IPSC Breakout Session III

IP & Privacy
Exploring Privacy as Commons
Katherine Strandburg & Brett Frischmann
Knowledge production/privacy as highly related, not
orthogonal/opposed.  Knowledge production
framework as a way of doing descriptive empirical case studies of how privacy
works in context, which can aid policy design. Appropriate info flows take
place in complex and variable forms, and understanding the variations is
important.  Knowledge commons framework also
lines up w/Helen Nissenbaum’s work on contextual integrity in the privacy
realm. Norms and info transmission principles can be supplemented w/a broader
conception of governance.
Privacy is community management that applies to resources and
involves a group/community but doesn’t denote the resources, community, place,
or thing: privacy is the institutional arragnement of these elements.
Meeting under Chatham House rules: identify or affiliation
of speakers/participants can’t be revealed but participants are free to use the
info received. Is this privacy or knowledge commons? It is both: encourages
candor, openness, sharing of ideas. Once adopted, the rule governs the
resources/knowledge produced and behavior. Reflects and shapes norms for
participants; reinforces boundary b/t community members and nonmembers. It’s a
good example of privacy/commons governance. 
Norms of behavior at IPSC can also be described in the same way.  [E.g., I blog about talks but not about
hallway conversations, I think he means.]
Studies of different research consortia for rare diseases,
which are all about knowledge production: in both, there are IP issues on the
fringes, but one really important issue that drives production is privacy w/r/t
patient data. How do you get patients to participate?  What will happen w/clinical trials? 
The basic characteristic distinguishing privacy from nonprivacy
is institutionalized sharing of resources among members of a community: both
jarring and useful.  We are accustomed to
think of privacy as nonsharing, but privacy is often social; always connotes
boundaries b/t sharing and nonsharing.  Doesn’t
work at n=1, maybe not w/physical resources; sidelines normative debate and
values; takes a long time and needs dedicated research community. Benefits:
learn more about variance, nuance, obstacles/dilemmas, institutions; explore
intersections w/knowledge commons, as w/big data; learn what people really care
about and why; improving insittutional design.
Q: seems like a lot of work is done at different level of
generality. Drug cos. are willing to claim protection for privacy as their
justification for not sharing information.
A: the studies do provide the necessary details. Boundary
crossing: sharing research w/community at large v. within the pharma co. You
can get at boundary management by studying a variety of pharma patient
communities: rare disease community is different than big pharma. In one case,
pharma reps were part of the disease research community. We unpack what privacy
means only if we study them systematically, asking the same set of questions to
a bunch of different communities.
Q: sharing among corporations involves very different
environments, cultures, etc. than sharing among friends—privacy as trust.  How do you translate an idea about privacy
that’s inherently about individuals to a larger corporate environment?
A: look at the ends they set for themselves and how their
practices interact w/ that.  Maybe
withholding data benefits the internal community; our proposal doesn’t judge
that or assume that it has social benefit.
Q: can anything be excluded from the definition of an
institutional arrangement you offer? E.g., family, freedom.
A: not sure!
Silbey: Privacy is generally considered an individual right
against the gov’t in constitutional law; we don’t study institutional
mechanisms enough in law to figure out how individual rights are translated
into a system.
A: he thinks of privacy as a means; ends are for society to
Trickle Down Privacy
Ari Waldman
How we operationalize privacy in institutions.  Individual expectations of trust form
contexts of privacy.  Bamberger/Mulligan’s
work in 2010, 2015 about operationalizing privacy on the ground.  We can write all the laws we want, but what
happens in corporations as they write policies or create products that suck in
data or manipulate us into sharing information? 
B/M showed: corporations began to take privacy more seriously, even
though the law didn’t change much in 20 years; still swiss cheese like. What
changed: development of robust privacy professional sphere, who understood that
privacy was about trust.  Role of FTC in
developing common law of privacy and data breach notification statutes also
mattered, as well as tech changes where new products primarily implicated
privacy. If that’s true that over 20 years companies have developed a more
robust conception of privacy, why do we still have all these problems? Why are
privacy notices still so terrible, unread, unhelpful?  Why are some companies more nimble w/privacy
issues than others? Why do platforms get built specifically to manipulate people
into sharing data they might otherwise not share?  Do practices start at the top? What about in-house
lawyers, and people creating the tech/designing the products? Do they share the
robust conception of privacy at the CPO level? And what’s the role of the user?  This matters to help companies that do care
to structure their operations to take care of privacy, and for purposes of
legal reform. FTC settlements just say “create comprehensive privacy program,”
which generally means hiring a CPO, but if that doesn’t matter we should know.
Research design: interviews w/lawyers, programmers,
engineers, members of privacy teams, project managers/tech leads.  Observation of product design process for an
app that involves lots of user data. 
Qualitative w/quantititave aspects.
Hypothesis: robust privacy won’t trickle down from CPO w/o
active tech person lower down who shares that vision.  Tech people aren’t trained like lawyers or
ethicists, but in efficiency/gathering data. May think about privacy in terms
of notice, or user’s response.
Privacy leads even at middle management tend to think about
privacy as more than notice, but also user trust, even if they don’t have a
complete concept of what privacy is. Robust practices and guidelines exist in
all but the newest startups. Lawyers think of privacy as notice pure and
simple. They write privacy policies as legal documents; don’t care about impact
on users’ decisions to share.  Their goal
is to cover everything—cautious. 
Technologists use the same words as robust privacy pros, but they
fundamentally think about privacy as notice. Privacy becomes creating a product
that’s fun and takes in data.  Privacy
norms trickle down: only time he’s seen it trickle down is when the
technologist designing it isn’t just given a mandate “take privacy seriously”
but also shares the robust vision of privacy/trust.  May have something to do with
education/training.  An engineer
manager/product designer who feels the same way may also be able to produce the
privacy trickle down.
Cyberlaw & Intermediary Liability
DMCA+ Enforcement in the New gTLDs
Annemarie Bridy
Rise of DMCA plus enforcement.  Two categories: Type 1 DMCA intermediaries
are covered by DMCA but have privately agreed to do more.  Graduated response; link demotion for search
engines; proactive content blocking (Content ID etc.). Type 2 are beyond the
reach of secondary liability but have privately agreed to do more—payment network,
ad network—notice and termination or blocking regimes.  Domain name registrars—pressure on ICANN and
related entities to engage more actively.
Characteristics of DMCA plus: nominally voluntary but
implemented under gov’t pressure: members of Congress, IPEC, USTR.  Privately negotiated w/o input from public or
public interest groups.  Terms generally
disclosed only partially, w/resistance. 
Enforcement lacks transparency re: nature/volume of sanctions. Lack of
procedural safeguards for accused infringers. Notable exception: Copyright
Alert system, which was more transparent in substance and operation than other
Enforceable against users via provisions in intermediaries’
TOS that prohibit illegal activity/abuse and reserve right to terminate service
at their sole discretion.
For TM, the ACPA and UDRP have existed since before
2000.  Domain Name System is a logical
target b/c domain names often incorporate word marks.  Rarely requires assessment of underlying
content of website, which means a critical difference from © enforcement.
Enforcing © through DNS is more recent; © owners like it b/c
it enables cross border enforcement. First major development: PRO-IP Act of
2008, which became the basis of hundreds of domain names, from © to counterfeit
pharmaceuticals. SOPA almost provided for court-ordered site-blocking. Courts
have been asked to grant, and have been granting, site-blocking injunctions
against US based nonparty registrars and registry operators.  Private ordering: MPAA and Donuts, which
contains hundreds of new GTLDs.
Rightsholders saw in new GTLD process the opportunity to
inject © related obligations between ICANN and registries/registrars.  In 2014, USTR included a new issue focus on
domain name registrars in its annual Special 301 review of notorious
counterfeit markets. Called for © owners to get new procedures/policies.  Music/movie industries most active in
lobbying for new © enforcement.  Demanded
increased commitments for © enforcement, especially those targeting music or
digital content.  2013 version of
Registrar Accreditation Agreement contained new obligations for accepting
notices of infringement.
ICANN Registry agreement now requires registries to include
in contracts w/registrars a provision requiring registrars to include in
contracts w/registrants an obligation to refrain from © infringement and a
promise of suspension.  Registrar Accreditation
Agreement requires registrars to have abuse contacts to receive reports, w/duty
to investigate and respond appropriately to claims.  Thus Registrar is contractually bound both to
registry and ICANN. Complainants can seek redress through ICANN’s contractual
compliance process by completing a simple online form.
Donuts is registry operator for .movie, .wine, .computer,
.education., .clothing and others. MPAA has announced another partnership and
created a template for agreements w/registry operators.  Donuts thus requires adherence to ICANN and
acceptable use policies.  Permits
registry to delete, suspend, revoke, transfer or cancel the offending domain
name.  Donuts agrees to treat MPAA notices
expeditiously and w/presumption of credibility, like Google’s trusted removal
program for search.  Standard for
complaint: has to be clear and pervasive © infringement before approaching
registry; first must go to registrar of record and hosting provider; complaint
must state DMCA-like good faith belief; must be the result of human
review.  Intended to limit volume of
notices under the program.
Normative concerns: presumption of guilt; target/sanctions
affect entire domain, not URLs; no requirement of attempt to contact the
registrant despite the requirement to look up WHOIS information. Lack of
clarity about what’s clear and pervasive infringement; what’s careful human
review. Lack of procedures for registrants to contest complaints/appeal
sanctions; lack of transparency.
Goldman: great to do all this digging; glad it was you and
not me.  [I’ve joined ICANN’s TM review
group and I share this sentiment.]  Is
this an unstoppable train? Is there a way to combat that, similar to §512(f)
for wrongful takedowns? Is there any cause of action possible?  W/o §512(f), fox is in henhouse; what can the
chickens do?  We need a better §512(f).
A: that’s a hole in the law, and not clear what public law
can do b/c users have consented to terms of use. More productive way to go
about this: try to get these agreements to look more like the Copyright Alert
system. That had a right to a third party appeal to a neutral third party, and
these don’t.  Can’t get details of Donuts
agreement or Radix agreement though did get template for trusted notifier
Justin Hughes discussion: Someone registers
Harrypotter.education, and MPAA detects a bunch of streaming going on. They’re
under no obligation to contact the registrant? 
Yes. They’re under an obligation to contact the registrar, then
Donuts.  Then the registry is under an
obligation to assess clear & pervasive © infringement identified through
human review—it’s a bit of a black box. 
If Donuts finds so, they are obligated to cut off the registrant no
matter what the registry has found. 
A: Donuts has said that there have been 6 complaints filed
under trusted notifier system; 3 domain names blocked.  This was their evidence that it’s working,
but no info is available, for example about what a user sees when a site has
been blocked or locked.
RT: ICANN could require disclosure/transparency in its
agreements. There is something we as a community can do: join ICANN’s working
groups on these issues. I’ve done it for TM and it is not fun, but it is
necessary work and right now they are not hearing from the policy/academic
community, only from people with stark economic interests.  Show up!  Voice matters at ICANN.
IP, the Constitution and the Courts
A Free Speech Right to Trademark Protection?
Lisa Ramsey
International issues: US and other countries are members of
Paris Convention, w/obligations to allow certain registrations.  Says that nations may deny
registration/invalidate registrations for marks contrary to morality or public
order. WTO members agreed in TRIPS to keep that the same.  International conventions on human rights—allow
restrictions to freedom of expression if necessary to protect public order and
morals; rights and reputations of others; to prevent incitement to violence.
Consider, not just in the US but as a template for
evaluating free expression issues: 1. Gov’t action. Who is regulating the
expression?  If FB deletes your post,
there’s no state action.  If it’s a
misleading ad taken down by the FTC, that’s gov’t action though ok.  In Tam, the gov’t action is a law barring
registration of disparaging TMs (gov’t inaction).
2. Suppression, punishment, or other harm to expression. Consider
how the regulation actually harms expression. Unconstitutional conditions
doctrine: big debate.  Ramsey’s position
is that unconstitutional conditions shouldn’t apply where the benefit being
denied is the right to suppress the free speech of others.
3. What’s being regulated? TMs are expression, even though
you sometimes see people deny it.
4. Whose expression is being regulated?  Tam is not about gov’t speech—TM registration
is individual speech.  Could also
consider whether corporations have free speech rights, though they do in the US.
5. Are there categorical exclusions for this type of
expression?  Misleading commercial
speech, incitement to violence. But scandalous/disparaging marks aren’t
categorically excluded.
6. Whether the regulation of expression fails constitutional
scrutiny—level of constitutional scrutiny depends on local doctrine.  Is it content- or viewpoint-based?  Does it cover commercial or noncommercial
speech? Requires evaluation of law’s purpose, fit between law and purpose,
amount of harm to expression.
Upholding options: SCt might use unconstitutional conditions
doctrine to say that §2(a) is constitutional. 
Could say it satisfies constitutional scrutiny, though unlikely to say
it satisfies strict scrutiny.  Or it
could go the (c) route, treating (c) differently than other kinds of speech as
long as Congress doesn’t alter the “traditional contours.”  Offensive TM laws seem pretty traditional;
but might be a problem for dilution.
Linford: Ginsburg isn’t going to want to go near “traditional
contours”—Golan signals that
traditional contours means only 2 things. 
What about Harper & Row claiming that there’s no conflict, and we’ll
say hands off. 
Q: What is the state action requirement?  Enforcement of TM including injunctive
RT: my question was similar—Linford says “hands off” but
what does that mean?   “In Tam, the gov’t
action is a law barring registration of disparaging TMs” but that’s gov’t
A: When the examiner denies your application that’s gov’t
RT: but in that case if I go to court and say “FB suspended
my account for using a non-real name and you should bar that part of the TOU
b/c it violates my free speech rights” then you also get state action in
enforcing FB’s contractual terms.
A: true.  Reminder
that TM registration allows lots of suppression of speech—can interfere
w/T-shirts, merchandising, claim dilution, etc.
Charles Duan: disparaging marks have particularly strong
expression values—people use them to express feelings.  Preventing others from using those terms may
thus be worse than ordinary suppression through TM.
A: yes, one of the dissents does a really good job—makes a
difference from ordinary unconstitutional conditions cases, where benefit
sought was not the right to suppress others’ speech. Still, troublesome to have
individual examiners deciding what’s disparaging.  Internationally, nations can decide
(Afghanistan bars marks that are harmful to chastity).
Pam Samuelson: Different nations have different ideas of
scandalousness, public order, disparagement. Are you thinking we need

A: the opposite. We need to allow nations to make their own
decisions.  I worry that after Tam,
people will go to other countries and demand registration of these marks. Some people will only register marks that they can register in multiple countries, so there’s a chilling effect no matter what.

from Blogger http://ift.tt/2aP5RoD

This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s