Washingtonpost.com has the transcript of an interesting online chat with Sarah Deutsch, a lawyer for Verizon, about online privacy, including the Supreme Court's recent denial of cert. in the RIAA v. Verizon case about DMCA subpoenas and file-sharers:

U Boulder, CO: I have heard that the RIAA has technologies that can find illegal downloaders online and track them. Is this stuff legal? Isn't that hacking? Do ISPs allow this kind of software on their networks?

Sarah Deutsch: The RIAA, MPAA and even the pornography industry (acting as a "copyright owners") are increasingly hiring Internet "bounty hunters" who use search tools, including search bots to scour the Internet for infringing files. Just like those mechanical spiders in the movie "Minority Report," the spiders go into users' shared folders on their hard drives and match file names to the names of copyrighted songs and movies. Unfortunately, the bots make mistakes,which is why one ISP received a notice demanding that they terminate a subscriber who had allegedly downloaded the Harry Potter movie when the attachment was actually the Harry Potter book report.

Off-topic, but absolutely fantastic news: the ACLU just won a case ruling that part of the USA PATRIOT Act is unconstitutional:

U.S. District Judge Victor Marreo ruled in favor of the American Civil Liberties Union, which challenged the power the FBI has to demand confidential financial records from companies that it can obtain without court approval as part of terrorism investigations.

The legislation bars companies and other recipients of these subpoenas from ever revealing that they received the FBI demand for records. Marreo held that this permanent ban was a violation of free speech rights.

In his ruling, Marreo prohibited the Department of Justice and the FBI from issuing special administrative subpoenas, known as national security letters.

Here's a bit more on national security letters under PATRIOT, explaining just how indefensible they are:

Imagine if the FBI could, with only a piece of paper signed by the special agent in charge of your local FBI office, demand detailed information about your private Internet communications directly from your ISP, webmail service, or other communications provider. Imagine that it could do this:

* without court review or approval;
* without you being suspected of a crime; and
* without ever having to tell you that it happened.

Further imagine that with this piece of paper, the FBI could see a wide range of private details, including:

* your basic subscriber records, including your true identity and payment information;
* your Internet Protocol address and the IP address of every Web server you communicate with;
* the identity of anyone using a particular IP address, username, or email adress;
* the email address or username of everyone you email or IM, or who emails or IMs you;
* the time, size in bytes, and duration of each of your communications, and possibly even
* the web address of every website you visit.

Finally, imagine that the FBI could use the same piece of paper to gain access your private credit and financial information - and that your ISP, bank, and any other business from which the FBI gathers your private records is *forever* barred by law from notifying you.

Now stop imagining, and meet the NSL authorized under Section 505 of the USA PATRIOT Act.

Later: Here's the ruling itself.

Two quick reflections post-ILAW, to add to the ever-growing pool:

Jerry is the New Larry

UCLA law professor/Harvard law visiting professor Jerry Kang is the Larry Lessig of privacy, in that he was able very quickly and powerfully to communicate that there are extremes in the debate that result largely from the culture-born clash between "property talk" (U.S.-take on privacy) and "dignity talk" (Euro approach). He lifted the discussion out of the dreaded "tin foil hat" arena -- that is, beyond "paranoid freaks v. reasonable people" nonsense that stops people from truly engaging with the problem/issues at hand. He's one to learn from. (Check out Frank Field's comprehensive ILAW notes for a remarkably detailed transcript of his talk.)

Tell Me About It

Speaking of working to balance the debate, I want to thank ILAW attendee/NPR Deputy General Counsel Denise Leary for echoing/amplifying my call on Friday for real-world stories that reveal what the average guy on the street is losing because of the digital copyright crackdown. Jim Flowers told a personal story I'd like to hear in greater detail, about arguing successfully against an incredibly restrictive form of Internet filtering in schools by putting it in the plainest of terms -- something like, "Your children can't do research in school -- they're restricted to only 200 websites, and that's why this policy should be rejected." If you've got just such a simple-as-Valenti story about how today's copyright is frustrating your teaching/learning/creativity/ability to speak about an important issue online, do drop a comment below or send me an email to let me know.

Fordham law professor Sonia Katyal has an article up @ the SSRN Electronic Library that brings to mind a question I asked some months ago: Why do we tolerate in the name of copyright protection what we only unwillingly tolerate in the name of combating terrorism -- e.g., law that strips us of our right to privacy and due process?

The paper, entitled "The New Surveillance," describes in detail how the courts aid and abet new, extra-judicial regimes of private/corporate surveillance on the Internet -- and proposes, among other things, "greater judicial supervision of the DMCA" as an appropriate fix.

Continue reading "The New "Piracy Surveillance" - Whither Due Process?"

An interesting issue has come up in the Gmail and privacy session @ CFP. If you send an email to someone at a corporation, e.g. jason@microsoft.com, there is an implicit understanding amongst most people that Microsoft could scan the email and read its contents. After all, Microsoft has a number of trade secrets to protect (as well as other interests) and since you are sending the email to one of its employees, it presumptively has the right to check it to make sure it isn't causing the corporation any harm. At the very least, it could argue that since the mail has been sent to its comptuer servers, it has a right to look at it if it wants.

So what about Gmail? Shouldn't people have the same low expectations of privacy if they send email to someone using a gmail.com email address? After all, the email is residing on Gmail's servers and there's no illusion that the email is residing on a private server.

The difference, I think, is one of perceived control and ownership. When I send email to microsoft.com, I understand that Microsoft has a right to police its email and servers because the person you are sending the mail to is an employee there -- someone who Microsoft has control and supervision over while they are at work.

With Gmail, however, Google doesn't have any control or supervision over its users. At least, that's our current perception. In return for seeing ads, users get a Gig of storage. That's the relationship. Google doesn't try to tell the user what to use to account for or try to control their behavior or supervise it. Therefore, when I send email to someone at a Gmail account, I assume the user is in control of the privacy of that email, not Google.

A trendy topic of late seems to be that with the improvements in search technology and the increasing prevalence of message boards, blogs and other ways to express yourself on the Net, people will increasingly be able to find out what you've written and done in the past. Even law firms have apparently begun to take an interest in their employees' or candidates' online acts.

My first reaction is one I have over and over in Internet law... firms--did you really think your employees never talk about the firm and its goings-on? Did you really think your candidates had no opinions other than those they glibly recited in their interviews and fancy lunches? Lawyers--did you really think the firm would never check your background? Did you really think the firm wouldn't notice if you're writing about it? My second reaction is also typical: Firm--get a thicker skin. Lawyers---own up to your past and, today, if you're ashamed for someone to read what you're saying, why are you saying it in the first place? I know there are important reasons for anonymity, but I also think far too many people use "privacy" as an excuse to just avoid standing up for what they believe, or to get away with things they know are criminal, embarrassing or just plain icky.

Continue reading "Your Permanent Record"

As many readers might know, there are three ongoing concurrent challenges to the recently passed Partial Birth Abortion Ban in court these days. In fact, trial in the San Francisco Case was scheduled to begin today.

Part of the issues before the courts is whether or not so-called "partial birth" abortions are ever medically necessary to preserve the health of the pregnant woman. (The Ban does not include any exception for such circumstances). Congress found that such procedures were never medically necessary. Planned Parenthood and other abortion providers disagree. As part of its preparation for trial on this issue, the U.S. Gov't sought to subpoena the medical records of women who have had the procedure. PP and the other providers sought to quash the subpoena. The district court in Chicago quashed the subpoena and the Government appealed the the 7th Circuit for reversal. Just the other day, the 7th Circuit handed down their opinion (penned by the well-known hand of Judge Posner) affirming rejection of the subpoena.

While the opinion is interesting for any number of other reasons, I found Posner's reference to Internet privacy (or the lack thereof) as a reason particularly interesting:

This is hardly a typical case in which medical records get drawn into a lawsuit. Reflecting the fierce emotions that the long-running controversy over the morality and legality of abortion has made combustible, the Partial-Birth Abortion Ban Act and the litigation challenging its constitutionality—and even more so the rash of suits around the country in which the Department of Justice has been seeking the hospital records of abortion patients—have generated enormous publicity. These women must know that, and doubtless they are also aware that hostility to abortion has at times erupted into violence, including criminal obstruction of entry into abortion clinics, the firebombing of clinics, and the assassination of physicians who perform abortions. Some of these women will be afraid that when their redacted records are made a part of the trial record in New York, persons of their acquaintance, or skillful “Googlers,” sifting the information contained in the medical records concerning each patient’s medical and sex history, will put two and two together, “out” the 45 women, and thereby expose them to threats, humiliation, and obloquy. As the court pointed out in Parkson v. Central DuPage Hospital, supra, 435 N.E.2d at 144, “whether the patients’ identities would remain confidential by the exclusion of their names and identifying numbers is questionable at best. The patients’ admit and discharge summaries arguably contain histories of the patients’ prior and present medical conditions, information that in the cumulative can make the possibility of recognition very high.”

And check out this rather empathetic section:

Even if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy. Imagine if nude pictures of a woman, uploaded to the Internet without her consent though without identifying her by name, were downloaded in a foreign country by people who will never meet her. She would still feel that her privacy had been invaded. The revelation of the intimate details contained in the record of a late-term abortion may inflict a similar wound.