Update on Tron Controversy

Heise online reports that a Berlin District Court overturned the temporary restraining order against Wikimedia Deutschland. According to Heise, the application of the plaintiff has been dismissed. Consequently, Wikimedia is legally entitled to redirect visitors to the domain wikipedia.de to the international domain de.wikipedia.org. Read more here, background here.

Swissinfo on Legality of Mohammed Cartoons under Swiss Law

Swissinfo has just put online an article entitled “A case to answer over Mohammed cartoons?,” which discusses legal aspects of the Mohammed cartoons under Swiss law. My colleague Daniel Haeusermann, Researcher at the University of St. Gallen’s Research Center of Information Law, has been interviewed and quoted extensively in this piece.

Identity 2.0: Privacy as Code and Policy

Later today, I will be traveling “back home” to Cambridge, MA, where I will be attending an invitation only workshop on user centric identity and commerce hosted by the Berkman Center at Harvard Law School and organized by Berkman Fellow John Clippinger. In preparation for a panel on identity and privacy at this workshop, I have written a discussion paper. Here are the main points:

1. User-centric approaches to online identity management such as Identity 2.0 have several advantages compared to previous attempts—commonly referred to as Privacy Enhancing Technologies (PET)—aimed at regulating the flow of personal information through Code. Three achievements are particularly noteworthy: First, Identity 2.0-like approaches mirror the social phenomenon that privacy must be understood as an aggregation of an individual’s choices along a spectrum between the poles “complete anonymity” and “complete identification.” In other words, Identity 2.0 reflects, inter alia, the granular nature of offline privacy and replicates it at the design level of the digitally networked environment. Second, user profiles containing personal information (as elements of identity profiles) that have been created under the regime of previous PETs are often not “portable” across services and applications. Profiles based on concepts such as Identity 2.0, by contrast, are user-centric and, in that sense, universal in their use. Third, Identity 2.0 seeks to provide a set of profiles that enable an individual user to have parallel identities and make situative choices about the flow of personal data in the context of (commercial) interactions.

2. Consequently, user-centric identity systems have the potential to eliminate some of the basic weaknesses of previous incarnations of identity and privacy management technologies. From a privacy perspective, however, a series of important questions and problems remain to be addressed. First, it is striking that user-centric identity and privacy concepts like Identity 2.0 seek to restore an individual’s control over personal data through the medium “choice,” thereby following a property rights approach to privacy. The designers’ choice is remarkable because the majority of analyses suggest that the privacy crisis in cyberspace, by and large, is the product of extensive data collecting, processing, and aggregating practices by commercial entities vis-à-vis the individual user. In other words, Identity 2.0 concepts are regulating—via Code—the behavior of the sender of personal information (user) rather than targeting the source of the problem, i.e. the informational behavior of the recipients (commercial entities.) Viewed from that angle, the approach taken by Identity 2.0 is in tension with some of the basic principles of data protection, which seek to avoid the use of personal information by the recipient and to establish restrictive requirements on the collection, storage, and usage of personal data while leaving an individual user’s informational behavior unregulated. Although counterintuitive, a user-centric approach to identity and privacy management might therefore result in less user autonomy—understood as the freedom to communicate about oneself—when compared to a traditional data protection approach that aims to regulate the informational practices of the data collectors. This tension between identity architecture and fundamental data protection principles might become more explicit in jurisdictions outside of the U.S.

3. The second persistent challenge results from yet another design choice. Starting point is the observation that user-centric identity and privacy schemes are built upon what might be called the “consent approach,” an approach that ultimately suggests user’s choice as the solution to online identity and privacy problems. Indeed, the emerging generation of identity management and privacy enhancing technology aims to provide the tools to make (and express) choices. However, experiences with previous choice-based mechanisms and standards (like P3P) seem to suggest that the promise of this approach is fairly limited. Even the most sophisticated architecture cannot counter power asymmetries between individual users and the Amazons, eBays, Googles, etc. of this world. From such a pragmatic perspective, it remains doubtful to what extent real choices are available to the user. Or, as Herbert Burkert pointed out in the context of PET, “… the data subject is [usually] asked to choose between giving consent and losing advantages, privileges, rights, or benefits, some of which may be essential to the subject in a given situation.” Further, economic incentives which may motivate people to give away personal information in return for free services such as email accounts, content management sites, social networks, etc. might be particularly strong in the online environment and have a limiting effect on the freedom to choose, especially in situations where users (e.g. due to financial constraints) are forced to rely on such deals. Finally, the user acceptability of consent-based tools heavily depends on the ease-of-use of those instruments, as P3P and similar initiatives have illustrated. Given the number of stakeholders, interests, and standards involved, it remains to be seen whether the apparently complex web of identity providers, identity mechanisms, privacy profiles, etc. in fact will be manageable over one easy-to-use interface as has been envisioned by leading designers.

4. The observation that user-centric concepts such as Identity 2.0 contain many different interacting elements and relations—and, thus, add technological and social complexity to the Net—leads to the third conceptual challenge. Consent and choice in the privacy context means informed consent and choice, respectively. It has been observed with regard to much less complex designs of privacy enhancing technologies that data subjects “cannot know how much they should know without fully understanding the system and its interconnection with other systems.” (H. Burkert) In other words, informed consent by users requires transparency for users, but transparency usually decreases in complex and highly technical environments. Someone with a non-technical background who seeks to understand how the emerging protocols and governance models in the area of user-centric work and what the differences among them are will immediately recognize how difficult it will be to make truly informed choices among different identity providers and privacy management systems. The more individuals depend on complex user-centered technology in order to manage their online identities, the more desirable it seems from a policy perspective that users know about the underlying Code, the functionalities, and risks. So far, it remains unclear whether it is a realistic scenario that someone will have access to this meta-information and will aggregate it for users.

5. The three challenges outlined above are not meant as an argument against the Identity 2.0 concept. Rather, the remarks are intended as a cautionary note—we should resist the temptation to overestimate the promise of any user-centric and choice-based approaches in the context of privacy. In response to the above arguments, however, one might argue that the emerging user-centric approaches will not exclusively rely on Internet users who are educated enough (probably supported by some sort of “choice assistants”) to dynamically manage their multiple online identities and exchanges of personal information on the Net. Rather, according to this argument, identity and privacy policies developed and monitored by private parties would supplement the user-centric approach. Indeed, such a complementary approach addresses some of the concerns mentioned above. However, the experiences with self-regulation in the area of Internet privacy in the U.S. have been rather disillusioning as several studies demonstrate. Viewed from that angle, it does not seem entirely clear why a similar approach should work well in the context of an Identity 2.0 environment.

6. The previous question leads us to another emerging problem under an Identity 2.0-like environment. It is the question about the control of the information practices of the identity providers themselves. The control issue is a particularly important one because it seems inevitable that the emergence of identity providers will be associated with an increased degree of centralization where personal information in the online environment is managed for the purpose of identity building. Again, the common line of argument currently suggests that self-regulation in the form of peer-auditing and/or reputation systems is an adequate solution to the problem. However, once more a look back at the history of privacy regulation in cyberspace might trigger doubts as to whether an industry-controlled self-regulatory scheme will be adequately effective to ensure fair information practices on the part of identity providers as the new and important players of the future Internet. Against this backdrop, it seems advisable to consider alternatives and critically rethink the interaction between code and law and their respective contributions to an effective management of the identity and privacy challenges in cyberspace. This step may mark the beginning of a discussion on Identity 3.0.

Professor Fisher Presents Conclusions on OECD Digital Content Conference

Professor Terry Fisher has the difficult job, as the Day 1 Rapporteur, to present in 10 minutes the OECD conference conclusions. Here are the main points he made a few minutes ago:

A. Points of agreement (or at least substantial consensus)

(a) Descriptive level:
o We’re entering a participatory culture, active users, explosion of blogs; differences in web usage.

(b) Predictive level:
o Consensus that we’ll see a variety of applications that will flourish; the shift to biz models that incl internet distribution will have long tail effects, increase diversity

(c) Level of aspiration:
o We should aim for a harmonized, global Internet – single, harmonized global approach (vs. competing legal/regulatory frameworks)
o Governments should stay out, but broad consensus of 6 areas where governmental intervention is desirable: (1) Stimulating broadband; (2) fostering universal access (bridging dig.div.); (3) educating consumers; (4) engage in consumer protection against fraud, spam; (5) fostering competition; (6) promoting IP to achieve an optimal balance
o We should attempt to achieve “biz model neutrality” (TF’s personal comment: appealing idea, but infeasible, there’s no way to achieve it.)

B. Points of disagreement

(a) Descriptive level
o Whether IP currently does strike optimal balance (yes, middle ground, no – spectrum of positions)

(b) Predictive level
o Which biz strategy will prevail: pay-per-view; subscription; free-advertisement based model?

(c) Level of aspiration:
o Network neutrality: required or not as a matter of policy
o TPM: Majority: yes, smaller group: no; intermediate group: only under certain conditions.
o Should governments be in the biz of interoperability?
o Using government power to move towards open doc format?
o Government intervention to achieve an Internet that is open vs. variations of a walled-gardened net?

Marybeth Peters’ Statement at OECD

Here are the keywords I wrote down during Marybeth Peters’ (U.S. Register of Copyrights, United States Copyright Office) statement here in Rome, which she delivered in the context of the final policy roundtable aimed at identifying priority issues, tools, and policy challenges.

  • We must adjust our copyright laws to the digital environment. Copyright law has always responded to new technologies.
  • Must be an internationally coordinated response due to the global nature of the Net.
  • If copyright owners choose to use TPM, those TPM must be protected. Both copy & access controls.
  • Key questions to ask: Are there new rights that are required to protect creators? But also: Do we need new exceptions (e.g. for libraries). Third, what are appropriate remedies (e.g. criminal penalties).
  • Other important set of question: Who is the infringer (primary vs. secondary). This issue comes up in P2P context (Kazaa, Grokster, etc.) Secondary liability must be considered at the international level.
  • Licensing issues: To be saved for the marketplace, no government intervention required. Consumers know what they want. Strongly opposed to compulsory licensing (costly, ineffective). Instead: DRM, collective administration to solve the problem.

OECD Panel On User Behavior

I had the pleasure to chair a panel on new user habits and social attitudes at the OECD’s Rome conference entitled “The Future Digital Economy: Digital Content Creation, Distribution and Access.” On the panel was a wonderful group of experts:

  • Dr. David Day, Nielsen’s/Net Ratings’ Director for Europe, the Middle East and Africa was presenting data on Internet use and online behavior with focus on the EU;
  • Dr. John Horrigan, Associate Director for Research at the Pew Internet & American Life Project presented recent surveys on broadband usage in the U.S.;
  • David Sifry, Founder, President and CEO of Technorati was talking about the development and measurement of weblogs as well as the overall evolution of the blogosphere;
  • Frieda Brioschi, President Wikipedia and Wikimedia Italy, shared thoughts about current trends and developments in peer-production projects like Wikipedia; and
  • Dr. Jens Uwe Intat used the case of games to show how emerging user habits and social attitudes are changing the ways we consume entertainment.

From David Day’s and John Horrigan’s presentations I caught the following data points:

  • More than 150 million W Europeans with Internet access and still growing.
  • 95% of established Internet users are using the Net at home, 49% at work, 23% at educational institutions, 18% in the Internet cafe, 14% in public libraries.
  • The top device to access the Internet is the PC/Mac (91%), followed by laptop (33%), mobile phones (18%), digital TV (5%), PDAs (4%) and game consoles (4%).
  • Typical online behavior in a month includes: search (94%), general interest/portals (86%), web services/internet tools (75%), mass merchandisers (73%), auctions (66%), email (54%), online banking (53%) and community sites (53%).
  • 36% of adult Americans have high-speed connections at home.
  • The following percentage of the age group 35 & under has ever been engaged in the following activities: 20% blog; 39% sharing creative work online; 35% sharing any online content.
  • A December survey by Pew shows that having a broadband connection at home continues to have a transformative impact on users. The three areas of impact are: (i) increased reliance on the Internet for news and information; (ii) heavy use of the Internet for gaming and entertainment; (iii) use of the Net to satisfy creative needs (amateur content production).

Here are my personal take home points from the panel discussion:

Empirical as well as anecdotal evidence (case studies) suggests fundamental changes in the way we access, use, create, and distribute information, knowledge, and entertainment.

(1) Access:

  • Broadband has arrived and is creating a critical mass.
  • In large part due to broadband technology, the Internet is increasingly embedded in our daily lives.

(2) Use:

  • Technology matters, too, not only specific user demographics.
  • We heavily use services that require some sort of content intermediaries (search engines, news aggregators, games).

(3) Creation:

  • Weblogs play a key role in bottom-up content creation, both in the EU and the US.
  • Peer-produced projects such as Wikipedia are prime examples of new modes of content production.

(4) Distribution:

  • Large-scale P2P file-sharing, for legitimate and illegitimate purposes, is persistent.
  • Increasingly important is sharing of self-created content.

In conclusion, it seems to me that we are at the beginning of a long, multi-layered discussion that is likely to be increasingly centered on access and creation rather than (P2P) distribution.

Wikipedia.de Controversy

Reportedly (see, e.g., here, here, here, and here), Wikipedia Germany (i.e., Wikimedia Deutschland – Gesellschaft zur Förderung Freien Wissens e.V.) has been forced by a temporary restraining order of the District Court of Berlin-Charlottenburg not to redirect from http://www.wikipedia.de to http://de.wikipedia.org. The story seems to be straightforward: Wikipedia features a story on the deceased German hacker Tron and – as many other online sources do – also reveals his real name in the respective article. The hacker’s family has taken legal actions against Wikipedia based on the argument that the post qualifies as an intrusion of privacy.

The interesting part of the story: Apparently, the German version of the article is stored on a server in the U.S. controlled by the Wikipedia Foundation. While it is not that surprising that the family’s lawyers were able to get a preliminary injunction against Wikimedia Germany, it is much more challenging to take effective actions against the content provider in the U.S. In my personal view, it’s almost impossible to enforce a similar court order (targeting the article itself, though) in the U.S. based on the privacy argument mentioned above. It’s yet another variation on the theme global internet versus local free speech and privacy laws. And once again the story is likely to boil down to an enforcement issue. In any event, another illustrative example for our privacy classes.

My question to the family’s lawyer: Did you tell your client in advance that legal actions against Wikimedia/Wikipedia will get a lot of public attention (trust me on this one) – with the result that many more people will learn about the real name of Tron than would have otherwise? It’s a basic information law – and I use the term ‘law’ not in the legal sense…

Update: check here.

Boyle on EU Database Directive Review

Our Londoner colleague and friend Ian Brown (Happy New Year, Ian!) points us to Jamie Boyle’s FT.com Op-Ed on the European Commission’s recent Database Directive impact analysis.

Burkert on the Changing Role of Data Protection in Our Society

My colleague Professor Herbert Burkert, President of our St. Gallen Research Center for Information Law and ISP Yale International Fellow, has just released a paper he presented at the CIAJ 2005 Annual Conference on Technology, Privacy and Justice in Toronto, Ontario. The paper is entitled “Changing Patterns – Supplementary Approaches to Improving Data Protection: A European Perspective” and identifies, analyzes, and evaluates several approaches aimed at improving data protection legislation. Burkert argues that current approaches – broken down into three schools of thought: the renovators, the reformist and the engineers – are insufficient, because they do not sufficiently address “the phenomenon that the deep changes of data protection’s role in our information societies do not result from administrations and private sector organizations applying data protection laws insufficiently or from applying insufficient data protection laws but from parliaments continuously restricting by special sector legislation what had been granted by the general data protection laws.” Vis-a-vis the new threat model, Burkert proposes a supplementary approach that relies on independent data protection agencies and addresses parliaments’ role in information law making more directly.

Mary Rundle On Internet Governance – And Beyond

My fellow Fellow Mary Rundle has just released a thoughtful post-Tunis piece entitled “Beyond Internet Governance: The Emerging International Framework for Governing the Networked World.” Here’s the abstract:

Increasingly, governments are regulating the “Net” – that is, the Internet and people’s activities over it. Because the Net is global in nature, governments are turning to intergovernmental organizations to iron out common approaches. Taken together, these international Net initiatives foray into all areas of government traditionally dealt with by domestic regimes – addressing foreign commercial relations, jurisdiction, infrastructure, security, monetary authority, property, relations between private parties, and citizenship.

In agreeing to participate in these federated, power-sharing arrangements, governments are gradually constructing an entire framework for governing the networked world. Given the importance of these rules for the future, those who hold freedom dear must work to build democratic values into this emerging international system.
