Book review: Habeas Data

What does modern technology say about you? What can the police or other government agencies learn? What checks on their power exist? These questions are the subject of a new book from technology reporter Cyrus Farivar.

Habeas Data (affiliate link) explores the jurisprudence that has come to define modern privacy law. With interviews with lawyers, police officers, professors, and others who have shaped the precedent. What makes this such an interesting subject is the very nature of American privacy law. Almost nothing is explicitly defined by legislation. Instead, legal notions of privacy come from how courts interpret the Fourth Amendment to the United States Constitution. This gives government officials the incentive to push as far as they can in the hopes that no court cases arise to challenge their methods.

For the first two centuries or so, this served the republic fairly well. Search and seizure were constrained to the physical realm. Technological advances did little to improve the efficiency of law enforcement. This started to change with the advent of the telegraph and then the telephone, but it’s the rapid advances in computing and mobility that have rendered this unworkable.

As slow as legislatures can be to react to technological advances, courts are even slower. And while higher court rulings have generally been more favorable to a privacy-oriented view, not everyone agrees. The broad question that courts must grapple with is which matters more: the practical effects of the technology changes or the philosophical underpinnings?

To his credit, Farivar does not claim to have an answer. Ultimately, it’s a matter of what society determines is the appropriate balance between individual rights and the needs of the society at large. Farivar has his opinions, to be sure, but Habeas Data does not read like an advocacy piece. It is written by a seasoned reporter looking to inform the populace. Only by understanding the issues can the citizenry make an informed decision.

With that in mind, Habeas Data is an excellent book. Someone looking for fiery advocacy will likely be disappointed, but for anyone looking to understand the issue, it’s a great fit. Technology law and ethics courses would be well-advised to use this book as part of the curriculum. It is deep and well-researched while still remaining readable.

It has its faults, too. The flow of chapters seems a little haphazard at times. On the other hand, they can largely be treated as standalone studies on particular issues. And the book needed one more copy editing pass. I saw a few typographic errors, which is bound to happen in any first-run book, but was jarred by a phrase that appeared to have been accidentally copy/pasted in the middle of a word.

None of this should be used as a reason to pass on this book. I strongly recommend Habeas Data to anyone interested in the law and policy of technology, and even more strongly to those who aren’t interested. The shape that privacy law takes in the next few years will have impacts for decades to come.

left-pad exposed the real problems

During halftime of Super Bowl 49, “Left Shark” became an instant pop culture phenomenon. Last week, an 11-line software package called “left-pad” became an instant tech culture phenomenon.

In you’re not familiar with what happened, here is a basic summary as I understand it: the social network/chat company Kik approached a developer and threatened him with lawyering if he didn’t remove or rename his “kik” NPM package (the package was in no way related to Kik the company). When the developer refused, Kik went to NPM, who acquiesced and reassigned ownership. As a result, the developer pulled all of his packages, including left-pad, from NPM.

Normally, this wouldn’t get much attention. However the Node.js ecosystem apparently favors many small packages, such that you end up with single-function packages like left-pad. Many NPM packages either depend on left-pad or depend on packages that in turn depend on left-pad. This led to, as some people hyperbolicly said, the Internet breaking.

Much of the discussion has focused on the technical matters. The NPM ecosystem is the subject of a great deal of ridicule. The opinion isn’t unanimous, but ridicule is the prevailing sentiment. And rightfully so, but not for the reason being discussed.

The real problem with NPM isn’t the numerous tiny packages. The problem is with how the ecosystem is apparently managed. Breaking dependencies by “unpublishing” packages is not something a mature ecosystem allows. Removing a package without consent because another developer wants to use the name is a terrible way to build and maintain a community.

The other bad part is how Kik’s lawyers were able to make all of this happen. Trademarks are not universal. Just because Kik has trademarked the term in the context of a messaging platform, that doesn’t mean the term can’t be used in another context. Maybe in this specific case, there’s infringement here. I’m not a lawyer or a judge. But the way it was handled was not at all suitable. As Ben Thompson said, “lawyers overreaching on trademark were the Mentos to an open source absolutist’s cola.

It’s a bit unfair to pin this on “an open source absolutist”. Azer Koçulu may or may not be an open source absolutist, that’s irrelevant. Lawyers tossing threat grenades and ecosystem managers not protecting the ecosystem are more important than the number of packages or having trivially-small packages.



American Broadcasting Companies v. Aereo

The Internet is abuzz with discussion in the wake of today’s ruling in American Broadcasting Companies v. Aereo, but I can’t let it go by without offering my own opinion. As a “cord cutter” who lives an hour away from most of the over-the-air broadcasters, I have a personal interest in an Aereo-like service. I’d much rather pay $8/month to receive local television broadcasts over the Internet than to pay to install and maintain an aerial antenna. So it was with much dismay (but little surprise) that I read that the Supreme Court ruled 6-3 against Aereo.

I won’t presume to say that I know the law better than six justices of the nation’s highest court. Indeed, I’m not convinced that the ruling is incorrect from a legal standpoint. It’s certainly true, as the majority held, that Congress acted in 1976 to prevent the retransmission of broadcasts by community antenna TV (CATV) systems. Aereo, according to the majority, is similar to the old CATV systems. The fact that the underlying technology is substantially different from CATV (particularly in that there’s a 1:1 correspondence between receiver and customer as opposed to the one-to-many of CATV) is irrelevant, only the customer-facing experience matters.

As Justice Scalia noted in his dissent, that’s a lousy argument. I’ll grant that Aereo was slavishly devoted to the strict letter of the law (a less generous description is “exploiting the hell out of loopholes”), but the technical implementation matters. Aereo subscribers have their own antenna (ephemerally-assigned, as I understand it) and their recordings are stored in their own account. It’s not much of a leap (except in the cost) to provide an antenna and run a coaxial cable directly from the antenna to the customer’s television. At that point, it would be very difficult to argue that the service provider is “performing”, even by the ludicrously broad definition in the 1976 update to the Copyright Act.

Even if the Court’s ruling today is technically correct for this specific case, I worry about the impact it will have on technological advances in general. While the majority took care to say that “those who act as owners or possessors of the relevant product”, you have to imagine that some enterprising entertainment lawyer is looking to step up the attack on services like Slingbox. Just as rulings against Napster, Grokster, and others have failed to end file sharing, consumers will still be able to find content they want online. It’s just a matter of whether or not the creators and distributors get paid for it. The content industry has shown to be remarkably out of tune with the consumer, and the Aereo ruling only delays the inevitable.

Of course, Aereo isn’t exactly being forced to shutter. They can stay in business by paying retransmission fees to the broadcasters (assuming such an option is economically viable for them). This is probably the outcome that would make the broadcasters happiest. The real money these days is in retransmission fees, not advertising, so broadening the viewer base without broadening the pool of people paying for content they’re entitled to (by virtue of living within the broadcast range of the station) isn’t nearly as lucrative. Alternately, if Aereo provided a specific antenna to each user (such that the user owned the antenna and Aereo just housed it), that might be sufficient to meet the conditions established in today’s ruling.

It’s unlikely that Aereo will do anything but shut down. Aereo’s CEO has said “there is no plan B”. While the Court’s ruling today may have been correct, it is wrong.

Liable for sending texts to drivers?

On episode 225 of This Week in Law, the panel discussed a recent appeals court ruling in New Jersey. According to a summary by Jeremy Byellin, the court left open the possibility that someone sending a text message to a driver might be held liable for civil damages if the driver is distracted and gets into an accident. I haven’t been able to find the actual text of the decision, so all I have to go on is Byellin’s summary. Given that disclaimer, this seems like a questionable thing to put into a ruling. To be clear, the defendant in this case was not held liable. The court appears to be saying “but if you know someone is driving and will immediately look at your text, you may be partially liable for any damages they cause.”

From a theoretical perspective, it makes sense. If you know you’ll be distracting someone operating a four-wheeled killing machine, there’s a compelling interest to disincentivize such behavior. In the real world, this is tough to prove. The easiest defense is ignorance, since the court required active knowledge to hold a person liable. Unless the driver explicitly said “I’m driving and immediately viewing all messages I receive,” there’s little to prove that the sender had sufficient knowledge to be liable.

Even if the driver did send such a message, it might never see a court room. Because the parties to the conversation would likely delete incriminating messages and most carriers limit the amount of time they store messages, Byellin says “only a very narrow percentage of cases will the content actually be discoverable.”

TWiL panelist Gordon Firemark brought up an interesting point as well. Is the government repsonsible for distracting drivers with Wireless Emergency Alert (WEA) messages? From the New Jersey ruling, the government would not be liable because it could not know if a particular recipient is driving. Still, it’s easy to see how this opens the door for additional litigation. Even if every defendant wins, there’s a real cost to having to defend against a suit.

The slippery slope that I find particularly interesting is the non-SMS case. Indiana’s texting-and driving law was wisely written to cover more than just SMS messages. However, a pedantic reading could apply it to any method of data transfer. GPS-enabled applications, such as Google Maps or Waze, can reasonably determine if a phone is mobile or not. By design, they distract drivers from the road. Could Google be sued for not disabling Maps while the car is in motion?

Probably not. Really, this is all just an academic exercise. To my knowledge, no one has ever been held liable for texting a driver, in part because it’s so monumentally difficult to prove the plaintiff’s case. But the fact that a court would basically invite unwinnable suits strikes as little more than a stimulus program for the Bar Association.

Student speech rights

To continue the legal theme from a few days ago (with the addition of some “old news is so exciting!”), a high school in Kansas suspended the senior class president for comments he made on Twitter. What did he say? ““Heights U” is equivalent to WSU’s football team“. WSU’s football team doesn’t exist. That’s it. For that, the school deemed his initial tweet and responses were disruptive to the school.

It’s not clear to me if the Heights High School is acting in accordance with legal precedent (their decision is certainly unjust, but that’s another matter). The Supreme Court has affirmed and re-affirmed restrictions on the free speech rights of students. Bethel School District v. Fraser, Hazelwood v. Kuhlmeier, and Morse v. Frederick have all served to limit what students can say.

In Tinker v. Des Moines, the Court protected non-disruptive political speech, with the disruption being the critical factor. In Bethel, Hazelwood, and Morse the speech in question was part of a school-sanctioned activity even if the activity was not on school grounds (as in Morse). It would be a great stretch to consider Mr. Teague’s Twitter account to be a school-sanctioned activity, as it appears to be his personal account. To my knowledge, no Supreme Court ruling has ever addressed a school’s ability to restrict speech that occurs outside of school events.

Arguably, the concept of in loco parentis could be used to support the ability of schools to respond to behavior that happens outside the school. I don’t agree with this, but it would be interesting to see how this argument played out in the courts. In the meantime, I expect that this may end up being discussed in court rooms for years to come. If no suit is filed, it should at least be used as an exercise in high school government classes across the country.

Facebook’s post policing

Casey Johnston had an article on Ars Technica today about Facebook’s announcement that they would step up monitoring and removal of what they deem to be hate speech. Because this appears to be driven by complaints from women’s advocacy groups, the commentary has been largely political. I’d like to set aside the specifics of this and focus on the general case. It’s an interesting move on Facebook’s part because it sets a precedent.

Long, long ago, when telephones were still a thing, there was a legal idea of a “common carrier” (it still exists, of course, I’m just employing some blogtistic license). Common carriers offered services to the general public and were generally prohibited from doing anything about the content. For example, AT&T could not cut off your phone service if you did nothing but swear and say profane things when you were on the phone.

Although phone provides are still considered common carriers, internet service providers (ISPs) generally are not. ISPs, while protected from liability under various laws (e.g. Comcast can’t be shut down because a customer used a Comcast connection to transmit child pornography), can [in my understanding] theoretically terminate service if they don’t like what you’re “saying” on your connection.

Moving up the stack, websites such as Facebook or Funnel Fiasco are neither ISPs nor are they telecommunications common carriers. The general consensus, though untested in court as far as I know, is that sites are privately owned and can allow or disallow whatever content they like. This seems to be a pretty reasonable position, but there’s a difference between Facebook and Funnel Fiasco.

Apart from having a smarter and better-looking founder, Funnel Fiasco doesn’t allow just anyone to have a presence on the site. Facebook, especially for businesses/organizations, is more than just a blog or a message board, it’s a key part of digital presence. While that doesn’t make it an ISP, it does move it away from being just a website. Perhaps some additional category (e.g. “hosting provider”) needs to enter the understanding in this context.

What makes Facebook’s policy interesting to me from my perch as an armchair lawyer is the selective enforcement. While they are well within their legal rights, does it set a dangerous precedent for them? By choosing to police some content, are they liable (legally or otherwise) for not policing other content? Can they be held liable for policing content when other substantially similar content was not policed? Can the publicness of Facebook make it a common carrier?

Eventually this will become better defined. Whether it be by legislation, regulation, or litigation.

Protecting rights in the American legal system

[Ed. note: I normally avoid politics on this blog (and frankly, just about anywhere else. It’s no longer enjoyable for me to engage in political debate), so I hope this post doesn’t violate that too much. I’ve tried to avoid making too many references to contemporary events or persons, because that’s not what this is about. I’m talking about the philosophy of the American legal system, which is not always related to the implementation.]

A friend of mine recently shared an article on The Agitator about the death of Rodney King and people’s reactions to his life and death. One line toward the end of the article particularly resonated with me:

Part of protecting rights is committing to protect them without caring too much whether the rights are held by people who are awful or wonderful.

This sounds like something Atticus Finch might have said to his children to explain why he was defending a convicted felon. To me, it seems to be the heart of the American legal system. Our notion of presumed innocence, and fourth through eighth amendments to the Constitution are all intended to be applied to everyone, whether we’d invite them into our homes or not. The mob mentality sometimes forgets these ideals, and for that we have the cold, impersonal justice system.

It can be difficult when a high-profile case doesn’t go the way you expect, or even an episode of “Law and Order”, which generally has several procedural rulings in addition to the verdict. Even in the cases where the system fails to convict a guilty person, I’m glad our system is set up the way it is. The older I get, the more appreciation I have for the philosophical foundings of American government and law. I look foward to explaining them to my daughter when she’s old enough.

Privacy in the 21st century (or at least this week)

Digital privacy has been in the news this week. The first story involves a judge ordering a woman to decrypt her laptop. There has been a lot of uninformed commentary surrounding this story, and I thought I’d add my own to the pile. My initial reaction was that it was a pretty blatant violation of the Fifth Amendment, but after further reflection, I’m not so sure. I still struggle to find the right parallel to the physical world.

I don’t believe that decrypting the data is self-incrimination, in and of itself. A person can’t avoid a search warrant by simply locking the door. On the other hand, the police already have the data (in some form) in their possession. There’s no requirement that the data be in a form that the state finds convenient.

Overall, I’m not that concerned with this decision. A valid warrant should be sufficient to require a person to turn over documents in an unencrypted form. Failure to comply is rightly contempt of court. The only problem is when a person legitimately forgets the key, because it is nearly impossible to determine if they have legitimately forgotten. Still, I’m not at all convinced that this ruling is a death knell for the Fifth Amendment.

The other story in the news came from Google, who announced that they are changing their privacy policy for accounts (this does not include search, Wallet, and Chrome). This story has caused no end of hand-wringing, but it seems to me like a severe overreaction. From what I can tell, interactions with third party sites hasn’t changed. The changes mostly make it easier for Google services to share data internally.

To me, that’s part of the appeal of using the variety of services Google offers. What’s the point of a single account if the services aren’t tightly integrated? The lack of an opt-out isn’t a compelling argument to me. Anyone who doesn’t like the privacy policy doesn’t have to use the service (though I’ll admit that if you just bought an Android phone, the cost for leaving (assuming an early termination fee with the carrier) can be prohibitive). There’s an adage that states if you’re not paying, you’re the product. I’m fine with my data being more available across my Google services and hope the promised cool things come to pass. If it ever becomes unacceptable to use Google services, I’ll take my ball and go home.

The “Amazon tax”: who’s the bad guy?

ArsTechnica had an article recently about how Amazon has decided to cut off its California affiliates in order to avoid having to collect California sales tax. The California law considers independent affiliates to be a physical presence of the affiliated company, a position Amazon disagrees with. In the midst of an overwhelming budget crisis, it’s understandable that Governor Brown would want California residents to pay the same tax on their Amazon purchases that they would at BigBoxStoreCo. There’s concern that this could end up resulting in a loss in tax revenue as employees of these affiliates lose their jobs. I did a cursory search for reports of such job losses in other states that have enacted similar laws, but couldn’t find anything concrete.

I understand why Amazon is taking this position. They’re not avoiding paying taxes (the customers would be the ones paying), they’re avoiding the overhead of determining the appropriate sales tax for every combination of address and product. Sales taxes are complicated. They vary not only by state, but sometimes by county and city. Different products are sales-taxable and others aren’t. Some customers are exempt from sales tax for certain purchases. Trying to keep all of that straight for the entire country is a non-trivial overhead.

So what’s the solution? One argument is that sales taxes are inherently unfair as they disproportionately affect the poor. Some would argue that a uniform sales tax is the solution. Another issue is that sales taxes are the sometimes only way to get money people who don’t live in the area but use services and infrastructure. This is a complicated problem and the solution is way more political than I care to be on this blog (if you like law and politics, Doug Masson’s blog is an enjoyable read). I take this as an example of how governments have yet to catch up with technology. It’s not unreasonable that online retailers collect sales taxes, but it’s unreasonable to expect it until the process is simplified.

The Casey Anthony verdict

I’m not a lawyer (if you want to read a lawyer’s reaction to the case, see Doug Masson’s blog), but I have watched a lot of “Law and Order”. I haven’t paid much attention to the case, but I was made quite aware of the verdict by the rest of the world. Seemingly, everyone in the country except the 12 who mattered thought she was guilty. I’m not convinced that Casey Anthony killed or was involved in the death of her daughter. Why not? Because I’ve seen almost no facts regarding the case, I’ve just picked up a few bits and pieces from commentary elsewhere. While I know there are some who have watched the coverage of this trial closely, I suspect most people have received their information the same way I have: filtered through one or more layers of reporting.

I understand that people think Casey Anthony is guilty. I expect that most people are convinced that O.J. Simpson is guilty of murder, too. There’s a case from the homeland where the accused has been twice-convicted of a triple murder but has had the verdict overturned on appeal. And you know what? I think that’s a good thing. It should be very difficult to convict someone of murder. The penalty for murder is justifiably harsh, but it is a greater travesty of justice when someone is wrongly convicted.

The other noteworthy point about this case is the question of: why is it news? Is it news because Nancy Grace has shoved her face into it? (On a related note, have you seen the episode of “Leverage” where they take down an obvious Nancy-Grace-alike? It’s good times.) As tragic as it is, I don’t see a reason for this to be national news. The sad truth is that many children are abused and sometimes killed across the country. I’ve never understood why some become national news and others barely get covered at all.

But that’s 322 words about a case that I’m not familiar with from a person who isn’t a legal expert in any sense. So we’ll call this the end.