ethan zuckerman – Techdirt
Judge To Zuckerman: Release Your App First, Then We’ll Talk Section 230
from the chilling-effects dept
The first shot to use Section 230 to force adversarial interoperability on platforms has hit a setback.
Earlier this year, we wrote about an absolutely fascinating lawsuit that attempted to activate a mostly-ignored part of Section 230 in a really interesting way. Most people know Section 230 for the immunity it provides for hosting and moderating third-party content. But subsection (c)(2)(B) almost never warrants a mention. It says this:
No provider or user of an interactive computer service shall be held liable on account of any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1)
This part of the law almost never comes up in litigation, but Ethan Zuckerman, who has spent years trying to inspire a better internet (partly as penance for creating the pop-up ad), along with the Knight First Amendment Institute at Columbia, tried to argue that this section means that a platform, like Meta, can’t threaten legal retaliation against developers who are offering third party “middleware” apps that work on top of a platform to offer solutions that “restrict access to material” on a platform.
The underlying issue in the lawsuit was that Ethan wanted to release a plugin called “Unfollow Everything 2.0” based on an earlier plugin called “Unfollow Everything,” which allowed Facebook users to, well, unfollow everything. This earlier plugin was created by developer Louis Barclay, after he found it useful personally to just unfollow everyone on his Facebook account (not unfriend them, just unfollow them). Meta banned Barclay for life from the site, and also threatened legal action against him.
In the last few years, it’s unfortunately become common for the big platforms to legally threaten any service that tries to build tools to work on top of the service without first getting permission or signing some sort of agreement to access an API.
These legal threats have wiped out the ability to build tools for other platforms without permission. They’ve also very much gotten in the way of important “adversarial interoperability” tools and services that history has shown have been vital to innovation and competition.
So the argument from Zuckerman is that this little snippet from Section 230 says that he can’t face legal liability for his tool. Meta could still take technical actions to try to break or block his app, but they couldn’t threaten him with legal actions.
Meta’s response to all of this was that the court should reject Zuckerman’s case because the specifics of the app matter, and until he’s released the app, there’s no way to actually review this issue.
The Court should decline Plaintiff’s request to invoke this Court’s limited jurisdiction to issue an advisory opinion about a non-existent tool. Plaintiff’s claims—which are contingent on facts that cannot be known until after he has created and released Unfollow Everything 2.0 and Meta has had an opportunity to evaluate how the tool actually works—are not ripe for review under either Article III of the Constitution or the Declaratory Judgment Act, 28 U.S.C. § 2201.
It appears that the judge in the case, Judge Jacqueline Scott Corley, found that argument persuasive. After a hearing in court last Thursday, the judge dismissed the case, saying that Zuckerman could conceivably refile once the app is released. While a written opinion is apparently coming soon, this is based on what happened in the courtroom:
Judge Jacqueline Scott Corley of the U.S. District Court for the Northern District of California granted Meta’s request to dismiss the lawsuit on Thursday, according to court records. The judge said Mr. Zuckerman could refile the lawsuit at a later date.
This is perhaps not surprising, but it’s still not good. It’s pretty obvious what would happen if Zuckerman were to release his app because we already know what happened to Barclay, including the direct threats to sue him.
So, basically, the only way for Zuckerman to move forward is to put himself at great risk of a lawsuit from one of the largest companies in the world, with a building full of lawyers. The chilling effects of this situation should be obvious.
I don’t know what happens next. I imagine Zuckerman can appeal to the Ninth Circuit, or he could actually try to release the app and see what happens.
But seeing as how the big platforms have spent over a decade abusing legal threats against companies that are just trying to help build products on top of those platforms, it would have been nice to have received a clean win that such “middleware” apps can’t be blocked through legal intimidation. Unfortunately, we’re not there yet.
Filed Under: adversarial interoperability, ethan zuckerman, interoperability, jacqueline scott corley, middleware, section 230
Companies: meta
Meta Tells Court Section 230 Shouldn’t Empower Users And Third Party Apps
from the why-oh-why-are-we-doing-this? dept
Meta has a long history of making sure no one but Meta, or Meta-approved apps, can operate on top of its services. And now, in a new court filing, it’s going to somewhat ridiculous lengths to try to stop one developer from making sure he won’t get sued for creating a tool that automates clicking some buttons in the Facebook UI.
In early May, I had a long post about a kinda wacky lawsuit filed by Ethan Zuckerman against Meta, in which he argued that (among other things) a mostly-ignored clause in Section 230 gave him (and anyone else) immunity for building middleware level products that operated on larger social media sites.
I won’t go over all the background again, but the key part is that subsection (c)(2)(B) of Section 230 says:
No provider or user of an interactive computer service shall be held liable on account of any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1)
Here, “paragraph (1)” refers to the immunity for any action taken in good faith to restrict access to content deemed “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable.”
While Section 230 is often (misleadingly) discussed as providing social media platforms some sort of unwarranted liability shield, the argument Zuckerman is making is that this clause means that he couldn’t face legal liability if he were to create a tool that would (in this particular example) allow Facebook users to go in and unfollow everything and everyone they follow with the click of a button and allow those users to then share some data with academic researchers.
This lawsuit caused way more chatter among tech policy and law watchers than I’m used to. It was a really novel approach. Some definitely worried that if the lawsuit succeeded, it might make certain bad actors immune from certain lawsuits. But, frankly, I still don’t see that. As I explained, the claims here don’t prevent sites from taking technical measures (blocking, rate limiting, etc.). They only seek to stop Meta from using questionable legal theories, such as CFAA claims of “unauthorized access” to bully developers with threats of huge fines (or even criminal charges).
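To make that distinction concrete, here is a minimal sketch of the kind of purely technical measure that would remain fully available to a platform regardless of how the lawsuit comes out: a token-bucket rate limiter that throttles automated clients. (This is an illustrative assumption on my part, not Meta’s actual infrastructure.)

```python
import time

class TokenBucket:
    """Minimal token-bucket rate limiter: a purely technical measure a
    platform can deploy against automated clients, no lawsuit required."""

    def __init__(self, rate, capacity):
        self.rate = rate          # tokens refilled per second
        self.capacity = capacity  # maximum burst size
        self.tokens = capacity
        self.last = time.monotonic()

    def allow(self):
        now = time.monotonic()
        # Refill proportionally to elapsed time, capped at capacity.
        self.tokens = min(self.capacity,
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # request throttled or dropped

bucket = TokenBucket(rate=2, capacity=5)
# A burst of 10 back-to-back requests: the first 5 pass, the rest are blocked.
results = [bucket.allow() for _ in range(10)]
```

Blocking an app this way (or by banning accounts, changing the UI, etc.) is what nobody in the case is challenging; the suit is only about whether legal threats can be piled on top.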
So, while I wasn’t sure the litigation strategy would work, I am hopeful that it succeeds. It could help establish a more vibrant market for middleware, giving users more control over their own data, as well as the apps and services that they use. In fact, it would bring us back a bit towards the earlier internet world, where building on top of other services was considered normal.
Meta has now filed its motion to dismiss in the case. I’m a little surprised not just by the argument, but by how weak it is. That’s not to say it won’t succeed, as it gives plenty of opportunities for a judge to just toss out the case (judges, especially in the 9th Circuit, seem to really hate declaratory judgment, especially in non-IP cases).
The crux of the argument is this: Zuckerman hasn’t yet created his “Unfollow Everything 2.0” app, and therefore there is no actual controversy, so the case should be dismissed.
The Court should decline Plaintiff’s request to invoke this Court’s limited jurisdiction to issue an advisory opinion about a non-existent tool. Plaintiff’s claims—which are contingent on facts that cannot be known until after he has created and released Unfollow Everything 2.0 and Meta has had an opportunity to evaluate how the tool actually works—are not ripe for review under either Article III of the Constitution or the Declaratory Judgment Act, 28 U.S.C. § 2201. Even if the claims were ripe, jurisdiction under the Act remains discretionary, and there are a host of prudential reasons why exercising jurisdiction would not make sense here. Adjudicating Plaintiff’s claims would require needless rulings on hypothetical applications of California law, would likely result in duplicative litigation, and would encourage forum shopping. Nor is it clear that Plaintiff has a bona fide plan to launch this tool. He has widely spoken about this case in the media, going so far as to characterize it as an opportunity for courts to “shap[e] policy.” The Court should reject Plaintiff’s invitation to issue such an advisory opinion and follow the more prudent course of declining jurisdiction.
But, of course, that ignores the very clear chilling effects issue related to this case. Yes, Zuckerman has not released such an app because he saw the legal threats that the creator of Unfollow Everything 1.0 received, as well as Meta’s past legal actions going after companies like Power Ventures. This isn’t a theoretical issue. Meta has shown that it will absolutely engage in lawfare to go after third-party app builders, and thus there is a real controversy and concern here.
Within this, there are some other odd mini-arguments, including the claim that, since Meta can change how the “unfollow” button works, the eventual app might work differently, and thus the case is not yet ripe for review.
But, that seems to be a weird way of admitting that Meta has the technical ability to break the app, which no one denies, and no one is challenging. But if the ability to technically break a middleware product means you can never challenge the threat of legal liability… well… that wouldn’t make any sense at all.
Even so, Meta’s lawyers argue that the case should still be dismissed, even if the judge determines that the chilling effects are enough to allow the case to move forward. But they do so by pulling a sleight of hand move to avoid discussing the actual issues:
First, use of Unfollow Everything 2.0’s anticipated automation of Facebook processes would violate Meta’s Terms of Service (“Terms”), which prohibit accessing or collecting data from Facebook “using automated means.”
So what? The whole point of the lawsuit is that in the event that such an app violates such policies, Meta still remains able to use technical measures to stop or block the app, just not legal ones.
Then there’s this very, very strange and legally wrong argument:
Plaintiff’s invocation of section 230(c)(2)(B) of the Communications Decency Act, 47 U.S.C. § 230 et seq., is without merit, as (1) section 230(c)(2)(B) does not immunize Plaintiff from his contractual obligations under Meta’s Terms as a matter of law; (2) it is highly unlikely from Plaintiff’s allegations that he would qualify as an “interactive computer service” provider; and (3) the allegations do not show that Plaintiff’s tool would “restrict access” (rather than “restrict availability”) of content
This paragraph gets so many things wrong, I’m not sure where to begin. We’ll get back to the argument about contractual claims in a minute, but I want to focus on the idea that Zuckerman would not qualify as an “interactive computer service” provider.
That doesn’t matter.
The law clearly says (and multiple courts have reinforced) that the liability protection applies to “providers or users.” And he is absolutely a user. The fact that he might not be a provider is meaningless. There’s an entire section devoted to this argument, and I don’t understand why Meta thinks it matters, unless they think that the judge (like some amateur Section 230 commentators) will somehow skip over the “or user” part of Section 230.
As for the claim that 230(c)(2) should not bar contract-based liability, I don’t think that’s right, and I also don’t think Meta realizes the harm it might be doing in making that argument. People have certainly brought “breach of contract” claims against Meta over content moderation decisions in the past, and Meta has relied on 230 to get them dismissed. Be careful what you litigate for, Meta.
Finally, as for the claim that Zuckerman’s app would only “restrict availability” rather than “restrict access,” this seems like a meaningless distinction. What is the actual difference here? How are those different things? It kinda feels like Meta saying “if we call this something different, maybe we can pretend the law doesn’t apply to us.”
Indeed, so much of what Meta is arguing here seems to be about pretending that Zuckerman is saying they can’t use technical means to block his app. But the lawsuit isn’t arguing that at all. It is just focused on making sure that Meta can’t threaten him with a baseless lawsuit for creating an app that is useful to a small group of users, and that simply automates a feature that Meta already makes available to any user directly.
Meta cites some earlier Section 230 cases, such as Alex Berenson’s case against Twitter or the seminal Barnes v. Yahoo. Meta uses these examples to argue that 230(c)(2) liability protections don’t apply to breach of contract claims. However, this twists what actually happened in those cases, which were related to questions around content moderation and whether or not employees of the companies had made additional promises above and beyond the terms of service to do (or, in the Berenson case, not do) certain things.
That is wholly different from what Zuckerman is arguing here: that 230, and its policy of encouraging third-party tools for dealing with content issues online, should make these apps immune from civil liability from the platforms.
One other note on this: in the original lawsuit, Zuckerman and his lawyers from the Knight First Amendment Institute point out (a few times) that he’s hoping to use his Unfollow Everything 2.0 app for academic research. In the Motion to Dismiss, Meta argues that this is meaningless because Meta has policies and offerings in place for researchers to get access to certain data.
Meta supports rigorous and independent research into the potential impact social media services like Facebook may have on the world, and it makes available tools and processes to help researchers gain access to information and analytical capabilities to support their research through a privacy-protective approach. See, e.g., Research Tools and Data Sets, Meta Transparency Center, https://transparency.meta.com/en-gb/researchtools/; Our Approach, Facebook Open Research & Transparency, https://fort.fb.com/approach. Plaintiff does not indicate whether he has considered using these tools or why his research could not be conducted through them.
Who cares? There’s no legal requirement that you use only approved methods of doing research. Why even make this argument?
Anyway, I’m still not convinced Zuckerman will succeed with this legal theory, but Meta’s motion to dismiss seems really off base in multiple ways.
Filed Under: adversarial interoperability, ethan zuckerman, middleware, section 230, unfollow everything
Companies: meta
Was There A Trojan Horse Hidden In Section 230 All Along That Could Enable Adversarial Interoperability?
from the zuckerman-v.-zuckerberg dept
There’s a fascinating new lawsuit against Meta that includes a surprisingly novel interpretation of Section 230. If the court buys it, this interpretation could make the open web a lot more open, while chipping away at the centralized control of the biggest tech companies. And, yes, that could mean that the law (Section 230) that is wrongly called “a gift to big tech” might be a tool that undermines the dominance of some of those companies. But the lawsuit could be tripped up for any number of reasons, including a potentially consequential typo in the law that has been ignored for years.
Buckle in, this is a bit of a wild ride.
You would think with how much attention has been paid to Section 230 over the last few years (there’s an entire excellent book about it!), and how short the law is, that there would be little happening with the existing law that would take me by surprise. But the new Zuckerman v. Meta case filed on behalf of Ethan Zuckerman by the Knight First Amendment Institute has got my attention.
It’s presenting a fairly novel argument about a part of Section 230 that almost never comes up in lawsuits, but could create an interesting opportunity to enable all kinds of adversarial interoperability and middleware to do interesting (and hopefully useful) things that the big platforms have been using legal threats to shut down.
If the argument works, it may reveal a surprising and fascinating trojan horse for a more open internet, hidden in Section 230 for the past 28 years without anyone noticing.
Of course, it could also have much wider ramifications that a bunch of folks need to start thinking through. This is the kind of thing that happens when someone discovers something new in a law that no one really noticed before.
But there’s also a very good chance this lawsuit flops for a variety of other reasons without ever really exploring the nature of this possible trojan horse. There are a wide variety of possible outcomes here.
But first, some background.
For years, we’ve talked about the importance of tools and systems that give end users more control over their own experiences online, rather than leaving it entirely up to the centralized website owners. This has come up in a variety of different contexts in different ways, from “Protocols, not Platforms” to “adversarial interoperability,” to “magic APIs” to “middleware.” These are not all exactly the same thing, but they’re all directionally strongly related, and conceivably could work well together in interesting ways.
But there are always questions about how to get there, and what might stand in the way. One of the biggest obstacles over the last decade or so has been interpretations of various laws that effectively allow social media companies to threaten and/or bring lawsuits against companies trying to provide these kinds of additional services. This can take the form of a DMCA 1201 claim for “circumventing” a technological block. Or, more commonly, it has taken the form of a civil Computer Fraud & Abuse Act (CFAA) claim.
The most representative example of where this goes wrong is when Facebook sued Power Ventures years ago. Power was trying to build a unified dashboard across multiple social media properties. Users could provide Power with their own logins to social media sites. This would allow Power to log in to retrieve and post data, so that someone could interact with their Facebook community without having to personally go into Facebook.
This was a potentially powerful tool in limiting Facebook’s ability to become a walled-off garden with too much power. And Facebook realized that too. That’s why it sued Power, claiming that it violated the CFAA’s prohibition on “unauthorized access.”
The CFAA was designed (poorly and vaguely) as an “anti-hacking” law. And you can see where “unauthorized access” could happen as a result of hacking. But Facebook (and others) have claimed that “unauthorized access” can also be “because we don’t want you to do that with your own login.”
And the courts have agreed with Facebook’s interpretation, with a few limitations (that don’t make that big of a difference).
I still believe that this ability to use the law to block interoperability/middleware has been a major (perhaps the biggest) reason “big tech” is so big. These companies are able to use these laws to block the kinds of competitors who would make the market more competitive and pull down some of the walls of their walled gardens.
That brings us to this lawsuit.
Ethan Zuckerman has spent years trying to make the internet a better, more open space (partially, I think, in penance for creating the world’s first pop-up internet ad). He’s been doing some amazing work on reimagining the digital public infrastructure, which I keep meaning to write about, but never quite find the time to get to.
According to the lawsuit, he wants to build a tool called “Unfollow Everything 2.0.” The tool is based on a similar tool, also called Unfollow Everything, that was built by Louis Barclay a few years ago and did what it says on the tin: let you automatically unfollow everything on Facebook. Facebook sent Barclay a legal threat letter and banned him for life from the site.
Zuckerman wants to recreate the tool with some added features enabling users to opt-in to provide some data to researchers about the impact of not following anyone on social media. But he’s concerned that he’d face legal threats from Meta, given what happened with Barclay.
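It’s worth emphasizing how simple the underlying tool is: it automates the same per-item “unfollow” action that Facebook already offers every user. Here’s a hedged sketch of that idea, where `unfollow_action` is a hypothetical stand-in for the button click a user would make by hand (the real tool is a browser extension operating on Facebook’s UI, which this does not reproduce):

```python
def unfollow_everything(followed, unfollow_action):
    """Automate the exact action a user could take manually: one
    'unfollow' per followed friend, page, or group. Nothing beyond the
    user's own follow list is touched. (Illustrative sketch only.)"""
    unfollowed = []
    for entity in list(followed):   # copy: we mutate the underlying set
        unfollow_action(entity)     # stands in for clicking "Unfollow"
        unfollowed.append(entity)
    return unfollowed

# Demo with an in-memory stand-in for the user's account state.
follows = {"friend:alice", "page:news", "group:hiking"}
done = unfollow_everything(follows, follows.discard)
# After running, the user follows nothing; friendships remain intact.
```

Nothing here scrapes other users’ data or bypasses an access control; it just repeats, in bulk, clicks the user is already entitled to make.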
Using Unfollow Everything 2.0, Professor Zuckerman plans to conduct an academic research study of how turning off the newsfeed affects users’ Facebook experience. The study is opt-in—users may use the tool without participating in the study. Those who choose to participate will donate limited and anonymized data about their Facebook usage. The purpose of the study is to generate insights into the impact of the newsfeed on user behavior and well-being: for example, how does accessing Facebook without the newsfeed change users’ experience? Do users experience Facebook as less “addictive”? Do they spend less time on the platform? Do they encounter a greater variety of other users on the platform? Answering these questions will help Professor Zuckerman, his team, and the public better understand user behavior online and the influence that platform design has on that behavior
The tool and study are nearly ready to launch. But Professor Zuckerman has not launched them because of the near certainty that Meta will pursue legal action against him for doing so.
So he’s suing for declaratory judgment that he’s not violating any laws. If he were just suing for declaratory judgment over the CFAA, that would (maybe?) be somewhat understandable or conventional. But, while that argument is in the lawsuit, the main claim in the case is something very, very different. It’s using a part of Section 230, section (c)(2)(B), that almost never gets mentioned, let alone tested.
Most Section 230 lawsuits involve (c)(1): the famed “26 words” that state “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”
Some Section 230 cases involve (c)(2)(A), which states that “No provider or user of an interactive computer service shall be held liable on account of any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.” Many people incorrectly think that Section 230 cases turn on this part of the law, when really, many of those cases are already cut off by (c)(1) because they try to treat a service as a speaker or publisher.
But then there’s (c)(2)(B), which says:
No provider or user of an interactive computer service shall be held liable on account of any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1)
As noted, this basically never comes up in cases. But the argument being made here is that this creates some sort of proactive immunity from lawsuits for middleware creators who are building tools (“technical means”) to “restrict access.” In short: does Section 230 protect “Unfollow Everything” from basically any legal threats from Meta, because it’s building a tool to restrict access to content on Meta platforms?
Or, according to the lawsuit:
This provision would immunize Professor Zuckerman from civil liability for designing, releasing, and operating Unfollow Everything 2.0
First, in operating Unfollow Everything 2.0, Professor Zuckerman would qualify as a “provider . . . of an interactive computer service.” The CDA defines the term “interactive computer service” to include, among other things, an “access software provider that provides or enables computer access by multiple users to a computer server,” id. § 230(f)(2), and it defines the term “access software provider” to include providers of software and tools used to “filter, screen, allow, or disallow content.” Professor Zuckerman would qualify as an “access software provider” because Unfollow Everything 2.0 enables the filtering of Facebook content—namely, posts that would otherwise appear in the feed on a user’s homepage. And he would “provide[] or enable[] computer access by multiple users to a computer server” by allowing users who download Unfollow Everything 2.0 to automatically unfollow and re-follow friends, groups, and pages; by allowing users who opt into the research study to voluntarily donate certain data for research purposes; and by offering online updates to the tool.
Second, Unfollow Everything 2.0 would enable Facebook users who download it to restrict access to material they (and Zuckerman) find “objectionable.” Id. § 230(c)(2)(A). The purpose of the tool is to allow users who find the newsfeed objectionable, or who find the specific sequencing of posts within their newsfeed objectionable, to effectively turn off the feed.
I’ve been talking to a pretty long list of lawyers about this and I’m somewhat amazed at how this seems to have taken everyone by surprise. Normally, when new lawsuits come out, I’ll gut check my take on it with a few lawyers and they’ll all agree with each other whether I’m heading in the right direction or the totally wrong direction. But here… the reactions were all over the map, and not in any discernible pattern. More than one person I spoke to started by suggesting that this was a totally crazy legal theory, only to later come back and say “well, maybe it actually makes some sense.”
It could be a trojan horse that no one noticed in Section 230 that effectively bars websites from taking legal action against middleware providers who are providing technical means for people to filter or screen content on their feed. Now, it’s important to note that it does not bar those companies from putting in place technical measures to block such tools, or just banning accounts or whatever. But that’s very different from threatening or filing civil suits.
If this theory works, it could do a lot to enable these kinds of middleware services and make it significantly harder for big social media companies like Meta to stop them. If you believe in adversarial interoperability, that could be a very big deal. Like, “shift the future of the internet we all use” kind of big.
Now, there are many hurdles before we get to that point. And there are some concerns that if this legal theory succeeds, it could also lead to other problematic results (though I’m less convinced by those).
Let’s start with the legal concerns.
First, as noted, this is a very novel and untested legal theory. Upon reading the case initially, my first reaction was that it felt like one of those slightly wacky academic law journal articles you see law professors write sometimes, with some far-out theory they have that no one’s ever really thought about. This one is in the form of a lawsuit, so at some point we’ll find out how the theory works.
But that alone might make a judge unwilling to go down this path.
Then there are some more practical concerns. Is there even standing here? ¯\_(ツ)_/¯ Zuckerman hasn’t released his tool. Meta hasn’t threatened him. He makes a credible claim that given Meta’s past actions, they’re likely to react unfavorably, but is that enough to get standing?
Then there’s the question of whether or not you can even make use of 230 in an affirmative way like this. 230 is used as a defense to get cases thrown out, not proactively for declaratory judgment.
Also, this is not my area of expertise by any stretch of the imagination, but I remember hearing in the past that outside of IP law, courts (and especially courts in the 9th Circuit) absolutely disfavor lawsuits for declaratory judgment (i.e., a lawsuit before there’s any controversy, where you ask the court “hey, can you just check and make sure I’m on the right side of the law here…”). So I could totally see the judge saying “sorry, this is not a proper use of our time” and tossing it. In fact, that might be the most likely result.
Then there’s this kinda funny but possibly consequential issue: there’s a typo in Section 230 that almost everyone has ignored for years. Because it’s never really mattered. Except it matters in this case. Jeff Kosseff, the author of the book on Section 230, always likes to highlight that in (c)(2)(B), it says that the immunity is for using “the technical means to restrict access to material described in paragraph (1).”
But they don’t mean “paragraph (1).” They mean “paragraph (A).” Paragraph (1) is the “26 words” and does not describe any material, so it would make no sense to say “material described in paragraph (1).” It almost certainly means “paragraph (A),” which is the “good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable” section. That’s the one that describes material.
I know that, at times, Jeff has joked when people ask him how 230 should be reformed he suggests they fix the typo. But Congress has never listened.
And now it might matter?
The lawsuit basically pretends that the typo isn’t there, reading “paragraph (A)” where the law says “paragraph (1).”
I don’t know how that gets handled. Perhaps it gets ignored like every time Jeff points out the typo? Perhaps it becomes consequential? Who knows!
There are a few other oddities here, but this article is getting long enough and has covered the important points. However, I will conclude with one other point that one of the people I spoke to raised. As discussed above, Meta has spent most of the past dozen or so years going legally ballistic about anyone trying to scrape or data mine its properties in any way.
Yet, earlier this year, it somewhat surprisingly bailed out on a case where it had sued Bright Data for scraping/data mining. Lawyer Kieran McCarthy (who follows data scraping lawsuits like no one else) speculated that Meta’s surprising about-face may be because it suddenly realized that for all of its AI efforts, it’s been scraping everyone else. And maybe someone high up at Meta suddenly realized how it was going to look in court when it got sued for all the AI training scraping, if the plaintiffs point out that at the very same time it was suing others for scraping its properties.
I suspect the decision not to appeal is more about a shift in philosophy at Meta (and perhaps some of the other big platforms) than about confidence in its ability to win the case. Today, perhaps more important to Meta than keeping others off its public data is having access to everyone else’s public data. Meta is concerned that its perceived hypocrisy on these issues might work against it. Just last month, Meta had its success in prior scraping cases thrown back in its face in a trespass to chattels case. Perhaps it worried that success on appeal would do more harm than good.
In short, I think Meta now cares more about access to large volumes of data for AI than it does about outsiders scraping its public data. My hunch is that it knows any success in anti-scraping cases can be thrown back at it in its own attempts to build AI training datasets and LLMs, and it cares more about the latter than the former.
I’ve separately spoken to a few experts who were worried about the consequences if Zuckerman succeeded here: a win might simultaneously immunize potential bad actors. Specifically, you could imagine a Cambridge Analytica or Clearview AI situation, in which companies seeking data for malign purposes convince people to install their middleware app. That could lead to a massive expropriation of data, and possibly some very sketchy services as a result.
But I’m less worried about that, mainly because it’s the sketchy use of that data that would still (hopefully?) violate certain laws, not the access to the data itself. Still, real questions are being raised about whether this kind of proactive immunity might end up shielding bad actors, and they’re worth thinking about.
Either way, this is going to be a case worth following.
Filed Under: adversarial interoperability, competition, copyright, dmca 1201, ethan zuckerman, liability, section 230, unfollow everyone
Companies: meta
Anyone Brushing Off NSA Surveillance Because It's 'Just Metadata' Doesn't Know What Metadata Is
from the your-metadata-reveals-quite-a-bit dept
One of the key themes that has come out from the revelations concerning NSA surveillance is a bunch of defenders of the program claiming “it’s just metadata.” This is wrong on multiple levels. First of all, only some of the revealed programs involve “just metadata.” The so-called “business records” data is metadata, but other programs, such as PRISM, can also include actual content. But even if we were only talking about “just metadata,” the idea that it is somehow no big deal, and that people have nothing to worry about, is ridiculous to anyone who knows even the slightest thing about metadata. In fact, anyone who claims “it’s just metadata” in an attempt to minimize what’s happening is basically revealing that they haven’t the slightest clue what metadata is. Here are a few examples of why.
Just a few months ago, Nature published a study all about how much a little metadata can reveal, entitled Unique in the Crowd: The privacy bounds of human mobility by Yves-Alexandre de Montjoye, Cesar A. Hidalgo, Michel Verleysen, and Vincent D. Blondel. The basic conclusion: metadata reveals a ton, and even “coarse datasets” provide almost no anonymity:
A simply anonymized dataset does not contain name, home address, phone number or other obvious identifier. Yet, if individual’s patterns are unique enough, outside information can be used to link the data back to an individual. For instance, in one study, a medical database was successfully combined with a voters list to extract the health record of the governor of Massachusetts [27]. In another, mobile phone data have been re-identified using users’ top locations [28]. Finally, part of the Netflix challenge dataset was re-identified using outside information from The Internet Movie Database [29].
Altogether, the ubiquity of mobility datasets, the uniqueness of human traces, and the information that can be inferred from them highlight the importance of understanding the privacy bounds of human mobility. We show that the uniqueness of human mobility traces is high and that mobility datasets are likely to be re-identifiable using information only on a few outside locations. Finally, we show that one formula determines the uniqueness of mobility traces providing mathematical bounds to the privacy of mobility data. The uniqueness of traces is found to decrease according to a power function with an exponent that scales linearly with the number of known spatio-temporal points. This implies that even coarse datasets provide little anonymity.
Some of the figures they presented show how easy it is to track individuals and their locations, which can paint a pretty significant and revealing portrait of who they are and what they’ve done.
In an interview, one of the authors of the paper basically said that your metadata effectively creates a “fingerprint” that is unique to you and easy to match to your identity:
“We use the analogy of the fingerprint,” said de Montjoye in a phone interview today. “In the 1930s, Edmond Locard, one of the first forensic science pioneers, showed that each fingerprint is unique, and you need 12 points to identify it. So here what we did is we took a large-scale database of mobility traces and basically computed the number of points so that 95 percent of people would be unique in the dataset.”
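The core re-identification claim — that knowing just a handful of spatio-temporal points singles out most people in a mobility dataset — can be illustrated with a toy simulation. Everything below is synthetic and the parameters (user count, towers, hours) are arbitrary assumptions for illustration, not the paper’s dataset or method:

```python
import random

# Synthetic mobility traces: each user is at one random "cell tower"
# per hour for a week. (Toy data, not the paper's dataset.)
random.seed(0)
N_USERS, N_HOURS, N_TOWERS = 1000, 24 * 7, 50

traces = {
    user: {(h, random.randrange(N_TOWERS)) for h in range(N_HOURS)}
    for user in range(N_USERS)
}

def fraction_unique(traces, k):
    """Fraction of users uniquely identified by k random points of their trace."""
    unique = 0
    for user, trace in traces.items():
        known = set(random.sample(sorted(trace), k))  # attacker knows k points
        matches = [u for u, t in traces.items() if known <= t]
        if matches == [user]:
            unique += 1
    return unique / len(traces)

for k in (1, 2, 4):
    print(f"{k} known points -> {fraction_unique(traces, k):.0%} of users unique")
```

Even in this crude model, one known point identifies almost nobody, while four known points identify nearly everyone — the same steep relationship between known points and uniqueness that the study formalizes as a power function.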
Others are discovering the same thing. Ethan Zuckerman, who recently co-taught a class with one of the authors of the paper above, Cesar Hidalgo, wrote about how two students in the class, working with Hidalgo, created a project called Immersion, which takes your Gmail metadata (“just metadata”) and maps out your social network. As Zuckerman notes, his own use of Immersion reveals some things that could be questionable or dangerous.
He discusses some bits of metadata that are “obvious,” which would make him easily identifiable, but which probably aren’t that “questionable.” However, he also notes some potentially problematic things as well:
Anyone who knows me reasonably well could have guessed at the existence of these ties. But there’s other information in the graph that’s more complicated and potentially more sensitive. My primary Media Lab collaborators are my students and staff – Cesar is the only Media Lab node who’s not affiliated with Civic who shows up on my network, which suggests that I’m collaborating less with my Media Lab colleagues than I might hope to be. One might read into my relationships with the students I advise based on the email volume I exchange with them – I’d suggest that the patterns have something to do with our preferred channels of communication, but it certainly shows who’s demanding and receiving attention via email. In other words, absence from a social network map is at least as revealing as presence on it.
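Immersion’s basic trick — turning “just metadata” into a social graph — is easy to sketch. This is a hypothetical illustration, not Immersion’s actual code; the addresses and the weighting scheme are invented for the example:

```python
from collections import Counter
from itertools import combinations

# Hypothetical email headers: (sender, recipients) only -- no subject
# lines, no bodies. This is the "just metadata" an Immersion-style
# tool would see.
headers = [
    ("me@example.com", ["alice@example.com"]),
    ("alice@example.com", ["me@example.com", "bob@example.com"]),
    ("me@example.com", ["bob@example.com", "carol@example.com"]),
    ("bob@example.com", ["me@example.com"]),
]

# Edge weight = number of messages linking a pair of addresses.
edges = Counter()
for sender, recipients in headers:
    for r in recipients:
        edges[frozenset((sender, r))] += 1
    # Co-recipients on the same message also reveal a tie between them.
    for a, b in combinations(recipients, 2):
        edges[frozenset((a, b))] += 1

for pair, weight in edges.most_common():
    print(sorted(pair), weight)
```

Even this tiny sample exposes who talks to whom, how often, and which third parties are linked only by appearing on the same messages — no content required.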
Separately, more than two years ago, we wrote about how a German politician named Malte Spitz got access to all of the metadata that Deutsche Telekom had on him over a period of six months, and then worked with the German newspaper Die Zeit to put together an amazing visualization that lets you track six months of his life entirely via his metadata, combined with public information, such as his Twitter feed.
While this all came out over two years ago, just recently, Spitz wrote a NYT op-ed piece about how this “just metadata” situation means that it’s tough to trust the US government.
In Germany, whenever the government begins to infringe on individual freedom, society stands up. Given our history, we Germans are not willing to trade in our liberty for potentially better security. Germans have experienced firsthand what happens when the government knows too much about someone. In the past 80 years, Germans have felt the betrayal of neighbors who informed for the Gestapo and the fear that best friends might be potential informants for the Stasi. Homes were tapped. Millions were monitored.
Although these two dictatorships, Nazi and Communist, are gone and we now live in a unified and stable democracy, we have not forgotten what happens when secret police or intelligence agencies disregard privacy. It is an integral part of our history and gives young and old alike a critical perspective on state surveillance systems.
“Just metadata” isn’t “just” anything, other than a massive violation of basic privacy rights.
Filed Under: cesar hidalgo, ethan zuckerman, fingerprints, immersion, malte spitz, metadata, nsa surveillance, prism, privacy, surveillance