The Volokh Conspiracy

Occasionally, I see assertions that disclosing certain private information about someone — for instance, details of their sex lives, medical history, or financial affairs — would be tortious, even if the disclosure is in a private conversation. (See, for instance, this comment, and this dissent from a Supreme Court opinion.)

But generally speaking, the disclosure of private facts tort does not apply to such private disclosures. (Of course, the disclosure might in some cases be a breach of a professional duty, such as that of a lawyer, a doctor, or a psychotherapist, or a breach of nondisclosure agreement; but those are different matters.) As the Restatement (Second) of Torts § 652D puts it (emphasis added),

The form of invasion of the right of privacy covered in this Section depends upon publicity given to the private life of the individual.... “Publicity[]” ... means that the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge. The difference is not one of the means of communication, which may be oral, written or by any other means. It is one of a communication that reaches, or is sure to reach, the public.

Thus it is not an invasion of the right of privacy, within the rule stated in this Section, to communicate a fact concerning the plaintiff’s private life to a single person or even to a small group of persons. On the other hand, any publication in a newspaper or a magazine, even of small circulation, or in a handbill distributed to a large number of persons, or any broadcast over the radio, or statement made in an address to a large audience, is sufficient to give publicity within the meaning of the term as it is used in this Section. The distinction, in other words, is one between private and public communication.

Illustrations:
1. A, a creditor, writes a letter to the employer of B, his debtor, informing him that B owes the debt and will not pay it. This is not an invasion of B’s privacy under this Section.
2. A, a creditor, posts in the window of his shop, where it is read by those passing by on the street, a statement that B owes a debt to him and has not paid it. This is an invasion of B’s privacy.
3. A, a motion picture exhibitor, wishing to advertise a picture to be exhibited, writes letters to a thousand men in which he makes unprivileged and objectionable statements concerning the private life of B, an actress. This is an invasion of B’s privacy.

In this respect, the disclosure tort differs from defamation law — a false and defamatory statement to one person (even a friend or close family member) might be slanderous or libelous. But if the statement is true but reveals private and non-newsworthy information about a person, it is not a disclosure of private facts unless it “reaches, or is sure to reach, the public.”

Naturally, especially in this era of Facebook, that line can be quite mushy; for instance, when would a post on a Facebook page that is readable by 1000 “friends” qualify as something that “reaches, or is sure to reach, the public”? (Illustration 3 — which is based on a real case — doesn’t fully dispose of this, partly because it might be influenced by the fact that the letters are about a famous person and are thus especially likely to be further publicized, and partly because the letters were sent to total strangers, rather than just to friends or “friends.”) What about a page readable by 100 “friends”? Still, it’s clear that certain communications, such as conversations or even e-mails that are unlikely to be broadly forwarded, aren’t covered by the tort.

The matter might be different in a few states, if they have a statute or a court decision that departs from the Restatement approach (which itself is based on the decisions of past cases). I know of one such exception: In Rhode Island, a statute defining the disclosure tort requires not “publicity” but “publication,” and Rhode Island courts have held that this means communication to one other person suffices to trigger the tort. It’s possible, then, that in Rhode Island it might be actionable for one friend (or family member) to tell another true things about a third’s love life, medical problems, and the like. But in most states, this would not be so.

None of this is intended to endorse the propriety of the tort, which I have criticized on First Amendment grounds; I only mean to explain what the tort actually covers.

The Kindle Fire is a remarkable innovation in the Apple mold:  taking a bunch of components that are pretty well known and combining them into a powerful new experience.  But unlike Apple, Amazon’s integrating vision isn’t visual design or even user delight.  Instead it’s far more ambitious — a new vision of the entire Internet ecosystem.

OK, let me try that again without the Valley babble.  The Kindle Fire forks Android into an Amazon-designed and Amazon–controlled operating system.  So far, no surprises. Amazon owns and subsidizes the hardware, too, so it can design features that integrate operating system and processor tightly.  Again, nothing that Apple can’t do.  But then comes the clever, almost-new idea:  Fire uses its own browser, called Silk, which is designed to work with Amazon’s massive cloud computer. So instead of downloading web pages one after the other and opening them on your computer, Amazon’s cloud stores and even opens them, sending you the end result.  This allows speedier downloads for a couple of reasons:  Caching of popular pages (or even parts of pages) avoids download delays when the original source is overloaded; and Amazon’s cloud can handle even the most processor-intense pages instantaneously, far faster than your wheezing desktop machine.  In short, your Internet experience on the Fire ought to be lightning quick.

There’s another advantage to this new vision of what might be called the Bezosnet.  The Bezosnet ought to be a lot more secure.  One way that hackers compromise your machine is by getting you to go to malware infected sites.  Just visiting the site triggers routines that take over the visitor’s computer.  But if the routine runs, not on a visitor’s computer but in a virtual environment at Amazon’s data center, the attacker’s code isn’t likely to work.

In fact, it looks to me as though Amazon has a remarkable security opportunity here.  It controls the Fire hardware, the Fire operating system, and the Fire user’s internet connection. If a Fire tablet joins a botnet, Amazon will know immediately. It can quarantine the tablet and alert the owner.  Indeed, it can go further, performing diagnostics to figure out and remedy the security flaw the botnet exploited. If a Fire tablet starts sending beacons or massive encrypted data files to a Chinese controller site, Amazon can spot the pattern and alert the user or even block the transmissions.  No one else, not even Apple, maybe not even DoD, will have the same ability to drive security into all parts of the Internet ecosystem.

If Amazon exploits its security opportunity, this could be transformative for users. To take one example, most people are, or should be, wary about Internet financial transactions.  Small businesses that do electronic funds transfers are at enormous risk today.  Like consumers, their machines are easily compromised, but unlike consumers, their losses to hackers are not underwritten by the banks.  That’s costing them easily hundreds of millions of dollars a year. As small businesses come to appreciate the risk, Amazon has a chance to persuade them that a dirt-cheap Amazon Fire tablet is the only safe way to access their funds.

Competitively, that could put Amazon squarely in the stream of high-value Internet transactions.  Maybe it becomes a bank.  Maybe it forces Mastercard and Visa to give it a discount because fraud on Amazon-mediated transactions is lower. Maybe it takes on Google’s relationship with advertisers, since now Amazon has insight into information advertisers really want:  what are consumers actually buying and how much are they paying? Maybe it kills the prospects of ISPs and telcos hoping to transcend dumb pipe status and exploit their direct connection to consumers; that connection won’t be much use if Amazon controls and can encrypt the entire stream of communication.

For consumers, the Fire opens up a prospect of feudal security on the Internet.  We already know that we can’t protect our own machines from attack. For all the talk of insecurity in the cloud, it’s almost certainly more secure than the decentralized system we have now. To take one example, I have a lot more faith in Google’s ability to protect my gmail account than in the ability of my system administrator to do the same for my corporate account.  And I have more faith in Amazon’s ability to spot malware infested websites than in my ability to do the same, even with help from Google and antivirus software. Yes, you’re putting all your eggs in one basket, but you’re also hiring someone to guard that basket while you get on with life. Sooner or later, to get security, it looks as though we’re all going to have to pick a liege lord and shelter under his castle walls. And now Amazon has an chance to build the first string of forts and castles across the most desirable territory.

Of course, where there’s feudalism, there’s droit de seigneur. The price for security will be, probably must be, a loss of privacy, anonymity, and control to Amazon.  Right now, Amazon’s terms of service provide some contractual anonymity to users, but as a technical matter Amazon has total visibility into everything that happens on a Fire tablet.  That visibility is very likely necessary for security, and it is damn sure valuable for commercial purposes.  So it’s hard to imagine that it won’t be used for both purposes.

I can hear the privacy Luddites cranking up their outrage machinery now.  As usual, they’ll be a day late.  But they’ll also be a dollar short, at least if I’m right that the alternative to sheltering under Amazon’s walls is living out on the plains alone, at the mercy of marauders. No one will thank the data protection authority that saves us from Amazon by pushing us into the arms of the Russian Business Network. What the authorities can do is police Amazon’s terms of service and perhaps hold Amazon to any promises of security with tough new liability rules.  But, like Regulation Z, which declares that credit card fraud can’t cost US consumers more than $50, a rule imposing liability on Amazon for Internet security breaches could turn out to be an enormous market advantage (not to mention a tough barrier to entry for imitators).

All in all, then, the Fire Tablet is potentially a very big deal.  Too bad I’m too cheap to buy one.

(As always when I get into the details of security technology, I do so with considerable humility about my grasp of, well, actual technical details. This is technology poetry, not prose, and a first draft of the poetry at that. I welcome technical corrections. )

From Electronic Privacy Information Center v. United States Department of Homeland Security (D.C. Cir., decided this morning):

The Electronic Privacy Information Center (EPIC) and two individuals petition for review of a decision by the Transportation Security Administration to screen airline passengers by using advanced imaging technology instead of magnetometers. They argue this use of AIT violates various federal statutes and the Fourth Amendment to the Constitution of the United States and, in any event, should have been the subject of notice-andcomment rulemaking before being adopted. Although we are not persuaded by any of the statutory or constitutional arguments against the rule, we agree the TSA has not justified its failure to issue notice and solicit comments. We therefore grant the petition in part....

To sum up, first, we grant the petition for review insofar as it claims the TSA has not justified its failure to initiate notice-and-comment rulemaking before announcing it would use AIT scanners for primary screening. None of the exceptions urged by the TSA justifies its failure to give notice of and receive comment upon such a rule, which is legislative and not merely interpretive, procedural, or a general statement of policy. Second, we deny the petition with respect to the petitioners’ statutory arguments and their claim under the Fourth Amendment, except their claim under the [Religious Freedom Restoration Act], which we dismiss for lack of standing. Finally, due to the obvious need for the TSA to continue its airport security operations without interruption, we remand the rule to the TSA but do not vacate it, and instruct the agency promptly to proceed in a manner consistent with this opinion.

Thanks to Tom Ault for the pointer.

UPDATE: I see Orin is working on a post about the Fourth Amendment issues, which I expect will be up very shortly. Please limit comments in this post to the administrative law questions and the other non-Fourth-Amendment questions. Please save the Fourth Amendment comments for Orin’s post. Thanks!

I asked Prof. Sonja West (University of Georgia) whether she had some thoughts on the case, because she had written two articles that relate to the question: The Story of Me: The Underprotection of Autobiographical Speech and The Story of Us: Resolving the Face-Off between Autobiographical Speech and Information Privacy. She was kind enough to pass along the following; I’m not sure I would entirely agree with the line she proposes — having constitutional protection turn on the speaker’s motive in this situation strikes me as too likely to lead to error, and to undue deterrence of speech — but I wanted to pass along her views in any event:

Eugene’s post about Greg A. Fultz’s billboard lashing out at his ex-girlfriend for allegedly having an abortion hits on an important conflict between free speech and privacy — what should happen when someone speaks about his own life and, in doing so, reveals private information about someone else.

Assuming that Fultz was telling the truth about the abortion (a matter that appears to be under some dispute), the question becomes whether it matters that Fultz was talking about something that happened to him personally. In other words, should there be heightened First Amendment protection for truthful autobiographical speech?

It is easy to tweak the scenario here to see the difference the autobiographical interest can make. Imagine that instead of Fultz, the speaker was some other third party — a friend, a community member or a co-worker — who somehow learned about the abortion and decided to broadcast the information publicly. This is the scenario our laws are equipped to handle. We ask whether the information is true; whether it was communicated to enough people; whether the disclosure would be highly offensive to a reasonable person; and whether it is a matter of public interest. But we do not look at whether the speaker was talking about his own life experiences.

Now we can add back in the autobiographical interest. In this version (and I’m taking some liberties with the Fultz case here), the speaker is profoundly affected by the abortion of his unborn child. It fills him with emotions and becomes a pivotal moment in his life. He wishes to speak about it publicly both to inform others and because he finds it cathartic. Are these two cases are different? Unlike the third-party speaker, Fultz is talking about his own life not someone else’s — should that matter?

Continue reading ‘Prof. Sonja West on the “My Ex-Girlfriend Killed Our Baby” Billboard Case’ »

Greg A. Fultz put up a billboard showing himself holding what appears to be empty space, with the words “This Would Have Been A Picture Of My 2-month Old Baby If The Mother Had Decided To Not KILL Our Child!” and some endorsements (apparently later removed) from pro-life groups, including the words “PRO LIFE” and “RIGHT TO LIFE.” The billboard didn’t identify the man’s ex-girlfriend, but presumably some people who knew him and her would figure it out. (The billboard did at first say “Created for N.A.N.I. – National Association of Needed Information,” though that was later removed, and Nani is the ex-girlfriend’s name; but I take it that no-one would identify the girlfriend from that, unless they had already figured out her identity because they knew who the man was.)

Then, as the Alamogordo News reported on June 3:

An Otero County Domestic Violence Court hearing commissioner recommended ... an order of protection be granted to Nani Lawrence because Greg A. Fultz displayed a pro-life billboard about their relationship, which violated Lawrence’s right to privacy ... [and] recommended the billboard be taken down by 8:15 a.m. on June 16.

Twelfth Judicial District Judge James W. Counts is expected (today) to sign the order of protection and an order to remove the billboard located on White Sands Boulevard between First and Second streets. [Later press accounts say the order was indeed entered, though I've also heard a claim that the District Judge has not yet decided. -EV]

There are many interesting First Amendment questions, and factual questions, here. Factually, Fultz now says he doesn’t really know whether the ex-girlfriend had had an abortion or a miscarriage, because the girlfriend hadn’t told him; at the same time, press accounts suggest she was just arguing invasion of privacy and not libel, so perhaps his allegation is accurate after all. Legally, I suspect that a restraining order command the removal of a billboard — entered without a full trial on the merits — would be an unconstitutional prior restraint, even if the speech could be the subject of civil damages liability after the fact. I’ve also argued that the disclosure of private facts tort is generally unconstitutional, though that’s a minority view; and there’s also the question whether such statements about someone’s abortion are outside the disclosure tort because they’re a matter “of legitimate concern to the public,” since they are connected to the hotly debated topic of abortion. (That might seem to be a stretch, though for a case holding that the identification of a rape victim, based on the public concern about reports of crime, is a matter of legitimate public concern under the First Amendment, see Florida Star v. B.J.F.) And I don’t know whether substantive New Mexico restraining order law authorizes anti-”harassment” orders that bar speech about the complainant, rather than speech to the complainant.

But let me set all these aside, and focus on a different, and less obvious, matter: While the fact pattern here is highly unusual (who buys billboards for such personal matters?), there are closely analogous patterns that are quite routine.

To begin with, note that whether an ex-lover has aborted what would have been your child is just one of many highly personal matters about a relationship. If it’s covered by the disclosure of private facts tort, then so would be quite a few other facts: whether your ex cheated on you, whether you and your ex had had sex, whether you found your ex to be sexually satisfying, whether your ex was impotent, whether your ex left you because he or she is actually gay (or, if you’re gay, because he or she is actually straight), whether your ex has cancer, whether your ex gave you a sexually transmitted disease, and so on. Some of these might be seen as marginally less “private” than the question whether your ex had had an abortion, but I don’t think there’d be any real constitutional difference between the two, or difference with respect to the common-law boundaries of the disclosure tort (or of state law relating to protection orders).

And note also that people often discuss these things when discussing their own lives. People who write their autobiographies often talk about why their marriages or relationships broke up, why they were depressed for a particular period of their lives, how their exes’ behavior affected their own later personality and behavior, and more. And of course these days lots more people are “writing their autobiographies”: They’re just called Facebook pages, blogs, Twitter feeds, and the like. “Dumped my girlfriend ’cause I caught her cheating with my best friend.” “I have to tell the truth about this: I have HIV, because my ex-husband gave it to me.” “I’m crushed: My boyfriend, who I thought was going to ask me to marry me, told me he’s gay.” (The disclosure tort is generally seen as not applying to communications to “a single person or even to a small group of persons,” so perhaps if you have just a few Facebook friends, a Facebook post wouldn’t be potentially covered by the disclosure tort. But if you have hundreds of Facebook friends, the tort would likely apply, as it would if you’re publishing things on an open blog or similarly open social-media system.)

So what should the law be in these situations? Should it protect the privacy of your exes (or your former friends, your family members, your former coworkers, and whoever else you’re talking about), even if that means that you can’t tell your life story, either in a traditional autobiography or in its modern running equivalents? Should the law allow you to discuss your personal life, even if in the process people will learn personal details about the lives of others, and will learn them even if you omit the others’ names (as in the billboard incident)? Or should the law focus on your supposed motive, and distinguish supposedly good-faith attempts to tell your life story, either in retrospect or as it happens, from supposed attempts to humiliate people you think have wronged you — and, if so, how can the law reliably and predictably do this, whether with the traditional autobiography or with Facebook or blog posts?

I’m inclined to say that you should indeed have the right to discuss your life, even if you reveal information about others in the process; but, as I mentioned, I generally disapprove of the disclosure tort, so that’s an easy matter for me. I raise the autobiography / Facebook running autobiography examples because I think they might be interesting for people who are more open to the disclosure tort, but who also are open to people’s rights to talk about their own lives.

Finally, here are three relatively recent cases on the subject (for a case that reaches the opposite result, but before modern First Amendment law developed, see Cason v. Baskin (Fla. 1944)).

Continue reading ‘When Facts About Another’s Life Are Also Facts About Your Life’ »

A trial court in New Jersey said it could be, but the New Jersey Supreme Court has said no:

During a primary contest for State Senate, opponents of candidate Brian Stack issued campaign flyers criticizing him for previously hiring a person with a criminal conviction, plaintiff G.D. One campaign flyer stated that G.D. was “a DRUG DEALER who went to JAIL for FIVE YEARS for selling coke near a public school.” G.D. filed a lawsuit alleging defamation, violation of privacy, and other related torts, and named as defendants the Hudson County Democratic Organization and certain individuals, as the purported authors and distributors of the flyers. Defendants assert truth as a defense. G.D. had been convicted of second-degree possession with intent to distribute cocaine and sentenced to a five-year prison term. Thirteen years later, he successfully petitioned for the expungement of his criminal record. Defendants reason that G.D.’s conviction was a public fact maintained as a public record long before the expungement and that the publication of that fact during a political campaign was a legitimate exercise of their free-speech rights and did not violate G.D.’s reasonable expectation of privacy.

G.D. counters that the record of his conviction was expunged and, therefore, his conviction — as a matter of law — is deemed not to have occurred. G.D. submits that, after the expungement of his record, the pronouncement that he was
convicted of a crime was simply false and the dissemination of the expunged information violated his privacy rights....

It is true that under the expungement statute, as a matter of law, an expunged conviction is “deemed not to have occurred,” N.J.S.A. 2C:52-27. But the expungement statute does not transmute a once-true fact into a falsehood. It does not require the excision of records from the historical archives of newspapers or bound volumes of reported decisions or a personal diary. It cannot banish memories. It is not intended to create an Orwellian scheme whereby previously public information — long maintained in official records — now becomes beyond the reach of public discourse on penalty of a defamation action. Although our expungement statute generally permits a person whose record has been expunged to misrepresent his past, it does not alter the metaphysical truth of his past, nor does it impose a regime of silence on those who know the truth.

Sounds exactly right to me. I’m also pleased that the New Jersey Supreme Court rejected the argument — also made in an amicus brief by the Electronic Privacy Information Center — that publicizing people’s now-expunged criminal convictions is tortious under the “disclosure of private facts” tort. “This case,” the court reasoned, “deals with public acts, a guilty plea and sentence in a public courtroom, and public facts, court records available to the public over many years. We hold that the expungement order did not and could not create a reasonable expectation of privacy in matters so long in the public domain.”

I blogged a year ago about the intermediate appellate court’s decision in this case.

So the Supreme Court unanimously held today in NASA v. Nelson, reversing a contrary Ninth Circuit panel opinion. I think the Court’s result is quite right, for reasons I blogged about earlier; I hope to post more on the reasoning soon.

UPDATE: Here’s a quick summary of the Court’s conclusions:

1. The Court “assume[d], without deciding, that the Constitution protects a privacy right of the sort mentioned in Whalen v. Roe (1977) and Nixon v. Administrator of General Services (1977),” which is to say a right to “avoid[] disclosure of personal matters.”

2. But this right, if it exists, “does not prevent the Government from asking reasonable questions of the sort included on SF–85 and Form 42 in an employment background investigation that is subject to the [federal] Privacy Act.” Among other things, The questions at issue asked contractors and employees about their recent drug use and drug treatment, and asked the contractors’ or employees’ references open-ended questions about the contractor’s or employee’s “honesty or trustworthiness,” “violations of the law,” “financial integrity,” “abuse of alcohol and/or drugs,” “mental or emotional stability,” “general behavior or conduct,” or “other matters.”

3. The court did not announce a general test for deciding which inquiries are permissible and which aren’t, but pointed to several factors in holding that these inquiries were permissible:

a. “[T]he Government has a much freer hand in dealing ‘with citizen employees [and contractors] than it does when it brings its sovereign power to bear on citizens at large.’”

b. The questions were “reasonable” and sufficiently “employment-related.”

c. The government has long engaged in inquiries of this sort, and private employers engage in them as well.

d. The information gathered would generally be kept sufficiently confidential, given the restrictions created by the federal Privacy Act on dissemination of employee and contractor information.

It seems to me that the Court was quite right on these facts, for reasons I discussed in earlier posts. But I should note that the Court’s analysis leaves lower courts and other government officials rather at sea about what sorts of questioning about private matters — whether directed to the target of the investigation, or to others — is constitutionally permissible, not just in the employment context, but in the context of criminal investigations, investigations triggered by license applications, and so on.

From Tagouma v. Investigative Consultant Servs., Inc.:

On April 8, 2004, [Appellant, Ahmed, Tagouma] fell at work while employed at Arnold Industries. He suffered an acute fracture of his right hand. [Appellant] was later diagnosed with Reflex Sympathetic Dystrophy Syndrome (RSD). [Appellant] sought workers’ compensation benefits and Arnold Logistics contested his claim. While the claim was pending, the workers’ compensation carrier, Sentry Insurance, retained [Appellee, Investigative Consultant Services, Inc.,] to perform surveillance on [Appellant]. [Michael S. Zeigler], an investigator with ICS, was assigned to conduct the surveillance.

[Appellant], currently 53 years old, is a[ ] Moroccan immigrant and a Muslim who worshipped at the Al-Hikmeh Institute, which is housed on the first floor of [the] Islamic Center of PA, located at 4704 Carlisle Pike, Mechanicsburg....

According to [ ] Zeigler, on April 7, 2005, at approximately 9:10 p.m., he parked in front of the three-store strip mall in a public lot, though at the time he parked there, all three businesses were closed. Zeigler observed [Appellant] from across Carlisle Pike as [Appellant] stood inside in the Al-Hikmeh portion [of] The Islamic Center near a window on the building’s north side. Zeigler was between 79 and 80 yards away from The Islamic Center windows. [ ] Zeigler videotaped [Appellant] for 45 minutes with a Sony 8 mm video camera and used the camera’s zoom feature.

Continue reading ‘No “Intrusion Upon Seclusion” Tort When Person is Videotaped at a Publicly Visible Religious Service’ »

It’s Ostergren v. Cuccinelli (4th Cir. July 26). I’m on a trip with my son and can’t blog much this week, and the case is complex enough that I can’t quickly summarize it, though the short answer is that the speaker won. But if you’re interested in free speech vs. information privacy questions, you should check it out. Here’s the opening paragraph:

This appeal arises from a First Amendment challenge to Virginia’s Personal Information Privacy Act, Va. Code §§ 59.1-442 to -444. Section 59.1-443.2 prohibits “[i]ntentionally communicat[ing] another individual’s social security number to the general public.” The district court found this section unconstitutional as applied to an advocacy website that criticized Virginia’s release of private information and showed publicly available Virginia land records containing unredacted Social Security numbers (“SSNs”). Later, the court entered a permanent injunction barring Virginia from punishing the republication of “publicly obtainable documents containing unredacted SSNs of Virginia legislators, Virginia Executive Officers or Clerks of Court as part as [sic] an effort to reform Virginia law and practice respecting the publication of SSNs online.” Both decisions are challenged on appeal. For the reasons that follow, we affirm in part and reverse in part.

There’s a Washington Post article summarizing the case.

It’s been a pleasure to blog this week.  I hope you’ve enjoyed this conversation and I’d love to continue it.  If you’re interested in reading more, check out our book, Wild West 2.0.  It is the most-discussed Internet policy book of 2010 (Jimmy Wales called it “an invaluable guide” to the “brave new world of the Internet”) and it sold out Amazon.com once already.  Or, contact me directly through my site at davidcthompson.com.  Thanks again to Eugene and the whole Volokh Conspiracy for inviting me to participate this week.

This week, we’ve discussed the “Wild West 2.0” metaphor for the Internet.  Today, I’m going to present a few quick ideas that didn’t make it into this week’s posts.   I don’t have enough space to flesh them all out, but I hope to provoke some thoughts and discussions that will continue beyond this week.

What will widespread surveillance and facial recognition do to privacy?

It’s always been the law in the U.S. that images you take in public are yours to use non-commercially.  There are a few exceptions around security, peeping Toms, and so-called “upskirt” photography, but basically you can take a photo from any public place and make any non-commercial use of it.

There are good reasons for this policy, ranging from a basic respect for the free press and free expression, to the First Amendment.

But, today, facial recognition is quickly becoming available on a wide scale.  For just one example, an application called Face.com allows Facebook users to use photo recognition to find their friends in photos (even if they have not been tagged, or if they have removed their tag).  Using the tool, it’s often possible to find hundreds of untagged photos of your friends (or yourself) posted by other people.

The Face.com developers just released an API (programming interface) to allow other websites to use the same technology.  So far, Face.com has restricted use of the technology to known faces, but nothing technological prevents them from using their database of hundreds of millions of Facebook photos to identify millions of people in public photos.

The results of just one company unleashing photo recognition on the Internet could be huge.  There are more than 3 billion photos on the site Flickr.com  , and billions more in the unstructured Web, on sites like Facebook, and in automated surveillance systems (every time you walk past a security camera, imagine your name being logged).

The figures above don’t even count the fact that some forms of advocacy corporate surveillance would increase in a world with easy facial recognition.  Why would anti-abortion groups not photograph every person who walks into an abortion clinic, use facial recognition to identify them, and use public name-and-address databases (see below) to target mailings (or harassment) to each person’s home?  Why would anti-gay advocates not do the same for people who frequent gay bars, or liberals target “Tea Party” activists, or statists target libertarians, etc?  Or insurance companies outside bars to monitor drinking and driving, smoking, or any other risk factor that could increase rates?

What does this mean for privacy?   If the freedom to take and post photos cannot or should not be changed, should there be regulation of the uses of facial recognition software?  Should it be a privacy tort to publicly identify private citizens by name if they are walking into an abortion clinic, a gay bar, a Tea Party rally, a divorce lawyer’s office, a police station (to “snitch”), or a substance abuse treatment facility?  What does it mean when Google indexes a list of these names and it comes up first for a search for your name?  How will it affect job prospects, inter-personal relations, and more?

Will we all just get over it and not care that our friends are getting abortions or divorces?  Will anti-gay groups get over the fact that some people visit gay bars?  Will political opponents stop harassing each other?   I hope so, but my hopes are dim.

The end result might be that we all wear low-fitting baseball caps each day, or the aptly-named “FlickrBlockrs” sunglasses that started as an art project but might fill a real need.   But should individuals have to proactively monitor their public image so fiercely?  (Read more about our ideas for privacy in the book, Wild West 2.0.)

Will the future allow a binary public/private distinction?

Right now, the law generally recognizes facts as “public” or “private” with very little gray area in between.  This has caused problems in the Fourth Amendment context, where seemingly-private facts (like your bank account information) are not considered “private” for Fourth Amendment purposes (thanks to the “third party doctrine,” the government simply ask your bank; many scholars find this doctrine problematic).

The Internet sharpened this problem by making “public-but-obscure” facts readily available online.  Privacy interests were often supported by practical obscurity; a court may have a list of all cases and convictions, but very few people bothered to trudge to the courthouse to find out.  The county clerk’s office may have a hardcopy list of home owners and their property values, but nobody actually checks.

But online, these records are being rapidly digitized and made searchable.  And because they are all “public” information for privacy purposes, there is currently no restriction on how the information can be displayed.  So far, no case of which I am aware has held that online “white pages” or “dossier” sites (like Spokeo.com, WhitePages.com, Intelius.com, and many others) cannot create a dossier of private-seeming information like your income, hobbies, credit score, home address, phone number, political contributions, and more—just so long as each data point was drawn from a “public” source.

The result of the end of practical obscurity has turned a lot of privacy upside-down.  Criminals now routinely use public records databases for identity theft purposes (itself illegal, but hard to catch), to stalk their victims at home (same), and to identify candidates for burglary or other attacks.  Millions of people (below) now casually flip through their neighbors’ dirty laundry online, ranging from bankruptcy filings to property records to divorce records.  Maybe this information has always been “public,” but it was never so readily available.

Will the law continue to recognize only “public” and “private” information?  Or will it develop shades of gray to recognize that obscurity can protect privacy while allowing “legitimate” uses.  Scholars have discussed ways to limit data like property records to their original purpose (making sure property taxes are apportioned fairly) by encouraging states to strip names from the data before publication; of course, this works only if there are no other records that correlate names to addresses.  Will that be enough?  Or is it a good thing that all these facts are public?

Does the Law Recognize the 300 Million Little Brothers Problem?

The section above should suggest it, but her it is expressly: we no longer live in a nation of Big Brother; we live in a nation of 300 million Little Brothers.

Much of our law is based around fear of surveillance by the government (Big Brother).  The Fourth Amendment is the easiest example; it is based around a fear of an overly intrusive government acting in its role as sovereign.  Statutory law like the Electronic Communications Privacy Act also seeks to protect individual privacy against the government.  And laws like the Stored Communications Act and HIPPA prohibit corporations from revealing certain information about you.

But now an equally real risk is 300 million Little Brothers.  We’ve moved from the Panopticon—where the guards can see everything—to a suburb of glass houses where everyone can see each other.  This is a powerful development for politics (we can now watch the watchers), but it has changed inter-personal privacy as well.  What laws (if any) should be updated to reflect this new reality?  Or should we all just get used to living in public–to quote Google CEO Eric Schmidt “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.“  The power of the Internet is increasingly moving toward making sure that everybody knows what everybody does.  Is this the right direction?

David Thompson is co-author of the leading Internet policy book of 2010, Wild West 2.0 (Amazon) and general counsel of ReputationDefender, Inc.. The standard disclaimer applies: the views represented here are his alone and not those of any current or former employer.

For more about the essay (for an online symposium), see here; to read the full 9 pages, see here. This week, I’m posting (and combining using the Snyder v. Phelps tag) some passages: Earlier, I blogged about Hustler v. Falwell and why it applies here, as well as about the arguments that the liability in Snyder is akin to a time, place, and manner speech restriction, justified by the proximity of the speech to a funeral, that the liability is justified because the Phelps’ speech interfered with Snyder’s own religious freedom, and that the liability is justified because the Snyders are private figures. Today I close by blogging about the invasion of privacy tort claim.

The Snyder v. Phelps jury held defendants liable not just for intentional infliction of emotional distress, but also for invasion of privacy. It seems unlikely that the Court will consider the invasion of privacy claim, because it doesn’t seem to be within the scope of the questions presented by the certiorari petition. Nonetheless, I thought I’d briefly speak about it here.

“Invasion of privacy” covers several torts, but only one led to liability in Snyder: “intrusion upon seclusion.” The intrusion upon seclusion tort generally focuses on conduct that is offensive regardless of the message it expresses, or even whether it expresses a message at all. The Restatement of Torts illustrations are entering a patient’s hospital room to take a photograph over the patient’s objection, photographing through someone’s bedroom window through a telescope, tapping someone’s phone, getting someone’s bank records using a forged court order, and calling someone every day for a month at inconvenient times. The tort is constitutionally sound precisely because it focuses on physical conduct, not communication.

Here, though, the intrusion stemmed not just from the proximity of the picketing to the funeral, but also from the message of the picketing. There must have been a good deal of speech within 1000 feet of the church at which the funeral service was being conducted, and surely one wouldn’t call all of it “highly offensive intrusion upon seclusion.”

Continue reading ‘Short Essay on Snyder v. Phelps, Part V: The Intrusion Upon Seclusion Tort’ »

The comment thread in my “down the memory hole” speech restrictions post reminded me of what I wrote ten years ago about the California Supreme Court’s 1971 decision in Briscoe v. Reader’s Digest (which has since been overruled, based on intervening Supreme Court First Amendment precedent). Here’s my criticism of Briscoe (some paragraph breaks added, and some punctuation adjusted):

[R]evealing Briscoe’s identity eleven years after his crime, the court said, served no “public purpose” and was not “of legitimate public interest”; there was no “reason whatsoever” for it. The plaintiff was “rehabilitated” and had “paid his debt to society.” “[W]e, as right-thinking members of society, should permit him to continue in the path of rectitude rather than throw him back into a life of shame or crime” by revealing his past.

“Ideally, [Briscoe's] neighbors should recognize his present worth and forget his past life of shame. But men are not so divine as to forgive the past trespasses of others, and plaintiff therefore endeavored to reveal as little as possible of his past life.” And to assist Briscoe in what the court apparently thought was a worthy effort at concealment, the law may bar people from saying things that would interfere with Briscoe’s plans.

Judges are of course entitled to have their own views about which things “right-thinking members of society” should “recognize” and which they should forget. But it seems to me that under the First Amendment members of society have a constitutional right to think things through in their own ways.

Continue reading ‘Speech Restrictions Aimed at Making Sure People Act in “Right-Thinking” Ways’ »

In an amicus brief EPIC just filed in G.D. v. Kenny — a case pending before the New Jersey Supreme Court — EPIC argues that convicted criminals should be able to sue for “disclosure of private facts” when others accurately report on the criminal conviction, so long as the state court system decided to retroactively expunge that conviction. (See here for my earlier post on a different issue in the case.)

Other parts of the EPIC brief argue that revealing the fact of a conviction without revealing that it was expunged might properly constitute false light invasion of privacy. I don’t think this is right, at least if the expungement is not based on a finding of actual innocence, since the important factual assertion underlying the revelation — which is that someone did something criminal — remains correct, and puts the person in a true light, not a false light. But that’s a separate matter.

Here, I want to point to EPIC’s argument that “‘truth’ is not a defense to privacy torts,” and in particular that “the appellate court should not have terminated [plaintiff's] ... public disclosure of private facts claim[] once it dismissed the defamation claim. Invasion of privacy remains an issue of fact for the jury.”

Continue reading ‘“Down the Memory Hole” Speech Restrictions, Supported by the Electronic Privacy Information Center (EPIC)’ »

[UPDATE: Note the change in the legal analysis below.]

The Complaint is available here; it claims that the newspaper’s identifying Judge Shirley Strickland Saffold as the supposed author of items posted under the “lawmiss” account breached the newspaper’s Privacy Policy. A bit of background, from a WKYC story:

A comment by an Internet poster identified only as “lawmiss” on cleveland.com concerning the mental state of a relative of a Plain Dealer reporter was removed for violating the site’s policy against personal attacks.

The Plain Dealer reported March 22 that the online editor looked into who “lawmiss” was, and linked the “lawmiss” anonymous comments to Judge Saffold’s personal e-mail account.

Subsequent articles in the Plain Dealer noted that further investigation showed several “lawmiss” posts about an attorney....

[UPDATE: Whoops, I'd planned to include some more information, but neglected to; here it is:] The posts related to some of the cases decided by the judge herself.

A UPI story reports that the the judge and her attorney “claim any comments from a user going by the name ‘lawmiss’ connected to cases involving the judge were most likely left by the judge’s 23-year-old daughter Sydney, an aspiring law student,” though there is of course controversy about that.

Here’s my thinking: If the policy is seen as a binding promise on the newspaper’s part not to reveal commenters’ names, there’s no First Amendment problem with awarding damages for breach of that promise, even when the publication is on a matter of public concern and about a public figure. See Cohen v. Cowles Media (1991).

And it seems to me that the policy indeed promises not to disclose commenters’ identities, except in the ways that are specifically mentioned. The policy is described as involving “terms and conditions” that the user is said to “agree to” by using the Web site; that suggests that the newspaper is making binding promises there.

Nor do any of the exceptions seem to apply here. In particular, the statement that “In addition, we reserve the right to use the information we collect about your computer, which may at times be able to identify you, for any lawful business purpose, including without limitation to help diagnose problems with our servers, to gather broad demographic information, and to otherwise administer our Website” (emphasis added), doesn’t seem to cover the publication of the name of the commenter (as opposed to information about the computer). This is especially so because reading the exception as covering all revelation of information for a “lawful business purpose” would essentially undo all the privacy protection that the rest of the policy provides.

UPDATE: On the other hand, as some commenters pointed out, the User Agreement, which is as binding as the Privacy Policy, provides, “You hereby agree to release service provider, its affiliates and third-party service providers, and each of their respective directors, officers, employees, and agents from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, suspected and unsuspected, disclosed and undisclosed ..., arising out of or in any way connected with your use of this site.” So it might be that this makes the Privacy Policy entirely unenforceable, if courts are willing to accept the user agreement as the all-encompassing waiver of any right to make any claims under any agreements that it seems to be.

But have a look at the policy yourself, and see what you think. An interesting “it’s a small world” item: Ted Diadiun, the Reader’s Representative at the Cleveland Plain Dealer (which is the defendant in this case), was a codefendant in Milkovich v. Lorain Journal, the 1990 Supreme Court libel case.

Details here, regarding the 2000 case NRA v. Reno, and Judge Garland’s refusal to require the Clinton Department of Justice to obey the federal statute requiring the destruction of records of firearms purchases by law-abiding Americans. The decision also suggests a cavalier disregard for privacy rights in general, such as the right not to be put on a government list simply because one engaged in a lawful activity.