WI governor signs revenge porn and social media privacy bills into law; privacy bill raises questions

(Update 1: Included link and excerpt from Rep. Sargent's Op-Ed when the bill was introduced, and further comments - to provide some context)

Governor Scott Walker of Wisconsin signed 62 bills into law today, including SB223 (relating to social media privacy) and SB367 (revenge porn).

A full list of the bills he signed can be found here: At a glance: List of 62 bills Gov. Walker signed, and regarding the two bills mentioned above:

Senate Bill 223 – prohibits employers, educational institutions and landlords from requesting or requiring passwords or other protected access to personal internet accounts of students, employees, and tenants. Viewing, accessing and using information from internet accounts, including social media, in the public domain is allowed. Senator Glenn Grothman (R-West Bend) and Representative Garey Bies (R-Sister Bay) authored the bill which unanimously passed the Senate and passed the Assembly on a voice vote; it is Act 208.

Senate Bill 367 – modernizes Wisconsin’s law relating to disseminating private images and expands protections for victims who have their private images distributed without their consent. Senator Leah Vukmir (R-Wauwatosa) and Representative John Spiros (R-Marshfield) authored the bill which passed both the Senate and the Assembly on a voice vote; it is Act 243. 

I criticized the original revenge porn bill proposal in Wisconsin (see: Wisconsin's "revenge porn" bill goes too far. Hypos to ponder and why the legislature should look to Professor Franks ); specifically, I labeled the original proposal as overbroad because the bill did not include a scienter requirement. In the final bill, after a substitute amendment was adopted, the statutory text has been narrowed with just such a requirement. The bill signed into law requires "knowledge":

942.09 (3m) (a) Whoever does any of the following is guilty of a Class A misdemeanor: 

1. Posts, publishes, or causes to be posted or published, a private representation if the actor knows that the person depicted does not consent to the posting or publication of the private representation. 

2. Posts, publishes, or causes to be posted or published, a depiction of a person that he or she knows is a private representation, without the consent of the person depicted.

The social media privacy bill signed by the governor will surely be lauded by privacy advocates as a win for individual autonomy (and freedom from employer/educational institution snooping). But, I find the exceptions to the bill much more intriguing and noteworthy than the protections most will focus on. Particularly, the interesting carve-outs in bold:

(2) Restrictions on employer access to personal Internet accounts.  

   (a) Except as provided in pars. (b), (c), and (d), no employer may do any of the       following:

1. Request or require an employee or applicant for employment, as a condition of employment, to disclose access information for the personal Internet account of the employee or applicant or to otherwise grant access to or allow observation of that account.

2. Discharge or otherwise discriminate against an employee for exercising the right under subd. 1. to refuse to disclose access information for, grant access to, or allow observation of the employee's personal Internet account, opposing a practice prohibited under subd. 1., filing a complaint or attempting to enforce any right under subd. 1., or testifying or assisting in any action or proceeding to enforce any right under subd. 1. 

3. Refuse to hire an applicant for employment because the applicant refused to disclose access information for, grant access to, or allow observation of the applicant's personal Internet account. 

   (b) Paragraph (a) does not prohibit an employer from doing any of the following:
…

2. Discharging or disciplining an employee for transferring the employer's proprietary or confidential information or financial data to the employee's personal Internet account without the employer's authorization.

3. Subject to this subdivision, conducting an investigation or requiring an employee to cooperate in an investigation of any alleged unauthorized transfer of the employer's proprietary or confidential information or financial data to the employee's personal Internet account, if the employer has reasonable cause to believe that such a transfer has occurred, or of any other alleged employment-related misconduct, violation of the law, or violation of the employer's work rules as specified in an employee handbook, if the employer has reasonable cause to believe that activity on the employee's personal Internet account relating to that misconduct or violation has occurred. In conducting an investigation or requiring an employee to cooperate in an investigation under this subdivision, an employer may require an employee to grant access to or allow observation of the employee's personal Internet account, but may not require the employee to disclose access information for that account.

…

 So, an employer may not require you to provide access to your personal Internet account on a whim or a hunch. But, if the employer can point to an Acceptable Use Policy, text in an employee handbook, or can establish reasonable cause to believe employment-related misconduct, the employer can require such access. Sure, you don't have to provide your login/password, but in subsection 3, above, you could be required to grant access (whatever that means).

The social media bill's carve-outs sound a lot like CFAA cases of late, and also general social media prying lawsuits as well. How, then, is this bill a boon for employee/student privacy? Also, if my employer requested I grant access to a personal account, as part of an "investigation," I would almost assuredly deny that request, absent a subpoena. I am very curious how these exceptions will be used by employers going forward.

Update 1: 

Rep. Sargent wrote an Op-Ed in the Milwaukee Journal Sentinel when she proposed the bill (with other representatives). See here: Bipartisan bill protects social media accounts

Later, after the bill made it out of the Senate on a 33-0 vote, Sargent issued a press release. See here: Social Media Protection Bill Passes Senate on a 33-0 Vote. An interesting quote from the release:

I’m pleased that this common sense, bi-partisan legislation advanced further through the legislative process today.  It makes sense that personal internet accounts should be given the same, 4th Amendment protections as other aspects of our daily lives.  People have a reasonable expectation of privacy when interacting with their friends and family on Facebook or other sites. An employer, university, or landlord should not have access to private communications on social media sites. As technology evolves, so must our legislative efforts to protect our citizen’s privacy. The current generation will write the laws on social media.  We must do it carefully and with respect for all parties involved.

There should, in my opinion, be an asterisk (*) after that paragraph, noting that the exceptions may indeed swallow a large chunk of the well-intentioned proposal. If the bill's intent was to prevent forced disclosure of account credentials, then the text should have narrowly reflected that (considering, to wit, that the exceptions do not require providing credentials, but merely providing/granting access). Further, just as some courts have attempted to bring TOS/Acceptable Use Policies/Employee Handbooks within the ambit of CFAA liability, this bill allows varying employer-defined standards to dictate whether an employee must grant access to a social media/personal email account.

Hypo: If an employee handbook states no surfing the internet for personal reasons (or updating social media) during work hours and there is "reasonable cause" to believe that a violation occurred - must the employee grant access to the account to prove otherwise? How is that giving personal internet accounts "4th Amendment protections...[similar to those in] other aspects of our daily lives?" What if the employee refuses to grant access - is that grounds for termination?

More fundamentally, though, is this question: now that the bill has become law, who benefitted more from its enactment: employers, or employees?

Read More

Massive round-up of new law articles, covering privacy, Fourth Amendment, GPS, cell site, cybercrime, big data, revenge porn, drones, and more

Spencer, Shaun B., The Surveillance Society and the Third-Party Privacy Problem (2013). South Carolina Law Review, Vol. 65, No. 2, 2013. Abstract: 

This Article examines a question that has become increasingly important in the emerging surveillance society: Should the law treat information as private even though others know about it? This is the third-party privacy problem. Part II explores two competing conceptions of privacy — the binary and contextual conceptions. Part III describes two features of the emerging surveillance society that should change the way we address the third-party privacy problem. One feature, “surveillance on demand,” results from exponential increases in data collection and aggregation. The other feature, “uploaded lives,” reflects a revolution in the type and amount of information that we share digitally. Part IV argues that the binary conception cannot protect privacy in the surveillance society because it fails to account for the new realities of surveillance on demand and uploaded lives. Finally, Part V illustrates how courts and legislators can implement the contextual conception to deal with two emerging surveillance society problems — facial recognition technology and geolocation data.

Kimberly N. Brown, Anonymity, Faceprints, and the Constitution, 21 Geo. Mason L. Rev. (forthcoming Winter 2014).

Jane Bambauer, Is Data Speech?, 66 Stan. L. Rev. 57 (2014). Abstract:

Privacy laws rely on the unexamined assumption that the collection of data is not speech. That assumption is incorrect. Privacy scholars, recognizing an imminent clash between this long-held assumption and First Amendment protections of information, argue that data is different from the sort of speech the Constitution intended to protect. But they fail to articulate a meaningful distinction between data and other more traditional forms of expression. Meanwhile, First Amendment scholars have not paid sufficient attention to new technologies that automatically capture data. These technologies reopen challenging questions about what “speech” is. 

This Article makes two overdue contributions to the First Amendment literature. First, it argues that when the scope of First Amendment coverage is ambiguous, courts should analyze the government’s motive for regulating. Second, it highlights and strengthens the strands of First Amendment theory that protect the right to create knowledge. Whenever the state regulates in order to interfere with the creation of knowledge, that regulation should draw First Amendment scrutiny. 

In combination, these claims show clearly why data must receive First Amendment protection. When the collection or distribution of data troubles lawmakers, it does so because data has the potential to inform and to inspire new opinions. Data privacy laws regulate minds, not technology. Thus, for all practical purposes, and in every context relevant to privacy debates, data is speech.

Elizabeth E. Joh, Privacy Protests: Surveillance Evasion and Fourth Amendment Suspicion, 55 Ariz. L. Rev. 997 (2014). Abstract:

The police tend to think that those who evade surveillance are criminals. Yet the evasion may only be a protest against the surveillance itself. Faced with the growing surveillance capacities of the government, some people object. They buy “burners” (prepaid phones) or “freedom phones” from Asia that have had all tracking devices removed, or they hide their smartphones in ad hoc Faraday cages that block their signals. They use Tor to surf the internet. They identify tracking devices with GPS detectors. They avoid credit cards and choose cash, prepaid debit cards, or bitcoins. They burn their garbage. At the extreme end, some “live off the grid” and cut off all contact with the modern world. 

These are all examples of what I call privacy protests: actions individuals take to block or to thwart government surveillance for reasons unrelated to criminal wrongdoing. Those engaged in privacy protests do so primarily because they object to the presence of perceived or potential government surveillance in their lives. How do we tell the difference between privacy protests and criminal evasions, and why does it matter? Surprisingly scant attention has been given to these questions, in part because Fourth Amendment law makes little distinction between ordinary criminal evasions and privacy protests. This Article discusses the importance of these ordinary acts of resistance, their place in constitutional criminal procedure, and their potential social value in the struggle over the meaning of privacy.

Conor M. Reardon, Cell Phones, Police Recording, and the Intersection of the First and Fourth Amendments, 63 Duke Law Journal 735-779 (2013). Abstract:

In a recent spate of highly publicized incidents, citizens have used cell phones equipped with video cameras to record violent arrests. Oftentimes they post their recordings on the Internet for public examination. As the courts have recognized, this behavior lies close to the heart of the First Amendment. 

But the Constitution imperfectly protects this new form of government monitoring. Fourth Amendment doctrine generally permits the warrantless seizure of cell phones used to record violent arrests, on the theory that the recording contains evidence of a crime. The Fourth Amendment inquiry does not evaluate a seizing officer’s state of mind, permitting an official to seize a video for the very purpose of suppressing its contents. Moreover, Supreme Court precedent is typically read to ignore First Amendment interests implicated by searches and seizures. 

This result is perverse. Courts evaluating these seizures should stop to recall the Fourth Amendment’s origins as a procedural safeguard for expressive interests. They should remember, too, the Supreme Court’s jurisprudence surrounding seizures of obscene materials—an area in which the Court carefully shaped Fourth Amendment doctrine to protect First Amendment values. Otherwise reasonable seizures can become unreasonable when they threaten free expression, and seizures of cell phones used to record violent arrests are of that stripe. Courts should therefore disallow this breed of seizure, trusting the political branches to craft a substitute procedure that will protect law-enforcement interests without doing violence to First Amendment freedoms.

Elizabeth Friedler, Protecting the Innocent—the Need to Adapt Federal Asset Forfeiture Laws to Protect the Interests of Third Parties in Digital Asset Seizures, Cardozo Arts & Entertainment Law Journal, Volume 32, Issue 1 (2013).

Jana Sutton, Of Information, Trust, and Ice Cream: A Recipe for a Different Perspective on the Privacy of Health Information, 55 Ariz. L. Rev. 1171 (2014). Abstract:

The concept of privacy is inescapable in modern society. As technology develops rapidly and online connections become an integral part of our daily routines, the lines between what may or may not be acceptable continue to blur. Individual autonomy is important. We cannot, however, allow it to suffocate the advancement of technology in such vital areas as public health. Although this Note cannot lay out detailed instructions to balance the desire for autonomy and the benefits of free information, it attempts to provide some perspective on whether we are anywhere close to striking the right balance. When the benefits of health information technology are so glaring, and yet its progress has been so stifled, perhaps we have placed far too much value—at least in the health care context—on individual privacy.

Kevin S. Bankston & Ashkan Soltani, Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones, 123 YALE L.J. ONLINE 335 (2014). Abstract:

In United States v. Jones, five Supreme Court Justices wrote that government surveillance of one’s public movements for twenty-eight days using a GPS device violated a reasonable expectation of privacy and constituted a Fourth Amendment search. Unfortunately, they didn’t provide a clear and administrable rule that could be applied in other government surveillance cases. In this Essay, Kevin Bankston and Ashkan Soltani draw together threads from the Jones concurrences and existing legal scholarship and combine them with data about the costs of different location tracking techniques to articulate a cost-based conception of the expectation of privacy that both supports and is supported by the concurring opinions in Jones.

Schmitt, Michael N. and Vihul, Liis, The International Law of Attribution During Proxy 'Wars' in Cyberspace (January 30, 2014). 1 Fletcher Security Review (2014 Forthcoming). Abstract:

The article examines the use of non-State actors by States to conduct cyber operations against other States. In doing so, it examines attribution of a non-State actor's cyber operations to a State pursuant to the law of State responsibility, attribution of a non-State actor's cyber armed attack to a State for the purposes of a self-defense analysis, and attribution of cyber military operations to a State in the context of determining whether an international armed conflict has been initiated. These three very different legal inquiries are often confused with each other. The article seeks to deconstruct the issue of attribution into its various normative components.

Kate Crawford & Jason Schultz, Big Data and Due Process: Toward a Framework to Redress Predictive Privacy Harms, 55 B.C. L. Rev. 93 (2014). Abstract:

The rise of “Big Data” analytics in the private sector poses new challenges for privacy advocates. Through its reliance on existing data and predictive analysis to create detailed individual profiles, Big Data has exploded the scope of personally identifiable information (“PII”). It has also effectively marginalized regulatory schema by evading current privacy protections with its novel methodology. Furthermore, poor execution of Big Data methodology may create additional harms by rendering inaccurate profiles that nonetheless impact an individual’s life and livelihood. To respond to Big Data’s evolving practices, this Article examines several existing privacy regimes and explains why these approaches inadequately address current Big Data challenges. This Article then proposes a new approach to mitigating predictive privacy harms—that of a right to procedural data due process. Although current privacy regimes offer limited nominal due process-like mechanisms, a more rigorous framework is needed to address their shortcomings. By examining due process’s role in the Anglo-American legal system and building on previous scholarship about due process for public administrative computer systems, this Article argues that individuals affected by Big Data should have similar rights to those in the legal system with respect to how their personal data is used in such adjudications. Using these principles, this Article analogizes a system of regulation that would provide such rights against private Big Data actors.

Larkin, Paul J., 'Revenge Porn,' State Law, and Free Speech (January 14, 2014).  Abstract:

For most of our history, only celebrities — presidents, movie stars, professional athletes, and the like — were at risk of having their everyday exploits and activities photographed and shown to the world. But that day is gone. Today, we all face the risk of being made into a celebrity due to the ubiquity of camera-equipped cell phones and the ease of uploading photographs or videos onto the Internet. But a particularly troubling aspect of this phenomenon goes by the name of "revenge porn" — that is, the Internet posting of photographs of naked former wives and girlfriends, sometimes in intimate positions or activities. Revenge porn is an example of malicious conduct that injures the welfare of someone who mistakenly trusted an intimate partner. Tort law traditionally has allowed parties to recover damages for such violations of privacy, and criminal law also can prohibit such conduct, but there are several First Amendment defenses that the responsible parties can assert to fend off liability. This article argues that allowing a victim of revenge porn to recover damages for publication that breaches an implicit promise of confidentiality is faithful to tort and criminal law principles and will not punish or chill the legitimate expression of free speech.

Jonathan Olivito, Beyond the Fourth Amendment: Limiting Drone Surveillance Through the Constitutional Right to Informational Privacy, 74 Ohio St. L.J. 669 (2013). 

The entirety of Volume 74, Issue 6 in the Ohio State Law Journal; Symposium: The Second Wave of Global Privacy Protection (Titles Below)

Peter Swire, The Second Wave of Global Privacy Protection: Symposium Introduction, 74 Ohio St. L.J. 841 (2013). 

Ann Bartow, Privacy Laws and Privacy Levers: Online Surveillance Versus Economic Development in the People’s Republic of China, 74 Ohio St. L.J. 853 (2013). 

Andrew Clearwater & J. Trevor Hughes, In the Beginning . . . An Early History of the Privacy Profession, 74 Ohio St. L.J. 897 (2013). 

Claudia Diaz, Omer Tene & Seda Gürses, Hero or Villain: The Data Controller in Privacy Law and Technologies, 74 Ohio St. L.J. 923 (2013). 

A. Michael Froomkin, “PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, 74 Ohio St. L.J. 965 (2013). 

Woodrow Hartzog, Social Data, 74 Ohio St. L.J. 995 (2013). 

Dennis D. Hirsch, In Search of the Holy Grail: Achieving Global Privacy Rules Through Sector-Based Codes of Conduct, 74 Ohio St. L.J. 1029 (2013). 

Gus Hosein & Caroline Wilson Palow, Modern Safeguards for Modern Surveillance: An Analysis of Innovations in Communications Surveillance Techniques, 74 Ohio St. L.J. 1071 (2013). 

Anil Kalhan, Immigration Policing and Federalism Through the Lens of Technology, Surveillance, and Privacy, 74 Ohio St. L.J. 1105 (2013). 

Bartosz M. Marcinkowski, Privacy Paradox(es): In Search of a Transatlantic Data Protection Standard, 74 Ohio St. L.J. 1167 (2013). 

Thomas Margoni & Mark Perry, Deep Pockets, Packets, and Harbors, 74 Ohio St. L.J. 1195 (2013). 

Omer Tene, Privacy Law’s Midlife Crisis: A Critical Assessment of the Second Wave of Global Privacy Laws, 74 Ohio St. L.J. 1217 (2013). 

Yofi Tirosh & Michael Birnhack, Naked in Front of the Machine: Does Airport Scanning Violate Privacy? 74 Ohio St. L.J. 1263 (2013). 

Yang Wang, Pedro Giovanni Leon, Xiaoxuan Chen, Saranga Komanduri, Gregory Norcie, Kevin Scott, Alessandro Acquisti, Lorrie Faith Cranor & Norman Sadeh, From Facebook Regrets to Facebook Privacy Nudges, 74 Ohio St. L.J. 1307 (2013). 

Tal Z. Zarsky & Norberto Nuno Gomes de Andrade, Regulating Electronic Identity Intermediaries: The “Soft eID” Conundrum, 74 Ohio St. L.J. 1335 (2013).

The entirety of Volume 14, Issue 1 of the  Journal of High Technology Law (2014) (Titles Below).

After Jones, The Deluge: The Fourth Amendment's Treatment Of Information, Big Data And The Cloud , Lon A. Berk, 14 J. High Tech L. 1 (2014). 

The Legislative Response To Employers' Requests For Password Disclosure, Jordan M. Blanke, 14 J. High Tech L. 42 (2014). 

A Shot In The Dark: An Analysis Of The SEC's Response To The Rise Of Dark Pools Edwin Batista, 14 J. High Tech L. 83 (2014). 

Privacy Protections Left Wanting: Looking At Doctrine And Safeguards On Law Enforcements' Use Of GPS Tracking And Cell Phone Records With A Focus On Massachusetts, Lloyd Chebaclo, 14 J. High Tech L. 120 (2014).

Read More

California Attorney General announces the arrest of alleged revenge porn website owner, charged with conspiracy, identity theft, and extortion

Yesterday, California Attorney General Kamala Harris announced the arrest of Kevin Bollaert, the “alleged owner and operator of a revenge porn website who facilitated the posting of more than 10,000 sexually explicit photos and extorted victims for as much as $350 each to remove the illicit content.”

Bollaert, a 27 year-old San Diego native, is allegedly behind the site “ugotposted.com.” According to allegations in the arrest warrant, the site allowed posters to upload nude images of victims with accompanying personal information, which in some cases provided the victim’s name, city, state, Facebook account, and other social media sites.

Additional statements in the arrest warrant allege that some of the victims paid money in order to have their images removed from the site

Doe # 1 and Doe #2 related that each of them sent an email to the website asking that their photos be removed and were instructed to go to the link at the bottom of UGOTPOSTED to have their photos removed. The link was to a website called changemyreputation@gmail.com. Both Jane Doe #1 and Jane Doe #2 stated that they paid $249.99 to have their photos removed from UGOTPOSTED.

(NOTE: the website described in the above quote is likely misstated, and is likely referring to "changemyreputation.com." According to the arrest warrant, Bollaert is allegedly linked to this site as well).

The accompanying complaint alleges 31 criminal counts, spanning 14 victims. Of particular note, however, is the explanation provide for in the conclusion of the arrest warrant:

The publishing of nude photographs, in conjunction with the victim's name, Facebook account or other [personally identifiable information] without the victim's permission is the crime of identity theft in violation of Penal Code section 530.5. To be guilty under section 530.5(a), the defendant must (1) willfully obtain personal identifying information of another person, and (2) use the identifying information for an unlawful purpose without the person's consent." (People v. Tillotson (2007) 157 Cal.App.4th 517, 533.) Here the unlawful purpose includes both a criminal offense under Penal Code section 653m (b) and a civil tort for the publication of private images. (In re Rolando S (2011) 197 Cal.App 936.)

Section 653m (b) states in pertinent part: "Every person who, with intent to annoy or harass, makes repeated telephone calls or makes repeated contact by means of an electronic communication device, or makes any combination of calls or contact, to another person is, whether or not conversation ensues from making the telephone call or contact by means of an electronic communication device, guilty of a misdemeanor. 

In this case the investigation revealed that Kevin BOLLAERT is aiding and abetting the crime of PC 653m (b)-annoy or harass, by facilitating the publishing of nude photographs, in conjunction with the victim's name, Facebook page or other PII, without the victim's permission, which is the crime of identity theft in violation of Penal Code (PC) section 530.5. 

Furthermore, Kevin BOLLAERT, by demanding and accepting payments to remove victims unauthorized posted nude images from UGOTPOSTED via changemyreputation.com is the crime of extortion in violation of Penal Code section 518. The publication of the victims nude images exposed them to disgrace within their public lives. Kevin BOLLAERT continued to expose the victims private information and secrets to the public -unless paid.

Considering the large amount of attention "revenge porn" has been getting lately, and what seems to be a somewhat aggressive use of California's identity theft law, it will be interesting to see how this case progresses.

Read More

Video of Wisconsin Legislature (Committee on Judiciary and Labor) public hearing on AB462/SB367 criminalizing "revenge porn"

Skip to 4:06:50 to hear the short, non-controversial "public hearing" on the Wisconsin "revenge porn" bill. Notably, the representatives noted that the bill was drafted with input with Mary Ann Franks. I find that interesting, given that I called the bill overbroad and noted that it does not in fact follow the model statute proposed by Professor Franks. My post criticizing the bill is here: Wisconsin's "revenge porn" bill goes too far. Hypos to ponder and why the legislature should look to Professor Franks

Video:
11.20.13 | Senate Committee on Judiciary and Labor
Agenda: On November 20, 2013, the Senate Committee on Judiciary and Labor held a public hearing at the state Capitol on the following items: Senate Bill 167, relating to actions for damages caused by wind energy systems; Senate Bill 367, relating to distributing a sexually explicit image without consent and providing a penalty.

**Skip to 4:06:50**

Read More

Wisconsin's "revenge porn" bill goes too far. Hypos to ponder and why the legislature should look to Professor Franks

The Wisconsin legislature recently proposed a "revenge porn" bill (Assembly Bill 462, full text here: https://docs.legis.wisconsin.gov/2013/related/proposals/ab462.pdf). While I applaud the Wisconsin legislature for addressing an issue that has garnered national attention, I interpret the current proposal (unless I am missing something, and I encourage you to prove me wrong), to criminalize a whole host of conduct having nothing to do with revenge porn. (Of course, if the proposed bill ends up becoming law, the text introduced here may vanish in the final Act; that said, I was still quite surprised that such ambiguous and broad language was proposed in the first instance).

Here is the relevant text:

942.09 (3m) (a) Whoever, without the consent of the person represented,
reproduces, distributes, exhibits, publishes, transmits, or otherwise disseminates a
representation of a nude or partially nude person or of a person engaging in sexually
explicit conduct is guilty of a Class A misdemeanor. The consent of the person
represented to the capture of the representation or to the possession of the
representation by the actor is not a defense to a violation of this subsection. 

…(various non-controversial exceptions) 

(c) This subsection does not apply if the person represented consented to the
reproduction, distribution, exhibition, publication, transmission, or other
dissemination of the representation for commercial purposes.

This language, to me, omits key words in the model state statute Professor Franks proposes and, by doing so, is overbroad. My reasoning (with hypotheticals calling the language into question):

(1) I think the obvious flaw is omission of a scienter requirement (particularly “intentionally”). If I take a nude photo of my girlfriend with her consent, but accidentally email it to my friend instead of a photo of a wet kitten, I violate this statute. 

(2) The more interesting flaw (and one that implicates the 1st Amendment, perhaps), is that it might criminalize merely emailing any non-commercial pornographic picture. So, if I spend my nights surfing porn and emailing the best photos I find to my friends, but I cannot prove that I had the consent of the person represented to send that image, am I committing a crime? And, moreover, how does one know if they can be saved by subsection (c) — i.e. how does one determine if a pornographic photo was consented to for commercial purposes? (Most images lack any identifying origin). Amateur pornography (and nude self-expression/artistic work) may not be commercial in nature; so, if my neighbor is a free spirit and loves to mail me artistic nude photos taken consensually by her friend, am I committing a crime if I photocopy the picture (reproduce it) for my own personal use (without her consent)? 

(3) Also, I saw an amendment to the bill proposing that “fine art” be exempt from the statute. This makes sense because as the language stands, displaying nude paintings of anyone without their consent runs afoul of the existing language. But, even exempting fine art, if I create a pencil sketch of a female nude model (arguably a representation of her without a statutory definition of “representation”) and show it at an art exhibit without her consent, is that a violation? (this example supposes, correctly, that no one would consider my sketches (or paintings) as “fine art”). The hypo is equally applicable to a photo I suppose. 

(4) One last set (these are less about Wisconsin’s statute and more about the enforcement of any such "revenge porn" statute). What if the nude person in the representation is now dead? If my girlfriend dies in a car accident with her secret lover and, to get back at her for the infidelity, I post all of our intimate photos online, is that a crime? (I think I lean towards yes, but how does one prove she did not consent?) Alternatively, if my grandmother leaves me a nude photo of her in her will and I post it to my Facebook page, crime? (My grandmother's consent is impossible to prove; however, can my grandfather's abhorrence at my conduct serve as the predicate for a violation of the Wisconsin statute?).

Do not take my criticism of the Wisconsin proposal as a condemnation of statutes like this. But, criminalizing any conduct requires a statute narrowly drafted to achieve the overarching goal without: (1) criminalizing conduct not contemplated by the legislature (see, e.g., the CFAA); (2) infringing on protected First Amendment rights; and (3) punishing conduct that misses the "revenge" part of "revenge porn."

The last point is worth elaborating on. "Revenge" is defined in a variety of ways,  see, e.g., the Free Dictionary depending on the context. But, the substance of the word "revenge" is not hard to discern when it is used as a weapon against another; for example, "revenge, reprisal, retribution, [and] vengeance suggest a punishment or injury inflicted in return for one received. [R]evenge is the carrying out of a bitter desire to injure another for a wrong done to oneself or to those who are close to oneself: to plot revenge for a friend's betrayal." Id. Legislatures took notice of "revenge porn" after tragic events and horrific stories popped up on the internet about individuals (often female) being tormented by ex-lovers wishing to exact punishment for real or perceived harm. The nationwide legislative focus on a this sociological phenomenon is, to be sure, quite encouraging. 

However, Wisconsin's current proposal reinforces the well-founded fear of many (including organizations like the EFF and ACLU) that statutes intended to cure "revenge porn," without careful drafting, might overreach and infringe on First Amendment rights. My overarching fear is that legislative bodies will get lost in the morality of pornography (or personal conceptions of permissible social interactions), instead of focusing on the "easy win"  a narrow statute intended to prevent revenge porn's abhorrent invasion of privacy might provide. 

Additionally, notwithstanding the considerations above, it cannot be ignored that a digital photograph published to the internet exists long after the subject of the photo is gone. Digital photos can be cached, preserved as screenshots, or archived by third-party sites like the Wayback Machine. Part of the "revenge" inherent in revenge porn is that the person possessing the nude/pornographic picture is well aware of the above considerations and ignores them as part of the intent to exact revenge.

That said, I must admit that I disagree with the California revenge porn statute; I do not understand requiring something more than "intent" (i.e., an intent to harm as the CA statute reads) to criminalize "revenge porn." While the mens rea for revenge porn might persist as a point of contention, my take is that: an intent to harm rquirement is unnecessarily restrictive; but, at the other end of the spectrum, no scienter requirement (as is the case in Wisconsin AB462) is impermissibly overbroad (see supra).

I don't have all the answers, but my suggestion is that the Wisconsin Legislature look to the wording Professor Franks has proposed as a method to revise the current proposal.

Read More

Wired, ABA Journal publish articles on revenge porn

Wired and the ABA Journal have both recently published good articles on the subject of revenge porn. If those legal issues interest you at all, you should be sure to check these out:

ABA Journal - "Victims are taking on ‘revenge porn’ websites for posting photos they didn’t consent to"

[T]here’s no clear legal avenue to penalize posters of revenge porn. Only two states, California and New Jersey, make it illegal to post a sexual photo online without the subject’s consent. Though experts say revenge porn may violate other state statutes, it’s common for police to say no law was broken unless the picture is child porn, of those under 18 when a photo was taken.

Wired - "Revenge Porn Is Bad. Criminalizing It Is Worse"

We do not need to choose between the internet and women, or between free speech and feminism. These are false and unnecessary dichotomies. Refusing to criminalize revenge porn would not make us misogynists. It would instead make us prudent.

Also, feel free to check out past Cybercrime Review posts about revenge porn.

Read More

Recent News: Lavabit, Silk Road, and Calif. revenge porn bill

Lavabit used 4-point type in attempt to prolong Snowden SSL key release
Edward Snowden's e-mail provider, now-defunct Lavabit, attempted to defy the government's request for Snowden's SSL keys by printing the 2,560 characters in 11 pages of 4-point type. That way, the FBI would have to retype the key manually. Read more from Wired.

Silk Road closed by FBI, others promptly take its place
The FBI shut down Silk Road earlier this week, but the Huffington Post reports that many alternatives exist, and black market vendors have already made the move.

“I am now offering all of my inventory at a discounted rate due to the fall of SR!” wrote [a] vendor at Black Market Reloaded.

Read past Cybercrime Review posts about Silk Road here.

California bans revenge porn
California governor Jerry Brown recently signed into law a bill that could punish violators with up to six months in jail and a $1,000 fine for posting revenge porn. Revenge porn is when a person posts sexual photos of an ex on the Internet in an act of revenge.

Read more about the law from CNN, and more about revenge porn in an earlier Cybercrime Review post.

Read More

Professor Danielle Keats Citron on the criminalization of “revenge porn” and a cyber civil rights agenda

A recent CNN opinion by Professor Danielle Keats Citron, a law professor at the University of Maryland Francis King Carey School of Law and an affiliate scholar at the Stanford Center on Internet and Society and Yale Information Society Project, calls for the criminal law to take action in deterring and punishing “revenge porn.” Jeffery defined revenged porn in an earlier post as an individual posting “nude images of someone they know on the Internet - often doing so after the end of a relationship.”  As Professor Citron details, the impact on a victim's future employment opportunities, mental and physical well-being, and the overall impact on his or her daily life is no doubt striking.

The criminalization of revenge porn has captured headlines recently due to the introduction of California’s SB 255, which is the latest attempt to criminalize the act. Under the current language of the Bill,

any person who photographs or records by any means the image of another, identifiable person with his or her consent who is in a state of full or partial undress in any area in which the person being photographed or recorded has a reasonable expectation of privacy, and subsequently distributes the image taken, with the intent to cause serious emotional distress, and the other person suffers serious emotional distress would constitute disorderly conduct subject to that same punishment.

However, as Professor Citron outlines, states have substantially fallen behind on criminalizing revenge porn. New Jersey Code 2C:14-9, one of the only laws of its kind, has specifically criminalized revenge porn activities. Some state laws address the issue of distributing sexually explicit images more broadly, such as Texas Penal Code 21.15(B), which prohibits "visually record[ing] another (A) without the other person's consent; and (B) with intent to arouse or gratify the sexual desire of any person." These laws, however, run into a variety of problems when applied to common revenge porn scenarios, one of which is the likelihood that the victim, while in a relationship with the hypothetical poster, consented to the creation of the visual recording.

Professor Citron has written extensively on the issue and has advocated for a “cyber civil rights” agenda highlighted in this 2009 Boston University Law Review article. This 2009 proposal spawned a 2010 symposium hosted by the Denver University Law Review (Part One, Part Two, and Part Three of this symposium are available at the Denver University Law Review Online).

Some of Professor Citron’s other publications on both “revenge porn” and “cyber civil rights” more generally can be found over at Concurring Opinions. Below are some of her more recent posts on the topic  

Blaming the Victim: Been There Before, Concurring Opinions, Feb. 1, 2013 (a response to Professor Mary Anne Frank’s post on “revenge porn”)

Revenge Porn Site Operators and Federal Criminal Liability, Concurring Opinions, Jan. 30 2013 

The Importance of Section 230 Immunity for Most, Concurring Opinions, Jan. 25 2013 

Revenge Porn and the Uphill Battle to Pierce Section 230 Immunity (Part II), Concurring Opinion, Jan. 25 2013

Professor Citron’s CNN opinion is a great read and I applaud her advocacy on the adoption of a cyber civil rights agenda. Some form of response is sorely needed to combat the more unsavory activities occurring online at the expense of others. I do, however, hope that those who are hesitant to react through regulatory measures in fear that such a response could chill free speech protections continue to take an active role in voicing their concerns. It is only through active and open discussion that the criminalization of discriminatory and abusive activities occurring online can properly conform to the protections of the First Amendment. As cyber civil rights issues continue to take shape throughout the country, such as those associated with the revenge porn debate,  I would advise keeping a close eye on the insightful work of Professor Citron.

Read More

"Revenge porn" website owner offers to close site if he raises $200,000

There was a time when people ended a relationship and moved on with their lives. Nowadays, with digital cameras and the Internet, it is much easier to seek revenge for all of the wrongs you experienced. For those of you unaware, "revenge porn" is the term applied when a person posts nude images of someone they know on the Internet - often doing so after the end of a relationship. 

Several revenge porn websites have come and gone, but one website owner has recently made headlines by offering to shut down his websites after he raises $200,000. According to Betabeat.com:

Mr. Brittain has devised a new scheme to flout the desires of victims who want him to take down their intimate photos. He and Is Anybody Down co-owner Chance Trahan have launched an Indiegogo campaign with a goal of $200,000, claiming that if they hit their goal they will officially shut down both sites. And they’ve named their campaign after revenge porn victim Holly Jacobs’ victim resource hub, End Revenge Porn.

Here are a few related links:

• 'I'm tired of hiding': Revenge-porn victim speaks out over her abuse after she claims ex posted explicit photos of her online
• Criminalizing “revenge porn” - discussion of what different groups and legislatures are doing to try to shut it down
• Revenge porn: the fight against the net's nastiest corner

Read More