I tend to favor protecting end-to-end in the Internet context, but I’m a bit worried about what the net neutrality rules will look like in practice. There are two ways to think of this problem. First, who is the target of regulatory action? The FCC’s rules seem to look at the CEO or CTO of an ISP or telecom company. I think the correct focus is farther down the corporate ladder: the IT folks who have to implement rules on their routers. The new rules seem fine as policy statements, but how do they translate into what you can and can’t do with bits?

Second, what existing practices are covered by the net neutrality rules? I worry there are some laudable practices that might run afoul of the rules – even if it’s unlikely the FCC would seek enforcement against them. (Safety that depends on agency discretion is not particularly comforting.) Here’s a fast list of practices that might violate net neutrality right now:

• Port blocking – can ISPs prevent you from sending e-mail except through their servers by blocking port 25? Many, including Verizon, already do. (See Rule 2 in the Press Release.)
• Network Address Translation – NAT rewrites IP addresses to ensure that packets reach their destination. Does altering header information violate the rules? (Rule 6 at least, maybe Rule 4.)
• Spam filtering – ISPs routinely drop connections, or quarantine messages, from known spammers and spam-friendly destinations. (Rules 1, 4.)
• VoIP routing – some telcos route their own VoIP traffic across their network rather than the public Internet, which is more efficient (assuming both ends of the conversation have the same provider). That’s almost certainly out. (Rule 5.)
• Virus prevention – some educational institutions scan connecting devices for Trojans / viruses / malware, or software that protects against them, and condition network access on passing this scan. (Rule 3, though doubtless the FCC would use the “harm” criterion as a dodge.)

So, I’m worried about how the FCC’s legal rules are implemented in code. I think we need a lot more guidance from the agency, particularly since net neutrality still feels somewhat like a solution in search of a problem…

Here’s the full abstract of the new article:

Social marketing is among the newest advertising trends now emerging on the internet. Using online social networks such as Facebook or MySpace, marketers could send personalized promotional messages featuring an ordinary customer to that customer’s friends. Because they reveal a customer’s browsing and buying patterns, and because they feature implied endorsements, the messages raise significant concerns about disclosure of personal matters, information quality, and individuals’ ability to control the commercial exploitation of their identity. Yet social marketing falls through the cracks between several different legal paradigms that might allow its regulation—spanning from privacy to trademark and unfair competition to consumer protection to the appropriation tort and rights of publicity.

This Article examines potential concerns with social marketing and the various legal responses available. It demonstrates that none of the existing legal paradigms, which all evolved in response to particular problems, addresses the unique new challenges posed by social marketing. Even though policymakers ultimately may choose not to regulate social marketing at all, that decision cannot be made intelligently without first contemplating possible problems and solutions. The Article concludes by suggesting a legal response that draws from existing law and requires only small changes. In doing so, it provides an example for adapting existing law to new technology, and it argues that law should play a more active role in establishing best practices for emerging online trends.

As news coverage (see here and here) emphasizes, the Commissioner’s main concerns are the extent to which third-party applications within the Facebook platform slurp up personal information irrelevant to their functions. The report also identifies some ways in which Facebook’s disclosures of its practices are insufficiently clear and criticizes certain data retention practices (particularly after deactivation of accounts). The Commissioner suggested changes Facebook could make to comply with the law; after 30 days if Facebook has not taken adequate corrective action the Commissioner may initiate a lawsuit in Canadian court.

I highlighted the Ottawa clinic’s complaint in my article about social marketing (which, of course, went to the printer just a few days too early to add mention of the report!). So I was especially interested in the report’s analysis of Facebook’s advertising practices. In my view, the Commissioner gets it partly, but not entirely, right, stating:

A Social Ad uses the individual’s actions, thumbnail photo and name to promote a certain product or service. The ad then becomes part of the News Feed and intertwines itself in the regular interactions of the user and his or her friends. In effect, the Social Ad takes on the appearance of an endorsement of the product by the user. For this reason, users would not reasonably expect their information to be used in such a manner and they should, as is the current situation, be able to opt out of such an active use of their personal information.

It seems to me, and I argue in the article, that a social marketing endorsement like the one described here should require an opt in — not only for privacy and reputation reasons, but also for information quality (to ensure it is a true endorsement). In practice, though, since the effective demise of Facebook’s Beacon program, these sorts of social ads only occur when you take actions within Facebook, and in those situations it seems to me reasonable to assume implicit opt-in — after all, why do you “become a fan” of something in Facebook if not to “share” with your friends? The report does go on to criticize the clarity of disclosure about the use of information for social marketing and the difficulty of locating the opt-out. The Commissioner proposed more frequent reminders, but Facebook objected, and the report concludes that if Facebook makes its policies clearer and more accessible that will be good enough.

Overall, a great example of the careful (and collaborative) work a robust privacy regulator can do if given the necessary legal muscle and adequate resources. Now let’s see how Facebook responds next month…

Great cases, like hard cases, make bad law. For great cases are called great, not by reason of their real importance in shaping the law of the future, but because of some accident of immediate overwhelming interest which appeals to the feelings and distorts the judgment. These immediate interests exercise a kind of hydraulic pressure which makes what previously was clear seem doubtful, and before which even well settled principles of law will bend. Northern Securities Co. v. United States, 193 U.S. 197 (1904) (Holmes, J., dissenting).

First, the Court denied cert. in IMS Health v. Ayotte. This case involved data miners’ First Amendment challenge to a New Hampshire law that prohibits the transfer of physicians’ prescribing records for use by pharmaceutical company representatives in their efforts to promote certain drugs to individual doctors. The First Circuit’s thorough decision in the case upheld the law on two distinct grounds: the transfer of the records was conduct rather than speech; and anyway if it was commercial speech the law satisfied the narrow tailoring requirements of the Central Hudson test. There is somewhat mixed case law on the First Amendment status of data mining, but I think the pro-privacy side is winning overall. (For more on this complex topic, see Neil Richards’ great law review article). While it might have been nice if the Supreme Court took the case and delivered the death blow to data miners’ constitutional arguments, that would have been very risky; it is better to leave Judge Selya’s strong opinion — and New Hampshire’s law, imitated by some other states — in place. (EPIC has more information on this one.)

The second decision is close to my co-blogger Tim’s heart, as he has described before. The Supreme Court refused to review the Second Circuit’s opinion finding that Cablevision’s proposed new DVR system does not violate copyright law. (Public Knowledge has more discussion on this one.)

(And by the way, if you share my side interest in election law, today’s announcement that the Court will hear more arguments in the campaign finance case about the Hillary Clinton documentary rather than deciding it — and consider much broader issues about corporate political donations — is also a bombshell. Probably a very bad sign for advocates of campaign finance regulation. Lots of big news other than Ricci today!)

Among the newest is the recent lawsuit filed by St. Louis Cardinals manager Tony LaRussa against Twitter. A user who claimed to be LaRussa opened a Twitter account in his name and said some nasty things, including mocking references to the deaths of two Cardinals pitchers. Twitter denied initial reports that the suit had been settled in a somewhat bellicose blog post (remember, lawyers: it isn’t a settlement until the other guy’s client signs off). Twitter then removed the case (that is, transferred it) from state to federal court, where it currently remains active on the docket of the Northern District of California. (The best news coverage is here and here.) The phony LaRussa account was terminated long ago; impersonation violates Twitter’s terms of service.

LaRussa’s actual grievances sound like they should give rise to defamation or false light, or perhaps the appropriation tort. But these would all be blocked, quite routinely, by section 230. Of course, LaRussa could go after the individual impostor, assuming that person could be found. Instead, his lawyers framed much of his complaint in terms of trademark infringement. Why? It’s no coincidence that section 230(d) carves out IP (along with criminal law) from the special immunity, stating, “Nothing in this section shall be construed to limit or expand any law pertaining to intellectual property.”

But to prevail on the trademark infringement claim, LaRussa has to prove that the phony account was likely to confuse consumers into thinking he endorsed Twitter, thus harming him. That is why his complaint emphasizes:

The Site states in large lettering, ‘Tony LaRussa is using Twitter,’ and encourages users to ‘Join today to start receiving Tony LaRussa’s updates.” It also contains a picture of Plaintiff with his name printed next to ít. Beneath the picture, the Site contains written entries that are impliedly written by Plaintiff himself when in fact they are not.

In this particular case, proving confusion and harm will be very difficult, since (1) the account only had four followers; (2) it included a notation in the user’s profile section, “Bio Parodies are fun for everyone;” (3) it’s not clear a statement (even a false one) that LaRussa used the service can fairly be called an endorsement of the service (though the “endorsement” concept can be slippery, as I have written elsewhere). Trademark dilution does not require confusion or monetary harm, but LaRussa pleaded under federal dilution law, which allows only injunctive relief — now moot since the profile is gone — and completely exempts “noncommercial use” of a trademark.

More generally, however, this case highlights the possibility of a loophole for celebrities who can recast privacy-like claims under trademark law (and possibly also rights of publicity, if those are interpreted as intellectual property under the language of section 230(d)). Where would that leave us? Well, it shows (again) that the apparently bright lines of section 230 sometimes aren’t. But it might also create what I’d consider a pernicious double standard: celebrities maligned by anonymous online impostors could plead around section 230 by claiming trademark or publicity rights in their name, while many ordinary people victimized by defamation or cyber-bullying would have their claims blocked. Other law, defamation in particular, expects celebrities to have thicker skin and tolerates more insensitive speech about them. If LaRussa pulled off this suicide squeeze, that sensible dichotomy might get turned on its head.

[UPDATE: I plumb forgot to mention another crucial angle: Twitter now wants to sell verified accounts to celebrities (as in, “This is the real Tony LaRussa tweeting.”) Those wouldn’t fetch a very high price if the fake accounts from which the celebs are trying to distinguish themselves are unlawful and Twitter is liable for them.)

Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Thanks to Chris Soghoian for his leadership on this one!