Category Archives: Law: Internet Law

New Privacy Paper Posted

“PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, forthcoming in the Ohio State Law Journal, just posted to SSRN.

Abstract:

U.S. law puts the onus on the individual to protect his or her own privacy with only a small number of exceptions (e.g. attorney-client privilege). In order to protect privacy, one usually has three possible strategies: to change daily behavior to avoid privacy-destroying cameras or online surveillance; to contract for privacy; or to employ Privacy Enhancing Technologies (PETs) and other privacy-protective technologies. The first two options are very frequently unrealistic in large swaths of modern life. One would thus expect great demand for, and widespread deployment of, PETs and other privacy-protective technologies. But in fact that does not appear to be the case. This paper argues that part of the reason is a set of government and corporate policies which discourage the deployment of privacy technology. This paper describes some of those polices, notably: (1) requiring that communications facilities be wiretap-ready and engage in customer data retention; (2) mandatory identification both online and off; (3) technology-limiting rules; and also (4) various other rules that have anti-privacy side effects.

The paper argues that a government concerned with protecting personal privacy and enhancing user security against ID theft and other fraud should support and advocate for the widespread use of PETs. In fact, however, whatever official policy may be, by its actions the prevailing attitude of the U.S. government amounts to saying that PETs and other privacy protecting technology, must be kept on a leash.

A last-minute update reconsiders the argument in light of the Snowden revelations about the widespread dragnet surveillance conducted by the NSA.

Comments welcome!

Posted in Civil Liberties, Law: Internet Law, Writings | 1 Comment

Small World

I was impressed to learn that the lawyer defending Barrett Brown from a 100 year prison term for the crime of linking to things is the very same now-former Navy lawyer I consider an American hero. Some heroes just don’t quit.

(found via Digby)

Posted in Civil Liberties, Law: Internet Law | 2 Comments

Good Work

If you want to see what an absolutely first-class appellate brief looks like, look no further than Petitioner’s Brief in U.S. v. Auernheimer, authored by Tor Ekeland and Mark Jaffe, Hanni Fakhoury of the EFF, Marcia Hofmann (ex-EFF, now in private practice) and Orin Kerr (GWU Law).

If I’m ever convicted of reading and copying stuff off an unprotected web page, I want these guys as my lawyers.

And, yes, that’s the essence of the felony conviction being appealed:

The government charged Auernheimer with felony computer hacking under the Computer Fraud and Abuse Act (“CFAA”) for visiting an unprotected AT&T website and collecting e-mail addresses that AT&T had posted on the World Wide Web. The government also charged Auernheimer with identity theft for sharing those addresses with a reporter.

Auernheimer’s convictions must be overturned on multiple and independent grounds. First, Auernheimer’s conviction on Count 1 must be overturned because visiting a publicly available website is not unauthorized access under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a “theft.” The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the e – mail addresses through AT&T’s public website was authorized under the CFAA and therefore was not a crime.

Incredible.

Disclosure: I’m on the EFF Advisory Board, but have no connection to the case other than liking those of the lawyers I know.

Update (7/2/13): Here’s EFF’s official announcement, Appeal Filed to Free Andrew ‘Weev’ Auernheimer.

Posted in Law: Criminal Law, Law: Internet Law | Tagged | 1 Comment

Estate Planning for Your Digital Afterlife

Over the weekend I attended parts of a great symposium put on by the Miami Law Review on social media and the law.

The Law Review had drafted me to moderate a panel on “Will You Have a Digital Afterlife?” It was an interesting experience: the estate planning/probate version of privacy issues is a sort of funhouse mirror version of how I usually think about digital privacy: everything I recommend to people — e.g. strong passwords, strong encryption — can make digital probate more difficult.

The first complication is that we may not know with much certainty what the decedent wanted. Did he want the heirs to have full access to his encrypted hard drive? What if there’s a porn collection?

Second, how about the email account — it may have important information about what bills need to be paid, but it might also have a secret correspondence with far-out political groups or a mistress that the decedent might not have wanted the survivors to see. Online social media accounts have additional complexities as some providers take the view that the contract terminates with death and thus make no attempt to preserve, or may even flush, the contents. Others have contract terms of service that routinely deny access to surviving family members, if only because that blanket rule may make life easier for the provider.

Laws prohibiting various sorts of unauthorized access, written with the living in mind, add another level of complexity as innocent attempts by family members to find out about the credit card bill or the phone bill may amount — in formal terms at least — to criminal actions punishable (in theory) like the worst forms of hacking; computer intermediaries (and lawyers!) may justly be nervous about enabling such access without clear advance directives from the deceased.

The panelists — Christina L. Kunz, James Lamm, Michael J. Mcguire, and Damien A. Riehl — did an excellent job of introducing this complex area of law to an audience composed mostly of neophytes like me.

I came away from James Lamm’s talk, for example, persuaded that I should execute an ‘Authorization and Consent for Release of Electronically Stored Information’ and also add a codicil to my will that covers access to electronic material stored in the cloud or elsewhere.

James Lamm, by the way, blogs at Digital Passing.

[Note (2/21): edited to conform to a very polite copyright-related request from Mr. Lamm. You’ll have to wait for his article, or consult him, for more details.]

Posted in Law: Internet Law | 1 Comment

A Very Cute Respose to Employer Demands for Facebook Passwords

I hereby (fictionally) resign is a great, if alas so far fictional, account of blowback from an employer’s demand for Facebook passwords.

Spotted via Emergent Chaos, Chaos Emerges from Demanding Facebook Passwords.

Posted in Law: Everything Else, Law: Internet Law | Leave a comment

Harold Feld’s Insanely Long Field Guide To The Verizon/SpectrumCo/Cox Deal

Do you want to think of yourself as a well-informed citizen when it comes to technology issues? If so, you probably need to read Harold Feld’s explanation of the Verizon/SpectrumCo/Cox Deal.

In reading this, please keep in mind that in the many years I have been acquainted with Harold Feld, I have never seen anything that would tend to brand him as an alarmist.

A choice bit:

And before you could say “dangerous levels of spectrum concentration,” the former mortal enemies had become total BFFs — just like Stephen Colbert and Jimmy Fallon, but in reverse. In fact, Verizon Wireless and cable multisystem operators (“MSOs” as we say in telecom) are so into each other now that they simultaneously entered into agreements to become exclusive resellers of each other’s products and to jointly develop a whole bunch of new technologies together. The companies insist these three side agreements are totally, completely and utterly unrelated to the spectrum sale and that unrelated side agreements are just the natural love child of freaky four-way spectrum hook ups.

A few weeks later, Verizon graciously offered to buy out Cox’s AWS spectrum so that Cox could get out of the wireless business. And, in what can only be an amazing coincidence for utterly independent agreements that should in no way make anyone think that the major cable players are colluding with their Telco/Wireless chief rival, Verizon and Spectrumco offered to let Cox in on the same three agreements to become exclusive resllers and become a member of the “Joint Operating Entity” (JOE) to develop all these cool new technologies.

So you see, it’s all totally innocent, and does not in the least look like a cartel agreeing not to compete, dividing up markets, and setting up a Joint Operating Entity so they can continue to meet and discuss their business plans on an ongoing basis while developing a patent portfolio to use against competitors like DISH and T-Mobile. In fact, these three side agreements are so harmless and so completely independent of the spectrum sale that Verizon and the MSOs initially refused to give them to the FCC. When they finally did agree to put them in the record under protest, they cut a whole bunch of stuff out. Because really, as Verizon and the cable MSOs said in their response, what one mega-corp says to four of its largest competitors is really no one’s business.

Verizon will actually resell the cable MSO video services they used to (and in theory still do) compete against, while the MSOs will resell Verizon’s mobile wireless service. On top of that, they will get together as part of the “JOE” to discuss each other’s business, facilitating further cooperation. Finally, the technology developed by these one-time-rivals will be used to disadvantage competitors, much the same way Comcast is currently using its TV Everywhere certification to keep HBO On The Go off devices that facilitate ‘cord-cutting’, like Roku.

But there’s so much more…the really wonky stuff starts like this:

We can divide the substantive issues into three main categories: (a) Spectrum concentration issues that come from pumping up one of the top two wireless carriers with even more primo spectrum; (b) whether the side deals represent an illegal division of relevant markets between competing firms or, even worse, the formation of an actual cartel (a term I do not use lightly); and, (c) all kind of angsty, big picture stuff about whether the whole theory of the Telecom Act of 1996 really works and we can have facilities based competition, or whether Susan Crawford is right and we are doomed to a dystopian future where a cable monopoly controls our broadband and thus our digital future — except for the mobile part which will be controlled by an AT&T/Verizon Duopoly. But since they will be part of the new Communication Cartel, that won’t really matter.

And it does go on. Yes, it is insanely long. But he’s got me believing it’s a Big Deal.

For example,

The parties agree to form a “Joint Marketing Entity” (JOE) “for the development of technology to better integrate wireline and wireless products and services” (to quote the official press release). To translate: the largest residential broadband providers, who also happen to be among the largest residential video, and the largest mobile services provider, will sit down to jointly develop technologies on how to better integrate their supposedly competing services. You know how Google, Apple, Microsoft, and RIM are all involved in this “mobile patent war?” Imagine if, instead of each of them trying to develop competing wireless operating systems and technologies, they said: “Hey, we’re the four biggest developers of mobile operating systems. Instead of competing, lets pool all our patents together and not let anyone else license them from us except on terms we all agree to use. We’ll meet in a back room every month, talk about all our future development plans, and make sure that we develop patented technologies and proprietary standards for where we plan to take the industry going forward.” Why would that possibly raise any concerns?

I could go on, but then this would become an insanely long summary.

Read it.

Posted in Law: Internet Law | Leave a comment

11th Circuit Rules that Full Immunity Is Required for Compelled Decryption

The 11th Circuit just decided In re Grand Jury Subpoena Duces Tecum March 25, 2011, USA v. John Doe.

Doe was ordered to decrypt his hard drive, and given limited immunity (use immunity) regarding the act of production of the unencrypted contents. He refused, claiming that the immunity was insufficient, and also that he was not in fact able to decrypt the hard drives.

We turn now to the merits of Doe’s appeal. In compelling Doe to produce the unencrypted contents of the hard drives and then in holding him in contempt for failing to do so, the district court concluded that the Government’s use of the unencrypted contents in a prosecution against Doe would not constitute the derivative use of compelled testimony protected by the Fifth Amendment privilege against self-incrimination. This is so, the court thought,because Doe’s decryption and production of the hard drives would not constitute “testimony.” And although that was the Government’s view as well, the Government nonetheless requested act-of-production immunity.13 The district court granted this request.

For the reasons that follow, we hold that Doe’s decryption and production of the hard drives’ contents would trigger Fifth Amendment protection because it would be testimonial, and that such protection would extend to the Government’s use of the drives’ contents. The district court therefore erred in two respects. First, it erred in concluding that Doe’s act of decryption and production would not constitute testimony. Second, in granting Doe immunity, it erred in limiting his immunity, under 18 U.S.C. §§ 6002 and 6003, to the Government’s use of his act of decryption and production, but allowing the Government derivative use of the evidence such act disclosed.

It’s a well-argued opinion and could be influential.

Posted in Cryptography, Law: Criminal Law, Law: Internet Law | 1 Comment