At Blurry Edge Strategies, we spend a lot of time watching (and
often participating in) significant developments at the intersection of
technology and the law. And as the new year begins, it’s already
clear that we’re facing an exciting and tumultuous 12 months ahead.
Federal regulators – notably the FTC – are telegraphing a
reinvigorated interest in Internet privacy matters; after last year’s
SOPA debacle, lawmakers are primed to take another swing at copyright
enforcement legislation; and social networking giants are wading deep
into international privacy compliance issues, with mixed results.
That’s all ahead. To close out 2012, we’ve compiled for you a guide to
twelve of the most important developments of the last year. We hope you
find it useful.
Principal, Blurry Edge Strategies
- The Internet fought back against SOPA/PIPA: When Congress proposed SOPA and PIPA, bills whose overreach in the name of copyright protection would have stifled innovation and online speech, Internet users and influential websites responded with unprecedented, concerted zeal. This response culminated in a mass online blackout, with sites as large as Reddit and Wikipedia going dark to protest the legislation. Millions of users contacted their representatives to oppose the bills. While legislative ideas like SOPA and PIPA haven’t disappeared completely, last year’s response made it clear to Congress that users and Internet companies are willing to fight.
- Do Not Track: Do Not Track, the long-running consumer privacy project aimed at allowing users to tell websites not to track them, has not had the smoothest year. Leadership changes and uncooperative ad industry partners have made the project’s future unpredictable. However, DNT has shown no signs of stopping, either, and the government’s increasing scrutiny of companies that traffic in consumer data (see the FTC’s investigation of data brokers and updating of COPPA) means that the ad industry needs to find a way to self-regulate effectively if it wants to avoid even stricter rules from the government. DNT might still be that solution.
- Smart Grid privacy concerns started reaching consumers (and businesses): Last year, the California Public Utilities Commission began to draft and propagate new rules on smart grid privacy, including short-form notice and consent forms that could govern the way consumers share data with new smart grid-oriented businesses. Meanwhile, the Ninth Circuit held in Golden Valley that while administrative subpoenas can be easily obtained for things like energy records, businesses that make explicit, detailed promises to keep data confidential might have a better chance in defending against government attempts to get users’ data without a warrant. These developments suggest that even though smart grid data policies are still in development, businesses now know enough about them to make a stand for their users.
- More data, more FTC investigations: The FTC recently ordered nine data brokerage companies, which collect and aggregate information about millions of consumers, to explain what they do with their stores of user data. Much of what these brokers do is currently unregulated: they are not necessarily required to allow consumers to access or correct data about them, or to opt out of data collection altogether. Further, it is not entirely clear whether the data these brokers collect renders them subject to existing regulations like the Fair Credit Reporting Act. While data brokers can provide useful services to consumers and businesses, it looks like those services are due for more rules and regulations in the future.
- Facebook changes its privacy rules (and everyone watches): Late last year, Facebook and its new acquisition Instagram both changed their privacy policies and terms of service. The public responded, annoyed at Facebook’s removal of its voting system and Instagram’s broad new advertising rules. Since then, Instagram has walked back its changes and Facebook has scrambled to respond to both companies’ critics. The lesson seems to be that more users — and competitors, regulators, and journalists — are reading the fine print, and without careful drafting and PR, nuanced policy changes could become big problems.
- David Petraeus’ private emails were revealed a little too easily — and Congress realized it might be time to update our ancient email privacy laws: In one of last year’s most publicized scandals, decorated general and CIA director David Petraeus resigned after the FBI began to investigate a cyberstalking complaint. Part of this investigation involved the FBI’s acquisition of emails from all parties involved, revealing on a very public scale exactly how outdated our email privacy laws, like the Electronic Communications Privacy Act, are. (ECPA, for example, requires warrants only for email stored for less than 180 days.) Shortly after the scandal broke, however, the Senate Judiciary Committee backed ECPA amendments that would require the government to obtain a warrant before seizing email and other online data. ECPA isn’t fixed yet, but we might be getting close.
- 2012 brought some big wins for innovation-friendly copyright laws: We saw several big cases in 2012 that protected fair use and other consumer- and innovation-friendly copyright laws. The district court in Authors Guild v. HathiTrust held that digitizing books in order to help libraries organize their collections and provide access to digital books to the visually impaired is fair use. In Flava Works v. MyVidster, Judge Posner held that allowing users to embed videos on a website is not itself infringement. And in Viacom v. Google, the Second Circuit affirmed that Internet companies like YouTube have no duty to monitor user activities and are not liable for users’ infringement if they don’t know (and don’t promote). These cases should give at least some businesses confidence in building models that depend on the use and reuse of copyrighted materials.
- LinkedIn and Zappos reminded everyone (no matter how big or successful) that proper encryption and security are important: In two of last year’s highest-profile data breaches, LinkedIn and Zappos were both hacked, exposing millions of users’ data and requiring both companies to scramble to fix the issue. LinkedIn’s breach specifically resulted in the release of a file containing millions of passwords hashed with the SHA-1 algorithm, whose security flaws were made public years ago. Incidents like these, involving two of the Internet’s biggest businesses, are valuable reminders to companies of all sizes never to forget that your users’ information is yours to protect, and protection takes work.
- Government surveillance is not slowing down: Last year, Wired broke the story that the U.S. government has been building a $2 billion “data center” in Utah. This “data center” will be capable of sucking in what was previously an unimaginably huge amount of data, analyzing it for unknown purposes, and breaking even military-grade encryption. This data center is just one symbol of the government’s increasing surveillance of all types of once-private digital data. It brings us a step closer to DARPA’s post-9/11 “Total Information Awareness,” and is a reminder that protecting our Fourth Amendment rights is a constant struggle.
- Twitter began to navigate thorny problems of international speech laws: In 2012, even before clips from the anti-Islam film “Innocence of Muslims” allegedly started riots around the world and made Internet intermediaries’ international speech policies the subjects of conversation and controversy, Twitter enacted a policy in which it would take down certain tweets in response to various countries’ valid legal processes — but only for people with IP addresses in those countries, not for global Twitter users. Twitter also gives users notice of these takedowns and sends the takedown information to Chilling Effects. In navigating a very difficult problem that any internationally expanding speech-oriented business must eventually face, Twitter has managed to promote its increasingly international presence in a way that respects the free speech platform on which its service is based.
- The FTC targets SMS spam: The FTC updated the Telephone Consumer Protection Act this year to make marketers who send consumers SMS promotions without consent subject to heavy fines and investigations. This change means that consumers have another means of combating unwanted text messages (and avoiding accompanying charges), but even ethical, legally compliant marketers who engage in SMS campaigns must be very careful to build their technological systems and conduct their campaigns within the TCPA’s bounds, or else they risk crippling fines and lawsuits.