Tag: Internet Service Providers

Phone Numbers, E-Mail Addresses, and Metaphor Wars

The law normally advances by small and cautious steps—by the gradual extension of established precedents and rules to novel problems and fact patterns. Little wonder, then, that tricky questions of law often amount to conflicts between competing metaphors. Is a hard drive like a closed briefcase whose contents are all fair game for police once the “container” is legitimately opened? Or is it more like a warehouse containing hundreds or thousands of individual closed containers? If the latter, what are the “containers”? Directories? Individual files?

A similar metaphor war figures in the FBI’s effort to expand its authority to acquire information from Internet Service Providers using National Security Letters, which are issued by agents without judicial oversight, and typically forbid providers from disclosing anything about the demand for records. The Bureau had long assumed that the NSL statutes gave them broad authority to get “electronic communications transaction records”—information about your online communications, though not the contents of the communications themselves—as long as they certified that those records would be “relevant” to a national security investigation, a far lower standard than the Fourth Amendment’s “probable cause.” But in a 2008 opinion, the Bush administration’s Office of Legal Counsel rejected this interpretation, finding that NSLs could only be used to obtain the particular types of records specified in the statute, including “toll billing records.” For Internet accounts, this meant the FBI could only get “information parallel to… toll billing records for ordinary telephone service.”

The obvious question is what, exactly, constitutes information “parallel to” a toll billing record in the online context. The FBI would prefer to resolve the ambiguity by simply amending the law to give them blanket authority to acquire transaction records. In particular, according to The Washington Post, government lawyers think they can obtain “the addresses to which an Internet user sends e-mail; the times and dates e-mail was sent and received; and possibly a user’s browser history.” On its face, this sounds like a reasonable reading. An important 1979 Supreme Court case, Smith v. Maryland, held that the information contained in telephone “toll billing records”—the itemized list of calls placed and received you’d find on a standard phone bill—didn’t enjoy Fourth Amendment protection, and so unlike the contents of phone conversations themselves, could be obtained by the government without a full probable cause warrant. Surely the obvious equivalent in the online context is the list of e-mail addresses in an Internet user’s inbox and outbox? At a second glance, though, there are some problems with that metaphor, of two central kinds.

First, there’s a problem with the formal analogy. The Court in Smith supported their finding of a diminished privacy interest in toll billing records on numerous grounds.  For one, the Court noted that because one’s itemized phone bill did contain these numbers, no reasonable person could be unaware that this information was “exposed” to employees of the phone company and retained as a matter of course among the company’s business records. Of course, it’s now increasingly common for phone companies to charge a flat rate rather than billing by individual calls, and so the legislative history of the NSL statutes makes clear that by “toll billing records” they mean information that could be used to assess a charge, even if a company happened not to charge that way.

The analogy gets pretty strained when we come to Internet services, though. At the time the laws in question here were written, ISPs almost universally charged people for the amount of time they were connected, not by the number of individual e-mails sent. Now it’s much more common to simply play a flat monthly fee for broadband connection, though you also sometimes see plans where there’s a charge by the megabyte above a certain threshold of bandwidth usage. Your ISP, of course has technical access to the list of e-mail addresses you’ve communicated with—just as they have the ability to access the e-mails themselves—but no major service, as far as I know, has ever actually kept this list as a separate billing record.

But maybe that’s not the right way to apply the metaphor. Maybe what’s important is whether those to/from e-mail records are substantively “parallel to” the kind of information you’d traditionally find in telephone toll billing records. As the Smith Court observed, a list of phone numbers was far less revealing and sensitive than the actual conversation—it revealed nothing of the “purport” of the communication itself, or even who was on the call. But as soon as we start to think more carefully about how we actually use e-mail in the real world, it becomes clear that the analogy is far from perfect.

One thing lots of people do with e-mail, after all, is participate in mailing lists and discussion groups.  Records of this sort, then, are likely to reveal the membership in potentially controversial social, political, or religious groups—and the Supreme Court has also found that such membership lists enjoy First Amendment protection as a component of freedom of association. But they’d also reveal much more than that. The closest telephone analogue to a mailing list discussion is probable a conference call.  An investigator who obtained toll billing records for such a call would, at most, have learned that a certain number of people called in for a certain amount of time; they’d learn nothing about who spoke in response to whom, or how much, and who remained silent.  Someone getting  e-mail transaction records would have a much more detailed picture of who was vocal and who was silent, the order and frequency with which participants spoke, and so on. And more generally, people in practice do not use e-mail like traditional letters: They tend to have exchanges in which each individual e-mail is more like a piece of the longer conversation.

There are also many common uses of e-mail that don’t really have close analogies in the telephonic context.  If I make a purchase from Amazon, win an Ebay auction,  make an OpenTable restaurant reservation, register for a conference at a local think tank, or place a Craigslist ad, that will typically generate an automatic confirmation e-mail from the site, and the e-mail address from which the site comes will often reveal something about the nature of the transaction. (My inbox has messages from auto-confirm, order-update, ship-confirm, and  store-news @amazon.com—inherently more revealing than the mere fact that I called some mail-order vendor.) It’s not a particularly big deal in those cases, but such e-mails could also reveal that I had opened or closed or modified an account at a particular politically, sexually, or religiously oriented Web site, or subscribed to a specific publication.

For an example of just how sensitive and revealing such task-specific e-mail addresses can be, consider Craigslist in particular. The site—which for those who haven’t used it is the vast online equivalent of the newspaper’s classified section—generates an individual anonymized e-mail addresses for each ad placed, so that users don’t have to expose their own contact information to the world. Yet while this provides anonymity against the general public, it also makes those mere e-mail addresses much more revealing to the government agent who obtains transaction records. That’s because each ad can be linked to a particular e-mail address, so if you’ve sent a message to pers-1234567-ABCD [at] craigslist [dot] com, the government may not know exactly who you’ve written, but they can determine why you’re writing: To respond to an ad offering a handgun for sale, say, or one soliciting a foot fetishist for a “casual encounter.”

The point is not just that investigators shouldn’t be able to get e-mail transaction records without a probable cause warrant—though I happen to think that would be a reasonable standard. It’s that metaphors can mislead us: We need to look past the easy equivalencies between new technologies and more traditional forms of communication, and drill down to see the full range of privacy interests implicated given the real-world practices of ordinary people who use those technologies.

On Net Neutrality Regulation: Suppose Free Press Called a Crisis and Nobody Noticed?…

In the wake of today’s ruling in the D.C. Circuit that the FCC had exceeded its authority in attempting to regulate access to the Internet, I did a number of radio interviews and a radio debate with Derek Turner of Free Press, a leading advocate of Internet regulation.

The debate was a brief, fair exchange of views. I was struck, though, to hear Turner refer to the situation as a “crisis.” Sure enough, in a Free Press release, Turner says three times that the ruling creates a “crisis.” 

Recall that in 2007 Comcast degraded the service it provided to a tiny group of customers using a bandwidth-hogging protocol called BitTorrent. Recall also that before the FCC acted, Comcast had stopped doing this, relenting to customer complaints, negative attention in news stories, and such. 

In the wake of the D.C. Circuit ruling and the crisis it has created, Internet users can expect the following changes to their Internet service: None.

Wow. With crises like these, who needs tranquility?

“As a result of this decision, the FCC has virtually no power to stop Comcast from blocking Web sites,” the release intones.

That would be worrisome, though still not quite a crisis—except that Comcast would be undercutting its own business by doing that. Did you know also that no federal regulation bars people from burning their furniture in the backyard? That’s the same kind of problem.

As Tim Lee points out in his paper, “The Durable Internet,” consumer pressures are likely in almost all cases to rein in undesirable ISP practices. Computer scientist Lee presents examples of how ownership of communications platforms does not imply control. If an ISP persists in maintaining a harmful practice contrary to consumer demand—and consumers can’t express their desires by switching to another service—we can talk then. The focus should be on increasing competition by freeing up spectrum and removing regulatory barriers.

In the meantime, this “crisis” has me slightly drowsy and eager to go outside and enjoy the spring sunshine.

Big Teacher Is Watching

Researching government invasions of privacy all day, I come across my fair share of incredibly creepy stories, but this one may just take the cake.  A lawsuit alleges that the Lower Merion School District in suburban Pennsylvania used laptops issued to each student to spy on the kids at home by remotely and surreptitiously activating the webcam built into the bezel of each one. The horrified parents of one student apparently learned about this capability when their son was called in to the assistant principal’s office and accused of “inappropriate behavior while at home.” The evidence? A still photograph taken by the laptop camera in the student’s home.

I’ll admit, at first I was somewhat skeptical—if only because this kind of spying is in such flagrant violation of so many statutes that I thought surely one of the dozens of people involved in setting it up would have piped up and said: “You know, we could all go to jail for this.” But then one of the commenters over at Boing Boing reminded me that I’d seen something like this before, in a clip from Frontline documentary about the use of technology in one Bronx school.  Scroll ahead to 4:37 and you’ll see a school administrator explain how he can monitor what the kids are up to on their laptops in class. When he sees students using the built-in Photo Booth software to check their hair instead of paying attention, he remotely triggers it to snap a picture, then laughs as the kids realize they’re under observation and scurry back to approved activities.

I’ll admit, when I first saw that documentary—it aired this past summer—that scene didn’t especially jump out at me. The kids were, after all, in class, where we expect them to be under the teacher’s watchful eye most of the time anyway. The now obvious question, of course, is: What prevents someone from activating precisely the same monitoring software when the kids take the laptops home, provided they’re still connected to the Internet?  Still more chilling: What use is being made of these capabilities by administrators who know better than to disclose their extracurricular surveillance to the students?  Are we confident that none of these schools employ anyone who might succumb to the temptation to check in on teenagers getting out of the shower in the morning? How would we ever know?

I dwell on this because it’s a powerful illustration of a more general point that can’t be made often enough about surveillance: Architecture is everything. The monitoring software on these laptops was installed with an arguably legitimate educational purpose, but once the architecture of surveillance is in place, abuse becomes practically inevitable.  Imagine that, instead of being allowed to install a bug in someone’s home after obtaining a warrant, the government placed bugs in all homes—promising to activate them only pursuant to a judicial order.  Even if we assume the promise were always kept and the system were unhackable—both wildly implausible suppositions—the amount of surveillance would surely spike, because the ease of resorting to it would be much greater even if the formal legal prerequisites remained the same. And, of course, the existence of the mics would have a psychological effect of making surveillance seem like a default.

You can see this effect in law enforcement demands for data retention laws, which would require Internet Service Providers to keep at least customer transactional logs for a period of years. In face-to-face interactions, of course, our default assumption is that no record at all exists of the great majority of our conversations. Law enforcement accepts this as a fact of nature. But with digital communication, the default is that just about every activity creates a record of some sort, and so police come to see it as outrageous that a potentially useful piece of evidence might be deleted.

Unfortunately, we tend to discuss surveillance in myopically narrow terms.  Should the government be able to listen in on the phone conversations of known terrorists? To pose the question is to answer it. What kind of technological architecture is required to reliably sweep up all the communications an intelligence agency might want—for perfectly legitimate reasons—and what kind of institutional incentives and inertia does that architecture create? A far more complicated question—and one likely to seem too abstract to bother about for legislators focused on the threat of the week.

Consumer Protection for Intellectuals

Nate Anderson at Ars Technica has a good write-up of the New America Foundation’s interesting proposal for labeling of broadband services, something akin to the nutrition labels we have for food.

Labeling and disclosure are better than direct regulation of the terms on which goods and services can be sold, of course. Labeling does not presume to decide unalterably what factors are or will be the most salient to consumers. But it does seek to channel those interests, and it does presume that consumers discover information that is important to them via labels. (I dealt with some of these concepts in my recent post about privacy notices.)

What labeling is really about, I believe, is pushing consumers to focus on the terms that intellectuals believe are most interesting. Smart people’s interests often match up with everyone else’s, but not always. Anderson’s write-up wonders aloud “whether requiring disclosure of the ‘maximum round-trip latency to border router’ will do more than induce eye glaze among most broadband users.”

I want my ISP to give me a live tech-support person that can solve the problem with my wifi router, but that didn’t make it into New America’s labeling plan. Any labeling plan will likely be either overinclusive or underinclusive or both, obscuring and omitting the most relevant information.

Yes, labeling is “market-friendlier” than regulation dictating what broadband providers can and can’t offer. But if we believe that markets discover the dimensions of goods and services that are salient to consumers, we can also believe that markets discover what information consumers want, and how they best learn it.

Many years ago, I spoke to a panel of regulators about a financial privacy “short notice” project that — heck — may still be going on. I passed around a small package from which I had eaten baby carrots the previous day. Along with a nutrition label, it had a picture of a cornucopia spilling forth vegetables and fruits, with the legend “Five a Day!” This, I suggested, communicates more salient information to consumers than nutrition labels: eat more fruits and vegetables. “But I use nutrition labels,” countered a well-meaning regulator, extrapolating from her own experience to that of all Americans.

Commerce is alive with trade names, trademarks, symbols, messages, notices, and signals about the content, quality, and desirability of goods and services. Consumers get much more relevant, actionable information this way, I think, than through mandated labels.

They do not intellectualize about these things, but that’s fine. Time is scarce, and it’s not worth it for people to intellectualize about the details of most purchases. Those who do, and those who talk about it, press the market toward what is good for all. The average consumer can gather just enough information to be relatively confident of being satisfied overall with any purchase. On the whole, consumers and markets will gravitate toward products and services that make all better off.

There may be consumer demand for organized, industry-wide labeling in some areas, of course. It’s a fine thing if there is. 

Anderson takes NAF’s plan to be a call for a government mandate, but the write-up itself is vague, saying that broadband providers “should” do various things and observing the absence of a legal requirement for notice. It takes pains to use the passive voice when ordinary speech would identify what actor should establish a labeling regime. 

If only there were a label about that salient feature of the proposal!

Is This Intervention Necessary?

So asks the Washington Post in a cogent editorial about FCC Chairman Jules Genachowski’s speech proposing to regulate the terms on which broadband service is provided. (More from TLJ, Julian Sanchez, and me.) The WaPo piece nicely dismantles the few incidents and arguments that underlie Genachowski’s call for regulation.

As the debate about “ ‘net neutrality” regulation continues, I imagine it will move from principled arguments, such as whether the government should control communications infrastructure, to practical ones: Will limitations on ISPs’ ability to manage their networks cause Internet brown-outs and failures? (This is what Comcast was trying to avoid when it ham-handedly degraded the use of the BitTorrent protocol on its network.) Will regulation bar ISPs from shifting costs to heavy users, cause individual consumers to pay more, and hasten a move from all-you-can-eat to metered Internet service? We’ll have much to discuss.