More on YouTube v. Viacom v. User Privacy
There is more to say, in addition to what David Sohn pointed out in Thursday's blog post, about the recent court order requiring YouTube to turn over user information. The order directing YouTube to turn over information about anyone who has ever used YouTube illustrates two points: (1) Google (which now runs YouTube) and other Internet and e-commerce companies are collecting far too much information and keeping it for too long; and (2) current laws are woefully inadequate to protect privacy today.
The first concern can and should be addressed by any company that collects information that can be used to identify its users or subscribers or track their behavior: collect less information and keep what you collect for shorter periods of time. Whether it is credit card data collected by online merchants or logs of viewing or reading habits, companies should carefully review and cut back on what they collect and how long they store it. YouTube could address much of the user privacy problems it faces in this litigation by storing IP addresses and log in IDs only for a short period. At the same time, since companies need to collect some information, the legal rules for access by business associates, civil litigants and government agents need to be updated to make them consistently stronger across various technologies and business models. Internet users should not have to rely only on the vagaries of sector-specific privacy statutes like the Video Privacy Protection Act or on the voluntary efforts of Google/YouTube to protect their privacy. Instead, as the court's order in Viacom v. YouTube shows that Congress needs to update the Electronic Communications Privacy Act (ECPA) to account for the way people communicate today.
CONSIDER THE COMPLEXITIES
To appreciate the complexities and limits of current law, consider its applicability to YouTube in connection with its private video posting and viewing functions. Under ECPA, which was written in 1986, any person or entity providing to the public "computer storage or processing services" by means of an electronic communications system is subject to certain restrictions on the disclosure of information they hold about their subscribers or users. Such entities are, in ECPA's terminology, providers of a "remote computing service"(RCS). The Viacom v. YouTube court assumed that YouTube is acting as an RCS covered by ECPA when it permits users to privately post a video and select those who can view it. When they were defining "remote computing service," ECPA's drafters back in the 1980's had in mind services like the processing of a company payroll. If the processing was done in-house, the payroll information was protected from disclosure. ECPA leveled the playing field so the payroll could be processed off-site, and so that other processing services could likewise be offered with some degree of protection against disclosure of information, requiring at least a subpoena to compel its disclosure.
Today's communications systems test what constitutes "computer storage and processing services." For example, does a search engine like Google provide "computer storage and processing services?" CDT argued in 2006 that it does and that as a result, Google could not disclose customer search terms pursuant to the government's civil discovery subpoena. The government had a contrary view and characterized Google as a party to communications from its users. Therefore, the government argued, Google could be required by a mere subpoena to disclose users' search information. The court denied the government's motion to compel disclosure of search terms without determining whether ECPA protected them.
WHERE DO SOCIAL NETWORK SITES FIT?
What about Facebook, MySpace and other social networking websites? Do they provide "computer storage and processing services" when they allow users to post information to a page and limit the universe of "friends" who have access to it? Probably. But what if the user gives access to the group consisting of every Facebook user in San Francisco? The law becomes murkier. And even if data falls under ECPA's protections, in many cases a mere subpoena issued by a trial lawyer or a government prosecutor is all the law requires. As the Viacom case illustrates, a single subpoena can sweep in data on millions of people. ECPA's uncertain application to such common Internet activities as search and social networking cries out for Congress to provide better protection to information generated by popular services in today's communications environment.
Ironically, Viacom v. YouTube also points up a way in which current law may not provide enough access: the court found that YouTube is completely barred from providing Viacom with access to any of the video content entrusted to it in connection with YouTube's private video viewing service. No matter how compelling the litigant's need and no matter whether notice and an opportunity to object are given, no litigant can use a subpoena or secure a court order that will enable it access to the contents of a communication provided to an RCS in connection with computer processing and storage services. Criminal defendants, among others, are at an enormous disadvantage. If YouTube has exculpatory communications content because, for example, somebody privately posted a video that shows that the defendant was not at the crime scene, ECPA bars YouTube from disclosing it to the criminal defendant. However, if YouTube has incriminating communications content, the government - but only the government -- can trigger compulsory process that can require YouTube to disclose it.
ECPA is an outlier: other statutes that protect the privacy of records -- the Family Educational and Privacy Rights Act, the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act - permit civil litigants and criminal defendants to access content with proper process.
FREE TO DISCLOSE NON-CONTENT
While YouTube and other entities covered by ECPA are completely barred from disclosing content to a non-governmental entity, they are completely free under ECPA to disclose non-content, no matter how revealing it is. They can disclose the information voluntarily if they want to, or, as in the Viacom case, they can be compelled to disclose it in response to a subpoena issued in a civil lawsuit. That's why the court ordered YouTube to disclose "transactional information" that could identify who viewed particular privately-posted videos.
The Video Privacy Protection Act, written in the era of videotape, may be technology neutral enough to provide some protection in the Viacom case. However, if the Video Privacy Protection Act does not protect from disclosure sensitive information about who viewed what videos posted privately to YouTube, YouTube's users have no other law that protects them. Congress needs to step in. One approach would be to create a limited rule permitting litigant access to content protected by ECPA when the litigant can prove to a court a compelling need, that the content is not available elsewhere, and when notice and an opportunity to object are afforded. At the same time, Congress should impose new privacy protections on disclosure of non-content and create a limited exception to permit litigant access in some circumstances.