The week-long Cato Unbound online debate about the 10th anniversary of Lawrence Lessig’s Code and Other Laws of Cyberspace continues today with Prof. Lessig’s response to Declan McCullagh’s opening essay, “What Larry Didn’t Get,” Jonathan Zittrain’s follow-up essay, and my essay on, “Code, Pessimism, and the Illusion of ‘Perfect Control.’”  Needless to say, Prof. Lessig isn’t too happy with my response. You should jump over to the Cato site to read the entire thing, but here are a couple of excerpts and my response.

To my suggestion that there is a qualitative difference between law and code, Prof. Lessig says:

I’ve argued that things aren’t quite a simple as some libertarians would suggest. That there’s not just bad law. There’s bad code. That we don’t need to worry just about Mussolini. We also need to worry about DRM or the code AT&T deploys to help the government spy upon users. That public threats to liberty can be complemented by private threats to liberty. And that the libertarian must be focused on both.  […] Of course, law is law. Who could be oblivious to that? And who would need a book to explain it?  But the fact that “law is law” does not imply that it has a “much greater impact in shaping markets and human behavior.” Sometimes it does — especially when that “law” is delivered by a B1 bomber. But ask the RIAA whether it is law or code that is having a “greater impact in shaping markets” for music. Or ask the makers of Second Life whether the citizens of that space find themselves more constrained by the commercial code of their geo-jurisdiction or by the fact that the software code of Second Life doesn’t permit you simply to walk away (so to speak) with another person’s scepter. Whether and when law is more effective than code is an empirical matter — something to be studied, and considered, not dismissed by banalities spruced up with italics.

Well, I beg the professor’s pardon for excessive use of italics.  [I won’t ask for an apology for misspelling my last name in his piece!] Regardless, it’s obvious that we’ll just never see eye-to-eye on the crucial distinction between law and code. Again, as I stated in my essay: “With code, escape is possible. Law, by contrast, tends to lock in and limit; spontaneous evolution is supplanted by the stagnation of top-down, one-size-fits-all regulatory schemes.”

Lessig largely dismisses much of this with that last line above, suggesting that we just need to keep studying the matter to determine the right mix of what works best.  To be clear, while I’m all for studying the impact of law vs. code as “an empirical matter,” that in turn begs the question of how we define effectiveness or success. I suspect that the professor and I would have a “values clash” over some rather important first principles in that regard.  This is, of course, a conflict of visions that we see throughout the history of philosophy; a conflict between those who put the individual and the individual’s rights at the core of any ethical political system versus those who would place the rights of “the community,” “the public” or some other amorphous grouping(s) at the center of everything.  It’s a classic libertarian vs. communitarian / collectivist debate.

Lessig, however, makes it clear in his response that he doesn’t take kindly to being called a cyber-collectivist, even accusing me of “red-baiting” by using the term.  But the collectivism of which I speak is a more generic type; not the hard-edged Marxist brand of collectivism of modern times.   What separates Lessig’s brand of cyber-collectivism from the cyber-libertarianism that I espouse is a general preference for who calls the shots most of the time.  Quite obviously, I place an enormous amount of faith in largely unfettered markets in code to generally advance the values of individual liberty, freedom of speech, and economic innovation more often than rule by politics and public officials will.  Prof. Lessig is obviously far more enamored with the potential of the state and politics to play a beneficial role in shaping things.

Thus, even though Prof. Lessig rejects the association, Declan McCullagh was right to point to the distant influence of Plato on Code and much of Lessig’s other work.  (And there’s a bit of Rousseauian influence there, too.)  In any event, if Prof. Lessig takes offense at this label and wants to call his approach something other than cyber-collectivism, than by all means be my guest; invent a new term and I’ll use it.  But to me, as a student of political philosophy, I see his philosophy as just another variant of collectivism and just don’t know what else to call it.  This isn’t “red-baiting;” it’s simply an exercise in philosophical classification.

To some extent, Prof.  Lessig undercuts my arguments here in concluding his essay by asking that we “focus on a large number of difficult questions that remain… about how to preserve the liberty of society and the Net against the ever-expanding harm caused by the captured corruption that we call democratic government.”  Hey, now that sounds like something a true libertarian might say! (Except that we would have likely used the phrase “preserve the liberty of the individual” instead of “society”!) Regardless, Lessig is at least willing to admit that there may be some problems in paradise for Platonist thinking or Rousseauian romanticism.

Alas, for reasons articulated quite nicely here by Tim Lee in the past, “Lessig clearly understands what it takes to catch the interest of conservative- and libertarian-minded readers, and he’s not above spinning his arguments to maximize their appeal to the people he’s addressing.” For the libertarian, there is only one fool-proof solution to the problem of government corruption: You shrink the Leviathan. From what I’ve seen of Lessig’s proposals so far to address corruption, however, he’s not really willing to have that conversation. It’s all about the old “getting money out of politics” and “kill all the lobbyists” approach. Unfortunately, as Tim notes:

The problem isn’t that there’s a discrete list of corrupt practices that we can identify and prohibit. The problem is that if politicians are willing to be corrupted, and special interests are willing to spend resources to corrupt them, they’ll find ways to get it done. You can certainly reduce the effect on the margin — by banning overt bribery, for example — but once you’ve banned the really obvious categories of back-scratching, it becomes more and more difficult to make any further progress. What’s going on in Washington is disgusting, to be sure, but it’s not new or unique to the United States. And I think fixing it is going to be a lot more challenging than Lessig imagines.

I couldn’t agree more.  Nonetheless, I eagerly await more details from Prof. Lessig regarding his new effort to address corruption in our political system, however he defines it.  He may set forth some reform proposals that we libertarians find quite sensible and ultimately endorse.  But if “reform” instead comes in the form of layers of additional campaign finance regulations, well then, I think we’ll find ourselves disagreeing once again. Because many of those so-called reforms are simply free-speech violating restrictions on the rights of both individuals to petition their government.

But to conclude this exchange on a good note, let me just say that — at least in theory — I wholeheartedly endorse Lawrence Lessig’s call to protect “the Net against the ever-expanding harm caused by the captured corruption that we call democratic government.”   And I hope someday he will be more open to the notion that limits on the power of the state are the ultimate key to accomplishing that goal.

The Cato Unbound online debate about the 10th anniversary of Lawrence Lessig’s Code and Other Laws of Cyberspace continues today with my response to Declan McCullagh’s opening essay, “What Larry Didn’t Get,” as well as Jonathan Zittrain’s follow-up.

In my response, “Code, Pessimism, and the Illusion of ‘Perfect Control,'” I begin by arguing that:

The problem with peddling tales of a pending techno-apocalypse is that, at some point, you may have to account for your prophecies — or false prophecies as the case may be. Hence, the problem for Lawrence Lessig ten years after the publication of his seminal book, Code and Other Laws of Cyberspace.

I go on to argue that:

Lessig’s lugubrious predictions proved largely unwarranted. Code has not become the great regulator of markets or enslaver of man; it has been a liberator of both. Indeed, the story of the past digital decade has been the exact opposite of the one Lessig envisioned in Code.

After providing several examples of just how wrong Lessig’s predictions were, I then ask:

[W]hy have Lessig’s predictions proven so off the mark? Lessig failed to appreciate that markets are evolutionary and dynamic, and when those markets are built upon code, the pace and nature of change becomes unrelenting and utterly unpredictable. With the exception of some of the problems identified above, a largely unfettered cyberspace has left digital denizens better off in terms of the information they can access as well as the goods and services from which they can choose. Oh, and did I mention it’s all pretty much free-of-charge? Say what you want about our cyber-existence, but you can’t argue with the price!

I am forced to admit, however, that Lessig’s book has had enormous impact of the field of cyberlaw and digital technology policy:

This brings me to what I believe is the most important impact of Code: the philosophical movement it has spawned. As Declan noted in his opening essay, Code “offered a burgeoning protest movement [a] unifying theme and philosophy” in that it was both a polemic against cyber-libertarianism and a sort of call-to-arms for cyber-collectivism. It gave this movement its central operating principle: Code and cyberspace can be bent to the will of the collective, and it often must be if we are to avoid any number of impending disasters brought on by those nefarious (or just plain incompetent) folks in corporate America. Led by a gifted, prolific set of disciples such as Jonathan Zittrain and Tim Wu, as well as increasingly influential activist groups such as Public Knowledge and Free Press, Lessig’s cyber-collectivists continue to preach skepticism regarding markets and property rights, and a general openness to — and frequent embrace of — government solutions to digital-era dilemmas. […]  Prof. Lessig and his movement are winning the battle of ideas on the cyber-front today. We have Code to thank — or blame — for that.

Please head over to the Cato Unbound website to read the entire thing.  Prof. Lessig’s response is scheduled to be posted on Monday.

I’ve been catching up on Radio Berkman, the podcast produced by our friends at the Berkman Center for Internet & Society and a great companion to the TLF’s own Tech Policy Weekly Podcast.  There’s been a lot of talk about government transparency on the TLF lately, including TPW 40: Obama, e-Government & Transparency.  But that conversation has been mainly focused on how to make “public” records accessible.

The most recent Radio Berkman episode, “Can you Keep a Secret?” explores the thorny questions about what should be deemed public in the first place, and what should be classified:

The government keeps secrets. We take that for granted. But should we? Some speculate that intelligence agencies and elected officials are a little bit trigger happy with the “Top Secret” stamp, and that society would benefit from greater openness. With the government classifying millions of pages of documents per year – in a recent year the U.S. classified about five times the number of pages added to the Library of Congress – a great deal of useful human knowledge gets put under lock and key. But some argue that secrecy is still crucial to our national security. Radio Berkman pokes its head into a recent talkback with the directors of the film  Secrecy, Harvard University professors Peter Galison and Robb Moss. They are joined by Harvard Law School professors Jonathan Zittrain, Martha Minow, and Jack Goldsmith.

I look forward to seeing the film (when it comes out on Netflix).  

What I found most interesting was the discussion of the essential trade-off in the relationship between the media and the state has always been between the media’s “independence” and its “responsibility” (~33:30 in).  Even the staunchest critics of the national security state would probably accept that there are some stories in the media shouldn’t publish because they’d jeopardize the safety of Americans.  But we all want the media to blow the whistle on the bad stuff that goes on behind a veil of secrecy.  Drawing that line is a terribly difficult task.  But it becomes even more complicated with the decline of traditional professional investigative journalism and the rise of blog/amateur journalism.  

I’m generally not very sympathetic to the chicken-littleism of those who bemoan the fact that journalism is being forced to evolve and innovate by technological change, but on this point, it does indeed seem more likely that the increasingly diffuse media will act less “responsibly” by running stories that really shouldn’t be run.  As one of the panelists points out, the problem is not so much that journalists (of whatever kind) don’t want to be responsible; it’s that they can’t possibly know enough about the context of their story to appreciate why publishing the story might be damaging in surprising ways (such as exposing the capability of U.S. spy satellites by publishing a photo of a Soviet tank).  In the “good” old days of media scarcity, the small number journalists whose beat touched on national security had the luxury of being able to think through their stories and having personal relationships with someone inside the government who could be relied on to tell them whether the story really shouldn’t be run or, even more importantly, which particular aspect of a story truly deserved secrecy.  

The panelists also touched on a separate danger:  the “independence” of media will suffer from economic dependence on the government.  Would a newspaper sucking at the teet of government bail-outs really have run photos of American soldiers torturing prisoners at Abu Ghraib, for example?  Herein lies a secondary danger of the rise of Internet journalism—that traditional media will become less effective watchdogs as their bottom line suffers and government starts to supplement income once provided by advertising revenue.  Were classified ads the very thing that kept newspapers independent?  What will happen if newspapers cannot shed their physical distribution costs, or find new sources of revenue in the form of smarter advertising, subscriptions, micro-payments or donations?  Adam Thierer has discussed these tough questions and others.

Other interesting points:

• Protective orders no longer offer an effective safety valve by which certain parties can gain access to classified materials because the ease of Internet publishing means that such orders too often lead to disclosure.
• 80% of leaks of classified documents are made by persons inside the Executive branch for political purposes (usually in order to advance a pet policy).  If that’s true, then maybe the “problem” (to the extent that leaks really are a problem, as some leaks certainly are) is more on the “supply” side (at the leaks’ source) and less on the “demand” side (investigative journalism).  If so, perhaps the ethics of journalistic responsibility matter less than we might think. 

In case you’ve been in a pre-holiday daze this week, the blogosphere has been atwitter (not to mention a-twittering) with the news that the Hon. Louis L. Stanton, the Federal district judge presiding over Viacom’s massive copyright infringement suit against YouTube has ordered Google, which owns YouTube, to turn over its viewership records (12 terabytes).  Most notably, TechCrunch’s Michael Arrington has called Judge Stanton a “moron” for failing to appreciate that “handing over user names and a list of videos they’ve watched to a highly litigious copyright holder is extremely likely to result in lawsuits against those users that have watched copyrighted content on YouTube.”  Whatever one thinks of the Viacom v. YouTube/Google case, Arrington’s concern is misplaced (if not hysterical) and his logic betrays his ignorance of how litigation actually works. 

Judge Stanton’s July 2 order (PDF) explains:

[YouTube and Google’s] “Logging” database contains, for each instance a video is watched, the unique “login ID” of the user who watched it, the time when the user started to watch the video, the internet protocol address other devices connected to the internet use to identify the user’s computer (“IP address”), and the identifier for  the video.  That database (which is stored on live computer hard drives) is the only existing record of how often each video has been viewed during various time periods. Its data can “recreate the number of views for any particular day of a video.” Plaintiffs [primarily Viacom] seek all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website. They need the data to compare the attractiveness of allegedly infringing videos with that of non-infringing videos. A markedly higher proportion of infringing-video watching may bear on plaintiffs’ vicarious liability claim, and defendants’ substantial non-infringing use defense.

While Stanton denied other requests made by Viacom for the search code that powers YouTube and Google Video on the grounds that Viacom had not made a sufficient showing of need for such records, he rejected Google’s arguments that turning over the large amount of viewer data would be unduly burdensome (given today’s cheap and convenient storage).  Also rejecting Google’s “speculative privacy concerns,” the judge agreed with Viacom that, the “’login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube’ which without more ‘cannot identify specific individuals.'”  The judge noted that Google–hoisted on its own petard–had elsewhere taken the position that IP addresses alone are not personally identifying:

We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.

The Electronic Frontier Foundation raises the valid question of whether the release of viewer data would violate the Video Privacy Protection Act (VPPA), passed in 1988 after a newspaper disclosed Supreme Court nominee Robert Bork’s video rental records during his controversial and abortive nomination.  While Judge Stanton’s order dismisses this law as inapplicable in a footnote, EFF argues that the law does in fact apply because (i) the law covers “prerecorded video cassette tapes or similar audio visual materials,” which should include YouTube and (ii) some user names do identify users (e.g., “berinszoka”).  If EFF is correct, the VPPA would preclude the kind of comprehensive data production ordered by Judge Stanton.

Whether EFF is correct as a legal matter, this is certainly the kind of question privacy advocates should ask.  Those of us who argue that government should generally address concerns about user privacy by enforcing privacy policies (rather than dictating to companies how they should treat data through regulation) must be especially vigilant whenever the government forces companies to turn over potentially identifying user data, either to other companies in lawsuits such as this one or to law enforcement, lest the threat of the real “Big Brother” (government) completely obscure the fact that companies like Google live and die by their reputation, and thus have strong incentives to protect user privacy.

But Arrington is not engaging in such thoughtful analysis, merely name-calling:

I can understand why Judge Stanton, who graduated from law school in 1955, may be completely and utterly clueless when it comes to online video services. But perhaps one of his bright young clerks or interns could have told him that (1) handing over user names and a list of videos they’ve watched to a highly litigious copyright holder is extremely likely to result in lawsuits against those users that have watched copyrighted content on YouTube, and (2) YouTube’s source code is about as valuable as the hard drive it would be delivered on, since the core Flash technology is owned by Adobe and there are countless YouTube clones out there, most of which offer higher quality video. … Judge Stanton doesn’t seem to care much about [the the Video Privacy Protection Act] for now. And he clearly doesn’t understand that far more data is being transferred than is necessary to comply with Viacom’s core stated concern, which is to understand the popularity of copyright infringing v. non-infringing material. Viacom has asked for far more data than that, and there’s only one use for that data: to sue individual users (or shake them down via the threat of lawsuit, which has been perfected by the RIAA) who have watched a few music videos or television shows on YouTube. I say this with the utmost respect, but Judge Stanton is a moron. And Google simply cannot hand this data over without facing a class action lawsuit of staggering proportions.

Is Arrington unfamiliar with the concept of a protective order?  A standard feature of any major lawsuit, protective orders allow parties to limit use of sensitive information they may be required to provide in the “discovery” process during litigation.  In this case, the protective order grants access to the viewership data Google is required to provide to a very limited number of individuals on plaintiffs’ litigation team, requires that they “maintain that information … in confidence and use it only for the purposes of this litigation.”  Thus, as noted by CNET, the viewership records could not be used in copyright infringement lawsuits against users, such as those pursued by the Recording Industry Association.

For those interested, here is the most recent protective order in the case (see paragraphs 3 and 10):

Of course, there is always the possibility that such records, once released, might be accidentally disclosed–though the fact that the plaintiffs in this case are subject to criminal sanctions for violation of the protective order does create a rather strong incentive for them to avoid such disclosures.  (EFF provides the example of 2006 “AOL search data scandal.”)  Accidental disclosure–or hacking–certainly is a valid concern.  Indeed, this exactly the kind of concern that always weighs in the balance when courts make decisions about whether to order the production of documents.  In this particular case, Stanton noted, in rejecting Viacom’s demands for the YouTube and Google Video search code, that “the protections set forth in the stipulated confidentiality order are careful and extensive, but nevertheless not as safe as nondisclosure.”  That is, Viacom had not shown sufficient need for the search code to overcome the risk of accidental disclosure–while he reached the opposite conclusion on viewership records.

The real question here is a difficult one of balancing the plaintiff’s need for certain data to make its case against concerns about sensitivity of the data at issue.  Such questions are highly fact-dependent and it is always difficult for those outside the case to evaluate the claims, since we lack all the key details, many of which has been redacted from court filings.

Setting aside (but not trivializing) EFF’s arguments about the VPPA, the most one can say here is that Google’s response–to request that Viacom “respect users’ privacy and allow us to anonymize the logs before producing them under the court’s order”–seems eminently reasonable, at least from the outside.  Certainly such a solution would set a valuable precedent for future disclosures that would allow plaintiffs like Viacom access to data where necessary while minimizing the risks to users’ privacy.  Such a solution would be akin to the March 2006 court order that required Google to disclose only a sample of Google’s search index, rather than individual user search terms, in response to the Justice Department’s broader demands for data it said it needed to test software intended to block access to child pornography.