I was interviewed today for this afternoon's edition of Marketplace; of course you never know if they'll use it or not.
The topic was the strange — and to my mind wrongly decided — decision ordering massive disclosure of user YouTube video-viewing records in Viacom v. Google. For a very good explanation of most of the problems with the decision see EFF's Kurt Opsahl's discussion at Court Ruling Will Expose Viewing Habits of YouTube Users.
Based on the cursory discussion in the decision, I don't think the Judge read the Video Privacy Protection Act (aka “the Bork Bill”) right.
The decision is, if anything, worse than Opsahl says, in that the court also orders disclosure of information relating to “private” videos — videos marked for limited distribution — including the title and information about who uploaded them. While it may be the case that some of these videos are trying to share copyright protected materials under the radar, it is undoubtedly the case that many of these videos are (1) truly private and of very limited distribution and (2) the author would be identifiable from the associated information ordered to be disclosed. (The order also is opaque as to what sort of precautions if any Viacom would be required to take to prevent leakage of this data.)
There are some procedural obstacles to getting an immediate interlocutory appeal of this decision, but assuming they can be surmounted I think there's a strong chance of reversal before the 2nd Circuit.
This is only one of the first in what is sure to be a long series of fishing expeditions in the increasingly elaborate databases being created about our online behavior. It will get worse once our ISPs start tracking our every move in order, they will say, to better advertise to us. Video viewing records have the peculiar advantage of being protected by an unusually powerful statute, the so-called 'Bork Bill'. Many other records won't have that (although some will have ECPA), and that is an issue which needs urgent attention.
This order is probably broader than it appears at first reading… and that’s saying something.
The order provides:
Note that merely browsing to a site containing an embedded YouTube video will result in a HTTP GET request directed to YouTube’s servers. This request happens automatically, even if the video is not played. (Unless, of course, the user has configured their browser with NoScript or Flashblock, or is using a text-mode browser like Lynx.)
The order appears to require IP addresses and other log data for everyone who has ever merely browsed to a page where a YouTube video has been embedded. Everyone. Whether they played the video or not.
Now that’s a broad order.
I don’t read the order that way: I read it to require info about “each time a YouTube video has been viewed” — and I don’t think bringing up the still on an embedding counts as a “viewing”. Now, if you click on it…
Until and unless the judge clarifies his order, then the only reading of “view” that counts are the plaintiffs and defendants. I don’t know how expansively Viacom reads “view”, but I think there’s a good —plain English— argument that viewing the still is a “view”.
I’m certain that in other circumstances, Google would argue that the language of the YouTube Privacy Notice applies to viewing an embedded still:
It seems likely that HTTP GET requests are logged in the “Logging database” which is discussed on pp.11-14 of the order.
And the order granted “all data”.
To me, “all” reads as “all”
(Also, fwiw, I was mistaken earlier: Flashblock apparently does not stop the user’s browser from issuing a GET for Flash content. It merely prevents the Flash from running and keeps the user from viewing it.)