Last week, it was my great pleasure to be invited on NPR’s “On Point with Tom Ashbrook,” to debate Jeffrey Rosen, a leading privacy scholar and the president and chief executive of the National Constitution Center. In an editorial in the previous Sunday’s New York Times (“Madison’s Privacy Blind Spot”), Rosen proposed “constitutional amendment to prohibit unreasonable searches and seizures of our persons and electronic effects, whether by the government or by private corporations like Google and AT&T.” He said his proposed amendment would limit “outrageous and unreasonable” collection practices and would even disallow consumers from sharing their personal information with private actors even if they saw an advantage in doing so.

I responded to Rosen’s proposal in an essay posted on the IAPP  Privacy Perspectives blog, “Do We Need A Constitutional Amendment Restricting Private-Sector Data Collection?” In my essay, I argued that there are several legal, economic, and practical problems with Rosen’s proposal. You can head over to the IAPP blog to read my entire response but the gist of it is that “a constitutional amendment [governing private data collection] would be too sweeping in effect and that better alternatives exist to deal with the privacy concerns he identifies.” There are very good reasons we treat public and private actors differently under the law and there “are all far more practical and less-restrictive steps that can be taken without resorting to the sort of constitutional sledgehammer that Jeff Rosen favors. We can protect privacy without rewriting the Constitution or upending the information economy,” I concluded.

But I wanted to elaborate on one particular thing I found particularly interesting about Rosen’s comments when we were on NPR together. During the show, Rosen kept stressing how we needed to adopt a more European construction of privacy as “dignity rights” and he even said his proposed privacy amendment would even disallow individuals from surrendering their private data or their privacy because he viewed these rights as “unalienable.” In other words, from Rosen’s perspective, privacy pretty much trumps  everything, even if you want to trade it off against other values. 

Privacy Paternalism?

I’ve been seeing more and more privacy advocates and scholars adopt this attitude, including Anita Allen, Julie Cohen, Siva Vaidhyanathan, and others. Allen, for example, says that privacy is such a “foundational” human right that it some cases the law should override individual choice when consumers act against their own privacy interests. Cohen and Vaidhyanathan make similar arguments in their recent books. Vaidhyanathan claims that consumers are being tricked by the “smokescreen” of “free” online services and “freedom of choice.” Although he admits that no one is forced to use online services and that consumers are also able to opt-out of most of services or data collection practices, he argues that “such choices mean very little” because “the design of the system rigs it in favor of the interests of the company and against the interests of users.” “Celebrating freedom and user autonomy is one of the great rhetorical ploys of the global information economy,” he says.“We are conditioned to believe that having more choices–empty though they may be–is the very essence of human freedom. But meaningful freedom implies real control over the conditions of one’s life.” These are the sort of arguments I increasingly hear made by privacy scholars when claiming that consumers simply can’t be left free to make choices for themselves in this regard.  In an interesting recent article in the Harvard Law Review , privacy scholar  Daniel Solove notes that what binds these thinkers and their work together is, in essence, a sort of privacy paternalism. The point of most modern privacy advocacy has been to better empower consumers to make privacy decisions for themselves. But, Solove notes, “t he implication [of these privacy scholar’s work] is that the law must override individual consent in certain instances.” Yet, if that choice is taken away from us by law, Solove notes, then privacy regulation, “risks becoming too paternalistic. Regulation that sidesteps consent denies people the freedom to make choices,” Solove argues.

Jeff Rosen now appears to be adopting the sort of approach Solove identifies by claiming that privacy is an “unalienable right” such that it cannot be traded away for other things. By making that choice for us, Rosen’s proposed amendment would, therefore, suffer from that same sort of privacy paternalism Solove identifies. In a forthcoming law review aritcle that will appear in the  Maine Law Review, I identify some of the problems associated with privacy paternalism. Most obviously, these scholars should keep in mind that not everyone shares the same privacy values as they do and that many of us will voluntarily trade some of our data for the innovative information services and devices that we desire. If imposed in the form of legal sanctions, privacy paternalism would open the door to almost boundless controls on the activities of both producers and consumers of digital services, potentially limiting future innovations in this space.

For example, when we were on  NPR together, Rosen mentioned wireless geolocation technology as a potential source of serious privacy harm, although he did not make it clear whether he wanted it stopped entirely or what. If used improperly, wireless geolocation technology certainly can raise serious privacy concerns. But wireless geolocation technology is also what powers the mapping and traffic services that most of us now take for granted. Many of us expect — no, we demand — that our digital devices be able to give us real-time mapping and traffic notification capabilities. And most of us are willing to make the minor privacy trade-off associated with sharing our location constantly in exchange for the right to receive these services, which are also provided to us free of charge.

So, what would Rosen’s proposed amendment have to say about this trade-off? Would these wireless geolocation technologies be banned altogether, even if consumers desire them? It isn’t really clear at this point because he hasn’t offered us many details about his proposal. But, to the extent it would preempt these technological capabilities on the grounds that our locational privacy is somehow in unalienable right, then that seems like a fairly paternalistic approach to policy and it it would seem to confirm Thomas Lenard and Paul Rubin’s claim that “many of the privacy advocates and writers on the subject do not trust the consumers for whom they purport to advocate.”

Such paternalism is particularly problematic in this case since privacy is such a highly subjective value and one that evolves over time. As Solove notes, “the correct choices regarding privacy and data use are not always clear. For example, although extensive self-exposure can have disastrous consequences, many people use social media successfully and productively.” Privacy norms and ethics are changing faster than ever today. One day’s “creepy” tool or service is often the next day’s “killer app.”

Balancing Values; Considering Costs

As I will discuss in my forthcoming  Maine Law Review article and I also discussed in my recent George Mason University Law Review  article, at least here in the United States, consumer protection standards have traditionally depended on a clear showing of actual, not prospective or hypothetical, harm. In some cases, when the potential harm associated with a particular practice or technology is extreme in character and poses a direct threat to physical well-being, law has preempted the general presumption that ongoing experimentation and innovation should be allowed by default. But these are extremely rare scenarios, at least as it pertains to privacy concerns under American law, and they mostly involved health and safety measures aimed at preemptively avoiding catastrophic harm to individual or environmental well-being. In the vast majority of other cases, our culture has not accepted that paternalistic idea that law must “save us from ourselves” (i.e., our own irrationality or mistakes). As Solove notes in his recent essay, “People make decisions all the time that are not in their best interests. People relinquish rights and take bad risks, and the law often does not stop them.” Sometimes privacy advocates also ignore the costs of preemptive policy action and don’t bother conducting a serious review of the potential costs of their regulatory proposals. As a result, preemptive policy action is almost always the preferred remedy to any alleged harm. “By limiting or conditioning the collection of information, regulators can limit market manipulation at the activity level,” Ryan Calo argues in a recent paper. “We could imagine the government fashioning a rule — perhaps inadvisable for other reasons―that limits the collection of information about consumers in order to reduce asymmetries of information.” [*Clarification: In a comment down below and a subsequent Twitter exchange, Ryan clarifies that he ultimately does not come down in favor of such a rule, preferring instead to find various other incentives to solve these problems. I thank him for this clarification — and definitely welcome it! — although I found his position somewhat murky after debating him personally on these issues recently. Nonetheless, I apologize if I mischaracterized his position in any way here.]

Unfortunately, Professor Calo does not fully consider the corresponding cost of such regulatory proposals in calling for the enactment of such a rule. If preemptive regulation slowed or ended certain information practices, it could stifle the provision of new and better services that consumers demand, as I have noted elsewhere. It might also trump other choices or values that consumers care about. While privacy is obviously an incredibly important value, we cannot assume that it is the only value, or the most important value, at stake here. Consumers also care about having access to a constantly growing array of innovative goods and services, and they also care about getting those goods and services at a reasonable price.

Moving from “Rights Talk” to Practical Privacy Solutions

This is the point in the essay where some readers are getting pretty frustrated with me and thinking I am some sort of nihilist who doesn’t give a damn about privacy. I assure you that nothing is further from the truth and that I care very deeply about privacy.

But if you really care about expanding the horizons of privacy protection in our modern world, at some point you have to accept that all the “rights talk” and top-down enforcement efforts in the world are not necessarily going to help as much as you wish they would. The same thing is true for online safety, digital security, and IP protection efforts: No matter how much you might wish the opposite was true, information control is just really, really hard. Legal and regulatory approaches to bottling up information flows will inevitably be several steps behind cutting-edge technological developments. (I’ve discussed these issues in several essays here, including: “Privacy as an Information Control Regime: The Challenges Ahead,” “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” and “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed.”)

That doesn’t mean we should surrender in our efforts to identify more concrete privacy harms, but we should recognize that it will always be a hugely contentious matter and that a great many people will gladly trade away their privacy in a way that others will consider outrageous. In a free society, we must allow them to do so if they derive greater utility from other things. A paternalistic approach based on a sort of privacy fundamentalism will deny them the right to make that choice for themselves. And, practically speaking, no matter how much some might think that privacy values are “unalienable,” the reality is that there will be no way to stop many others from making different choices and relinquishing their privacy all the time.

Educating and empowering citizens is the better way to address this issue. We can try to teach them to make better privacy choices and treat their information, and information about others, with far greater care. We should also work to provide citizens more tools to help accomplish those goals. And if the problem is “information asymmetry” or some general lack of awareness about certain data collection and use practices, then let’s work even harder to make sure consumers are aware of those practices and what they can do about them.

It’s all part of the media literacy and digital citizenship agenda that we need to be investing much more of time and resources into. I outlined that approach in much more detail in this law review article. We need diverse tools and strategies for a diverse citizenry. We need to be talking to both consumers and developers about smarter data hygiene and sensible digital ethics. We need more transparency. We need more privacy privacy professionals working inside organizations to craft sensible data collection and use policies. And so on. Only by working to change attitudes about privacy, online “Netiquette,” and more ethical data use, can we really start to make a dent in this problem.

If nothing else, we must understand the limitations of information control in such highly context-specific harm scenarios. Prof. Rosen might want to ask himself how long it would take to even get his proposed constitutional amendment in place and what the chances are such a movement would even been successful. But, again, and far more importantly, Prof. Rosen and advocates of similar regulatory approaches should remember that their values are not shared by everyone and that, in a free society, a value as inherently subjective as privacy is likely to remain a hugely contentious, every-changing matter, especially when elevated to the level of constitutional rights talk. We need practical solutions to our privacy problems, not pie-in-the-sky Hail Mary schemes that are unlikely to go anywhere and, even if they did, would end up being too heavy-handed and potentially override individual autonomy in the process.

It’s time again to look back at the major cyberlaw and information tech policy books of the year. I’ve decided to drop the top 10 list approach I’ve used in past years (see 2008, 2009, 2010) and just use a more thematic listing of major titles released in 2011.  This thematic approach gets me out of hot water since I have found that people take numeric lists very seriously, especially when they are the author of one of the books and their title isn’t #1 on the list! Nonetheless, at the end, I will name what I regard as the most important Net policy book of the year.

I hope I’ve included all the major titles released during the year, but I ask readers to please let me know what I have missed that belongs on this list. I want this to be a useful resource to future scholars and students in the field. [Reminder: Here’s my compilation of major Internet policy books from the past decade.] Where relevant, I’ve added links to my reviews as well as discussions with the authors that Jerry Brito conducted as part of his “Surprisingly Free” podcast series. Finally, as always, I apologize to international readers for the somewhat U.S.-centric focus of this list.

Internet Freedom / General Net Regulation & Governance

Online freedom was a major theme in the field of information technology policy in 2011, especially with the continuing hullabaloo over Wikileaks as well as the various protest movements worldwide that tapped social media and mobile technologies to organize and protest. Increased government regulation and/or crackdowns often followed. Several books dealt with these issues. Morozov’s Net Delusion was one big wet blanket to the whole “Net-changes-everything” movement, but it went much too far as I noted in my lengthy review. Sifry’s book was a short manifesto making the opposite case.  Access Contested — the third edition in a series from the same authors — was another indispensable resource for Net researchers exploring censorship trends worldwide, with a particular focus on Asian countries in this latest edition. Finally, the Szoka & Marcus tome was an amazing collection of over 30 essays from a diverse group of scholars on a staggering array of topics. It was a great honor for me to contribute two chapters to the volume. I cannot recommend it highly enough—and it’s free!

• Evgeny Morozov – The Net Delusion: The Dark Side of Internet Freedom [my review] [podcast]
• Micah Sifry – WikiLeaks and the Age of Transparency [podcast]
• Ronald J. Deibert, John G. Palfrey, Rafal Rohozinski and Jonathan Zittrain – Access Contested: Security, Identity, and Resistance in Asian Cyberspace
• Eddan Katz & Ramesh Subramanian (Eds.) –The Global Flow of Information: Legal, Social, and Cultural Perspectives
• Berin Szoka & Adam Marcus (eds.) – The Next Digital Decade: Essays on the Future of the Internet
• Becky Hogge – Barefoot into Cyberspace: Adventures in Search of Techno-Utopia
• Laura DeNardis – Opening Standards: The Global Politics of Interoperability
• Chris Marsden – Internet Co-Regulation: European Law, Regulatory Governance and Legitimacy in Cyberspace
• Philip Howard – The Digital Origins of Dictatorships and Democracy: Information Technology and Political Islam
• Virginia Eubanks  – Digital Dead End: Fighting for Social Justice in the Information Age

Privacy, Security & Safety

Privacy policy and government surveillance issues have been the dominant cyberlaw policy issues of 2011, so it is unsurprising that we are starting to see more major publications in this arena. Jarvis’s book, in particular, generated intense debate and certainly represented one of the most important titles of the year. The Offensive Internet was a hugely important collection of essays since it represented the most forceful attack on the Net and freedom of speech to date. It was practically a jihad against Section 230 and online anonymity. I found it hugely troubling. The two primers on privacy listed below (by Solove & Schwartz and by Craig & Ludloff) were terrifically helpful, accessible booklets. I highly recommend students pick both of them up.

• Saul Levmore and Martha C. Nussbaum (eds.) – The Offensive Internet: Speech, Privacy & Reputation
• Jeff Jarvis – Public Parts [my review]
• Daniel Solove – Nothing to Hide: The False Tradeoff between Privacy and Security [podcast]
• Susan Landau – Surveillance or Security? The Risks Posed by New Wiretapping Technologies
• Daniel Solove & Paul M. Schwartz – Privacy Law Fundamentals
• Terence Craig and Mary Ludloff  – Privacy & Big Data
• Frederick Lane – Cybertraps for the Young

Net Pessimism / Google-phobia / Copyright

Sorry for the extremely broad grouping here, but what ties these last few titles together is a general gloominess about the Internet and what it is doing to culture, learning, dialog, or particular ways of doing business. It’s a common theme in Net policy book these days, as I have noted here before.  I found the Pariser and Vaidhyanathan books to be extremely problematic [read my reviews]. Levine’s Free Ride and Patry’s How to Fix Copyright were the major online copyright policy books this year. Levine’s book offered an outstanding history of the modern copyright wars, but I couldn’t agree with most of his recommendations. Cleland’s book was less notable for its Google-bashing than the fact it represented the beginning of an articulation of a philosophy of cyber-conservatism. Brockman’s compendium of short essays on the Net’s impact on us was a real hodge-podge of views, not all of which were pessimistic.

• Eli Pariser – The Filter Bubble: What the Internet is Hiding From You [my review]
• Siva Vaidhyanathan – The Googlization of Everything, and Why We Should Worry [my review] [podcast]
• John Brockman (ed.) –  Is the Internet Changing the Way You Think? The Net’s Impact on Our Minds and Future
• Sherry Turkle – Alone Together: Why We Expect More from Technology and Less from Each Other
• Scott Cleland – Search & Destroy: Why You Can’t Trust Google Inc.  [my review]
• Robert Levine – Free Ride: How the Internet is Destroying the Culture Business and How the Culture Business can Fight Back
• William Patry – How to Fix Copyright

Net Policy Book of the Year

So, what was the most important info-tech policy book of 2011? I’d say it was Evgeny Morozov’s Net Delusion. As I noted in previous end-of-year compendiums, I regard an “important” info-tech policy book as a title that many people are currently discussing and that we will likely be debating and referencing for many years to come.  In other words, it’s a book that creates a sustained buzz.  Net Delusion has certainly accomplished that in major way and Morozov’s relentless policy writing and Twitter ramblings kept him near the center of many Net policy debates in 2011.

That doesn’t mean I agree with everything in the book, or Evgeny’s style, for that matter. His Tweetstream, like many portions of his book, often drips with relentless, caustic snark-casm. I enjoy that in small doses — hell, I’ve used it myself on occasion here and on Twitter! — but it gets tiresome when dished out endlessly and with the volume turned up to 11. More generally, as I noted above, not only do I think he ultimately fails to prove his thesis but the book is riddled with contradictions regarding the proper disposition of governments and corporations toward the Net and online freedom. Morozov is great at tearing down the grandiose, cyber-utopian visions and visionaries, but he’s far less effective at suggesting a coherent alternative vision.

Nonetheless, the importance of Morozov’s work cannot be denied. He’s opened a new front in the intellectual battle over the role of the Net in various political movements and causes. He aims to spearhead what we might think of as the “realist” movement that counters the more “idealist” (he would say “utopian”) approach, which already has many adherents in global Net policy debates. Morozov has opened the door to more skeptical thinking in this regard. Many others are now likely to follow in his footsteps, and when they do, they will all cite back to The Net Delusion. Likewise, the idealists will now be forced to respond to Morozov in any future tracts. Thus, we’ll be discussing and debating the themes in The Net Delusion for many years to come. That’s why it is the most important Net policy book of 2011.

In his latest weekly Wall Street Journal column, Gordon Crovitz has penned a review of the new Jeff Jarvis book, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live . Gordon’s review closely tracks my own thoughts on the book, which I laid out last week in my Forbes essay, “Is Privacy Overrated?”  Gordon’s essay is entitled “Are We Too Hung Up on Privacy” and he finds, like I do, that Jarvis makes compelling case for understanding the benefits of publicness as the flip-side of privacy. Instead of repeating all the arguments we make in our reviews here, I’ll just ask people go check out both of our essays if they are interested.

I did, however, want to elaborate on one thing I didn’t have time to discuss in my review of the Jarvis book. While I like the approach he used in the book, I thought Jarvis could have spent a bit more time exploring some the thorny legal issues in play when advocates of privacy regulation look to enshrine into law quite expansive views of privacy “rights.”

One of the things that both Crovitz and I appreciated about the Jarvis book was the way he tries to get us to think about privacy in the context of ethics instead of law. “Privacy is an ethic governing the choices made by the recipient of someone else’s information,” Jarvis argues, while “publicness is an ethic governing the choices made by the creator of one’s own information,” he says. In my review, I explained why this was so important:

Jarvis’ approach to thinking about privacy and publicness in terms of ethics is particularly smart precisely because privacy is such a subjective human condition—a “conceptual jungle” and a “concept in disarray,” says law professor Daniel J. Solove, author of Understanding Privacy. Thus, a good case can be made for restraint when it comes to legislating to define and protect privacy. That doesn’t mean privacy isn’t important—it is. But how we go about “protecting” it needs to be balanced against other rights and responsibilities. For example, we’d all agree with Thomas Jefferson and the Founders that we have a “right to pursue happiness,” but a right to happiness would be a different matter altogether. Government can’t guarantee happiness. It wouldn’t even be able to define it. The same is largely true of privacy. We certainly have the right to pursue private lives and take steps to secure facts about ourselves. At the margins, law can sometimes help us do so—most often by safeguarding us against fraudulent activities. And there are plenty of tools on the market that can help people protect their personal data. By contrast, legalistic efforts to define privacy as a strict “right” leads us back into that “conceptual jungle,” which is full of unintended consequences.

Let’s unpack this a bit more because if one agrees with the argument that Jarvis makes–that privacy is better thought of as a matter of ethics and social norms–it has important ramifications for ongoing efforts to speak of privacy in legalistic ways. It’s not that I’m against any sort of privacy “rights,” but I do believe it is important to acknowledge that other important values are at stake here and we must appreciate how increased privacy controls could conflict with them.  “Recognizing that we are legislating in the shadow of the First Amendment suggests a powerful guiding principle for framing privacy regulations,” argues Kent Walker, a privacy expert who now serves as a general counsel at Google. “Like any laws encroaching on the freedom of information, privacy regulations must be narrowly tailored and powerfully justified.”

Ironically, many privacy advocates are strongly critical of copyright law and claim that, as currently structured, it represents an unjust or excessive information control regime. Yet, privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright law for personal information, which would, in turn, conflict mightily with the First Amendment. [See my essays, “Two Paradoxes of Privacy Regulation” and “Privacy as an Information Control Regime: The Challenges Ahead.” The rest of this essay borrows from those pieces as well as this big filing I submitted to the FTC in February.]

In his recent book Skating on Stilts, Stewart Baker reminds us that the famous 1890 Samuel Warren and Louis Brandeis Harvard Law Review essay on “The Right to Privacy”—which is tantamount to a sacred text for many modern privacy advocates—was heavily influenced by copyright law.  As Baker explains:

Brandeis wanted to extend common law copyright until it covered everything that can be recorded about an individual. The purpose was to protect the individual from all the new technologies and businesses that had suddenly made it easy to gather and disseminate personal information: “the too enterprising press, the photographer, or the possessor of any other modern device for rewording or reproducing scenes or sounds.”  […] Brandeis thought that the way to ensure the strength of his new right to privacy was to enforce it just like state copyright law. If you don’t like the way “your” private information is distributed, you can sue everyone who publishes it.

Incidentally, it is important to recall that their call for such a regime was essentially driven by a desire to censor the press. In their article, Warren and Brandeis argued that:

The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.

So angered were Warren and Brandeis by reports in daily papers of specifics from their own lives that they were led to conclude that:

man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.

It is unclear how one could have greater “pain and distress” inflicted by words than “by mere bodily injury,” and yet the law review article that essentially gave birth to American privacy law articulated such a theory of harm.  And it only follows, then, that they would advocate fairly draconian controls on speech and press rights if they felt this strongly.

Taken to the extreme, however, giving such a notion the force of law would put privacy rights on a direct collision course with the First Amendment and freedom of speech.  As Eugene Volokh argued in a 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking about You”:

The difficulty is that the right to information privacy—the right to control other people’s communication of personally identifiable information about you—is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

This is what makes efforts to untether privacy regulation from a harms-based model or mode of analysis so troubling. For example, the Federal Trade Commission’s recent privacy review says that “the FTC’s harm-based approach also has limitations [because] it focuses on a narrow set of privacy-related harms—those that cause physical or economic injury or unwarranted intrusion into consumers’ daily lives.”  The Commission then suggests that “for some consumers, the actual range of privacy-related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there,’” and suggests “consumers may feel harmed when their personal information… is collected, used, or shared without their knowledge or consent or in a manner that is contrary to their expectations.”

Not only does the Commission fail to offer any data on how this supposed harm manifests itself, how severe it is, or what trade-offs it presents to society, but it utterly fails to account for the dangerous slippery slope of speech control it puts us on. If appeals for regulation are based on emotion instead of concrete evidence of consumer harm, where will this take us next? If, for example, the Commission is to regulate based upon the fact that “consumers may feel harmed… when their personal information… in a manner that is contrary to their expectations,” how long will it be before some suggest this standard should trump First Amendment rights in other contexts?

For example, this more emotional approach to privacy regulation brings us one step closer to a “right not to be offended” or a “right to be forgotten,” as some in Europe favor. Here in the U.S., we see a similar effort underway with the so-called “Internet Eraser Button” idea, which has even been floated in federal legislation. How could a journalist even conduct their business in such a world? By their very nature, good reporters are nosy and, to some extent, disregard the privacy of the people and institutions they report on.

This is why privacy regulation must not be reduced to amorphous claims of “dignity” rights, where an assertion by a small handful that they “feel harmed” comes to replace a strict showing of actual harm to persons or property. To go down that path would have grave consequences for the future of freedom of speech, transparency, openness, and accountability.

Of course, there are many different types of privacy concerns, each of which demands its own analysis and legal consideration.  While I think most privacy concerns should be left to the realm of personal responsibility, user empowerment, and industry self-regulation, other privacy issues are more serious and should be elevated to the level of “rights.” When we speak of government search and seizure or surveillance concerns, “rights” talk certainly makes more sense. Likewise, identity theft is more than just a violation of privacy, it’s a violation of personal property rights.

With such notable exceptions, however, I prefer we speak of privacy in terms of ethics and norms. Legalistic, rights-based conceptions of privacy invite excessive government interventions with myriad unintended consequences.

A report in the U.K. Telegraph notes that the European Union is seeking to create a so-called “right to be forgotten” online, and has “drafted potential legislation that would include new, unprecedented privacy rights for citizens sharing personal data.” Details are sparse at this point, but according to this new 20-page European Commission document, “A Comprehensive Approach on Personal Data Protection in the European Union,” the EU will be:

clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person’s consent and when he or she withdraws consent or when the storage period has expired. (p.8)

Two brief comments on this.  First, it should be apparent that any “right to be forgotten” conflicts mightily with free speech rights and press freedom. As I discussed at greater length in this review of Solove’s Understanding Privacy as well as my essay on “Two Paradoxes of Privacy Regulation,” the problem with enshrining expansive privacy “rights” into law is that it means there will need to be stricter limits placed on speech and press freedoms.  As Eugene Volokh noted in his 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You“:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Of course, there’s no First Amendment in the E.U.  But while there’s not as strong of a tradition of freedom of speech / press in Europe as in the U.S., it would still be shocking to see the E.U. go down this path.  Consider what it means for the press, in particular.  When I was in journalism school back in the late 1980s, one of my favorite professors once told my class that a good journalist was really nothing more than a nosy person who knew how to write.  But being “nosy” — digging for stories, gathering facts, reporting on the world around us — is fundamentally at odds with “privacy,” strictly defined.  For example, could someone claim “a right to be forgotten” when a journalist pens an article about them beating their wife or committing corporate fraud?  Believe it or not, Germany already has a law like this for convicted criminals who have served their time.  They can have old facts about their crimes repressed after they’ve served their sentences.  [Note: If someone could forward me additional details about that German law, I would appreciate it. Specifically, I would like a better understanding of how enforcement works.]

Second, there are economic trade-offs that must always be considered here.  Enshrining “a right to be forgotten” into law would necessitate a fairly significant expansion in the rules and regulations governing information sectors and actors.  Enforcement would certainly be challenging. As always, there is no free lunch; something has to give.  If online sites and service providers are faced with onerous new regs that limit their ability to collect data or serve up online advertising, those sites and services will need to find new methods of financing ongoing operations.  The impact on innovation could be substantial.  Indeed, one could argue that one of the reasons America’s high-tech sector and digital companies are the global leaders in so many of their fields is precisely because they have not been strapped with top-down privacy regimes and data directives that would have constrained their ability to innovate using information collection.

Information — yes, including personal information — is the fuel of the Digital Economy.  Restricting the flow of that information, or its use for advertising and marketing purposes, will have an undeniably negative impact on online content and culture.  Ask yourself this: Would you be willing to pay $19.95/month to use a social networking site, or to be charged a fee for each query you enter into a search engine?  Those subscription-based or pay-per-use business models certainly shouldn’t be prohibited, but it would seem most Netizens are comfortable with the current arrangement: Free access/use in exchange for information collection and ads.

Of course, this “right to be forgotten” regulatory regime is currently only being considered in Europe.  Some here in the U.S., therefore, might be tempted to cheer on their expansive reading of privacy “rights” in light of the hobbling effect it has on their information and high-tech sectors!   But those rules will hurt U.S. players, too, since many of them offer services across Europe.  Moreover, this regulatory paradigm could become a model for privacy advocates in the U.S. and set the stage for a major push for new legislation / regulation here.  Let’s hope that’s not the case.

As a cyber-libertarian, I’ve been lucky enough to work with people of all ideological stripes in pursuit of various public policy objectives.  I’ve made selective alliances with people on the Right on economic policy issues (like opposing Net Neutrality regulation, Internet taxes, etc) and also worked closely with folks on the Left on speech and culture issues (content controls, anonymity, online safety concerns, etc).

While engaging with with people on both sides of the political fence, I’m often struck by some of their internal inconsistencies.  Conservatives, for example, talk about a big game about personal responsibility on some issues, but quickly abandon that notion when they claim media content or online speech should be regulated by the State (typically “for the children.”)  In this essay, I’d like to discuss interesting inconsistencies on the political Left, especially among advocates of strong privacy regulation (most of whom tend to be Left-leaning in their worldview).  In particular, here are the two things I find most interesting about modern privacy advocates:

(1) Most privacy advocates are vociferous First Amendment supporters, yet they abandon their free speech values and corresponding constitutional tests when it comes to privacy regulation.  When it comes to proposals to regulate media content or online speech, most folks on the Left have a very principled, clear-cut position: people (or parents) should take responsibility for unwanted information flows in their lives (or the lives of their children). In particular, they rightly argue that the many user empowerment tools on the market (filters, monitoring software, other parental control technologies) constitute a so-called “less-restrictive means” of controlling content when compared to government regulation.

Advocacy groups that I have a great deal of respect for and work with quite closely on these issues–such as EFF, CDT and ACLU—all take this position.  Generally speaking, they argue that, when it comes to speech regulation, “household standards” (user-level controls) should trump “community standards” (government regulation). And in Court—where I frequently file joint amicus briefs with them—they repeatedly employ the “less-restrictive means” test to counter government efforts to regulate information flows.

But when it comes to privacy, they throw all this out the window!  For some reason, when the topic of debate shifts from concerns about potentially objectionable content to the free movement of personal information, personal responsibility and self-regulation become the last option, not the first.  What’s most troubling about this is the way these advocates of privacy regulation are unwittingly undermining the power of the “less-restrictive means” test, which is a vitally important barrier to greatly enhanced government control of cyberspace.  That is, when privacy advocates ignore, downplay, or denigrate user-empowerment tools, they are essentially saying self-help is the right answer in one context, but not the other.

That’s a shame because self-help tool work well in both contexts.  Indeed, I’ve spent years documenting the wide variety of user-empowerment tools on the child safety front, and more recently I have worked with colleagues at PFF to provide a similar inventory of “privacy solutions” that can help users control personal information flows.  Can privacy tools be confusing at times or difficult to set up? Yes, they can. But no more so that parental control tools.  Are privacy tools as effective as parental control tools?  I think they are actually more effective because in the case of parental controls, the person you are trying to “protect” (namely, kids) often have a stronger incentive to evade / defeat those tools.  Moreover, privacy-enhancing controls can be very effective—perhaps even too effective—at shutting down unwanted information flows.  Whether it’s ad-blocking tools, cookie controls, or encryption techniques, these tools can actually be far more effective blocks on information flows than, say, Internet filters meant to block porn or hate speech, which is also more subjective by nature.

Of course, no tool is perfect. But as the Supreme Court held in United States v. Playboy, empowerment tools need not be perfect to be preferable to government regulation. “Government cannot ban speech if targeted blocking is a feasible and effective means of furthering its compelling interests,” the Court held.  Moreover, “It is no response that voluntary blocking requires a consumer to take action, or may be inconvenient, or may not go perfectly every time.  A court should not assume a plausible, less restrictive alternative would be ineffective; and a court should not presume parents, given full information, will fail to act.”

So, then, why doesn’t the exact same principle hold for privacy regulation?  I believe it should, and because of that I get in some pretty heated fights with friends at EFF, CDT and ACLU when they abandon the user-empowerment regime on the privacy front and instead invite the government to come in and establish an information control regime.  Which leads to the second thing I find interesting about advocates or privacy regulation…

(2) Most privacy advocates bash copyright and claim it is an information control regime, yet privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright law for personal information (which would, in turn, conflict mightily with the First Amendment).

While many libertarians oppose any form of copyright protection, I still find much worth praising in America’s copyright system.  Nonetheless, I do admit to my libertarian friends, as well as anti-copyright advocates on the Left, that copyright places limits on the flow of certain types of information.  After all, quite literally, copy-right deals with rights to copy information.  Of course, that’s the nature of all property rights—they foreclose and constrain alternative uses. But there’s typically a good reason for that: In the case of intangible property, it’s because we want to promote the creation of content/information in the first place.

For many copyright critics, however, this is an intolerable trade-off. Any limits on reproduction/reuse—even if those rights incentivize artistic/scientific creativity—are regarded as an unjust form of information control.  But if they believe that to be the case for copyright, why do they not feel the same of privacy rights?  After all, there are some striking similarities between the regimes.

In his new book, Skating on Stilts, Stewart Baker reminds us that the famous 1890 Brandeis and Warren Harvard Law Review essay on “The Right to Privacy“–which is like a sacred text to many modern privacy advocates–was heavily influenced by copyright law.  As Baker explains:

Brandeis wanted to extend common law copyright until it covered everything that can be recorded about an individual. The purpose was to protect the individual from all the new technologies and businesses that had suddenly made it easy to gather and disseminate personal information: “the too enterprising press, the photographer, or the possessor of any other modern device for rewording or reproducing scenes or sounds.”  […] Brandeis thought that the way to ensure the strength of his new right to privacy was to enforce it just like state copyright law. If you don’t like the way “your” private information is distributed, you can sue  everyone who publishes it.

Incidentally, it’s important to recall that the Brandeis and Warren’s call for such a regime was essentially driven by their desire to control the press. In their article, they argued that:

The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.

So angered were Brandeis and Warren by reports in daily papers of specifics from their own lives that they were led to conclude that:

man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.

Let’s ignore their hyperbolic claim that invasions of privacy could cause more harm than “mere bodily injury.”  No, wait, let’s not!  Seriously, can you believe men of this stature could utter such nonsense?  I’d love to hear a modern privacy advocate defend this notion and explain how, exactly, one could have greater “pain and distress” inflicted by words than “by mere bodily injury.”  That’s a doozy of a claim.  Nonetheless, they said it—in the law review article that quite literally gave birth to American privacy law.  And it only follows, then, that they would want fairly draconian controls on free speech / press rights if they felt this strongly.

Taken to the extreme, however, giving such a notion the force of law would put privacy “rights” on a direct collision course with the First Amendment and freedom of speech/communication.  As Eugene Volokh argued in a 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You“:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Indeed, how could a journalist even conduct their business in such a world? By their very nature, good reporters are nosy and disregard the privacy rights of the people and institutions they report on. But in a world where privacy “rights” trump other rights, free speech would be forced to take a back seat.

To be clear, I’m not opposed to all privacy “rights.” But as I noted in my lengthy review of Daniel Solove’s Understanding Privacy, we need to begin with a theory of rights and then figure out what privacy “harms” we are trying address/rectify.  Generally speaking, I am skeptical of most claims about harms coming from people talking about us or knowing more about us and I believe that freedom of speech / communications should trump such rights claims. But that’s because I subscribe to a libertarian theory of rights/justice that–as the name implies–places human liberty at the core of that theory of rights.  If liberty isn’t your cup of tea, I can see how “privacy” might be viewed as co-equal in your theory of rights.  Nonetheless, I would hope such people would acknowledge that, at the end of the day, such a theory requires trade-offs and that, much like making an allowance for copyright in a libertarian system, information flows might be limited by these assertion of privacy rights.   What I’m asserting here, however, is that privacy regulation would entail far greater restrictions on liberty–especially freedom of speech/communication–than copyright law. After all, as Volokh notes, we are talking about “a right to have the government stop people from speaking about you.”

Addendum: I failed to mention that my fellow TLF blogger Tom Bell has said all of this much more elloquently in his 2001 Cato white paper, “Internet Privacy and Self-Regulation: Lessons from the Porn Wars.”

With the publication of Understanding Privacy (Harvard University Press 2008), George Washington University Law School professor Daniel J. Solove has firmly established himself as one of America’s leading intellectuals in the field of information policy and cyberlaw.  Solove had already made himself a force to be reckoned with in this field with the publication of important books like The Future of Reputation: Gossip, Rumor, and Privacy on the Internet (Yale University Press 2007), The Digital Person: Technology and Privacy in the Information Age (NYU Press 2004) and his treatise on Information Privacy Law with Paul M. Schwartz of the Berkeley School of Law (Aspen Publishing, 2d ed. 2006).  But with Understanding Privacy, Solove has now elevated himself to that rarefied air of “people worth watching” in the cyberlaw field; an intellectual — like Lawrence Lessig or Jonathan Zittrain — whose every publication becomes something of an event in the field to which all eyes turn upon release.

Like those other intellectuals, however, my respect for their stature should not be confused with agreement with their positions.  In fact, my disagreements with Lessig and Zittrain are frequently on display here and, we have been critical of Solove here in the past as well. [Here’s Jim Harper’s review of Solove’s last book, with which I am in wholehearted agreement.]  In a similar vein, although I greatly appreciate what Prof. Solove attempts to accomplish in Understanding Privacy — and I am sure it will change the way we conceptualize and debate privacy policy in the future — I found his approach and conclusions highly problematic.

Let me begin by summarizing Solove’s bold objective in Understanding Privacy. In the book, he attempts “to set forth a theory of privacy that will guide our understanding of privacy issues and the crafting of effective laws and policies to address them.” (p. 2) Solove’s “pragmatic” proposal to rethink privacy requires us to abandon the ways we have traditional thought about it. He begins by rightly noting that privacy has long been a “conceptual jungle” (p. 196) and a “concept in disarray.” (p. 1) “[T]he attempt to locate the ‘essential’ or ‘core’ characteristics of privacy has led to failure,” he says. (pg. 8 )

Consequently — and this is what make’s his approach so unique and important — Solove’s proposal to rethink privacy begins with a call to abandon the entire philosophical exercise of trying to tie privacy rights to some “common denominator” (pg. 8 ) since “Nobody can articulate what it means.” (p. 1) Actually, what he really means to say is that plenty of theorists can articulate what it means, it’s just that there is rarely any strong consensus about what justifies a particular theory of privacy. Indeed, in Chapter 2, he walks the reader through a half-dozen “conceptions of privacy” and illustrates how each has intellectual weaknesses and suffers from over- and under-breadth problems in terms of what it types of privacy it protects.

More importantly, according to Solove, not only has the effort “to locate the ‘essence’ of privacy” failed, but there is never any hope of it succeeding. Instead of continuing the futile search for such a grand, unified theory of privacy, Solove says we should tackle privacy issues from the “bottom up” by looking to “solve certain problems” (p. 75) The key to making it all work, he says, is “balancing”:

Because privacy conflicts with other fundamental values, such as free speech, security, curiosity, and transparency, we should engage in a candid and direct analysis of why privacy interests are important and how they ought to be reconciled with other interests. We cannot ascribe a value to privacy in the abstract. The value of privacy is not uniform across all contexts. We determine the value of privacy when we seek to reconcile privacy with opposing interests in the particular situations. (p. 87)

It is tempting to applaud Solove’s attempt to unhinge privacy from any “common denominator” and instead get more concrete about how to work through the details of practical privacy problems. After all, it is easy to get frustrated with some modern theories of privacy that have been tied up with amorphous, warm-and-fuzzy terms like “personhood” and “intimacy.” The inherent subjectivity of some of those terms makes it challenging to derive bright-line principles and tests to help craft law or resolve privacy disputes when they come before the courts.

But I believe there are serious problems with any attempt to completely divorce privacy policy from a theory of rights or justice. In my opinion, you can’t just dynamite all conceptual frameworks to the ground; value judgments will persist and references to rights theory will always be required. Even Solove’s pragmatic, bottom-up approach is value-laden; he just doesn’t acknowledge it. The majority of privacy controversies he attempts to work through in Chapter 5’s ambitious 16-part “Taxonomy of Privacy” mostly end up coming down in favor of taking stronger steps (i.e., rules, regulations, lawsuits, etc) to enhance privacy rights. He clearly has a bias in favor of enhancing and extending privacy rights relative to many other rights, but he doesn’t bother grounding it in any substantive theory of rights or justice.

Simply stated, even though Solove claims he can construct a new paradigm based strictly on a “pragmatic,” utilitarian, “problem-solving” approach, there is just no getting around the fact that, at some point, you are going to have to provide a more robust theory of rights or justice to explain why one right trumps another.

For example, let’s consider the frequent clash between privacy and free speech rights. As any casual reader of this blog knows, I feel quite passionately about the First Amendment and free speech rights. And, in all but the most extreme cases or circumstances, I will argue that speech rights should trump privacy rights. When would speech rights not trump privacy rights? For me, that would only occur when a clear, quantifiable harm resulted from the speech. But what is “clear, quantifiable harm”?  Reputation, for example, is not something one can easily quantify the loss of. When a company or a government agency loses or sells your personal health records without permission, however, that privacy violation gets a little more quantifiable. And in the case of someone stealing your personal information to engage in identity theft, the harm becomes still more quantifiable. But those cases often involve monetary damages, whereas something like defamation is much more difficult to quantify. However, when considering privacy-vs.-free speech trade-offs, I would first look to identify and quantify to concrete harm to an individual before allowing the state to curtain freedom of speech.

Solove acknowledges these privacy-speech trade-offs and cites the work of scholars like Eugene Volokh, Fred Cate, Virginia Postrel, and Solveig Singleton, who have all discussed these problems in their work. Volokh, for example, wrote an incredibly important 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You.” As he pointed out in that piece:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Without reference to some higher set of first principles or theory of rights / justice, I believe it is very difficult to sort through thorny problems like these. We need to know how and when one right trumps another. A theory of rights that focuses on avoiding direct, tangible harm to others — but largely leaves individuals otherwise free to do what they wish — would generally place speech rights above many privacy “rights” (some of which perhaps should not quality be rights at all). Of course, this more libertarian construction of rights remains quite controversial in our modern society, and there are other theories of rights and justice that would minimize the importance of speech rights relative to privacy.

Importantly, there also needs to be some recognition of the qualitative difference between government threats to privacy versus private threats. The harm that can come from government violations of privacy are generally far more troubling (surveillance, taxation, fines, imprisonment, etc) than potential private harms. I don’t think Solove’s framework appreciates that distinction.

Regardless of which approach one adopts — reasoning from first principles, or working from the “bottom up” (a la Solove) — there will always be fair degree of “balancing” undertaken by legislatures and the courts when crafting privacy policies. Indeed, in many ways, I see Solove’s more “pragmatic” approach often getting us to the same point we would find ourselves in if we took a more philosophical, first principles-based approach. It’s just that under his approach, he would often give the nod to privacy concerns over other rights whereas others (like me) would first look to enhance other values, especially free speech.

In sum, I believe that if one attempts to divorce the exercise of “understanding privacy” from any theory of rights, inevitably, you end right back in the same “conceptual jungle” you were in before. In that sense, I regret to say that Solove’s approach in Understanding Privacy ultimately fails. There’s just no escaping a fight over first principles.

But make no doubt about it, Daniel Solove’s book — and his approach to classifying and dealing with privacy problems — will have a profound impact on all future privacy debates. In that sense, it is a vital text; a must read for all who follow, or engage in, privacy debates.

P.S. Prof. Solove contributed an article to this month’s big Scientific American special issue on “The Future of Privacy.” Many articles in that issue worth reading.

Anyone interested in the long-running debate over how to balance online privacy with anonymity and free speech, whether Section 230‘s broad immunity for Internet intermediaries should be revised, and whether we need new privacy legislation must read the important and enthralling NYT Magazine piece  “The Trolls Among Us” by Mattathias Schwartz about the very real problem of Internet “trolls“–a term dating to the 1980s and defined as “someone who intentionally disrupts online communities.”

While all trolls “do it for the lulz” (“for kicks” in Web-speak) they range from the merely puckish to the truly “malwebolent.”  For some, trolling is essentially senseless web-harassment or “violence” (e.g., griefers), while for others it is intended to make a narrow point or even as part of a broader movement.  These purposeful trolls might be thought of as the Yippies of the Internet, whose generally harmless anti-war counter-cutural antics in the late 1960s were the subject of the star-crossed Vice President Spiro T. Agnew‘s witticism:

And if the hippies and the yippies and the disrupters of the systems that Washington and Lincoln as presidents brought forth in this country will shut up and work within our free system of government, I will lower my voice.

But the more extreme of these “disrupters of systems” might also be compared to the plainly terroristic Weathermen or even the more familiar Al-Qaeda.  While Schwartz himself does not explicitly draw such comparisons, the scenario he paints of human cruelty is truly nightmarish:  After reading his article before heading to bed last night, I myself had Kafka-esque dreams about complete strangers invading my own privacy for no intelligible reason.  So I can certainly appreciate how terrifying Schwartz’s story will be to many readers, especially those less familiar with the Internet or simply less comfortable with the increasing readiness of so many younger Internet users to broadcast their lives online.

But Schwartz leaves unanswered two important questions.  The first question he does not ask:  Just how widespread is trolling? However real and tragic for its victims, without having some sense of the scale of the problem, it is difficult to answer the second question Schwartz raises but, wisely, does not presume to answer:  What should be done about it? The policy implications of Schwartz’s article might be summed up as follows:  Do we need new laws or should we focus on some combination of enforcing existing laws, user education and technological solutions?  While Schwartz focuses on trolling, the same questions can be asked about other forms of malwebolence–best exemplified by the high-profile online defamation Autoadmit.com case, which demonstrates the effectiveness of existing legal tools to deal with such problems.

Schwartz begins by noting that:

Many trolling practices … violate existing laws against harassment and threats. The difficulty is tracking down the perpetrators. In order to prosecute, investigators must subpoena sites and Internet service providers to learn the original author’s IP address, and from there, his legal identity. Local police departments generally don’t have the means to follow this digital trail, and federal investigators have their hands full with spam, terrorism, fraud and child pornography.

He then asks, quite fairly, what the consequences of more aggressive enforcement might be:

But even if we had the resources to aggressively prosecute trolls, would we want to? Are we ready for an Internet where law enforcement keeps watch over every vituperative blog and backbiting comments section, ready to spring at the first hint of violence? Probably not. All vigorous debates shade into trolling at the perimeter; it is next to impossible to excise the trolling without snuffing out the debate.

Certainly, proposals to ban online anonymity would seriously threaten legitimate anonymous speech, as my TLF colleagues Ryan Radia and Adam Thierer have pointed out.  Schwartz is probably correct that part of the answer to the problem of trolling and other serious malwebolences lies in equipping law enforcement at all levels with, and training them to use, the basic tools already available to “pierce the veil” of online anonymity and prosecute truly bad actors under existing laws.  But Schwartz is also right to highlight the danger of relying on government to enforce even existing laws, and to take on responsibility for monitoring online activity.

But like most commentators, Schwartz seems to assume that the enforcement of existing laws is solely the province of the “law enforcement” community (police, prosecutors and government investigators).  To be sure, there are a variety of state and federal laws criminalizing certain acts of “malwebolence.”  But those who find themselves victimized online generally have recourse to bring a lawsuit on their own (a “private right of enforcement”) under well-established causes of action under tort law–a crucial part of the “free system of government” lauded by Agnew.

Specifically, such a plaintiff may bring a defamation claim (“libel” if written, “slander” if oral) or one of the four categories of privacy claims that have emerged since 1890, defined by the magisterial Second Restatement of Torts as follows:

(a)  unreasonable intrusion upon the seclusion of another;
(b)  appropriation of the other’s name or likeness;
(c)  unreasonable publicity given to the other’s private life; or
(d)  publicity that unreasonably places the other in a false light before the public.

If the defendant is known, pursuing such claims is common-place.  The obstacle facing plaintiffs who do not know the legal identity of those who may have defamed them or intruded upon their privacy is the same facing law enforcement:  to “subpoena sites and Internet service providers [and other intermediaries] to learn the original author’s IP address, and from there, his legal identity.”  Such “third party subpoenas” are a vital part of the solution to the problem of malwebolence:  By enabling lawsuits under established causes of action against even anonymous defendants, they provide a real remedy to true victims.  The use of such subpoenas does not require finding new appropriations for “law enforcement,” new privacy laws or re-thinking Section 230’s grant of broad immunity to online intermediaries–a policy prescription that has gathered momentum in recent years.

For example, Daniel Solove has argued in his book The Future of Reputation that Section 230 should be re-interpreted:

to grant immunity only before the operator of a website is alerted that something posted there by another violates somebody’s privacy or defames her.  If the operator of a website becomes aware of the problematic material on the site, yet doesn’t remove it, then the operator could be liable.

Frank Pasquale has argued that we ought to require Internet search engines to provide a “right of reply”–allowing someone to post a “reply” that would appear on a search engine next to content concerning them that they consider inaccurate or defamatory (essentially the “fairness doctrine” applied online).   Others (one example) have argued for replacing Section 230 with something akin to the notice-and-takedown regime of copyright so that publishers’ immunity would be contingent on compliance with takedown notices.  But Mark Lemley, an internet law guru who is representing the plaintiffs in the Autoadmit case, has argued that Section 230 should instead be “rationalized” along with other Internet safe harbors under a unified safe harbor drawn from current trademark law:  “innocent infringers” would have immunity and would not be required to take down allegedly defamatory content, but plaintiffs could get courts to issue injunctions requiring intermediaries to take down content.  What unites advocates of all these proposals is that, like Schwartz, they downplay or ignore the effectiveness of existing tort remedies and third-party subpoenas.

Indeed, if the public is aware of third party subpoenas at all, it is probably only because of their use by copyright-holders in attempting to identify those caught using peer-to-peer software to share copyright materials.  Whatever one’s opinions on copyright and of the recording industry’s enforcement strategy, it is safe to say that the overall impression created by such lawsuits against users has been less than favorable.  Regardless, these lawsuits have established an effective legal process for identifying anonymous defendants.  While we can expect that this process–and the safeguards that accompany it–will continue to evolve, it is critical to appreciate the basics of how the third party subpoena process works if one is to evaluate the policy arguments raised by articles like Schwartz’s.

The infamous Autoadmit.com case provides a clear illustration of how this proces works and the evolving safeguards for anonymous speech.  As summarizes the case–and its most recent development:

“Women named Jill and Hillary should be raped.” Those are the words of “AK-47” — a poster to the college-admissions web forum AutoAdmit.com. AK-47 was one of a handful of students heaping misogynist scorn on women attending the nations’ top law schools in 2007, in posts so vile they spurred a national debate on the limits of online anonymity, and an unprecedented federal lawsuit aimed at unmasking and punishing the posters. Now lawyers for two female Yale Law School students have ascertained AK-47’s real identity, along with the identities of other AutoAdmit posters, who all now face the likely publication of their names in court records — potentially marking a death sentence for the comment trolls’ budding legal careers even before the case has gone to trial.

The plaintiff law students in this case originally sued Autoadmit.com and its operator in a Connecticut Federal District Court, but eventually removed them as plaintiffs in recognition of the fact that Section 230 immunizes them from liability.  But Section 230 did not stop them from suing those who had defamed them anonymously on Autoadmit.com.  And third party subpoenas have since made it possible for the plaintiffs to uncover the identity of most of those defendants.

The Process.  The procedure, made possible by Federal Rule of Civil Procedure 45, is relatively straight-forward:  A plaintiff brings a lawsuit against a John or Jane Doe(s), a pseuodymous defendant whose identify is as yet unknown.  The lawsuit must clearly state the facts, cause(s) of action and remedy sought–just as with any lawsuit (see the Autoadmit complaint, for example).

Having filed such a lawsuit, the plaintiffs may then have a court issue subpoenas (subject to certain limitations) under FRCP 45 to parties who may have identifying information about the identity of the defendants.  For example, if the plaintiff has the IP address associated with a defamatory blog comment, one can subpoena the ISP for further identifying information about that user.  There may be several steps to the process:  for example, Autoadmit might disclose under subpoena an email address, leading to a subpoena to a webmail provider and ultimately a subpoena to an ISP.  Once the John/Jane Doe has been identified, the lawsuit can proceed.

The Safeguards.  In the Autoadmit case, one of the John Does did indeed file under FRCP 45 a “motion to quash” a subpoena to AT&T by which the plaintiffs sought the disclosure of identifying information about the John Doe.  Plaintiffs, of course, opposed the motion, and the Court ultimately denied the motion.  The Court’s discussion (pp 6-13) is instructive for those wondering just how the First Amendment would protect anonymity when a plaintiff seeks to force an Internet intermediary to disclose identifying information about an anonymous speaker.

At least since the Supreme Court’s 1958 decision in NAACP v. Alabama ex rel. Patterson, the First Amendment has limited the ability of courts to order the disclosure of identifying information (in that case, the NAACP’s membership list).  Since then, U.S. courts have developed a two-part balancing test that” ensures that:

the First Amendment rights of anonymous Internet speakers are not lost unnecessarily, and that plaintiffs do not use discovery to “harass, intimidate or silence critics in the public forum opportunities presented by the Internet.”

Understanding the way in which the Autoadmit.com court applied that test is critical to understanding how courts might balance privacy with free speech in the future:

First, the Court should consider whether the plaintiff has undertaken efforts to notify the anonymous posters that they are the subject of a subpoena and withheld action to afford the fictitiously named defendants a reasonable opportunity to file and serve opposition to the In this case, the plaintiffs have satisfied this factor by posting notice regarding the subpoenas on AutoAdmit … which allowed the posters ample time to respond, as evidenced by Doe 21’s [motion to quash]. Second, the Court should consider whether the plaintiff has identified and set forth the exact statements purportedly made by each anonymous poster that the plaintiff alleges constitutes actionable speech.  Doe II has identified the allegedly actionable statements by AK47/Doe 21: the first such statement is “Alex Atkind, Stephen Reynolds, [Doe II], and me: GAY LOVERS;” and the second such statement is ““Women named Jill and Doe II should be raped….” The Court should also consider the specificity of the discovery request and whether there is an alternative means of obtaining the information called for in the subpoena.  Here, the subpoena sought, and AT&T provided, only the name, address, telephone number, and email address of the person believed to have posted defamatory or otherwise tortious content about Doe II on AutoAdmit, and is thus sufficiently specific. Furthermore, there are no other adequate means of obtaining the information because AT&T’s subscriber data is the plaintiffs’ only source regarding the identity of AK47. Similarly, the Court should consider whether there is a central need for the subpoenaed information to advance the plaintiffs’ claims.   Here, clearly the defendant’s identity is central to Doe II’s pursuit of her claims against him. Next, the Court should consider the subpoenaed party’s expectation of privacy at the time the online material was posted.  Doe 21’s expectation of privacy here was minimal because AT&T’s Internet Services Privacy Policy states, in pertinent part: “We may, where permitted or required by law, provide personal identifying information to third parties. . . without your consent. . . To comply  with court orders, subpoenas, or other legal or regulatory requirements.” Thus, Doe 21 has little expectation of privacy in using AT&T’s service to engage in tortious conduct that would subject him to discovery under the federal rules. Finally, and most importantly, the Court must consider whether the plaintiffs have made an adequate showing as to their claims against the anonymous defendant.

The court noted that there is a range of competing standards for this last prong, but dismissed those standards most deferential to the plaintiff–requiring only that the plaintiff show a “good faith basis” to contend it may have an actionable cause or that there is “probable cause” for a claim–as “set[ting] the threshold for disclosure too low to adequately protect the First Amendment rights of anonymous defendants.”  The court also dismissed other standards very favorable to the defendant, such as requiring plaintiffs to show their claims could withstand a motion for summary judgment, noting the obvious point that “it would be impossible to meet this standard for any cause of action which required evidence within the control of the defendant.”  Ultimately, the court settled on the standard requiring the plaintiffs to “make a concrete showing as to each element of a prima facie case against the defendant” as striking, “the most appropriate balance between the First Amendment rights of the defendant and the interest in the plaintiffs of pursuing their claims, ensuring that the plaintiff is not merely seeking to harass or embarrass the speaker or stifle legitimate criticism.”

While Solove, Pasquale and others would make it far easier for a victim to require an online intermediary to take down content that truly defames them or invades their privacy–or to rein in a troll posting such content–relying on existing tort law of course requires that a victim actually file a website and third-party subpoenas.  Those who demand changes to Section 230 will likely argue that this is too burdensome and costly to be an effective remedy for a widespread problem.  But, again, one must ask how widespread that problem really is before leaping to conclusions about what kind of remedies are required.  As UCLA law professor and Internet law guru Eugene Volokh noted in the Yale Daily News’ coverage of this story, even a small number of lawsuits like Autoadmit “might remind some potential would-be defamers that their anonymity may not be secure.”  One wonders whether the trolls described by Schwartz would really be so brazen if more of their coven were unmasked and sued.

One obvious advantage of relying on the combination of tort law and third party subpoenas is that requiring the actual filing of a lawsuit minimizes the problem of Internet users attempting to squelch legitimate speech–for example, by sending frivolous take-down notices to intermediaries, a serious problem in the copyright context.  Those truly concerned with protecting anonymous speech should take a far greater interest in the balancing test chosen by courts following in Autoadmit‘s footsteps.  Marc Randazza, former counsel for Autoadmit administrator Anthony Ciolli, summarized the the balance struck by the court as follows:  “If you’re doing right, the First Amendment will protect you,” Randazza said. “If you’re doing wrong, it won’t.”

Much more could be said about third-party subpoenas, but it cannot be said that the law does not already provide every American with a remedy against the trolls identified by Schwartz, the villains of the Autoadmit case or other “disrupters of the systems.”  Any inquiry into whether we need new laws or regulations should begin by looking at the processes described above.