Andrew Orlowski of The Register (U.K.) recently posted a very interesting essay making the case for treating online copyright and privacy as essentially the same problem in need of the same solution: increased property rights. In his essay (“‘Don’t break the internet’: How an idiot’s slogan stole your privacy“), he argues that, “The absence of permissions on our personal data and the absence of permissions on digital copyright objects are two sides of the same coin. Economically and legally they’re an absence of property rights – and an insistence on preserving the internet as a childlike, utopian world, where nobody owns anything, or ever turns a request down. But as we’ve seen, you can build things like libraries with permissions too – and create new markets.” He argues that “no matter what law you pass, it won’t work unless there’s ownership attached to data, and you, as the individual, are the ultimate owner. From the basis of ownership, we can then agree what kind of rights are associated with the data – eg, the right to exclude people from it, the right to sell it or exchange it – and then build a permission-based world on top of that.”

And so, he concludes, we should set aside concerns about Internet regulation and information control and get down to the business of engineering solutions that would help us property-tize both intangible creations and intangible facts about ourselves to better shield our intellectual creations and our privacy in the information age. He builds on the thoughts of Mark Bide, a tech consultant:

For Bide, privacy and content markets are just a technical challenges that need to be addressed intelligently.”You can take two views,” he told me. “One is that every piece of information flowing around a network is a good thing, and we should know everything about everybody, and have no constraints on access to it all.” People who believe this, he added, tend to be inflexible – there is no half-way house. “The alternative view is that we can take the technology to make privacy and intellectual property work on the network. The function of copyright is to allow creators and people who invest in creation to define how it can be used. That’s the purpose of it. “So which way do we want to do it?” he asks. “Do we want to throw up our hands and do nothing? The workings of a civilised society need both privacy and creator’s rights.”  But this a new way of thinking about things: it will be met with cognitive dissonance. Copyright activists who fight property rights on the internet and have never seen a copyright law they like, generally do like their privacy. They want to preserve it, and will support laws that do. But to succeed, they’ll need to argue for stronger property rights. They have yet to realise that their opponents in the copyright wars have been arguing for those too, for years. Both sides of the copyright “fight” actually need the same thing. This is odd, I said to Bide. How can he account for this irony? “Ah,” says Bide. “Privacy and copyright are two things nobody cares about unless it’s their own privacy, and their own copyright.”

These are important insights that get at a fundamental truth that all too many people ignore today: At root, most information control efforts are related and solutions for one problem can often be used to address others. But there’s another insight that Orlowski ignores: Whether we are discussing copyright, privacy, online speech and child safety, or cybersecurity, all these efforts to control the free flow of digitized bits over decentralized global networks will be increasingly complex, costly, and riddled with myriad unintended consequences. Importantly, that is true whether you seek to control information flows through top-down administrative regulation or by assigning and enforcing property rights in intellectual creations or private information.

Let me elaborate a bit (and I apologize for the rambling mess of rant that follows).

Parallels in Debates over Copyright & Privacy Protection

In several essays here over the past few years I have attempted to draw parallels between the battles over protecting digital copyright and online privacy, as well as battle over online safety/speech and cybersecurity. Here are a few of those essays in case you’re interested in seeing the evolution of my thinking about this:

• When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed
• And so the IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars
• SOPA & Selective Memory about a Technologically Incompetent Congress
• Privacy as an Information Control Regime: The Challenges Ahead
• Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy?

In those essays I have argued that a combination of selective morality and wishful thinking are at work in the information policy world these days. In essence, people hate Internet regulation… until they love it! Here’s how I summarized that fact during the debate over SOPA:

… conservatives rush out and breathlessly denounce each and every effort to impose Net neutrality regulation because of the danger of empowering an already over-zealous bunch of bumbling bureaucrats at the FCC. (And I agree with them.) Yet, with their next breath many conservatives praise SOPA even though it also empowers government to muck with the inner workings of the Internet. Some of those conservatives are also turning a blind eye to the growing appetite of the defense/security community to meddle with the Net’s architecture in the name of avoiding any number of non-catastrophes. Meanwhile, the liberals decry SOPA and want it stopped at all costs. There’s never been a copyright protection measure they liked, of course, but each time one pops up we hear them claim that our analog era Congress is not well-positioned to be designing industrial policy schemes for the Internet. (And I generally agree with them.) But most liberals do a complete 180 whenever online privacy or Net neutrality regulations are the subject of congressional inquiry. Suddenly, the cyber-oafs in Congress are considered veritable technocratic philosopher kings who we should trust to guard our cyber-freedoms to lead us to the digital promised land.

Again, it’s both selective morality and wishful thinking. It’s selective morality in that some folks think certain values are sacrosanct and deserving of a “by-any-means-necessary” enforcement attitude, yet they are often just as likely to denounce similar information control efforts when it comes to issues or values they don’t give a damn about.  And it is wishful thinking in that you can’t run around insisting that “information wants to be free” in some contexts but then express outrage when something that you want to bottle up turns out to “just want to be free” as well!

But the important takeaway here is that, consistent with what Orlowski argues, I believe that online copyright and privacy are essentially the same problem: It’s an information control problem.

Potential Costs of Control

Once you start thinking about Internet policy debates as a single issue — namely, information control — you can begin to investigate the potential costs of control in a somewhat more objective fashion. Of course, challenging issues remain:

1. Which method of control should we choose? On one hand, there are many varieties of administrative regulation, technical infrastructure controls, and device mandates. On the other hand, there are property rights and liability / tort schemes. And there are many hybrid enforcement models, such as increasingly popular “co-regulation” models, government standard-setting, and “nudging” of system defaults. Each method will entail different costs and trade-offs.
2. What metric(s) should we use when attempting to determine whether the benefits of control exceed the costs? Ask any advocate of information control about whether the costs might exceed the benefits of regulation for their pet issue and they will typically suggest that either (a) there are no costs or that (b) the benefits dwarf any costs that may exist. But all too often the benefits they identify are extremely subjective and amorphous in character (“privacy,” “safety,” and “security” are hard to quantify, after all) while the costs are very real and increasingly substantial.

In my view, these practical questions are increasingly the most interesting issues to explore in the field of cyberlaw and digital economics. We can debate the normative or ethical considerations until we’re all blue in the face and ready to rip each other’s heads off, but I am less and less interested in such squabbles. Instead, I keep coming back to the question of how we’ll go about controlling info flows and how much effort and resources it makes sense to expend in pursuit of each of the values identified above. Some of the specific considerations I find myself asking in every paper I write these days include:

(A) Will the proposed form of information control tie us up in the courts forever, lead to increasingly onerous and unworkable liability norms, and end up yielding outrageous litigation costs?

(B) Will the proposed form of information control require a significant increase in regulatory bureaucracy? How many levels of government will need to be involved in the proposed enforcement scheme? How many new offices and officials will need to be empowered in the hope of achieving some measure of control?

(C) What are the alternatives to the proposed form of information control? Are there less costly or less restrictive means of addressing the concern in question? For example, education and empowerment effort are often an effective way to address many online safety and digital privacy concerns. Can we use those methods in conjunction with social norms, public pressure, self-regulation, informal contracting, and other methods to address these and other concerns?

For me, the costs associated with the A & B are increasing so rapidly that I almost always default to C as the better approach. Importantly, although A & B will be less onerous or costly when the solution is of the increased property-ization variety than of the administrative regulation variety, that does not mean property rights-based solutions for information are costless. Indeed, I increasingly find myself concluding that C solutions are more cost-effective even compared to increased property rights.

Practical Advice Once You Accept the Increasing Costs & Complications of Control

At this point, readers may be thinking: “Wait a minute, this dude is just some kooky libertarian who doesn’t want any form of information control, so he’s just trying to rationalize anarchy here.” No, I’m not. I certainly favor less control across the board than most people, but I also understand that there are times, at the margin, when some forms of “control” are necessary. But my views on the wisdom of control are heavily influenced by the costs of control. The costs of control — broadly defined — are a key factor in every cost-benefit analysis I do related to the wisdom of Net regulation and information control methods — even when one of those methods is increased “property-ization.” And because I have come to believe that those costs are going up and that most information control efforts will not work well in practice, I have boiled down my advice on this front to two simple principles:

1. Choose your info control battles wisely. Figure out where the most serious harms or threats lie and then target the info control solution accordingly and forget about the rest. For example, in child safety debates, that would mean going after child porn rings but leaving run-of-the-mill adult porn alone entirely. In copyright, it would mean nailing the largest commercial mass piracy sites but accepting a certain amount of casual sharing. In the field of personal info, it means singling out health and financial information and data for special protections and likely giving up on most other forms of info control. And so on. In essence, these are where the greatest potential harms lie that most people would consider intolerable. As you move further away from such issues, the case for control becomes harder and harder and the costs will almost certainly exceed the benefits.
2. Have a good backup plan in mind when those info control plans fail anyway. That backup plan should generally be based on education, empowerment, coping strategies, and resiliency. Again, these are the “C” solutions mentioned above. [I developed this model more robustly in the second half of this recent paper.] This approach won’t be perfect but it will likely be what you’ll end up relying on anyway, so you better start thinking about plowing more resources into this alternative approach even while you’re trying to devise info control mechanisms.

Let me just say a brief word to my market-oriented friends who are dismayed by my inclusion of property rights in the mix of “information control” efforts. I’m a big believer in the importance of property rights in many contexts, but context does matter. More specifically, physicality matters. It is easy to create property rights in tangible goods and almost always right to do so. Property rights in intangible ideas and creations raise special issues, however. Because ideas are non-rivalrous and have public good qualities, it makes property-ization more complicated and less effective. Property rights in facts can also come into conflict with other values and more well-established rights, especially freedom of speech and expression.

On the privacy front, Eugene Volokh made this point in his famous 2000 law review article, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You,” when he noted that, “The difficulty[with] the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.” That doesn’t mean free speech values should always trump privacy values, but denying this tension is just plain silly. If you want to propertytize all personal information, then you better be prepared to explain how that plays out in practice. How far are you prepared to go to ban the dissemination of facts? Would you place prior restraint on the press to accomplish it? Would you ban a historian from writing a biographies that reveal intimate facts about the subject? Would you shut down all the online sites and services that rely on a certain amount of personal information to fuel their free offerings?

Likewise, copyright law was far more effective in the analog age when we were still pressing music on vinyl and plastic. As soon as digitization become widespread, it was pretty much game over for traditional copyright law and now we are off and running with all sorts of convoluted and increasingly costly regulatory regimes. It’s not that I don’t want these some of these schemes to work — I’ve been a long-time copyright defender — but, again, the practicality of control simply must be considered here. I am not will to “pay any price, bear any burden” in defense of protecting intellectual property rights even as I remain outraged by the staggering amount of free-riding at work every single second of the day on the Internet. So, adopting the framework I outlined about, we might try targeted solutions to go after the biggest of those freeloaders — commercial mass piracy hubs — but we should generally avoid the sort of ham-handed technical control methods we saw in SOPA and other fights, like the broadcast flag battle among others. But, generally speaking, property rights just aren’t going to work as well in this space going forward. I’ve come to believe that the best hope lies in massive consolidation of content and conduit. In other words, pipe and device owners need to buy out all the content-creating industries and just embed a small fee in their monthly services to cross-subsidize content. This is essentially a private collective licensing solution and it is not unprecedented. Nor is it perfect. It will be very leaky. Plenty of piracy will still take place. But it will probably offer creators a better chance of finding a sustainable revenue stream than the current system does. The old copyright system that served them and us so well is dying and they had better start thinking of alternatives like this. Of course, antitrust law may never allow it, so I could be wasting my breath here. (Just look at all the grief that antitrust officials both here and abroad are giving Apple and eBook sellers for working together even though that it probably the best scheme devised in recent memory to sustain publishing in an age of mass piracy. Policymakers should be encouraging more of that sort of thing, not punishing it.)

An Uncertain Future

So, to wrap up… I can imagine a future in which both heavy-handed, top-down info control efforts and property / liability solutions are failing almost universally because of the ubiquitous, instantaneous, quicksilver-like flow of information across decentralized digital networks. Some utopians will argue that such a world will be better in every way than the one we live in today. I do not share such hyper-optimism. While I believe that, on balance, the free flow if information generally benefits society, I also understand how it creates enormous angst and intractable challenges for many. It’s a world in which copyright is a hollow shell of its former self that offers creators very little protection for their expressive works. And it’s a world in which personal privacy is harder to safeguard with each passing day because no matter how hard we try to property-tize facts about ourselves, that enforcement model simply breaks down at some point or becomes socially and economically intolerable. As with copyright, efforts to property-tize personal information will lose the battle against data sharing. As computer scientist Ben Adida argued in his essay, “(Your) Information Wants to be Free,” “unfortunately, information replication doesn’t discriminate: your personal data, credit cards and medical problems alike, also want to be free. Keeping it secret is really, really hard.”

Indeed, and it is growing harder by the day. Contrary to what Orlowski suggests, therefore, this isn’t a simple engineering problem. I wish it were as easy as he suggests to build “permissions-based markets” because they could have real benefits for individuals and society. But it is most certainly not that simple. It is far more costly and complicated than ever to devise workable information control schemes on one hand and “permissions-based” property rights schemes on the other. In some cases, I might still be willing to try the latter, but unlike Orlowski, I just don’t place much faith in the success of the endeavor.

In his latest weekly Wall Street Journal column, Gordon Crovitz has penned a review of the new Jeff Jarvis book, Public Parts: How Sharing in the Digital Age Improves the Way We Work and Live . Gordon’s review closely tracks my own thoughts on the book, which I laid out last week in my Forbes essay, “Is Privacy Overrated?”  Gordon’s essay is entitled “Are We Too Hung Up on Privacy” and he finds, like I do, that Jarvis makes compelling case for understanding the benefits of publicness as the flip-side of privacy. Instead of repeating all the arguments we make in our reviews here, I’ll just ask people go check out both of our essays if they are interested.

I did, however, want to elaborate on one thing I didn’t have time to discuss in my review of the Jarvis book. While I like the approach he used in the book, I thought Jarvis could have spent a bit more time exploring some the thorny legal issues in play when advocates of privacy regulation look to enshrine into law quite expansive views of privacy “rights.”

One of the things that both Crovitz and I appreciated about the Jarvis book was the way he tries to get us to think about privacy in the context of ethics instead of law. “Privacy is an ethic governing the choices made by the recipient of someone else’s information,” Jarvis argues, while “publicness is an ethic governing the choices made by the creator of one’s own information,” he says. In my review, I explained why this was so important:

Jarvis’ approach to thinking about privacy and publicness in terms of ethics is particularly smart precisely because privacy is such a subjective human condition—a “conceptual jungle” and a “concept in disarray,” says law professor Daniel J. Solove, author of Understanding Privacy. Thus, a good case can be made for restraint when it comes to legislating to define and protect privacy. That doesn’t mean privacy isn’t important—it is. But how we go about “protecting” it needs to be balanced against other rights and responsibilities. For example, we’d all agree with Thomas Jefferson and the Founders that we have a “right to pursue happiness,” but a right to happiness would be a different matter altogether. Government can’t guarantee happiness. It wouldn’t even be able to define it. The same is largely true of privacy. We certainly have the right to pursue private lives and take steps to secure facts about ourselves. At the margins, law can sometimes help us do so—most often by safeguarding us against fraudulent activities. And there are plenty of tools on the market that can help people protect their personal data. By contrast, legalistic efforts to define privacy as a strict “right” leads us back into that “conceptual jungle,” which is full of unintended consequences.

Let’s unpack this a bit more because if one agrees with the argument that Jarvis makes–that privacy is better thought of as a matter of ethics and social norms–it has important ramifications for ongoing efforts to speak of privacy in legalistic ways. It’s not that I’m against any sort of privacy “rights,” but I do believe it is important to acknowledge that other important values are at stake here and we must appreciate how increased privacy controls could conflict with them.  “Recognizing that we are legislating in the shadow of the First Amendment suggests a powerful guiding principle for framing privacy regulations,” argues Kent Walker, a privacy expert who now serves as a general counsel at Google. “Like any laws encroaching on the freedom of information, privacy regulations must be narrowly tailored and powerfully justified.”

Ironically, many privacy advocates are strongly critical of copyright law and claim that, as currently structured, it represents an unjust or excessive information control regime. Yet, privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright law for personal information, which would, in turn, conflict mightily with the First Amendment. [See my essays, “Two Paradoxes of Privacy Regulation” and “Privacy as an Information Control Regime: The Challenges Ahead.” The rest of this essay borrows from those pieces as well as this big filing I submitted to the FTC in February.]

In his recent book Skating on Stilts, Stewart Baker reminds us that the famous 1890 Samuel Warren and Louis Brandeis Harvard Law Review essay on “The Right to Privacy”—which is tantamount to a sacred text for many modern privacy advocates—was heavily influenced by copyright law.  As Baker explains:

Brandeis wanted to extend common law copyright until it covered everything that can be recorded about an individual. The purpose was to protect the individual from all the new technologies and businesses that had suddenly made it easy to gather and disseminate personal information: “the too enterprising press, the photographer, or the possessor of any other modern device for rewording or reproducing scenes or sounds.”  […] Brandeis thought that the way to ensure the strength of his new right to privacy was to enforce it just like state copyright law. If you don’t like the way “your” private information is distributed, you can sue everyone who publishes it.

Incidentally, it is important to recall that their call for such a regime was essentially driven by a desire to censor the press. In their article, Warren and Brandeis argued that:

The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.

So angered were Warren and Brandeis by reports in daily papers of specifics from their own lives that they were led to conclude that:

man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.

It is unclear how one could have greater “pain and distress” inflicted by words than “by mere bodily injury,” and yet the law review article that essentially gave birth to American privacy law articulated such a theory of harm.  And it only follows, then, that they would advocate fairly draconian controls on speech and press rights if they felt this strongly.

Taken to the extreme, however, giving such a notion the force of law would put privacy rights on a direct collision course with the First Amendment and freedom of speech.  As Eugene Volokh argued in a 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking about You”:

The difficulty is that the right to information privacy—the right to control other people’s communication of personally identifiable information about you—is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

This is what makes efforts to untether privacy regulation from a harms-based model or mode of analysis so troubling. For example, the Federal Trade Commission’s recent privacy review says that “the FTC’s harm-based approach also has limitations [because] it focuses on a narrow set of privacy-related harms—those that cause physical or economic injury or unwarranted intrusion into consumers’ daily lives.”  The Commission then suggests that “for some consumers, the actual range of privacy-related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there,’” and suggests “consumers may feel harmed when their personal information… is collected, used, or shared without their knowledge or consent or in a manner that is contrary to their expectations.”

Not only does the Commission fail to offer any data on how this supposed harm manifests itself, how severe it is, or what trade-offs it presents to society, but it utterly fails to account for the dangerous slippery slope of speech control it puts us on. If appeals for regulation are based on emotion instead of concrete evidence of consumer harm, where will this take us next? If, for example, the Commission is to regulate based upon the fact that “consumers may feel harmed… when their personal information… in a manner that is contrary to their expectations,” how long will it be before some suggest this standard should trump First Amendment rights in other contexts?

For example, this more emotional approach to privacy regulation brings us one step closer to a “right not to be offended” or a “right to be forgotten,” as some in Europe favor. Here in the U.S., we see a similar effort underway with the so-called “Internet Eraser Button” idea, which has even been floated in federal legislation. How could a journalist even conduct their business in such a world? By their very nature, good reporters are nosy and, to some extent, disregard the privacy of the people and institutions they report on.

This is why privacy regulation must not be reduced to amorphous claims of “dignity” rights, where an assertion by a small handful that they “feel harmed” comes to replace a strict showing of actual harm to persons or property. To go down that path would have grave consequences for the future of freedom of speech, transparency, openness, and accountability.

Of course, there are many different types of privacy concerns, each of which demands its own analysis and legal consideration.  While I think most privacy concerns should be left to the realm of personal responsibility, user empowerment, and industry self-regulation, other privacy issues are more serious and should be elevated to the level of “rights.” When we speak of government search and seizure or surveillance concerns, “rights” talk certainly makes more sense. Likewise, identity theft is more than just a violation of privacy, it’s a violation of personal property rights.

With such notable exceptions, however, I prefer we speak of privacy in terms of ethics and norms. Legalistic, rights-based conceptions of privacy invite excessive government interventions with myriad unintended consequences.

A report in the U.K. Telegraph notes that the European Union is seeking to create a so-called “right to be forgotten” online, and has “drafted potential legislation that would include new, unprecedented privacy rights for citizens sharing personal data.” Details are sparse at this point, but according to this new 20-page European Commission document, “A Comprehensive Approach on Personal Data Protection in the European Union,” the EU will be:

clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes. This is the case, for example, when processing is based on the person’s consent and when he or she withdraws consent or when the storage period has expired. (p.8)

Two brief comments on this.  First, it should be apparent that any “right to be forgotten” conflicts mightily with free speech rights and press freedom. As I discussed at greater length in this review of Solove’s Understanding Privacy as well as my essay on “Two Paradoxes of Privacy Regulation,” the problem with enshrining expansive privacy “rights” into law is that it means there will need to be stricter limits placed on speech and press freedoms.  As Eugene Volokh noted in his 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You“:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Of course, there’s no First Amendment in the E.U.  But while there’s not as strong of a tradition of freedom of speech / press in Europe as in the U.S., it would still be shocking to see the E.U. go down this path.  Consider what it means for the press, in particular.  When I was in journalism school back in the late 1980s, one of my favorite professors once told my class that a good journalist was really nothing more than a nosy person who knew how to write.  But being “nosy” — digging for stories, gathering facts, reporting on the world around us — is fundamentally at odds with “privacy,” strictly defined.  For example, could someone claim “a right to be forgotten” when a journalist pens an article about them beating their wife or committing corporate fraud?  Believe it or not, Germany already has a law like this for convicted criminals who have served their time.  They can have old facts about their crimes repressed after they’ve served their sentences.  [Note: If someone could forward me additional details about that German law, I would appreciate it. Specifically, I would like a better understanding of how enforcement works.]

Second, there are economic trade-offs that must always be considered here.  Enshrining “a right to be forgotten” into law would necessitate a fairly significant expansion in the rules and regulations governing information sectors and actors.  Enforcement would certainly be challenging. As always, there is no free lunch; something has to give.  If online sites and service providers are faced with onerous new regs that limit their ability to collect data or serve up online advertising, those sites and services will need to find new methods of financing ongoing operations.  The impact on innovation could be substantial.  Indeed, one could argue that one of the reasons America’s high-tech sector and digital companies are the global leaders in so many of their fields is precisely because they have not been strapped with top-down privacy regimes and data directives that would have constrained their ability to innovate using information collection.

Information — yes, including personal information — is the fuel of the Digital Economy.  Restricting the flow of that information, or its use for advertising and marketing purposes, will have an undeniably negative impact on online content and culture.  Ask yourself this: Would you be willing to pay $19.95/month to use a social networking site, or to be charged a fee for each query you enter into a search engine?  Those subscription-based or pay-per-use business models certainly shouldn’t be prohibited, but it would seem most Netizens are comfortable with the current arrangement: Free access/use in exchange for information collection and ads.

Of course, this “right to be forgotten” regulatory regime is currently only being considered in Europe.  Some here in the U.S., therefore, might be tempted to cheer on their expansive reading of privacy “rights” in light of the hobbling effect it has on their information and high-tech sectors!   But those rules will hurt U.S. players, too, since many of them offer services across Europe.  Moreover, this regulatory paradigm could become a model for privacy advocates in the U.S. and set the stage for a major push for new legislation / regulation here.  Let’s hope that’s not the case.

In a post here last month on “Two Paradoxes of Privacy Regulation,” I discussed some of the interesting — and to me, troubling — similarities between rising calls for online privacy regulation and ongoing attempts to enact various types of controls on online speech or expression.  In that essay, I argued that while most privacy advocates are First Amendment supporters as it pertains to content regulation, they abandon their free speech values and corresponding constitutional tests when it comes to privacy regulation. When the topic of debate shifts from concerns about potentially objectionable content to the free movement of personal information, personal responsibility and self-regulation become the last option, not the first.  Privacy advocates typically ignore, downplay, or denigrate user-empowerment tools, even though many of those same advocates endorse “self-help” efforts as the superior method of dealing with objectionable speech or media content. In essence, therefore, they are claiming self-help is the right answer in one context, but not the other.  Ironically, therefore, privacy advocates and moral conservatives actually share much in common in that they are using the same playbook to advance their goals:  They are rejecting personal responsibility and user-empowerment tools and techniques in favor or government control for their respective issues.

Keeping that insight in mind, I want to take this comparison a step further and suggest that what really unites these two movements is a general conservatism about how our online lives and online business should be governed.  For the moral conservatives, that instinct is well-understood. They want hold the line against what they believe is a decaying moral order by restricting access to potentially objectionable speech or content — dirty words, violent video games, online porn, or whatever else.   The conservatism of the modern privacy movement is less obvious at first blush.  I suspect that many privacy conservatives would not consider themselves “conservative” at all, and they might even be highly offended at being grouped in with moral conservatives who seek to wield government power to control online speech and expression. Nonetheless, the two groups share a common trait — an innate hostility to the impact of technological / social change within the realm of “rights” or values they care about.  In their respective arenas, they both rejected the evolutionary dynamism of the free marketplace and they long for a return to a simpler and supposedly better time.

For the privacy conservatives, we see this instinct on display in discussions about “targeted advertising” and “behavioral marketing.”   Most privacy regulation advocates want to slow or stop the advancement of online advertising techniques for a variety of reasons.  Some say privacy — however they define it — is an inalienable human right and that data collection and targeted marketing betrays “human dignity.”  Others just despise commercialism and advertising in all its forms and hope to take steps to stop its spread or evolution. Still others say they want regulation to help give users more control over their personal information. Or, some combination of all of the above factors motivates their desire to see advertising and marketing practices curtailed.

On Defining Harm

Privacy conservatives and moral conservatives share another common trait: The struggle to identify or prove a tangible harm exists that justifies government regulation that would foreclose the evolution or markets and/or speech. “Privacy” has long been a controversial, ambiguous term, much like the terms “obscenity” or “indecency” in the speech context. My response in both cases is not that “harm” never exists, but rather that:

1. “harm” is extremely user-specific;
2. such “harms” should not necessarily be elevated to actionable legal / regulatory matters; especially when..
3. the better approach is user-empowerment and personal responsibility instead of collectivized political responsibility for such matters.

Stated differently, precisely because of the eye-of-the-beholder problem we face in both speech and privacy contexts, I believe the better approach is to rely on “household standards” (user-level controls + personal responsibility) instead of “community standards” (government regulation for the entire universe of consumers / users).  Thus, in light of the diverse nature of the citizenry and the importance of the evolution of online markets and speech, freedom should generally trump control.

Journalism provides a good case study for why that should be the general rule.  When it comes to the concerns about what should or should not be aired or reported by journalists, most of us would come down in favor of press freedoms and greater freedom of speech.  We don’t allow concerns about violent media images or salty language to trump the rights of journalists to report on wars, for example.  In a similar sense, we don’t allow privacy rights to trump freedom of speech as it relates to the collection of private facts about individuals by journalists.  Think about it; the job of a good journalist is to be a nosy son-of-a-bitch.  They pry into every corner of the private lives of individuals. They not only get paid to do, but they win awards for doing it well!  The First Amendment generally protects their ability to gather and reveal all this information about individuals and organizations.  Again, speech rights trump privacy rights.  That isn’t always the case, of course, but it is 9 times out of 10.  So, for purposes of our discussion here, the interesting question is: How far would privacy conservatives be willing to go to undermine speech rights since — if enforced aggressively — a privacy “right” would essentially become “a right to stop people from speaking about you” (to borrow the memorable subtitle of a 2000 Eugene Volokh law review article)?

The Case for Transparency, and the Futility of It

Like moral conservatives, privacy conservatives are on their strongest footing in advocating greater transparency.  Before jumping to direct government regulation of speech or content, some moral conservatives are willing to give greater transparency a shot.  For example, they push for content creators to reveal more details about the nature of their products using labels or ratings so that consumers can better understand what they will see or hear. Similarly, before advocating comprehensive Internet regulation, some privacy conservatives at least give lip service to the idea of industry self-regulation and they encourage sites and services to be more transparent about the information they collect about users for advertising / marketing purposes.

Such transparency generally doesn’t restrict innovation and progress. In fact, in some ways, it can help create a more vibrant market if consumers act upon the information they are given.  However, whether we are talking about objectionable media content or privacy-related matters, it doesn’t seem like many consumers are willing to do much to change their behavior once supplied with better product or service information — at least not in the way the regulatory advocates desire. In both cases, moral conservatives and privacy conservatives can’t seem to come to grips with the fact that the world isn’t made of people who share their hostile knee-jerk reaction to these things.

For example, there are some outstanding rating and labeling systems out there for movies and games, and those content descriptors really do give people (especially parents) a good idea of what they can expect to see, hear or play.  But the existence of those ratings and labels doesn’t deter millions upon millions of people from rushing to watch or buy a controversial new movie or video game that many moral conservatives probably find offensive.  Same goes for language.  We can warn people nasty talk is coming, or even channel it to later hours of the day, but a lot of people will still consume it anyway.  Many people probably recoiled upon first hearing a George Carlin monologue back in the 70s.  But while the moral conservatives couldn’t get over it — and still enforce regulations based on one particularly famous Carlin monologue — the rest of the world moved on. In fact, in 2008, Carlin was awarded the Mark Twain Prize for American Humor as one of our country’s most revered satarists.  Society evolved not just to accept, but embrace, Carlin’s wicked wit and even much of his billingsgate.

Similarly, privacy conservatives — who tend to think the multitudes share their general aversion to almost any form of data collection or commercial advertising — often seem mystified that the masses aren’t in open revolt against the likes of Facebook, Google, or online advertising networks.  To hear many privacy regulatory advocates talk, you’d think online advertising innovation should have been frozen in the pop-up ad era.  Some of them still can’t get over the fact that cookies weren’t regulated out of existence a decade ago.  Yet, despite their fundamentalist views about privacy rights and supposed violations of those rights, progress has marched on. Privacy expectations — much like cultural / speech expectations — have evolved. New baselines have emerged. And while there’s an occasional flashpoint over something particularly inflammatory — for speech, think of the Janet Jackson incident or the Grand Theft Auto “Hot Coffee” incident; and for privacy, think Facebook Beacon and Google Buzz — the reality is that most people have adapted to technological and social change.  Stated differently, regardless of what any poll or survey might suggest, citizens have generally rejected the fundamental conservatism of both the moral conservatives on content issues and the privacy conservatives on advertising / marketing issues.

Strange Bedfellow Alliances?

Are formal alliances between privacy conservatives and moral conservatives likely?  I think they are possible, but highly unlikely.  On occasion, some moral conservatives will reach across the aisle and work with Left-leaning groups when it works to their advantage.  A prime example came back in 2003-04 during the media ownership reform debates, when social conservatives like Brent Bozell aligned the Parents Television Council with the radical regulatory group Free Press and its neo-Marxist founder Robert McChesney.  Bozell’s contempt for entertainment companies was so extreme that he was willing to make peace with extremists like Free Press, who are always happy to string up the capitalists in the content community.

But that’s an unusual example.  It’s unlikely we’ll see the extreme poles of moral and privacy conservatism making many alliances because they generally don’t play well together.  That is, most moral conservatives don’t necessarily have a big beef with online advertisers, and few privacy conservatives care about free speech issues (and, to the extent they do care, they probably favor greater First Amendment freedoms).

However, whether they broker formal alliances or not, what should be clear is that moral conservatives and privacy conservatives are unwittingly working together as they both strive to bring greater government control to cyberspace and end evolutionary dynamism in their respective arenas.

As a cyber-libertarian, I’ve been lucky enough to work with people of all ideological stripes in pursuit of various public policy objectives.  I’ve made selective alliances with people on the Right on economic policy issues (like opposing Net Neutrality regulation, Internet taxes, etc) and also worked closely with folks on the Left on speech and culture issues (content controls, anonymity, online safety concerns, etc).

While engaging with with people on both sides of the political fence, I’m often struck by some of their internal inconsistencies.  Conservatives, for example, talk about a big game about personal responsibility on some issues, but quickly abandon that notion when they claim media content or online speech should be regulated by the State (typically “for the children.”)  In this essay, I’d like to discuss interesting inconsistencies on the political Left, especially among advocates of strong privacy regulation (most of whom tend to be Left-leaning in their worldview).  In particular, here are the two things I find most interesting about modern privacy advocates:

(1) Most privacy advocates are vociferous First Amendment supporters, yet they abandon their free speech values and corresponding constitutional tests when it comes to privacy regulation.  When it comes to proposals to regulate media content or online speech, most folks on the Left have a very principled, clear-cut position: people (or parents) should take responsibility for unwanted information flows in their lives (or the lives of their children). In particular, they rightly argue that the many user empowerment tools on the market (filters, monitoring software, other parental control technologies) constitute a so-called “less-restrictive means” of controlling content when compared to government regulation.

Advocacy groups that I have a great deal of respect for and work with quite closely on these issues–such as EFF, CDT and ACLU—all take this position.  Generally speaking, they argue that, when it comes to speech regulation, “household standards” (user-level controls) should trump “community standards” (government regulation). And in Court—where I frequently file joint amicus briefs with them—they repeatedly employ the “less-restrictive means” test to counter government efforts to regulate information flows.

But when it comes to privacy, they throw all this out the window!  For some reason, when the topic of debate shifts from concerns about potentially objectionable content to the free movement of personal information, personal responsibility and self-regulation become the last option, not the first.  What’s most troubling about this is the way these advocates of privacy regulation are unwittingly undermining the power of the “less-restrictive means” test, which is a vitally important barrier to greatly enhanced government control of cyberspace.  That is, when privacy advocates ignore, downplay, or denigrate user-empowerment tools, they are essentially saying self-help is the right answer in one context, but not the other.

That’s a shame because self-help tool work well in both contexts.  Indeed, I’ve spent years documenting the wide variety of user-empowerment tools on the child safety front, and more recently I have worked with colleagues at PFF to provide a similar inventory of “privacy solutions” that can help users control personal information flows.  Can privacy tools be confusing at times or difficult to set up? Yes, they can. But no more so that parental control tools.  Are privacy tools as effective as parental control tools?  I think they are actually more effective because in the case of parental controls, the person you are trying to “protect” (namely, kids) often have a stronger incentive to evade / defeat those tools.  Moreover, privacy-enhancing controls can be very effective—perhaps even too effective—at shutting down unwanted information flows.  Whether it’s ad-blocking tools, cookie controls, or encryption techniques, these tools can actually be far more effective blocks on information flows than, say, Internet filters meant to block porn or hate speech, which is also more subjective by nature.

Of course, no tool is perfect. But as the Supreme Court held in United States v. Playboy, empowerment tools need not be perfect to be preferable to government regulation. “Government cannot ban speech if targeted blocking is a feasible and effective means of furthering its compelling interests,” the Court held.  Moreover, “It is no response that voluntary blocking requires a consumer to take action, or may be inconvenient, or may not go perfectly every time.  A court should not assume a plausible, less restrictive alternative would be ineffective; and a court should not presume parents, given full information, will fail to act.”

So, then, why doesn’t the exact same principle hold for privacy regulation?  I believe it should, and because of that I get in some pretty heated fights with friends at EFF, CDT and ACLU when they abandon the user-empowerment regime on the privacy front and instead invite the government to come in and establish an information control regime.  Which leads to the second thing I find interesting about advocates or privacy regulation…

(2) Most privacy advocates bash copyright and claim it is an information control regime, yet privacy regulation would constitute a stronger information control regime by creating the equivalent of copyright law for personal information (which would, in turn, conflict mightily with the First Amendment).

While many libertarians oppose any form of copyright protection, I still find much worth praising in America’s copyright system.  Nonetheless, I do admit to my libertarian friends, as well as anti-copyright advocates on the Left, that copyright places limits on the flow of certain types of information.  After all, quite literally, copy-right deals with rights to copy information.  Of course, that’s the nature of all property rights—they foreclose and constrain alternative uses. But there’s typically a good reason for that: In the case of intangible property, it’s because we want to promote the creation of content/information in the first place.

For many copyright critics, however, this is an intolerable trade-off. Any limits on reproduction/reuse—even if those rights incentivize artistic/scientific creativity—are regarded as an unjust form of information control.  But if they believe that to be the case for copyright, why do they not feel the same of privacy rights?  After all, there are some striking similarities between the regimes.

In his new book, Skating on Stilts, Stewart Baker reminds us that the famous 1890 Brandeis and Warren Harvard Law Review essay on “The Right to Privacy“–which is like a sacred text to many modern privacy advocates–was heavily influenced by copyright law.  As Baker explains:

Brandeis wanted to extend common law copyright until it covered everything that can be recorded about an individual. The purpose was to protect the individual from all the new technologies and businesses that had suddenly made it easy to gather and disseminate personal information: “the too enterprising press, the photographer, or the possessor of any other modern device for rewording or reproducing scenes or sounds.”  […] Brandeis thought that the way to ensure the strength of his new right to privacy was to enforce it just like state copyright law. If you don’t like the way “your” private information is distributed, you can sue  everyone who publishes it.

Incidentally, it’s important to recall that the Brandeis and Warren’s call for such a regime was essentially driven by their desire to control the press. In their article, they argued that:

The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.

So angered were Brandeis and Warren by reports in daily papers of specifics from their own lives that they were led to conclude that:

man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.

Let’s ignore their hyperbolic claim that invasions of privacy could cause more harm than “mere bodily injury.”  No, wait, let’s not!  Seriously, can you believe men of this stature could utter such nonsense?  I’d love to hear a modern privacy advocate defend this notion and explain how, exactly, one could have greater “pain and distress” inflicted by words than “by mere bodily injury.”  That’s a doozy of a claim.  Nonetheless, they said it—in the law review article that quite literally gave birth to American privacy law.  And it only follows, then, that they would want fairly draconian controls on free speech / press rights if they felt this strongly.

Taken to the extreme, however, giving such a notion the force of law would put privacy “rights” on a direct collision course with the First Amendment and freedom of speech/communication.  As Eugene Volokh argued in a 2000 law review article entitled, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You“:

The difficulty is that the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.

Indeed, how could a journalist even conduct their business in such a world? By their very nature, good reporters are nosy and disregard the privacy rights of the people and institutions they report on. But in a world where privacy “rights” trump other rights, free speech would be forced to take a back seat.

To be clear, I’m not opposed to all privacy “rights.” But as I noted in my lengthy review of Daniel Solove’s Understanding Privacy, we need to begin with a theory of rights and then figure out what privacy “harms” we are trying address/rectify.  Generally speaking, I am skeptical of most claims about harms coming from people talking about us or knowing more about us and I believe that freedom of speech / communications should trump such rights claims. But that’s because I subscribe to a libertarian theory of rights/justice that–as the name implies–places human liberty at the core of that theory of rights.  If liberty isn’t your cup of tea, I can see how “privacy” might be viewed as co-equal in your theory of rights.  Nonetheless, I would hope such people would acknowledge that, at the end of the day, such a theory requires trade-offs and that, much like making an allowance for copyright in a libertarian system, information flows might be limited by these assertion of privacy rights.   What I’m asserting here, however, is that privacy regulation would entail far greater restrictions on liberty–especially freedom of speech/communication–than copyright law. After all, as Volokh notes, we are talking about “a right to have the government stop people from speaking about you.”

Addendum: I failed to mention that my fellow TLF blogger Tom Bell has said all of this much more elloquently in his 2001 Cato white paper, “Internet Privacy and Self-Regulation: Lessons from the Porn Wars.”

Congresswoman Diane E. Watson, who serves as Chair of the House Government Management, Organization, and Procurement Subcommittee, has just introduced new legislation proposing the creation of a “National Office for Cyberspace” within the Executive Office of the President.  Rep. Watson’s bill, “The Federal Information Security Management Act of 2010” (H.R. 4900) amends the Federal Information Security Management Act (FISMA) of 2002 in an attempt “to strengthen and harmonize the federal government’s efforts to ensure the integrity of its information infrastructure.”

It’s hard to argue against that goal, and I won’t here. Clearly, our government needs to get it’s own house in order when it comes to network and data security. Nonetheless, an “Office for Cyberspace” gives me pause. Although I always try to be careful with slippery slope arguments (per Eugene Volokh’s excellent advice here), I think there are good reasons to fear that any Executive Branch-level “Office for Cyberspace” would quickly come to take on a wide variety of other policy matters beyond just federal cyber-security issues.  The Federal Communication Commission’s past and recent history of regulatory mission creep is not encouraging in this regard. The agency has always looked to grow its mission and powers, and it has often succeeded. Of course, to be fair, the fundamental ambiguity of certain clauses and phrases within the agency’s charter document– the Communications Act of 1934 — left the door open to creative readings of things like what was in “the public interest,” or what constituted “fair and non-discriminatory” practices.

If, by contrast, the powers of this new “National Office for Cyberspace” are tightly limited to the mission of simply ensuring that the federal government keeps its own house in order — and doesn’t try to regulate our digital houses at the same time — then perhaps we have nothing to worry about. But, I remain a bit paranoid about these things and fear that the old “Hands Off the Net!” dream dies a little more each day because of bills like this.

Yesterday’s Supreme Court decision in Citizens United v. FEC essentially stands for the proposition that free speech is free speech regardless of the speaker. The 5-4 majority for the Court ruled that “We find no basis for the proposition that, in the context of political speech, the Government may impose restrictions on certain disfavored speakers. Both history and logic lead us to this conclusion.” (at 25)  Echoing its early decision in Bellotti, the Court noted that “Political speech is ‘indispensable to decisionmaking in a democracy, and this is no less true because the speech comes from a corporation rather than an individual.’” (at 33) “All speakers, including individuals and the media, use money amassed from the economic marketplace to fund their speech. The First Amendment protects the resulting speech, even if it was enabled by economic transactions with persons or entities who disagree with the speaker’s ideas.” (at 35) “There is simply no support for the view that the First Amendment, as originally understood, would permit the suppression of political speech by media corporations.” (at 37)

Somehow this has proven controversial, even radical, to some.  But, as George Will correctly notes, “This was radical only because after nearly four decades of such ‘reform’ the First Amendment has come to seem radical. Which, indeed, it is. The Supreme Court on Thursday restored First Amendment protection to the core speech that it was designed to protect — political speech.”  Essentially, the decision gets Congress out of the game of picking who, or what platform, deserves full First Amendment protection when it comes to uttering political speech. And there’s nothing radical about that.

Indeed, as Justice Kennedy noted for the majority, there is nothing surprising about this reasoning once you realize that almost every other type legislative or regulatory speech restriction has been struck down as a violation of the First Amendment. “The law before us is an outright ban [on political speech], backed by criminal sanctions,” Kennedy noted (at 20).  “If the First Amendment has any force, it prohibits Congress from fining or jailing citizens, or associations of citizens, for simply engaging in political speech.” (at 33)  Think about this for a second: Criminal sanctions or jail time for political speech! How in the world did we get to the point in this nation where criminalizing political speech became acceptable to our legislators?  Ignoring the obvious answer—it’s all about protecting incumbents—what is really “radical” here is not that the Supreme Court setting us back on the right path, but that our legislative branch has veered so far off of it.

I also agree with Tim Lee and Eugene Volokh who note that corporate money has always been part of politics and it is silly to think the restrictions in play here would really do much to change things in Washington in terms of diminishing “corruption.” Frankly, if you want less corruption in government, you need to begin by shrinking the powers of government to a more sensible level.  Big government breeds corruption opportunities simply because the “return on investment” for dollars spent trying to influence politics depends on how much money politicians can control through spending and regulation.

And political advertising or “electioneering communications” in the days leading up to an election are about the last thing you should be worrying about if you really want to “clean up the system.”  You don’t strengthen democracy by stifling freedom of speech or issue advocacy. That’s the equivalent of burning the village in order to save it.

For technology policy, the most important part of the decision is probably the following passage:

Rapid changes in technology—and the creative dynamic inherent in the concept of free expression—counsel against upholding a law that restricts political speech in certain media or by certain speakers… Today, 30-second television ads may be the most effective way to convey a political message… Soon, however, it may be that Internet sources, such as blogs and social networking Web sites, will provide citizens with significant information about political candidates and issues…The First Amendment does not permit Congress to make these categorical distinctions based on the corporate identity of the speaker and the content of the political speech…[viii][viii]

As Seth Cooper correctly argues:

These passages… are clearly at odds with Red Lion Broadcasting v. FCC’s assertion sixty years ago that “differences in the characteristics of news media justify different in the First Amendment standards applied to them.”

Eugene Volokh makes much the same point. Perhaps we are finally seeing an end to America’s “First Amendment Twilight Zone” as I have called it [see this video presentation] and, with any luck, a consistent First Amendment for the Information Age.

The Gawker offers a fascinating discussion of the legal right to anonymity:

“There is clearly a moral case that some people should be able to join the public debate and retain their anonymity,” Tench told Gawker. “And I think this will have a chilling effect. Blogs like this can only exist anonymously, and I imagine that anyone who wanted to set one up is thinking about this case.” As well they should. But the notion that anonymous publishers have a right, in perpetuity, to keep their identities a secret—or that people who learn their identities are honor-bound not to reveal them—is nonsense.

Amen! One can resist, fiercely, government efforts to reduce online anonymity through age verification or identity authentication mandates, as Adam Thierer have argued most recently in our work about efforts to expand COPPA to cover adolescents (“COPPA 2.0,” which would indirectly mandate age verification for large numbers of adults for the first time).  One might even argue that there are moral reasons to resist the urge to out pseudonymous/anonymous bloggers (just as one might avoid outing closeted gays out of respect for their privacy).   But one need not accept the pernicious idea that the government should punish the outing of peusodonymous/anonymous writers, which is simply a restraint on legitimate free speech.

This exchange, cited by the Gawker article, is particularly interesting, and demonstrates how one can distinguish the question of whether outing is “right” or “appropriate” from the question of whether it should be punished by law:

When the National Review‘s Ed Whelan revealed Publius, who writes for Obsidian Wings, to be a professor of law at the South Texas College of Law named John F. Blevins earlier this month, the palpable online outrage forced Whelan to apologize.

Anyone interested in the long-running debate over how to balance online privacy with anonymity and free speech, whether Section 230‘s broad immunity for Internet intermediaries should be revised, and whether we need new privacy legislation must read the important and enthralling NYT Magazine piece  “The Trolls Among Us” by Mattathias Schwartz about the very real problem of Internet “trolls“–a term dating to the 1980s and defined as “someone who intentionally disrupts online communities.”

While all trolls “do it for the lulz” (“for kicks” in Web-speak) they range from the merely puckish to the truly “malwebolent.”  For some, trolling is essentially senseless web-harassment or “violence” (e.g., griefers), while for others it is intended to make a narrow point or even as part of a broader movement.  These purposeful trolls might be thought of as the Yippies of the Internet, whose generally harmless anti-war counter-cutural antics in the late 1960s were the subject of the star-crossed Vice President Spiro T. Agnew‘s witticism:

And if the hippies and the yippies and the disrupters of the systems that Washington and Lincoln as presidents brought forth in this country will shut up and work within our free system of government, I will lower my voice.

But the more extreme of these “disrupters of systems” might also be compared to the plainly terroristic Weathermen or even the more familiar Al-Qaeda.  While Schwartz himself does not explicitly draw such comparisons, the scenario he paints of human cruelty is truly nightmarish:  After reading his article before heading to bed last night, I myself had Kafka-esque dreams about complete strangers invading my own privacy for no intelligible reason.  So I can certainly appreciate how terrifying Schwartz’s story will be to many readers, especially those less familiar with the Internet or simply less comfortable with the increasing readiness of so many younger Internet users to broadcast their lives online.

But Schwartz leaves unanswered two important questions.  The first question he does not ask:  Just how widespread is trolling? However real and tragic for its victims, without having some sense of the scale of the problem, it is difficult to answer the second question Schwartz raises but, wisely, does not presume to answer:  What should be done about it? The policy implications of Schwartz’s article might be summed up as follows:  Do we need new laws or should we focus on some combination of enforcing existing laws, user education and technological solutions?  While Schwartz focuses on trolling, the same questions can be asked about other forms of malwebolence–best exemplified by the high-profile online defamation Autoadmit.com case, which demonstrates the effectiveness of existing legal tools to deal with such problems.

Schwartz begins by noting that:

Many trolling practices … violate existing laws against harassment and threats. The difficulty is tracking down the perpetrators. In order to prosecute, investigators must subpoena sites and Internet service providers to learn the original author’s IP address, and from there, his legal identity. Local police departments generally don’t have the means to follow this digital trail, and federal investigators have their hands full with spam, terrorism, fraud and child pornography.

He then asks, quite fairly, what the consequences of more aggressive enforcement might be:

But even if we had the resources to aggressively prosecute trolls, would we want to? Are we ready for an Internet where law enforcement keeps watch over every vituperative blog and backbiting comments section, ready to spring at the first hint of violence? Probably not. All vigorous debates shade into trolling at the perimeter; it is next to impossible to excise the trolling without snuffing out the debate.

Certainly, proposals to ban online anonymity would seriously threaten legitimate anonymous speech, as my TLF colleagues Ryan Radia and Adam Thierer have pointed out.  Schwartz is probably correct that part of the answer to the problem of trolling and other serious malwebolences lies in equipping law enforcement at all levels with, and training them to use, the basic tools already available to “pierce the veil” of online anonymity and prosecute truly bad actors under existing laws.  But Schwartz is also right to highlight the danger of relying on government to enforce even existing laws, and to take on responsibility for monitoring online activity.

But like most commentators, Schwartz seems to assume that the enforcement of existing laws is solely the province of the “law enforcement” community (police, prosecutors and government investigators).  To be sure, there are a variety of state and federal laws criminalizing certain acts of “malwebolence.”  But those who find themselves victimized online generally have recourse to bring a lawsuit on their own (a “private right of enforcement”) under well-established causes of action under tort law–a crucial part of the “free system of government” lauded by Agnew.

Specifically, such a plaintiff may bring a defamation claim (“libel” if written, “slander” if oral) or one of the four categories of privacy claims that have emerged since 1890, defined by the magisterial Second Restatement of Torts as follows:

(a)  unreasonable intrusion upon the seclusion of another;
(b)  appropriation of the other’s name or likeness;
(c)  unreasonable publicity given to the other’s private life; or
(d)  publicity that unreasonably places the other in a false light before the public.

If the defendant is known, pursuing such claims is common-place.  The obstacle facing plaintiffs who do not know the legal identity of those who may have defamed them or intruded upon their privacy is the same facing law enforcement:  to “subpoena sites and Internet service providers [and other intermediaries] to learn the original author’s IP address, and from there, his legal identity.”  Such “third party subpoenas” are a vital part of the solution to the problem of malwebolence:  By enabling lawsuits under established causes of action against even anonymous defendants, they provide a real remedy to true victims.  The use of such subpoenas does not require finding new appropriations for “law enforcement,” new privacy laws or re-thinking Section 230’s grant of broad immunity to online intermediaries–a policy prescription that has gathered momentum in recent years.

For example, Daniel Solove has argued in his book The Future of Reputation that Section 230 should be re-interpreted:

to grant immunity only before the operator of a website is alerted that something posted there by another violates somebody’s privacy or defames her.  If the operator of a website becomes aware of the problematic material on the site, yet doesn’t remove it, then the operator could be liable.

Frank Pasquale has argued that we ought to require Internet search engines to provide a “right of reply”–allowing someone to post a “reply” that would appear on a search engine next to content concerning them that they consider inaccurate or defamatory (essentially the “fairness doctrine” applied online).   Others (one example) have argued for replacing Section 230 with something akin to the notice-and-takedown regime of copyright so that publishers’ immunity would be contingent on compliance with takedown notices.  But Mark Lemley, an internet law guru who is representing the plaintiffs in the Autoadmit case, has argued that Section 230 should instead be “rationalized” along with other Internet safe harbors under a unified safe harbor drawn from current trademark law:  “innocent infringers” would have immunity and would not be required to take down allegedly defamatory content, but plaintiffs could get courts to issue injunctions requiring intermediaries to take down content.  What unites advocates of all these proposals is that, like Schwartz, they downplay or ignore the effectiveness of existing tort remedies and third-party subpoenas.

Indeed, if the public is aware of third party subpoenas at all, it is probably only because of their use by copyright-holders in attempting to identify those caught using peer-to-peer software to share copyright materials.  Whatever one’s opinions on copyright and of the recording industry’s enforcement strategy, it is safe to say that the overall impression created by such lawsuits against users has been less than favorable.  Regardless, these lawsuits have established an effective legal process for identifying anonymous defendants.  While we can expect that this process–and the safeguards that accompany it–will continue to evolve, it is critical to appreciate the basics of how the third party subpoena process works if one is to evaluate the policy arguments raised by articles like Schwartz’s.

The infamous Autoadmit.com case provides a clear illustration of how this proces works and the evolving safeguards for anonymous speech.  As summarizes the case–and its most recent development:

“Women named Jill and Hillary should be raped.” Those are the words of “AK-47” — a poster to the college-admissions web forum AutoAdmit.com. AK-47 was one of a handful of students heaping misogynist scorn on women attending the nations’ top law schools in 2007, in posts so vile they spurred a national debate on the limits of online anonymity, and an unprecedented federal lawsuit aimed at unmasking and punishing the posters. Now lawyers for two female Yale Law School students have ascertained AK-47’s real identity, along with the identities of other AutoAdmit posters, who all now face the likely publication of their names in court records — potentially marking a death sentence for the comment trolls’ budding legal careers even before the case has gone to trial.

The plaintiff law students in this case originally sued Autoadmit.com and its operator in a Connecticut Federal District Court, but eventually removed them as plaintiffs in recognition of the fact that Section 230 immunizes them from liability.  But Section 230 did not stop them from suing those who had defamed them anonymously on Autoadmit.com.  And third party subpoenas have since made it possible for the plaintiffs to uncover the identity of most of those defendants.

The Process.  The procedure, made possible by Federal Rule of Civil Procedure 45, is relatively straight-forward:  A plaintiff brings a lawsuit against a John or Jane Doe(s), a pseuodymous defendant whose identify is as yet unknown.  The lawsuit must clearly state the facts, cause(s) of action and remedy sought–just as with any lawsuit (see the Autoadmit complaint, for example).

Having filed such a lawsuit, the plaintiffs may then have a court issue subpoenas (subject to certain limitations) under FRCP 45 to parties who may have identifying information about the identity of the defendants.  For example, if the plaintiff has the IP address associated with a defamatory blog comment, one can subpoena the ISP for further identifying information about that user.  There may be several steps to the process:  for example, Autoadmit might disclose under subpoena an email address, leading to a subpoena to a webmail provider and ultimately a subpoena to an ISP.  Once the John/Jane Doe has been identified, the lawsuit can proceed.

The Safeguards.  In the Autoadmit case, one of the John Does did indeed file under FRCP 45 a “motion to quash” a subpoena to AT&T by which the plaintiffs sought the disclosure of identifying information about the John Doe.  Plaintiffs, of course, opposed the motion, and the Court ultimately denied the motion.  The Court’s discussion (pp 6-13) is instructive for those wondering just how the First Amendment would protect anonymity when a plaintiff seeks to force an Internet intermediary to disclose identifying information about an anonymous speaker.

At least since the Supreme Court’s 1958 decision in NAACP v. Alabama ex rel. Patterson, the First Amendment has limited the ability of courts to order the disclosure of identifying information (in that case, the NAACP’s membership list).  Since then, U.S. courts have developed a two-part balancing test that” ensures that:

the First Amendment rights of anonymous Internet speakers are not lost unnecessarily, and that plaintiffs do not use discovery to “harass, intimidate or silence critics in the public forum opportunities presented by the Internet.”

Understanding the way in which the Autoadmit.com court applied that test is critical to understanding how courts might balance privacy with free speech in the future:

First, the Court should consider whether the plaintiff has undertaken efforts to notify the anonymous posters that they are the subject of a subpoena and withheld action to afford the fictitiously named defendants a reasonable opportunity to file and serve opposition to the In this case, the plaintiffs have satisfied this factor by posting notice regarding the subpoenas on AutoAdmit … which allowed the posters ample time to respond, as evidenced by Doe 21’s [motion to quash]. Second, the Court should consider whether the plaintiff has identified and set forth the exact statements purportedly made by each anonymous poster that the plaintiff alleges constitutes actionable speech.  Doe II has identified the allegedly actionable statements by AK47/Doe 21: the first such statement is “Alex Atkind, Stephen Reynolds, [Doe II], and me: GAY LOVERS;” and the second such statement is ““Women named Jill and Doe II should be raped….” The Court should also consider the specificity of the discovery request and whether there is an alternative means of obtaining the information called for in the subpoena.  Here, the subpoena sought, and AT&T provided, only the name, address, telephone number, and email address of the person believed to have posted defamatory or otherwise tortious content about Doe II on AutoAdmit, and is thus sufficiently specific. Furthermore, there are no other adequate means of obtaining the information because AT&T’s subscriber data is the plaintiffs’ only source regarding the identity of AK47. Similarly, the Court should consider whether there is a central need for the subpoenaed information to advance the plaintiffs’ claims.   Here, clearly the defendant’s identity is central to Doe II’s pursuit of her claims against him. Next, the Court should consider the subpoenaed party’s expectation of privacy at the time the online material was posted.  Doe 21’s expectation of privacy here was minimal because AT&T’s Internet Services Privacy Policy states, in pertinent part: “We may, where permitted or required by law, provide personal identifying information to third parties. . . without your consent. . . To comply  with court orders, subpoenas, or other legal or regulatory requirements.” Thus, Doe 21 has little expectation of privacy in using AT&T’s service to engage in tortious conduct that would subject him to discovery under the federal rules. Finally, and most importantly, the Court must consider whether the plaintiffs have made an adequate showing as to their claims against the anonymous defendant.

The court noted that there is a range of competing standards for this last prong, but dismissed those standards most deferential to the plaintiff–requiring only that the plaintiff show a “good faith basis” to contend it may have an actionable cause or that there is “probable cause” for a claim–as “set[ting] the threshold for disclosure too low to adequately protect the First Amendment rights of anonymous defendants.”  The court also dismissed other standards very favorable to the defendant, such as requiring plaintiffs to show their claims could withstand a motion for summary judgment, noting the obvious point that “it would be impossible to meet this standard for any cause of action which required evidence within the control of the defendant.”  Ultimately, the court settled on the standard requiring the plaintiffs to “make a concrete showing as to each element of a prima facie case against the defendant” as striking, “the most appropriate balance between the First Amendment rights of the defendant and the interest in the plaintiffs of pursuing their claims, ensuring that the plaintiff is not merely seeking to harass or embarrass the speaker or stifle legitimate criticism.”

While Solove, Pasquale and others would make it far easier for a victim to require an online intermediary to take down content that truly defames them or invades their privacy–or to rein in a troll posting such content–relying on existing tort law of course requires that a victim actually file a website and third-party subpoenas.  Those who demand changes to Section 230 will likely argue that this is too burdensome and costly to be an effective remedy for a widespread problem.  But, again, one must ask how widespread that problem really is before leaping to conclusions about what kind of remedies are required.  As UCLA law professor and Internet law guru Eugene Volokh noted in the Yale Daily News’ coverage of this story, even a small number of lawsuits like Autoadmit “might remind some potential would-be defamers that their anonymity may not be secure.”  One wonders whether the trolls described by Schwartz would really be so brazen if more of their coven were unmasked and sued.

One obvious advantage of relying on the combination of tort law and third party subpoenas is that requiring the actual filing of a lawsuit minimizes the problem of Internet users attempting to squelch legitimate speech–for example, by sending frivolous take-down notices to intermediaries, a serious problem in the copyright context.  Those truly concerned with protecting anonymous speech should take a far greater interest in the balancing test chosen by courts following in Autoadmit‘s footsteps.  Marc Randazza, former counsel for Autoadmit administrator Anthony Ciolli, summarized the the balance struck by the court as follows:  “If you’re doing right, the First Amendment will protect you,” Randazza said. “If you’re doing wrong, it won’t.”

Much more could be said about third-party subpoenas, but it cannot be said that the law does not already provide every American with a remedy against the trolls identified by Schwartz, the villains of the Autoadmit case or other “disrupters of the systems.”  Any inquiry into whether we need new laws or regulations should begin by looking at the processes described above.