Cathy Gellis’s Techdirt Profile



Posted on Techdirt - 25 September 2018 @ 10:44am

District Court Misses The Forest For The Trees In Dismissing Constitutional Challenge To FOSTA

from the stop-hitting-yourself dept

It's like the scene in the Naked Gun, where Leslie Nielsen stands outside the exploding fireworks factory telling everyone, "Nothing to see here. Please disperse." Such is the decision by the district court dismissing the EFF's lawsuit challenging the constitutionality of FOSTA.

Since FOSTA's passage, many have largely been reacting in terror at its vague, yet broad, language threatening civil and even criminal liability. It has led to the censorship of enormous swathes of legitimate speech as platforms seek to reduce this new risk. But in a decision Monday dismissing the case for lack of standing, the district court basically declared that it couldn't understand what everyone was so worked up over.

Standing has to do with who is entitled to file a lawsuit. Ordinarily you have to have suffered an actual injury, although in certain situations, such as constitutional challenges, parties can have standing if it is likely that they will suffer an injury. After all, we wouldn't want people to have to expend resources needlessly in the effort to comply with an unconstitutional law, or have to risk prosecution in order to have its constitutionality tested before the courts. But the injury risk still needs to be reasonably likely.

Imminence, the element most relevant here, is concededly a somewhat elastic concept. Nevertheless, imminence "cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes – that the injury is certainly impending." […] The concept of imminence has been particularly important in the context of pre-enforcement challenges. The Supreme Court has held that a plaintiff who challenges a statute must demonstrate a realistic danger of sustaining a direct injury as a result of the statute's operation or enforcement. A credible threat of prosecution exists when the challenged law is aimed directly at plaintiffs, who, if their interpretation of the statute is correct, will have to take significant and costly compliance measures or risk criminal prosecution. Thus, fear of prosecution cannot be "imaginary or wholly speculative," and allegations of a subjective "chill" are not an adequate substitute for a claim of specific present objective harm or a threat of specific future harm. [p. 15-16]

Yet here the court decided it was not.

It would be great if it were right, and no one had anything to fear. But while the court essentially declared the fears contorting the availability of online speech to be much ado about nothing, it didn't do so in a way that would effectively allay those fears.

As the court ran through its analysis of the standing of each plaintiff, it struggled to see how what they proposed to do, and how what they feared would be chilled by the law, was targeted by the law.

[P]laintiffs say, FOSTA criminalizes "anything that promotes or facilitates prostitution, and not a specific crime." This is particularly problematic because prostitution is an area where there has been significant advocacy, both by government entities and by private citizens. As plaintiffs see it, that advocacy places them in crosshairs. In pressing this argument, however, plaintiffs ignore key textual indications that make clear that FOSTA targets specific acts of illegal prostitution not the abstract topic of prostitution or sex work. [p. 22]

The above is some of what the court had to say about the lead plaintiff Woodhull Freedom Foundation. It concluded similarly for plaintiff Human Rights Watch. For plaintiff Jesse Maley a/k/a Alex Andrews, the creator and operator of an actual platform, it similarly minimized her concerns.

Under Maley's reasoning, because providing housing or childcare services to sex workers "make[s] sex work easier," Rate That Rescue could be said to promote or facilitate prostitution. For this reason, Maley fears that amendments to Section 230 - which clarify that immunity does not extend to conduct made unlawful by Section 2421A - could expose her to prosecution for the speech of third parties on Rate That Rescue. […] Her concerns, however, are unwarranted. Put simply, Maley has failed to show that Section 230 amendments expose her to a credible threat of prosecution. That is so because Maley, on the current record, lacks the mens rea to violate any of the provisions specified in Section 230(c)(5). […] In managing Rate That Rescue, Maley cannot possibly be said to act "with the intent to promote or facilitate the prostitution of another person" in violation of Section 2421A. Maley's declaration concedes as much, repeatedly expressing concern that law enforcement could determine that "the user-generated content on Rate That Rescue promotes or facilitates prostitution." But those formulations lack the critical mens rea element of the Section 2421A offense. Indeed, Maley herself does not even assert that law enforcement could credibly contend that, in managing Rate That Rescue, she acts "with the intent to promote or facilitate" the prostitution of another person. Of course, the mere promotion or facilitation of prostitution is not enough: Maley must intend that her conduct produce the specific result. [p. 25-26]

It's a statutory parsing that would be a lot more assuring if it didn't ignore another perfectly plausible read of the statute. Of course it's ridiculous to say that Maley intended to promote prostitution. But that's not what the statute forbids. In a subsequent passage the court dismisses the argument that FOSTA's amendments to 18 U.S.C. Sec. 1591 create any additional legal risk for platforms. But the amendments expand the prohibition against the "participation in a venture" to engage in sex trafficking to include "knowingly assisting, supporting, or facilitating" such a venture. This language suggests that liability does not require knowledge of a specific act of sex trafficking. Instead, merely providing services to sex traffickers – even ones unsuccessful in their sex trafficking venture – would seem to trigger liability. In other words, knowledge seems to hinge not on knowledge of a sex trafficking act but on knowledge of a sex trafficking venture (including one that may even be victimless), yet both the statute and the court are silent as to how much, or how little, a platform would need to actually know in order to have "knowledge" for purposes of the statute. This vagueness is what is so chilling to them, because it forces them to guess conservatively. But the court provides little relief, and in dismissing the case denies the opportunity to even attempt to gain any.

Also, while these plaintiffs were suing because they feared prospective injury, plaintiff Eric Koszyk has already experienced a tangible injury directly traceable to the changes in the law wrought by FOSTA. He was a massage therapist who relied on Craigslist to advertise his services. In the wake of FOSTA, Craigslist shut down its Therapeutic Services section, thus limiting his ability to find customers. Without FOSTA (which would result if it were declared unconstitutional) it would seem that the shutdown decision could be reversed. But to the court this result would be too speculative:

Unfortunately for Koszyk, he cannot establish redressability under the relevant precedents. That is so because Koszyk has not established that a victory "will likely alleviate the particularized injury alleged." It is well established that a plaintiff lacks standing when the "redress for its injury depends entirely on the occurrence of some other, future event made no more likely by its victory in court." When, as here, a third party can exercise "broad and legitimate discretion the courts cannot presume either to control or to predict," a court is generally unable to redress the alleged injury and, accordingly, standing is found wanting. [p. 27-28]

This is insanity. Of course the court can't force Craigslist to re-open its Therapeutic Services section. But it can eliminate the reason for its closure and at least make the decision to re-open it possible. As long as FOSTA remains on the books it eliminates that possibility, and that's an injury.

It didn't go any better for the Internet Archive's standing as a plaintiff. As a platform that handles a massive amount of third party created content, for which review would be impossible, it worried it could nonetheless be caught in FOSTA's net. Don't worry about it, said the court.

Although the Internet Archive represents that it does not intend to promote sex trafficking or prostitution, it believes that the Section 230 amendments and the ambiguity of their scope may expose it to liability. Once again, however, there are no facts in the record supporting an inference of the mens rea standard necessary to peel back Section 230's protections. The Internet Archive's practice of sweeping up vast amounts of content from the web for indefinite storage, and its attested practical inability to review the legality of that third-party content, mean that that entity simply cannot meet the stringent mens rea standard required for liability under Sections 2421A, 1591, or 1595. [p. 28]

In a way, that sounds great. Don't know what's in all that user content? No problem. But the problem is, inevitably platforms are going to have some knowledge of what's in all the user content. In fact, if Section 230 is going to work as intended to encourage platform moderation of content they are going to have to know. And, thanks to this decision, this knowledge remains a terrifying prospect for all.

It is likely that EFF will continue to press forward with this case, so it is not the final word on FOSTA's constitutionality, but it is an unfortunate start.


Posted on Techdirt - 20 September 2018 @ 1:33pm

Wherein Jean Luc Picard Learns How Not To Moderate Twitter

from the instructive-allegory dept

For those not familiar with the Star Trek: the Next Generation canon, in the episode "Hero Worship" the Enterprise receives a distress call from somewhere deep in space, and in responding discovers a heavily-damaged ship with just one survivor. While the Enterprise crew is investigating what happened to the ship, they soon realize that they are being pounded by energy waves, and eventually it dawns on them that these waves could eventually destroy their ship like they apparently did the other. As the Enterprise tries to channel more and more power to its shields to protect itself from the battering, the waves hitting the ship become more and more violent. Until finally – spoiler alert! (although let's be honest: the episode basically telegraphs that this will be the solution) – Commander Data realizes that the waves are reflecting back the energy the Enterprise is expending, and that the solution is to cut the power or else be destroyed by the slapback.

This is a sci fi story illustrating a phenomenon with which we're all familiar. It's that basic principle: to every action there is an equal and opposite reaction. And that's what's happening as people demand more censorship from platforms like Twitter, and then get more outraged when platforms have inevitably censored things they like. Of course increased calls to remove content will inevitably result in increased calls not to. And of course platforms' efforts to comply with all these competing demands will just make the platform more unusable until, like the wrecked ship, it will have torn itself apart to the point that it's hardly recognizable.

As the Enterprise crew learned, solutions don't always require figuring out ways to expend more energy. Sometimes they involve disengaging from a struggle that can never be won and finding new ways to view the problem. And when it comes to platform moderation, that same lesson seems relevant here.

Because just as the challenge facing the Enterprise was not actually to overpower the energy rocking it, that is not really the platforms' challenge either. The essential, and much less pugilistic, challenge they face is to figure out how to successfully facilitate the exchange of staggering amounts of expression between an unprecedented number of people. Content moderation is but one tool, but it's not the only one available, nor is it the best one for achieving that ultimate goal. Platforms shouldn't need to completely control the user experience; instead they need to deliver the control users need to optimize it for themselves. Being fixated only on the former at the expense of the latter is doomed to be no more successful than when the Enterprise was focused on doing nothing but feeding more power to the shields. In the end it wouldn't have saved the ship, because ultimately the solution it needed was something far less antagonistic. And the same is just as true for platforms.

Internet platforms of course are not fictional starships. And unlike fictional starships they can't depend on artificial intelligence to set them on the right path. Theirs is a very human exercise, that first requires understanding the human beings who use their systems and then ensuring that the interfaces of these systems are built in accordance with how those users expect to use them, and need to.

Which itself is a lesson the story teaches. The survivor of that wrecked ship happened to have been a child, who was worried that it was he who had accidentally destroyed his ship when he stumbled during a wave attack and hit a computer console during his fall. The Enterprise crew assured him there was nothing he could have done to hurt anything. The engineers who had designed those consoles understood what their users needed from their interfaces, including the protection the interfaces needed to afford, and the enormous stakes if users didn't get it. And that's what the people building computer systems always need to do, no matter what the century.


Posted on Free Speech - 18 September 2018 @ 10:44am

How Regulating Platforms' Content Moderation Means Regulating Speech - Even Yours.

from the democratization-of-the-Internet dept

Imagine a scenario:

You have a Facebook page, on which you've posted some sort of status update. Maybe an update from your vacation. Maybe a political idea. Maybe a picture of your kids. And someone comes along and adds a really awful comment on your post. Maybe they insult you. Maybe they insult your politics. Maybe they insult your kids.

Would you want to be legally obligated to keep their ugly comments on your post? Of course not. You'd probably be keen to delete them, and why shouldn't you be able to?

Meanwhile, what if it was the other way around: what if someone had actually posted a great comment, maybe with travel tips, support for your political views, or compliments on how cute your kids are. Would you ever want to be legally obligated to delete these comments? Of course not. If you like these comments, why shouldn't you be able to keep sharing them with readers?

Now let's expand this scenario. Instead of a Facebook page, you've published your own blog. And on your blog you allow comments. One day you get a really awful comment. Would you want to be legally obligated to keep that comment up for all to see? Of course not. Nor would you want to be legally obligated to delete one that was really good. Think about how violated you would feel, though, if the law could force you to make these sorts of expressive decisions you didn't want to make and require you to either host speech you hated or force you to remove speech that you liked.

And now let's say that your website is not just a blog with comments but a larger site with a message board. And let's say the message board is so popular that you've figured out a way to monetize it to pay for the time and resources it takes to maintain it. Maybe you charge users, maybe you run ads, or maybe you take a cut from some of the transactions users are able to make with each other through your site.

And let's say that this website is so popular that you can't possibly run it all by yourself, so you run it with your friend. And now that there are multiple people and money involved, you and your friend decide to form a company to run it, which both gives you some protection and makes it easier to raise money to invest in better equipment and more staff. Soon the site is so popular that you've got dozens, hundreds, or even thousands of people employed to help you run it. And maybe now you've even been able to IPO.

And then someone comes along and posts something really awful on your site.

And someone else comes along and posts something you really like.

Which gets to the point of this post: if it was not OK for the law to be able to force you to maintain the bad comments, or to delete the good ones, when you were small, at what point did it become OK when you got big – if ever?

There is a very strong legal argument that it never became OK, and that the First Amendment interest you had in being able to exercise the expressive choices about what content to keep or delete on your website never went away – it's just that it's easier to see how the First Amendment prevents being forced to make those choices when the choices are so obviously personal (as in the original Facebook post example). But regardless of whether you host a small personal web presence, or are the CEO of a big commercial Internet platform, the principle is the same. There's nothing in the language of the First Amendment that says it only protects editorial discretion of small websites and not big ones. They all are entitled to its protection against compelled speech.

Which is not to say that as small websites grow into big platforms there aren't issues that can arise due to their size. But it does mean that we have to be careful in how we respond to these challenges. Because in addition to the strong legal argument that it's not OK to regulate websites based on their expressive choices, there's also a strong practical argument.

Ultimately large platforms are still just websites out on the Internet, and ordinarily the Internet allows for an unlimited number of websites to come into being. Which is good, because, regardless of the business, we always want to ensure that it's possible to get new entrants who could provide the same services on terms the market might prefer. In the case of platform businesses, those may be editorial terms. Naturally we wouldn't want larger companies to be able to throw up obstacles that prevent competitors from becoming commercially viable, and to the extent that a large company's general business practices might unfairly prevent competition then targeted regulation of those specific practices may be appropriate. But editorial policies are not what may prevent another web-based platform from taking root. Indeed, the greater the discontent with the incumbent's editorial policies, the more it increases the public's appetite for other choices.

The problem is, if we regulate big platforms by targeting their editorial policies, then all of a sudden that loss of editorial freedom itself becomes a barrier to having those other choices come into being, because there's no way to make rules that would only apply to bigger websites and not also smaller or more personal ones, including all the nascent ones we're trying to encourage. After all, how could we? Even if we believed that only big websites should be regulated, how would we decide at what stage of the growth process website operators should lose their right to exercise editorial discretion over the speech appearing on their sites? Is it when they started running their websites with their friends? Incorporated? Hired? (And, if so, how many people?) Is it when they IPO'd? And what about large websites that are non-profits or remain privately run?

Think also about how chilling it would be if law could make this sort of distinction. Would anyone have the incentive to grow their web presence if its success meant they would lose the right to control it? Who would want to risk building a web-based business, run a blog with comments, or even have a personal Facebook post that might go viral, if, as a consequence of its popularity, it meant that you no longer could control what other expression appeared on it? Far from actually helping level the playing field to foster new websites seeking to be better platforms than the ones that came before, in targeting editorial policies with regulation we would instead only be deterring people from building them.


Posted on Techdirt - 6 September 2018 @ 3:33pm

United Airlines Made Its App Stop Working On My Phone, And What This Says About How Broken The Mobile Tech Space Is

from the garbage-in-garbage-out? dept

This post isn't really about United Airlines, but let's start there because it's still due plenty of criticism.

One day my phone updated the United App. I forget if I had trusted it to auto-update, or if I'd manually accepted the update (which I usually do only after reviewing what's been changed in the new version), but in any case, suddenly I found that it wasn't working. I waited a few days to see if it was a transient problem, but it still wouldn't work. So I decided to uninstall and reinstall, and that's where I ran into a wall: it wouldn't download, because Google Play said the new version wasn't compatible with my phone.

Wait, what? It used to run just fine. So I tweeted at United, which first responded in a surprisingly condescending and unhelpful way.

Sometime later I tweeted again, and this time the rep at least took the inquiry seriously. Apparently United had made the affirmative choice to stop supporting my Android version. And apparently it made this decision without actually telling anyone (like, any of their customers still running that version, who might not have updated if they knew they would have to BUY A NEW PHONE if they wanted to keep running it).

Ranting about this on Twitter then led to an interesting argument about what is actually wrong with this situation.

But let's not let United off the hook too soon. First, even if United were justified in ceasing to support an Android 4.x capable app, it should have clearly communicated this to the customers with 4.x phones. Perhaps we could have refused the update, but even if not, at least we would have known what happened and not wasted time troubleshooting. Plus we would have had some idea of how much United valued our business...

Second, one of the points raised in United's defense is that it is expensive to have to support older versions of software. True, but if United wants to pursue the business strategy of driving its customers to its app as a way of managing that relationship, then it will need to figure out how to budget for maintaining that relationship with all of its customers, or at least those whose business it wants to keep. If providing support for older phones is too expensive, then it should reconsider the business decision of driving everyone to the app in the first place. It shouldn't make customers subsidize this business decision by forcing them to invest in new equipment.

And then there was the third and most troubling point raised in United's defense, which is that Android 4.x is a ticking time bomb of hackable horror, and that any device still running it should be cast out of our lives as soon as possible. According to this argument, for United to continue to allow people to use their app on a 4.x Android device would be akin to malpractice, and possibly not even be allowed per their payment provider agreements.

At this point we'll stop talking to United, because the problem is no longer about them. Let's assume that the security researchers making this argument are right about the vulnerability of 4.x and its lack of support.

The reality is, THE PHONES STILL WORK. They dial calls. They surf the web. They show movies. Display ebooks. Give directions. Hold information. Sure, at some point the hardware will fail. But for those wrapped in good cases that have managed to avoid plunging into the bath, there's no reason they couldn't continue to chug on for years. Maybe even decades. In fact, the first thing to go may be the battery – although, thanks to them often not being removable, this failure would doom the rest of the device to becoming e-waste. But why should it be doomed to becoming e-waste a moment before it actually becomes an unusable thing? Today these phones are still usable, and people use them, because it is simply not viable for most people to spend several hundred dollars every few years to get a new one.

And yet, in this mobile ecosystem, they'll need to. Not only to keep running the software they depend on, but to be able to use the devices safely. The mere ability to function no longer is enough to delineate a working device from a non-working one. The difference between a working device and a piece of trash is what the OS manufacturer deems it. Because when it says it's done maintaining the OS, then the only proper place for a phone that runs it is a landfill.

It is neither economically nor environmentally sustainable for mobile phones to have such artificially short lifespans. "Your phone was released in 2013!" someone told me, as if I'd somehow excavated it from some ancient ruin and turned it on. It's a perfectly modern device (in fact, this particular phone in my possession came into use far more recently than 2013), still holds a reasonable charge, and is perfectly usable for all the things I use it for (well, except the United app...). So what do you mean that I can't use it? Or that any of the other millions if not billions of people in the world running Android 4.x phones can't use them?

There are lots of fingers to point in this unacceptable state of affairs. At app makers who refuse to support older OSes. At app makers who make us use apps at all, instead of mobile web applications, since one of the whole points of the Web in the first place was to make sure that information sharing would not be device- or OS-dependent. At carriers who bake the OS into their phones in such a way that we become dependent on them to allow us OS updates. At the OS manufacturers who release these systems into the wild with no intention of supporting them beyond just a few years. And to various legal regimes (I'm looking at you, copyright law…) that prevent third parties from stepping in to provide the support the OEM providers refuse to anymore. Obviously there are some tricky issues with having a maintenance aftermarket given concerns with authentication, etc., but we aren't even trying to solve them. We aren't doing anything at all, except damning the public to either throw good money after bad for new devices that will suffer the same premature fate, or to continue to walk around with insecure garbage in their pockets. And neither is ok.


Posted on Techdirt - 4 September 2018 @ 3:38pm

Ninth Circuit Stops Monkeying Around And Denies En Banc Review Of The Monkey Selfie Case

from the it-ain't-over-till-its-over dept

Whatever will we do without the Monkey Selfie case rearing its not-actually-copyrighted head every few months? We might finally get to find out, now that the Ninth Circuit has declined to rehear the appeal en banc. This denial now makes clear that monkeys lack standing to sue for copyright, at least within the Ninth Circuit. Someday (hopefully not soon) we may find out what other Circuits have to say about primate copyrights, but for now we can finally be confident that they lack standing to sue over them here.

Provided that no cert petition is granted, of course. And given that this is a case that has thus far steadfastly refused to end, it is way too soon to be confident that this is truly the last we've heard from Naruto or any of his alleged next friends. We should at least know whether a cert petition's been filed in about three months or so, though (see Rule 13), so stay tuned...


Posted on Techdirt - 31 August 2018 @ 12:09pm

The Scunthorpe Problem, And Why AI Is Not A Silver Bullet For Moderating Platform Content At Scale

from the what's-in-a-name dept

Maybe someday AI will be sophisticated, nuanced, and accurate enough to help us with platform content moderation, but that day isn't today.

Today it prevents an awful lot of perfectly normal and presumably TOS-abiding people from even signing up for platforms. A recent tweet from someone unable to sign up to use an app because it didn't like her name, as well as many, many, MANY replies from people who've had similar experiences, drove this point home:

Facebook, despite its insistence on users using real names, seems particularly bad at letting people actually use their real names.

But of course, Facebook is not the only instance where censorship rules based on bare pattern matching interfere not just with speech but with speakers' ability to even get online to speak.

This dynamic is what's known as the Scunthorpe Problem. Scunthorpe is a town in the UK whose residents have had an appallingly difficult time using the Internet due to a naughty word being contained within the town name.

The Scunthorpe problem is the blocking of e-mails, forum posts or search results by a spam filter or search engine because their text contains a string of letters that are shared with another (usually obscene) word. While computers can easily identify strings of text within a document, broad blocking rules may result in false positives, causing innocent phrases to be blocked.

The problem was named after an incident in 1996 in which AOL's profanity filter prevented residents of the town of Scunthorpe, North Lincolnshire, England from creating accounts with AOL, because the town's name contains the substring cunt. Years later, Google's opt-in SafeSearch filters apparently made the same mistake, preventing residents from searching for local businesses that included Scunthorpe in their names.

(A related dynamic, the Clbuttic Problem, creates issues of its own when, instead of outright blocking, software automatically replaces the allegedly naughty words with ostensibly less-naughty words instead. People attempting to discuss such non-prurient topics as Buttbuttin's Creed and the Lincoln Buttbuttination find this sort of officious editing particularly unhelpful…)
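Both failure modes described above, reproduced as an added example that is not part of the original post: a bare substring rule next to a whole-word rule, run over constructed sample inputs. The rule lists, sample strings and function names are assumptions made for illustration.

```python
import re

# Constructed filter rules. The blocked term is the one the quoted
# description names; the replacement rule is the one implied by "Clbuttic".
BLOCKED_TERMS = ["cunt"]
REPLACEMENTS = {"ass": "butt"}

# Constructed sample inputs (sign-up fields and post titles).
SAMPLES = [
    "Scunthorpe, North Lincolnshire",
    "Scunthorpe Plumbing Ltd",
    "Assassin's Creed",
    "Lincoln Assassination",
    "a classic example",
    "Leeds, West Yorkshire",
]


def naive_block(text):
    """Bare substring match: the rule behind the Scunthorpe Problem."""
    lowered = text.lower()
    return any(term in lowered for term in BLOCKED_TERMS)


def token_block(text):
    """Block only when a listed term stands alone as a whole word."""
    return any(
        re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE)
        for term in BLOCKED_TERMS
    )


def _swap(match, replacement):
    """Carry over the capitalisation of the matched text's first letter."""
    if match.group(0)[0].isupper():
        return replacement.capitalize()
    return replacement


def _replace(text, whole_words_only):
    for term, replacement in REPLACEMENTS.items():
        pattern = re.escape(term)
        if whole_words_only:
            pattern = r"\b" + pattern + r"\b"
        text = re.sub(
            pattern,
            lambda m, r=replacement: _swap(m, r),
            text,
            flags=re.IGNORECASE,
        )
    return text


def naive_replace(text):
    """Substring replacement: the rule behind the Clbuttic Problem."""
    return _replace(text, whole_words_only=False)


def token_replace(text):
    """Replace only whole-word occurrences of a listed term."""
    return _replace(text, whole_words_only=True)


def false_positives(samples):
    """Inputs the substring rules block or rewrite but the whole-word rules leave alone."""
    hits = []
    for sample in samples:
        blocked_wrongly = naive_block(sample) and not token_block(sample)
        mangled_wrongly = (
            naive_replace(sample) != sample and token_replace(sample) == sample
        )
        if blocked_wrongly or mangled_wrongly:
            hits.append(sample)
    return hits


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: blocked={naive_block(sample)} "
              f"rewritten={naive_replace(sample)!r}")
    # Whole-word matching removes only the substring class of error. It still
    # cannot tell whether a standalone word is a name, a quotation or abuse.
    print("substring-only false positives:", false_positives(SAMPLES))
```

Whole-word matching clears these particular cases, but a listed word that is also someone's real name would still be rejected, which is the article's point about pattern matching without judgment.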

While examples of these dynamics can be amusing, each is also quite chilling to speech, and to speakers wishing to speak.

It's not something we should be demanding more of, but every time people call for "AI" as a solution to online content challenges these are the censoring problems the call invites.

A big part of the problem is that calls for "AI" tend to treat it like some magical incantation, as if just adding it will solve all our problems. But in the end, AI is just software. Software can be very good at doing certain things, like finding patterns, including patterns in words (and people's names…). But it's not good at necessarily knowing what to make of those patterns.

More sophisticated software may be better at understanding context, or even sometimes learning context, but there are still limits to what we can expect from these tools. They are at best imperfect reflections of the imperfect humans who created them, and it's a mistake to forget that they have not yet replicated, or replaced, human judgment, which itself is often imperfect.

Which is not to say that there is no role for software to help in content moderation. The things that software is good at can make it an important tool to help support human decision-making about online content, especially at scale. But it is a mistake to expect software to supplant human decision-making. Because, as we see from these accruing examples, when we over-rely on them, it ends up being real humans that we hurt.


Posted on Techdirt - 17 August 2018 @ 9:25am

NJ Courts Impose Ridiculous Password Policy 'To Comply With NIST' That Does Exactly What NIST Says Not To Do

from the the-poor-online-security-guardin'-state dept

As a New Jersey native I know how tempting it is for people to gratuitously bash my home state. But, you know, sometimes it really does have it coming.

In this case it's because of the recent announcement of a new password policy for all of the New Jersey courts' online systems – ranging from e-filing systems for the courts to the online attorney registration system – that will now require passwords to be changed every 90 days.

This notice is to advise that the New Jersey Judiciary is implementing an additional information security measure for those individuals who use Judiciary web-based applications, in particular, attorney registration, eCourts, eCDR, eTRO, eJOC, eVNF, EM, MACS, and DVCR. The new security requirement - password synchronization or p-:-synch - will require users to electronically reset their passwords every 90 days.

For reasons explained below, this new policy is a terrible idea. But what makes it particularly risible is that the New Jersey judiciary is claiming this change is being implemented in order to comply with NIST.

This requirement is being added to ensure that our systems and data are protected and secure consistent with industry security standards (National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)).

The first problem here, of course, is that this general allusion to NIST is not helpful. If NIST has something specific to say that the courts are relying on, then the courts should specifically say what it is. Courts would never accept these sorts of vague hand-wavy references to authority in matters before them. Assertions always require a citation to the support upon which they are predicated so that they can be reviewed for accuracy and reasonableness. Instead the New Jersey judiciary here expects us to presume this new policy is both, when in fact it is neither.

The reality is that the NIST Cybersecurity Framework does not even mention the word "password," let alone any sort of 90-day expiration requirement. Moreover, what NIST does actually say about passwords is that they should not be made to expire. In particular, the New Jersey judiciary should direct its attention to Special Publication 800-63B, which expressly says:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).

That same section of the Special Publication also says that, "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets" because, as a NIST study noted, it tends to reduce overall security hygiene. Guess what else the new New Jersey password policy does:

Users must select passwords that are no more than eight (8) characters long and contain at least one capital letter, one lower case letter, one numeral, and one of the enumerated special characters.

It also gets worse, because as part of this password protocol it will require security questions in order to recover lost passwords.

Additionally, this policy change will require that each user choose and answer three personal security questions that will later allow the user to reset their own password should their account become disabled, for example, because of an expired password. The answers to the three security questions should be kept confidential in order to reduce the risk of unauthorized access and allow for most password resets to be done electronically.

Security questions are themselves a questionable security practice because they are often built around information that, especially in a world of ubiquitous social media, may not be private.

From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo's, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They're meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won't forget your mother's maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet's name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.

The Wired article this passage came from is already two years old. Far from New Jersey imposing an "industry standard" password protocol, it is instead imposing one that is outdated and discredited, which stands to undermine its systems security, rather than enhance it.
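To see how far the two approaches diverge, the following added example (not code from the New Jersey courts or from NIST) runs the same passwords through a check built from the expiry and composition rules quoted above and through one that follows SP 800-63B. The special-character set, the blocklist and the sample passwords are constructed; the 8-character minimum, the 64-character allowance, blocklist screening and change-on-compromise come from SP 800-63B.

```python
from datetime import date, timedelta

# Rules as quoted from the New Jersey notice on this page.
NJ_MAX_LENGTH = 8                 # "no more than eight (8) characters long"
NJ_MAX_AGE = timedelta(days=90)   # reset "every 90 days"
NJ_SPECIALS = set("!@#$%^&*")     # assumption: the enumerated set is not given on the page

# SP 800-63B: require at least 8 characters, permit at least 64.
NIST_MIN_LENGTH = 8
NIST_MAX_LENGTH = 64              # this example caps at 64; a verifier may allow more
# Constructed stand-in for a corpus of common or breached passwords.
BLOCKLIST = {"password", "summer1!", "passw0rd!", "qwerty123"}


def nj_check(password, last_changed, today):
    """Return the list of NJ-policy violations (an empty list means accepted)."""
    problems = []
    if len(password) > NJ_MAX_LENGTH:
        problems.append("too long")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in NJ_SPECIALS for c in password):
        problems.append("no special character")
    if today - last_changed > NJ_MAX_AGE:
        problems.append("expired")
    return problems


def nist_check(password, evidence_of_compromise=False):
    """Return violations for a verifier that follows SP 800-63B."""
    problems = []
    if len(password) < NIST_MIN_LENGTH:
        problems.append("too short")
    if len(password) > NIST_MAX_LENGTH:
        problems.append("too long")
    # Screening against known-bad values takes the place of composition rules.
    if password.lower() in BLOCKLIST:
        problems.append("on blocklist")
    # A change is forced by evidence of compromise, never by age alone.
    if evidence_of_compromise:
        problems.append("compromised")
    return problems


def compare(password, last_changed, today, evidence_of_compromise=False):
    """Run one password through both policies and return both verdicts."""
    return {
        "nj": nj_check(password, last_changed, today),
        "nist": nist_check(password, evidence_of_compromise),
    }


if __name__ == "__main__":
    today = date(2018, 8, 17)  # constructed "now"
    samples = [
        ("Summer1!", today - timedelta(days=10)),                      # predictable
        ("correct horse battery staple", today - timedelta(days=10)),  # long passphrase
        ("Xk7$qPz2", today - timedelta(days=365)),                     # once-a-year user
    ]
    for password, changed in samples:
        print(repr(password), compare(password, changed, today))
```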

And largely, it seems, because it does not seem to understand the unique needs of its users – who are not all the same. Some may log into these sites daily, while others (like me) only once a year when it's time to pay our bar dues. (What does this 90-day reset requirement mean for an annual-only user?) Furthermore, although things have been improving over the years, lawyers are notoriously non-technical. They are busy and stressed with little time to waste wrangling with the systems they need to use to do their job on behalf of their clients. And they are often dependent on vendors, secretaries, and other third parties to act on their behalf, which frequently results in credential sharing. In short, the New Jersey legal community has some particular (and varied) security needs, which all need to be understood and appropriately responded to, in order to improve systems security overall for everyone.

But that's not what the New Jersey courts have opted to do. Instead they've imposed a sub-market, ill-tailored, laborious, and needlessly demanding policy on their users, and then blamed it on NIST. But as yet another NIST study explains, security is only enhanced when users can respect the policy enforcing it. The more arbitrary and frustrating it is, the more risky the user behavior, and the weaker the security protocol becomes.

The key finding of this study is that employees’ attitudes toward the rationale behind cybersecurity policies are statistically significant with their password behaviors and experiences. Positive attitudes are related to more secure behaviors such as choosing stronger passwords and writing down passwords less often, less frustration with authentication procedures, and better understanding and respecting the significance to protect passwords and system security.

As NIST noted in a summary of the study, "'security fatigue' can cause computer users to feel hopeless and act recklessly." Yet here are the New Jersey courts, expressly implementing, for no good reason, a purposefully cumbersome and frustrating policy, one that could hardly be better calculated to overwhelm users, and which, despite its claims to the contrary, is far from a respected industry norm.


Posted on Techdirt - 6 August 2018 @ 3:40pm

SESTA, FOSTA, And How To Make Sense Of The Acronym Soup

from the You-say-potato,-I-say-we-should-have-called-the-whole-thing-off dept

Here at Techdirt we've been slow to switch: so dug in were we for so long against the legislative scourge known as SESTA that we've been reluctant to call it anything else. Even after its ghastly provisions became law – in some ways, because its ghastly provisions became law – we've been reluctant to change what we called this vehicle of censoring doom. After all, we said for months that SESTA would be awful, and now here it is, being awful. If we called it something else people might be confused about what we had been complaining about.

The problem is, it's not technically correct to continue to call this legislative outrage SESTA, and doing so threatens to create its own confusion. SESTA didn't become law; FOSTA did. When we react to those legislative changes, and cite to their source, we are citing to the bill called FOSTA, not the bill called SESTA. SESTA itself no longer exists in legislative form – FOSTA's enactment mooted it – and it's confusing to complain about a law that isn't actually one, or ever going to be one, because even if you can convince someone that it's terrible, they'll never be able to find in any law book what it is they should be upset about.

It's FOSTA that now haunts us from the U.S. Code. But what's confusing is that while FOSTA is the enacted legislation now hurting us, SESTA was the proposed bill we had warned would. All the legislative history is with SESTA (well, most of it anyway), but all the legislative power is with FOSTA.

So what happened? What's up with the two names? Why the shift? Basically this:

SESTA was a terrible bill proposing to gut Section 230 that had been rumbling around the Senate for a while. There were some hearings and proposed amendments, but by and large it remained a bill full of terrible, Internet-ruining proposals. Eventually, when it looked like it might be picking up enough steam to pass, an alternate bill got floated in the House: FOSTA. It still played SESTA's game, but it did so with different language that presumably would have resulted in something less Internet-ruining.

For what it's worth, not everyone thought this was a great strategy. Some thought that it would be better to do nothing but try to nip the whole idea behind SESTA in the bud, but others thought it might be better to go with a "devil you know" strategy if passage of something seemed inevitable, because then hopefully it could at least be something a little less awful.

FOSTA was still pretty bad, although it had some hearings and amendments to try to make it less so. But then, all of a sudden, the legislative sausage-making machine went berserk and spit out something even worse. The result was a Frankenstein monster of a bill, still called FOSTA, which combined the worst of its own proposals with the worst of the SESTA bill percolating in the Senate. This new FOSTA bill soon passed the House, and shortly thereafter it's the bill that passed the Senate. Notably it was not the original SESTA bill that the Senate voted on, because if the Senate had tried to pass anything different from what the House had passed the reconciliation process between the two bills might have delayed the ultimate passage of either. Perhaps that delay would have spared us this horror, but such a fate was not something the law's Internet-undermining champions wanted to risk.

So here we are, stuck with this garbage on the books, legislation so awful it can't even be labeled coherently. But giving name to something always makes it easier to fight. So from here on out, we'll be calling it FOSTA.


Posted on Techdirt - 20 July 2018 @ 1:30pm

Appeals Court Tells Lower Court To Consider If Standards 'Incorporated Into Law' Are Fair Use; Could Have Done More

from the 102(b)-or-not-102(b),-that-was-the-question dept

Carl Malamud published the law on his website. And for that he got sued. The problem was, in posting the Code of Federal Regulations he also included the various enforceable standards included as part of those Regulations. This displeased the organizations which had developed those standards (SDOs) and who claimed a copyright in them. So they sued Public Resource for infringement, and in a terrible decision last year Public Resource lost. Public Resource then appealed, and this week Malamud's organization won a reversal of the district court decision.

The decision by the D.C. Circuit in American Society for Testing and Materials v. stands as a win for those who would choose to republish the law, even when their doing so may involve republishing standards created by non-governmental SDOs that were then incorporated by reference into controlling law. Although one can never presume to read the tea leaves at oral argument, it did seem as though the court was extremely uncomfortable with the idea that someone could be punished for having published the law. But the particular way the court addressed the copyright and trademark claims brought against Public Resource for it having done so is still worth further discussion. Disclosure: I helped file an amicus brief on behalf of members of Congress supporting Public Resource's defense, and amicus briefs on behalf of law professors at the district court.

On the copyright front, it is important to first note how the court did NOT resolve the question of whether republishing standards incorporated into law constituted copyright infringement. A threshold question in any copyright infringement case is whether there's any copyright that could have been infringed at all, because no copyright = no infringement, and with no infringement the case goes away. One way there might not be a copyright is if employees of the federal government had worked on developing the standards, like the ones at issue in this case, since under § 105 of the copyright statute, works by federal government employees are ineligible for copyright protection. But in its decision the D.C. Circuit dismissed this argument, finding that Public Resource had effectively waived it at the district court below.

As an initial matter, PRO argues that there is a triable question as to whether the standards at issue here were ever validly copyrighted given the Act’s prohibition on copyrighting “work[s] of the United States Government,” 17 U.S.C. § 105, and the fact that government employees may have participated in drafting certain standards. PRO, however, failed to adequately present this claim to the district court and has thus forfeited it. [p. 14]

Another way there might not be copyright in the standards Public Resource published is that, by being published as a factual representation of what the law is, that factual nature would preclude there being a copyright in what was republished, since, per § 102(b) of the copyright statute, purely factual works are also not eligible for copyright protection. This consideration was kicked around by the judges during oral argument because it's a complicated issue with some interesting implications. First, there's the question of whether the standards themselves are too factual to be copyrighted, but for the sake of this case the court generally assumed they could be. But even if they are copyrightable, the next question is what happens when the standards have now become a factual representation of the law governing people's behavior? Does that incorporation cause them to lose their copyright? And what would it mean for SDOs and the development of future standards by third parties if that were the case?

The court, however, chose to avoid these questions. It gave several reasons for this avoidance, including that a ruling on the copyrightability of incorporated standards could have a significant economic effect on those SDOs, [p. 16], and also that it's generally considered better practice for courts to decide cases on grounds other than constitutional ones [p. 15]. (As Public Resource and amici pointed out, not being able to post the law for people governed by it to read raises significant First Amendment and due process concerns, which would mean that the question of if the law could be copyrighted may be a constitutional one.) [p. 14-15].

Avoiding the constitutional question is all the more pressing here given that the record reveals so little about the nature of any given incorporation or what a constitutional ruling would mean for any particular standard. After all, it is one thing to declare that “the law” cannot be copyrighted but wholly another to determine whether any one of these incorporated standards—from the legally binding prerequisite to a labeling requirement, see 42 U.S.C. § 17021(b)(1), to the purely discretionary reference procedure, see 40 C.F.R. § 86.113-04(a)(1)—actually constitutes “the law.” [p. 15-16]

Instead the court chose to find for Public Resource on fair use grounds. [p.17] Or at least put Public Resource in a position to ultimately prevail on those grounds. Although the court lifted the injunctions the district court had placed on it – injunctions that had forced Public Resource to remove from its site actual, operative, mandatory law binding on the public – the case still needs to go back to the district court because the appeals court didn't think it had a sufficiently developed record before it to itself fully perform its own fair use analysis. It did, however, give the district court a head start, with enough instruction of how to perform that analysis to make it likely to yield a favorable result for Public Resource on remand.

In this section, we review each of the fair use factors, and, as we shall explain, though there is reason to believe “as a matter of law” that PRO’s reproduction of certain standards “qualif[ies] as a fair use of the copyrighted work,” id. (internal quotations and citations omitted), we ultimately think the better course is to remand the case for the district court to further develop the factual record and weigh the factors as applied to PRO’s use of each standard in the first instance. As we have emphasized, the standards here and the modes of their incorporation vary too widely to conclusively tell goose apart from gander, and the record is just too thin to tell what went into the sauce. On remand, the district court will need to develop a fuller record regarding the nature of each of the standards at issue, the way in which they are incorporated, and the manner and extent to which they were copied by PRO in order to resolve this “mixed question of law and fact.” Id. This is not to say that the district court must analyze each standard individually. Instead, it might consider directing the parties, who poorly served the court by treating the standards interchangeably, to file briefs addressing whether the standards are susceptible to groupings that are relevant to the fair use analysis. [p. 19]

Overall, this is a good result for Public Resource. And while far be it from me to rain on Carl Malamud and his legal team's well-deserved parade, it's still important to point out why, although this D.C. Circuit decision is a good one, it could have been better.

For one thing, the parties have already litigated a lengthy trial. And their prize for finally winning the pie eating contest now is more pie. That litigating fair use is so arduous, even for as well-counseled a defendant as Public Resource, is a significant problem. As Lawrence Lessig has observed, "Fair use is only the right to hire a lawyer." Fair use is of little value for worthy defendants who might ultimately win infringement cases on those grounds if they can get obliterated by the litigation defending themselves along the way. Which is one reason why the D.C. Circuit's refusal to evaluate the core copyrightability grounds is a troubling one, because while Public Resource may ultimately prevail, what about anyone else who similarly decides to publish the law that also incorporates standards?

Furthermore, while the court's interest in ensuring that Public Resource could survive a subsequent fair use inquiry is great for Public Resource, and there is nothing in the decision to suggest that it is only Public Resource that should get to, it won't be helpful if the way the court framed each of the fair use factors in order to ensure it could reach Public Resource can't be of use to other defendants not exactly like Public Resource but with their own plausible fair use defenses. Certain language in particular does give some pause, such as the hostility towards some of Public Resource's transformative uses.

On this point, the district court properly rejected some of PRO’s arguments as to its transformative use—for instance, that PRO was converting the works into a format more accessible for the visually impaired or that it was producing a centralized database of all incorporated standards. [p. 21 (citing American Geophysical Union v. Texaco Inc., 60 F.3d 913, 923–24 (2d Cir. 1994))]

On the other hand, much of its reasoning is necessarily flexible enough to reach other defendants so that they, too, can have the four factors balanced in their favor. For the same reasons the court found the idea distasteful that Public Resource should be prevented from sharing the law, it would be similarly distasteful if others were similarly prevented. In addition, should another defendant have difficulty showing its use is fair, the court also left open the possibility that the underlying copyrightability of the standards incorporated into law could still be challenged.

To be sure, it may later turn out that PRO and others use incorporated standards in a manner not encompassed by the fair use doctrine, thereby again raising the question of whether the authors of such works can maintain their copyright at all. [p. 16]

The concurrence by Judge Katsas provides additional reassurance. First, he reiterated that the Section 102(b) and Constitutional questions raised by someone claiming copyright over parts of published law remain unresolved and may yet be resolved in a way that dispels these claims. [Katsas concurrence p. 3]. He also provided some additional framing for the fair use analysis, noting that "it puts a heavy thumb on the scale in favor of an unrestrained ability to say what the law is." [Katsas concurrence p. 2]

Thus, when an incorporated standard sets forth binding legal obligations, and when the defendant does no more and no less than disseminate an exact copy of it, three of the four relevant factors—purpose and character of the use, nature of the copyrighted work, and amount and substantiality of the copying—are said to weigh “heavily” or “strongly” in favor of fair use. […] The Court acknowledges the thinness of the record in this case, and it appropriately flags potentially complicating questions about how particular standards may be incorporated into law, and whether such standards, as so incorporated, actually constitute “the law.” But, where a particular standard is incorporated as a binding legal obligation, and where the defendant has done nothing more than disseminate it, the Court leaves little doubt that the dissemination amounts to fair use. [Katsas concurrence p. 2]

In other words, despite the above concerns, the decision will still make it harder for future plaintiffs to try to lock people out of sharing the law on copyright grounds, as it is not something that, at least in the D.C. Circuit, will be looked upon with a friendly eye.

Meanwhile, there is also some additional good news from this case on the trademark front. Public Resource had included the trademarks of the SDOs behind the incorporated standards, and the SDOs (and district court) believed this use of the marks to be infringing. The D.C. Circuit disagreed, however, and found it possible that Public Resource's use of the trademarks could qualify as nominative fair use, which "occurs when the defendant uses the plaintiff’s trademark to identify the plaintiff’s own goods and ‘makes it clear to consumers that the plaintiff, not the defendant, is the source of the trademarked product or service.’” [p. 33-34] This issue, too, was remanded back to the trial court, although with the admonition that if the trial court should again find Public Resource's use to be infringing, it should potentially refrain from issuing another injunction barring all use of the trademark and instead consider whether merely modifying the use would be an adequate remedy. [p.36-37].


Posted on Free Speech - 16 July 2018 @ 3:38pm

On Speech And Subpoenas, New York Giveth And Taketh (Now, The Bad News On Journalist Protection)

from the unappealing-jurisprudence dept

Having just written about a good New York ruling concerning third-party subpoenas and the ability to protect free speech, now we have to write about some less good news: the recent decision by New York's highest court undermining the protection afforded by the state's shield law.

Shield laws are critical to preserving a free and independent press because they enable journalists to resist testifying about the non-public aspects of their reporting, or having to turn over their notes and related work product. This ability to resist is what empowers them to promise anonymity to sources, which often can be the only way for news the public needs to know about to come to light. If journalists couldn't resist, or had to risk going to jail in order to try, it would inhibit their reporting and leave the public less able to learn about matters of public concern. Yet unfortunately this decision by the New York Court of Appeals invites just such a result by interfering with journalists' ability to avail themselves of the protection ostensibly afforded by the state shield law. (Note: New York confusingly labels its lowest court the Supreme Court. The highest court is instead known as the Court of Appeals. The Appellate Division is in the middle.)

As frequently happens with tough cases involving important First Amendment interests, the underlying facts of this case are awful: Conrado Juarez has been charged with the gruesome 1991 murder of his four year-old niece. The case remained unsolved until DNA evidence made him a suspect. After fourteen hours of interrogation, he purportedly confessed. He now claims that the confession was coerced, and prosecutors want to use the notes and testimony of New York Times reporter Frances Robles, who had interviewed him, to challenge his claims. The trial court originally refused her motion to quash the subpoena demanding she provide the notes and testimony, but the Appellate Division overruled that decision and quashed it. Only now the Court of Appeals has overturned the Appellate Division's ruling, thus making the subpoena once again enforceable.

In overturning the Appellate Division's decision the Court of Appeals found that the reporter had no right to appeal the original denial of her motion to quash the subpoena by the trial court. If she had no right to appeal the trial court's decision, then the Appellate Division had no ability to reverse it. [p. 2] But even if this Court of Appeals finding that she had no right of appeal were truly consistent with chapter and verse of New York appellate procedure (the dissent believes it isn't [Rivera dissent p. 8-9]), it's still a remarkably formalistic conclusion that gives short shrift to the significant substantive rights at stake.

Formalism isn't of course inherently bad; careful adherence to procedural rules can sometimes help protect substantive rights better than ad hoc short cuts can. These rules exist in order to further the administration of justice, and the Court of Appeals itself fairly makes this point: by limiting the ability to appeal in criminal matters, it keeps the administration of justice from being bogged down unfairly through appellate gamesmanship. [p. 2]

But justice isn't furthered by being a slave to interpretations of procedural rules so at odds with why we have the rules in the first place. Or, as in this case, so indifferent to the rights of those these rules were never intended to govern – namely, the third parties affected here and whose interests the Court of Appeals seems so hostile to [p. 4-5]. Or so arbitrary in their application and effect.

That arbitrariness is well on display here. First, the no-appeal rule the Court cites only applies to criminal cases, not civil ones, [p. 2], which suggests that if this case had not involved a prosecution, the reporter apparently could still have appealed a lower court's refusal to quash a subpoena without problem. Next, the rule limiting appeals does not apply to subpoenas issued as part of investigations of criminal matters. [p. 3] So, if they hadn't already begun to prosecute the defendant, the reporter also likely could have appealed a refusal to quash a subpoena.

In addition, if this case had originally broken the other way, and the trial court had originally quashed the subpoena, then per this rule, if applied consistently, it would have been the government who could not have been able to appeal that ruling. Obviously this particular result would be protective of journalists, but for the no-appeal rule to be applied this way it still makes journalists' protection entirely contingent on the judgment of trial courts. And that's a problem, because trial courts are not infallible. If they were, then there would be no need to have any appeals courts at all. We have these courts because sometimes lower courts get things wrong, as this one did here, and there needs to be some way to set things right when they do. But what the Court of Appeals is saying in this case is that when it comes to subpoenaing journalists (something that the NY legislature passed the shield law in order to prevent), if this subpoenaing happens as part of a criminal trial, then journalists will be entirely dependent on that trial court getting the decision whether to quash it perfectly correct in the first instance, because its decision on the matter will not be one that can ever be reviewed.

For shield law protection to be meaningful it needs to have adequate rights of appeal baked into it, in all situations where journalists may need to assert it. True, in the context of criminal trials journalists might be able to recover the right to appeal as part of their challenge of a contempt order seeking to punish their refusal to comply with a subpoena. But if journalists are forced to risk jail to assert their shield law protection effectively, then the protection the shield law affords is hardly effective.

The Court of Appeals seems to think that a legislative fix is the way to go to make it explicit that there is always a right of appeal. [p. 5] And there may also be the possibility of challenging a subpoena as part of an "Article 78" civil proceeding, although, as the dissent notes, forcing journalists to go this route does nothing to advance the speedy-trial interests the majority's "no appeal" rule is supposed to advance (nor is it clear that an Article 78 proceeding would necessarily be an effective option).

In any case, the alternatives available to a nonparty seeking some type of appellate review of the denial of a motion to quash will likely result in even greater delay of the criminal proceeding than would a direct appeal of a quashal motion. The two avenues left open to a nonparty to contest a denial would be a CPLR Article 78 action in the nature of prohibition or for the nonparty to simply fail to comply with the subpoena and seek appellate review of the subsequent order of contempt. In either case, if the prosecutor or defendant needed the nonparty’s evidence, they would wait until the resolution of the collateral proceedings. [Rivera dissent p. 11]

But the problem is that journalists should not be in the situation where their right and ability to resist subpoenas the shield law is supposed to protect them from are so uncertain. In order to be consistent with the First Amendment and similar principles enshrined in the New York Constitution, principles that the shield law seeks to vindicate, the right to appeal any trial court denial should be implicit, since the effect of barring these appeals so significantly impinges on the free press the public needs.

Sadly, however, this sort of decision – procedural formalism over the effective preservation of substantive speech rights – may be par for the course for the New York Court of Appeals these days. This case is not the first one where the Court of Appeals has reached a conclusion that puts substantive speech rights at risk because of the way it has limited the appellate rights of third parties. In fact, it justified this shield law decision by citing another case it decided last year where Facebook, as a third party, had tried to quash 381 Stored Communications Act "warrants" seeking information about its speakers. In that case, Facebook had been similarly denied a right to appeal the denial of its motion to quash, and for generally similar reasons as those cited in this case now.

We've written before about troubling effects that arise when shield law jurisprudence collides with attempts by platforms to protect the anonymity of their users. The questions of whether journalists can resist subpoenas and whether platforms also can are separate and distinct, and, as such, are often best resolved according to separate and distinct reasoning. After all, the right to a free press and the right to speak anonymously often affect liberty interests in different ways. Plus, as we saw in the Glassdoor case, when both the district court and the Ninth Circuit unhelpfully conflated the two sets of questions and used the reasoning for journalist subpoenas to drive their analysis of platform subpoenas, they used the weak reasoning in the former context to undermine the constitutional protection of anonymous speech in the latter. And in this case now we see further problems with conflating these issues, only this time in reverse, with the earlier Facebook case about platform subpoenas and anonymous speech now negatively shaping this case about journalist subpoenas and the right to a free press.

On the other hand, both anonymous speech and free press cases affect the interests of third parties and both vindicate important First Amendment rights upon which public discourse depends. Both therefore deserve to have had these critical rights treated with more care than the New York high court lately has afforded them.


Posted on Techdirt - 16 July 2018 @ 1:31pm

On Speech And Subpoenas, New York Giveth And Taketh (First, The Good News On Platform Jurisdiction)

from the I-love-New-York-decisions-like-this dept

There are a few recent cases to note out of New York that address speech and subpoenas on third parties. This first post is about a good one, and soon we'll have another... less good one. In Amelius v. Grand Imperial LLC a court in New York has recently reaffirmed that a New York-issued subpoena is only enforceable on an Internet platform if the New York courts have jurisdiction over the platform. Furthermore, relying on a 2014 US Supreme Court ruling, Daimler AG v. Bauman, the court in Amelius concluded that having merely registered to do business as an out-of-state company is not enough to give New York jurisdiction over platform companies with no other connection to the state than that, nor is their having information that might be relevant to a New York case. Instead the platform would either need to be incorporated or headquartered in New York for its courts to have jurisdiction over them.

Which does not mean that out-of-state platforms like Yelp (the platform at issue in this case) cannot be subpoenaed to supply information relevant to a New York case. What it does mean, however, is that the New York subpoena would need to be "domesticated" in the platform's home jurisdiction so that its own local courts would be able to enforce it. It is not necessarily hard to do this: for instance, in California, pretty much all that needs to happen is for a California court clerk, or even just a licensed California attorney, to add a California subpoena form to the out-of-state subpoena for it to become an enforceable California subpoena.

But what's good about this arrangement is that platforms can have some control over what laws will govern the subpoenas propounded against them and anticipate which courts will be able to compel them to act. In fact, they can choose to base themselves in states that offer the best laws and procedural rules most protective to them and their users' speech, because not all states do so equivalently. For instance, the test for whether a subpoena can be allowed to unmask an anonymous speaker in California is the Krinsky test (which requires the pleading to make a prima facie case against the speaker), but in other states the test is either the Dendrite test, the Cahill test, the "good faith" test (as was the case in the Virginia Hadeed Carpet case, which raised similar jurisdictional issues as this one), or no test at all (thus rendering all the subpoenas potentially enforceable, no matter what the effect on speech). These tests obviously vary greatly in the protection they afford to anonymous speakers.

California also includes mandatory fee-shifting to help deter abusive subpoenas and to compensate those who have had to fight them off. Like the anti-SLAPP statute does for unmeritorious litigation, Section 1987.2 of the Code of Civil Procedure allows for mandatory recovery of fees for unmeritorious unmasking subpoenas that courts quash. Unfortunately, like robust anti-SLAPP laws, not all states have such a provision, which is another reason why it's important that platforms not be exposed to these other jurisdictions simply because they may have completed the purely ministerial task of registering with the Secretary of State or having some users there and not any more substantive connection. Platforms are in the business of facilitating speech, and they should be able to choose which laws to expose themselves to that will give them the best ability to do it.


Posted on Techdirt - 6 July 2018 @ 10:47am

What Soda Taxes And Lead Paint Have To Do With Internet Regulation

from the public-policy-on-sale-now! dept

They say that laws are like sausages, and you should never watch either be made if you don't want to be sick. But some manufacturing processes are more disgusting than others, and if we don't want to suffer ill-effects, we need to keep an eye on the worst of them.

As others have discussed, the new California Consumer Privacy Act (CCPA) is at best a law with troubling aspects, if not completely chilling for future Internet businesses and even non-commercial online expression. True, there may be the opportunity to amend it before it goes into effect to dull the worst of it, but how we find ourselves in this position where we are stuck with a ticking time bomb of a law that we now need to fix is a story worth telling, because if it could happen once it could happen again. And already has.

Which is why I'm going to tell the story about how California just banned soda taxes (in fact, not coincidentally, right around the same time that it passed the CCPA).

To understand what happened, one first needs to understand a bit about the California Constitution. In addition to setting up the typical branches of government (legislative, executive, judicial), it also allows for a form of direct democracy through ballot initiatives. Ballot initiatives generally only need a simple majority to pass, but once passed, they can be very difficult, if not impossible, to un-pass or modify without another ballot measure. Even when ballot measures only amend statutory code, and not the Constitution itself, the legislature can be prevented from making any modifications to that new language, no matter how necessary those changes may be, unless the ballot initiative allows the legislature to act. And even if the initiative does permit it, it may require a much more difficult to attain super-majority of the legislature to make any changes, rather than the simple majority typically required to pass legislation.

The upshot is that an awful lot of California law and policy can depend on the initiative process -- and thus a whole lot can depend on who is able to use it to push forth the policy they prefer. In one sense, it's hard to get a new initiative on the ballot: it requires hundreds of thousands of signatures to qualify. But it turns out that for people who have a lot of money, it's not all that hard. Some estimate that it may take only $3-4 million to acquire enough signatures to get any initiative on the ballot.

Of course, whether such an initiative would pass is a separate question, but there are a few factors that make the odds pretty good. One is that it's very difficult for the electorate to make informed choices, and I don't say that as any sort of insult to the average California voter. In the most recent election this past June I timed how long it took to figure out who and what to vote for and clocked it at a whole hour. And that's with me, a lawyer practiced in reading and evaluating law and policy, living in an unincorporated area of California, meaning that I was spared having to wade through any city candidate or ballot measure choices. I just had to vote on candidates for all county, state, and federal offices, and on all county and state ballot measures. And this was in June, where there were fewer choices all around than there will be in November, yet it still took an hour to make any sort of responsible decisions before I was prepared to head to the polls. Of course, not everyone has that hour, and for many it will likely take longer, which means that the electorate tends to be dependent on campaign advertising to help them make those choices. But if someone has a few million dollars to spend to get an initiative on the ballot, they may easily have a few more, or a lot more, to spend on that advertising, and their opponents, no matter how principled in their opposition, just as easily may not.

The reality is that anyone who can spend a few million dollars to get an initiative on the ballot can use that money to put an electoral gun to the head of policymakers and force them to legislate for their desired policy in exchange for withdrawing the initiative from the upcoming election. Because at least if the policy gets implemented via the legislature's hand, rather than through the initiative process, the legislature might be able to temper some of its language. Also, by being an ordinary bill, it would theoretically be more changeable in the future, subject only to ordinary legislative majorities and not dependent on someone funding a new initiative that could successfully override it.

As this article in the Sacramento Bee describes, the soda tax ban is a case study of this dynamic. A business group wrote a proposal that would have created some significant limitations in the state's ability to raise revenue. It then shopped around the proposed initiative until it found someone willing to underwrite the signature-gathering necessary to get it on the ballot. That someone turned out to be the beverage industry, which generally hates soda taxes.

The relative merits of soda taxes are beyond the scope of this post. Suffice it to say, certain California communities like them, often as a way of raising revenue for public health programs and deterring the over-consumption of unhealthy drinks. Several of these communities have already passed a few such taxes.

But after the beverage industry underwrote the effort to get enough signatures to qualify the tax-limiting initiative for the ballot, an initiative that did more than just ban soda taxes but instead affected the state's taxation ability more broadly, the legislature found itself having to play electoral roulette: perhaps the ballot measure might fail and everything would be fine, but if it passed, it risked messing up the fiscal health of the state and all the policies and programs the legislature wanted to fund. So it capitulated and did a deal with the initiative's sponsor to bar any other California communities from passing their own soda taxes for the next 12 years in exchange for having the ballot initiative withdrawn.

In fact, June was a busy month for legislative capitulation, because right around the same time that the legislature did that deal it also did a deal with the sponsors of the "Consumer Right to Privacy Act of 2018" initiative that had also qualified for the November ballot.* Because that initiative, if it passed, would definitely cripple the Internet, the legislature instead agreed to pass the CCPA, which will only probably cripple it, but at least has the potential for improvement.

And that's what this post is really about, this extortionate ability for basically anyone with $4 million to spend to blackmail the legislature to set aside its own legislative judgment and build into California law whatever terrible policy the person with the money wants. Sure, for any policy that is so awful or unpopular there's always the chance that it might lose at the polls come Election Day, and from time to time ballot initiatives do get shot down. But it's very easy for garbage to get through, and wealthy minority voices count on that possibility when they try to ram through all sorts of policies that aren't necessarily good ones for Californians or its businesses – including on matters of tech policy.

On our best days these tech policy challenges require careful, nuanced treatment. We should look to the legislature, and legislators, to give it that careful, nuanced treatment before imposing drastic changes in the law that will affect them. But they can't give these regulatory proposals that sort of necessary attention they deserve if for a mere $4 million or so people can force them to rush through law that has been drafted without any of the care or necessary transparency sound regulation requires.

And when they are forced to pass a law like that, as they were just now with the CCPA, it is unlikely to be something we should cheer.

* Also, per the Los Angeles Times article linked above, "A third proposal, asking taxpayers to subsidize lead paint cleanup projects, was withdrawn by paint companies in exchange for lawmakers scrapping a slate of bills designed to impose new rules on the industry."


Posted on Techdirt - 3 July 2018 @ 1:33pm

California Court Not Yet Ready To Undermine The Entire Internet; Rules Yelp Can't Be Forced To Delete A Review

from the Section-230-not-quite-dead-yet dept

In 2016, Techdirt wrote about a troubling case, Hassell v. Bird, in which a court issued an injunction telling Yelp to delete a review after a lawyer won a default judgment in a defamation case. The court ignored that Section 230 of the CDA says that platforms like Yelp cannot be held liable (and thus can't be legally mandated) to remove content of third parties, and didn't seem to care that Yelp wasn't even a party in the case.

The good news is that Yelp won its appeal of the injunction. The bad news, though, is that it barely won, and the relatively elegant, cogent opinion finding that Section 230 prevented the injunction is tempered in its effect by only being a plurality decision: victorious in its ultimate holding only because of a concurring vote on different grounds that provided a less-than-full-throated endorsement of the plurality's conclusion.

This case began when someone, who the plaintiff Hassell believes to be Bird, had posted a critical review of the Hassell law firm on Yelp that Hassell claimed to be defamatory. Hassell sued Bird and ended up with a default judgment agreeing that it was defamatory. Hassell also got the trial court in San Francisco to issue an injunction ordering Yelp to delete the offending posts. Yelp appealed the injunction on several grounds, including that it never had a chance to be heard by the court before it issued a judgment against it, and because Section 230 should have barred it. After losing at the California Court of Appeals, the California Supreme Court agreed to take up its case, and this week it issued its ruling.

The plurality opinion, which garnered three votes, found it sufficient to invalidate the injunction entirely on Section 230 grounds without having to reach any due process consideration. It cited plenty of prior cases to support its Section 230 analysis, but spent some time discussing the holdings in three in particular: Zeran v. AOL, Kathleen R. v. City of Livermore, and Barrett v. Rosenthal [p. 14-20]. Zeran was an early case construing Section 230 that set forth why it was so important for speech and ecommerce that platforms have this statutory protection for liability arising from their users' content. Barrett v. Rosenthal was a subsequent California Supreme Court case, which similarly construed it. And Kathleen R. was a case where a California Court found that Section 230 precluded injunctive relief. These and other cases underpinned the plurality's opinion.

It also made several other points in support of its Section 230 finding. One was the observation that if Section 230 couldn't prevent the non-party injunction against Yelp it would just prompt litigants to game the system by not even bothering trying to name platforms as defendants, since they'd have better luck getting injunctions against them if they did NOT try to sue them than if they did.

The question here is whether a different result should obtain because plaintiffs made the tactical decision not to name Yelp as a defendant. Put another way, we must decide whether plaintiffs’ litigation strategy allows them to accomplish indirectly what Congress has clearly forbidden them to achieve directly. We believe the answer is no. [p. 22]

And part of the reason the answer is no is that Section 230 was never intended to limit only damages liability against a platform; it was meant to prevent injunctions as well. [p. 26-27]

An injunction like the removal order plaintiffs obtained can impose substantial burdens on an Internet intermediary. Even if it would be mechanically simple to implement such an order, compliance still could interfere with and undermine the viability of an online platform. (See Noah v. AOL Time Warner, Inc., supra, 261 F.Supp.2d at p. 540 [“in some circumstances injunctive relief will be at least as burdensome to the service provider as damages, and is typically more intrusive”].) Furthermore, as this case illustrates, a seemingly straightforward removal order can generate substantial litigation over matters such as its validity or scope, or the manner in which it is implemented. (See Barrett, supra, 40 Cal.4th at p. 57.) Section 230 allows these litigation burdens to be imposed upon the originators of online speech. But the unique position of Internet intermediaries convinced Congress to spare republishers of online content, in a situation such as the one here, from this sort of ongoing entanglement with the courts. [p. 28]

And it had to prevent injunctions, in order for platforms and the online speech they facilitate to be protected:

Perhaps the dissenters’ greatest error is that they fail to fully grasp how plaintiffs’ maneuver, if accepted, could subvert a statutory scheme intended to promote online discourse and industry self-regulation. What plaintiffs did in attempting to deprive Yelp of immunity was creative, but it was not difficult. If plaintiffs’ approach were recognized as legitimate, in the future other plaintiffs could be expected to file lawsuits pressing a broad array of demands for injunctive relief against compliant or default-prone original sources of allegedly tortious online content. Injunctions entered incident to the entry of judgments in these cases then would be interposed against providers or users of interactive computer services who could not be sued directly, due to section 230 immunity. As evinced by the injunction sought in Kathleen R., supra, 87 Cal.App.4th 684, which demanded nothing less than control over what local library patrons could view on the Internet (id., at p. 691), the extension of injunctions to these otherwise immunized nonparties would be particularly conducive to stifling, skewing, or otherwise manipulating online discourse — and in ways that go far beyond the deletion of libelous material from the Internet. Congress did not intend this result, any more than it intended that Internet intermediaries be bankrupted by damages imposed through lawsuits attacking what are, at their core, only decisions regarding the publication of third party content. [p. 30-21]

Unfortunately the rest of the Court was not as amenable to the plurality's application of Section 230 as a defense against the injunction. Even the concurrence by Justice Kruger, which provided the fourth vote in favor of overturning the injunction, did so, as Eric Goldman observed, with potentially some qualification of the Section 230 analysis ("I express no view on how section 230 might apply to a different request for injunctive relief based on different justifications."). [concurrence p.1]. But both the concurrence and the plurality recognized that there were problems with trying to hold a non-party platform like Yelp responsible for complying with the injunction to take down content that had also been directed to the defendant Bird. For the plurality it was a straightforward violation of Section 230.

[I]t is also true that as a general rule, when an injunction has been obtained, certain nonparties may be required to comply with its terms. But this principle does not supplant the inquiry that section 230(c)(1) requires. Parties and nonparties alike may have the responsibility to comply with court orders, including injunctions. But an order that treats an Internet intermediary “as the publisher or speaker of any information provided by another information content provider” nevertheless falls within the parameters of section 230(c)(1). In substance, Yelp is being held to account for nothing more than its ongoing decision to publish the challenged reviews. Despite plaintiffs’ generic description of the obligation they would impose on Yelp, in this case this duty is squarely derived from “the mere existence of the very relationship that Congress immunized from suit.” [p. 24]

For the concurrence the platform's relationship with the defendant was too attenuated and not the sort of agency relationship where it may be proper to hold a third party responsible for complying with an injunction on another.

Plaintiffs, as well as [dissenting] Justice Liu, argue that the injunction naming Yelp is valid because it merely makes explicit that Yelp, as an entity “through” whom Bird acts, is obligated to carry out the injunction on her behalf. But the trial court made no finding that Bird acts, or has ever acted, “through” Yelp in the sense relevant under Berger, nor does the record contain any such indication; we have no facts before us to suggest that Yelp is Bird’s “agent” or “servant.” It is true and undisputed, as plaintiffs and Justice Liu emphasize, that Bird’s statements were posted on Yelp’s website with Yelp’s permission. And as a practical matter, Yelp has the technological ability to remove the reviews from the site. These facts might well add up (at least absent section 230) to a good argument for filing suit against Yelp and seeking an injunctive remedy in the ordinary course of litigation. But the question presented here is whether these facts establish the sort of legal identity between Bird and Yelp that would justify binding Yelp, as a nonparty, to the outcome of litigation in which it had no meaningful opportunity to participate. Without more, I do not see how they could. [concurrence p. 7]

The plurality also rejected the theory raised by the trial court and pushed by the dissent that the platform had somehow "aided and abetted" the defamatory speech. If this argument could prevail, Section 230 would become a nullity, since every platform enables user expression, and not all that expression is necessarily entirely legal.

In his dissent, Justice Cuéllar argues that even if the injunction cannot on its face command Yelp to remove the reviews, the removal order nevertheless could run to Yelp through Bird under an aiding and abetting theory premised on conduct that remains inherently that of a publisher. (See dis. opn. of Cuéllar, J., post, at pp. 3, 20-22, 34-37.) We disagree. As applied to such behavior, Justice Cuéllar’s approach would simply substitute one end-run around section 230 immunity for another. [p. 25]

The dissenting opinions, on the other hand, were very focused on the plight of the plaintiff who had apparently been injured by these purportedly defamatory posts. (I say "purportedly," because although the Supreme Court decision does not spend much time on this issue, it's worth noting that the conclusion of the posts' defamatory nature was drawn from an ex parte default proceeding at the trial court where no defense was supplied. It is certainly easier for a court to accept a plaintiff's characterization of language as defamatory when there is no one present – even Yelp was left out – to show that it is not.) As we've seen in cases like Garcia v. Google, the operation of Section 230 can make it difficult for a legitimately aggrieved plaintiff to obtain a remedy against someone who has defamed them. But it isn't necessarily impossible, and the plurality reminded everyone that Hassell was not without any recourse:

On this last point, we observe that plaintiffs still have powerful, if uninvoked, remedies available to them. Our decision today leaves plaintiffs’ judgment intact insofar as it imposes obligations on Bird. Even though neither plaintiffs nor Bird can force Yelp to remove the challenged reviews, the judgment requires Bird to undertake, at a minimum, reasonable efforts to secure the removal of her posts. A failure to comply with a lawful court order is a form of civil contempt (Code Civ. Proc., §1209, subd. (a)(5)), the consequences of which can include imprisonment (see In re Young (1995) 9 Cal.4th 1052, 1054). Much of the dissents’ rhetoric regarding the perceived injustice of today’s decision assumes that plaintiffs’ remaining remedies will be ineffective. One might more readily conclude that the prospect of contempt sanctions would resonate with a party who, although not appearing below, has now taken the step of filing an amicus curiae brief with this court. [p. 32]

Perhaps this is the most important passage in the whole opinion. It's become really popular especially as of late to try to make platforms responsible for everything their users do. It's good to have courts remind us that it's the people who do the things who really should be held accountable instead.


Posted on Techdirt - 28 June 2018 @ 3:50pm

The Monkey Selfie Case Continues, But The Dancing Baby One Does Not

from the never-ending-copyright-litigation dept

Thankfully this is not a post about the Monkey Selfie case, which should have ended by now but has not. Instead it's about Lenz v. Universal, the Dancing Baby case, which shouldn't have come to an end yet, but has. This week the EFF announced that the case has been settled.

The problem, though, isn't that the case has been settled. It had been remanded for trial, which would have been a long, expensive slog to not accomplish what the case really needed to accomplish: put teeth back into the Section 512(f) remedy that the DMCA is supposed to afford to deter illegitimate takedown demands. The problem is that the opportunity to provide that benefit was extinguished when the US Supreme Court denied cert and refused to review the Ninth Circuit's interpretation of that provision. So we'll be stuck with this precedent until another case can prompt another look by the court and the serious issue of censorship-via-takedown notice can finally get the judicial attention it deserves.

Maybe it will even be a case where a monkey has taken a video of himself dancing along to music, because the rights of monkeys have so far been a lot more successful in attracting en banc attention from the Ninth Circuit than the speech rights of people. And maybe it won't even take 10 years of litigation (that's 32 in monkey years) to find out.


Posted on Techdirt - 25 June 2018 @ 3:40am

The Supreme Court Makes A Federal Case Out Of South Dakota's Inability To Collect Taxes From Its Residents And Thus A Big Mess

from the aereo-for-ecommerce dept

In some ways the Supreme Court's decision last week in South Dakota v. Wayfair may seem like a small thing: it simply overturned an earlier decision, Quill Corp v. North Dakota, which had concluded that states could not impose requirements to collect sales tax on businesses with no physical presence in the state. But in dispensing with that rule, the decision invited broader effects that may not be so small, thanks to the alarming reasoning the Court used to justify it.

The Court was prompted to reverse its earlier decision – something that the Supreme Court does but rarely, thanks to the principle of stare decisis that ordinarily discourages the Court from messing with an earlier precedent – for a few reasons. In particular it was concerned that Internet businesses without a physical presence in the state had an advantage over those with one [p.12-13], and it accepted South Dakota's claims that it was losing out on millions of dollars in sales tax revenue when South Dakotans bought things from out-of-state Internet businesses who were not collecting the sales taxes that normally would have been owed [p.2].

These assumptions, if true, would raise reasonable policy concerns. But even if they were valid worries, it doesn't follow that the Supreme Court should be the organ of government to address them, especially not when its doing so threatens to create additional policy concerns of its own.

First, South Dakota may be heavily dependent on sales tax to generate revenue, but that's its choice. If consumption taxes turn out to be an inadequate way of filling its coffers, it could choose to impose other forms of taxation, like an income tax, as many other states have. It is not dependent on the United States Supreme Court to help it balance its budget.

Second, like other states, South Dakota requires its residents to independently submit to the state the sales tax that would have been collected, had they bought their goods from an Internet business with a physical presence there. ("If for some reason the sales tax is not remitted by the seller, then instate consumers are separately responsible for paying a use tax at the same rate." [p.2]). The Court may have been correct in observing that enforcing these sorts of payment requirements may be difficult [p.2], but just because it is difficult does not mean that it should fall to the United States Supreme Court to relieve the state of its enforcement burden – especially not an enforcement burden against parties over whom the state already had undisputed jurisdictional reach. This case essentially seems to boil down to South Dakota complaining, "We can't make our residents, who are clearly subject to our laws, pay their taxes, so please make sure that out-of-state residents, who are not clearly subject to our laws, do instead." And the court was amenable to this plea. [p.13]

As for whether the physical presence rule truly gave an advantage to out-of-state businesses, if the state could manage to get its residents to pay the taxes they owe the answer would be no, since any price advantage an out-of-state business could offer would have been negated by the subsequent payment obligation. But the problem with the Supreme Court having now changed the rule is that it's placed its thumb firmly on the other side of the scale and disadvantaged out-of-state businesses in favor of those with a physical presence.

In terms of sales tax collection, in and of itself it's no small task. States rarely have one tax rate applicable to the whole state, or to all types of goods. True, as the Court notes, South Dakota "is one of more than 20 States that have adopted the Streamlined Sales and Use Tax Agreement."

This system standardizes taxes to reduce administrative and compliance costs: It requires a single, state level tax administration, uniform definitions of products and services, simplified tax rate structures, and other uniform rules. It also provides sellers access to sales tax administration software paid for by the State. Sellers who choose to use such software are immune from audit liability. [p.23]

Such an agreement may certainly aid in minimizing compliance costs. So might the reasonably-priced software that the Court glibly assumes may eventually "make it easier for small businesses to cope with these problems." [p.21]. But in the here and now, compliance is still not so simple. This decision will still reach the other 30 states that have not adopted the Streamlined Sales and Use Tax Agreement, and figuring out how to comply will be more feasible for some businesses than others. Larger companies, for instance, will have more resources to manage complex compliance requirements. Companies large enough, or local enough, to have a presence in these states will also be more familiar with the state and its compliance requirements generally, since they will need to comply with the state's other laws as well.

Which leads to a more significant question raised by this decision, whose holding won't be confined to sales tax collection: what about these other state laws? Per the logic of the decision, can states impose other compliance obligations on Internet businesses, in addition to tax collection ones? As we've seen in recent discussions around Section 230, including in the cases involving Airbnb/Homeaway and Armslist, states love to apply local law to the Internet. In fact, even before the Internet, states liked to impose local law whenever they could. The "long-arm" reach of states to impose their regulatory power on out-of-state parties has traditionally been limited by the requirement that the foreign party at least have some minimum contact with the state before they can be exposed to its jurisdiction. Which is why the physical presence rule made sense: being physically there suggested there was a significant enough contact between the party being regulated and the state doing the regulating. It also seemed more fair: in-state companies will also likely have in-state employees able to wield political pressure on the state government if the laws it passes to apply to their employers start threatening their employment. Whereas out-of-state companies have no such political leverage to wield over the regulators they are nonetheless beholden to.

What the Court seems to be saying now is that lesser contact with a state than physical presence may be sufficient to establish minimum contact. In and of itself, such an assertion may not be controversial, and if the decision's rationale had been focused on those indicia it might not be so disquieting. In terms of the South Dakota taxation law itself, the law does incorporate some limitations so that it won't apply to Internet businesses with only incidental connections to South Dakota.

The Act applies only to sellers that, on an annual basis, deliver more than $100,000 of goods or services into the State or engage in 200 or more separate transactions for the delivery of goods or services into the State. [p.3]

But the Court is not specific as to what sort of lesser contact will be sufficient to subject an Internet business to state jurisdiction for taxation or otherwise, and it is going to be really expensive for out-of-state Internet businesses to find out.

Furthermore, the hostility that the Court showed to these out-of-state businesses is worrying. First, it is unjustifiably dismissive of the utility of the physical presence requirement.

The argument, moreover, that the physical presence rule is clear and easy to apply is unsound. Attempts to apply the physical presence rule to online retail sales are proving unworkable. States are already confronting the complexities of defining physical presence in the Cyber Age. For example, Massachusetts proposed a regulation that would have defined physical presence to include making apps available to be downloaded by in-state residents and placing cookies on in-state residents’ web browsers. Ohio recently adopted a similar standard. Some States have enacted so-called “click through” nexus statutes, which define nexus to include out-of-state sellers that contract with in-state residents who refer customers for compensation. Others still, like Colorado, have imposed notice and reporting requirements on out-of-state retailers that fall just short of actually collecting and remitting the tax. Statutes of this sort are likely to embroil courts in technical and arbitrary disputes about what counts as physical presence. [p. 19-20]

Of course, far from impugning the physical presence rule, these examples demonstrate the wisdom of it, because in all the examples described any dispute that might arise would arise because the states are trying to target businesses that aren't actually physically present in their states.

In fact, in general the Court seems to have an uneasy notion of what constitutes physical presence by an Internet business:

For example, a company with a website accessible in South Dakota may be said to have a physical presence in the State via the customers’ computers. A website may leave cookies saved to the customers’ hard drives, or customers may download the company’s app onto their phones. Or a company may lease data storage that is permanently, or even occasionally, located in South Dakota. Cf. United States v. Microsoft Corp., 584 U. S. ___ (2018). [p.15]

The Court also cannot imagine how limiting a company's physical presence might be of value to it:

But the administrative costs of compliance, especially in the modern economy with its Internet technology, are largely unrelated to whether a company happens to have a physical presence in a State. For example, a business with one salesperson in each State must collect sales taxes in every jurisdiction in which goods are delivered; but a business with 500 salespersons in one central location and a website accessible in every State need not collect sales taxes on otherwise identical nationwide sales. [p. 12]

Worse, to the extent that the Court can imagine why a 500-person company might choose not to have boots on the ground in every state where it might happen to have an online customer, it is inexplicably hostile:

In effect, Quill has come to serve as a judicially created tax shelter for businesses that decide to limit their physical presence and still sell their goods and services to a State’s consumers—something that has become easier and more prevalent as technology has advanced. [p. 13]

Later in the decision the Court further describes Quill as allowing out-of-state companies to aid and abet customers in "evad[ing] a lawful tax that unfairly shifts to those consumers who buy from their competitors with a physical presence that satisfies Quill—even one warehouse or one salesperson—an increased share of the taxes." [p. 17]

What is concerning is that in using these pejorative assessments the Court is essentially declaring, "How dare you do something legal to avoid liability." Which is sadly an admonition we've heard the Court make before in trying to substantiate a questionable holding in another case: Aereo.

As the Court continues, the comparison with Aereo becomes even more apt:

"Distortions caused by the desire of businesses to avoid tax collection mean that the market may currently lack storefronts, distribution points, and employment centers that otherwise would be efficient or desirable." [p. 13]

In other words, the Court has concluded, "Our jurisdictional rule is deterring investment in the state, so therefore it's a bad rule."

This sort of contorted reasoning is exactly what happened in Aereo, where the Court looked at who was making money, unilaterally decided it was the wrong people, and then tied itself in knots to write new law, indifferent to how much settled precedent it displaced or the full extent of its likely effects, in order to justify reallocating the financial gains.

Then, as now, it was a decision predicated on a series of questionable assumptions. We can only hope that this latest result won't be as seriously catastrophic for online innovation as Aereo has been.


Posted on Techdirt - 19 June 2018 @ 11:57am

Think The GDPR Only Regulates Big Internet Companies? The EU Says It Regulates You Too.

from the another-threat-to-democratized-speech dept

People tend to think of the GDPR as regulation companies must comply with. But thanks to a decision by the Court of Appeals for the EU earlier this month, there's particular reason to believe that ordinary Internet users will need to worry about complying with it as well.

In this decision the court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of its visitors' data. And, as such, the administrator must comply with applicable data processing regulations – which necessarily include the GDPR.

The fan page at issue in this case appears to be run by some sort of enterprise, "Wirtschaftsakademie." But fan pages aren't always run by companies: as the court acknowledges, they are often run by individuals or small groups of individuals. Yet there doesn't appear to be anything in the ruling that would exempt them from its holding. Indeed, the court recognizes that its decision would inherently apply to them:

Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the author of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to the users of that social network and to persons visiting the fan page, and to post any kind of communication in the media and opinion market user data a processor of the data for visitors to its page, and thus jointly responsible with Facebook for its handling.

The problem is, compliance with data protection regulations like the GDPR is no simple matter. In fact, as this article suggests, the decision also potentially makes it even more complicated and expensive by expanding the jurisdiction of individual member states' data protection authorities (which was something that EU-wide regulation like the GDPR was actually supposed to minimize).

[Eduardo] Ustaran expressed concern in his 2017 post about the potential for local DPAs’ authority to issue decisions that affect companies located in other areas, in this case, Facebook, whose EU representative is in Ireland. He says that this goes against the letter of GDPR’s one-stop shop goal.

But even without this change to the GDPR's enforcement operation, the burdens of compliance were already a matter of concern. As discussed previously, compliance with the GDPR is difficult and expensive for even well-resourced companies. It's not something that individual Internet users are going to be able to easily manage, and that's a problem, because who would want to set up a Facebook fan page if doing so opened yourself up to such a crippling compliance burden?

Which leads to the essential problem here. Some cheer the GDPR because it puts user privacy front and center as a policy priority. In and of itself, there's nothing wrong with doing so – in fact, it's an idea whose time has come. But it doesn't matter how well-intentioned a law is if instead of merely regulating otherwise lawful activity it ends up suppressing it. And it's especially problematic when that activity is expressive. Even if chilling expression weren't the intent, if that's the effect, then there is something wrong with the regulation.

Furthermore, while it's bad enough if regulation chills the expressive activity of those well-resourced companies better able to navigate complex and costly compliance requirements, it's even worse if it chills the lawful and even desirable expressive activity of ordinary individuals. One of the things an Internet platform like Facebook does, and does well, is encourage the casual expression of ordinary people. If you have things to say, these platforms make it easy to say them to other people without you needing to invest in corporate structure or technical infrastructure before doing so. These are tools that help democratize expression, which ordinarily is something places claiming to value the principles of free expression should want to support. In fact, the more the antipathy against big companies, the more they should want to ensure that independent voices can thrive.

But instead we're seeing how all this regulation targeted at those big companies instead attacks regular people trying to speak online. We've seen the same problem with SESTA/FOSTA too, where individual online speakers suddenly find themselves risking legal liability for how they interact with other speakers online. And now it's happening again in the GDPR context, where the very regulation ostensibly intended to protect people online now threatens to silence them.


Posted on Techdirt - 11 June 2018 @ 3:29pm

More Bad Facts Making More Bad Law, This Time In Wisconsin

from the thy-online-speaker's-keeper dept

A few weeks ago we, and others, filed an amicus brief in support of Airbnb and Homeaway at the Ninth Circuit. The basic point we made there is that Section 230 applies to all sorts of platforms hosting all sorts of user expression, including transactional content offering to rent or sell something, and local jurisdictions don't get to try to impose liability on them anyway just because they don't like the effects of those transactions. It's a point that is often forgotten in Section 230 litigation, and so last week the Copia Institute, joined by EFF, filed an amicus brief at the Wisconsin Supreme Court reminding them of the statute's broad application and why that breadth is so important for the preservation of online free speech.

The problem is that in Daniels v. Armslist, the Wisconsin Court of Appeals had ignored twenty-plus years of prior precedent affirming this principle in deciding otherwise. We therefore filed this brief to support Armslist in urging the Wisconsin Supreme Court to review the Court of Appeals decision.

As in so many cases involving Section 230 the case in question followed an awful tragedy: someone barred from owning a gun bought one through the online marketplace run by Armslist and then shot his estranged partner. The partner's estate sued Armslist for negligence in having constructed a site where dangerous people could buy guns. As we acknowledged up front:

Tragic events like the one at the heart of this case often challenge the proper adjudication of litigation brought against Internet platforms. Justice would seem to call for a remedy, and if it appears that some twenty-year old federal statute is all that prevents a worthy plaintiff from obtaining one, it is tempting for courts to ignore it in order to find a way to give them that remedy.

Nonetheless, there was more at stake than just the plaintiff's interest. This case might look like a gun policy case, or a negligence case, but, like with Airbnb/Homeaway, this case was really a speech case, and laws like Section 230 that help protect speech are ignored at our peril because doing so imperils all the important expression they exist to protect.

The reason it was a speech case is that, as in the Airbnb/Homeaway case where someone was using the platform to say, "I have a home to rent," here someone had used the Armslist platform to say, "I have a gun to sell." Because these platforms only facilitate these narrow topics of expression it's easy to lose sight of what's getting expressed and instead focus on the consequences of the expression. But that's the problem with these cases: someone is trying to hold an Internet platform liable for the consequences of what someone said, and that's exactly what Section 230 forbids.

Tempting though it may be to try to find exceptions to that critical statutory protection, it is important to hold the line because Section 230 only works when it can always work. It wouldn't accomplish anything if platforms were only protected from certain forms of liability but still had to monitor all their users' content anyway. Congress recognized that such monitoring would be an impossible task and crippling to platforms' ability to remain available to facilitate users' speech. A major reason Section 230 exists is to protect speech from the corrosive effects these monitoring burdens would have on it. It is also why Section 230 does not let state and local jurisdictions impose their own monitoring burdens through the threat of liability, as the Wisconsin appeals court decision would do.

Thanks to local counsel Kathryn Keppel at Gimbel, Reilly, Guerin & Brown LLP for all her help getting this brief filed.


Posted on Techdirt - 4 June 2018 @ 1:34pm

Highlights From Former Rep. Chris Cox's Amicus Brief Explaining The History And Policy Behind Section 230

from the future-reference dept

The Copia Institute was not the only party to file an amicus brief in support of Airbnb and Homeaway's Ninth Circuit appeal of a district court decision denying them Section 230 protection. For instance, a number of Internet platforms, including those like Glassdoor, which hosts specialized user expression, and those like eBay, which hosts transactional user expression, filed one pointing out how a ruling denying Airbnb and Homeaway would effectively deny it to far more platforms hosting far more kinds of user speech than just those platforms behind the instant appeal.

And then there was this brief, submitted on behalf of former Congressman Chris Cox, who, with then-Representative Ron Wyden, had been instrumental in getting Section 230 on the books in the first place. With this brief the Court does not need to guess whether Congress intended for Section 230 to apply to platforms like Airbnb and Homeaway; the statute's author confirms that it did, and why.

In giving insight into the statutory history of Section 230 the brief addresses the two main issues raised by the Airbnb appeal – issues that are continuing to come up over and over again in Section 230-related litigation in state and federal courts all over the country: does Section 230 apply to platforms intermediating transactional user expression, and does Section 230's pre-emption language preclude efforts by state and local authorities to hold these platforms liable for intermediating the consummation of the transactional speech. Cox's brief describes how Congress intended both these questions to be answered in the affirmative and thus may be relevant to these other cases. With that in mind, we are archiving – and summarizing – the brief here.

To illustrate why Section 230 should apply in these situations, first the brief explains the historical context that prompted the statute in the first place:

In 1995, on a flight from California to Washington, DC during a regular session of Congress, Representative Cox read a Wall Street Journal article about a New York Superior Court case that troubled him deeply. The case involved a bulletin board post on the Prodigy web service by an unknown user. The post said disparaging things about an investment bank. The bank filed suit for libel but couldn’t locate the individual who wrote the post. So instead, the bank sought damages from Prodigy, the site that hosted the bulletin board. [page 3]

The Stratton Oakmont v. Prodigy decision alarmed Cox for several reasons. One, it represented a worrying change in judicial attitudes towards third party liability:

Up until then, the courts had not permitted such claims for third party liability. In 1991, a federal district court in New York held that CompuServe was not liable in circumstances like the Prodigy case. The court reasoned that CompuServe “ha[d] no opportunity to review [the] contents” of the publication at issue before it was uploaded “into CompuServe’s computer banks,” and therefore was not subject to publisher liability for the third party content. [page 3-4]

It had also resulted in a damage award of $200 million against Prodigy. [page 4]. Damage awards like these can wipe technologies off the map. If platforms had to fear the crippling effect that even one such award, arising from just one user, could have on their developing online services, it would dissuade them from being platforms at all. As the brief observes:

The accretion of burdens would be especially harmful to smaller websites. Future startups, facing massive exposure to potential liability if they do not monitor user content and take responsibility for third parties’ legal compliance, would encounter significant obstacles to capital formation. Not unreasonably, some might abjure any business model reliant on third-party content. [page 26]

Then there was also a third, related concern: according to the logic of Stratton Oakmont, which had distinguished itself from the earlier Cubby v. Compuserve case, unlike Compuserve, Prodigy had "sought to impose general rules of civility on its message boards and in its forums." [page 4].

The perverse incentive this case established was clear: Internet platforms should avoid even modest efforts to police their sites. [page 4]

The essential math was stark: Congress was worried about what was going on the Internet. It wanted platforms to be an ally in policing it. But without protection for platforms, they wouldn't be. They couldn't be. So Cox joined with Senator Wyden to craft a bill that would trump the Stratton Oakmont holding. The result was the Internet Freedom and Family Empowerment Act, H.R. 1978, 104 Cong. (1995), which, by a 420-4 vote reflecting significant bipartisan support, became an amendment to the Communications Decency Act – Congress's attempt to address the less desirable material on the Internet – which then came into force as part of the Telecommunications Act of 1996. [page 5-6]. The Supreme Court later gutted the indecency provisions of the CDA in Reno v. ACLU, but the parts of the CDA at Section 230 have stood the test of time. [page 6 note 2].

The statutory language provided necessary relief to platforms in two important ways. First, it included a "Good Samaritan" provision, meaning that "[i]f an Internet platform does review some of the content and restricts it because it is obscene or otherwise objectionable, then the platform does not thereby assume a duty to monitor all content." [page 6]. Because keeping platforms from having to monitor was the critical purpose of the statute:

All of the unique benefits the Internet provides are dependent upon platforms being able to facilitate communication among vast numbers of people without being required to review those communications individually. [page 12]

The concerns were practical. As other members of Congress noted at the time, "There is no way that any of those entities, like Prodigy, can take the responsibility [for all of the] information that is going to be coming in to them from all manner of sources." [page 14]

While the volume of users [back when Section 230 was passed] was only in the millions, not the billions as today, it was evident to almost every user of the Web even then that no group of human beings would ever be able to keep pace with the growth of user-generated content on the Web. For the Internet to function to its potential, Internet platforms could not be expected to monitor content created by website users. [page 2]

Thus Section 230 established a new rule expressly designed to spare platforms from having to attempt this impossible task in order to survive:

The rule established in the bill [...] was crystal clear: the law will recognize that it would be unreasonable to require Internet platforms to monitor content created by website users. Correlatively, the law will impose full responsibility on the website users to comply with all laws, both civil and criminal, in connection with their user-generated content. [But i]t will not shift that responsibility to Internet platforms, because doing so would directly interfere with the essential functioning of the Internet. [page 5]

That concern for the essential functioning of the Internet also explains why Section 230 was not drawn narrowly. If Congress had only been interested in protecting platforms from liability for potentially defamatory speech (as was at issue in the Stratton Oakmont case) it could have written a law that only accomplished that end. But Section 230's language was purposefully more expansive. If it were not more expansive, while platforms would not have to monitor all the content they intermediated for defamation, they would still have to monitor it for everything else, and thus nothing would have been accomplished with this law:

The inevitable consequence of attaching platform liability to user-generated content is to force intermediaries to monitor everything posted on their sites. Congress understood that liability-driven monitoring would slow traffic on the Internet, discourage the development of Internet platforms based on third party content, and chill third-party speech as intermediaries attempt to avoid liability. Congress enacted Section 230 because the requirement to monitor and review user-generated content would degrade the vibrant online forum for speech and for e-commerce that Congress wished to embrace. [page 15]

Which returns to why Section 230 was intended to apply to transactional platforms. Congress didn't want to be selective about which types of platforms could benefit from liability protection. It wanted them all to:

[T]he very purpose of Section 230 was to obliterate any legal distinction between the CompuServe model (which lacked the e-commerce features of Prodigy and the then-emergent AOL) and more dynamically interactive platforms. … Congress intended to “promote the continued development of the Internet and other interactive computer services” and “preserve the vibrant and competitive free market” that the Internet had unleashed. Forcing web sites to a Compuserve or Craigslist model would be the antithesis of the congressional purpose to “encourage open, robust, and creative use of the internet” and the continued “development of e-commerce.” Instead, it will slow commerce on the Internet, increase costs for websites and consumers, and restrict the development of platform marketplaces. This is just what Congress hoped to avoid through Section 230. [page 23-24]

And it wanted them all to be protected everywhere because Congress also recognized that they needed to be protected everywhere in order to be protected at all:

A website […] is immediately and uninterruptedly exposed to billions of Internet users in every U.S. jurisdiction and around the planet. This makes Internet commerce uniquely vulnerable to regulatory burdens in thousands of jurisdictions. So too does the fact that the Internet is utterly indifferent to state borders. These characteristics of the Internet, Congress recognized, would subject this quintessentially interstate commerce to a confusing and burdensome patchwork of regulations by thousands of state, county, and municipal jurisdictions, unless federal policy remedied the situation. [page 27]

Congress anticipated that states and local authorities would be tempted to impose liability on platforms, and in doing so interfere with the operation of the Internet by forcing platforms to monitor after all and thus cripple their operation:

Other state, county, and local governments would no doubt find that fining websites for their users’ infractions is more convenient than fining each individual who violates local laws. Given the unlimited geographic range of the Internet, unbounded by state or local jurisdiction, the aggregate burden on an individual web platform would be multiplied exponentially. While one monitoring requirement in one city may seem a tractable compliance burden, myriad similar-but-not-identical regulations could easily damage or shut down Internet platforms. [page 25]

So, "[t]o ensure the quintessentially interstate commerce of the Internet would be governed by a uniform national policy" of sparing platforms the need to monitor, Congress deliberately foreclosed the ability of state and local authorities to interfere with that policy with Section 230's pre-emption provision. [page 10]. Without this provision, the statute would be useless:

Were every state and municipality free to adopt its own policy concerning when an Internet platform must assume duties in connection with content created by third party users, not only would compliance become oppressive, but the federal policy itself could quickly be undone. [page 13]

This pre-emption did not make the Internet a lawless place, however. Laws governing offline analogs to the services starting to flourish on the web would continue to apply; Section 230 simply prevented platforms from being held derivatively liable for user generated content that violated them. [page 9-10].

Notably, none of what Section 230 proposed was a controversial proposition:

When the bill was debated, no member from either the Republican or Democratic side could be found to speak against it. The debate time was therefore shared between Democratic and Republican supporters of the bill, a highly unusual procedure for significant legislation. [page 11]

It was popular because it advanced Congress's overall policy to foster the most beneficial content online, and the least detrimental.

Section 230 by its terms applies to legal responsibility of any type, whether under civil or criminal state statutes and municipal ordinances. But the fact that the legislation was included in the CDA, concerned with offenses including criminal pornography, is a measure of how serious Congress was about immunizing Internet platforms from state and local laws. Internet platforms were to be spared responsibility for monitoring third-party content even in these egregious cases.

A bipartisan supermajority of Congress did not support this policy because they wished to give online commerce an advantage over offline businesses. Rather, it is the inherent nature of Internet commerce that caused Congress to choose purposefully to make third parties and not Internet platforms responsible for compliance with laws generally applicable to those third parties. Platform liability for user-generated content would rob the technology of its vast interstate and indeed global capability, which Congress decided to “embrace” and “welcome” not only because of its commercial potential but also “the opportunity for education and political discourse that it offers for all of us.” [page 11-12]

As the brief explains elsewhere, Congress's legislative instincts appear to have been borne out, and the Internet today is replete with valuable services and expression. [page 7-8]. Obviously not everything the Internet offers is necessarily beneficial, but the challenges the Internet's success poses don't negate the policy balance Congress struck. Section 230 has enabled those successes, and if we want its commercial and educational benefit to continue to accrue, we need to make sure that the statute's critical protection remains available to all who depend on it to realize that potential.


Posted on Techdirt - 30 May 2018 @ 11:57am

Wherein Facebook Messes Up Elections By Trying Not To Mess Up Elections

from the early-bird-gets-the-political-ad-buy dept

A few months ago I suggested that calling Facebook a bull in a china shop might not be fair to bulls. I fear the suggestion remains apt, as Facebook throws its considerable weight around in ways that, while potentially well-meaning, leave all sorts of chaos in its wake. The latest evidence of this tendency relates to its recent announcement of policies designed to limit who can place political ads on Facebook.

The problem is, that's what it's done: limit who can place ads on Facebook. But according to the Verge, all it's done is limit the ability for SOME people to post political ads. As in, only SOME of the candidates in any particular race.

The Verge article notes that the Mississippi primary is set for June 5. But in one particular race for Congress, only the incumbent's authentication paperwork is in order, so only he is able to buy ads. As the day of the election draws near, his challenger finds himself locked out of being able to advertise through the medium.

E. Brian Rose is a Republican candidate for Congress in Mississippi, and is a primary challenger to the incumbent Rep. Steven Palazzo (R-MS). Up until yesterday, Rose said, Facebook had been a critical part of his campaign strategy. He amassed more than 6,000 followers on his official page, using Facebook ads to target voters in hundreds of narrowly defined demographic targets.

Yesterday, Rose’s campaign planned to buy 500 different Facebook ads. The first batch were approved shortly before the new rules took effect. But when Rose went to buy the remainder, he received a message from Facebook saying his ads had not been authorized. Rose filled out the required online forms attesting to his identity. At the end, Facebook said it would send Rose an authorization code in the mail. He was told it would arrive in 12 to 15 days — by which point the election would be over.

It's a fair read of the story that the challenger screwed up: if the incumbent was able to register, then so should have the challenger. But even so, it still looks like Facebook handled the rule change poorly, both in its timing (mid-race in the critical days leading up to an election), and with too drastic a change too dependent on its successful promotion that left too much to chance despite the serious stakes.

Facebook began allowing political advertisers to start the verification process on April 23rd. The company promoted the new process with a blog post and messages inside Facebook directed at administrators of political pages. In May, it also sent emails to page administrators advising them of the changes.

The challenger says he didn't get the notices about the change. It's a contention that seems plausible: even assuming there were no issues with the messages actually being sent out, or ending up caught in a spam filter, they would have arrived in campaign inboxes in the midst of what surely were busy days full of priorities more important than keeping up with Facebook notifications. Even assuming that authentication is the key to addressing political ad-buy abuse, an effective authentication solution should not have risked locking out live candidates in pending elections. The implementation of any solution should produce greater benefit than cost, which does not seem to be the case here. Because while it may be commendable that Facebook is trying to reduce the manipulation of America's political campaigns by outsiders, it accomplishes little if, in the process of trying to reduce one candidate's unfair advantage, it ends up creating another. It appears Facebook should have done more to anticipate what might go wrong with its new system before switching over to it. But the lesson here is not just for Facebook but also for those fond of pressuring Facebook to do something, anything, to change its existing policies, because it turns out that sometimes doing just anything may be worse than doing nothing.


Posted on Techdirt - 25 May 2018 @ 7:39pm

The GDPR: Ghastly, Dumb, Paralyzing Regulation It's Hard To Celebrate

from the if-you-like-privacy-and-the-Internet-demand-better dept

Happy GDPR day! At least if you can manage to be happy about a cumbersome, punitive, unprecedentedly extraterritorial legal regime that hijacks the resources of businesses everywhere without actually delivering privacy protection commensurate with the enormous toll attempts to comply with it extract. It's a regulatory response due significant criticism, including for how it poorly advances the important policy goals purportedly prompting it.

In terms of policy goals, there's no quarrel that user privacy is important. And it's not controversial to say that many providers of digital products and services to date may have been… let's just say, insufficiently attentive to how those products and services handled user privacy. Data-handling is an important design consideration that should always be given serious attention. To the extent the GDPR encourages this sort of "privacy by design," it is something to praise.

But that noble mission is overwhelmed by the rest of the regulatory structure not nearly so adeptly focused on achieving this end, which ultimately impugns the overall effort. Just because a regulatory response may be motivated by a worthwhile policy value, or even incorporate a few constructive requirements, it is not automatically a good regulatory response. Unless the goal is to ruin, rather than regulate, knotty policy problems need nuanced solutions, and when the costs of complying with a regulatory response drown out the intended benefit it can't be considered a good, or even effective, policy response. Here, even if all the GDPR requirements were constructive ones – and while some are, some are quite troubling – as a regulatory regime it's still exceptionally problematic, in particular given the enormous costs of compliance. Instead of encouraging entities to produce more privacy-protective products and services, it has diverted their resources, forcing them to spend significant sums of money seeking advice or to make their own guesses on how to act based on assumptions that may not be correct. These guesses themselves can be costly if they result in resources being spent needlessly, or in enormous sums being put in jeopardy if the guesses turn out to be wrong.

The rational panic we see in the flurry of emails we've all been getting, with subject lines of varying degrees of grief, and often with plaintive appeals to re-join previously vibrant subscriber communities now being split apart by regulatory pressure, reveals fundamental defects in the regulation's implementation. As does the blocking of EU users by terrified entities afraid that doing so is the only way to cope with the GDPR's troubling scope.

The GDPR's list of infirmities is long, ranging from its complexity and corresponding ambiguity, to some notably expensive requirements, to the lack of harmonization among crucial aspects of member states' local implementations, to the failure of many of these member states to produce these local regulations at any point usefully in advance of today, and to the GDPR's untested global reach. And they fairly raise the concern that the GDPR is poorly tailored to its overall policy purpose. A sound regulatory structure, especially one trying to advance something as important as user privacy, should not be this hard to comport with, and the consequences for not doing so should not be so dire for the Internet remaining the vibrant tool for community and communication that many people – in Europe and elsewhere – wish it to remain.

