This Week In Law 257 (Transcript)
Denise Howell: (bagandbaggage.com - @dhowell) Today in This Week in Law, Bood Radley, Karl Marx, and copyright. Digital potty training. John Oliver gets weird and incisive with outgoing NSA chief Keith Alexander. How not to be targeted and much more with Lou Schneier, Mark Pauling and Kyle Courtney. Next on This Week in Law.
Netcasts You Love, From People You Trust. This is TWiT! (TWiT logo) Bandwidth for This Week in Law is provided by CacheFly at CacheFly.com (CacheFly logo)
This is TWiL, This Week in Law, with Denise Howell and Evan Brown, Episode 257, recorded May 2, 2014
Clamshell Phones and Gas Powered Copiers
Denise: This episode of This Week in Law is brought to you by Nature Box where you can order great tasting healthy snack delivered right to your door. Forget the vending machine and get into shape with healthy, delicious treats like blueberry almond bites. To get 50% off your first box go to nature box.com/twit. That’s nature box.com/twit.
Denise: Hi there, I’m Denise Howell and you’re joining us for This Week in Law. We have an amazing panel for you today. We are going to focus a lot on privacy and security issues, but don’t worry, we will throw in some copyright and entertainment stuff for you too. We’ve got Bruce Schneier joining us today, a widely respected author and cryptographer, one of the world’s foremost experts on issues of privacy and security. Bruce we are so thrilled to have you on the show.
Bruce Schneier: (schneier.com -@schneierblog) Yeah, it’s fun to be here.
Denise: Also joining us, from Harvard University where he is counsel in charge of the entire Harvard library system is Kyle Courtney. Hello Kyle.
Kyle Courtney: (scholar.harvard.edu/kcourtney-@kylekcourtney). Thank you very much.
Denise: Wonderful to have you here. And I’m sorry but our traditional cohost, Evan Brown is not present with us this week, but Evan has kindly sent us one of his colleagues, Mark Paulding who is also an expert on privacy and information security. Hello, Mark.
Mark Paulding: (infolawgroup.com - @infolawgroup). Hi, Denise. Happy to be here!
Denise: Wonderful to have you. So, since we have lots and lots of privacy stuff to discuss let’s go there first.
(Privacy logo)
Denise: All right, well, for anyone who doesn’t already read Bruce Schneier, a Colbertisk wag of the finger at you, you should be because Bruce definitely pays attention to and helps all the rest of us understand the important issues related to privacy and security. And in his book, a while back, coined the term, “security theater” relating to what goes on at airports. So I thought we would start there, Bruce since that might be where people have heard of you before, if they haven’t already. It’s from that term. Because we have had a bit of development in what the TSA does and how they treat people going through airport security, the TSA pre-check program first went into effect back in 2011, but it’s starting to get more and more uptake especially as global entry members and other border search systems that TSA has in place are able to use TSA pre-check. And also it’s kind of near and dear to my heart since my son and I are members and we’ve used it a couple of times. And it’s like going back to traveling in the early 80’s, where you would just waltz through security. You kept all your clothes on. You kept all your shoes on, things stayed in your bag, including all of your toiletries, all of your electronic devices and you didn’t have to worry about going through backscatter x-ray scanners. So it’s sort of back to the future here. As far as pre-check goes and now they are extending the program to international airlines as well. And I wondered from the standpoint of “Security Theater”; what you think Bruce, about this going back in time. Once, of course, the people involved in the program have given up a good deal of information about themselves.
Bruce: Well, I don’t know about the of course, but that’s what’s happening. It’s funny that you talk about the 80s that this is like the 80s. The 80s actually was a much worse time for terrorism. We don’t think that, we don’t believe it because we believe that terrorism is singularly the threat of this new century, but there was a lot more terrorism on planes in the 80s then there are today. I’m a big fan of pre-check. I’ve had it for years, I fly a lot and going back to sensible security, I think makes things a lot easier. My problem with pre-check; unfortunately, is that it’s really reserved for those who pay, for those who fly a lot, those are who are in other programs. So it really makes class division and my fear is that once the rich people are going through normal security that the horrible post 9-11 will stay because nobody will realize how bad it is anymore. I think pre-check level security is what airport security should look like. I don’t think it needs a background check, I think it should be available to everybody, the more people the better, but I do worry about the class differential.
Denise: Yeah, that’s a really good point. The global entry program that my son and I joined was $150 per traveler. I can’t see a whole lot of people springing for that. Pre-check itself is a five dollar per traveler, so it’s still a pretty hefty fee. The other concern that I have, that you could share Bruce; now that we have gone to the process. I don’t feel like a terribly thorough going background check was done. Now my 10-year-old son, perhaps might not have been necessary, but for 49-year-old me, I would have expected more questions and a more thorough look at what I have been up to. And it was kind of a rubber stamp process, I mean, I don’t know what goes on behind the scenes, but I can tell you it was very quick and cursory.
Bruce: When I got it, I got it for free, because I was a frequent flyer so there was actually no interaction for me. I just magically had it. Again, I don’t think any background check is necessary. So if it’s cursory or dumb; I don’t care, just as long people can get through airport security like they’re supposed to, and not have this post-9/11 crazy. So, global entry is harder, I’m in that program too, that requires the fee plus an interview. You actually go to the airport at a time when you’re not flying which is really weird. And then they sit down and interview. So that takes time. But the people who have global entry are business travelers who will fly a lot, then that makes sense. We’re also seeing pre-check, and I have noticed over the years that pre-check has been in operation; more and more people I think of them as amateurs will go to the pre-check line. Where they don’t know what to do, they don’t know what they’re supposed to do and not supposed to do, and they are very confused and very slow. I mean pre-check works best when we’re all going faster the line. And as it expands, I assume more people will get used to again pre-9/11, more normal security. It is a shame that we have to have these systems to get people there. There are airports that looks like they are moving people through the pre-check line kind of randomly; I don’t know if there is any profiling going on as to who goes in there. But I will see people that are not pre-check people in the pre-check lines. So a lot of stuff going on with TSA. So, for example, liquids don’t seem to be much of a problem anymore. I haven’t even, not as pre-check, not taken my liquids bag out of my suitcase for a long time, and no one seems to care. I have bottles that are a little bit over and no one seems to care. You know the big water bottle, no one’s paying attention anymore, with not a lot of fanfare. So there are definitely changes, we are trying to get back to normal sane airport security. Even though it’s a slow and hard process.
Denise: Yes, some of the coverage I’ve been reading about pre-check does mention that when the pre-check line is short or nonexistent that they will profile us, as you say, persons in the other line and bring out people who they feel would be good pre-check candidates. It almost sounds like it’s a marketing tool too. To get people, if you haven’t tried this before, give it a try, you might enjoy not having to take your shoes off, etc. The other funny thing that I have noticed to your point, of people not knowing what to do when you’re in the pre-check line, is we have all become accustomed to the TSA agent standing there kind of lecturing you sometimes through a bullhorn telling what you have to take off and where to put things and what goes in what bin. In the pre-check line, they’re doing it to, but they’re telling you, just the opposite. They are telling you keep your sweaters on, keep your shoes on, nothing has to come of your bag. So they are having to unteach everything that they have taught before. Mark what is your take from this privacy and security standpoint on all of this.
Mark: Well, I generally agree with Bruce. I have a similar view that a lot of the security that has been put in place over the past 10, 15 years has been rather excessive. I have not done a check, though, I haven’t done it yet. I haven’t been traveling as much in the last year or two. So I haven’t reached a point where it made economic sense to invest in it yet but I expect that to change soon. So I suppose I will get used to being able to wear shoes with places in the airport again, that might be nice, it’s a good thing. I like loafers, so it wasn’t a big change for me. But I think it’s, I think there has been so little evidence that the heightened security measures have had practical impact on security that, much like Bruce said, that’s the way security should be.
Denise: Bruce, how do you feel, you’ve said a couple of times you think everyone should have pre-check caliber check at the airport. Two questions, tell us why that is sufficient and secondly, do you think that TSA will eventually get there?
Bruce: Well, eventually is a long time. I think it’s impossible after the rest of history of our country will be in this insane terrorists are going to kill us all mentality. So, yes, we will get back to a normal levels of threat, normal levels of risk assessment, and normal levels of security. It might take a generation, but eventually we will get back there. As to why it is sufficient. It’s sufficient, because it is not the enhanced security isn’t going to catch anybody. You think about terrorism, there are two basic kinds of terrorists. There are your random nut cases and your professionals. The random nut cases and the airport security is going to catch. They’re bringing a gun, they’re bringing a knife, they’re bringing a bomb, and they’re kind of obvious. Airport security catches those people. The professionals designed their plots so that airport security doesn’t catch it. Sort of think about pre-check. If I had a team of terrorists. I’m going to have everyone apply for pre-check and the ones that get it; go on the mission. So all these enhanced securities assume that terrorists doesn’t know about that and we all do know. The thing about the liquid bombers, they picked a plot that was designed to go through airport security at the time. The underwear bomber picked a plot designed to go through airport security. The notion that we are going to defend against the terrorists did last week is kind of fanciful. So, you look at the two types of threats. The first type pre-9/11 security does great against. The second type post 9/11 security doesn’t do great against. So we might as well go to pre-9/11 security, take all that extra money put it in investigation and intelligence; the things that actually work regardless of the plot, regardless of the tactic, regardless of that target. It’s a basic cost analysis benefit. Airport security is the last line of defense, and it is not a very good one. Shoring it up, does not make us much safer.
Denise: Yeah, that’s a really good point. Yep. Kyle, have you been traveling lately? And what are your thoughts on this?
Kyle: Yeah, I actually just came back from Congress about a month ago, well maybe three weeks. And I saw the pre-check Lane for the first time because I was flying JetBlue. Being unaware of that, it was exactly what Bruce was saying, I was in the express Lane, the one where you can go through security, a little faster not wait on the big line and they moved me into the pre-check Lane. And I kind of act, well I’m not pre-checked and they were like, oh well, it was a new service. And they advertised it to me in a way. So, it is exactly what happened, I’ve been wearing loafers for years now, so I would agree with that as well. But I was surprised at the price. I know background checks costs money to do in the employment world, but they told me it was $85 for five years, I think, is what they said.
Denise: That’s right.
Kyle: And they didn’t tell me about the international. I have no idea about that, but I guess if it’s getting people moving through the airport faster and it still has the psychological component, which I think a lot of the TSA’s actions were to deal with the public at large and their nerves about the post 9/11 environment, I think it will work, but the socioeconomic aspect of it is interesting.
Denise: It is, and we were talking about the obvious drawbacks of creating a class system when it comes to airport security, but this whole notion that they’re marketing the program, aggressive to people who aren’t already members of its and the fact that it is pricey. Hints at the fact that the TSA views this as kind of profit center. What do you make of that Bruce?
Bruce: You know, I don’t know. I don’t think we know how expensive these background checks are. They are not going to be free, but as talked about. It’s not very extensive. So I don’t know who is making money on this. It does disturb me, because we’re all sitting here talking about this in a position of privilege; we fly a lot, we learn the old rules, we learn the new rules, we learned some new rules. Some of us fly once a year, once every other year, it’s a big deal. It’s a big amount of money and, they are going to airports, not knowing what the rules are. And they haven’t flown in a couple years, they hear a lot of stories they hear me talking, they hear you talking. And everyone is saying different things. From you’re going to get a really invasive patdown to you can keep your shoes on. So, there’s not a lot of people who know, and you can actually tell if you go fly during times when a lot of people who don’t fly regularly fly, Christmas breaks, spring break for schools. It’s much slower because people just don’t know the rules because that is something they are fact sealed with.
Denise: Yeah, it’s not something that takes up a whole lot of time in most people’s daily life, I’m sure. Well, we put these phrases into the show a couple of them per show so that people who are listening for continuing legal or other professional education credit can demonstrate that they have watched or listened to the show. So let’s make the first one.” Keep your shoes on.” And if you need more information about CLE credit for listening to or watching This Week in Law, head on over to our wiki at wiki.twit.tv. And our show page there has much more information for you.
Bruce: So, so this is to make sure that people are paying attention? That’s incredible.
Denise: No, it’s just a random way to demonstrate, there’s some oversight bodies that say. Okay, sure you listened to that show or watched it. We need some further proof that you actually did this show that is almost 2 hours long. So we drop these phrases in so, it’s kind of like Groucho Marx, “secret word”. We have a couple of them. Let’s move on to. Recently, when I was not flying, I was driving around the bay area, in northern California and spotted a billboard by Idrive. And I guess they put a bunch of these billboards around San Francisco to coincide with Macworld. And their push was and they did a press release on this too.
(Webpage: PRNewswire: Idrive, Inc. provides complete NSA-proof cloud backup across all platforms)
That Idrive was providing NSA-proof cloud backup. And focusing on the fact that they are offering end-to-end encryption for their cloud backup. So, I’d like to probe this with you, Bruce and see what you think about marketing your products to thwart surveillance and how effective. Is this false advertising by any chance?
Bruce: Well, a couple of questions. The first one is, are they actually saying that if they get a US government court order, they will ignore it? I mean, one of the ways NSA gets at your data is go to the FISA court and get a warrant for your data. So, what does that mean? The other way the NSA gets at your data, they go into the system and find a flaw, break in, and take your data. And I don’t think that they can guarantee that their software doesn’t have any flaws. If it is, it’s the first time in the history of mankind that we have come up with software that is not flawed. That would be neat, but I’m not going to bet that way. So, looking at the two basic ways that NSA has to get in, one is through the front door and one is through the back door. I’m not sure how they can viably claim to protect you against either. I think all they can claim is that they’re using good cryptography. And we hope they are using it properly, who knows. One of the ways to check, of course, is to lose your key and ask for a backup. They can give you a backup and then all bets are off here. Unfortunately, that’s the best you could do. Schmidt, I’m blanking out his name, the CEO of Google, Eric Schmidt; said at South by Southwest something like,” we’re pretty sure the NSA can’t get into our data streams.” That’s probably the best you can do, we’re pretty sure. Right, except for the ways we are legally obligated, I’m not going to tell you about, except for the ways that we don’t know about; that’s probably a better marketing claim. NSA-proof, I’m less, I don’t know, I don’t trust it.
Denise: Well, it’s certainly a more trustworthy marketing claim, maybe not as an effective one.
Bruce: But the problem with more effective is it’s going to be less accurate, the good market claims are effective; I like ones that are actually truthful.
Denise: That would be a good thing, the law likes that too. Mark, I don’t know if you read through the articles we had in the rundown about this, but there are quite a few products who are using public concern about government’s surveillance to market themselves these days. And I’m wondering if you are watching closely if they go too far?
Mark: Well, I have been watching it and I will say that earlier in my legal career I did a lot of consumer protection, deceptive advertising work, so, I have to say as soon as I hear or read those claims a little bit of an alarm goes off in my head. But with that said, I think, to take a point that Bruce brought earlier. What a lot of these services are claiming to do, they are claiming to avoid the court issue by essentially engineering their systems so that only the user would have possession of the keys to the data. So even though the service may store the information in the cloud, the representation is that the data is encrypted on the client’s side before it’s actually transferred to their servers, their cloud servers.
(Webpage: Mother Jones-article- “The “NSA proof” Cloud Drive: Spy-Thwarting Gadgets Are The Latest Tech””
Mark: So, then in theory if they never take possession of the key they never know the key, they can never be forced to give the key to the government. Of course, I share Bruce’s concern in that it is very dependent on how they engineer the system and obviously I’m not privy to that information. But I would be very hesitant to go all the way out on a limb and saying, “in essay proof, if for no other reason than, it’s sort of is like driving a giant bull’s-eye on your service. Particularly if you are actually successful, then in theory people who actually have a reason to be concerned about the NSA, and who the NSA might actually be interested in surveiliancing, may actually to use this service, which is pretty much a, like I said, putting a bull’s-eye on your service and saying, “ we double dog dare you NSA” , and I’m a little skeptical that most private companies are going to invest in the kind of money and resources necessary to harden a system to be NSA proof.
Bruce: Remember, it’s not just the NSA, it’s going to be the Chinese government does well. So, the people are going to use that system are going to need that system to stay alive. That is the way you have to think about it. Sure there are a lots of system that we use, that we recommend that the dissidents and very dangerous countries use, and they are NSA proof and other organization proof. We do know unfortunately that the NSA is not beyond forcing companies to change their business models and lie about it. So we know that, for example, Skype. Microsoft bought Skype and the US government, the NSA, possibly through the FBI mandated that Microsoft make some changes in how Skype. We don’t know the details to make it more eavesdropping friendly. And then not tell their users and customers. So the problem is that as long as the company inside the US is subject to some very draconian US laws about surveillance and don’t know if we can trust those claims. Now, which countries are better, there are some out there. There are some countries that are worse. If the Chinese products, said NSA proof, we look at it and say yeah, but the Chinese government is going to get it all. In a sense, you have to pick your enemies. When claims are, I don’t know if they’re dangerous, but the political climate is trumping technology at this point. Because of all of these laws requiring access. The technological claims almost can’t be trusted.
Denise: Yeah, it’s an excellent observation. Kyle, I know you focus more on copyright issues as far as communications and data storage at Harvard are concern. But certainly in working with the library system; you are working with a lot of sensitive data that hopefully that people can trust to remain private and I was wondering if you have thought about how that data is being stored and if this is on the radar screen for folks in your kind of the situation?
Kyle: Sure, library records are protected usually in the same manner that other sensitive records are protected. Usually a lot of state laws with, you just can’t come in and sees library records of individuals who have checked out books and access the Internet, in fact, there was a whole host of big orders for libraries and New England where the FBI had come in and basically said, we want to know who use this computer when, what puts they checked out, etc. Typically, it’s must like getting at any other data, it is subject to subpoena or warrant. However, these marketing claims of NSA proof, I believe them to be more gimmicky than actually, it’s like saying there’s a certain amount of pomegranate juice in pomegranate. It’s a FCC, sort of a consumer protection thing. But then again, if it, you are the owner of this data and you’re the only person with the keys. The Fifth Amendment to the United States Constitution protects a person against being incriminated against by his own compelled testimonial communications. So, in my mind I think that there is this double down here. That companies are putting the burden on you to take the fifth in a sense on your data. That being said, the NSA is building a supercomputer supposedly that can have any of these things; library records, terabytes of data held on these I drives or these NSA proof drives so I’m not sure anything is 100% safe. I seem think these billboards are a little bit more gimmicky, commercially oriented, then actually saying they are NSA proof.
Denise: Bruce do you have any insights on the latter point on the NSA being able to break any kind of end to end encryption?
Bruce: They can’t, they can’t it’s a myth. We know that for a lot of the Snowden documents that cryptology still gives them a lot of trouble at this scale. Most of how they break crypto systems is by getting around them, or by stealing keys, by making leveraging default keys, and bad implementation, and software bugs. That breaking the math is not something they can do regularly. Now, they do have advances in math that giant supercomputer is going to be for storage, and analysis. And less for encrypt gnosis. So, crypto is still a great solution. I do have a question for the lawyers on this panel. Do we have definitive case law that revealing and encryption key counts as self-incrimination, because from what I know, as it were, the jury is still out on that question. That hasn’t been decided, certainly in the UK you can be compelled, I don’t think in the US
Kyle: Yes, you can be, I don’t think it’s decided, however, you had that border case in Vermont a few years ago. That I think is Boucher. And in this case it was an ICE agent that had already seen the content of the laptop, but unfortunately they closed the laptop and the PGP, privacy protection took hold and when they try to compel that defendant to give over the password, he resisted, he won at a lower court, but at the middle court they said it’s a foregone conclusion that the government knows that that’s there.
Bruce: So, which means they really didn’t decide on the actual merits of revealing the key and the Fifth Amendment.
Kyle: Absolutely, yes, they are saying that there was no testimonial they. We know it’s there. The contents and the nature of the thing they demanded would not compel testimonial communication. That’s the one that I am aware of. I don’t know if anyone else has another case that is similar.
Mark: I’m not aware of anything more definitive than that. And I would say it’s difficult to project how the Supreme Court or the circuit courts would really rule on that question down the road. So, I would say it’s not definitive in the US, but the thing to say in the United States is there is still an argument as opposed to in the UK. (Laughter)
Denise: Yeah, and we’ve talked about that at different times. On the show, when one of these, I’m asserting the Fifth Amendment outs to a password or encryption key cases comes up, we follow it and talk about it on the show. And the ones that we have followed and discuss have gone both ways. So, I agree there is no definitive answer. And it is certainly asserting the Fifth Amendment is alive and well. But there is no guarantee that it is going to prevail. Let’s move on to the bathroom, shall we? Bruce you pointed to something on your blog that is just pretty darn hilarious. And that is, a company, I love it when company does this, they want to bring attention to what they consider, actually it wasn’t probably a company that more and advocacy group, maybe you can bring me up to speed on that Bruce. But someone came up with a fake company that they “launched “at the ACM conference on human factors in computing and event where research is discuss, the science of how people interact with technology. And this got written up in the Atlantic. The name of the Fow Company was Quantified Toilet, and it took a lot of people in.
(Webpage: The Atlantic, “What a toilet hoax can tell us about the future of surveillance.”)
Denise: This, is about smart toilets out there on the show before have discussed that, having a digital diaper record information for parents about your child’s toileting habits is actually not a false idea, but something that has been floated before. No pun intended there at all.
(Webpage: the New York Times: A Digital Diaper For Tracking Children’s Health.)
Denise: laughter). This quantified toilets idea, was supposed to exist in the Toronto convention center and other civic venues and was supposed to, you know gathered data from what went on in the restroom. And in fact, turned out to be a hoax and designed to draw attention to the fact that, gee, you know, this could actually happen. And people aren’t really responding with outrage or dismay. So Bruce, want to give us some thoughts on this?
Bruce: Yes, sort of interesting; the idea of, the idea is that there is a device that is measuring things about you. The quantified comes from the Quantified Self-Movement. So people that wear Fit bit and other self-devices on their wrists that will measure their movements, and make some medical measurements and gives you a lot it data about yourself. The difference here. Is that this was something being done by a third-party; this was done in a public restroom. Now, that was the idea. And in a sense it is similar to some of the tracking devices in stores. In department stores that track individual customers around and seeing what they are standing near, what they are looking at, what they are consider buying. There is a lot of this data, it is the Internet of things. It is all the sensors. And the idea was this was billed as an art project to make people aware of some of the very, very draconian surveillance possibilities that are here or just around the corner. I do think it is an issue that we have to pay attention to. Whether it is a Fit bit on your wrists or whether it’s something in a store. Who’s collecting that data, what’s being done with it, how’s it being stored?
(Webpage: More in Technology: Quantified Toilets: the accompanying website featured a live stream (ha) of toilet data being collected in real time)
Bruce: How’s it being bought and sold. In a lot of cases we do not know, another company 23 and me, sort of another similar idea. You give them genetic data and they give you back stuff that is sort of halfway between medical information and horoscope. As to what it all means. What else do they do with that data? How are they marketing it? How are they making money? What does that do with your data back to the NSA or other law enforcement or hacker groups, who else can get at that data, and what can they do with it. These are things we need to start thinking. And largely we are not. Google, we’re going to talk about Google later. What are they doing with our data? This is all sort of in this sea of data we are in exuding a as we deliver our life either walking down the street, going to the bathroom and everything in between. And what happens to.
Denise: If I am reading this Atlantic article correctly, I think it was the conference organizers by themselves where they come up with this idea to put one over on its attendees as a thought experiment. And to make the points that we’re discussing here. But as I mentioned, go ahead Bruce.
Bruce: There’s some public venue in the UK did this, but in aggregate. They were able to aggregate data about things like drug use at a rock concert by measuring the outflow, but not individually by person.
Denise: Did people have to consent to that or no?
Bruce: I don’t think so, I think because the aggregators believed that it was anonymous. And aggregate use is anonymous enough, I don’t believe there was consents. The UK uses different rules than we do.
Denise: But I tend to think of the UK and the EU as being a bit more privacy sensitive, maybe not in terms of surveillance in the UK certainly. What this made me think of as I mentioned, is another story that we did on the show a while ago about the digital diaper. About tracking children’s health and something else that cross my radar screen, which was helping children get potty trained by plunking an iPad down in front of them. And what this leads me to consider is,
(Webpage: Amazon.com: CTA Digital 2-in1 iPotty with activity seat for iPad advertisement)
Denise: while adults may or may not be able to make a rational choice about whether you are going to use the convention center’s toilet. If there is a notice, and here there was in this fake scenario. A notice that said something like there was a behavior at this toilet was being recorded for analysis access your live data, you could go and watch the data as it was coming in. But for people growing up today, who are too young to give legally valid consent, although as Bruce mentioned. All of us adults are leaving a whole lot of data that could construct a useful profile of us. I think for the children of the world. It’s an even bigger equation and they don’t have any say over this. And I wanted to get everyone’s take on that, Bruce?
Bruce: It’s sort of interesting to think of the generational differences and what’s going to matter and what isn’t, and there’s a lot of notions of privacy that are changing. Some of them are changing because of a generation who is used to being online, some of it is being changed forcibly by for-profit companies like Facebook, who are changing how people view privacy. I do think that we need to pay attention to how minors are going to have to deal with their data as they are older, whether it is old posts on Zynga or medical information that’s flowing into these databases. Now, I don’t know how we’re going to navigate this, we can’t even navigate this for us, let alone for other people. We are at the point where there is so much, the money and lobbying dollars in collecting and selling the data that we are not seeing useful forms. That do not track clause is a great example, something that went badly as we went to Congress. And there are deep philosophical differences about what is going to happen our stuff, with our data. I had heard of digital diaper, you look at it and is like the digital thermostat. It’s a device that is sitting somewhere in the world, and you can access the data via your phone. And that data is in someone’s database. And it is not clear what the rights are, where my rights end.
(Webpage: Bits: A Digital Diaper for Tracking Children’s Health)
Bruce: and someone else’s begins. We have a very antiquated laws in the US, where basically our privacy is based on proximity; that the stuff that are near us, our homes, our cars, our persons are protected by special laws. Stuff we give to third parties is protected by much less law, the whole third-party doctrine, but now we give our most intimate stuff whether it’s information about our child’s diapers or our personal email to a third-party. And yet it’s our most private stuff.
Denise: Well, to that point. In discussing the idrive, the Mother Jones piece that I put in the rundown and or those of you listening and watching if you want to access all of these things that we have looked at to get ready for the show. Go to delicious.com/this week in law/257 and all the links are there. It talked about personal clouds and how it’s possible to have all the convenience of cloud storage with greater security, then you could get by giving your data to a third party. By doing it yourself.
(Webpage: Mother Jones: The “NSA-proof” cloud Drive: Spy-thwarting gadgets are the latest tech boom)
Denise: Obviously, that sounds like a better solution than giving the data to a third party, but Bruce do you think it’s too big a hurdle for most people?
Bruce: Certainly not a better solution, your email is probably more reliably secure on Google’s hard drive. Then on yours. I know my mother. Her photos are much safer on Flickr, then if she has them herself. The reasons we give our data to third parties are real and they are compelling. We are not just goofing off by doing this; we do it for really good reasons. We like the fact that that we use our computers or our phones we push a button and magically our stuff reappears. There are risks, but by and large, most of us feel a lot more secure with someone else managing our data, doing the backup, making sure that nothing bad happens to it. Because for most people the biggest security risk is not the NSA or the Chinese government or cyber criminals, it’s I lost this stuff and that’s our biggest risk. And putting stuff on the cloud or text against that pretty well.
Denise: Yeah, that’s a pretty good reason and one that I think that the legal industry in general needs to get its arms around. Mark getting back to my point about children and collecting data about them through their parents’ consent. But, obviously, you can’t get a three-year-old’s consent to that sort of thing, is this an issue that the law is ready and able to cope with?
Mark: not at the moment, it’s clearly not, it’s clearly not that would be effectively addressed by existing law. Quite frankly, the existing law is Copa. Which has a number of issues and complications and doesn’t even really fit very well, scenarios like the digital diaper. So, if for no other reason, the entire theory behind Coppola is getting parental consent. And as you mentioned, the one good thing that you can say about a digital diaper; is the two-year-old is not going to buy the wrong digital diaper, not yet. So, it’s going to take some changes in, I think it will take some changes in the law but to be entirely honest, I think it’s going to need to take some changes in culture. I think, as a society we have to make some decisions which I don’t think we’ve done yet about what we really are important, and want to protect and how we want to balance the value of security and protection of our data. Because I agree with Bruce, that for most people the biggest security concern for data is simply losing it. But how do we balance that against the risk of third-parties using that data in ways that individuals can not anticipate and perhaps the biggest challenge there is the fact that it is so incredibly difficult to anticipate how personal information might be used in the future. Even working in this industry, I am frequently surprised by what, what a business wants to use data for and how they may plan to use that in the future, and I think if you’re not a specialist in this field, you would be simply mystified by the rapid changes in the way that businesses are trying to monetize personal information or information related to a person so as to not get to deep into an argument about what constitutes personal information. So, I think even before, I suppose the American tradition is that we will try to legislate things before we reach any real cultural conclusion. But I think in order to resolve any of these issues, I do think that as a society we need to reach some cultural conclusions about how we value privacy as opposed to other needs.
Denise: Yep, and I agree there is nothing worse than ill-fitting diapers. (Laughter.) Kyle, do you have any thoughts before we move on?
Kyle: Just this real fast, I agree with how the data is used. I’m not sure the data about the diapers can be used in the nefarious way. At least I don’t perceive a bit like right now, but as far as protecting children and their data. There is tons of movements both on the state and federal level regarding this. And I don’t think all teens puts everything on Facebook. The intelligence group had a report that came out recently that said, like 20% of them say no I don’t put a lot of my stuff on Facebook. You have the Do Not Track kids legislation that was introduced last term. We may talk about that later. You have California, who is a leader in data privacy or data related legislation talking about specific laws for minors. And you have Copa, which has been renovated several times. So there is attempts to deal with this, but I am not sure that they are effective. But I do think that the regulatory environment is rich, I just don’t know if the FCC is capable of handling it or if the state should be doing.
Denise: Yeah, your point is why I brought this up in the first place. That teenagers that I know are not anxious to have a whole lot of information about them out there and use snapshot and other tools like that for that reason.
Kyle: I think the pendulum is starting to swing maybe in the other direction finally.
Denise: Yeah, I think it is an interesting collision when perhaps for assisting in parenting or childrearing or keeping track of your child or all of the various reasons why it’s good for parents to have data about their children will crash head on at some point; a teenager or young adult desire to be more clandestine. I’m not sure what we’re going to do with all of that and where the law is going to fallout, but we have mentioned do not track a couple of times, and there have been a couple of developments on that; that it’s worth noting on the one hand, there’s finally some progress on do not track and at the W, I always get confused, WC 3, W3C I always get it confused. W3C, is actually what it is. It has finally advanced the TPE, the tracking preference extension specifications to last call status. Now that’s a lot of mumbo-jumbo that apparently means that it’s getting close to some kind of approval. This came out, well the article. I’m reading about it from the Center for Democracy and Technology was written on April 24. Hard on the heels of that on April 30, Yahoo announced, you know how we were some of the first people to say we were going to do; Do not track. We’re not going to do that anymore.
(Webpage: CDT: At Last, Some Progress on Do Not Track. April 24, 2014, Justin Brookman)
Denise: So, I think you can read between the lines and see that the progress that is being made is not fast enough, not effective enough, not enough of an industry-standard, for someone like Yahoo to get behind. Bruce what you make of all this?
Bruce: Well, do not track has always been voluntary. And when you have industries that make their money by tracking you. It’s very hard to say to them-don’t make your money. So, nobody basically pays attention to Do Not Track, nobody who you care about. If you read their privacy policy. It says things like, we do not know what Do Not Track means so we won’t do anything, or at best, they track you, but they don’t show you targeted ads. So instead of Do Not Track, it’s track me in secret. Well, for this to change. There has to be lost and back when the industry thought that only a few percent of people would ever turn that on, they were willing to go with it and it wouldn’t bother them. When it is one third or one quarter, certainly they are looking at their bottom line and saying- this isn’t the law we are going to ignore it; if you don’t like it too bad. A lot of companies aren’t as forthcoming as Yahoo, they just ignore it and don’t tell you. But no one pays attention to Do Not Track unless they are legally mandated to. Because so many people don’t want to be tracked; and tracking is the business model of the Internet. Right, we build systems that survey of people in exchange for services. That’s what we do. So, Do Not Track is not going to work in that regime there needs to be other ways for businesses to operate then surveillance.
Denise: So, Mark think we’re close to having a government mandate some type of a Do Not Track regime be in place?
Mark: At this point, I would say no. I think the one notable thing that might come out of the finalization of the TPE, whenever that really is actually finalized would be that; it is supposed to contain a signaling mechanism that would allow, and I’m not sure what’s required, but allow sites to actually in an automated fashion to a Do Not Track signal. So, for example, if you came to website and you indicated that you do not want to be tracked, that when they received that signal they would actually send an automated response that would either say yes, we will not track you or no this is not a law, as Bruce pointed out, and we are not going to volunteer to undercut our business model. So we’re going to keep tracking, etc. And, it will be interesting to see whether or not, if such a mechanism is implemented in systematic fashion. Whether or not the response rate and I guess a clear indication that-oh, by the way, no matter how much I have turned on my Do Not Track signal pretty much every site that I care about is saying-oh yeah, that was very nice of you, but, we are going to continue tracking. Whether that could create a public backlash might push legislative or regulatory efforts either from Congress or the FTC, but right now I think it’s still in that realm where both regulators and legislators, they’ve just finished fighting over this issue and I think they are going to want to spend some time seeing how Do Not Track plays out in practice. Even though so far it’s not looking like it’s going to be much of a change.
Denise: Kyle you mentioned that last year the Do Not Track kids’ act of 2013 was introduced, that is still pending, right? It’s not a law yet?
Kyle: Right, no, no, I don’t think it’s a law. Along with every other Do Not Track attempt that has been done on the federal level. I think the most recent one was actually, and I only remember his name, John Rockefeller. He was the one that introduced the 2013 version of Do Not Track. But this is the very definition of, it’s policy oriented, do we regulate or do we allow this voluntary, self-regulating to occur for the tracking. So it is do not track kids, do not track consumers, consumer Bill of Rights, which has do not track legislation in it. None of these have made it out of committee ever.
Denise: All right, we will continue to watch that space and I think you all have made great points of their needs to be a better way of signaling that you or some user on your network does not want to be tracked and then have actually having that wish respected. We seem to have a divide between those two things at the moment and there are no solid standard on how to bridge that divide. We are going to have to let Bruce go in a minute here. But Bruce, I thought we’d let you go out by highlighting the interview between John Oliver on his new HBO show, and Keith Alexander, the outgoing head of the NSA. Which also got written up in the Atlantic as the strangest interview yet, with the outgoing head of the NSA. John Oliver, in addition to asking some really weird questions, asked some very hard-hitting ones and there was actually some journalism going on in that interview, wouldn’t you say?
Bruce: Yeah, and it’s again another, only comedians can do real journalism anymore, and we see it again and again, so weird and unfortunate.
(Webpage: the Atlantic: The Strangest Interview Yet With The Outgoing Head Of The NSA; appearing on John Oliver show, Keith Alexander showed slipperiness.)
Bruce: The interview actually is worth watching. Oliver asks some really good questions, I think he gave the best explanation of inadvertent collection that I have heard, he did it all in the space of about four seconds and Alexander did do a lot of dodging. Unfortunately, Oliver didn’t follow up on a lot of things, but you could definitely see Alexander’s media training in the way he would acknowledge a question and then shift the answer to something else and do that again and again. So it was kind of neat to see that. But yes, it was some of the best questions asked of Alexander that I’ve ever heard, including being asked in congressional hearings and unfortunately also some really bizarre weird questions. I guess you’re actually going to play some of it, which is good.
(Video of: John Oliver interviewing Keith Alexander)
John Oliver: Do you think the NSA is suffering from a perception problem with the American people at the moment, bearing in mind that the answer to that is yes?
Keith Alexander: Absolutely, you know, the first assumption is that you are collecting on American people and therein lies the problem, because the reality is the target is not the American people.
John Oliver: No, the target is not the American people, but it seems that too often you miss the target and hit the American person standing next to him going, “whoa, whoa, him”
Keith Alexander: Well, you see, we’re not just out there gathering US communications, listening to their phone calls or collecting their emails, but that’s the first thing that people jump to.
John Oliver: But you are out there doing that. You’re just saying you’re not then reading them, you are gathering them.
Keith Alexander: No. So In terms of going after US infrastructure or sitting here in the United States, you know, talking to A and B talking in the United States. We aren’t collecting that, we don’t collect that, and we do collect the metadata: a to-from number, date-time group and, duration of a call. That’s all that’s in there.
John Oliver: But that’s not nothing.
Keith Alexander: No.
John Oliver: That’s significant information otherwise you wouldn’t want it. Is this the argument then, to get the needle you need the haystack?
Keith Alexander: Well, that’s part of the argument.
John Oliver: Right, The people’s concerns, I think are that you are not just taking the haystack, but the whole farm, and the county, and the state and also you’ve got some folks with the farmer’s wife in the shower as well.
(Laughter, Denise)
Keith Alexander: The NSA is not allowed to go do that on its own, it has oversight. It’s with the courts, Congress and the administration to say, if you are going to do this. . .
Denise: There sits media training kicking in, right there.
John Oliver: So, the question I think the American people really have to ask is; are we doing the right things to protect the nation and our civil liberties and privacy.
Bruce: Oliver got it correct, that is what we need to talk about. Are we doing the right things? And in a sense, Oliver has a point that he is following what the president, Bush and then, what Congress and the court has told them, he has been very aggressive about increasing that authority, but fundamentally, it is not his job to say that we are not going to do this. It is Congress’s job to say, you shouldn’t do this, but are you doing the right things. And unfortunately, this goes back to TSA as long as we are scared, we’re unlikely to say “back off.” When we can view what we are doing at airports and what the NSA is doing with the same horror and amazement as,” What do you mean you interned all the Japanese in World War II, or that McCarthyism wasn’t a joke?” We have to actually look back at this time like we looked back at those times, then there will be reform. But his point is right there, I think, is a valid one. He’s just following orders and he’s doing it aggressively like you’d expect him to do.
Denise: Well, of course we could go on for another hour. And have a discussion on the oversight and how we go on addressing the fact that the surveillance in the country might be something that we look back on in several decades with shock and dismay, or are looking at that now, but have so appreciated you being able to spend an hour with us already, Bruce and we know your time is valuable and we’re going to let you go off and continue writing, and analyzing, and helping keep us informed about all these issues. So, thank you so much for joining us. Is there anything you want to let people know about coming up with you that they should pay attention to?
Bruce: I don’t know, I just keep writing and speaking and doing my stuff, so nothing important coming in the next, soon, but there is always stuff.
(Webpage, blog: Schneier on security: analysis of the FBI’s failure to stop the Boston Marathon bombings)
Bruce: and, I see my blog. You should definitely. You should have me back. This was fun!
Denise: Yeah. Definitely, we’d love to have you back. Thank you so much for joining us today and we are going to soldier on. We hope to talk to you again soon. And this might be a good time for anyone out there whose feeling a little hungry to think about a snack break.
(Advertisement: Nature Box-wholesome, delicious snacks delivered to your door. Awesome snacks delivered: 50% off your first box, use code: TWIT, Nature Box)
Denise: and if you’re going to think about a snack break. Of course you’re going to want to think about nature box.com. Of course, it’s easy to talk about eating right, but when you’re starving. It’s 3 PM, all cranky and lightheaded, that evil vending machine can seem like your only friend. You don’t need to give into it though. You can keep. I am looking great and feeling great and head on over to nature box.com/twit. When you do that, you’re going to click on the continue button to choose between three subscription options. Then you can place an order. So, what you’re going to choose between either savory or sweet and spicy is one of the options as well. And I been sampling these, our whole family has we can keep them in the house. They are just too yummy they go too fast. So, you’re going to need to stay on this. You know what snacks you liked in your monthly box and then when it comes, I don’t know, a little word to the wise here. I like to take the good ones and put them away for a little while until I’m good and hungry so I know that they’re going to be there in the pantry. And maybe a little too high for my 10-year-old to have gone in and snagged before I could get to them. You can select your dietary needs. They have a vegan option, soy free, gluten conscious, lactose-free, nut free and non-GMO. You can also do the tastes as I mentioned: savory, sweet or spice. They send great tasting snacks right to your door with free shipping anywhere in the US. They are healthy, satisfying snacks like barbecue kettle kernels, French toast granola, I haven’t tried that one yet, that sounds amazing, and over 100 more. All with zero trans-fat, zero high fructose corn syrup and nothing artificial. It’s the snack happy gift that keeps on giving. You can order Nature Box for a three, six, or 12 months subscription. Order it for yourself, order for a family member, order for friends who you know needs to be paying attention to healthy snacks. Swimsuit weather is almost here. Time to snack smarter! Forget the vending machine and get in shape with healthy delicious treats like honey mesquite almonds. Remember to get 50% off your first box to go naturebox.com/twit. Stay full, stay strong – go to naturebox/twit and we thank Nature Box for their support of This Week in Law. All right guys, let’s see. We were talking about John Oliver. I don’t know if I got everyone else’s take yet. Let’s start with you Mark. Was this an eye opener for you? I know that just from the fact of the little bit that we watched there that John Oliver was not letting him get off the hook by giving platitudes as answers.
Mark: I suppose it was maybe not eye opening but it was interesting in that initially that General Alexander agreed to do John Oliver’s show because…
Denise: Nothing surprises me after the President of the United States sat between 2 ferns. All bets are off at that point.
Mark: That is true. Not to slander General Alexander but he’s never struck me as being as good an improver as the President. It felt a little bit like a trap to me. Not that there was any mystery to what John Oliver was going to do and that’s why I watch the show. I guess I have to agree in large part with Bruce in that eventually General Alexander did get to what I think is the key point which is he is generally following his mission and while I know the jury is still out on the legality of a lot of the things they say he was doing; my interpretation is that quite a bit of it probably was legal. It’s maybe more important for us as a society to start thinking about “do we want to be empowering intelligence agencies, to be this aggressive or have the capability to be that aggressive in surveilling American citizens”; because I think to a certain degree we have given the NSA that power and that may have been a mistake and one that we should probably try to step back from.
Denise: Do you think that we will have to congressionally step back from it or do you think that any of these cases that are pending challenging the laws that make this kind of surveillance legal on constitutional grounds; do you think that they have a chance?
Mark: I think they have a chance. They obviously question a first impression in almost every case so it is a little difficult to predict how things will play out and ultimately I think these are issues that are going to have to be decided by the Supreme Court. Some of the justices are already – they’re not signaling how they’re going to vote but I do think they’re starting to signal their sympathies in that I think Justice Galea would very much like to never hear any of these cases. Not that he would be a rubber stamp to the government but he’s already expressed some concern that he doesn’t feel that it’s the court’s role to get into these issues. So my instinct is that a legislative solution is probably the best approach or best course for reigning in this kind of authority. I think it’s going to be very hard for the courts to really reign in all of the surveillance programs. If it’s left to the court there’ll always be a little bit of wiggle room for agencies like the NSA to test the boundaries. I think unfortunately the political reality is that the NSA – I think most of the motivations for the NSA will always be to push the boundaries because no one is ever going to give the NSA a medal for protecting the liberties of Americans but they will be held accountable for a any terrorist attack, so there is very little incentive for the NSA to be activist in protecting civil liberties and privacy.
Denise: That’s an excellent point. Kyle do you have anything else before we move on?
Kyle: Just that the NSA was doing the legal stuff. There was a decision by the head of the Phiza court – the court that hears all these things and the judge basically said that they were misbehaving or misrepresenting information and additionally in the John Oliver there was a number of NSA employee’s that were using the powers that they had abusively to look up girlfriends, tax records, ex-husbands, ex-wives. So there is illegal activity going on. I would be surprised however if the legislature undid the Phiza Courts structure because that seems to be the go to for the government when they’re saying no, no, there is absolutely oversight. It’s in the form of a court room ruling. However that 2011 ruling said well you’ve failed in this regard so what liability does that open up for these other cases that has been referred to the Dept. of Justice regarding the abuses of the NSA privileges? That’s an open question by the way.
Denise: Yes and I think it’s going to remain one. We’ll have to stay tuned on that. Let’s do one more story in sort of this privacy and maybe moving on to the legislation and regulation and policy arena. We’re sort of going there mechanically anyway. Mark since you’re our expert in that area is there something in particular that is still in the run down that we haven’t gotten to that you really wanted to discuss today?
Mark: Actually I think we hit the most interesting topics or the most notable topics so far. So unless there is something in particular that you or Kyle wanted to discuss then I am happy to move on to other topics.
Denise: I guess I did want to touch on warrants for just a moment so why don’t we – that is one of our policy topics so why don’t we go there next. We had a couple of cases argued in the Supreme Court, no decisions yet but argument was this week on warrant-less cell phone searches and I wondered if you had any takeaways for us on those cases Mark.
Mark: I suppose I guess I would say that I didn’t notice anything that I would necessarily consider a surprise and I think that the courts are still struggling with the idea of how to handle – what’s the best way to put this politely; how to handle technology that they, that the law had not really anticipated. I still think that that core – the cases tend to boil down to trying to find their way through to beat those types of issues. I’m hard pressed to find a real meaningful pattern out of the law so far. I don’t necessarily think that has changed recently so I suppose that’s been a bit of a frustration lately on my part because I would love to be able to find a pattern that would make advising clients a lot easier. Right now I suppose that tends to be my initial reaction; every time one of these cases comes out it’s like oh wonderful, another but – I tell my client but if you do this and if you do that…
Denise: Right, so the 2 cases for people who haven’t been following them, 1 is called Riley versus California. It involved a guy who was stopped for having expired license plates and there were guns in the car and they searched his phone and found photos and videos that seemed to connect him with gang activity. So the question is could they do that without a warrant. Then in US versus Ware a man was arrested for dealing drugs and then his phone kept ringing with a call from quote unquote “my house”, then the police went onto the alleged dealers phone to get the number that was calling him, tracked that to a house that seemed to belong to him and then after getting a warrant went in to find drugs, cash and a gun. So they searched his phone in order to find this house. The good news is it seems the justices in hearing these cases are at least getting the distinction that a phone seems to have or perhaps intuitively should seem to have more privacy value than your twitter feed or what you’re putting on Facebook. The expectations of privacy in those cases are different. Kyle anything on this before we move into more copyright related issues?
Kyle: We covered this in my cyber law class pretty closely because we knew the cases were coming up this year. Additionally 1 of them happened here in south Boston so there was even more regional interest there. I would like to point out that there are people in the world that carry 2 things. This is my Samsung Galaxy; this is my old fashioned phone which is untraceable. There was some discussion in the course that if you have 2 cell phones it means there must be drug activity. Some people were very curious about that but the idea is that these cases may expand an important exception to this which is the scope of search is incident to arrest. That’s really important and I think the difference between my 2 phones will be the difference in these cases perhaps; because the smart phone that I have does have what some of the justices says is my entire life. Whereas in the US 1st circuit case, the 1 that happened here in south Boston it was an old fashioned phone that was actively receiving calls at the time period that was incidental to the arrest. I think the justices have to find a middle ground that doesn’t make it a narrow exception for the police to determine at this time what level of technology is this. What app is this? There was a lot of discussion of making an exception for particular apps that share certain amounts of technology but that’s not going to work in these environments where you have these searches incident to an arrest. I’m hoping that what I heard when I listened to the arguments was that both ends of the court will come to some middle ground but it will be difficult.
Mark: Kyle if it makes you feel any better I also have an old dumb phone and a smart phone.
Kyle: It does make me feel better.
Denise: Wow, why? Is it for security and privacy purposes?
Kyle: This phone is old, it has all my contacts on it and I know I don’t have to worry about downloading an app that accidently shares all my information with everyone. This is a privacy phone. The tab I use more for work and email but I know that anything I share on there with any 3rd party apps is not mine. I don’t assume any privacy with the Galaxy.
Denise: Isn’t that fascinating.
Kyle: I’m strange.
Denise: No Mark is in the same boat. Is it for the same reason Mark?
Mark: Pretty similar reasons, I do like the dumbness of my dumb phone although it is traceable on some levels but not nearly as much as my smart phone. To be entirely honest with you I still actually just prefer talking on traditional clamshell phones. The smart phones to me are still in that fuzzy middle ground between real tablets with real screen real estate and a phone that is easy to put anywhere. So I find them more useful for things like email and not necessarily for talking.
Denise: Harvard law professor and info sec lawyer are both using clam shell phones for privacy reasons at least in part. That says something.
Mark: There may be a Harvard connection there. I went to the law school.
Denise: There we go.
Mark: It’s a Cambridge connection.
Denise: Cambridge and Clamshells. I was just going to highlight the fact again over at the center for democracy and technology they are monitoring the fact that there is a white house petition that’s pending and has gotten over 100 thousand signatures about warrantless surveillance as opposed to warrantless search. It still hasn’t gotten the white house response yet. They actually have a clock running – Days the white house has remained silent on warrantless seizures. Then there is the site “notwithoutawarrant.com. So if these are issues that are near and dear to your heart that might be something to go check out. In the meantime let’s move on to some copyright issues. Let’s talk about E-books Kyle and the fact that Boo Radley is now digital. To Kill a Mockingbird is finally an e-book but there are lots of books that aren’t. Can you kind of give us the lay of the land there?
Kyle: Sure, so believe it or not I’m kind of against the current e-book model; speaking on my library side. Traditionally libraries buy books, put them on the shelves and make them available to the public. It’s really important in communities where they can’t afford electronics or internet access this is the place they go for information. The e-book world has developed a model that they learned from the software industry in the 80’s and 90’s that is “don’t sell your product so that it’s subject to an actual sale. Because if it is subject to an actual sale the first sale doctrine which we saw litigated in Kurtzang last year in the Supreme Court says that once I buy a book I can sell it to somebody else, I can give it away, I can loan it. This is how libraries exist, but what they’re doing with eBooks now is they are licensing or leasing it to us. So you and I buy an Amazon book, we store it on our tablet and we don’t actually own that book. In fact the license says they can come in and take it away from us any time they want. It much like that I don’t own a copy of Microsoft Word on my laptop, it is licensed to me. This impacts libraries greatly because we want to be able to provide users with books and we want to enter the digital arena but we are subject to these licenses which basically take away our ability to develop collections because we have to pay onerous prices for access to these eBooks. These eBook contracts including the one for To kill a Mockingbird which Harper Lee eventually gave over to – the intent here she said I’m still old fashioned and I love dusty old books and libraries – her actually signing this over into an eBook actually hurts the very library she tends to protect or love. This is all part of something called the secondary market –eBay, used book stores, used record stores etc. exist because of this first sale doctrine which is very much tied to traditional out of print media. What I’d like to see if eBook sales that are not licensed but are actually sold. That way libraries continue their mission of providing information and access to literature, to fiction and non-fiction, to their communities. That was a lot.
Denise: It is a lot and it’s a really good point and I’m going to refrain from making any comments about clamshell phones in connection with this. I think it’s an excellent point and that you end on the point that perhaps we need to rethink the way that eBooks are sold and actually enable that actual sales of eBooks. From my standpoint that doesn’t seem like that’s something we can really look forward to in the future. I don’t see a trend in that direction. Do you?
Kyle: There are attempts going on right now and I know Digital Public Library of America and other large consortia groups that are library oriented are thinking of should we have a national eBook library platform where there is ownership of these works and we can collect and maintain. Digital preservation is as important as print preservation and that we maintain this cultural institution which libraries are in many ways. We’re preserving the culture that exists on a time period; their idea of libraries as the holders of forever. The intent here is to maybe do this. Some places are doing it by specifically developing their own eBook content, their own eBook platform and not signing away the rights to a large conglomerate Amazon like eBook Company. Why not write the publishers and authors and get permission yourself and be able to loan eBooks, be able to collect eBooks. If 100 years from now somebody wants to see an edition that was only available in eBook the library will be able to have kept it because they have bought it. So there is a mission. Now the publishers don’t want this. If fact they price books 10-20 to 300% higher than what average consumers - a book that costs you and I $9.99 to download on Amazon will cost a library upwards of 180-250 dollars because they are afraid and they are afraid of something that is not happening in libraries piracy. We’re information professionals, we follow the law, and we’re making collections available to our communities. We’re not contributing to the piracy problem.
Denise: Is part of the rationale just that the 1 copy at a library will be read by so many more people even if it is not pirated?
Kyle: There is that element to it. Harper Collins famously introduced into their eBook policy that you have to repay for the book, the eBook, every 26 times meaning it was mimicking the life cycle of a book. 26 checkouts and you have to pay for the whole book again. The library community was up at arms about this because we have books at our library that have been lent hundreds of thousands of times and are still in perfect shape so the idea that it’s 26 times and you have to pay again is mimicking the life cycle of a book is insane. It’s kind of a methodology of business practice to drive out the middle man who they perceive of as us – libraries.
Denise: It sounds to me like this is something the authors should be paying attention to and if it is important to you as an author to make sure those libraries are able to have a digital collection of your works. This is something you’re going to want to negotiate with your publisher.
Kyle: Absolutely but as we know publisher contracts are not really the most flexible form of contracts. What has to happen is that the more popular authors, the breadwinners have to consider this when they’re looking at these publishing contracts which can contracts as old as the library system's themselves. So Harper Lee agreed to this I was thinking oh my goodness wouldn’t it be great if she said no they’re going to actually buy the book and own it on their Kindle. That would be in an incredible kind of move. As this article points out there is a number of other great books out there that are not available right now on e-books but will be available in your local library. Let's try and build the collection of these. These are important books in our society so it’s the idea that maybe we could allow libraries to own these and preserve them for the future in that digital content capacity.
Denise: Somewhat along these lines equally important to our society and culture is to have not just a print but a digital record of the political thought and philosophy that has given rise to our current political climate. Tell us how someone could possibly claim a copyright on the writings of Carl Marx at this point.
Kyle: Copyright law is such a headache sometimes. So in this case the Carl Marx – the Marxist internet archive which had hosted free versions of the writings – the problem was that they are under copyright because they are translated works. Translation triggers a new – in some legal regimes, a new copyright. The irony in all of this is that – and I’m not a studied Marxist but I have a feeling that he would reject this assertion over his works not being free to the world.
Denise: One would think!
Kyle: Yes, and it happened on May Day I think was double down for the folks that are the Marxists in this world and the idea that this is being done for the exact reason – kind of the Harper Lee argument I had – that they want to take it off line so that they can digitize it and then sell it to libraries. They would be unable to sell it to libraries digitally if there was a free version already online.
Denise: Yes that is a tragedy. Is there a solution to this? This is just going to happen – the free versions are down now and maybe there will be a pay version available at some point in the future?
Kyle: Yes from what I’ve read and I’ve looked at a couple blogs about this because it was a shocker – is that it’s down for now, there is a petition being formed to try and reverse this or at least maybe offer some version of it – maybe it doesn’t have as many scholarly notes or that is somehow… every time it gets translated or people add 3rd party content to it there is a potential for it to be re-copyrighted. This is what they did with Shakespeare in England; I retranslated the original into my new version of this play so I’m going to claim copyright over it yet again. This happens internationally more than it does domestically in the United States but it’s because there’s more translations in Europe where there are more countries speaking different languages that are on top of each other. I don’t see this coming back online unless the good will of the petitioners and other people point out to this publisher the massive irony in taking down these works.
Denise: One would hope that’s not lost on them! Let’s move on to a final story today and it moves us into the world of entertainment. Alright, we’ve kind of come full circle back to privacy considerations here. Hulu has been under fire for some time about the information it was sharing about subscribers with Facebook. Kyle, can you bring us up to speed on the latest there?
Kyle: There’s a law called the video privacy protection act which basically says you’re not allowed to tell people what videos individuals are renting. We’ll talk about how that act origins came about in maybe just a moment but the idea is that Hulu is doing that in a particular way that this California Federal Judge did not like. Now Hulu does privatize the data somehow but unique identifiers that they share with Facebook – so it says hey I’m watching this movie – the idea that even those unique identifiers may trigger enough for someone to reverse engineer in a way the name of the individual or they’d be sharing this information without permission. The judge found that it was at least a good enough claim to go forward. It’s not that they are necessarily guilty but it’s the idea that these identifiers are not secret enough. I’m having trouble understanding the decision but there is disclosure enough that it may violate the VPPA.
Denise: Tell us a bit about that law. Again this is a law that was enacted some time ago and it’s sort of not a perfect fit. A lot like an ill-fitting diaper to put something like Hulu into it. So can you give us some context there?
Kyle: For those that are watching there used to be something called video stores and these were places you went into and you could – if you remember as far back as I do – 1 side was VHS, the other side was Betamax and you could rent movies there. When I explained this to my students who have no idea what Blockbuster is anymore or what a video store is I like to say; 1 time Netflix had a store. So what happened was there was a video shop called Potomac Video that was in Washington DC and this was during the 1987 Robert Bork nomination which had a whole bunch of political components to it. There was a reporter that went into the video shop where he knew Bork took out videos and said could I look at his video rental records just for curiosity’s sake? The person that was there said well absolutely because there was no law at the time preventing you from sharing that type of information. There wasn’t anything too nefarious in there but you can imagine that the people in DC that were renting from various video stores in that area that were tied to government somehow might have freaked out about that. Also for those of you that don’t remember video stores there was also a back room in these video stores that you had to be 18 and up to go into and see these videos. These would also be recorded in the video log. I think a lot of people were afraid that peeking at these records would violate some sort of privacy you have about your movie watching and your viewing habits. So they passed the VPPA in 1998 which is by the way very quick for congress. This is the 80’s when things got done quickly especially if it was going to impact a potential nominee by the President of the United States. Move that VHS up into the modern era – we have Netflix, we have Hulu, we have all this “I’m sharing what I’m watching” online and it actually forced in 2008 for the law to be amended to include these social networking sights that were sharing information about what their users were watching. Now it wasn’t VHS videos, it was streaming movies but it had the same effect. The irony of it is that this same store – and I can’t believe it was still open – just closed this week. After 33 years there was still a video store in DC – amazing!
Denise: That is stunning, but then you guys are using clamshell phones so I’m just not going to be stunned by anything.
Kyle: I haven’t rented a video from Blockbuster in almost 3 years.
Denise: For someone who has forked over back in the day so many late fees to that particular entity it just warms my heart in a very Freudian way that your students have just never even heard of Blockbuster. Mark any thoughts on Hulu and online video providers and their sharing of data with Google, Facebook, others who are trying to create the most complete data profile of you as possible?
Mark: A couple of points. 1 I actually went to the going out of business sale at Potomac about a week and a half ago.
Kyle: Oh that’s great!
Mark: Actually it was pretty much for nostalgia purposes. It was awesome to walk into a video store again to see the concept again. For this case I’ve actually done a fair amount of work on the VPPA over the last couple of years. I think it was sort of this stealth privacy law that caught a couple of internet companies completely by surprise. Related to the issue or sort of the question at issue in the Hulu case I think a good precedent to note that a few years ago Netflix as an experiment released a set of records – their customer records which they had anonymized or they believed they had anonymized to researchers for the purpose of doing social science research etc. It was very quickly discovered that despite Netflix attempts to anonymize the data researchers could identify the vast majority – not 100% but the vast majority of the users and their video selections. That was actually the event or one of the events that brought the VPPA act back to life so to speak with regard to the internet and is largely at the core of the decision here with Hulu. Basically what the court concluded was that anonymization is more a matter of context than an absolute. Particularly if you’re retaining any ability to keep or maintain a record that is unique to an individual it because mathematically very difficult to make it very hard to re-identify that individual. So having a unique ID for an individual account or an individual Hulu account – they may match an individual Facebook account – makes it really difficult statically speaking to really make information anonymous. Basically the court concluded that we can’t simply say that because we removed the name, the phone number, the address, and the traditional identifiers that one can assume that that information is now anonymous because it’s become actually quite easy… I don’t want to say easy but it’s quite possible for a qualified statistician to re-identify a great deal of information that may have been in a laymen sense rendered anonymous. I think it’s an important precedent really for privacy law in general because there isn’t a lot of guidance on what constitutes anonymization in privacy law outside of the HIPPA context which covers health information. There’s a very specific set of rules for health information but for just traditional internet click stream information or records of your video watching habits, there’s very little guidance out there of what constitutes meaningful anonymization and I think it’s going to be important to watch how this case progresses once they get into fact finding and to really see how much – can the plaintiff’s actually prove that is would have been relatively easy to re-identify that information and if so I think that could set a really important precedent for a number of industries, not just those in the streaming video business.
Denise: I thought it was really interesting and I don’t know if you guys caught it during our quantified toilet discussion but Bruce seemed to be expressing the opinion there that at least for good enough purposes it might be possible to anonymize data and I certainly have heard a lot of skepticism on that front. We’ll have to see what the court here makes of all of the conflicting views around that. What were you going to say Kyle?
Kyle: I think it’s also a subject of the area that it’s from so this is a California Federal District Court and California as I said is keenly aware of data protections. They’ve been ahead in this area with notice of data breech laws. They have very specific definitions of what is personally identifiable information or PII. Even though I think she gave too much weight to this – you’d have to get a statistician get in there and this and that – I think it’s a subject of the area of the country that this is coming from and the judges there are very aware of how you can reconstruct things into PII based on the statutes that they have at both the state and federal level. That may be a little bit of it.
Denise: Yes, I live in California and I can tell you people just anecdotally do discuss and are concerned with the issues and so I’m not surprised that lawmakers and judges here are. Let’s move on to our tip and resources of the week. Our tip of the week is a funny one. I forget exactly who it was that tweeted this my way. It has to do with witness preparation and how much might be too much. I guess this has been around for a while but an article just came out in the New York Times and it’s an excerpt from a deposition transcript. It was a deposition in Ohio that involved the definition of a photo copier. I’m not sure why having someone admit there was a photo copy machine in their office was clearly a critical importance to this case but the witness had been very, very, well coached on this issue perhaps to an extreme. So the tip I guess I’m trying to glean from this is “Coach your witnesses well but don’t make them look ridiculous. What they did here was there was no actual video from the deposition so these are actors. So let’s play the video. You should watch the whole thing. It’s hysterical. The guy is just so well coached. He is answering each question very literally but I don’t know – we’ve got 2 very smart lawyers on here with me. Do you think the poor guy is too well coached on here and that when you’re this literal in your answers you’re just making yourself look like a putz? What do you think Kyle?
Kyle: They have this great thing where he keeps looking over at the lawyer. I’ve seen that at depositions where he’s like ok say you don’t know or you don’t recall or please help me define this. He’s clearly over coached but the last 2 seconds of that is the surprise at the end - the actual use of the word which is the best. He was really making him literally – imagine this case which settled and did not go to trial – imagine if they were going to go head to head on just the definition of that word, how bad this case was going to be afterwards. That’s what I was thinking.
Denise: Any thoughts, Mark?
Mark: I have to say that as over coached as that witness was I have had occasions in my career where I think that would have been preferable.
Denise: See, I think you’re right.
Mark: It’s a very tight line and I don’ t know if you’ve ever seen the video of – very old – they used to show this CEO that would barge in to deposition prep and basically say I know how to talk to anybody and would totally ignore all of their attorneys advice about deposition prep. It’s so hard to find the middle ground between those 2 types of witnesses.
Denise: You do want to try and strike that middle ground and I guess that would be our tip of the week for anyone who might find themselves in the position of having to be a witness and any lawyer who is trying to coach a credible witness. We have a couple of resources for you. The first one is a cool newsletter that folks who tune in regularly to the show will enjoy. It’s by EFF’s Parker Higgins who has been on with us before and hopefully will be again and Sarah Jeong, who I think is a Harvard Law student. Do you know Sarah?
Kyle: I do know Sarah. In fact Sarah has written for our fair use blog and Sarah is a graduating 3L.
Denise: Excellent. They are writing this awesome little newsletter called 5 Useful Articles, 5UA for short that comes nicely to your email inbox and they have all kinds of good insight about the kinds of things we’ve been talking about today. I think both of them it sounds like attended the Aereo argument and were giving their thoughts and impressions on that. I think I found this in your twitter stream Kyle and do you have any other thoughts to add?
Kyle: Sarah and Parker are 2 of the best writers about breaking stuff down both in a humorous and serious manner in this thing. It comes to your inbox weekly; it is insightful and has some of the best description. They were at the Aereo arguments and they typed it as Aereo Thereeo because they were there. It was brilliant and actually Sarah’s analysis of the levels of technology of each justice is profoundly brilliant. So I would check that out and subscribe to that newsletter. It is fantastic.
Denise: Good. Then Mark over at the infolawgroup.com site has some great advice if you are a company who would like to avoid having a debacle occur like the Target data breech. The take away I got from your article there Mark is to have a completely walled off sub-network where you’re going to keep sensitive data and you even suggest that the system admins have completely separate access to that sub-network than they would to any other part of the network. Do you want to expand on that for us?
Mark: The basic idea is in my experience I’ve worked with a lot of companies where segmenting their networks has been a bit of a life saver for security purposes. Because a lot of companies struggle with security because they approach it as something they have to do for their entire network in order to protect certain particularly sensitive types of data. They can make their lives tremendously easier by simply identifying where the important information is; where does it actually need to go and keep it in those places. Keep it in those areas and segment your network accordingly because quite often what you’ll find is that most of the people in your company simply do not need access to all the payment card information even when you’re a retailer there are very few people in your company who really need to have access to the systems that handle payment cards. If you can successfully segment your network you not only make it a lot harder for people to break in because you’ve added another layer of defense to protect yourself but you can also moderate your regulatory requirements by making sure that all of your PCI which is the payment card industry security standard. Requirements only have to be met by the segment of your network that handles and accesses payment card data and you don’t have to worry about making the system used by your sales people PCI compliant because frankly they should never see payment card information in the first place.
Denise: I think it’s really great. You talk about having an information security strategy and I think it’s a great way to think about things for businesses that – of course you want your entire network to be secure but there is some information that it’s far worse if it gets out than – yes you’re going to have some upset employees if their emails get read but you’re going to have far more problems if your entire PCI data base as you mentioned is out there in the wild. So having different layers, having strong security in one place and super strong as you talk about DMC’s – demilitarize and MC’s – Militarize them – making sure that the really important stuff is really tightly locked down. I think it’s great advice for any company and a great way to look at it. You can check out more about this at the information law group site. Guys I’ve had so much fun on this show today. I really can’t thank you enough for joining me. I’ve really learned a lot and I hope people who’ve been listening have and it’s been an interesting and engaging discussion. Before I go to you guys to say goodbye I’m remember even without Sue the writer in chat reminding me to do it that we need a 2nd MCLE passphrase for the show in order to help out those people who are showing their oversight folks that they did in fact watch or listen and that 2nd phrase is going to be the back room. So now we’ve got our phrases in. I can thank once again Mark Paulding from the Info law group for joining us today. Mark so great of you to come in; we miss Evan of course but it’s been wonderful getting to know you.
Mark: Thank you very much. It’s been a pleasure.
Denise: Tell us if there’s anything coming up or anything that you want to plug that people should be aware of?
Mark: Nothing immediate, there may be some blogging in my near future but that’s going to require me to fit that into my schedule. You’ll probably see some more blogging activity from me next week; fun security stuff for those who find security fun.
Denise: I am all for intermittent blogging when there’s great substance to do it. So keep plugging away at it and we’ll keep looking at your blog on the information law group site and keep up with what you’re keeping up with there. Kyle Courtney from Harvard, what a pleasure your students must have in your classes. You’re so engaging and eloquent and understand these issues so well. Of course it is Harvard University so one would expect little else but we’re so glad that you could join us today.
Kyle: Happy to be here. Thanks so much for inviting me. It was a lot of fun.
Denise: Aside from paying attention to you making sure that digital works have adequate representation and availability in libraries what else should people be paying attention to and is there anything either in the library system at Harvard or elsewhere that you think people need to know about?
Kyle: I always kind of make a plug for something called Digital Public Library of America DPLA which is making an attempt to combine all the libraries, archives, special collections around the US to create a cultural of our works, history, photos, and our books. So I would say check that out, it’s very interesting and a lot of the leadership in that feel the same way I do about libraries and preserving our heritage here and doing it in a consumer friendly and citizen accessible way. Thank you.
Denise: We will definitely check that out and I will put it in our discussion points for this episode of the show so that it’s there with everything else we talked about today. Thanks again to Bruce for taking time out of his day to join us and to help us better understand all the privacy and information security issues that we discussed with him. We do the show every Friday at 11 AM pacific time, 1800 UTC on the Twit Network. That’s when we record live and you can join us live which is always fun but you can always join us on your own time too. If that time slot doesn’t work for you head on over to Twit.tv/twil, our archive is there. If YouTube works out better for you go to youtube.com/thisweekinlaw, if you’ve got a Roku box we’ve got our very own channel there that makes it very convenient and we’ve got some other places that aside from just watching the show you can reach out and communicate with us. Evan Brown is usually here and you can email him at evan@twit.tv. I’m denise@twit.tv. He’s internetcases on Twitter, I’m dhowelloverthere. We also have Facebook and Google plus pages for the show where you can get in touch with us. Let us know what you thought, any questions or anecdotes that came to mind after you listened to the great people that we have on the show explaining and giving insight about interesting and difficult issues. We’d love to hear suggestions from you about what we should discuss, suggestions about guests and suggestions about anything at all. So get in touch with us, we love to hear from you, actually we could not do this show without the great participation that we get from our audience. Thank you so much for that. Thanks again to our wonderful guests, thanks so much to our wonderful Victor on the board in the studio and we will see you next on This Week in Law! Take care!