Marco Loos & Joasia Luzak, Wanted: A Bigger Stick. On Unfair Terms in Consumer Contracts with Online Service Providers (Ctr. for the Study of European Contract Law, Working Paper No. 2015-01, 2015), available at SSRN
The reliance of online service providers on lengthy terms of service or related documents is easily mocked. When I teach this topic, I can choose to illustrate the topic with the selling of souls, in cartoon or written form, point to the absurd length of the policies of popular sites, and highlight experiments that call us out on our love of the I Accept button. But behind the mirth lie a number of serious legal issues, and the recent working paper by Marco Loos & Joasia Luzak of the University of Amsterdam tackles some of them.
Loos & Luzak work at the Centre for the Study of European Contract Law, and their particular concern is with the European Union’s 1993 Unfair Contract Terms Directive. They point out that although the gap between typical terms and policies and the requirements of the Directive is often pointed to, it is rarely studied in detail. In their thorough study, the authors examined the instruments used by five well-known service providers, and evaluated them against the Directive’s stipulation that mass terms (those not individually negotiated with the consumer) be ‘fair’.
The detailed paper, full of examples from the policies of the services under review (Dropbox, Facebook, Twitter and Google), covers topics including modification and termination of the agreement, as well as how liability is managed. Despite the focus of the work being the UCT Directive, the analysis is also linked with developments in related fields of law, such as the gradual expansion through Court of Justice of the EU (CJEU) decisions of the ‘consumer’ provisions of the Brussels Regulation on jurisdiction. The authors save particular criticism for the lack of clarity in how terms are drafted.
Importantly, the paper also tackles the preliminary question of whether the statements we know and love actually fall within the scope of the Directive, which is about contracts and about consumers. They challenge the assumption that ‘free’ services are excluded, but do note that in some cases more detail on the actual use of an account may be necessary in order to be certain that the Directive is applicable.
What Loos & Luzak have done here also contributes to debates on consent, rights and technology. In data protection and in consumer law, much depends on assumptions about information – what must be provided, how it informs decisions, and what legal options are available to the end user. One cannot doubt the skill that goes into drafting some of the examples that are cited in this paper, but the authors are right to call for greater study and vigilance – particularly on the part of national consumer authorities. They hope that if the CJEU is faced with appropriate questions in future years, the result might be a gradual raising of consumer protection standards. Indeed, this might well have implications across the world – as Jack Goldsmith and Tim Wu discussed regarding earlier data protection disputes in their 2006 book, Who Controls The Internet? – and of course other agencies, such as the FTC and the Australian Privacy Commissioner, are interested in these issues. So, this recent work on common clauses and legal requirements for fairness should interest European and non-European audiences alike.
Cite as: Daithí Mac Síthigh, Is it Fair to Sell Your Soul? (October 29, 2015) (reviewing Marco Loos & Joasia Luzak, Wanted: A Bigger Stick. On Unfair Terms in Consumer Contracts with Online Service Providers (Ctr. for the Study of European Contract Law, Working Paper No. 2015-01, 2015), available at SSRN), https://cyber.jotwell.com/is-it-fair-to-sell-your-soul/
When the law faces a new technology, a basic question is who governs it and with what rules? Technological development disrupts regulatory schemes. Take, for example, the challenges the Federal Aviation Administration (FAA) now faces with drones. The FAA usually regulates aircraft safety. Drones force the FAA to consider—and in some cases reject as outside the agency’s mandate—issues of privacy, spectrum policy, data security, autonomous decision-making, and more. The pace and complexity of recent technological change has led some to call for the creation of new agencies, including a Federal Robotics Commission. But given the significant hurdles involved in agency creation, it is valuable in the short run to assess what tools we already have.
In Unfair and Deceptive Robots, Woodrow Hartzog takes up the question of who will govern consumer robots. Hartzog proposes that the Federal Trade Commission (FTC) is best equipped to govern most issues that consumer robots will soon raise. He reasons that the FTC is well prepared both as a matter of subject-matter expertise and as a matter of institutional practice.
This article was a hit at the 2015 We Robot conference. It blends practical guidance, expert knowledge of the FTC, and a range of thoughtful and often amusing examples. It also provides a window onto a number of framing questions recurring in the field: to what extent are robots new? How does that answer vary, depending on what aspect of robots you focus on? And how do you best choose or design institutions to adapt to fast-changing technology?
Hartzog points out a number of ways in which robots, or really robotics companies, might take advantage of vulnerable consumers. A company might falsely represent a robot’s capabilities, touting effectiveness in sped-up videos that make a robot look more capable than it is. Or a company might use a “Wizard-of-Oz” setup to operate a robot from behind the scenes, causing it to appear autonomous when it is not. A company might use a robot to spy on people, or to nudge their behavior. Autonomous robots and robotic implantables raise their own classes of consumer protection concerns. If you were not already worried about robots, you will be after reading this. From the robot vacuum that ate its owner’s hair, to flirtatious Twitter bots, to a dying Roomba pleading for a software upgrade, to the “Internet of Things Inside Our Body,” Hartzog’s examples are visceral and compelling.
The FTC, Hartzog claims, is thankfully well positioned to address many of the consumer protection issues raised by this pending host of scambots, decepticons, autobots, and cyborgs. The FTC has a broad grant of authority to regulate “unfair and deceptive” trade practices. It has used that Section 5 authority in recent years to regulate online privacy and data security. While the FTC started by addressing classic truth-in-advertising problems, and enforcing company promises, it has developed more complex theories of unfairness that it now extends to data security and user interface design. His recent authoritative work with Dan Solove on the FTC’s Section 5 “jurisprudence” makes Hartzog uniquely qualified to discuss FTC coverage of robotics. There is no doubt that this paper will have practical applicability.
Hartzog also contributes to ongoing conversations about technological change and regulatory design. He touts the FTC’s institutional ability to adapt to changes through productive co-regulation, including its tendency to defer to industry standards and avoid “drastic regulatory lurches.” Hartzog thus identifies not just substantive but structural reasons why the FTC is a good fit for governing consumer robots.
But the view Hartzog presents is a little too rosy. The FTC has vocal and litigious critics whom Hartzog mainly ignores. Not everyone is happy with its settlement agreement process, which some regard as arbitrary and lacking notice. While Hartzog mentions in passing that the FTC’s authority to regulate data security has been challenged, the pending Wyndham decision in the Third Circuit could seriously rock the Section 5 boat. Moreover, the FTC’s focus on notice and design is in tension with developing First Amendment jurisprudence on commercial and compelled speech. And there are plenty of other good reasons why we might want to be careful about focusing governance on technological design as Hartzog proposes.
If I have one larger criticism, it is that the “which agency is best” framing is a little disingenuous. Hartzog frames his question in a way that drives his answer. He asks which agency is best positioned for governing consumer protection issues raised by robots; unsurprisingly, his answer is the FTC, a consumer protection agency. If he had asked which regime is best for governing robotic torts, or which is best for governing robotic IP issues, the answer would have differed. In other words, the article provides solid guidance for how the FTC might approach robots. It does not answer, or really justify asking, the question of who governs them best.
Which brings us to the larger conversation this piece briefly engages in, on just how new and disruptive robots will be. I am increasingly convinced that the answer to this question is dependent on the asker’s perspective. Asking how robots disrupt a particular area of law will highlight the features of the technology and its social uses that are disruptive to that particular area of law. A new technology will be disruptive to different regulatory regimes in different ways. And because Hartzog picks the FTC as his lens, he is bound to solutions the FTC provides, and somewhat blinded to the problems it cannot solve. Robots fit within the FTC’s consumer protection regime, but they also fundamentally disrupt it. As with the Internet of Things, the owner of the robot is often not the only person facing harm. The FTC protects the consumer, not the visitor to a consumer’s house. As Meg Jones has recently pointed out, the FTC is not particularly well equipped to handle problems raised by this “Internet of Other People’s Things.”
Unfair and Deceptive Robots is clever and extremely useful: it tells us what the FTC is equipped to handle, and argues for the FTC’s competence in this area. As a robot’s road map to FTC jurisprudence, the piece shines. But regulating robots will take many regulatory players. While we are trying to spot the gaps and encourage them to cooperate, it might be counterproductive to name one as the “best.”
Kate Crawford & Tarleton Gillespie, What is a flag for? Social media reporting tools and the vocabulary of complaint, New Media & Society (2014), available at SSRN
The problem of handling harassing and discriminatory online speech, as well as other forms of unpleasant and unlawful content—infringing, privacy-invading, or otherwise tortious—has been a matter for public discussion pretty much since people noticed that there were non-governmental intermediaries involved in the process. From revenge porn to videos of terrorist executions to men kissing each other to women’s pubic hair, controversies routinely erupt over whether intermediaries are suppressing too much speech, or not enough.
“Flagging” offensive content is now an option offered to users across many popular online platforms, from Facebook to Tumblr to Pinterest to FanFiction.net. Flagging allows sites to outsource the job of policing offensive content (however defined) to unpaid—indeed, monetized—users, as well as to offer a rhetoric to answer charges of censorship against those sites: the fact that content was reported makes the flagging user/s responsible for a deletion, not the platform that created the flagging mechanism. But the meaning of flags, Crawford and Gillespie persuasively argue, is “anything but straightforward.” Users can use flags strategically, as can other actors in the system who claim to be following community standards.
One of the most significant, but least visible, features of a flagging system is its bluntness. A flag is binary: users can only report one level of “badness” of what they flag, even if they are allowed several different subcategories to identify their reasons for flagging. Nor are users part of the process that results, which is generally opaque. (As they note, Facebook has the most clarity on its process, likely not because of its commitment to user democracy but because it has faced such negative PR over its policies in the past.)
Another, related feature is flagging’s imperviousness to precedent—the memory-traces that let communities engage in ongoing debates about norms, boundaries, and difficult marginal judgments. Crawford and Gillespie explain:
[F]lags speak only in a narrow vocabulary of complaint. A flag, at its most basic, indicates an objection. User opinions about the content are reduced to a set of imprecise proxies: flags, likes or dislikes, and views. Regardless of the proliferating submenus of vocabulary, there remains little room for expressing the degree of concern, or situating the complaint, or taking issue with the rules. There is not, for example, a flag to indicate that something is troubling, but nonetheless worth preserving. The vocabulary of complaint does not extend to protecting forms of speech that may be threatening, but are deemed necessary from a civic perspective. Neither do complaints account for the many complex reasons why people might choose to flag content, but for reasons other than simply being offended. Flags do not allow a community to discuss that concern, nor is there any trace left for future debates. (P. 7.)
We often speak of the internet as a boon for communities, but it is so only in certain ways, and website owners can structure their sites so that certain kinds of communities have a harder time forming or discussing particular issues. Relatedly, YouTube’s Content ID, now a major source of licensing revenue for music companies, allows those companies to take down videos to which they object regardless of the user’s counternotifications and fair use claims, because Google’s agreements with the music companies go beyond the requirements of the DMCA. No reasoned argument need be made, as it would be in a court of law, and so neither the decisionmakers nor the users subject to YouTube’s regime get to think through the limiting principles—if any—applied by the algorithms and/or their human overlords. I have similar concerns with Amazon’s Kindle Worlds (and the Kindle’s ability to erase or alter works that Amazon deems erroneously distributed, leaving no further trace) compared to the organic, messy world of noncommercial fan fiction.
This is a rich paper with much to say about the ways that, for example, Flickr’s default reporting of images as “inappropriately classified” rather than completely unacceptable structures users’ relation to the site and to each other. “Whether a user shoehorns their complex feelings into the provided categories in a pull-down menu in order to be heard, or a group decides to coordinate their ‘complaints’ to game the system for political ends, users are learning to render themselves and their values legible within the vocabulary of flags.” Crawford and Gillespie’s useful discussion also offers insights into other forms of online governance, such as the debates over Twitter’s reporting system and the merits of “blocking” users. A “blocking” feature, available for example on Tumblr and Twitter, enables a logged-in user to avoid seeing posts from any blocked user; the offensive user disappears from the site, but only from the blocker’s perspective. Like denizens of China Miéville’s Besźel and Ul Qoma, they occupy the same “space” but do not see each other. This literalization of “just ignore the trolls” has its merits, but it also allows the sites to disclaim responsibility for removing content that remains visible to, and findable by, third parties. We may be able to remake our view of the world to screen out unpleasantness, but the unpleasantness persists—and replace “unpleasantness” with “slander and threats” and this solution seems more like offering victims blinders rather than protecting them.
What about total openness instead? As Crawford and Gillespie point out, Wikipedia generally retains a full history of edits and removals, but that process can also become exclusionary and opaque in other ways. Nonetheless, they suggest that an “open backstage” might offer a good way forward, in that it could “legitimize and strengthen a site’s decision to remove content. Significantly, it would offer a space for people to articulate their concerns, which works against both algorithmic and human gaming of the system to have content removed.” Moreover, an “open backstage” would emphasize the ways in which platforms are social systems where users can and should play a role in shaping norms.
I’m not as sanguine about this prospect. As Erving Goffman explained so well, even “backstage” is in fact a performance space when other people are watching, so I would expect new and different forms of manipulation (as has happened on Wikipedia) rather than a solution to opacity. Proceduralization and the ability to keep arguing endlessly can be a recipe for creating indifference by all but a tiny, unrepresentative fraction of users, which arguably is what happened with Wikipedia. It’s a new version of the old dilemma: If people were angels, no flags would be necessary. If angels were to govern people, neither external nor internal controls on flags would be necessary.
As someone who’s been deeply involved in writing and subsequently revising and enforcing the terms of service of a website used by hundreds of thousands of people, I know all too well the impossibility of writing out in advance every way in which a system might be abused by people acting in good faith, or even just (mis)used by people who simply don’t share its creators’ assumptions. Open discussion of core discursive principles can be valuable for communities; but freewheeling discussion, especially of individual cases, can also be destructive. And, as Dan Kahan has so well explained, our different worldviews often mean that a retreat from one field (from ideology to facts, or from substance to procedure, or vice versa) brings all the old battles to the new ground.
Still, there’s much to like about the authors’ call for a system that leaves some traces of debates over content and the associated worldviews, instead of a flagging and deletion system that “obscures or eradicates any evidence that the conflict ever existed.” Battles may leave scars, but that doesn’t mean that the better solution is a memory hole.
The overall issue addressed in this book has received renewed attention recently. On April 1, 2015, President Obama issued the Executive Order “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” which allows the Treasury Department to freeze assets of individuals and entities that are directly or indirectly involved in such activities. Furthermore, at the beginning of April, in a series of meetings in China, US Homeland Security officials met with their Chinese counterparts to discuss cybersecurity issues. And in late April the US Department of Defense issued its latest document on cyber strategy that mentions – among other countries – China among the “key cyber threats.”
However, the chosen article focuses on an issue that is easily forgotten in these grand debates: citizens’ privacy, since threats to privacy come from the inside as well as from the outside. The author is Professor of Communication at the School of Digital Media and Design Arts, Beijing’s renowned University of Posts and Telecommunications (BUPT). He starts with an overview of the present legal framework for protecting the Right to Internet Privacy in China. (P. 247) I still vividly remember a presentation I gave in October 1996 at the China Youth College for Political Science (now the China Youth University for Political Sciences) in Beijing on “The Function of Law in an Information Society” addressing privacy issues. At the end of my talk one of the Chinese students stood up and boldly asked me what my talk had to do with the current situation in China.
But I digress. The situation has changed profoundly: Professor Xu’s overview is condensed, yet sufficiently detailed to give an insight into the development of concepts of privacy in China, from an understanding of privacy as “shameful or embarrassing private [family] affairs” to privacy as a more comprehensive, though still defensive, notion, and how it is moving from there to a broader understanding of affected “personal information.”
The current “Deepening Reform Campaign” in China has been emphasizing the Rule of Law. The Chinese concept of law is primarily an instrumental one. Rule of Law in this context means to ensure that the judiciary subsystem works efficiently, free from cross-interference—for example with regard to corruption cases—with optimal resources as regards the educational standard of its personnel, and meets its aim of ensuring fairness across local and provincial levels. All these principles have been reconfirmed this last month by a set of specific regulations from the General Office of the Communist Party’s Central Committee and the General Office of the State Council. At the same time the judiciary should be seen to be embedded in the guiding authority of these two law-making systems: the government as the administrative body and the checking political power of the Chinese Communist Party.
In Xu’s view the current system of legal privacy protection still needs to be fundamentally improved. There is no stringent overall legal concept of privacy. “Hundreds of laws and regulations have been enacted to protect the right to online privacy, but they are quite unsystematic and hard to put into practice.” (P. 252) (Sounds familiar). Responsibilities and liabilities in civil law should be established clearly and criminal law violations need to be more precise. He points to Hong Kong experiences as a learning resource for the further development of Chinese privacy protection, just as this note seeks to point to the necessity to enlarge our view on privacy beyond our European and American concerns.
Xu thus provides a useful insight into the ongoing development of the concept of privacy in the Chinese environment. As with such developments in the US and Europe, they need to be put into the context of the respective legal system.
Cite as: Herbert Burkert, Internet Privacy: A Chinese View (July 14, 2015) (reviewing Jinghong Xu, Evolving Legal Frameworks for Protecting the Right to Internet Privacy in China, in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, 242 (edited by Jon R. Lindsay, Tai Ming Cheung, and Derek S. Reveron, 2015)), https://cyber.jotwell.com/internet-privacy-a-chinese-view/
Thank you to the Jotwell editors for indulging me as I stretch their mission statement (and quite possibly their patience) by highlighting not an article nor even a conventional work of scholarship but rather a piece of software as the “thing I like (lots)”: mitmproxy, a tool created by Aldo Cortesi who shares authorship credit with Maximilian Hils and a larger “mitmproxy community.”
mitmproxy does just what it says on the tin (assuming you know how to read this particular kind of tin). It’s a Man-In-The-Middle Proxy server for the web. In English, this means that this tool allows you to reveal, with finely wrought control, exactly what your browser is saying and to whom. It is an X-ray machine for the web, one which lays many of the Internet’s secrets bare. Let me extol the many virtues of this well-designed piece of software, and after I do that, let me explain why I think this strikes me as an important contribution to legal scholarship.
There are many other tools that do what mitmproxy does. Where mitmproxy shines relative to everything I have tried is the way it embraces both usability and power without compromising either.
Take usability first. Especially for Mac OS X users, mitmproxy is the single easiest tool of its kind I have encountered. Here is what you need to do to begin wiretapping yourself as you browse the web:
- Step 1: Install the OSX binary available at https://mitmproxy.org/
- Step 2: Open a terminal window and extract, find, and start the binary.
- Step 3: Open a browser and configure it to use the IP address and port of the computer running mitmproxy (probably 127.0.0.1 and 8080) as its web proxy.
- Step 4: Surf the web.
At this point, the mitmproxy display will fill with lots of http requests down the screen. The controls to navigate these requests are so intuitive they require little documentation: arrows scroll up and down, enter reveals more detail about the current request, escape returns to the previous screen, etc.
By performing the steps above, the student or scholar of technology law or policy who has never operated a packet sniffer before can more deeply understand some of the secrets of web surveillance. mitmproxy is, most importantly, packet sniffing for the masses. For the first time, we are given a tool which is simple to understand, relatively easy to operate, free to download, and available to people lacking root access to their computers. These qualities make this a powerfully democratizing tool.
All of this makes mitmproxy also a wonderful tool for teaching. For three years, I have taught a course on “The Technology of Privacy,” in which the students have spent an hour or two sniffing packets. Until this year, my students toiled with Wireshark–an old tool, but still the industry standard for packet sniffing. To say that Wireshark confused my students is an understatement. The semester-end reviews were replete with comments like, “Great class, but I have no idea what was going on with Wireshark.”
This year, I taught the same unit using mitmproxy. The experience could not have been more different. After walking through the steps above and watching a demo for two minutes, my students started monitoring their own web traffic, needing no further guidance. My only instruction was “find something interesting,” and within five minutes, that’s exactly what they did.
Perhaps the most astonishing thing the tool makes easy is the sniffing of encrypted web traffic. Techies might scoff at my being impressed by this, because it’s almost tautological; that’s what a MITM proxy permits. But look again at how simply this has been implemented. Here are the steps required to permit the monitoring of encrypted traffic:
- Step 5: From your browser, visit mitm.it. (This won’t send you to an Italian webpage; mitmproxy intercepts the request and sends you its own content instead.)
- Step 6: Follow the simple instructions at that page.
- Step 7: Surf the encrypted web.
If all mitmproxy did was bring packet sniffing to the masses, it would still do plenty. But mitmproxy is not only easy-to-use, it is also so powerful and robust that it has become a serious tool of web-based forensics.
Take the work of Ashkan Soltani, who introduced me to mitmproxy. Ashkan is well-known in the privacy law community as the current Chief Technologist of the FTC. He made his first big splash as the technological brains behind many of the groundbreaking studies conducted by Julia Angwin and her fellow journalists at the Wall Street Journal, in the “What They Know” series. The great impact of those studies–and what qualify them in my mind as scholarly research as much as investigative journalism–stems from the rigorously obtained and compellingly presented data revealing third-party tracking of the web and invasive tracking of mobile apps. It is my understanding that at least some of these important results were obtained using mitmproxy.
Others have used mitmproxy to “slay dragons.” It is credited with revealing privacy violations in mobile apps. It has allowed researchers to peer into opaque private APIs to learn how companies are protecting their users’ secrets (spoiler: not always well).
There is too much more to praise in full about mitmproxy, so let me summarize the rest. It is released under a GPL open source license and distributed via GitHub, so anybody can tinker under the hood. It is written in Python, so you’re likelier to understand what you’re looking at under that hood. It allows you to “replay” web requests and responses from the past, giving you fine-tuned controls for testing. It lets you monitor the activity of mobile apps as seamlessly as web browsing. You can easily automate it.
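One way to automate the kind of third-party tracking survey described above, as an added example that is not part of the original review or of mitmproxy's own code: an addon that records, for your own browsing session, which other hosts each site causes your browser to contact and whether a cookie went along. The names `ThirdPartyTally`, `site_of` and `constructed_flow`, the two-label "site" heuristic, and the sample hosts are assumptions made for illustration.

```python
"""Added example: a mitmproxy addon that tallies third-party requests.

Load it with:  mitmdump -s third_party_tally.py
(the file name is arbitrary), browse through the proxy, then quit mitmdump.
"""
from collections import defaultdict
from types import SimpleNamespace
from urllib.parse import urlsplit


def site_of(host):
    """Approximate the 'site' a host belongs to by its last two DNS labels.

    Assumption for this example only: a careful study would use the Public
    Suffix List, since this heuristic is wrong for names like example.co.uk.
    """
    host = (host or "").lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):  # IPv4 literal: keep whole
        return host
    return ".".join(labels[-2:])


class ThirdPartyTally:
    """Counts requests whose target site differs from the referring site."""

    def __init__(self):
        # first-party site -> third-party host -> number of requests
        self.seen = defaultdict(lambda: defaultdict(int))
        # third-party hosts that were sent a Cookie header at least once
        self.cookie_hosts = set()

    def request(self, flow):
        """mitmproxy calls this hook once per client request."""
        req = flow.request
        referer = req.headers.get("Referer")
        if not referer:
            # Typed URL, bookmark, or referrer stripped: nothing to attribute.
            return
        first_party = site_of(urlsplit(referer).hostname)
        if not first_party or site_of(req.pretty_host) == first_party:
            return
        # Note: requests made from inside a third-party iframe are attributed
        # to the iframe's site, because that is what the Referer names.
        self.seen[first_party][req.pretty_host] += 1
        if "Cookie" in req.headers:
            self.cookie_hosts.add(req.pretty_host)

    def report(self):
        """Return one summary line per (site, third-party host) pair."""
        lines = []
        for page in sorted(self.seen):
            ranked = sorted(self.seen[page].items(),
                            key=lambda kv: (-kv[1], kv[0]))
            for host, count in ranked:
                flag = " [cookie sent]" if host in self.cookie_hosts else ""
                lines.append(f"{page} -> {host} x{count}{flag}")
        return lines

    def done(self):
        """mitmproxy calls this hook when the addon shuts down."""
        for line in self.report():
            print(line)


# mitmproxy looks for this module-level list when loading a script.
addons = [ThirdPartyTally()]


def constructed_flow(host, referer=None, cookie=None):
    """Hand-built stand-in for a mitmproxy flow so the demo runs offline.

    Real flows carry case-insensitive headers; this plain dict does not.
    """
    headers = {}
    if referer:
        headers["Referer"] = referer
    if cookie:
        headers["Cookie"] = cookie
    request = SimpleNamespace(pretty_host=host, headers=headers)
    return SimpleNamespace(request=request)


if __name__ == "__main__":
    # Constructed sample traffic (not captured from any real site).
    tally = ThirdPartyTally()
    for args in [
        ("www.news.example", None, None),
        ("static.news.example", "https://www.news.example/story", None),
        ("pixel.tracker.test", "https://www.news.example/story", "id=abc"),
        ("pixel.tracker.test", "https://www.news.example/", None),
        ("cdn.fonts.test", "https://www.news.example/", None),
    ]:
        tally.request(constructed_flow(*args))
    print("\n".join(tally.report()))
```

Run directly with Python, the script prints the tally for the constructed sample; loaded into mitmdump, it prints the tally for the live session on exit.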
All of this power can be used for evil as well as good, of course. If I trick your browser into using my mitmproxy, then with a few lines of code, I can flip all of the images sent to the browser upside down or replace all images with photos of kittens, or do something even more evil.
Finally, back to the question I started with: why does mitmproxy belong on a website dedicated to celebrating scholarship? mitmproxy is a scholarly tool or methodology, akin to R or logistic regression, something that too few legal scholars use and many more should embrace. That alone is probably enough to justify this review.
But in some sense, a packet sniffer is the key to my personal origin story as a scholar of Internet privacy. In my first job after college–helping develop and defend the networks of the RAND Corporation–in what I think was my first week on the job, I ran a packet sniffer–one much clunkier to use than mitmproxy–on our local network segment. Entirely by happenstance, the first screenful of packets I intercepted contained a packet revealing the RAND vice president’s username and password in plaintext, right on my screen. I don’t think I ever closed an application as quickly as I did at that moment, and my manager (who was standing behind me) said, with a smile on his face, “we shall never speak of this again.” I can draw a direct line from that moment to many thoughts I have had and things I have written about Internet privacy.
We scholars of internet policy spend most of our time focused on the abstract and intangible. The things we investigate flit through the aether (or ethernet) near the speed of light. There is value in finding ways to reify these abstractions into something closer to the tangible and concrete, the way sniffing tools like mitmproxy do. It is one thing to write about, say, privacy as an abstraction; it is another altogether to capture a password or set up a proxy server. Doing little things like this will remind us that what we are investigating is real and within our reach.
Lauren Willis, Performance-Based Consumer Law, 82 U. Chi. L. Rev. (forthcoming), available at SSRN
Two decades ago, contract law ran headlong into online terms of service, looked around briefly in confusion, and announced that it needed to go take a nap. It has not been heard from since. In its place we have something that looks like contract law, and claims to be contract law, but is oddly ignorant of things that the real contract law would know. This usurper, part Martin Guerre and part pod person, is formalistic to a fault, obsessed with meaningless details, lazy beyond belief, and utterly devoid of human feeling.
Generations of scholars have tried to unmask this impostor, to little effect. Lauren Willis’s Performance-Based Consumer Law offers a different and more promising way of protecting consumers from overreaching and incomprehensible terms of service. Consumer law cares about form contracts, too, but it can afford to be more realistic about how well consumers actually understand them — or don’t.
Scholars since Karl Llewellyn’s day have pointed out the obvious: courts enforcing form contracts bind consumers to terms they have not read and could not reasonably be expected to read. This is a problem for any theory based on upholding voluntary agreements, or at least it ought to be. Impostor contract law doesn’t care. It remains firmly committed to what Gregory Klass calls an “interpretive” approach to contractual meaning: a contract means what it says, even if almost no one actually knows it says that. So while there must be an unambiguous manifestation of assent by the user, that assent can relate to a mess of undigestible text vomited up on the page.
Scholars at least since Llewellyn have resisted this reasoning, trying to bring either some substantive scrutiny or some realism about what people do and don’t read to the table. For a time in the 1960s and 1970s, they took ground on both fronts. Unconscionability doctrine recognized that some contractual terms were simply fairer than others, and false advertising law recognized that even statements that were literally true in theory could be hopelessly misleading in practice. But both offensives bogged down in the deregulatory rainy season of the 1980s. Combine this doctrinal rigidity with ubiquitous user agreements and the result has been bad news for consumers. The only difference is that mouse clicks have replaced signatures and the mess of undigestible text is vomited up on the screen rather than on the page.
This formalistic compromise gives firms bizarre and perverse incentives. They can be dinged for not having terms of service (or their close cousins, privacy policies). They can be dinged for lying about what is in the terms. And they can be dinged for omitting important terms. But adding more is always safe. I like to show my students the reductio ad absurdum of this trend, the user agreement toward which all terms of service naturally trend: the 35,000-word user agreement of the Central Pacific Railroad Photographic History Museum, complete with staring eyeballs and warnings not to self-diagnose yourself with smallpox or engage in “vigilante activities.”
It is all but impossible to make substantive regulatory progress in such an environment. Any attempt to empower consumers — think “notice and choice” in privacy law — ends up tossing a few more shovelfuls of disclosure onto the contractual dung heap. Now consumers have “notice” of the practice regulators want them to know about. But their “choice” is emptier than ever.
Willis’s article builds on a few recent turns towards realism in online contracting — attempts to point out that consumers don’t and can’t read these behemoths, and that law can recognize this fact without bringing the whole of e-commerce crashing down. The Federal Trade Commission’s consumer-protection docket includes numerous cases recognizing that consumers don’t click on every link, and insisting that it’s not enough that the user agreement fully “discloses” a term if that term undercuts the messages consumers actually receive from its ads. And Ian Ayres and Alan Schwartz’s The No-Reading Problem in Consumer Contract Law helpfully suggested that perhaps the legal system should seek empirical evidence about whether consumers actually understand specific contract terms rather than simply positing that they do. (Klass calls this approach “causal-predictive”; it relies on surveys and on psychology to make informed claims about what consumers think and do.) Their proposed solution — a “warning box” with a special border for unexpected and unfavorable terms — is a bit of an epicycle, one that recreates the problem they set out to solve. But their core insights and the FTC’s are important: incomprehensible terms shouldn’t count, and the best way to learn whether a term is comprehensible to consumers is to ask consumers.
Performance-Based Consumer Law is the keystone in this arch: the conclusion toward which everything has been building, the piece that locks everything into place. Willis’s central observation is that the law can regulate what products do as well as what they are. Instead of telling a factory to use a particular kind of smokestack scrubber (a design standard), the government can tell it to reduce its emissions by 60%, any way it wishes (a performance standard). Performance standards can make it easier for regulated entities to comply, and they can make it harder for those entities to wriggle out from regulations they dislike.
In the consumer context, required disclosures and contract formalities are design standards. They regulate inputs to the consumer contracting process, but there is no guarantee those inputs make the slightest difference. Regulating the outputs of that process using performance standards lets us get at the real questions. Willis identifies two kinds. There are suitability standards: do consumers sign up for services that are right for them? And there are comprehension standards: do consumers understand the terms?
Suitability standards and comprehension standards are the old two lines of attack on form contracts — substantive scrutiny and realism about the behavior of contracting parties, respectively — updated for the 21st century. And when we understand them as consumer law, the power of Willis’s reframing becomes clear. The old contract law we knew and loved isn’t coming back; we’re stuck with this soulless reboot of the franchise instead. Applying performance standards to consumer contracting takes these familiar critiques and hands them to another body of law capable of pushing back against what contract law has become. The point is not to be skeptical about terms of service just to be skeptical about terms of service, but instead to be skeptical when there is some consumer-protection reason to care.
Willis offers thrilling suggestions about what performance-based consumer law could look like in practice. Survey evidence would become routine, and if surveys showed that consumers misunderstood important terms or made head-slappingly bad choices, there would be serious consequences. The most elegant remedy would be to deny enforcement to any systematically misunderstood term. More mildly, regulators could use this evidence to decide which firms to investigate. More severely, regulators could treat a failure to hit a comprehension or suitability benchmark as per se unfair, deceptive, or abusive. The point of imposing sanctions is not just to punish firms whose lawyers write like lawyers. Rather, it pushes firms to help consumers understand their choices and to choose wisely. It aligns firms’ incentives with their customers’.
Performance-Based Consumer Law is a rich article, and I am not doing it full justice by dwelling on its application to terms of service. Willis’s examples include overdraft fees and over-the-counter drugs; she is thoughtful about pragmatic questions of how (and how not) to implement performance standards. But when you have been beating your head against a nail for years and someone hands you a hammer, it is natural to apply it to the problem close at hand, even if there are other bodies of law also in need of a good pounding. Consumer contracts are terrible for consumers, and Willis offers a way to do something about it.
One of the greatest challenges faced by cyber scholars and policymakers is how to predict the undesired social consequences of technological developments and to design the best policies to address them. Digital technology makes this challenge even harder: change is swift and getting swifter, and is often formulated in technical terms.
This is where legal scholarship and policymaking could benefit from a novel. The Circle by Dave Eggers is a dystopian novel about the digital era. Many legal scholars have written over the past decade on the surveillance society, big data, contextual privacy, the right to privacy, the right to be forgotten, transparency and accountability. However, the analysis of these issues in the legal literature remains abstract. The Circle offers a mirror image of our daily digital experiences, helping us to imagine what it would be like to live in a society of total transparency, and to experience the gradual loss of autonomy. The Circle tells a story about the human condition in the info era, the ideology of the digital culture, and the political structure which serves it. It could help us see in real time the social implications of digital technology, identify the forces that come into play, and design more concrete strategies to address them.
The book tells the story of Mae Holland, a young middle-class woman, who has accepted a coveted position at the digital corporation—The Circle. The Circle is everything you might expect of a typical multinational internet company, such as Facebook, Google or Twitter: young, innovative, professional, and exciting. Mae is drawn into the work and social life at The Circle which quickly becomes her entire world. It takes over her relationships with her parents, friends and lovers, as the outside world fades around her. Like her fellow employees, she becomes a living example of the services, the life style and the values that the Circle generates, and eventually becomes an object of the service she provides.
Life in the data cloud involves ongoing quantification, subsequent objectification, and a loss of space for intimacy. Mae quickly discovers that customer service is only a small part of her work, while participation in the community, or more precisely, sharing with the community, is the bulk of her job. She disposes of everything that is private: her personal correspondence, her intimate photos, her health condition, her father’s deteriorating medical situation, her hobbies, her friends, her lovers—all become public in real time. This process comes to a head when a permanent collar cam is installed, recording and broadcasting everything that she encounters. That is how Mae, and everyone around her, become stars in an online reality show.
The story of Mae’s integration into The Circle is in many ways the story of our ongoing adjustment to digital life. Why do we give up our privacy every time we share pictures on Instagram, update our status on Facebook and enable location services? Studies show that people are willing to provide their personal data for even a small discount, failing to conceive the long-term negative consequences.
The dystopia of The Circle points to another reason: the ideology of sharing. As Fordism worshiped efficiency, the digital ideology worships the sharing of information. Transparency and sharing are not simply a by-product of surveillance cameras or social media: they are the cornerstone of the digital economy where data is the primary mover.
This ideology includes a social vision and a moral code. Sharing data embodies a new social order and hope for redemption through technological innovation. If we only had enough data, and sufficient processing power to analyze it, we could predict the outbreak of diseases and take measures to reduce the risks. Presumably, perfect information could offer a technological answer to the biggest challenges of humanity: health crises, climate impacts, crime, family violence, and even government corruption.
But perfect information requires participation and full transparency on the part of everyone. Sharing information therefore becomes a civil obligation and an ethical imperative. It is a moral duty to share everything with everyone, without exception and with no compromises. The slogans at The Circle declare “Privacy is theft,” “Secrets are lies,” “Sharing is caring.” Failure to share is regarded as selfish, inconsiderate and antisocial.
Individual preferences of privacy do not really matter as the ideology of sharing is not individualistic. At its core is the networked individual, who connects with others to produce economic value, political power and the wisdom of the masses. The sharing ideology strives for unity: the network merges with the person, and individuals converge via the algorithm.
The totalitarianism of sharing is perhaps the most fascinating phenomenon of our era. Full transparency makes for built-in policing: everyone oversees everyone else. The new social order makes it difficult for the individual to act autonomously. Fearing the supervisor, the political leader, or the crowd, the networked individuals are doomed to comply—naturally at the expense of autonomy and the ability to make free choices.
The human condition in the digital era is subject to constant surveillance, by governments, corporations and peers. The ideology of sharing, and the economic forces that drive it, make transparency a powerful measure of governance. This may give rise to a real threat to the constitutional structure of western democracies.
The social implications of technological changes are difficult to grasp. The well-known Collingridge dilemma of control explains:
The social consequences of a technology cannot be predicted early in the life of the technology. By the time undesirable consequences are discovered, however, the technology is often so much part of the whole economic and social fabric that its control is extremely difficult.
The Circle offers an intimate look into these processes. A better understanding of the social implications of digital technology could help us identify the choices we have, and ensure that the technologies we design, and the policies that shape their use, will secure the rights and capabilities of individuals as autonomous subjects.
Recently, Scott Peppet, Dan Solove, and Paul Ohm appeared in a great Al Jazeera comic on big data and privacy, called “Terms of Service.” The comic covered the growth of data-driven companies from scrappy startups to the behemoths we know and fear today. It’s also a good introduction to the problem of discrimination by data and algorithm. For those who want to continue the conversation, Nathan Newman’s article is an excellent guide to the issues.
Newman has already made several important interventions into the scholarly debate over the effects of big data. Marketing industry leaders have argued that data-driven marketing increases the accuracy of ad targeting. Critics have contended that the opacity and complexity of data flows make it impossible for the average citizen to understand how they are being rated, ranked and judged. The White House Big Data Report from 2014 was a major validation for critics, compiling numerous problems in the big data economy and taking seriously threats on the horizon.
Newman opens How Big Data Enables Economic Harm with the observation that the “increasing loss of control of private data by individuals seems to be leaving them vulnerable to economic exploitation by a range of corporate actors.” He then explains how classic economic theory may exaggerate the positive effects of price discrimination, while glossing over its negative consequences.
Our common mental model of price discrimination is first class seats for airlines costing more than, say, economy: the presumption is that wealthier passengers pay more for the more comfortable ride, and in some way cross-subsidize the flight as a whole. Price discrimination is assumed to be a way of reflecting ability to pay in prices. In demotic models, we imagine high prices matched to a small group (for example, those with business accounts, or those who care deeply about having more legroom on a flight).
But what if price discriminating firms take a different tack, structuring options in ways that are less easy to parse? Pushed into areas where smaller purchases are made, price discrimination can exacerbate (rather than ameliorate) inequality. For example, Newman notes that a report found that, for a certain retailer, those living in “higher-income locations were offered better deals than low-income communities, because those poorer areas had fewer local retail outlets competing with the online stores.”
According to Newman, it is not just the poor who should worry. While internet retailers may advance price transparency in some contexts, in others “price obfuscation strategies are designed to frustrate consumers and keep prices up.” Newman does a close reading of Google economist Hal Varian’s article in the industry-based academic journal Marketing Science, showing how each corporate advantage attributed to extensive data collection can amount to a consumer disadvantage, as the firm determines the “pain point” just below which it can maximally charge for its product. Microtargeting also applies to groups: as Newman notes, big data-driven “search advertising is especially attractive to companies looking for micro markets of vulnerable targets for scams,” because it allows “targeted access” to likely victims. “Vulnerability-based marketing” is also a hot new strategy. Want to find lists of the impotent, the depressed, rape victims? Data brokers have sold those and more, at 7 to 15 cents a name.
Newman’s counterintuitive take on price discrimination joins important pieces by James Boyle and Julie Cohen—both of which undermined classical economic analysis in the intellectual property field. As Boyle observed, pricing can be a manifestation of power, particularly where there is monopoly provision of a service. Newman brings these important insights to internet law. And as he has shown in other work, the market power of big data platforms can be substantial, giving consumers few ways of escaping major firms’ power.
In How Big Data Enables Economic Harm to Consumers, as well as others on the economics of search advertising, Newman is developing a very important counternarrative to the usual stories we hear about Silicon Valley efficiencies and marketing magic. To be sure, there will be many who will continue to frame big data as a “tool for fighting discrimination and empowering groups.” But they will have to grapple with Newman’s work, and concede many critical points he makes, before rehabilitating big data.
Cite as: Frank Pasquale, Typecastes: Big Data’s Social Stratifications (March 18, 2015) (reviewing Nathan Newman, How Big Data Enables Economic Harm to Consumers, Especially to Low-Income and Other Vulnerable Sectors of the Population (18 No. 6 J. Internet L. 11, 2014)).
Annemarie Bridy, Internet Payment Blockades, 67 Fla. L. Rev. __ (forthcoming 2015), available at SSRN
A popular culture aphorism which is useful for teaching or comprehending intellectual property laws is “follow the money.” Often a law or a court decision only makes sense when its financial implications are contextualized. In this interesting, clear and engagingly well-written article, Professor Annemarie Bridy of the University of Idaho College of Law looks at how and why monetary transactions can be stopped cold in cyberspace by financial institutions that initially appear to be acting against their own business interests, but are actually submitting to unseen authority of questionable legitimacy. It is a story of commoditized sex, online sales of illegal drugs, and copyrighted rock and roll.
At the outset, Bridy positions her account of Internet payment blockades in the context of scholarship about powerful corporate actors doing the government’s bidding as the result of behind-the-scenes pressure. She credits Ronald Mann and Seth Belzley with important observations about “how concentration and high barriers to entry in the market for payment processing make payment intermediaries a ‘highly visible ‘choke point’ for regulatory intervention.’” (P. 4, citing to Ronald Mann and Seth Belzley, The Promise of Intermediary Liability.) She further notes in her introduction that: “Public-private regulatory cooperation of this sort goes by many names in the First Amendment literature, including proxy censorship, soft censorship, and new school speech regulation,” citing to relevant works by Seth Kreimer (Seth F. Kreimer, Censorship by Proxy), Derek Bambauer (Derek E. Bambauer, Orwell’s Armchair), and Jack Balkin. (P. 5.)
As is so typical in any unsavory and overreaching account of copyright law in cyberspace, a major anti-hero in the sordid tale of Internet payment blockades is a pornography company, Perfect 10. Bridy recounts the story of Perfect 10’s aggressive but ultimately unsuccessful litigation efforts to hold payment intermediaries legally responsible for alleged copyright infringement by third party websites under the theory that providing payment processing services made them contributorily and vicariously liable. Judicial findings included determinations that: providing payment services did not rise to the level of a material contribution to the infringement; providing payment services did not induce infringement because there was no clear expression or affirmative act of specific intent to foster infringement; and the right and ability to indirectly affect the degree or ease of infringement by providing payment systems did not amount to the right or ability to control the infringing activity.
Bridy observes that after their judicial defeats Perfect 10 and other content owners pressed the U.S. government to devise other mechanisms of control over private payment systems. Bills to achieve this were introduced into Congress, intended to establish new statutory authority in the form of the Combatting Online Infringements and Counterfeits Act (COICA), the Stop Online Piracy Act (SOPA) and the Protect Intellectual Property Act (PIPA). However, these proposed laws proved very unpopular with Internet companies such as Google, Mozilla, Reddit and thousands of others, which whipped themselves into a massive and productive frenzy of protest. Many potentially affected companies leveraged their customer bases to publicly express deep and dire disapproval of this menu of proposed legislation, which was forthwith discarded hot-potato style.
But that was hardly the end of the matter. Bridy cogently explains that after abandoning this quest to directly regulate private payment processors, the U.S. government began deploying “soft” pressure and ardent persuasion to turn private payment entities such as Mastercard, Visa, American Express, Discover, and Paypal into controllable financial chokepoints in cyberspace. These chokepoints, which she labels Internet payment blockades, now facilitate the financial freeze out of political targets like Wikileaks, and of sites accused of vending potentially counterfeit or infringing goods and services.
Though they are ostensibly acting voluntarily, Bridy details the ways that payment intermediaries are essentially forced to police online activities virtually worldwide at the behest of Congresspeople, the Obama administration’s Office of the U.S. Intellectual Property Enforcement Coordinator, and myriad content owners through an opaque system of ironically denominated “best practices.” Bridy warns that there are a number of reasons that these allegedly best practices actually might not even qualify as halfway decent practices: extraterritorial enforcement of U.S. laws is improperly facilitated, extrajudicial remedies are unsuitably enabled, and extraordinary efficiency comes at the expense of due process and transparency. Important disputes are now privately adjudicated, displacing four letter f words like free (as in free speech) and fair (as in fair use) with (at least for this Jotwell reviewer) another four letter f word which communicates anger and despair at this reprehensible development.
Ultimately, Bridy concludes that new payment systems could develop which are more resistant to government interventions. Bitcoin, she asserts, possibly is one of them. She spends the last section of the article explaining how Bitcoin works and evaluating its potential as an effective Internet payment blockade runner. I learned a lot from this, as I did from this excellent article in its entirety.
Cite as: Ann Bartow, Spanking the Money (February 13, 2015) (reviewing Annemarie Bridy, Internet Payment Blockades, 67 Fla. L. Rev. __ (forthcoming 2015), available at SSRN), https://cyber.jotwell.com/spanking-the-money/
Julie Cohen, The Zombie First Amendment, 56 Wm. & Mary L. Rev. __ (forthcoming 2015), available at SSRN
Julie Cohen’s The Zombie First Amendment does not present itself as a piece of cyberlaw scholarship. It’s a treatment of information governance in the post-industrial, information age through the lens of constitutional law, with a broad range of potential applications—from information privacy to campaign finance reform to intellectual property law to network neutrality. In a sense, it’s a meta-cyberlaw paper. It’s not about information technology, but about information as technology.
Any piece by Julie Cohen both demands and rewards a more careful reading than a brief review such as this one can offer. Brevity is today’s currency, however. Begin, then, with the following overview of her argument: Contemporary First Amendment jurisprudence, she argues, is a species of the walking dead, legal doctrine whose form gives the appearance of being a plausibly sentient and responsive entity but whose spirit, soul, and intelligence have been displaced by powers that answer to a different, seemingly unstoppable and almost technological logic. Contemporary information practices have eaten the First Amendment’s brain.
The elements of the argument are these. The first part of the paper reviews and extracts a series of governing modern First Amendment principles from recent Supreme Court opinions. From Citizens United v. Federal Elec. Comm’n, 558 U.S. 310 (2010) (striking down certain campaign finance regulation), and Sorrell v. IMS Health, Inc., 131 S. Ct. 2653 (2011) (striking down state regulation of marketing use of information about physician prescribing behavior), comes the proposition that “information flows that advance the purposes of private property accumulation and consumer surplus extraction may move freely with little fear of encountering regulatory obstacles” (P. 13.) From Holder v. Humanitarian Law Project, 561 U.S. 1 (2010) (upholding a federal law forbidding material support to terrorist organizations), Eldred v. Ashcroft, 537 U.S. 186 (2003) (upholding Congressional extension of the term of copyright), and Golan v. Holder, 132 U.S. 873 (2012) (upholding copyright amendments that effectively restored copyright protection to certain works that had entered the public domain) comes evidence that “some types of content and speaker distinctions will be supported by the full force of law—will be treated, in other words, as principled and nonarbitrary.” (P. 13). Cohen combines these two points, as follows: “[T]hese opinions establish both a generally deregulatory stance toward proprietary, profit-motivated uses of information and the predicate for installing circuit breakers within the network to intercept other kinds of uses that threaten proprietary interests.” (P. 13.)
The cyberlaw argument comes next, and it arrives in blunt, forceful terms. That deregulatory stance, framed in terms of speech as a good “thing” to be protected or a bad “thing” to be guarded against, evinces an uncritical, almost technological determinism. This is the zombie First Amendment, which, Cohen argues, treats speech presumptively as property for constitutional purposes. In so doing it treats attempts to regulate the property-like “thing-ness” of speech as presumptively invalid—unless the regulation is itself directed to defining or advancing a property or property-like claim.
This claim extends a common cyberlaw theme, namely, the rhetorical equivalence of information and property, once recorded as “code is law,” now elevated beyond rhetoric to constitutional status. In a metaphorically technological sense, law is code, bereft of frameworks defined by humanism and justice. Understandings and definitions of what counts as “speech” for constitutional purposes have been overrun by a legal cousin of the market-oriented neoliberalism that characterizes much of the modern information economy. Speech doctrine under the First Amendment is turning from a bulwark against harmful incursions of legal power and privilege in a just society, into their avatar. More than 15 years ago, Cohen cautioned us about the implications of the technologies of the information society for distributive justice, in Lochner in Cyberspace. Her baleful predictions regarding the enduring roles of power and privilege have, in The Zombie First Amendment, come to fruition. What was emergent then in digital information technologies is being realized in decisions of the Supreme Court.
The second part of this paper turns from that conceptual framing to doctrinal and practical payoffs, which are presented partly in terms of developments in intellectual property law, particularly the regulation of expressive corporate speech via trademark and copyright doctrine, and partly in terms of information law, particularly the regulation of secret information (particularly state secrets) and the regulation of commercial data processors (both longstanding credit reporting companies and also search companies such as Google, social network platforms such as Facebook, and data brokers such as Acxiom).
The technological practices and business models of all of these firms depend on extensive access to fine-grained forms of personal information. Legally protecting both the processes that do the work and the products they produce requires, as Cohen points out, a conceptual framework that identifies these “biopolitical” resources as freely “available to be commodified” (P. 20.) Those resources and practices together form an emerging norm of information access and production that consolidates and is consolidated by the “zombification” of the First Amendment that Cohen describes in the first half of the paper, with corresponding implications for power and privilege. The zombie First Amendment has lost the capability that speech doctrine once had to identify speech-related harms and to recognize true speech-related beneficiaries. Law is code, in the popular (and problematic) sense that consumers and citizens en masse are subject to and helpless before an unthinking technology.
Is Cohen right? The questions she is asking are surely questions that need to be asked; the patterns that she has identified are surely patterns to document and critique. The paper does not make a real effort to frame a path forward (and does not claim to have tried), aside from pointing to underlying resource access and allocation problems. That’s an important start. The zombie metaphor points further. Describing eventual solutions in terms of access and allocation means killing zombies by depriving them of food—that is, more brains. But everyone knows that the only truly effective way to kill a zombie is to destroy its brain. Cutting off the food supply is a half-step.
The brain of the zombie First Amendment appears to be the uncritical “thingification” of speech itself, an emerging pattern, exemplified by the work of Henry Smith, that has an uncredited cameo role here. Cohen’s paper calls to mind the work of another Cohen, Felix, who identified almost precisely the same problem, in almost precisely the same terms, 80 years ago. Felix Cohen, it turns out, was ahead of his time, or a George Romero of the legal system, if you will: the creative and intellectual source of a widespread and hugely important 21st century phenomenon. (Romero, of course, made the first true zombie movie, Night of the Living Dead, in 1968. This review’s title is a classic quotation from that film.) The physicality of the forms and practices of industrial production during the 20th century masked the true nature and implications of his claim. The rise of cyberspace, and the assumption that “information” and “code” are almost purely intangible and virtual, have pressed Felix Cohen’s dormant “thingification” idea into urgent and important service in law and in commercial and cultural practice. Can that idea be destroyed? I don’t know. But Julie Cohen’s paper is an important part of a much-needed revival of critical examination of the “thingification” pattern, and of how to go about resisting it.