William Carleton, Counselor @ Law

I've read - skipping about from end to middle to beginning- about a quarter of the new Jaron Lanier book, "Who Owns the Future," and thought I would share a few initial impressions.

The work is like a thought collage. Units of two or three pages of text raise a concept, double back on the verbal logic of an arresting metaphor, then recede quickly to give way to another unit that might be framed around another industry.

But that other industry will be framed in a consistent metaphor. For example, money, throughout its history and at all times, has been a means of information exchange and thus essentially a kind of information technology. (That leap is a bridge too far for me. More productively provocative is his simple juxtaposition of Instagram as the digital economy's replacement for Eastman Kodak - I can't help but doubt the comparison is fair, but it does challenge you and reset some assumptions.)

Jacob Silverman has suggested that the organization of the book is over-determined. Silverman calls out in particular the length and complexity of the table of contents. I wonder though if Lanier isn't subverting the tropes of better business and self-help books, which use unnecessary headers and insets as though conceding that the intended readership has neither the attention span nor analytic reach to actually read a narrative.

Perhaps Lanier's table of contents, and indices at the end of his book, should be thought of as after-the-fact hyperlinks, or a kind of browser history log that needs to be granular enough to be useful when you are possessed to retrace a step, to revisit a paragraph that might have germinated in your subconscious since first encounter.

Lanier is reaching for a literary code, but making due for the most part with a discursive, personal voice. Some of the units seem like exercises whereby Lanier justifies to himself the extent and limits of his critique. (He seems to so much value identification with Silicon Valley, that all targets of his critique must be identified by that metaphor, too. Even Amazon is part of Lanier's Silicon Valley, though I am fairly confident that Amazon is about a half mile from the downtown Seattle window I am looking from as I type this. It is taking a surprisingly long time for Amazon's geography to be absorbed in the culture.)

But here's the surprise about Lanier as a writer: certain insets, certain narrative paragraphs, are brilliant. Examples: Lanier provides a mock terms of use - a EULA that parents of children wanting to start a lemonade stand must agree to - that utterly lays bare the feudal agenda of social networking; and a dreamy, imagined scene at a beach describes how nanobots carried by the wind might perform sponsored surgery on your heart while you thirst to death because you haven't subscribed to the service with the exclusive license to desalinate water from the ocean in plain sight.

It's a provocative work. Hope to have time this week to read the rest. The subject could not be more momentous.

The picture is borrowed - for the editorial purposes of this non-commercial review - from this site, which I think is picking it up from a third site.

I've been reading Evgeny Morozov's new book, To Save Everything, Click Here. Am about halfway, and find the book's conservative (small "c") themes already coloring how I interact with Twitter, what I think of the dysfunction in Washington DC, even the wisdom or folly of non-accredited crowdfunding.

I may not yet see the central urgency of Morozov's critique - I still have half the book to read - but it seems to me that the ways in which online connectivity disappoints us, the ways in which the fervent privileging of efficiency as an end (rather than a means) lets us down, that will all be self-evident in good time. Though to read the signs, to call out the false promises, name the hypocrisy, and tie the essential utopianism of information technology hype to historical antecedents, all that can hasten the moment of awakening under the tree of knowledge.

It's a relief to think of the dawning of the internet era as something more like the rise of railroads than the invention of Greek democracy. Railroads are still important today, sure, but air travel is bigger. It's comforting to think there may be something bigger than the internet that will displace it, that we live in the spaciousness of a transitional time rather than a cloister at the end of the world.

Quick note about the report issued by the SEC this week in connection with a decision to not proceed with action against Netflix CEO Reed Hastings for making selective disclosures of material Netflix information on his personal Facebook page:

The report says there isn't anything that needs to be changed in five year old written guidance on the subject.

"Our 2008 Guidance was directed primarily at the use of corporate web sites for the disclosure of material, non-public information. Like web sites, corporate social media pages are created, populated, and updated by the issuer. The 2008 Guidance, furthermore, specifically identified 'push' technologies, such as email alerts and RSS feeds and 'interactive' communication tools, such as blogs, which could enable the automatic electronic dissemination of information to subscribers. Today’s evolving social media channels are an extension of these concepts, whereby information can be disseminated to those with access. Thus, the 2008 Guidance continues to provide a relevant framework for applying Regulation FD to evolving social media channels of distribution."

So the problem in the Hastings matter (prior posts from this blog on the topic here, here and here) wasn't lack of up to date rules or guidance so much as an obstinace in thinking social media inhabits some obscure alternate universe perpendicular to the many parallel universes in which we all otherwise manage to travel concurrently.

Whatever channel chosen for disclosure, the key is to let shareholders know, so that they are able, in the words of the report, "to take the steps necessary to be in a position to receive important disclosures — e.g., subscribing, joining, registering, or reviewing that particular channel."

Aside to Netflix shareholders: join Facebook!

According to the summary of the facts in the report, letting shareholders know in advance that he would make material Netflix disclosures on his personal Facebook page was not something Hastings did. On the contrary, as late as December 2012, according to the report, "Hastings stated for the public record that 'we [Netflix] don’t currently use Facebook and other social media to get material information to investors; we usually get that information out in our extensive investor letters, press releases and SEC filings.'”

Bottom line analysis you'll get here that you may not get anywhere else: the SEC stood down from pursuing enforcement while reaffirming that it had a poster child of a case for doing so.

Last month we talked a lot about laws a handful of states have passed that address an apparent practice of employers demanding social media user names and passwords from employees and job applicants.

It must be a problem state legislators are hearing about, because the cause is picking up steam.

According to the National Conference of State Legislatures, social media password legislation "has been introduced or is pending in at least 25 states in 2013."

Twenty-five states!

Federal legislators want to address the issue, too.

The bill at the federal level is called "the Social Networking Online Protection Act." According to Thomas, it is numbered H.R. 537 and was introduced in the 113th Congress on February 6. As of this morning, Thomas reports that the text of the bill "has not yet been received" from the Government Printing Office. Though the bill may simply be a re-introduction of a bill that died in the prior Congress, let's wait to see the text of H.R. 537.

Also on this topic: yesterday on his and Eric Goldman's blog, Venkat Balasubramani posted on the Washington State social media password protection bill. I like how Venkat keeps a spotlight on the implications of these bills for the social media account ownership issues (is that Twitter account yours or your employer's?) that are playing out in a slew of court cases which he and Eric cover pretty much as they happen.

Thanks to Danan Margason for a heads up about state agendas for 2013 and to Joe Wallin for a heads up about the federal bill.

Photo: Nico Paix / Flickr.

If a recent settlement announced by the FTC is eventually approved by a court, Path will join Twitter and Facebook in the ranks of social media companies who have agreed to subject at least certain of their privacy practices to government oversight for years to come.

Like Twitter and like Facebook, Path is faulted for not following the standards that it told users it would follow.

Pictured is Exhibit A from the FTC's complaint against Path. The complaint alleges that the design of version 2.0 of the Path App for iOS was deceptive, because it implied to a user that she had control over whether contacts were exposed to Path, or not. Instead, the complaint alleges, "regardless of whether the user elected to 'Add Friends,' Defendant automatically collected personal information from users' mobile device contacts (also known as the user's 'address book') and stored the personal information on Defendant's servers. For each contact in the user's mobile device address book, Defendant automatically collected and stored the following personal information, if available: first name; last name; address; phone numbers; email addresses; Facebook username; Twitter username; and date of birth. . . . Contrary to the representation made by the Path App's user interface . . . Defendant automatically collected and stored personal information from the user's mobile device contacts even if the user had never selected the 'Find friends from your contacts' option."

The point that a social media company can get into legal trouble for violating standards the company sets for itself, that is hard for some to fathom. Many people assume the trouble must follow violations of a prescribed regulatory standard, some minimum threshold of objective privacy protection that all companies dealing in personal information should meet. That's not the typical case, however. (Aside: Path did indeed get in trouble for violating positive standards that apply when dealing with children.)

For instance, as I wrote about two and a half years ago in a post on this blog titled Bitter Twitter Boilerplate, Twitter got into trouble with the FTC for making this kind of statement to users:

"Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical and electronic measures designed to protect your information from unauthorized access."

Vague as the promise was, Twitter apparently was unable to point the FTC to any reasonable measures designed to protect user information.

For its part, Facebook made a number of unqualified, negative assurances to users, all of which the FTC alleged were false. These included the statement "we do not give your content to advertisers." (For a laundry list of Facebook's broken promises, see this post I wrote for Geekwire, Why Facebook's privacy settlement may not be a done deal.)

The broad implication of Twitter's settlement was - and remains- that it's better to have no privacy protections, than to state or imply that you have protections that are not in fact in place. The upshot of Facebook's settlement is, you shouldn't lie to users.

In a sense, Path repeated the errors made by Twitter and Facebook and compounded them. Instead of non-existent processes, Path did indeed have sophisticated processes dealing with personal information; it's just that those processes were deliberately siphoning user information, by default, in flat out contradiction of an assurance that users would be in total control: 

"Path should be private by default. Forever. You should always be in control of your information and experience."

Now, just as with Twitter and Facebook before it, Path does not appear to be admitting the FTC's allegations to be true. (Judge Rakoff, we need you; but that is another topic.) So we have to assume Path had no malice nor intent to deceive. Even so, it's hard to imagine how this kind of disparity between promise and practice could occur. Perhaps the people designing the Path app and those writing the Path terms of service had never spoken with one another, and neither group had a common report.

Here's a big difference between the FTC proposed settlement with Path and the prior settlements with Twitter and Facebook: Path alone among the three has been fined. The amount is not trivial for a struggling startup: $800,000. I think the fine arises out of alleged violations of the Children’s Online Privacy Protection Act, pursuant to which there are in fact objective standards for online businesses to follow.

Washington State legislators have introduced a bill (pdf) in the Washington State Senate that would make it unlawful for employers to ask employees or job applicants for passwords to social networking accounts.

If it passes, Washington will join at least six other states with similar laws.

Five Internet lawyers recently "graded" how those six other states did in defining what should be meant by "social media," "social networking site," or the like, for purposes of their respective statutes.

Comparing the Washington bill against the six state statutes we know of, the Washington bill is model most closely after the Illinois Act.

Here is a link to a redline (pdf) that takes the Illinois Act as the baseline and tracks changes in the Washington Senate bill against that. The comparison highlights how the sponsors of the Washington bill are dropping a couple of exceptions that would benefit employers; presumably the Washington legislators have seen the Illinois bill (or something very much like it) and have deliberately chosen to leave out some of the employer-friendly exceptions?

Among the express exceptions to be found in one or more of the other state statutes:

• email;
• passwords for employer devices;
• actions taken to facilitate investigations of misconduct or illegal behavior.

I'm noticing different lawyers reacting differently to these laws, depending on whether they feel individual privacy protection should extend to online activities beyond or other than those on Facebook, Twitter, LinkedIn and their ilk.

For instance, Eric Goldman faults the California statute for imprecision; he thinks the California definition of "social media" fails because it can include everything. By contrast, the group of internet lawyers issuing “grades” on this blog generally preferred the statutes that try, like California’s, to protect a broader set of online activities.

I must admit to being skeptical as to whether laws like these are needed. But maybe, with Facebook use being so ubiquitous now, there is actually a problem out there with overreaching employers, something legislators are picking up on.

Related posts on this blog:

• The “grading the legislatures” post on my blog: http://www.wac6.com/wac6/2013/01/grading-the-social-media-savvy-of-six-state-legislatures.html (includes links to different state statutes)
• Follow up post on lessons from the "grading” project: http://www.wac6.com/wac6/2013/01/the-takeaway-from-our-project-to-grade-legislative-definitions-of-social-media.html
• Post comparing the California statute against Illinois': http://www.wac6.com/wac6/2012/10/defining-social-media-legislatively.html (in which I show my hand on drafting preferences)

Image: Paul O'Rear / Flickr.

The takeaway from our project to grade legislative definitions of social media may be this: legislatures, don't do it.

You'll get it wrong, you'll define a set of services that may be gone tomorrow, and you'll miss addressing the broader problem.

If you're going to legislate to protect employee internet behavior from overreaching employers, don't get distracted by narrowly defining the genus that would contain Facebook.

It's no accident that the internet lawyers grading the work of California, Delaware,Illinois, Maryland, Michigan and New Jersey prefer Maryland's statute. Maryland chose to avoid defining "social media" or "social networking site." Instead, the Maryland statute focuses on whether the circumstance at hand involves a user name or password, and leaves vague the nature of the account or service to which the user name or password relates.

Pulling the project's critique into sharpest focus is an alternative definition proposed by one of our graders, Kyle Hulten:

“'Personal Internet account' means any personal account for a password protected Internet based service."

Kyle explains his definition this way:

"[I]t’s simple to understand and it’s appropriately broad. I understand there may be some whom are uncomfortable with the ambiguity in the definition of 'personal account' but that’s language I trust a judge can interpret."

The comments of another of our graders, Venkat Balasubramani, contains additional advice to legislatures. It's great stuff, and if you follow how Venkat keeps up on the Technology & Marketing Law Blog with the subject of ownership of social media accounts, you'll know his view is informed by a close reading of all the recent cases on the subject:

"One thing drafters should worry about is whether these laws may unintentionally prevent the employer from trying to get access to mixed accounts (used for both business and personal) that were created or accessed by the employee after the employment relationship commenced. The few 'ownership' disputes over social media accounts that we've seen (along with personal experience) indicate that accounts are typically mixed — there's no clear factual answer of whether the account properly belongs to either the employer or the employee. I think a carveout that somehow makes clear that these statutes are not intended to alter ownership rules would be useful or something to consider."

That's not all. Venkat thinks that legislatures might do well to anticipate mischief resulting from (mis)use of Klout-like services:

" . . .I would consider whether 'social media credit checks' are covered by the statute. If a service aggregates publicly available data and makes certain judgments about you, should this information be off-limits to employers?"

Like Kyle, Venkat also offered thoughts on how to approach drafting legislation in this area:

"I would go with something pretty minimalist. 'A social media account is any network-based service that allows you to post or transmit content that's tied to a profile.' Then maybe box this in with private or public accounts. My qualm with most the of the definitions is that they try to get too granular and in doing this don't account for changes or new services. Also, they don't really do a good job of getting into the private vs. public distinction, which is really the most important thing."

Finally, I want to quote at length the comments of Doug Cornelius, publisher of Compliance Building, which came in after the Tuesday post went to press. Doug says there is a business solution to the problem that may obviate the need for legislatures to intervene:

"I applaud the legislative efforts, although I think they are using lots of energy when there are bigger problems. The problem should be addressed by the social media platforms. Not only should they fix the problem, they can probably turn it into a revenue source.

"In the financial services industry, there are regulatory requirements to monitor employees’ interactions with customers. That’s easy to do with platforms controlled by the firm, like email, but difficult with the ever-changing platforms in social media. The solution. The social media platform should allow a company to monitor an employee’s account provided the company pays a monitoring fee. Of course the employee will need to consent to the monitoring. The platform gets a revenue stream and the company gets the monitoring and record-keeping it needs. The employee ends up with 'big brother' but only if the company thinks it’s a big enough problem that it is willing to pay the monitoring fee."

By the way, Doug graded the six legislative efforts, too, and his ranking pretty much matched that of Tuesday's group. Which state do you suppose ranked best with Doug? You guessed it:

"Of the six, I find Maryland’s to be the best. It does not limit its scope to social media. Maryland just uses the term 'personal account or service' but does not try to define it."

My thanks again to  Venkat Balasubramani, Jeremy Freeland, Jay Gairson, Kyle Hulten and Danan Margason for their work, insight and sense of fun in tackling this project. Thanks to Doug, too, for getting into the spirit and for the terrific contribution.

All of us, I noticed Tuesday and I notice again today, happen to be male. I do want it to be known that several lawyers I asked to participate are female; I guess they didn't have the inclination or else the time to participate.

Picture of Maryland State Senate by Mark Peters / Flickr.