Tuesday, June 13, 2017

FTC Announces Third PrivacyCon, Calls for Presentations

FTC Announces Third PrivacyCon, Calls for Presentations

FOR RELEASE

Building on the success of its two previous PrivacyCon events, the Federal Trade Commission is announcing a call for presentations for its third PrivacyCon, which will take place on February 28, 2018.

The 2018 PrivacyCon will expand collaboration among leading privacy and security researchers, academics, industry representatives, consumer advocates, and the government. As part of this initiative, the FTC is seeking general research that explores the privacy and security implications of emerging technologies, such as the Internet of Things, artificial intelligence and virtual reality. The 2018 event will focus on the economics of privacy including how to quantify the harms that result from companies' failure to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices.

"Deepening the FTC's understanding of the economics of privacy and consumer harm in the context of information exposure is integral to the FTC's enforcement and educational efforts," said Acting FTC Chairman Maureen K. Ohlhausen. "I have made studying the economics of privacy a centerpiece of my consumer protection agenda, and I hope that PrivacyCon 2018 will highlight important research in this area."

The call for presentations seeks research and input on a wide range of issues and questions to build on previously presented research and promote discussion, including:

  • What are the greatest threats to consumer privacy today? What are the costs of mitigating these threats? How are the threats evolving? How does the evolving nature of the threats impact consumer welfare and the costs of mitigation?
  • How can companies weigh the costs and benefits of security-by-design techniques and privacy-protective technologies and behaviors? How can companies weigh the costs and benefits of individual tools or practices?
  • How can companies assess consumers' privacy preferences?
  • Are there market failures (e.g. information asymmetries, externalities) in the area of privacy and data security? If so, what tools and strategies can businesses or consumers use to overcome or mitigate those failures? How can policymakers address those failures?

Submissions for PrivacyCon must be made by November 17, 2017.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook(link is external), follow us on Twitter(link is external), read our blogs and subscribe to press releases for the latest FTC news and resources.

CONTACT INFORMATION 

MEDIA CONTACT:
Juliana Gruenwald Henderson(link sends e-mail)
Office of Public Affairs
202-326-2924

STAFF CONTACT:
Kristen Anderson
Bureau of Consumer Protection
202-326-3209

Friday, June 09, 2017

Is an IP Number the Same as a Telephone Number? :: U.S. v Ulbright, 2nd Cir. May 31, 2017 (The Silk Road Case)

Both telephone numbers and IP numbers function as network addresses. Are they analogous in terms of law and policy? The recent Second Circuit decision U.S. v Ulbright (The Silk Road Case) concludes that they are. But of course the answer to this question depends on the context in which it is asked.

Source: Wikicommons
CASE SUMMARY: "Defendant Ulbricht appeals from a judgment of conviction and sentence to life imprisonment entered in the United States District Court for the Southern District of New York. A jury convicted Defendant of drug trafficking and other crimes associated with his creation and operation of Silk Road, an online marketplace whose users primarily purchased and sold illegal goods and services. He challenges several aspects of his conviction and sentence, arguing that (1) the district court erred in denying his motion to suppress evidence assertedly obtained in violation of the Fourth Amendment; (2) the district court committed numerous errors that deprived him of his right to a fair trial, and incorrectly denied his motion for a new trial; and (3) his life sentence is both procedurally and substantively unreasonable. Because the appellate court identified no reversible error, it AFFIRMED Defendant's conviction and sentence in all respects."

In this post, we look at Defendant's claim that evidence was obtained in violation of the Fourth Amendment, specifically that for purposes of Trap and Trace, an IP number is not functionally the same as a telephone number.

FACTS: Suspecting Defendant's involvement in Silk Road, law enforcement agents (LEAs) obtained five pen/trap orders pursuant to 18 U.S.C. § 3121-27. "The orders authorized LEAs to collect IP address data for Internet traffic to and from Defendant's home wireless router and other devices that regularly connected to Defendant's home router." "The pen/trap orders did not permit the government to access the content of Defendant's communications, nor did the government 'seek to obtain the contents of any communications.'"

"According to Defendant, the government's use of his home Internet routing data violated the Fourth Amendment because it helped the government match Defendant's online activity with DPR's use of Silk Road. Defendant argues that he has a constitutional privacy interest in IP address traffic to and from his home and that the government obtained the pen/trap orders without a warrant, which would have required probable cause."

RULE: "The government obtained the orders pursuant to the Pen/Trap Act, which provides that a government attorney "may make [an] application for an order . . . authorizing or approving the installation and use of a pen register or a trap and trace device . . . to a court of competent jurisdiction." 18 U.S.C. § 3122(a)(1). A "pen register" is defined as a "device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted," and "shall not include the contents of any communication." Id. § 3127(3). A "trap and trace" device means "a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication." Id. § 3127(4). Like pen registers, trap and trace devices may not capture the "contents of any communication." Id."

The level of legal process required is an application to a court, unlike a Fourth Amendment search and seizure that requires a warrant. LEAs receive transactional information about the communications, such as the communications' addressing. Courts have held that pursuant to the Third Party Doctrine, individuals have no expectation of privacy in transactional information - individuals turn this information over to network providers in order to set up and complete communications.

It is settled caselaw that telephone numbers are "addressing" that fall within this precedent. They are network addresses used by individuals given over to the network provider to set up and complete telephone calls. According to the Supremes,
Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.
Smith v. Maryland, 442 U.S. 735, 743-44 (1979) .

ISSUE: Is an IP number an "address" analogous to a telephone number?

ANALYSIS: Federal courts have concluded that IP numbers provide the same function as telephone numbers and fall under the Third Party Doctrine in the same way as telephone numbers.
E-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users' imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742, 99 S.Ct. 2577. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information. Like telephone numbers, which provide instructions to the "switching equipment that processed those numbers," e-mail to/from addresses and IP addresses are not merely passively conveyed through third party equipment, but rather are voluntarily turned over in order to direct the third party's servers. Id. at 744, 99 S.Ct. 2577.
United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008).

The 2nd Circuit in Ulbright agrees with the 9th Circuit, stating that "the recording of IP address information and similar routing data, which reveal the existence of connections between communications devices without disclosing the content of the communications, are precisely analogous to the capture of telephone numbers at issue in Smith… The substitution of electronic methods of communication for telephone calls does not alone create a reasonable expectation of privacy in the identities of devices with whom one communicates."

HOLDING: IP numbers are analogous to telephone numbers for purposes of Trap and Trace and Pen Registers.

WHERE IP NUMBERS and TELEPHONE NUMBERS INTERSECT: There are other points where IP numbers and telephone numbers intersect. Recently the FCC in the 2015 Open Internet order revised the definition of " telecommunications service" to include networks that utilize the North American Numbering Plan as well as ICANN's IP address resource. When the FCC then applied privacy regulations to the Internet, the Internet Society adamantly argued that IP numbers are not analogous to telephone numbers. . However, ISOC elsewhere indicated support for the Open Internet. ISOC's concern appeared to be less about the analogy and more about applying "telephone era regulations to the Internet."

The analogy between IP numbers and telephone numbers has also arisen in the context of Regional Internet Registries (RIRs) who have grappled with address transfers and whether network addresses are the property of the assignee or of the network. FCC precedent has held that network addresses are the property of the network, not the subscriber - a policy necessary to ensure the efficient operation of the network. A policy that views network addresses as the property of subscribers encumbers the network resource in bankruptcy proceedings, trademark disputes, mergers and acquisitions, and speculations. Following the precedent of the telephone numbering resource, RIRs have contractual terms that state that IP numbers are the property of the RIRs and not assignees.

Finally, IP Numbers and telephone numbers intersect with VoIP. iVoIP providers need access to the telephone number resource in order to assign telephone numbers to their customers and must make number portability available. They also need to be able to interconnect with other North American Numbering Plan networks (in other words, reach other network end points addressable by telephone numbers). See also ENUM.

CITATION: U.S. v Ulbright, 2nd Cir. May 31, 2017 (The Silk Road Case)

Sunday, April 30, 2017

1995 :: April 30 :: NSFNET Decommissioned

April 30th, 1995 marked the end of the wildly successful NSFNET.  NSFNET was born out of the desire to expand the Internet community beyond a Department of Defense playground, extending it to the full academic community.  It ended with the successful privatization of the Internet, transferring backbone services to commercial networks, and establishing key commercial Internet interconnection sites.

NSFNET gave us the early commercial topology of the Internet, with Tier 1 backbones, Tier 2 regional networks, and Tier 3 local networks. NSFNET gave us our first dedicated backbone and the first mbps backbone.  It also gave us the crucial Network Access Points, known today as Internet eXchange Points.  The contractors that bid for the opportunity to build and operate NSF's network learned from their experience and launched into the information economy as the leading commercial Internet networks. A government investment of millions of dollars had a Return on Investment of an entire new economy.


In 1995, MERIT published the NSFNET Final Report, in which it was stated:
"Infrastructures, for purposes such as transportation and communication, have long been vital to national welfare. They knit together a country's economy by facilitating the movement of people, products, services, and ideas, and play important roles in national security." p. 4.
The report concluded:
"Since the earliest days of the telegraph and the telephone, history tells us that the arrival of each new communications medium has been accompanied by grandiose claims of its potential benefits to society. In order to take advantage of the exciting opportunities afforded by today's technology, it is imperative that policy makers examine the development of the NSFNET and the Internet. We are still far away from a truly open, interoperable, and ubiquitous global information infrastructure accessible to all, "from everyone in every place to everyone in every other place, a system as universal and as extensive as the highway system of the country which extends from every man's door to every other man's door," in the words of Theodore Vail, president of AT&T in 1907. However, the Internet has brought us a giant step closer to realizing the promise of high-speed networking, one of the most revolutionary communications technologies ever created. As part of this phenomenon, the NSFNET backbone service provided a model for future partnerships as well as a legacy of technology for the world." p. 43.

Wednesday, April 05, 2017

Not Not Pleading That Defendant is a Content Producer Means Continued Friction of Sec. 230(c) Litigation :: Moretti v. The Hertz Corp., D. Del. 2017

Litigation is a painful friction. And an expense. And generally one wants to dispose of litigation as expeditiously as possible.

To understand today’s 47 U.S.C. s 230(c) litigation, we must go back to Civil Procedure 101. What is the difference between a motion on the pleadings, Rule 12(c), and a motion to for summary judgment, Rule 56? Friction and expense. If plaintiff files suit and alleges a claim that cannot result in a decision in plaintiff’s favor, regardless of the facts, then defendant can file a “You Got Nothing” motion for judgment on the pleadings. For example, if plaintiff sues defendant for being a raspberry cupcake, defendant can move to dismiss on the grounds that being a raspberry cupcake is not grounds for a lawsuit. Lawsuit ends before it even begins.

If, however, we are in the 9th Circuit where being a raspberry cupcake actually is a problem, then a motion to dismiss will not succeed. Defendant must defend, arguing that defendant is a blueberry cupcake, not a raspberry cupcake. To establish this, parties must engage in discovery (expense) and submit evidence (expense). Now, after discovery, if there are no relevant facts in dispute, defendant can move for summary judgment. “Plaintiff alleges that Defendant is a cupcake, but after discovery it is undisputed that Defendant is a blueberry cupcake. Therefore plaintiff’s cause of action should be dismissed.” Defendant wins again…. but after friction and expense.

Got it?

Now you are ready to understand today’s Sec. 230(c) case: Moretti v. THE HERTZ CORPORATION, Dist. Court, D. Delaware 2017.

Plaintiff sued Hertz, Dollar Thrifty, and Hotwired on the grounds that, according to the court,
“The Hertz Corporation and Dollar Thrifty Automotive Group, Inc. supplied [] misleading information about car rental prices and terms to Hotwire, and Hotwire incorporated the content into listings on its website. Plaintiff alleges that Hotwire continued to do so despite consumer complaints and Hotwire's knowledge of the information's fraudulent content. Plaintiff characterizes Hotwire as a willing and ratifying participant in this arrangement, and alleges that Hotwire "directly profit[s]" from the scheme.”
Defendant Hotwired said, “Plaintiff’s Got Nothing.” Plaintiff has alleged that Defendant Hotwired has published third party content. Pursuant to Sec. 230(c), Defendant Hotwired as an Interactive Computer Service is not liable for third party content on its website. Easy get out of litigation free case.

Before we move forward, let’s review some precedent. There is no “notice and takedown provision” to Sec. 230(c); notice to an interactive computer service that third party content is problematic does not obligate the interactive computer service to remove that content and does not give rise to a cause of action. Zeran v. American Online, Inc., 958 F. Supp. 1124, 1134-36 (E.D. Va. 1997), aff'd 129 F.3d at 333 ("Liability upon notice would defeat the dual purposes advanced by § 230 of the CDA" as it would "reinforce[] service providers' incentives to restrict speech and abstain from self-regulation"; notice-based liability "would provide third parties with a no-cost means to create the basis for future lawsuits."). Furthermore, making a profit also does not give rise to a cause of action and does not transform an interactive content service into a content producer (see caselaw involving interactive content services that made money off of hosting third party content). The only relevant allegation with regards to Defendant Hotwired is that it published third party content.

Not so fast, says the court. And this is where the tension between a motion to dismiss and motion for summary judgment grows. Even though, according to the facts as presented by the court, plaintiff did not allege that defendant Hotwired was a content provider, plaintiff also did not allege that defendant Hotwired was not (yes a double negative) a content provider. It is not on Plaintiff to anticipate every affirmative defense and plead facts sufficient in the complaint to defeat those affirmative defenses. There is no evidence that Congress wanted to convert Sec. 230(c) from an affirmative defense to a pleading requirement.

Really?? REALLY!! I mean come on! The court would rather encumber defendants with the slings and arrows of pissed off plaintiffs rather than dispose of unnecessary litigation out of the gates? We have been here over and over and over again and yet plaintiff’s attorneys seem unable to learn that interactive computer services ARE NOT LIABLE for third party content. But hey, on the one hand we could have plaintiff easily amend its complaint and add like three words that say defendant is a content provider - something the court said plaintiff indicated it could do - but the court did not require of the plaintiff in order to continue the litigation - or we can let defendants out of litigation (without prejudice) that they allegedly have no business being dragged through, wasting their time and money.

Let’s be clear. According to the Rules of Civil Procedure, Rule 8(a)(2): the complaint must plead “a short and plain statement of the claim showing that the pleader is entitled to relief.” Defendant Hotwired gets to know why it’s being sued. According to the facts as presented by the court, the content in question came from third party defendants; the only relevant factual allegation is that defendant Hotwired hosted the third party content. And from that, the only way Defendant can respond is that Defendant is an Interactive Computer Service protected under Sec. 230(c). Compare Levitt v. Yelp! Inc., Case No. C10-1321, 2011 WL 5079526, at *2 (N.D. Cal. Oct. 26, 2011) (Mere speculation is insufficient to overcome a motion to dismiss).

The court weasels:
“The Court recognizes the friction between its holding and Congress's stated goals in enacting Section 230. The Court is sensitive to the expense of litigation and the public policy arguments in favor of requiring plaintiffs to plead around immunities from suit like Section 230.“
Nevertheless, “Hotwire has not ‘clearly established that no material issue of fact remains to be resolved.’” Yeah, establishing that there are no disputed facts is the summary judgment standard. The motion to dismiss standard is that “Plaintiff’s Got Nothing.” And when on the pleadings all that Plaintiff has alleged is that a third party supplied content and defendant has that content on its website, then Plaintiff has nothing and the court should not be putting defendants through litigation that cannot lead anywhere (or make plaintiff amend its complaint).

Unless, off course, it’s just the case that the judge feels that Congress through Sec. 230(c) inappropriately shielded defendants and that Interactive Computer Services really should face responsibility for publishing third party content.

Or did I get that wrong?