9Mar

Reading Over Your Shoulder: Social Readers and Privacy Law

Categories: Online
Comments Off on Reading Over Your Shoulder: Social Readers and Privacy Law

By Margot Kaminski

My friends, who are generally well educated and intelligent, read a lot of garbage.  I know this because since September 2011, their taste in news about Justin Bieber, Snooki, and the Kardashians has been shared with me through “social readers” on Facebook.{{1}}  Social readers instantaneously list what you are reading on another website, without asking for your approval before disclosing each individual article you read.  They are an example of what Facebook calls “frictionless sharing,” where Facebook users ostensibly influence each other’s behavior by making their consumption of content on other websites instantly visible to their friends.{{2}}  Many people do not think twice about using these applications, and numerous publications have made them available, including the Washington PostWall Street Journal, and Guardian.{{3}}

I intend to prompt conversation about social readers on three fronts.  First, social readers are part of a shift toward real name policies online, and, for a number of reasons, should remain opt-in rather than becoming the default setting.  Second, if people do choose to use these applications, they should know that they are making that choice against a backdrop of related battles in privacy law concerning the right to consume content without a third party sharing your activity more broadly.  And third, when individuals choose to use these applications, they may be sharing their habits more widely than they think.

I.  Social Readers and Online Real-Name Policies

Social readers are part of a larger trend toward linking online activity to Internet users’ real identities.  Unlike America Online’s use of invented screen names, the two major social networks, Facebook and Google+, require users to register with their real names or verified pseudonyms.{{4}}  Both Google and Facebook aim to link user activity outside of the social network to one identifiable, real name profile, although Google’s aspirations currently appear limited to other Google services, while Facebook’s ambitions are broader.{{5}}  This real-name model is desirable to online companies and their supporting advertisers because it is easier to advertise to someone if you know who he or she is, and know all of his or her online behavior.

Business concerns are not the only motivating factor behind the shift toward real-name policy.  There is also an argument that real-name policies on comment forums may make people behave more civilly toward each other, because they are part of a social community that imports accountability into the online context.{{6}}  This has been compelling to some newspapers.  The Huffington Post, for example, has a Social News feature that encourages readers to log in through their Facebook accounts and comment on articles under their real identities.{{7}}  However, shifting to real name policy creates other problems, such as preventing pseudonymic or anonymous whistleblowing by commenters, and chilling more controversial or critical speech.{{8}}

Social readers are part of this potential collapse of anonymous or pseudonymic online activity.  It used to be the case that reading an article on the New York Times was a separate activity from communicating to your friends on a social network.  Social readers, however, import your reading activity from the newspaper website into your social network and broadcast it instantaneously under your real name.  Your presence on the other website is no longer anonymous.

Despite the potential benefits to companies, the decision to allow instantaneous sharing of all content consumed elsewhere connected to a user’s real identity should remain firmly in the hands of Internet users.  As individuals, we construct discrete identities for different circumstances: one for work, one for home, one for our closest friends.{{9}}  This is in fact the idea behind Google+’s “Circles” feature, which allows a user to tailor the parts of his or her identity that are visible to each “Circle,” whether it be friends, co-workers, or family.{{10}}  For a social network to retain value by mirroring reality, it needs to allow us to retain these distinctions.  Before social readers, one’s decision to read US Weekly at the gym would not be broadcast to one’s coworkers.  If one is forced to sign up for an US Weekly social reader, however, one’s network would see every article read.  This first point is about one’s relationship as an individual to other individuals: we should each be able to control the parts of our identity we want shown to other people.  We do this in real life; we should be able to do this online.  There may also be a benefit to media companies of allowing individuals to be pickier in their sharing: friends might take recommendations more seriously if they are deliberate and limited, rather than a list of everything their mutual friend haphazardly read.{{11}}

Already, some companies have experienced a backlash from making such pervasive sharing the default option for their software.  For example, in September 2011, the music service Spotify announced a partnership with Facebook that would allow new users to sign up only if they have a Facebook account.{{12}}  Users started seeing their music playlists automatically shared on Facebook; they could opt out of the service, but only by manually disabling the sharing feature.{{13}}  In response to a strong negative reaction, Spotify rolled out a more visible new privacy feature to allow users to “hide their guilty pleasures,” according to the Spotify CEO.{{14}}  The strong reaction to Spotify’s automatic frictionless sharing, and the fact that many newspapers have decided not to create social reader applications at all, shows that if users’ interests are kept in mind, frictionless sharing should remain an option, not the default.

II.  Social Readers and Other Privacy Law Battles

Coincidentally or consequentially, the legal debate over privacy and media consumption has taken on new dimensions at the same time that companies move toward frictionless sharing.  As people on Facebook allow the Washington Post to broadly share every article they have ever read, others are fighting to protect reader records from third parties.

First, it’s important to address whether, and why, reader privacy is important.  Librarians are adamant about the importance of reader privacy.{{15}}  The American Library Association has affirmed a right to privacy for readers since 1939,{{16}} and states that “one cannot exercise the right to read if the possible consequences include damage to one’s reputation, ostracism from the community or workplace, or criminal penalties.  Choice requires both a varied selection and the assurance that one’s choice is not monitored.”{{17}}  This concern comes in part from a historical awareness of how the government might abuse knowledge of citizens’ reading material.  Reading material can be used by the government to track dissidence.  Famously, Joseph McCarthy released a list of allegedly pro-communist authors, and the State Department ordered overseas librarians to remove such books from their shelves.{{18}}  Imagine if social readers had existed during the McCarthy era—the government would have been able to check each person’s virtual bookshelf for blacklisted material.  With the advent of data mining, the reading choices that seem innocuous to you can cumulatively be indicative of patterns, intent, or allegiances to others, including law enforcement.{{19}}

The United States has surprisingly scattered law on the question of readers’ privacy.  There is no federal statute explicitly protecting it.  This means that companies are not specifically prohibited on a federal level from sharing your reading history with others.  In practice, librarians usually require a court order for the government to obtain reader records, and most states make that requirement explicit.{{20}} The PATRIOT Act famously raised ire from librarians by permitting the government under certain circumstances to request library patron records secretly and without judicial oversight.{{21}}

Although there is no federal reader privacy statute, related laws concerning library patrons exist in forty-eight states.{{22}}  Recently, there has been a push at the state level to expand protections for reader privacy beyond libraries.  The California Reader Privacy Act, which was signed into law in October 2011 and took effect in January 2012, extends the type of protections traditionally afforded to library patrons to all books and e-books, although it does not extend to other types of reading online.{{23}}  Government entities must obtain a warrant before accessing reader records, and booksellers or providers must be afforded an opportunity to contest the request.  Booksellers must report the number and type of requests that they receive.{{24}}  Requests made in the context of civil actions must show that the requesting parties are using the “least intrusive means” and have a “compelling interest” in the records, and must obtain a court order.

The First Amendment could arguably protect readers from the discovery of their reading history by the government or by third parties using the court system to obtain the information.  A series of cases have given rise to a standard protecting the anonymity of online speakers.{{25}}  Julie E. Cohen has suggested that the First Amendment should extend its protections to a similar right to read anonymously.{{26}}  However, there has not yet been a case where a litigant has successfully made this argument to protect digital reader records under the First Amendment.

We do have one federal law protecting user privacy during content consumption: the Video Privacy Protection Act (“VPPA”),{{27}} which prohibits the disclosure of personally identifiable video rental information to third parties without a user’s specific consent, and prohibits disclosure of the same to police officers without a warrant.{{28}}  This strangely precise piece of law arose after Supreme Court nominee Robert Bork had his video rental records disclosed in a newspaper.{{29}}

Companies have realized, however, that VPPA is a hurdle to their business models.  In December 2011, the House of Representatives passed H.R. 2471, amending VPPA to allow the disclosure of video rental records with consent given in advance and until that consent is withdrawn by the consumer.{{30}}  This change would allow companies such as Netflix to get a one-time blanket consent to disclose user records through frictionless sharing on Facebook.  The Senate Judiciary Committee held a hearing on H.R. 2471 on January 31, 2012, at which many privacy concerns were raised.{{31}}

III.  Oversharing

Those who currently use social readers may be sharing their reading activity far more broadly than they expect.  Your close friends are not the only ones who can see your Facebook profile.  A Freedom of Information Act (“FOIA”) lawsuit by the Electronic Frontier Foundation revealed that law enforcement agencies use social media to obtain information about people by going undercover on social media sites to gain access to nonpublic information.{{32}}  And even if no police officer or other informant has posed as a friend of yours, using a social network to broadcast your reading records means you have shared those records with a third party—the social network itself—which under United States v. Miller means the police may not need a warrant to obtain those records from the social network.{{33}}

Perhaps more significantly, even if we get rid of the Miller doctrine, as Justice Sotomayor recently suggested, the wholesale sharing of your reading history with Facebook friends may ultimately impact the Supreme Court’s understanding of what constitutes a “reasonable expectation of privacy.”{{34}}  In the 1967 seminal Supreme Court case on wiretapping, Katz v. United States, Katz placed a phone call in a public phone booth with the door closed, and was found to have a reasonable expectation of privacy in the phone call, so a warrant was required for wiretapping the phone.{{35}}  Justice Alito recently contemplated that we may be moving toward a world in which so many people share information with so many friends that social norms no longer indicate a reasonable expectation of privacy in that information.{{36}}  Without a reasonable expectation of privacy, there will be no warrant requirement for law enforcement to obtain that information.  This analysis is troubling; sharing information with your friends should not mean that you expect it to be shared with law enforcement.  This would be like saying that just because you sent wedding invitations to 500 of your closest friends, the government is justified in opening the envelope.  The size of the audience for private communication should not change the fact that it is private.

The recent trend toward social readers and other types of frictionless sharing may at first glance seem innocuous, if inane.  But it has occurred just as privacy advocates are pushing to create more privacy protections for readers through state laws, and may result in the loss of VPPA, the one federal law that protects privacy in content consumption.  And users may not understand that sharing what they read with friends may mean sharing what they read with the government, as well.  That is a whole lot more serious than just annoying your friends with your taste for celebrity gossip.  Indeed, it may be another step toward the death of the Fourth Amendment by a thousand cuts.{{37}}


* Research Scholar in Law and Lecturer in Law at Yale Law School, and Executive Director of the Information Society Project at Yale Law School. She thanks Kevin Bankston of the Center for Democracy and Technology for his review and helpful comments.

[[1]] See, e.g., Ian Paul, Wall Street Journal Social on Facebook: A First Look, Today @PCWorld Blog (Sep. 20, 2011, 7:02 AM), http://www.pcworld.com/article/240274/wall_street_journal_social_on_facebook
_a_first_look.html.[[1]]
[[2]] Jason Gilbert, Facebook Frictionless App Frenzy Will Make Your Life More Open, Huffington Post (Jan. 18, 2012),  http://www.huffingtonpost.com
/2012/01/18/facebook‑actions‑arrive‑major‑changes_n_1213183.html.[[2]]
[[3]] See The Washington Post Social Reader, Wash. Post, http://www.washingtonpost.com/socialreader (last visited Feb. 26, 2012); Press Release, The Guardian, Guardian Announces New App on Facebook to Make News More Social (Sept, 23, 2011),available at http://www.guardian.co.uk/gnm
-press-office/guardian-launches-facebook-app; Paul, supra note 1.[[3]]
[[4]] Facebook requires real names as user names, allowing its users to sign into other sites and comment there—although it has just recently started allowing celebrities to use pseudonyms. See Somini Sengupta, Rushdie Runs Afoul of Web’s Real-Name Police, N.Y. Times (Nov. 14, 2011), http://www.nytimes.com/2011/11/15/technology/hiding‑or‑using‑your‑name‑online-and-who-decides.html; see also Nathan Olivarez-Giles, Facebook Verifying Celebrity Accounts, Allowing Pseudonyms, L.A. Times (Feb. 16, 2012), http://www.latimes.com/business/technology/la‑fi‑tn‑facebook‑verified‑accounts
‑nicknames-pseudonyms-20120216,0,3899048.story.  Google’s social network, Google+, uses real names and now pseudonyms, but only if you can prove to Google that you are in fact known by that name elsewhere.  See Claire Cain Miller, In a Switch, Google Plus Now Allows Pseudonyms, N.Y. Times Bits Blog (Jan. 23, 2012, 4:08 PM), http://bits.blogs.nytimes.com/2012/01/23/in-a-switch
-google-plus-now-allows-pseudonyms/.[[4]]
[[5]] Google’s new privacy policy is an example of this. The new privacy policy states that “[w]e may use the name you provide for your Google Profile across all of the services we offer that require a Google Account. In addition, we may replace past names associated with your Google Account so that you are represented consistently across all our services. If other users already have your email, or other information that identifies you, we may show them your publicly visible Google Profile information, such as your name and photo.” Preview: Privacy Policy, Google, http://www.google.com/policies/privacy/preview/ (last visited Feb. 29, 2012).[[5]]
[[6]] See, e.g., Lawrence Lessig, Code and Other Laws of Cyberspace 80 (1999) (“Just as anonymity might give you the strength to state an unpopular view, it can also shield you if you post an irresponsible view. Or a slanderous view. Or a hurtful view.”).[[6]]
[[7]] See Frequently Asked Questions, Huffington Post, http://www.huffingtonpost.com/p/frequently-asked-question.html (last visited Feb. 26, 2012).[[7]]
[[8]] Stone v. Paddock Publications, Electronic Frontier Found., https://www.eff.org/cases/stone-v-paddock (last visited Feb. 26, 2012) (noting that the Illinois Court of Appeals recognized the potential harms in the “chilling effect on the many citizens who choose to post anonymously on the countless comment boards for newspapers, magazines, websites and other information portals”).[[8]]
[[9]] See, e.g., Jan E. Stets & Michael M. Harrod, Verification Across Multiple Identities: The Role of Status, 67 Soc. Psych. Quart. 155 (2004) (investigating status verification across three identities: the worker identity, academic identity, and friend identity).[[9]]
[[10]] See, e.g.Google+ Overview, Google, http://www.google.com/
+/learnmore/ (last visited Feb. 29, 2012) (“You share different things with different people. But sharing the right stuff with the right people shouldn’t be a hassle. Circles make it easy to put your friends from Saturday night in one circle, your parents in another, and your boss in a circle by himself, just like real life.”).[[10]]
[[11]] Jeff Sonderman, With ‘Frictionless Sharing,’ Facebook and News Orgs Push Boundaries of Online Privacy, Poynter (Sep. 29, 2011), http://www.poynter.org/latest‑news/media‑lab/social‑media/147638/with‑frictionless-sharing-facebook-and-news-orgs-push-boundaries-of-reader-privacy/ (noting that “[i]f everything is shared automatically, nothing has significance”).[[11]]
[[12]] See  Sarah Jacobsson Purewal, Spotify Adds Facebook Requirement, Angering Users, Today @PCWorld Blog (Sep. 27, 2011), http://www.pcworld.com/article/240646/spotify_adds_facebook_requirement_angering_users.html.[[12]]
[[13]] See Zack Whittaker, Spotify’s ‘Frictionless Sharing’ Bows to Facebook Privacy Pressure, ZD Net Between the Lines Blog (Sept. 30, 2011), http://www.zdnet.com/blog/btl/spotifys‑frictionless‑sharing‑bows‑to‑facebook‑privacy-pressure/59408.[[13]]
[[14]] Id.[[14]]
[[15]] See, e.g.An Interpretation of the Library Bill of Rights, Am. Library Ass’n, http://www.ala.org/Template.cfm?Section=interpretations&Template=
/ContentManagement/ContentDisplay.cfm&ContentID=88625 (last visited Feb. 26, 2012).[[15]]
[[16]] Id.[[16]]
[[17]] Privacy and Confidentiality, Am. Library Ass’n, http://www.ala.org
/offices/oif/ifissues/privacyconfidentiality (last visited Feb. 26, 2012).[[17]]
[[18]] Robert Griffith, The Politics of Fear: Joseph R. McCarthy and the Senate 215–16 (1970).[[18]]
[[19]] See, e.g., Stephen L. Baker, The Numerati (2008).[[19]]
[[20]] See State Privacy Laws Regarding Library Records, Am. Library
Ass’n, http://www.ala.org/offices/oif/ifgroups/stateifcchairs/stateifcinaction
/stateprivacy (last visited Feb. 26, 2012) (stating that “[l]ibraries should have in place procedures for working with law enforcement officers when a subpoena or other legal order for records is made. Libraries will cooperate expeditiously with law enforcement within the framework of state law.”).[[20]]
[[21]] The USA Patriot Act, Am. Library Ass’n, http://www.ala.org/advocacy
/advleg/federallegislation/theusapatriotact (last visited Feb. 26, 2012) (observing that “[l]ibraries cooperate with law enforcement when presented with a lawful court order to obtain specific information about specific patrons; however, the library profession is concerned some provisions in the USA PATRIOT Act go beyond the traditional methods of seeking information from libraries.”); see also Resolution on the USA PATRIOT Act and Libraries, Am. Library Ass’n, (June 29, 2005),http://www.ala.org/offices/files/wo/reference
/colresolutions/PDFs/062905-CD20.6.pdf (explaining that “Section 215 of the USA PATRIOT Act allows the government to secretly request and obtain library records for large numbers of individuals without any reason to believe they are involved in illegal activity” and “Section 505 of the USA PATRIOT Act permits the FBI to obtain electronic records from libraries with a National Security Letter without prior judicial oversight”).[[21]]
[[22]] State Privacy Laws Regarding Library Records, Am. Library
Ass’n, http://www.ala.org/offices/oif/ifgroups/stateifcchairs/stateifcinaction
/stateprivacy (last visited Feb. 28, 2012).[[22]]
[[23]] See Joe Brockmeier, California Gets Reader Privacy Act: Still Not Enough, ReadWrite Enterprise (Oct. 3, 2011), http://www.readwriteweb.com
/enterprise/2011/10/california-gets-reader-privacy.php.[[23]]
[[24]] See Rebecca Jeschke, Reader Privacy Bill Passes California Senate—Moves on to State Assembly, Electronic Frontier Found. (May 9, 2011), https://www.eff.org/deeplinks/2011/05/reader‑privacy‑bill‑passes‑california‑senate-moves.[[24]]
[[25]] See, e.g., Dendrite Int’l, Inc. v. John Doe No. 3, 775 A.2d 756 (N.J. Super Ct. App. Div. 2001).[[25]]
[[26]] Julie E. Cohen, A Right to Read Anonymously: A Closer Look at “Copyright Management” In Cyberspace, 28 Conn. L. Rev. 981 (1996).[[26]]
[[27]] 18 U.S.C. § 2710 (2006).[[27]]
[[28]] Id.see also Video Privacy Protection Act, Electronic Privacy Info. Center, http://epic.org/privacy/vppa/ (last visited Feb. 28, 2012) (providing an overview of the VPPA).[[28]]
[[29]] See Video Privacy Protection Act, Electronic Privacy Info. Center, http://epic.org/privacy/vppa/ (last visited Feb. 28, 2012).[[29]]
[[30]] See H.R. 2471, 112th Cong. (1st Sess. 2011).[[30]]
[[31]] The Senate Judiciary Committee had a hearing on VPPA in January.  See The Video Privacy Protection Act: Protecting Viewer Privacy in the 21st Century: Hearing Before the Senate Committee on the Judiciary, Subcommittee on Privacy, Technology, and the Law, 112th Cong. (2nd Sess. 2012), available
at http://www.judiciary.senate.gov/hearings/hearing.cfm?id=f14e6e2889a80b6b5
3be6d4e412d460f. See also Grant Gross, Lawmakers Question Proposed Change to Video Privacy Law, PCworld (Jan. 31, 2012), http://www.pcworld.com
/businesscenter/article/249058/lawmakers_question_proposed_change_to_video_privacy_law.html.[[31]]
[[32]] Jaikumar Vijayan, IRS, DOJ Use Social Media Sites to Track Deadbeats, Criminal Activity, Computerworld (Mar. 16, 2010), http://www.computerworld.com/s/article/9171639/IRS_DOJ_use_social_media_sites_to_track_deadbeats_criminal_activity_.[[32]]
[[33]] 425 U.S. 435, 443 (1976).[[33]]
[[34]] United States v. Jones, No. 10–1259, slip op. at 3–6 (U.S. Jan. 23, 2012) (Sotomayor, J., concurring).[[34]]
[[35]] 389 U.S. 347, 348, 352 (1967); see also id. at 361 (Harlan, J., concurring) (developing the reasonable expectation of privacy test).  Later Courts would adopt the reasonable expectation of privacy test.  See Smith v. Maryland, 442 U.S. 735, 740 (1979).[[35]]
[[36]] Jones, slip op. at 10 (Alito, J., concurring in judgment). Alito in the concurrence in Jones noted that “even if the public does not welcome the diminution of privacy that new technology entails, they may eventually reconcile themselves to this development as inevitable.”  Id.  At oral argument, Alito remarked that “[t]echnology is changing people’s expectations of privacy. Suppose we look forward 10 years, and maybe 10 years from now 90 percent of the population will be using social networking sites and they will have on average 500 friends and they will have allowed their friends to monitor their location 24 hours a day, 365 days a year, through the use of their cell phones. Then—what would the expectation of privacy be then?”  Transcript of Oral Argument at 44, United States v. Jones 565 U.S. ___ (2012) (No.10–1259).[[36]]
[[37]] See Alex Kozinski & Stephanie Grace, Pulling the Plug on Privacy: How Technology Helped Make the 4th Amendment Obsolete, The Daily (June 22, 2011), http://www.thedaily.com/page/2011/06/22/062211-opinions-oped-privacy
-kozinski-grace-1-2/.[[37]]

Tags: