Saturday, November 12, 2011

Governance of Social Media, MSU Quello Center Workshop

Missed the first day, but here's the second:
Panel 5: Social Media, Privacy and the User
Moderator: Jonathan Obar (MSU)

Matt Jackson (PSU)
Concern about exploitation/commodification of user by marketers. Issues related to redlining: businesses or other entities may make predictions about us for health insurance, life insurance, etc. Price discrimination. General security breaches from large companies.

First Amendment hurdles to regulation. Also, courts have ruled there’s almost no expectation of privacy online, even when sites claim to protect privacy/use security measures. Clickwraps often purport to take away users’ say in the matter anyway. A party to a communication can divulge that communication to someone else absent a privilege. So if we look at Doubleclick case, disclosing cookies to marketing affiliates; court held that the website was the intended recipient of info and thus had the authority to share or authorize Doubleclick to intercept the data.

10 years later, Facebook: Court says it doesn’t matter who the user is communicating with. If intended recipient is Facebook, Facebook can share it with a third party marketer. If user is communicating with third party marketer, can share it with Facebook. Either way, user has no control. When users gave third parties authority to go to Facebook and mine their data, court ruled that users had no authority to give Power Ventures right to access their data. One of the parties to the communication can’t give authorization because of ToU—again, the user has no say.

Solutions? Opt out or opt in. Technical issues are a barrier. Regulation through essential facilities doctrine, but courts generally skeptical.

Typically unconsented data collection is not considered economic loss. Users’ attention can’t be unjustly taken, even though marketers pay millions for that access. Copyright is no solution; facts are not protected by copyright, and compilations have only thin protection. However, DMCA is being leveraged by Facebook to claim additional control—Power Ventures case that FB may have copyright in its layout of user’s page.

Need new solutions for users to control own privacy.

Frank Pasquale (Seton Hall)

From health privacy to medical reputation: invasive personal profiling in an age of digitized social networks. Health-based social networks: Patients Like Me; also, people release health status information on general social networks. Data breaches: recent enforcement of HIPAA, which used to be known as a toothless tiger. Medical reputation is different—development of predictive algorithms, used like credit scores. He believes that these analytics will be used more and more in health.

Why do social networks change things? We have many sources of health info. There are new forms of disclosure. “Liking” the syphilis info page, or liking “a glass of wine solves everything” or “I do stupid things when I’m drunk.” Quantified self. What if you’re reading stories on AIDS treatment with a social reader, or what if your relatives/friends mention your health status in their own discussions?

It’s really hard to understand what’s happening to your data. Suppose you “friend” a local hospital. How can you know what they’re doing with the hundreds of other “friends”? Default: no independent verification of who joins, including whether or not they’re data miners.

Rough proposals: social networks need to prohibit scraping or clearly notify users not only of data uses, but also of credible threats. Regulation needs to move beyond social networks to medical profiles. Consent is increasingly rickety. Need audit trails in the health privacy context, as we do with SEC and national security. The power of corporations over individuals is so great that we need to understand what’s going on and institute forbidden grounds for making decisions (or at least disclosure to individuals of the record on which decisions were made).

FTC recently settled with a couple of companies that were gathering pharmacy data not covered by HIPAA and using it to create profiles of individuals, then distributing that to insurance companies to make insurance decisions. Any record of a mental health prescription was a red flag for insurers. These types of profiles are very commercially powerful. Employers now have so much access to health data, including social networking, that it’s too tempting—especially if they self-insure—to profile and wrap that profile into a larger score, so you’re never really fired for being too costly.

Increasing pressures to self-disclose as well. Nothing preventing you from advertising your good health decisions, which creates its own dynamic.

We tend to think of different areas (telecom, health) as silos. But in this realm, with so much data unleashed, any source can be medically charged and will leak across silos.

Kathryn Montgomery (American)
Safeguards for children and teens. General points: Any discussion of privacy implications has to be considered in context of the digital marketplace. Information is used covertly to manipulate; young people are being socialized into the system, with huge implications not just for them but for everyone.

COPPA was the result of a lot of lobbying, debate over online privacy. Recent settlements: skid-e-kids involved a big fine for failure to comply. But that’s just a tiny part of a huge social media landscape. Teens in particular are highly engaged with social media. Parents are lying to get their kids on Facebook—Consumer Reports says 5 million users are 10 or younger. Parents don’t necessarily know what they’re getting into. Could comply with the law if parents were well informed.

Social media resonate with key adolescent developmental needs—explore identity, figure out who you are, express yourself and find your voice, develop relationships with peers, and be autonomous. Marketers know this too. Teens’ brains are still developing; can be impulsive, sensation-seeking, risk-taking, subject to peer influence, subject to severe mood variations. Advertisers have developed very specific ways to find and measure influencers, used to create user-generated ad campaigns distributed to friends with lots of incentives and data collection built in. Mountain Dew: Dewmocracy, kids induced to create their own ads. Activation: another step beyond monitoring—prompts certain behaviors and measures them. Discussion of Doritos Asylum 626 promotion, which includes pulling two of the user’s FB friends into the asylum, having the player choose which one to save, and inviting the user’s entire social network to help “save” him or her. Have to buy Doritos to “unlock” the “darkest” part of the game.

Current initiatives: revising COPPA rules to be extended/clarified for mobile apps. What constitutes personal information? Has called for greater attention to adolescents, giving more transparency and control. Digital bill of rights for marketing to teens. How do we market fairly to adolescents to honor full participation but also providing them safeguards as consumers—not in the COPPA model of permission from parents but socialization into responsibilities as consumers.

Junichi Semitsu (University of San Diego)

Arresting development: FB and the information superhighway. He’s one minor traffic stop away from having all the details of his life scoured because the police can search cellphones on arrest. Companies make extraction devices so that police can clone phones easily. He has a password, but companies promise to break right through those passwords. Architecture of FB and other sites means that gov’t can catalog my personal info if any one of my friends is arrested. Must assume that anything he’s ever written, liked, or shared on FB may be easily searchable by law enforcement.

Is that legal? Traditional 4th amendment; Electronic Communications Privacy Act; First Amendment all offer concerns. His work is going towards First Amendment because the other alternatives won’t get the job done and the present solution risks a serious chill.

53 cell phone search cases found in his search for reported opinions after Arizona v. Gant: Not many compared to number of searches, but in 82% search of cell phone upheld. 17.6% invalidated. The list of crimes for which one might find evidence on a cell phone is huge—any crime where mens rea is important, location, potential conspirators. Only minor vehicular traffic violations in which the police already have all the info they need at the time of arrest wouldn’t potentially turn up relevant evidence. When searches struck down, involved (1) invalid inventory search (purpose should be safeguarding, not looking for evidence—though courts have also accepted inventory searches of the contents of a phone); (2) improper for fact-specific reasons unrelated to cell, such as that the entire search of a car was improper; (3) one case, Ohio S.Ct., held that cell phones shouldn’t be treated like any other container because of how much is in them—but that’s an exception, conflicting with other cases including Cal. S.Ct. Some cases are vague about where the info came from, but most involve texts, email, and call logs.

What if the police did go through one’s FB account? Should the magnitude of the amount of content matter? Should it matter that valuable evidence could disappear from the account? What’s the expectation of privacy? Very difficult claim to make because the information is public, or shared with a large number of people. Many FB users are careful about restricting access, but even if so there’s still FB in the middle.

ECPA: only covers, at most, private FB messages less than 181 days old. More importantly, there’s no suppression remedy.

This leaves us with the First Amendment.

Robert Sprague (Wyoming)

The walls have eyes: surveillance through social media. Privacy is about seclusion/controlling information about yourself. Surveillance is the thing that makes intrusions work. One judge’s view: if you voluntarily post info/pictures on a social networking site you can’t have any reasonable expectation of privacy. “By definition, a social networking site is the interactive sharing of your personal life with others.” Privacy is binary: it’s either secret, or if it gets out it’s gone.

Who is tracking you? Gov’t, individuals, employers (productivity, liability avoidance, asset protection, reputation, litigation), businesses (FB, protecting their own reputation either by addressing complaints or threatening responses).

Recent moves to reform ECPA—unclear what if anything might happen. Maybe should be unlawful to pressure your employees (or applicants) to provide access to their social media passwords. Over 100 charges by employees who were fired for complaining on FB—question is whether that’s protected activity. FTC: deceptive practices, but limited resources for enforcement. Fair Credit Reporting Act—some preemployment investigations may bump up against this, and states are considering their own acts.

FRCP: court reviews the publicly accessible portions; if there’s reasonable likelihood of further relevant information, subject may have to turn over username and password. (As Eric has pointed out, this is a way overbroad solution that has the potential to embarrass and chill the litigant. Why not have them turn over discoverable results, not all the info?)

DMCA/ACTA are also potentially relevant—obligations on ISPs to monitor for copyright infringement.

Panel 6: First Amendment and Free Speech
Respondent/Moderator: David Post (Temple)

Peter Swire (Ohio State)
Privacy as pain in the neck for, e.g., Obama organizers who just want to reach their targets. Progressives wanted us to be empowered, but that means reaching out through social networking (also true of Tea Party). Engines of associational activity. 2009, 97% of charities used social media. Majority of online users have been invited online to join a group. Over 1/3 have used the internet to invite others to form a group.

Do not track: one version is that we won’t show you ads based on targeting; version two is that we actually won’t track, which is what people think the concept means. It’s like do not call, but there’s an exception for do not call for nonprofits/political parties. Are nonprofits/political campaigns entitled to a similar exception for do not track? Not in FTC proposals; they’re working on this.

Data collection limits are a different animal. That’s a pretty severe interruption in data flows, but won’t much affect nonprofits/political entities.

More generally: our ability to reach out and touch people is data empowerment, in contrast with EU privacy/data protection—human rights not to have others process data. The form of that argument is that there is a right to avoid contact. But right to association can also kick in—it’s right v. right, not right v. interest.

Think about an integrated intellectual structure of social media as platforms for association and privacy. We split within ourselves: we like to get our stuff out there to our friends, but we don’t necessarily want it done to us either. Legal doctrine needs more development of freedom of association. Practical politics: hard to tell politicians to limit their FB activities. If you make it hard to find supporters, that will make politicians sad.

Marvin Ammori (New America Foundation)

New e-PARASITE act, following earlier drafts. Goal supposedly to target Pirate Bay type sites. Broad union and corporate support (AFL-CIO); opponents: tech companies and law professors. Allows AG to go after rogue sites, as well as private right of action to any IP right holder harmed by a site. “Market-based private right of action.” Sites are any sites “dedicated to the theft of US property.” Site “enables or facilitates” copyright infringement. That freaks out a lot of sites because that’s pretty broad. YouTube is potentially at risk. Or: any site that has taken actions to avoid confirming a high probability of the use of a site to violate copyright: imposes a duty to monitor to avoid infringement. Also covers sites whose object is to promote infringement. Implicates much social media.

Sites at risk: Facebook, Technorati, Flicker, Delicious, Stumbleupon, Twitter, Blogger, etc. Turntable.fm—you upload some songs for friends, like a DJ. Hugely popular, likely dedicated to infringement under the new standard. Soundcloud: also allows people to upload music and comment on it at particular points in the song—also at risk. MonsterCable: a supporter of the act; lists eBay, Craigslist, Costco, and Sears as targeted entities. GroupM, another supporter: lists Internet Archive, BitTorrent Inc., Soundcloud, Vimeo, Vibe Magazine, many hip-hop blogs. Anticompetitive motive!

The law says that it shouldn’t be construed to impose a prior restraint on free speech or the press. First Amendment question is harder than that, though. Floyd Abrams wrote a letter on behalf of the content industry saying it’s ok; 90 law professors disagreed, arguing that it was a prior restraint.

One angle: private right of action generally. Private rights of action are indeed subject to First Amendment scrutiny. Covers foreign or domestic sites. Foreign speakers don’t have First Amendment rights, but American recipients do.

Argument 1: this is a copyright-based restriction, a new class of speech of sites “dedicated to infringement.” Entire sites subject to punishment from payment services/change in the DNS. If so, it’s not narrowly tailored because it shuts down the whole site and doesn’t just target the infringing material. Also not tailored to the compelling interest if the interest is foreign sites.

Argument 2: suppose it’s not content-based. Eldred says change to copyright’s ok if it doesn’t change the basic contours of copyright, but this changes the basic contours by going after the whole service/technology instead of the infringing material. Not clear what standard applies in such a case, but he argues it fails both strict and intermediate scrutiny.

Long history of copyright owners fighting against new tech. Now: Hollywood finally gets a chance to break the internet. Sony Pictures CEO says: “I’m a guy who doesn’t see anything good having come from the internet.” Bad precedent abroad for other people who want to break the internet.

Adam Candeub (MSU)

Anonymity/pseudonymity. First Amendment protects anonymous speech. (Me: Why doesn’t the privacy reasoning courts have used to make privacy binary also apply to anonymity? It clearly doesn’t—courts have protected anonymity as against the world even when the speaker has provided identifying information to an intermediary—but why not?) But there’s no First Amendment right against a private actor running a social network, so you don’t have a right to speak anonymously. FB has a policy against anonymous speech; Google+ banned pseudonyms (actually they still do but have promised to stop). ToU violations can be a crime under the CFAA, and fraud and other laws limit the right to act pseudonymously.

If you’re a fan of the Federalist Papers, how do we protect pseudonymity? How does anonymity fit into self-help privacy?

Privacy is contextual. Medical record privacy is important. You want doctors to have your gory details, not someone on the subway. Privacy is therefore not binary, as the doctrine is inclined to say. Privacy should be “good enough.”

Tools to get good enough privacy: technical, “do not track” market structure etc. In social media: have a pseudonymous FB account. Everyone who knows me can find me, but a potential employer won’t come up with the account. A little research into the name would probably reveal the identity backwards, though.

Other tech tools: proxies like Tor. Behavioral tracking/server records would remain available.

What do you do when the service fights back? CFAA prosecution—criminalizes the violation of an employer’s computer use policy. We don’t know what will happen next. Plain vanilla fraud also remains available. Many states have anti-impersonation rules; some statutes aren’t written to cover only fraudulent intent—Nevada bars any pseudonym. If we want to protect pseudonymity, we need a First Amendment safe harbor for nonfraudulent uses. A precedent for this in the materiality requirement in federal misrepresentation statutes.

Rob Frieden (PSU)

The dichotomous world of social media as neutral conduit and active content packager. Social networks have competing motives, creating ambivalence. Not quite common carriers; not really foremost identified as a First Amendment speaker, though we have exemptions for liability where the network disavows responsibility for speech. Best of both worlds for it is to be able to toggle between speaker and nonspeaker. Weaving in network neutrality: new motivations for service providers to actively manage their networks, engage in quality discrimination and price discrimination.

Lee Tien (EFF)

Does not use any social media for fear of exposure. We don’t know where our private medical data are going: private entities are sharing it for their own purposes. This is very different from other types of speech. Speech is intended; it has an audience; you can refrain from speaking when you don’t want to. First Amendment embraces a right not to speak, or at least allows policies sensitive to audience selectivity. In any robust conception of the First Amendment, there has to be a sense of audience selection. (Me: This is why Julie Cohen is right to point out the conflict between defenders of copyright restriction/transformative fair use and privacy advocates; types of control are not created equally.)

Disclosure/transparency are inadequate unless we can make the gov’t tell us what it’s doing with our data. Government bans you from disclosing you’ve received a national security letter—gag orders.

Statutory framework: consent can vitiate any statutory protections. If the gov’t doesn’t need to use a warrant, we’ll never detect the things the gov’t is doing. So one thing necessary is to restore the consumer’s ability to set terms.

Sorrel: probably correctly decided because statute was poorly drafted, but sui generis. Court was clear that it was shocked by the content/speaker discrimination. Court was careful, because the US raised a bunch of cautions, to distinguish HIPAA. People are over-reading Sorrel. The real issue is whether we’re talking about speech in a particular instance of data. What you say on FB is speech, but the clickstream data moving around because of what you’re doing on FB is a different animal: did you intend to communicate that?

230 exceptionalism aside, for the most part, social media isn’t presenting different cases (laws about teachers maintaining social media profiles, for example, shouldn’t be thought of differently than other regulations of teacher communication).

Post: how do you get courts to take First Amendment claims seriously in these contexts?

Candeub: pseudonymity is a limiting case of association rights—I don’t want to be associated with myself.

Tien: Association cases are stronger, but do seem to require a signficant factual showing of some kind of fear of reprisal.

Q: hyperbolic to say that e-parasite act will kill the internet. Music is one of the most important industries in the country. YouTube has as much as acknowledged that it’s an infringer and has taken steps to correct it, using tech to identify videos using commercially released music and work with content owners. They wanted eyeballs (founders said so). They could’ve negotiated with rights holders and specifically chose not to do so when others were doing so. There’s a problem with licensing, yes, but that’s not enough. Turntable.fm is now negotiating licenses. Some sites just need to go to BMI/ASCAP and just chooses not to. Limewire is a good example. Law professors are being unreasonable. (Hey!)

Ammori: disagree with it all. The act is even more extreme than when it started. Turntable and YouTube suggest the current system is working. Imposing extra obligations seems unnecessary. There has been litigation (which Viacom lost at the lower level). When you say it’s a joke for tech companies to be concerned, that’s hard to buy given that they’re concerned about their own business models.

Q: your one-sided presentation is a joke. Silicon Valley is engaged in DC.

Ammori: new involvement as a result of this law!

Q: idea that they’re forced to negotiate up front is added on to the DMCA. We’ve been operating with a launch first, ask forgiveness model. That’s anticompetitive to those companies that ask first and negotiate the licenses. The licensing structure is broken, sure, but that’s what needs fixing. Current law is unfair to content companies.

Post: the law doesn’t break the net by getting rid of infringers. It breaks it through the architecture: novel enforcement procedure going through the domain name system, authorizing courts for the first time to order registrars, registries, and ISPs to remove sites from the databases. That’s in deep conflict with the architectural principles of the net, which is that it should be the same thing whereever you are. There’s a serious argument from the technologists that an entire suite of applications is built on that unified notion of addressing. Second, the obligation of monitor is new and bad. You can get shut down if you have taken steps to avoid confirming that there is infringement, whether or not there is infringement. Creates a new duty to monitor which is troubling.

Semitsu: If the social network actually refused to cough up the identity when the gov’t ask, wouldn’t the anonymity argument still maintain its First Amendment punch? Isn’t the problem that the networks roll over?

A: a truly privacy-protecting social network hasn’t emerged yet—that’s an economic/industrial org question about why we don’t have these competitors.

Post: the question is, when faced with a subpoena for a group’s membership, why is it so difficult for an ISP to say no, it’s unconstitutional under NAACP v. Alabama?

A: q is how the third party doctrine fits in. The moment 5 people organize through FB, the Fourth Amendment says it can be turned over. Can you nonetheless assert a First Amendment claim because you meant to keep it private?

Tien: certainly in the Doe cases—ISPs may notify a user and allow them to litigate.

Panel 7: Traditional communication policy goals - Implications for Social Media
Moderator: Patricia Longstaff (Syracuse)

Information theory: sender, encoding, channel/medium/interference, decoding, receiver—provides a framework for thinking about regulation.

Johannes Bauer (MSU)

Governance: includes co-regulation, self-regulation, and emergent coordination. Social media are governed by nested systems of laws, norms, code, and so on. First question: what is working and is there a need for change? Traditional media raise similar problems, but how we deal with competition and other things may change—as it turns out, barriers to entry to new media are also high. Information security is a new issue, unaddressed in social media.

Governance happens within existing institutional frameworks, producing inertia. Mechanisms evolve at different speeds. This is why we can expect layers—likewise international aspects push towards co-regulation and self-regulation.

Nonlinear (tipping point, network effects, etc.) qualities of social networks make them difficult to regulate. Institutional entrepreneurs are needed to help evolve existing and new governance mechanisms.

Barbara Cherry (Indiana)

Social media and the constitutional rights of individuals v. corporations. Her focus: evolving legal landscape for social media—legal limits on gov’t power are evolving. Growth in judicial recognition of corporate rights coupled with regulatory retrenchment is undermining the rule of law and allowing corporate power to be leveraged over individuals.

Phase transition, driven by litigation by corporations asserting First Amendment rights. Erodes government’s ability to distinguish between corporations and individual human beings. Coupled with erosion of consumer protection—unilateral imposition of arbitration barring class actions, etc. Economic power can be leveraged into political realm. New tech environments are no different. Increased globalization—serves to undermine rule of law itself when gov’ts can’t respond in time. Exacerbation of systemic risks and “normal” accidents.

How do we respond? Constitutional amendment limiting const’l rights of corporations. Encourage judiciary to balance constitutional rights of corporations v. individuals. Extend constitutional rights to new forms of human collective activity, such as those facilitated by new media, as counterweight to corporate rights.

Governance of social activities affects the continuing coevolution of economic/political systems. We have the opportunity for self-direction.

Philip Napoli (Fordham)

Implicit/explicit concern of most traditional communications policy has been that citizens receive necessary information. How does journalism factor into social media policy discussions? Growing importance of social media in the news ecosystem. Social media can produce news, distribute news, and provide feedback for news producers—these are very distinct roles and each must be understood. News sites are making most use of social media for sharing—news referral service. FB is thus 2d/3d most important driver of traffic to many sites. Social media as tool for feedback: reporting more relevant news or further descent into market-driven news.

Access issues: government blockage or shutdown of social media platforms—hundreds of instances 1995-2011, for example BART blockage recently.

Diversity: who participates? 10% of Twitter accounts produce 90% of tweets. Diversity of FB users seems to reflect diversity of US internet-using population. Diversity affects the role of feeback: news will be responsive to those who provide the feedback.

Amit Schejter (PSU)

All media are social, so he doesn’t like the term. Are we in this to help out marketers? To craft policy to improve access? Innovation? Participation/opportunity for those who don’t have it? There is a connection between economic development and democracy, but that requires equitable distribution of growth. Compare government adoption of static v. interactive web apps. One study: state gov’ts’ use of social media tools. There’s a direct connection between usage and access to the internet—getting people connected changes their relation with government/increases participation in public life. But, Nov. 2011 report still shows socioeconomic barriers. There are populations that aren’t able to connect, mainly “nothing for me there” (beats even “I can’t afford it”). Why isn’t there anything for those populations?

We should look for a policy promoting civic participation, not hands-off or hands-on. There’s no contradiction between market growth and increased connection of people who aren’t yet connected. Replace our metaphor of utilitarianism with a corrective justice policy.

Q: How do we understand the DMCA safe harbors and CDA 230 from a rule of law perspective? Maybe they allow for decentralized solutions, but now we see efforts to close off those safe harbors. These are very destabilizing laws.

Cherry: Isn’t a copyright expert. Outgrowth of litigation that proceeded without a definitive statutory framework; attempt to provide uniformity previously lacking. But any legislation is always the result of lobbying. If you can’t win, you at least leave wiggle room to litigate—ambiguities intentionally left in. In terms of rule of law, would think about it this way: consider how we’ve enabled certain kinds of activities through the legal structure of the corporation, allowing it to block government regulation, in ways initially reserved for humans. Certain collectivities can trump humans in the political realm by leveraging economic power derived in another sphere. That’s her focus.

No comments: