Digital rights defenders gather in Taipei to tackle mass surveillance, online propaganda, authoritarianism

Culled from my notes, here are some of the most interesting things I heard last week in Taipei at RightsCon, the world's leading summit on digital rights for technology, commercial, civil society, and government sectors.

A dragon towers over the 2025 Taiwan Lantern Festival in Taoyuan.
RJ Peltz-Steele CC BY-NC-SA 4.0

Chinese Surveillance Technology

China is methodical in suppressing conversation around the world about the repression of the Uyghur people, according to representatives of the World Uyghur Congress (WUC). Within days of her speaking at the Hudson Institute, WUC Chair Rushan Abbas said, her sister and aunt in China disappeared. Chinese officials sometimes approach venues hosting conferences that will discuss the Uyghurs and offer them double the price to cancel the conference contract, according to Haiyuer Kuerban, director of the WUC Berlin office. Now governments in England and Germany are keen to buy from Chinese firms such as Huawei the very tech that Chinese authorities use to surveil Uyghur activists and their families, Kuerban said, a perverse reward for the facilitation of human rights abuse.

Linjiang night market bustles in Taipei.
RJ Peltz-Steele CC BY-NC-SA 4.0

If you use a China-based media service such as WeChat even outside China, you might be helping the Chinese surveillance apparatus. Open Technology Fund Fellow Pellaeon Lin explained that censors scan files shared online and "fingerprint" them to tailor the blocking of sensitive content from recipients in China. Scanning and fingerprinting happens on Chinese tech even when when users share content wholly outside China. Chinese users, meanwhile, can't penetrate "the great firewall" as easily as in the past, Lin explained. Authorities can see when a VPN is used, if not the content, and that's reason enough to bring someone in for questioning. Tor is better than a VPN because it wraps and disguises internet traffic within innocent transmissions. But Lin warns, it's a game of cat and mouse; the censors are always refining their methods.

Undersea Infrastructure

Remember that all of these panels took place in Taiwan, so criticism of China carried a grave sort of resonance. While discussion of digital rights naturally suggests the metaphysics of cyberspace, the infrastructure of the infosphere exists very much in the real world. One fascinating panel of experts fretted over the vulnerability of the world's undersea cables. Recent outages, such as the cut cable in the Gulf of Finland at Christmas, concerningly exhibit indicia of human agency. Professor Yachi Chiang, of the National Taiwan Ocean University, said, to my surprise, that Taiwan is located at right about the world's highest-density crossroads of undersea traffic. She's right; you can see it at the Submarine Cable Map by TeleGeography:

Submarine Cable Map CC BY-SA 4.0

The security challenges of this network are massive. About 20% of damage results from natural forces, such as deterioration and shark bites, Chiang said; sharks like to bite cables. About 70% of damage is caused by people. A lot of that is inadvertent, anchoring by fishing vessels. But there's no easy way to determine whether there was a malicious act, much less a nation behind it. In the Christmas incident, Finnish officials have alleged a deliberate anchor drag by a Cook Islands-flagged vessel doing Russia's bidding, NPR reported in December.

Taiwan had five incidents already in 2025, Chiang said, with four domestic lines and one international line disrupted. In one incident, the Taiwan Coast Guard took a vessel into custody and detained the crew. That incident was suspicious, because the boat had irregular routing for fishing and inexplicably bore a changeable nameboard. But the capture was exceptional, only possible because the ship was in Taiwanese waters, Chiang explained. On the high seas, ships bear flags of convenience, and any claim against the vessel must be taken up with the flag nation. Those claims in distant and ill developed bureaucracies go nowhere. So some better coordinated legal response is needed to protect the undersea information infrastructure, Chiang concluded.

Authoritarianism in Africa

While the United States retreats to some amalgam of isolationism and opportunism, China is dominating the developing world technologically. China built more than 70% of the 4G network in Africa, Amnesty International's Sikula Oniala said, and now is working on 5G. Chinese-made TVs are flooding the market, Oniala said, but to work, they must be connected to the internet via their Chinese software, raising specters of surveillance and control.

Starlink deployment over
Rhode Island, February 2025.

RJ Peltz-Steele CC BY-NC-SA 4.0

Authoritarian impulses in Africa are ever more complemented by Chinese technology and strategies. Governments control the gateways for internet access; last year, protests were met with internet shutdowns in Kenya, Mozambique, Tanzania, Mauritius and Equatorial Guinea, VOA reported. Amid the civil war in Sudan, both sides have used internet shutdowns strategically, cutting off information about unfriendly protests, permitting access when it undermines the enemy, and charging usurious rates for access to vital information, according to Hussam Mahjoub, co-founder of Sudan Bukra, an independent television channel.

While Starlink seems to promise liberation from government gateways, authorities in countries such as Sudan refuse to license the service and are pressuring the company to limit roaming access for accounts opened abroad, such as in neighboring Kenya, Mahjoub said. Worse, Tor Project Executive Director Isabela Fernandes warned, beware the gift bearer. The Bolsonaro regime in Brazil used Starlink data to track down and kill indigenous activists, she said.

Correspondingly, public access to information (ATI, freedom of information, or FOI) law is on the wane. In Kenya, Uganda, and Zimbabwe, mass surveillance is chilling human rights activism. And governments—even Kenya, the ATI law of which, on paper at least, I praised—are following Chinese examples in ATI law, Oniala said, reducing transparency purportedly in the name of national security.

Data Protection in Africa

Even with the best of intentions, African governments hardly can be expected to stand up to tech giants such as Meta, with turnovers that dwarf nations' GDPs, Open Technology Fund Fellow Tomiwa Ilori said. Speaking to African countries' efforts to establish meaningful enforcement of data protection laws, Ilori analogized: "You only get to kill snakes because they don't move together." In other words, African countries must coordinate their efforts. Franco Giandana Gigena, an Argentine lawyer and policy analyst for Access Now, described a similar dynamic in Latin American countries' inability to resist incentives from the U.S. government and American corporations to look the other way on data protection enforcement.

In the vein of collective action, the African Union Convention on Cyber Security and Personal Data Protection came into force in 2023, upon accession by Mauritania. However, the convention, adopted in 2014, already is dated. Ilori suggested it would benefit from optional protocols on extraterritorial application and stronger enforcement, and overall, African people need more education about their rights.

At that, there might be cultural impediments to EU-style data protection. Thobekile Matimbe, a senior project manager for the Nigeria-based Paradigm Initiative, said that the convention perspective on privacy, while inspired by the EU General Data Protection Regulation (GDPR), is more communitarian than individualist. Curiously, the African perspective, which prizes the integrity of the family, for example, over self-determination or the right to dissent, marks the same ground from which the human right of data protection emerged in the European tradition. The problem, Matimbe explained, is that authoritarians invoke the communitarian perspective to subordinate personal freedoms to the purported imperative of national security. That rationalization has seen surveillance deployed in Malawi, for one example, targeting human rights advocates, critics of government, and journalists, Matimbe said.

Disinformation Regulation

The classical dichotomy between true and false no longer works to balance free expression and disinformation regulation, according to Lutz Güllner, head of the European Economic and Trade Office in Taiwan. As Ukrainian journalist and Public Interest Journalism Lab CEO Nataliya Gumenyuk put it, debunking just isn't working anymore.

The problem, Güllner said, is that disinformation can have truth at its core, but the dis arises in the spin. That's why, he said, the EU's new Digital Services Act (DSA) aims not at content, but at manner of presentation: imposing on Big Tech a responsibility to police platforms for manipulative amplification of speech or suppression of others' speech (for example, planting an item of disinformation in a flood of mundane but accurate news). That isn't to say that the DSA strikes the right balance. Dionysia Peppa, a Greek lawyer and senior policy analyst for Beirut-based SMEX, said that the DSA rule on takedown of illegal content does not define "illegal," devolving authority to member states. In a time of right-leaning elections in Europe, states might disagree sharply over politically charged questions, such as when policy criticism of Israel becomes illegal hate speech.

In a similar vein, Liliana Vitu, chair of the Audiovisual Council of Moldova, talked about the challenges of combatting Russian propaganda in mass media. Banning "primitive propaganda" in "news" and talk shows was easy, she said. The devil lay in entertainment. For example, Russia-originating programs might consistently portray European characters as gay, effeminate, or weak, playing to stereotypes, she explained, while Russian characters appear masculine and strong.

Ukrainian journalists Nataliya Gumenyuk and Angelina Kariakina
talk about The Reckoning Project, which trains conflict journalists
in the preservation of evidence to prosecute war crimes.
RJ Peltz-Steele CC BY-NC-SA 4.0

As mere debunking doesn't work, Gumenyuk described research from The Reckoning Project seeking to figure out how journalists should combat disinformation. Viewers suffer from "compassion fatigue" at all the suffering in the world, she said. So when confronted with fact-based news accounts, such as the appearance of a drowned Syrian boy on a Bodrum beach, or the torture and murder of civilians in Bucha, Ukraine, viewers resisted and complained that journalists are out to manipulate them emotionally. The same viewers, though, proved receptive to people's firsthand accounts in documentaries. Gumenyuk described her astonishment at one study subject's testimony that he trusted the documentary more than the news because journalists were not telling the story. He seemed utterly unaware that the documentary form is a product of journalism and no more or less capable of conveying viewpoint than a news story.

The Reckoning Project, which Gumenyuk co-founded, occupies a compelling position at the junction of journalism and law. Gumenyuk said she tired of seeing reports collected by journalists excluded from war-crime investigations and prosecutions because the journalists did not understand rules of evidence. The Reckoning Project brings together journalists and lawyers to accomplish their complementary missions in seeking truth and justice. Gumenyuk gave as an example the questions a journalist might ask of a witness of atrocities, such as those committed by Russian forces against civilians in Bucha. Ordinarily, a journalist might ask, "How did the Russian soldiers kill this man?" But a leading question yields exclusion of the response as evidence in a legal proceeding. So journalists are trained to ask instead, "Tell me what happened that day."

Apropos of lawyering skills and picking up on the point that tech and its ill-intentioned users evolve faster than law and regulators, Armenian attorney and former head of the Armenian Data Protection Authority Gevorg Hayrapetyan played my tune when he told an audience:

One of the most important disciplines in law is philosophy of law, what law is and what it ought to be. One of the most important steps in developing human rights is recognizing the right.

Data protection, after all, was not a thing until someone thought of it. Maybe that's why it's not a thing in the United States. If we strip black-letter law of theory and policy and dumb down the American law school curriculum to comprise a glorified bar course and skills-training program, then we're headed in the right direction. Right? Asking for a friend.

Time to Save the World

Even were we all so inclined, is there time yet to save the world? Probably not. Law and regulation can't keep up, Güllner said, so the answer has to come from education, to develop people's sensory reflexes to detect disinformation. That will take a generation. "Ask my Ukrainian colleagues," he said. "We don't have that long."

Vitu described complex Moldovan legislation with multi-factor tests to determine whether disinformation conveys falsity and threatens national security. But that took years to develop with civil society stakeholders at the table to protect free expression; propaganda meanwhile grew yet more sophisticated. "Moscow never sleeps," she lamented. 

And Raša Nedeljkov, with the Serbian Center for Research, Transparency and Accountability, summed up the anxiety wracking the world:

A beacon of light for us was U.S. democracy. Now look what is happening.

Maybe that's the silver lining, journalist Tess Bacalla of the Asia Democracy Network suggested: The rest of the world, especially the European Union, will have to step up.

Hospitals may track patients online and sell their data without violating state wiretap law, high court rules

Mike MacKenzie (via Flickr) CC BY 2.0

State wiretap law does not prevent hospitals from tracking patients on the web and selling their data, the Massachusetts Supreme Judicial Court ruled last week.

The plaintiff is a patient at two hospitals in the Beth Israel Lahey Health network. As the court explained the facts, the plaintiff "reviewed information available to the public on the hospitals' websites regarding doctors (including their credentials and backgrounds) and medical symptoms, conditions, and procedures." Without her consent, the hospitals shared the plaintiff's browsing data with third parties to generate revenue from targeted advertising.

The plaintiff sued under state wiretap law and got some traction in the lower courts, where the theory has bubbled up in other cases, too. The high court ended the trend, though, ruling that the state wiretap law, which threatens criminal penalties such as imprisonment, while reaching interpersonal communications such as telephone calls and email and text exchanges, was not intended to reach persons' interactions with websites.

The 47-page majority opinion by Justice Scott L. Kafker, drew a vigorous and almost as lengthy dissent from Justice Dalila Argaez Wendlandt, who accused the hospitals of lying to patients in their pledges of confidentiality and argued that the alleged misconduct falls squarely within legislative intent in prohibiting the interception of electronic communication.

I won't belabor the back and forth, as ample commentary already has been published about the case (e.g., JD Supra, Commonwealth Beacon, Bloomberg, National Law Review, Law360 (subscription), Massachusetts Lawyers Weekly (subscription)), and there is plenty more to come. Rather, I will comment only that the decision reflects the sorry state of privacy law in the United States.

The majority and dissent both make defensible arguments. I come down with the dissent on the technical merits of what the wiretap law was designed to prevent, i.e. "the spirit of the law," regardless of whether the legislature could have foreseen web surveillance. At the same time, the majority is right that the legislature likely would not have wanted to imprison every actor engaging in the kind of web surveillance that has become pervasive in our online society.

The missing link between the two positions is the meaningful data protection law that the United States still doesn't have, and which Americans want and expect, while almost three decades have passed since the European Union Data Protection Directive. The later General Data Protection Regulation (GDPR) has been in force for six years.

Wiretap law was once the stuff of political intrigue, à la Watergate. The Massachusetts statute characteristically dates to the 1960s. Just as the advent of the internet made media law again hotly relevant to society, so wiretap law found new life in the electronic era. Courts had little difficulty transposing the law of wired telephone surveillance to wireless cell phones and electronic communication media such as email and texts. Even the U.S. Supreme Court got in on the action.

That's why I think Wendlandt has the better argument on the technical merits, by the way. The majority's distinction of interaction with a person or a website, when there are persons receiving surveillance data from the website, seems meaninglessly formalistic.

With electronic communication burgeoning in the internet era and electronic interception easier to accomplish without the need for specialized hardware, wiretap laws have been repurposed to do more work than they were designed for, becoming a key tool in the personal privacy arsenal.

The problem in tort law, to oversimplify modestly, always has been what Professor Daniel Solove termed "the secrecy paradigm." The common law of privacy torts, which also emerged largely in the 1960s, was not designed to handle the nuances of an online world. Rather, tort law, like the Fourth Amendment right against search and seizure, focused on secrets kept. A person might resort to the law to protect an intimate secret shared with a spouse. But the person who discloses financial information to a bank has forfeit legal privacy. 

Intimate space is not the theory of privacy that animates data protection in Europe and most of the rest of the world. In the theory abroad, the human right of privacy flows forward with personal data as they are handed off from person to person and corporation to corporation. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) provides a modicum of privacy protection in this vein, but the circumstances in which it pertains are extremely narrow—web activity is not protected health information, and a web host is not a healthcare provider—and it authorizes no private right of action for violation.

In the absence of a legal model of downstream privacy preservation in the United States—notwithstanding a perplexing emerging plethora of competing state laws, if usually limited to commercial contexts; Massachusetts has been working on joining the pack, but has not yet—wiretap law has been unexpectedly instrumental to protect personal privacy in a narrow class of cases, because wiretap law focuses on the misconduct of clandestine surveillance rather than on the purportedly private nature of the intercepted content.

To be fair to the Massachusetts majority, though, such use of anachronistic wiretap law takes us down a road of ever more speculative application as the electronic avatar increasingly becomes an embodiment of personal identity. Electronic tools such as Google Analytics watch our every word. And we don't necessarily want to stop that wholesale. The other day, I watched a dated TV movie that Amazon thought I would like, and it was right. Time travel, Ireland, and Jane Seymour? Drop everything.

Notwithstanding which side in the instant case has the better argument in statutory interpretation, the legal response to the problem presented, that is, surveillance of web usage for the relatively innocuous if mercantile purpose of advertising, would arise better from business regulation than from common law or statutory torts.

Alas, if I had the magic potion that would make our broken Congress favor consumer protection over corporate profits, I would be running for President.

The case is Vita v. New England Baptist Hospital, No. SJC-13542 (Mass. Oct. 24, 2024).

Law class visits Constitutional Court of Portugal

Law students and Dean Sam Panarella (left)
visit the Constitutional Court. © RJ Peltz-Steele

Since last week, ten talented U.S. law students have been making the most of Lisbon, Portugal, in UMass Law's first class abroad.

In our maiden venture, we are studying comparative data protection law in the United States, European Union, and Portugal. We have been treated to superb lectures by law faculty of our partner institution, the Universidade Católica Portuguesa (UCP).

Today, a UCP faculty member welcomed us to the home of the Portugal Constitutional Court, where he also serves as Vice-President. Justice Gonçalo de Almeida Ribeiro spoke to us there about constitutional conflict in the EU legal system.

The justice had instructed students to prepare by reading Digital Rights Ireland, a 2014 case in the EU Court of Justice (CJEU), and the "Metadata Ruling," a 2019 decision of the Constitutional Court of Portugal. In Digital Rights, the CJEU had struck down an EU directive on data retention as inconsistent with fundamental rights under the European Charter. 

Justice Gonçalo de Almeida Ribeiro addresses law students.
RJ Peltz-Steele CC BY-NC-SA 4.0

The case marked a recognition of the CJEU's own power of judicial review. But it also raised a confounding question. The CJEU lacks authority to review national legislation directly. So what would become of national, domestic laws that had been enacted already pursuant to the stricken EU directive? 

The Portuguese Constitutional Court in Metadata construed Portuguese constitutional law in harmony with the EU Charter to strike down as well the problematic provisions of Portuguese law that had been enacted pursuant to the directive. The responses of the Portuguese and other national constitutional courts to Digital Rights thus marked a pivotal point in the evolution of the EU's peculiar brand of "federalism" (to jam a square peg into a round word).

All of the law students in the class deserve praise for being good-natured and flexible in the face of a fluctuating itinerary for this fledgling Portugal project. They all assert, nonetheless, that they are here first and foremost for this remarkable learning opportunity, and not for myriad other benefits, for example, to see Taylor Swift at Benfica Stadium at what are by U.S. standards bargain ticket prices. That was icing.

UMass law students with me at Universidade Católica Portuguesa
© Prof. Sofia Pinto (licensed)

 

Consumers turn tables against corporate defense in compelled arbitration of information privacy claims

Image via www.vpnsrus.com by Mike MacKenzie CC BY 2.0

Consumer plaintiffs turned the usual tables on corporate defense in the fall when a federal court in Illinois ordered Samsung Electronics to pay millions of dollars in arbitration fees in a biometric privacy case.

In the underlying arbitration demand, 50,000 users of Samsung mobile devices accuse the company of violating the Illinois Biometric Information Privacy Act (BIPA). BIPA is a tough state privacy law that has made trans-Atlantic waves as it fills the gap of Congress's refusal to regulate the American Wild West of consumer privacy.

Typically of American service providers, Samsung endeavored to protect itself from tort liability through terms and conditions that divert claims from the courts to arbitration. The (private) U.S. Chamber of Commerce champions the strategy. Arbitration is reliably defense-friendly. Rumor has it that arbitrators who don't see cases corporations' way don't have long careers. And companies bask in the secrecy that shields them from public accountability. (Read more.)

Resistance to compelled arbitration has been a rallying cause of consumer advocates and the plaintiff bar. For the most part, resistance has been futile. But consumer plaintiffs appear to have a new strategy. The Chamber is not happy.

In the instant case, consumers alleging BIPA violation were aiming for arbitration. Arbitration rules, endorsed by Samsung's terms, require both sides to pay toward initial filing fees, a sum that adds up when 50,000 claims are in play. The consumers' attorneys fronted their share, but Samsung refused. The company weakly asserted that it was being scammed, because some of the claimants were deceased or not Illinois residents, both BIPA disqualifiers.

Samsung must pay its share of arbitration filing fees for living Illinois residents, the district court answered, at least those living in the court's jurisdiction. Many of those consumer claimants were identified with Samsung's own customer records. A few whom Samsung challenged, the claimants dropped from their number. Even when the court pared the list to consumers in Illinois's federal Northern District, roughly 35,000 were still standing.

"Alas, Samsung was hoist with its own petard," the court wrote, quoting Shakespeare. The court opined:

Samsung was surely thinking about money when it wrote its Terms & Conditions. The company may not have expected so many would seek arbitration against it, but neither should it be allowed to “blanch[] at the cost of the filing fees it agreed to pay in the arbitration clause.” Abernathy v. Doordash, Inc., 438 F.Supp. 3d 1062, 1068 (N.D. Cal. 2020) (describing the company’s refusal to pay fees associated with its own-drafted arbitration clause as “hypocrisy” and “irony upon irony”).

The American Arbitration Association, the entity with which the claimants filed pursuant to Samsung's terms, estimated Samsung's tab at $4.125 million when the number was still 50,000 claims.

Attorneys Gerald L. Maatman, Jr., Rebecca S. Bjork, and Derek Franklin for corporate defense firm DuaneMorris warned:

As corporations who employ large numbers of individuals in their workforces know, agreements to arbitrate claims related to employment-related disputes are common. They serve the important strategic function of minimizing class action litigation risks. But corporate counsel also are aware that increasingly, plaintiffs’ attorneys have come to understand that arbitration agreements can be used to create leverage points for their clients. Mass arbitrations seek to put pressure on respondents to settle claims on behalf of large numbers of people, even though not via the procedural vehicle of filing a class or collective action lawsuit. As a result, corporate counsel should carefully review arbitration agreement language with an eye towards mitigating the risks of mass arbitrations as well as class actions.

Samsung wasted no time appealing to the Seventh Circuit. The case has drawn a spate of amici with dueling briefs from the Chamber and associates, favoring Samsung, and from Public Justice, et al., favoring the consumer claimants.

The district court case is Wallrich v. Samsung Electronics America, Inc. (N.D. Ill. Sept. 12, 2023), opinion by Senior U.S. District Judge Harry D. Leinenweber. The appeal is Wallrich v. Samsung Electronics America, Inc. (7th Cir. filed Sept. 25, 2023).

Plaintiff drops privacy suit that stretched to claim against UMass Medical in nationwide data breach

UMass Chan Medical School
Mass. Office of Travel & Tourism via Flickr CC BY-ND 2.0

Until six days ago, the University of Massachusetts Chan Medical School was defending a privacy suit over a data breach, though the plaintiff liability theories looked thin.

There doesn't seem to be any dispute over the fact of the data breach. UMass Chan was just one of hundreds of organizations nationwide implicated in a breach affecting tens of millions. According to electronic security firm Emsisoft (which has a commercial interest in higher numbers), the breach affected more than 2,700 organizations and the data of more than 94 millions persons (last updated Jan. 18, 2024).

The vulnerability for all of these organizations was a file transfer platform called MOVEit, a product of publicly traded, Burlington, Mass.-based Progress Software Corp. UMass Chan used MOVEit to transfer personal information to other state agencies and programs. Hackers obtained and published the data of more than 134,000 persons, including recipients of state supplemental income and elder services.

According to state officials, WBUR reported, the "exposed data varies by person, but in each case includes the person's name and at least one other piece of information like date of birth, mailing address, protected health information like diagnosis and treatment details, Social Security number, and financial account information." The commonwealth notified affected persons and offered free credit monitoring and identity theft protection.

The complaint filed in federal court in September 2023 sought class action certification. The named plaintiff blamed UMass Chan for weak security and delayed notification resulting in a fraudulent attempt to use her debit card. Wednesday last week, the plaintiff voluntarily dismissed without prejudice, meaning the case might not yet be over.

The articulated causes of action, though, were a stretch. That's not to say that the putative plaintiffs suffered no injury. The problem rather is that the law in most states, including Massachusetts, and at the federal level still fails to define data privacy wrongs in a manner on par with the law of Europe and most of the rest of the world.

There was no statutory cause of action in the UMass Chan complaint. The diversity complaint alleged counts of negligence, breach of contract, and unjust enrichment.

Negligence has not been a productive vein for privacy plaintiffs, who lack the usually prerequisite physical injury. Massachusetts cracks open the door more than most other states to negligence actions based on lesser injury claims, such as emotional distress or economic loss. But it's not a wide opening.

Privacy actions in state law meanwhile are problematic because American common law has not yet well established the nature of the plaintiff's loss according to conventional understandings of injury. Indeed, federal courts disagree over when a statutory state privacy action supplies the "injury-in-fact" standing required by the federal Constitution. 

The named plaintiff in the UMass Chan case hastened to emphasize her contractual relationship with UMass Chan as a service provider, in an effort to anchor the negligence claim within a strong relationship of duty to get through the Massachusetts doorway. She described the identity risk of the debit-card incident to establish economic loss at least.

It's not clear that the pleading could have pushed over the hurdles to negligence recovery. I have advocated for the evolution of common law tort to close the gap in recognition of privacy violations in U.S. law, similarly to how UK courts developed the "misuse of private information" tort in common law to complement transposition of EU data protection. The Massachusetts Supreme Judicial Court could do that; certification would be required here in a federal case. But the trend in American data privacy law rather has been for the courts to wait on legislators to move the ball forward.

The other liability theories were a stretch, too. In contract, the plaintiff alleged herself a third-party beneficiary of data sharing agreements between UMass Chan and its state partners. Third parties can claim rights in a contract, but the proof is stringent. Contract law also raises a damages problem. The plaintiff here was not seeking specific performance, and it's not clear that any recovery in contract law would exceed the remediation the commonwealth already offered.

The equitable claim of unjust enrichment theorized essentially that UMass Chan benefited financially by cheaping out on security. That's creative, but a plaintiff in equity usually wants back something she lost to the defendant. A differential in the cost of contract services is speculative, and it's an attenuated causal chain to allege detriment to UMass Chan clients.

Privacy plaintiffs in the United States have seen some success using laws that predate contemporary data breach. But those theories won't work here. Massachusetts once had a leading data regulatory system for its requirements of secure data management. But the law is now well worn and has not kept up with other states, California being the model. Critically, the Massachusetts regs don't provide for private enforcement.

Some plaintiffs have found success with the dated (1986) Computer Fraud and Abuse Act. But a federal CFAA claim would be leveled properly against the hacker. The alleged culpability of UMass Chan is more accident than abuse.

American privacy plaintiffs flailing to state wrongs in litigation unfortunately is common and will continue as long as the United States lacks a comprehensive approach to data protection. I wrote 10 years ago already that American expectations in data privacy had outpaced legal entitlements.

The pivotal factor in whether MOVEit breach victims find any relief is likely to be the state where they and their defendants are located. Perhaps the case will push commonwealth legislators at last to act on a bill such as the proposed Massachusetts Information Privacy and Security Act (see, e.g., Mass. Tech. Leadership Council).

The case is Suarez v. The University of Massachusetts Chan Medical School (D. Mass. filed Sept. 18, 2023).

Mass., EU courts wrestle with requisite harm in defamation, data protection cases

The vexing problem of proof of damages in defamation and privacy has turned up recently in the Massachusetts Court of Appeals and the Court of Justice of the European Union. Meanwhile, the Massachusetts Gaming Commission borrowed European privacy principles for new data security rules.

Tiny turkey. Stéphanie Kilgast via Flickr CC BY-NC-ND 2.0

'Stolen' Turkey Money in Massachusetts

The Appeals Court in April vacated dismissal in a business dispute over turkeys. Nonprofit and business collaborators fell out over spending on variably sized turkeys for a charitable food event. The defendant wrote on social media that the plaintiff "stole" money intended for charitable purposes.

The complaint, which was filed by a Massachusetts lawyer, was messy—narrative in excess, numbering in disarray, and allegations jumbled between liability theories—so it was difficult for the trial court to parse the pleadings. With the aid of oral argument on appeal, the court teased out the defamation count and determined that it had been dismissed for want of pleaded loss.

However, Massachusetts is among jurisdictions that continue to recognize the historical doctrines of libel per se and slander per se. Those doctrines allow some pleadings to proceed without allegation of loss, and for good reason. Reputational harm is exceedingly difficult to prove, even when it seems self-evident. After all, whom should a plaintiff call to testify to prove her damaged reputation, people who now think an awful falsity about her? Witnesses will be less than eager. Even in case of a business plaintiff that suffers economic loss, it can be exceedingly difficult to tie specific losses to specific assertions of falsity.

The historical approach allows a plaintiff to demand presumed damages. That's a messy solution, because the jury is entrusted with broad discretion to assess the damages. On the plaintiff side, perhaps that's OK; we just juries to measure intangible losses all the time, as in the case of general damages for injuries, or pain and suffering. The defense bar and allied tort reformers have rebelled against presumed damages, though, arguing that they afford juries a blank check. That unpredictability makes it difficult for defendants and insurers to assess their liability exposure. Defense-oriented tort reformers have been successful in extinguishing per se defamation actions in many U.S. states.

Massachusetts splits the difference, I think in a healthy way. Per se actions are preserved, but the plaintiff is entitled to nominal damages, plus proved actual losses, but not presumed damages. I mentioned recently that the E. Jean Carroll case has spurred overblown commentary about the potential of defamation law to redress our misinformation problem. The unavailability of per se actions in many states is one reason that defamation is not up to the job. A defamation action for nominal damages helps, though, coming about as close as U.S. jurisdictional doctrine allows to a declaration of truth—which is what defamation plaintiffs usually most want.

Allegation of a crime, such as theft or misappropriation of charitable funds, fits the class of cases that qualify for per se doctrine, whether libel or slander. There is some room debate about whether social media better fits the historical mold of libel or slander, but that's immaterial here. The allegation of "stolen" money fit the bill.

The Appeals Court thus vacated dismissal and remanded the claim for defamation and related statutory tort. The court clerk entered the Memorandum and Order for Judges Mary Thomas Sullivan, Peter Sacks, and Joseph M. Ditkoff in Depena v. Valdez, No. 22-P-659 (Mass. App. Ct. Apr. 28, 2023).

Austrian post box.
High Contrast via Wikimedia Commons CC BY 3.0 DE

Non-Consensual Political Analysis in Austria

The Court of Justice of the European Union (CJEU) also recently tussled with a problem of proof of damages. The court held early in May that a claimant under the EU General Data Protection Regulation (GDPR) must claim harm for a personal data processing violation, but need not meet any threshold of seriousness.

The court's press release summarized the facts in the case:

From 2017, Österreichische Post collected information on the political affinities of the Austrian population. Using an algorithm, it defined "target group addresses" according to socio-demographic criteria. The data thus collected enabled Österreichische Post to establish that a given citizen had a high degree of affinity with a certain Austrian political party. However, that data processed were not communicated to third parties.

The citizen in question, who had not consented to the processing of his personal data, claimed that he felt great upset, a loss of confidence and a feeling of exposure due to the fact that a particular affinity had been established between him and the party in question. It is in the context of compensation for the non-material damage which he claims to have suffered that he is seeking before the Austrian courts payment of the sum of €1,000.

The plaintiff endeavored to quantify his emotional upset, but in the absence of communication of the conclusions about the plaintiff to to any third party, the claim of harm was thin. Emotional suffering resulting from the mere processing of personal data in contravention of one's advance permissions seems minimal. Accordingly, the Austrian courts, following the example of neighboring Germany, were inclined to disallow the plaintiff's action for failure to demonstrate harm.

Harm has been a sticking point in privacy law in the United States, too. Privacy torts are a relatively modern development in common law, and they don't import the per se notion of historical defamation doctrine. Tort law balances culpability with harm to patrol the borders of social contract. Thus, intentional battery is actionable upon mere unwanted touching, while merely accidental infliction of harm requires some degree of significance of injury. Defamation law arguably defies that dynamic, especially in per se doctrine, in part for the reasons I explained above, and in part because, for much of human history, personal integrity has been as essential for survival as physical security.

Not having inherited the paradigm-defying dynamic, privacy law has posed a puzzle. Scholars disagree whether damages in privacy should follow the example of business torts, requiring at least economic loss; the example of emotional distress torts, requiring at some threshold of severity; or defamation per se torts, recognizing some sui generis harm in the disruption of personal integrity. As personal data protection has grown into its own human right independent of privacy, the problem has been amplified, because, exactly as in the Austrian case, a right against the non-consensual processing of data that are personal, but not intimately personal, is even more difficult to generalize and quantify.

The problem is not only a European one. In the United States, courts and scholars have disagreed over when claims in the burgeoning wave of state data protection laws, such as the Illinois Biometric Information Privacy Act, can satisfy the "case or controversy" constitutional requirement of jurisdiction. Failure to see a sui generis harm in privacy violations means, arguably, that there is no "case or controversy" over which courts, particularly federal courts, have competence.

The CJEU balked at Austrian courts' unwillingness to see any wrong upon a claim of only intangible loss. But the court agreed that the plaintiff must demonstrate harm. Hewing to the text of the GDPR, the court reasoned that a plaintiff must show a violation of the regulation, a resulting harm, and a causal connection between the two. Thus, harm is required, but there is no requirement that the harm meet some threshold of seriousness or economic measure.

The CJEU decision was touted in headlines as "clarifying" the law of damages under the GDPR, while the stories beneath the headlines tended to do anything but. Some writers said that the court raised the bar for GDPR claims, and others said the court lowered it. Confusion stems from the fact that the court's decision spawns subsequent many questions. Conventionally, the GDPR leaves the quantum of damages to national courts. So how must a claim of de minimis harm be measured on remand? Are nominal damages sufficient compensation, or must the data protection right be quantified?

Moreover, Sara Khalil, an attorney with Schönherr in Vienna, observed that the court left out a component of tort liability that national courts sometimes require: culpability. Is there a minimal fault standard associated with recovery for mere data processing? Because tort law ties together the elements of harm and fault, at least in some jurisdictions, the one question necessarily begets the other.

RW v. Österreichische Post AG, No. C-154/21 (May 4, 2023), was decided in the First Chamber of the CJEU.

Data Security in Gambling in Massachusetts

Policymakers and courts on both sides of the Atlantic are wrestling with the problems of contemporary personal data protection. And while the gap between the GDPR and patchwork state and federal regulation in the United States has stressed international relations and commerce, it's no wonder that we see convergence in systems trying to solve the same problems.

To wit, the Massachusetts Gaming Commission has employed recognizably European privacy principles in new data security rules. For Israeli law firm Herzog Fox & Neeman, attorneys Ariel Yosefi, Ido Manor, and Kevin David Gampel described the overlap. The commission adopted the regulations for emergency effect in December 2022; final rules were published in April.

The attorneys detailed the requirements of gambling operators:

• to establish and plainly disclose to players comprehensive data privacy policies, including measures regarding data collection, storage, processing, security, and disclosure, the latter including the specific identities of third-party recipients; 
• to guarantee player rights including access, correction, objection, withdrawal of consent, portability, and complaint;
• to eschew purely automated decision-making; and
  
• to implement physical, technical, and organization security practices.

The regulations are 205 CMR 138 and 205 CMR 248 (eff. Mar. 9, 2023, publ. Apr. 28, 2023).

Lissens presents EU data protection, IoT research

Sylvia Lissens, a Ph.D. student and teaching assistant at the KU Leuven Centre for Global Governance Studies in Belgium, presented part of her doctoral research comparing U.S. and EU data protection law at a doctoral seminar in Lyon, France, in December.

In her research, Lissens focuses on the internet of things (IoT) to examine how American and European law protects the personal data that machines increasingly collect. She has a law degree from KU Leuven and a background in criminology, so is especially interested in government access to personal data, which has been a sticking point in trans-Atlantic privacy negotiations.

Looking at the emerging norms in state legislation in the United States, on the one hand, and at developing data protection jurisprudence in the European Union, on the other hand, Lissens hopes to identify points of convergence and divergence that might smooth the way forward for agreement over data flows.

In Lyon, Lissens presented findings from the EU leg of her research at the International Doctoral Seminar in European and International Human Rights Law, hosted by the Université Jean Moulin Lyon 3. She explained how the broad range of data collected by devices in our homes, from phones to refrigerators, will confront national security and international trade regimes with new challenges in the protection of personal privacy.

Comparative law is among Lissens's teaching responsibilities at KU Leuven. She joined my Comparative Law class by Zoom this semester to provide an EU perspective on contemporary European legal issues. Students' experience was greatly enriched by both her experience as a professional and her informed perspectives as a Belgian voter. I'm privileged to serve on Lissens's dissertation committee.

Judge delays decision again on Mass. right to repair, cites need to study SCOTUS climate change ruling

pix4free

Last week, in West Virginia v. Environmental Protection Agency, the U.S. Supreme Court dealt a major blow to federal regulators on the climate change front, and the case has stalled, again, release of the trial court decision over the right-to-repair law in Massachusetts.

First, a word on West Virginia, in which the Court struck down climate change-combative regulations for being born of a breadth not sufficiently specifically authorized by Congress. Others will comment more ably than I on the constitutional law of it all, but from where I sit, the case was correctly decided. Before you throw your rotten tomatoes at me for composting, at least absorb my two cents on the matter: 

We have too long been under the rule of administrative fiat in the United States, rather than democratic lawmaking, because our dysfunctional Congress long ago abdicated its role as a co-equal branch of government. Early in the 20th century, the Court unwisely allowed the non-delegation doctrine to slip away, and with it went the checks and balances of the constitutional separation of powers itself. So we're overdue for a correction.

You don't want to hear it from me, but the same problem pertains in the Roe/Dobbs debacle, where the administrative fiats on privacy have been coming from the Court rather than the administrative state, but certainly not from Congress: same difference. People, especially people ill schooled in the separation of powers—wherefore the sorry state of K12?—look to monolithic government for answers to their problems. They don't much care which public office provides the answer. So they fail to distinguish a Supreme Court decision—West Virginia or Dobbs—that says not our job from one that says simply not. Protestors picketing the Supreme Court building in recent weeks were on the wrong side of the street.

Abdication is a win-win for lawmakers, who can rake in the dough from corporations for the small price of doing nothing while blaming other branches of government for failing to offer a fix. Lawmakers sat on their hands on privacy and women's rights for decades in the wake of Griswold and Roe, content to let the Court struggle to map fine lines. Now they pantomime outrage and aspersion when Roe goes away and there is no statutory civil rights framework to replace it, nor even a framework to protect interstate travel rights, which is well within congressional authority.

Anyway, the angle on West Virginia that interests me is that on July 1, the U.S. District Judge Douglas P. Woodlock again delayed his decision in automakers' challenge to the Massachusetts right-to-repair initiative, saying that he would have to study the impact, if any, of West Virginia on his rationale. (E.g., Repair Driven News.)

Issuance of the decision in the case has been delayed time and again this calendar year, and the case has spurred occasional fireworks. Chris Villani for Law 360 wrote in February how "[a]n exasperated federal judge said ... he was close to a verdict in a suit challenging Massachusetts' revised 'right to repair' law, yet he pressed attorneys for a group of manufacturers about why they didn't tell him that new Subaru and Kia vehicles complied with rules they claimed are impossible to follow."

It was not clear, later, whether Subaru and Kia had actually complied, or just turned off the offending telematic features in new cars to be sold in Massachusetts. Turning off an otherwise functional mechanism does not, Massachusetts AG Maura Healey opined, and I agree, comply with the consumer data access law.

Though the omission that aggravated the judge was explainable, the incident is demonstrative nonetheless of automakers' obfuscating foot-dragging in their conduct of the case overall. They threw every kitchen-sink theory and procedural roadblock at the Massachusetts law, because every day of noncompliance is money in the bank, never mind the merits, nor the defense cost to taxpayers.

Automakers' problem is less with telematics regulation and more with being regulated state by state, rather than by federal standards. Federal regulation, rather than state regulation, has two powerful advantages for industry. First, federal regulations are universal, rather than 50+ in number, which vastly reduces compliance costs. More efficiency in compliance costs is good for consumers, too. So that's fair.

Second, federal regulations come from a grinding rule-making process that is almost irretrievably contaminated by the mostly lawful if deeply lamentable corruption of the industry-state complex. So manufacturers can lobby their way free of meaningful burdens that would benefit consumers and protect social and economic rights. Less fair.

It is not clear why Judge Woodlock thinks that West Virginia might affect his ruling. I might be able to say if I followed the Massachusetts case more closely. Absent a study, my guess is that the issue has to do with preemption. One of the automakers' kitchen-sink challenges alleged that Massachusetts could not regulate telematics because federal regulation of the auto industry impliedly preempts state right-to-repair regulation. If the judge thought that the vitality of that theory depended on the breadth of the federal regulations, and the permissible breadth of federal regulations, when ambiguous, is necessarily narrowed by West Virginia, then maybe it's less likely that the federal regulations can be said impliedly to preclude state regulation.

I'm now piling supposition upon supposition, but if I'm right, the likelihood is that the trial court was going to rule in favor of industry, and it's possible but unlikely that West Virginia would change that. I put money on industry on this one back in the winter, too, in part because I supposed that the judge's exasperation was evoked by a seeming deception on the part of the soon-to-be-announced prevailing side, and in part because I'm a pessimist. Or, I like to think, a realist.

My will for public policy, though, if not my bet, is on the side of AG Healey. Previously, I've written favorably about right to repair as a bulwark of consumer protection, and I support the Massachusetts initiative.

The Massachusetts case is Alliance for Automotive Innovation v. Healey (D. Mass. filed Nov. 20, 2020).

Hospital BAC disclosure prompts tort privacy claims

Photo by Marco Verch (CC BY 2.0)

The federal district court in Montana in December refused to dismiss an informational privacy claim against police, highlighting the space for state law to effect personal privacy protection in the United States.

Plaintiff Harrington was hospitalized after police found her unresponsive in her parked car. In the complaint, she alleged that sheriff's deputies "joked about her incapacitated condition and played along when nurses asked them to guess her blood alcohol content" (BAC). A nurse thereby disclosed Harrington's BAC, and, the complaint alleged, deputies then coaxed the record from a doctor. Harrington was charged with driving under the influence.

Subsequently, Harrington sued county officials and Madison Valley Hospital, the latter on theories of state statutory information privacy and common law invasion of privacy, negligence, and negligent infliction of emotional distress. The hospital sought dismissal on grounds that the federal Health Insurance Portability and Accountability Act (HIPAA), cited by the plaintiff in the complaint, affords no private right of action.  The federal district court, per Chief Judge Brian Morris, denied the motion to dismiss, recognizing that while HIPAA does not itself authorize private enforcement, it also does not preclude state law from providing greater privacy protection.

The case caught my attention because its facts point to something for which I've advocated, the use of tort law to fill gaps in informational privacy protection in the United States.  The law has not kept up with Americans' expectations of privacy, much less the norms of the world, but the common law should be sufficiently dynamic to reflect the evolving social contract.  I see drift in this direction in the expansion of medical fiduciary duty in emerging precedents in the states, such as Connecticut's Byrne v. Avery Center for Obstetrics & Gynecology, P.C., in 2018.

A theory as tenuous as negligent infliction of emotional distress, "NIED," can't usually stand on its own.  And tortious invasion of privacy has a poor track record in protecting personal information that is already in limited circulation.  However, paired with a medical provider's fiduciary duty and bolstered by a privacy violation recognized in regulation, either tort theory might be ripe for redefinition.

The case is Harrington v. Madison County, No. 2:21-cv-00015 (D. Mont. Dec. 6, 2021).  Hat tip to Linn Foster Freedman at Robinson+Cole's Data Privacy + Cybersecurity Insider.

Code might inevitably regulate journalism in digital age

The U.K. Information Commissioner's Office is working on a "journalism code of practice" to legislate against defamation and invasion of privacy by mass media.

Principally and ostensibly, the code is intended to bring media law into conformity with U.K. data protection law, essentially the European General Data Protection Regulation (GDPR), including the stories "right to be forgotten," or right to erasure (RTBF). On the ground, the picture is more complicated. The British phone hacking scandal and following Leveson Inquiry constitute a strong causal thread in public receptiveness to media regulation.

Cambridge legal scholar David Erdos analyzed the draft code for the INFORRM public in part one and part two postings in October.  The code incorporates media torts such as defamation of privacy and misuse of private information (MOPI), the latter a common law innovation of British courts to facilitate enforcement of data protection rights. I have posited in other venues that common law tort similarly might provide a way forward to fill gaps in information privacy law in the United States.

Journalism and data protection rights have been on a collision course for a quarter century, like a slow-motion car wreck, and the draft journalism code is a harbinger of the long anticipated impact.  Back in 1995, when the EU GDPR-predecessor Data Protection Directive was brand new, the renowned media law scholar Jane Kirtley published an article in the Iowa Law Review, "The EU Data Protection Directive and the First Amendment: Why a 'Press Exemption' Won't Work."  Kirtley foresaw data protection and the First Amendment's arguably irreconcilable differences before most U.S. scholars had even heard of data protection.

In those innocent days, journalism ethics was reshaping itself to preserve professionalism in the newly realized and anxiety-inducing 24/7 news cycle.  A key plank in the new-ethics platform was its essentiality to resist regulation.  In 2000, media law attorney Bruce Sanford published the book Don't Shoot the Messenger: How Our Growing Hatred of the Media Threatens Free Speech for All of Us.  Then in 2001, everything changed, and mass media and their consumers became engrossed by new concerns over government accountability.

In a way, the consolidation of media regulation in a generation of code could be a relief for journalism, especially on the European continent.  In an age of ever more complex regulatory mechanisms, codification can offer bright lines and safe harbors to guard against legal jeopardy.  Information service providers from local newspapers to transnationals such as Google are struggling to comply with new legal norms such as the RTBF, and there is as yet little evidence of uniformity of norms, much less convergence. Yet even if industry ultimately embraces the security of code, what's good for business is not necessarily good for wide-ranging freedom of expression. 

Courts, too, are struggling with novel problems.  For example, in late November, the European Court of Human Rights ruled in Biancardi v. Italy that RTBF de-indexing orders extend beyond search engines and bind original news publishers.  Writing for Italian Tech and INFORRM, attorney Andrea Monti fairly fretted that the decision effectively compels journalistic organizations to expend resources in constant review of their archives, else face liability in data protection law.  The result, Monti reasoned, will be to discourage preservation, manifesting a threat to the very existence of historical record.

On the one hand, it's foolish to wring one's hands for fear that journalism is being newly subordinated to legal regulation.  Tort itself is a regulatory mechanism, and defamation has been around for a long time, notwithstanding the seeming absolutism of the First Amendment.  On the other hand, media regulation by law looks nothing like the punctilious supervision of regulated industries, including the practice of law.

In my own education, I found the contrast in approaches to ethics perplexing.  In journalism school, my ethics class had been taught aptly by a religion scholar who led impassioned discussions about handout hypotheticals.  In law school, the textbook in legal profession hit the desk with a thud for what was as much a study of model or uniform code as was crim or sales.

With no "First Amendment" per se, media regulation by code is not the novelty in the U.K. that it would be in the United States.  Still, with privacy and digital rights sweeping the globe, law is poised to regulate journalism in new ways everywhere, whether through the subtlety of common law or the coercive power of civil regulation.  American courts will not be able to escape their role in reshaping fundamental rights for the digital world, as European courts are at work doing now.  Kirtley foresaw the issues in 1995, and the chickens are slowly but surely turning up at the roost.

The present ICO consultation closes on January 10, 2022.

Justices test Harvard property claims, as civil rights attorney pleads passionately for return of slave images

Lanier's story in a 2020 short by Connecticut Public

This morning the Massachusetts Supreme Judicial Court heard oral arguments in the case of Lanier v. Harvard, in which Tamara Lanier seeks to recover daguerreotypes of her enslaved ancestors, father and daughter Renty and Delia Taylor, taken on a South Carolina plantation in 1850.

The case is mostly about property and procedural law, namely, replevin and laches, though counsel for Lanier described the initial possession of the images as tortious conversion.  The images were taken and "used by the Harvard biologist Louis Agassiz to formulate his now-discredited ideas about racial difference, known as polygenism," the Center for Art Law explained. "Renty and Delia were photographed naked to the waist from the front, side and back without their consent or compensation."

Harvard's position depends on a narrow view of the case as a simple question of property ownership.  As the saying goes, "possession is nine tenths of the law."  Harvard bolsters its position with the argument that has become familiar from museums in our age in which returning artifacts to the once colonized, developing world is increasingly common, that the public will benefit from, and the horrors of slavery will be exposed by, public presentation of the daguerreotypes in a scholarly context.

The Lanier family articulates a broader theory of the case.  Civil rights attorney Ben Crump compared the sought-after return of the daguerreotypes to return of the possessions of Japanese families after World War II internment and Jewish families after the Holocaust, the latter including The Woman in Gold. 

The Lanier side divided its argument between two attorneys.  Crump opened the second half with a powerful statement of what he described as "three historical references" to frame the case from the Lanier perspective.  First, he said:

The fact that I stand before you as a free man and not a slave is a testament to someone's decision to change the course of human history.  It is a testament to our legal system, a testament that was led by the courts here in Massachusetts when Chief Justice William Cushing in 1783 judicially abolished slavery in the Quock Walker case.  And it is the reason why he is so often quoted even 250 years later with ... the idea of slavery as inconsistent with our conduct and our Constitution.

Second, Crump paraphrased Frederick Douglass, that

the genealogical trees of black people do not flourish as a result of slavery.  In essence what he was saying is that what slavery did was destroy the African-American family connection to its ancestral lineage.  But this historical case has the ability not only to recognize such lineage but [to recognize such lineage in] Ms. Linear and her family.

Third, Crump said:

This case presents a case study of Massachusetts's complicated history with slavery.  On one hand it has profited mightily from the cotton trade.  Its most powerful institution, Harvard University, has ties with slavery that date back centuries.  In fact the textile factories that were the largest donors of the university helped to build capitalistic empires on the backs of slave empires.  In fact the institution of Harvard and the institution of slavery were born in this country a mere 17 years apart.  On the other hand, Massachusetts is also the home of John Adams, and it is not lost on me or Ms. Lanier that we are in the John Adams Courthouse.  John Adams said slavery is the great and foul stain upon the North American Union.

Justices Kafker, Wendlandt, and Cypher actively and almost exclusively interrogated the advocates.  Based on the colloquy, the smart money in the case is on Lanier.  Kafker and Wendlandt tied up Harvard advocate Anton Metlitsky mostly in civil procedure.  The justices seemed to be testing out how they might navigate procedural challenges to reach a ruling in Lanier's favor.

The justices did challenge Crump and co-counsel Joshua Koskoff on First Amendment issues.  In an amicus brief in the case, the Massachusetts Newspaper Publishers Association warned against a ruling that would give the subjects of photos an ownership interest in the images, for fear that First Amendment-protected news coverage would be jeopardized.  It's interesting to see that concern raised in this context, because the point also marks division between the United States and Europe over data privacy rights in photographs of persons in public places.

The probing revealed that counsel for Lanier would render the case large or small, depending on their needs.  Taming the case back to mere property dispute, Koskoff called "First Amendment implications" in the case "a strawman."  The First Amendment is not implicated in a case of conversion, he argued, any more than the Second Amendment is implicated when someone is shot and killed.

Justice Kafker challenged Koskoff on whether return of the pictures would make them inaccessible to scholars and, as Harvard contends, thus unable to educate the public in the way that Holocaust images have.  Koskoff stuck to his guns, responding that it was up to Renty and Delia, and thus up to the Lanier family, whether the images would be used for public education.  The ends don't justify the means, he said.

In a related vein, Justice Wendlandt questioned Crump whether the outcome would be the same if the images had been discovered "in a drawer of the Boston Globe."  Crump ducked the question.  "This was a scientific experiment with black people being used as lab rats," he responded potently but inappositely, a "crime against humanity" and a crime under Massachusetts law.

Wendlandt reiterated her question, and still Crump ducked it, arguing that the hypothetical was not the facts of the case.  Wendlandt then restated Crump's response back to him as a "yes," that it makes no difference who claims ownership of the daguerreotypes today.  Crump picked up the thread, arguing analogy to the removal of The Woman in Gold from public display in Austria.

"This court has the ability to finally free Renty and Delia from bondage," Crump concluded.  "We are beseeching this court not to condemn them in death to the property of Harvard for all eternity."

The case is Lanier v. President and Fellows of Harvard College, No. SJC-13138 (argued Nov. 1, 2021).  Briefs are posted on the docket.  The oral argument will be posted at the Suffolk Law archive.  The Harvard Crimson published a thorough piece on the case in March.  A retired probation officer in Connecticut, Tamara Lanier tells her story at the website of the "Harvard Coalition to Free Renty"; there also is a documentary film by David Grubin.

[UPDATE, Nov. 3:] 

The oral argument is now posted in the Suffolk archive.  Also, Tamara Lanier posted a 15-minute clip of Crump's argument on her YouTube page today (below).

I add that Crump's argument, while quotable, was not as substantively important as Koskoff's.  I rewatched the oral argument today.  It remains clear to me that the justices, at least those who participated in the colloquy, are searching for a way to have Lanier win, but are struggling to find a legal rationale that matches the policy rationale.

In a telling exchange out of the gate, the justices pressed Koskoff for a rationale to convert his theory of tortious conversion in 1850, a premise the justices seemed willing to accept, into a property right in 2021.  Koskoff responded by describing tort law as an umbrella and property law within it, reasoning that a tortfeasor is not allowed to keep the proceeds of a tort.

I find the reasoning sound, notwithstanding the doctrine of laches, but I'm not sure the semantics and metaphor were quite right.  I have never understood tort law to dictate the outcome Koskoff describes; rather, I regard the proceeds of a tort as forfeit in equity.  Well recognizing how easy it is to Monday morning quarterback, I wonder that Koskoff might have prepared a better argument grounded in equity rather than tort law.

Anyway, it will take some legal gymnastics for the court to reach the result that at least three justices seemed to desire.