During the week of March 5, we’re going to hold an online symposium on Julie Cohen’s important and engrossing book Configuring the Networked Self: Law, Code, and the Play of Everyday Practice (Yale University Press).  As Rebecca Tushnet noted at a celebration of Julie’s book held at Georgetown Law School (see here for her post on the event), Cohen “challenges us to imagine better: understand culture’s power and make policies that both acknowledge and attempt to work with that power.”  Some of what appealed to Dan Solove is the book’s exploration of privacy and creativity together, with all of their nuances. As Dan explained, “copyright and privacy both concern control over information; tension because scholars who argue for limits on copyright are often arguing for more protection for privacy—less control/more control over information.  Is there a coherent way to argue for less copyright/more privacy?  Cohen’s work establishes the normative foundations for that.”  One of my favorite contributions is the book’s illumination of networked architecture’s impact on human flourishing and her development of the Capabilities Approach to address pressing challenges to the practice of everyday life.

Concurring Opinions is thrilled to welcome an all-star group of scholars to lead the discussion, including the author Julie Cohen:

• Anita L. Allen
• Ann Bartow
• Kristin Eschenfelder
• Edward Felten
• Ian Kerr
• Jaron Lanier
• Paul Ohm
• Hector Postigo
• Ted Striphas
• Valerie Steeves
• Michael Zimmer

In the meanwhile, get your copy of the book and mark your calendars!

Twitter fought the subpoena’s accompanying gag order, and has earned a partial victory that allowed Twitter to make the order public. [Some surmise that the wording of the order -- asking for size of "data files" -- suggests the same order was made to other ISPs or online providers, but there is no evidence that anyone other than Twitter has objected.] Upon learning of her inclusion in the subpoena, Birgitta Jonsdottir, a member of Iceland’s parliament, sought the help of the EFF and  filed a motion challenging the government’s attempt to obtain the records, asking the court to vacate the order. The motion argued the government’s demand for the records violated First Amendment speech rights and Fourth Amendment privacy rights of the Twitter-account holders.

In March 2011, Judge Theresa Buchanan, in the Eastern District of Virginia, ruled against that motion, arguing that because the government was not seeking the content of the Twitter accounts in question (.pdf), the subjects did not have standing to challenge the government’s request for the records. She further argued that “because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.” The judge was unpersuaded by the petitioners initial suggestion that they did not read or understand Twitter’s Privacy Policy, and that any conveyance of IP addresses to Twitter was involuntary. In a footnote of the motion, she wrote quite plainly: “Internet users are bound by the terms of click-through agreements made online.”

Christopher Soghoian has posted a critical analysis of this portion of the judge’s ruling, noting that while the judge states in her order that “[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of ‘Log Data’ that Twitter collects, transfers and manipulates,” that isn’t entirely true. Soghoian comments:

It would be far more accurate to say that before creating a Twitter account, users are presented a link to a privacy policy, which includes a statement six paragraphs down about IP address collection. Users are further told that by clicking on a button to create the account, that they acknowledge that they read the linked privacy policy, although Twitter does not actually take any steps to make sure that users clicked on the link or scrolled through the content on that page.

Of course, it wouldn’t really matter if Twitter forced people to click on the privacy policy, or scroll through the page, because everyone knows that consumers won’t actually read through the text.

This final point is critical: “everyone knows that consumers won’t actually read through the text.” Soghoian’s post includes numerous studies that show users rarely read terms of service or privacy policies, as well as quotes from both FTC officials and US Supreme Court Chief Justice Roberts acknowledging the fact that these policies are difficult to read and understand.

Building from his original post, Soghoian has penned an amici brief (pdf) to the court, which presents the following argument:

Amici urge the court to not dismiss petitioners’ Fourth Amendment privacy interests based on their mouse clicks. Research has shown that consumers rarely read and even more rarely understand privacy policies. In fact, the mere presence of a privacy policy is often misunderstood by consumers to mean their privacy is protected. While “clickwrap” acceptance of terms may constitute a contract under certain circumstances, this legal construct for private obligations has limited bearing on whether a user’s expectation of privacy against government intrusion is objectively reasonable and protected by the Fourth Amendment.

I’m among the signers* of this brief, and would like to thank Chris for his continued efforts on protecting privacy online.

• Dr. Kelly Caine, Principal Research Scientist in the Center for Law, Ethics and Applied Research in Health Information and the School of Informatics and Computing, Indiana University
• Danielle Keats Citron, Professor of Law, University of Maryland School of Law
• Dr. Serge Egelman
• Jerry Kang, Professor of Law, UCLA School of Law
• Dr. Aleecia M. McDonald
• Frank A. Pasquale, Schering-Plough Professor in Health Care Regulation and Enforcement, Seton Hall Law School, Visiting Fellow, Princeton University Center for Information Technology Policy
• Len Sassaman, Researcher, Katholieke Universiteit Leuven (Belgium)
• Jason M. Schultz, Assistant Clinical Professor of Law, Director, Samuelson Law, Technology & Public Policy Clinic, UC Berkeley School of Law
• Wendy Seltzer, Associate Research Scholar, Center for Information Technology Policy, Princeton University
• Christopher Soghoian, Graduate Fellow, Center for Applied Cybersecurity Research, Indiana University
• Dr. Michael Zimmer, Assistant Professor, School of Information Studies, Co-Director, Center for Information Policy Research, University of Wisconsin-Milwaukee

Interfaces on Trial 2.0
By Jonathan Band and Masanobu Katoh
March 2011
ISBN-10: 0-262-01500-5
ISBN-13: 978-0-262-01500-4

We live in an interoperable world. Computer hardware and software products from different manufacturers can exchange data within local networks and around the world using the Internet. The competition enabled by this compatibility between devices has led to fast-paced innovation and prices low enough to allow ordinary users to command extraordinary computing capacity.

In Interfaces on Trial 2.0, Jonathan Band and Masanobu Katoh investigate an often overlooked factor in the development of today’s interoperabilty: the evolution of copyright law. Because software is copyrightable, copyright law determines the rules for competition in the information technology industry. This book–a follow-up to Band and Katoh’s successful 1995 book Interfaces on Trial–examines the debates surrounding the use of copyright law to prevent competition and interoperability in the global software industry in the last fifteen years.

Band and Katoh are longtime advocates for interoperable devices but present a reasoned view of contentious issues related to interoperability issues in the United States, the European Union, and the Pacific Rim[. They discuss such topics as the protectability of interface specifications, the permissibility of reverse engineering (and legislative and executive endorsement of pro-interoperability case law), the interoperability exception to the U.S. Digital Millennium Copyright Act and the interoperability cases decided under it, the enforceability of contractural restrictions on reverse engineering;] and recent legal developments affecting the future of interoperability, including those related to open source-software and software patents.

About the Authors

Jonathan Band is an attorney who has written more than 100 articles on intellectual property and the Internet. He is an Adjunct Professor at Georgetown University’s Law Center.

Masanobu Katoh is the former head of the Law and Intellectual Property Unit of Fujitsu Limited, a global information technology company based in Japan.

You can purchase it at Amazon and other sellers, and also download a open access copy at MIT Press.

On Monday, September 21 (7:00pm, UWM Union Theater),  UW-Milwaukee’s Center for Information Policy Research and School of Information Studies is hosting a free screening of the Girl Talk-produced documentary Good Copy/Bad Copy. The film (featuring appearances by Girl Talk, Danger Mouse, and Lawrence Lessig) examines the state of copyright in today’s tech-savvy and dynamic remix culture. The film also features music by RJD2, Santogold, Girl Talk, Danger Mouse, Gnarls Barkley, De La Soul, and more.

The event will also feature a panel discussion and commentary by:

• David Bollier – Independent policy strategist, journalist, activist and consultant whose work focuses on reclaiming the commons, the effects of digital technology on democratic culture, and fighting the excesses of intellectual property law.
• Brad Lichtenstein – Award-winning documentary filmmaker, president of 371 Productions, and currently producing “What We Got: DJ Spooky’s Quest for the Commons”.
• Nancy Kranich – A former President of the American Library Association, Nancy focuses on the role of libraries in democracies by undertaking advocacy, civic engagement, and information literacy projects. A champion of the public’s information rights, she has spoken out against censorship, privatization, and other attempts to limit public access to vital information.

On Tuesday, September 22 (1:00pm, UWM Union, room 191), David Bollier, Brad Lichtenstein, and Nancy Kranich will reconvene for a panel discussion on “Copyright, Commons and the Struggle to Control Culture”.

Feel free to download and distribute our fliers for the film screening and the panel discussion. Please join us!

I’ve already written about the limited usefulness of such grading data for students looking to organize their curriculum, and there are a variety of possible explanations for why certain courses/majors/schools have particular GPAs. But what concerns me about this particular data release is whether it might violate FERPA.

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):

• School officials with legitimate educational interest;
• Other schools to which a student is transferring;
• Specified officials for audit or evaluation purposes;
• Appropriate parties in connection with financial aid to a student;
• Organizations conducting certain studies for or on behalf of the school;
• Accrediting organizations;
• To comply with a judicial order or lawfully issued subpoena;
• Appropriate officials in cases of health and safety emergencies; and
• State and local authorities, within a juvenile justice system, pursuant to specific State law.

The release to the Milwaukee Journal Sentinel doesn’t appear to fit any of these conditions. So how was the grading data release justified?

It is likely that UW-M’s Office of Assessment and Institutional Research felt compelled to provide the grading data under Wisconsin’s public records law. Other public universities have been successfully sued to release similar data, and it appears to be standard thinking that “anonymous” grade data isn’t covered by FERPA, since this is how services like CampusBuddy have apparently received over 80 million grades at universities across the US & Canada.

Some of my colleagues, however, have raised the specter that under certain conditions a student’s grade could become identifiable in this dataset. Consider the following scenario:

Alice is in a class of 5 students. She earned a B+. Alice proceeds to lookup that particular class in the database and discovers that only one B+ was earned, while all the other students earned a B. Alice now knows the grade of each student within the class.

In this scenario, grade confidentiality is lost, thanks to the “anonymous” data released by UW-M. Given this, was FERPA violated?

Much of this hinges on how FERPA defines “personally identifiable information” (PII), for only if an educational record was improperly released with PII attached do we likely have a FERPA violation. PII is defined at 34 CFR § 99.3 (revised in December 2008):

Personally Identifiable Information

The term includes, but is not limited to—
(a) The student’s name;
(b) The name of the student’s parent or other family members;
(c) The address of the student or student’s family;
(d) A personal identifier, such as the student’s social security number, student number, or biometric record;
(e) Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

As we can see, FERPA views PII as much more than just a student’s name, address, or SSN. Focusing on item (f), FERPA recognizes that other information that is linkable to a specific student could also be considered PII, but only if it could be linked by someone “who does not have personal knowledge of the relevant circumstances.” Thus, in our scenario above, Alice did have personal knowledge of the circumstances: she was able to surmise the grades of her fellow students only because she knew her own grade. If a random person came across that same dataset, he wouldn’t be able to link any of the grades to a particular student.

We can think of similar scenarios:

Bob is pursuing an evening graduate degree, and in order to have his employer subsidize his tuition, he submitted a schedule of courses to his human resources department. Someone in HR proceeds to search the grade database and discovers that one of Bob’s courses is an independent study with a professor with only one grade posted, presumably Bob’s. The employer now knows Bob’s grade.

While I consider this a violation of Bob’s privacy, under the current definition of PII, it doesn’t appear to be a violation of FERPA. It was only because the employer had “personal knowledge of the relevant circumstances” that Bob’s grade became identifiable.

There was much discussion surrounding the definition of “personally identifiable information” in the most recent version of the FERPA regulations. Originally, the definition included this condition:

(e) A list of personal characteristics that would make the student’s identity easily traceable.

But that was changed to the current condition (f):

(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty

The reason for the changed related mostly to the imprecision of the phrase “easily traceable”. Under the old version, I feel FERPA would have been violated in this data release. But given the current “reasonable” test that exempts those with “personal knowledge of the relevant circumstances,” it appears these data releases are acceptable under a strict reading of FERPA — even when students’ grades can be identified by outside people.

Are there any FERPA experts out there who can shed more light on this?

Apparently Chinese Internet users have grown so accustomed to downloading music online, that piracy and illegal downloading has impacted music sales there more than even what the RIAA claims to be such a huge problem here in the U.S. Relatedly, Google has been struggling to take market share away from Baidu, the leading Chinese search engine.

The win-win solution seems to be for the music companies to join forces with Google to create a free music download option for the Chinese market. In the deal, Google will start directing music searchers to Top100.cn, a Chinese Web site in which Google owns a stake, which will provide free downloads that have been properly licensed from music industry. Top100.cn will sell advertising on its website, and the music industry will reportedly earn 50% of that revenue. Google hopes to get increased search activity due to the lure of free (and better quality?) downloads.

The obvious question: if this business model is good enough for the 300 million Internet users in China, why not adopt a similar model for the 300 million users in the EU, or the 220 million in the U.S.?

Kutiman has taken existing YouTube videos of people playing music alone, sampled, looped, mixed and mashed them together to make absolutely amazing new music. Here’s a sample:

These songs are genius. They are original. Yet, most interpretations of existing copyright laws would conclude that Kutiman violated the copyrights of the original uploaders (however, perhaps some uploaded with a Creative Commons license?).

The spirit and original intent of copyright and fair use is to encourage creativity, and it would be tragic to think that Kutiman’s creations aren’t transformative in such a way as to be allowed under our current intellectual property regime.

It’s hard not to agree with the sentiments expressed at P2P News: “Copyright is an unethical constraint on society’s cultural liberty and those societies who choose to remain bound by it choose cultural stagnation and obscurity.”

From the announcement:

In an effort to protect and advance the human rights of freedom of expression and privacy, a diverse coalition of leading information and communications companies, major human rights organizations, academics, investors and technology leaders today launched the Global Network Initiative.

From the Americas to Europe to the Middle East to Africa and Asia, companies in the information and communications industries face increasing government pressure to comply with domestic laws and policies that require censorship and disclosure of personal information in ways that conflict with internationally recognized human rights laws and standards.

The Initiative is founded upon new Principles on Freedom of Expression and Privacy – supported by specific implementation commitments and a framework for accountability and learning – that provide a systematic approach for companies, NGOs, investors, academics and others to work together in resisting efforts by governments that seek to enlist companies in acts of censorship and surveillance that violate international standards.

The Initiative’s website includes a full list of participants and three core documents that describe the Initiative’s objectives and key commitments, including a statement of Principles, Implementation Guidelines, and a Governance, Accountability & Learning Framework.

There is a lot to parse here, but I’ll provide some initial reactions below.

Participants

The list of participants includes the usual suspects in initiatives like these, including Google, Microsoft, Yahoo!, Berkman Center for Internet & Society, Center for Democracy & Technology, Electronic Frontier Foundation, Human Rights Watch, etc. It also includes a variety of (sociall-minded) investment firms, like Domini Social Investments, F&C Asset Management, and Trillium Asset Management, perhaps indicating a new focus on brining the financial sector of the ICT industry into the fold on these vital issues.

Noticeably absent from the list of partners are other major tech companies who commonly confront issues of privacy and freedom of expression, such as Facebook (ahem), AT&T (ahem), Cisco (ahem), or Skype (ahem). Also absent are other major advocacy groups like EPIC or Amnesty International. It is unkown whether these groups we asked to join and declined, or haven’t been approached to contribute to these efforts.

Principles

The GNI’s Principles outline its commitment to the protection and advancement of freedom of expression and privacy online, largely based on international human rights laws and standards including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights.

The Principles statement opens with a strong endorsement of protecting human rights:

All human rights are indivisible, interdependent, and interrelated: the improvement of one right facilitates advancement of the others; the deprivation of one right adversely affects others. Freedom of expression and privacy are an explicit part of this international framework of human rights and are enabling rights that facilitate the meaningful realization of other human rights.

And then continues to outline how freedom of expression and privacy fit into that human rights perspective. Notably, it defines “privacy” as:

Privacy is a human right and guarantor of human dignity. Privacy is important to maintaining personal security, protecting identity and promoting freedom of expression in the digital age.

Right on. Unfortunately, however, it frames the threat to privacy solely in terms of government interference:

The right to privacy should not be restricted by governments, except in narrowly defined circumstances based on internationally recognized laws and standards.

…

Participating companies will respect and protect the privacy rights of users when confronted with government demands, laws or regulations that compromise privacy in a manner inconsistent with internationally recognized laws and standards.

Given this language, it appears these principles are meant to provide guidelines to prevent unwarranted government access to personal information, but does little to address how the companies themselves might be impacting users’ privacy rights through their own collection and use of personal information.

Implementation Guidelines

The Implementation Guidelines provide more details on how the partners plan to put the Principles into practice. Notably, it calls for the boards of the participating companies to “incorporate the impact of company operations on freedom of expression and privacy into the Board’s review of the business”, as well as “employ human rights impact assessments to identify circumstances when freedom of expression and privacy may be jeopardized or advanced, and develop appropriate risk mitigation strategies”. This is to be achieved through the “creation of a senior-directed human rights team, including the active participation of senior management, to design, coordinate and lead the implementation of the Principles.”

This is incredibly similar to a recent shareholder proposal that Google’s board rejected (twice). What made them change their mind? Perhaps they wanted to make it appear as an inernal & altruistic move, rather than “giving in” to shareholder demands? One wonders…

With regard to privacy, the Implementation Guidelines outlines numerous steps for the Partners to follow, including some key items related to transparency:

Participating companies will seek to operate in a transparent manner when required to provide personal information to governments. To achieve this, participating companies will:

• Disclose to users in clear language what generally applicable government laws and policies require the participating company to provide personal information to government authorities, unless such disclosure is unlawful.
• Disclose to users in clear language what personal information the participating company collects, and the participating company’s policies and procedures for responding to government demands for personal information.
• Assess on an ongoing basis measures to support user transparency, in an effective manner, regarding the company’s data collection, storage, and retention practices.

Many of the partner companies have been working hard to make their data collection practices more transparent, and this is good stop towards codifying these efforts. In particular, I hope the first point above means that privacy policies will be more explicit when they state a company will disclose personal information to “satisfy any applicable law, regulation, legal process or enforceable governmental request.”

Finally, the Guidelines also call for the creation of a “confidential multi-stakeholder Advisory Forum [to] provide guidance to participating companies on emerging challenges and opportunities for the advancement of freedom of expression and privacy.” Why must this be confidential? I have no idea, and contradicts the efforts towards transparency stressed above.

Governance, Accountability & Learning Framework

The Governance, Accountability & Learning Framework outlines a multi-stakeholder governance structure, goals for collaboration and a system of company accountability to support the Principles, maximize opportunities for learning and ensure the integrity and efficacy of the Initiative.

Essentially, each of the Partners will contribute to the formation of an Organization to oversee the Initiative, “with equal representation from company and non-company participants that will strive to operate on a consensus basis.” A key task of this Organization will be to conduct “independent assessments” of the participating companies to ensure compliance with the Principles. Note, however, that the companies get to choose their independent assessor (“in close consultation with the Organization”). Hopefully the independence criteria to become an accredited assessor are sufficient to ensure fair assessments of the companies’ actions.

Summary

To summarize, this is an important (perhaps unprecedented?) step by members of the tech industry to recognize how their products and actions impact human rights, and I am thrilled that they are willing to sign on to such an initiative. I know many of the people who have been working on this (I’ve been hearing rumors of its creation), and I know they are committed to protecting both freedom of expression and privacy rights across the globe.

While there are gaps, this is an important step, and I hope momentum builds and real action emerges as a result.

Here is the introduction:

WHAT THIS IS

This document is a code of best practices that helps creators, online providers, copyright holders, and others interested in the making of online video interpret the copyright doctrine of fair use. Fair use is the right to use copyrighted material without permission or payment under some circumstances.

This is a guide to current acceptable practices, drawing on the actual activities of creators, as discussed among other places in the study Recut, Reframe, Recycle: Quoting Copyrighted Material in User-Generated Video and backed by the judgment of a national panel of experts. It also draws, by way of analogy, upon the professional judgment and experience of documentary filmmakers, whose own code of best practices has been recognized throughout the film and television businesses.

WHAT THIS ISN’T

This code of best practices does not tell you the limits of fair use rights.

It’s not a guide to using material people give permission to use, such as works using Creative Commons licenses. Anyone can use those works the way the owners say that you can.

It’s not a guide to material that is already free to use without considering copyright. For instance, all federal government works are in the public domain, as are many older works. In most cases, trademarks are not an issue. For more information on “free use,” consult the document “Yes, You Can!” and copyright.cornell.edu.

It’s not a guide to using material that someone wants to license but cannot trace back to an owner—the so-called “orphan works” problem. However, orphan works are also eligible for fair use consideration, according to the principles detailed below.

The Code provides best practices in six key areas:

1. Commenting On Or Critiquing Of Copyrighted Material
2. Using Copyrighted Material For Illustration Or Example
3. Capturing Copyrighted Material Incidentally Or Accidentally
4. Reproducing, Reposting, Or Quoting In Order To Memorialize, Preserve, Or Rescue An Experience, An Event, Or A Cultural Phenomenon
5. Copying, Reposting, And Recirculating A Work Or Part Of A Work For Purposes Of Launching A Discussion
6. Quoting In Order To Recombine Elements To Make A New Work That Depends For Its Meaning On (Often Unlikely) Relationships Between The Elements

[via danah boyd]

1. Privacy. Protect human dignity, autonomy, and privacy by providing individuals with control over the collection, use, and distribution of their personal information and medical information.

2. Access. Promote high-speed Internet access and increased connectivity for all, through both government and private initiatives, to reduce the digital divide.

3. Network Neutrality. Legislate against unreasonable discrimination by network providers against particular applications or content to maintain the Internet’s role in fostering innovation, economic growth, and democratic communication.

4. Transparency. Preserve accountability and oversight of government functions by strengthening freedom of information and improving electronic access to government deliberations and materials.

5. Innovation. Restore balance to intellectual property rules and explore alternative incentives to better promote innovation, freedom, access to knowledge, and human development.

6. Democracy. Empower individuals to fully participate in government and politics by making electronic voting consistent, reliable, and secure with voter-verifiable paper trails.

7. Education. Expand effective exceptions and limitations to intellectual property for education to ensure that teachers and students have access to innovative digital teaching techniques and educational resources.

8. Culture. Ensure that law and technology promote a free, vibrant and democratic culture, fair exchanges between different cultures, and individual rights to create and participate in culture.

9. Diversity. Limit media concentration and expand media ownership to ensure a diverse marketplace of ideas.

9.5 Openness. Support innovation and fair competition by stimulating openness in software, technological standards, Internet governance, and content licensing.

Please feel free to comment on the official post at the CFP08 blog.

(9.5 Theses – get it?)