BlurryEdge Strategies

12 Important Developments from 2012

Happy 2013!

At Blurry Edge Strategies, we spend a lot of time watching (and
often participating in) significant developments at the intersection of
technology and the law.  And as the new year begins, it’s already
clear that we’re facing an exciting and tumultuous 12 months ahead.

Federal regulators – notably the FTC – are telegraphing a
reinvigorated interest in Internet privacy matters; after last year’s
SOPA debacle, lawmakers are primed to take another swing at copyright
enforcement legislation; and social networking giants are wading deep
into international privacy compliance issues, with mixed results.

That’s all ahead. To close out 2012, we’ve compiled for you a guide to
twelve of the most important developments of the last year.  We hope you
find it useful.

Lauren Gelman
Principal, Blurry Edge Strategies

gelman@blurryedge.com
@laurengelman

 

  1. The Internet fought back against SOPA/PIPA: When Congress proposed SOPA and PIPA, bills whose overreach in the name of copyright protection would have stifled innovation and online speech, Internet users and influential websites responded with unprecedented, concerted zeal. This response culminated in a mass online blackout, with sites as large as Reddit and Wikipedia going dark to protest the legislation. Millions of users contacted their representatives to oppose the bills. While legislative ideas like SOPA and PIPA haven’t disappeared completely, last year’s response made it clear to Congress that users and Internet companies are willing to fight.
  2. Governments are getting serious about privacy: In 2012, the FTC proposed more stringent changes in children’s privacy rules and undertook enforcement of its existing privacy rules against app makers and other online businesses for everything from “history sniffing” to data-leaking security flaws. California also announced its own mobile privacy rules, requiring privacy policies for mobile apps, and recently launched an enforcement action against Delta for not including a mobile privacy policy in its app. The lesson for business is clear: governments are treating violations of privacy rules as serious breaches that can lead to investigation and enforcement.
  3. Do Not Track: Do Not Track, the long-running consumer privacy project aimed at allowing users to tell websites not to track them, has not had the smoothest year. Leadership changes and uncooperative ad industry partners have made the project’s future unpredictable. However, DNT has shown no signs of stopping, either, and the government’s increasing scrutiny of companies that traffic in consumer data (see the FTC’s investigation of data brokers and updating of COPPA) means that the ad industry needs to find a way to self-regulate effectively if it wants to avoid even stricter rules from the government. DNT might still be that solution.
  4. Smart Grid privacy concerns started reaching consumers (and businesses): Last year, the California Public Utilities Commission began to draft and propagate new rules on smart grid privacy, including short-form notice and consent forms that could govern the way consumers share data with new smart grid-oriented businesses. Meanwhile, the Ninth Circuit held in Golden Valley that while administrative subpoenas can be easily obtained for things like energy records, businesses that make explicit, detailed promises to keep data confidential might have a better chance in defending against government attempts to get users’ data without a warrant. These developments suggest that even though smart grid data policies are still in development, businesses now know enough about them to make a stand for their users.
  5. More data, more FTC investigations: The FTC recently ordered nine data brokerage companies, which collect and aggregate information about millions of consumers, to explain what they do with their stores of user data. Much of what these brokers do is currently unregulated: they are not necessarily required to allow consumers to access or correct data about them, or to opt out of data collection altogether. Further, it is not entirely clear whether the data these brokers collect renders them subject to existing regulations like the Fair Credit Reporting Act. While data brokers can provide useful services to consumers and businesses, it looks like those services are due for more rules and regulations in the future.
  6. Facebook changes its privacy rules (and everyone watches): Late last year, Facebook and its new acquisition Instagram both changed their privacy policies and terms of service. The public responded, annoyed at Facebook’s removal of its voting system and Instagram’s broad new advertising rules. Since then, Instagram has walked back its changes and Facebook has scrambled to respond to both companies’ critics. The lesson seems to be that more users — and competitors, regulators, and journalists — are reading the fine print, and without careful drafting and PR, nuanced policy changes could become big problems.
  7. David Petraeus’ private emails were revealed a little too easily — and Congress realized it might be time to update our ancient email privacy laws: In one of last year’s most publicized scandals, decorated general and CIA director David Petraeus resigned after the FBI began to investigate a cyberstalking complaint. Part of this investigation involved the FBI’s acquisition of emails from all parties involved, revealing on a very public scale exactly how outdated our email privacy laws, like the Electronic Communications Privacy Act, are. (ECPA, for example, requires warrants only for email stored for less than 180 days.) Shortly after the scandal broke, however, the Senate Judiciary Committee backed ECPA amendments that would require the government to obtain a warrant before seizing email and other online data. ECPA isn’t fixed yet, but we might be getting close.
  8. 2012 brought some big wins for innovation-friendly copyright laws: We saw several big cases in 2012 that protected fair use and other consumer- and innovation-friendly copyright laws. The district court in Authors Guild v. HathiTrust held that digitizing books in order to help libraries organize their collections and provide access to digital books to the visually impaired is fair use. In Flava Works v. MyVidster, Judge Posner held that allowing users to embed videos on a website is not itself infringement. And in Viacom v. Google, the Second Circuit affirmed that Internet companies like YouTube have no duty to monitor user activities and are not liable for users’ infringement if they don’t know (and don’t promote). These cases should give at least some businesses confidence in building models that depend on the use and reuse of copyrighted materials.
  9. LinkedIn and Zappos reminded everyone (no matter how big or successful) that proper encryption and security are important: In two of last year’s highest-profile data breaches, LinkedIn and Zappos were both hacked, exposing millions of users’ data and requiring both companies to scramble to fix the issue. LinkedIn’s breach specifically resulted in the release of a file containing millions of passwords hashed with the SHA-1 algorithm, whose security flaws were made public years ago. Incidents like these, involving two of the Internet’s biggest businesses, are valuable reminders to companies of all sizes never to forget that your users’ information is yours to protect, and protection takes work.
  10. Government surveillance is not slowing down: Last year, Wired broke the story that the U.S. government has been building a $2 billion “data center” in Utah. This “data center” will be capable of sucking in what was previously an unimaginably huge amount of data, analyzing it for unknown purposes, and breaking even military-grade encryption. This data center is just one symbol of the government’s increasing surveillance of all types of once-private digital data. It brings us a step closer to DARPA’s post-9/11 “Total Information Awareness,” and is a reminder that protecting our Fourth Amendment rights is a constant struggle.
  11. Twitter began to navigate thorny problems of international speech laws: In 2012, even before clips from the anti-Islam film “Innocence of Muslims” allegedly started riots around the world and made Internet intermediaries’ international speech policies the subjects of conversation and controversy, Twitter enacted a policy in which it would take down certain tweets in response to various countries’ valid legal processes — but only for people with IP addresses in those countries, not for global Twitter users. Twitter also gives users notice of these takedowns and sends the takedown information to Chilling Effects. In navigating a very difficult problem that any internationally expanding speech-oriented business must eventually face, Twitter has managed to promote its increasingly international presence in a way that respects the free speech platform on which its service is based.
  12. The FTC targets SMS spam: The FTC updated the Telephone Consumer Protection Act this year to make marketers who send consumers SMS promotions without consent subject to heavy fines and investigations. This change means that consumers have another means of combating unwanted text messages (and avoiding accompanying charges), but even ethical, legally compliant marketers who engage in SMS campaigns must be very careful to build their technological systems and conduct their campaigns within the TCPA’s bounds, or else they risk crippling fines and lawsuits.

Posted on 01/07/2013

Computer hacking for 8-year-olds

I get to talk to a lot of interesting audiences about privacy, security and other issues. Last month was unquestionably the most fun talk: at DefCon Kids with Jeff Moss (darktangent). CNN was there and wrote about it, and I hope parents everywhere will share this information with their 8-year-olds.

Posted on 08/13/2012

Google's stunning example of corporate responsibility

I have a comment on the NYT Room to Debate forum "Google or China: Who Has More to Lose?" praising Google's decision not to censor search results on .cn but recognizing that it was the alleged Chinese government's hacking that broke the camel's back as opposed to general disgust with the regime's Internet Freedom policy (I also wrote about this at the time of the initial announcement in January). I do think it shows that while doing business with China could be justified by a goal of fostering engagement, collaborating with the regime cannot.

Posted on 03/24/2010

Why invest in privacy?

It's easy to make headlines by offering grand statements that privacy is dead. Millions of users certainly are sharing a lot of very personal information, stories, pictures, and data online every day. So why should a company or any other institution invest their limited time and resources in thinking about privacy?

Because carefully considering privacy issues early on can save you significant headaches later. First, there are dozens of national and international laws and regulations that cover data collection, and if you are not in compliance with those laws you can have serious problems. Second, if you aspire to get funded, acquired or go public, you want to build your data collection architecture so that privacy issues do not create a roadblock when you least expect it. And finally, the truth is no one really knows where your users will draw the line when it comes to your use of their data. It simply makes good business sense to consider the implications of your decisions early and often, as you innovate in technology, as new business models develop or as new corporate directions evolve.

Personally, I think people care about privacy a lot more than the anecdotal evidence of the moment suggests. Successful businesses building sustainable and innovative products are those that are ready to answer the tough questions, whether asked by their investors, the press or their users, and to evolve their privacy strategy to complement their business strategy.

Posted on 02/10/2010

In search of cool examples for Stanford Law School class

I'm teaching Privacy and Free Speech Online at Stanford Law School in the Spring Quarter. The course description:

Privacy and free speech values frequently conflict. Protecting one individual's privacy often requires preventing another's speech. The Internet has created significant opportunity for users to express themselves in chatrooms, on the web, and through new social network applications. With this increased expression has come increased disclosures of personal information that may be saved, searched, and republished. Courts are currently grappling with the privacy-speech tension in cases where individuals as opposed to media institutions are the publishers of personal information about themselves and others and where people are publishing information on public networks but intended for limited groups of readers. This seminar will explore the tension between protecting privacy and free speech online, with specific emphasis on the legal rules and social norms around user initiated communications and social networking and other web 2.0 applications.

I have a fairly hefty set of legal readings, but I'm also looking for interesting apps, websites, non-legal papers and innovative policies or business models that bring the privacy-speech conflict into focus. Any ideas?

Posted on 02/09/2010

A Creative Commons for Social Networks and Privacy

The Boston College Law Review published my paper Privacy, Free Speech and Blurry-Edged Social Networks last November.

From the Abstract:

Much of Internet-related scholarship over the past ten years has focused on the enormous benefits that come from eliminating intermediaries and allowing user generated one-to-many (one person to many people) communications. Many commentators have noted the tension created between the positive benefits for free speech and the negative effects on user privacy. This tension has been exacerbated by technologies that permit users to create social networks with “blurry edges” - places where they post information generally intended for a small network of friends and family, but which is left available to the whole world to access. The thought is that someone the user cannot identify a priori might find the information interesting or useful. These technological advances have created enormous benefits as people connect to each other and build communities online. The technology that enables these communities, however, also creates an illusion of privacy and control that the law fails to recognize. This Article discusses the technological, social, and legal regimes that have created this framework, and proposes a technical solution to permit users to maintain networks with blurry edges while still appropriately balancing speech and privacy concerns.

I propose a system of privacy tags, perhaps a common metadata system, that users can attach to any content (like a blog post or picture) to indicate their preference for subsequent reuse. Because of the potential chilling effect on speech a code-based approach might create, I suggest a neighborliness approach where people can choose to indicate their preference and rely on social norms to enforce it. Of course, I hope that the privacy torts that assume a user's musings on the public web are available for any reuse would adjust once subjective intentions of individuals become visceral. But I still prefer a liability rule to a property based approach.

I've been thinking about this project for a long time: when Creative Commons was launched a few doors down from my office at Stanford Law School, I thought: Why can't we do this for privacy? Some of my early thoughts from working with students at SLS are here. Professor Ann Bartow is less optimistic that a norms (as opposed to code or law) based approach will actually produce any behavioral change.

I am interested in what others think about the "neighborliness" approach.

Posted on 02/07/2010