Angry Crypto Firm Posts Weird Cease & Desist Letter To Its Own Blog; DMs It To Critics

Legal Issues

from the that's-not-how-any-of-this-works dept

You know things are going just great in crypto-land when a cryptocurrency company has to post a vague cease-and-desist letter to its own blog. Everything about this is bizarre, but it culminated in this very strange cease-and-desist blog post by Nexo.

There is a separate blog post that sort of, but not quite, tries to explain what’s going on, noting that a Twitter user has started to spread a false story about the company. And, indeed, Nexo makes a compelling case that the Twitter user “otteroooo” posted a blatantly false (and most likely defamatory — something I don’t say lightly) claim about Nexo’s co-founder, possibly confusing him (whether on purpose or not) with a very different individual who has a somewhat similar (but really not that close) name.

So, yes, sure, I can totally understand Nexo being mad. And I can totally understand and appreciate Nexo posting its compelling argument for why otterroooo’s claims are full of shit.

But… that still doesn’t explain posting a cease-and-desist to your blog. For that, you have to look elsewhere, and see that Nexo is apparently sending Direct Messages to people on social media when they retweet the otteroooo tweets, and (1) sharing with them the explanation blog post and (2) the cease-and-desist.

Except, even then, this doesn’t make much sense. The cease-and-desist is not specific (because, how can it be when it’s just out there for everyone) and completely overstates what is “unlawful.”

If they want to send a cease-and-desist letter to people spreading false information, there are ways to do that, but posting it to your blog seems like a way to call negative attention to yourself, and get you ridiculed, much more than it is likely to get anyone to cease or desist even if you have a decent argument for why people should cease and desist.

Filed Under: cease and desist, defamation
Companies: nexo

The Future Of Policing In China Is Pervasive, Surveillance-Driven Law Enforcement Crystal Balls

(Mis)Uses of Technology

from the pre-criming-billions dept

China is choked by surveillance. It’s everywhere and it touches every aspect of its citizens’ lives. The government uses it to stifle dissent, control the population, and persecute undesirables.

Law enforcement has been doing pre-crime for years, but China’s version is amped up and all-consuming. “Guilty until forever” is the guideline in China, where massive amounts of data from surveillance dragnets allow the government to assume things about people. It also allows them to convert normal activities into crime predicates by assuming the worst about its own citizens. This New York Times report shows just how far off the pre-crime deep end China has gone. Everything is on the table because, well, everything is available to a government that immerses its citizens in always-on surveillance.

The latest generation of technology digs through the vast amounts of data collected on their daily activities to find patterns and aberrations, promising to predict crimes or protests before they happen. They target potential troublemakers in the eyes of the Chinese government — not only those with a criminal past but also vulnerable groups, including ethnic minorities, migrant workers and those with a history of mental illness.

They can warn the police if a victim of a fraud tries to travel to Beijing to petition the government for payment or a drug user makes too many calls to the same number. They can signal officers each time a person with a history of mental illness gets near a school.

The only way to opt-out (so to speak) is to get off the surveillance grid. The Times report details the efforts taken by 74-year-old Zhang Yuqiao, who has been petitioning the government regularly for years. To avoid being caught in China’s surveillance net (and punished for bothering his government too often), Zhang turns off his phone, uses cash, and buys multiple rail tickets to destinations he’s never going to travel to.

That sort of effort may pay off in the short run. But it’s only a matter of time before the Chinese government decides a dearth of generated data is itself indicative of criminal plans or activities. After all, even the US government tends to believe these same things (the carrying of cash, tickets purchased at the last minute or for one-way trips) are things only criminals do.

And, much like every other government in the world, the Chinese government trumpets the successes of this pre-crime program that affects billions by pointing out the rounding error’s-worth of wins the system has provided. The wins, though, are underwhelming. Two cases highlighted by the Chinese government involved a fake migration permit and the apprehension of someone involved in a pyramid scheme. Not exactly the sort serious crime/national security threat one would assume an expensive, expansive system would be used for.

To accomplish this, the Chinese government is recruiting local tech companies. One is Megvii, an AI startup that has, for the past five years, created a “search engine for crime” that “digs out ordinary people who seem innocent” to help the government punish people for things like spending too much time at a train station.

Another is Hikvision, which supplies cameras to many of the Chinese government internment camps. The end goal of this collaboration is to shield the government from controversy and criticism.

In 2022, the police in Tianjin bought software made by a Megvii competitor, Hikvision, that aims to predict protests. The system collects data on legions of Chinese petitioners, a general term in China that describes people who try to file complaints about local officials with higher authorities.

It then scores petitioners on the likelihood that they will travel to Beijing. In the future, the data will be used to train machine-learning models, according to a procurement document.

Local officials want to prevent such trips to avoid political embarrassment or exposure of wrongdoing. And the central government doesn’t want groups of disgruntled citizens gathering in the capital.

Authorities are invited to fill in the blanks as to perceived temperament of those listed as problematic petitioners, often using loaded terms like “paranoid” or “short tempered.” This tracks directly with other efforts uncovered by the New York Times using leaked or otherwise obtained documents detailing Chinese surveillance — ones that include increased surveillance of “key persons” targeted by the government: people with mental illnesses, migrant workers, “idle” teenagers, ethnic minorities, and people suffering from HIV.

As for staying off the grid, like Zhang Yuqiao has tried to do? Well, as he found out when he started dodging the government’s surveillance, the grid comes to you. Photos in article show several cameras set up near Zhang’s home. According to Zhang, there are no other cameras in the village. When he has tried to dodge surveillance by turning off his phone, officers show up at his house to make sure he isn’t off on another trip to Beijing to again demand compensation for the torture of his family during the Cultural Revolution.

That’s how pre-crime works. The surveillance net is deployed. Data and recordings are fed to algorithms. The government adds its own bias. And out pops the sort of thing we’re seeing here: the unending persecution of someone who just wants the government to be held accountable for its actions. That’s the sort of threat the Chinese government really fears. Regular criminal activity is a nuisance. But government criticism is dangerous.

Filed Under: ai, china, pre-crime, surveillance
Companies: hikvision, megvii

Daily Deal: Degoo Premium Mega Backup Plan

Deals

from the good-deals-on-cool-stuff dept

Users are juggling huge amounts of data, so it makes sense that you’re taking care of that data responsibly. With Degoo you get up to 50TB of secured storage space from which to manage and share files with simplicity. With high-speed transfers, you’ll love how easy it is to keep tabs on all of your valuable data. Store, re-experience and share your best moments with cloud storage for your mobile phone, tablet, and web browser. Get 15TB for $150, 25TB for $200, 35TB for $250, or 50TB for $300.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

Filed Under: daily deal

FCC’s Carr Once Again Heads To The Fainting Couch Over TikTok

Overhype

from the performative-face-fanning dept

A week or two ago we noted how there was a mass panic because TikTok was found to be sharing U.S. user data with executives at the company’s Chinese parent company, ByteDance. This was in stark contrast to the strict, U.S.-based data management controls the company claimed to be implementing, and, to be clear, was not a good thing.

But while this showcased how TikTok’s privacy standards are often performative, it wasn’t truly all that different than what happens with countless other domestic and international companies with shitty privacy practices. Vast troves of varying US consumer behavior, location, and browsing and app datasets are bought and sold everyday in the largely unaccountable telecom/adtech/app/hardware data world without anywhere near the same level of hyperventilation TikTok receives.

There’s a tendency among some performative politicians (see: Trump) to specifically single out what TikTok is doing on this front for xenophobic, political, or cronyistic purposes, yet turn a complete blind eye to the broader policy failures that made TikTok (and everybody else’s) lax privacy practices possible in the first place.

That’s been a particular habit of FCC Commissioner Brendan Carr, whose public record shows he literally could not give any less of a shit about any of the vast privacy abuses in a sector he actually regulates (telecom), yet loves to head to the fainting couches any time TikTok is mentioned.

Like this week, when Carr sent a letter to Google and Apple demanding they kick TikTok from the app store because he’s just super concerned about American consumer privacy!

If you were to dig through the resulting news reports covering Carr’s empty letter, you’d be hard pressed to find a single one that could be bothered to note that Carr doesn’t have any regulatory authority over social media or app stores, the letter has absolutely no meaningful legal backing to support his request, or that Carr himself has absolutely zero credibility on consumer privacy issues.

Yeah, there are serious concerns about TikTok user security and privacy. But there’s equal concern about the privacy violations in the telecom sector Carr actually regulates. And in adtech. And in the internet of things space. And in Chinese-made routers and other hardware. And among app makers, and data brokers, smart TV makers, Wi-Fi-connected toys, modern vehicles, and….

Carr’s voting and policy record has made it pretty clear he doesn’t care about any of that. The sector Carr actually regulates, telecom, has been plagued with a parade of location data scandals showcasing how cellular carriers have repeatedly failed to protect user location data, often to devastating effect. Carr’s been largely a no show on the subject, despite its increased relevance post Roe.

Several former officials who worked with Carr to help AT&T kill net neutrality and lobotomize the FCC’s consumer protection authority have since gone on to work at Targeted Victory, a right wing K Street policy and lobbying shop recently busted trying to smear TikTok on behalf of Facebook. Surely that’s just a weird coincidence, though.

Not only does pushing scary stories about TikTok help Facebook, it helps feed xenophobia to a growing right wing base proud of its own bigotry. This kind of scary rhetoric is of great benefit to any U.S. company that doesn’t want to compete with China. Of course Carr’s letter also does something else incredibly important (to Carr), it puts his name in headlines for no real reason.

As recently noted, you could demolish TikTok today with a giant patriotic hammer and the Chinese government could just nab much of the same data from any number of unaccountable app makers, telecoms, ad brokers, or hardware giants. And they can do that because we have garbage privacy standards, no functional privacy laws with any teeth, and zero accountability.

That’s directly thanks to politicians like Carr, who don’t believe in meaningful privacy oversight, laws, or guidelines of any kind.

It’s extremely easy for U.S. companies like Facebook or Cisco to use politicians as marionettes to create or feed moral panics about China. But the underlying motivations usually have absolutely nothing to do with a genuine interest in US consumer privacy or security. Made evident by those same politicians’ completely hollow track record when it comes to tackling the broader problem.

Filed Under: adtech, app stores, brendan carr, china, competition, fcc, privacy, scare-mongering, security, social media, surveillance
Companies: apple, google, tiktok

Trump Doesn’t Want To Get Back On Twitter So Badly, He’s Appealing His Case To Get Back On Twitter

Legal Issues

from the say-what-now? dept

In April, Donald Trump insisted he had no interest whatsoever in getting back on Twitter (in response to questions about whether or not Elon Musk would allow him back, should he ever close his Twitter purchase). In May, Donald Trump lost his lawsuit trying to force Twitter to reinstate him. In June, Donald Trump (who again, insists he wouldn’t even go back to Twitter if he were allowed to) decided to appeal the loss in his lawsuit in order to try to force Twitter to reinstate him.

The fact that Donald Trump might state things contrary to the truth isn’t much of a surprise, of course. But at some point, you gotta wonder how much he wants to actually rack up legal bills for this nonsense victimization campaign.

To be honest, I was a bit surprised Trump jumped straight to appeal here. The district court judge had left it open for him to amend his complaint, and I figured Trump would take one more crack at that before jumping to appeal. However, maybe he’s feeling high because his hand-picked Supreme Court Justices have started to show less and less restraint in using their lifetime appointments to settle political grievances — so perhaps he feels the faster he can get in front of today’s SCOTUS, the better.

This case is a total loser, though, and it would take some seriously warped twisting of so much existing law, that even this court would likely find it difficult to force Twitter to reinstate Trump.

Filed Under: 1st amendment, appeal, content moderation, donald trump
Companies: twitter

Enjoy Digital Ownership And Public Libraries While You Still Can

(Mis)Uses of Technology

from the you'll-miss-them-when-they're-gone dept

Michael E. Karpeles, Program Lead on OpenLibrary.org at the Internet Archive, spotted an interesting blog post by Michael Kozlowski, the editor-in-chief of Good e-Reader. It concerns Amazon and its audiobook division, Audible:

Amazon owned Audible ceased selling individual audiobooks through their Android app from Google Play a couple of weeks ago. This will prevent anyone from buying audio titles individually. However, Audible still sells subscriptions through the app (…)

Karpeles points out that this is yet another straw in the wind indicating that the ownership of digital goods is being replaced with a rental model. He wrote a post last year exploring the broader implications, using Netflix as an example:

What content landlords like Netflix are trying to do now is eliminate our “purchase” option entirely. Without it, renting become the only option and they are thus free to arbitrarily hike up rental fees , which we have to pay over and over again without us getting any of these aforementioned rights and freedoms. It’s a classic example of getting less for more.

He goes on to underline four extremely serious consequences of this shift. One is the end of “forever access”. If the company adopting the rental model goes out of business, customers lose access to everything they were paying for. With the ownership of goods, even if the supplier goes bankrupt, you still have the product they sold to you.

Secondly, the rental model effectively means the end of the public domain for material offered in that way. In theory, books, music, films and the rest that are under copyright should enter the public domain after a certain time – typically around a century after they first appeared. But when these digital goods are offered using the rental model, they usually come wrapped up in digital locks – digital rights management (DRM) – to prevent people exiting from the rental model by making a personal copy. That means that even if the company offering the digital goods is still around when the copyright expires, this content will remain locked-away even when it enters the public domain because it is illegal under copyright laws like the US DMCA and EU Information Society Directive to circumvent those locks.

Thirdly, Karpeles notes, the rental model means the end of personal digital freedom in this sphere. Since you access everything through the service provider, the latter knows what you are doing with the rented material and when. How much it chooses to spy on you will depend on the company, but you probably won’t know unless you live somewhere like the EU where you can make a request to the company for the personal data that it holds about you.

Finally, and perhaps least obviously, it means the end of the library model that has served us so well for hundreds of years. Increasingly, libraries are unable to buy copies of ebooks outright, but must rent them. This means that they must follow the strict licensing conditions imposed by publishers on how those ebooks are lent out by the library. For example, some publishers license ebooks for a set period of time – typically a year or two – with no guarantee that renewal will be possible at the end of that time. Others have adopted a metered approach that counts how many times an ebook is lent out, and blocks access after a preset number. Karpeles writes:

Looking to the future, as more books become only available for lease as eBooks, I see no clear option which allows libraries to sustainably serve their important roles as reliable, long-term public access repositories of cultural heritage and human knowledge. It used to be the case that a library would purchase a book once and it would serve the public for decades. Instead, now at the end of each year, a library’s eBooks simply vanish unless libraries are able to find enough quarters to re-feed the meter.

The option to own new digital goods or to access the digital holdings of public libraries may not be available much longer – enjoy them while you can.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon. Originally posted to Walled Culture.

Filed Under: audio books, digital ownership, libraries, ownership, rental model

Please Take A Moment To Celebrate How A Very Different Supreme Court Saved The Internet 25 Years Ago

Policy

from the can-we-please-not-have-to-do-this-again dept

The terrible, awful, no good, horrible plans to regulate the internet keep coming faster and furiouser these days. So, it’s worth remembering a time back when Congress passed one of the worst laws about the internet: the Communications Decency Act. Yes, these days we talk about the CDA more reverently, but that’s only because we’re talking about the one part of it that wasn’t declared unconstitutional: Section 230. Section 230, of course, was never even supposed to be a part of the CDA in the first place. It was crafted by then Representatives Chris Cox and Ron Wyden as an alternative approach to the ridiculousness that was coming out of Senator James Exon in the Senate.

But, you know, this is Congress, and rather than just do the right thing, it mashed the two approaches together in one bill and figured God or the courts would sort it out. And, thankfully, the courts did sort it out. Twenty-five years ago this week, the court decided Reno v. ACLU, dumped the entire CDA (minus Section 230) as blatantly unconstitutional, and, in effect, saved the internet.

Jared Schroeder and Jeff Kosseff wrote up a nice article about the 25th anniversary of the Reno decision that is well worth reading.

When faced with the first significant case about online expression, justices went in a completely different direction than Congress, using the Reno case to confer the highest level of protections on online expression.

The case started when a broad coalition of civil liberties groups, business interests, and others, including the American Civil Liberties Union, American Library Association, Planned Parenthood Federation of America, and Microsoft, sued. A three-judge panel in Philadelphia struck down much of the law, and the case quickly moved to the Supreme Court.

The federal government tried to justify these restrictions partly by pointing to a 1978 opinion in which the court allowed the FCC to sanction a radio station that broadcast George Carlin’s “seven dirty words.” Justices dismissed these arguments. They saw something different in the internet and rejected attempts to apply weaker First Amendment protections to the internet. Justices reasoned the new medium was fundamentally different from the scarce broadcast spectrum.

“This dynamic, multifaceted category of communication includes not only traditional print and news services, but also audio, video, and still images, as well as interactive, real-time dialogue,” Justice John Paul Stevens wrote. “Through the use of chat rooms, any person with a phone line can become a town crier with a voice that resonates farther than it could from any soapbox. Through the use of Web pages, mail exploders, and newsgroups, the same individual can become a pamphleteer.”

The article has a lot more details about the case, and why it’s still relevant. Also, how the messages from that ruling are still useful today as we are, once again, facing many attempts to regulate the internet.

The precedent’s relevance isn’t in the case’s dated facts or romanticized predictions. Its enduring value is in the idea the internet should generally be protected from government control. Without the Supreme Court’s lucid and fervent defense of online free speech, regulators, legislators, and judges could have more easily imposed their values on the internet.

There’s a lot more in that article, but go read it… on this very internet that would have been a very, very different place without that ruling.

Filed Under: 1st amendment, cda, communications decency act, internet, reno, reno v. aclu
Companies: aclu

How The Internet Enabled A Mariners Fan And DoorDash Driver To Connect And Do Something Cool

Culture

from the faith-restored dept

The world can be an awful, horrible place. Lately, it feels like, in America, things are only getting more difficult. And, because my country loves its scapegoats, the internet has been routinely blamed for all the country’s, perhaps the world’s, ills. Insurrections, political radicalization, obesity, poor socialization, literally any sub-optimal thing to do with children: blame the internet.

But that’s obviously stupid. The internet is responsible for both good and bad outcomes in society, as is pretty much everything else. But the internet also is only as good or bad as those that make use of it. And sometimes, the internet enables really awesome stuff.

Take the story of Sofie Dill, Seattle Mariners fan, and Simranjeet Singh, a DoorDash driver. This past weekend, without getting into too much detail, Jesse Winker was hit by a pitch while playing the L.A. Angels and a brawl between the teams ensued. Baseball fights are plainly dumb, but some fans enjoy them, or at least root for their players in the fight. To that end, Dill, from her home in Arkansas, decided to send Winker a pizza from a local Anaheim parlor to be delivered directly to the stadium. And, for added measure, she live-tweeted her DoorDash experience for everyone to follow along.

Baseball fan or not, you should go check out the full thread. It’s a harrowing journey to see if she could in fact deliver a pizza to a professional baseball player in a visiting Major League clubhouse to express her support. The spoiler here is that the pizza did in fact get delivered, Winker reached out to her on Twitter to say thanks, and a whole bunch of people were cheering on the DoorDash driver, Singh, as he went on his dutiful journey.

As a result, Dill managed to get Singh to share his Venmo QR code and shared it out to Twitter.

And from there, the internet did its thing. Plenty of folks started sending money to Singh’s Venmo. Other’s asked they could send him money via another platform. Singh himself started sending out tweets thanking everyone, clearly overjoyed at everyone’s generosity. Then, were that not enough, two other awesome outcomes happened, just to restore your faith in humanity.

While I can’t be sure how much was donated to Singh, he certainly didn’t keep all of it for himself.

There are good people in this world. Paying it forward would have been the feel good coda to this story on its own, but then the Mariners decided to get in on the fun as well.

Dill got herself a Winker jersey from the Mariners. Singh had what he describes as a life-changing event. Mariners fans got to have a ton of fun on Twitter with all of this. St. Jude’s got a donation.

If there’s a loser in this story, I can’t find one. And all of this made possible by the evil, vile internet that too many people blame for every last thing.

Filed Under: baseball, fandom, internet, jesse winker, pizza, sharing, simrajeet singh, sofie dill
Companies: doordash, seattle mariners

California Legislators Seek To Burn Down The Internet — For The Children

Policy

from the stop-trying-to-regulate-stuff-you-don't-understand dept

I’m continuing my coverage of dangerous Internet bills in the California legislature. This job is especially challenging during an election year, when legislators rally behind the “protect the kids” mantra to pursue bills that are likely to hurt, or at least not help, kids. Today’s example is AB 2273, the Age-Appropriate Design Code Act (AADC),

Before we get overwhelmed by the bill’s details, I’ll highlight three crucial concerns:

First, the bill pretextually claims to protect children, but it will change the Internet for EVERYONE. In order to determine who is a child, websites and apps will have to authenticate the age of ALL consumers before they can use the service. NO ONE WANTS THIS. It will erect barriers to roaming around the Internet. Bye bye casual browsing. To do the authentication, businesses will be forced to collect personal information they don’t want to collect and consumers don’t want to give, and that data collection creates extra privacy and security risks for everyone. Furthermore, age authentication usually also requires identity authentication, and that will end anonymous/unattributed online activity.

Second, even if businesses treated all consumers (i.e., adults) to the heightened obligations required for children, businesses still could not comply with this bill. That’s because this bill is based on the U.K. Age-Appropriate Design Code. European laws are often aspirational and standards-based (instead of rule-based), because European regulators and regulated businesses engage in dialogues, and the regulators reward good tries, even if they aren’t successful. We don’t do “A-for-Effort” laws in the U.S., and generally we rely on rules, not standards, to provide certainty to businesses and reduce regulatory overreach and censorship.

Third, this bill reaches topics well beyond children’s privacy. Instead, the bill repeatedly implicates general consumer protection concerns and, most troublingly, content moderation topics. This turns the bill into a trojan horse for comprehensive regulation of Internet services and would turn the privacy-centric California Privacy Protection Agency/CPPA) into the general purpose Internet regulator.

So the big takeaway: this bill’s protect-the-children framing is designed to mislead everyone about the bill’s scope. The bill will dramatically degrade the Internet experience for everyone and will empower a new censorship-focused regulator who has no interest or expertise in balancing complex and competing interests.

What the Bill Says

Who’s Covered

The bill applies to a “business that provides an online service, product, or feature likely to be accessed by a child.” “Child” is defined as under-18, so the bill treats teens and toddlers identically.

The phrase “likely to be accessed by a child means it is reasonable to expect, based on the nature of the content, the associated marketing, the online context, or academic or internal research, that the service, product, or feature would be accessed by children.” Compare how COPPA handles this issue; it applies when services know (not anticipate) users are under-13 or direct their services to an under-13 audience. In contrast, the bill says that if it’s reasonable to expect ONE under-18 user, the business must comply with its requirements. With that overexpansive framing, few websites and apps can reasonably expect that under-18s will NEVER use their services. Thus, I believe all websites/apps are covered by this law so long as they clear the CPRA quantitative thresholds for being a “business.” [Note: it’s not clear how this bill situates into the CPRA, but I think the CPRA’s “business” definition applies.]

What’s Required

The bill starts with this aspirational statement: “Companies that develop and provide online services, products, or features that children are likely to access should consider the best interests of children when designing, developing, and providing that service, product, or feature.” The “should consider” grammar is the kind of regulatory aspiration found in European law. Does this statement have legal consequences or not? I vote it does not because “should” is not a compulsory obligation. So what is it doing here?

More generally, this provision tries to anchor the bill in the notion that businesses owe a “duty of loyalty” or fiduciary duty to their consumers. This duty-based approach to privacy regulation is trendy in privacy circles, but if adopted, it would exponentially expand regulatory oversight of businesses’ decisions. Regulators (and private plaintiffs) can always second-guess a business’ decision; a duty of “loyalty” gives the regulators the unlimited power to insist that the business made wrong calls and impose punishments accordingly. We usually see fiduciary/loyalty obligations in the professional services context where the professional service provider must put an individual customer’s needs before its own profit. Expanding this concept to mass-market businesses with millions of consumers would take us into uncharted regulatory territory.

The bill would obligate regulated businesses to:

• Do data protection impact assessments (DPIAs) for any features likely to be accessed by kids (i.e., all features), provide a “report of the assessment” to the CPPA, and update the DPIA at least every 2 years.
• “Establish the age of consumers with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers.” As discussed below, this is a poison pill for the Internet. This also exposes part of the true agenda here: if a business can’t do what the bill requires (a common consequence), the bill drives businesses to adopt the most restrictive regulation for everyone, including adults.
• Configure default settings to a “high level of privacy protection,” whatever that means. I think this meant to say that kids should automatically get the highest privacy settings offered by the business, whatever that level is, but it’s not what it says. Instead, this becomes an aspirational statement about what constitutes a “high level” of protection.
• All disclosures must be made “concisely, prominently, and using clear language suited to the age of children likely to access” the service. The disclosures in play are “privacy information, terms of service, policies, and community standards.” Note how this reaches all consumer disclosures, not just those that are privacy-focused. This is the first of several times we’ll see the bill’s power grab beyond privacy. Also, if a single toddler is “likely” to access the service, must all disclosures must be written at toddlers’ reading level?
• Provide an “obvious signal” if parents can monitor their kids’ activities online. How does this intersect with COPPA?
• “Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.” 🚨 This language unambiguously governs all consumer disclosures, not just privacy-focused ones. Interpreted literally, it’s ludicrous to mandate businesses enforce every provision in their TOSes. If a consumer breaches a TOS by scraping content or posting violative content, does this provision require businesses to sue the consumer for breach of contract? More generally, this provision directly overlaps AB 587, which requires businesses to disclose their editorial policies and gives regulators the power to investigate and enforce any perceived or alleged deviations how services moderate content. See my excoriation of AB 587. This provision is a trojan horse for government censorship that has nothing to do with protecting the kids or even privacy. Plus, even if it weren’t an unconstitutional provision, the CPPA, with its privacy focus, lacks the expertise to monitor/enforce content moderation decisions.
• “Provide prominent, accessible, and responsive tools to help children, or where applicable their parent or guardian, exercise their privacy rights and report concerns.” Not sure what this means, especially in light of the CPRA’s detailed provisions about how consumers can exercise privacy rights.

The bill would also obligate regulated businesses not to:

• “Use the personal information of any child in a way that the business knows or has reason to know the online service, product, or feature more likely than not causes or contributes to a more than de minimis risk of harm to the physical health, mental health, or well-being of a child.” This provision cannot be complied with. It appears that businesses must change their services if a single child might suffer any of these harms, which is always? This provision especially seems to target UGC features, where people always say mean things that upset other users. Knowing that, what exactly are UGC services supposed to do differently? I assume the paradigmatic example are the concerns about kids’ social media addiction, but like the 587 discussion above, the legislature is separately considering an entire bill on that topic (AB 2408), and this one-sentence treatment of such a complicated and censorial objective isn’t helpful.
• “Profile a child by default.” “Profile” is not defined in the bill. The term “profile” is used 3x in the CPRA but also not defined. So what does this mean?
• “Collect, sell, share, or retain any personal information that is not necessary to provide a service, product, or feature with which a child is actively and knowingly engaged.” This partially overlaps COPPA.
• “If a business does not have actual knowledge of the age of a consumer, it shall not collect, share, sell, or retain any personal information that is not necessary to provide a service, product, or feature with which a consumer is actively and knowingly engaged.” Note how the bill switches to the phrase “actual knowledge” about age rather than the threshold “likely to be accessed by kids.” This provision will affect many adults.
• “Use the personal information of a child for any reason other than the reason or reasons for which that personal information was collected. If the business does not have actual knowledge of the age of the consumer, the business shall not use any personal information for any reason other than the reason or reasons for which that personal information was collected.” Same point about actual knowledge.
• Sell/share a child’s PI unless needed for the service.
• “Collect, sell, or share any precise geolocation information of children by default” unless needed for the service–and only if providing “an obvious sign to the child for the duration of that collection.”
• “Use dark patterns or other techniques to lead or encourage consumers to provide personal information beyond what is reasonably expected for the service the child is accessing and necessary to provide that service or product to forego privacy protections, or to otherwise take any action that the business knows or has reason to know the online service or product more likely than not causes or contributes to a more than de minimis risk of harm to the child’s physical health, mental health, or well-being.” No one knows what the term “dark patterns” means, and now the bill would also restrict “other techniques” that aren’t dark patterns? Also see my earlier point about the “de minimis risk of harm” requirement.
• “Use any personal information collected or processed to establish age or age range for any other purpose, or retain that personal information longer than necessary to establish age. Age assurance shall be proportionate to the risks and data practice of a service, product, or feature.” The bill expressly acknowledges that businesses can’t authenticate age without collecting PI–including PI the business would choose not to collect but for this bill. This is like the CCPA/CPRA’s problems with “verifiable consumer request”–to verify the consumer, the business has to ask for PI, sometimes more invasively than the PI the consumer is making the request about. ¯_(ツ)_/¯

New Taskforce

The bill would create a new government entity, the “California Children’s Data Protection Taskforce,” composed of “Californians with expertise in the areas of privacy, physical health, mental health, and well-being, technology, and children’s rights” as appointed by the CPPA. The taskforce’s job is “to evaluate best practices for the implementation of this title, and to provide support to businesses, with an emphasis on small and medium businesses, to comply with this title.”

The scope of this taskforce likely exceeds privacy topics. For example, the taskforce is charged with developing best practices for “Assessing and mitigating risks to children that arise from the use of an online service, product, or feature”–this scope isn’t limited to privacy risks. Indeed, it likely reaches services’ editorial decisions. The CPPA is charged with constituting and supervising this taskforce even though it lacks expertise on non-privacy-related topics.

New Regulations

The bill obligates the CPPA to come up with regulations supporting this bill by April 1, 2024. Given the CADOJ’s and CPPA’s track record of missing statutorily required timelines for rule-making, how likely is this schedule? 🤣

Problems With the Bill

Unwanted Consequences of Age and Identity Authentication. Structurally, the law tries to sort the online population into kids and adults for different regulatory treatment. The desire to distinguish between children and adults online has a venerable regulatory history. The first Congressional law to crack down on the Internet, the Communications Decency Act, had the same requirement. It was struck down as unconstitutional because of the infeasibility. Yet, after 25 years, age authentication still remains a vexing technical and social challenge.

Counterproductively, age-authentication processes are generally privacy invasive. There are two primary ways to do it: (1) demand the consumer disclose lots of personal information, or (2) use facial recognition and collect highly sensitive face information (and more). Businesses don’t want to invade their consumers’ privacy these ways, and COPPA doesn’t require such invasiveness either.

Also, it’s typically impossible to do age-authentication without also doing identity-authentication so that the consumer can establish a persistent identity with the service. Otherwise, every consumer (kids and adults) will have to authentication their age each time they access a service, which will create friction and discourage usage. But if businesses authenticate identity, and not just age, then the bill creates even greater privacy and security risks as consumers will have to disclose even more PI.

Furthermore, identity authentication functionally eliminates anonymous online activity and all unattributed activity and content on the Internet. This would hurt many communities, such as minorities concerned about revealing their identity (e.g., LGBTQ), pregnant women seeking information about abortions, and whistleblowers. This also raises obvious First Amendment concerns.

Enforcement. The bill doesn’t specify the enforcement mechanisms. Instead, it wades into an obvious and avoidable tension in California law. On the one hand, the CPRA expressly negates private rights of action (except for certain data security breaches). If this bill is part of the CPRA–which the introductory language implies–then it should be subject to the CPRA’s enforcement limits. CADOJ and CPPA have exclusive enforcement authority over the CPRA, and there’s no private right of action/PRA. On the other hand, California B&P 17200 allows for PRAs for any legal violation, including violations of other California statutes. So unless the bill is cabined by the CPRA’s enforcement limit, the bill will be subject to PRAs through 17200. So which is it?  ¯\_(ツ)_/¯

Adding to the CPPA’s Workload. The CPPA is already overwhelmed. It can’t make its rule-making deadline of July 1, 2022 (missing it by months). That means businesses will have to comply with the voluminous rules with inadequate compliance time. Once that initial rule-making is done, the CPPA will then have to build a brand-new administrative enforcement function and start bringing, prosecuting, and adjudicating enforcements. That will be another demanding, complex, and time-consuming project for the CPPA. So it’s preposterous that the California legislature would add MORE to the CPPA’s agenda, when it clearly cannot handle the work that the California voters have already instructed it to do.

Trade Secret Problems. Requiring businesses to report about their DPIAs for every feature they launch potentially discloses lots of trade secrets–which may blow their trade secret protection. It certainly provides a rich roadmap for plaintiffs to mine.

Conflict with COPPA. The bill does not provide any exceptions for parental consent to the business’ privacy practices. Instead, the bill takes power away from parents. Does this conflict with COPPA such that COPPA would preempt it? No doubt the bill’s basic scheme rejects COPPA’s parental control model.

I’ll also note that any PRA may compound the preemption problem. “Allowing private plaintiffs to bring suits for violations of conduct regulated by COPPA, even styled in the form of state law claims, with no obligation to cooperate with the FTC, is inconsistent with the treatment of COPPA violations as outlined in the COPPA statute.” Hubbard v. Google LLC, 546 F. Supp. 3d 986 (N.D. Cal. 2021).

Conflict with CPRA’s Amendment Process. The legislature may amend the CPRA by majority vote only if it enhances consumer privacy rights. As I’ve explained before, this is a trap because I believe the amendments must uniformly enhance consumer privacy rights. In other words, if some consumers get greater privacy rights, but other consumers get less privacy rights, then the legislature cannot make the amendment via majority vote. In this case, the AADC undermines consumer privacy by exposing both children and adults to new privacy and security risks through the authentication process. Thus, the bill, if passed, could be struck down as exceeding the legislature’s authority.

In addition, the bill says “If a conflict arises between commercial interests and the best interests of children, companies should prioritizes the privacy, safety, and well-being of children over commercial interests.” A reminder of what the CPRA actually says: “The rights of consumers and the responsibilities of businesses should be implemented with the goal of strengthening consumer privacy, while giving attention to the impact on business and innovation.” By disregarding the CPRA’s instructions to consider impacts on businesses, this also exceeds the legislature’s authority.

Dormant Commerce Clause. The bill creates numerous potential DCC problems. Most importantly, businesses necessarily will have authenticate the age of all consumers, both in and outside of California. This means that the bill would govern how businesses based outside of California interact with non-Californians, which the DCC does not permit.

Conclusion

Due to its scope and likely impact, this bill is one of the most consequential bills in the California legislature this year. The Internet as we know it hangs in the balance. If your legislator isn’t paying proper attention to those consequences (spoiler: they aren’t), you should give them a call.

Originally posted to Eric Goldman’s Technology & Marketing Law blog. Reposted with permission.

Filed Under: aadc, ab 2273, age appropriate design code act, california, for the children, privacy