The Laboratorium
June 2012

This is an archive page. What you are looking at was posted sometime between 2000 and 2014. For more recent material, see the main blog at

Three Theories of Copyright in Ratings

It’s my pleasure to announce (slightly belatedly) my most recent paper, Three Theories of Copyright in Ratings. It’s a slightly subversive look at what ratings are, through the unlikely lens of copyright law. Consider it a sidelong way of gaining more insight into the nature of search results by stepping back and asking how law treats other kinds of ratings and rankings. It also, I hope, tells us a bit about how copyright sees the world. Here’s the abstract:

Are ratings copyrightable? The answer depends on what ratings are. As a history of copyright in ratings shows, some courts treat them as unoriginal facts, some treat them as creative opinions, and some treat them as troubling self-fulfilling prophecies. The push and pull among these three theories explains why ratings are such a difficult boundary case for copyright, both doctrinally and theoretically. The fact-opinion tension creates a perverse incentive for raters: the less useful a rating, the more copyrightable it looks. Self-fulfilling ratings are the most troubling of all: copyright’s usual balance between incentives and access becomes indeterminate when ratings shape reality, rather than vice versa. All three theories are necessary for a complete understanding of ratings.

Here We Go Again: Google Books Briefing Schedule Pushed Back

According to a new scheduling order entered by Judge Chin, summary judgment motions in the Authors Guild case will be delayed for a month. The proposed schedule supplied by the parties asked for two months, but Judge Chin crossed out the dates and gave them one. Here are the new dates:

  • July 27: Motions for summary judgment due
  • August 24: Oppositions to motions for summary judgment due
  • September 17: Replies in support of motions for summary judgment
  • October 9: Oral argument on summary judgment

The order itself will be posted on the Public Index soon.

The Sabotage of Do Not Track

At today’s hearing of the Subcommittee on Intellectual Property, Competition and the Internet of the House Judiciary Committee, I referred to an attempt to “sabotage” the forthcoming Do Not Track standard. My written testimony discussed a number of other issues as well, but Do Not Track was clearly on the Representatives’ minds: I received multiple questions on the subject. Because of the time constraints, oral answers at a Congressional hearing are not the place for detail, so in this blog post, I will expand on my answers this morning, and explain why I think that word is appropriate to describe the current state of play.


For years, advertising networks have offered the option to opt out from their behavioral profiling. By visiting a special webpage provided by the network, users can set a browser cookie saying, in effect, “This user should not be tracked.” This system, while theoretically offering consumers choice about tracking, suffers from a series of problems that make it frequently ineffective in practice. For one thing, it relies on repetitive opt-out: the user needs to visit multiple opt-out pages, a daunting task given the large and constantly shifting list of advertising companies, not all of which belong to industry groups with coordinated opt-out pages. For another, because it relies on cookies—the same vector used to track users in the first place—it is surprisingly fragile. A user who deletes cookies to protect her privacy will also delete the no-tracking cookie, thereby turning tracking back on. The resulting system is a monkey’s paw: unless you ask for what you want in exactly the right way, you get nothing.

The idea of a Do Not Track header gradually emerged in 2009 and 2010 as a simpler alternative. Every HTTP request by which a user’s browser asks a server for a webpage contains a series of headers with information about the webpage requested and the browser. Do Not Track would be one more. Thus, the user’s browser would send, as part of its request, the header:

DNT: 1

The presence of such a header would signal to the website that the user requests not to be tracked. Privacy advocates and technologists worked to flesh out the header; privacy officials in the United States and Europe endorsed it. The World Wide Web Consortium (W3C) formed a public Tracking Protection Working Group with a charter to design a technical standard for Do Not Track.

Significantly, a W3C standard is not law. The legal effect of Do Not Track will come from somewhere else. In Europe, it may be enforced directly on websites under existing data protection law. In the United States, legislation has been introduced in the House and Senate that would have the Federal Trade Commission promulgate Do Not Track regulations. Without legislative authority, the FTC could not require use of Do Not Track, but would be able to treat a website’s false claims to honor Do Not Track as a deceptive trade practice. Since most online advertising companies find it important from a public relations point of view to be able to say that they support consumer choice, this last option may be significant in practice. And finally, in an important recent paper, Joshua Fairfield argues that use of the Do Not Track header itself creates an enforceable contract prohibiting tracking under United States law.

In all of these cases, the details of the Do Not Track standard will be highly significant. Websites’ legal duties are likely to depend on the technical duties specified in the standard, or at least be strongly influenced by them. For example, a company that promises to be Do Not Track compliant thereby promises to do what is required to comply with the standard. If the standard ultimately allows for limited forms of tracking for click-fraud prevention, the company can engage in those forms of tracking even if the user sets the header. If not, it cannot. Thus, there is a lot at stake in the Working Group’s discussions.

Internet Explorer and Defaults

On May 31, Microsoft announced that Do Not Track would be on by default in Internet Explorer 10. This is a valuable feature, regardless of how you feel about behavioral ad targeting itself. A recurring theme of the online privacy wars is that unusably complicated privacy interfaces confuse users in ways that cause them to make mistakes and undercut their privacy. A default is the ultimate easy-to-use privacy control. Users who care about what websites know about them do not need to understand the details to take a simple step to protect themselves. Using Internet Explorer would suffice by itself to prevent tracking from a significant number of websites.

This is an important principle. Technology can empower users to protect their privacy. It is impractical, indeed impossible, for users to make detailed privacy choices about every last detail of their online activities. The task of getting your privacy right is profoundly easier if you have access to good tools to manage the details. Antivirus companies compete vigorously to manage the details of malware prevention for users. So too with privacy: we need thriving markets in tools under the control of users to manage the details.

There is immense value if users can delegate some of their privacy decisions to software agents. These delegation decisions should be dead simple wherever possible. I use Ghostery to block cookies. As tools go, it is incredibly easy to use—but it still is not easy enough. The choice of browser is a simple choice, one that every user makes. That choice alone should be enough to count as an indication of a desire for privacy. Setting Do Not Track by default is Microsoft’s offer to users. If they dislike the setting, they can change it, or use a different browser.

The Pushback

Microsoft’s move intersected with a long-simmering discussion on the Tracking Protection Working Group’s mailing list. The question of Do Not Track defaults had been one of the first issues the Working Group raised when it launched in September 2011. The draft text that emerged by the spring remains painfully ambiguous on the issue. Indeed, the group’s May 30 teleconference—the day before Microsoft’s announcement—showed substantial disagreement about defaults and what a server could do if it believed it was seeing a default Do Not Track header, rather than one explicitly set by the user. Antivirus software AVG includes a cookie-blocking tool that sets the Do Not Track header, which sparked extensive discussion about plugins, conflicting settings, and explicit consent. And the last few weeks following Microsoft’s announcement have seen a renewed debate over defaults.

Many industry participants object to Do Not Track by default. Technology companies with advertising networks have pushed for a crucial pair of positions:

  • User agents (i.e. browsers and apps) that turned on Do Not Track by default would be deemed non-compliant with the standard.
  • Websites that received a request from a noncompliant user agent would be free to disregard a DNT: 1 header.

This position has been endorsed by representatives of the three companies I mentioned in my testimony today: Yahoo!, Google, and Adobe.

Thus, here is an excerpt from an email to the list by Shane Wiley from Yahoo!:

If you know that an UA is non-compliant, it should be fair to NOT honor the DNT signal from that non-compliant UA and message this back to the user in the well-known URI or Response Header.

Here is an excerpt from an email to the list by Ian Fette from Google:

There’s other people in the working group, myself included, who feel that since you are under no obligation to honor DNT in the first place (it is voluntary and nothing is binding until you tell the user “Yes, I am honoring your DNT request”) that you already have an option to reject a DNT:1 request (for instance, by sending no DNT response headers). The question in my mind is whether we should provide websites with a mechanism to provide more information as to why they are rejecting your request, e.g. “You’re using a user agent that sets a DNT setting by default and thus I have no idea if this is actually your preference or merely another large corporation’s preference being presented on your behalf.”

And here is an excerpt from an email to the list by Roy Fielding from Adobe:

The server would say that the non-compliant browser is broken and thus incapable of transmitting a true signal of the user’s preferences. Hence, it will ignore DNT from that browser, though it may provide other means to control its own tracking. The user’s actions are irrelevant until they choose a browser capable of communicating correctly or make use of some means other than DNT.

Pause here to understand the practical implications of writing this position into the standard. If Yahoo! decides that Internet Explorer 10 is noncompliant because it defaults on, then users who picked Internet Explorer 10 to avoid being tracked … will be tracked. Yahoo! will claim that it is in compliance with the standard and Internet Explorer 10 is not. Indeed, there is very little that an Internet Explorer 10 user could do to avoid being tracked. Because her user agent is now flagged by Yahoo! as noncompliant, even if she manually sets the header herself, it will still be ignored.
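The opt-out cookie and DNT header described earlier, and the position quoted above, worked through as an added Python example; it is not code from the original post or from any of the companies named. The cookie name `optout`, the host `news.example`, the `ExampleBrowser/1.0` user agent and the "noncompliant" marker list are assumptions made for illustration.

```python
"""Added illustration: three server-side policies for deciding whether to track."""

# Hypothetical list a site might keep of user agents it deems "noncompliant"
# because they send DNT: 1 by default (assumption, not from any real site).
DEFAULT_ON_UA_MARKERS = ("MSIE 10.0",)
# Hypothetical opt-out cookie name; each ad network uses its own.
OPTOUT_COOKIE = "optout"


def parse_request(raw):
    """Parse a raw HTTP/1.1 request head into a dict of lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def cookies(headers):
    """Return the Cookie header as a name -> value dict."""
    jar = {}
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar


def track_cookie_optout(headers):
    """Opt-out cookie model: track unless the opt-out cookie is present."""
    return cookies(headers).get(OPTOUT_COOKIE) != "1"


def track_header_only(headers):
    """Header read for its meaning alone: DNT: 1 means do not track."""
    return headers.get("dnt") != "1"


def track_second_guessing(headers):
    """Position quoted above: ignore DNT from user agents deemed noncompliant."""
    ua = headers.get("user-agent", "")
    if any(marker in ua for marker in DEFAULT_ON_UA_MARKERS):
        return True                          # DNT value is never consulted
    return headers.get("dnt") != "1"


def build(ua, dnt=None, cookie=None):
    """Construct a sample request (constructed input, not captured traffic)."""
    lines = ["GET /article HTTP/1.1", "Host: news.example", "User-Agent: " + ua]
    if dnt is not None:
        lines.append("DNT: " + dnt)
    if cookie:
        lines.append("Cookie: " + cookie)
    return "\r\n".join(lines) + "\r\n\r\n"


def decide(raw):
    """Return (cookie model, header only, second-guessing): True = tracked."""
    h = parse_request(raw)
    return (track_cookie_optout(h), track_header_only(h), track_second_guessing(h))


IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
OTHER = "ExampleBrowser/1.0"   # placeholder for a browser that ships DNT off


def scenarios():
    """Run the constructed requests through all three policies."""
    return {
        "opt-out cookie set": decide(build(OTHER, cookie="optout=1; session=abc")),
        "same user after clearing cookies": decide(build(OTHER)),
        "other browser, DNT: 1": decide(build(OTHER, dnt="1")),
        # Identical on the wire whether the header is IE10's default or the
        # user turned it on by hand; the server cannot tell the two apart.
        "IE10, DNT: 1": decide(build(IE10, dnt="1")),
    }


if __name__ == "__main__":
    print("scenario: (cookie model, header only, second-guessing)")
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Each tuple reads (cookie model, header only, second-guessing), with `True` meaning the request is tracked. Only the last row differs between the two DNT policies, and it differs for every Internet Explorer 10 user regardless of how the header came to be set.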

The Problem

A cynic might observe how effectively this tactic neutralizes the most serious threat that Do Not Track poses to advertisers: that people might actually use it. Manual opt-out cookies are tolerable because almost no one uses them. Even Do Not Track headers that are off by default are tolerable because very few people will use them. Microsoft’s and AVG’s decisions raise the possibility that significant numbers of web users would be removed from tracking. Pleading user agent noncompliance is a bit of jujitsu, a way of meeting the threat where it is strongest. The very thing that would make Internet Explorer 10’s Do Not Track setting widely used would be the very thing to “justify” ignoring it.

But once websites have an excuse to look beyond the header they receive, Do Not Track is dead as a practical matter. A DNT:1 header is binary: it is present or it is not. But second-guessing interface decisions is a completely open-ended question. Was the check box to enable Do Not Track worded clearly? Was it bundled with some other user preference? Might the header have been set by a corporate network rather than the user? These are the kind of process questions that can be lawyered to death. Being able to question whether a user really meant her Do Not Track header is a license to ignore what she does mean.

Return to my point above about tools. I run a browser with multiple plugins. At the end of the day, these pieces of software collaborate to set a Do Not Track header, or not. This setting is under my control: I can install or uninstall any of the software that was responsible for it. The choice of header is strictly between me and my user agent. As far as the Do Not Track specification is concerned, websites should adhere to a presumption of user competence: whatever value the header has, it has with the tacit or explicit consent of the user.

Websites are not helpless against misconfigured software. If they really think the user has lost control over her own computer, they have a straightforward, simple way of finding out. A website can display a popup window or an overlay, asking the user whether she really wants to enable Do Not Track, and explaining the benefits disabling it would offer. Websites have every opportunity to press their case for tracking; if that case is as persuasive as they claim, they should have no fear of making it one-on-one to users.

This brings me to the bitterest irony of Do Not Track defaults. For more than a decade, the online advertising industry has insisted that notice and an opportunity to opt out is sufficient choice for consumers. It has fought long and hard against any kind of heightened consent requirement for any of its practices. Opt-out, in short, is good enough. But for Do Not Track, there and there alone, consumers allegedly do not understand the issues, so consent must be explicit—and opt-in only.

Now What?

It is time for the participants in the Tracking Protection Working Group to take a long, hard look at where the process is going. It is time for the rest of us to tell them, loudly, that the process is going awry. It is true that Do Not Track, at least in the present regulatory environment, is voluntary. But it does not follow that the standard should allow “compliant” websites to pick and choose which pieces to comply with. The job of the standard is to spell out how a user agent states a Do Not Track request, and what behavior is required of websites that choose to implement the standard when they receive such a request. That is, the standard must be based around a simple principle:

A Do Not Track header expresses a meaning, not a process.

The meaning of “DNT: 1” is that the receiving website should not track the user, as spelled out in the rest of the standard. It is not the website’s concern how the header came to be set.

No means no, and Do Not Track means Do Not Track.

Metaphors Require Care

Given the core significance of the role of hyperlinking to the Internet, we risk impairing its whole functioning. Strict application of the publication rule in these circumstances would be like trying to fit a square archaic peg into the hexagonal hole of modernity.

Crookes v. Newton, 2011 SCC 47, [2011] 3 S.C.R. 269 ¶ 36.

The point is well taken, but switching from “round” to “hexagonal” undoes the metaphor. A cube, viewed from directly above one of its corners, is hexagonal.

Google Books Updates

The biggest news in Google Books land is that Google has filed a petition with the Second Circuit asking for an immediate appeal of class certification. The case proceeds in the District Court while the Second Circuit decides whether or not to hear the appeal—and even if it does, there’s no guarantee the case will be stayed. Obviously, Judge Chin won’t be one of the judges considering the appeal; this move does put his colleagues in the slightly unusual position of hearing an appeal from one of the fellow members of their court.

The petition doesn’t contain anything substantive that will be terribly surprising to close watchers of the case. Like a good appellate brief, it gives a highly readable statement of Google’s basic position on class certification. Many authors benefit from Google Books and favor its continued existence, so the class representatives are unavoidably adverse to the authors they purport to represent. And further, the diversity of fair use considerations will preclude Google from being able to present the individualized defense it is entitled to present to each book. I was convinced by Judge Chin’s conclusions that these issues shouldn’t block certification, but perhaps the Second Circuit will disagree.

The real surprise comes as an aside: Google has added the law firm of WilmerHale to its team, and the petition is submitted and signed by Seth Waxman, a former Solicitor General and one of the country’s all-star appellate litigators. Google has the money and motivation to hire the best.

In addition, I should catch everyone up on some housekeeping matters in the various cases. Summary judgment motions in the main Authors Guild case have been pushed back to June 26. In the visual artists’ case, the class certification motion has been pushed back to August 20. And in the HathiTrust case against the libraries, summary judgment motions are now due on June 29.

The Fourth Amendment and the Common-Law Trespass Torts

This entry is cross-posted from, a website of commentary by law professors about the implications of the Supreme Court’s decision in, yes, U.S. v. Jones.

I would like to do something perverse with the Supreme Court’s decision in United States v. Jones: focus on what the court actually held. Scholarly attention has focused on Justice Sotomayor’s concurrence and Justice Alito’s opinion concurring in the judgment, and their apparent willingness to embrace a mosaic theory of sustained observation, and to rethink the third-party doctrine. But in its own way, Justice Scalia’s majority opinion raises just as many deep questions as the concurrences do.

By grounding the Fourth Amendment “search” in property law—in particular, the sleepy backwater tort of trespass to chattels—the Court follows what Orin Kerr calls the “positive law” model of Fourth Amendment protection. The scope of one’s privacy rights is defined in part by the scope of one’s property rights. But only in part. The Court’s opinion, however, suggests that some trespasses will not be searches, and that some searches would not be actionable under trespass law. The divergences are instructive, both about the Fourth Amendment and about property law.

Jones raises four kinds of questions about trespassory searches:

  • What things are protected?
  • What activities in relation to those things are prohibited?
  • What counts as valid consent to use the things?
  • What consequences or circumstances are needed to make a “technical trespass” actionable?

In each case, it turns out, Scalia’s opinion for the Court raises basic conceptual issues about the nature of trespass.

First, start with the things protected from trespass. The Fourth Amendment is straightforward on this score: it protects the “right of the people to be secure in their persons, houses, papers, and effects.” This sounds simple enough: it includes the body (“persons”), real property (“houses”), and personal property (“papers” and “effects”). Concerned about a search? There’s a tort for that. Battery protects the person, trespass protects real property, trespass to chattels protects personal property.

But here is the first place where the post-Jones Fourth Amendment law of trespassory searches diverges from trespass law. The Court reaffirms that a trespass to open fields is not a search, because the Amendment describes only “houses.” Trespass is not so restricted: in the canonical case of Jacque v. Steenberg Homes, the Supreme Court of Wisconsin upheld a $100,000 punitive damage award for a trespass over a vacant snow-covered field.

Among the ironies of this holding is that the Fourth Amendment may now protect personal property more stringently than it does real property. Unlike “houses,” which the Court reads to exclude open fields, “effects” is a catch-all term for all personal property. But historically, trespass to land was a more muscular tort than trespass to chattels; common law has a “special respect for land ownership.” The Court cites Entick v. Carrington for the absoluteness of trespass to land:

[O]ur law holds the property of every man so sacred, that no man can set his foot upon his neighbour’s close without his leave; if he does he is a trespasser, though he does no damage at all; if he will tread upon his neighbour’s ground, he must justify it by law.

Second, consider the nature of the activities that make a non-owner’s use of those things problematic. In Jones itself, the police attached a tracking device to Jones’s car. This was an extended touching of the car by an object that did not significantly affect the car itself. The Court uses a variety of language to describe the genus of conduct of which this is a species: the government “occupied” Jones’s property, this was an “invasion” or an “intrusion.”

This last language (repeated six times in the majority opinion) is telling. It comes from a phrase in Justice Brennan’s concurrence in another tracking-device case, United States v. Knotts, “physical intrusion of a constitutionally protected area.” The idea is profoundly spatial: like a home, a car defines a space, into which the police may not extend so much as an arm without triggering the Fourth Amendment. (The most amusing portions of Jones involve Justice Scalia and Justice Alito butting heads over the plausibility of “a constable’s concealing himself in the target’s coach.”)

But most personalty is much smaller; it would be odd to speak of “intruding” into a wallet or a jacket. Indeed, slapping a GPS device on a car is more of an extrusion than an intrusion. Justice Sotomayor’s concurrence says the government “usurped” the car, which focuses on the misuse of property rather than the entry into a space it defines.

This issue is most likely to play out in surprising ways when it comes to the question of what kinds of contact constitute a trespass. The line between tangible and intangible contacts is a problematic one in property law, as Justice Alito’s concurrence observes. For real property, a series of cases ask whether dust, vibrations, or radiation can sound in trespass, or whether they must be raised as nuisances. Radiation, in particular, will be of great interest for advanced surveillance technologies: imagine an active version of the thermal scanning devices at stake in Kyllo v. United States. But land has other boundaries as well. If we’re committed to an originalist understanding of trespass, then the ad coelum rule presumably applies, which means drones need to stay out of the column of airspace above the suspect’s property (or at least the column above her house).

For personal property, electronic communications with computers have been successfully pleaded as trespasses to chattels, and the modern trend is that such intangible intrusions are actionable (at least when they lead to damages, as discussed below). This trend may or may not matter for an originalist, but it does suggest that certain kinds of electronic surveillance may be problematic even without reference to an expectation of privacy. When the police log in to a suspect’s computer, the “intrusion” is virtual, but there is also inarguably an intangible contact with the computer treated as a chattel.

Third, there is the problem of consent. One axis here is the well-known Fourth Amendment problem of who is entitled to consent to or object to a search. The Court distinguished a previous tracking-device case, United States v. Karo, by holding that there the tracker had been installed before the chattel came into the possession of the suspect. Justice Alito, in challenging the trespassory search theory, pointed to the variations among state community-property laws as affecting who will have property rights in an object.

But there is another problem lurking here. In Karo, the initial installation was not the only relevant conduct. If the suspect had pleaded instead that the continuing attachment of the device was an ongoing violation of “the dignitary interest in the inviolability of chattels,” this would appear to be a good plea of trespass to chattels. So perhaps the suspect’s initial acceptance of the chattel with the device attached is to be treated as consent, which the suspect could revoke at any time. But this is a stretch: we do not ordinarily say that one gives consent to trespasses of which one is completely unaware.

This brings us into the deeply murky area of consent obtained under false or misleading pretenses. The undercover police officer who is invited into the suspect’s business is not committing a Fourth Amendment violation. The suspect assumed the risk that his guest was not to be trusted. But that’s not how consent works in tort law: the undercover investigator who obtains entry to a business’s premises by lying about his purposes sometimes is a trespasser, as in Food Lion v. Capital Cities.

And finally, there is the question of what consequences are required to make an intrusion or misuse actionable at law. This is the source of the most famous distinction between trespass to land and trespass to chattels. The former, given the heightened protection afforded real property, will support a lawsuit for nominal damages. But the modern rule is that a suit for trespass to chattels will not lie unless the owner is dispossessed or deprived of the use of the chattel, its condition or value is impaired, or some other physical harm results.

Of course, none of these was the case in Jones: the car itself was materially unaffected. Thus, for Fourth Amendment purposes, it appears that the harm rule does not apply to trespass to chattels. A “technical trespass” causing no damage will not give rise to a tort suit, but it will trigger the Fourth Amendment. As Justice Alito notes, “Attaching such an object is generally regarded as so trivial that it does not provide a basis for recovery under modern tort law.” To be precise, the Second Restatement of Torts describes such intrusions as trespasses to chattels, but does not make them actionable at law.

Seizure law tracks tort law here: there must be “some meaningful interference” with the right to possession. But search law does not. As Jones explains, a trespassory search is a technical trespass plus “an attempt to find something or to obtain information.” So here, the Fourth Amendment is now more zealously protective than tort law is.

And this loops us back to the central theme of Jones, one that runs through all of these issues: the relationship between property, tort, and privacy. For trespass to land, the dignitary interest in privacy is one of the most commonly invoked reasons for protecting against intrusion even when there are no tangible harms. In the language of the 1814 English case Merest v. Harvey:

Suppose a gentleman has a paved walk in his paddock, before his window, and that a man intrudes and walks up and down before the window of his house, and looks in while the owner is at dinner, is the trespasser permitted to say “here is a halfpenny for you which is the full extent of the mischief I have done.” Would that be a compensation? I cannot say that it would be… .

Thus, privacy values become a core justification for the right to exclude—even in cases where privacy itself is not at stake. Jones turns this theory back: the right to exclude becomes the measure of when society will protect privacy interests. Whether this is exactly right or exactly backwards, the reader is invited to consider.

Founding Farmers …

  • Gave our place in line to another party.
  • Served my wife a lime soda instead of ginger.
  • Brought us our appetizer almost simultaneously with the main course.
  • Served me meatloaf instead of meatless meatloaf.
  • Undercooked my wife’s chicken.
  • Never brought my wife the side of okra she ordered.

It was a tasty meatloaf, but still, that’s a pretty impressive record of error for a single meal.