Joris van Hoboken

The American Library Associations have filed their amicus brief to the Google Books Settlement approval procedure. They call for strong judicial oversight, stronger guarantees against possible abuse of market power, and more emphasis on intellectual freedom and privacy protection.

I have been following the settlement proceedings, mostly through James Grimmelmann’s efforts, and was looking forward to the libraries’ position on privacy and intellectual freedom. I have to admit that I am a little disappointed.

On privacy, the brief concludes:

In response to concerns raised by libraries and others, Google has stated that it will take appropriate measures to protect user privacy. The Library Associations expect Google, in consultation with the Library Associations and other representatives of user interests, to meet this commitment. Google and the Registry should develop strong policies to protect personally identifiable information, and provide users with clear notice describing those policies.

In other words the brief does not call for limitations on the registration of individual reading habits or the further use of such information. And the problem that the brief does not address is the lack of protection against government access under US law. Without legislative action, the reading records that would be collected by Google are accessible with a simple subpoena. Google and the Registry can settle what they want, and the court can approve what it wants, they cannot offer additional protection under US law against access by law enforcement and national security agencies.

On intellectual freedom, a library term for freedom of expression and information, the brief discusses Google’s discretion to exclude books for editorial and non-editorial reasons. A recent debate over library censorship shows how real these concerns are in the United States. The brief notes:

While Google on its own might not choose to exclude books, it probably will find itself under pressure from state and local governments or interest groups to censor books that discuss topics such as alternative lifestyles or evolution. After all, the Library Project will allow minors to access up to 20% of the text of millions of books from the computers in their bedrooms and to read the full text of these books from the public access terminals in their libraries. Although public libraries have often contended with demands to eliminate or restrict access to specific books, any collection management decision by a particular librarian affected only that community.

What the brief fails to notice, is that the books in the Google Books Program are already available somewhere in a United States library. One would expect this to mean that the material is legal and suitable for American readers, from a librarian’s perspective at least. Why would libraries agree to an extra round of editorial discretion with regard to material that has been carefully selected already?

The remedy proposed in the brief is accountability through transparency. The Court, overseeing the settlement, should be able to direct Google to provide a list of excluded books with a motivation for these exclusions. This will probably be enough for Google to think twice about excluding books for bad reasons, but I would have expected libraries to take a stronger stand on (private) censorship and simply oppose the removal of books from Google Books because they would be unsuitable for children.

This Tuesday, I attended a lecture at Suffolk Law School by copyright law authority David Nimmer. Nimmer discussed the copyright implications and legal developments for text, image, video and book search. As the title suggests, he focused almost entirely on services provided by Google. His discussion of video search did not implicate ’search’ in the strict sense, but addressed the Viacom v. YouTube lawsuit. The Google Book Search has taken a different legal path since the proposed settlement, which received preliminary approval this week. Below are my notes of professor Nimmer’s discussion of text and image search.

Netcom and pre-DMCA

Nimmer started his discussion with the famous Netcom case of 1995. In RTC v. Netcom, Scientology sued a Bulletin Board Service (BBS) for infringement of copyright of Scientology material. Users of the BBS had posted the material on the BBS. In a pragmatic decision, the court concluded there was no direct and no contributory infringement, because there was no volition and no knowledge of the infringing activity respectively.

Nimmer then referred to the WIPO discussions about copyright leading to the WIPO Internet Treaties, and the legislative efforts in the United States leading to the well known Digital Millennium Copyright Act (DMCA), which currently provides for safe harbors for online intermediaries, including search engines, in section 512. He pointed out that part of the intermediary copyright liability regime in the DMCA are two provisions that state that exempted intermediaries have to (1) adopt a policy for repeat infringers and (2) conform to standard technological measures to prevent infringing activity (in other words adopt filtering measures if there is standard accepted filtering technology). He clarified that until now the latter provision has proven meaningless, because there are no such accepted filtering technologies yet. He did point to filtering technology companies as Audible Magic, claiming they had improved over the last decade to the extent that the provision would start to be meaningful. Recently, this reasoning received a serious blow when a Belgium court lifted an order to use filtering technology because it considered it to be ineffective.

Field v. Google

Focusing on text search and search engine caching, Nimmer discussed the case Field v. Google. Before addressing that case he discussed an image search case, Kelly v. Arriba Soft. In that case, the 9th Circuit held that the use of thumbnails did not require authorization by the rights holders because of fair use. The court considered the use of thumbnails transformative and stressed the value of the service provided by Arriba. Nimmer did not address the issue of inline linking in Kelly.

Going back to Field, he first explained the background of the case. Field, an attorney, was the publisher of a website with various stories and essays in which he held copyrights. He waited for Google to crawl, index and make available cached copies of this website and then sued Google for copyright infringement. Field, probably not surpisingly, lost on all accounts. The district court found no direct infringement. The court  also held that Google had four defenses with regard to possible direct copyright infringement. First, it had an implied license for the publication of cached copies. Second, Field was estopped from asserting its copyright claim against Google. Third, the conduct of Google amounted to fair use. And fourth, Google was entitled to the caching safe harbor in Section 512 (b) of the DMCA. It might be interesting to note that Field did not assert that the initial copying by Google as a result of crawling and indexing constituted direct infringement.]

The court in Field relied on Netcom in its conclusion that there was no direct infringement by Google:

[...] when a user requests a Web page contained in the Google cache by clicking on a “Cached” link, it is the user, not Google, who creates and downloads a copy of the cached Web page. Google is passive in this process. Google’s computers respond automatically to the user’s request. Without the user’s request, the copy would not be created and sent to the user, and the alleged infringement at issue in this case would not occur. The automated, non-volitional conduct by Google in response to a user’s request does not constitute direct infringement under the Copyright Act. See, e.g., Religious Tech. Ctr., 907 F. Supp. at 1369-70 (direct infringement requires a volitional act by defendant; automated copying by machines occasioned by others not sufficient);[...] Summary judgment of non-infringement in Google’s favor is thus appropriate.

Nimmer asserted that this reference to volition in Netcom was wrong, since the legislative history had replaced the holding in Netcom with the DMCA and the DMCA did not codify the volition criterion. He explained how in the Judiciary Committee, the Playboy ruling had first been overruled and the Netcom ruling held in favour, but that later the current DMCA framework was adopted that replaced both rulings.

Robots.txt and implied license

Nimmer seemed to be more pleased with the court’s conclusion with regard to the implied license. The argument of the court is based on the availability of an opt-out for webmasters, in the form of robots.txt, that makes it possible for them to exclude their material from crawling, indexing and caching in search engines. This, in Nimmer’s words, ‘idiot proof computer program’ lies at the basis of the implied license and the estoppels defense.

Fair use and DMCA defenses in Field problematic

Nimmer pointed out that the he considered the fair use defense problematic, because Googe copied and made available the complete material as an archival (cached) copy. Nimmer stated that the defense of section 512 b of the DMCA was not available to search engines. He clarified that this caching safe harbor involves 4 actors in the statutory provision. It is not applicable to search engine cache, because the actors involved in the statute do not map to the search engine context. The caching safe harbor is written for proxy caching. For a complete discussion, see Peguera 2008.

Nimmer also shortly discussed the famous Napster litigation, in which the safe harbor for linking and search engines did not apply because of knowledge of the infringement taking place with the help of its service.

Perfect 10 v. Google

Moving on to image search, Nimmer discussed the Perfect 10 v. Google case, which hasn’t ended yet. Perfect 10, a rights holder in adult pictures, sued various intermediaries, including Google and major credit card companies, for direct and/or indirect copyright infringement. The case is different from Field because the material that ended up in Google consisted of unauthorized copies. As a result the implied license and estoppels defense were not applicable here, since Perfect 10 had no control over the postings of the content like Field had. In his lecture, Nimmer focused on the question about fair use and indirect infringement. The fair use defense failed at the district court level, because the court found that there was an actual market for thumbnail size pictures (mobile phone downloads).  The Ninth Circuit reversed and remanded, with a complex ruling in two steps, arguing that the use of thumbnail images was commercial in nature but that the public interest had to be taken into account when determining whether the use was transformative. The case is back at the district court level. Nimmer said he was agnostic as to who we will ultimately win the case.

European developments

It is interesting to note that the European Commission has issued a Green Paper that deals with some of these important issues (in footnote 21) and that in Germany the image search litigation continues to be challenging for search engines.

“Deep Search” - The digital future of finding out

World-Information Institute, Saturday 08 November 2008, 10:30 – 20:00. Live stream available on the website. Location: Austria Trend Hotel Savoyen Vienna, Free entrance, conference language is English.

Ars technica reports; “Do people read online privacy policies? Of course not. But if they did read them at least once a year, it would take an average of 10 minutes per policy and cost $365 billion in lost leisure and productivity time.” The study is here.

The US Court dealing with the YouTube v. Viacom case has ordered Google to provide Viacom the log file of the use of the Youtube service. It does not have to provide the source code of its search engine(s), which could be considered a victory for Google. Some other motions are either granted (list of all removed videos) or dismissed.

The “logging” database contains: for each instance a video is watched,

• the unique “login ID” of the user who watched it;
• the time when the user started to watch the video;
• the internet protocol address other devices connected to the internet use to identify the user’s computer (“IP address”);
• the identifier for the video.”

Google tried to defend its millions and millions of users on the basis of their privacy, but, unfortunately, Google’s statements about user privacy over the last few years now boomerang back into its face. The judge considers that Google’s privacy claims are “speculative“. The problem is that Google tries to have it both ways - to users and regulators it says there is no privacy problem, and when it is in its own interest it says these data collections are a privacy concern (which of course they are, and not only a privacy concern but a freedom of expression and freedom to access information interest as well). The judge simply cites Google. Google does:

“not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44)” (what about users that do use their real name?)

and Google has elsewhere stated:

“We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.” (this statement must have been made by Google in the European data protection law context.)

This is terrible for Youtube users and arguably shows how awfully Google represents the privacy interests of its users. I am not sure about the reasoning of the judge but there seems something wrong there too. EFF argues there is a problem with the Video Privacy Protection Act (VPPA), but i doubt it applies, since YouTube is not in the rental business and these kinds privacy laws in the US are usually very specific. More fundamentally, I would argue that the privacy interests of users should be (partly) evaluated independent of Google’s statements about them.

I am curious how the Youtube community will react to this. Some might even be taken to Court by Viacom. Finally, it will be interesting to see what Google will do. Will it be calling for better privacy laws in the US, now that it gets hurt in its trust relationship with its users on this major scale?

More coverage on:

• Search Engine Land, calling for a US Internet Privacy Act;
• TechCrunch, promising a class action lawsuit of staggering proportions if Google turns over the data;
• Heisse online, asking whether the judge took the privacy protection of Europeans into account;
• News.com, discussing several legal issues around the ordered data transfer such as Viacom’s ability to use the data for other purposes than to prove the prevalence of piracy on YouTube;
• BBC, with a short Q&A, concluding that Google is liekly to challenge the order, more here.
• Forbes, with a good overview with quotes of Rotenberg and a product manager.

Update: Google and Viacom both try to resue the damage in terms of goodwill. Both parties assert that the transfer will be structured in such a way that it will not affect user privacy. And Google has hastily posted a link to its privacy policy on its homepage. A ‘historical’ miniature move.

Reuters reports about a letter of Google to a U.S. lawmaker, signed Alan Davidson, stating that: “Google supports the adoption of a comprehensive federal privacy law that would accomplish several goals such as building consumer trust and protections; creating a uniform framework for privacy, which would create consistent levels of privacy from one jurisdiction to another; and putting penalties in place to punish and dissuade bad actors.”

Marc Rotetenberg of EPIC, explains that a federal privacy law could end up lowering privacy protection, since states like New York and California have privacy laws in place, which could be pre-empted by a federal law. In fact, Californian data privacy law would oblige Google to put a “privacy policy” link on its homepage, something it still refuses to do. The EU’s Article 29 Working Party recently concluded that (with regard to the EU data protection directive) there is still some work to do for search engines with regard to their privacy policies. Not only do they have to be more esily accessible, they also have to include a user’s rights of access (absolute) or deletion (not absolute) included in Articles 12, 13 and 14 of the Data Protection Directive.

This is an excellent video of panel on privacy and online advertising, organized by Joseph Turow of the Annenberg School. It is really worth watching.

James Grimmelmann has a thoughtful post criticizing a proposal in the United States on section 108 of the Copyright Law. The proposal aims to improve the statutory carve-out of libraries and archives, but seems to make it more compluicated and also restricts it. He nicely puts the proposal in the prespective of the common reaction of the  so-called professionals to the new role of the so-called amateurs in our information ecology:

“[..] when amateurs start doing the sort of tasks we associate with experts—in this case, the tasks of librarianship and archiving—sometimes the experts have trouble recognizing the value of what the amateurs are doing it. We’ve seen this with journalism and blogs; we’ve seen this with encyclopedists and Wikipedia; we’ve seen this with programmers and free software. Instead of making common cause with the thousands of eager volunteers who want to work alongside them, the professions close ranks around a misguided notion of exclusivity.“

Should the European Commission address the privacy implications of the Google Doubleclick merger review and impose conditions? What does the Data Protection Directive mean for the logging and profiling of users by Web search providers? These were the central questions discussed at the public seminar, of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament, on Monday 21 January 2008. Invited speakers included, Peter Hustinx (EDPS), Pamela Jones Harbour (FTC), Mark Rotenberg (EPIC) , Peter Fleischer (Google), Thomas Myrup Kristensen (Microsoft), Cornelia Kutterer (BEUC) and Sjoera Nas (Dutch DPA).

Although the afternoon started promising, with opening remarks by chair Cavada on the long history of the need for scrutinizing concentration in the information and communication industry, referring to the fundamental issues at stake for individuals and society as a whole, the debate did not bring many perspectives that had not been offered previously.

The discussion about IP addresses, processed by Web search providers in their logfiles, made the news. More specifically, the statements by Hustinx, and Peter Schaar, chair of the Article 29 Working Party that search engines should treat them as personal data, as defined in the European Data Protection Directive. This is just a reiteration of earlier conclusions, most notably the opinion of the Article 29 Working Party on the concept of personal data. The Dutch DPA recently published guidelines on privacy and publications of personal data on the Web, that included the same conclusion. I never heard any sensible legal argument why ip-addresses would not (in general, there are a few specific exceptions) fall under the definition of personal data in EU law. Surely there are many practical reasons, including the lack of will to deal with the provisions on fair and accountable procession of personal data of the Directive, but that’s a different question. In the U.S. there is a similar debate, which is more open due to the lack of any definition or norm of what constitutes personal data under U.S law.

The remarks about the relevance of the possible privacy implications of the merger were not of the same quality and level as the discussion in the United States. FTC Commissioner Harbour restated her opinion that the economic relevance of the personal data and the effects on privacy of the merger should be part of a merger review. There seems reason to believe that the Commission will approve the merger, without privacy conditions. However, merged or unmerged, data protection laws will apply. As Sjoera Nas of the Dutch Data Protection Authority stated:

“In her opinion, the privacy directive was adequate, in that it provided a clear, useable framework. For her, it was not
for the data protection authorities to consider the consequences of a merger, but for the companies themselves to continue to comply with data protection rules. She also called for adequate enforcement powers of all data protection authorities.”
An official summary of the seminar is available through Statewatch.

A recurring argument in defense of legislative measures eroding civil liberties is that these measures provide the needed security for citizens. Especially the right to privacy has suffered immensely because of this seemingly strong but false argument.

Now the argument has been put forward in a rather extreme form -“security and privacy are a zero sum game”- by a National Intelligence officer in the United States. He makes the argument in the context of Internet surveillance proposals that would include easy access to Web search records for the U.S. government.

The Opennet initiative has a reaction that sums up a number of reasons why the argument is wrong and dangerous. It concludes: “To describe conflicts between privacy and security as a zero-sum game is to obscure the value of [Congressional, judicial, popular, or other form of] oversight and of careful weighings, and thus is inappropriate whatever one’s views of the appropriate trade-off between privacy and security in any given situation.”

I agree that the argument of the zero sum game is wrong and probably dangerous, and there are many more reasons for that. They result from the falsities in the general argument that in case the prevention of (perceived) new or increased harms to society is considered to justify a change in the existing scheme of civil liberties, that process has to be understood in terms of “striking a new balance between liberty and security”. A great analysis of that argument in the context of terrorism politics has been made by Jeremy Waldron in his article ‘Security and Liberty: The Image of Balance’, Journal of Political Philosophy 11 (2), 191–210.

Waldron gives four fundamental reasons why this general argument deserves close scrutiny:

“(i) Objections to consequentialism. Talk of balance—particularly talk of changes in the balance as circumstances and consequences change—may not be appropriate in the realm of civil liberties. Civil liberties are associated with rights, and rightsdiscourse is often resolutely anti-consequentialist. [...]“ The zero sum game argument especially suffers from the objection against consequentialism.

“(ii) Difficulties with distribution. Though we may talk of balancing our liberties against our security, we need to pay some attention to the fact that the real diminution in liberty may affect some people more than others.” I find this argument rather important in practice. History has shown that all sort of groups have suffered disproportionally, often unjustifiably, from the lack of civil rights, be it political opposition, ethnic or religious minorities or economically less well off.

“(iii) Unintended effects. When liberty is conceived as negative liberty, a reduction in liberty is achieved by enhancing the power of the state. This is done so that the enhanced power can be used to combat terrorism. But it would be naive to assume that this is the only thing that that enhanced power can be used for. We need to consider the possibility that diminishing liberty might also diminish security against the state, even as it enhances security against terrorism.”

In the case of Web search privacy, one of these (unintended?) effects is the chilling effect on the information practices of citizens. Recently I taught a class in Internet & privacy at the Institute for Information Law in Amsterdam, where I conduct my PhD research. We got to discuss Web Search Privacy in detail. In the discussion several students stated they would not search about certain sensitive issues they had an interest in, because they were worried that these queries might end up in the hands of certain government agencies. Now the legislation is drafted that makes the conceptions of these students reality. The cited judgment of the German Constitutional Court below can serve as further comment.

“(iv) Real versus symbolic consequences. Though talk of adjusting the balance sounds like hard-headed consequentialism, it often turns out that those who advocate it have no idea what difference it will actually make to the terrorist threat. Accordingly we must subject these balancing arguments to special scrutiny to see how far they are based on fair estimates of actual consequences and how far they are rooted in the felt need for reprisal, or the comforts of purely symbolic action.” Such symbolic legislation is widespread. An example in the Netherlands is the Identity obligation.

I would like to add to this long list of arguments that security and privacy are in many ways overlapping. Data privacy for instance protects us from identity theft, the Fourth Amendment protects Americans (in theory) from warrantless searches, thus security against the State. That makes it difficult to put them on a scale. Another flaw results from the complexity of both of these notions. Privacy is understood in various ways. Most times security is all together ill defined.

Finally, a defense of data privacy , which could be stressed in this context, is the fundamental relation data privacy has with pluralism and democracy. The German Constitunional Court concluded in 1983:

” A society in which citizens can no longer know, who what when and in which occasions knows about them, is not compatible with the right of informational self-determination. One who is uncertain, whether deviant behavior is continually noticed and durably registered, used, or shared, will attempt not to attract attention through such behavior. [...] This would not only affect the possibilities of individual self-fulfillment, but also the common good, while self-determination is a qualitative requirement of a free and democratic society, built on autonomous citizens. Hence, self-development sets a limit for the individual to the aggregation, registration, usage and sharing of his personal data.

[ my translation of: „Mit dem Recht auf informationelle Selbstbestimmung wären eine Gesellschaftsordnung und eine diese ermöglichende Rechtsordnung nicht vereinbar, in der Bürger nicht mehr wissen können, wer was wann und bei welcher Gelegenheit über sie weiß. Wer unsicher ist, ob abweichende Verhaltensweisen jederzeit notiert und als Information dauerhaft gespeichert, verwendet oder weitergegeben werden, wird versuchen, nicht durch solche Verhaltensweisen aufzufallen. […] Dies würde nicht nur die individuellen Entfaltungschancen des Einzelnen beeinträchtigen, sondern auch das Gemeinwohl, weil Selbstbestimmung eine elementare Funktionsbedingung eines auf Handlungsfähigkeit und Mitwirkungsfähigkeit seiner Bürger begründeten freiheitlichen demokratischen Gemeinwesens ist. Hieraus folgt: Freie Entfaltung der Persönlichkeit setzt unter den modernen Bedingungen der Datenverarbeitung den Schutz des Einzelnen gegen unbegrenzte Erhebung, Speicherung, Verwendung und Weitergabe seiner persönlichen Daten voraus.”]