Year: 2013

  • FISA Amendments Act and the Supreme Court

    By Eugene Levin

     

    http://www.nytimes.com/2013/02/27/us/politics/supreme-court-rejects-challenge-to-fisa-surveillance-law.html?partner=rss&emc=rss

    The Supreme Court, in a 5-4 decision, denied standing to a group of plaintiffs, including lawyers, journalists, human rights and privacy advocates, seeking to challenge the constitutionality of the FISA Amendments Act. The plaintiffs argued that they had been encumbered by the legislation, that their speech had been chilled and they had incurred additional expenses in avoiding possible surveillance while meeting with sources and clients. Justice Alito, writing for the majority, dismissed such harms as the product of speculation on the part of the plaintiffs, insufficient to grant standing to challenge the law.

  • Could the U.S. be Close to Adopting an EU-esque Approach to Online Privacy?

    By Samantha Steinfeld

     

    http://dailycaller.com/2012/03/05/white-house-follows-eu’s-lead-with-new-internet-rules-of-the-road/

     

    This article, from March of last year, does a good job of synthesizing the notions undergirding this week’s discussion of European privacy laws and regulations, and the themes that have pervaded our previous class discussions.

     

    The first interesting aspect of this article is its discussion of President Obama’s proposed “Internet Rules of the Road,” which, as the article’s author notes, in many ways resemble EU privacy regulations. Quoting Darren Hayes, a professor at Pace University, the article draws parallels between the ways in which EU laws and regulations, and the President’s proposed “Rules” are both aimed at “provid[ing] a shield to consumers…from unsavory marketing practices.” The author also points out that many American legal journals have begun to view European-style regulations as more “sophisticated” in recent years, and have thus begun to advocate for American laws that provide more uniformity and are less sectoral or self-regulatory in nature.

     

    Specifically, the President’s proposed “Rules” would crack down on targeted advertisements and greatly curb the ways in which companies can track web users’ online behavior. They would also provide for a much broader FTC enforcement power, which we know to be a significant development, given that a major point in our class discussion regarding FTC enforcement is that the agency’s limited power and jurisdiction prevent FTC enforcement actions from being a truly powerful source of online data and privacy protection for consumers.  Enactment of these “Rules” would seem to minimize this issue, by creating an “enforceable ‘code of conduct’ that Internet companies would have to comply with, or face litigation or civil penalties, under the expanded FTC power.”  Finally, it is important to note that the President, in his proposal, has asked Congress to “codify the new rights;” not only would this approach represent a massive departure from the largely sectoral and self-regulatory approach to privacy that permeates U.S. privacy law to date, but it very much echoes the European “fundamental rights”-based approach to privacy and data protection that we have seen reflected in the EU Directive and OECD Guidelines.

     

    In addition to hitting on these topics, the article also addresses some other major themes of our class thus far, such as the centrality of notice and consent to information privacy law, and the pushback by industry and other powerful figures against a more omnibus-style approach in the U.S. Providing a counterpoint to Professor Hayes’ support for the “Rules,” Professor Jacob D. Furst of DePaul University argues that privacy concerns can be mitigated by changes in consumer behavior, and that the only way people can be sure that their privacy is protected online is “to be smart about their online behaviors.” Furst, like many business leaders and other advocates for the American-style approach, points out that almost every company has privacy policies readily available on their website, and that forcing companies to do anything more to ensure that data is protected and not misused would be unduly burdensome, both in financial terms, as well as in terms of companies’ ability and willingness to continue to provide services to consumers on as wide of a scale.

     

    The executive branch’s response to these concerns is, oddly, a characteristically European one, and focuses on the supremacy of consumers’ “internet rights.” Indeed, the article concludes with a statement from the White House asserting that “consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online.”

     

    While I think that this move is certainly undergirded by legitimate policy concerns, I do not believe that an omnibus-style approach will work in America. Such a “Bill of Rights” would not just be a cumbersome effort to control industry, but it would also represent a top-down determination of what “type” of information sharing is “appropriate” on an individual level. In my opinion, the federal government should not be defining what is and is not acceptable information sharing by consumers; this is a decision that should be left to individuals. Perhaps a broader-based FTC enforcement power without an enforceable code of conduct would be a better way to achieve this outcome.

     

    NB: you can find the proposed “Internet Rules of the Road,” along with its proposed “code of conduct” here: http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights

  • UK Pushback to European Data Protection Directive Updates

    By Judd Lindenfeld

     

    The proposed changes to the European Data Protection Directive were sure to face strong opposition from U.S. lobbyists representing Facebook, Google and other pillars of the tech industry. After all, the switch from mere “directive” to actual “regulation” is one that gives the provisions an immediate and uniform impact across the European Union. This is on top of the additional requirements and standards that the change imposes. But consternation from Member States themselves—to the point of calling for the changes to be scrapped entirely—is a bit more surprising.

     

    However, this is exactly what the UK Information Commissioner’s Office (ICO) has called for.

     

    http://www.ico.gov.uk/news/~/media/documents/library/Data_Protection/Research_and_reports/data_protection_reform_latest_views_from_the_ico.ashx

     

    The UK ICO has called the current undertaking “a great opportunity” to update the way that personal information is used today yet laments the outcome of the process for a number of reasons. First, the ICO takes general aim at the updates for being “too prescriptive” when it comes to its administrative requirements. This concern is mostly reserved for small and medium enterprises (SMEs) that cannot afford the safeguards—such as hiring a Data Protection Officer—that the regulations require. Indeed, these kinds of administrative requirements create greater barriers of entry into the tech industry.

     

    Next, the ICO complains about the lack of clarity in the regulations. Terms like “personal data” must be defined more precisely by the new regulations (do they include non-obvious identifiers such as IP addresses?). The same applies to the new “right to be forgotten” that the regulations create (how forgotten is “forgotten”? Will users understand the degree of protection that this right offers?). Determining the definition of these provisions is crucial because of the heavy penalties that result from violating the regulations.

     

    Finally, the ICO questions what is perhaps the key feature of the regulations: its uniformity. He correctly points out that different Member States have different legal traditions and “what is allowed by law is not spelled out in the UK in the way that it is in some other countries’ legal systems.” However, in the change from “directive” to “regulation,” what is applied to one State is applied to all.

     

    The position of the UK ICO illuminates a number of important considerations in the quest to achieve data protection. First, it shows that patrolling the tech industry through an omnibus set of regulations is a difficult venture. Growth in the tech sector is dependent on small firms and start-ups that lack the protective capabilities of their larger counterparts. And terms like “personal data” that may seem clear today might, with the advent of new technologies, seem murky tomorrow.

     

    Most importantly, it’s questionable whether the goal of data protection can be achieved through the same means in every State. Of course, uniformity of law brings its own set of benefits. However, these benefits will never be realized if the laws that apply to every Member State are not “one size fits all.”

     

    For more information on the controversy surrounding the new regulations:

     

    http://www.wired.co.uk/news/archive/2013-02/07/ico-against-eu-data-protection

    http://www.theregister.co.uk/2013/02/06/uk_ico_position_data_protection_directive/

    http://www.wired.co.uk/news/archive/2013-01/22/us-eu-data-protection-advocates

     

     

  • Updating the ECPA

    By Molly Ryan

     

    Though the Electronic Communications Privacy Act was passed in 1986, it has not been updated to reflect the evolving communication norms.  The recent scandal involving General Petraeus has finally spurred Congress to update the act.  The proposed bill will require police to obtain a warrant before reading emails and any other form of electronic communication.  Currently, only an administrative subpoena is required unless the email was already open or sent over 180 days ago.  There was a draft provision containing an exception in order to expedite the process of obtaining business records.  This would have limited the warrant requirement only to service providers to the public.  There was understandable controversy over this as information such as student emails from a university would be available with only a subpoena.  It has not been included in the most recent draft.

    http://thehill.com/blogs/hillicon-valley/technology/269569-leahy-keeps-tough-protections-in-email-privacy-bill

    The idea that to read emails police should have a warrant seems to be a common sense one, given today’s current conception of privacy and the increased prominence of email as a major form of communication.  This bill and the efforts to update it highlight a broader concern – namely, how do we define privacy such that our legal system’s definition can keep up with that of society?  Julie E. Cohen, a Georgetown University Law professor, suggests that we move away from a conception of privacy as merely a tool to further other, independent aims such as liberty.  In the current conception, privacy is one of many means to protect other values and as such is interchangeable with other defenses.  She sees privacy as an end in itself, a buffer that keeps us free to develop without surveillance.  Perhaps if the law defined privacy this way, it would be much easier for the law to progress alongside technology.

    http://www.theatlantic.com/technology/archive/2013/02/why-does-privacy-matter-one-scholars-answer/273521/

  • Google AdWords

    By Owen Kirshner

     

    Part 1 – Google AdWords moves a step closer to global acceptance with a win in Australian court. AdWords has been slowly gaining legitimacy throughout the world with some key wins in court. This most recent win follows a complaint by the Australian Competition & Consumer Commission alleging false advertising claims because AdWords advertisers were buying keyword advertising on their competitors’ trademarks. The High Court of Australia found that Google was an intermediary and was not liable for the advertising practices of their AdWords users. This case follows several in the US and EU that bring the treatment of internet advertising in line with more traditional advertising platforms, affording them protection from secondary liability. http://blog.ericgoldman.org/archives/2013/02/with_its_austra.htm

     

    Part 2 – A Wisconsin court rejected a publicity rights claim in another AdWords dispute. In this case a personal injury law firm brought suit against a competitive firm that had bought the names of the first firm’s partners on AdWords. The court rejected the claim because the plaintiffs’ names were used in an invisible way in the AdWords advertising (they merely led to results, but were not displayed in the results themselves) and thus did not fall under the Wisconsin publicity statute. It should be noted that this type of dispute is often brought as a trademark claim where “use” has often been found in the invisible AdWords process. Although Google was not brought into this suit, it’s clear that despite increasing global acceptance AdWords will continue to raise privacy issues.  http://blog.ericgoldman.org/archives/2013/02/buying_keyword.htm

  • The right to be forgotten – forget it?

    By Emma Peters

     

    The right to be forgotten has been widely criticized – not only as too far reaching but also as technically impossible to implement. These issues, many of which we touched on in class, are addressed in the articles described below:

     

    In the Stanford Law Review, Jeffrey Rosen, Professor of Law at The George Washington University, states that the proposed European legislation will not only seriously alter the structure of the Internet, damage companies like Google, Yahoo and Facebook, but much more important “represents the biggest threat to free speech on the Internet in the coming decade.”

    Rosen starts by acknowledging that the right to be forgotten addresses an urgent problem in the digital age: it is very hard to escape your past on the Internet as every photo, status update and tweet lives forever in the cloud. Nevertheless, Rosen points out that in its present form the right could cause a dramatic clash between European and American conceptions of the proper balance between privacy and free speech. He argues that the right is too vague and broad.

    Rosen notes that the right to be forgotten applies to “any information relating to a data subject”. Thus, it covers not only information posted (only) by the data subject herself (which he finds unobjectionable) but also information that has been put up by the data subject but copied or reposted by someone else (II), or that has initially been posted by a third person (III). He thinks that categories II and III pose great threats to free speech: Can Facebook be forced to delete a photo of the data subject that has been shared by a friend – without the friend’s consent? Can media be forced to take down legally acquired, truthful but embarrassing information – such as a rape victim’s name (alluding to the Supreme Court decision in Florida Star v. B.J.F.)?

    Furthermore, Rosen thinks that the exceptions to protect the right of freedom of expression are not adequate. The regulation puts the burden to assess the difficult balance of privacy rights and free speech and to prove an exemption on the data processor. The envisaged hefty fines could lead data controllers to err on the side of deletion or blocking of all sites referring to the data subject, producing serious chilling effects to free speech.

     

    http://www.stanfordlawreview.org/online/privacy-paradox/right-to-be-forgotten

     

    The European Network and Information Security Agency (ENISA) asks how the government will implement an individual “right to be forgotten” when data are so often plural – concerned with more than one person and freely exchanged with many more. ENISA notes that the right to be forgotten is virtually impossible to enforce in an open, global system such as the Internet. How would a government force the forgetting of a couple’s photograph when one person wants the photo forgotten and the other does not? Furthermore, nothing prevents users from freely copying, storing, and redistributing digital content, including photos. Unauthorized copying of information by human observers is ultimately impossible to prevent by technical means. How can data be tracked down and “forgotten” when we don’t even know who has seen or stored it? Subsequently trying to find and erase the distributed copies is impossible.

     

    ENISA report: http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/the-right-to-be-forgotten

    The Right To Be … Oh, Forget It

    http://www.hldataprotection.com/2012/11/articles/international-eu-privacy/right-to-be-forgotten-cant-be-enforced-on-the-internet-says-european-security-agency/

  • Google Faces Heat for Privacy Policies

    Shaelyn Dawson

     

    http://www.kqed.org/news/story/2013/02/19/116575/google_faces_heat_for_privacy_policies?category=technology

     

    This article from only two days ago explains how Google is under fire from both Microsoft and the European Union for its violation of privacy laws. Essentially Google’s new policy allows for the tracking and combining of an individual’s information and usage data when they use any more than one of Google’s services—this means if you use Gmail, Google Calendar, Google Maps, Google News, et cetera you are being tracked. Ultimately, though, the article ends by explaining that the primary reason that Microsoft is after Google is because of Google’s monopoly in the operating system and productivity software markets.

    This article struck me as particularly relevant in light of our class discussion about the Electronic Communications Privacy Act as well as our lecture by Brad Smith.  On Tuesday the class heard two comments: one declaring as to how the advertisements related to an upcoming wedding were exceedingly helpful and another who bristled at the idea of targeted advertising. It seems to me that the take home from this conversation is that there is not a monolithic model that will make everyone happy. As Brad Smith explained in response to my question about the EU, the “notice and consent” model simply does not seem to be working. Thus, in applying Mr. Smith’s advice, a new model should be reworked following this 3-step approach: first, we need updated laws and regulatory measures which create an even playing field for all actors: good and bad. Though the EU model has wider consumer protection, many of the same problems that occur in the U.S. also occur in the EU. Second, we need more self-regulation so that the legal/regulatory foundation can be bolstered and built upon. This means that a company like Google must regulate itself and create internal safeguards in order to comply with recognized laws and regulations. Finally, we need market-based innovation and competition so that actors are incentivized to respect consumers’ privacy as well as legal norms.

    This third prong directly relates to the above article in that the article specifically notes that Microsoft “has seen Google and others erode its monopoly position in the operating-system and productivity software market,” and “it’s fighting tooth and nail to try and find a way to get it back.” Thus, the free-market essentially encourages competitors to be watch-dogs of each other. While Microsoft’s motives may not be purely altruistic, the fact that it is keeping Google honest ultimately will benefit the consumer.

  • ARE YOU BEING SCROOGLED? (What’s a “Scroogle”?)

    Marissa Schwartz

     

    Brad Smith was an amazing guest speaker! As lead general counsel for Microsoft, he knows the ins and outs of the tech market and even more about privacy law.  During the Q&A a student asked him about Microsoft’s new campaign, “Scroogled,” which aims to inform the public of Google’s improper use of Gmail users’ personal information in order to rack up advertising sales. Google’s profit model is based on creating products/services that are then available to the market for free and profiting off advertising revenues.  I have no qualms about this business model up until learning from Mr. Smith that Google was combing my Gmail account and extracting my personal information.

     

    I am not a very private person – I am an active Facebooker, Instagrammer, Tweeter, etc. – but I believe that my Gmail account should be private: THIS IS MY INBOX, which is way more important than my physically locked up mailbox, AND ITS CONTENTS ARE FOR MY EYES ONLY! I have extremely “sensitive” information in my Gmail account (along with the momentarily funny and forever corny chain emails I get from my mother): electronic receipts, travel confirmation numbers, delivery information, subscription records, tickets to see Joan Rivers perform stand-up tonight, employment listings, job contacts, my daily horoscope, and on and on the list could go.

     

    Google should not be allowed to access any of this information and I signed (anonymously of course!) the Microsoft “Scroogle” petition to formally object! You can do so too by clicking here: http://www.thepetitionsite.com/997/086/864/tell-google-to-stop-going-through-your-email-to-sell-ads/?z00m=20503710.

     

    The marketplace, myself included, does in fact believe some things are not to be aired. The leaders of the tech market should be cognizant of this when designing products and crafting their business models because their costs of doing business should not fall squarely on their consumers. Even though I do feel violated I also shudder at the thought of parting ways with Gmail. I am grateful to Mr. Smith and those other brainiacs at Microsoft who decided to inform the world about Google’s intrusive practices. Further, I applaud this endeavor because it is paving the way for increased self-regulation by market forces. The more the public knows about these companies’ practices (rather than the other way around) the better!

     

    More web chatter about “Scroogled!”

     

    First, we have a comic commercial video of Google reading your Valentine’s Day love letters, brought to you by Microsoft: http://techcrunch.com/2013/02/14/bing-launches-new-scroogled-video-for-valentines-day-warns-google-will-read-your-love-letters/.

     

    Next, some more inside scoop from the Bay Area: http://www.nbcbayarea.com/news/local/Microsoft-Hits-At-Google-In-New-Scroogled-Ad-Campaign-191738631.html.

     

    And finally, not everyone feels the way I do so here is a criticism of “Scroogled:” http://techland.time.com/2013/02/16/how-microsoft-scroogled-itself/.

  • European Union to take Action Against Google

    Emi Briggs

     

    http://www.bbc.co.uk/news/technology-21499190

     

    http://epic.org/2013/02/europe-prepares-action-against.html

     

    http://mashable.com/2012/01/24/google-changes-again-launches-one-privacy-policy-to-rule-them-all/

     

    http://ftc.gov/opa/2012/08/google.shtm

     

    In January 2012 Google launched a new master privacy policy that created an umbrella policy to cover its various products. Shortly after, 26 European countries requested Google address aspects of its policy deemed to be contrary to EU Law. After receiving what it deemed to be an inadequate response from Google, the French Data Protection Commissioner, acting on behalf of the European Union, will be taking action against Google.

    In light of our recent lecture with Microsoft executive Brad Smith, I felt news on Microsoft’s major competitor, Google, would be particularly relevant.  Furthermore, this investigation highlights the difference between the US and European models of privacy regulation.  The Federal Trade Commission has also investigated Google recently for alleged antitrust violations and settled with the company for violating the privacy of Safari users.  However, it is yet to raise issues concerning the master privacy policy the EU is now contesting.

  • THE STATE OF CFAA AND THE PASSING OF PRIVACY SCHOLAR ALAN WESTIN

    Chad Sandler

    Aaron Swartz was indicted in 2011 under the CFAA and wiretapping statute for exceeding his authorized access to the research portal JSTOR and downloading and disseminating articles from JSTOR. He subsequently committed suicide leading to a public backlash against criminal prosecution under the CFAA. This article in Forbes reviews Aaron’s actions and explains how they violated the CFAA. It explains that the misconduct went beyond violating JSTOR’s terms of use to include exceeding authorized use and circumventing identity restrictions.

    http://www.forbes.com/sites/ciocentral/2013/02/15/how-congress-can-create-a-lasting-legacy-for-aaron-swartz/

    Orin Kerr offers a cogent legal analysis defending the actions of federal prosecutors in the case against Swartz. Kerr asserts that under the Wire Fraud statute, Swartz’s use of masked IP addresses and false identification to gain access to JSTOR articles comports with the statute’s prohibition on schemes to gain property by false pretenses.

    Kerr then analyzes the case under the CFAA. He notes that the $5,000 threshold is easily met here if one uses the ‘reasonable costs of production’ value that many courts have adopted. With regard to exceeding authorized use, Kerr points out the methods used by Swartz to circumvent detection (and defensive block attempts) by JSTOR.

    The Criminal Charges Against Aaron Swartz (Part 1: The Law)

    Efforts to amend the CFAA include removing liability for exceeding authorized use to perhaps simply access without authorization. This TechCrunch article outlines some of the legal debate on reformation efforts: http://techcrunch.com/2013/02/11/aarons-law-takes-shape/

    Finally, a few days ago, Alan F. Westin, noted privacy scholar, passed away. This article highlights his contributions to the field of information privacy. He believed privacy “is more than the right to be left alone. It is the ability to control how much information about ourselves we reveal to others, and how and when to share it.”

    http://www.washingtonpost.com/national/alan-f-westin-scholar-of-privacy-in-the-information-ages-dies-at-83/2013/02/19/7258b28c-7aa6-11e2-a044-676856536b40_story.html