Michael Froomkin, Lessons Learned Too Well

Comment by: Anne McKenna

PLSC 2012

Published version available here:

Workshop draft abstract:

A decade ago the Internet was already subject to a significant degree of national legal regulation.  This first generation of internet law was somewhat patchy and often reactive.  Some legal problems were solved by simple categorization, whether by court decisions, administrative regulation, or statute.  Other problems required new approaches: the creation of new categories or new institutions.  And in some cases, governments in the US and elsewhere brought out the big guns of direct legislation, sometimes with stiff penalties.

The past decade has seen the crest of the first wave of regulation and the gathering of a second, stronger, wave based on a better understanding of the Internet and of law’s ability to shape and control it.  Aspects of this second wave are encouraging: Internet regulation is increasingly based on a sound understanding of the technology, minimizing pointless rules or unintended consequences. But other aspects are very troubling: where a decade ago it was still reasonable to see the Internet technologies as empowering and anti-totalitarian, now regulators in both democratic and totalitarian states have learned to structure rules that previous techniques cannot easily evade, leading to previously impossible levels of regulatory control.

On balance, that trend seems likely to continue.  One result that seems likely to follow from current trends in centralization and smarter and more global regulation is legal restriction, and perhaps the prohibition, of online anonymity.  As a practical matter, the rise of identification technologies combined with commercial and regulatory incentives have made it difficult for any but sophisticated users to remain effectively anonymous.  First wave internet regulation could not force the identification of every user and packet, but the second wave regulation is more international, more adept, and benefits from technological change driven by synergistic commercial and regulatory objectives.  Law which harnesses technology to its ends achieves far more than law regulating outside technology or against it.

The consequences of an anonymity ban are likely to be negative. This paper attempts to explain how we came to this pass, and what should be done to avoid making the problem worse.

Part One of this article discusses the first wave of Internet regulation, before the year 2000, focusing on US law.  This parochial focus is excusable because even at the start of the 21st Century a disproportionate number of Internet users were in the US.  And, with only a very few exceptions, the greatest of which involve aspects of privacy law emanating from the EU’s Privacy Directive, the US either led or at least typified most of the First Wave regulatory developments.

The second wave of regulation has been much more global, so in Part Two, which concerns the most recent decade, the paper’s focus expands geographically, but narrows to specifically anonymity-related developments.  Part A describes private incentives and initiatives that resulted in the deployment of a variety of technologies and private services each of which is unfriendly to anonymous communication.  Part B looks at three types of government regulation, relevant to anonymity: the general phenomenon of chokepoint regulation, and the more specific phenomena of online identification requirements and data retention (which can be understood as a special form of identification).

Part Three examines competing trends that may shape the future of anonymity regulation.  It takes a pessimistic view of the likelihood that, given the rapid pace of technical and regulatory changes, the fate of online anonymity in the next decade will be determined by law rather than by the deployment of new technologies or, most likely, pragmatic political choices.  It therefore offers normative and pragmatic arguments why anonymity is worth preserving and concludes with questions that proponents of further limits on anonymous online speech should be expected to answer.

Goaded by factors ranging from traditional public order concerns to fear of terrorism and hacking to public disclosures by WikiLeaks and others, both democratic and repressive governments are increasingly motivated to attempt to identify the owners of every packet online, and to create legal requirements that will assist in that effort.  Yet whether a user can remain anonymous or must instead use tools that identify him is fundamental to communicative freedom online.  One who can reliably identify speakers and listeners can often tell what they are up to even if he is not able to eavesdrop on the content of their communications; getting the content makes the intrusion and the potential chilling effects that much greater.  Content industries with copyrights to protect, firms with targeted ads to market, and governments with law enforcement and intelligence interests to protect all now appreciate the value of identification, and the additional value of traffic analysis, not to mention the value of access to content on demand, or even the threat of it.

Online anonymity is closely related to a number of other issues that contribute to communicative freedom, and thus enhance civil liberties, such as the free use of cryptography, and the use of tools designed to circumvent online censorship and filtering.  One might reasonably ask why, then, this essay concentrates on anonymity, and on its inverse, identification technologies. The reason is that anonymity is special, arguably more essential to online freedom than any other tool except perhaps cryptography (and one of the important functions of cryptography is to enable or enhance anonymity as well as communications privacy).  Without the ability to be anonymous, the use of any other tool, even encrypted communications, can be traced back to the source.  Gentler governments may use traffic analysis to piece together networks of suspected dissidents, even if the government cannot acquire the content of their communications.  Less-gentle governments will use less-gentle means to pressure those whose communications they acquire and identify. Whether or not the ability to be anonymous is sufficient to permit circumvention of state-sponsored communications control, it is necessary to ensure that those who practice circumvention in the most difficult circumstances have some confidence that they may survive it.

Pauline T. Kim, Employee Privacy and Speech: Pushing the Boundaries of the Modern Employment Relationship

Comment by: Anne T. McKenna

PLSC 2011

Workshop draft abstract:

Employee privacy and speech have always been contested terrain.  Employees have asserted their rights to keep certain matters private, or to speak without fear of retaliation.  Employers have argued that intrusions on employees’ privacy or restrictions on their speech are justified by legitimate business interests and their need to manage the workplace.  When it comes to privacy, the law strikes a rough accommodation between these competing interests by distinguishing between personal life and work life.  Aspects of an employee’s personal life are more likely to be protected against employer scrutiny or retaliation.  Conversely, the more closely an employee’s activities are connected to her job duties or the workplace, the less likely they are to be protected.  The doctrine governing employee speech exhibits a different pattern.  Although off-duty speech may be incidentally protected as an aspect of off-duty conduct, the law’s particular focus is on protecting certain types of socially valued speech, such as collective speech about working conditions or speech as private citizens that contributes to public debate.   Despite the differing doctrinal frameworks, these two employee interests—privacy and speech—are closely interrelated, and work together to protect not only individual dignitary interests but broader social concerns as well.

Recent changes in the nature of work and changes in technology have significantly shifted the balance between employees’ privacy interests and employers’ managerial concerns.  Together, these changes are raising the incentives and lowering the costs for employers to intrude on areas employees have claimed are private.  In addition, these changes are increasingly blurring the line between home and work, between off-duty and on-duty activities.  In the face of these changes, the traditional doctrinal frameworks used to analyze employee privacy claims are becoming obsolete because they rely on the existence of established social norms of privacy and on drawing a distinction between personal and work life.   The net effect of all these developments is that the traditional doctrinal forms are increasingly inadequate to delineate the boundaries of employees’ personal activities that should be free from employer scrutiny.  This development, in turn, has left employee speech rights more vulnerable.  Current forms of regulation of employee privacy, which typically rely on after-the-fact challenges by individual plaintiffs (e.g. tort or constitutional claims for invasion of privacy) are unlikely to be successful in addressing emerging privacy challenges in the workplace.  In the final section, I review alternative types of regulatory responses that might be used to address employee privacy concerns, and briefly discuss their advantages and limitations.