March 15, 2004

Privacy Concerns Shrink MATRIX DB Participation

MATRIX (Multistate Anti-Terrorism Information Exchange) describes itself as "a pilot effort to increase and enhance the exchange of sensitive terrorism and other criminal activity information between local, state, and federal law enforcement agencies." Created by a private company for the state of Florida after 9/11, it had 16 states participating at one time, but most have since withdrawn. Privacy is one concern, according to a 3/15/04 New York Times article, "Privacy Fears Erode Support for a Network to Fight Crime."

Supporters of MATRIX had expected that the number of participating states would increase, but the number has instead shrunk to five as of last week. Among those expressing concern over privacy and seeking more information about the workings of the system are the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC), says the Times.

See MATRIX's FAQ.

See also ACLU's 3/11/04 feature on MATRIX, including links to FOIA requests and documents received in response.

DougSimpson.com/blog

Posted by dougsimpson at 06:36 AM | Comments (0) | TrackBack

February 24, 2004

People are the "weakest link" in data security

MSNBC reports that private data about hundreds of children was publicly exposed on the Net by government subcontractors seeking some temp help. According to the 2/8/04 report by MSNBC, files with the names, birthdates, even work schedules of the children's caregivers were posted by a computer consultant struggling with a database problem, and stayed online for weeks.

Kent Kisselbrack is a spokesman for the New York Office of Children and Family Services, which regulates the county agency that leaked the data, says MSNBC. "Personal information of the nature that was on this Web site, especially information about children, it's not appropriate for this kind of information to be available to the general public," Kisselbrack told MSNBC.

MSNBC says that the county agency had subcontracted database work to a community college, which hired a third party consultant, who in turn used RentACoder.com to find help. That contractor made several public postings for help and attached a zipped copy of the file he was working on ... containing the data about hundreds of children, all according to MSNBC.

Child privacy and online safety advocate Parry Aftab operates WiredSafety.org and was quoted about the incident as saying: "This is horrible."

Source: MSNBC - Government agency exposes day-care data (2/8/04)

Perhaps some of the creativity and money now being spent on controlling the unauthorized flow of pop music on the Net should be redirected to controlling the unauthorized flow of private data about children? Perhaps the RIAA has something in their playbook for a situation like this.

Questions:

  • Has the guardian or "next friend" of an affected child an effective remedy against the county or the contractor and subcontractor?
  • Are there changes in law or regulation required to reduce the chances of this happening again?
  • What are the minimum standards of care to which government agencies should be held when outsourcing work on sensitive data?

    DougSimpson.com/blog

    Posted by dougsimpson at 07:37 PM | Comments (0) | TrackBack
    January 28, 2004

    Senate Judiciary Computergate: Criminal?

    On November 14, 2003, contents of memos obtained from computer files of two United States Senators were shared with and published by the Wall Street Journal and the Washington Times. On November 28, 2003, the Washington Post reported that an official investigation had begun and that Judiciary Committee Chairman Orrin G. Hatch (R-UT) had confirmed that a member of his staff "had improperly accessed some of the documents" and a second former staff member "may also have been involved." The memos, dated from 2001 through 2003, concerned Democratic strategies for opposing judicial nominees of President Bush. See Senate Opens Inquiry Into Leaked Memos.

    The incident raises significant questions about the circumstances under which one can have a reasonable expectation of privacy, about digital security awareness, and about potential civil or criminal sanctions under existing law.

    According to a January 23 story in the Los Angeles Times, Senate Sergeant-at-Arms William Pickle has confiscated hard drives, enlisted forensic experts and conducted interviews in an attempt to pin down who accessed the 15 memos in question. Details of the investigation are still emerging.

    The Boston Globe reported on January 22 that a hard drive in the office of Senate Majority Leader Bill Frist (R-TN) is among the material seized in the Sergeant-at-Arms investigation. The Globe also suggests that Senator Frist's chief judicial nominee adviser, Manuel Miranda, may have been involved.

    The Globe quoted Miranda as denying any impropriety. "There appears to have been no hacking, no stealing, and no violation of any Senate rule," he told the Globe. "Stealing assumes a property right and there is no property right to a government document. . . . These documents are not covered under the Senate disclosure rule because they are not official business and, to the extent they were disclosed, they were disclosed inadvertently by negligent [Democratic] staff."

    Democrats have tended to disagree with the analysis represented by Miranda's statement. Judiciary Chairman Orrin Hatch (R-UT) was quoted by the Globe as stating that he was "mortified that this improper, unethical and simply unacceptable breach of confidential files may have occurred on my watch."

    On Jan. 24, Richard Powelson of the Knoxville News-Sentinel quoted Sen. Patrick Leahy (D-VT) as referring to "cybertheft" of confidential Democratic memoranda.

    Sabrina I. Pacifici points us to Robert Vamosi's piece on ZDNet, "Security breach on Capitol Hill: It's criminal" (Jan. 26, 2004), in which he asserts that the breach is "as wrong as a criminal hacker breaking into a corporation's Web site. If these allegations hold up under investigation, those responsible should be punished just as a criminal would." Vamosi suggests that the incident also points to issues with lax computer security. He contacted Chris Rouland, vice president of Internet Security Systems' X-Force, who observed that, like many corporations, the Senate had focused its security efforts on the perimeter with few internal controls, creating what he called a "hard-candy shell with a soft chewy interior."

    I'm no expert on the criminal law of computer file access, so I've some ignorant questions I hope our readers can help with via Comments or Trackback:

    Q: Under what circumstances would some of the overt acts possibly committed here be regarded as criminal, and under which statutes?

    Q: Regardless of legality, what does this say about the security practices in place at the United States Senate and among its staff?

    Q: What internal controls on network computer use and on access to the records in question would have resulted in Senators having a greater expectation of privacy as to these politically sensitive files?

    Comments or Trackback, please.

    DougSimpson.com/blog

    Posted by dougsimpson at 11:36 AM | Comments (1) | TrackBack

    December 17, 2003

    Spread of Encrypted "DarkNets": The Legacy of RIAA's Crackdown?

    Will the RIAA's legal push against music file sharing result in greater security for terrorists and organized crime, by promoting the spread of decentralized networks exchanging encrypted data, sometimes called "DarkNets"? For years, the government has worried about strong public key encryption in the hands of spies and criminals. The Clipper Chip was supposed to make the Internet safe for democracy, but it was quickly cracked and neutralized.

    Consumers didn't bother to use strong encryption, because ... hey, it's more work, and few folks have much worth the trouble of hiding. The RIAA's new moves, to obtain the identities behind "peer-to-peer" file swappers by service of DMCA-empowered subpoenas and then sue those individuals, have dramatically changed the battlefield. As any student of military history and technology knows, the deployment of any new weapon is soon followed by the deployment of a new defense or countermeasure. Sometimes the countermeasure proves more powerful than the weapon: that's how we got the tank, as a countermeasure to the machine gun.

    In today's e-letter, Clay Shirky suggests that in this case, the response to RIAA's offensive will be more widespread use of encrypted decentralized "dark nets" like WINW and BadBlue. He compares the situation to that during Prohibition, in which efforts to prevent alcohol consumption failed in their primary purpose, but did succeed in hatching organized crime: a countermeasure that survived the repeal of Prohibition and is a thorn in society's side today. He sees the result as a profound change that goes beyond the realm of music sharing.

    "People will differ on the value of this change, depending on their feelings about privacy and their trust of the Government," Shirky concludes, "but the effects of the increased use of encryption, and the subsequent difficulties for law enforcement in decrypting messages and files, will last far longer than the current transition to digital music delivery, and may in fact be the most important legacy of the current legal crackdown." "The RIAA Succeeds Where the Cypherpunks Failed," Clay Shirky (December 17, 2003).

    See also:
    Unintended Consequences: "Darknets" Offer Privacy to P2P Net
    Unintended Consequences: EFF Links to 9th Cir Docs re RIAA Suit MGM v. Grokster, et al

    DougSimpson.com/blog

    Posted by dougsimpson at 07:13 PM | Comments (0) | TrackBack

    October 24, 2003

    California Guide on Disclosure of Personal Info Security Breach

    California's Privacy Protection Office has issued guidelines on compliance with the July law requiring notice to consumers of a security breach involving personal information. The law, enacted as S.B. 1386, is codified at California Civil Code Sections 1798.29 and 1798.82 to 1798.84. See the office's Recommended Practices.

    In addition to directives as to who, what, when and how to make notification, the guide includes suggestions for best practices for:

  • protection and prevention,
  • preparing for notification,
  • actual notification,
  • sample notice letters,
    and also:
  • the full text of the statutes,
  • a list of contact data for various law enforcement bodies,
  • a guideline from the California Highway Patrol on the method and content of reports to law enforcement, and
  • the results of a benchmark study of corporate compliance since the law's enactment

    DougSimpson.com/blog

    Posted by dougsimpson at 08:32 PM | Comments (0) | TrackBack
    October 02, 2003

    Senate Hearing "Privacy and Piracy"

    A hearing that addressed consequences of the struggle between peer-to-peer networks and the entertainment industry was held 9/30 by the Senate Committee on Governmental Affairs. Material on the site of the Committee on Governmental Affairs includes hearing statements from three U.S. Senators, representatives of the recording industry, of the file-sharing industry, and two disinterested experts. Thanks to beSpacific for this item.

    DougSimpson.com/blog

    Posted by dougsimpson at 05:21 AM | Comments (0) | TrackBack

    September 15, 2003

    "Darknets" Offer Privacy to P2P Net

    File-sharers are turning to "darknets" to stay away from prying eyes, says Business Week Online in "The Underground Internet" (September 15, 2003). Sources of the technology include Freenet, Waste, BadBlue and Groove.

    "Darknet" software is made to enable small groups of trusted individuals to quickly set up and take down secure networks on the infrastructure of the public Internet. The article says large corporations are using darknets to communicate and share information with partners in a channel more secure than their corporate intranets. Another potential use is for swapping of content, including unauthorized copies of copyrighted materials. There are a variety of "flavors" of darknet technology.

    Freenet uses a ring of trusted persons to search for and exchange information. It has been used in various sectors politically threatened by systematic denial of free speech and privacy. For a technical and practical introduction to Freenet, see a 2002 IEEE paper "Protecting Freedom of Information Online with Freenet". It is also referenced in numerous scientific articles accessible through Citeseer. Freenet's Ian Clarke has declared that Freenet will not enforce copyrights.

    Direct Connect (DC) is another, but BusinessWeek Online says it secures its net with passwords, making it easy to penetrate.

    Waste is said to be more secure than DC, says BWOnline, because it requires participants to exchange public keys and then encrypts data travelling between network participants in transit. It was quietly made available as open source software in May by Justin Frankel, at the time head of a unit of AOL, then quickly withdrawn. Not quickly enough: it was promptly picked up by SourceForge, which also develops Freenet. Frankel also developed WinAmp, Shoutcast and Gnutella, according to an article in MIT Enterprise Technology Review.

    BadBlue offers two white papers about their technology: "A Standards-based, P2P Approach to Marketplaces and Exchanges" and "BadBlue Platform Approach: A Web Server in every device."

    Groove is the company founded and built up by Ray Ozzie, using his share of the proceeds of the 1995 sale of Lotus to IBM for $3.5 billion. Ozzie was the principal developer of Lotus Notes, which was the "jewel in the crown" that IBM was after. In 2001, Groove announced a strategic relationship with Microsoft. See also Ozzie's weblog.

    The entertainment industry is not worried about darknets yet, according to Randy Saaf of MediaDefender, Inc., who told Business Week: "If they are using private networks, there is very little risk of being caught, but there is very little risk of them really doing much harm to the entertainment companies."

    DougSimpson.com/blog

    Posted by dougsimpson at 01:35 PM | Comments (0) | TrackBack

    September 04, 2003

    GrepLaw Interviews Yale's Ernest Miller on DRM, Privacy and Hemingway

    GrepLaw | Ernest Miller on DRM, Privacy and Hemingway

    GrepLaw is a blog at Harvard Law School's Berkman Center for Internet & Society. Ernest Miller is at Yale Law, and has been an editor at LawMeme, a law and technology blog there.

    Miller explains for GrepLaw readers the Information Society Project at Yale Law School, and opines that blogs "are great places for law students to begin to find their voice and practice writing in this new medium. They will also be the center of more and more legal debate and analysis."

    About the key issues of cyberlaw for the coming year, Miller tells GrepLaw: "The intersection of copyright law and the First Amendment is perhaps the key modern issue in this field. Until the theories of copyright and First Amendment can be reconciled, the law will continue to be confusing and come up with strange results. I am optimistic, though not overly so, that some movement on this front has already begun."

    He has a lot to say about DRM and fair use, privacy and many other issues. An extended interview well worth reading.

    DougSimpson.com/blog

    Posted by dougsimpson at 07:04 PM | Comments (0) | TrackBack

    August 15, 2003

    Users Guide to Stored Communications Act

    Orin Kerr of GWU provides us with A User's Guide to the Stored Communications Act - And a Legislator's Guide to Amending It. The Stored Communications Act (SCA), 18 USC 2701-11, part of the Electronic Communications Privacy Act (ECPA), protects the privacy of Internet communications after they come to rest in a storage medium. In this article, Kerr explains the basics of a complex statute and indicates where legislative amendment is needed. Thanks to beSpacific for this lead.

    DougSimpson.com/blog

    Posted by dougsimpson at 08:56 PM | Comments (0) | TrackBack

    CDA Shields ISP from Masterson suit

    Blogger Justin Levine's note in The Southern California Law Blog: 9th Circuit: Internet Protections Trump Privacy Rights reports and links to a Ninth Circuit decision that the CDA shields Matchmaker.com from a suit by an actress whose privacy was invaded as a result of a posting by an imposter. Carafano v. Metrosplash.com, Inc.

    Posted by dougsimpson at 02:28 PM | Comments (0) | TrackBack

    August 08, 2003

    Odlyzko: Net and DRM Enable Price Discrimination

    A.P. reports in Digitally informed: Is price discrimination the next big trend in e-commerce? that recent studies by U. Minn. Professor Andrew Odlyzko suggest that digital rights management (DRM) may enable increasing price discrimination among customers using the Net for purchases. Professor Odlyzko, a mathematician formerly with Bell Labs, has been publishing scholarly articles about electronic publishing, e-commerce and security issues of the Internet for many years. His "Privacy, Economics, and Price Discrimination on the Internet" (A. M. Odlyzko, Proc. ICEC03, ACM, 2003) is available at his page at the Digital Technology Center, where he is Assistant Vice President for Research, and DTC Director.

    DougSimpson.com/blog

    Posted by dougsimpson at 09:49 AM | Comments (0) | TrackBack

    August 06, 2003

    US Dept. of Ed. Discovering ESIGN

    The Chronicle reports that the US Dept. of Ed. may allow transcript release on e-signatures. The article discusses the reluctance of some schools to accept anything but students' handwritten signatures for transcript release and other official business. The Dept. of Ed. has proposed a revision to rules under the Family Educational Rights and Privacy Act (FERPA) to reflect acceptance of the ESIGN law passed two years ago. The proposed rule change would allow procedures like those already approved for federal student loan programs.

    DougSimpson.com/blog

    Posted by dougsimpson at 09:40 AM | Comments (0) | TrackBack

    August 05, 2003

    "Copyright and Digital Media in a Post-Napster World"

    GartnerG2 and The Berkman Center for Internet & Society at Harvard Law School released "Copyright and Digital Media in a Post-Napster World". This 45-page white paper reviews the basics of US and EU copyright law and the impact of digital technologies on the business models for music, movies, television and books. It includes briefs of cases dealing with fair use, the DMCA, constitutional issues, e-publishing rights and non-copyright laws protecting creative control or distribution, as well as sketches of pending legislation.

    It includes a description of various forms of Digital Rights Management (DRM) tools that embody a rights model, such as the Open Digital Rights Language (ODRL), the eXtensible rights Markup Language (XrML), the Content Scramble System (CSS) and Johansen's DeCSS program, the Secure Digital Music Initiative (SDMI) and Macrovision's CDS-300.

    The authors suggest that the history of "launch and crack" associated with DRM systems will continue, and "points to a longer-term requirement for media companies and copyright holders to shift away from a mindset of absolute control over every piece of content." (white paper, p. 38). The authors also suggest that technology used to enforce copyright cannot track the evolving doctrine of fair use, pointing to Prof. Lessig's writings on code as law. Further, they say, such control stifles or penalizes innovation. They close the DRM section by introducing GartnerG2's concept of "perfectly portable content," described in the paper.

    The paper closes with some editorial remarks and a promise of another publication to be released addressing five scenarios of possible outcomes under different assumptions of the playout of tech, business, legislative and legal developments.

    Source: "Unintended Consequences" at DougSimpson.com/blog

    Posted by dougsimpson at 03:32 PM | Comments (0) | TrackBack

    Reading: Boyle: Shamans, Software and Spleens

    James Boyle's book Shamans, Software and Spleens (1996) was a reference in Lessig's Code, and attempts to construct a social theory of the information society. He addresses international policy considerations of current intellectual property law and theory, conflicts between incentives and monopolies, efficiency and property. James Boyle is Professor of Law at the American University.

    Boyle utilizes four "puzzles" to illustrate the issues he sees: 1) conflicts between copyright and free speech, 2) the prohibition of blackmail, 3) the prohibition of insider trading, 4) the patenting of biologicals obtained from human and native sources, as addressed in Moore v. The Regents of the University of California, 793 P.2d 479 (Cal. 1990), cert denied, 111 S.Ct. 1388 (1991).

    He finds that what he calls "a romantic vision of authorship" can explain the outcome of many controversial issues in the realm of intellectual property and privacy, when combined with "the theme of originality, and the conceptual distinction between idea and expression." Id. p. 98.

    He doubts that such theories will always result in optimal solutions, and sees the trend as one of increasing rights for those seen as "authors" at the cost of free speech, the public domain and the interests of indigenous populations and biospheres. His conclusions in this 1996 book are an expansion upon a manifesto published in 1993 called the "Bellagio Declaration."

    DougSimpson.com/blog

    Posted by dougsimpson at 11:10 AM | Comments (0) | TrackBack

    July 20, 2003

    Gene Link to Depression

    The Chronicle reports that geneticists demonstrated a link between a specific gene and increased risk of clinical depression in response to stress. Published 7/18 in Science, the finding could lead to new medication, as well as new attempts by insurers, employers and others to test for the gene as part of screening of individuals. The full article is a pay-access item at www.sciencemag.org ... or free at your local science-oriented library.

    Posted by dougsimpson at 09:38 PM | Comments (0) | TrackBack

    July 17, 2003

    Online Rumors Challenge Privacy of Minors: Japan

    Japan's Justice Ministry asked a popular Japanese website, "2 Channel," to delete anonymous postings on their discussion forum, according to Asahi Shimbun. The postings speculate about the identity of a 12-year-old suspect in the murder of a Nagasaki 4-year-old found dead on July 2, and include individual children's names and class photos said to include the suspect. The Ministry based its request (and others like it in the past) on the grounds that such postings violate the right of privacy of the children identified or pictured. Thanks to Online Journalism at USC Annenberg for the tip on this story.

    This case raises questions related to the recent Court of Appeals decision in Batzel v. Smith, where a website operator's republication of allegedly defamatory rumors was found to enjoy immunity under §230 of the CDA. The postings in the Nagasaki case were made on a Japanese language site focused on issues of regional interest.

    Hmmmm ... if this case arose within the jurisdiction of the CDA, would the immunity in §230 extend to invasion of privacy as well as defamation? There are exceptions to immunity in the act. §230(d) provides that it will not be construed to impair the effect of any "Federal criminal statute," nor "to limit or expand any law pertaining to intellectual property," nor "to prevent any State from enforcing any State law that is consistent with this section," nor "to limit the application of the Electronic Communications Privacy Act of 1986 * * * or any similar State law." CDA §230(d).

    The Children's Online Privacy Protection Act (COPPA) addresses attempts to collect information from children under 13, not the publication of information invading their privacy. And it has no criminal sanctions that I've found. The Child Online Protection Act (COPA) has criminal sanctions, but is aimed at "harmful to minors" material that fits within a "community standards" obscenity test limited to sexual content, which doesn't seem to cover this category. Besides, last I heard, COPA was under a Supreme Court stay while the Court of Appeals reviews its doubtful constitutionality.

    Hmmm... leaves some interesting ambiguities to resolve.

    What if: there were (as Lawrence Lessig suggests might be proper) a property interest in privacy?

    Posted by dougsimpson at 10:41 AM | Comments (1) | TrackBack

    July 08, 2003

    Reading: Isenberg: The GigaLaw Guide to Internet Law

    Doug Isenberg, an Atlanta attorney and regular columnist for the Wall Street Journal Online and CNET News.com, is the founder of GigaLaw.com, a website focused on the law of the Internet. In his Guide to Internet Law, he has compiled an essential reference work for both attorneys and laypersons seeking to understand or review the multiple elements of law pertinent to activity on the Internet. It would be particularly helpful for generalist attorneys and their clients engaging in "e-business." It is also readable enough that it kept some of my attention while at Cape Cod two weeks ago when I started reading it.

    Attorney Isenberg organizes his book into seven major parts of Internet law. The first three parts deal with intellectual property law: "Copyright," including the Digital Millennium Copyright Act; "Domain Names and Trademarks"; and "Patent Law" (by Greg Kirsh). As with each of the seven sections of the book, he introduces new legal principles with a case study, and then concisely identifies and explains the statutes and decisions that form the foundation of the relevant law. Where the law is still unsettled, he briefly points out the competing arguments for various outcomes, in clear yet accurate language.

    Part IV deals with the hot issue of "Privacy," including short introductions to FCRA, ECPA, HIPAA, the Children's Online Privacy Protection Act ("COPPA") and the Gramm-Leach-Bliley Act, as well as European and Canadian regulations. Part V addresses "Free Speech and the First Amendment," including the Communications Decency Act and the Child Online Protection Act (COPA).

    The sixth section, "Contract Law and High Technology," includes an introduction to UETA, UCITA and the federal E-SIGN statute. The book closes with a section on "Employment Law" (by Doug Towns) relevant to employee use of the Internet and considerations particular to high technology companies.

    This compact, affordable book provides an invaluable, readable desk reference which Lawrence Lessig described as "an excellent introduction for beginner and expert alike."

    Isenberg, "The GigaLaw Guide to Internet Law" (Random House, 2002)

    Posted by dougsimpson at 03:00 PM | Comments (0) | TrackBack

    July 04, 2003

    Reading: Lessig, Code

    Professor Lessig raises fundamental constitutional debates in "Code and Other Laws of Cyberspace" (Basic Books, 1999). He maintains that "code is law," and that the freedom found in cyberspace's early years was due only to choices made by those who architected it. He sees the introduction of commerce to cyberspace as "constructing an architecture that perfects control -- an architecture that makes possible highly efficient regulation." (Lessig, Code, p. 6). He then argues for the maintenance of a creative commons to check controversial forms of control over cyberspace.

    A few thoughts about the book follow:

    Four themes repeat throughout the book's discussion of the tension between relatively perfect freedom and relatively perfect control in cyberspace:

  • Regulability - "the capacity of government to regulate behavior within its proper reach;"
  • Regulation by Code - upon which government's ability to regulate depends;
  • Competing Sovereigns - conflicts of authorities in cyberspace and real space;
  • Latent Ambiguity - hard choices balancing core values, with real space tools providing little guidance.

    Prof. Lessig maintains that the nature of cyberspace is about to flip from unregulability to regulability, through the use of "architectures of control." As examples, he introduces digital certificates, encryption and the public key infrastructure (PKI). He considers recent history of government action to increase the regulability of the Net, including requiring copy degradation in Digital Audio Tape (DAT) systems; the "V-Chip" in televisions; the failed "Clipper Chip" initiative and the 1998 Digital Millennium Copyright Act (DMCA) ban on software designed to defeat copyright management schemes.

    He suggests that indirect governmental regulation could come through facilitating a certificate-rich Net, in which users must provide digital credentials to access certain services. He finds that increasing commercial applications on the Net increases government's ability to regulate indirectly. "When commerce writes code, then code can be controlled, because commercial entities can be controlled." Id p. 53.

    He also sees certification tools as enabling regulation across state and international borders in ways not practical today. "With a simple way to verify citizenship, a simple way to verify that servers are discriminating on the basis of citizenship, and a federal commitment to support such local discrimination, we could easily imagine an architecture that enables local regulation of Internet behavior." Id p. 55-56. Lessig sees the market forces pressing towards the "zoning" of cyberspace based upon individual users' certificate qualifications.

    Lessig ends the first part of the book with a public policy question for the reader:
    "How the code regulates, who the code writers are, and who controls the code writers -- these are questions that any practice of justice must focus in the age of cyberspace. The answers reveal how cyberspace is regulated. My claim in this part of the book is that cyberspace is regulated, and that the regulation is changing. Its regulation is its code, and its code is changing." Id. p 60.

    Prof. Lessig introduces a schematic of an individual as a dot, surrounded by four larger dots titled Architecture, Market, Norms and Law, each a source of constraints upon the individual. He reminds us that Law can modify the influence of the other three on the individual, and thereby constrain indirectly. He criticizes indirect regulation because "it muddies the responsibility for that constraint and so undermines political accountability. If transparency is a value in constitutional government, indirection is its enemy." Id p. 96.

    He also uses the concept of constitutional "translation," and offers the example of the dissent of Justice Brandeis in Olmstead v. United States, 277 U.S. 438 (1928). In Olmstead, the Court decided that a telephone wiretap did not violate the Fourth Amendment because it was not a physical trespass. Brandeis argued that the Amendment should be translated so as to preserve its meaning despite changes in the technology since its enactment. Prof. Lessig says that Brandeis "wanted to read it differently, we would say, so that it protected the same" and points to this dissent as "a first chapter in the fight to protect cyberspace." Lessig, op cit, p. 116. Brandeis' dissenting viewpoint was not adopted until 1967, with the decision in Katz v. United States 389 U.S. 347 (1967), in which Justice Stewart's opinion created the "reasonable expectation of privacy," the core value of which was the protection of people, not places.

    Regarding intellectual property, Prof. Lessig notes that at least two sorts of property protection are possible in cyberspace: "One is the traditional protection of law. The other protection is a fence, a technological device (a bit of code) that (among other things) blocks the unwanted from entering." Lessig, op cit p 122. He credits to a former research assistant the idea that: "since the intent of the 'owner' is so crucial here, and since the fences of cyberspace can be made to reflect that intent cheaply, it is best to put all the incentive on the owner to define access as he wishes. The right to browse should be the norm, and the burden to lock doors should be placed on the owner." Id. p. 123. This raises the basic question, says Prof. Lessig: "Should the law protect certain types of property -- in particular, intellectual property -- at all?" Id. p. 123.

    Prof. Lessig goes on to assert that private fences (code) can displace public law as the primary protector of intellectual property in cyberspace. "We are not entering a time when copyright is more threatened than it is in real space. We are instead entering a time when copyright is more effectively protected than at any time since Gutenberg. The power to regulate access to and use of copyrighted material is about to be perfected." He goes on to point to Mark Stefik's work concerning "trusted systems" used to track and control copies of copyrighted material. "What copyright seeks to do using the threat of law and the push of norms, trusted systems do through the code." Lessig, op cit p. 130.

    But the professor points out that public interests lie with not giving perfect control to the owners of intellectual property. "The law has a reason to protect the rights of authors, at least insofar as doing so gives them an incentive to produce. With ordinary property, the law must both create an incentive to produce and protect the right of possession; with intellectual property, the law need only create the incentive to produce." Id. p. 133. Fair use, for example, is one limit of copyright law, a limit "constitutionally structured to help build an intellectual and cultural commons." Id. p. 135. The limited duration of copyright protection is another. Lessig asks if private code built to protect intellectual property will also be written to include 'bugs' like fair use and limited terms of protection, concluding that "Loss of fair use is a consequence of the perfection of trusted systems." Id. p. 137.

    Another loss is anonymity -- trusted systems need to track use and charge for it, yet monitoring destroys anonymity. Under the "Cohen Theorem," says Prof. Lessig, reading anonymously is "so intimately connected with speech and freedom of thought that the First Amendment should be understood to guarantee such a right," quoting an article in Conn. Law Review 28 (1996) (p. 981, 982). Lessig argues that cyberspace should be architected to preserve a commons in place of the one that existed inherently before code made "perfect control" possible, pointing the reader to Boyle, "Shamans, Software and Spleens" (Harvard Univ. Press 1997).

    Chapter 11 deals with privacy, and suggests three elements behind the constitutional concept of privacy: 1) to minimize intrusion (the right to be left alone); 2) to preserve dignity; 3) to constrain the power of the state to regulate. The author sees encryption as improving privacy, but argues also for "a kind of property right in privacy." Id. p. 160. He explains why his position is different for privacy rights than it is for intellectual property rights: "In the context of intellectual property, our bias should be for freedom. *** We should take a grudging attitude to property rights in intellectual property; we should support them only as much as necessary to build and support information regimes." Id. p. 162.

    Prof. Lessig sees the architecture of the Net as a top protector of free speech, through which architecture the First Amendment (in code) has been effectively exported to the world. One way that happened is by removing architectural restraints on instant global publication of information and opinions, but also removing the function of a publisher that would edit for truth and establish a reputation. "In a world where everyone can publish, it is very hard to know what to believe." Id. p. 171. He addresses means of using the architecture in the application space to control troublesome content such as pornography within the limits of Ginsberg v. New York, comparing a "zoning" approach to a "filtering" approach. He also warns about the hazards of filtering that is both perfect and invisible, and argues for less control over speech than over privacy, and less control over intellectual property.

    Code becomes more abstract in its later chapters as it addresses the latent ambiguities inherent in the conflicts and overlaps of competing sovereigns with interests in behavior in cyberspace. "We should understand the code in cyberspace to be its own sort of regulatory regime, and that this code can sometimes be in competition with the law's regulatory regime." Id. p. 205. He sees the emergence of globally unified regulation through code, shifting power from sovereigns to software, and suggests to the reader Wriston's "The Twilight of Sovereignty" (Scribner 1992). He also sees a certificate-rich Net as re-enabling sovereigns to claim some of their authority: "Sovereigns get this. They will come to understand that there is a different architecture for the Net that would enable their own control. When they do, they will push to facilitate the predicate to this architecture of regulability -- certificates. And when they do, we again will have to decide whether this architecture of regulability is creating the cyberspace we want." Id. p. 207-208.

    An important, thought provoking book that should be required reading, and re-reading, for any student of cyberspace and the modern world.

    Lawrence Lessig, "Code and Other Laws of Cyberspace" (Basic Books, 1999).

    Posted by dougsimpson at 05:02 PM | Comments (1) | TrackBack
    June 30, 2003

    Sen. Feinstein: "Notification of Risk to Personal Data Act"

    Senator Feinstein Seeks to Ensure Individuals are Notified when Personal Information is Stolen from Databases. This federal bill, introduced June 26, is modeled upon California SB 1386, but would put enforcement powers with the FTC and state attorneys general rather than with private litigants. Like SB 1386, the proposed federal law exempts data that was "encrypted" but seems not to define the level or manner of encryption. More info at the Senator's press release linked to above.

    Thanks to beSpacific.com for the heads up on this item. I'll be looking for the full text of the bill. If a reader has a link, please let me know via a comment or email.

    Posted by dougsimpson at 08:48 PM | Comments (1) | TrackBack

    June 19, 2003

    Grimmelmann on Accidental Privacy Spills

    The "most read" story about privacy at Yale's LawMeme site is LawMeme - Accidental Privacy Spills: Musings on Privacy, Democracy, and the Internet. In this February 2003 piece, James Grimmelmann reminds us about the story of an individual who sends an informal but lengthy and broadly interesting email to a few friends, thinking it will be kept private, and within two weeks finds it picked up on MetaFilter, republished and discussed throughout the Internet. Of course, the author was Laurie Garrett, a Pulitzer prize winning science journalist and author, and the story was a chatty report of the goings-on she saw inside the controversial Davos conference of the World Economic Forum.

    Grimmelmann's comprehensive and thoughtful posting muses about the social and ethical situation where one's informal email "crosses the bloodstream" and becomes a digital global phenomenon, and the revelations that the story has for privacy and the Internet. He insightfully notes that despite all the high-powered security technology one may employ, the weak link is always the unscrupulous, tactless or just plain clumsy person who has access to private information and lets it out. As he notes, "people make secure systems insecure because insecure systems do what people want and secure systems don't."

    He also notes that in the age of cheap, ubiquitous scanners, even paper-based writings can be spread throughout the world in a matter of hours. The "CLICK-FORWARD" world that caught Laurie Garrett is becoming the "SCAN-FORWARD" world of tomorrow. As Grimmelmann observes: "The problem isn't just that the Internet is leaky; the Internet makes everything leaky."

    The entry includes several reader comments on Grimmelmann's piece that reflect on whether various new technologies such as Microsoft's Palladium or Microsoft's Digital Rights Management tools might have been useful in this context. Such tools are designed to allow one to control with whom particular content may and may not be shared, at the architectural layer of the information medium, and have become of commercial interest in the context of peer-to-peer file sharing via Napster, Kazaa, etc.

    Grimmelmann also cites a February 2000 paper, "What the Publisher Can Teach the Patient: Intellectual Property and Privacy in an Era of Trusted Privication," by Jonathan Zittrain of Harvard Law School, about the application of technology tools developed for the music industry to the preservation of personal medical information (an application of interest to those subject to HIPAA compliance). The point is to change an "Era of Promiscuous Publication" to an "Era of Trusted Privication": "one in which a well-enforced technical rights architecture would enable the distribution of information to a large audience while simultaneously, and according to rules generated by the controller of the information, not releasing it freely into general circulation."

    Both articles are valuable reading to anyone dealing with privacy and the Internet.

    Posted by dougsimpson at 10:13 PM | Comments (0) | TrackBack

    Stanford Law: Conf on Cyber Security, Privacy and Disclosure

    Conference on Cyber Security, Privacy, and Disclosure at Stanford, California, scheduled for November 2003: "This conference explores the relationship between computer security, privacy and disclosure of information about security vulnerabilities." No exact date or tuition stated.

    Posted by dougsimpson at 07:42 PM | Comments (0) | TrackBack

    FTC Conf on Tech to Protect Privacy

    "Technologies for Protecting Personal Information" was the subject of Federal Trade Commission workshops on May 14 and June 4. The Commission's page includes links to various panelists' presentations, and says: "A number of products promise to help consumers and businesses control sensitive information and guard against internal and external threats; technology is also frequently cited as the best method for managing information and ensuring information security."

    Panelists whose presentations are online include:

  • Lorrie Faith Cranor, AT&T Labs
  • Stephanie Perrin, Digital Discretion, Inc.
  • Larry Clinton, Internet Security Alliance
  • Richard M. Smith, Computerbytesman.com
  • Michael Willett, Security and Privacy Consultant
  • Andrew Patrick, National Research Council of Canada
  • Mary J. Culnan, Bentley College
  • Donna Hoffman, Vanderbilt University
  • Nathaniel Wood, FTC
  • Lynette Millett, National Academy of Sciences
  • Ari Schwartz, Center for Democracy and Technology

    The site also includes information for ordering videotapes of the presentations.

    Posted by dougsimpson at 09:46 AM | Comments (0) | TrackBack
    June 18, 2003

    At Harvard: Internet Law Conference

    The syllabus and reading list for Harvard Law's Program of Instruction For Lawyers: Internet Law 2003 includes weblogged commentary by John Palfrey and Donna Wentworth of the Berkman Center.

    The program runs 6/16-20 and addresses Jurisdiction, Intellectual Property, Digital Democracy, Litigation and the Digital Environment and Privacy, one topic each of the five days. Thanks to beSpacific.com for the heads up on this resource.

    Posted by dougsimpson at 08:23 PM | Comments (0) | TrackBack

    June 11, 2003

    BugBear.B virus targets 1200 banks world-wide

    The FBI is investigating a "virus-like infection" trying to steal passwords at 1200 banks, including the world's largest, according to the Washington Post article titled "Virus Targeting Banks (washingtonpost.com)".

    According to an AP feed found at The WorldLink.com, the virus is not directly attacking the banks' computers, but is hitting consumers' computers, looking for bank web addresses that match those in its software. If it finds a match, it grabs the consumer's passwords and emails them to ten email addresses, presumably the perpetrators', says the story.

    The Financial Services Information Sharing and Analysis Center distributed information from the Office of Homeland Security to its client banks and is working with the FBI.

    Network Associates Inc. BugBear.B info

    Hmmmm ... will this need to be reported to California residents, per Calif. S.B. 1386?

    Posted by dougsimpson at 10:31 AM | Comments (0) | TrackBack

    June 10, 2003

    Trojan Horses Come "tap-tap-tapping" P2P

    P2P file traders targeted by cyber-assaults from music publishers may not be defenseless. NWFusion's Ann Harrison notes in "Anti-file trading measures raise high profile policy questions" that a NYTimes article May 5 suggested that state and federal wiretap laws might have some say on such activity.

    Harrison also mentioned a company called OverPeer, which she says develops such software tools, as do others. She also said that a representative of the RIAA acknowledged that legal gray areas (or worse) exist regarding some of the software tools in development, which Harrison says include Trojan horse programs.

    Posted by dougsimpson at 09:21 PM | Comments (0) | TrackBack