Category: Cyberlaw

0

China, the Internet, and Sovereignty

China’s World Internet Conference is, according to its organizers, about:

“An Interconnected World Shared and Governed by All—Building a Cyberspace Community of Shared Destiny”. This year’s Conference will further facilitate strategic-level discussions on global Internet governance, cyber security, the Internet industry as the engine of economic growth and social development, technological innovation and philosophy of the Internet. It is expected that 1200 leading figures from governments, international organizations, enterprises, science & technology communities, and civil societies all around the world will participate the Conference.

As the Economist points out, “The grand title is misleading: the gathering will not celebrate the joys of a borderless internet but promote “internet sovereignty”, a web made up of sovereign fiefs, gagged by official censors. Political leaders attending are from such bastions of freedom as Russia, Pakistan, Kazakhstan, Kyrgyzstan and Tajikistan.”

One of the great things about being at GA Tech is the community of scholars from a wide range of backgrounds. This year colleagues in Public Policy hired Milton Mueller, a leader in telecommunication and Internet policy. I have known his work for some time, but it has been great getting to hang out and talk with Milton. Not surprising, but Milton has a take on the idea of sovereignty and the Internet. I can’t share it, as it is in the works. But as a teaser, keep your eye out for it.

As a general matter, it seems to me that sovereignty will be a keyword in coming Internet governance debates across all sectors. Whether the term works from a political science perspective or others should be interesting. Thinking of jurisdiction, privacy, surveillance, telecommunication, cyberwar, and intellectual property, I can see sovereignty being asserted, perverted, and converted to serve a range of interests. Revisiting the core international relations theories to be clear about what sovereignty is and should be seems a good project for a law scholar or student as these areas evolve.

Law’s Nostradamus

The ABA Journal “Legal Rebels” page has promoted Richard Susskind’s work (predicting the future automation of much of what lawyers do) as “required reading.” It is a disruptive take on the legal profession. But disruption has been having a tough time as a theory lately. So I was unsurprised to find this review, by a former General Counsel of DuPont Canada Inc., of Susskind’s The End of Lawyers?:

Susskind perceives a lot of routine in the practice of law . . . which he predicts will gradually become the domain of non-professional or quasi-professional workers. In this respect his prediction is about two or three decades too late. No substantial law firm, full service or boutique, can survive without a staff of skilled paralegal specialists and the trend in this direction has been ongoing since IT was little more than a typewriter and a Gestetner duplicating machine. . . .

Law is not practiced in a vacuum. It is not merely a profession devoted to preparing standard forms or completing blanks in precedents. And though he pays lip service to the phenomenon, there is little appreciation of the huge volume of indecipherable legislation and regulation that is promulgated every day of every week of the year. His proposal to deal with this through regular PDA alerts is absurd. . . . In light of this, if anything in Susskind’s thesis can be given short shrift it is his prognostication that demand for “bespoke” or customized services will be in secular decline. Given modern trends in legislative and regulatory drafting, in particular the use of “creative ambiguity” as it’s been called, demand for custom services will only increase.

Nevertheless, I predict Susskind’s work on The Future of the Professions will get a similarly warm reception from “Legal Rebels.” The narrative of lawyers’ obsolescence is just too tempting for those who want to pay attorneys less, reduce their professional independence from the demands of capital, or simply replace legal regulation of certain activities with automated controls.

However, even quite futuristic academics are not on board with the Susskindite singularitarianism of robo-lawyering via software Solons. The more interesting conversations about automation and the professions will focus on bringing accountability to oft-opaque algorithmic processes. Let’s hope that the professions can maintain some autonomy from capital to continue those conversations–rather than guaranteeing their obsolescence as ever more obeisant cogs in profit-maximizing machines.

 

0

How CalECPA Improves on its Federal Namesake

Last week, Governor Brown signed the landmark California Electronic Communications Privacy Act[1] (CalECPA) into law and updated California privacy law for modern communications. Compared to ECPA, CalECPA requires warrants, which are more restricted, for more investigations; provides more notice to targets; and furnishes as a remedy both court-ordered data deletion and statutory suppression.  Moreover, CalECPA’s approach is comprehensive and uniform, eschewing the often irrational distinctions that have made ECPA one of the most confusing and under-protective privacy statutes in the Internet era.

Extended Scope, Enhanced Protections, and Simplified Provisions

CalECPA regulates investigative methods that ECPA did not anticipate. Under CalECPA, government entities in California must obtain a warrant based on probable cause before they may access electronic communications contents and metadata from service providers or from devices.  ECPA makes no mention of device-stored data, even though law enforcement agents increasingly use StingRays to obtain information directly from cell phones. CalECPA subjects such techniques to its warrant requirement. While the Supreme Court’s recent decision in United States v. Riley required that agents either obtain a warrant or rely on an exception to the warrant requirement to search a cell phone incident to arrest, CalECPA requires a warrant for physical access to any device, not just a cell phone, which “stores, generates, or transmits electronic information in electronic form.” CalECPA clearly defines the exceptions to the warrant requirement by specifying what counts as an emergency, who can give consent to the search of a device, and related questions.

ECPA’s 1986-drafted text only arguably covers the compelled disclosure of location data stored by a service provider, and does not clearly require a warrant for such investigations. CalECPA explicitly includes location data in the “electronic communication information” that is subject to the warrant requirement when a government entity accesses it from either a device or a service provider (broadly defined).  ECPA makes no mention of location data gathered in real-time or prospectively, but CalECPA requires a warrant both for those investigations and for stored data investigations. Whenever a government entity compels the “the production of or access to” location information, including GPS data, from a service provider or from a device, CalECPA requires a warrant.

Read More

0

Making Contracts on Kickstarter

11111In 2013, Chapman Ducote, a professional race car driver, and his wife, Kristin Ducote, had an idea for a new book about the world of professional motor sports, to be called Naked Paddock. Rather than the traditional route through book publishing—hiring an agent, seeking a publisher to pay an advance, and having the house handle the rest—they opted for a new approach of crowd-funding and self-publishing.

Crowd-funding refers to project financing generated from among the general public, usually facilitated by an internet-based service designed to match money to ideas. Creators post project proposals on the site and invite backers to buy the product in advance or stake funds in exchange for bonus mementos or voice in production. Proposals state the total amount sought to be raised and the deadline. If the goal is not reached on time, no funds change hands. But otherwise a deal is made: the facilitating site has enabled backers and creators to form a bargain.

Facilitators, such as Kickstarter, present on their web sites “terms of use” that all creators and backers must agree to in order to access the site. Such terms of use include standards designed to promote the commercial efficacy of the site. Kickstarter is where Chapman and Kristin Ducote hatched their book idea, posting their project and thus manifesting their assent to the terms of use.

The couple launched heavy promotional efforts, which included an appearance on a reality TV show—a spin-off of  But within a week, Kickstarer took it down because it violated its rules. The Ducotes sued for breach of contract, saying Kickstarter had no basis to remove the project. But they soon withdrew the suit acknowledging that they had made a contract with Kickstarter to abide by it rules yet failed to do so.

Kickstarter therefore had the right to remove the project.  While neither side disclosed publicly what rules were broken, they revealed that Kickstarrter acted in response to complaints from other users. Among likely violations were rules restricting what creators can do to promote projects—creators may not spam, use link-bomb forums, or promote on other Kickstarter project pages.

Terms of use flourish on the internet, where web site builders use them to define business models and a sense of community norms. While the means of assent vary from traditional means—clicking at prompts rather than signing a form—they have similar purposes, efficacy and limits.  While the traditional rules of contract formation fit the creator-facilitator relationship well, they require adaptation, at least conceptually, when considering other pairs of relationships in crowd-funding.

Consider that between backers and facilitators. On the surface, it may seem that the facilitator has agreed to provide a service to the backer, such as assuring product delivery and quality. But the sites disclaim such a traditional contractual relation, instead establishing the facilitator as a pure middleman without duties.   The Kicktarter terms of use state, for example: “The creator is solely responsible for fulfilling the promises made in their project.” Kickstarter’s terms of use declare that “Kickstarter doesn’t evaluate a project’s claims, resolve disputes, or offer refunds—backers decide what’s worth funding and what’s not.” The facilitator disclaims any duty to backers concerning product delivery, quality, warranties, or refunds. Read More

Privacy Security Novels 02
1

5 Great Novels About Privacy and Security

I am a lover of literature (I teach a class in law and literature), and I also love privacy and security, so I thought I’d list some of my favorite novels about privacy and security.

I’m also trying to compile a more comprehensive list of literary works about privacy and security, and I welcome your suggestions.

Without further ado, my list:

Franz Kafka, The Trial

Kafka’s The Trial begins with a man being arrested but not told why. In typical Kafka fashion, the novel begins badly for the protagonist . . . and then it gets worse! A clandestine court system has compiled a dossier about him and officials are making decisions about him, but he is left in the dark. This is akin to how Big Data can operate today. The Trial captures the sense of helplessness, frustration, and powerlessness when large institutions with inscrutable purposes use personal data and deny people the right to participate. I wrote more extensively about how Kafka is an apt metaphor for privacy in our times in a book called The Digital Person about 10 years ago.

Franz Kafka The Trial

 

Read More

0

FAN 53.1 (First Amendment News) U. Maryland Law to Host Conference: “The Impact of the First Amendment on American Business”

e5eb96fc377fcf9f7e18eb56d245dca1The 2015 Symposium (March 27th), “The Impact of the First Amendment on American Businesses,” will facilitate a discussion on the effects and consequences of First Amendment jurisprudence on businesses. The symposium will specifically cover the areas of commercial speech, religious exemptions for businesses, and rights of businesses to use technology appropriately. This event will be located at University of Maryland Francis King Carey School of Law, and is open to anyone interested in attending, including students, lawyers, and scholars.

Welcome and Introductory Remarks
Dean Donald TobinUniversity of Maryland Francis King Carey School of Law

Keynote Speaker 1
Travis LeBlanc, Federal Communications Commission

Panel 1: First Amendment and Commercial Speech Relating to Health

Jane Bambauer, University of Arizona School of Law
Adam Candeub, Michigan State University College of Law
Stephanie Greene, Boston College & Greene LLP
Kathleen Hoke, University of Maryland Francis King Carey School of Law
Wendy Wagner, University of Texas at Austin School of Law

Panel 2: First Amendment and Technology

Hillary Greene,  University of Connecticut School of Law
James Grimmelmann, University of Maryland Francis King Carey School of Law
Glenn Kaleta, Microsoft Corporation
Renee Knake, Michigan State University College of Law
Neil Richards, Washington University School of Law
Felix Wu, Yeshiva University Benjamin N. Cardozo School of Law

Panel 3: Religious Exemptions for Corporations

Caroline Corbin, University of Miami School of Law
Michelle Harner, University of Maryland Francis King Carey School of Law
Louise Melling, American Civil Liberties Union
Jennifer Taub, Vermont Law School
Nelson Tebbe, Brooklyn Law School

Keynote Speaker 2

Tamara PietyUniversity of Tulsa School of Law

Closing Remarks

Danielle CitronUniversity of Maryland Francis King Carey School of Law

For additional information, please contact Joella Roland, Executive Symposium & Manuscripts Editor, via email at JoellaRoland@UMaryland.edu.

ht: Neil Richards 

0

Hello Stigler: Google Trusted Stores, Amazon, and Price Discrimination

Hello, Stigler. Matchmaking and advertising are Google’s forte. It has upped its game. Never to leave things as they are, Google has been rolling out a trusted vendor system. I noticed the service for a company that I cannot recall. Not a good sign for the company, but then again I don’t notice Amazon third parties either. If Google can use algorithms and other options such as requiring applications by vendors to be part of a trusted network of retailers, that change could be huge. There are, however, some issues.

First, Amazon should keep an eye on this program as it might be the first one to challenge Amazon’s excellent third party system. For that to be a true threat, Google will have to find a way to protect customers. Amazon has been great, in my experience, when it comes to protecting me while I deal with sellers far away and sometimes dubious. It does not give away my credit card etc. So if a lemon is in play, Amazon covers me. I assume it takes a fee for being the broker. Google customer service may have to evolve, if it is to match Amazon. A series of online, automated loops that end up hitting walls will make me stay with Amazon. But as Google gets better at identifying good sellers and protecting consumers, the service may work well. In addition, the play should feed into Google’s foray into ecommerce. Again if it can aid in delivery and resolve poor third party service, Google could do quite well in this space.

Second, will search results be influenced by participation in the program? On the one hand, I’d love results that lead to better sellers. Heck if Amazon or eBay ratings figured into Google results and improved knowing whether an ad or listed result was trust-worthy, that’d be great. Then again, right or wrong, I expect Google watchers/haters/worriers will argue that Google has promoted results unfairly. As long as a company can go through certification, it seems that argument should fail. I imagine Amazon, eBay, and others require some level of clearance to be in their system. Regardless of purveyor, it seems systems that are relatively low-cost (or maybe free except for time to fill out forms) to join and then are monitored should be embraced. In other words, Yelp etc. are near useless to me. Crowds are not as smart as folks think. As the great agent Kay in Men in Black said, “A person is smart. People are dumb, panicky dangerous animals and you know it.” More ways to improve how each of us, separately, evaluates options would be welcome, and plays to the way we each are capable of being smart. Options that limit us and feed echoes of dubious sources, behaviors, and beliefs, I’d like to avoid.

So we’ll see whether Google can one-up Amazon in connecting buyers and sellers. If so, I may buy more LPs and who knows what from folks I will never meet. And prices should be more competitive. Of course, that will be so until Christmas hits. Then as happened this year, prices may go up. But hey, Amazon listed the MSRP and connected me to a retailer whose markup combined with Amazon shipping worked for a gift to my niece. That was great. Wait, did I just agree with perfect price discrimination?!!? Damn, you Goog! and Amazon! Or is that Happy Holidays! I got what I wanted without fighting through stores.

FTC 01
1

Should the FTC Be Regulating Privacy and Data Security?

This post was co-authored with Professor Woodrow Hartzog.

This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?

This is a question that has recently been posed in the privacy and data security arenas, where the FTC has been involved since the late 1990s. Today, the FTC is the most active federal agency enforcing privacy and data security, and it has the broadest reach. Its fingers seem to be everywhere, in all industries, even those regulated by other agencies, such as in the AT&T case. Is the FTC going too far? Is it even the FTC’s role to police privacy and data security?

The Fount of FTC Authority

The FTC’s source of authority for privacy and data security comes from some specific statutes that give the FTC regulatory power. Examples include the Children’s Online Privacy Protection Act (COPPA) where the FTC regulates online websites collecting data about children under 13 and the Gramm-Leach-Bliley Act (GLBA) which governs financial institutions.

But the biggest source of the FTC’s authority comes from Section 5 of the FTC Act, where the FTC can regulate “unfair or deceptive acts or practices in or affecting commerce.” This is how the FTC has achieved its dominant position.

Enter the Drama

Until recently, the FTC built its privacy and security platform with little pushback. All of the complaints brought by the FTC for unfair data security practices quickly settled. However, recently, two companies have put on their armor, drawn their swords, and raised the battle cry. Wyndham Hotels and LabMD have challenged the FTC’s authority to regulate data security. These are more than just case-specific challenges that the FTC got the facts wrong or that the FTC is wrong about certain data security practices. Instead, these challenges go to whether the FTC should be regulating data security under Section 5 in the first place. And the logic of these challenges could also potentially extend to privacy as well.

The first dispute involving Wyndham Hotels has already resulted in a district court opinion affirming the FTC’s data protection jurisprudence. The second dispute over FTC regulatory authority involving LabMD is awaiting trial.

In the LabMD case, LabMD is contending that the U.S. Department of Health and Human Services (HHS) — not the FTC — has the authority to regulate data security practices affecting patient data regulated by HIPAA.

With Wyndham, and especially LabMD, the drama surrounding the FTC’s activities in data protection has gone from 2 to 11. The LabMD case has involved the probable shuttering of business, a controversial commissioner recusal, a defamation lawsuit, a House Oversight committee investigation into the FTC’s actions, and an entire book written by the LabMD’s CEO chronicling his view of the conflict. And the case hasn’t even been tried yet!

The FTC Becomes a Centenarian

And so, it couldn’t be more appropriate that this year, the FTC celebrates its 100th birthday.

To commemorate the event, the George Washington Law Review is hosting a symposium titled “The FTC at 100: Centennial Commemorations and Proposals for Progress,” which will be held on Saturday, November 8, 2014, in Washington, DC.

The lineup for this event is really terrific, including U.S. Supreme Court Justice Steven Breyer, FTC Chairwoman Edith Ramirez, FTC Commissioner Joshua Wright, FTC Commissioner Maureen Ohlhausen, as well as many former FTC officials.

FTC 03 GW

Some of the participating professors include Richard Pierce, William Kovacic, David Vladeck, Howard Beales, Timothy Muris, and Tim Wu, just to name a few.

At the event, we will be presenting our forthcoming article:

The Scope and Potential of FTC Data Protection
83 George Washington Law Review (forthcoming 2015)

So Is the FTC Overreaching?

Short answer: No. In our paper, The Scope and Potential of FTC Data Protection, we argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but it also has the authority to expand its reach much more. Here are some of our key points:

* The FTC has a lot of power. Congress gave the FTC very broad and general regulatory authority by design to allow for a more nimble and evolutionary approach to the regulation of consumer protection.

* Overlap in agency authority is inevitable. The FTC’s regulation of data protection will inevitably overlap with other agencies and state law given the very broad jurisdiction in Section 5, which spans nearly all industries. If the FTC’s Section 5 power were to stop at any overlapping regulatory domain, the result would be a confusing, contentious, and unworkable regulatory system with boundaries constantly in dispute.

* The FTC’s use of a “reasonable” standard for data security is quite reasonable. Critics of the FTC have attacked its data security jurisprudence as being too vague and open-ended; the FTC should create a specific list of requirements. However, there is a benefit to mandating reasonable data security instead of a specific, itemized checklist. When determining what is reasonable, the FTC has often looked to industry standards. Such an approach allows for greater flexibility in the face of technological change than a set of rigid rules.

* The FTC performs an essential role in US data protection. The FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced. The FTC’s regulation of data protection gives the U.S. system of privacy law needed legitimacy and heft. Without the FTC’s data protection enforcement authority, the E.U. Safe Harbor agreement and other arrangements that govern the international exchange of personal information would be in jeopardy. The FTC can also harmonize discordant privacy-related laws and obviate the need for new laws.

* Contrary to the critics, the FTC has used its powers very conservatively. Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. The FTC should push the development of the norms a little more (though not in an extreme or aggressive way).

* The FTC can and should expand its enforcement, and there are areas in need of improvement. The FTC now sits atop an impressive body of jurisprudence. We applaud its efforts and believe it can and should do even more. But as it grows into this role of being the data protection authority for the United States, some gaps in its power need to be addressed and it can improve its processes and transparency.

The FTC currently plays the role as the primary regulator of privacy and data security in the United States. It reached this position in part because Congress never enacted comprehensive privacy regulation and because some kind of regulator was greatly needed to fill the void. The FTC has done a lot so far, and we believe it can and should do more.

If you want more detail, please see our paper, The Scope and Potential of FTC Data Protection. And with all the drama about the FTC these days, please contact us if you want to option the movie rights.

Cross-posted on LinkedIn

1

CUT THE CORD!! HBO without Cable

O frabjous day! Callooh! Callay! It is about time! HBO has announced it will offer a streaming service in 2015. Earlier claims about the need for cable to market and to work with the cable industry seem to have fallen away. The claim is that there are 80 million homes that do not have HBO, and HBO wants to fix that. Can you say Netflix? Netflix subscriber numbers were flat today. Still, if HBO goes over the wall, I imagine that Showtime and others will too. So I may just succeed in cutting the cable. Atlanta has decent digital signals (though there should be more). The most interesting thing to watch: ESPN’s next move. It has a hold on cable a Brazilian jiujitsu master would respect. But if ESPN decides to go with a direct pay model, it could pick up many new viewers, especially the ones who are used to watching the special college version of ESPN they have for free while at some schools.

These markets may also be quite different. Some may prefer the ease of watching the pre-programed madness that is cable. Heck, if I am channel surfing and see that Ocean’s Eleven is on TNT, I will watch with commercials even though I own the blasted DVD. Oh yes, laugh. Because you know that you do it too. May not be Ocean’s but fill in the blank with Bridget Jones or whatever floats your boat; there is something oddly comforting or easy about finding a program in a guide and selecting it. It seems like a low-grade information overload problem. Rather than reaching for the DVD or searching Netflix or Amazon, having someone else narrow the options tips us into odd choices like watching that same movie for the umpteenth time with God help me commercials!

In any event, I hope the HBO experiment works. I know unbundling may threaten many offerings. But the current costs of cable are absurd and the best content is on just a few channels. I don’t think the new golden age of T.V. will suffer in this new world. It could grow as more people are reached with niche shows (that is how I see things like Breaking Bad and other winners that don’t need huge viewership to succeed). Subscriber shows should be a real thing soon. As I said before, Firefly could have been saved today, because enough viewers would likely have fronted the costs to get a 10-13 episode season. Add in many have the patience to just buy the series and binge, or stream on Netflix or Amazon or HBO, and maybe shorting cable companies is smart.

T
0

The U.S. Supreme Court’s 4th Amendment and Cell Phone Case and Its Implications for the Third Party Doctrine

Today, the U.S. Supreme Court handed down a decision on two cases involving the police searching cell phones incident to arrest. The Court held 9-0 in an opinion written by Chief Justice Roberts that the Fourth Amendment requires a warrant to search a cell phone even after a person is placed under arrest.

The two cases are Riley v. California and United States v. Wurie, and they are decided in the same opinion with the title Riley v. California. The Court must have chosen toname the case after Riley to make things hard for criminal procedure experts, as there is a famous Fourth Amendment case called Florida v. Riley, 488 U,S, 445 (1989), which will now create confusion whenever someone refers to the “Riley case.”

Fourth Amendment Warrants

As a general rule, the government must obtain a warrant before engaging in a search. A warrant is an authorization by an independent judge or magistrate that is given to law enforcement officials after they properly justify their reason for conducting the search. There must be probable cause to search — a reasonable belief that the search will turn up evidence of a crime. The warrant requirement is one of the key protections of privacy because it ensures that the police just can’t search on a whim or a hunch. They must have a justified basis to search, and that must be proven before an independent decisionmaker (the judge or magistrate).

The Search Incident to Arrest Exception

But there are dozens of exceptions where government officials don’t need a warrant to conduct a search. One of these exceptions is a search incident to arrest. This exception allows police officers to search property on or near a person who has been arrested. In Chimel v. California, 395 U.S. 752 (1969), the Supreme Court held that the police could search the area near an arrestee’s immediate control. The rationale was that waiting to get a warrant might put police officers in danger in the event arrestees had hidden dangerous items hidden on them or that arrestees would have time to destroy evidence. In United States v. Robinson, 414 U.S. 218 (1973), the Court held that there doesn’t need to be identifiable danger in any specific case in order to justify searches incident to arrest. Police can just engage in such a search as a categorical rule.

What About Searching Cell Phones Incident to Arrest?

In today’s Riley case, the Court examined whether the police are allowed to search data on a cell phone incident to arrest without first obtaining a warrant. The Court held that cell phone searches should be treated differently from typical searches incident to arrest because cell phones contain so much data and present a greater invasion of privacy than more limited searches for physical objects: “Cell phones, however, place vast quantities of personal information literally in the hands of individuals. A search of the information on a cell phone bears little resemblance to the type of brief physical search considered in Robinson.”

Read More