Thursday, June 17, 2010

A Day in Paris (Is Like a Year In Any Other Place.)

Pangloss just spent a very intense, very challenging day at the OECD Workshop on the Liability of 0nline Intermediaries, sadly curtailed by the need to rush off on a plane to Estonia (of which more anon). The idea was to kick off a major programme of work in this area and the great and good were assembled in force, with pithy comments and insights coming thick and fast.

Danny Weitzner, who was a fresh faced freedom fighter for the CDT when I first met him, transmogrified into a rising star at the WWW and MIT, and is now an adviser to Obama (ah, why doesn’t UK academe provide this kind of career path!) lead the forces favouring, by and large, US-style industry self regulation, but noted that even in 1731, Benjamin Franklin had recognised need for intermediary immunities by presenting an “apology for printers” (of the human, not inkjet, kind) lest they be persuaded by criticism to print only texts they were personally convinced by.

Peter Fleischer, chief privacy counsel for Google, made the political decidedly personal, by commencing his intervention on privacy and intermediaries with anecdotes about being a convicted criminal who could no longer enter Italy (prompting mildly irascible responses from various Italians trying to make it plain they were not exactly the new China). Gary Davis from Ireland, perhaps a tad controversially for a data protection deputy commissioner, noted that there seemed to be emerging agreement on trading personal data for free web 2.0 services, but the question was, how much data was too much data; and Bruce Schneier (no link needed!) created the biggest stir of the day (to Pangloss’s silent cheers) by mentioning almost casually that, at least in relation to security, he had never had much time for user education. An unnamed EU Commission person made the sign of the cross and quoted liberally from the EC’s Safer Social Networking principles. Lightning did not however smite the infidel Schneier.

Jean Bergevin, in charge of the EC Commission’s much delayed but upcoming review of the E-Commerce Directive (ECD) (expect a consultation soon) took ferocious notes and reminded those present that although copyright and criminal liability may steal the headlines, the exclusion of gambling from the ECD gives a case study of how these things pan out (clue: not well) when safe harbours for intermediaries are not in place. The response seemed to be for the actual gambling hosting websites to move safely offshore, leading to undue pressure from states against payment intermediaries, so as to starve the unauthorised gambling sites of funds; yet, on the whole, these strategies merely multiplied bureaucracy and were still unsuccessful, since the grey market found ways round them (as it did, I noted, when similar strategies were applied to stimey offshore illegal music sites like AllofMP3.com in Russia). Later Mr Bergevin finally enlightened me as to why the ECD excludes data protection and privacy from its remit, as famously was publicised during the Google Italy case; not some abstract academic justification, but just that “that belonged to another Directive”. Time to raise the issue of intermediary liability in the ongoing DPD reform process then, methinks?

My own main contribution came in the first scene-setting session, where Prof. Mark MacCarthy of Georgetown University kicked off discussion on whether the OECD (which is also soon to review its longstanding and much applauded privacy guidelines) could conceivably come up with similar global guidelines on intermediary liability acceptable to all states, all types of intermediaries (ISPs, search engines, social networking sites, domestic hosts, user generated content sites?) and all types of content related liability (copyright, trademark, porn, libel, privacy, security??)? Everyone agreed that once upon a time a rough global consensus on limited liability, based around the notice and takedown (NTD) paradigm, had been achieved c 2000, with the standout exception of the US’s CDA s 230(c), which provided total immunity to service providers in relation to publication torts, but which was seen in the EU at least as something of a historical accident.

Since then, however, twin pressures from both IP rightsholders seeking solutions to piracy, and states keen to get ISPs to police the incoming vices of online child pornography, pro-terror material and malware, had converged to drive some legislatures, and some courts, towards re-imposing liability on online intermediaries (graduated response laws and ISPs being one of the most obvious case studies) and even moving tentatively from a post factum NTD paradigm to an ex ante filtering duty (SABAM, some Continental eBay counterfeit goods cases, the projected Australian mandatory filtering scheme for adult content). While the “top end” of the market might sort its own house out in the negotiable world of IP without further regulation (see the protracted Viacom v YouTube saga, which could be seen as a very expensive game of blind negotiator’s bluff) other areas were (still) less amenable to self regulation.

Privacy was identified very early on as an outstanding example of this: getting sites like Facebook and Google, which live off the profits of selling their client’s personal data, to take the main responsibility for policing those clients’ privacy was, as one speaker said, like getting the wolf to guard the sheep. Ari Schwartz of the CDT interestingly noted the new-ish difficulty of getting businesses like Facebook to take responsibility vis a vis their own users for third party apps using their platform. Apple however were piloting a new model of responsibility by careful selection of apps allowed to use their platforms, while Google Android were doing it differently again (I want to come back to this fascinating discussion in a separate post).

My own points circled around the idea that increasingly, the current idea of “one size fits all” enshrined in the ECD does not really work; more in relation to types of liability though (copyright vs libel , for example, with very diifferent balances of rights and public policy at work) than in relation to types of intermediaries (did search engines really need a special regime, of the kind the DMCA has and the ECD doesn’t, I was asked? My answer, given the fact that the two most troublesome EC Google cases – Italy and Adwords – have actually related to hosting not linking – was probably no (though that still leaves Copiepresse to sort out).)

However there was also room for thinking about different regimes for different sizes of intermediaries – small ISPs and hosts, eg, will simply crumble under the weight of any potential monitoring obligations, jeopardising both freedom of expression and innovation, while in a similar bind, Google can afford to build a Content ID system for YouTube which lets filtering become, effectively, a monetising opportunity. All this of course still avoided the main problem, of how complicit or “non neutral” (in the words of the ECJ Adwords case) an intermediary has to be in relation to illegal or infringing behaviour or content (cf eBay, YouTube, Google etc) before it should lose any special immunities. On that point, even the EU let alone the OECD is going to have to work very, very hard to find consensus.

Security provided the best example (and the best panel) of the day on how market-driven self regulation cannot always provide an optimum solution in the Internet intermediary world, given the prevalence of what became known by shorthand as “misaligned incentives”. Put simply, this refers to the situation where A causes harm to B (or to everyone) but does not suffer the costs of those harms themselves and so has no or few incentives to correct/avoid them. So one of the most obvious ways to reduce malware spread, botnet threats, etc would be to ask ISPs to monitor users on their networks, isolate them if they became apparently infected by malware, and refuse to allow them to rejoin the Internet until they had submitted to “decontamination” and perhaps mandatory reloading of anti-virus protection plus automatic patching. In fact however ISPs mostly don’t do this; partly because there’s no extra money in it for them, but rather a possibility of years of wearying customer care; partly because many ISPs still think (probably wrongly, the Prodigy years are over) that taking any active steps may lead to them being held legally liable to the customer or for bad content. The bad effects meanwhile are felt by (a) society and (b) sometimes though not always, the customer: so misaligned incentives all round. Notwithstanding this, we heard heartening tales of newly launched voluntary initiatives in Germany and Australia for local ISP industry to take part in isolation and decontamination – so hurrah for that, and let us hope the OECD takes this on board as an important if not “traditional” part of the intermediary liability issue.

(This was where the Bruce Schneier quote on user education came in – and I have to say I absolutely agree. If you want a safer Internet for all – a societal aggregate good of security - you do not leave complex choices to be made by domestic users, who not only don’t understand either the risks or the options, but will never be interested enough, or continually educated enough, to do so. But this is not the same as when you talk about privacy; which is primarily an individual not a social good, and where society views the individual making an informed choice as a key element of their autonomy as a subject of human rights. But talking about consent to giving up personal data on SNSs took us into the world of age verification for kids and its impact on privacy, an even nastier can of worms, and no-one’s going to convince me you can get kids to use anonymous digital signatures when it’s hard enough to persuade lawyers to do this).

In short, a day with so much to chew on, my jaw ached by the end. Very sorry I had to miss the last two sessions: if anyone reading has notes on any preliminary conclusions reached, I’d be pleased to see them. Thanks to Karine Perset of the OECD especially for organising the day. Meanwhile I hope myself to stay involved both with this OECD work, and the revision of the ECD; as I often say, watch this space.

No comments: