Monthly Archives: April 2010

There’s Something About ECPA

I write in “The Laws of Disruption” of the risk of unintended consequences that regulators run in legislating emerging technologies.  Because the pace of change for these technologies is so much faster than it is for law, the likelihood of defining a legal problem and crafting a solution that will address it is very slim.  I give several examples in the book of regulatory actions that quickly become not just obsolete but, worse, wind up having the opposite result to what regulators intended.

An unfortunate example of that problem in the news quite a bit lately is the Electronic Communications Privacy Act or ECPA.   (My first published legal scholarship, in 1994, was an article about a provision of ECPA that allowed law enforcement officers to use evidence they came across by accident in the course of an otherwise lawful wiretap, see “Electronic Communications and the Plain View Exception:  More ‘Bad Physics.’”)

Passed in 1986, ECPA at the time was a model of smart lawmaking in response to changing technologies.  It updated the federal wiretap statute, known as Title III, to take into account the rise of cellular technologies and electronic messages–which didn’t exist when the original law was passed in 1968.

In essence, ECPA brought these new forms of communications under the legal controls of the wiretap law, meaning for example that police could not intercept cell phone transmissions without a warrant, just as under Title III they needed a warrant to intercept wireline calls.  Private interception was also made illegal.

Lost in the Clouds

A lot has happened since 1986, and unfortunately for the most part ECPA hasn’t kept up.  Most significant has been the explosion of new data sources of all varieties, and in particular the now billions (trillions?) of messages sent and received each day by individuals communicating through the Internet.  The potential evidence those messages contain for a variety of investigations—criminal, civil, terror-related—has made them an irresistible target for law enforcement as well as civil litigants.

In addition to the sheer volume of new data sources, the other significant change undermining ECPA’s assumptions has been the movement to cloud-based services, particularly for email.  In the early days of email (say, 1995), ISPs kept messages on their servers only until the user, through a client email program such as Eudora, downloaded the message to his or her personal computer.  Once downloaded, the message was immediately or soon after deleted from the server, if for no other reason than to save storage space.

Storage, however, has gotten cheap, and the potential uses of stored data for a variety of purposes have made it attractive for ISPs and other services (e.g., Google’s Gmail) to retain copies of messages and other user data on a permanent basis.

The drafters of ECPA had great foresight, but they couldn’t have imagined these changes.

Here come the unintended consequences.  Under the law, law enforcement agents hoping to get access to your emails as part of an investigation are required to obtain a warrant, just as they would need a warrant to search your home and seize your computer.

But for data stored on a third party computer—an ISP or other cloud provider—the warrant requirement applies only for “unopened” messages and only for 180 days after receipt.  Once the message is opened and 180 days have passed, any stored data can be obtained without a warrant based on the much lower standard of a subpoena.

In some sense, this means that as users move to cloud computing they are inadvertently and unknowingly waiving protections against law enforcement uses of their data. Keep your data only locally on equipment in your home or office, and the police need a warrant to look at or take it.  Leave it in the cloud somewhere, and they can get at it without much fuss at all.

This turn of events, the result not of any secret conspiracy so much as the random confluence of technological inventions since 1986, is almost certainly not what the drafters of ECPA had in mind.  It is more likely to be just the opposite.  For ECPA, like the wiretap law it amended, was intended to give greater protection to communications than what the Fourth Amendment to the U.S. Constitution would otherwise have provided.

A Very Brief History of the Fourth Amendment in Cyberspace

The Fourth Amendment, recall, protects citizens from “unreasonable searches and seizures” by the government.  (We are, it bears emphasizing, talking ONLY about government access here—employers, parents, friends and companies are not subject to the Fourth Amendment.)

Which is to say, the Fourth Amendment is the absolute floor of citizen protections from government.  Title III and ECPA were intended to raise that floor for telephone and later data communications to something that gave citizens more, not less, privacy.

At some point, indeed, technology may push the law below the standards of the Fourth Amendment, making it unconstitutional.  That’s been a concern all along, from the beginning of the wiretap statute itself in 1968.  The passage of Title III followed landmark Supreme Court decisions in the Katz and Berger cases, in which the Court reversed the 1928 Olmstead case, which allowed the police to intercept phone calls of a suspect without a warrant.

The Olmstead decision, Justice Harlan wrote in his concurrence to Katz, was “bad physics as well as bad law, for reasonable expectations of privacy may be defeated by electronic as well as physical invasion,” 398 U.S. at 362 (1967).

Harlan’s phrasing has proven prophetic.  In order to avoid the metaphysical problem of explaining how electronic interception could constitute a “search” or a “seizure” when no physical property of the subject is involved, the Court focused instead on the “reasonable” part of the Fourth Amendment.

Search and seizure, the Court has held over the last fifty years, is really about privacy, and a “reasonable” expectation of privacy for any information law enforcement agents want to gather requires a warrant.  What part of a wiretap is a search and what part a seizure are questions neatly elided (though perhaps too neatly as we’ll see) by the “reasonable expectation of privacy” standard.

The privacy standard has proven at least somewhat resilient to changing technologies.  But with mainstream adoption of revolutionary information technologies comes changing expectations of what is reasonably expected to be “private” information.  Indeed, Olmstead can be seen as a perfectly understandable decision in light of the fact that in 1928 nearly all telephones were connected through party lines, where no caller had any expectation of privacy.

But that also means there is no absolute baseline for Fourth Amendment challenges (usually by a criminal defendant) to evidence collected by the government.  Again, Title III and ECPA can and did set a higher bar than was required as a constitutional minimum, but even as those intentions have been reversed by technology it does not automatically follow that ECPA is now below what the Fourth Amendment requires.

Absent special protections citizens may have had from ECPA, the question under Fourth Amendment jurisprudence becomes:  Do users who keep email and other data archived with ISPs and other cloud providers have an expectation of privacy?  Is that expectation reasonable?

The Ugly Details

Not surprisingly, courts are increasingly asked to weigh in on those questions, and the results are also not surprisingly inconclusive.  (David Couillard at Ars Technica reviewed some of the case law in a recent article, “The Cloud and the Future of the Fourth Amendment.”)

Earlier this month, the Department of Justice abandoned an attempt to avoid a search warrant even for mail messages less than 180 days old in a case that involved Yahoo mail.  (See Declan McCullagh, “DOJ Abandons Warrantless Attempts to Read Yahoo E-mail.”)

Google, which came to Yahoo’s defense, has begun disclosing just how many requests for information about its users it receives from various government agencies.  (See Jessica Vascellaro, “Google Discloses Requests on Users.”)

It’s also worth noting that sometimes technology goes the other way—making it harder for law enforcement officials to collect evidence and conduct investigations.  Encryption is a good example here—stronger encryption protocols make it easier for criminals to hide activity from the police.

Indeed, law enforcement and privacy advocates are in some sense always engaged in a complicated dance.  As technology constantly changes the delicate balance between the sanctity of private activity and the need for effective law enforcement, lawmakers are regularly asked by one side or the other (or both) to change the law to bring it back into something that satisfies both groups.

The Digital Due Process Coalition

The cloud computing problem has inspired the creation of an interesting coalition aimed at returning ECPA to where its drafters intended to set the scales.  The group, called Digital Due Process, was launched in March and is calling for specific reforms of ECPA to take into account the reality of digital life in 2010.  (For those who want the legal details, the site includes an excellent analysis by my one-time boss Becky Burr, see “The Electronic Communications Privacy Act of 1986: Principles for Reform.”)

The Digital Due Process group is a remarkable coalition of organizations and corporations who might not otherwise be thought to agree on too many issues of technology policy.  It includes advocacy groups normally thought to be on the right or the left, including the ACLU, the Center for Democracy and Technology, the Progress and Freedom Foundation, the Electronic Frontier Foundation and the American Library Association.  Corporate members include Google, AT&T, Microsoft, eBay, and Intel.

One might think that with such specific recommendations and such a wide coalition of support from across the ideological spectrum that ECPA reform would be a slam dunk.  But of course that would ignore one very powerful lobby not represented by Digital Due Process–the lobby of law enforcement agencies.

These agencies almost certainly recognize that the move to cloud computing has given them unintended and unprecedented access to information otherwise protected by the law, but naturally they are loath to let go of any advantage in the fight against crime.

Though there have been some calls in Congress for enacting the reforms called for by the coalition, the success of Digital Due Process is far from certain.  And even if the group does succeed, there’s no telling how long it will be before the scales become unbalanced yet again, or in whose favor, by the next set of disruptive information technologies to become mainstream.

As Thomas Jefferson said, “The price of freedom is eternal vigilance.”

Reality Check: “Reclassifying” Broadband Would be Hard—Thank Goodness

I have a long opinion piece on CNet today, arguing that much of the talk of “reclassifying” or “relabeling” broadband Internet access to bring it under the FCC’s regulatory authority is just that—talk.

On April 6th, the D.C. Circuit Court of Appeals ruled definitively that the squishy doctrine of “ancillary jurisdiction” provides no authority for the FCC to impose its net neutrality rules on broadband Internet providers.

Law professors and paid advocates are doing a good job of convincing journalists who don’t understand the finer points of administrative law that all the FCC needs to undo that decision is the will to change the classification of broadband and…problem solved.

Not quite.  Those who argue the FCC can simply wave a regulatory wand and give itself all the jurisdiction it needs under Title II of the Communications Act are engaging in serious wishful thinking, or worse.

Yesterday, for example, The New York Times ran an editorial that suffered from a surfeit of fairy dust:

Fortunately, the commission has the tools to fix this problem. It can reverse the Bush administration’s predictably antiregulatory decision to define broadband Internet access as an information service, like Google or Amazon, over which it has little regulatory power. Instead, it can define broadband as a communications service, like a phone company, over which the commission has indisputable authority.

Where to begin?

First, it was the FCC, not the Bush administration, that convinced the U.S. Supreme Court that broadband is an (unregulated) information service.  And that was not a decision the agency made with Congressionally-delegated discretion.  The FCC didn’t “define” anything–it interpreted the statute.  That broadband is an “information service” reflected the FCC’s understanding of where Congress put broadband when it wrote the 1996 revisions to the Communications Act.

(Nothing in the definition of “information service” has anything to do with applications or web-based businesses such as Google or Amazon, by the way—that’s really left-field.  As I say in the CNet piece, “information services” mean data, as opposed to voice, communications.)

The Supreme Court agreed with the FCC’s interpretation in the Brand X case, and Congress has given not even a hint of a rumor of a private thought that they believed the agency and the courts got their intention wrong.

In Brand X and regulatory proceedings before and since, the FCC argued for treating broadband Internet access as an information service not because the agency thought that was the best way to regulate.  They argued that broadband was outside any common carrier regulation because Congress said so in the 1996 Communications Act.  With the Brand X decision, all three branches of the government agreed with that understanding of the law.

Finally, there’s nothing in the statute that gives the agency the power to “define broadband as a communications service.”  (The actual term is “telecommunication”—nice fact-checking, New York Times.)  Agencies don’t get to define terms in their governing statute—Congress does.  If the FCC had the kind of authority the Times’ editors seem to think they have, the Communications Act would likely fail a constitutional challenge.  Congress cannot delegate lawmaking power to an agency of the executive branch.

Journalists aside, even the strongest proponents of the Title II panacea know in their hearts that the FCC can’t just wish themselves new powers without authorization from Congress.  But they also know that going back to Congress for that authority—the logical response to any finding that an agency lacks authority it believes it needs to meet its statutory objectives—is a dicey proposition.

There never has been sufficient support in Congress for net neutrality to get anything passed.  The math looks worse now than it did a few years ago, when Comcast was first found to have secretly slowed or blocked some users’ BitTorrent downloads.

Indeed, the NPRM came after Congress failed for years to pass any of the proposed neutrality laws.  The FCC argued that ancillary jurisdiction was enough authority to do it themselves, a gambit even pro-neutrality groups including the Electronic Frontier Foundation saw as more dangerous than the harm the agency was trying to abate.  Now the D.C. Circuit has signed on to that view, an entirely sensible limitation of agency power regardless of whether it is being exercised for good or perceived evil.

If the FCC wants to save its net neutrality proposal, it will have to go back to Congress one way or the other.  Or proceed, and face at least a decade of litigation that it will ultimately lose—at the waste of millions of taxpayer dollars that could go toward fulfilling the National Broadband Plan.

Sounds like an easy choice to me.  But some people want it to be even easier, despite those pesky facts that are getting in the way.

A Few Words on Comcast v. FCC: Net Neutrality Neutralized

The D.C. Circuit Court of Appeals issued its opinion today in Comcast’s appeal of sanctions issued in 2008, rejecting the FCC’s authority to issue the sanctions in the first place.  (Brent Kendall of The Wall Street Journal has already reported the story, see “Court Strikes at Net Neutrality.”)

The sanctions punished the cable company’s efforts to throttle the peer-to-peer traffic of some customers using the BitTorrent application over its network, a network management practice the FCC said violated its “policy” on open and transparent Internet or “net neutrality.”  Since Comcast agreed to more subtle forms of traffic management and to make such decisions more transparent, the FCC left them with a slap on the wrist.  Comcast appealed nonetheless.  (Appeals of FCC adjudications go directly to the D.C. Circuit.)

I’ve read through the court’s 36-page opinion, which will serve as an important marker in the “net neutrality” debate.  It largely follows the harsh line of questioning taken during the oral arguments for the case back in January, where the panel challenged the FCC to identify a specific statutory provision that gave them authority to impose the neutrality principles—in this case, in an adjudication that Comcast had failed to follow the rules.

In 36 pages, there is not a single reference to any arguments made by Comcast.  Instead, the court “begins and ends” by dismantling the brief of the FCC, rejecting every effort to tie the Commission’s “ancillary jurisdiction” to something—anything!–in the Communications Act that could justify the sanctions.

When the FCC issued its Notice of Proposed Rulemaking on net neutrality in October of last year (rules that would in essence codify the basis for sanctions in the Comcast case), it cited as its authority to issue the rules none other than “ancillary jurisdiction”–making the same argument there that the D.C. Circuit has now rejected.  (See Paragraph 83 of the NPRM.)

FCC Commissioner Robert McDowell dissented from that aspect of the NPRM, noting “My view is that regulation of network management is simply not reasonably ancillary to responsibilities set forth under other sections of the Act.”

The D.C. Circuit agrees.  In conclusion, the court notes:

It is true that “Congress gave the [Commission] broad and adaptable jurisdiction so that it can keep pace with rapidly evolving communications technologies.”  It is also true that “[t]he Internet is such a technology,” indeed, “arguably the most important innovation in communications in a generation.” Yet notwithstanding the “difficult regulatory problem of rapid technological change” posed by the communications industry, “the allowance of wide latitude in the exercise of delegated powers is not the equivalent of untrammeled freedom to regulate activities over which the statute fails to confer . . . Commission authority.” [citations omitted]

The spin doctoring of this opinion will now commence.  But it is very hard to see how the NPRM can go forward—or survive even the briefest of legal challenges should the FCC simply do so—given this ruling.  The FCC could try to appeal to the U.S. Supreme Court or go back to Congress for explicit authority to issue net neutrality rules.  As I’ve written earlier, the FCC could also try to reclassify Internet services under the common carrier rules of Title II, where it has extensive regulatory powers.

Each of these paths is fraught with dangers and unintended consequences.

Perhaps it’s time for the Commission instead to take a step back and ask a question that was missing from the many posed in the NPRM:  Why regulate at all?

EBay Wins Important Victory Against Tiffany

As the Wall Street Journal is already reporting, today eBay sustained an important win in its long-running dispute with Tiffany over counterfeit goods sold through its marketplace.  (The full opinion is available here.)

I wrote about this case as my leading example of the legal problems that appear at the border between physical life and digital life, both in “The Laws of Disruption” and a 2008 article for CIO Insight.

To avoid burying the lede, here’s the key point:  for an online marketplace to operate, the burden has to be on manufacturers to police their brands, not the market operator.  Any other decision, regardless of what the law says or does not say, would effectively mean the end of eBay and sites like it.

Back to the beginning.  Tiffany sued eBay over counterfeit Tiffany goods being sold by some eBay merchants.  The luxury goods manufacturer claimed eBay was “contributorily” liable for trademark infringement—that is, for confusing consumers into thinking that non-Tiffany goods were in fact made by Tiffany.

Counterfeit items have been a long-standing problem for electronic commerce, and as one of the largest and first online marketplaces it’s little surprise that eBay has found itself so often in the cross-hairs of unhappy manufacturers.  While the company has generally won these lawsuits, it lost an important case in France at about the same time the trial court in the Tiffany case ruled in its favor in 2008.

(A related problem that was explicit in the French case is that luxury goods manufacturers are unhappy in general with secondary markets given the tight—sometimes illegal—control they exert over primary channels.  Electronic commerce doesn’t respect local territories, fixed pricing and regulating discounting, perhaps the bigger headache for companies such as Tiffany’s.)

The struggle for courts is to apply traditional law to new forms of behavior.  Many of the opinions in these cases tie themselves in knots trying to figure out just what eBay actually is—is it a department store, where a variety of goods from different manufacturers are sold?  Is it a flea market, where merchants pay for space to sell whatever they want?  Or is it a bulletin board at a local grocery store, where individuals offer products and services?

Of course eBay is none of these things.  But courts must apply the law they have, and the case law for trademark infringement is based on these kinds of outdated classifications.  In the “common law” tradition, judges decide cases by analogy to existing case laws.  That means when there isn’t a good analogy to be found, the law is often thrown into confusion for a long period of time while new analogies get worked out.  Disruptive technologies create such discontinuities in the law, particularly for common law.

At the heart of these decisions is a question of control.  The more the marketplace operator controls the goods that are sold, the more likely they will be found liable for all manner of commercial misconduct.  (Tiffany also sued for false advertising, for example, claiming that eBay ads placed on Google searches promising Tiffany goods at low prices on its site were false, given that some of the goods were counterfeit.  Of course some of the goods were NOT counterfeit.)

A department store operator has complete control over the source of merchandise, and so would be held liable for selling counterfeits.  A bulletin board host has no control, and so would not be held liable.  Flea market operators sit somewhere in between, and depending on the extent and obviousness of the counterfeiting that takes place, operators are sometimes held liable along with the counterfeiters themselves.

The eBay marketplace sits somewhere between the two extremes.  On the one hand, eBay can and does have the ability to review the text of listings prior to their posting, and provides extensive service to merchants including listing services, postage and packaging, and payment management through PayPal.  It can and does respond to complaints by buyers of misrepresented goods (condition and source, e.g.) and by trademark holders who are given extensive tools to review listings to check for counterfeits.  And it charges the sellers for these services—indeed, that is the source of its revenue.

On the other hand, eBay never has physical possession of the goods that are sold through its marketplace—indeed, it never sees them.  That’s an essential feature of the company’s success—eBay couldn’t handle millions of listings in a limitless range of categories if merchants actually sent the goods to eBay during the course of an auction, the way high-end auctioneers such as Sotheby’s and Christie’s would do.

EBay (or buyers for that matter) can’t inspect the goods (other than through photos and text descriptions) prior to purchase, and even if it could the company doesn’t have the expertise to evaluate authenticity and condition of everything from buttons to Rolex watches to cars.  That’s why eBay’s buyer feedback system is so important to the efficient operation of the marketplace.

In today’s decision, the Second Circuit Court of Appeals in New York mostly affirmed the trial court’s holdings.  It agreed that for eBay to be liable for the trademark infringements of its misbehaving sellers, the company had to have actual knowledge of their activities and still continue doing business with them.

There was substantial evidence to the contrary—including direct policing by eBay as well as the tools provided to manufacturers to review and flag suspicious listings.  As the court noted, eBay has plenty of incentives to ensure counterfeit goods stay off the site—for unhappy buyers mean the loss of liquidity and the loss of any competitive advantage.

Tiffany objected to the fact that the eBay tools put the burden on trademark holders rather than marketplace operators to ensure the authenticity of the goods.  But the court agreed with eBay that such is indeed the burden of a trademark, a valuable and exclusive right given to manufacturers to encourage the creation of consistent and quality goods and services.  Since eBay acted on actual knowledge of infringement and could not be said to have willfully ignored the illegal behavior of some merchants, the company had fulfilled its legal obligation to trademark holders.

The opinion is, as to be expected, largely a discussion of legal precedent and the law of trademark.  That, after all, is the role of an appellate court—not to retry the case, but to review the trial judge’s findings in search of legal error.  The decision by the appellate court will serve as a powerful precedent for eBay and other e-commerce sites in the future.  (Tiffany says it may appeal to the U.S. Supreme Court, but it’s unlikely for many reasons that the Court would take the case.)

One important feature of the case that is not discussed directly in the appellate decision, however, is worth highlighting.  Though courts rarely say so explicitly, an important factor in deciding cases has to do with the practical limits of the remedy requested by a plaintiff, in this case Tiffany’s.  Given what eBay already does to police counterfeit goods, it’s hard to see what Tiffany’s actually wanted the company to do—that is, what it wanted the courts to order eBay to do had it won the lawsuit.

For aside from money damages, the purpose of a lawsuit and the reason the taxpayers fund the legal system is that court decisions let everyone know what behaviors are acceptable and which are not–and how to correct those that are not.  Had eBay lost, they would have had to pay damages, but more to the point the loss would have sent a message to them and others to change their behavior to avoid future damage claims.

So what would a loss have signaled?  In essence, eBay would have had either to agree not to sell any Tiffany goods (a limit other brands would have demanded as well) or to verify and authenticate all items before allowing them to be listed on the site.  That would have been the only way to satisfy Tiffany’s that their view of the law was being followed.

That remedy, though theoretically possible, would have meant the end of eBay and sites like it (including Amazon Marketplace).  It would in essence have said that any auction or other third-party sales model other than the high-end Sotheby’s or Christie’s approach is inherently illegal.  For there would have been nothing left to distinguish eBay’s low-cost approach to buying and selling—all of the efficiencies would have been eaten up by the need to authenticate before the auction began.

Such a remedy would have been economically inefficient—it would, to use Ronald Coase’s terminology, have introduced a great deal of unnecessary transaction costs.  For most of the items on eBay are accurately described, and for them the cost of authentication would be a waste.  eBay practices in essence a post-auction model of authentication.  If the buyer doesn’t agree with the description of the item once they receive it, eBay will correct the problem after the fact.

That’s much more efficient, but it does introduce cost to brand holders such as Tiffany’s.  A buyer who gets a counterfeit good may think less not only of the seller and of eBay but also of Tiffany’s.  Worse, the buyer who doesn’t realize they’ve received a counterfeit good may attribute its poorer quality to Tiffany’s, another form of damage to the mark.

The court’s decision implicitly weighs these costs and concludes that eBay’s model is, overall, the more efficient use of resources.  The brand owner can always sue the eBay sellers directly, of course, and can use the tools provided by eBay to reduce the number of bad listings that get posted in the first place.  Those enforcement costs, the court implies, are less than the authentication costs of Tiffany’s proposed remedy.  Faced with two possible outcomes, the court chose the more economically efficient.

Under the “law and economics” approach to legal decision-making, that finding would have been made explicit.  Some appellate judges, including Richard Posner and Frank Easterbrook, would have actually done the math as best they could from the record.

In any case, the finding seems economically sound.  Meanwhile, the law is still struggling mightily to catch up to reality.