Congress has recently amended the quarter-century-old Video Privacy Protection Act. In immediate and practical terms, it means that a video service like Netflix can now share your personal viewing history with an outside service (like Facebook) after getting your permission.
The VPPA amendment is being talked about as another example of the dangers of handing personal information over to tech companies. In truth, it serves better as an illustration of why technology is so damned-near impossible to legislate. The lawmaking process walks. The process of innovation runs, then hops on a Segway, then jumps in an electric car, and then abandons that for a superconducting maglev bike because, come on...motors and wheels are just soooooo twenty minutes ago. VPPA, in its existing form, made it hard for good companies to create valuable services for willing customers.
Netflix had been working hard to make amendment happen. VPPA was spawned during the 1988 confirmation hearings for Supreme Court nominee Robert Bork. When a journalist obtained the judge’s private video rental history from a clerk at his local store and published it, the event shined a rather explosive light on the need to secure the personal information that we leave behind as the residue of our daily transactions. As a result, video companies can’t even share your personal records with law enforcement unless you’ve given the store either your explicit, written consent, or the police have demonstrated probable cause and obtained a warrant.
Which was all very good in 1988. But the VPPA couldn’t possibly have anticipated the tectonic changes in both technology and in people’s relationship with their personal data. In so many cases, the concept of your viewing habits becoming accessible by the public isn’t a scary threat; it’s actually a desired feature. Many music services let me auto-post my music as it’s being played. But the VPPA prohibited Netflix and others from incorporating this kind of feature for video. Its existence even encouraged a prudent service to use caution when implementing a “Like Button”-style connection to social media.
Moreover, well-intentioned but antiquated laws can often get in the way of a good new idea. In 2011, for example, Netflix was hit with two separate class action suits for violations of VPPA. The Act requires a video store to destroy records of customer viewing habits in a timely and practical manner. But Netflix needs to hold that data indefinitely. Otherwise, how can it tell me which episodes of “The West Wing” I’ve already watched, or build such an uncanny “sixth sense” about the kinds of movies I should consider watching next?
I just came across a great example of how well Netflix exploits my personal viewing history. I visited Netflix.com, just to confirm that they hadn’t added a “Like This” button while I wasn’t looking (no, they hadn’t). The top page had a selection of movies and TV shows that Netflix had recently acquired and which were currently popular with its subscribers. One of these was a documentary about what porn stars do with their lives after they leave showbiz.
It looked interesting, so I added it to my queue. Netflix instantly made additional recommendations, based on this new selection and my previous history.
Well, maybe you people (and my editors) might not believe that I clicked on the porn film solely because I’m interested in documentaries. But Netflix does. It recommended other documentaries, ones with such racy descriptions as “the current state of the global socioeconomic monetary paradigm.”
It’s hard for me to imagine a scene involving a sorority-house pillow fight interrupted by a pizza delivery in that flick. But hey...I don’t subscribe to Cinemax so maybe it’s just me.
So why the worry about the VPPA amendment? Because “Facebook” is the “Frau Blücher” of tech companies. The mere mention of the name causes horses to rear up and panic, and thunder to crash. With good reason, too. Netflix wants to use the changes to VPPA to allow your viewing activity to flow into Facebook as a constant, invisible stream. Mind you, even the amended VPPA requires Netflix to obtain your specific consent before they turn on the tap. Not even a line in their labyrinthine terms of service and an “I agree” checkbox will suffice.
But once you’ve gone ahead and thought “Sure, it’ll be fun to let my 7 friends and 18 family members on Facebook see what movies I watch” the data is Facebook’s...and they can do whatever they like with it. Do you trust them? I trust Apple with my personal data because their business is based on exploiting my monkey-like drive to acquire pretty new shiny things, not on exploiting my personal information. I trust Netflix with it because they’ve proven to be good custodians in the past (thanks mostly to VPPA) and because they convert the collection of my viewing history into a valuable feature that benefits me. They also use that data in an intelligent way.
But do I trust Facebook? No way. If Facebook learned that I watched “After Porn Ends,” I’m certain that soon I’d be inundated with ads for...consumer devices that have the outward appearance of a flashlight, but which very much aren’t flashlights.
And “consent” is a vague term. I recently “consented” to allow my phone company to stop sending me printed bills, even though I had no intention of doing so. They had snuck in a pre-selected “ohandbythewaypleasestopsendingmeprintedbillsthanks” checkbox in tiny print at the bottom of the screen after I’d made a temporary change to my service plan.
On the whole, the amended VPPA seems to be a sensible update that lets the law do its job (meaning: allow us to have some control over our personal information) while letting modern companies move ahead with great ideas that were inconceivable during the Reagan administration.
Another bill, attached to the VPPA legislative package, was far more interesting. It involves big changes to the 1986 Electronic Communications Privacy Act, and like the amendment to the VPPA, it attempts to bring an important electronic privacy law into the 21st century. The proposal, introduced by Senate Judicial Committee chair Patrick Leahy, makes it tougher for law enforcement to access your private emails without showing probable cause and obtaining a warrant.
The 1986 ECPA -- which was also spearheaded by Leahy -- was a creation of its time, when storage and bandwidth were expensive and most people’s concerns about privacy centered around a third party intercepting messages as they came in. Essentially, it was designed to protect against eavesdropping. Thus, under ECPA, if an email is less than 180 days old, or if you’ve moved it off of a server and onto a local hard drive (or even just printed it out and stuck it in a drawer), it falls under the full fury and protection of the Fourth Amendment. But if it’s older, and it’s sitting somewhere on a server that you don’t own, then law enforcement has much freer access. Though they can’t just wave a badge and dive right in, they won’t need to convince a judge of their need for the information and get a warrant before they can access your data.
That was considered adequate protection back when older emails just kind of spooled off into hyperspace, never to be seen again. Believe it or not, at the time, the Justice Department argued that older emails should fall under the same legal umbrella as paper records that a business has shoved into rented warehouse storage. By moving the documents out of their personal control, the owner had implicitly declared that the data was of low importance, and were demonstrating a lower expectation of privacy.
Today, of course, we complain when an ISP only gives us a single measly gigabyte of email storage, and we expect the data in our Inboxes to outlive us. Remember Google’s “Dear Sophie” commercial, in which a new dad creates a GMail account for his newborn daughter, and then he keeps sending it diary entries, photos and video as she grows up? There you go. Google promises to keep mail forever. And under the existing terms of the Electronic Communications Privacy Act, that’s the scope of law enforcement’s power to perform a warrantless search of your email history on a third-party server.
The amendments to ECPA were approved by the Senate Judicial Committee. The ACLU likes it, but the Justice Department is strongly against it, and it’s also been lobbied against by national law enforcement organizations. It’ll come up for vote again next year and it’s certain to be subjected to a great deal of argument and compromises in the coming months.
I’m not scared of the country undergoing a quiet transition into a police state. It’s just the principle of the thing. I’m glad about the fact that if digital photography had existed back when ECPA and the VPPA were ratified, then by now any photos I’d emailed friends of myself in an unstructured tuxedo jacket with the sleeves rolled up and a skinny neon tie would have been deleted from Compuserve’s servers twenty years ago, and thus rendered inaccessible by God or Man. Today? What you say and what you do become a permanent record, with few protections.
The nice thing about 1980’s fashions is that I had seen the errors of my ways by the early 90’s. Flock Of Seagulls-era laws are far tougher to get rid of, and they create far bigger problems then just being ridiculed by your social betters.