Google Street View logs WiFi networks, MAC addresses

Google continues to make new friends, especially in Europe: the firm is catching heat while setting up its StreetView service in Germany.  Not for the conspicuous privacy concerns, but a slightly more surreptitious one: its StreetView vans, those modern-day equivalents of the ice-cream truck, apparently have been logging wireless networks and the MAC addresses of devices attached to them.  It’s basically WAR driving with corporate imprimatur.

Equally surprising is Google’s increasing tone-deafness about these sorts of privacy violations, especially in countries outside of the U.S.  It certainly adds grist for the mill in privacy cases like the recent one in Italy that resulted in criminal convictions for top Google executives.

The Germans’ response?  I think the phrase “data octopus” speaks for itself.

http://www.theregister.co.uk/2010/04/22/google_streetview_logs_wlans/

Florida Man Sued Over Negative eBay Review

Saw this article and thought it was a timely addition to our discussion on defamation. Apparently, a man bought a clock on eBay and received it as a broken mess with parts that didn’t seem to fit together, so he gave the seller a bad review. Now the seller filed a $15,000 defamation lawsuit because of the bad review.  It seems like an outrageous claim but are online customer reviews no longer a safe area to give honest feedback? If this case actually wins, are customers going to have to be afraid that Sears is going to sue them if they don’t like their merchandise or service and they publish their opinions online?

http://www.orlandosentinel.com/news/local/os-man-sued-over-ebay-review-20100411,0,4827887.story

Tagged.com

Did any of you ever get a message from Tagged.com?

I’ve deleted them all, but they went along the lines of: “your technologically un-savvy friend has given us her email password and we’ve helpfully spammed everyone in her address book with a message that she’s left a very personal message for you and that you should sign up at our site to find out what she said. And while you’re at it, please give us your email password as well so that we can continue this behavior with everyone in your address book as well?”

Due to this behavior, tagged.com now claims that they’re the 3rd largest social networking site in the US and worth $700 million.

Recently, several states have gone after them for deceptive business practices regarding this email spamming. New York and Texas went after the site last year, and San Francisco got in the fun as well – last week it was announced that tagged.com has agreed to a $650,000 settlement and will change their current practices. Well, they’ll still ask for your email password to send out spam, but they’ll be much more upfront about it! I guess it’s a start…

http://www.contracostatimes.com/news/ci_14874240

Cyber Bullies & Script Kiddies – Crime 2.0

By George Hayes, Ayush Khanna and Niranjan Krishnamurthi

Our readings describe two very different approaches to cyber crime. In the US v. Drew case, the implications of one being convicted for violating ToS was lost in the perceived connection between the crime that Drew was charged with and what actually transpired. On the other hand in the Universal Studios v. Reimerdes case, there is conflict between the Constitutional right of Free Speech and Fair Use and the use or distribution of tools to circumvent copyright protection. Lastly we briefly discuss the connections, exceptions and implications of current cyber crime law.

In United States of America v. Lori Drew the core issue of the case was whether or not violating the Terms of Service of a site like MySpace constitutes “fraud” under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. When this story broke in 2007 a clear narrative was described by the media that, in a way, obscured the true importance of what was being tried. The public was presented with a disturbing story of an older woman, and neighbor of 13-year-old Megan Meier, overseeing the creation of a false online identity that was used to deceive Meier. This online identity, “Josh Evans”, used multiple online services such as AOL Instant Messenger and MySpace to befriend Meier, find out whether she spread rumors about Drew’s daughter and then to end their friendship in a potentially hurtful way. This narrative is typified by Suburban Journals, a local news organization serving the greater St. Louis, Missouri area, which wrote an article about this story from the very personal viewpoint of the Meier family and received an outpouring of response from their community. Articles such as this create an incredibly biased view of the story, getting into details of Megan Meier’s struggle with depression, weight and friendship and how her relationship with “Josh Evans” potentially put her over the edge, causing her to commit suicide.

What Lori Drew was being charged with was not causing the death of Megan Meier, but instead with violating 18 U.S.C. § 1030 (a)(2)(c) and (c)(2)(b)(2) by violating MySpace’s terms of service by providing false information and then using this to intentionally inflict emotional distress upon a user. She violated the Terms of Service by providing a fake name, using this fake name to obtain information about a juvenile, and then by using the information they found to “torment” the juvenile. Drew was being charged with criminal charges but the implications of her being found guilty would have been far more significant than that of potentially reducing cyber bullying. As Judge Wu addresses on pages 29-30 of his opinion granting Drew’s motion for an acquittal, Megan Meier herself was also in violation of MySpace’s Terms of Service and therefore violating the same laws which Lori Drew was being convicted of. Judge Wu also describes the many ways in which people could potentially violate MySpace’s Terms of Service and questions whether they could be considered criminals.

What would it mean to be able to be charged criminally once you broke a Terms of Service agreement on websites such as MySpace, and more importantly would it be possible to regulate and enforce these rules if they were criminal? It’s easy to see what Lori Drew did was morally reprehensible; the jury foreman in her initial trial, Valentina Kunasz, told Wired Magazine on December 1st, 2008, “Trust me, I was so for this woman going away for 20 years. However, on the harsher felony charge, it was very hard to find her guilty on the specific [evidence] given to us.” Though what Lori Drew did may have seemed wrong, it is in our collective best interests not to be considered criminals for breaking Terms of Service and for companies like MySpace to be able to determine what it is we can and cannot do online.

The DMCA came into place in the United States as this country’s implementation of the World Intellectual Property Organization (WIPO) Copyright Treaty, but, as mentioned at chillingeffects.org, this implementation is “in a much stricter fashion than required, giving copyright owners broader protection than was intended in the international treaty.”

In the second case that we look at, Universal City Studios, Inc. v. Reimerdes, the defendant, Eric Corley, posted on 2600.com, a description, source code, object code and links to other sites where people could download the program DeCSS. Using the DMCA Section 1201, Universal Studios obtained injunctions to have the defendant remove any ability for people to access the said program.

From the case, we realize that one can be in violation of the DMCA Section 1201 if one provides access or traffics in copyright protection circumvention tools. This may not be a concern for the majority of people who do not produce, distribute or provide access to such tools. On the other hand, the average person should be concerned about the use of these tools, even if the end result of using them does not infringe on the rights of the copyright holder, as the DMCA Section 1201 makes circumvention prohibitions distinct from copyright infringement. Say, for example, you wanted to use DeCSS to make copies of legitimately purchased DVDs for your own personal use. Would you be violating the law for having the copies for your personal use? Most probably not, as this falls under the traditional concept of fair use. Unfortunately, you would be violating the law for using DeCSS. So, in reality, it’s OK to make copies of your DVDs for personal use but not OK to use a tool that facilitates you in doing so, unless it so happens that the tool falls under the exception of the DMCA Section 1201 (a)(1)(C).

Taking things a step further, even if the Librarian of Congress, under the DMCA Section 1201 (a)(1)(C), allows for the use of such circumvention tools, nothing is set in place in the DMCA to protect the development or distribution of such tools. An example of this is the use of the DMCA by cellphone service providers to sue people who purchased or unlocked their cellphones until an exemption was won. However, as mentioned in Wired Magazine, “The problem is that the exemption protects unlockers, but it doesn’t apply to those entities that distribute unlocking tools or provide unlocking services to others. Even when the Copyright Office grants exemptions for non-infringing or fair uses, customers usually still suffer because in most cases, including unlocking, only the small number of persons who have the technical know-how to circumvent can do so.”

Copyright holders are entitled to enjoy the exclusive rights to distribute their protected materials for economic gain but enforcement of the DMCA can have negative impact on the fair use of access control measures. In his ruling on Universal City Studios, Inc. v. Reimerdes, District Judge Lewis A. Kaplan addresses this conflict by stating “.. they (the defendants) have raised a legitimate concern about the possible impact on traditional fair use of access control measures in the digital era. Each side is entitled to its views. In our society, however, clashes of competing interests like this are resolved by Congress. For now, at least, Congress has resolved this clash in the DMCA and in plaintiffs’ favor. Given the peculiar characteristics of computer programs for circumventing encryption and other access control measures, the DMCA as applied to posting and linking here does not contravene the First Amendment.”

One of the biggest concerns we see going forward is how well equipped these laws are to understand an increasingly open, participative web. Let’s take this example, for instance: “Script Kiddies” started unlocking iPhones to enable use on other telephone networks. Of course, AT&T chose to sue these people. Their rationale? The DMCA’s anti-circumvention clause prevents you from circumventing locks in place in order to gain access to copyrighted works. The intended use, however, was limited to protecting copyrighted works of music and movie artists. Eventually, the hackers won: an exception was granted in case the purpose was “lawfully connecting to a wireless telecommunication network”. It can also be argued that the US v. Drew case was significant here: the Apple/AT&T ToS violation would otherwise have been the plaintiff’s next course of action. There is a catch here though: what about people who sell/distribute this software? It could be said that their “purpose” is entirely different: profit. Where does the law stand on that? There is no convincing answer.

Another interesting scenario arises from the Boardfirst v. Southwest case mentioned in the US v. Drew opinion. Boardfirst was allowing Southwest passengers to check in to particular seats of their choice, for commercial gain. The court ruled against Boardfirst on count of violation of Southwest’s Terms of Service, which stated that the data on their site could not be used for commercial gain. What are the implications of this decision in today’s scenario? We have a plethora of social media tools, each with their own utilities. There is also a fair degree of overlap – You Tweet your Foursquare update via your Facebook account. Can a user be held liable for inadvertently violating the Terms of Service in this maze? The problem is only worsened when we consider how often these ToS evolve. Another parallel from the Boardfirst case: the Southwest flight information was essentially public data, just like much social network data. Can access to such information be “unauthorized”? The broadness – and resulting vagueness – of the CFAA was the focal point of the discussion of the US v. Drew case, and this will perhaps be indicative of further tensions between what a user does online and what is considered a crime.

Of Texting and Tiger Woods

Last week’s issue of Time Magazine (yes, I read the paper copy) ran an article about a relatively new smartphone application called TigerText which allows the sender to specify an amount of time (between one and five minutes) after which the message is erased from the sender’s phone, the receiver’s phone, and supposedly all servers in between, according to the company.  Time writes that the app is named for Tiger Woods (zing!), and would have also been oh so helpful for our poor Mr. Quon whom we read about this week.

This app made me wonder if the paradigm for law enforcement by collecting text message evidence might now be forced to change to something similar to phone tapping, including getting a “super warrant” first.  Does anyone know if it’s even possible to strip text messages off servers in transit?  It seems like it might be tricky given the relatively arbitrary routing nature of data packets.

The Quon Case Goes to the Show

Looks like my NPR addiction will keep me informed: http://www.npr.org/templates/story/story.php?storyId=125998549

300 Years of the Statute of Anne

Interesting background on the precursor to copyright, how intent has evolved over the years, and why we’re protecting the interests of someone decades after they’ve died: http://www.onthemedia.org/transcripts/2010/04/09/05

Privacy, Surveillance and the Government

By Dan Byler and Amy Haas

“Freedom of opinion and expression is a human right and a guarantor of human dignity… Privacy is a human right and guarantor of human dignity.” These words, from the Global Network Initiative, reflect a belief that cuts to the heart of modernity: humans have the right to freedom from unwarranted meddling. Privacy and freedom of expression are merely two sides of the same issue.

As we have read, the primary legal purpose of copyright law is to promote creative expression. In the case of free expression and privacy, a similar dynamic holds: privacy promotes freedom of expression. Consider, for instance, how your behavior would change if you knew you were the protagonist in The Truman Show or 1984. But privacy is far more than a means to the end of free expression. If this was the case, privacy would merely occupy a place in US legal code, not the Bill of Rights. In fact, privacy is a thing to be valued even if it did not promote freedom of expression.

Privacy rights have a long history in the United States, starting with the Bill of Rights, where the principle of privacy is implied in the Fourth Amendment. When courts assess Fourth Amendment claims, there is an emphasis on determining the “reasonableness” of search and seizure, and whether or not an individual’s “reasonable expectation of privacy” has been violated. Given that establishing boundaries for privacy in the physical world is complex, it is even more difficult for courts to offer strong privacy protections for the online environment. Under current Fourth Amendment doctrine, there is still considerable uncertainty whether Internet users can or should retain a “reasonable expectation of privacy” concerning information sent to network providers, especially with regard to stored e-mails.

The Fourth Amendment does not protect information revealed to third parties; therefore, an area of debate exists over whether or not files stored by ISPs should have Fourth Amendment protection if, in fact, ISPs act as third parties on behalf of Internet users. Adding to the complexity of the issue is the fact that most ISPs are private commercial service providers, not government entities. As a result, even if it were perfectly clear that the Fourth Amendment does protect files stored by ISPs, the ISPs (when not acting as agents for the government) can freely access all of the files stored on their servers under the private search doctrine and can then disclose them to the government without violating the Fourth Amendment.

Past Supreme Court cases have held that while the government’s placement of an electronic listening device in a public phone booth violated the Fourth Amendment (Katz v. United States, 389 U.S. 347, 1967), the government’s use of a pen register did not (Smith v. Maryland, 442 U.S. 735, 742, 1979). Both are forms of surveillance but as with written communication, the difference lies in the expectations of the  sender/receiver – one would expect that a third party would need to know the “to/from” information in order to route a message; whereas, the third party would not need to know the contents of the message to do so.

The case of Quon v. Arch Wireless exemplifies the ambiguities with which modern privacy regulation is fraught. In this case, the plaintiff alleged that he had a reasonable expectation of privacy regarding the contents of his text messages based on his supervisor’s informal policy, regardless of the fact that his pager was property of the police department, he had signed an employee agreement acknowledging the City of Ontario’s “Computer Usage, Internet and E-mail” policy, and had attended a meeting which expressly informed all present that pager messages were considered “public information and eligible for auditing.”  A case that seemed straight-forward in the beginning turned into a very complicated issue of determining whether Arch Wireless was acting as a Remote Computing Service (RCS) or an Electronic Communication Service (ECS). A classification of RCS would release Arch Wireless from liability; however, if Arch Wireless was considered an ECS, they would be held liable under the Stored Communications Act. The case teetered on being a semantic argument that could go either way but ultimately, Arch was determined to be an ECS based on Theofel v. Farey-Jones, 359 F. 3d 1066, 1070, 2004.

We see in the readings two forms of response to the legal ambiguities surrounding privacy legislation. On the one hand, the Global Network Initiative calls for the coordinated actions of member businesses to uphold the privacy and freedom of expression in their dealings with governments and business partners. Digital Due Process takes another approach, calling for the simplification and clarification of legal standards regarding privacy laws. (Consider, for example, the absurd legal distinctions that put “read” vs “unread” emails in distinct legal categories for the purposes of surveillance, or which render files stored in a cloud computing arrangement less protected than those which reside on one’s computer. What, for instance, is a business traveler to do: keep files on his or her laptop, subjecting it to search at any U.S. port of entry, or keep it in secure cloud services, subjecting it to possible warrantless search?)

Despite the clear synergy between privacy and freedom of expression, the two needs are also at odds. For instance, one could achieve near-complete privacy by forfeiting all personal expression. (This is known as being a hermit, by the way.) At the other extreme, extreme self-expression is a form of self-disclosure—a tacit relinquishment of certain privacies. What is certain is that we feel that the right to self-expression, self-disclosure, and privacy are our rights—not privileges bestowed on us by our government, employer, or family. In general, U.S. laws attempt to balance the privacy rights of individuals against the law enforcement needs of government. Where applicable, considerations are made for third parties involved in the exchange of personal information, such as mobile service providers.

One interesting battleground for these tensions is Burning Man, an annual arts festival held in Nevada’s Black Rock desert. The festival maintains a reputation for fostering unfettered free expression, but came under fire by the Electronic Frontier Foundation last year for its draconian photography policy, which states “I understand that I have no rights to make any non-personal use of any image, film, or video footage obtained at the event, and that I cannot sell, transfer, or give the footage or completed film or video to any other party, except for personal use, and I agree to inform anyone to whom I give any footage, film, or video that it can only be used for personal use.” Yet Burning Man insists that this legal strong-arming is in defense of its participants: “There are but two essential reasons we maintain these increased controls on behalf of our community: to protect our participants so that images that violate their privacy are not displayed, and to prevent companies from using Burning Man to sell products”. Paradoxically, it seems the only way to protect the free expression of Burning Man participants is to protect their privacy—by limiting the free expression of Burning Man photographers. Is there a middle ground?

Reasonable security?

During our class discussion, many raised the issue that the language in the FTC v. TJX agreement and the California law on security are pretty vague. How can a company determine what are “reasonable and appropriate security measures to protect specified personal information of California residents”? Do they always have to hire a consultant? What happens when the technology of today is going to be obsolete tomorrow?

Organizations such as the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) developed a set of guidance materials for IT governance that may help companies understand what is reasonable and appropriate from the perspective of the industry. Just as Deirdre pointed out in class, this looks like an effort by the industry to self-regulate to prevent the government from coming up with legislation about it.

Nevertheless, the COBIT framework provides companies with a set of guidelines to follow and a set of metrics to measure against. Although it is not as visible and transparent as the emissions parameter, it may become a differentiator and consumers may start pushing companies to implement standards such as COBIT or ISO/IEC 27002.

ISPs Gain Ground In “Tussle”

Comcast: 1, FCC: 0.  The U.S. Court of Appeals (D.C. circuit) handed down a ruling today that looks like a serious blow to net neutrality:

A federal appeals court ruled on Tuesday that regulators had limited power over Web traffic under current law. The decision will allow Internet service companies to block or slow specific sites and charge video sites like YouTube to deliver their content faster to users.

In addition to narrowly granting Comcast the right to arbitrarily tweak throughput for different types of traffic (such as BitTorrent), this decision has implications for the Obama administration’s plans to increase broadband access, as well as a potential chilling effect on innovation itself: what happens to adoption of the next Google, Facebook, or Twitter when a network provider decides to crank the spigot down?
