Archive for the 'privacy' Category

“Born Digital” and “Digital Natives” Project Presented at OECD-Canada Foresight Forum

Here in Ottawa, I had the pleasure to speak at the OECD Technology Foresight Forum of the Information, Computer and Communications Policy Committee (ICCP) on the participative web – a forum aimed at contributing to the OECD Ministerial Meeting “The Future of the Internet Economy” that will take place in Seoul, Korea, in June 2008.

My remarks (what follows is a summary, full transcript available, too) were based on our joint and ongoing Harvard-St.Gallen research project on Digital Natives and included some of the points my colleague and friend John Palfrey and I are making in our forthcoming book “Born Digital” (Basic Books, 2008).

I started with the observation that increased participation is one of the features at the very core of the lives of many Digital Natives. Since most of the speakers at the Forum were putting emphasis on creative expression (like making mash-ups, contributing to Wikipedia, or writing a blog), I tried to make the point that participation needs to be framed in a broad way and includes not only “semiotic democracy”, but also increased social participation (cyberspace is a social space, as Charlie Nesson has argued for years), increased opportunities for economic participation (young digital entrepreneurs), and new forms of political expression and activism.

Second, I argued that the challenges associated with the participative web go far beyond intellectual property rights and competition law issues – two of the dominant themes of the past years as well as at the Forum itself. I gave a brief overview of the three clusters we’re currently working on in the context of the Digital Natives project:

  • How does the participatory web change the very notion of identity, privacy, and security of Digital Natives?
  • What are its implications for creative expression by Digital Natives and the business of digital creativity?
  • How do Digital Natives navigate the participative web, and what are the challenges they face from an information standpoint (e.g. how to find relevant information, how to assess the quality of online information)?

The third argument, in essence, was that there is no (longer a) simple answer to the question “Who rules the Net?”. We argue in our book (and elsewhere) that the challenges we face can only be addressed if all stakeholders – Digital Natives themselves, peers, parents, teachers, coaches, companies, software providers, regulators, etc. - work together and make respective contributions. Given the purpose of the Forum, my remarks focused on the role of one particular stakeholder: governments.

While still research in progress, it seems plain to us that governments may play a very important role in one of the clusters mentioned above, but only a limited one in another cluster. So what’s much needed is a case-by-case analysis. I briefly illustrated the different roles of governments in areas such as

  • online identity (currently no obvious need for government intervention, but “interoperability” among ID platforms on the “watch-list”);
  • information privacy (important role of government, probably less regarding more laws, but better implementation and enforcement as well as international coordination and standard-setting);
  • creativity and business of creativity (use power of market forces and bottom-up approaches in the first place, but role of governments at the margins, e.g. using leeway when legislating about DRM or law reform regarding limitations and exceptions to copyright law);
  • information quality and overload (only limited role of governments, e.g. by providing quality minima and/or digital service publique; emphasis on education, learning, media & information literacy programs for kids).

Based on these remarks, we identified some trends (e.g. multiple stakeholders shape our kids’ future online experiences, which creates the need for collaboration and coordination) and closed with some observations about the OECD’s role in such an environment, proposing four functions: awareness raising and agenda setting; knowledge creation (“think tank”); international coordination among various stakeholders; alternative forms of regulation, incl. best practice guides and recommendations.

Berkman Fellow Shenja van der Graaf was also speaking at the Forum (transcripts here), and Miriam Simun presented our research project at a stand.

Today and tomorrow, the OECD delegates are discussing the take-aways of the Forum behind closed doors. Given the broad range of issues covered at the Forum, it’s interesting to see what items will finally be on the agenda of the Ministerial Conference (IPR, intermediaries’ liability, and privacy are likely candidates.)

Open Access to Law: Swiss Data Privacy Cases Now Online

I’m delighted to announce that our Research Center for Information Law at the University of St. Gallen - usually focusing more on basic research rather than implementing project work - has just launched an online data privacy case law collection (in German and French) that features the entire collection of cases decided by the Swiss Commission for Data Privacy and Freedom of Information from 1993 - 2006. The Commission has now been integrated into the “Tribunal administrativ federal”, the branch of the Supreme Court that deals with administrative law issues. Free online access to the collection is particularly exciting since only part of the Commission’s decisions has been published so far. Thanks are due to the Swiss Federal Chancellery and the St. Gallen University’s Research Council for financial support. And, of course, special thanks to Silke Ernst, LL.M., for excellent project management.

Managing Corporate Risks in an E-Environment

My colleague Daniel Haeusermann and I just released a new paper entitled “E-Compliance: Towards a Roadmap for Effective Risk Management.” In the article, which is largely based on consulting work we’ve been doing, we argue that the widespread use of digital communication technology on the part of business organizations leads to new types of challenges when it comes to the management of risks at the intersection of law, technology, and the marketplace. In order to effectively manage these challenges and associated risks in diverse areas such as security, privacy, consumer protection, IP, and content governance, we call for an integrated and comprehensive compliance concept in response to the structural and substantive peculiarities of the digital environment in which corporations - both in and outside the dot-com industry - operate today. See also this post. The conclusion section of the paper reads as follows:

Through significant efforts, the legal system has adjusted to the changes in the information and communications technology of daily corporate life—changes at the intersection of the market, technology, and law. Organizations must make adjustments on their part as well in order to deal with the consequences resulting from these changes in the legal system. The observation that led to this essay was that these adjustments represent a greater challenge than the already decreasing entropy surrounding concepts such as “e-commerce law” or “cyberlaw” would suggest. Our initial foray into the concept, characteristics, responsibilities and organizational guiding principles of e-Compliance confirms this observation.

E-Compliance, as discussed in this article, is confronted with the phenomenon of a close interconnection between law and technology, a prominent dynamization of the law, massive internationalization of issues and legal problems, as well as a strong increase in the significance of soft law. These characteristics, which in part may also apply to traditional areas of compliance such as financial market regulation, call in their interplay for the further development of compliance concepts as well as adaptation of the affected aspects of corporate organization. Due to the increasing amalgamation of corporate organizational nexus and ICT, the symbiotic relations between traditional compliance and e-Compliance will be increasingly amplified. The view that e-Compliance represents merely a single risk area among the many of compliance is therefore outdated in our opinion. E-Compliance is actually a multidimensional and multidisciplinary task, although there are certainly areas of law that are particularly affected by digitization (or also which particularly impact digitization) and therefore are of particular importance for the field of e-Compliance.

Thus, in conclusion, the authors do not posit a special “e-Sphere” within or without existing compliance departments. Rather, we argue for an integrated and comprehensive compliance concept that appropriately makes allowance for the structural and substantive peculiarities of e-Compliance as outlined in this essay and stays abreast with the pace of digitization.

Please contact Daniel or me if you have comments.

Must-Read: Microsoft WP on Privacy-Compliant ID Metasystem

Microsoft released a white paper entitled “The Identity Metasystem: Towards a Privacy-Compliant Solution to the Challenges of Digital Identity.” The excellent paper, authored by Microsoft’s Internet Policy Council Ira Rubinstein and Tom Daemen, senior attorney with Microsoft, and posted on Kim Cameron’s blog, is a must-read for everyone interested in user-centric ID management systems. (Disclosure: As you can take from the acknowledgments, I have commented on a draft version of the paper, based on my earlier observations on “Identity 2.0”-like initiatives.)

Among my main concerns – check here for other problem areas - has been Microsoft’s claim that the i-card model is “by design” in compliance with the unambiguous and informed consent requirement as set forth, for instance, by EU data protection law. I’ve argued that the “hardwired”-argument (obviously a variation on the theme “regulation by code”) might be sound if one focuses on a particular relationship between one user and one identity provider and/or one relying party – as the white paper does. However, at the aggregated level, the i-card model’s complexity – i.e. the network of informational relationships between one user and multiple ID providers and relying parties – increases dramatically. If we were serious about the informed consent requirement, so my argument goes, one would wish that the user could anticipate not only the consequences of consent vis-à-vis one ID provider, but would understand the interplay among all the components of the ID-system. Even in less complex informational environments, experience has shown that the making available of various privacy policies can’t be the answer to this problem - as the white paper seems to acknowledge.

In this regard, I particularly sympathize with the white paper’s footnote 23. It might indeed be a starting point for an answer to what we might call the “transparency challenge” to create “a system enabling web sites to represent privacy policies in a simple, iconic fashion analogous to food labels. This would allow consumers to see at a glance how a site’s practices compared to those of other Web sites using a small number of universally accepted visual icons that were both secure against spoofing and verified by a trusted third party.” (p. 19, FN 23.) Such a system could become particularly effective if the icons – machine-readable analogous to creative commons labels – would be integrated in search results and monitored by “Neighborhood campaigns” similar, for instance, to Stopbadware.com.

Although Microsoft’s paper leaves some important issues unaddressed, it seems plain to me that it takes the discussion on identity and privacy protections as code and policy an important step further – in a sensible and practical manner.

D.H. on AOL and Basic Characteristics of Information

Daniel Haeusermann, Berkman intern and FIR-HSG researcher, has a great post on his brand-new blog about AOL’s publication of search queries, viewed from a (European) information law perspective. Stay tuned, Dan will have many interesting things to say.

EU Parliament Calls For Code of Conduct For Internet Intermediaries Doing Biz In Repressive Countries

With the usual time-lag, the debate about Internet censorship in repressive countries such as China and the role of Internet intermediaries such as Google, Microsoft and Yahoo! has now arrived in Europe. The EU Parliament now confirms what many of us have argued for months, i.e., that the problem of online censorship is not exclusively a problem of U.S.-based companies and is not only about China.

The recent resolution on freedom of expression on the Internet by the European Parliament starts with references to previous resolutions on human rights and freedom of the press, including the WSIS principles, as well as international law (Universal Declaration of Human Rights) and opens with the European-style statement that restrictions on online speech “should only exist in cases of using the Internet for illegal activities, such as incitement to hatred, violence and racism, totalitarian propaganda and children’s access to pornography or their sexual exploitation.”

Later, the resolution lists some of the speech-repressive regimes, including China, Belarus, Burma, Cuba, Iran, Libya, Maldives, Nepal, North Korea, Uzbekistan, Saudi Arabia, Syria, Tunisia, Turkmenistan and Vietnam. The resolution then makes explicit references to U.S.-based companies by recognizing that the “…Chinese government has successfully persuaded companies such as Yahoo, Google and Microsoft to facilitate the censorship of their services in the Chinese internet market” and “notes that other governments have required means for censorship from other companies.” European companies come into play with regard to the sale of equipment to repressive governments, stating that

“… equipment and technologies supplied by Western companies such as CISCO Systems, Telecom Italia, Wanadoo, a subsidiary of France Telecom have been used by governments for the purpose of censoring the Internet preventing freedom of expression.” (emphasis added.)

The resolution, declaratory in nature, in one of its probably most significant parts calls on the European Commission and the Council “to draw up a voluntary code of conduct that would put limits on the activities of companies in repressive countries.” The policy document also stresses the broader responsibility of companies providing Internet services such as search, chat, or publishing to ensure that users’ rights are respected. Hopefully, the Commission and the Council will recognize that several initiatives aimed at drafting such codes of conduct are underway on both sides of the Atlantic (I have myself been involved in some of these processes, including this one), and will engage in conversations with the various groups involved in these processes. In any event, it will be interesting to see how the Commission and the Council approach this tricky issue, and to what extent, for instance, they will include privacy statements in such a set of principles - a crucial aspect that, interestingly enough, has not been explicitly addressed in the Parliament’s resolution.

The resolution also calls on the Council and Commission “when considering its assistance programmes to third countries to take into account the need for unrestricted access by their citizens.” Further coverage here.

Update: On the “European Union’s schizophrenic approach to freedom of expression”, read here (thanks, Ian.)

YJoLT-Paper on Search Engine Regulation

The Yale Journal of Law and Technology just published my article on search engine regulation. Here’s the extended abstract:

The use of search engines has become almost as important as e-mail as a primary online activity. Arguably, search engines are among the most important gatekeepers in today’s digitally networked environment. Thus, it does not come as a surprise that the evolution of search technology and the diffusion of search engines have been accompanied by a series of conflicts among stakeholders such as search operators, content creators, consumers/users, activists, and governments. This paper outlines the history of the technological evolution of search engines and explores the responses of the U.S. legal system to the search engine phenomenon in terms of both litigation and legislative action. The analysis reveals an emerging “law of search engines.” As the various conflicts over online search intensify, heterogeneous policy debates have arisen concerning what forms this emerging law should ultimately take. This paper offers a typology of the respective policy debates, sets out a number of challenges facing policy-makers in formulating search engine regulation, and concludes by offering a series of normative principles which should guide policy-makers in this endeavor.

As always, comments are welcome.

In the same volume, see also Eric Goldman’s Search Engine Bias and the Demise of Search Engine Utopianism.

John Clippinger Quoted in the Boston Globe

Today, the Boston Globe runs a story about a promising cross-industry project on user-centric identity that is directed by my colleague Dr. John Clippinger at the Berkman Center for Internet and Society, Harvard Law School. It has now become public that the Berkman Center together with an industry consortium of tech companies, including IBM Corp. and Novell Inc., is working on an open security project - code-named Higgins - aimed at creating code that gives users more control over their online identities. John is quoted as follows:

“For individuals, such a system promises a ‘single sign-on’ enabling the sharing with third parties of personal information, ranging from bank and credit card accounts to medical records and phone numbers, said John H. Clippinger, senior fellow at the Berkman Center at Harvard Law School.

Clippinger said the system will enable people to share tiers of their digital data with different parties, giving broader access to doctors, for example, than to cable companies.

‘The web wasn’t designed with a security layer in it, so we’re addressing that missing piece,’ Clippinger said. ‘This is a whole new system called “open security” where the control point is the individual.’”

Recently, I commented on this blog on the merits of user-centric identity systems - sometimes referred to as Identity 2.0 - from a privacy perspective. After the discussions at the workshop mentioned in the previous post, I’m more convinced than ever that the approach taken by Clippinger et al - despite remaining challenges, which, BTW, were fully acknowledged by the leading technologists at the workshop - has the potential to solve some of the thorniest privacy issues on the web.

I trust that we’ll get back to this issue before the June conference mentioned in the Globe. In any event, stay tuned.

Global Online Freedom Act of 2006: Evil is in the Details

I’ve just read Rep. Chris Smith’s discussion draft of a “Global Online Freedom Act of 2006,” which has been made available online on Rebecca MacKinnon’s blog. Rebecca nicely summarizes the key points of the draft. From the legal scholar’s rather than the activist’s viewpoint, however, some of the draft bill’s nitty-gritty details are equally interesting. Among the important definitions is certainly the term “legitimate foreign law enforcement purposes,” which appears, for instance, in the definition of substantial restrictions on Internet freedom, and in sec. 206 on the integrity of user identifying information. According to the draft bill, the term “legitimate foreign law enforcement purposes” means

“for purposes of enforcement, investigation, or prosecution by a foreign official based on a publicly promulgated law of reasonable specificity that proximately relates to the protection or promotion of health, safety, or morals of the citizens of that jurisdiction.”

And the next paragraph clarifies that

“the control, suppression, or punishment of peaceful expression of political or religious opinion does not constitute a legitimate foreign law enforcement purpose.” [Emphasis added.]

While the first part of the definition makes a lot of sense, the second part is more problematic to the extent that it suggests, at least at a glance, a de facto export of U.S. free speech standards to the rest of the world. Although recent Internet rulings by U.S. courts have suggested an expansion of the standard under which U.S. courts will assert jurisdiction over free speech disputes that arise in foreign jurisdictions, it has been my and others’ impression that U.S. courts are (still?) reluctant to globally export free speech protections (see, e.g. the 9th Circuit Court of Appeal’s recent Yahoo! ruling.)

Indeed, it would be interesting to see how the above-mentioned definition would relate to French legislation prohibiting certain forms of hatred speech, or German regulations banning certain forms of expression—black lists, by the way, which are also incorporated by European subsidiaries of U.S. based search engines and content hosting services.

While the intention of the draft bill is certainly a legitimate one and while some of the draft provisions (e.g. on international fora, code of conduct, etc.) deserve support, the evil—as usual—is in the details. Given its vague definitions, the draft bill (may it become law) may well produce spillover-effects by restricting business practices of U.S. Internet intermediaries even in democratic countries that happen (for legitimate, often historic reasons) not to share the U.S.’ extensive free speech values.

Addendum: Some comments on the draft bill from the investor’s perspective here. Note, however, that the draft bill also includes foreign subsidiaries of U.S. businesses to the extent that the latter control the voting shares or other equities of the foreign subsidiary or authorize, direct, control, or participate in acts carried out by the subsidiary that are prohibited by the Act.

Identity 2.0: Privacy as Code and Policy

Later today, I will be traveling “back home” to Cambridge, MA, where I will be attending an invitation only workshop on user centric identity and commerce hosted by the Berkman Center at Harvard Law School and organized by Berkman Fellow John Clippinger. In preparation for a panel on identity and privacy at this workshop, I have written a discussion paper. Here are the main points:

1. User-centric approaches to online identity management such as Identity 2.0 have several advantages compared to previous attempts—commonly referred to as Privacy Enhancing Technologies (PET)—aimed at regulating the flow of personal information through Code. Three achievements are particularly noteworthy: First, Identity 2.0-like approaches mirror the social phenomenon that privacy must be understood as an aggregation of an individual’s choices along a spectrum between the poles “complete anonymity” and “complete identification.” In other words, Identity 2.0 reflects, inter alia, the granular nature of offline privacy and replicates it at the design level of the digitally networked environment. Second, user profiles containing personal information (as elements of identity profiles) that have been created under the regime of previous PETs are often not “portable” across services and applications. Profiles based on concepts such as Identity 2.0, by contrast, are user-centric and, in that sense, universal in their use. Third, Identity 2.0 seeks to provide a set of profiles that enable an individual user to have parallel identities and make situative choices about the flow of personal data in the context of (commercial) interactions.

2. Consequently, user-centric identity systems have the potential to eliminate some of the basic weaknesses of previous incarnations of identity and privacy management technologies. From a privacy perspective, however, a series of important questions and problems remain to be addressed. First, it is striking that user-centric identity and privacy concepts like Identity 2.0 seek to restore an individual’s control over personal data through the medium “choice,” thereby following a property rights approach to privacy. The designers’ choice is remarkable because the majority of analyses suggest that the privacy crisis in cyberspace, by and large, is the product of extensive data collecting, processing, and aggregating practices by commercial entities vis-à-vis the individual user. In other words, Identity 2.0 concepts are regulating—via Code—the behavior of the sender of personal information (user) rather than targeting the source of the problem, i.e. the informational behavior of the recipients (commercial entities.) Viewed from that angle, the approach taken by Identity 2.0 is in tension with some of the basic principles of data protection, which seek to avoid the use of personal information by the recipient and to establish restrictive requirements on the collection, storage, and usage of personal data while leaving an individual user’s informational behavior unregulated. Although counterintuitive, a user-centric approach to identity and privacy management might therefore result in less user autonomy—understood as the freedom to communicate about oneself—when compared to a traditional data protection approach that aims to regulate the informational practices of the data collectors. This tension between identity architecture and fundamental data protection principles might become more explicit in jurisdictions outside of the U.S.

3. The second persistent challenge results from yet another design choice. The starting point is the observation that user-centric identity and privacy schemes are built upon what might be called the “consent approach,” an approach that ultimately suggests user’s choice as the solution to online identity and privacy problems. Indeed, the emerging generation of identity management and privacy enhancing technology aims to provide the tools to make (and express) choices. However, experiences with previous choice-based mechanisms and standards (like P3P) seem to suggest that the promise of this approach is fairly limited. Even the most sophisticated architecture cannot counter power asymmetries between individual users and the Amazons, eBays, Googles, etc. of this world. From such a pragmatic perspective, it remains doubtful to what extent real choices are available to the user. Or, as Herbert Burkert pointed out in the context of PET, “… the data subject is [usually] asked to choose between giving consent and losing advantages, privileges, rights, or benefits, some of which may be essential to the subject in a given situation.” Further, economic incentives which may motivate people to give away personal information in return for free services such as email accounts, content management sites, social networks, etc. might be particularly strong in the online environment and have a limiting effect on the freedom to choose, especially in situations where users (e.g. due to financial constraints) are forced to rely on such deals. Finally, the user acceptability of consent-based tools heavily depends on the ease-of-use of those instruments, as P3P and similar initiatives have illustrated. Given the number of stakeholders, interests, and standards involved, it remains to be seen whether the apparently complex web of identity providers, identity mechanisms, privacy profiles, etc. in fact will be manageable over one easy-to-use interface as has been envisioned by leading designers.

4. The observation that user-centric concepts such as Identity 2.0 contain many different interacting elements and relations—and, thus, add technological and social complexity to the Net—leads to the third conceptual challenge. Consent and choice in the privacy context means informed consent and choice, respectively. It has been observed with regard to much less complex designs of privacy enhancing technologies that data subjects “cannot know how much they should know without fully understanding the system and its interconnection with other systems.” (H. Burkert) In other words, informed consent by users requires transparency for users, but transparency usually decreases in complex and highly technical environments. Someone with a non-technical background who seeks to understand how the emerging protocols and governance models in the area of user-centric identity work and what the differences among them are will immediately recognize how difficult it will be to make truly informed choices among different identity providers and privacy management systems. The more individuals depend on complex user-centered technology in order to manage their online identities, the more desirable it seems from a policy perspective that users know about the underlying Code, the functionalities, and risks. So far, it remains unclear whether it is a realistic scenario that someone will have access to this meta-information and will aggregate it for users.

5. The three challenges outlined above are not meant as argument against the Identity 2.0 concept. Rather, the remarks are intended as a cautionary note—we should resist the temptation to overestimate the promise of any user-centric and choice-based approaches in the context of privacy. In response to the above arguments, however, one might argue that the emerging user-centric approaches will not exclusively rely on Internet users who are educated enough (probably supported by some sort of “choice assistants”) to dynamically manage their multiple online identities and exchanges of personal information on the Net. Rather, according to this argument, identity and privacy policies developed and monitored by private parties would supplement the user-centric approach. Indeed, such a complementary approach addresses some of the concerns mentioned above. However, the experiences with self-regulation in the area of Internet privacy in the U.S. have been rather disillusioning as several studies demonstrate. Viewed from that angle, it does not seem entirely clear why a similar approach should work well in the context of an Identity 2.0 environment.

6. The previous question leads us to another emerging problem under an Identity 2.0-like environment. It is the question about the control of the information practices of the identity providers themselves. The control issue is a particularly important one because it seems inevitable that the emergence of identity providers will be associated with an increased degree of centralization where personal information in the online environment is managed for the purpose of identity building. Again, the common line of argument currently suggests that self-regulation in the form of peer-auditing and/or reputation systems is an adequate solution to the problem. However, once more a look back at the history of privacy regulation in cyberspace might trigger doubts as to whether an industry-controlled self-regulatory scheme will be adequately effective to ensure fair information practices on the part of identity providers as the new and important players of the future Internet. Against this backdrop, it seems advisable to consider alternatives and critically rethink the interaction between code and law and their respective contributions to an effective management of the identity and privacy challenges in cyberspace. This step may mark the beginning of a discussion on Identity 3.0.
