In light of the financial meltdown of 2008, it is reasonable to question whether the prior decade’s emphasis on corporate compliance – the internal programs that corporations adopt in order to educate employees, improve ethical norms, and detect and prevent violations of law – has been fruitful. This Article contends that the key problem with compliance is that we regulate it through an adversarial system that pits federal prosecutors against corporate defense counsel, fueling distrust between corporate entities and the government, and between the corporate employees and the internal monitors tasked with ensuring compliance. Despite this adversarial atmosphere, a number of scholars have suggested that corporate compliance is an example of a more collaborative regulatory approach known as “New Governance.” This Article challenges that notion, arguing that the government’s adversarial stance all but eliminates the experimental and collaborative approach championed by the New Governance movement. The Article further concludes that a New Governance model of compliance regulation is unlikely to take hold. Nevertheless, policymakers should consider New Governance’s administrative stance in lieu of the more punitive, “war-driven” approach that adjudication usually encourages.

We’ve seen a wave of compliance-oriented information law in recent years – perhaps most notably Sarbanes-Oxley – and it’s useful to ponder how worthwhile this approach is likely to prove.

Update: The action figures are available for purchase! (Hat tip: Ted Janger)

Here’s the full abstract of the new article:

Social marketing is among the newest advertising trends now emerging on the internet. Using online social networks such as Facebook or MySpace, marketers could send personalized promotional messages featuring an ordinary customer to that customer’s friends. Because they reveal a customer’s browsing and buying patterns, and because they feature implied endorsements, the messages raise significant concerns about disclosure of personal matters, information quality, and individuals’ ability to control the commercial exploitation of their identity. Yet social marketing falls through the cracks between several different legal paradigms that might allow its regulation—spanning from privacy to trademark and unfair competition to consumer protection to the appropriation tort and rights of publicity.

This Article examines potential concerns with social marketing and the various legal responses available. It demonstrates that none of the existing legal paradigms, which all evolved in response to particular problems, addresses the unique new challenges posed by social marketing. Even though policymakers ultimately may choose not to regulate social marketing at all, that decision cannot be made intelligently without first contemplating possible problems and solutions. The Article concludes by suggesting a legal response that draws from existing law and requires only small changes. In doing so, it provides an example for adapting existing law to new technology, and it argues that law should play a more active role in establishing best practices for emerging online trends.

The paper grew out of a seemingly simple question I tried to answer a couple of years ago, namely: if I put something into the public domain, can I take it out again? On the one hand, it seems like the answer would have to be “no” for policy reasons; otherwise, what happens to all the people who might have relied on the public-domain status of the work to create their own derivatives and remixes? But on the other hand, the copyright statute in the U.S. includes some fairly obscure provisions that seem to allow authors to change their minds any time they transfer ownership of their work. Those provisions exist to solve a completely different problem, but if applied literally, they could make it possible for authors to rescind a dedication of their own work to the public domain.  As I discuss in the paper, there might be some constitutional problems with that outcome, and downstream users of a (formerly) public-domain work may be able to raise a number of valid equitable defenses to any claim of copyright infringement.  But as a purely statutory matter (as many others have recognized), it’s hard to find a basis for upholding a permanent, irrevocable dedication of one’s copyright to the public domain.

I argue in the paper that these parts of the statute may create a big headache down the road for the open-source software community, and for other large-scale informational projects (like Wikipedia, for instance) whose legality depends on the provisions of specialized copyright licenses.  Legally, all those projects rest on an interlocking set of permissions among contributors to reuse one another’s work.  But under the statute, any of those permissions can be  revoked in the future, even if the contributor promised not to.  Possible problem: what happens when somebody who contributed code to an open-source project many years ago revokes permission to continue using their work?

In the paper, I take a couple of stabs at creatively reinterpreting existing copyright law to fix the problem, before ultimately throwing up my hands and kicking it over to Congress.  I’ll post the abstract of the paper after the jump.

Here is the abstract:

Federal law limits the free alienability of copyright rights to prevent powerful transferees from forcing authors into unremunerative bargains. The limiting mechanism is a statutory provision that permits authors or their heirs, at their sole election, to terminate any transfer or license of any copyright interest during a defined period. Indeed, the applicable provisions of the Copyright Act go so far as to invalidate purported waivers by authors of their statutory termination powers.

These statutory provisions may constitute an impediment to the effective grant of rights for the benefit of the public under widely used “open content” licensing arrangements, such as the GNU General Public License (”GPL”) for software or the Creative Commons family of licenses for other sorts of expressive works. Although recent case law suggests that such open-source or open-content licensing arrangements should be analyzed under the same rules that govern other copyright licenses, doing so necessarily raises the possibility of termination of the license. If GPL or Creative Commons-type licenses are subject to later termination by authors (or their heirs), and this termination power cannot validly be waived, then users of such works must confront the possibility that the licenses may be revoked in the future and the works effectively withdrawn from public use, with potentially chaotic results.

Although a number of judge-made doctrines may be invoked to restrict termination of a license granted for the benefit of the public, the better course would be for Congress to enact new legislation expressly authorizing authors to make a nonwaiveable, irrevocable dedication of their works, in whole or in part, to the use and benefit of the public—a possibility that the Patent Act expressly recognizes, but the Copyright Act presently does not.

Would love to hear any feedback.

1. Judge Gertner will reduce the damages somewhat.
2. She will find that the statutory damages provisions of the Copyright Act do not contravene constitutional protections under the Gore line of cases.
3. The First Circuit will affirm.
4. The Supreme Court will deny cert.

I think the damages provision might be vulnerable in a specific defendant’s case (though Ms. Thomas-Rasset would be a better test than Mr. Tenenbaum here), but is safe on its face. In lawyerspeak, it’ll survive a facial challenge, but might fail as-applied.

The Gore limits depend in part on the concept of notice: defendants should know ahead of time how much they’d be liable for if they violate the law. No one expects punitive damages of 500:1 (Gore) or 145:1 (State Farm). But predicting liability – at least at its minimum / maximum amounts – is easy for copyright law. That’s a key difference between a statutory damages scheme, with a range specified by the legislature, and a common-law one where juries pick a number from a hat.

Second, the range of damages in the Copyright Act looks reasonable on its face. $30,000 per work (and up to $150,000 for willful infringement) is a lot, especially if it’s just to deter (or compensate for harm by) a single defendant. (General deterrence is out under Philip Morris v. Williams, which is sad for law & econ thinkers.) Imagine a business that runs off copies of “Harry Potter and the Deathly Hallows” in its basement and sells them. Copyright infringement of this one work is clear, but the business carefully shreds all evidence of sales. So, it’s impossible to prove actual damages; businesses are often risk-averse, meaning that higher awards of damages are needed to deter; and there’s only 1 copyrighted work at issue. Statutory damages are important to provide any deterrence – since proof of harm is under the infringer’s control – and since the infringement might be quite profitable, an award might need to be high (even $150K). Hence, the damages scheme is clearly rational in at least some cases.

The harder question is whether the unconstrained jury discretion for statutory damages could run afoul of due process protections. Individual downloaders tend to be pretty similar if you think about it: there’s not much difference between Thomas and Tenenbaum. So why is her penalty almost 4 times more per work than his, for the same type of infringement? Neither has much in the way of monetary resources, so they’re either undeterrable, or able to be deterred at a fairly low amount (marginal value of a dollar and all that). Here is where the damages scheme seems like it might be vulnerable: it does get hard to predict liability in some individual cases, and the wide range of damages looks a bit too much like absolute discretion. (Thought exercise: what if a jury could award any amount of damages per infringement? Would that improve deterrence against Tenenbaum and Thomas? Would it be significantly less accurate than the actual damages, which everyone agrees are pretty low in real terms? But such a framework would likely run afoul of constitutional limits.)

If this is right, it means that both sides should worry – as should Congress. Getting damages right is important, but preserving both procedural and substantive protections for defendants is just as much so. Comments and disagreement welcomed…

A couple of idiosyncratic highlights for me so far include:

Tom Lee’s empirical analysis of how consumers perceive the semantic or linguistic content of trademarks as opposed to their context (as in placement on packaging). While it only addresses certain kinds of situations–that is, situations where there is lots of context available for the consumer–it provided interesting data.

Laura Heymann’s presentation about the law’s treatment of personal names and how it does or does not resemble the regime for trademark law, with a focus on the interaction between denotative (source-based) and connotative (association-based) meanings of both types of names. Legal regulation (or lack of it) of name changes of both kinds raises fascinating issues.

Lisa Ramsey’s discussion of brandjacking on social network sites, which can lead to serious harms but maybe not the kind of harm trademark law addresses. (I wondered if it is possible to make a clean and principled distinction between impersonation of a trademark or its holder vs. a misleading association with one.)

My good friend Jessica Silbey’s analysis, based on narrative theory, of the rhetoric used by “access movements” such as Free Culture, A2K, free software activism, and the like. She finds that these protests against existing IP law ironically share certain key features of the traditional story told to support expanded IP rights.

Mark Lemley and Mark McKenna’s article, “Irrelevant Confusion,” which I think is destined to become a watershed in trademark scholarship.

James Grimmelmann’s presentation of a piece he is writing with Paul Ohm where they identify a coherent school of thought within cyberlaw they call (for now) “architecturalism,” typified by Jonathan Zittrain’s recent book.

Surely others would make different lists out of the nearly 100 papers. (Maybe someone might even pick mine!). As usual, Rebecca Tushnet is providing great live-blogging of the sessions she attends. Thanks to the organizers for an incredibly stimulating event.

[T]he most difficult challenge — both to grasp and to solve — of the cloud is its effect on our freedom to innovate. The crucial legacy of the personal computer is that anyone can write code for it and give or sell that code to you — and the vendors of the PC and its operating system have no more to say about it than your phone company does about which answering machine you decide to buy. [snip] This freedom is at risk in the cloud, where the vendor of a platform has much more control over whether and how to let others write new software.

If you think about info/law very much, none of this is quite new. And as I have said before about Zittrain’s work, I think he is too pessimistic about the certainty of lockdown (after all, we were worried about the walled gardens of AOL and Compuserve too, and look what happened).

But the danger is real and must be addressed, presumably in large part by the audience who reads the Times op-ed page. JZ is such an excellent communicator and synthesizer, and he conveys the seriousness and complexity of the problem very nicely to a key audience in a format where it is difficult to do that. Go read the whole op-ed right now.

[UPDATE: Adam Thierer does not care for this op-ed at all, and has some interesting responses.]

As news coverage (see here and here) emphasizes, the Commissioner’s main concerns are the extent to which third-party applications within the Facebook platform slurp up personal information irrelevant to their functions. The report also identifies some ways in which Facebook’s disclosures of its practices are insufficiently clear and criticizes certain data retention practices (particularly after deactivation of accounts). The Commissioner suggested changes Facebook could make to comply with the law; after 30 days if Facebook has not taken adequate corrective action the Commissioner may initiate a lawsuit in Canadian court.

I highlighted the Ottawa clinic’s complaint in my article about social marketing (which, of course, went to the printer just a few days too early to add mention of the report!). So I was especially interested in the report’s analysis of Facebook’s advertising practices. In my view, the Commissioner gets it partly, but not entirely, right, stating:

A Social Ad uses the individual’s actions, thumbnail photo and name to promote a certain product or service. The ad then becomes part of the News Feed and intertwines itself in the regular interactions of the user and his or her friends. In effect, the Social Ad takes on the appearance of an endorsement of the product by the user. For this reason, users would not reasonably expect their information to be used in such a manner and they should, as is the current situation, be able to opt out of such an active use of their personal information.

It seems to me, and I argue in the article, that a social marketing endorsement like the one described here should require an opt in — not only for privacy and reputation reasons, but also for information quality (to ensure it is a true endorsement). In practice, though, since the effective demise of Facebook’s Beacon program, these sorts of social ads only occur when you take actions within Facebook, and in those situations it seems to me reasonable to assume implicit opt-in — after all, why do you “become a fan” of something in Facebook if not to “share” with your friends? The report does go on to criticize the clarity of disclosure about the use of information for social marketing and the difficulty of locating the opt-out. The Commissioner proposed more frequent reminders, but Facebook objected, and the report concludes that if Facebook makes its policies clearer and more accessible that will be good enough.

Overall, a great example of the careful (and collaborative) work a robust privacy regulator can do if given the necessary legal muscle and adequate resources. Now let’s see how Facebook responds next month…

The Associate Director of Research & Education for the Consortium on Law and Values in Health, Environment & the Life Sciences and the Joint Degree Program in Law, Health & the Life Sciences conducts research relating to law, biomedicine, the life sciences, and bioethics; collaborates on grants; generates original scholarship; teaches graduate and professional students; and helps lead the Minnesota Journal of Law, Science & Technology.

Our previous Associate Director, the very talented Jordan Paradise, is leaving to take a tenure-track faculty position at Seton Hall Law School. Please spread the word about this great opportunity!

When my consulting team did security stuff (note technical terminology) at Lotus, we found that the biggest risk from passwords is the Post-It note: users write down their passwords because security policies mandate ones that aren’t readily remembered. Try wandering around your office environment and see how many of these you can find 1) attached to monitors, 2) under keyboards, or 3) on office desk calendars / blotters. Far too much security protocol relies on conventional wisdom and accepted practice rather than empirical data.