Video: Hacking Revenge Porn

The video from the NYC Legal Hackers event on Revenge Porn is now available. Props to Jonathan Askin, Phil Weiss, David Giller, Warren Allen, Mark Jaffe, Lee Rowland, Ari Waldman, and Jeremy Glickman for a fantastic event. And thanks so much to everyone who braved the (blinding, driving) snow to attend! It was wonderful to catch up with so many friends.

Hacking Revenge Porn

I’ll be back in Brooklyn on Thursday, to take part in a fantastic NYC Legal Hackers session on revenge porn. I’m excited to hear from and learn from Lee Rowland, Mark Jaffe, and Ari Waldman. And, I’m really grateful to Phil Weiss, Jonathan Askin, David Giller, and the brilliant Legal Hackers team for this event. Come hang out in DUMBO and help us think about this problem. (Hint: I think copyright is the solution.)

Shark Tanks and Cybersecurity

It’s the most wonderful time of the year… for data breaches. Target may have compromised as many as 40 million credit and debit cards used by shoppers in their stores. What liability will they face?

At George Mason’s excellent workshop on cybersecurity, there was a spirited debate over the mechanisms of enforcing security standards. (This in large measure derives from Woody Hartzog and Dan Solove’s excellent paper on the FTC’s enforcement work, which they analogize to the development of the common law in tort, among other areas.) Those who criticize the FTC prefer, generally, the use of tort to regulate cybersecurity. And, their critique often accuses the FTC of neglecting to consider the offsetting consumer benefits of failing to invest in cybersecurity (15 USC 45(n)). I think those arguments are profoundly misguided. Here’s why:

Imagine you go to Whole Foods. You’re walking down the aisle with exotic shade-grown turtle-harvested coffee and notice that, in the middle of it, there’s an open pit that is filled with water and man-eating sharks. People are carefully edging around it; a few teeter on the edge, causing the sharks to circle faster, but they recover and make it past. So, as best you can tell, no one has yet been harmed by the shark pit in the middle of the grocery aisle. And, admittedly, kids in the store are fascinated by the sharks, providing them valuable entertainment while their parents overspend. Should Whole Foods be liable for the shark pit?

This is the flaw with tort regulation, and with the balancing test for the FTC’s Section 5 enforcement of cybersecurity. If there’s a data spill, plaintiffs have to wait until something bad happens – until there’s identity theft, or financial fraud, or some other definite harm – to sue. Without that, they lack standing: there’s no concrete harm to redress. And even with that harm, the plaintiffs are going to have a tough time proving causation: did the spill lead to the identity theft? How do they know? More important, how can they demonstrate it sufficient to overcome a motion to dismiss? The dirty secret is that tort doctrine is a dismal failure for redressing cybersecurity breaches. On every element of a claim – duty, breach, harm, causation – a court can (and almost always does) find a failure of proof. Even utter incompetence – not changing default passwords, for example – usually doesn’t lead to liability. Tort simply doesn’t work. Anyone arguing for it seriously is going to have to advocate for doctrinal change, not just using the standard causes of action. Similarly, claims that there isn’t any provable harm from cybersecurity breaches assume two things: one, that hackers are systematically stupid and irrational (apparently they spend time breaking in to corporate databases and then utterly fail to exploit the information they gain), and two, there’s simply no connection between spills of given people’s data and resulting identity theft, fraud, spearphishing, etc. Even if you’re ready to believe six impossible things before breakfast, this is a stretch.

The second part – the tradeoffs – is nearly as ridiculous. Sure, consumers may benefit a bit from companies that don’t employ cybersecurity precautions: perhaps prices are just a bit less. But I’d also benefit in the same way from pharmaceuticals with no clinical trials, or airlines with no NTSB or FAA regulation. That’s an argument against regulation at all, rather than a tradeoff. Given the massive information asymmetries that pervade cybersecurity, the idea of evaluating the benefits of insecurity, on behalf of consumers, is silly. The kids may well enjoy seeing the sharks in the open pit in the middle of the aisle. Perhaps we ought to factor that into the analysis of whether Whole Foods gets to have the James Bond-esque shark trap in the store. But I think that stretches utilitarianism to the point of ridicule. It’s not just that I don’t think having a slightly cheaper ride on The Mangler at the carnival is a poor trade-off, given how hard it is to inspect safety or to hold a judgment-proof vendor accountable. It’s that we don’t want The Mangler to exist in the first place.

There’s a lot of resistance to regulating cybersecurity. The trouble is that these arguments are typically Panglossian: this is the best of all possible worlds, and additional legal strictures would simply make things worse for everyone. The benefit is that these positions are often risible on inspection. Unless, of course, you like the prospect of shark attack during grocery shopping.

Draft Legislation for Protecting Intimate Media

In Exposed, I argue for expanding copyright protection to protect intimate media and to treat unauthorized performance, distribution, or display of such works (as with revenge porn) as infringement. I have drafted model legislation, the SHARE IT Media Act, for the proposal – forcing oneself to put together statutory language for a policy proposal imposes very helpful discipline, and I’ve made some changes to the paper as a result. I would welcome thoughts and feedback on the draft language.

AALS Advice

I’ve just returned from the AALS Faculty Recruitment Conference – universally known as the “meat market” – in Washington, D.C. Arizona is fortunate enough to be hiring this year, and we met some terrific candidates. There’s a wealth of advice out there for entry-level candidates, but I thought I would share three quick things that struck me after two days sitting in a slightly dingy hotel room asking the same questions of person after person:

  1. Remember, always, that it’s a conversation – The goal is to have an engaging give-and-take with your interlocutors. That means being ready to hold up your end of the conversation and, critically, not turning it into a monologue. I was quite surprised by the number of candidates who talked for 8 or 10 or 12 minutes straight, even when the body language of the committee suggested the person needed to bring their bit to a close. Everyone is nervous and wants to make a good impression, but self-awareness is absolutely vital. The committee has a certain set of things they need to get through – your research agenda, extant scholarship, teaching package, etc. – and 25 minutes, tops, to do so. You have to play your part: have a 2-3 minute bit on your research agenda and a 2-minute version of your job talk. Practice them until they’re set pieces. And, if you notice yourself talking for more than a few minutes straight (you absolutely have to pay attention to time here): STOP. Finish your sentence and cease speaking. We all have The Talker on our faculty, and we all (except The Talker) want to avoid hiring a younger version of that person. I can’t overemphasize this point.
  2. Know the flaws of your work – We asked candidates to give us their job talk papers before the meat market, and spent about half the interviews talking about them with candidates. If you’re going on the market, give your draft piece – in whatever stage it’s in – to people in your field who will give you candid criticism. I do mean criticism here: ask them specifically for the flaws or weaknesses in the paper. Listen carefully to their answers. Develop responses. Hopefully you can work these into the piece itself, but if you don’t have time, or if they’re difficult to work around, be ready with verbal responses that acknowledge the point and show how you can handle it thoughtfully. Appointments committees are like velociraptors when it comes to papers: they are built to detect weakness and pounce on it. Whatever the problems in your work, they will find them, expose them, and expect you to respond to them. You must have convincing answers: “I’ll have to think about that and get back to you” is death. I think Arizona’s faculty is unusually good in going straight to the heart of a paper and finding the difficulties with it (or, perhaps, it’s no great feat to find the woes in my work), but I also believe we’re not the only ones who do this. This weekend, I was surprised at the number of people who had not thought much about fairly evident difficulties with their work. Be ruthless in figuring out where your article’s weaknesses are.
  3. It’s not personal – Failing to get a callback feels terrible. It feels like a judgment of  your intellect, work, and even self-worth. It’s often not, though. Maybe the committee couldn’t agree on who to bring back for IP and so they don’t bring anyone. Maybe you’re up against the next Cass Sunstein and Richard Posner, and the school can only offer 2 slots. Maybe the committee decided the need for Torts outweighs the need in your area. Perhaps the university pulled the funding for a line. Or maybe your paper critiques the hiring chair’s former roommate’s brother’s work. So, sometimes it will be that you didn’t have a good interview, or failed to make a good impression. Many times, though, it’s a congeries of other factors that are completely out of your control. I hope that’s some comfort, although I don’t want to downplay the emotional toll of the hiring process.

The meat market is a tough experience. I hope these pointers can help a little bit.

The Data Speaks: A Closer Look at Gun Violence

This Thursday (October 17, 2013), Stanford Law professor John Donohue III will give a public lecture at the University of Arizona James E. Rogers College of Law on “The Data Speaks: A Closer Look at Gun Violence.” Donohue is the leading expert on empirical analysis of gun violence; his talk is the inaugural event for the College of Law’s QuantLaw program (headed by our own Jane Bambauer). You can register for the event on-line, and you can also learn more about QuantLaw. Here’s some additional information about Professor Donohue’s talk:

Stanford Law Professor John Donohue III has conducted large-scale statistical studies of gun violence and the impact of various laws and policies and is frequently sought after for his expertise and analysis of the problem. After the shootings of former Arizona Congresswoman Gabrielle Giffords and 18 others in 2011, he was invited by the New York Times to write an editorial on reducing gun violence.

Registration is required for this event. Visitor parking is available for a fee at several parking garages near campus. A visitor parking map is available here . Professor Donohue’s lecture is the inaugural event of Arizona Law’s QuantLaw Program, offering a variety of classes and opportunities for data-driven research on social, scientific, and legal issues.

Copyright, Sexting, and Revenge Porn: What Law Should Do

California has a new law criminalizing certain forms of revenge porn. I’ve been publicly skeptical about it. What do I propose instead?

As I suggested in an earlier post, I think copyright law offers a powerful mechanism to, simultaneously, foster the production of intimate media by consenting partners and to punish non-consensual distribution and display (such as revenge porn) by treating them as infringement. This post outlines the key elements of my proposal.

I propose an amendment to the Copyright Act that would confer a new right upon the subjects of intimate media. Intimate media are photographs or audiovisual works that meet four criteria:

  1. The media contain images of one or more living humans;
  2. The rightsholder – the future plaintiff – is one of those living humans captured in the media;
  3. The rightsholder can be reasonably identified from the media, or from the combination of the media and the information accompanying it; and
  4. The media contains intimate information, which is defined as sexually explicit conduct involving the plaintiff, or the plaintiff’s genitals, pubic area, or (if female) exposed nipple or areola.

A person identifiably captured in a work of intimate media would enjoy a new right: to prevent distribution and display of that work. This right would apply against both private and public distribution and display. It would be waivable in writing, but not alienable. The new right would have two key limits. First, it would not apply against someone who received the work from a person identifiably captured in it (so long as that person did not further distribute the work, or display it to someone else). And, it would apply only prospectively, to intimate media created after the implementation date of the amendment.

This new copyright entitlement would be infringed whenever someone distributed, or displayed, the work of intimate media in which the plaintiff was identifiably captured. Distribution would include making the image or video available to others, and would not require proof of actual distribution. The new right would apply to two classes of defendants: natural persons, and service providers. Natural persons would infringe via the standard modes of display and distribution. Service providers would infringe via activities such as hosting, linking, and caching.

A plaintiff who sued one of these defendants and won could obtain the usual monetary damages along with injunctive relief. The availability of statutory damages ($750 – 30,000 per work infringed) would enable plaintiffs to recover litigation costs, and would create some deterrence for potential infringers. My proposal would modify the Copyright Act’s registration requirement for statutory damages. At present, the Act requires registering a work within three months of publication to obtain these damages. I would alter it to permit registration of works of intimate media at any time before suit for this purpose.

The proposal includes a safe harbor and two affirmative defenses. The safe harbor would apply to service providers, who would be immune from damages until they received a notice of claimed infringement of the new right from a plaintiff. If the ISP disabled access to or removed the accused infringing work of intimate media within 5 days, they would retain immunity from damages. A notice of claimed infringement would include an allegation of infringement of the plaintiff’s right in a work of intimate media, URLs under the ISP’s control where the work could be located, and contact information for the plaintiff. (I would permit plaintiffs to proceed pseudonymously, coordinated by a federal district court.)

Finally, the new copyright entitlement would provide two defenses to infringement. First, a defendant who obtained written consent from the plaintiff to the distribution or display of the work of intimate media would defeat liability. Second, there would be no liability where the distribution or display was newsworthy. (Fair use would not be a defense to infringement of the new right.)

To summarize: the proposed reform would create a right for identifiable subjects of intimate media to prevent unauthorized distribution or display of those images or videos, backed by statutory damages and injunctive relief, but leavened with immunity for service providers following a take-down procedure and for any defendant obtaining written consent or making newsworthy use of the media.

Let me close with a word about my normative commitments in this project. I intend this proposal seriously, and I believe in its merits. It’s also an exploration of some troublesome zones in copyright. Are the First Amendment’s requirements really met simply by the idea-expression dichotomy and fair use? How closely would a reviewing court scrutinize substitutes for those restraints? Does the constitutional and statutory requirement of authorship have any heft, either conceptually or doctrinally? What quantum of proof must Congress adduce about the effects of a change to the Copyright Act to satisfy the goal of “promot[ing] the progress of science… by securing for limited times to authors… the exclusive right to their respective writings”? I think my proposal passes all of copyright’s tests – constitutionally, conceptually, and practically. I suspect copyright scholars will find that conclusion unappealing. I’m looking forward to hearing why they think I’m wrong.

For more details, see the full draft of the paper, Exposed (98 Minn. L. Rev., forthcoming 2014).

California’s New Revenge Porn Bill: Helpful-ish

The California legislature passed, and Governor Jerry Brown signed, a bill that creates misdemeanor criminal liability for certain types of revenge porn. Here’s the new statutory language, at Ca. Penal Code 647.4(j):

(4) (A) Any person who photographs or records by any means the image of the intimate body part or parts of another identifiable person, under circumstances where the parties agree or understand that the image shall remain private, and the person subsequently distributes the image taken, with the intent to cause serious emotional distress, and the depicted person suffers serious emotional distress.

(B) As used in this paragraph, intimate body part means any portion of the genitals, and in the case of a female, also includes any portion of the breasts below the top of the areola, that is either uncovered or visible through less than fully opaque clothing.
(C) Nothing in this subdivision precludes punishment under any section of law providing for greater punishment.

The bill is likely to be helpful… sort of. On the plus side, it invokes the understanding of the people involved as a trigger: liability can attach when you distribute the image of someone’s intimate body parts, in situations where the initial recording was understood to be / remain private. It covers any form of recording, so both video and still images are considered. And, it attaches to a type of revenge porn where, under current law, the person who takes the photo or records the video holds copyright, depriving the subject of the recording of the power to launch takedown notifications under Section 512 of the Copyright Act.

But, there are some significant shortcomings. First, and most important, this is state criminal law. That means prosecutors can go after the initial perpetrator (typically, an ex-partner of the victim), but they’re powerless to enforce anything against Web sites or other Internet intermediaries that host the images / videos, due to the immunity provided by 47 U.S.C. 230. Second, the bill does not cover instances where the victim takes the initial photo under this shared understanding of confidentiality, and then the recipient distributes it. In short, selfies aren’t covered. Third, the intent and harm requirements seem to unnecessarily narrow the ambit of the law. Proving intent is always tricky. A defendant might argue that their intent was not to cause serious emotional distress, but rather to brag about the attractiveness of their partner. And the harm aspect means that until the victim learns of the distribution, and suffers serious emotional distress, there is no possible criminal liability under the bill. So, if someone sends around a nude photo of me, and it affects my employment opportunities, keeps me from dating people I find interesting, and causes me to be subject to harassment, there’s no liability – until I suffer emotional, as opposed to financial / reputational, harm. It’s a strange triggering provision.

As I posted recently, I continue to prefer a copyright-based approach to ones sounding in criminal or privacy law. More on this soon.

Law and Revenge Porn

The New York Times has an interesting article on attempts to use law to combat revenge porn. It quotes a series of experts, including Danielle Citron, Mary Anne Franks, Eric Goldman, Eugene Volokh, Charlotte Laws, and Marc Randazza. (Danielle has an excellent new book out on the topic, which I recommend. Disclosure: she kindly asked me for feedback on drafts.) So far, there have been a variety of tactics employed: tort law, state criminal law, breach of confidence claims, and proposals for a federal criminal law. Barriers range from the immunity for intermediaries from Section 230 of the Communications Decency Act to law enforcement indifference. I favor trying different moves until we find one that works with minimal countervailing costs. But, both the NYT and legal scholars overlook a mechanism that I find to be the most promising: intellectual property law. Today, I’m going to explain why I think using copyright, in particular, to deal with this problem is the most sensible approach. In the next post, I’ll outline the substance of my proposal.

Concentrating on revenge porn sets the focus too narrowly. Revenge porn is parasitic upon a larger trend that is socially valuable and desirable: the creation and sharing of intimate media – nude or sexually explicit photos or videos – among consenting partners. Intimate media can bring people together – it allows them to express romantic and sexual feelings in new ways. People take revealing photos of themselves with smartphones and share them with a spouse. They engage in steamy Skypeing. They record themselves in intimate activity and watch the videos later. Partners in long-distance relationships can use intimate media to overcome limitations of space and distance. For people with minority sexual preferences, creating intimate media can help them challenge prevailing gender norms, empower them to engage with others while protected by greater anonymity and psychological distance, and permit them greater control over self-representation. This type of sharing is increasingly lauded by mainstream media, relationship counselors, and that reliable bellwether of safely provocative tastes, Cosmopolitan magazine. Put simply, the consensual use of intimate media is merely a technological update to long-established romantic practices, from love letters to racy poems to phone sex. Thus, we should structure legal regulation to both encourage production of intimate media, by consenting partners, and to discourage abuse of those photos and videos.

Production of intimate media, though, is threatened by revenge porn, among other abuses. Partners who are considering sending a racy photo to a loved one may hesitate, or abstain, based on fears it will spread beyond the intended audience (usually, an audience of one). And they’re right to worry: non-consensual distribution and display of this content is regrettably common. Researcher Holly Jacobs found that 22% of heterosexual respondents to her survey, and 23% of LGBT ones, had experienced someone sharing intimate media without their consent. Revenge porn causes tangible injuries: recruiters reject job candidates for inappropriate photos on the ‘Net, or on social media. Anecdotal evidence abounds: the “drunken pirate” teacher denied an education degree, or the high school English teacher forced to resign for modeling swimsuits online – even under an assumed name. And revenge porn causes less tangible injuries: it deprives subjects of the power to decide with whom they share sensitive, even secret aspects of themselves. The problem is also, presently, a gendered one – women appear to be disproportionately targeted, perhaps reinforcing social norms about sexual activity (a man who is sexually active is a playboy, a woman who is so is a whore). Revenge porn not only harms those people captured in the images or videos, it also deters others who would find benefit in sharing intimate media with a partner. Thus, I view the social disutility of revenge porn even more broadly than most scholars do.

What we need is a regime that regulates this type of material to encourage the creation of consensual intimate media, and to discourage non-consensual distribution and display (such as revenge porn). That sounds exactly like what copyright law does: it establishes legal rules that lead people to generate content by punishing forms of unauthorized sharing and use. Intimate media are one example of amateur, non-commercial production of expressive content. And, they are a fragile example: the risk that an intimate photo or video will spread beyond its intended audience deters at least some people from creating this material. Using copyright as a mechanism is appealing – it simultaneously punishes unauthorized sharing or display as infringement, with the usual panoply of remedies available, and it encourages production of intimate media by assuring creators that the law will enforce their choice of audience.

This argument tends to draw objections both from copyright scholars and from privacy scholars. Copyright experts sound complaints in at least two forms. First, using copyright law in this fashion is an undesirable deviation from the proper goals or contours of the doctrine. Second, other mechanisms, such as privacy law or criminal law, are better suited to this purpose. Privacy scholars typically sign on to the second objection, and also prefer to deploy legal regimes that they view as having greater expressive power regarding the problem of revenge porn.

I’ll take up the first objection in my next post, but want to note briefly that, if one argues my proposal departs from the true path of copyright, one bears the onus of establishing what that path is and where it leads. As for expressivism, I think criminal sanctions likely do carry greater moral disapprobation than copyright ones. However, as I explain below, I think copyright offers greater enforcement and, concomitantly, greater deterrence for potential violators and greater relief to victims. I’m willing to trade inchoate condemnation for concrete relief.

Privacy law is the most intuitive answer to the problems intimate media face. The content is intended for a limited audience that is usually connected closely to the creators or people featured in it, and so unauthorized distribution feels like a privacy violation. But, I think a privacy approach has three potential shortcomings. First, privacy law does not yet take seriously the promise and potential of intimate media. Rather, it focuses exclusively on the harms that flow from unauthorized sharing. Copyright, by contrast, embraces intimate media – it creates a generative legal regime for consensual content, and reduces harm by treating it as infringement. Second, under Section 230 of the Communications Decency Act, privacy laws (with the important exception of federal criminal statutes) do not apply to intermediaries such as Web sites. Thus, they fail to address the key harm that unauthorized distribution and display creates: the ongoing availability of material even after the initial disseminator has been punished. While privacy scholars often advocate repeal or alteration of Section 230, their proposals have proved politically non-viable to date, and they would likely exact significant, undesirable costs on intermediaries, who would have to engage in proactive monitoring of their sites or services. Lastly, even if Section 230 were modified, First Amendment objections from intermediaries might well block privacy enforcement against them. Copyright works in alignment with Section 230, and has built-in accommodations for First Amendment interests.

Similarly, criminal law appears attractive at first blush: it leverages the investigative powers of the state, bypasses 230’s immunity, and brings societal stigma to bear upon offenders. However, I think criminal law has three important drawbacks relative to copyright. First, enforcement levels are likely to be lower. Prosecutors – especially federal ones – face significant resource constraints. Revenge porn cases would compete with ones focused on terrorism, narcotics, white collar crime, immigration violations, and so forth. A useful parallel is criminal enforcement of IP laws. In 2008, Congress passed the PRO IP Act, which devoted additional resources to IP prosecutions, and the Obama administration has made criminal enforcement a relative priority. Yet prosecution is still rare: each year since 2008, the Department of Justice has brought fewer than 200 cases per annum, charging fewer than 300 defendants. Contrast that to the scale of private enforcement by the RIAA and MPAA alone. Second, the current problem with prosecution of revenge porn appears to be a lack of interest from law enforcement, not a dearth of legal tools. Danielle Citron’s new book documents quite extensively the reluctance of police to investigate, and prosecutors to charge, such cases. Indeed, the prosecution of Holly Jacobs’s former boyfriend drew significant media attention precisely because of its rarity. New laws will not in themselves drive more cases. Distributed, private enforcement under copyright is likely to be far more effective. And, finally, here too First Amendment scrutiny is a significant hurdle. Under Chief Justice John Roberts, the Supreme Court has been increasingly skeptical of laws that criminalize the sharing of information, from prescription data to animal crush videos to protests at funerals to violent video games to lies about one’s military service. Any criminal law will have to be crafted and drafted with particular care to survive review. Copyright, by contrast, has well-established First Amendment safeguards that receive considerable judicial deference.

To summarize: revenge porn is parasitic upon the socially valuable trend of consenting partners creating, and sharing with one another, intimate media. Copyright law holds the most promise to encourage consensual use while punishing unauthorized sharing and display. In the next post, I’ll lay out my proposal, and address a few potential objections to it.

Copyright and the Naughty Bits

My article Exposed is now up on SSRN. It’s coming out in volume 98 of the Minnesota Law Review in 2014. Here’s the abstract:

The production of intimate media – amateur, sexually explicit photos and videos – by consenting partners creates social value that warrants increased copyright protection. The unauthorized distribution of these media, such as via revenge porn, threatens to chill their output. To date, scholarly attention to this problem has focused overwhelmingly on privacy and criminal law as responses, neglecting the power of intellectual property doctrine to curtail harms and spur beneficial uses. Copyright law leverages an established, carefully limited system of intermediary liability that addresses the true risks of abuses, such as revenge porn. Importantly, copyright is also consonant with key statutory protections, such as Section 230 of the Communications Decency Act, that protect the thriving Internet ecosystem.

This Article proposes creating within the Copyright Act a right for identifiable people captured in intimate media to block unauthorized distribution and display of those images or video. It then uses the proposal, and issues for intimate media more broadly, as a window into contentious scholarly debates over the nature of authorship and the balance between copyright and free speech. The Article closes by identifying the rise of intimate media and its concomitant challenges as part of the ongoing revolution in information production.

Feedback welcomed!