***WINNER*** 2015 Nissenbaum Internet Law Scholarship Essay – SHEILA A. VALENE (University of Colorado, Colorado Springs)

How Can The American Legal System Improve Its Approach To Policing And Regulating Digital Technology Without Unduly Stifling Innovation And Civil Liberties?  

We now have more information available at our fingertips than during all of collective history. This digital technology encompasses a vast amount of information as well as processing and accessing it. But how, if possible, can we even regulate digital technology? After all, the internet is difficult to police; it’s a public good, an exchange of information, not a physical location that can be patrolled. And even if it were, would we want it to be policed? Or does this violate our free speech and, most importantly, our right to privacy? Despite these concerns, there are some things that can be done to improve internet safety without unduly affecting civil liberties, including establishing international standards, requiring the stringent self-regulation and transparency of intermediaries (such as search engines and internet service providers), setting up a council within the US to address complaints, and lastly, educating the consumers who use this technology.

First of all, it is worth noting that there are many individuals who feel the internet should be self-governing. David Johnson, for example, has been a strong proponent of this, stating that “governing the Internet well fundamentally entails governing ourselves, making sure that more of our time, attention and effort … make society more productive, congruent, ethical, and, yes, interesting, complex and empowering for everyone… It is no light duty to be a good netizen.”[1] While his idea of a benevolent internet citizen, or “netizen,” is optimistic and hopeful, it doesn’t reflect the current reality. There are many violations being committed that require some type of legal intervention to properly resolve them.

And what are these violations? The most common are those committed by criminals, including identity theft, phishing, malware, and fraud. Other common violations are committed at the commercial level and include collecting consumer information to sell or use in marketing without compensating, or sometimes even advising, the consumer. More recently we have become aware of governmental violations of “accidental disclosure,”[2] such as when a government employee’s laptop is stolen as well as the citizens’ information contained within it. This has occurred with other organizations as well, such as major retailers, credit card companies, and health insurance companies. While these infractions don’t occur with the frequency one would expect given the amount of available data, they happen enough to be concerning, and can have serious detrimental financial, psychological, and emotional effects on the individuals involved.

Clearly, then, some type of legal intervention is necessary. However, a large part of digital technology is essentially local access to worldwide information, and there is little worldwide consensus on how this should be handled and who’s jurisdiction it is. For example, someone from Country A is communicating with another person from Country B, and they are using a server maintained in Country C. So, if a problem arises, under which country’s laws is it handled? This can become very tricky, as different countries have different laws. Because of this, the US needs to be part of an international committee whose purpose is to codify a system of “Standards and Practices.” Guidelines regulating the obtainment of information and it’s appropriate usage should be created. Furthermore, penalties for violating this use should also be established, along with an agreement to enforce those penalties. This should reduce violations occurring both criminally and commercially. Of course, not all countries will be willing to participate, but establishing these laws for the majority would be the first step in managing global communications.

The US has the FTC to try and regulate these concerns within its own boundaries, yet the agency is having a difficult time. When it was established in 1914, it’s role was to prevent unfair methods of competition. Then in 1938 it’s role evolved to also “prevent fraud, deception, and unfair business practices in the marketplace.”[3] These provisions were established long before digital technology and simply do not meet the needed current regulation demands. There is just too much information. In 2009, for example, Google processed 24 petabytes (that’s 24 of 108 bytes) of information daily[4]; and that was six years ago. Neither the FTC’s size nor defined scope allow it to properly regulate and investigate the numerous concerns from all of this data. So, if the FTC can’t do it, who can?

One solution has been the required transparency and strict self-regulation of intermediaries; essentially, those companies through which consumers access information. These companies in effect “govern online life”[5] and include internet service providers such as Comcast and search engines such as Google. The problem with this method, however, is that there can be an inherent bias. Does Google prevent a site from being accessed because it has been identified as violating privacy rights, or because the site would compete with Google directly? And how does Google itself collect and use our private information? What is needed is a clear definition of use rules, as the Business Forum for Consumer Privacy has called for, which would “require all organizations to be transparent, offer and honor appropriate choice, ensure that risks to consumers related to use are assessed and managed, and implement security for the information they maintain.”[6Making the intermediaries more responsible for safety and security seems obvious, and clear law defining this monitoring is required. Yet we also need someone to “watch the watchers,” so to speak.

The establishment of a consumer-based council which would watch over the intermediaries and ensure they are complying with this model is necessary; this council could then file reports with the FTC after having conducted an investigation. Furthermore, the council could adhere to a strict confidentiality agreement to help maintain individual privacy; it could withhold individual names and identifying information from the FTC or any other government agency. This would eliminate the concern that “enforcement of privacy rights against enterprises would have the effect of exposing data to the government that otherwise would be forbidden to see.”[7] Thus privacy is maintained, and justice can still be meted out.

But creating laws and regulations and committees to enforce them is only part of the solution. Educating consumers is of the utmost importance. People need to be aware of where and how they are accessing information. Logging into a bank account from a random server while at a mall, for example, probably isn’t the safest way to look up that bank balance. It’s also critical to inform people of the unlikelihood that mailing $500 to a foreign country will result in the winning of an overseas lottery, and that they will probably never meet that attractive individual from a dating website whom they’ve been sending money. Additionally, people need to be educated on the importance of anti-virus protection, what malware does, and that Trojan describes more than a resident of ancient Troy. A safety study conducted in December 2005 discovered that 81% of personal home computers did not have “first-order protection measures such as current antivirus software, spyware protection, and effective firewalls.”[8] This is a scary statistic to be sure, and clearly the public is not receiving adequate information on how to utilize the internet safely. Another reality that needs to be reiterated to consumers is that once information is put out on the internet it becomes a public good, and can be retained there indefinitely. A series of public service announcements over the media, including television, radio, and even in print, would help educate individuals. Also, periodically noting safety suggestions on internet homepages would serve as a good reminder whenever people are online.

And what of privacy? Even according to the US Privacy Act of 1974, “the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information.”[9] The bottom line is that consumers are essentially exchanging some level of privacy for the freedoms of communication, accessing information, and commerce that the internet provides. This is inescapable and inherit in design; the system is more “for flexibility…than security.”[10] This needs to be made clear to consumers through a variety of medium. Yet creating a private domestic council that would maintain privacy and assist the FTC, as well as establishing an international committee, are crucial to regulating digital technology. Furthermore, neither of these would unduly infringe upon civil liberties, allowing us as law-abiding consumers to continue to express our individuality and creativity.

 

[1]  Johnson, David R. “Democracy in Cyberspace: Self Governing Netizens & a New, Global Form of Civic Virtue, Online.” The Next Digital Decade: Essays on the Future of the Internet. Berin Szoka and Adam Marcus. Washington D.C.: TechFreedom, 2010. http://www.nyu.edu/projects/nissenbaum/papers/The-Next-Digital-Decade-Essays-on-the-Future-of-the-Internet.pdf . Accessed May 2015.

[2]  Downes, Larry. “A Market Approach to Privacy Policy.” The Next Digital Decade: Essays on the Future of the Internet. Berin Szoka and Adam Marcus. Washington D.C.: TechFreedom, 2010. http://www.nyu.edu/projects/nissenbaum/papers/The-Next-Digital-Decade-Essays-on-the-Future-of-the-Internet.pdf , pg 515. Accessed May 2015.

All preceding information contained within the paragraph regarding the types of misuses of data are taken from the author cited.

[3] Federal Trade Commission, About the FTC, Our strategic goals, https://www.ftc.gov/about-ftc . Accessed May 2015.

[4]  “MapReduce”. Portal.acm.org. Retrieved 16 August 2009. http://en.wikipedia.org/wiki/Petabyte . Accessed May 2015

[5]  Pasquale, Frank. “Trusting (and Verifying) Online Intermediaries‘ Policing.” The Next Digital Decade: Essays on the Future of the Internet. Berin Szoka and Adam Marcus. Washington D.C.: TechFreedom, 2010. http://www.nyu.edu/projects/nissenbaum/papers/The-Next-Digital-Decade-Essays-on-the-Future-of-the-Internet.pdf , pg 348. Accessed May 2015.

[6]  Downes, Larry. “A Market Approach to Privacy Policy.” The Next Digital Decade: Essays on the Future of the Internet. Berin Szoka and Adam Marcus. Washington D.C.: TechFreedom, 2010. http://www.nyu.edu/projects/nissenbaum/papers/The-Next-Digital-Decade-Essays-on-the-Future-of-the-Internet.pdf , pg 524. Accessed May 2015.

[7]  Ibid, pg 523.

[8]  AOL/NCSA ONLINE SAFETY STUDY 2 (Dec. 2005), http://www.bc.edu/content/dam/files/offices/help/pdf/safety_study_2005.pdf

[9]  Pub.L. 93–579, 88 Stat. 1896, enacted December 31, 1974, 5 U.S.C. § 552a

[10]  Zitrrain, Johnathan. “Protecting the Internet Without Wrecking It: How to Meet the Security Threat.” The Next Digital Decade: Essays on the Future of the Internet. Berin Szoka and Adam Marcus. Washington D.C.: TechFreedom, 2010. http://www.nyu.edu/projects/nissenbaum/papers/The-Next-Digital-Decade-Essays-on-the-Future-of-the-Internet.pdf , pg 92. Accessed May 2015.