Naturally, the idea that Google wrote code to evade Safari’s privacy settings has not sat well with many. The Electronic Freedom Frontier dubbed Google’s actions “just as paternalistic as ad networks” and posited that Google needed a new approach to privacy to “restore [its] users’ trust.” Several Congressmen have asked the FTC to investigate whether these actions violate the Google Buzz settlement, which prohibits Google from making “future privacy misrepresentations.” One user has filed a class action suit against Google, claiming violation of federal wiretapping laws and other computer-related statutes.

Tensions often run high when privacy is threatened. Nevertheless, amidst the outcry, it is important to identify the contours of the threat and know what exactly it is we are upset about.

Circumvention Explained

Apple Inc.’s Safari is the only web browser that blocks third-party cookies by default. Cookies are essentially helper-files that websites commonly use to store things like user preferences and session information (for example, the state of a shopping cart). When a site contains third-party content (for example, a banner advertisement on your favorite news site), that third-party (in our example, the advertising company) can write its own cookie. Third-party advertisers commonly use this feature to record where and for whom  their advertisements have been displayed, allowing them to build a history of the sites an individual user visits.

Last September, in an effort to compete with Facebook’s “like” functionality, Google added a “+1” button to certain Google ads, which Google+ users could click on to indicate they “liked” those ads. However, because Google has set up its services such that Google+ and Google Ads reside on different domains, interfacing between the two required the use of third-party cookies. Because Safari blocks these by default, Google faced the prospect that most Safari users – a sizeable user base – would not be able to use this new feature.

To address this problem, Google exploited a known exception to Safari’s no third-party cookie policy. Safari allows third-party cookies when a user submits an HTML form, so Google created an invisible form, never seen by the user, which it submitted any time the user clicked “+1.” This triggered Safari’s form exception, allowing the creation of third-party cookies by Google Ads. The Stanford study showed that, in practice, Google used this backdoor method to create cookies that not only enabled the  “+1 Ads” functionality, but also set up the general Google Ads tracking cookie, which monitors the browsing behavior of users going forward. Google stated that they “didn’t anticipate that this [(setting up the general Google Ads tracking cookie)] would happen” and that they have “now started removing these advertising cookies from Safari browsers.”

So We Are Fighting For?

It’s true the technical facts aren’t flattering for Google: its code uses an invisible form to emulate Little Red Riding Hood and gain access to Grandma’s house, exposing the user to whatever tracking Google Ads decides to subject her to.  It’s true that Google’s primary motivation was enabling the “+1” feature for Safari users, but can we really say the end justifies the means in this case?

Still, this begs the question: what is it about Google’s actions that render them so troubling? Is it the fact that Google can track a user’s browser history? This seems unlikely. Google already tracks search history and processes electronic mail information in Gmail – how much more of an invasion can ad tracking be? Moreover, this backdoor is not triggered until a user actually clicks on “+1” – arguably this surveillance involves some kind of consent, albeit uninformed in most cases. Even if we can’t call this consent, enabling tracking involves some affirmative act by the user, and avoiding this is much easier than with search or Gmail.

If, then, it’s not the tracking itself that is particularly disquieting, perhaps the issue goes to some more fundamental idea of respect. By circumventing Safari’s privacy settings to enable the “+1 Ads” feature, one could say that Google ignored the express desires of its users, elevating its own commercial interests over the user’s personal privacy interests. This kind of disregard may be particularly troubling given the relative bargaining power that an individual consumer has against a monolith like Google.  At the same time, however, it may be hard to say that Google was ignoring express interests – blocking third-party cookies is Safari default behavior that most users are not aware of. Moreover, as one blog points out, Safari’s policy may just be a strategic move by Apple to curb the information its competitors can glean from its customers. Viewed in this light, Google’s actions could be understood as commonplace competitive behavior rather than neglect towards individual privacy concerns.

In this case, prudential arguments may bolster the respect rationale. Even if Safari’s default settings were not actual expressions of most users’ real desires, they nonetheless provide the interface through which these preferences can be expressed. Much like a court artificially thinks about Congress as a unified body with “wishes” and “intentions,” it makes sense for Google to treat browser preferences as a real expression of user preferences. Otherwise, it seems unclear what forum users have left. If browser settings are indeed an expression of real user preferences, then, slippery slope arguments counsel against tolerance of any disregard for them. If Google can violate privacy preferences in this area, what is to stop violations in other areas? And, if Google can do it, why can’t Apple or Microsoft do it too?

Looking Ahead

Clearly, slopes are not always slippery and it is possible to draw lines. Context is also useful – why privacy was breached, the extent of the harm caused by the breach, and the basis under which we deem that harm problematic should all be considered in determining whether that breach should be tolerated. In the case of Google, much uncertainty remains in at least two of these areas – nevertheless, consumers, policymakers, and Google executives alike should think critically about these questions in developing rules and recourse available for internet privacy violations.

• Sprint is urging the FCC to quickly hold hearings to rule on whether the transfer of spectrum licenses from T-Mobile to AT&T serves the public interest. AT&T’s proposed $39 billion acquisition of T-Mobile is currently under review by the FCC after the US Justice Department sued to block the proposal.

• Senators Blumenthal (CT) and Franken (MN) introduced a bill on Tuesday that would prohibit wireless companies from having contract clauses that require consumers to use binding arbitration rather than suing in the case of a contract dispute.

• On Wednesday, members of the House reviewed the FTC’s recommendations to the Children’s Online Private Protection. The proposed changes would require greater permission from parents of children under the age of 13 before information could be collected from them on the Web.

• Also on Wednesday, Senator Coons (DE) and Kohl (WI) proposed amendments to the pending Currency Exchange Rate Oversight Reform Act of 2011. The amendments would allow private federal civil actions for trade secret infringement and would allow Customs & Border Patrol to share information on suspected counterfeiters with US rights holders.

• Samsung wants courts in France and Italy to prohibit Apple’s iPhone 4S, claiming that the iPhone infringed two of its patents. Samsung and Apple are currently in around 20 patent infringement legal disputes.

• AstraZeneca returned to court this week to defend its US patent on Crestor, a multibillion-dollar cholesterol drug, against generic drug makers who are appealing a decision from the US District Court in Delaware. In June 2010, the court ruled that generic firms failed to prove the patent was invalid because it was obvious.

But, what can one really do if, for example, your top search results include an out of date, hopelessly inaccurate and embarrassing article from your hometown newspaper? As much guff as Facebook gets for its poor record on privacy protection, an average Facebook user has a relatively powerful set of tools at his or her disposal: you can delete or untag yourself from embarrassing photos, limit who can view your profile, and even delete your profile completely. But, is there anything you can do about embarrassing search results?

In 2010, Hugo Guidotti Russo, a Spanish plastic surgeon, filed a legal complaint with Spain’s privacy regulator, the Agency for Data Protection, asking them to order Google to remove a 1991 article about a malpractice complaint from his top search results. Russo insisted that because he was cleared of wrongdoing and the article did not mention this, it was within his right to privacy to have the search results removed. The agency agreed. Google is fighting the ruling which was recently referred to the European Court of Justice in Luxembourg on the issue of whether the ruling clashed with EU freedom of expression laws.

The case of the Mr. Russo is connected to the larger issue of whether governments should—or could—guarantee individuals a so-called “right to be forgotten.” Though, like most newly recognized rights, the contours are hazy and the terms ambiguous, the right to be forgotten is catching on. In 2009, the French secretary of state launched a campaign for le Doit a l’Oubli (the right to oblivion, though no English translation is quite adequate) that culminated in the adoption of so-called “codes of good practice” by several trade associations, social networks and search engines.  The provisions are themselves broad but somewhat vague: adoptees are obligated to give notice to users about how to exercise their privacy rights, respect an individual’s right to consent to data processing, to receive prior notice of procession and to object to the use of their data. The European Union is currently tossing around some proposed legislation which would give people the right, any time to have all personal information online deleted—though it’s hard to see how this would work in practice. Even in the United States, where courts have been much less willing to allow individuals to assert a general right of privacy against search engines and social networks, the FTC has issued a working paper called “Safeguarding Consumer Privacy in an Era of Fast Transform” which recommends, among other things, that individuals have the right to have inaccurate information about themselves removed from databases.

Critics of the “right to privacy” argue that, in its extreme form, it’s tantamount to suppression of speech—censorship. Most facts and opinions worth writing about–and reading about– are facts and opinions about people.  Individuals have always been able to fight others who publish false information using libel and defamation law, but falsity is not a requirement for a privacy claim. If individuals are empowered to suppress true or arguably true information written about them by third parties under the guise of privacy, the argument goes, our freedom of expression is significantly burdened.  In one infamous case, Wikipedia was sued by two German murderers  demanding that their names be removed from an article about their victim. German law allows criminals’ names to be withheld from association with their crimes after their sentences are over.  The case of German murderers points to another criticism of the right to privacy: practicability. If a German court orders the removal of the names from the article, does it only apply to the German language version of Wikipedia or with a .de web url? Does it apply to any article accessible from Germany? Or only if the servers which host the article are located in Germany? Moreover, does Wikipedia, which can be edited by anyone, have an ongoing obligation to ensure that the ex-con’s names are kept of the site? For a website like Wikipedia, which relies heavily on user donations, and which relies on a relatively small number of editors to maintain their pages, an ongoing obligation to monitor for information about individuals is a heavy burden.

From the perspective of someone with a rare name—say for example, the author of this post (but three out of the first four results are not me!)—the right to delete whatever search results I wanted from Google would certainly be a blessing. That being said, there is a thin and hazy line between what information is truly private—which should be protected—and what information is merely embarrassing or inconvenient, but a legitimate part of the public discourse.

Background: Sorrell v. IMS Health

In Sorrell v. IMS Health, plantiffs data-mining firms and PhRMA, an association representing pharmaceutical drug manufacturers, have challenged a Vermont law that prohibits drug manufacturers from using of prescriber records for purposes of marketing. The plaintiffs argue that this restriction on their use of information violates their free speech rights.

The Vermont law attempts to curb marketing uses of prescription records by targeting a common three-part transaction: First, upon filling prescriptions, pharmacies collect information including the prescriber’s name and address, the name, dosage, and quantity of the drug, the date and place the prescription is filled, and the patient’s age and gender. Pharmacies sell this information to data-mining firms who aggregate it to reveal individual physician prescribing patterns.

Second, the data-mining firms “de-identify” the aggregated data by stripping it of patient information and then sell it to drug manufacturers. The extent to which the firms de-identify the data is apparently left to their discretion, since no statute defines what constitutes sufficiently de-identified data.

Third, after purchasing the data, drug manufacturers use it in their marketing efforts. Most notably, manufacturers employ representatives to promote their products during visits with individual physicians, a process known as “detailing.”

The challenged Vermont law seeks to disrupt this transaction by prohibiting pharmacies from selling or using prescription records for any marketing purposes without the express consent of the prescribing physician. Put another way, the law prohibits part one of the transaction described above in order to prevent part three. The law permits pharmacies to continue to transmit the data for non-commercial purposes such as health care research, treatment, and safety-related uses.

Plaintiffs data-mining firms and PhRMA argue that the law restricts commercial speech and therefore violates their First Amendment rights. Vermont, in contrast, argues among other things that the law is not a restriction on speech but merely conduct. Even if it were a restriction on commercial speech, Vermont argues, the law advances three substantial state interests: protecting public health, protecting patient privacy, and containing health care costs.

In November, 2010, the Second Circuit agreed with plaintiffs’ argument and struck down the law. The three judge panel held that the statute restricted commercial speech—not merely conduct—and that it failed to advance the state’s asserted interests in lowering health care costs and protecting public health. The court determined that the state’s stated interest in protecting privacy was “too speculative” to qualify as substantial.

The State’s Interest in Privacy

In rejecting the state’s interest in protecting patient privacy as substantial, the Second Circuit neglected to consider developments in technology and decryption techniques that pose a real and substantial threat to patient privacy. In fact, the state itself neglected these developments and instead argued (.pdf) that allowing marketing uses of prescription data undermined the privacy of the patient-doctor relationship.

In an amicus brief (.pdf) cited by the dissent, the Electronic Privacy Information Center (EPIC) emphasized the importance of the state’s interest in protecting patient privacy in light of recent technological developments. In particular, it explained the various ways in which de-identified data can be easily re-identified, and how this re-identification presents serious risks where medical records are at stake.

In its brief, EPIC describes one method of re-identifying anonymous data known as record linkage, which involves merging two or more databases (e.g. public census data, voting records, etc.). This method has been proven to be very effective at re-identifying individuals from supposedly anonymous data—even from ordinary desktop computers. For example, one privacy researcher employing this method was able to uniquely identify 87% of the US population by utilizing only date of birth, gender, and zip code. The same researcher also re-identified a former governor of Massachusetts’ full medical record by cross-referencing public census data with de-identified health data.

Expanding on its amicus brief for the Second Circuit, EPIC’s recent amicus brief (.pdf) filed at the Supreme Court attacks the data-mining firm IMS Health’s method for encrypting the prescription data. According to the brief, the firm uses a faulty method of encryption, known as MD5.  MD5 has been abandoned not only by its inventor Ron Rivest, who has deemed the method “clearly broken,” but also the Department of Homeland Security, whose Computer Emergency Readiness Team concluded that it was “cryptographically broken and unsuitable for further use.”

The court’s failure to recognize these developments would be more understandable if computer scientists had just discovered the risks re-identification; however, these risks have been well documented for years even in the popular press. In an article published nearly two years ago, The New York Times profiled several individuals whose prescription data had been sold to drug manufacturers without their consent and re-identified so that it could be used for purposes of marketing products directly to them.

In the article, one woman in particular began receiving promotional material for various pregnancy-related products after she bought fertility drugs at a pharmacy in San Diego. Although she was unsuccessful in having a baby, she continued to receive ads for over ten years promoting at first diapers and baby formula and later discounts on family photos and “gifts suitable for an elementary school graduate.” The woman describes the ads as painful reminders of a difficult time in her life: “To just go to the mailbox and get that stuff, time after time after time, it was just awful.”

While digitizing medical records provides several benefits, we must not ignore or underestimate the risks. Although one would like to find assurance in the notion of de-identified or anonymous data, the reality proves more troubling. At the very least, state attempts to protect this sensitive data should be carefully reviewed before being struck down—and an understanding of encryption technology and methods must be part of any meaningful review.

Recently, the Federal Trade Commission terminated its inquiry into Google’s “accidental” collection of Internet users’ personal data through its Street View vehicles after Google promised to improve its privacy efforts and delete the data. As you may recall, the investigation began after the FTC learned that Google’s Street View vehicles had been taking more than just pictures—the cars had also inadvertently collected and stored “payload” data, including passwords and email messages that were available over unsecured Wi-Fi networks.

Although critics are crying foul on the FTC, others are commending its decision. They argue that Google did nothing wrong, and that users transmitting their information over unsecured networks cannot expect privacy.

While this argument is certainly reasonable, another point (among many) should be made: Google disappointed not only unreasonable expectations of privacy, but also perfectly reasonable expectations. When a Street View car sets out to acquire information, we expect it to take pictures and chart streets. We do not expect it to record login information and emails—whether transmitted over secured networks or not. Likewise, when any company performs a service or sells a product, the public has certain expectations about the kinds of information it will collect and store. When companies ignore these expectations, the public rightly gets nervous.

Despite its decision to let Google off the hook, the FTC recently affirmed the role of consumer expectations in privacy policy. During a recent speech (.pdf) in New York, Commissioner Julie Brill discussed the FTC’s recent efforts to “re-think” privacy in the digital age. Its research started by conducting a series of public roundtable discussions to gauge consumer expectations and attitudes about privacy.

Judging from Brill’s remarks, the FTC’s new approach will be a needed improvement. Unlike its previous approaches, the agency’s new approach will be centered on consumer expectations. Such an approach is necessary in today’s technologically advanced economy, which depends on the routine exchange of information. By focusing on the unexpected uses of information, rather than the expected uses, the new approach will better protect the privacy of consumers while still accommodating the marketplace.

Privacy, Previously

According to Brill, the FTC’s latest privacy approach will be its third. The FTC’s first approach, starting in the mid-1990’s, used a “notice and choice” model. Under this model, the agency called for businesses to provide consumers with notice and choice about how their personally identifiable information would be used.

Despite its good intentions, this model has resulted in long and complex privacy policy statements that seem to be aimed at shielding websites from liability rather than informing consumers, according to Brill. By flooding consumers with every conceivable use of their information, companies are able to discreetly obscure unexpected and potentially harmful uses of information. With its focus on consumer expectations, the FTC’s new approach will hopefully discourage sprawling privacy policy statements in favor of clear, concise notices of unexpected uses of information.

In the early 2000s, the agency shifted to a “harm based” model, which is still in place today. Under this model, according to Brill, the agency focuses on harmful privacy practices and the risks of privacy-related consumer injuries. The harm based approach focuses on areas such as data security and data breaches, identity theft, children’s privacy, spam, and spyware.

According to Brill, the harm based model focuses too heavily on quantifiable harms and neglects other real but intangible harms. Such harms include those resulting from exposure of sensitive information such as information regarding religion, sexual orientation, or medical conditions. By allowing consumers themselves to define what constitutes harm, the FTC’s new approach can alleviate this problem. An approach informed by the public’s attitudes will likely recognize a broader range of potential harms—both tangible and intangible.

Privacy Now

Although we still await specifics about the FTC’s privacy report, Brill describes three issues it will address. First, it will promote proactive “privacy by design.” Privacy by design limits data collection to uses that are truly necessary, and implements reasonable procedures to ensure data security and accuracy. Second, the report will address transparency and encourage shorter and more consistent privacy notices, with the goal of allowing customers to compare privacy policies. Third, the report will address consumer choice and meaningful notice. Brill expressed her support for “streamlining” notices and focusing on “‘unexpected’ uses of consumer data, rather than on uses that consumers reasonably expect, such as giving their address to a shipping company in connection with an online product order.”

While we await the final details of the FTC report, at the very least, we can commend its concern with consumer expectations and its focus on unexpected uses of information in particular. Although consumer expectations are fluid and can be difficult to define, any effective privacy approach in our rapidly changing environment must be flexible enough to accommodate changing norms and technologies.

Not if the email has been “in electronic storage” for more than 180 days, under the 1986 Stored Communications Act (18 U.S.C. Section 2703). The Stored Communications Act (SCA) is Title II of the Electronic Communications Privacy Act (ECPA).  In contrast, that same Act states that a warrant is required for disclosures of emails that have been stored for 180 days or less.

A Recent Battle Over Email Through Webmail

How to apply the SCA to emails stored by webmail providers was the central issue in a court battle pitting several tech company heavyweights and privacy advocates against the U.S. Department of Justice.  In December of 2009, the DOJ requested and received an order from a magistrate judge that Yahoo turn over emails in specified accounts stored for less than 181 days—without a search warrant.  The DOJ’s rationale? The emails had already been read by the recipient, and thus did not count as being in “electronic storage” within the meaning of the SCA.

Yahoo refused to comply with the magistrate judge’s order. The DOJ filed a motion to compel the production of the emails in March (PDF). Yahoo’s response brief (PDF) contested the DOJ’s interpretation of “storage” and accused the DOJ of trying to overturn years of precedent in an effort to gut Fourth Amendment protections for emails.

Yahoo was not alone in its battle. Google and a coalition of digital privacy groups came to its defense, filing an amicus brief (PDF) arguing that the Fourth Amendment protects email just as much as private conversations and written papers, and supporting Yahoo’s interpretation of “electronic storage” within the meaning of the SCA.

The Government Backs Off… For Now

The fight was just coming to a head when it ended abruptly. The DOJ withdrew its motion to compel the production of the emails (PDF)—without, however, backing down from its interpretation of the law. This means that the argument may not be truly over, but may simply have been postponed. Although Yahoo briefly expressed its pleasure over the new development, the digital privacy groups (for instance, the Electronic Frontier Foundation) are less pleased because the withdrawal delayed resolution of a contentious issue. Adding to their consternation: they thought they were going to win.  Precedent indicates that the resolution the DOJ’s withdrawal delayed may have been favorable to email users and companies like Yahoo, and less than favorable to the DOJ. Although Yahoo won this short-term victory, the government’s withdrawal means that Yahoo and Google and their users will likely face similar issues very soon.

“Electronic Storage” and Cloud Computing

Yahoo, in its response to the DOJ’s motion to compel, relied on the 2003 9^th Circuit case Theofel v. Farey-Jones (PDF) which plainly stated that opened emails fell within the SCA’s definition of “electronic storage.” For the purposes of SCA § 2701(a)(1), a communication is in “electronic storage” if it is stored temporarily and incidentally to transmission or if it is stored “for purposes of backup protection” (SCA § 2510(17)). In Theofel, the 9^th Circuit did not decide the question of whether opened emails were stored incidentally to transmission, but held that regardless of that issue, opened emails were stored for purposes of backup protection. Accordingly they are in “electronic storage” within the plain meaning of the SCA. Yahoo argued that not only are the opened emails stored for purposes of backup protection, but that the court should also consider them to be stored incidentally to transmission. Relying on the plain meaning of the SCA provisions, Yahoo argued that whether an email was opened or not was irrelevant to its classification as “electronic storage” and consequent protection under the SCA.

The DOJ, by contrast, argued that Theofel was an erroneous decision and that the 9^th Circuit was disregarding the structure and legislative history of the SCA. In particular, the DOJ argued that the protection for backup storage only applied to copies made by a service provider in case of system failure. Since opened email does not fall into this category, it is not in “electronic storage” for the purposes of the SCA, but instead falls into the category of communications held by a “remote computing service”—in this case, Yahoo.  The SCA, passed in the days before common use of webmail, does not have warrant requirements for such communications (see section 2703(a), regarding communications in “electronic storage,” compared with section 2073(b), discussing communications held by a “remote computing service”).

The SCA’s distinction between “electronic storage” and storage by a “remote computing service” suggests that much of the information stored by web users will have very little statutory privacy protection in the era of cloud computing, as more and more personal data is stored remotely. That is probably why the amici brief by Google and various digital privacy groups, in addition to supporting Yahoo’s interpretation of the SCA, also argued that the emails were protected under the Fourth Amendment—regardless of whether the SCA’s protections extend to them or not.

Fourth Amendment and Email

Citing a line of cases beginning with Katz v. United States, a Supreme Court decision from 1967 holding that governmental eavesdropping on phone conversations is a Fourth Amendment violation, the amici brief argued that email users have a “reasonable expectation of privacy” (a prerequisite to Fourth Amendment claims) for the contents of emails stored with a webmail provider. The argument was supported by analogy to conversations in person and over the phone (which are intangible, yet constitutionally protected), sealed postal mail (private for Fourth Amendment purposes even though carried by a third party) and the contents of hotel rooms (private even though the room is owned by a third party).

Possible Future Developments

Despite all these fine-tuned legal arguments, all of these parties will have to wait for a final conclusion on whether opening an email makes it less protected and whether email is as constitutionally protected as a phone conversation. However, Google and the digital privacy organizations behind the amici brief—along with Microsoft, AT&T, AOL, Loopt, and others—have joined forces to advocate federal laws that would render moot all of this analysis by changing the SCA so that police will need a search warrant to access emails even if they are stored “in the cloud.” Describing the issue as one of “digital due process,” the coalition argues that the 1986 attitude to “remote computing services” has become obsolete and that privacy protections need updating in the current era.

The fact that most of this diverse coalition banded together to support Yahoo’s case so quickly after it was announced (it was announced on March 30^th and the amici brief was filed on April 13^th) suggests that the coalition may have regarded the Yahoo case as the initial test run for its legal strategy. The DOJ’s withdrawal can be taken as a sign of uncertainty in its position, or at least unwillingness to argue it unless strictly necessary. However, the DOJ’s lack of any concession on this issue shows that it has by no means given up the possibility of pursuing this battle in later cases, which means that we will likely see giants like Google, Microsoft, and AT&T clash with the federal government over email privacy in the future.

• The Department of State’s annual Human Rights Report turns the spotlight on internet freedom in China and Iran, from ZDNet Government.

• The US District Court in Delaware stays the patent litigations between Apple and Nokia, pending decisions by the International Trade Commission, says The Register.

• A California appeals court rules that cyberbullying threats are not protected free speech, reports Wired.

• Also from Wired, the Supreme Court agrees to review a Ninth Circuit decision on privacy rights in the context of background checks on government workers.

• The FCC announces that it will recommend the sale of 500 megahertz of spectrum to meet the needs of mobile broadband users, from the Washington Post.

• Programmers in trouble over financial misdeeds: two programmers who developed code for Madoff are charged with fraud (The New York Times, The Register) and the Securities Exchange Commission files a complaint against a one-man Russian investment company for hacking into online portfolios to “pump and dump” stocks (Switched, Wired).

• From E-Commerce Times: TiVo wins its long running patent infringement case against digital video recorder rivals.

• Spicy IP reports that Brazil seems set to invoke WTO intellectual property cross-retaliation provisions for the first time, against the US.

• The European Parliament threatens to bring a legal challenge against the European Commission if it fails to disclose details of the Anti-Counterfeiting Trade Agreement (ACTA), writes Outlaw (see our post on the controversial treaty here).

• Also from Outlaw: Net Neutrality in the UK: Ofcom to probe broadband providers’ management of web traffic.

• As it launches its cloud computing platform, Azure, Microsoft calls for federal regulation to clarify many of the open legal questions surrounding cloud computing, says the MTTLR Blog.

• Ten years after it applies, TiVo is granted patent for season pass subscriptions, writes Gizmodo (see our recent post on TiVo’s patent battle with Microsoft here).

• INFO/LAW recommends a Paul Ohm paper arguing that statistical techniques are eroding the effectiveness of anonymization of data, with great implications for privacy law.

• The Third Circuit revives the hopes of Mr. and Mrs. Boring, who sued Google in trespass after a Google Street View car drove down their private driveway, writes Eric Goldman.

• Ephemerallaw reports on the looming compliance deadline for the Massachusetts Data Security Law.

• Rob Tiller of Red Hat argues for calling a troll a troll at Opensource.com’s law channel.

• Mashable reports that the U.S. Department of Justice and the European Commission have given the go-ahead to the Microsoft-Yahoo deal that will see Yahoo’s search engine powered by Bing technology.

• The controversy surrounding Google’s Buzz is not confined to the U.S. (see our post): the Canadian Office of the Privacy Commissioner is also taking a look, says CBC News.

• Further afield, Indian IP blog Spicy IP considers whether the Indian Reprographic Rights Organisation (IRRO) might challenge the Google Books settlement, on the basis on India’s stricter “fair use” standard.

• It’s not just China: European security and rights watchdog, the Organization for Security and Co-Operation in Europe, calls on Turkey to reform or abolish its restrictive internet law.

• And also in Europe, Out-Law gives a round-up of just-decided and upcoming litigation involving trademarks and keywords.

• Ephemerallaw assess the chances of Microsoft being sued for the Internet Explorer 6 vulnerability involved in the hacks recently suffered by Google, Adobe and other major companies.

• Billboard.biz reports that search engine Baidu, Google’s arch-rival in China, has won a piracy case brought by the International Federation of the Phonographic Industry for linking to illegal music downloads.

• As Apple launches its latest handheld device, Erblawg reports on Apple’s battle again Fujitsu for the “iPad” trademark.

• The US District Court for the North District of Georgia upholds the forum selection clause in the Facebook User Agreement in copyright infringment suit, writes Eric Goldman on the Technology & Marketing Law Blog.

• Keeping with Facebook, OUT-Law reports that the Canadian Privacy Commissioner is investigating Facebook’s reponse to its earlier investigation into the social networking site’s privacy policy. See also the New York Times advice on the three Facebook settings every user should check now.

• The European competition watchdog has finally cleared Oracle’s $7.4bn purchase of Sun Microsystems, reports the Financial Times (See our post on the backstory here).

• And on a related note, Microsoft warns Google that it is likely to come up against the EU Commissions over anti-trust issues sooner or later, reports E-Commerce Times.

• Californians with medical marijuana prescriptions can now carry any amount of pot, rules the California Supreme Court. Report by Court House News.

• The New York Times discusses the increasingly complex battle over e-book publishing rights.

• True/Slant reports on Facebook CEO Mark Zuckerberg’s glitch with his social network’s new privacy settings, and asks whether the changes might violate FTC regulations.

• Misbehaving in the jury box: jurors researching on Wikipedia led to an overturned murder conviction, and jurors friending each other on Facebook is the subject of mistrial challenge, reports the ABA Journal.

• Former state representative and convicted pederast Ted Klaudt claims his name is covered by “common law copyright” and says news organizations that use it in coverage have to pay him $500,000 in licensing fees, blogs The Legal Satyricon.  That’s TED KLAUDT making the claim.  TED KLAUDT.

• Wired’s Threat Level reports on a new hacker application that deletes traces of illegal computer activity when it detects a commonly used suite of police forensic tools beginning to run.  If it doesn’t work perfectly, this could be a godsend for prosecutors looking to indict on obstruction of justice charges.

• Microsoft dips its toes a little deeper into open-source waters with Moonlight 2, the Linux version of its web application framework Silverlight.  With the new version, Microsoft extends its Patent Covenant to End Users of Moonlight to users who get the framework from any third-party, including distributors like Red Hat or Ubuntu.

• Apple-Psystar, the final chapter, on Gizmodo.

• Fake Steve Jobs rallies iPhone users to DoS attack AT&T today, reports Gizmodo.

• The FTC sues chipmaker Intel for antitrust violations, everyone reports.

• Europe drops its antitrust case against Microsoft after the software giant agreed to offer consumers a choice of web browsers installed with copies of Windows, says the New York Times.

• Video sharing site Vimeo is sued by Capitol Records over user-posted lip dubs, reports NewTeeVee.

• The Supreme Court will review employers’ access to employees’ text messages on company-owned mobile devices, reports the Wall Street Journal.