Interoperability is a topic that has long been of interest to me. How networks, platforms, and devices work with each other–or sometimes fail to–is an important engineering, business, and policy issue. Back in 2012, I spilled out over 5,000 words on the topic when reviewing John Palfrey and Urs Gasser’s excellent book, Interop: The Promise and Perils of Highly Interconnected Systems.

I’ve always struggled with the interoperability issues, however, and often avoided them became of the sheer complexity of it all. Some interesting recent essays by sci-fi author and digital activist Cory Doctorow remind me that I need to get back on top of the issue. His latest essay is a call-to-arms in favor of what he calls “adversarial interoperability.” “[T]hat’s when you create a new product or service that plugs into the existing ones without the permission of the companies that make them,” he says. “Think of third-party printer ink, alternative app stores, or independent repair shops that use compatible parts from rival manufacturers to fix your car or your phone or your tractor.”

Doctorow is a vociferous defender of expanded digital access rights of many flavors and his latest essays on interoperability expand upon his previous advocacy for open access and a general freedom to tinker. He does much of this work with the Electronic Frontier Foundation (EFF), which shares his commitment to expanded digital access and interoperability rights in various contexts.

I’m in league with Doctorow and EFF on some of these things, but also find myself thinking they go much too far in other ways. At root, their work and advocacy raise a profound question: should there be any general right to exclude on digital platforms? Although he doesn’t always come right out and say it, Doctorow’s work often seems like an outright rejection of any sort of property rights in networks or platforms. Generally speaking, he does not want the law to recognize any right for tech platforms to exclude using digital fences of any sort.

Where to Draw the Lines?

As someone who has authored a book about the importance of permissionless innovation, I need to be able to answer questions about where these lines between open versus closed systems are drawn. Definitions and framing matter, however. I use “permissionless innovation” as a descriptor for one possible policy disposition when considering where legal and regulatory defaults should be set. Another conception of permissionless innovation is more of an engineering ideal; a general freedom to connect, tinker, modify, etc. (I speak more about these conceptions in my latest book, Evasive Entrepreneurs.) Of course, someone advocating permissionless innovation as a policy default will sometimes be confronted with the question of what the law should say when someone behaves in an “evasive” fashion in the latter conception of permissionless innovation.

Doctorow would generally answer that question by saying that law should not be rigged to favor exclusion through laws like the DMCA (and specifically the law’s anti- circumvention provisions), Computer Fraud and Abuse Act, patent law, and various other rules and laws. “[T]he current crop of Big Tech companies has secured laws, regulations, and court decisions that have dramatically restricted adversarial interoperability.”

Generally speaking, I agree. I’m not a fan of technocratic laws or regulations that seek to micro-manage interoperability and which stack the deck in favor of exclusionary conduct with steep penalties for evasion. But does that mean adversarial interoperability should be permitted in all cases? Should there exist any sort of common law presumption one way or the other when a user or competitor seeks access to an existing private platform or device?

Specifics matter here and I don’t have time to get into all the case studies that Doctorow goes through. Some are no-brainers, like the infamous Lexmark case involving refillable printer ink cartridges. Other cases are far more complicated, at least for me. Does Epic, creator of Fortnite, have a right of adversarial interoperability that it can exercise against Apple and their AppStore? As Dirk Auer suggests in a new essay, this episode looks more like a straightforward pricing dispute. Epic is making it out to be much more than that, suggesting Apple is guilty of unfair and exclusionary practices that require a legal remedy.

Why not take that logic further and just say Apple’s App Store us tantamount to a natural monopoly or digital essential facility that Epic and everyone else is entitled to on whatever terms they want? For that matter, why not apply the same logic to Epic’s Fortnite platform or even its Unreal Engine? Does every other gaming developer have a right to piggyback on the juggernaut that Epic has built?

This gets to the core question about Doctorow’s concept of adversarial interoperability: Exactly what should common law and the courts say platform owners make access rights a simple pricing matter and say: “You pay or you are out.” Like Doctorow and EFF, I don’t want Apple to benefit from any special favors from laws like DMCA. Where we differ is that I would still leave the door open for Apple to exercise various other common law contractual rights or property rights in court.

I suspect Doctorow would deny any such claims by Apple or anyone else. If so, I would like to see him spell out in more precise terms exactly what Apple’s property rights and contractual rights are in this instance. Or, again, should we just treat the App Store as a digital commons with unfettered open access rights for developers? If so, would Apple be required to still manage the resource once it is a quasi-commons?

I think that would end miserably, but would like to hear Doctorow’s preferred approach before saying more. I suspect a lot rides on the distinction between “open” verses “proprietary” standards, but compared to Doctorow and EFF, I am willing to embrace a world of both open and proprietary systems, and many hybrids in between. I don’t want the law favoring one type over the other, but that means I need to endorse a generalized property right for digital operators such that they can still exclude others (even in the absence of artificial regulatory rights like DMCA creates). Again, I suspect Doctorow would reject that standard, preferring a generalized right of access, even if that means the platforms become de facto commons.

More Radical Steps

Elsewhere, Doctorow has said is that some of these questions would be better addressed through more aggressive antitrust regulation. Mere data portability or mandatory interoperability isn’t enough for him. “Data portability is important,” Doctorow says, “but it is no substitute for the ability to have ongoing access to a service that you’re in the process of migrating away from.”

In his latest online book on “How to Destroy Surveillance Capitalism,” Doctorow suggests that it is time to “make Big Tech small again” through an “anti-monopoly ecology movement.” That “means bans on mergers between large companies, on big companies acquiring nascent competitors, and on platform companies competing directly with the companies that rely on the platforms.” And he desires a host of other remedies.

So, here we have the convergence of interoperability policy and antitrust policy, with a layer of property confiscation layered on top apparently. “Now it’s up to us to seize the means of computation, putting that electronic nervous system under democratic, accountable control,” he insists in his latest manifesto.

What’s funny about this is that Doctorow begins most of his essays by pointing out all the ways that politics is the problem when it comes to access issues, only to end by suggesting that a lot more political meddling is the required solution. He repeatedly laments how large tech players have so often been able to convince lawmakers and regulators to pass special laws or regulations that work to their favor. Yet, in his We-Can-Build-A-Better-Bureaucrat model of things, all those old problems will apparently disappear when we get the right people in power and get rid of those nefarious capitalist schemers.

Thus, what really animates Doctorow’s advocacy for adversarial interoperability is a deep suspicion of free market capitalism and property rights in particular. In this worldview, interoperability really just becomes a Trojan Horse meant to help bring down the entire capitalist order. Am I exaggerating? “As to why things are so screwed up? Capitalism.” Those are his exact words from the conclusion of his latest book.

Adversarial Innovation & Evolutionary Interop

Still, Doctorow raises many legitimate issues about interconnection and digital access rights. But we need a better approach to work though these questions than the one he suggests.

In my lengthy review of the Palfrey and Gasser Interop book, I tried to sketch out an alternative framework for thinking seriously about these issues. I referred to my preferred approach as “experimental interoperability” or “evolutionary interoperability.” I described this as the theory that ongoing marketplace experimentation with technical standards, modes of information production and dissemination, and interoperable information systems, is almost always preferable to the artificial foreclosure of this dynamic process through state action. The former allows for better learning and coping mechanisms to develop while also incentivizing the spontaneous, natural evolution of the market and market responses.

Adversarial interoperability is important, but not nearly as important as adversarial innovation and facilities-based competition. Stated differently, access rights to existing systems is an important value, but the incentives we have in place to encourage entirely new systems is what really matters most. At some point, a generalized right of access to existing systems discourages the sort of platform-building that could help give rise to the sort of creative destruction we have seen at work repeatedly in the past and that we still need today. Taken too far, adversarial interoperability threatens to undermine this goal. Why seek to build a better alternative platform if you can just endlessly free ride off someone else’s by force of law?

Thus, I prefer to work at the margins and think through how to balance these competing claims of access / interoperability rights versus contractual / property rights. My take will be too utilitarian for not only Doctorow but also for some libertarians, who want clear answers to all these questions based upon their preferred natural law-oriented constructions of rights. The problem with that approach is that it leads to all-or-nothing extremes (complete digital property rights, or virtually none) and that approach is fundamentally unworkable and destructive. We need to work harder about how to balance these rights and values in pro-competitive, pro-innovation fashion.

There is No Such Thing as Optimal Interoperability

In sum, there is no such thing as “optimal interoperablity.” Sometimes proprietary or “closed” systems will offer the public features and options that they will find preferable to “open” ones.  “There are many reasons why consumers might prefer ‘closed’ systems – even when they have to pay a premium for them,” argues Dirk Auer in a separate essay. It could be greater convenience, security, or other things. Palfrey and Gasser correctly noted in their book that, “the state is rarely in a position to call a winner among competing technologies” (p. 174). Moreover, they concluded:

“Lawmakers need to keep in view the limits of their own effectiveness when it comes to accomplishing optimal levels of interoperability. Case studies of government intervention, especially where complex information technologies are involved, show that states tend to be ill suited to determine on their own what specific technology will be the best option for the future (p. 175)

A thousand amens to that! The law should not artificially foreclose experimentation with many different types of platforms, standards, devices and the interoperability that exists among them.

When Google announced it was acquiring digital thermostat company Nest yesterday, it set off another round of privacy and security-related technopanic talk on Twitter and elsewhere. Fear and loathing seemed to be the order of the day. It seems that each new product launch or business announcement in the “Internet of Things” space is destined to set off another round of Chicken Little hand-wringing. We are typically told that the digital sky will soon fall on our collective heads unless we act preemptively to somehow head-off some sort of pending privacy or security apocalypse.

Meanwhile, however, a whole heck of lot of people are demanding more and more of these technologies, and American entrepreneurs are already engaged in heated competition with European and Asian rivals to be at the forefront of the next round Internet innovation to satisfy those consumer demands. So, how is this going to play out?

This gets to what becoming the defining policy issue of our time, not just for the Internet but for technology policy more generally: To what extent should the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations? We can think of this as “the permission question” and it is creating a massive rift between those who desire more preemptive, precautionary safeguards for a variety of reasons (safety, security, privacy, copyright, etc.) and those of us who continue to believe that permissionless innovation should be the guiding ethos of our age. The chasm between these two worldviews is only going to deepen in coming years as the pace of innovation around new technologies (the Internet of Things, wearable tech, driverless cars, 3D printing, commercial drones, etc) continues to accelerate.

Sarah Kessler of Fast Company was kind enough to call me last night and ask for some general comments about Google buying Nest and she also sought out the comments of Marc Rotenberg of EPIC about privacy in the Internet of Things era more generally. Our comments provide a useful example of the divide between these two worldviews and foreshadow debates to come:

With an estimated 50 billion connected objects coming online by 2050, some see good reason to put policies in place that regulate the new categories of data they will collect about the people who use those products. “The basic problem with the Internet of Things, unless privacy safeguards are established up front, is that users will lose control over the data they generate,” Marc Rotenberg, the president of the Electronic Privacy Information Center, told Fast Company in an email. Others see the emerging category as a perfect reason to block omnibus attempts to regulate user data. “If we spend all of our time living in fear of hypothetical worst-case scenarios, then the best-case scenarios will never come about,” says Adam Thierer, a Senior Research Fellow at George Mason University’s Mercatus Center. “That’s the nature of how innovation works. You have to allow for risks and experimentation, and even accidents and failures, if you want to get progress.”

Last week, I wrote about this conflict of visions in my dispatch from the CES show and this topic is also the focus of my forthcoming eBook, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom.” To reiterate what I already said, my book will describe the future of the Internet of Things and all technology policy as a grand battle the “precautionary principle” and “permissionless innovation.” The “precautionary principle” refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harms to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other worldview, “permissionless innovation,” refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if they develop at all, can be addressed later.

While those adhering to the precautionary principle mindset tend to favor “top-down” legalistic approaches to solving those potential problems that might creep up, those of us who favor the premissionless innovation approach favor “bottom-up” solutions that evolve over time but do not interrupt the ongoing experimentation and innovation that consumers demand. What does a “bottom-up” approach mean in practice? Education and empowerment, social pressure, societal norms, voluntary self-regulation, and targeted enforcement of existing legal norms (especially through the common law) are almost always superior to top-down, command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I” (i.e., permissioned) nature.

We really should not underestimate the power of norms and public pressure to “regulate” in this regard, perhaps even better than law, which tends to be too slow-moving to make much of a difference. In my book I spend a great deal of time talking about how other technological innovations have been shaped by social norms, public pressure, and press attention. That same will be true for the Internet of Things and various new technologies I discuss in my book. Others will gradually adapt to the new technological realities and integrate these new devices and services into their lives over time.

Perhaps, then, it will be the case that if Google does something particularly bone-headed with Nest that a public backlash will ensue. Or maybe some consumers will just reject Nest and look for other options, which is apparently what Rotenberg is doing according to the Fast Company article. Of course, as I noted in concluding the interview, others may act quite differently and accept Nest and other new Internet of Things technologies, even if there are some privacy or security downsides. As I told Sarah Kessler, while I was visiting the consumer electronics show last week, I heard it was freezing back here in DC. If I would have had Nest in my house, perhaps Google Now could have alerted me to the dangerously low temps in my house and suggested that I raise the temp remotely before my pipes froze. As I noted to Kessler:

“Would that have been creepy?” he says. “To me it would have been helpful. So for everything that people regard as a negative, I can usually find a positive. And if there’s that balance there, then it should be left to individuals to decide for themselves how to decide that balance.”

Finally, since I often get accused of being some sort of nihilist in these debates, I want to make it clear that ethics should influence all these discussions, but I prefer that we not impose ethics in a heavy-handed, inflexible way through preemptive, proscriptive regulatory controls. It makes more sense to wait and see how things play out before regulating to address harms, once we figure out which ones are real. (See the second and third essays listed below for more on ethics and technological innovation.) But we absolutely need to be engaging in robust societal discussions about digital ethics, digital citizenship, privacy and security by design, and sensible online etiquette. I’ve spent a lifetime writing about the power of that approach in the context of online child safety and I think it is equally applicable for privacy and security-related matters. In particular, we need to talk to our kids and our future technologists and innovators about smarter digital habits that respect the safety, security, and privacy of others. Those conversations can help us chart a more sensible path forward without sacrificing the many benefits that accompany the ongoing technological revolution we are blessed to be experiencing today.

Additional Reading:

• “Who Really Believes in ‘Permissionless Innovation’?” Technology Liberation Front, March 4, 2013.
• “What Does It Mean to ‘Have a Conversation’ about a New Technology?” Technology Liberation Front, May 23, 2013.
• “On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.
• “Planning for Hypothetical Horribles in Tech Policy Debates,” Technology Liberation Front, August 6, 2013.
• “Edith Ramirez’s ‘Big Data’ Speech: Privacy Concerns Prompt Precautionary Principle Thinking,” Technology Liberation Front, August 29, 2013.
• “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” Technology Liberation Front, April 29, 2011.
• “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” Technology Liberation Front, April 10, 2012.
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013.
• “Why Do We Always Sell the Next Generation Short?” Forbes, January 8, 2012.
• “The Six Things That Drive ‘Technopanics,’” Forbes, March 4, 2012.

[Update II: The petition has now expired, about 2,500 signatures shy of the 25,000 needed to require a White House response.]

[Update: The D.C. Circuit Court of Appeals has accepted CEI’s amicus brief and ordered the TSA to answer EPIC’s petition. It is common for courts to simply reject petitions of this kind, so this is important progress in the effort to get TSA to follow the law.]

Will the White House give us a substantive answer or not?

A few weeks ago, we ‘celebrated’ the one-year anniversary of a court order requiring the TSA to do a notice-and-comment rulemaking on its policy of using strip-search machines for primary screening at airports. It’s been a year and the TSA has shown no action.

The Electronic Privacy Information Center, which brought the original case, filed a petition asking the D.C. Circuit Court of Appeals to require action on the TSA’s part. The Competitive Enterprise Institute and many other friends of the court chimed in with an amicus brief highlighting issues in the case. I emceed a Cato Capitol Hill briefing on the topic.

But the real fun has been with a petition on Whitehouse.gov asking the president to make the TSA follow the law. When I put that up there, the issue took off. Stories and links went out on Ars Technica, Wired, and the Washington Times, just to name a few. People sent notices out to their email lists. And there was plenty of Tweeting, blogging, reTweeting, reblogging.

The <a href=""petition”>https://petitions.whitehouse.gov/petition/require-transportation-security-administration-follow-law/tffCTwDd”>petition is nearing 16,000 signatures (of 25,000 needed to require a response from the White House). That would be great to have, though not essential. The PR value has already been gained.

PR value is real value in Washington, D.C., and to illustrate that value, inveterate friend of liberty Will Hayworth whipped up a little code to grab the locations of the people that named their location when they signed the petition, and he put them on a Google map. It’s a nice illustration of the nationwide distaste for the TSA’s policy—and its refusal to implement the policy consistent with the law.

Take a look and see how many people from your state or town have signed on. Do your friends need a reminder? Send them the link to the petition page!

Petitioning isn’t going to upend government, but it is an organizing idea with a constitutional pedigree—the First Amendment. So if you think TSA should follow the law, well, maybe you should <a href=""join”>https://petitions.whitehouse.gov/petition/require-transportation-security-administration-follow-law/tffCTwDd”>join in the fun!

If we get 25,000 signatures by August 9th, the White House will have to respond.

Daily news service TechLawJournal (subscription) reports that the U.S. District Court (DC) has granted summary judgment to the National Security Agency in EPIC v. NSA, a federal Freedom of Information Act (FOIA) case regarding the Electronic Privacy Information Center’s request for records regarding Google’s relationship with the NSA.

EPIC requested a wide array of records regarding interactions between Google and the NSA dealing with information security. Reports TLJ:

The NSA responded that it refused to confirm or deny whether it had a relationship with Google, citing Exemption 3 of FOIA (regarding records “specifically exempted from disclosure by statute”) and Section 6 of the National Security Agency Act of 1959 (which prohibits disclose of information about the NSA).

The FOIA merits of EPIC’s suit are one thing. It’s another for Google to have an intimate relationship with a government agency this secretive.

This would be a good time to not be evil. Google should either sever ties with the NSA or be as transparent (or more) than federal law would require the NSA to be in the absence of any special protection against disclosure.

PaidContent.org has posted a chart showing “Who’s Getting Buzz Settlement Money.” This refers to the $9.5 million payout following the Federal Trade Commission settlement with Google a class action suit over its “Buzz” social networking service. Last week, the Federal Trade Commission entered into a consent decree with Google over its botched rollout of Buzz saying the search giant violated its own privacy policy. Google will also pay out to various advocacy groups according to the distribution seen in the chart as part of a separate class action. Payouts to advocates like this are not uncommon, although they are more often the result of a class action settlement than a regulatory agency consent decree. [Update/Correction 5:13 pm: I should have made it clear that this payout was the result of a class action lawsuit against Google and not the direct result of the FTC settlement. Apologies for that mistake, but still interested in the questions raised below.]

But that got me wondering whether this might make for good fodder for a case study by a public choice economist or political scientist. There are some really interesting questions raised by settlements like this that would be worth studying.

First, do rewards like this promote agitation with regulatory agencies for consent decrees? Regulatory advocates stand to gain a healthy cut of any final settlement, so it seems likely that they would seek such regulatory actions. It’s noteworthy that, according to Computer Business News, “The Electronic Privacy Information Center (EPIC) has filed an objection to agreements Google has reached over its social network Buzz because it is not one of the beneficiaries of the privacy fund set up by Google.” Apparently EPIC wants a $1.75 million cut. [Recall that EPIC wanted Google’s Gmail banned when it came out back in 2004.] The ACLU, EFF, and CDT all made out handsomely from the settlement, too, and they have been among the primary cheerleaders for a new Internet regulatory regime in the name of protecting privacy.

Second, shouldn’t this settlement money go to consumers who were supposedly harmed instead of to these regulatory advocates? Of course, finding and making whole a massive class of potentially aggrieved consumers would be extremely difficult and costly, especially because of the amorphous nature of the “harm” in question with something like Buzz. And so we instead get the payouts to the privacy regulatory advocates. The theory is that transferring money to these surrogates is the next best thing because they will stand up on consumers’ behalf in the future. I’m not so sure. Privacy is a highly amorphous value and these regulatory advocates almost certainly do not represent the varied interests of all consumers.

Anyway, if you are an aspiring public choice econ or poly sci PhD student, this might make for an interesting study. It would be interesting to see how this money is spent and how much more aggressive these groups become in their push for privacy-related investigations/regulation when there is a nice pot of gold at the end of that particular rainbow.

Facebook has had a tough month. The site’s latest round of privacy changes, implemented last month, spurred stiff backlash — not just from so-called privacy advocates, but also from several U.S. Senators. Facebook CEO Mark Zuckerberg shot back with an op-ed in The Washington Post, as Braden discussed here yesterday.

I’ve had much to say about Facebook’s past privacy controversies (1, 2, 3, 4, 5), but what really sticks out about the latest anti-Facebook backlash is who’s leading the charge: U.S. Senator Chuck Schumer.

Seriously, of all people, Chuck Schumer should be the last to criticize Facebook’s privacy practices. That’s because Schumer is leading the push in Congress to establish a biometric national identification regime. If Schumer had his way, all Americans, including U.S. citizens, wishing to legally work in this country would be required by law to obtain a national ID card! Compared to this highly invasive potential exercise of the state’s coercive power, concerns about Facebook’s privacy practices seem downright trivial.

I elaborated on Schumer’s hypocrisy and discussed the problems surrounding federal regulation of online privacy in an op-ed that recently appeared on Townhall.com:

Hypocrisy in politics is nothing new. But Senator Charles Schumer (D-N.Y.) set a new standard for it last week when he and three of his colleagues attacked social networking giant Facebook over its privacy practices. In a scathing letter, the senators demanded that Facebook change certain features to give users greater “control over their information.” The real threat to privacy, however, comes not from innovative companies like Facebook, but from posturing politicians. The controversy began last month when Facebook unveiled several new changes and features. Under the new privacy policy, Facebook user profiles are linked to the popular websites Yelp, Pandora, and Microsoft’s Docs.com by default. Users can opt out of these “social plug-ins.” Facebook also made all users’ likes and interests publicly visible, with no opt-out. These changes angered some users and sparked uproar in the blogosphere. Naturally, politicians saw this controversy as a chance to score political points by getting involved. Sen. Schumer and company asked federal regulators to “recommend” privacy guidelines for social networking sites, and are reportedly on the verge of introducing legislation to regulate online privacy. One moment, Sen. Schumer implores Facebook to change its privacy policies. The next, he’s leading the push in Congress to require all Americans to have national ID cards. Unlike social networking sites, which are entirely voluntary, Americans will not be able to “opt out” of Schumer’s national ID scheme. (Schumer’s proposal even requires citizens’ biometric information, like an iris scan or fingerprint.) Perhaps Sen. Schumer could use a dose of his own privacy medicine. …

You can read the rest of the piece here.

Last week, the Electronic Privacy Information Center released a petition from a group it spearheaded, asking the Department of Homeland Security to suspend deployment of whole-body imaging (aka “strip-search machines”) at airports.

The petition is a thorough attack on the utility of the machines, the process (or lack of process) by which DHS has moved forward on deployment, and the suitability of the privacy protections the agency has claimed for the machines and computers that display denuded images of air travelers.

The petition sets up a variety of legal challenges to the use of the machines and the process DHS has used in deploying them.

Whole-body imaging was in retreat in the latter part of last year when an amendment to severely limit their use passed the House of Representatives. The December 25 terror attempt, in which a quantity of explosives was smuggled aboard a U.S.-bound airplane in a passenger’s underpants, gave the upper hand to the strip-search machines. But the DHS has moved forward precipitously with detection technology before, wasting millions of dollars. It may be doing so again.

My current assessment remains that strip-search machines provide a small margin of security at a very high risk to privacy. TSA efforts to control privacy risks have been welcome, though they may not be enough. The public may rationally judge that the security gained is not worth the privacy lost.

Wouldn’t it be nice if decisions about security were handled in a voluntary rather than a coercive environment? With airlines providing choice to consumers about security and privacy trade-offs? As it is, with government-run airline security, all will have to abide by the choices of the group that “wins” the debate.

I’m a big fan of CNET’s “Buzz Out Loud” podcast and often enjoy co-host Molly Wood’s occasional “Molly Rant” but I’m disappointed to see her jumping on the Google-bashing bandwagon with her latest rant: “Google Buzz: Privacy nightmare.” Instead of appreciating the “privacy by design” features of Buzz, she seems to be rushing to privacy paternalism—just as I feared many would when I blogged about the Buzz launch.

Molly’s primary complaint, repeated several times, is that “you automatically follow everyone in your Gmail contact list, and that information is publicly available in your profile, by default, to everyone who visits your profile.” Actually, while Buzz does automatically follow some users your contact list, it does so only for the ones you chat with most using Gmail (which I believe means only other Gmail users). After that, Buzz simply tells you when other users follow you, and makes it easy to follow them.

So what’s the big deal? Molly’s concern, shared by a number of other bloggers, is that, before a user can start Buzzing, they have to set up Google Profile (another Google product launched last August, which typically appears on the bottom of the first page of Google search results for that name) and the default setting for Google profiles is to “Display the list of people I’m following and people following me.” In this respect, your Google Profile is a lot like your Facebook profile, except that users can decide to hide their followers/followees on their Google profile. (On Facebook, that information is part of the limited bucket of “publicly available information” and can’t be hidden by the user from their profile, but users can opt-out of having their profile accessible at all through search engines or Facebook search.)

There are essentially three ways of dealing with this concern about inadvertent sharing of sensitive contacts:

1. Buzz could autofollow no one—in which case many users would probably log in, see no Buzzes from other users because they’re not yet following anyone, wonder what all the fuss is about, and abandon the service without really getting the sample experience that having a small set of automatically added followers provides.
2. Gogole could change the default setting for Google profiles not to “Display the list of people I’m following and people following me.” This change in default would make a huge difference in just how easy it is to build out one’s social network, since the best way to find friends you may not have in your own contact book is to look at the list of users your friends are following.
3. Google provide clearer notice to users to remind them that their most frequent contacts may be publicly visible on their Gooogle profile—which is exactly what Google implemented earlier today by adding the text shown in this splash screen for initial creation of a Google Profile:

Somehow, I suspect that won’t be good enough for her and many other users complaining about this. I wouldn’t be surprised to see the privacy paternalists at EPIC filing another complaint with the FTC arguing that users are too stupid to figure this out for themselves, so the government has to do it for them—no matter the costs to other users in added hassle and a less useful network.

There just isn’t anything wrong with encouraging consumers to use your product rather than making it hard for them to get involved. The success of any social network in achieving a critical mass of vibrant, broad-based participation depends critically on differences as small as whether a user sees a few users when they first start out—or just an empty Inbox. Ban things like autofollowing, no matter how transparent to the user and easy to over-ride they might be, and you’ll make it a lot harder for the next social networking service to get off the ground—and pose a challenge to Google, Facebook and Twitter.

Molly’s next complaint:

let’s say you’ve customized your Google profile page with the vanity URL Google helpfully offers at the bottom of the page. Well, that’d be your e-mail handle. Anytime anyone does an @ reply to you, they’ve broadcast your e-mail address to the world.

True indeed. But she fails to mention that the vanity URL (in my case, http://www.google.com/profiles/berin.szoka) is purely opt-in.  When a user first sets up a Google Profile, they’re given a non-identifying string for their URL that doesn’t tie to their email address. Just above the option to opt-in to the vanity email is this explanation (emphasis added):

To make it easier for people to find your profile, you can customize your URL with your Google email username. (Note this can make your Google email address publicly discoverable.) This unique name will also be used in other links to your content on Google. To help others discover your profile, in some Google services contacts who know your email address will see a link to your profile

So… what more should Google to do? I guess they could bold and italicize the warning as I’ve done…

She’s even more clearly mistaken about the way Buzz works on mobile phones (as one commenter noted):

there are no preferences in the Android app–no way, near as I can tell–to choose to broadcast only to the list of people you follow or a group you’ve established, as you can in the Web interface. So be equally prepared for everyone around you to know who you are and where you are when you post to Buzz from your phone. Yeah, no, really. I’m totally not making this up.

Actually, Buzz is accessible through the mobile browser (not an app), and it gives users the same choice every time they post a new Buzz as to whether the Buzz should be public or private—just as on the desktop browser version. The default setting is public, yes, but so what? Is it really that hard to click “Private?” When you do, you’ll get a list of whatever contact groups you’ve created so you can share your Buzz just with that list—or you can start a new list.

Moreover, “Show Nearby Users” feature only shows Buzzes from users who have decided to broadcast their location.

A number of these responses were raised by commenters on the piece. Most notable was this comment (originally written in ee cummings style, which I have punctuated for readability), which takes issue with Molly’s central complaint that there should be more “setup required”:

i like your show for the most part, molly. but seriously, privacy on the internet these day is like having sex: it’s on us to protect ourselves. it may say “no set up required.” but if we are concerned about things getting out that we don’t want, always check the setting! it’s your virtual condom. wrap it up…

Crude, but exactly right: It’s one thing for Molly and others to suggest ways for Google to make the privacy controls for Buzz and Google Profile more accessible and easily understandable. Google’s already shown its eagerness incorporate constructive suggestions to that end. But it’s quite another thing for privacy paternalists to insist that we just can’t expect users to take any responsibility for their own privacy.

Instead of preaching “Sharing-abstinence-only” (which is what the paternalists’ cry for “opt-in” boils down to), we should be teaching users how to engage in “safer-sharing”—and encouraging companies like Google to build user interfaces that make safety options as easy to use as possible without breaking the whole site. As with sex, there’s no such thing as 100% safe-sharing, but, hey, that’s life. We accept risks all the time—every time we drive, get on a plane or trust that the restaurant meal we’re about to eat hasn’t been contaminated or poisoned. As Adam has reminded us, we need to keep in mind the “proportionality” of the risks involved compared to the benefits, and, ultimately, trust users to chose for themselves.

Addendum: Given the discussion below, I want to reiterate the point I stressed when I first blogged about this, responding to questions raised by Larry Magid in the initial Buzz launch press conference:

I’m glad that Larry is raising these concern as someone who has done yeoman’s work in educating Internet users, especially kids, about how to “Connect Safely” online (the name of his advocacy group). The fact that companies like Google know they’ll get questions like Larry’s is hugely important in keeping them on their toes to continually plan for “privacy by design.” But I do worry that those with a political axe to grind will take these same questions and twist them into arguments for regulation based on the idea that if some people forget to use a tool or just don’t get care as much about protecting their privacy as some self-appointed “privacy advocates” think they should, the government—led by Platonic philosopher kings who know what’s best for us all—should step in to protect us all from our own forgetfulness, carefulness or plain ol’ apathy. After all, consumers are basically mindless sheep and if the government doesn’t look after them, the digital wolves will devour them whole!

So, by all means, let’s hear some healthy criticism about how Google has implemented Buzz and talk about how the “privacy by design” features can be improved. But let’s make sure to get our facts straight before rushing to assume the worst—or before calling in the Feds to take over.

Says Epic Games founder and CEO Tim Sweeney. I wonder what the FTC will think about this prospect in the report Congress asked them to send this year about video games.  I think it’s safe to assume that the thought of life-like sex and violence will create a true technopanic.

Unlike with wiretaps, law enforcement agents are not required by federal statutes to obtain search warrants before employing pen registers or trap and trace devices. These devices record non-content information regarding telephone calls and Internet communications. (Of course, “non-content information” has quite a bit of content – who is talking to whom, how often, and for how long.)

The Electronic Privacy Information Center points out in a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-VT) that the Department of Justice has consistently failed to report on the use of pen registers and trap and trace devices as required by law:

The Electronic Communications Privacy Act requires the Attorney General to “annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.” However, between 1999 and 2003, the Department of Justice failed to comply with this requirement. Instead, 1999-2003 data was provided to Congress in a single “document dump,” which submitted five years of reports in November 2004. In addition, when the 1999-2003 reports were finally provided to Congress, the documents failed to include all of the information that the Pen Register Act requires to be shared with lawmakers. The documents do not detail the offenses for which the pen register and trap and trace orders were obtained, as required by 18 U.S.C. § 3126(2). Furthermore, the documents do not identify the district or branch office of the agencies that submitted the pen register requests, information required by 18 U.S.C. § 3126(8).

EPIC has found no evidence that the Department of Justice provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. “This failure would demonstrate ongoing, repeated breaches of the DOJ’s statutory obligations to inform the public and the Congress about the use of electronic surveillance authority,” they say.

It’s a good bet, when government powers are used without oversight, that they will be abused. Kudos to EPIC for pressing this issue. Senator Leahy’s Judiciary Committee should ensure that DoJ completes reporting on past years and that it reports regularly, in full, from here forward.

Earlier this month, Google made news when it announced that its cloud computing productivity suite Google Docs had suffered a technical glitch that temporarily compromised a subset of users’ shared documents. After becoming aware of this glitch, Google notified its users via email and posted an entry to the Official Google Docs Blog that offered a more detailed explanation of what happened.

It turns out that a bug in Google’s permissions code was causing certain documents that had been shared by their author with other users but subsequently unshared to remain visible to those users. By the time Google notified its users, the bug had already been resolved, and Google estimates that only around 0.05% of all documents were vulnerable due to the glitch. As to how many documents were actually viewed by unauthorized parties, it’s unclear at this point.

All in all, the Google Docs glitch, while troubling, seems relatively minor as far as bugs go. Nevertheless, the Electronic Privacy Information Center’s Mark Rotenberg jumped on the chance to attack Google, as he often does when Google makes news for anything privacy-related. Yesterday, EPIC filed a complaint with the Federal Trade Commission that called on the FTC to investigate Google’s privacy safeguards, order Google to shut down all cloud computing services—including Gmail, which has 26 million users—pending a thorough privacy evaluation, and force Google to pay $5 million to a fund that would be setup for “privacy research.”

Watchdog activist groups like EPIC can play a useful role in the public discourse on privacy, helping to publicize unsavory behavior by companies and educating consumers about keeping data secure. Unfortunately, however, these groups’ admirable focus on protecting privacy sometimes edges on the myopic, causing them to overreact to data breaches and sometimes even call for regulatory interventions that are decidedly anti-consumer. EPIC’s latest complaint about Google is a classic example of this.

How would it be in consumers’ interests for the FTC to shut down Google’s cloud computing services until Google can offer its users an ironclad data security guarantee? Gmail has been at the forefront of innovation in webmail, and was among the first providers to offer its users gigabytes of free storage and SSL-encrypted IMAP connectivity. And Google Docs is a wildly popular alternative to Microsoft Office that doesn’t cost a dime to use. Shutting down both of these services would be extremely detrimental to the millions of consumers and small businesses who find the service useful and valuable and are willing to accept the small risk of a bug or data breach. But Mark Rotenberg wants to deny consumers that choice. Concerned users can already close their Google account and switch to another productivity suite; Google even makes it easy for users to export their data in an open source format for painless migration.

It’s unrealistic to expect watertight privacy safeguards in a world in which information sharing is on the rise. As collaborative software and cloud computing grow in popularity, the number of potential avenues for breaches, bugs, and compromises will only increase. But closing every service that suffers a bug until federal regulators can comb through every line code isn’t the solution—the solution already exists. Companies like Google risk losing billions of dollars if consumers lose faith in cloud-based products.

Leaks of sensitive data did not begin with the invention of the Internet, and breaking agreements that promise confidentiality has long been a matter of civil liability. In other words, the proper venue for recourse against Google is not the FTC but the courts. Instead of EPIC complaining to the FTC, victims of the Google Docs bug should be taking Google to court. There’s no reason for the FTC to intervene every time there’s a security flub when existing liability laws combined with market pressures already give the Googles of the world a strong incentive to guard against breaches.

The ever-present threat of FTC action against firms can have extremely destructive consequences for online innovation. What EPIC is advocating — for the FTC force a company to shut down one of its product suites on account of a single, relatively minor bug — would be a case of harmful regulatory action.

Facebook sparked a major user uprising when it amended its terms of service earlier this month to grant the social networking site greater licensing rights over user-submitted content. The implications of Facebook’s amended Terms of Use were originally uncovered by The Consumerist this past Sunday in a story entitled, “Facebook’s New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.'” The title pretty much sums up what the controversy was all about: under Facebook’s amended Terms of Use, even after a user deletes his Facebook account, Facebook would retain its license to distribute nearly all types of user-submitted content including photos and videos.

Predictably, news of Facebook’s expanded licensing rights made many users angry, with several Facebook groups against Terms of Use modifications popping up, attracting thousands of members overnight. As is often the case with juicy reports like this one, news of the Facebook fiasco spread throughout the blogosphere rapidly, eventually making its way to major tech sites and even the main page of CNN.com. By yesterday afternoon, a snapshot of Mark Zuckerberg‘s face was plastered on Fox News Channel, next to an excerpt of an entry he posted to Facebook’s blog in defense of the social networking site’s new terms.

Facebook’s explanation of its new terms seemed reasonable enough: even after a user quits Facebook, material that user has posted on friends’ walls and other messages the user has sent to others may remain available. Facebook also noted that its perpetual license only allowed the site to use material in accordance with departed users’ privacy settings (presumably at the time of their departure). Under the new terms, therefore, Facebook would still be required to respect albums marked as private–and ensure they stay that way.

But the seemingly stark contrast between Facebook’s attempts to justify the changes to its terms of use and, well, the actual language of terms themselves left many observers dissatisfied. In theory, if a user who had a Facebook photo album open to her entire network were to delete her account, Facebook would retain license to make those photos available to members of her network in perpetuity. And depending on how you parse the amended terms, Facebook could even use your profile pic in ads for the social network long after you terminated your Facebook account.

Would Facebook actually do any of these things? Probably not. As Zuckerberg pointed out, Facebook “wouldn’t share your information in a way you wouldn’t want.”  Taking this a step further, I think that even if Facebook saw a chance to earn a quick buck or two by selling departed users’ images, such a move would undoubtedly spur user backlash orders of magnitude more severe than anything the site has experienced before. Instead of thousands of users in arms, there’d be millions, and a mass exodus of users would be a very real possibility. Despite Facebook’s awesome success in the social networking arena, there are lots of robust alternatives to Facebook out there that would love nothing more than to provide a home to disaffected Facebook users. Facebook’s execs know all of this, which is why I highly doubt the site would ever commit any of the violations that some have speculated might be possible under the new terms.

Of course, none of these assurances–however comforting they may be–would hold up in court. Even though Facebook probably wouldn’t ever misuse its license to user content, it could under its new terms. That fact alone is unsettling to many users.

All these concerns were rendered largely moot this morning when Facebook announced that it had decided to revert to a previous version of its Terms of Use, thereby nullifying the changes responsible for the uprising. Facebook’s move isn’t especially surprising, nor is it unprecedented. Back in late 2007, Facebook unveiled an advertising service called Beacon that tracked the buying habits of Facebook users for advertising purposes. Beacon allowed your friends to see your purchasing habits, sparking privacy concerns and media scrutiny. After a few weeks, Facebook gave in to pressure and began allowing users to opt-out of Beacon entirely by changing their privacy settings.

The peaceful resolution of the latest Facebook fiasco further hammers home an argument that many of us TLFers have made time and time again: especially on the Web, companies have little choice but to listen to their users, and firms often find that they can’t get away with unsavory practices that might have flown under the radar in another era without spurring user backlash and, worse still, bad PR. As Bob Garfield aptly put it, when disputes between consumers and businesses arise in age of the Internet and the blogosphere, ” the Herd Will Be Heard.”

If Facebook had not relented, there’s a chance government would’ve gotten involved. Yesterday, the Electronic Privacy Information Center had announced it was “readying a complaint” against Facebook with the Federal Trade Commission. And even if that complaint hadn’t gone anywhere, chances are some member of Congress would have seen it fit to “investigate” social networking practices and send Facebook a detailed questionnaire about its content licensing policies.

But as the user uprising and Facebook’s quick reaction illustrate, markets are perfectly capable of resolving many kinds of disputes quickly and efficiently. Regulators are the dinosaurs of the digital era. Even if the FTC had acted on EPIC’s planned complaint, any regulatory ruling probably would not have emerged until long after the fiasco had been resolved–either by Facebook relenting, or by users ditching Facebook for a competing social network.

We’ll never know what would have happened had Facebook held firm, but if history is any guide, keeping regulators at bay may well have been a wise move on Facebook’s part.

Over the past year or so, many market-oriented critics of Google, like Scott Cleland and Richard Bennett, have criticized the company for aligning itself with Left-leaning causes and intellectuals. Lately, however, what I find interesting is how many leading leftist intellectuals and organizations have begun turning on the company and becoming far more critical of the America’s greatest capitalist success story of the past decade. The reason this concerns me is that I see a unholy Right-Left alliance slowly forming that could lead to more calls for regulation not just of Google, but the entire search marketplace.  In other words,  “Googlephobia” could bubble over into something truly ugly.

Consider the comments of Tim Wu and Lawrence Lessig in Jeff Rosen’s huge New York Times Magazine article this weekend, “Google’s Gatekeepers.” Along with Yochai Benkler, Lessig and Wu form the Holy Trinity of the Digital Left; they set the intellectual agenda for the Left on information technology policy issues. Rosen quotes both Wu and Lessig in his piece going negative on Google. Wu tells Rosen that “To love Google, you have to be a little bit of a monarchist, you have to have faith in the way people traditionally felt about the king.” Moreover:

“The idea that the user is sovereign has transformed the meaning of free speech,” Wu said enthusiastically about the Internet age. But Google is not just a neutral platform for sovereign users; it is also a company in the advertising and media business. In the future, Wu said, it might slant its search results to favor its own media applications or to bury its competitors. If Google allowed its search results to be biased for economic reasons, it would transform the way we think about Google as a neutral free-speech tool. The only editor is supposed to be a neutral algorithm. But that would make it all the more insidious if the search algorithm were to become biased. “During the heyday of Microsoft, people feared that the owners of the operating systems could leverage their monopolies to protect their own products against competitors,” says the Internet scholar Lawrence Lessig of Stanford Law School. “That dynamic is tiny compared to what people fear about Google. They have enormous control over a platform of all the world’s data, and everything they do is designed to improve their control of the underlying data. If your whole game is to increase market share, it’s hard to do good, and to gather data in ways that don’t raise privacy concerns or that might help repressive governments to block controversial content.”

So, here we have Wu raising the specter of search engine bias and Lessig raising the specter of Google-as-panopticon. And this comes on top of groups like EPIC and CDT calling for more regulation of the online advertising marketplace in the name of protecting privacy.  Alarm bells must be going off at the Googleplex. But we all have reason to be concerned because greater regulation of Google would mean greater regulation of the entire code / application layer of the Net.  It’s bad enough that we likely have greater regulation of the infrastructure layer on the way thanks to Net neutrality mandates. We need to work hard to contain the damage of increased calls for government to get its hands all over every other layer of the Net.

Declan McCullagh, CNET News’ chief political correspondent, does a nice job debunking the privacy fears about Google Flu Trends that a couple of pro-regulatory privacy advocates have set forth. Flu Trends is a very cool application that uses search terms as an indicator of possible upticks in flu-related illnesses in various regions of the U.S.  Of course, it didn’t take long for some Chicken Littles to rain on the parade with their irrational fears about data privacy. As Declan notes, however, there is no personally identifiable information being collected or shared here. It’s just search term analysis. Moreover, if these privacy-sensitive advocates are really that paranoid about it, they should just just Tor or another anonymizer to cloak their searches instead of calling in the regulators to suffocate another technology while its still in the cradle.

Anyway, make sure to read Declan’s excellent piece.