1. It was a technical mistake;
2. Change.org was spamming ASU; and
3. ASU needs to “protect the use of our limited and valuable network resources for legitimate academic, research and administrative uses.”

#1 and #2 run together. If spam is the problem, you don’t need to block access to the Web site. However, if you are concerned that students are going to read the petition, and sign it, you do need to block access to the Web site.

For #2, sorry, ASU, this isn’t spam. Spam is unsolicited bulk commercial e-mail. Change.org is, allegedly, sending unsolicited political e-mail. And that’s protected by the First Amendment – see, for example, the Virginia Supreme Court’s analysis of that state’s anti-spam law that covered political messages. Potential political spammers have a sharp disincentive to fill recipient’s inboxes – it’s a sure-fire way to annoy them into opposing your position.

For #3, ASU doesn’t get to determine what academic and research uses are “legitimate.” If they throttle P2P apps, that’s fine. If they limit file sizes for attachments, no problem. But deciding that the message from Change.org is not “legitimate” is classic, and unconstitutional, viewpoint discrimination.

This looks like censorship. I think it’s more likely to be stupidity: someone in ASU’s IT department decided to block these messages as spam, and to filter outbound Web requests to the site contained within those messages. But: with great power over the network comes great responsibility. Well-intentioned constitutional violations are still unlawful. It would also help if ASU’s spokesperson simply admitted the mistake rather than engaging in idiotic justification.

As I mention in Orwell’s Armchair, public actors are increasingly important sources of Internet access. But when ASU and other public universities take on the role of ISP, they need to remember that they are not AOL: their technical decisions are constrained not merely by tech resources, but by our commitment to free speech. Let’s hope the Sun Devils cool off on the filtering…

Cross-posted at Concurring Opinions.

This is why piracy is a helpful pointer: it tells us what channels consumers want to use to access content. Sometimes this is just displacement of lawful consumption, as when college students with copious disposable income download songs via BitTorrent, but sometimes it indicates an unaddressed market niche (as with me and the baseball playoffs). To paraphrase Thomas Jefferson, I think a little bit of infringement now and again is a good thing. It is only when there is a viable threat in a new medium that existing players innovate – or cut deals with those who do. In that regard, even if SOPA and PROTECT IP are effective at reducing infringement, we might not want them.

Cross-posted at Concurring Opinions.

Now that the European Union’s member states are flailing around attempting to implement their miserable cookie directive, the European Commission has decided it’s a good time to retard the Internet some more.

Today the European Commission will release an already-leaked new version of the Data Protection Directive which firmly establishes a European right to data erasure, or “right to be forgotten.” Article 17 will give EU residents an unprecedented inalienable right to control and delete facts that were once voluntarily communicated by the subject. Moreover, the right to erasure covers all publications of the personal information. As the preamble explains:

To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that any publicly available copies or replications in websites and search engines should also be deleted by the controller who has made the information public.

The European Commission’s Vice President for Justice has clarified that the data deletion rule applies even to information that the data subject communicates herself on a public web forum like Facebook.

The right to be forgotten supposedly has some limits:

However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for exercising the right of freedom of expression, when required by law, or where there is a reason to restrict the processing of the data instead of erasing them.

But this exception is undermined both by the necessity language (when, exactly, is a single factum “necessary” for history or expression?) and by the downright draconian fines that are imposed for noncompliance. Article 79 instructs EU authorities to collect 1% of an enterprise’s annual revenue in fines for failure to comply with the right to be forgotten.

I am disappointed, but not surprised, to see the EU continue a misguided attack on the information economy. The right to be forgotten unequivocally favors the interests of the data subject, no matter how selfishly motivated, over the interests of data controllers and other consumers. Moreover, by making the right of erasure inalienable, the EU prevents its own citizens from participating in a business model that allows consumers to trade their information for stuff they want—convenience, discounts, or content. EU residents have no unencumbered information to sell.

The popular understanding in U.S. privacy discourse is that the EU does a better job protecting consumers from big corporations than the U.S. On the surface this looks right—after all, the regulations speak almost exclusively of “rights” granted to consumers, and almost exclusively of “obligations” imposed on business entities. But on closer inspection, Europe’s approach to information privacy is more emblematic of a desire to hold technology fixed, as if the amount of information people had about one another just before the advent of the Internet was the right amount for some reason. Sooner or later, the policies motivating the EU Data Protection Directive will prove to be counter-productive and regressive. The negative right against automated processing is a good example:

Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing.

Article 20 gives every EU resident has an absolute right to stop a company from using predictive analytics concerning employment, creditworthiness, or health decisions. (These examples come straight from the text of the new regulations.) This sounds like a good deal for data subjects until one thinks for a moment about who the local losers would be. There are two possibilities. The opt-out might create a market for lemons where the person’s decision to opt out serves as a reliable signal of some sort of problem. This quite obviously cuts against the goals of the opt-out right.  Alternatively, opt-outs will simply muddy the predictive models for everybody. Credit, for example, will be extended to applicants who are slightly more likely to default. The lower income applicants who might have looked more were creditworthy in comparison will pay higher interest rates, if credit is extended at all. Hooray.

Allegedly, one of the motivations for amending the directive is to make consumers feel more comfortable with e-commerce.

Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe.

Complete and utter hogwash. And it’s old hogwash, too. Consumer mistrust and timidity has been trotted out as a threat to e-commerce for as long as there have been public opinion surveys about the Internet. The theory refuses to die despite ample evidence to the contrary.  Now I am not suggesting that everything consumers do is per se good for them; law can and should occasionally force producers and service providers to take precautions that consumers would not choose to pay for if they could help it.  Information asymmetries and optimism bias are among the justifications. But the claim that consumers are shying away from Internet commerce and services does not comport with actual consumer behavior.

Google and other major Internet companies might want to start coordinating a protest similar to the effective campaign we saw here in the states in response to SOPA. If Google makes every person with the first name “John” ungoogleable for a day, and if online retailers refuse to access cookie data for a day, and if content providers double the amount of advertising for a day, pressure can build before the Directive comes to a vote.

For European Internet users, the deal is getting worse all the time. Pray the European Commissioners don’t alter it any further.

UPDATED: The draft that was released today is modified from the late November draft I used for my original post. The right to be forgotten is now found in Article 17, the right to object to processing is contained in Articles 19 and 20, and the Article 79 fines have been lowered from 3% to 1% of annual global revenues. I have edited this post accordingly. Here is the current draft.

Cybersecurity is a conundrum. Despite a decade of sustained attention from scholars, legislators, military officials, popular media, and successive presidential administrations, little if any progress has been made in augmenting Internet security. Current scholarship on cybersecurity is bound to ill-fitting doctrinal models. It addresses cybersecurity based upon identification of actors and intent, arguing that inherent defects in the Internet’s architecture must be remedied to enable attribution. These proposals, if adopted, would badly damage the Internet’s generative capacity for innovation. Drawing upon scholarship in economics, animal behavior, and mathematics, this Article takes a radical new path, offering a theoretical model oriented around information, in distinction to the near-obsession with technical infrastructure demonstrated by other models. It posits a regulatory focus on access and alteration of data, and on guaranteeing its integrity. Counterintuitively, it suggests that creating inefficient storage and connectivity best protects user capabilities to access and alter information, but this necessitates difficult tradeoffs with preventing unauthorized interaction with data. The Article outlines how to implement inefficient information storage and connectivity through legislation. Lastly, it describes the stakes in cybersecurity debates: adopting current scholarly approaches jeopardizes not only the Internet’s generative architecture, but also key normative commitments to free expression on-line.

Conundrum, 96 Minn. L. Rev. 584 (2011).
Cross-posted at Concurring Opinions.

Scalia’s theory is basically Katz (reasonable expectation of privacy) plus trespass. For Scalia, the conduct in Jones – law enforcement attaching a GPS transmitter to Jones’s car, and then tracking its movements – is a search because “The Government physically occupied private property for the purpose of obtaining information.” But, that’s not quite precise enough: the key is that the government must “physically intrud[e] on a constitutionally protected area.” (emphasis mine) The tricky part, naturally, is deciding what counts as such an area. Scalia disposes of Oliver (the open fields case) by emphasizing that a field “is not one of those protected areas enumerated in the Fourth Amendment.” Katz is still around for “Situations involving merely the transmission of electronic signals without trespass.”

Scalia thus wants to create magic places: spots where any governmental intrusion, with any physicality, is a search. The home is certainly such a place (see Kyllo) – Jane Yakowitz pointed out to me that this has to explain why the Court took cert in Florida v. Jardines, when we already have Caballes and Place on the books. Determining which places are magic is hard. It’s here that Scalia’s originalism does its work: Scalia wants to apply the understanding and expectations from 1791 to sort places into protected/magic and unprotected.

Alito thinks this is rubbish: his footnote 3 openly makes fun of Scalia’s contention that we can analogize the Jones facts to a constable hiding in a coach (“this would have required either a gigantic coach, a very tiny constable, or both”). His method would instead simply apply the Katz reasonable expectation of privacy test, which he rightly points out is more consonant with the Court’s jurisprudence since its rejection of the physical trespass test set out in Olmstead. This approach looks analytically cleaner, although Alito forthrightly acknowledges the circularity inherent in the reasonable expectations test – expectations derive from the law, in addition to driving it. And, of course, there is the one-way ratchet worry: the government can reduce our reasonable expectations of privacy by abusing our privacy.

Alito, though, proceeds to mess up a previously tidy picture by inventing two new considerations for Fourth Amendment analysis: the duration of the information-gathering (such as GPS tracking), and the severity of the crime. Scalia rightly smacks Alito around for this, as he fails to ground this analysis in anything remotely resembling precedent. At best, this is judicial activism, and at worst, it’s an invitation for a wave of new cases where the government tests boundaries and magnifies the threat posed by those surveilled.

I like Scalia’s approach much better. It sets out clearly that there are some spaces that get heightened privacy protection: we don’t have to engage in the weighing involved in the reasonable expectations test, so it’s cheaper, and there won’t be instances where judges decide that in fact society is willing to permit certain observations in the home, for example. Scalia’s approach is a firewall: it offers a redoubt for privacy. And, it maintains the viability of Katz in other instances. Alito’s two additional considerations point towards the worry that makes me prefer Scalia. Imagine observation of the interior of a home – say, using tiny drones – that would clearly constitute a search under the magic places theory. If the observation is fairly short, or if the crime involved is serious (drug smuggling, terrorism, child pornography), Alito’s analysis would find that there isn’t a search, and hence no need for a warrant. Scalia’s approach always forces the cops to get a warrant. That reassures me.

There are two issues that neither Alito nor Scalia deals with, although to her credit Justice Sonia Sotomayor tackles both: pervasive surveillance, and cloud computing. Pervasive surveillance involves the government’s increasing capabilities to deploy low-cost observation technology – everything from traffic cameras to facial recognition technology – and to store, index, and analyze the resulting torrent of data. Cloud computing involves the shift from maintaining information on devices we control to storing it on devices controlled by Google or Apple or Amazon. The former presents the mosaic theory that the D.C. Circuit endorsed in its opinion in Jones. The latter invites us to re-visit the third party doctrine, whereby one loses any reasonable expectation of privacy if one turns over data to someone else (unless that someone is, say, a priest or lawyer). One failing of the two major opinions in Jones is that they fail to provide any guide for how the Court thinks about these issues – other than to hope mightily that Congress will take care of it for them.

I like Scalia’s hybrid with its magic places. What our privacy rights are when we venture outside the castle walls is a topic the court reserves for another day.

Cross-posted at Concurring Opinions.

I argue in a forthcoming paper, Conundrum, that cybersecurity can only be understood as an information problem. Conundrum posits that, if we’re worried about ensuring access to critical information on-line, we should make the Net less efficient – building in redundancy. But for cybersecurity, information is like the porridge in Goldilocks: you can’t have too much or too little. For example, there was recent panic that a water pump burnout in Illinois was the work of cyberterrorists. It turned out that it was actually the work of a contractor for the utility who happened to be vacationing in Russia. (This is what you get for actually answering your pager.)

The “too little” problem can be described via two examples. First, prior to the attacks of September 11, 2001, the government had information about some of the hijackers, but was impeded by lack of information-sharing and by IT systems that made such sharing difficult. Second, denial of service attacks prevent Internet users from reaching sites they seek – a tactic perfected by Anonymous. The problem is the same: needed information is unavailable. I think the solution, as described in Conundrum, is:

increasing the inefficiency with which information is stored. The positive aspects of both access to and alteration of data emphasize the need to ensure that authorized users can reach, and modify, information. This is more likely to occur when users can reach data at multiple locations, both because it increases attackers’ difficulty in blocking their attempts, and because it provides fallback options if a given copy is not available. In short, data should reside in many places.

But there is also the “too much” problem. This is exemplified by the water pump fiasco: after 9/11, the federal government, including the Department of Homeland Security, began a massive information-sharing effort, such as through Fusion Centers. The difficulty is that the Fusion Centers, and other DHS projects, are simply firehosing information onto companies who constitute “critical infrastructure.” Much of this information is repetitive or simply wrong – as with the water pump report. Bad information can be worse than none at all: it distracts critical infrastructure operators, breeds mistrust, and consumes scarce security resources. The pendulum has swung too far the other way: from undersharing to oversharing. Finding the “just right” solution is impossible; this is a dynamic environment with constantly changing threats. But the government hasn’t yet made the effort to synthesize and analyze information before sounding the alarm. It must, or we will pay the price of either false alarms, or missed ones.

(A side note: I don’t put much stock in which federal agency takes the lead on cybersecurity – there are proposals for the Department of Defense, or the Department of Energy, among others – but why has the Obama administration delegated responsibility to DHS? Having the TSA set Internet policy hardly seems sensible. Beware of Web-based snow globes!)

Cross-posted at Concurring Opinions.

Censorship is on the march, in democracies as well as dictatorships. With this movement we see, finally, the death of the American myth of free speech exceptionalism. We have viewed ourselves as qualitatively different – as defenders of unfettered expression. We are not. Even without SOPA and PROTECT IP, we are seizing domain names, filtering municipal wi-fi, and using funding to leverage colleges and universities to filter P2P. The reasons for American Internet censorship differ from those of France, South Korea, or China. The mechanism of restriction does not. It is time for us to be honest: America, too, censors. I think we can, and should, defend the legitimacy of our restrictions – the fight on-line and in Congress and in the media shows how we differ from China – but we need to stop pretending there is an easy line to be drawn between blocking human rights sites and blocking Rojadirecta or Dajaz1.

Cross-posted at <a href="Today, you can't get to The Oatmeal, or Dinosaur Comics, or XKCD, or (less importantly) Wikipedia. The sites have gone dark to protest the Stop Online Piracy Act (SOPA) and the PROTECT IP Act, America’s attempt to censor the Internet to reduce copyright infringement. This is part of a remarkable, distributed, coordinated protest effort, both online and in realspace (I saw my colleague and friend Jonathan Askin headed to protest outside the offices of Senators Charles Schumer and Kirstin Gillibrand). Many of the protesters argue that America is headed in the direction of authoritarian states such as China, Iran, and Bahrain in censoring the Net. The problem, though, is that America is not alone: most Western democracies are censoring the Internet. Britain does it for child pornography. France: hate speech. The EU is debating a proposal to allow “flagging” of objectionable content for ISPs to ban. Australia’s ISPs are engaging in pre-emptive censorship to prevent even worse legislation from passing. India wants Facebook, Google, and other online platforms to remove any content the government finds problematic.

Censorship is on the march, in democracies as well as dictatorships. With this movement we see, finally, the death of the American myth of free speech exceptionalism. We have viewed ourselves as qualitatively different – as defenders of unfettered expression. We are not. Even without SOPA and PROTECT IP, we are seizing domain names, filtering municipal wi-fi, and using funding to leverage colleges and universities to filter P2P. The reasons for American Internet censorship differ from those of France, South Korea, or China. The mechanism of restriction does not. It is time for us to be honest: America, too, censors. I think we can, and should, defend the legitimacy of our restrictions – the fight on-line and in Congress and in the media shows how we differ from China – but we need to stop pretending there is an easy line to be drawn between blocking human rights sites and blocking Rojadirecta or Dajaz1.

Cross-posted at Concurring Opinions.

Speaking of exciting developments, it appears that the Stop Online Piracy Act (SOPA) is dead, at least for now. House Majority Leader Eric Cantor has said that the bill will not move forward until there is a consensus position on it, which is to say, never. Media sources credit the Obama administration’s opposition to some of the more noxious parts of SOPA, such as its DNSSEC-killing filtering provisions, and also the tech community’s efforts to raise awareness. (Techdirt’s Mike Masnick has been working overtime in reporting on SOPA; Wikipedia and Reddit are adopting a blackout to draw attention; even the New York City techies are holding a demonstration in front of the offices of Senators Kirstin Gillibrand and Charles Schumer. Schumer has been bailing water on the SOPA front after one of his staffers told a local entrepreneur that the senator supports Internet censorship. Props for candor.) I think the Obama administration’s lack of enthusiasm for the bill is important, but I suspect that a crowded legislative calendar is also playing a significant role.

Of course, the PROTECT IP Act is still floating around the Senate. It’s less worse than SOPA, in the same way that Transformers 2 is less worse than Transformers 3. (You still might want to see what else Netflix has available.) And sponsor Senator Patrick Leahy has suggested that the DNS filtering provisions of the bill be studied – after the legislation is passed. It’s much more efficient, legislatively, to regulate first and then see if it will be effective. A more cynical view is that Senator Leahy’s move is a public relations tactic designed to undercut the opposition, but no one wants to say so to his face.

I am not opposed to Internet censorship in all situations, which means I am often lonely at tech-related events. But these bills have significant flaws. They threaten to badly weaken cybersecurity, an area that is purportedly a national priority (and has been for 15 years). They claim to address a major threat to IP rightsholders despite the complete lack of data that the threat is anything other than chimerical. They provide scant procedural protections for accused infringers, and confer extraordinary power on private rightsholders – power that will, inevitably, be abused. And they reflect a significant public choice imbalance in how IP and Internet policy is made in the United States.

Surprisingly, the Obama administration has it about right: we shouldn’t reject Internet censorship as a regulatory mechanism out of hand, but we should be wary of it. This isn’t the last stage of this debate – like Wesley in The Princess Bride, SOPA-like legislation is only mostly dead. (And, if you don’t like the Obama administration’s position today, just wait a day or two.)

Cross-posted at Concurring Opinions.

There are two additional, disturbing developments. First, the public choice problems that Jessica Litman identifies with copyright legislation more generally are manifestly evident in SOPA: Rep. Lamar Smith, the SOPA sponsor, gets more campaign donations from the TV / movie / music industries than any other source. He’s not the only one. These bills are rent-seeking by politically powerful industries; those campaign donations are hardly altruistic. The 99% – the people who use the Internet – don’t get a seat at the bargaining table when these bills are drafted, negotiated, and pushed forward.

Second, representatives such as Mel Watt and Maxine Waters have not only admitted to ignorance about how the Internet works, but have been proud of that fact. They’ve been dismissive of technical experts such as Vint Cerf – he’s only the father of TCP/IP – and folks such as Steve King of Iowa can’t even be bothered to pay attention to debate over the bill. I don’t mind that our Congresspeople are not knowledgeable about every subject they must consider – there are simply too many – but I am both concerned and offended that legislators like Watt and Waters are proud of being fools. This is what breeds inattention to serious cybersecurity problems while lawmakers freak out over terrorists on Twitter. (If I could have one wish for Christmas, it would be that every terrorist would use Twitter. The number of Navy SEALs following them would be… sizeable.) It is worrisome when our lawmakers not only don’t know how their proposals will affect the most important communications platform in human history, but overtly don’t care. Ignorance is not bliss, it is embarrassment.

Cross-posted at Prawfsblawg.