The Volokh Conspiracy

Last week, Eugene blogged about the Ninth Circuit’s opinion in Fair Housing Council v. Roommate.com.  As Eugene noted, the court, in an opinion by Judge Alex Kozinski,

holds that federal and state housing discrimination law do not extend to discrimination in choice of roommates (or in advertising for roommates). Part of the court’s rationale is its judgment that reading the law as applying to roommate selection would raise serious constitutional concerns, given the right to “intimate association” that the Supreme Court has recognized in cases such as Bd. of Dirs. of Rotary Int’l v. Rotary Club of Duarte (1987); the Ninth Circuit therefore interprets the federal and state laws, which it sees as not definitive on the subject, to avoid the constitutional problem.

I agree that (a) the Fair Housing Act was not meant to impinge on roommate decisions and (b) if a is wrong, the right to intimate association nevertheless prohibits the government from interfering with one’s choice of roommate.

However, I was surprised that the opinion didn’t address a more subtle argument, to wit: if the Fair Housing Act does apply to roommate situations, even if it would be unconstitutional for the government to punish someone for his choice of roommate it is not unconstitutional for the government to prohibit someone from advertising discriminatory preferences.

The reasoning would be that while who one chooses to live with involves intimate association rights, publicly advertising one’s discriminatory preferences in an advertisement for a roommate is not only not an “intimate” activity, it’s a very public one.

Indeed, it’s my understanding that during the Clinton Administration, HUD’s position was that it could (and would) prohibit advertising that expressed discriminatory preferences even when acting on those preferences would be constitutionally protected.  (The relevant regulations allowing punishment for such behavior were eventually withdrawn because of a related controversy over what was seen as HUD’s overly vigorous interpretation of what constituted discriminatory advertising.)

It’s not clear that HUD’s position has changed.  Judge Kozinski points out that HUD recently dismissed a claim against a woman who advertised for a Christian roommate on a church bulletin board based in part on the unique context of the ad, but it’s not clear that HUD would take the same position about an ad seeking a white roommate published in the Washington Post classifieds.

As I discuss in You Can’t Say That!, I think that as a policy matter people should be able to advertise discriminatory roommate preferences.  Beyond standard libertarian concerns, banning such advertisements doesn’t actually decrease discrimination, it just imposes costs all around, not least on, e.g., a black individual seeking housing who winds up traveling to meet various potential roommates who will inevitably turn him down.  Meanwhile, the people who will be most affected by an advertising ban will be members of small minority groups who will have difficulty satisfying their roommate preferences if they can’t advertise them.  It’s easy enough to find a white or black roommate in Washington, DC, but what if you are a Gay Hispanic Republican, seeking the same (discrimination based on political affiliation is banned in DC)?  The counter-argument, of course, is that allowing discriminatory advertising creates dignitary harms to members of disfavored groups and “normalizes” the public expression of discriminatory housing preferences.

Given my Gay Hispanic Republican example, if I were a judge I’d likely be sympathetic to the argument that bans on advertising discriminatory preferences puts too great a burden on the exercise of intimate association rights to be constitutionally permitted. Whether precedent supports such an argument, however, is not clear.  I expect that the next major case against an entity like Roommate.com will need to take up this issue.

Fair Housing Council v. Roommate.com (9th Cir. Feb. 2, 2011) holds that federal and state housing discrimination law do not extend to discrimination in choice of roommates (or in advertising for roommates). Part of the court’s rationale is its judgment that reading the law as applying to roommate selection would raise serious constitutional concerns, given the right to “intimate association” that the Supreme Court has recognized in cases such as Bd. of Dirs. of Rotary Int’l v. Rotary Club of Duarte (1987); the Ninth Circuit therefore interprets the federal and state laws, which it sees as not definitive on the subject, to avoid the constitutional problem.

The opinion is by Chief Judge Kozinski, joined by Judge Reinhardt. Judge Ikuta concurs as to federal law, but concludes that state law does apply to roommates; she would therefore remand for further briefing in district court on the constitutional question. Thanks to How Appealing for the pointer.

UPDATE: Link fixed, sorry about that.

A recent report by Danah Boyd and others reveals that turning parents and children into liars is a principal effect of the Children’s Online Privacy Protection Act, or COPPA.  According to Consumer Reports, 7.5 million kids under 13 have joined Facebook. Since Facebook prohibits kids of that age from the service, that’s 7.5 million children who lied in the signup process.  And most of them got help in telling the lie from their parents.  According to Boyd’s study, the vast majority of parents were aware that their children joined Facebook before reaching 13; in fact, more than two-thirds of these parents helped their under-age kids join.

That’s a lot of lying.

COPPA more or less forces Facebook into excluding thirteen-year-olds.  The law and the FTC regs implementing it set stringent limits on the kinds of information that web services can collect from kids under 13 in the absence of “verifiable parental consent.” Obtaining verifiable consent requires mail, fax, phone calls, or credit card numbers; email is allowed only if accompanied by a cryptographically secure digital signature. It is quite deliberately a hassle.  And once the consent is received, the service is charged with knowledge that the customer is a child, which triggers special legal protections and limits, not to mention FTC and state attorney general oversight.

All in all, unless you’re running a site focused exclusively on preteens, you’d be crazy to let them join.  Facebook isn’t crazy.  It excludes children.  But staying off Facebook isn’t really an option for kids with a social life, or grandparents for that matter. So the real effect of the law and Facebook’s policy is to force children and their parents to lie about the child’s age.

Teaching kids to lie isn’t exactly a government policy to be proud of.  But federal law has another unintended legal consequence in store for those parents and kids.  As Orin Kerr and I have pointed out, Facebook users who violate the site’s terms of service also violate the Computer Fraud and Abuse Act, at least according to the Justice Department. Which would make every one of those parents and children guilty of a federal misdemeanor.

By my count, that’s well over ten million misdemeanors, not to mention ten million privacy victims.

Now, you might ask, “Who the hell is the government to take away the decision whether my kids can join Facebook?”  Actually, most parents feel exactly this way.  When the study asked them who should have the final say about whether or not their child should be able to use online services, 93% chose the parents, 3% opted for the company providing the service, 2% chose the government, and  2% would leave the decision to the child.

So how did we end up with an online regime that is this intrusive, stupid, and unpopular?

It wasn’t easy.  It took a lot of lobbying, and the story may help explain why we have so many stupid privacy rules.

First, in the 1990s, when parents and children were just beginning to go online, no one knew what that would be like.  There was a lot of free-floating anxiety.   By the late 1990s, the Federal Trade Commission and groups like the Consumer Federation of America were maneuvering to focus that anxiety on fear that evil websites would extract information from trusting youngsters without parental knowledge.  My guess is that the Commission and the consumer groups wanted an overarching online privacy law, and they thought that a law focusing on children’s privacy would be a good first step.

The FTC released a study in 1998 that painted the online industry in dark colors:

The results with respect to the collection of information from children are … troubling. Eighty-nine percent of children’s sites surveyed collect personal information from children. While 54% of children’s sites provide some form of disclosure of their information practices, few sites take any steps to provide for meaningful parental involvement in the process. Only 23% of sites even tell children to seek parental permission before providing personal information, fewer still (7%) say they will notify parents of their information practices, and less than 10% provide for parental control over the collection and/or use of information from children. The Commission’s examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has not yet taken hold.

Later, in testifying before Congress, the FTC highlighted a few extreme examples:

One child-directed site collected personal information, such as a child’s full name, postal address, e-mail address, gender, and age. The site also asked a child extensive personal questions about financial information, such as whether a child previously had received gifts in the form of stocks, cash, savings bonds, mutual funds, or certificates of deposit; who had given a child these gifts; and whether a child had put monetary gifts into mutual funds, stocks or bonds. The site also asked for family financial information including whether a child’s parents owned mutual funds. Apparently in exchange for providing this information, a child was entered into a contest. Elsewhere on the Web site, contest winners’ full names, age, city, state, and zip code were posted.

Another child-directed site collected personal information to register a child for a chat room. The information included a child’s full name, e-mail address, city, state, gender, age, and hobbies. The Web site had a lotto contest that asked for a child’s full name and e-mail address. Lotto contest winners’ full names were posted on the site. For children who wished to find an electronic pen pal, the site offered a bulletin board service that posted messages, including children’s e-mail addresses. While the Web site said it asked children to post messages if they were looking for a pen pal, in fact anyone of any age could visit this bulletin board and use the Web site information directly to contact a child.

Those examples would have a lot less power today, partly because the gathering of online data doesn’t seem as alien or scary as it did in 1998.  We’ve given our email addresses to a lot of sites without being stalked by predators.  We also know that there are practical limits on web services data collection and usage. Sites that ask kids for too much information are unlikely to prosper because, as Boyd’s study shows, parents play a pretty big role in their preteens’ decision to join a service. 

But in 1998 the FTC’s stories were seen as disturbing portents of a dystopian future. And how could we head off this future?  Not to worry; the FTC also had a solution.  Casting itself as a vigilant defender of parental rights, the Commission told Congress that the solution was – what else? – an expansion of Commission authority over online privacy practices: “As a result of our activities over the past three years, the Commission has developed significant expertise regarding children’s privacy. … The Commission strongly supports the approach adopted in this legislation.”

The bill was enacted later that year.

Where were the privacy groups while this was going on?  On the case, sort of.  The Center for Democracy and Technology testified in favor of the overall bill, but it wanted changes to give parents even less knowledge about their kids’ online activities; it asked (with some success) for modification of provisions that would have given parents access to any information their child provided to a website and alerted them when the child gave his email address to a website.

If you were a parent in 1998, you probably felt pretty good when you heard about COPPA’s passage.  You’d been told that it was going to protect your kids’ privacy by empowering you. But in fact, it mainly empowered a government agency to decide what your kids can do online.  And the privacy groups you thought were on your side?  They were more interested in protecting your kids from, well, you.

This isn’t just history.  The story of COPPA is by and large the story of most privacy legislation: a new technology emerges, followed by a “privacy panic” over how it might be misused (often engineered by interested agencies and privacy groups), followed by hasty legislation with large-scale unintended consequences — and, soon, a new class of privacy victims.

If I were a libertarian, I’d be particularly troubled by the FTC’s role in this drama. In the name of privacy and parental control, we let the FTC create a legal regime that expanded government’s authority over the Internet and took away parents’ ability to control their childrens’ online memberships, at least without lying.

And this weird mix of the authoritarian and the libertarian is not a bug unique to COPPA; it is a deliberate feature embraced by most of the privacy lobby whenever they talk about setting privacy rules for the private sector.  Considering how many supporters of privacy legislation tend to be dubious about government authority, it’s remarkable how often privacy legislation empowers some bureaucrat to regulate some part of the economy more aggressively.

Photo credit: http://www.flickr.com/photos/joebehr/5130944038/sizes/o/in/photostream/

There has been a lot of controversy in the past about whether the government should be free to subpoena library records or bookstore records, or execute search warrants for such records. (See, for instance, this post of Orin’s, this Congressional testimony by Orin, and pp. 30-37 of this article of mine.) I just ran across a case that dealt with this question in an unusual context — where the defendant’s alibi involved his supposedly returning a certain book to the library, State v. Hilton (Wash. Ct. App. Sept. 27, 2011):

Mr. Hilton’s remaining arguments are that the records were private under both Const. art. I, § 7 and the Public Records Act (PRA), chapter 42.56 RCW, and protected by the First Amendment and Const. art. I, § 5. In particular, he cites to RCW 42.56.310, which provides that a library record that “discloses or could be used to disclose the identity of a library user is exempt from disclosure under this chapter.” The emphasized language makes short work of Mr. Hilton’s PRA argument. The PRA provides an exemption from disclosure pursuant to a public records request. It does not create a privilege, let alone a privilege exempt from judicial process. See RCW 42.56.050; Brown v. Johnston, 328 N.W.2d 510 (Iowa), cert. denied, 463 U.S. 1208 (1983). Similarly, Const. art. I, § 7 prohibits intrusion into “private affairs” absent “authority of law.” A subpoena is “authority of law.” Gunwall, 106 Wn.2d at 69. Mr. Hilton’s argument is without merit.

The free speech argument fares no better. Mr. Hilton appears to predicate his claim at least in part on the theory that the SIJ [Special Inqury Judge] proceedings were invalid, an argument we have already rejected. His sole authority is a Colorado case, Tattered Cover, Inc. v. City of Thornton, 44 P.3d 1044 (Colo.2002). That authority is not apropos. That case involved an injunction against a search warrant, not a valid subpoena. The court ultimately concluded that the government had not established a compelling interest justifying the search for records that were recognized as private in Colorado. Id. at 1061. There, also, the bookstore resisted efforts to provide information about its customer. Here, the library provided the records within hours of the subpoena. Mr. Hilton has presented no relevant authority suggesting that this subpoena was invalid for failing to address the particular concerns associated with free speech rights.

Even if Washington followed the same compelling interest test, it would be met in this case. A double murder was being investigated. Mr. Hilton had voluntarily told police that he had been at the library that evening and indicated which book he had returned. He had waived any claim of privacy related to Hard Time or his checkout and return records. The compelling State interest in confirming or dispelling his alibi outweighed the privacy interest he had already waived. [Footnote: Moreover, the librarian's testimony concerning when Hard Time was returned to the library was the result of an independent source--the defendant's own admissions to the police--not the subpoena process. Thus, even if the subpoena had been invalid, it would not affect the testimony against the defendant.]

The SIJ subpoena was properly issued. It did not infringe upon any rights belonging to Mr. Hilton. Accordingly, the trial court correctly denied the motion to suppress the evidence.

As I mentioned, this is an unusual situation, and one could argue that the rule should be different if the government were seeking library records in other contexts. But I thought it was still worth noting, just as an example of how the issue might sometimes come up.

Occasionally, I see assertions that disclosing certain private information about someone — for instance, details of their sex lives, medical history, or financial affairs — would be tortious, even if the disclosure is in a private conversation. (See, for instance, this comment, and this dissent from a Supreme Court opinion.)

But generally speaking, the disclosure of private facts tort does not apply to such private disclosures. (Of course, the disclosure might in some cases be a breach of a professional duty, such as that of a lawyer, a doctor, or a psychotherapist, or a breach of nondisclosure agreement; but those are different matters.) As the Restatement (Second) of Torts § 652D puts it (emphasis added),

The form of invasion of the right of privacy covered in this Section depends upon publicity given to the private life of the individual…. “Publicity[]” … means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge. The difference is not one of the means of communication, which may be oral, written or by any other means. It is one of a communication that reaches, or is sure to reach, the public.

Thus it is not an invasion of the right of privacy, within the rule stated in this Section, to communicate a fact concerning the plaintiff’s private life to a single person or even to a small group of persons. On the other hand, any publication in a newspaper or a magazine, even of small circulation, or in a handbill distributed to a large number of persons, or any broadcast over the radio, or statement made in an address to a large audience, is sufficient to give publicity within the meaning of the term as it is used in this Section. The distinction, in other words, is one between private and public communication.

Illustrations:
1. A, a creditor, writes a letter to the employer of B, his debtor, informing him that B owes the debt and will not pay it. This is not an invasion of B’s privacy under this Section.
2. A, a creditor, posts in the window of his shop, where it is read by those passing by on the street, a statement that B owes a debt to him and has not paid it. This is an invasion of B’s privacy.
3. A, a motion picture exhibitor, wishing to advertise a picture to be exhibited, writes letters to a thousand men in which he makes unprivileged and objectionable statements concerning the private life of B, an actress. This is an invasion of B’s privacy.

In this respect, the disclosure tort differs from defamation law — a false and defamatory statement to one person (even a friend or close family member) might be slanderous or libelous. But if the statement is true but reveals private and non-newsworthy information about a person, it is not a disclosure of private facts unless it “reaches, or is sure to reach, the public.”

Naturally, especially in this era of Facebook, that line can be quite mushy; for instance, when would a post on a Facebook page that is readable by 1000 “friends” qualify as something that “reaches, or is sure to reach, the public”? (Illustration 3 — which is based on a real case — doesn’t fully dispose of this, partly because it might be influenced by the fact that the letters are about a famous person and are thus especially likely to be further publicized, and partly because the letters were sent to total strangers, rather than just to friends or “friends.”) What about a page readable by 100 “friends”? Still, it’s clear that certain communications, such as conversations or even e-mails that are unlikely to be broadly forwarded, aren’t covered by the tort.

The matter might be different in a few states, if they have a statute or a court decision that departs from the Restatement approach (which itself is based on the decisions of past cases). I know of one such exception: In Rhode Island, a statute defining the disclosure tort requires not “publicity” but “publication,” and Rhode Island courts have held that this means communication to one other person suffices to trigger the tort. It’s possible, then, that in Rhode Island it might be actionable for one friend (or family member) to tell another true things about a third’s love life, medical problems, and the like. But in most states, this would not be so.

None of this is intended to endorse the propriety of the tort, which I have criticized on First Amendment grounds; I only mean to explain what the tort actually covers.

The Kindle Fire is a remarkable innovation in the Apple mold:  taking a bunch of components that are pretty well known and combining them into a powerful new experience.  But unlike Apple, Amazon’s integrating vision isn’t visual design or even user delight.  Instead it’s far more ambitious — a new vision of the entire Internet ecosystem.

OK, let me try that again without the Valley babble.  The Kindle Fire forks Android into an Amazon-designed and Amazon–controlled operating system.  So far, no surprises. Amazon owns and subsidizes the hardware, too, so it can design features that integrate operating system and processor tightly.  Again, nothing that Apple can’t do.  But then comes the clever, almost-new idea:  Fire uses its own browser, called Silk, which is designed to work with Amazon’s massive cloud computer. So instead of downloading web pages one after the other and opening them on your computer, Amazon’s cloud stores and even opens them, sending you the end result.  This allows speedier downloads for a couple of reasons:  Caching of popular pages (or even parts of pages) avoids download delays when the original source is overloaded; and Amazon’s cloud can handle even the most processor-intense pages instantaneously, far faster than your wheezing desktop machine.  In short, your Internet experience on the Fire ought to be lightning quick.

There’s another advantage to this new vision of what might be called the Bezosnet.  The Bezosnet ought to be a lot more secure.  One way that hackers compromise your machine is by getting you to go to malware infected sites.  Just visiting the site triggers routines that take over the visitor’s computer.  But if the routine runs, not on a visitor’s computer but in a virtual environment at Amazon’s data center, the attacker’s code isn’t likely to work.

In fact, it looks to me as though Amazon has a remarkable security opportunity here.  It controls the Fire hardware, the Fire operating system, and the Fire user’s internet connection. If a Fire tablet joins a botnet, Amazon will know immediately. It can quarantine the tablet and alert the owner.  Indeed, it can go further, performing diagnostics to figure out and remedy the security flaw the botnet exploited. If a Fire tablet starts sending beacons or massive encrypted data files to a Chinese controller site, Amazon can spot the pattern and alert the user or even block the transmissions.  No one else, not even Apple, maybe not even DoD, will have the same ability to drive security into all parts of the Internet ecosystem.

If Amazon exploits its security opportunity, this could be transformative for users. To take one example, most people are, or should be, wary about Internet financial transactions.  Small businesses that do electronic funds transfers are at enormous risk today.  Like consumers, their machines are easily compromised, but unlike consumers, their losses to hackers are not underwritten by the banks.  That’s costing them easily hundreds of millions of dollars a year. As small businesses come to appreciate the risk, Amazon has a chance to persuade them that a dirt-cheap Amazon Fire tablet is the only safe way to access their funds.

Competitively, that could put Amazon squarely in the stream of high-value Internet transactions.  Maybe it becomes a bank.  Maybe it forces Mastercard and Visa to give it a discount because fraud on Amazon-mediated transactions is lower. Maybe it takes on Google’s relationship with advertisers, since now Amazon has insight into information advertisers really want:  what are consumers actually buying and how much are they paying? Maybe it kills the prospects of ISPs and telcos hoping to transcend dumb pipe status and exploit their direct connection to consumers; that connection won’t be much use if Amazon controls and can encrypt the entire stream of communication.

For consumers, the Fire opens up a prospect of feudal security on the Internet.  We already know that we can’t protect our own machines from attack. For all the talk of insecurity in the cloud, it’s almost certainly more secure than the decentralized system we have now. To take one example, I have a lot more faith in Google’s ability to protect my gmail account than in the ability of my system administrator to do the same for my corporate account.  And I have more faith in Amazon’s ability to spot malware infested websites than in my ability to do the same, even with help from Google and antivirus software. Yes, you’re putting all your eggs in one basket, but you’re also hiring someone to guard that basket while you get on with life. Sooner or later, to get security, it looks as though we’re all going to have to pick a liege lord and shelter under his castle walls. And now Amazon has an chance to build the first string of forts and castles across the most desirable territory.

Of course, where there’s feudalism, there’s droit de seigneur. The price for security will be, probably must be, a loss of privacy, anonymity, and control to Amazon.  Right now, Amazon’s terms of service provide some contractual anonymity to users, but as a technical matter Amazon has total visibility into everything that happens on a Fire tablet.  That visibility is very likely necessary for security, and it is damn sure valuable for commercial purposes.  So it’s hard to imagine that it won’t be used for both purposes.

I can hear the privacy Luddites cranking up their outrage machinery now.  As usual, they’ll be a day late.  But they’ll also be a dollar short, at least if I’m right that the alternative to sheltering under Amazon’s walls is living out on the plains alone, at the mercy of marauders. No one will thank the data protection authority that saves us from Amazon by pushing us into the arms of the Russian Business Network. What the authorities can do is police Amazon’s terms of service and perhaps hold Amazon to any promises of security with tough new liability rules.  But, like Regulation Z, which declares that credit card fraud can’t cost US consumers more than $50, a rule imposing liability on Amazon for Internet security breaches could turn out to be an enormous market advantage (not to mention a tough barrier to entry for imitators).

All in all, then, the Fire Tablet is potentially a very big deal.  Too bad I’m too cheap to buy one.

(As always when I get into the details of security technology, I do so with considerable humility about my grasp of, well, actual technical details. This is technology poetry, not prose, and a first draft of the poetry at that. I welcome technical corrections. )

From Electronic Privacy Information Center v. United States Department of Homeland Security (D.C. Cir., decided this morning):

The Electronic Privacy Information Center (EPIC) and two individuals petition for review of a decision by the Transportation Security Administration to screen airline passengers by using advanced imaging technology instead of magnetometers. They argue this use of AIT violates various federal statutes and the Fourth Amendment to the Constitution of the United States and, in any event, should have been the subject of notice-andcomment rulemaking before being adopted. Although we are not persuaded by any of the statutory or constitutional arguments against the rule, we agree the TSA has not justified its failure to issue notice and solicit comments. We therefore grant the petition in part….

To sum up, first, we grant the petition for review insofar as it claims the TSA has not justified its failure to initiate notice-and-comment rulemaking before announcing it would use AIT scanners for primary screening. None of the exceptions urged by the TSA justifies its failure to give notice of and receive comment upon such a rule, which is legislative and not merely interpretive, procedural, or a general statement of policy. Second, we deny the petition with respect to the petitioners’ statutory arguments and their claim under the Fourth Amendment, except their claim under the [Religious Freedom Restoration Act], which we dismiss for lack of standing. Finally, due to the obvious need for the TSA to continue its airport security operations without interruption, we remand the rule to the TSA but do not vacate it, and instruct the agency promptly to proceed in a manner consistent with this opinion.

Thanks to Tom Ault for the pointer.

UPDATE: I see Orin is working on a post about the Fourth Amendment issues, which I expect will be up very shortly. Please limit comments in this post to the administrative law questions and the other non-Fourth-Amendment questions. Please save the Fourth Amendment comments for Orin’s post. Thanks!

I asked Prof. Sonja West (University of Georgia) whether she had some thoughts on the case, because she had written two articles that relate to the question: The Story of Me: The Underprotection of Autobiographical Speech and The Story of Us: Resolving the Face-Off between Autobiographical Speech and Information Privacy. She was kind enough to pass along the following; I’m not sure I would entirely agree with the line she proposes — having constitutional protection turn on the speaker’s motive in this situation strikes me as too likely to lead to error, and to undue deterrence of speech — but I wanted to pass along her views in any event:

Eugene’s post about Greg A. Fultz’s billboard lashing out at his ex-girlfriend for allegedly having an abortion hits on an important conflict between free speech and privacy — what should happen when someone speaks about his own life and, in doing so, reveals private information about someone else.

Assuming that Fultz was telling the truth about the abortion (a matter that appears to be under some dispute), the question becomes whether it matters that Fultz was talking about something that happened to him personally. In other words, should there be heightened First Amendment protection for truthful autobiographical speech?

It is easy to tweak the scenario here to see the difference the autobiographical interest can make. Imagine that instead of Fultz, the speaker was some other third party — a friend, a community member or a co-worker — who somehow learned about the abortion and decided to broadcast the information publicly. This is the scenario our laws are equipped to handle. We ask whether the information is true; whether it was communicated to enough people; whether the disclosure would be highly offensive to a reasonable person; and whether it is a matter of public interest. But we do not look at whether the speaker was talking about his own life experiences.

Now we can add back in the autobiographical interest. In this version (and I’m taking some liberties with the Fultz case here), the speaker is profoundly affected by the abortion of his unborn child. It fills him with emotions and becomes a pivotal moment in his life. He wishes to speak about it publicly both to inform others and because he finds it cathartic. Are these two cases are different? Unlike the third-party speaker, Fultz is talking about his own life not someone else’s — should that matter?

Continue reading ‘Prof. Sonja West on the “My Ex-Girlfriend Killed Our Baby” Billboard Case’ »

Greg A. Fultz put up a billboard showing himself holding what appears to be empty space, with the words “This Would Have Been A Picture Of My 2-month Old Baby If The Mother Had Decided To Not KILL Our Child!” and some endorsements (apparently later removed) from pro-life groups, including the words “PRO LIFE” and “RIGHT TO LIFE.” The billboard didn’t identify the man’s ex-girlfriend, but presumably some people who knew him and her would figure it out. (The billboard did at first say “Created for N.A.N.I. – National Association of Needed Information,” though that was later removed, and Nani is the ex-girlfriend’s name; but I take it that no-one would identify the girlfriend from that, unless they had already figured out her identity because they knew who the man was.)

Then, as the Alamogordo News reported on June 3:

An Otero County Domestic Violence Court hearing commissioner recommended … an order of protection be granted to Nani Lawrence because Greg A. Fultz displayed a pro-life billboard about their relationship, which violated Lawrence’s right to privacy … [and] recommended the billboard be taken down by 8:15 a.m. on June 16.

Twelfth Judicial District Judge James W. Counts is expected (today) to sign the order of protection and an order to remove the billboard located on White Sands Boulevard between First and Second streets. [Later press accounts say the order was indeed entered, though I've also heard a claim that the District Judge has not yet decided. -EV]

There are many interesting First Amendment questions, and factual questions, here. Factually, Fultz now says he doesn’t really know whether the ex-girlfriend had had an abortion or a miscarriage, because the girlfriend hadn’t told him; at the same time, press accounts suggest she was just arguing invasion of privacy and not libel, so perhaps his allegation is accurate after all. Legally, I suspect that a restraining order command the removal of a billboard — entered without a full trial on the merits — would be an unconstitutional prior restraint, even if the speech could be the subject of civil damages liability after the fact. I’ve also argued that the disclosure of private facts tort is generally unconstitutional, though that’s a minority view; and there’s also the question whether such statements about someone’s abortion are outside the disclosure tort because they’re a matter “of legitimate concern to the public,” since they are connected to the hotly debated topic of abortion. (That might seem to be a stretch, though for a case holding that the identification of a rape victim, based on the public concern about reports of crime, is a matter of legitimate public concern under the First Amendment, see Florida Star v. B.J.F.) And I don’t know whether substantive New Mexico restraining order law authorizes anti-”harassment” orders that bar speech about the complainant, rather than speech to the complainant.

But let me set all these aside, and focus on a different, and less obvious, matter: While the fact pattern here is highly unusual (who buys billboards for such personal matters?), there are closely analogous patterns that are quite routine.

To begin with, note that whether an ex-lover has aborted what would have been your child is just one of many highly personal matters about a relationship. If it’s covered by the disclosure of private facts tort, then so would be quite a few other facts: whether your ex cheated on you, whether you and your ex had had sex, whether you found your ex to be sexually satisfying, whether your ex was impotent, whether your ex left you because he or she is actually gay (or, if you’re gay, because he or she is actually straight), whether your ex has cancer, whether your ex gave you a sexually transmitted disease, and so on. Some of these might be seen as marginally less “private” than the question whether your ex had had an abortion, but I don’t think there’d be any real constitutional difference between the two, or difference with respect to the common-law boundaries of the disclosure tort (or of state law relating to protection orders).

And note also that people often discuss these things when discussing their own lives. People who write their autobiographies often talk about why their marriages or relationships broke up, why they were depressed for a particular period of their lives, how their exes’ behavior affected their own later personality and behavior, and more. And of course these days lots more people are “writing their autobiographies”: They’re just called Facebook pages, blogs, Twitter feeds, and the like. “Dumped my girlfriend ’cause I caught her cheating with my best friend.” “I have to tell the truth about this: I have HIV, because my ex-husband gave it to me.” “I’m crushed: My boyfriend, who I thought was going to ask me to marry me, told me he’s gay.” (The disclosure tort is generally seen as not applying to communications to “a single person or even to a small group of persons,” so perhaps if you have just a few Facebook friends, a Facebook post wouldn’t be potentially covered by the disclosure tort. But if you have hundreds of Facebook friends, the tort would likely apply, as it would if you’re publishing things on an open blog or similarly open social-media system.)

So what should the law be in these situations? Should it protect the privacy of your exes (or your former friends, your family members, your former coworkers, and whoever else you’re talking about), even if that means that you can’t tell your life story, either in a traditional autobiography or in its modern running equivalents? Should the law allow you to discuss your personal life, even if in the process people will learn personal details about the lives of others, and will learn them even if you omit the others’ names (as in the billboard incident)? Or should the law focus on your supposed motive, and distinguish supposedly good-faith attempts to tell your life story, either in retrospect or as it happens, from supposed attempts to humiliate people you think have wronged you — and, if so, how can the law reliably and predictably do this, whether with the traditional autobiography or with Facebook or blog posts?

I’m inclined to say that you should indeed have the right to discuss your life, even if you reveal information about others in the process; but, as I mentioned, I generally disapprove of the disclosure tort, so that’s an easy matter for me. I raise the autobiography / Facebook running autobiography examples because I think they might be interesting for people who are more open to the disclosure tort, but who also are open to people’s rights to talk about their own lives.

Finally, here are three relatively recent cases on the subject (for a case that reaches the opposite result, but before modern First Amendment law developed, see Cason v. Baskin (Fla. 1944)).

Continue reading ‘When Facts About Another’s Life Are Also Facts About Your Life’ »

A trial court in New Jersey said it could be, but the New Jersey Supreme Court has said no:

During a primary contest for State Senate, opponents of candidate Brian Stack issued campaign flyers criticizing him for previously hiring a person with a criminal conviction, plaintiff G.D. One campaign flyer stated that G.D. was “a DRUG DEALER who went to JAIL for FIVE YEARS for selling coke near a public school.” G.D. filed a lawsuit alleging defamation, violation of privacy, and other related torts, and named as defendants the Hudson County Democratic Organization and certain individuals, as the purported authors and distributors of the flyers. Defendants assert truth as a defense. G.D. had been convicted of second-degree possession with intent to distribute cocaine and sentenced to a five-year prison term. Thirteen years later, he successfully petitioned for the expungement of his criminal record. Defendants reason that G.D.’s conviction was a public fact maintained as a public record long before the expungement and that the publication of that fact during a political campaign was a legitimate exercise of their free-speech rights and did not violate G.D.’s reasonable expectation of privacy.

G.D. counters that the record of his conviction was expunged and, therefore, his conviction — as a matter of law — is deemed not to have occurred. G.D. submits that, after the expungement of his record, the pronouncement that he was
convicted of a crime was simply false and the dissemination of the expunged information violated his privacy rights….

It is true that under the expungement statute, as a matter of law, an expunged conviction is “deemed not to have occurred,” N.J.S.A. 2C:52-27. But the expungement statute does not transmute a once-true fact into a falsehood. It does not require the excision of records from the historical archives of newspapers or bound volumes of reported decisions or a personal diary. It cannot banish memories. It is not intended to create an Orwellian scheme whereby previously public information — long maintained in official records — now becomes beyond the reach of public discourse on penalty of a defamation action. Although our expungement statute generally permits a person whose record has been expunged to misrepresent his past, it does not alter the metaphysical truth of his past, nor does it impose a regime of silence on those who know the truth.

Sounds exactly right to me. I’m also pleased that the New Jersey Supreme Court rejected the argument — also made in an amicus brief by the Electronic Privacy Information Center — that publicizing people’s now-expunged criminal convictions is tortious under the “disclosure of private facts” tort. “This case,” the court reasoned, “deals with public acts, a guilty plea and sentence in a public courtroom, and public facts, court records available to the public over many years. We hold that the expungement order did not and could not create a reasonable expectation of privacy in matters so long in the public domain.”

I blogged a year ago about the intermediate appellate court’s decision in this case.

So the Supreme Court unanimously held today in NASA v. Nelson, reversing a contrary Ninth Circuit panel opinion. I think the Court’s result is quite right, for reasons I blogged about earlier; I hope to post more on the reasoning soon.

UPDATE: Here’s a quick summary of the Court’s conclusions:

1. The Court “assume[d], without deciding, that the Constitution protects a privacy right of the sort mentioned in Whalen v. Roe (1977) and Nixon v. Administrator of General Services (1977),” which is to say a right to “avoid[] disclosure of personal matters.”

2. But this right, if it exists, “does not prevent the Government from asking reasonable questions of the sort included on SF–85 and Form 42 in an employment background investigation that is subject to the [federal] Privacy Act.” Among other things, The questions at issue asked contractors and employees about their recent drug use and drug treatment, and asked the contractors’ or employees’ references open-ended questions about the contractor’s or employee’s “honesty or trustworthiness,” “violations of the law,” “financial integrity,” “abuse of alcohol and/or drugs,” “mental or emotional stability,” “general behavior or conduct,” or “other matters.”

3. The court did not announce a general test for deciding which inquiries are permissible and which aren’t, but pointed to several factors in holding that these inquiries were permissible:

a. “[T]he Government has a much freer hand in dealing ‘with citizen employees [and contractors] than it does when it brings its sovereign power to bear on citizens at large.’”

b. The questions were “reasonable” and sufficiently “employment-related.”

c. The government has long engaged in inquiries of this sort, and private employers engage in them as well.

d. The information gathered would generally be kept sufficiently confidential, given the restrictions created by the federal Privacy Act on dissemination of employee and contractor information.

It seems to me that the Court was quite right on these facts, for reasons I discussed in earlier posts. But I should note that the Court’s analysis leaves lower courts and other government officials rather at sea about what sorts of questioning about private matters — whether directed to the target of the investigation, or to others — is constitutionally permissible, not just in the employment context, but in the context of criminal investigations, investigations triggered by license applications, and so on.

From Tagouma v. Investigative Consultant Servs., Inc.:

On April 8, 2004, [Appellant, Ahmed, Tagouma] fell at work while employed at Arnold Industries. He suffered an acute fracture of his right hand. [Appellant] was later diagnosed with Reflex Sympathetic Dystrophy Syndrome (RSD). [Appellant] sought workers’ compensation benefits and Arnold Logistics contested his claim. While the claim was pending, the workers’ compensation carrier, Sentry Insurance, retained [Appellee, Investigative Consultant Services, Inc.,] to perform surveillance on [Appellant]. [Michael S. Zeigler], an investigator with ICS, was assigned to conduct the surveillance.

[Appellant], currently 53 years old, is a[ ] Moroccan immigrant and a Muslim who worshipped at the Al-Hikmeh Institute, which is housed on the first floor of [the] Islamic Center of PA, located at 4704 Carlisle Pike, Mechanicsburg….

According to [ ] Zeigler, on April 7, 2005, at approximately 9:10 p.m., he parked in front of the three-store strip mall in a public lot, though at the time he parked there, all three businesses were closed. Zeigler observed [Appellant] from across Carlisle Pike as [Appellant] stood inside in the Al-Hikmeh portion [of] The Islamic Center near a window on the building’s north side. Zeigler was between 79 and 80 yards away from The Islamic Center windows. [ ] Zeigler videotaped [Appellant] for 45 minutes with a Sony 8 mm video camera and used the camera’s zoom feature.

Continue reading ‘No “Intrusion Upon Seclusion” Tort When Person is Videotaped at a Publicly Visible Religious Service’ »

It’s Ostergren v. Cuccinelli (4th Cir. July 26). I’m on a trip with my son and can’t blog much this week, and the case is complex enough that I can’t quickly summarize it, though the short answer is that the speaker won. But if you’re interested in free speech vs. information privacy questions, you should check it out. Here’s the opening paragraph:

This appeal arises from a First Amendment challenge to Virginia’s Personal Information Privacy Act, Va. Code §§ 59.1-442 to -444. Section 59.1-443.2 prohibits “[i]ntentionally communicat[ing] another individual’s social security number to the general public.” The district court found this section unconstitutional as applied to an advocacy website that criticized Virginia’s release of private information and showed publicly available Virginia land records containing unredacted Social Security numbers (“SSNs”). Later, the court entered a permanent injunction barring Virginia from punishing the republication of “publicly obtainable documents containing unredacted SSNs of Virginia legislators, Virginia Executive Officers or Clerks of Court as part as [sic] an effort to reform Virginia law and practice respecting the publication of SSNs online.” Both decisions are challenged on appeal. For the reasons that follow, we affirm in part and reverse in part.

There’s a Washington Post article summarizing the case.

It’s been a pleasure to blog this week.  I hope you’ve enjoyed this conversation and I’d love to continue it.  If you’re interested in reading more, check out our book, Wild West 2.0.  It is the most-discussed Internet policy book of 2010 (Jimmy Wales called it “an invaluable guide” to the “brave new world of the Internet”) and it sold out Amazon.com once already.  Or, contact me directly through my site at davidcthompson.com.  Thanks again to Eugene and the whole Volokh Conspiracy for inviting me to participate this week.

This week, we’ve discussed the “Wild West 2.0” metaphor for the Internet.  Today, I’m going to present a few quick ideas that didn’t make it into this week’s posts.   I don’t have enough space to flesh them all out, but I hope to provoke some thoughts and discussions that will continue beyond this week.

What will widespread surveillance and facial recognition do to privacy?

It’s always been the law in the U.S. that images you take in public are yours to use non-commercially.  There are a few exceptions around security, peeping Toms, and so-called “upskirt” photography, but basically you can take a photo from any public place and make any non-commercial use of it.

There are good reasons for this policy, ranging from a basic respect for the free press and free expression, to the First Amendment.

But, today, facial recognition is quickly becoming available on a wide scale.  For just one example, an application called Face.com allows Facebook users to use photo recognition to find their friends in photos (even if they have not been tagged, or if they have removed their tag).  Using the tool, it’s often possible to find hundreds of untagged photos of your friends (or yourself) posted by other people.

The Face.com developers just released an API (programming interface) to allow other websites to use the same technology.  So far, Face.com has restricted use of the technology to known faces, but nothing technological prevents them from using their database of hundreds of millions of Facebook photos to identify millions of people in public photos.

The results of just one company unleashing photo recognition on the Internet could be huge.  There are more than 3 billion photos on the site Flickr.com  , and billions more in the unstructured Web, on sites like Facebook, and in automated surveillance systems (every time you walk past a security camera, imagine your name being logged).

The figures above don’t even count the fact that some forms of advocacy corporate surveillance would increase in a world with easy facial recognition.  Why would anti-abortion groups not photograph every person who walks into an abortion clinic, use facial recognition to identify them, and use public name-and-address databases (see below) to target mailings (or harassment) to each person’s home?  Why would anti-gay advocates not do the same for people who frequent gay bars, or liberals target “Tea Party” activists, or statists target libertarians, etc?  Or insurance companies outside bars to monitor drinking and driving, smoking, or any other risk factor that could increase rates?

What does this mean for privacy?   If the freedom to take and post photos cannot or should not be changed, should there be regulation of the uses of facial recognition software?  Should it be a privacy tort to publicly identify private citizens by name if they are walking into an abortion clinic, a gay bar, a Tea Party rally, a divorce lawyer’s office, a police station (to “snitch”), or a substance abuse treatment facility?  What does it mean when Google indexes a list of these names and it comes up first for a search for your name?  How will it affect job prospects, inter-personal relations, and more?

Will we all just get over it and not care that our friends are getting abortions or divorces?  Will anti-gay groups get over the fact that some people visit gay bars?  Will political opponents stop harassing each other?   I hope so, but my hopes are dim.

The end result might be that we all wear low-fitting baseball caps each day, or the aptly-named “FlickrBlockrs” sunglasses that started as an art project but might fill a real need.   But should individuals have to proactively monitor their public image so fiercely?  (Read more about our ideas for privacy in the book, Wild West 2.0.)

Will the future allow a binary public/private distinction?

Right now, the law generally recognizes facts as “public” or “private” with very little gray area in between.  This has caused problems in the Fourth Amendment context, where seemingly-private facts (like your bank account information) are not considered “private” for Fourth Amendment purposes (thanks to the “third party doctrine,” the government simply ask your bank; many scholars find this doctrine problematic).

The Internet sharpened this problem by making “public-but-obscure” facts readily available online.  Privacy interests were often supported by practical obscurity; a court may have a list of all cases and convictions, but very few people bothered to trudge to the courthouse to find out.  The county clerk’s office may have a hardcopy list of home owners and their property values, but nobody actually checks.

But online, these records are being rapidly digitized and made searchable.  And because they are all “public” information for privacy purposes, there is currently no restriction on how the information can be displayed.  So far, no case of which I am aware has held that online “white pages” or “dossier” sites (like Spokeo.com, WhitePages.com, Intelius.com, and many others) cannot create a dossier of private-seeming information like your income, hobbies, credit score, home address, phone number, political contributions, and more—just so long as each data point was drawn from a “public” source.

The result of the end of practical obscurity has turned a lot of privacy upside-down.  Criminals now routinely use public records databases for identity theft purposes (itself illegal, but hard to catch), to stalk their victims at home (same), and to identify candidates for burglary or other attacks.  Millions of people (below) now casually flip through their neighbors’ dirty laundry online, ranging from bankruptcy filings to property records to divorce records.  Maybe this information has always been “public,” but it was never so readily available.

Will the law continue to recognize only “public” and “private” information?  Or will it develop shades of gray to recognize that obscurity can protect privacy while allowing “legitimate” uses.  Scholars have discussed ways to limit data like property records to their original purpose (making sure property taxes are apportioned fairly) by encouraging states to strip names from the data before publication; of course, this works only if there are no other records that correlate names to addresses.  Will that be enough?  Or is it a good thing that all these facts are public?

Does the Law Recognize the 300 Million Little Brothers Problem?

The section above should suggest it, but her it is expressly: we no longer live in a nation of Big Brother; we live in a nation of 300 million Little Brothers.

Much of our law is based around fear of surveillance by the government (Big Brother).  The Fourth Amendment is the easiest example; it is based around a fear of an overly intrusive government acting in its role as sovereign.  Statutory law like the Electronic Communications Privacy Act also seeks to protect individual privacy against the government.  And laws like the Stored Communications Act and HIPPA prohibit corporations from revealing certain information about you.

But now an equally real risk is 300 million Little Brothers.  We’ve moved from the Panopticon—where the guards can see everything—to a suburb of glass houses where everyone can see each other.  This is a powerful development for politics (we can now watch the watchers), but it has changed inter-personal privacy as well.  What laws (if any) should be updated to reflect this new reality?  Or should we all just get used to living in public–to quote Google CEO Eric Schmidt “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.“  The power of the Internet is increasingly moving toward making sure that everybody knows what everybody does.  Is this the right direction?

David Thompson is co-author of the leading Internet policy book of 2010, Wild West 2.0 (Amazon) and general counsel of ReputationDefender, Inc.. The standard disclaimer applies: the views represented here are his alone and not those of any current or former employer.

For more about the essay (for an online symposium), see here; to read the full 9 pages, see here. This week, I’m posting (and combining using the Snyder v. Phelps tag) some passages: Earlier, I blogged about Hustler v. Falwell and why it applies here, as well as about the arguments that the liability in Snyder is akin to a time, place, and manner speech restriction, justified by the proximity of the speech to a funeral, that the liability is justified because the Phelps’ speech interfered with Snyder’s own religious freedom, and that the liability is justified because the Snyders are private figures. Today I close by blogging about the invasion of privacy tort claim.

The Snyder v. Phelps jury held defendants liable not just for intentional infliction of emotional distress, but also for invasion of privacy. It seems unlikely that the Court will consider the invasion of privacy claim, because it doesn’t seem to be within the scope of the questions presented by the certiorari petition. Nonetheless, I thought I’d briefly speak about it here.

“Invasion of privacy” covers several torts, but only one led to liability in Snyder: “intrusion upon seclusion.” The intrusion upon seclusion tort generally focuses on conduct that is offensive regardless of the message it expresses, or even whether it expresses a message at all. The Restatement of Torts illustrations are entering a patient’s hospital room to take a photograph over the patient’s objection, photographing through someone’s bedroom window through a telescope, tapping someone’s phone, getting someone’s bank records using a forged court order, and calling someone every day for a month at inconvenient times. The tort is constitutionally sound precisely because it focuses on physical conduct, not communication.

Here, though, the intrusion stemmed not just from the proximity of the picketing to the funeral, but also from the message of the picketing. There must have been a good deal of speech within 1000 feet of the church at which the funeral service was being conducted, and surely one wouldn’t call all of it “highly offensive intrusion upon seclusion.”

Continue reading ‘Short Essay on Snyder v. Phelps, Part V: The Intrusion Upon Seclusion Tort’ »

The comment thread in my “down the memory hole” speech restrictions post reminded me of what I wrote ten years ago about the California Supreme Court’s 1971 decision in Briscoe v. Reader’s Digest (which has since been overruled, based on intervening Supreme Court First Amendment precedent). Here’s my criticism of Briscoe (some paragraph breaks added, and some punctuation adjusted):

[R]evealing Briscoe’s identity eleven years after his crime, the court said, served no “public purpose” and was not “of legitimate public interest”; there was no “reason whatsoever” for it. The plaintiff was “rehabilitated” and had “paid his debt to society.” “[W]e, as right-thinking members of society, should permit him to continue in the path of rectitude rather than throw him back into a life of shame or crime” by revealing his past.

“Ideally, [Briscoe's] neighbors should recognize his present worth and forget his past life of shame. But men are not so divine as to forgive the past trespasses of others, and plaintiff therefore endeavored to reveal as little as possible of his past life.” And to assist Briscoe in what the court apparently thought was a worthy effort at concealment, the law may bar people from saying things that would interfere with Briscoe’s plans.

Judges are of course entitled to have their own views about which things “right-thinking members of society” should “recognize” and which they should forget. But it seems to me that under the First Amendment members of society have a constitutional right to think things through in their own ways.

Continue reading ‘Speech Restrictions Aimed at Making Sure People Act in “Right-Thinking” Ways’ »

In an amicus brief EPIC just filed in G.D. v. Kenny — a case pending before the New Jersey Supreme Court — EPIC argues that convicted criminals should be able to sue for “disclosure of private facts” when others accurately report on the criminal conviction, so long as the state court system decided to retroactively expunge that conviction. (See here for my earlier post on a different issue in the case.)

Other parts of the EPIC brief argue that revealing the fact of a conviction without revealing that it was expunged might properly constitute false light invasion of privacy. I don’t think this is right, at least if the expungement is not based on a finding of actual innocence, since the important factual assertion underlying the revelation — which is that someone did something criminal — remains correct, and puts the person in a true light, not a false light. But that’s a separate matter.

Here, I want to point to EPIC’s argument that “‘truth’ is not a defense to privacy torts,” and in particular that “the appellate court should not have terminated [plaintiff's] … public disclosure of private facts claim[] once it dismissed the defamation claim. Invasion of privacy remains an issue of fact for the jury.”

Continue reading ‘“Down the Memory Hole” Speech Restrictions, Supported by the Electronic Privacy Information Center (EPIC)’ »

[UPDATE: Note the change in the legal analysis below.]

The Complaint is available here; it claims that the newspaper’s identifying Judge Shirley Strickland Saffold as the supposed author of items posted under the “lawmiss” account breached the newspaper’s Privacy Policy. A bit of background, from a WKYC story:

A comment by an Internet poster identified only as “lawmiss” on cleveland.com concerning the mental state of a relative of a Plain Dealer reporter was removed for violating the site’s policy against personal attacks.

The Plain Dealer reported March 22 that the online editor looked into who “lawmiss” was, and linked the “lawmiss” anonymous comments to Judge Saffold’s personal e-mail account.

Subsequent articles in the Plain Dealer noted that further investigation showed several “lawmiss” posts about an attorney….

[UPDATE: Whoops, I'd planned to include some more information, but neglected to; here it is:] The posts related to some of the cases decided by the judge herself.

A UPI story reports that the the judge and her attorney “claim any comments from a user going by the name ‘lawmiss’ connected to cases involving the judge were most likely left by the judge’s 23-year-old daughter Sydney, an aspiring law student,” though there is of course controversy about that.

Here’s my thinking: If the policy is seen as a binding promise on the newspaper’s part not to reveal commenters’ names, there’s no First Amendment problem with awarding damages for breach of that promise, even when the publication is on a matter of public concern and about a public figure. See Cohen v. Cowles Media (1991).

And it seems to me that the policy indeed promises not to disclose commenters’ identities, except in the ways that are specifically mentioned. The policy is described as involving “terms and conditions” that the user is said to “agree to” by using the Web site; that suggests that the newspaper is making binding promises there.

Nor do any of the exceptions seem to apply here. In particular, the statement that “In addition, we reserve the right to use the information we collect about your computer, which may at times be able to identify you, for any lawful business purpose, including without limitation to help diagnose problems with our servers, to gather broad demographic information, and to otherwise administer our Website” (emphasis added), doesn’t seem to cover the publication of the name of the commenter (as opposed to information about the computer). This is especially so because reading the exception as covering all revelation of information for a “lawful business purpose” would essentially undo all the privacy protection that the rest of the policy provides.

UPDATE: On the other hand, as some commenters pointed out, the User Agreement, which is as binding as the Privacy Policy, provides, “You hereby agree to release service provider, its affiliates and third-party service providers, and each of their respective directors, officers, employees, and agents from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, suspected and unsuspected, disclosed and undisclosed …, arising out of or in any way connected with your use of this site.” So it might be that this makes the Privacy Policy entirely unenforceable, if courts are willing to accept the user agreement as the all-encompassing waiver of any right to make any claims under any agreements that it seems to be.

But have a look at the policy yourself, and see what you think. An interesting “it’s a small world” item: Ted Diadiun, the Reader’s Representative at the Cleveland Plain Dealer (which is the defendant in this case), was a codefendant in Milkovich v. Lorain Journal, the 1990 Supreme Court libel case.

Details here, regarding the 2000 case NRA v. Reno, and Judge Garland’s refusal to require the Clinton Department of Justice to obey the federal statute requiring the destruction of records of firearms purchases by law-abiding Americans. The decision also suggests a cavalier disregard for privacy rights in general, such as the right not to be put on a government list simply because one engaged in a lawful activity.

TSA is facing new challenges from powerful explosives hidden in areas that usually can’t be searched until after dinner and a nice wine. No one is wild about the millimeter wave and backscatter machines that show how we’d look on the beach if we were dumb enough to wear Speedos.  The “puffer” machines that tried to find traces of explosive vapor were a better idea in theory but they didn’t work well in realistic airport trials.  What to do?

Turns out, there is an alternative.  My favorite airport search technology while I was at DHS is at last being commercialized.

Bees.

They have a great sense of smell, they can be trained a lot cheaper than dogs, they recognize more smells, and when they retire after a few days on the job, they make honey for you.

Plus, as far as I know, no tribunal has ever ruled that it’s a violation of international law to tell suspected terrorists, “Listen, buddy, either you talk to me or you’ll spend some time alone with my partners.  Yep, looky there, they’re already extending their proboscises at the thought.  You better make your mind up right quick.”

[1:58 pm: Bumped up above the other posts on today's cases.]

The Supreme Court has just granted cert in NASA v. Nelson, the Ninth Circuit case I blogged about here and here. Let me repeat below my thinking about the case from that last post:

The case involves a challenge brought by various contract employees working indirectly for NASA, claiming that NASA’s then-new background check policy violated a federal constitutional right to informational privacy. The Ninth Circuit found that the plaintiffs were likely to succeed on this claim, and thus held that they were entitled to a preliminary injunction against enforcement of the policy. In particular, the Circuit concluded that it was likely unconstitutional for the government to ask various people who knew the employees — at least “references, employers, and landlords” and perhaps others — broad questions. Such question presumptively violated a constitutional right to privacy discussed by the Supreme Court in Whalen v. Roe, and the presumption couldn’t be overcome on the grounds that the questioning was “narrowly tailored” to the government’s interests:

Form 42 [which was sent to people who had dealt with the employees] solicits “any adverse information” concerning “financial integrity,” “abuse of alcohol and/or drugs,” “mental or emotional stability,” and “other matters.” These open-ended questions are designed to elicit a wide range of adverse, private information that “is not generally disclosed by individuals to the public”; accordingly, they must be deemed to implicate the right to informational privacy….

Considering the breadth of Form 42’s questions, it is difficult to see how they could be narrowly tailored to meet any legitimate need, much less the specific interests that Federal Appellees have offered to justify the new requirement. Asking for “any adverse information about this person’s employment, residence, or activities” may solicit some information relevant to “identity,” “national security,” or “protecting federal information systems,” but there are absolutely no safeguards in place to limit the disclosures to information relevant to these interests. Instead, the form invites the recipient to reveal any negative information of which he or she is aware. There is nothing “narrowly tailored” about such a broad inquisition.

It seems to me that despite the court’s insistence that the opinion is quite narrow, its implications seem stunningly broad; and in particular, it seems to me they would dramatically affect the course of ordinary government investigations.

Say a police officer — or SEC investigator or FBI agent or a wide range of other government investigator — is trying to investigate a crime. Naturally, to get a search warrant for someone’s property, the officer would need probable cause to believe that the warrant would uncover evidence of a crime. But the officer often doesn’t start out with such probable cause.

Instead, I take it that the officer would often ask around about each person who might be involved in the crime, even if chances are that the person isn’t involved. He might go to landlords, employers, hotel clerks, acquaintances, and others, and ask questions, including open-ended questions. And the questions might deal with private matters, such as the suspect’s romantic entanglements, sexual orientation, political ideology, financial pressures, medical problems, and the like. It would be wrong and possibly unconstitutional for the government to misuse this information, for instance by arresting and prosecuting the suspect because of his political views, even when he wouldn’t have been arrested and prosecuted for the same offense if his views were different. But getting this information might well be helpful, depending on the circumstances, since it might reveal possible motives, associates, and other important information.

What’s more, the police officer would generally be able (with a prosecutor’s help) to order people to answer such questions, by subpoenaing them to testify. The officer and prosecutor can get even highly confidential information, such as bank records, records of the telephone numbers the person has called, and the like, without probable cause: All it would take is a subpoena to the bank, and such subpoenas to third parties don’t violate the Fourth Amendment, even when there is no probable cause for them. I realize that many disagree with this position, as to subpoenas (though I haven’t heard much disagreement as to the asking around mentioned in the preceding paragraphs). But it is pretty clear that this is indeed the Court’s view of the Fourth Amendment.

There are some limits on this; for instance, the officer can’t subpoena privileged lawyer-client communications, and there are likely limits on the officer’s power to subpoena abortion records and the like. But generally speaking a great many records, including bank and telephone records, are available without the need for probable cause or any showing of “narrow tailoring.” In fact, the way that officers are supposed to develop the probable cause needed to get search warrants is precisely by gathering information without search warrants — including asking questions of people who might know the information.

The Ninth Circuit’s decision, however, suggests that all such investigations are potentially subject not just to the Fourth Amendment (and the Fifth Amendment privilege against self-incrimination, when it comes to coercive questioning of the suspect himself), but also to the right of privacy. After all, the police officer or other government investigator is as much a government actor as is NASA. (The right to privacy, if it applies here, applies equally to the federal government and state and local governments.) If anything, the constitutional constraints might apply even more to the government acting as sovereign to investigate private individuals, as opposed to the government acting as employer to investigate its own employees or contractors. They certainly wouldn’t apply any less.

So say an officer is investigating an alleged theft, and there a bunch of people who had the opportunity to commit the theft, though the great majority of them are likely be innocent. The officer will no longer be free to ask people broad questions about what they know about a potential suspect, and in particular whether they have any information about their “financial integrity,” “abuse of alcohol and/or drugs,” “mental or emotional stability,” or “other matter.”

After all, while asking such questions “may solicit some information relevant to [the investigation], there are absolutely no safeguards in place to limit the disclosures to information relevant to these interests.” How could there be? The officer doesn’t know yet exactly what’s going to be relevant, and might not know until much later, when a casual revelation that Joe was sleeping with Mary, coupled with the revelation that Mary had an expensive cocaine habit, might explain why Joe might have had a special motive to commit the crime.

And presumably asking around about a person’s sexual partners, political beliefs, medical condition, financial obligations, and the like would be even more likely unconstitutional, since that would be direct questioning about matters that are most likely to be seen as private. Yet, as I mentioned above, that sort of picture of people’s lives is often vital to figuring out who might have the motive to do something, or who his likely accomplices might be, or even who else might be worth asking about the matter.

Now maybe this is the way things should be. Maybe even when there’s no search or seizure for Fourth Amendment purposes, and when there’s no compelled self-incrimination for Fifth Amendment purposes, there should be an extra constitutional requirement that asking around about a suspect be “narrowly tailored” if the questioning may reveal private information. Maybe the police shouldn’t ask broad questions, but be limited to focused questions that are directly supportable at that point by what the police already know.

But I’m pretty skeptical that this would indeed be a good constitutional law rule — and I see no basis in Whalen or in the Court’s other precedents for suggesting that there’s a constitutional right to information privacy that so constrains the government’s asking questions about people. The government doesn’t need the employee’s agreement to ask around about him, just as it doesn’t need a potential suspect’s agreement to ask around about him. There just isn’t a constitutional right not to have the government ask other people questions about you. So I’m glad the Court agreed to hear the case, and I predict that it will reverse. I’ll go further and say that I doubt there’ll be more than 2 votes to affirm the Ninth Circuit (at least on the informational privacy grounds), and quite possibly fewer.

With his usual nudge-and-wink, Matt Drudge invites us to be dismayed that “BIG SIS” — his moniker for Janet Napolitano — is “Monitoring Web Sites for Terror and Disaster Info.” Drudge links to a story saying that DHS will be monitoring social media like Twitter, as well as websites like Drudge, to keep abreast of events during the Winter Olympics. The source of the story is a twelve-page “Privacy Impact Assessment” issued by DHS.

This isn’t the first Privacy Impact Assessment (PIA) on DHS’s use of social media. A few weeks earlier, DHS wrote a similar assessment of using social media during Haitian rescue operations.

I am indeed dismayed, but not for Drudge’s reasons.  True, it’s disappointing that neither the Volokh Conspiracy nor www.skatingonstilts.com is deemed worthy of government monitoring.  But what’s really dismaying is that DHS and its Privacy Office felt obliged to labor over two separate and painfully obvious privacy assessments just to do things that you and I would do by simply firing up our browsers.

The Olympics PIA says in the first paragraph that DHS “is only monitoring publicly available online forums, blogs, public websites, and message boards.” Which should pretty much end the discussion. The government ought to be able to read the papers or watch TV or look at blogs just like anyone else. Or so you’d think. But no, the PIA drones on and on, offering thirty variations of “Hey, this stuff is public” as it assesses the “privacy impact” of, uh, surfing the web.  And so we get painfully obvious applications of irrelevant privacy principle like this:

“7.1 What are the procedures that allow individuals to gain access to their information?

Social media are public websites. All users have access to their information through their user accounts. Individuals should consult the privacy policies of the services they subscribe to for more information.”

Did we really need the federal government to tell us that?

The biggest problem with this policy, though, isn’t the “well, duh” response it inspires.  DHS apparently went into a defensive crouch about the whole program. The PIA is full of unnecessary and risky efforts to appease privacy zealots.

First, the PIAs expire quickly (the Olympics PIA expires after  thirty days, Haiti after ninety), which suggests that DHS is planning on issuing a new PIA every time it wants to look at social media for a new event or disaster. The problem with that policy isn’t just that the waste of time and electrons. The policy is also likely to slow the use of social media in the first hours of an event, when they’d be most useful. For example, the PIA for Haiti social media monitoring was issued on January 21 – nine days after the earthquake struck. Tweets from the rubble were probably getting a little stale by then (though we can hope that DHS did the monitoring first and the PIA later).

Worse, DHS says it won’t collect or share any personally identifiable data (PII), even if the information is included in the tweets. It reassures us that “any PII related to the posting will be redacted.” Does that mean that a tweet saying, “Henri Rideau is buried alive under the rubble at his home, 124 Rue Cayenne” will only be distributed after someone takes the time to bowdlerize it to read, “— is buried alive under the rubble at —”?

I’m sure Henri will thank DHS for protecting his personally identifiable information.

If someone else digs him out.

The PIA also assures us that DHS won’t read posts on sites that require a user name and login. This is also a wildly overbroad “protection” for privacy.  It applies even if the site is entirely open to the public, apparently, since Facebook is not listed. In fact, the last time I looked, the Washington Post required a login, too, and it too is left off the list. But maybe DHS can wait for the dead tree edition before it gets any disaster news broken by the Post.

Is there really a difference between public posts and Facebook updates that are shared with everyone on Facebook? If your mobile phone is set to send messages as Facebook updates rather than tweets, the government will never know you’re in trouble, thanks to this incoherent effort to appease the privacists.

DHS deserves some credit for actually understanding the value of social media in a crisis, but its self-inflicted limitations will either prevent imaginative use of social media or will guarantee violations when these unnecessary limits are set aside as a sensible response to some breaking crisis.  And that will predictably lead to new Drudge headlines: “Developing … BIG SIS violated privacy rules hundreds of times in ‘emergency’ monitoring of Americans …”

In the long run, I guess, dumb privacy policy is its own punishment.

Last week the petitioners in City of Ontario v. Quon filed their merits brief. Quon is the pending Supreme Court case on Fourth Amendment rights of government employees in their text messages created using government-provided text pagers. I’ve read the brief, and it makes a surprisingly narrow argument: I suspect that this narrow framing will make Quon a significantly less important case than it otherwise could have been.

To recap, the issue in Quon is whether city employees violated the Fourth Amendment rights of Jeffrey Quon, a SWAT sergeant who had been provided a pager by the city, when employees went to the pager service provider and obtained stored copies of text messages that Quon had sent using his pager. I think there are three basic issues at play in Quon: 1) Does an individual generally have a reasonable expectation of privacy in copies of his text messages stored by a third party service provider?, 2) If so, is that expectation of privacy eliminated in the specific facts of Quon given that he was a government employee who had been specifically notified that he had no privacy rights, and 3) If Quon did retain a reasonable expectation of privacy, is the search of his messages reasonable under the speical needs exception to the Fourth Amendment? (To be clear, these are my questions, not the formal questions presented.)

I was particularly interested in the first question, as it has tremendously far-reaching implications for how the Fourth Amendment applies to e-mail and other contents of communications sent over computer networks. To put it simply, Question 1 is the question of interest to those of us who follow how the Fourth Amendment applies to new technology; Questions 2 and 3 are of interest to those interested in the general privacy rights of government employees.

I raise this context because the petitioner’s merits brief in Quon simply ignores the threshold first question. Its argument mostly assumes that there are Fourth Amendment rights in text messages generally, but then says that even if this is true, Jeffrey Quon sure didn’t have any of those rights given the specific facts of his case. The only mention of the first question comes on page 29 of the brief, when it notes the first question in passing:

Whatever expectation of privacy a sender or recipient of text messages on a government employer’s equipment can ever legitimately have—if any [fn3] —certainly none existed within the operational realities of the Ontario Police Department.

[fn3] In its amicus brief supporting rehearing en banc, the United States pointed out the serious analytical errors in the Ninth Circuit’s conclusions, arguing, among other things, that there generally is no reasonable expectation of privacy in text messages sent and received. App. 163-180.

The rest of the brief hammers questions 2 and 3, and to my mind quite persuasively.

On the whole, I think it was a wise strategic choice not to argue the first question. The Court granted the case because of Judge Ikuta’s dissent, and her dissent didn’t get into these issues. The facts are very strongly in the petitioner’s favor on the later questions; the Ninth Circuit’s ruling that the operational realities of the workplace didn’t eliminate Quon’s Fourth Amendment rights was an outlier. This framing of the issues lets the Court correct the outlier without going into the other issues.

Further, the Justices probably don’t have any particular interest in speaking on Question 1, as the Ninth Circuit panel decision in Quon was the first circuit to address the issue. Given the rapidly changing technology and the difficult Fourth Amendment terrain, the wise course is to stay out of the issue for now (even though I think there is a correct answer, that a user does normally have Fourth Amendment rights in his text messages). Finally, the City is on much easier ground arguing this case as an uncontroversial no-privacy-for-SWAT-team-officers case rather than a controversial no-privacy-for-text-messages case. So on the whole, it’s a wise choice, even if it does mean that the Court is much less likely to get into the technology issues that I personally find so interesting.

Marc Ambinder has an interesting post on a yet-to-be-released, classified Office of Legal Counsel memorandum on the FBI’s authority to seek the “voluntary” disclosure of some records by telecommunications companies.  The memo was issued on January 8, apparently in response to a request from the FBI, and is referenced in an unredacted portion of this DoJ Office of Inspector General report on the FBI’s use of Exigent Letters and other informal requests for telephone records from telecommunications providers.

I recently participated in a New York Times “Room for Debate” blogfest on the question of how new technologies impact employee privacy. The participants were Tim Lee of Princeton; Jennifer Granick and Kurt Opsahl of EFF; Kashmir Hill of ATL; Jonathan Zittrain of Harvard Law School; and myself. You can read our posts here.