimes prosecutor, argues that ISPs such as Comcast, AT&T and Charter Communications that are or are contemplating ways to throttle bandwidth, police for copyright violations and serve targeted ads by examining their customers' internet packets are putting themselves in criminal and civil jeopardy.

"These ISPs are getting close to the line of illegality and may be violating the law," Ohm told conference goers at the Computers, Freedom and Privacy conference Thursday.

2. McCain campaign not quite as pro-rule-of-law as they'd appeared at the conference:

It's official, John McCain still supports amnesty for telephone and internet companies that helped the Bush Administration target Americans for wiretapping for five years, without getting any court orders.

The confusion resulted from a tech policy discussion in New Haven, Connecticut Wednesday where a surrogate for presumptive Republican presidential nominee John McCain said that as president, McCain would require strict conditions for amnesty. . . . His comments were remarkable, since in February, McCain voted against an amendment that would have stripped from a spying bill amnesty for telecoms that helped with the government's five-year warrantless wiretapping in volation of federal privacy laws. . . .

McCain's online outreach manager Patrick Hynes wrote THREAT LEVEL to say the story "incorrectly represented" McCain's position on freeing telecoms from the civil suits pending against them, saying the campaign regretted any confusion.

Too bad.

Posted by Frank Pasquale at 06:07 PM | Comments (3) | TrackBack

Is the Computer Fraud and Abuse Act Unconstitutionally Vague?

At the National Law Journal, attorney Nick Akerman (Dorsey & Whitney) contends that the Computer Fraud and Abuse Act (CFAA) indictment of Lori Drew (background about the case is here) is an appropriate interpretation of the statute:

While this may be the first prosecution under the CFAA for cyberbullying, the statute neatly fits the facts of this crime. Drew is charged with violating §§ 1030(a)(2)(C), (c)(2)(B)(2) of the CFAA, which make it a felony punishable up to five years imprisonment, if one "intentionally accesses a computer without authorization . . . , and thereby obtains . . . information from any protected computer if the conduct involved an interstate . . . communication" and "the offense was committed in furtherance of any . . . tortious act [in this case intentional infliction of emotional distress] in violation of the . . . laws . . . of any State."

There is no question that the MySpace network is a "protected" computer as that term is defined by the statute. Indeed, "[e]very cell phone and cell tower is a 'computer' under this statute's definition; so is every iPod, every wireless base station in the corner coffee shop, and many another gadget." U.S. v. Mitra, 405 F.3d 492, 495 (8th Cir. 2005). There is also no question that a violation of MySpace's TOS provides a valid predicate for proving that the defendant acted "without authorization." What the commentators ignored in their critique of this indictment is that the "CFAA . . . is primarily a statute imposing limits on access and enhancing control by information providers." EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003). A company "can easily spell out explicitly what is forbidden." Id. at 63. Thus, companies have the right to post what are in effect "No Trespassing" signs that can form the basis for a criminal prosecution.

If this interpretation of the law is correct, then the law is probably unconstitutionally vague. A vague law is one that either fails to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; or authorizes or encourages arbitrary and discriminatory enforcement. The CFAA, as construed by the prosecution in the Drew case, will probably be found vague because it authorizes or encourages arbitrary and discriminatory enforcement.

Suppose I put a notice on this post that says: "No attorneys may post a comment to this blog." Suppose Nick Ackerman comes to this site, sees this post, and and writes a comment that is defamatory. Under his theory, he can be prosecuted for violating the CFAA. He has "trespassed" on this site. Moreover, if a blog has a policy that it will not tolerate "rude, uncivil, or off-topic comments," then commenters who make such comments that are tortious (intentional infliction of emotional distress, public disclosure of private facts, false light, defamation, etc.) can be liable for a CFAA violation. Moreover, any use of a website that goes against whatever terms the operator of that site has set forth that constitutes a negligence tort is also criminal.

The problem here is that the CFAA's applicability would be extremely broad -- so broad that the cases likely to be prosecuted would be arbitrary. Since tort law is common law, and is very flexible, broad, and evolving, people would not have adequate notice about what conduct would be legal and not legal. There's a reason why tort law is different from criminal law -- we are willing to accept a lot more ambiguity and uncertainty in tort law than in criminal law, where the stakes involve potential imprisonment.

Moreover, Nick Akerman only focuses on the CFAA § 1030(c)(2)(B)(2), which makes it a felony to exceed authorized access if the offense was committed in furtherance of any tortious act.

The CFAA § 1020(a)(2)(C) makes it a criminal misdemeanor to "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication." If I'm interpreting this correctly (and I don't purport to be an expert on the CFAA), under the Drew prosecutor's interpretation of the CFAA, any time a person violates a website's terms of service and access any information from the site, there's a criminal violation. That means that if I post on this blog a notice that says: "No attorneys may access any other parts of this blog other than the front page," and an attorney accesses any other page on my blog, then there's a CFAA violation. Could the law possibly be this broad? I think it would require a narrowing interpretation in order to avoid problems of unconstitutional vagueness.

The CFAA strikes me as a very poorly drafted statute. The Drew indictment demonstrates the problems with the law. Either courts should fix the CFAA interpretively by narrowing its scope, or else strike it down as unconstitutionally vague. But what clearly cannot stand is for the law to be interpreted as the Drew prosecutor seeks to interpret it.

Hat tip: Dan Slater at the WSJ Blog

Posted by Daniel J. Solove at 02:29 PM | Comments (14) | TrackBack

My New Book, Understanding Privacy

I am very happy to announce the publication of my new book, UNDERSTANDING PRIVACY (Harvard University Press, May 2008). There has been a longstanding struggle to understand what "privacy" means and why it is valuable. Professor Arthur Miller once wrote that privacy is "exasperatingly vague and evanescent." In this book, I aim to develop a clear and accessible theory of privacy, one that will provide useful guidance for law and policy. From the book jacket:

Privacy is one of the most important concepts of our time, yet it is also one of the most elusive. As rapidly changing technology makes information more and more available, scholars, activists, and policymakers have struggled to define privacy, with many conceding that the task is virtually impossible.

In this concise and lucid book, Daniel J. Solove offers a comprehensive overview of the difficulties involved in discussions of privacy and ultimately provides a provocative resolution. He argues that no single definition can be workable, but rather that there are multiple forms of privacy, related to one another by family resemblances. His theory bridges cultural differences and addresses historical changes in views on privacy. Drawing on a broad array of interdisciplinary sources, Solove sets forth a framework for understanding privacy that provides clear, practical guidance for engaging with relevant issues.

Understanding Privacy will be an essential introduction to long-standing debates and an invaluable resource for crafting laws and policies about surveillance, data mining, identity theft, state involvement in reproductive and marital decisions, and other pressing contemporary matters concerning privacy.

Here's a brief summary of Understanding Privacy. Chapter 1 (available on SSRN) introduces the basic ideas of the book. Chapter 2 builds upon my article Conceptualizing Privacy, 90 Cal. L. Rev. 1087 (2002), surveying and critiquing existing theories of privacy. Chapter 3 contains an extensive discussion (mostly new material) explaining why I chose the approach toward theorizing privacy that I did, and why I rejected many other potential alternatives. It examines how a theory of privacy should account for cultural and historical variation yet avoid being too local in perspective. This chapter also explores why a theory of privacy should avoid being too general or too contextual. I draw significantly from historical examples to illustrate my points. I also discuss why a theory of privacy shouldn't focus on the nature of the information, the individual's preferences, or reasonable expectations of privacy. Chapter 4 consists of new material discussing the value of privacy. Chapter 5 builds on my article, A Taxonomy of Privacy, 154 U. Pa. L.. Rev. 477 (2006). I've updated the taxonomy in the book, and I've added a lot of new material about how my theory of privacy interfaces not only with US law, but with the privacy law of many other countries. Finally, Chapter 6 consists of new material exploring the consequences and applications of my theory and examining the nature of privacy harms.

Understanding Privacy is much broader than The Digital Person and The Future of Reputation. Whereas these other two books examined specific privacy problems, Understanding Privacy is a general theory of privacy, and I hope it will be relevant and useful in a wide range of issues and debates.

For more information about the book, please visit its website.

Posted by Daniel J. Solove at 12:03 AM | Comments (5) | TrackBack

More Misguided Responses to the Megan Meier Incident

Last week brought the unfortunate news that Lori Drew was indicted for a violation of the Computer Fraud and Abuse Act for her ill-conceived hoax on Megan Meier. According to an MSNBC article:

Andrew DeVore, a former federal prosecutor who co-founded a regional computer crime unit in New York, said Friday the interpretation raises constitutional issues related to speech and due process — in the latter case, because it doesn't allow for adequate notice of when using an alias online is criminal.

Because corporations would end up setting criminal standards, a completely legal act at one site could be illegal at another, said DeVore, who has no direct involvement in the case.

Now, the Missouri legislature has just passed a law in response to the incident. According to the bill summary:

Currently, the crime of harassment includes communications meant to frighten or disturb another person. Under this act, communications conducted to knowingly frighten, intimidate, or cause emotional distress to another person are included. Harassment includes communications by any means.

Harassment includes knowingly using unwanted expressions that put the person in reasonable apprehension of offensive physical contact or harm or knowingly making unwanted communications with a person.

A person also commits harassment:

1) By knowingly communicating with another person who is, or who purports to be, seventeen years of age or younger and in so doing, and without good cause, recklessly frightens, intimidates, or causes emotional distress to such other person; or

2) By engaging, without good cause, in any other act with the purpose to frighten, intimidate, or cause emotional distress to another person, cause such person to be frightened, intimidated, or emotionally distressed, and such person's response to the act is one of a person of average sensibilities considering the person's age.

This law is incredibly dumb, and I hope that the governor is wise enough not to sign this uniformed and very poorly crafted piece of legislation. It is yet another misguided response to the Megan Meier incident. As I discussed in my book, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale 2007), we must be careful not to adopt responses to problematic online communication that are too authoritarian and too chilling of free speech.

Under this law, a person could be guilty of a crime for recklessly frightening, intimidating or causing emotional distress to a person they know is 17 or younger. That's incredibly broad -- most likely overbroad under the First Amendment. It sweeps in a potentially broad range of protected expression under the First Amendment.

It might also be unconstitutionally vague. A vague law is one that either fails to provide the kind of notice that will enable ordinary people to understand what conduct it prohibits; or authorizes or encourages arbitrary and discriminatory enforcement. This law does both. It is often very difficult to assess how others might interpret one's words, especially online. The law also encourages arbitrary enforcement, as it cannot possibly be enforced in most instances.

This law is an attempt to update a harassment law. I believe that such harassment laws exist in a number of states. Many of these underlying laws also share some of the problems I've discussed.

Consider the following case: Child 1 teases Child 2 by saying that he's a "nerd." Child 2 starts to cry. Child 1 repeats the insult. Child 1 has knowingly communicated with Child 2 and without good cause, has recklessly caused that child emotional distress. Yup, let's charge Child 1 with a crime and all other children of his or her ilk. Let's have Missouri start building jails, so it can lock up all those children who insult, frighten, or cause emotional distress to each other.

The problem with both the federal prosecution and the Missouri law is the "if it's bad it must be a crime" mentality. There is a lot of conduct that's bad -- sometimes really bad -- but that's not a crime and that shouldn't be a crime. Trying to stretch the law to criminalize everything we dislike is not a productive solution. Sadly, it scores political points, which is why a federal prosecutor and the Missouri legislature are acting so irresponsibly.

Hat tip: Media Prof blog

Posted by Daniel J. Solove at 05:39 PM | Comments (9) | TrackBack

Little Brother

Cory Doctorow’s latest novel, Little Brother, is technically a young adult novel, but there is something in there for anyone interested in cyberlaw, security, national security law, and oh yeah, a rather fun, although at times scary, tale. In classic Cory fashion, he has made the book available for free (yes well before law profs such as Benkler and Zittrain did so, Cory has been a leader in the world of I-make-money-by-giving-away-my-creations). He also allows people to remix and share the new work. The downloads and remixes are licensed under a Creative Commons Attribution-Noncommercial-ShareAlike license. Now that is a business model of the new economy. For those wondering whether this approach works, it does for Cory if making the New York Times Kids Bestseller list matters. (Scoff at your own risk. Remember kids are a tremendous market). So on to the book.

Some tech/sci-fi writers give up story for ideas. They offer great fun and build excellent worlds, but when it comes to ending the story, they fall short. (I am thinking of early Stephenson here) Little Brother, however, delivers both ideas and story. That is great because one can dive in and enjoy the characters as they navigate the modern day 1984 world of the United States.

Despite, or perhaps because, the characters and the story draw one in, the details of this world are not all fun and games. Hacking, government power, security, racism, freedom, and more swirl around as decent teens trying to have a life, trying to grow and express themselves, and trying to make mischief, crash into a new world. Anyone who remembers useful acts of rebellion and the learning that goes with them should be able to identify with these kids. The beauty of having kids as main characters is that kids often have parents. Doctorow uses the parents quite well. They express the natural desire for stability and the way that once freedom-loving individuals can easily change as they age and see the world through a lens of how-do-I-protect-my-family? Whether they will protect their kids and what the protection will look like was a subtle but important theme which Doctorow navigates well. Perhaps thoughts of becoming a father fueled this sensitivity; perhaps not. Either way it works.

Some of the text tantalizes with ways for individuals to keep their communications free, secret, and/or anonymous as context requires. Exploring those issues allows Doctorow to investigate how trust of other individuals, businesses, and the government work together to create the world we enjoy or what happens if that trust fails. Cory is not shy. He does not stop there. The relationship between federal and state government, the role of the press, and how individuals can or cannot impact the system are all in play as well.

I will stop here as I do not want to give away the details. There is more to discuss, but I also hate spoilers. So here is a possible solution. For those wishing to see Cory’s take on his book check out his post on John Scalzi’s Big Idea series. In addition, Cory is quite busy, but we hope to do a phone interview this summer. That way the law issues can be addressed and those who wish to avoid spoilers can. No promises but if he and I can connect, it should be fun.

Last, you may wonder whether I’d say buy the book given that it can be downloaded for free. Well yes I would say buy it as it keeps Cory funded. Yet, what if you decide to download it? Should you donate to Cory? No. In fact he would prefer you buy a copy for you or someone you love as it works better for his publisher and him. Or ever the innovative person, Cory has another idea you may wish to pursue: a donation program for the book. In short, Cory and his assistant have assembled a list of libraries and schools that want the book. He suggests that people who downloaded the book and want to give him money, find a library or school, buy the book online, and ship it to the school. Everybody wins: the public, the publisher, and Cory (who will receive royalties). Cory sent me the file before he put it online so I could review it. Still, I plan on following his suggestion and donating a book.

Image: Courtesy of Pablo Defendini
The image is an early sketch for a potential paperback cover. Mr. Defendini has a portfolio that you may enjoy too.

Posted by Deven Desai at 12:50 PM | Comments (1) | TrackBack

Megan Meier Case Update -- Drew Indicted

I've blogged about the Megan Meier case a while ago. This is the case where Megan Meier, a teenager, committed suicide after her online friend from Myspace suddenly started to reject her and say mean things to her. The "friend" on Myspace was actually Lori Drew, the mother of one of her classmates, and some other individuals. They created the fake profile and were pretending to be Meier's fictional friend.

Now, Drew has been indicted by a federal grand jury for a violation of the Computer Fraud and Abuse Act (CFAA). Here's the indictment.

Drew was charged with conspiracy as well as three counts of accessing protected computers without authorization. According to the indictment:

On or about the following dates, defendant DREW, using a computer in O'Fallon, Missouri, intentionally accessed and caused to be accessed a computer used in interstate commerce, namely, the MySpace servers located in Los Angeles County, California, within the Central District of California, without authorization and in excess of authorized access, and, by means of interstate commerce obtained and caused to be obtained information from that computer to further tortious acts, namely intentional infliction of emotional distress on [Megan Meier].

From the AP:

Each of the four counts carries a maximum possible penalty of five years in prison.

Drew will be arraigned in St. Louis and then moved to Los Angeles for trial.

The indictment says MySpace members agree to abide by terms of service that include, among other things, not promoting information they know to be false or misleading; soliciting personal information from anyone under age 18 and not using information gathered from the Web site to "harass, abuse or harm other people."

Drew and others who were not named conspired to violate the service terms from about September 2006 to mid-October that year, according to the indictment. It alleges that they registered as a MySpace member under a phony name and used the account to obtain information on the girl.

Drew and her coconspirators "used the information obtained over the MySpace computer system to torment, harass, humiliate, and embarrass the juvenile MySpace member," the indictment charged.

UPDATE: Over at the Volokh Conspiracy, Orin Kerr believes that the indictment should be dismissed. Kerr believes that it is a stretch to apply the CFAA to violations of a site's terms of service.

If the computer owner says that you can only access the computer if you are left-handed, or if you agree to be nice, are you committing a crime if you use the computer and are nasty or you are right-handed? If you violate the Terms of Service, are you committing a crime?

Kerr also argues that the prosecution will have a ver yhard time demonstrating that Drew intended to violate MySpace's terms of service. He writes: "But here there is no evidence that Drew even read the TOS. Most people don't, of course; I would be surprised if 1 person in 100 actually tried reading it. If Drew wasn't aware that she was violating the TOS, she couldn't be exceeding her authorized access intentionally."

I agree with Kerr on these first two reasons. While Drew's conduct is immoral, it is a very big stretch to call it illegal.

Kerr offers a third reason why the indictment is faulty -- it is unclear whether the goal of the conspiracy was to obtain information, as was charged in the indictment. Kerr writes: "[I]t doesn't seem that Drew had the intent to obtain information from her victim. Her apparent goal was to harass her victim and to cause emotional distress, not to obtain information from her." On this reason, however, I'm not so sure I agree. The news accounts I read about the case indicated that one of Drew's primary motivations for creating the fake profile was to learn information from Megan Meier. She wanted to know information from Megan that pertained to her own daughter, who was a classmate of Megan's. The harassing came later on.

Posted by Daniel J. Solove at 05:46 PM | Comments (5) | TrackBack

What Is Online Privacy Worth?

It is an old question (at least in Internet time): What is online privacy worth? Yet there seems to be a new wrinkle. Not just the Web sites or search companies want to track what one surfs. ISPs are now in the Web tracking game and stand to make “several dollars per month” per customer. When there are millions of customers for an ISP that can be some serious money. For example, if a company has 10 million customers and could gain even an extra one dollar per customer per month -- well you can do the math. (Fine, here’s the math: $120 million). So it may be time for ISPs to live the dream. According to the New York Times NebuAd can help an ISP track its customers surf habits, then serve up ads based on those patterns, and pay the ISP for that privilege. Per the Times

Here’s how the system works: NebuAd installs a hardware device it has designed inside the network of I.S.P.s One device can monitor all of the information going to and from 30,000 to 50,000 users. The device associates the information it sees with the I.P. address of the user.

A month ago NebuAd refused to discuss with whom it had partnered but claimed to “soon be monitoring the activities of 10 percent of Internet users in the country, mainly customers of small and medium Internet service providers.” Now, however, NebuAd has partnered with Charter Communications which is the fourth largest cable provider in the U.S. Charter told its customers about the change in a letter which in classic corporate spinese called the change a way to provide “an enhanced online experience that is more customized to your interests and activities.”

The system is opt-out. When challenged by The Times’ Saul Hansel about using opt-out rather than opt-in, Ted Schremp, Charter’s senior vice president for product management and strategy, claimed that opt-out is the norm for targeted ads on the Internet. That idea alone is worth researching. (Then again shame on the New York Times for checking the “remember me on this computer” box rather than leaving it blank.)

So how much could Charter make from Web browsing? Apparently “several dollars per month for every user that is monitored.” Let’s allow several to equal three dollars a month per customer. Now suppose Charter proceeds to turn all its 2.8 million customers into NebuAd surfers but two-thirds choose to opt out. Charter would still stand to make around $2.8 million per month or $33.6 million per year. Not a bad haul for connecting someone to the Internet. Put differently, under this system one will pay for the privilege (usually around $50 per month) of letting a company make money off what one does online.

How will all this play out? Most likely the apostles of the market and choice are lining up to share the good news that both are not coming but here. Of course whether a customer has a real choice in her home between two let alone more ISPs is up for grabs depending on where one lives. Furthermore, as ISPs seek more income (which is their duty) would the competitors really test the market? Or would they all install NebuAd style deveices and then charge for not having one’s surfing tracked (remember that do not list fee for your phone number?)? Talk about a bad default rule.

The bigger issues here are net neutrality and privacy. The discussions of those topics sometimes become quite abstract. Maybe bringing home how they intersect and impact the individual user will rally the populace against poor policies. Then again, if they give me a discount card, well heck, that could make me happy to pay for the privilege of giving up me privacy.

cross-posted at Madisonian

Posted by Deven Desai at 01:41 PM | Comments (2) | TrackBack

The Spread of Surveillance Culture

About 5,000 applicants across the country turned down for a Transportation Worker Identification Credential got letters with the following language: “I have determined that you pose a security threat,” authored by John M. Busch, a security administration official. I think there may be an interesting tension here between the judiciary's usual deference to the government in security matters, and some due process cases indicating a basic right of "pre-stigmatization" due process.

Meanwhile, Vauhini Vara reports that "New Sites Make It Easier To Spy on Your Friends." Some leading contenders:

Zaba Inc.'s ZabaSearch.com turns up public records such as criminal history and birthdates. Spock Networks Inc.'s Spock.com and Wink Technologies Inc.'s Wink.com are "people-search engines" that specialize in digging up personal pages, such as social-networking profiles, buried deep in the Web. Spokeo.com is a search site operated by Spokeo Inc., a startup that lets users see what their friends are doing on other Web sites. Zillow Inc.'s Zillow.com estimates the value of people's homes, while the Huffington Post's Fundrace feature tracks their campaign donations. Jigsaw Data Corp.'s Jigsaw.com, meanwhile, lets people share details with each other from business cards they've collected -- a sort of gray market for Rolodex data.

For the privacy-concerned, the article advises "If you don't want people to find your address online, for example, don't list it in local phone books, which often provide data to online address-search services."

Posted by Frank Pasquale at 02:09 PM | Comments (1) | TrackBack

The Internet Archive Protects Privacy for Libraries

Wired reports that the FBI subpoenaed the Internet Archive and demanded that Brewster Kahle (the Archive’s founder) provide records about one of the library's registered users, asking for the user's name, address and activity on the site. The FBI used a National Security Letter (example) to make the request. As Wired explains this type of letter does not require judge’s review before issuing it and often (almost always) has a gag order “forbidding the recipient from ever speaking of the subpoena, except to a lawyer.” The Archive, EFF, and the ACLU went to court and had the subpoena quashed.

As I argue in Property, Persona, and Preservation, given that our information is more and more technologically mediated, we need better systems to preserve our information. This case raises a related issue of once preserved what can be done with the information. Here, the Archive is preserving the information and then as a library allowing people to use that information. But because of the method of access, the FBI was able to ask for great detail about who looked at what information and when. Julie Cohen’s A Right to Read Anonymously: A Closer Look at "Copyright Management" In Cyberspace offers an explanation as to why the Archive’s win is so important. In short, reading anonymously involves identity of the reader and how we foster “freedom of thought and expression.”

In addition, the Wired article points out that despite the settlement the details of what was sought for example, the “kind of information the target was looking at or uploading -- such as animal rights information or Muslim literature” were kept secret. There may be reason for such secrecy. Still, when Congressional audits show that “hundreds of thousands of NSLs” have been issued, the use has not been tracked, the FBI “can only estimate how many NSLs it has issued,” each time an NSL has been challenged, it has lost (only three times according to the article), but one needs the help of a major public interest law group to fight the subpoena, something is wrong.

One disturbing thing is that no one knows exactly how these NSLs are being used or managed or if they do, they can’t talk about it. That situation reminds me of the private military context where the government also had little sense of how many and under what terms the PMCs were used. In other words, lack of oversight often leads to abuse, but then many know that, right? Another problem is that again like the PMC context, it seems quite difficult to have any sunshine fall upon this process. Why not have a judge look at such a letter? It seems the information is not going anywhere. Quite the opposite; remember it is preserved.

There is more to say on secrecy but for now I recommend Secrecy: The American Experience by Daniel Patrick Moynihan. I think I have recommended it before and probably Patrick O’Donnell has offered other books on the topic (which is always welcome). But as it is on my mind and an excellent look at how secrecy can help and harm a fight against whoever our enemies may be, I offer it again.

Posted by Deven Desai at 12:45 PM | Comments (2) | TrackBack

Computers, Freedom, and Privacy

I just wanted to announce that the preliminary program for the 2008 Computers, Freedom, and Privacy Conference (in New Haven, CT) has been announced. The theme this year is "Technology Policy '08," and it includes several topical panels