March 2013

Last week on his personal blog, Peter Fleischer, Global Privacy Counsel for Google, posted an interesting essay entitled “We Need a Better, Simpler Narrative of US Privacy Laws.” Fleischer says that Europe has done a better job marketing its privacy regime to the world than the United States and argues that “The US has to figure out how to explain its privacy laws on the global stage” since “Europe is convincing many countries around the world to implement privacy laws that follow the European model.” He notes that “in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws [while] not a single country, anywhere, has followed the US model.” Fleischer argues that this has ramifications for long-term trade policy and global Internet regulation more generally.

I found this essay very interesting because I deal with some of these issues in my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing” (Harvard Journal of Law & Public Policy, vol. 36, no. 2, Spring 2013). In the article, I suggest that the U.S. does have a unique privacy regime and it is one that is very similar in character to the regime that governs online child safety issues. Whether we are talking about online safety or digital privacy, the defining characteristics of the U.S. regime are that it is bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered. It focuses on responding to safety and privacy harms after exhausting other alternatives, including market responses and the evolution of societal norms.

The EU regime, by contrast, is more top-down in character and takes a more static, inflexible view of privacy rights. It tries to impose a one-size-fits-all model on a diverse citizenry and it attempts to do so through heavy-handed data directives and ongoing “agency threats.” It is a regime that makes more sweeping pronouncements about rights and harms and generally recommends a “precautionary principle” approach to technological change in which digital innovation is more “permissioned.”

Put simply, the U.S. regime is reactive in character while the E.U. regime is more preemptive.  The U.S. system focuses on responding to safety and privacy problems using a more diverse toolbox of solutions, some of which are governmental in character while others are based on evolving social and market norms and responses. To be clear, law does enter the picture here in the U.S., but it does so in a very different way than it does in the E.U.   Continue reading →

At Mobile World Congress in Barcelona last month, I was surprised that nobody had access to 4G mobile Internet services. How could Barcelona, the second largest city in Spain and host to the “world’s premier mobile industry event,” lack access to 4G? In the opening day keynote session, Vittorio Colao, Vodafone’s CEO, said Europe has only 6% of the world’s LTE connections, and Telefónica’s CEO, César Alierta, said only 17% of European mobile subscribers have smartphones. European mobile operators agreed they are lagging the world in 4G deployment and penetration due to existing price regulations that discourage new infrastructure investments.

Europe now stands at a crossroads: Does it adopt the modern, investment-based approach toward wireless markets that made the US the world’s 4G leader, or does it further increase regulation and impose new obligations on “over the top” (e.g., Skype) services? Our history with the regulation of rural telephone companies demonstrates the perils of the second option. Yet European mobile operators appear ready to embrace new regulations as a means to enhance their business and create a “balanced relationship” with “US companies” that provide over the top (OTT) services. Continue reading →

There is renewed interest in unlicensed spectrum as the FCC approaches the TV white space issue (again). Tim B. Lee reports on some of the unlicensed supporters,

Activists at the South by Southwest Interactive festival in Austin, TX, built a free wireless network to help publicize the power of unlicensed “white spaces” technology. The project is part of a broader campaign to persuade the FCC not to auction off this spectrum for the exclusive use of wireless carriers.

Unlicensed spectrum for high-powered devices has been called Super Wifi (“wifi” in this context is used loosely; Super Wifi is a PR term and has nothing to do with the wifi technical standard). Frankly, there are many reasons to be cautious about assigning more unlicensed spectrum, especially given the confusing information out there about the technology. (For instance, despite a popular rumor, Super Wifi would not provide free Internet access to everyone with a device, as Matt Yglesias and Jon Brodkin point out.) Continue reading →

In anticipation of a hearing in the House Judiciary Committee Wednesday afternoon, Sandra Aistars, executive director of the Copyright Alliance, writes in The Hill about the principles that should guide copyright reform, calling for debate “based in reality rather than rhetoric.”

Chief among these principles is that protecting authors is in the public interest. Ensuring that all creators retain the freedom of choice in determining how their creative work is used, disseminated and monetized is vital to protecting freedom of expression.

Arguing for authors in terms of freedom of choice and expression is good rhetoric, but it’s quite unlike what I expect you’ll hear during Cato’s noon Wednesday forum on copyright and the book Laws of Creation: Property Rights in the World of Ideas.

Authors Ron Cass and Keith Hylton methodically go through each intellectual property doctrine and explore its economic function, giving few words to authors’ “choice” or their “freedom of expression.” They certainly don’t denigrate authors or their role, but Cass and Hylton don’t vaunt them the way Aistars does either.

Recent events in the copyright area are providing much grist for the discussion. You can still register for the book forum, treating it as a warm-up for Wednesday afternoon’s hearing, if your freedom of choice and expression so dictate.

Susan W. Brenner, associate dean and professor of law at the University of Dayton School of Law,  discusses her new paper published in the Minnesota Journal of Law, Science & Technology entitled “Cyber-threats and the Limits of Bureaucratic Control.”

Brenner argues that the approach the United States, like other countries, uses to control threats in real-space is ill-suited for controlling cyberthreats. She explains that because this approach evolved to deal with threat activity in a physical environment, it is predicated on a bureaucratic organizations. This is not an effective way of approaching cyber-threat control, she argues. 

Brenner also explains why congressional efforts at cybersecurity legislation are flawed and why U.S. authorities persist in pursuing antiquated strategies that cannot provide an effective cyberthreats defense system. She outlines an alternative approach to the task of protecting the country from cyberthreats, and approach that is predicated on older, more fluid threat control strategies.


Related Links

Benjamin Lennett and Danielle Kehl have an article in the Chronicle of Higher Education that is representative of a genre: worrying about the adverse consequences of mobile data “caps.” In this installment, Lennett and Kehl argue that pricing structures imposed by wireless carriers will limit the future of online education. “As a nation, we should embrace the potential benefits of online education. But we must not ignore the disparities that may keep many from taking advantage of those innovations,” they warn.

But are mobile data caps really what is holding back online education? Let’s take a look.
Continue reading →

HJLPP coverI’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. Continue reading →

Register here now for next Wednesday’s Cato book forum on Laws of Creation: Property Rights in the World of Ideas.

In the book, Ronald A. Cass and Keith Hylton reject the idea that changing technology undermines the case for intellectual property rights. They argue that making the work of inventors and creators free would be a costly mistake.

That cuts against the bulk of academic opinion today, which is critical of the broad scope and length of intellectual property protections today. The book has qualities that many libertarians will enjoy because it starts with first principles: the theoretical underpinnings and practical benefits of property rights.

By no means does the book answer all the questions, and we’ll have TLF’s own Jerry Brito, the editor of Copyright Unbalanced, on hand to provide commentary.

That’s Wednesday (3/20) at noon in the Cato Institute’s F.A. Hayek auditorium. There’s no such thing as a free lunch, but the sandwiches provided afterwards come at the low cost of learning more dimensions of the intellectual property debate. Register now!

In the past couple weeks, three bills addressing the legality of cell phone unlocking have been introduced in the Senate:

  • Sens. Leahy, Grassley, Franken, and Hatch’s “Unlocking Consumer Choice and Wireless Competition Act” (S.517)
  • Sen. Ron Wyden’s “Wireless Device Independence Act” (S.467)
  • Sen. Amy Klobuchar’s “Wireless Consumer Choice Act” (S.481)

This essay will explain how these bills would affect users’ ability to lawfully unlock their cell phones.


If you buy a new cell phone from a U.S. wireless carrier and sign a multi-year service contract, chances are your phone is “locked” to your carrier. This means if you want to switch carriers, you’ll first need to unlock your phone. Your original carrier may well be happy to lend you a helping hand—but, if not, unlocking your phone may violate federal law.4s-unlock

The last few months have seen an explosion of public outcry over this issue, with a recent White House “We the People” petition calling for the legalization of cell phone unlocking garnering over 114,000 signatures—and a favorable response from the Obama administration. The controversy was sparked in October 2012, when a governmental ruling (PDF) announced that unlocking cell phones purchased after January 26, 2013 would violate a 1998 federal law known as the Digital Millennium Copyright Act (the “DMCA”).

Under this law’s “anti-circumvention” provisions (17 U.S.C. §§ 1201-05), it is generally illegal to “circumvent a technological measure” that protects a copyrighted work. Violators are subject to civil penalties and, in serious cases, criminal prosecution.

However, the law includes an escape valve: it empowers the Librarian of Congress, in consultation with the Register of Copyrights, to periodically determine if any users’ “ability to make noninfringing uses . . . of a particular class of copyrighted works” is adversely affected by the DMCA’s prohibition of tools that circumvent access controls. Based on these determinations, the Librarian may promulgate rules exempting categories of circumvention tools from the DMCA’s ban.

One such exemption, originally granted in 2006 and renewed in 2010, permits users to unlock their cell phones without their carrier’s permission. (You may be wondering why phone unlocking is considered an access control circumvention—it’s because unlocking requires the circumvention of limits on user access to a mobile phone’s bootloader or operating system, both of which are usually copyrighted.)

But late last year (2012), when the phone unlocking exemption came up for its triennial review, the landscape had evolved regarding a crucial legal question: do cell phone owners own a copy of the operating system software installed on their phone, or are they merely licensees of the software?

Continue reading →

A market has developed in which specialized firms discover new vulnerabilities in software and sell that knowledge for tens or hundreds of thousands of dollars. These vulnerabilities are known as “zero day exploits” because there is no advance knowledge of them before they are used. In this blog post, we recognize that this market may require some kind of action, but reject simplistic calls for “regulation” of suppliers. We recommend focusing on the demand side of the market.

Although there is surprisingly little hard evidence of its scope and scale, the market for vulnerabilities is considered troublesome or dangerous by many. While the bounties paid may stimulate additional research into security, it is the exclusive and secret possession of this knowledge by a single buyer that raises concerns. It is clear that when a someone other than the software vendor pays $100,000 for a zero-day they are probably not paying for defense, but rather for an opportunity to take advantage of someone else’s vulnerability. Thus, the vulnerabilities remain unpatched. (Secrecy also makes the market rather inefficient; it may be possible to sell the same “secret” to several buyers.)

The supply side of the market consists of small firms and individuals with specialized knowledge. They compete to be the first to identify new vulnerabilities in software or information systems and then bring them to buyers. Many buyers are reputed to be government intelligence, law enforcement or military agencies using tax dollars to finance purchases. But we know less about the demand side than we should. The point, however, is that buyers are empowered to initiate an attack, a power that even legitimate organizations could easily abuse.

Insofar as the market for exploits shifts incentives away from publicizing and fixing vulnerabilities toward competitive efforts to gain private, exclusive knowledge of them so they can be held in reserve for possible use, the market has important implications for global security. It puts a premium on dangerous vulnerabilities, and thus may put the social and economic benefits of the Internet at risk. While the US might think it has an advantage in this competition, as a leader in the Internet economy and one of the most cyber-dependent countries, it also has the most to lose.

Unfortunately, so far the only policy response proposed has been vague calls for “regulation.” Chris Soghoian in particular has made “regulation” the basis of his response, calling suppliers “modern-day merchants of death” and claiming that “Security researchers should not be selling zero-days to middle man firms…These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain.”

Such responses, however, are too long on moral outrage and too short on hard-headed analysis and practical proposals. The idea that “regulation” can solve the problem overlooks major constraints:

Continue reading →