The CDA provides immunity from the acts of users of online providers. For example, if a user provides defamatory content in a comment, a blog need not remove the comment to be immune, even if the blog receives notice that the content is defamatory, and even if the blog knows the content is defamatory.

I agree with most of my colleagues who believe this statute is a good thing for the internet. Where I part ways from most of my colleagues is how broadly to read  the statute.

Since this is a post about statutory interpretation, I’ll include the statute:

Section 230(c)(1) of the CDA states that:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

In turn, an interactive computer service is:

any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server, including specifically a service or system that provides access to the Internet and such systems operated or services offered by libraries or educational institutions.

Further, an information content provider is:

any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.

So, where do I clash with others on this? The primary area is when the operators of the computer service make decisions to publish (or republish) content.  I’ll give three examples that courts have determined are immune, but that I think do not fall within the statute:

1. Web Site A pays Web Site B to republish all of B’s content on Site A. Site A is immune.
2. Web Site A selectively republishes some or all of a story from Web Site B on Site A. Site A is immune.
3. Web Site A publishes an electronic mail received by a reader on Site A. Site A is immune.

These three examples share a common thread: Site A is immune, despite selectively seeking out and publishing content in a manner that has nothing to do with the computerized processes of the provider. In other words, it is the operator, not the service, that is making publication determinations.

To address these issues, cases have focused on “development” of the information. One case, for example, defines development as a site that “contributes materially to the alleged illegality of the conduct.” Here, I agree with my colleagues that development is being defined too broadly to limit immunity. Development should mean that the provider actually creates the content that is displayed. For that reason, I agree with the Roommates.com decision, which held that Roommates developed content by providing pre-filled dropdown lists that allegedly violated the Fair Housing Act. It turns out that the roommate postings were protected speech, but that is a matter of substance, and not immunity. The fact that underlying content is eventually vindicated does not mean that immunity should be expanded. To the extent some think that the development standard is limited only to development of illegal content (something implied by the text of the Roommates.com decision), I believe that is too limiting. The question is the source of the information, not the illegality of it.

The burning issue is why plaintiffs continue to rely on “development” despite its relatively narrow application. The answer is that this is all they currently have to argue, and that is where I disagree with my colleagues. I believe the word “interactive” in the definition must mean something. It means that the receipt of content must be tied to the interactivity of the provider. In other words, receipt of the offending content must be automated or otherwise interactive to be considered for immunity.

Why do I think that this is the right reading? First, there’s the word “interactive.” It was chosen for a reason. Second, the definition of “information content provider” identifies information “provided through the Internet or any other interactive computer service.” (emphasis added). This implies that the provision of information should be based on interactivity or automation.

There is support in the statute for only immunizing information directly provided through interactivity. Section, 230(d), for example, requires interactive service providers to notify their users about content filtering tools. This implies that the information being provided is through the interactive service.  Sections 230(a) and (b) describe the findings and policy of Congress, which describe interactive services as new ways for users to control information and for free exchange of ideas.

I think one can read the statute more broadly than I am here. But I also believe that there is no reason to do so. The primary benefit of Section 230 is a cost savings mechanism. There’s is no way many service providers can screen all the content on their websites for potentially tortious activity. There’s just no filter for that.

Allowing immunity for individualized editorial decisions like paying for syndicated content, picking and choosing among emails, and republishing stories from other web sites runs directly counter to this cost saving purpose.  Complaining that it costs too much to filter interactive user content is a far cry from complaining that it costs to much to determine whether an email is true before making a noninteractive decision to republish it. We should want our service providers to expend some effort before republishing.

Facebook is top dog in social; Google in search. The thing they both (with MS lurking in the wings to make a big comeback (an odd thing given how well MS does as it is)) are doing is to take recommendations to a new level (with ads thrown in of course). I have tried logged in search. I must say I was surprised. To be clear, I find there is mainly rot in social network data just as there is in search. Whether I would have used Google+ had I not been at Google is unclear. Probably not. But I did. Then I searched for some law review articles and some basic technology information. WOW. The personal results at the top had links to blog posts by people whom I followed on Google + AND THEY WERE…RELEVANT. Blew my mind. My search time went down and I found credible sources faster. Will that last? Who knows? Someone may find ways to game the system, but the small experiences make me hopeful. Now to Facebook and Bing.

If Google can do well with a much smaller set of users for Google +, Facebook and Bing might do really well. After all, Facebook has the social piece and MS has some search computer science types. Whoever wins here may offer the next thing in search. I like conducting logged out searches and logged in. When logged in, I like the potential for seeing things from friends and people I trust. For example, if I start to be interested in cameras and search gives me posts by friends I’d ask anyway, that is a pretty cool result. I can read the post and call the friend for deeper advice or just use what they posted.

All in this space will, of course, cope with privacy concerns etc. But I think that this new level of relevance has the chance to co-exist with those concerns and users may flock to one of these services to have results well-beyond the current ones in search without social. In other words, let the games continue.

Not so fast. The sharing of book, film, and music recommendations is important, and social networking has certainly made this easier. But a world of automatic, always-on disclosure should give us pause. What we read, watch, and listen to matter, because they are how we make up our minds about important social issues – in a very real sense, they’re how we make sense of the world.

What’s at stake is something I call “intellectual privacy” – the idea that records of our reading and movie watching deserve special protection compared to other kinds of personal information. The films we watch, the books we read, and the web sites we visit are essential to the ways we try to understand the world we live in. Intellectual privacy protects our ability to think for ourselves, without worrying that other people might judge us based on what we read. It allows us to explore ideas that other people might not approve of, and to figure out our politics, sexuality, and personal values, among other things. It lets us watch or read whatever we want without fear of embarrassment or being outed. This is the case whether we’re reading communist, gay teen, or anti-globalization books; or visiting web sites about abortion, gun control, or cancer; or watching videos of pornography, or documentaries by Michael Moore, or even “The Hangover 2.”

And before you go off and say Neil doesn’t get “it” whatever “it” may be, note that he is making a good distinction: “when we share – when we speak – we should do so consciously and deliberately, not automatically and unconsciously. Because of the constitutional magnitude of these values, our social, technological, professional, and legal norms should support rather than undermine our intellectual privacy.”

I easily recommend reading the full post. For those interested in a little more on the topic, the full paper is forthcoming in Georgetown Law Journal and available here. And, if you don’t know Neil Richards’ work (SSRN), you should. Even if you disagree with him, Neil’s writing is of that rare sort where you are better off by reading it. The clean style and sharp ideas force one to engage and think, and thus they also allow one to call out problems so that understanding moves forward. (See Orwell, Politics and the English Language). Enjoy.

The book is described here (OUP site) and here (Amazon). The Introduction and Table of Contents are available here.

Short abstract:

“Infrastructure resources are at the center of many contentious public policy debates, ranging from what to do about our crumbling roads and bridges, to whether and how to protect of our natural environment, to patent law reform, to electromagnetic spectrum allocation, to providing universal health care, to energy policy, to network neutrality regulation and the future of the Internet. Each involves a battle to control infrastructure resources, set the terms and conditions under which the public gets access, and determine how the infrastructure and various infrastructure-dependent systems evolve over time. This book advances strong economic arguments for managing and sustaining infrastructure resources as commons. The book identifies resource valuation and attendant management problems that recur across many different fields and many different resource types, and it develops a functional economic approach to understanding and analyzing these problems and potential solutions.”

Julie Cohen’s book is fantastic. Unfortunately, I am late to join the symposium, but it has been a pleasure playing catch up with the previous posts. Reading over the exchanges thus far has been a treat and a learning experience. Like Ian Kerr, I felt myself reflecting on my own commitments and scholarship. This is really one of the great virtues of the book. To prepare to write something for the blog symposium, I reread portions of the book a second time; maybe a third time, since I have read many of the law review articles upon which the book is based. And frankly, each time I read Julie’s scholarship I am forced to think deeply about my own methodology, commitments, theoretical orientation, and myopias. Julie’s critical analysis of legal and policy scholarship, debate,and rhetoric is unyielding as it cuts to the core commitments and often unstated assumptions that I (we) take for granted.

I share many of the same concerns as Julie about information law and policy (and I reach similar prescriptions too), and yet I approach them from a very different perspective, one that is heavily influenced by economics. Reading her book challenged me to confront my own perspective critically. Do I share the commitments and methodological infirmities of the neoliberal economists she lambasts? Upon reflection, I don’t think so. The reason is that not all of economics boils down to reductionist models that aim to tally up quantifiable costs and benefits. I agree wholeheartdly with Julie that economic models of copyright (or creativty, innovation, or privacy) that purport to accurately sum up relevant benefits and costs and fully capture the complexity of cultural practices are inevitably, fundamentally flawed and that uncritical reliance on such models to formulate policy is distorting and biased toward seemless micromanagement and control. As she argues in her book, reliance on such models “focuses on what is known (or assumed) about benefits and costs, … [and] tends to crowd out the unknown and unpredictable, with the result that play remains a peripheral consideration, when it should be central.” Interestingly, I make nearly the same argument in my book, although my argument is grounded in economic theory and my focus is on user activities that generate public and social goods. I need to think more about the connections between her concept of play and the user activities I examine. But a key shared concept is that indeterminacy in the environment and the structure of rights and affordances sustains user capabilties and this is (might be) normatively attractive whether or not users choose to exercise the capabilities. That is, there is social (option) value is sustaining flexibility and uncertainty.

Like Julie, I have been drawn to the Capabilities Approach (CA). It provides a normatively appealing framework for thinking about what matters in information policy—that is, for articulating ends. But it seems to pay insufficient attention to the means. I have done some limited work on the CA and information policy and hope to do more in the future. Julie has provided an incredible roadmap. In chapter 9, The Structural Conditions of Human Flourishing, she goes beyond the identification of capabilities to prioritize and examines the means for enabling capabilities. In my view, this is a major contribution. Specifically, she discusses three structural conditions for human flourishing: (1) access to knowledge, (2) operational transparency,and (3) semantic discontinuity to be a major contribution. I don’t have much to say about the access to knowledge and operational transparency discussions, other than “yep.” The semantic discontinuity discussion left me wanting more, more explanation of the concept and more explanation of how to operationalize it. I wanted more because I think it is spot on. Paul and others have already discussed this, so I will not repeat what they’ve said. But, riffing off of Paul’s post, I wonder whether it is a mistake to conceptualize semantic discontinuity as “gaps” and ask privacy, copyright, and other laws to widen the gaps. I wonder whether the “space” of semantic discontinuities is better conceptualized as the default or background environment rather than the exceptional “gap.” Maybe this depends on the context or legal structure, but I think the relevant semantic discontinuities where play flourishes, our everyday social and cultural experiences, are and should be the norm. (Is the public domain merely a gap in copyright law? Or is copyright law a gap in the public domain?) Baselines matter. If the gap metaphor is still appealing, perhaps it would be better to describe them as gulfs.

Its timing couldn’t be better. Passions over the proposed SOPA (and Protect IP/PIPA, and OPEN, and related) legislation have barely cooled, but debates will certainly continue over Internet governance and copyright infringement on digital networks.  More legislation is coming. Understanding the Internet as infrastructure — not just the infrastructure of the Internet — is essential to understanding the costs, benefits, and risks of new law in this area. In fact, one might say that the goal here is not simply to minimize the risks associated with the Internet, but to maximize its benefits.  Brett’s book is a great guide.

Speaking of which, David Post has a succinct summary of the problems with SOPA, here.

I was remiss earlier in not linking to SOPA analyses by other Madisonians:

Greg Lastowka posted a commentary here.

Frank Pasquale posted a commentary here.

Updated (later on 2/14):

Bruce Boyden posted a three-part analysis of SOPA on Madisonian.net way back in November and December 2011, ages before things really heated up in earnest.  Before, that is, the blackout.  Part I is here.  Part II is here.  Part III is here.

Mike Masnick’s line-by-line reply:  http://www.techdirt.com/articles/20120208/01453517694/riaa-totally-out-touch-lashes-out-google-wikipedia-everyone-who-protested-sopapipa.shtml

Hat tip to Lauren Gelman.

(URL: http://seattletimes.nwsource.com/html/businesstechnology/2017372375_tweetingteens30.html in case the hyperlink above isn’t working).

I’m happy to report that Nosal is now being reheard in the Ninth Circuit. I’m hopeful that the court will do something to rein in the case.

I think most of my colleagues agree with me that the broad interpretation of the statute is a scary one. Where some depart, though, is on the interpretive question. As you’ll see in the comments to my last post, there is some disagreement about how to interpret the statute and whether it is void for vagueness. I want to address some of the continuing disagreement below.

I think there are three ways to look at Nosal:

1. The ruling was right, and the extension to all web users is fine (ouch);

2. The ruling was right as to the Nosal parties, but should not be extended to all web users; and

3. The ruling was not right as to the Nosal parties, and also wrong as to all web users.

I believe where I diverge from many of my cyberlaw colleagues is that I fall into group two. I hope to explain why, and perhaps suggest a way forward. Note that I’m not a con law guy, and I’m not a crim law guy, but I am a internet statute guy, so I call the statutory interpretation like I see it.

I want to focus on the notion of authorization. The statute at issue, the Computer Fraud and Abuse Act (or CFAA)  outlaws obtaining information from networked computers if one “intentionally accesses a computer without authorization or exceeds authorized access.”

Orin Kerr, a leader in this area, wrote a great post yesterday that did two things. First, it rejected tort based tresspass rules like implied consent as too vague for a criminal statute. On this, I agree. Second, it defined “authorization” with respect to other criminal law treatment of consent. In short, the idea is if you consent to access in the first place, then doing bad things in violation of the promises made is does not mean lack of consent to access. On this, I agree as well.

But here’s the rub: the statute says “without authorization or exceeds authorized access.” And this second phrase has to mean something. The goal, for me at least, is that it covers the Nosal case but not the broad range of activity on the internet. Professor Kerr, I suspect, would say that the only way to do that is for it to be vague, and if so, then the statute must be vague.

I’m OK with the court going that way, but here’s my problem with the argument. The statute isn’t necessarily vague. Let’s say that the scary broad interpretation fron Nosal means that every breach of contract is now a criminal act on the web. That’s not vague. Breach a contract, then you’re liable; there’s no wondering whether you have committed a crime or not.

Of course, the contract might be vague, but that’s a factual issue that can be litigated. It is not unheard of to have a crime based on failure to live up to an agreement to do something. A dispute about what the agreement was is not the same as being vague. Does that mean I like it? No. Does that mean it’s crazy overbroad? Yes. Does that mean everyone’s at risk and someone should do something about this nutty statute? Absolutely.

Now, here is where some vagueness comes in – only some breaches lead to exceeded access, and some don’t. How are we to decide which is which? The argument Professor Kerr takes on is tying it to trespass, and I agree that doesn’t work.

So, I return to my suggestion from several months ago – we should look to the terms of authorization of access to see whether they have been exceeded. This means that if you are an employee who accesses information for a purpose you know is not authorized, then you are exceeding authorization. It also means that if the terms of service on a website say explicitly that you must be truthful about your age or you are not authorized to access the site, then you are unauthorized. And that’s not always an unreasonable access limitation.  If there were a kids only website that excluded adults, I might well want to criminalize access obtained by people lying about their age. That doesn’t mean all access terms are reasonable, but I’m not troubled by that from a statutory interpretation standpoint.

I’m sure one can attack this as vague – it won’t always be clear when a term is tied to authorization. But then again, if it is not a clear term of authorization, the state shouldn’t be able to prove that authorization was exceeded. This does mean that snoops all over and people who don’t read web site terms (me included) are at risk for violating terms of access we never saw or agreed to. I don’t like that part of the law, and it should be changed. I’m fine with making it more limiting in ways that Professor Kerr and others have suggested.

But I don’t know that it is invalid as vague – there are lots of things that may be illegal that people don’t even know are on the books. Terms of service, at least, people have at least some chance of knowing and choose not to. That doesn’t mean it isn’t scary, because I don’t see behavior (including my own) changing anytime soon.