Here we'll explore the nexus of legal rulings, Capitol Hill
policy-making, technical standards development, and technological
innovation that creates -- and will recreate -- the networked world as we
know it. Among the topics we'll touch on: intellectual property
conflicts, technical architecture and innovation, the evolution of
copyright, private vs. public interests in Net policy-making, lobbying
and the law, and more.
Disclaimer: the opinions expressed in this weblog are those of the authors and not of their respective institutions.
The points he raises are mostly ones we've discussed over the past few months - ownership questions, proprietary formatting, restrictive DRM and licensing, and so on. But I thought it was worth blogging about his first point, which is just forehead-slappingly obvious and yet somehow I missed it. E-books - at least as they are sold by major providers today - pose a major privacy risk that physical books do not.
As Stallman notes, you can walk into a store and anonymously buy a physical book, often just with cash. At most you might be required to show proof of age for some materials but no record is kept of what you show. Contrast that with e-book purchasing, which requires a logged-in identity that is linked to credit cards, bank accounts, and other hard-to-remove traces. These purchase records can then be subpoenaed or seized by authorities who might have an interest in what you've been reading - bought any books on agricultural fertilizer lately? Or maybe you live in a Middle Eastern country and your government suddenly cares that you've been buying e-books about how to build apps that connect to Twitter's API.
Newswires and other media were buzzing yesterday over the Justice Department's subpoena to Google for search terms and URLs. The buzz got louder when Judge Ware indicated in court that he was likely to order Google to respond, at least in part. (Londoners might have seen me interviewed on the BBC news.)
The story converged the public's interest in everything Google with concern about government spying and the erosion of privacy online -- even if little of that privacy was ever directly at issue here. The government asked for search terms and a selection of URLs, not the IP addresses that could most directly link terms to the users who searched for them; its stated purpose was not to investigate individuals but to gather pieces that would help DOJ defend the Child Online Protection Act, a prohibition on showing material "harmful to minors" that has been on constitutional hold since its enactment in 1998. Google opposed the request, saying it called for trade secrets, was unduly burdensome, and further, that it might chill some of the search engine's users.
Even more than an actual privacy violation, the subpoena raised the perception of a privacy breach. News of the subpoena started many people thinking about how much of their personal lives they turn over to search engines -- and how little they know about what happens with that information next. With a government intent on listening to communications without warrants, could this subpoena be the first step toward a broader sweep of search engine records for other purposes? Our current privacy laws don't do a great job of protecting the information we turn over to third parties, such as search engines. Google could help protect privacy by keeping less data, but its business interests won't always align with its users' privacy wishes. The interest in the DOJ-Google subpoena shows we need to do better.
When a newspaper obtained records of then-Judge Bork's video rentals during 1987 hearings on his nomination for the Supreme Court, the public and members of Congress were similarly shocked that these records were so easily available. In response, Congress passed the Video Privacy Protection Act, prohibiting disclosure of video tape rental records without a warrant or court order. Though limited to sale or rental of "prerecorded video cassette tapes or similar audio visual materials," the VPPA stands out as one of our strongest privacy protection laws.
The DOJ's subpoenas for search records should be web searches' "Bork moment." Search engines, and our comfort in using them unobserved, are a key part of the Internet's vitality. If no current law protects us against government Googling our Google records, it's time to draft a law that does.
I've been complaining about Blizzard using its Terms of Service (TOS) to justify spying on gamers (I Spy With My Little EULA), but sometimes companies don't offer even the illusion of choice. Your printer could be ratting you out right now, and you wouldn't have the faintest clue.
Yes, I said printer. You see, a couple months ago we learned that at the request of the Secret Service, some printer manufacturers are secretly encoding information in color print-outs that can be used to identify where the document came from. The information appears as little yellow dots that you can see only if you use a blue light and a magnifying glass or microscope. No, really.
Today, EFF announced that it has cracked the code. The results should be of great interest to attorneys in discovery proceedings. Why? Those little yellow dots will tell anyone who can decipher them the date and time your document was printed, as well as the serial number of the printer. That makes a paper document more like email -- it reveals much more nuanced, and potentially significant, information about a particular communication than its "content."
Okay. So maybe you're not worried about what your videogame and printer may be revealing about you. But everyone should be worried about living in a world filled with innocuous-seeming devices that enable unprecedented, pervasive, routine surveillance. Lee Tien says it best: "[Printer surveillance] shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?"
Update: Jonathan Zittrain @ TechNewsWorld: "Counterfeiting is a serious problem, and there ought to be some way to prevent its undue exacerbation through color printing technologies without compromising the anonymity of every single document the printer might ever be asked to print."
Writes Greg Hoglund, co-author of Exploiting Software, How to Break Code:
I watched the [software] warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time. ...[The scanning] certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain a lot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.
As Schneier says, this is truly scary stuff. Yet even a few of the security-savvy readers at Schneier's weblog are downplaying its significance. Why? Annalee Newitz has a theory that rings true to me: people think of routine spying as normal.
Do you realize the government would have to have a warrant to get the kind of information Blizzard claims it has the right to suck out of your computer to stop cheaters? Doesn't that seem a wee bit wrong?
In a normal world, a sane world, people would be boycotting Blizzard for having the nerve to look through their kids' hard drives. They'd stop playing Blizzard games online and stick to LAN parties, where a bunch of people network their computers together for a group game that circumvents the Internet.
I think fans are still flocking to Battle.net for two basic reasons. One, most probably don't realize Warden is spying on them (it's hard to blame them for not reading all the way through the stultifying terms-of-use page). And two, they've convinced themselves that surveillance is normal. Sure, games are supposed to be entertainment, but in reality they're just compressed, contained reflections of our everyday lives. It should be no surprise that, in an era when Americans submit to having their bags searched on the subway to get to work, they are willing to let corporations riffle through the entire contents of their personal computers so they can have a little fun.
If word gets out about this, it will no doubt register with more people that they need to read their EULAs, but the problem is much bigger than that. How many more of our rights will courts allow companies to click-wrap away? And how do we stop digital era privacy norms developing that let people accept things like the government demanding that ISPs and VoIP providers make Internet surveillance (even) easier, while claiming it has the right to turn our cell phones into location-tracking devices?
There are a number of collateral consequences to the FCC's order, said Perkins Coie's Gidari, counsel to education, library and other associations that opposed the FCC's decision.
"I don't think the commission had a clue that what they were saying affected other facilities-based providers," he said.
"A lot of companies and organizations make broadband available to their work force, students, faculties, researchers and others. That's why Congress holds hearings, to determine impact. The commission put out an order only carriers would pay attention to," Gidari said.
"The notion a librarian would have to do a wiretap and is subject to felony penalties if she discloses it, is amazing," he said.
"That's what CALEA requires -- you have to have a security office, security procedures. In truth, that won't happen because the library will be closed because it has no budget for this. That's why this issue is important."
Applying CALEA to the Internet is in many ways like a combo 215/Broadcast Flag -- in short, it's a technology mandate to make it easier for the government (and others) to spy on people. The kicker is that it's not the government, but, rather, the "information service providers" and the customers/patrons/surveillance subjects themselves who will pay for it.
WIRED warns that Florida has put out an RFP for sequels to MATRIX, the massive tracking database that was abandoned by states and defunded by the feds on the heels of massive popular outcry. To make it even less amusing, the intention is to put even more data into the system, not that this will make it any more secure, less intrusive or more effective. But hey, who's nitpicking?
AOL raised a few eyebrows recently with some quiet changes to its Terms of Service. Although it has attempted to 'clarify' its position that the ToS don't apply to AIM, the fundamental problem still remains - the content belongs to AOL, not to you. You have no copyrights to your fiction, no trademarks in your online business ideas, no patentable notions in your invention drawings, if you put any of it onto AOL's net. AOL owns it all and can "reproduce, display, perform, distribute, adapt and promote" it at will.
My intuition is that the other big online services have ToS that are equally privacy- and IP-hostile but today is AOL's turn under the klieg light.
Washingtonpost.com has the transcript of an interesting online chat with Sarah Deutsch, a lawyer for Verizon, about online privacy, including the Supreme Court's recent denial of cert. in the RIAA v. Verizon case about DMCA subpoenas and file-sharers:
U Boulder, CO: I have heard that the RIAA has technologies that can find illegal downloaders online and track them. Is this stuff legal? Isn't that hacking? Do ISPs allow this kind of software on their networks?
Sarah Deutsch: The RIAA, MPAA and even the pornography industry (acting as "copyright owners") are increasingly hiring Internet "bounty hunters" who use search tools, including search bots to scour the Internet for infringing files. Just like those mechanical spiders in the movie "Minority Report," the spiders go into users' shared folders on their hard drives and match file names to the names of copyrighted songs and movies. Unfortunately, the bots make mistakes, which is why one ISP received a notice demanding that they terminate a subscriber who had allegedly downloaded the Harry Potter movie when the attachment was actually the Harry Potter book report.
Off-topic, but absolutely fantastic news: the ACLU just won a case ruling that part of the USA PATRIOT Act is unconstitutional:
U.S. District Judge Victor Marrero ruled in favor of the American Civil Liberties Union, which challenged the power the FBI has to demand confidential financial records from companies that it can obtain without court approval as part of terrorism investigations.
The legislation bars companies and other recipients of these subpoenas from ever revealing that they received the FBI demand for records. Marrero held that this permanent ban was a violation of free speech rights.
In his ruling, Marrero prohibited the Department of Justice and the FBI from issuing special administrative subpoenas, known as national security letters.
Imagine if the FBI could, with only a piece of paper signed by the special agent in charge of your local FBI office, demand detailed information about your private Internet communications directly from your ISP, webmail service, or other communications provider. Imagine that it could do this:
* without court review or approval;
* without you being suspected of a crime; and
* without ever having to tell you that it happened.
Further imagine that with this piece of paper, the FBI could see a wide range of private details, including:
* your basic subscriber records, including your true identity and payment information;
* your Internet Protocol address and the IP address of every Web server you communicate with;
* the identity of anyone using a particular IP address, username, or email address;
* the email address or username of everyone you email or IM, or who emails or IMs you;
* the time, size in bytes, and duration of each of your communications, and possibly even
* the web address of every website you visit.
Finally, imagine that the FBI could use the same piece of paper to gain access to your private credit and financial information - and that your ISP, bank, and any other business from which the FBI gathers your private records is *forever* barred by law from notifying you.
Now stop imagining, and meet the NSL authorized under Section 505 of the USA PATRIOT Act.
UCLA law professor/Harvard law visiting professor Jerry Kang is the Larry Lessig of privacy, in that he was able very quickly and powerfully to communicate that there are extremes in the debate that result largely from the culture-born clash between "property talk" (U.S.-take on privacy) and "dignity talk" (Euro approach). He lifted the discussion out of the dreaded "tin foil hat" arena -- that is, beyond "paranoid freaks v. reasonable people" nonsense that stops people from truly engaging with the problem/issues at hand. He's one to learn from. (Check out Frank Field's comprehensive ILAW notes for a remarkably detailed transcript of his talk.)
Tell Me About It
Speaking of working to balance the debate, I want to thank ILAW attendee/NPR Deputy General Counsel Denise Leary for echoing/amplifying my call on Friday for real-world stories that reveal what the average guy on the street is losing because of the digital copyright crackdown. Jim Flowers told a personal story I'd like to hear in greater detail, about arguing successfully against an incredibly restrictive form of Internet filtering in schools by putting it in the plainest of terms -- something like, "Your children can't do research in school -- they're restricted to only 200 websites, and that's why this policy should be rejected." If you've got just such a simple-as-Valenti story about how today's copyright is frustrating your teaching/learning/creativity/ability to speak about an important issue online, do drop a comment below or send me an email to let me know.
Fordham law professor Sonia Katyal has an article up @ the SSRN Electronic Library that brings to mind a question I asked some months ago: Why do we tolerate in the name of copyright protection what we only unwillingly tolerate in the name of combating terrorism -- e.g., law that strips us of our right to privacy and due process?
The paper, entitled "The New Surveillance," describes in detail how the courts aid and abet new, extra-judicial regimes of private/corporate surveillance on the Internet -- and proposes, among other things, "greater judicial supervision of the DMCA" as an appropriate fix.
An interesting issue has come up in the Gmail and privacy session @ CFP. If you send an email to someone at a corporation, e.g. firstname.lastname@example.org, there is an implicit understanding amongst most people that Microsoft could scan the email and read its contents. After all, Microsoft has a number of trade secrets to protect (as well as other interests) and since you are sending the email to one of its employees, it presumptively has the right to check it to make sure it isn't causing the corporation any harm. At the very least, it could argue that since the mail has been sent to its computer servers, it has a right to look at it if it wants.
So what about Gmail? Shouldn't people have the same low expectations of privacy if they send email to someone using a gmail.com email address? After all, the email is residing on Gmail's servers and there's no illusion that the email is residing on a private server.
The difference, I think, is one of perceived control and ownership. When I send email to microsoft.com, I understand that Microsoft has a right to police its email and servers because the person you are sending the mail to is an employee there -- someone who Microsoft has control and supervision over while they are at work.
With Gmail, however, Google doesn't have any control or supervision over its users. At least, that's our current perception. In return for seeing ads, users get a Gig of storage. That's the relationship. Google doesn't try to tell the user what to use the account for or try to control their behavior or supervise it. Therefore, when I send email to someone at a Gmail account, I assume the user is in control of the privacy of that email, not Google.
A trendy topic of late seems to be that with the improvements in search technology and the increasing prevalence of message boards, blogs and other ways to express yourself on the Net, people will increasingly be able to find out what you've written and done in the past. Even law firms have apparently begun to take an interest in their employees' or candidates' online acts.
My first reaction is one I have over and over in Internet law... firms--did you really think your employees never talk about the firm and its goings-on? Did you really think your candidates had no opinions other than those they glibly recited in their interviews and fancy lunches? Lawyers--did you really think the firm would never check your background? Did you really think the firm wouldn't notice if you're writing about it? My second reaction is also typical: Firm--get a thicker skin. Lawyers--own up to your past and, today, if you're ashamed for someone to read what you're saying, why are you saying it in the first place? I know there are important reasons for anonymity, but I also think far too many people use "privacy" as an excuse to just avoid standing up for what they believe, or to get away with things they know are criminal, embarrassing or just plain icky.
As many readers might know, there are three ongoing concurrent challenges to the recently passed Partial Birth Abortion Ban in court these days. In fact, trial in the San Francisco Case was scheduled to begin today.
Part of the issues before the courts is whether or not so-called "partial birth" abortions are ever medically necessary to preserve the health of the pregnant woman. (The Ban does not include any exception for such circumstances). Congress found that such procedures were never medically necessary. Planned Parenthood and other abortion providers disagree. As part of its preparation for trial on this issue, the U.S. Gov't sought to subpoena the medical records of women who have had the procedure. PP and the other providers sought to quash the subpoena. The district court in Chicago quashed the subpoena and the Government appealed to the 7th Circuit for reversal. Just the other day, the 7th Circuit handed down their opinion (penned by the well-known hand of Judge Posner) affirming rejection of the subpoena.
While the opinion is interesting for any number of other reasons, I found Posner's reference to Internet privacy (or the lack thereof) as a reason particularly interesting:
This is hardly a typical case in which medical records get drawn into a lawsuit. Reflecting the fierce emotions that the long-running controversy over the morality and legality of abortion has made combustible, the Partial-Birth Abortion Ban Act and the litigation challenging its constitutionality -- and even more so the rash of suits around the country in which the Department of Justice has been seeking the hospital records of abortion patients -- have generated enormous publicity. These women must know that, and doubtless they are also aware that hostility to abortion has at times erupted into violence, including criminal obstruction of entry into abortion clinics, the firebombing of clinics, and the assassination of physicians who perform abortions. Some of these women will be afraid that when their redacted records are made a part of the trial record in New York, persons of their acquaintance, or skillful Googlers, sifting the information contained in the medical records concerning each patient's medical and sex history, will put two and two together, out the 45 women, and thereby expose them to threats, humiliation, and obloquy. As the court pointed out in Parkson v. Central DuPage Hospital, supra, 435 N.E.2d at 144, whether the patients' identities would remain confidential by the exclusion of their names and identifying numbers is questionable at best. The patients' admit and discharge summaries arguably contain histories of the patients' prior and present medical conditions, information that in the cumulative can make the possibility of recognition very high.
And check out this rather empathetic section:
Even if there were no possibility that a patient's identity might be learned from a redacted medical record, there would be an invasion of privacy. Imagine if nude pictures of a woman, uploaded to the Internet without her consent though without identifying her by name, were downloaded in a foreign country by people who will never meet her. She would still feel that her privacy had been invaded. The revelation of the intimate details contained in the record of a late-term abortion may inflict a similar wound.