I tend to favor protecting end-to-end in the Internet context, but I’m a bit worried about what the net neutrality rules will look like in practice. There are two ways to think of this problem. First, who is the target of regulatory action? The FCC’s rules seem to look at the CEO or CTO of an ISP or telecom company. I think the correct focus is farther down the corporate ladder: the IT folks who have to implement rules on their routers. The new rules seem fine as policy statements, but how do they translate into what you can and can’t do with bits?

Second, what existing practices are covered by the net neutrality rules? I worry there are some laudable practices that might run afoul of the rules – even if it’s unlikely the FCC would seek enforcement against them. (Safety that depends on agency discretion is not particularly comforting.) Here’s a fast list of practices that might violate net neutrality right now:

• Port blocking – can ISPs prevent you from sending e-mail except through their servers by blocking port 25? Many, including Verizon, already do. (See Rule 2 in the Press Release.)
• Network Address Translation – NAT rewrites IP addresses to ensure that packets reach their destination. Does altering header information violate the rules? (Rule 6 at least, maybe Rule 4.)
• Spam filtering – ISPs routinely drop connections, or quarantine messages, from known spammers and spam-friendly destinations. (Rules 1, 4.)
• VoIP routing – some telcos route their own VoIP traffic across their network rather than the public Internet, which is more efficient (assuming both ends of the conversation have the same provider). That’s almost certainly out. (Rule 5.)
• Virus prevention – some educational institutions scan connecting devices for Trojans / viruses / malware, or software that protects against them, and condition network access on passing this scan. (Rule 3, though doubtless the FCC would use the “harm” criterion as a dodge.)

So, I’m worried about how the FCC’s legal rules are implemented in code. I think we need a lot more guidance from the agency, particularly since net neutrality still feels somewhat like a solution in search of a problem…

Filtering Workshop: Implications for ISPs (University of New South Wales, 4 March 2009)

My theme is that the proposed Australian filtering program contemplates a wholesale change in the role of the Internet Service Provider (ISP). This alteration creates a significant risks of undesirable, secondary effects.

ISPs are attractive regulatory targets, especially where enforcement against primary actors such as end users is expensive, uncertain, or problematic due to those actors’ behavior. This may be particularly true in countries such as Australia, the United States, or the United Kingdom, where the network architecture is decentralized. Countries such as China and Saudi Arabia designed their Internet infrastructure to enable centralized control at key choke points, making the involvement of intermediaries in filtering less crucial.
There can be benefits from requiring ISPs to act as enforcers. The application of restrictions is likely to be more uniform than with controls on end users directly, and ISP-based enforcement offers greater immunity against user error or evasion. Filtering at the ISP level is “always on.” In addition, lists of proscribed material are more readily updated since they are deployed at fewer locations on the network.

However, ISP-based restraints create critical challenges. ISPs shift from passing bits to differentiating among them. Power over content decisions shifts from end users at the edge of the cloud to providers, in conjunction with government, at the center. ISPs become regulators with significant power, especially under a system that permits or encourages variation in content blocking. It is not clear, under the current Australian plan, what requirements (if any) ISPs would have to adhere to in terms of transparency about filtering decisions.

Concomitantly, providers may be hesitant about assuming such a role, for they will become enmeshed in heated debates over content. They may be forced into difficult normative judgments, as with decisions regarding fair use versus copyright infringement under the U.S. Digital Millennium Copyright Act (DMCA) or its Australia equivalent. ISPs will quickly face demands for restrictions from a variety of interest groups – consider spam, hate speech, defamation, and illegal drugs sites among others. IP infringement is likely to be the first successor to initial content filtering – note that a requirement for filtering copyrighted material was proposed as a rider to the economic stimulus legislation recently passed in the U.S. ISPs, in short, will be converted to general-purpose watchdogs. The ease with which filtering can be accomplished will tempt interest groups to use it as a way of achieving their goals while minimizing debate or scrutiny. Moreover, ISPs are likely to face varying or inconsistent decisions based on the content at issue (which may be difficult to ascertain without reassembling all of the packets involved in a transaction). For example, U.S. ISPs confront a range of incentives or penalties depending on whether the content at issue infringes copyright, trademark law, bans on child pornography, defamation, or anti-spam statutes.

If faced with these demands to prevent access to content, ISPs may be overdeterred. The threat of liability may cause them to target questionable or even innocent content for blocking. Consider, for example, blog hosts or e-mail service providers in China. Research by the OpenNet Initiative and Rebecca MacKinnon, among others, shows both variation in filtering – suggesting uncertainty about the boundaries of proscribed content – and targeting of seemingly innocent keywords and phrases. In China, and elsewhere, ISPs must consider that failure to prevent access to banned material may lead to draconian or highly visible sanctions as an example to other, similarly situated entities.

Finally, tertiary effects from this role change are likely, but difficult to predict. Data retention efforts or mandates may increase, as governments seek to track who attempts to access banned pages in addition to blocking those efforts. Filtering may substitute for alternative enforcement regimes that are more effective. Consider that in New York, the state attorney general pushed major ISPs into dropping Usenet newsgroups over child pornography concerns while admitting that prosecuting those who produced and distributed the material was infeasible (though probably a more effective way to protect children). An impact on user privacy is nearly certain. ISPs may be required to detect the creation or publishing of banned content, and techniques such as deep packet inspection create risks that can chill communication. Filtering can undercut innovation: it may require blocking protocols such as BitTorrent, or peer-to-peer software more generally, or limiting encryption. It threatens to undercut the end-to-end principle central to the Internet’s design and thus the production of new communications technologies.

Finally, there is the Cylon problem: ISPs may have incentives to filter not just on our behalf, but on their own. For example, the Canadian provider Telus blocked access to the Web site of a labor group involved in an action against it. Similar concerns emerge from the network neutrality debates about ISPs favoring content from partners or subsidiaries. Detecting self-interested measures becomes more difficult in a system where blocking is ubiquitous and mandatory.

In conclusion, ISPs are ground zero in the filtering debate. They may be a necessary component of any blocking system due to the architecture of Australia’s network, but enrolling them as content regulators fundamentally changes the nature of the ISP and raises issues we must address before moving forward.

Spam’s basic problem is the same: our social norms of trust are at odds with the insecure foundations of e-mail. Put another way, both we and our e-mail systems are too trusting, and thus easily duped. Spam exploits the credulous (”If my friend forwarded this link, it must be OK!”) and the opportunistic (”Hey, free Anna Kournikova pictures!).

I still think we should do three things. First, e-mail just doesn’t work for communications that need security and the ability to authenticate senders. I proposed “safe mail” a few years back, and as with most academic ideas, it’s garnered almost as many supporters as Blagojevich for President. But it’s still a good approach. Second, ISPs need to think about rather paternalistic approaches (=URL blocking) in some cases, with opt-out for those willing to take informed risks. Think of this as mandatory StopBadware – when you try to connect to a spoofed or phishing site, you can’t. Finally, we need better defenses on our computers. Microsoft Vista tried for this, but its constant security warnings annoyed everyone without increasing security, leading to defensive ad campaigns rather than defensive computing.

Spam will always be around. It worries me, though, that our perception of its threat seems to be inversely proportional to the harm its payload carries…

Second, the claim that shifting to e-mail marketing would harm the environment – you know, all those servers and data centers – is laughable. First, snail mail and e-mail marketing increasingly target separate market niches – the former is particularly important for folks who don’t go on-line or have slow-speed connections. Second, while spam overall constitutes a large share of e-mail traffic, the marginal increase from this shift would not significantly affect costs. (Legitimate mail gets stored more often, as long as spam filters are well-working, but spam transport requests swamp legit messages.) And the cost of spam filters is pretty low: there are free software programs, and free Webmail services such as Gmail and Hotmail do a good job. If spam constitutes 90% of e-mail traffic (put aside the software industry self-interest in that stat), then doubling legitimate e-mail would only increase traffic about 10%. Hardly burdensome.

But I do agree with Critelli about how consumers actually behave. Let’s be plain: I am the problem here. When I first moved to Michigan in 2006, I had no idea how to find a dentist. Most of the recommendations I got were in Ann Arbor, and I lived a half-hour away from there. So how did I pick someone to make me feel guilty about not flossing? I got a solicitation in the mail. The dentist was covered by my dental plan; his dental assistants were very nice; and he was up-to-date on the newest tech and research. In my case, though, direct mail spam worked. And I think my experience is typical. I may not request the catalog, but I will still order from it. Unsolicited information can be valuable to consumers, and unsolicited advertising can be effective. I’ve long argued this is the real challenge of spam: not its cost structure, not defining consent or opt-in / opt-out, but the fact that it works often enough to make spamming viable financially.

So, I’ll still recycle most of the flyers and catalogs that I get here in Brooklyn, but if someone wants to send me stuff on the latest and greatest computer parts or SCUBA gear – even unasked-for – it’s possible I’ll give it a read.

In short, the new program allows corporations to set up Facebook pages where visitors who take certain actions can thereby trigger the sending of a “Social Ad” to their network of friends. Here is Facebook’s own explanation:

Facebook’s ad system serves Social Ads that combine social actions from your friends – such as a purchase of a product or review of a restaurant – with an advertiser’s message. This enables advertisers to deliver more tailored and relevant ads to Facebook users that now include information from their friends so they can make more informed decisions.

First of all, as the Wired blog Epicenter notes, one reason this may well backfire is that many will see this as an onslaught of “lots and lots of product-pushing app spam” — even though the ads are nominally triggered by friends.

Not only is it spammy for the recipients, but it’s privacy-invasive for the Facebook user — even for the social-network butterfly who generally shares lots and lots of information. Given its past obliviousness to users’ privacy concerns in the News feeds debacle, this second misstep is really surprising. (They were supposed to have “learned” from last time, when they admitted they “really messed up.”) But the press release unveiling Social Ads contains only this feeble, minimal anticipation of privacy objections:

No personally identifiable information is shared with an advertiser in creating a Social Ad. … Facebook has always empowered users to make choices about sharing their data, and with Facebook Ads we are extending that to marketing messages that appear on the site. Facebook users will only see Social Ads to the extent their friends are sharing information with them.

This misses the point completely, just as they did with News Feeds. It’s nice that they don’t hand over data to advertisers. But as Dan and the New York Times‘ Saul Hansell both point out, users are only asked in general if they want to share information, not if they want their name and picture to be featured in an ad for some product. Just as with News Feeds, consent to share is assumed to remain constant even when the nature of the sharing changes dramatically. And that may not just raise the ire of users once again, it may break the law too. Here’s why:

Privacy law, as it should, treats advertising uses differently from other uses. One of the four common-law privacy torts forbids “appropriation.” Specifically: “One who appropriates to his own use or benefit the name of likeness of another is subject to liability to the other for an invasion of his privacy.” (Restatement (Second) of Torts Section 652C) Even more significantly, several states including New York and California have statutory provisions that are similar. New York’s well-known statute creates both a misdemeanor and a civil cause of action for “[a]ny person whose name, portrait, picture, or voice is used within this state for advertising purposes or for the purposes of trade without the written consent first obtained.”

I don’t see how broad general consent to share one’s information translates into the specific written consent necessary for advertisers to use one’s name (and often picture) under this law. And the introduction of Facebook’s sales pitch about the program to advertisers leaves little doubt that individual users’ identities will be appropriated for the benefit of Facebook and advertisers alike:

Reach the right people.
Instead of creating an advertisement and hoping that it reaches the right customers, you can create a Facebook Social Ad and target it precisely to the audience you choose. The ads can also be shown to users whose friends have recently engaged with your Facebook Page or engaged with your website through Facebook Beacon. Social Ads are more likely to influence users when they appear next to a story about a friend’s interaction with your business. [emphasis added]

The famous 1902 case that led directly to adoption of the New York law (and eventually to the tort as well) involved a teenager whose picture was used without her consent on advertisements for flour. Look at the Facebook ads and see if they seem any different to you.

[UPDATE: I should have mentioned in the post the problem that many of these appropriation suits face -- damages. Maybe a case isn't worth bringing if you can't show you suffered real damages. The girl in the flour lawsuit alleged she needed medical attention for the illness caused by her humiliation. But that doesn't make it any less illegal...]

[UPDATE 2: Follow-up post here]

[UPDATE 3: Facebook has retreated somewhat in its new advertising plans after getting a lot of heat for them, but it's unclear whether their improved policy includes Social Ads.]

Here at Info/Law, we’ve got our spam tag over there on the right-hand side, and if you click it, you can see the half-dozen or so posts, some of them bearing only indirectly on the “spam problem,” that we have managed to cobble together between the three of us over the past year and a half. So apparently, at least among my Info/Law colleagues and myself, spam isn’t exactly a burning issue on the order of, say, privacy. Are we giving spam short shrift? Or is the issue really dropping off all of our collective radar screens?

It’s true that you still occasionally see stories in the news about how the estimated level of spam, as a percentage of all e-mail traffic, has crossed yet another seemingly absurd threshold; or how unwary Windows users are having their PCs hijacked and turned into spam-sending zombies. My general sense, however — based on absolutely no empirical evidence, I admit — is that a good deal of the wind has gone out of the sails of the anti-spam crusade; that this just isn’t a topic any more that really grabs people, that causes them to form coalitions or demand legislative action or file lawsuits or pen densely reasoned, meticulously footnoted scholarly articles as they once did.

I’ve been trying to come up with reasons for what I perceive to be the relative lack of public interest in the spam problem. This isn’t by any means meant to be an exhaustive list of possibilities — indeed, I’m quite certain that not all of them can simultaneously be true, and possibly none of them individually are, either. I’d love to hear any comments proposing alternative explanations (or disputing my overall perception that there has been a relative decline in interest in spam):

1. All hope is lost. We have tried everything, and nothing has worked. The flood of spam has risen to overwhelm all attempted countermeasures. State and federal anti-spam legislation has been ineffective. Blacklists, whitelists, challenge-and-response schemes, captchas, and other technical fixes haven’t gained traction outside the small community of tech-savvy users with the time and expertise necessary to configure and maintain them. On this view, there’s no point in debating the problem any more, because nothing we do in the future will work, either.
2. We lack the collective will to try the things that will really work. Here I’m thinking of some of the more radical proposals, like tampering with SMTP, or imposing micropostage (you can send e-mails only if you pay, say, $0.000001 each) or cryptographic-challenge (you can send e-mails only if your computer first computes a solution to some sort of simple equation) burdens on senders. The idea behind the latter sorts of proposals is that we want to target the million-at-a-time bulk e-mailers without also harming individual users, so we impose some sort of a burden that is inconsequential to “typical” users but becomes onerous as the quantity of sent mail increases to spammer levels. These seem to have, individually and collectively, gone nowhere, on the not unreasonable ground that we shouldn’t have to destroy the village in order to save it. On this view, the problem isn’t the inefficacy of the proposed solutions, but rather on the lack of collective willpower to do the hard work necessary to get them implemented. I suppose you could lump my own (widely, and likely justly, ignored) modest proposal (lawsuits to force the owners of zombified PCs to bear the costs they now impose on the rest of us by running {unpatched versions of,} Windows!) in with this category, too. On this view, unless there is some dramatic shift in public attitudes that creates a call for action and makes some of the now-unpalatable choices palatable, the problem doesn’t warrant further debate.
3. Good filters have reduced spam to the level of acceptable background noise. The debate about spam has abated because the problem is mostly gone. Organizational e-mail providers (corporations, universities, and the like), along with the big free (think: Gmail) and fee-based (think: Spamcop) providers have roughly kept pace with the spammers in the perpetual filtering arms race. The filters, on the whole, work, and they’re constantly learning and improving. Most of the spam that is sent is never delivered. Every now and then, one gets through, but when it does it’s more amusing than annoying. The era of people actually receiving and having to wade through 50-100+ spams a day is long past.
4. Spam isn’t annoying any more because the Internet is pervasively commercial. Unsolicited ads arriving in your in-box used to be cause for consternation in the Net’s idyllic, John Perry Barlow era (i.e., up through the mid-1990s). But now, unsolicited ads are everywhere you look. If you use a search engine, read a news site, or do any of the ordinary activities of daily life on the Web, you’re going to be reading advertisements (unless you’re one of that tiny subset of people who configure their browsers to refuse to load images from advertising servers or set up a proxy to filter them out). Ads are an unavoidable part of life now, so why should e-mail be any different? Nobody debates the spam problem any more because our normative expectations about what life “ought” to be like online have altered to incorporate a certain amount of spam.
5. D00D EMAIL IS TEH SUXX0R!!!1! LOL K THX. There’s a generational divide emerging, and many of the people who use the internet most heavily have turned to other channels — chat, instant messaging, social networking sites, etc. — to carry the communications that used to (and, for ladies and gentlemen of a certain age, still do) go through e-mail. On this view, spam is becoming a peripheral issue because e-mail is becoming a peripheral tool. (Or, to put it more cynically, concern over spam is decreasing because the spammers have succeeded in driving people away from e-mail.)
6. The battle has been won! Federal and state legislation has succeeded in driving the worst of the worst (the graphic porn spams) offline. All the big spammers are in jail; it was really only 10 guys in Florida anyway. People are becoming more educated and well able to protect themselves online, so spam is becoming less profitable and therefore more rare. This Panglossian explanation is obviously the one about which I’m the most skeptical, but there are a few data points you could marshal in support, ranging from the occasional high-profile convictions of spammers to new government anti-phishing education campaigns.

Am I way off base in thinking that people are growing less interested in spam as a policy issue? Should it be dropped from the cyberlaw curriculum?

Until recently, the same was not true for info/law issues. The problems were often seen as based almost entirely on some combination of legal regulation and technological architecture. Tech companies were regarded as ideals by many socially responsible investors — they had low environmental impacts, typically they had progressive employment policies and benefits, and their supply chains did not involve the sorts of entanglements with corrupt regimes and human rights problems that beset industries from oil to global agriculture.

Until recently, I said. Then came this and this and this, and lots more of the same sort.

We already heard long ago from Larry Lessig about the regulatory role of markets in info/law, and from James Boyle promoting an ethos of “cultural environmentalism” that learned lessons from the success and struggle of the environmental movement. And now, at last, there are signs of serious attention to the role of corporations and their investors in preserving values such as privacy, data security, free speech, and open access to content.

As Derek noted previously in this space, an industry-wide initiative is forming to help companies develop ethical business standards for promoting free expression and privacy online. The Berkman Center is one of the leaders of the effort, along with a wide range of investors, civil society groups, academic institutions, and, of course, companies operating in this space. One of the investors really thinking about these issues is F&C Asset Management, a London-based manager of over $200 billion. The F&C Governance & Sustainable Investment Team recently released a thoughtful report directed at managers in companies who need to think about access, security, and privacy issues in the digital environment. [Disclosure: my wife works on the F&C GSI Team, though she wasn't really involved in this report.] Because it’s written on behalf of investors and directed at corporate managers, its tone is different from some of the advocacy you see elsewhere — which is exactly the point. Investor dialogue will be one of the keys to helping companies contribute to solutions in these areas. Law is important too, but not the only component. We are learning, once again, from environmentalism.

I’m starting to believe that these baleful spam statistics can be viewed in the same way that Mark Twain saw the weather: everyone complains about it, but no one does anything about it. This has two aspects. First, spam is increasingly a force beyond the control of Internet users or sovereign states; it’s easily manufactured given the way Internet e-mail works and it’s quite difficult to stop or alter. Second, we all whine about it, but spam isn’t the catastrophe that technical experts (and me) thought it would be. For most users, it’s a manageable irritant.

My take on this remains the same: spam persists because it’s a guilty pleasure. It provides useful for information for consumers, even if that’s just a small minority of consumers. There are some scary studies on this – spam’s rate of success is well above what’s necessary for it to justify the costs of sending it. I think we need to re-evaluate spam. Believing that it is pure evil blinds us to the root cause of the problem: some people benefit from spam. Until we think hard about that information value, and how to deal with it, we’re still going to be getting helpful impotence remedy pitches in our inboxes.

Update: The New York Times covers the story, noting both the technological challenges (botnets, image spam) and the economic ones (”pump and dump” stock, citing Jonathan Zittrain’s brilliant research, and the increasing cost of prevention). Stock touting spam takes away one of the anti-spam tools I like best: Web site redirection and blackholing. On the other hand, I’m skeptical of the Times‘ anecdote regarding the Mariners: I’d guess the deluge of e-mail is from fans who are complaining about the signing of Adrian Beltre.

The story dissected the threat posed by splogs (and link farms and comment spam and the like) to the vitality of the interactive internet (what some people persist in calling “Web 2.0” –although the New York Times now confusingly says that the “semantic web” is “Web 3.0″!). These are familiar nusiances to blog writers and readers, but the Wired treatment was one of the best general-readership summaries of the problem I had seen. As the article explains:

[S]ploggers and other Web spammers make most of their money by getting viewers to click on ads that run adjacent to their nonsensical text. Web page owners – the spammer, in this case – get paid by the advertiser every time someone clicks on an ad. … Because the ad money is effectively available only to Web sites that appear in the first page or two of search results, spammers devote enormous efforts to gaming Google, Yahoo, and their ilk. Search engines rank Web sites in large part by counting the number of other sites that link to them, assigning higher placement in results to sites popular enough to be referred to by many others. To mimic this popularity, spammers create bogus networks of interconnected sites called link farms.

The story (worth reading despite the serious objection I am about to discuss) reviews various economic and technological approaches for dealing with the problem, particularly captchas and various automated filtering approaches such as Akismet. Author Mann quotes observers like David Sifry of Technorati and WordPress (and Akismet) developer Matt Mullenweg, who (1) acknowledge that there will be a bit of a technological “arms race” against the sploggers but (2) consider that effort to be the price we pay for an open, distributed, interactive, user-centered network — for, in other words, a “generative internet” (an important concept from Jonathan Zittrain that I have discussed here, here, and here).

Then, four paragraphs from the end of the not-short article, after all the discussion of these technological fixes, Mann suddenly becomes dispirited and closes with an apparent endorsement of the alternative path laid out by Six Apart executive Anil Dash. According to Dash, “the spammers are too good” and we cannot “muddle through” with such technological fixes. Instead:

Ultimately, [Dash] thinks, “the solution is going to be accountability…” [T]here will have to be some kind of global identifier – an Internet Social Security number, so to speak. Everyone could select a personal URL, he says, such as their blog address. Dash concedes that such global identifiers would alarm privacy activists. But the other solutions are even worse…

“Alarmed” is not quite the word for my reaction when this heretofore sensible discussion about technological fixes concluded abruptly, blithely, and without any exploration, by saying more or less: Oh well, no more online anonymous speech I guess. The End.

There are serious and genuine threats posed by the openness of distributed network architecture. I am not denying those threats. But there also seem to be some pretty good solutions out there, getting better all the time. They are not perfect, but they appear sufficient to allow for much of the functionality we seek. Advocates of mandatory authenticated identity think they have a better solution, but I just don’t see it.

The evident benefits of online anonymity (including pseudonynity) range from matters of life and death (e.g. political dissidents speaking out in repressive regimes) to individual self-expression and communication (e.g. open and frank discussions about sensitive topics such as politics, religion, sex, or health) to convenience and data privacy (e.g. using psudonyms to avoid data mining — or at least direct the resultant marketing to a web mail account maintained for the purpose). These are not to be dismissed lightly.

Maybe — maybe — I might be less “alarmed” if I believed this sort of accountability would really work. But it can represent an improvement over the current arms race only if it is implemented by technology that cannot be gamed by all these devious sploggers and spammers. Leave any scope for remaining anonymous and the bad guys will exploit it. Then we’ll have the same arms race played out with different weapons, while at the same time making anonymity even harder to obtain for average internet users. You have to be skeptical, at the design level, that we can build perfect identity technology any more easily than we can build perfect filtering technology or perfect captchas.

Even more than my disagreement with the substance of the conclusion, though, I was infuriated by its glibness. This was a perfect example of an all-too-typical attitude among certain types of techies. They see anonymity as, at most, a nice extra, but not fundamental to what makes the internet wonderful. At least I could respect a sober analysis of costs and benefits that acknowledges the importance of anonymity. Too often one encounters this sort of gearheaded tunnel vision instead.