Harvard Law Review Harvard Law Review Harvard Law Review




Lore has it that the internet was born on an autumn night in 1969.1×1. Oliver Burkeman, Forty Years of the Internet: How the World Changed for Ever, The Guardian (Oct. 23, 2009, 3:00 PM), https://www.theguardian.com/technology/2009/oct/23/internet-40-history-arpanet [https://perma.cc/UA83-N7M5]. Sitting in front of a computer at the University of California in Los Angeles, Professor Leonard Kleinrock sent a message to another computer housed at the Stanford Research Institute in Palo Alto: “LO.”2×2. Id. Kleinrock had intended to write “LOGIN,” but the system crashed after the first two letters were transmitted.3×3. Id. Nonetheless, sending “LO” was an incredible success and marked the beginning of a monumental — and unbelievably swift — societal shift.

Although the exponential growth of internet and computer use was not a surprise to many technologists,4×4. Id. the statistics are striking: As of 2016, about 81% of adults in the United States have a smartphone,5×5. Jacqueline Howard, Americans Devote More than 10 Hours a Day to Screen Time, and Growing, CNN (July 29, 2016, 4:22 PM), http://www.cnn.com/2016/06/30/health/americans-screen-time-nielsen/index.html [https://perma.cc/3KHE-KTH6]. and 87% of U.S. adults use the internet.6×6. Monica Anderson & Andrew Perrin, 13% of Americans Don’t Use the Internet. Who Are They?, Pew Res. Ctr. (Sept. 7, 2016), http://www.pewresearch.org/fact-tank/2016/09/07/some-americans-dont-use-the-internet-who-are-they [https://perma.cc/5PJK-YA5C]. In 2017, the average U.S. adult spent over four hours per day on her phone.7×7. How Much Time Do People Spend on Their Mobile Phones in 2017?, Hacker Noon (May 9, 2017), https://hackernoon.com/how-much-time-do-people-spend-on-their-mobile-phones-in-2017-e5f90a0b10a6 [https://perma.cc/N36M-HV42]. Seventy-nine percent of U.S. adults shop online as of 2016, up from only 22% in 2000.8×8. Aaron Smith & Monica Anderson, Online Shopping and E-Commerce, Pew Res. Ctr.: Internet & Tech. (Dec. 19, 2016), http://www.pewinternet.org/2016/12/19/online-shopping-and-e-commerce/ [https://perma.cc/64YS-774G]. By 2015, 65% of U.S. adults used social media, up from 7% in 2005, including 90% of young adults aged eighteen to twenty-nine.9×9. Andrew Perrin, Social Media Usage: 2005–2015, Pew Res. Ctr.: Internet & Tech. (Oct. 8, 2015), http://www.pewinternet.org/2015/10/08/social-networking-usage-2005-2015 [https://perma.cc/2W5F-VHTT]. And by 2012, 71% of smartphone users said that they could not go a day without their phones.10×10. See Your Wireless Life: Results of TIME’s Mobility Poll, Time, http://content.time.com/time/interactive/0,31813,2122187,00.html [https://perma.cc/FQ9C-5WP4]. Nearly one-third said that their phone was the first thing they looked at in the morning, and the last thing they looked at in the evening.11×11. Id.

It is clear that in the fifty years since “LO,” and the roughly twenty-five years since the first usable internet browser was launched,12×12. Matthew Lasar, Before Netscape: The Forgotten Web Browsers of the Early 1990s, Ars Technica (Oct. 11, 2011, 10:15 AM), https://arstechnica.com/information-technology/2011/10/before-netscape-forgotten-web-browsers-of-the-early-1990s [https://perma.cc/GVE9-HWVT]. internet-connected computers have become a critical part of everyday life. In the words of Steve Crocker, a computer scientist who was present for that first internet communication in 1969, “there has not been, in the entire history of mankind, anything that has changed so dramatically as computer communications, in terms of the rate of change.”13×13. Burkeman, supra note 1.

In our growing reliance on modern technology, smartphone and computer users are placing more and more of their personal data on devices and online — both purposefully, by storing photos and documents, for example, and unwittingly, by communicating personal preferences to advertisers, for example. And yet most users do not completely understand what they have gotten themselves into. Take, for example, a 2012 survey gauging how much the average U.S. adult understands about cloud storage and computing.14×14. Jay Yarow, 51% of People Think Stormy Weather Affects “Cloud Computing,” Bus. Insider (Aug. 30, 2012, 12:14 PM), http://www.businessinsider.com/people-think-stormy-weather-affects-cloud-computing-2012-8 [https://perma.cc/9PZN-GYW6]. A majority of respondents, 54%, asserted that they had never used the cloud.15×15. Id. However, researchers found that 95% of this group actually did use the cloud — when shopping, banking, using social media, playing games, storing photos, and engaging in other activities.16×16. Id. Further, the survey found that 22% of U.S. adults pretend to know what the cloud is and how it works even though they do not, and 56% suspect that others are doing the same.17×17. Id. (For the record, “the cloud” refers to a network of servers located around the world, which are used to “store and manage data, run applications, or deliver content” to internet-connected devices.18×18. What Is the Cloud?, Microsoft: Azure, https://azure.microsoft.com/en-us/overview/what-is-the-cloud [https://perma.cc/HE43-EG38]. It bears no relation to actual clouds.)

Unsurprisingly, the law is struggling to catch up with these developments as well. This edition of Developments in the Law considers issues that arise when our personal information is stored on computers and online. Chapters I and II address the rise of surveillance intermediaries19×19. The term “surveillance intermediaries” was coined in a recent article by Professor Alan Rozenshtein. See Alan Z. Rozenshtein, Surveillance Intermediaries, 70 Stan. L. Rev. 99, 104–05 (2018). : tech companies that store an enormous amount of their users’ personal data. In storing this data, these companies have become critical to our law enforcement and national security apparatus on the one hand, and to our privacy on the other. Chapter III turns its attention to reader privacy, advocating for the creation of federal reader privacy legislation in our age of e-readers and ever-available search histories. Finally, Chapter IV asks how the legal requirements of wills — which were developed prior to the rise of the internet — can be adapted to “electronic wills.” Together, these Chapters address a wide range of novel legal issues and needs that have arisen in the wake of “LO.”

Chapter I begins by noting that surveillance intermediaries hold an extraordinary amount of power in our law enforcement and national security apparatus.20×20. See infra ch. I, pp. 1722–23. These companies have significant discretion in deciding when to cooperate with government requests for their users’ personal data, and when to resist such requests.21×21. Id. The Chapter suggests that leaving such discretion to private, profit-motivated companies may be problematic and that this might be an area for future regulation.22×22. Id. at 1723–24. Before Congress can regulate intermediary behavior, it must understand the incentive structure motivating that behavior: “How do surveillance intermediaries decide when to cooperate and when to resist? And how do these decisions vary between companies and over time?”23×23. Id.

The rest of the Chapter sets out to answer these questions. It observes that existing scholarship seeks to generalize the behavior of surveillance intermediaries, arguing either that intermediaries tend to assist the government, largely cooperating with government investigations (whether or not they are legitimate), or that intermediaries tend to resist the government, obstructing government investigations (whether or not they are legitimate).24×24. Id. at 1724–27. But this is a false dichotomy — the Chapter shows that intermediaries do both, and that the decision of whether to assist or resist the government varies between companies and over time.25×25. Id. at 1727–29. Next, the Chapter explores several incentives that might cause a surveillance intermediary to assist or resist a government investigation.26×26. Id. at 1729–36. These incentives include a company’s reactions to current events,27×27. Id. at 1730–32. technical structure,28×28. Id. at 1732–34. and business model,29×29. Id. at 1734–35. as well as the interests of corporate and individual users.30×30. Id. at 1735–36.

Finally, the Chapter ends on a hopeful note: Although the surveillance intermediary model is not ideal, it is not without its advantages.31×31. Id. at 1737–41. When large companies act as surveillance intermediaries, they can generate public information about surveillance practices,32×32. Id. at 1738. leverage their bird’s-eye view into federal, state, and local surveillance regimes,33×33. Id. at 1738–39. pursue surveillance-related litigation unavailable to individuals,34×34. Id. at 1739. invest resources in policy teams that handle government requests for data,35×35. Id. and serve as valuable resources to the government, particularly in the face of emergencies.36×36. Id. at 1740.

Chapter II also discusses the role of surveillance intermediaries, this time in the context of challenging national security–related surveillance in court. It begins by considering the following scenario: Under § 702 of the Foreign Intelligence Surveillance Act37×37. Foreign Intelligence Surveillance Act of 1978, Pub. L. No. 95-511, 92 Stat. 1783 (codified as amended in scattered sections of 18 and 50 U.S.C.). (FISA), the U.S. government can conduct surveillance on any non-U.S. person.38×38. See 50 U.S.C. § 1881a (2012 & Supp. III 2016); see also infra ch. II, p. 1742 (defining U.S. persons as “American citizens located within U.S. borders, American citizens located abroad, and foreign nationals who are either on U.S. soil, and/or who have developed ‘substantial ties’ to the United States”). Under the Fourth Amendment, the U.S. government cannot conduct surveillance on any U.S. person, unless that surveillance is pursuant to a search warrant.39×39. Infra ch. II, p. 1742. However, when a U.S. person exchanges emails with a non-U.S. person, and that non-U.S. person is subject to surveillance under § 702, the U.S. person’s emails will be “incidental[ly] collect[ed]” as part of that surveillance.40×40. Id. at 1743. So when the U.S. government requests that Google produce records related to the non-U.S. person’s email account, Google’s compliance will include emails sent to that account by a U.S. person. The central question of this Chapter is: how can that U.S. person challenge the incidental collection of her data?41×41. Id.

The answer is that she likely would not have standing to pursue such a challenge — but the surveillance intermediary, Google, would. In In re Directives,42×42. In re Directives [redacted text] Pursuant to Section 105B of the Foreign Intelligence Surveillance Act, 551 F.3d 1004 (FISA Ct. Rev. 2008). the Foreign Intelligence Surveillance Court of Review concluded that surveillance intermediaries have standing to challenge § 702 surveillance: intermediaries must devote resources toward complying with surveillance requests and therefore can show an injury in fact.43×43. Infra ch. II, pp. 1748–50. In contrast, the Supreme Court concluded that individuals do not have standing in these cases. In Clapper v. Amnesty International USA,44×44. 568 U.S. 398 (2013). the Court held that individuals who suspect that they are subject to incidental collection cannot show an adequate concrete injury under the standing doctrine.45×45. Infra ch. II, pp. 1750–52.

The Chapter goes on to argue that individuals must be permitted to pursue surveillance challenges themselves. It first explains why surveillance intermediaries cannot be relied upon to vindicate the privacy rights of their users — intermediaries’ incentives will not always align with those of their customers subject to incidental collection, and being a privacy advocate is simply not the job of a profit-motivated company.46×46. Id. at 1752–60. Second, it explains the benefits of allowing an individual to be her own advocate47×47. Id. at 1760–63. and concludes with some suggestions for how standing doctrine might be able to accommodate such suits.48×48. Id. at 1763–65.

Chapter III considers another privacy issue related to personal data: the need for federal reader privacy legislation. It begins by noting that our video-consumption habits — both off- and online — are protected by the Video Privacy Protection Act49×49. 18 U.S.C. § 2710 (2012). (VPPA).50×50. Infra ch. III, p. 1767. Passed in 1988, the VPPA was created as “a unique gap-filler, extending protection . . . to the expressive activities recognized as vital to the First Amendment but left underprotected by the Fourth.”51×51. Id. at 1768. However, our book- and eBook-consumption habits are offered no such statutory protection.52×52. Id. at 1783. This Chapter argues that the VPPA, though not perfect, is a good model for badly needed federal reader privacy legislation.53×53. Id. at 1783–89.

First, the Chapter argues that the VPPA has aged surprisingly well.54×54. Id. at 1769. The VPPA’s flexible language has allowed the statute to be applied to both VHS tapes and online streaming services, surviving significant technological changes.55×55. Id. at 1769–70. In addition, the VPPA’s close relationship with the First Amendment has allowed it to remain a powerful statute despite changes to standing doctrine.56×56. Id. at 1770–77. Next, the Chapter addresses the real weakness of the VPPA: poor drafting, which has led to numerous issues of statutory interpretation.57×57. Id. at 1777–83. While these are real problems, they are not inherent to the structure of the VPPA; they could easily be fixed with more accommodating statutory interpretation.58×58. Id. at 1782–83.

Finally, the Chapter returns to its call for federal reader privacy legislation modeled off of the VPPA and its First Amendment bent.59×59. Id. at 1783–87. It argues that such legislation is needed, among other reasons, because reader privacy legislation would “implicate[] First Amendment values that the First Amendment cannot protect.”60×60. Id. at 1784. Problems arise because “[t]he First Amendment governs state action, but citizens are increasingly surveilled not by state actors, but by private corporations who render the need for direct government surveillance of such activity redundant.”61×61. Id. In other words, the First Amendment on its own cannot extend its protections in order to combat the chilling effect of surveillance by private companies — which is precisely why federal reader privacy legislation is so badly needed. The Chapter concludes that the VPPA’s flexibility in the face of technological and doctrinal changes, and the ease with which its flaws could be addressed, make the VPPA the ideal candidate for a model for federal reader privacy legislation.62×62. Id. at 1786–87.

Finally, Chapter IV considers how the process of creating a will can be modernized to reflect the reality that most people are now accustomed to storing their data on computers and the internet. In order to create and execute a valid will, a testator must follow three “formalities”: the will must be in writing, signed, and attested to.63×63. Infra ch. IV, p. 1790. Due to the rise of computer and internet use, probate courts increasingly must evaluate the validity of “electronic wills” — “wills that have been written, signed, and/or attested using an electronic medium.”64×64. Id. However, it is thus far unclear how the traditional formalities of a will can be translated to an electronic medium, and scholars cannot seem to agree on a path forward.65×65. Id. at 1790–91.

This Chapter seeks to illuminate such a path by providing an analytic framework with which to evaluate the validity of an electronic will. First, the Chapter considers the current requirements for valid wills.66×66. Id. at 1792–95. It describes the functions that will formalities serve67×67. Id. at 1792–93. and current compliance standards that wills must meet in order to satisfy those formalities.68×68. Id. at 1793–95.

Second, the Chapter considers how these formalities might be applied to electronic wills.69×69. Id. at 1795–96. It observes that the term “electronic will” actually encompasses three separate categories of wills that involve electronic media: The first category is offline electronic wills, which are written and stored locally on the testator’s computer or other device.70×70. Id. at 1796. For example, imagine someone writing her will in a Word document and storing it on her laptop. The second category is online electronic wills, where a will is created or stored through a third party.71×71. Id. at 1801–02. For example, imagine someone writing her will in a Facebook message to a friend. Finally, the third category is qualified custodian electronic wills, where a “for-profit entity undertakes to become a ‘qualified custodian’ that would create, execute, and store the testator’s will, subject to rules and regulations put forth by a state.”72×72. Id. at 1806. For example, imagine someone creating her will using the website of a start-up that markets its services in assisting with wills. Each category of electronic wills poses a unique set of challenges under current will formality requirements. The Chapter addresses the issues inherent to offline electronic wills,73×73. Id. at 1797–801. online electronic wills,74×74. Id. at 1801–06. and qualified custodian electronic wills75×75. Id. at 1806–09. in turn, highlighting tensions between each of these categories and the purpose of will formalities. In its conclusion, the Chapter anticipates the continuing rise of electronic wills, encouraging scholars and courts to develop a systematic method of analyzing such wills under the traditional formalities.76×76. Id. at 1809–11.

Together, the four Chapters of this issue of Developments in the Law highlight the challenges that go hand-in-hand with the rise of internet and computer use. By storing so much of our personal data online, we have created novel legal issues related to law enforcement, national security, privacy, and even donative transfers. These Chapters seek to shed some light on these new legal issues and suggest ways in which the law can adapt to our new reality.