Colbert’s Word: Control-Self-Delete

Just a few weeks after his interview with EFF Legal Director Cindy Cohn, American hero Stephen Colbert has returned to the subject of digital rights. And in his show on Tuesday, he came up with a great solution to the problem of privacy and online social networks: Control-Self-Delete.

As Colbert suggests, the CEOs of Google and Facebook can be astonishingly tone deaf when it comes to the question of the privacy of their customers. As these experts in social media ought to know, the fact that a person chooses to share some information about themselves online is no indication that they prefer to share everything — nor does it indicate that control of personal data is not something they care deeply about. Study after study (http://www.pewinternet.org/Reports/2007/Teens-Privacy-and-Online-Social-Networks.aspx) has shown the opposite to be true: users care about privacy, and demand control of their own data.

We like Colbert’s basic point, saved for the end of this clip: if anyone should change their behavior to address the problem of online privacy, it isn’t young people who have uploaded some racy pics — it’s the companies that have made themselves the guardians of our personal data.

Facebook Should Stop Censoring Marijuana Legalization Campaign Ads

Facebook is facing down another embarrassing episode of censorship this week after refusing to show ads submitted by the Just Say Now marijuana legalization campaign. The gag is an important reminder that social networks like Facebook — while useful, interesting, and pretty — are “walled gardens” with overseers whose interests can overwrite free speech, open communication, and in this case, essential political debate. (In this they have something in common with Apple.)

Most recently, Facebook was caught censoring mentions of Power.com, an online tool designed to help users collect their information from Facebook to facilitate migration to other social networks. To this day, users are still blocked from sending messages or posting status updates containing the word “Power.com,” preventing users from spreading the word about a convenient way to “make the move” to Orkut, or LinkedIn, or any other social networking service that may crop up to compete. The block even stopped law professor Eric Goldman from commenting on Facebook’s lawsuit against Power.com (Disclosure: EFF filed an amicus brief in support of Power in that case).

Facebook’s censorship for anticompetitive reasons is petty and lame to be sure, but silencing Just Say Now’s marijuana legalization ad campaign is even worse. Voters in various districts nationwide will have to make important political decisions about marijuana this year (California’s Proposition 19 is one example). Facebook’s decision, reportedly an attempt to be consistent with its ad policies restricting smoking and/or marijuana-related content, is instead primarily silencing an important, motivated voice in a politically significant debate.

Facebook should lift the ban and show Just Say Now’s political ads. For better or worse, Facebook has become an important means of communication and organization for candidates and political campaigns. In this role, Facebook functions best as a neutral platform, hosting the debate without entering it. Whether or not Facebook wants to restrict depictions of smoking in commercial ads, it should not prohibit the open and robust political debate central to the value and promise of the Internet.

How to Protect Your Privacy on Facebook Places

Yesterday, Facebook introduced Places, a new location feature that competes with popular services like Foursquare, Google Latitude, Loopt, and Gowalla. Places allows Facebook users to ‘check in’ to real world locations and to tag their friends as present (similar to how Facebook allows tagging in photos). Everyone who is checked in to the location can see who else is listed as “Here Now” for a few hours after they check in. Once you are checked in to a location, Places also creates a story in your friends’ News Feeds and places a notice in the location’s page’s Recent Activity section. The product will roll out over the next few days.

Like all location products, the new application publishes potentially sensitive information, since a stream of information on location can provide a detailed picture of your life. Some locations might appear cool at one moment, and yet become something you’d rather forget the next. Your Facebook friends may include prolific bloggers, business competitors, and former lovers. For business and personal reasons, you might need to keep your location private from them. And, as pleaserobme.com effectively illustrated, revealing your location can also reveal sensitive information about where you are not.

To its credit, by default, only your Facebook friends can see when you are tagged in a location, unless you opted for the “Everyone” master setting on the privacy controls. (EFF recommends against using the “Everyone” master setting; see how to maximize your privacy on Facebook). To further protect your privacy, you can use friend lists to exercise a more fine-tuned control over who can see your check-ins. If you don’t want a location to go down on your permanent record, you need to manually delete the check in.

If your friend attempts to check you in and you have not opted into Places, you will receive a notification that gives you two options: (1) “allow check-ins,” which opts you in to the program or (2) “not now” which only disallows that particular check in. Once you are opted in, you will not receive further notices before being checked in by friends. If you want to have complete control over whether you are listed at a location, you have to permanently disallow check-ins by your friends by disabling “Friends can check me in to Places” on the customize privacy settings page. This is the most privacy protective option, since you will only be listed at a location if you affirmatively choose to check in.

“Here Now” broadcasts a list of those checked in to everyone else who is checked in, regardless of whether they are “friends.” Sometimes you may not want every Places user in the same location to be able to see you, since the location might be large like a ballpark or an outdoor music festival. You can opt out of the Here Now feature by unchecking the “Include me in ‘People Here Now’ after I check in” privacy control. However, Facebook does not offer the ability to limit Here Now visibility to subsets of your friends.

Places is designed to limit your location options to places that are actually near you, as reported by the geolocation features of your mobile device. Sometimes, however, you may have personal or professional reasons to report a different location. For example, you might want to report your location as being at a cafe, when you are really at an HIV clinic or a domestic violence shelter. While you can have a friend check you in anywhere they are, or spoof your geolocation if you have sufficient technical chops, Facebook should allow arbitrary locations.

Note that location data can be a tempting target for law enforcement. We urge Facebook to follow the lead of other location service providers like Google and Loopt, and provide the strongest protection for its users by requiring a wiretap order before tracking a Places user’s location for law enforcement. Update: In response to this post, Facebook tells us that “We consider our Places product to generate content of communications, and would require a search warrant for prior generated content or a wiretap to capture forward generated content.”

If you start to use Places, Facebook apps can also use your location data, and your friends can authorize the disclosure of your location data. The ACLU’s DotRights has provided a helpful guide to managing your location privacy settings, including how to prevent your friends’ apps from seeing your location information. (Facebook responded to ACLU’s criticisms in Techcrunch).

Places is Facebook’s most significant product launch since the controversial introduction of Connections and Instant Personalization. We had a number of constructive conversations with Facebook leading up to this launch, and appreciated the opportunity to provide feedback. Not everything resulted in changes, but overall it was a positive process. While the product is not perfect and could use some important changes, as noted above, the privacy settings and defaults represent a substantial improvement over those earlier launches. However, the settings are only good if users understand them intuitively and use them effectively. As the product rolls out to millions of Facebook users, we will be looking closely at its implementation and effects on locational privacy.

BlackBerry Bans Suggest a Scary Precedent: Crypto Wars Again?

Recent news reports have presented somewhat contradictory analysis of government plans in the United Arab Emirates (UAE), Saudi Arabia, and other countries to block the use of BlackBerry smart phones as a form of pressure on Research in Motion, BlackBerry’s Canadian manufacturer. All the reports agree that these governments feel RIM has made at least some BlackBerry messages too private and secure, but reports disagree about how private they actually are and exactly what RIM is being asked to do.

Many observers have noted that we’re likely to stay in the dark about some of these details. As Jonathan Zittrain put it, “we’re only seeing a small slice of a government-to-company negotiation — the public threat part — so exactly what’s being asked hasn’t been disclosed, and neither the government nor RIM have much incentive to say more.” We particularly appreciate the analyses of the situation from Prof. Zittrain and our former colleague Danny O’Brien at the Committee to Protect Journalists. Both emphasize that only a portion of BlackBerry communications are really strongly encrypted: those sent through BlackBerry’s business-oriented BlackBerry Enterprise Service, but not those sent through the ordinary BlackBerry Internet Service. (Of course, all BlackBerry users — and other smartphone users — can optionally use other encryption tools to protect themselves. The subtle distinction between BES and BIS is just one reminder that users need to be skeptical about exactly what kind of protection they’re getting. It also raises concerns that BlackBerry’s recent statements that fail to differentiate between the products may be misleading a large number of their customers — we believe BlackBerry should immediately clarify this.)

In any case, the UAE government’s rhetoric that it must have a backdoor into all communications is very alarming. It reminds us of the situation here in the United States during the 1990s, when the Federal government repeatedly sought to keep strong cryptography out of the general public’s hands and to put U.S. government backdoors into communications products. We often call that time the “crypto wars.” During them, the civil liberties and business communities fought to make sure Americans would be allowed to use the best available privacy tools to protect their communications. EFF was heavily involved in the crypto wars, litigating the Bernstein case to protect programmers’ rights to publish encryption software. Ultimately the government dropped plans like the Clipper Chip that would have been a backdoor into Americans’ communications and dramatically reduced the government regulations that stood in the way of Americans getting strong cryptography in their tools.

Today, the crypto wars often feel like ancient Internet history. We all use strong cryptography every day to protect our privacy and security, whether we see it or not, and the picture is getting brighter in many ways as more web sites and services support the routine use of encryption.

But the UAE government position seems like 1995 all over again, with government officials insisting that some privacy tools are just too secure to let the public use them.

Press reports also suggest that UAE officials have compared their announced restrictions to “lawful intercept” laws (like the U.S. Communications Assistance for Law Enforcement Act) that force communications carriers to provide wiretapping assistance to government officials. But those laws have never forbidden users from using their choice of encryption software or forced carriers to block any communications, domestic or foreign, because of how they were encrypted or who had the keys. So millions of people in every country routinely use strong cryptography to protect their communications at home or when they travel.

The UAE’s and Saudi Arabia’s announced restrictions are particularly scary because it seems that the same rationale will lead to government blocks on all sorts of other communications — from web mail to virtual private networks — that those governments deem too private and secure. They also show that the right to use encryption technology to protect privacy needs to be defended all around the world. Quite possibly, the crypto wars never ended.

Real ID Online? New Federal Online Identity Plan Raises Privacy and Free Speech Concerns

Coauthored by Seth Schoen

The White House recently released a draft of a troubling plan titled “National Strategy for Trusted Identities in Cyberspace” (NSTIC). In previous iterations, the project was known as the “National Strategy for Secure Online Transactions” and emphasized, reasonably, the private sector’s development of technologies to secure sensitive online transactions. But the recent shift to “Trusted Identities in Cyberspace” reflects a radical — and concerning — expansion of the project’s scope.

The draft NSTIC now calls for pervasive, authenticated digital IDs and makes scant mention of the unprecedented threat such a scheme would pose to privacy and free speech online. And while the draft NSTIC “does not advocate for the establishment of a national identification card” (p. 6), it’s far from clear that it won’t take us dangerously far down that road. Because the draft NSTIC is vague about many basic points, the White House must proceed with caution and avoid rushing past the risks that lie ahead. Here are some of our concerns.

Is authentication really the answer?

Probably the biggest conceptual problem is that the draft NSTIC seems to place unquestioning faith in authentication — a system of proving one’s identity — as an approach to solving Internet security problems. Even leaving aside the civil liberties risks of pervasive online authentication, computer security experts question this emphasis. As prominent researcher Steven Bellovin notes:

The biggest problem [for Internet security] was and is buggy code. All the authentication in the world won’t stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. All of these attacks have been known for years.

A Real ID Society?

The draft NSTIC says that, instead of a national ID card, it “seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions,” which can be obtained “from either public or private sector identity providers.” (p. 6) In other words, the government wants a lot of different companies or organizations to be able to do the task of confirming that a person on the Internet is who he or she claims to be.

Decentralized or federated ID management systems are possible, but like all ID systems, they definitely pose significant privacy issues. [1] There’s little discussion of these issues, and in particular, there’s no attention to how multiple IDs might be linked together under a single umbrella credential. A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy (pp. 125-132). Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).

Providing a uniform online ID system could pressure providers to require more ID than necessary. The video game company Blizzard, for example, recently indicated it would implement a verified ID requirement for its forums before walking back the proposal only after widespread, outspoken criticism from users.

Pervasive online ID could likewise encourage lawmakers to enact access restrictions for online services, from paying taxes to using libraries and beyond. Website operators have argued persuasively that they cannot be expected to tell exactly who is visiting their sites, but that could change with a new online ID mechanism. Massachusetts recently adopted an overly broad online obscenity law; it takes little imagination to believe states would require NSTIC implementation for individuals to be able to access content somehow deemed to be “objectionable.”

Anonymity

The draft NSTIC “envisions” that a blogger will use “a smart identity card from her home state” to “authenticate herself for . . . [a]nonymously posting blog entries.” (p. 4) But how is her blog anonymous when it’s directly associated with a state-issued ID card?

The proposal mistakenly conflates trusting a third party to not reveal your identity with actual anonymity — where third parties don’t know your identity. When Thomas Paine anonymously published Common Sense in 1776, he didn’t secretly register with the British Crown.

Indeed, the draft NSTIC barely recognizes the value of anonymous speech, whether in public postings or private email, or anonymous browsing via systems like Tor. Nor does it address issues about re-identification, e.g. the ability to take different sets of de-identified data and link them so as to re-identify individuals.

Bellovin credits the draft NSTIC for suggesting the use of attribute credentials rather than identity credentials — that is, using credentials that could establish that you’re authorized to do something without saying who you are. But, as he puts it, “We need ways to discourage collection of identity information unless identity is actually needed to deliver the requested service,” and the draft NSTIC doesn’t seem to address this.

Privacy, Identity Theft and Surveillance

The draft NSTIC seems to presuppose widespread use of smart ID cards. In one example, it envisions that an individual will use “a smart identity card from her home state” to “authenticate herself for a variety of online services,” presumably modeled upon driver’s licenses. (p. 4)

One major concern, acknowledged briefly in the draft, is whether people’s computers can really be secure enough to be used for these purposes — smart ID cards or no smart ID cards. As noted above, the vast majority of privacy and authentication vulnerabilities stem from buggy software, and when a computer is trivial to compromise, its users’ credentials are easy to steal. The NSTIC proposal could, in fact, decrease user privacy and enable identity theft: once a user’s digital ID is stolen, it could be used to both pose as the user and access all the user’s accounts and data.

Consider, for example, the proposal to use a state digital ID card to access health records and online banking. What happens next time you lose your wallet?

Furthermore, by consolidating your credentials, the NSTIC plan may provide the government with a centralized means of surveilling your online accounts. And if the government issues your digital ID itself, it won’t even need to approach a third party with any kind of legal process before surveilling you.

The draft NSTIC also mentions the development of a public-key infrastructure (PKI). (pp. 15, 27) We support good, widespread encryption, which could allow people to get correct public keys reliably and possibly cut down on phishing, spam, fraud, and pretexting. But as Bruce Schneier and Carl Ellison have explained, doing PKI properly isn’t easy. [2] All of their concerns apply, in some form, to the NSTIC proposal.

Another concern that’s emerged recently is whether governments could coerce certificate authorities in a PKI to issue false credentials in order to facilitate surveillance. Chris Soghoian and Sid Stamm have reported on an industry claim that governments could get “court orders” giving them access to falsified cryptographic credentials. This threat seems greater if the government itself is running the PKI.

Much more could be said. The NSTIC is only a draft, and the Department of Homeland Security and the White House sought public input online through July 19th. Because of the importance of this issue, EFF has joined with a coalition of concerned civil liberties groups to ask the Administration for a longer comment period and a way to submit more detailed comments. We hope and expect that this will be only the beginning of a public debate about ID management online.

  1. See, e.g., Susan Landau et al., Achieving Privacy in a Federated Identity Management System.
  2. See Ten Risks of PKI: What You’re Not Being Told about Public Key Infrastructure.

EU Authorities: Implementation of Net Surveillance Directive Is Unlawful

In a landmark announcement issued today, the data protection officials across the European Union found that the way that EU Member States have implemented the data retention obligations in the 2006 EU Data Retention Directive is unlawful. The highly controversial 2006 EU Data Retention Directive compels all ISPs and telecommunications service providers operating in Europe to retain telecom and internet traffic data about all of their customers’ communications for a period of at least 6 months and up to 2 years.

European privacy officials from the Article 29 Data Protection Working Party have been reviewing how the EU Member States have implemented these obligations in their national laws.

Among the most important findings of the Article 29 Working Party’s report are:

  • “Service providers were found to retain and hand over data in ways contrary to the provisions of the [data retention] directive.”
  • “There are significant discrepancies regarding the retention periods, which vary from six months to up to ten years, which largely exceeds the allowed maximum of 24 months.”
  • “More data are being retained than is allowed. The data retention directive provides a limited list of data to be retained, all relating to traffic data. The retention of data relating to the content of communication is explicitly prohibited. However, it appears from the inquiry that some of these data are nevertheless retained.”
  • Regarding Internet traffic data: “Several service providers were found to retain URLs of websites, headers of e-mail messages as well as recipients of e-mail messages in “CC” mode at the destination mail server.”
  • Regarding phone traffic data: “it was established that not only the location of the caller is retained at the start of the call, but that his location is being monitored continuously.”
  • “Member states have scarcely provided statistics on the use of data retained under the Directive, which limits the possibilities to verify the usefulness of data retention.”
  • “The provisions of the data retention directive are not respected and the lack of available sensible statistics hinders the assessment of whether the directive has achieved its objectives.”

The timing of the Article 29 Working Party’s opinion is particularly sensitive because the European Commission is currently conducting an evaluation of the impact of the Data Retention Directive on economic operators and citizens in Europe. One of the possible outcomes of this evaluation is a recommendation that the Data Retention Directive should be amended or repealed in its entirety. The Article 29 Working Party has submitted its report to the European Commission to provide the Commission with vital empirical evidence for its evaluation of whether to recommend the amendment or repeal of the Directive.

Once completed, the Commission’s evaluation will be sent to the European Parliament and the Council of Ministers. Reflecting the far-reaching impact and sensitive policy issues involved in the Data Retention Directive, three Commissioners are likely to be engaged in its review. The EU Commissioner for Home Affairs, Commissioner Malmström, leads the evaluation process, but it is expected that the Vice President of the Commission and EU Commissioner for Justice, Fundamental Rights and Citizenship, Commissioner Reding, and the Commissioner for the Digital Agenda, Commissioner Kroes, will also participate actively in the review process.

EFF, AK Vorrat and a coalition of over 100 organizations across Europe recently called for an end to mandatory data retention of telecom and Internet traffic data. In a joint letter sent last month to European Commissioners Malmström, Reding, and Kroes, the coalition urged the Commissioners to “propose the repeal of the EU requirements regarding data retention in favor of a system of expedited preservation and targeted collection of traffic data as agreed in the Council of Europe’s Convention on Cybercrime.”

In her July 7 reply to the coalition letter, Commissioner Reding stated that, “the review of the EU Data Retention directive provides the European Commission, but also the 27 EU Member States and the European Parliament, with an opportunity to assess the effectiveness and proportionality of the measures included in the Directive. I will in this context ask for a particular focus on the considerable impact data retention may have on fundamental rights of all European citizens, especially with regard to their privacy.”

With the recent adoption of the Lisbon Treaty and the entry into force of the Charter of Fundamental Rights, privacy and data protection have been strengthened in the European Union, including in the sensitive areas of law enforcement and crime prevention.

We must now see whether the European Commission will be faithful to the Charter of Fundamental Rights, and recommend the repeal of the overbroad 2006 Data Retention Directive.

FTC: Don’t Sell or Use Customer Information of Gay Youth

The Federal Trade Commission has some strong words for the former publishers of a defunct magazine and website for gay youth: don’t sell or use personal information provided by your customers. It’s probably illegal.

The warning came during a contentious bankruptcy proceeding filed by the publisher of XY Magazine, which was a widely circulated magazine for gay teens published from 1996 to 2007. The publisher also operated XY.com, a dating website for gay youth that at one point had as many as a million users. XY’s privacy policies promised customers that their personal information would not be given or sold to anybody.

Now the publisher and his former business partners are fighting over who owns the customer information, which includes names, street addresses, phone numbers, credit card numbers, email addresses, personal stories submitted by readers, online profiles, contact lists, and photos, among other data.

In a letter (pdf) to the publisher’s former business partners, the Federal Trade Commission said that any sale or transfer of the customer information would violate XY’s privacy promises and likely the Federal Trade Commission Act, which prohibits unfair and deceptive acts and practices.

The FTC also suggested that any continued use of the information — even by the publisher himself — might disclose the customers’ identities to third parties, which could also violate XY’s privacy policies and the law. The Commission asked that the data be destroyed “to avoid the possibility that this highly sensitive data could fall into the wrong hands.”

EFF has been keeping a watchful eye on this case, and is glad to see that the FTC is too.

The XY customer information reveals the sexual preferences of more than a million men. Some of them may be openly gay, but others may not want certain people — like family members or employers — to know their sexual orientation or that they explored their sexuality when they were younger. If disclosed either purposefully or unintentionally, this information could cause severe personal and professional repercussions. The privacy interests of the customers outweigh any limited commercial value this outdated but extremely sensitive information might have to anyone else.

Like the FTC, we believe that the XY customer information should be destroyed. This is the best way to ensure that the data will never be disclosed to anybody — as XY promised — and to protect the customers from potential harm. We hope the bankruptcy court will agree.

China Gives License to Redirected Search of the Free and Open Internet

Ever since Google’s January 2010 decision to cease censorship of its Chinese-language search engine, the world has watched closely to see what would happen next. The ensuing cat-and-mouse game of information repression and dissemination represented a serious challenge to the ability of the Internet to remain free and open in the face of totalitarian government censorship. Would Google cease all operations in China? Would China block access to Google altogether?

These questions came to a climax on June 30, when Google’s license to operate as an Internet Content Provider (ICP) from China’s Ministry of Industry and Information Technology was up for renewal. The days surrounding that deadline were full of complicated signals and maneuvers. First, on June 28, Google carefully walked back an aspect of its anti-censorship policy by requiring Chinese users to specifically choose an uncensored search portal, rather than sending them to it automatically (the full implications for users are not yet known). Later, on July 5, no official word had yet been issued as to the status of Google’s license — but observers noticed that what appeared to be an ICP license number had nonetheless been posted on Google.cn.

Finally, on July 9, it was officially announced that China had renewed Google’s license after all, and that unfiltered searches at Google.com.hk from China apparently remain unfiltered. It’s a great victory, both for the people of China and for the free and open Internet. Access to unfiltered search is the gateway to the networked public sphere and the openness of the Internet. In practice, nothing has changed in that many Chinese citizens interested in circumventing the Great Firewall were already able to do so through the use of proxy systems such as Tor. It is the ceremonial acceptance of Google’s workaround as nominally adhering to Chinese law that exposes the censorship regime’s vulnerability.

Despite this, many remain critical of Google’s decision to stay in China. Speculation abounds about whether Google made additional concessions to the Chinese government and about its commercial ambitions for a music service, its mobile phone business, and Chinese-language advertising opportunities.

As Anupam Chander points out in his recent article Googling Freedom, dismissing these historic developments as mere profit maximization strategy misses important lessons for corporate responsibility and human rights, especially regarding Internet technologies. Dissecting the extent to which Google still has ties with China neglects the differences between divestment strategies of removing assets and the communication aspects of Internet access services. It underestimates the impact that information and communication technologies have for enabling the individual self-help to resist the state. The fact of the matter is that Google has remained faithful to principled engagement and its commitments to the Global Network Initiative principles.

As the global flows of information smash against the Great Firewall of China, Google.cn’s license renewal may very well mark a significant recognition by Chinese censors that their dams will have to be built differently. Could they have recognized the inevitable defeat of their censorship regime in the face of Internet search at their borders and decided to focus their efforts elsewhere? The confrontation is certainly far from over and this event is a postponement, as the power wielded by the Chinese censorship regime is constant in its blocking, surveillance, and cyber attacks.

Further clues as to the Chinese Government’s new cyber-strategy can be found in a paper released last week by the China Academy of Social Sciences, which is backed by the Communist Party Government. That paper identified social networking sites as being at the center of China’s new media plans, and also claimed Facebook and other sites are vessels for US military political subversion.

For those Chinese citizens seeking Surveillance Self-Defense from the Great Firewall of China, proxy servers, anonymizers, P2P file sharing services, encrypted VoIP, and VPNs are commonplace. We hope more companies will also do their part in preserving the Global Internet in China.

New Blizzard Forum Policy Will Require Posters to Use Real Names

Gaming giant Blizzard announced yesterday that it would be making some major changes to its official discussion forums, including the forums for World of Warcraft, Diablo, and the upcoming Starcraft II. In the upcoming weeks and months, players who want to post to these boards will have to log in using Blizzard’s Real ID system, which will display their real full names next to every post they make. These changes will not be retroactive, meaning that the thousands of existing posts on the online discussion forums will not be affected. Parental controls will allow parents to prevent minors who have signed up for Real ID on the game from posting to the forums, if they so choose.

Why is Blizzard taking such an unprecedented step? Unpleasantness. “The forums have…earned a reputation as a place where flame wars, trolling, and other unpleasantness run wild,” writes Naethera, a Blizzard employee who will soon be posting under her own full name. “Removing the veil of anonymity typical to online dialogue will contribute to a more positive forum environment [and] promote constructive conversations.”

Blizzard appears to have subscribed to the colorful Greater Internet F***wad Theory, which posits that perfectly normal people, when faced with an audience and total anonymity, can become flaming jerks. Internet forums from BoingBoing, Slashdot, and Reddit to newspaper websites and Yahoo! Finance message boards have used various techniques — from active moderation by humans to community rating tools and algorithms — to cope with the low signal-to-noise ratio that can result when large numbers of people communicate anonymously on the internet. Some methods have been more successful than others, but innovation in this realm continues. None of these sites has gone so far as to try eliminating anonymity entirely.

Many forum posters do not share Blizzard’s certainty that the forums will be improved by the mandatory use of real names. They cite concerns about privacy and safety as compelling reasons not to link their real names to posts on a forum. Some forum posters feel betrayed, as if their community has been yanked out from under them.

To assume — as Blizzard seems to have assumed — that anonymity enables only “ugly speech” is the product of a failed imagination. Anonymous speech has always been an integral part of free speech because it enables individuals to speak up and speak out when they otherwise may find reason to hide or self-censor. Behind the veil of anonymity, individuals are more free to surface honest observations, unheard complaints, unpopular opinions — incidentally, all healthy contributions to an evolving gaming community.

Blizzard is completely within its legal rights to set rules, standards, and regulations for its forum, but only time will determine whether or not they are making the right choice. Will flame wars substantially decrease as a result of enforced de-anonymization of posters? If Blizzard claims success, will other forums follow suit? Will the use of real names lead to the harassment of posters elsewhere online or in the real world? Will it chill speech? Will Blizzard’s forums become a ghost town as players migrate elsewhere to discuss their games? For now, the only way to find out is to keep watching as this experiment unfolds.

Update, Friday July 9: As it turns out, the experiment is not going to unfold at all. Blizzard has backed down from its decision to require posters to use their real names on the official forums.

Henley v. DeVore: Second-Class Citizenship for Satire?

In Henley v. DeVore, a federal court recently held that senatorial candidate Charles DeVore’s two political advertisements featuring the songs “The Hope of November” and “All She Wants to Do Is Tax” infringed Don Henley’s “The Boys of Summer” and “All She Wants to Do Is Dance,” ruling against DeVore’s fair use defense.

The videos were core political speech, the most protected form of speech under the First Amendment. Yet the court blocked them, relying on copyright law. What happened?

The trouble is the misguided way that some courts have distinguished “parody” from “satire” when measuring fair use. “Parody,” in the world of copyright, means using a work in order to comment on the work itself (or its creator). Parody gets a wide berth under fair use. So, for example, when 2 Live Crew famously sent up (http://www.youtube.com/watch?v=65GQ70Rf_8Y) Roy Orbison’s “Pretty Woman” (http://www.youtube.com/watch?v=mBrbpWwWafQ), the Supreme Court found that the use was permitted. A “satire,” in contrast, involves using a work to comment on something other than the work itself.

Some courts have drawn the conclusion that “satires” are disfavored under the fair use doctrine. That’s the mistake the court made in Henley v. DeVore. The court determined that “November” was mostly a satire (with a dash of parody), and that “Tax” was a satire through and through. According to the court, if DeVore wanted to use Henley’s songs, he had to be making fun of Henley, not other politicians.

From a First Amendment point of view, this is a bizarre way to address political speech. For the court, the political purpose was a strike against fair use, because the court considered the videos to be a commercial use, seeking “publicity and campaign donations.” In contrast, the Supreme Court has recognized that “the First Amendment ‘has its fullest and most urgent application’ to speech uttered during a campaign for political office.” In contexts other than copyright, a law blocking this kind of speech would have to meet the strictest First Amendment scrutiny.

So what about fair use, which is supposed to serve as a proxy for First Amendment concerns? Here, the court appears to have misunderstood the potential for market harm that is a critical part of the fair use test. The test should be informed by the purposes of copyright—ensuring that creators have adequate incentives to create—and the importance of the First Amendment.

Can anyone say that musicians like Don Henley would give up on song-writing if they knew that politicians could use their works in satires? Obviously, no one shopping for “The Boys of Summer” would say, “Hey, you know what, I’ll just watch that DeVore ad again instead.” But the court insisted DeVore prove the negative, and show that the videos would not harm the potential licensing market for Henley’s songs. The court was apparently concerned that “licensees and advertisers do not like to use songs that are already associated with a particular product or cause.”

Under that view, however, few satires will ever pass fair use muster. That would inflict far more harm on future creators than DeVore did on Henley’s works. Satire is an art form that has enriched the political process since time immemorial. In the fourth century BC, Aristophanes, a comic playwright in ancient Athens, routinely skewered politicians and influenced this early democracy. Satire has continued to play a vital role in democracies through today.

Satire is most effective when it can draw from the well of society’s shared experiences, using common cultural references to leverage the commentary and reach a wider audience. It can take a known quantity, and add new meaning and message – classic characteristics of a fair use.

Fortunately, courts have increasingly begun to understand that fair use can and should apply to transformative satires. So although the judge in Henley v. DeVore got it wrong, other courts will have a chance to recognize the value of satire and fair use.