How Law Made Silicon Valley

Anupam Chander

Abstract

Explanations for the success of Silicon Valley focus on the confluence of capital and education. In this Article, I put forward a new explanation, one that better elucidates the rise of Silicon Valley as a global trader. Just as nineteenth-century American judges altered the common law in order to subsidize industrial development, American judges and legislators altered the law at the turn of the Millennium to promote the development of Internet enterprise. Europe and Asia, by contrast, imposed strict intermediary liability regimes, inflexible intellectual property rules, and strong privacy constraints, impeding local Internet entrepreneurs. This study challenges the conventional wisdom that holds that strong intellectual property rights undergird innovation. While American law favored both commerce and speech enabled by this new medium, European and Asian jurisdictions attended more to the risks to intellectual property rights holders and, to a lesser extent, ordinary individuals. Innovations that might be celebrated in the United States could lead to imprisonment in Japan. I show how American companies leveraged their liberal home base to become global leaders in cyberspace. I argue that nations seeking to incubate their own Silicon Valley must focus on freeing speech, and so must the United States, if it hopes not to break this new industry.

Introduction

Nearly every company set up in a garage in Silicon Valley hopes to take over the world. There is reason for such optimism. Again and again, Silicon Valley firms have become the world’s leading providers of Internet services. How did Silicon Valley become the world’s leading supplier of Internet services?

Popular explanations for Silicon Valley’s recent success revolve around two features. First, Silicon Valley bestrides the great academic centers of Stanford University and the University of California, Berkeley, and sits near the artistic and intellectual hub of San Francisco. Second, the center of venture capital in the United States also happens to be in Menlo Park, California, allowing both industries to profit from each other in a symbiotic relationship. But education and money coincide in other parts of the United States as well. Why did those parts not prosper in the manner of Silicon Valley? More fundamentally, did not the Internet make geography irrelevant? Scholars answer that Silicon Valley’s advantage lies in the economies of agglomeration. Ronald Gilson argued that California’s advantage was its labor law, which he believes encourages “knowledge spillovers” and agglomeration economies by facilitating employee mobility. While these standard accounts do much to explain the dynamism of Silicon Valley relative to other parts of the United States, they do not explain the relative absence of such Internet innovation hubs outside the United States, or the success of Silicon Valley enterprises across the world.

Law played a far more significant role in Silicon Valley’s rise and its global success than has been previously understood. It enabled the rise of Silicon Valley while simultaneously disabling the rise of competitors across the world. In this Article, I will argue that Silicon Valley’s success in the Internet era has been due to key substantive reforms to American copyright and tort law that dramatically reduced the risks faced by Silicon Valley’s new breed of global traders. Specifically, legal innovations in the 1990s that reduced liability concerns for Internet intermediaries, coupled with low privacy protections, created a legal ecosystem that proved fertile for the new enterprises of what came to be known as Web 2.0. I will argue that this solicitude was not accidental—but rather a kind of cobbled industrial policy favoring Internet entrepreneurs. In a companion paper, Uyên Lê and I show that these aspects of copyright and tort law were not driven by commercial considerations alone, but were undergirded in large part by a constitutional commitment to free speech. As we argue there, a First Amendment-infused legal culture that prizes speech offered an ideal environment in which to build the speech platforms that make up Web 2.0.

I will compare the legal regimes not between Silicon Valley and Boston’s Route 128, but between the United States and key technological competitors across the globe. The indulgence of American law for Internet enterprise appears in sharper relief when contrasted with the legal regimes faced by web entrepreneurs elsewhere. In Europe, concerns about copyright violations and strict privacy protections hobbled Internet startups. Asian web enterprises faced not only copyright and privacy constraints, but also strict intermediary liability rules. I will contrast the leading cyberlaw statutes and cases in the United States, with their explicit embrace of commerce and speech, with those from Europe and Asia, which are more attendant to the risks of this new medium for existing interests. I will show that Google and Yahoo were so worried that Japanese copyright law would make search engines illegal that they placed their search servers offshore. A Japanese computer science professor advised his students to publish their software outside Japan. British Prime Minister David Cameron suggested that Google’s search engine might have been illegal under English copyright law.

This Article upends the conventional wisdom, which sees strong intellectual property protections as the key to innovation—what the World Intellectual Property Organization calls a “power tool” for growth. Understanding the reasons for Silicon Valley’s global success is of more than historical interest. Governments across the world, from Chile to Kenya to Russia, seek to incubate the next Silicon Valley. My review suggests that overly rigid intellectual property laws can prove a major hurdle to Internet innovations, which rely fundamentally on empowering individuals to share with each other. This study helps make clear what is at stake in debates over new laws such as the Stop Online Piracy Act (SOPA) and its relatives, highlighting the effect of these laws on Silicon Valley’s capacity for innovation. I show that government has the power to enable, or disable, a new industry. The power to make in this case implies the power to break.

Innovation scholars worry about the “valley of death,” the stage between start-up idea and successful commercialization, in which most start-up enterprises founder. Cyber scholars fond of citing Joseph Schumpeter’s “creative destruction” need to attend to his focus as well on the finance needed by innovators. Imagine the boardroom in a Silicon Valley venture capital firm, circa 2005. A start-up less than a year old has already attracted millions of users. Now that start-up, which is bleeding money, needs an infusion of cash to survive and scale up. The start-up lets people share text, photos, and videos, and includes the ability to readily share text, pictures, and videos posted by one’s friends. If that start-up can be accused of abetting copyright infringement on a massive scale, or must police its content like a traditional publishing house lest it face damages claims or an injunction, your hundred-million-dollar investment might simply vanish to plaintiffs’ lawyers in damages and fees. An injunction might stop the site from continuing without extensive human monitoring that could not be justified by potential revenues. Because of the insulation brought by U.S. law reforms in the 1990s, American start-ups did not fear a mortal legal blow. The legal privileges granted to Internet enterprises in the United States helped start-ups bridge the valley of death.

Let me anticipate criticism. First, legal realists might object that I have spoken about law on the books. What about law in action? I demonstrate through actual cases the practical importance of the liberal American law and the strict European and Asian laws. Second, some might seek to trivialize my thesis: law always matters to the success of an enterprise because it could have made that enterprise illegal, but did not. That is not my claim; rather, my claim is that U.S. authorities (but not those in other technologically advanced states) acted with deliberation to encourage new Internet enterprises by both reducing the legal risks they faced and largely refraining from regulating the new risks they introduced. Third, some will insist that if law was relevant, it was only because it got out of the way. After all, the last person hired at a Silicon Valley start-up is the lawyer. The story of Silicon Valley is not only a story of brilliant programmers in their garages, but also a legal environment specifically shaped to accommodate their creations.

My claim may resonate with students of American legal history. Morton Horwitz famously argued that nineteenth-century American courts modified liability rules to favor the coming of industrialization. I suggest an even more widespread effort, with the Executive, Congress, and the Courts, each in their own way promoting Internet enterprise. Horwitz decried the nineteenth-century’s laws’ implicit subsidy to industrialists, which he saw as being borne on the backs of society’s least fortunate. The limitations on Internet intermediary liability and the lack of omnibus privacy protections beyond those that are promised contractually by websites mean that there is a price to be paid for the amazing innovation of the past two decades. Even while we celebrate innovation, we must recognize its costs.

I do not allege the discovery of the DNA for economic development in the Information Age. The cyberlaw I describe here must be understood against the broader legal, cultural, and economic background in particular societies. What works in one jurisdiction might not work elsewhere because of differences in the role of law, the role of norms, enforcement, and other features. At the same time, a comparative exercise is highly instructive, offering experience with different methods of achieving a desired result. It also helps us recognize the impact of differing legal cultures (including what James Whitman has called “the two Western cultures of privacy”) on such values as speech and enterprise.

This Article proceeds as follows. Part I reveals how American legislators and courts altered the law to accommodate new Internet enterprises. Part II shows that European and Asian nations offered relatively stricter intermediary liability regimes and privacy protections, making illegal the new business model embraced by their American counterparts. Part III calls for due attention to the hidden price of innovation in order to avoid the “wow” to “yuck” curve—the move from dazzlement to disgust that scholars have identified for other new technologies.

I. Making America Safe for Silicon Valley

I review here key legal developments that enabled the rise of Web 2.0. Each of the individual stories I tell in this Part may seem familiar. Yet, by weaving these stories together, one begins to see a stunning pattern in the larger narrative. The pattern appears even sharper when contrasted with my survey of Europe and Asia in Part II.

In the last decade of the Millennium, the infant industry spawned by the invention of the World Wide Web posed pressing challenges. How could we protect children from being awash in pornography? Would early Internet pioneers such as AOL and Yahoo fail in the face of claims that they abetted defamation and other wrongs? Would Hollywood disappear in the face of easy and perfect digital copying through services such as Napster? Could we protect children from communicating with dangerous adults? Would companies be at the mercy of individuals who were quicker to register corporate trademarks as domain names? Would contracts entered into online, lacking an ink signature, prove unenforceable? Would e-commerce be saddled with multiple tax obligations from the thousands of taxing jurisdictions across the country?

The Clinton Administration published a white paper outlining its vision for “Global Electronic Commerce.” Announcing the report, President Clinton presciently observed, “Governments can have a profound effect on the growth of electronic commerce. By their actions, they can facilitate electronic trade or inhibit it.” The report concluded that “[e]xisting laws and regulations that may hinder electronic commerce should be reviewed and revised or eliminated to reflect the needs of the new electronic age.” Most importantly, it declared the Administration’s commitment to self-regulation: the first principle announced that “[t]he private sector should lead,” and the second principle that “[g]overnments should avoid undue restrictions on electronic commerce.” That preference for self-regulation over governmental intrusions would mark congressional activity during this period. This meant even carving out Internet enterprises from the reach of existing law. The Administration’s simple mandate: “Let a thousand Web sites bloom.”

Congress responded to the rise of the Internet with a flurry of laws. These are the laws of this fruitful period, in chronological order: the Communications Decency Act of 1996 (CDA), the Internet Tax Freedom Act, the Children’s Online Privacy Protection Act of 1998 (COPPA), the Digital Millennium Copyright Act (DMCA), the Anticybersquatting Consumer Protection Act (ACPA), and the Electronic Signatures in Global and National Commerce Act (E-Sign).

Taken together, these statutes helped undergird a legal framework that proved conducive to the development of Internet-based services. While the titles of these statutes often professed consumer-oriented goals—a remarkable list including decency, tax freedom, privacy, and consumer protection—commercial concerns were never far from the table, as we will see. I review below the CDA and the DMCA, statutes that proved especially significant for Silicon Valley enterprises over the course of the following decade. I also consider the crucial judicial interpretations that bent the law to foster web innovation.

We see that each of the branches of government played an integral part in this endeavor. In the face of calls for legal protections, the Clinton Administration promoted self-regulation by the Internet industry. Congress wrote a set of statutes that dealt with some of the principal concerns of both the content industry and the public, without placing too much in the way of burdensome constraints on Silicon Valley enterprise. The Courts, for their part, sought to protect speech and promote innovation by reading immunity statutes broadly and striking down statutes that might chill speech. At the same time, each of the branches checked the others when they proved less than friendly to Internet innovation. Congress embraced the DMCA’s Title II, even where the Clinton Administration was initially inclined to favor copyright holders; the Courts declared unconstitutional the anti-pornography restrictions imposed by Congress; and Congress offered safe harbors for intermediary liability even where courts were sometimes inclined to impose broader liability. Thus, this was a cobbled industrial policy, halting and inconsistent, yet ultimately adding up to a powerful set of pro-Internet laws.

A. Intermediary Liability

The first of this series of statutes, the Communications Decency Act, proved central to the rise of the new breed of Silicon Valley enterprise. This hardly seemed likely for a statute directed against indecent speech. The CDA made it a crime to display obscene or indecent material to persons who were less than eighteen years of age, unless the site had taken appropriate measures such as an age-verified credit card to restrict access to adults. Hidden within the statute was a small fateful section, § 230, that would save many corporations—most of them not even dreamed of when the Act was passed—from potentially ruinous legal challenges.

What risks did such firms face? By offering platforms for users across the world, Internet enterprises faced the hazard that some users would use these platforms in ways that violated the law, bringing with it the possibility of liability for aiding and abetting that illegal activity. Consider a sampling of the array of claims that might lie against these platforms for the behavior of their users. Yahoo might be liable if someone uses Yahoo Finance to circulate a false rumor about a public company. Match.com could face liability if a conniving user posted defamatory information about another individual. Craigslist might be liable under fair housing statutes if a landlord put up a listing stating that he preferred to rent to people of a particular race. Amazon and Yelp might be liable for defamatory comments written by a few of their legions of reviewers.

The risks were made apparent in 1995 in the case of Stratton Oakmont, Inc. v. Prodigy Services Co. There, an investment firm, allegedly defamed on an Internet bulletin board, sued that board’s owner, Prodigy. The New York trial court held that Prodigy could be liable as a publisher because it had advertised its editorial control over the site. Even in this decision, marking a high point of liability concerns, the court was mindful of the impact on new Internet enterprises, which might follow the decision’s logic and simply disavow any editorial control and thereby avoid any liability. The court argued that “the market will . . . compensate a network for its increased control and the resulting increased exposure.” There is economic logic to this, but it may be that the costs of monitoring are so high as to create a service that is too expensive to attract sufficient buyers. While it might be relatively cheap to monitor for pornography or indecent words, it is far more difficult to evaluate factual claims made in the thousands of posts on a particular site. More importantly, the court’s vision of the metered website is quite different than the cyberspace that actually flourished after Stratton Oakmont was undone by statute the following year.

Despite the trial court’s assurances of market compensation to come, the industry was understandably alarmed at the ruling. It turned to Congress to fashion a remedy. In a short section embedded within the Communications Decency Act, Congress undid Stratton Oakmont. Under the subsection heading “Protection for ‘Good Samaritan’ blocking and screening of offensive material” (no Good Samaritan behavior was actually required for the main § 230 immunity to attach), Congress declared that online service providers could never be treated as publishers for material they did not develop. As interpreted by courts, the section largely immunized online service providers from secondary liability for most torts committed through their service. The section offered online publishers an immunity that their offline compatriots never enjoyed. One student commentator compares the treatment of Soldier of Fortune magazine, held liable in 1992 for millions of dollars in damages for permitting an advertisement that led, tragically, to an actual murder-for-hire, to an online newspaper that would avoid similar liability because of § 230. Congress justified this differential treatment on the ground that “[t]he Internet and other interactive computer services offer a forum for a true diversity of political discourse, unique opportunities for cultural development, and myriad avenues for intellectual activity.” Furthermore, Congress sought “to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.” Congress thus sought to simultaneously promote the speech potential of a largely self-regulated Internet, while fostering the rise of Internet enterprises. Indeed, though largely unheralded at the time, the section proved a lifeline to Web 2.0 enterprises.

For their part, courts read the mandate in § 230 broadly, defining “interactive computer service” expansively and treating the section as covering a large array of claims, both state and federal (but excluding intellectual property claims, as per the statute’s directions). Most importantly, they eliminated a website’s liability not only as a publisher, but also as a distributor. Where publishers typically faced strict liability, distributors such as a library or bookstore would be liable if they had knowledge of the wrongdoing and still refused to act. In Zeran v. America Online, Inc., the Fourth Circuit held that § 230 must be read to eliminate distributor liability, as well as publisher liability, for web services. The court reasoned that a contrary holding would chill speech because it would create a natural incentive for service providers to take down information that some user found offensive for fear of liability for letting it remain: “Because service providers would be subject to liability only for the publication of information, and not for its removal, they would have a natural incentive simply to remove messages upon notification, whether the contents were defamatory or not.” Other circuits followed Zeran’s broad reading, eliminating distributor liability as an incident of the defense against publisher liability.

Again and again, § 230 proved invaluable to shield web enterprises from lawsuits, as demonstrated by a plethora of cases. Perhaps every major Internet enterprise has relied on the statute to defend itself over the years. The CDA insulated web enterprises from the reach of a variety of federal and state causes of action, both statutory and common law. These include, for example, the Federal Fair Housing Act, Title II of the Civil Rights Act of 1964, the Washington State Consumer Protection Act, and common law actions such as invasion of privacy, negligence, and tortious interference with business relations. The CDA’s § 230 was no panacea—it failed as a defense a third of the time; it still required the Internet enterprise to engage in expensive litigation; and, even when it proved a successful defense, a year had often passed in the interim.

Two foundational cases demonstrate the practical value of the CDA to web enterprises. In Doe v. MySpace, Inc., the social networking site faced a claim for liability arising from a heinous act—an assault on a minor by a nineteen-year-old man whom she met through MySpace. The family sued MySpace for negligence in not verifying her age on the ground that verification would have revealed that she was thirteen when she registered, not eighteen as she claimed. The Fifth Circuit Court of Appeals ruled that § 230 protected MySpace from the suit. The CDA also protected an Internet dating service from a lawsuit arising from a malicious posting of a false profile on a dating site. Someone using a computer in Berlin posted a profile using photos of the actress Christianne Carafano suggesting that she was interested in meeting men, and made her home address and phone number available. In Carafano v. Metrosplash.com, Inc., the Ninth Circuit Court of Appeals relied on § 230 to deny Carafano’s lawsuit against the owner of the dating site for invasion of privacy, misappropriation of the right of publicity, defamation, and negligence. The court ruled that “despite the serious and utterly deplorable consequences that occurred in this case, we conclude that Congress intended that service providers such as Matchmaker be afforded immunity from suit.” The court recognized that as a result of the law, “Internet publishers are treated differently from corresponding publishers in print, television and radio.”

With CDA § 230, both commercial and speech considerations coincided. As the Fourth Circuit noted in Zeran, a notice and takedown system would inevitably lead to firms generally choosing to take down controversial statements, rather than face any specter of liability. As Neal Katyal writes: “Because an ISP [Internet Service Provider] derives little utility from providing access to a risky subscriber, a legal regime that places liability on an ISP for the acts of its subscribers will quickly lead the ISP to purge risky ones from its system.”

Even while § 230 offered a lifeline to Internet enterprises, the remainder of the CDA complicated their work tremendously. Core provisions of the CDA sought to make it difficult for children to access material judged indecent by a community. But in Reno v. ACLU, the Supreme Court stepped in to strike down those provisions as a violation of the freedom of speech. The CDA’s anti-indecency provisions posed a particular challenge to sites that welcomed user content. Unless these sites verified the ages of their users, typically through credit cards, they faced the very real possibility that someone would post indecent material on their pages. The statute covered all “communications,” not just images, and thus required a website administrator to actually read through the postings of users to adjudicate decency. In a very real sense then, Reno v. ACLU made possible Web 2.0.

The interaction between Congress and the Court expressed through the CDA § 230/Reno v. ACLU pairing consisted in a legislature that immunized Internet enterprises from the actions of others, and a court that declared that Internet enterprises could not be made to act as censors for the state, at least under certain terms. Neither Congress nor the Courts were consistently single-minded in their promotion of Internet enterprise, yet their interaction resulted in precisely this. Congress overruled any court that might have sought to hold intermediaries liable for user-generated content (other than for intellectual property-based claims, an area we turn to next). Meanwhile the Courts overturned congressional efforts to require Internet enterprises to censor speech widely. The end result was a legal framework conducive to promoting speech on the Internet through online speech intermediaries.

B. Copyright

Any technology that allows individuals to share information can lend itself to copyright infringement. A company like Yahoo that allows individuals to post whatever they want online faces a high risk that its service will be used for extensive copyright infringement. The company might be liable for direct infringement every time it delivers a copy of the copyrighted work (direct infringement being a strict liability offense), for contributory infringement if it has knowledge and makes a material contribution to the infringement, and for vicarious infringement if it controls and earns a direct financial benefit from the infringement. Given that statutory damages for direct infringement alone range from $200 to $150,000 for each work, and that millions of works are copied online, the specter of liability would be enough to stop most Internet companies dead in their tracks. This is not a hypothetical concern. Consider the graveyard of dot-com enterprises, felled not by flawed monetization plans, but by copyright law: MP3.com, ICraveTV.com, Aimster, Grokster, and, most famously, Napster.

While § 230 of the CDA protected websites against a wide variety of claims arising out of the actions of their users, it explicitly excluded intellectual property claims from its ambit. This meant that any site that collected material provided by users might still be held liable for claims arising out of copyright or trademark. Internet enterprises remembered well the 1993 case of Playboy Enterprises, Inc. v. Frena, in which a court held the operator of an online bulletin board strictly liable for copyright infringement by users of that board. The declaration by a federal court that “[i]t does not matter that Defendant Frena may have been unaware of the copyright infringement” must have rattled many in Silicon Valley.

The Internet industry set out to reform the law, but the content industries resisted, as did the White House initially. In 1995, a White House task force led by Patent Commissioner Bruce Lehman concluded that it was “premature” to reduce legal risks for Internet intermediaries, preferring to treat them as publishers for copyright purposes. Traditional publishers, of course, are strictly liable for copyright infringement in their publications, and thus this approach would have subjected Google and Facebook to strict liability for their users’ actions. Given the volume of material they carry, it is hard to imagine how we might have Google or Facebook today if they were to have the publisher liability of The New York Times or Time Warner. CompuServe’s general counsel Stephen Heaton testified before Congress that strict liability for online service providers shifted enforcement responsibility from copyright owners to the online enterprises. Requiring such enterprises to monitor the “trillions of bits of data” that crossed their computer networks would “bring[] their businesses to a halt, almost immediately,” he averred. The recording industry denied the need for special protections for online service providers, making plain the industry’s aversion to such special rules for online companies:

Internet Access Providers . . . . argue that copyright liability will stifle the growth of the Internet, chill investment in companies that provide Internet access, and unfairly harm their companies when they have no control over or knowledge of what users may be doing on their network.

Frankly, we don’t see it.

Public interest groups, including library associations and consumer groups, argued against expanded rights of the copyright industry online. Consumer electronics firms, too, worried about expanded copyright liabilities, but the copyright industries responded that this was merely an effort by Japanese manufacturers to profit from American material.

By late 1998, the copyright and information industries came to a mutual understanding, reflected in a complicated set of safe harbors under which Internet companies could seek shelter from copyright liability. With the Digital Millennium Copyright Act, Congress sought to address the impact of the digital environment on copyrighted works by (a) barring devices that circumvented copyright protection schemes (Title I, the “WIPO Copyright and Performances and Phonograms Treaties Implementation Act of 1998”); and (b) offering companies that followed certain policies respectful of copyright immunity from claims for copyright infringement (Title II, the “Online Copyright Infringement Liability Limitation Act” or OCILLA). While the DMCA was best known for its first Title, which made it illegal to circumvent copyright protection schemes like those found in DVD movies, the second Title of the statute provided safe harbors for Internet enterprises from copyright liability.

OCILLA provided four safe harbors for commercial enterprises: the first for the companies that bring the Internet to one’s home, the second for the companies that make temporary copies of data being routed on the Internet, the third for companies that host on the Internet material provided by others, and the fourth for Internet search engines. The last two safe harbors in particular proved crucial to Silicon Valley enterprises. As Edward Lee writes, “virtually all commercial websites in the U.S. that deal with third-party content attempt to follow and fall within the safe harbors. Indeed, it would be foolish, if not a breach of corporate fiduciary duty, for any such company not to do so.”

OCILLA achieved a modus vivendi between northern and southern California—where Silicon Valley would banish repeat offenders and take down material if requested by the copyright owner, often based in Hollywood. By performing these duties diligently, Silicon Valley enterprises generally managed to avoid liability for the widespread copyright infringement that still occurred through their systems. While some have legitimately criticized OCILLA for leading firms to take down material too quickly for fear of jeopardizing their safe harbor, OCILLA marked a significant accomplishment for Silicon Valley in creating rules that allowed Web 2.0 enterprises to flourish without either excessive copyright management costs or high liability risks.

In recent years, especially in the battle against SOPA, it has become apparent that the content industry is dissatisfied with the détente struck in 1998. The extent of the content industry’s distaste for Silicon Valley is evident in—of all things—Rupert Murdoch’s tweets. In January 2012, Murdoch used Twitter to accuse Google of being a “[p]iracy leader.”

Courts, too, played a central role in the flourishing of Silicon Valley enterprise in the face of claims of copyright holders. Major advances in information technology had put pressure on copyright holders before, and courts had been called upon to adjudicate disputes between the two industries. In the 1980s, courts had largely sheltered the electronics industry against copyright infringement claims. When Sony introduced a video-cassette recorder, Hollywood studios sued because the device could copy television shows. The Supreme Court in 1984 in Sony Corp. of America v. Universal City Studios, Inc. protected the new technology, arguing that the device had “substantial noninfringing uses.” As Pamela Samuelson writes, had it not been for the relief from liability offered by the Sony decision, “tape recorders, photocopiers, CD burners, CD ripping software, iPods, and MP3 players, and a host of other technologies that facilitate private or personal use copying might have never become widely available.” The decision did not insulate every new technology. Peter Menell and David Nimmer observe that, in the years since the Sony decision, “the developers and distributors of Napster, Aimster, Grokster, Morpheus, and KaZaA—peer-to-peer systems that have noninfringing uses—have all been held liable for contributory infringement, Sony notwithstanding.”

Yet, the Supreme Court’s own intervention in digital copyright, in the case of Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., yielded a result that was largely friendly to Silicon Valley innovation. The movie studios and others had invited the Court to erode the Sony rule by requiring that it be the principal actual use of a device or service, not its potential use, that should determine its legality. In arguing their cause before the Court, the copyright industries understood that they must not be seen as standing in the way of innovation. The songwriter plaintiffs devoted one of the three parts of their main brief to the proposition that “[h]olding Grokster and Streamcast liable will encourage, not restrain, legitimate commerce.” The motion picture studios and recording companies argued that a holding in favor of the file-sharing services would threaten “artistic innovation” as well as “obstruct[] innovators seeking to use digital technology for lawful distribution of copyrighted works.” For their part, the file-sharing services pressed the potential chill on innovation with even greater zeal. The word “innovation” appears no less than forty-five times in their brief. The file-sharing services argued:

Modifying the Sony rule as petitioners suggest would . . . . deter investment in innovation by subjecting innovators to standards that are unpredictable in application and expensive to litigate, and put large sectors of the digital-technology economy in the hands of entertainment-industry incumbents with a vested interest in preserving their existing business arrangements, to the detriment of both creators and consumers.

Justice David Souter, writing for the Court, observed that the rule in Sony “leaves breathing room for innovation and a vigorous commerce.”

The Supreme Court’s decision marked the death knell for two Internet services, Grokster and Streamcast, which could be found liable for “inducing” copyright infringement. Yet, the Grokster decision itself largely continued to extend the Court’s welcome mat for innovation, even where the service (like any digital information service) might be used widely for copyright infringement. It only outlawed services that explicitly condoned or “induced” such infringement. While an Internet provider could not “tout the copyright-infringing uses” of its tools, Jonathan Zittrain notes that “the tools themselves seem to have remained largely, if not entirely, protected by Sony.”

The American concept of “fair use” also proved conducive to various innovations in the digital realm. Fair use allowed a court to provide exceptions to copyright after considering multiple factors. Take the example of image search, introduced by Google in 2001. Google’s computers now supplied images that matched search terms. This required Google to show smaller, “thumbnail” versions of those images. When Google was challenged, the Ninth Circuit ruled that these thumbnail versions of the images constituted fair use.

C. Privacy

U.S. privacy law offers limited constraints for American Internet entrepreneurs. The vaunted common law privacy torts are each quite narrow in scope and mostly unavailing to web users concerned about protecting personal information. The torts are not well-suited to the typical privacy concern with respect to social media, doing little to bar the use of personal information for marketing or the onward sharing of personal information in unexpected ways. Statutory protections remain quite narrow.

With the dawn of the World Wide Web, the Clinton Administration convened a task force to think through privacy rules for these new communications services. The task force’s 1995 white paper began by observing that “many people may be reluctant to use the NII [National Information Infrastructure] if they are afraid that the personal information transmitted over it can be used in ways that are unexpected or inappropriate.” But instead of a new omnibus privacy statute, the task force proposed a voluntary framework whereby companies would notify users of how they intended to collect and use information, and seek the consent of the users for such collection and use. That model, of course, became the operative one, allowing websites to set the terms for user privacy, subject only to public acceptance of those terms rather than regulatory constraints.

Congress did in fact act to protect children’s privacy through the Children’s Online Privacy Protection Act of 1998 (COPPA). COPPA established significant protections for younger children online, including requiring parental consent before websites could collect information from children under thirteen and requiring adequate security measures for information that was collected. This might have posed a challenge to web providers, which would have had to either segregate how they handled children’s information or refuse children access. Yet, the statute proved easy to avoid by e-commerce providers, who simply officially banned those under thirteen from their sites. Millions of American children responded by fabricating a false birth year to enable them to access sites such as Facebook—an expedient available to youth with a modicum of mathematical ability. As long as the sites did not have actual knowledge that the child was under thirteen, they had no statutory obligation to treat his or her information with care.

During the last decade, the absence of strong privacy regulations proved particularly important because of the business model used by many consumer-oriented websites. Web 2.0 providers earn money through advertising or through selling additional services. If the online provider can tailor advertisements precisely to the interests of the user, then the advertising will be more lucrative. In other words, the more the online provider knows about you, the more it can earn. Rules protecting user privacy can, accordingly, interfere with a company’s ability to gather information about you, or to develop a better profile of you by collating information with other online providers. Thus, the absence of a broad array of effective privacy-enhancing restraints leaves online services largely free to exploit user information for maximum profit. As long as the services do not promise more privacy than they actually deliver, online companies in the United States have a free hand with information.

The absence of privacy constraints proved especially conducive to Internet innovation. The success of Silicon Valley enterprises has often been a result not just of a single initial inspiration, but of successive rounds of serial innovation within a single firm. Much of this innovation results from rapid experimentation—roll-out of new products, beta-testing, and appraisal. Many Web 2.0 businesses rely upon a trial-and-error model for innovation. Beta offerings are presented to be retracted, modified, enhanced, or finalized depending on the market reception. The plasticity of the software allows quick responses to market conditions. Because the businesses are innovating new relationships between users and information, the risk to privacy in this process of experimentation is especially high. A liberal privacy regime thus proves conducive to this kind of trial-and-error method for innovation, allowing companies to base their offerings not on legal constraints but on market reaction.

The end result is as follows: while Facebook’s and Google’s innovations have often drawn public outcries, they seldom draw successful lawsuits or government enforcement actions.

***

By the end of the twentieth century, laws conducive to the business model of Web 2.0 were in place. Companies would offer platforms on which users could provide content, which would in turn attract other users. Companies would then monetize these large numbers of users by exploiting personal information about them for marketing. And the law would abide this.

I have shown that, just as nineteenth-century American judges altered the common law in order to subsidize industrial development, judges and legislators at the turn of the Millennium altered the law to subsidize the development of Internet companies. Did technologically advanced nations in Europe and Asia do the same?

II. Constraints in Europe and Asia

Could Google have been founded in London? According to Google’s Larry Page and Sergey Brin, as related by Prime Minister David Cameron, the answer is no. This is not due to the lack of brilliant engineers in the United Kingdom, or sufficient capital in the City of London. Prime Minister Cameron explains that the Google founders told his government that Google’s service “depends on taking a snapshot of all the content on the internet at any one time and they feel our copyright system is not as friendly to this sort of innovation as it is in the United States.” Unlike the law in the United Kingdom, where Google’s search engine activities might cross the line of copyright infringement without any promising legal lifeline, U.S. law seems more flexible. Prime Minister Cameron explained, with apparent envy: “Over there, they have what are called ‘fair-use’ provisions, which some people believe gives companies breathing space to create new products and services.”

But did not Europe offer inducements through the law to web enterprises similar to those in the United States? And what of Japan and South Korea, Asian nations that were at the forefront of creating information societies? I will show that indeed these nations took steps to adjust their laws to the new cyber-environment, but without the same depth of preference for web enterprises. Where the United States sought to insulate Internet intermediaries from liability for the misdeeds of their users, Europe, Japan, and South Korea created special responsibilities for Internet services. Indeed, what might be celebrated in the United States could be illegal in Europe, Japan, and South Korea. Facebook finds the distinction between U.S. law of intermediary liability and the law elsewhere to be material to its investors. Facebook states that the risk that it will face claims “is enhanced in certain jurisdictions outside the United States where our protection from liability for third-party actions may be unclear and where we may be less protected under local laws than we are in the United States.”

Comparative law scholars may observe that many jurisdictions lack the statutory or punitive damages available under U.S. law, making more legally demanding obligations abroad less harsh in reality in comparison to the plaintiff-friendly United States. But when it comes to Internet intermediaries, a simple injunction alone could require a restructuring of the system that made the platform economically unfeasible. Only the most foolhardy financiers would invest in an early stage enterprise that had a business that a tribunal might declare illegal at any moment. The programmer might even be sent to jail.

In the sections below, I examine the laws of the European Union, South Korea, and Japan, demonstrating that when it comes to intermediary liability, copyright liability, and privacy, the laws of these regions are far less conducive to Internet enterprise than the United States.

A. Intermediary Liability

1. European Union

The European Union’s intermediary liability law proved less welcoming to Internet entrepreneurs than U.S. law. Europe takes a unified approach to the issue of intermediary liability, setting the same standard for holding intermediaries liable regardless of the nature of the underlying offense. There is logic to this approach, even if it is unlike the American approach, which, as we have seen in Part I.A above, offers different rules for intermediary liability for copyright, trademark, and other offenses. The European Union’s Electronic Commerce Directive sets out what are essentially safe harbors from liability for specified intermediary activities, such as acting as a “mere conduit,” “caching,” or “hosting” (but not search services). Some countries go further to include safe harbors for search engines and hyperlink providers. Yet, from the perspective of Internet intermediaries, the safe harbors remain inferior to their American counterparts, providing less protection for copyright, trademark, defamation, and other claims. I explain here some of the deficiencies of the European law vis-à-vis U.S. law for Internet intermediaries. I reserve discussion of intermediary liability for copyright infringement for the following section.

First, the European approach stops far short of the near blanket exclusion from liability offered by the Communications Decency Act for non–intellectual property related wrongs. Second, the Electronic Commerce Directive largely adopts the DMCA’s notice-and-takedown approach, but leaves open the possibility of additional proactive responsibilities on the part of the online intermediary. Even while disavowing any duty to “monitor,” the European law expressly contemplates the imposition by member states of “duties of care” on intermediaries to detect and prevent certain activities. Third, the European directive lacks a statutory notice-and-takedown regime, creating greater uncertainty among European providers as to whether they have sufficient knowledge to withdraw liability if they do not delete material. Finally, the European approach permitted injunctions against online service providers more liberally than the American approach, which was more attentive to the problem of prior restraint. The Electronic Commerce Directive contemplates “orders by courts or administrative authorities requiring the termination or prevention of any infringement, including the removal of illegal information or the disabling of access to it.”

The difference between the American and European approaches to intermediary liability in trademark is evident when we contrast two authoritative decisions involving the same defendant (eBay) and similar facts on either side of the Atlantic (storied trademark holders claiming infringement). Before the European Court of Justice, L’Oréal sought to hold eBay liable for trademark infringement occurring on eBay’s site. EBay relied on Article 14(1) of the Electronic Commerce Directive to argue that it was “not liable for the information stored at the request of a recipient of the service.” The court held that this immunity would not be available where the operator had undertaken “an active role of such a kind as to give it knowledge of, or control over, the data relating to those offers for sale.” The Court of Justice sent the case back to the national court for consideration of whether eBay “was aware of facts or circumstances on the basis of which a diligent economic operator should have realised that the offers for sale in question were unlawful and, in the event of it being so aware, failed to act expeditiously.” Reporting on the decision, the law firm of Latham & Watkins advised its clients that sites like eBay will “have to engage in a higher degree of self policing in the future, especially with respect to the offer for sale of well known or famous brands.” They further observed that eBay might have to modify its system with respect to Europe to allow for easier identification of a seller: “It would be ironic, but predictable that it could become as difficult to open an account to sell goods on an auction site without proper identity checks as it is to open a bank account or instruct a lawyer in the EU.” By contrast, in Tiffany (NJ) Inc. v. eBay Inc., the Second Circuit Court of Appeals largely sided with eBay against the trademark holder. The U.S. court upheld summary judgment in favor of eBay on the issue of contributory liability for trademark infringement. It remanded the case on the issue of whether eBay had itself misled users in its advertising campaign invoking the Tiffany’s name. Commentators rightly hailed the case as a victory for Internet intermediaries.

2. South Korea

Where U.S. law seeks to reduce the liability of Internet intermediaries for statements posted on their sites, South Korean law seeks to make intermediaries responsible for activities on their sites. In the wake of demonstrations against American beef exports to Korea organized online, the South Korean legislature imposed additional obligations on Internet intermediaries to police online behavior, on the theory that the public was manipulated by allegedly false claims about the threat of mad cow disease. It also imposed additional obligations on users themselves—the Framework Act on Telecommunications singles out those using electronic means to spread information: “A person spreading a false rumor maliciously intending to damage the public interest by using an electronic machine can be sentenced to imprisonment for under five years or given a fine under fifty million won.” Furthermore, like many countries, South Korea has a more liberal substantive standard for defamation (thereby favoring plaintiffs) and permits injunctive relief for defamation.

In 2009, the Korean Supreme Court issued a decision holding web portal sites Naver, Daum, SK Communications, and Yahoo Korea liable for the defamation of a person named “Kim” occurring on their sites. The court upheld judgments of 10 million won, 7 million won, 8 million won, and 5 million won, respectively, against these services, stating that a web service “must delete slanderous posts or block searches of the offending posts, even if not requested to do so by the victim.” While these were relatively small judgments amounting to just thousands of U.S. dollars (approximately $5,700 at the highest), this might well have caused sites to fear the accumulation of such fines. The court held that

the obligation of the portal site to remove the [defamatory material] arose when (a) the content was apparently illegal in the sense of defamation, and (b) the portal site had actual knowledge of the illegality of the infringing activity or, awareness of facts or circumstances from which infringing activity was apparent even without the [victim’s] notice . . . to the portal site.

Critics worried that the decision would chill speech, causing websites to delete user posts to preclude liability. The decision seems to confirm Kyu Ho Youm’s observation that, at least when reputation or honor is at risk, “South Korea does not protect freedom of expression as a transcendent value.”

In February 2012, the Korean Constitutional Court upheld the power of the Korea Communications Standards Commission under the Act on the Promotion of Information and Communications Network Utilization and Information Protection (the Network Act) to order the takedown of “unhealthy information” on the Internet. Importantly, however, the Network Act did not impose “penalties against non-compliance.”

3. Japan

Japan may not be a litigious society, but Internet providers seem to have faced their share of claims. In Japan, running a bulletin board service in 1997 might render you liable for the defamation occurring on that service. That year, a Tokyo trial court held Internet service provider Nifty Service liable for failing to delete defamatory messages. A heated exchange on a forum titled “Contemporary Ideas” had resulted in defamatory posts, which the forum’s manager left up, “apparently believing that continuing the discussion and trying to engage the parties in a more issue-oriented dialogue would address the problem.” It was not until 2001 that the Tokyo High Court would reverse the decision.

That same year, the Diet passed the Law Concerning the Limits of Liability for Damages of Specified Telecommunications Service Providers, under which a telecommunications service provider would not be liable for the actions of its users unless it knew, or where there was “reasonable ground to find that said relevant service provider could know[,] the violation of the rights of others was caused by the information distribution via said specified telecommunications.” Like the European approach, the law applies to all intermediary activity, whether involving copyright, trademark, or tort claims. By imposing not only an actual knowledge-and-takedown approach, but also a more vague “reasonable ground” that the provider “could know,” the 2001 limitation law was a pale shadow of the American § 230 from the perspective of Internet enterprises.

In 2002, the popular bulletin board service 2Channel was held liable using the approach of the 2001 law (but not its text because the complained of acts occurred before the law became effective). The court found that the site’s “management had been unreasonable in its refusal to remove the offensive posts when requested.” The posts arose on a thread entitled “Corrupt Animal Hospital.” 2Channel was fined 4 million yen (approximately $40,000) in damages. Salil Mehra suggests that while this was “not a particularly large amount, . . . it was a strong enough sign to change the behavior of 2Channel’s management.” The site’s duty to remove the infringing posts was upheld on appeal.

B. Copyright

1. European Union

Two directives help frame the inquiry of intermediary liability for copyright infringement in the European Union. As described above, the Electronic Commerce Directive of 2000 provided a set of exemptions from liability for “information society services” that store information at the request of users, including immunity from copyright infringement claims. The 2001 Copyright Directive offered an enumerated and exclusive list of exceptions to the rights of copyright holders.

The two directives proved inferior to their U.S. counterparts from the perspective of Internet service providers for the opposite reasons. While the Electronic Commerce Directive followed the DMCA’s Title II in granting Internet service providers certain immunities arising from web hosting activities, it did not specify the exact circumstances that would guarantee freedom from liability. At the same time, the very specificity of the Copyright Directive undermined its usefulness to web enterprises. Rather than an open-ended doctrine of fair use, European law allowed only specified exceptions to the exclusive rights of the copyright holder. These proved less flexible in responding to technological developments than American fair use, which allowed a court to consider each new case individually based on multiple factors. As one British scholar notes, fair use “provide[d] the courts with some flexibility of response to change in the way copyright works are disseminated and used, whether arising from new technologies, social behavior or institutional structures.”

Even as late as 2008, European lawyers could only advise, “[T]he scope of liability of Web 2.0 websites is an unsettled point of law.” It was only at the end of 2011 and the beginning of 2012 that the European Court of Justice made clear that Internet intermediaries could not be required to affirmatively filter their entire networks for copyright infringement. In cases brought by the Belgian collecting rights society, SABAM, against Internet access provider Scarlet and online social network Netlog, the court held that enjoining these companies to filter on behalf of copyright owners uploads by all users would violate the privacy and speech rights of users, and would be unduly costly and burdensome to the Internet enterprise. While the judgments in SABAM v. Netlog and Scarlet v. SABAM clearly support Web 2.0 enterprises, they arrived nearly a decade after the rise of such companies across the ocean.

2. South Korea

Korean law offers only weak protection for Internet intermediaries accused of abetting copyright infringement. In 2003, Korea adopted special provisions to regulate and protect online service providers (OSPs). However, the liability limitation

operates differently from the safe harbor provisions in the DMCA in that it does not provide a qualifying OSP with a complete indemnity against secondary liability: the preventive measures undertaken by the OSP only serve to limit or reduce its liability, and only provide a complete indemnity when these measures are ‘technically’ infeasible or ineffective to prevent or stop the infringing activity.

Korean peer-to-peer file trading service Soribada, having been warned by the courts that it could be held liable for the copyright infringement of its users, instituted a filtering system that “would deny a user’s request to download a file for which the copyright holder had specifically requested protection.” The Seoul High Court ruled against Soribada nonetheless, suggesting that Soribada could have designed its system to permit downloads only of music files for which the copyright owner had provided a license. This legal entitlement creating an opt-in system rather than an opt-out system has tremendous market importance, as few people (or companies) alter the default setting. This is what Lawrence Lessig characterizes as a “permissions culture”—ask first, before doing. In 2009, Korea introduced the world’s first graduated response law, a provision widely sought by the content industries. Under the law, the Ministry of Culture, Sports, and Tourism can order a website hosting infringing material to remove that material, and to disable accounts of repeat offenders. Furthermore, the government can shut down the website itself if it fails repeatedly to remove material, after warning. Some suggested that graduated response could be used to silence political criticism “such as Agora, a discussion board operated by Daum (www.daum.net), which was a seedbed for anti-government criticism during the controversy over the beef issue.”

3. Japan

In Japan, developing a peer-to-peer file sharing service in the last decade might get you arrested. In 2002, Isamu Kaneko, a researcher at the University of Tokyo’s School of Information and Science Technology, began distributing a peer-to-peer file-sharing program he wrote called “Winny.” In May 2004, he was arrested for copyright infringement because he continued to distribute his program, despite being aware that some used it to infringe copyrights. After his arrest, Kaneko, an “idol” among programmers who had taught a series of lectures to nurture “superprogrammers,” resigned from his University position. In December 2006, the Kyoto District Court found him guilty, decrying his “selfish and irresponsible attitude” and concluding that he knew that Winny “was being used to violate the law and allowed users to do so.” Yet, the judge conceded that “Kaneko did not specifically intend to cause copyright violations on the Internet.” He was fined 1.5 million yen for the infringement. The Japanese Supreme Court would ultimately clear him of all charges, but not until December 2011.

Japan’s 2001 law limiting liability for Internet service companies in certain circumstances was far less friendly to such companies than the DMCA. Rather than the relatively clear safe harbors of the DMCA, Japan’s law removed any protections if the provider knew or should have known of infringement occurring through its service, a far more uncertain standard, given the likelihood that some users will infringe on any Web 2.0 service.

While legal clarity can sometimes help Internet companies, it can also undermine them. Like Europe, Japan enumerates specific exceptions to the rights of copyright holders, rather than the open-ended approach of American fair use law. This means that unless the particular action is authorized by an enumerated exception, it violates copyright. The lack of an explicit exception even made illegal the act of uploading a photo of artwork on an auction site in connection with its sale. Because this act was not for news reporting, criticism, or research (the enumerated exceptions), it was declared illegal. In 2009, the Diet finally amended the Copyright Act to allow the use of thumbnails of a copyrighted work for an online auction. Acts that Americans take for granted—such as the posting on a blog of a souvenir picture of Disneyland—can also potentially run afoul of Japanese copyright law, even after the 2009 amendment. The enumeration approach has led many to worry that new uses, especially ones made possible by new technologies, might not qualify for the exceptions. As one Japanese academic notes, “[I]f copyright exceptions are interpreted strictly by courts, most daily use might be copyright infringements.” Japanese legal scholar Tatsuhiro Ueno portrays the end result of these rules: observing the existence of an American research website collecting cases of musical infringement stretching back over one hundred years, Ueno notes, “[I]f the same exact website were established in Japan, it would constitute an infringement of the right of public transmission.” Another Japanese intellectual property scholar concludes, “Without a proper balance [between copyright protection and innovation], any company that wants to introduce new technology services may be too cautious to start its business.”

Prime Minister Cameron’s concern about whether English law would have permitted Google might have also held true for Japan until 2010. Because of the lack of a broad fair use provision in Japan, the copying required for a search engine to function needed an express exemption from the copyright holder’s rights. Lacking such an express exemption, search engines faced the prospect of being illegal, until a 2009 amendment permitted search engines to copy copyrighted works for the purpose of displaying search results. Before this amendment went into effect in 2010, Google’s Fumi Yamazaki asked, “Did you know that running a search engine index server in Japan is illegal . . . ?” Yamazaki reports that before the amendment went into effect, “search engines in Japan such as Google and Yahoo inevitably kept their servers outside of Japan.”

This was consistent with the damning advice of a programming professor in the wake of the Winny conviction. Shinji Yamane, a researcher at the International University of Japan’s Center for Global Communications, reported that after Kaneko’s conviction, his own students were “concerned about their products potentially violating the law.” Yamane continued, “I tell them to release the software overseas.”

This seems to have been the route followed by the popular Internet bulletin board, 2Channel, founded by Hiroyuki Nishimura in 1999. In 2004, The New York Times reported that Nishimura paid $20,000 a month to a company in Palo Alto to host the Japanese language service. While some might suggest that this simple sleight of hand might successfully avoid all the restraints I described earlier, that may not be so clear. In 2009, Nishimura sold the site to a Singaporean company, despite the fact that, according to Wired, the site generated 500 million page views per month. His foreign webhost had not prevented a “sea of litigation” against him and judgments amounting to millions of dollars. The legal risk involved in the operation may well have made it difficult for him to raise capital to, for example, take the site global.

C. Privacy

1. European Union

As James Whitman describes, European privacy law is a world away from the American laissez-faire approach. In October 1995, at the same time that the Clinton Administration was declaring its support for industry self-regulation, the European Union was announcing its elaborate and demanding Data Protection Directive. The 1995 Directive requires “unambiguous” consent before the automated processing of personal information. It further requires that information that is gathered must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Rather than a sectoral approach imposing obligations on certain health care and financial providers, European law offers omnibus protections covering all personal information. Certain categories of information processing—political, health, or sex-related information—are regulated even more tightly. The Directive requires that data controllers secure personal data against accidental or unauthorized disclosure. This Directive posed significant constraints on Web 2.0 enterprises, limiting their information-gathering and -sharing functions.

A 2002 directive, the Privacy and Electronic Communications Directive (the E-Privacy Directive), added even more constraints. The E-Privacy Directive included a broad requirement to ensure the confidentiality of communications, and banned the “surveillance of communications . . . without the consent of the user[].” The Directive required “clear and comprehensive information” before a company could store information such as cookies (used to track web behavior), and required the site to offer the ability to opt out of cookies. Such rules complicated the behavioral monitoring necessary for targeted advertising. They made it difficult to garner the datasets about an individual that might enable companies to know better how to cater to his or her interests (and means). Over the years, the E-Privacy Directive was interpreted and amended in ways that largely confirmed its constraints on tracking and information gathering, thus disabling sophisticated marketing capabilities.

The astonishing reach of the Data Protection Directive can be seen in the case known as Criminal Proceedings Against Bodil Lindqvist. Lindqvist was a Swedish parishioner who published a website to assist fellow churchgoers in their confirmation process. She published personal information about her fellow parishioners on this site without their consent, including the fact that one person had “injured her foot.” For this, she was criminally prosecuted under the Swedish law implementing the Data Protection Directive. The European Court of Justice held that Lindqvist had indeed violated European privacy law because she had processed personal information about others (by making it available on the web), without their permission. What would have been readily protected under the First Amendment in the United States was subject to criminal prosecution in Europe.

In another notorious case, Google executives were convicted in Italy of crimes against privacy for not taking down rapidly enough a video ridiculing a disabled child. The executives were convicted specifically of the crime of “illicit treatment of personal data” (trattamento illecito dei dati) because “with the purpose of obtaining a gain they participated in the processing of the video [by distributing it through YouTube] containing health data of the disabled teenager without his consent.” The February 2010 convictions were overturned on appeal in December 2012, but the convictions demonstrated the ambiguities of a law that might sentence Internet executives for not policing their services sufficiently. This case again demonstrates what James Whitman describes as the “‘radically different’” laws on both sides of the Atlantic on the liability of Internet providers for privacy offenses.

2. South Korea

South Korean law offers substantial omnibus protections for privacy online. South Korea’s 2001 Network Act was modeled in part on the OECD Guidelines, as well as the German Online Service Data Protection Act (Teledienstedatenschutzgesetz) of 1997, which was itself passed to implement the 1995 European Data Protection Directive. The Network Act requires data processors to “obtain as little amount of personal data as required for the provision of the services,” obtain consent of the data subject for data processing, and safeguard security of the data. Failure to comply can result in fines, imprisonment, or both. In 2011, Korea passed an additional data protection law, the Personal Information Protection Act (PIPA), which, among other things, established a right to file class actions in court over alleged violations of the law. The new law requires privacy assessments by large database developers. Wherever there is an overlap between PIPA and other privacy protections, the stronger provisions will apply.

Korean privacy law is not a paper tiger. The law establishes a standing committee to mediate personal information disputes, with the power to award enforceable awards once mediation is selected. The committee awards compensatory damages “in almost all cases” where a privacy breach is found, with damages typically ranging from U.S. $100 to U.S. $10,000. The Korean authorities receive more than 17,000 complaints per year.

3. Japan

Japan enacted an omnibus privacy statute, the Personal Information Protection Act, in 2003. While explicit consent does not seem to be required before the collection of personal information, businesses cannot obtain personal information from individuals by “fraudulent or other unfair means.” The data collector must provide notice of the intended uses of the data. If plans change for the use of the information, “the change must not exceed the scope ‘reasonably recognized as having an appropriate connection with the original [p]urpose of [u]se.’” Businesses cannot share personal information with third parties without the consent of the data subject. Businesses also have security obligations with respect to the personal data. Japan does not provide a private cause of action for data privacy violations, and even though consumer centers and the government receive over 12,000 complaints per year, the enforcement record remains unclear.

D. Application: Social Networks

The legal regime has influence in ways that are often difficult to perceive. Consider Facebook’s signal feature—its “News Feed,” which automatically supplies to your own Facebook page all the activity of your Facebook “friends.” Introduced in 2006, the feature met loud protests. Some mocked Facebook as “Stalkerbook,” and some called for a “cyber-revolt.” A student at the University of Illinois, Kiyoshi Martinez, summarized the concern: “Every change I make becomes broadcasted with a bullhorn to everyone—all my friends.” Even though the information broadcast through the news feed was technically available to everyone who took the trouble to check out each of their friends’ homepages, this changed the valence of activity on Facebook. Individuals who had posted to their webpage, expecting that they were sharing information only with those who would take the trouble to come visit their site, now found that their information was being shared among their friends without their friends’ having to leave their own homepages. Many people belonged to school networks, so that any relationship changes were broadcast essentially to the entire student body. Responding to the protests, Facebook offered users the ability to limit the feature somewhat.

Could Facebook have introduced such a feature if it had been a European company? The feature did not pose any real technological hurdle (though Facebook now owns a patent for it). The idea and the willingness to implement it were all that were necessary. The European Data Protection Directive requires an individual’s “unambiguous” consent before any automated processing of personal information about that person. Facebook certainly did not ask its users to opt into this feature—it automatically included all of its users in broadcasting their information to their network, unless they opted out of such disclosures. The public protest in the United States at Facebook’s chutzpah (as it was then decried, now what many might consider prescience) was not followed by governmental action. Could a European social network have adopted such an innovation? Could Korea’s Cyworld social network, launched in 1999, have introduced such a feature without meeting the ire of the Korean authorities? Could Japan’s Mixi social network, launched at the same time as Facebook in February 2004, have tested the law with such a move?

An exception to my general claim (also involving Facebook) demonstrates the rule. When Netflix, the world’s most popular Internet movie service, rolled out its integration with Facebook, the world’s most popular social network, it offered the service in forty-four of the forty-five countries in which it operated. The missing country? The United States. An obscure, narrow privacy statute proved what Netflix described as an insurmountable block to information sharing between Netflix and Facebook. In 1988, in the wake of the revelations of Supreme Court nominee Robert Bork’s video rental records, Congress made it illegal for a video rental service to reveal video rental records of any customer without that customer’s contemporaneous permission. This Video Privacy Protection Act had an unexpected consequence some two decades later—effectively barring Netflix from sharing the video rental records of one Facebook user with that person’s Facebook network unless the first user consented to the sharing for each video (rather than through a blanket prior consent). Congress provided for a private cause of action, with minimum statutory damages of $2,500 for each violation. For a company like Netflix, with some twenty million American subscribers, the fines for ignoring the statute could conceivably entail a judgment in excess of its market capitalization. A relatively obscure and narrow privacy statute had foiled the social networking plans of two enormous multinational corporations (at least until they lobbied to have the law changed). Imagine the consequences of far broader and more demanding privacy laws outside the United States.

***

But what of Germany’s StudiVZ, Japan’s Mixi, Spain’s Tuenty, and South Korea’s Daum and Naver? Should not these services be illegal as well? How can we explain the emergence and persistence of indigenous European Web 2.0 enterprises if the local law is so adverse to their existence? In part, these companies can shelter under the operations of their American counterparts, at least now that the American firms are well established. If local authorities challenge them, those authorities may be implicitly threatening the American colossi. Legal risks may well make it more difficult for them to raise capital to scale up. Perhaps even more importantly, the law hampers their ability to innovate, to offer new services (e.g., a map of their world, a timeline of their life, a tracking of their movements, a seamless link between the individual and corporations with whom she relates). One might note that Facebook and Google have come to increasingly dominate in both Germany and Spain, despite what one might suppose to be the local advantages of StudiVZ and Tuenty.

III. Avoiding “from Wow to Yuck”

Innovation scholar Vicki Colvin warns about a “wow” to “yuck” trajectory for nanotechnology. Speaking before Congress in 2003, she worried that the early enthusiasm for this new technology would be replaced by popular revulsion in the face of its unintended consequences. Colvin advised, “The good news is that it is not too late to ensure that nanotechnology develops responsibly and with strong public support.”

Silicon Valley too has captivated the world, becoming the paragon of a knowledge economy. Its enterprises have utilized the Internet and the World Wide Web to develop history’s most powerful and popular platforms for instant communications. These firms improve the productivity of workers and disseminate knowledge across the world. Individuals increasingly learn through tutorials posted on YouTube. Facebook, YouTube, and Twitter played key roles in mobilizing support for those seeking to depose Arab tyrants by allowing citizens to express their grievances, inform each other, and organize together.

At the same time, by becoming the global engines for communication, Silicon Valley enterprises have also become hosts for insults, lies, and hate speech. The enterprises know more about us than other companies, or even most governments, have ever known, holding dossiers that might have impressed the Stasi. Today, companies know what you read, what you search for, who your friends are, what you buy or browse, your politics, and your sexual orientation. Armed with this information, American Internet companies have helped to rat out dissidents in authoritarian states. In the hands of an authoritarian (or even democratic) government, “does the Internet render an entire population prisoner to a national Panopticon?” An example from the brick-and-mortar world hints at the concern: the American retail store Target figured out a teenager was pregnant before her father did, likely based on monitoring of in-store purchases. This clearly falls on the “yuck” side of customer profiling.

The legal historian Morton Horwitz decried what he believed to be the subsidies that the law implicitly offered to industrialists in the nineteenth century: “forced subsidies to growth coerced from the victims of the process,” he charged. Horwitz argued that the “tendency of subsidy through legal change during [the antebellum years] was dramatically to throw the burden of economic development on the weakest and least active elements in the population.”

The subsidies offered to Silicon Valley enterprises through legal privileges were not without their costs. Return to the plight of actress Christianne Carafano, subjected to a “cruel and sadistic identity theft.” A malicious person using a computer in Berlin posted a false dating profile of her, providing her actual address. Once the website learned of the wrongdoing, it hid the profile and later deleted it. When she sued Metrosplash for permitting such a profile in the first place, her case was thrown out, barred by § 230. Even with a notice-and-takedown regime, as preferred by some critics, Carafano would not have had a case, given that Metrosplash seems to have promptly corrected the falsehood. But § 230 would likely have immunized Metrosplash even if it had left the material up because it did not have a hand in producing it. And chasing the wrongdoer utilizing a computer in Berlin might have proven difficult.

The costs of the privileges provided to Silicon Valley were widely dispersed. The victims included individuals whose privacy was jeopardized and others who were defamed through web services. In Mancur Olson’s terms, they (or perhaps we) are a classic “latent group,” dispersed and unorganized, and thus at risk of losing in the political process. Yet, the political economy is not entirely so clear. A large, well-organized, and economically powerful constituency—Hollywood—did in fact lobby against Silicon Valley’s exemptions. This resulted in a stricter intermediary liability regime for copyright than for tort. The political economy analysis is complicated further by the fact that the results are not consistent across jurisdictions. The intermediary liability rules in Europe, South Korea, and Japan proved quite different, as we have seen.

A focus on costs alone would be woefully incomplete. While the costs of Silicon Valley’s privileges were widely dispersed, it is important to note that so were their benefits. Most of us have gained from our greater access to knowledge, and from our ability to speak directly to the world and to hear directly from it, and to engage and enlarge our social networks. Imposing strict obligations on intermediaries might well come at the price of both speech and innovation.

Are there ways to minimize the negative consequences of a no-liability, laissez-faire regime for Internet firms yet preserve the “breathing space” that such firms clearly need to innovate? Some have suggested that the notice-and-takedown regime employed for copyright should be extended to defamation. Some law and economics scholars (including Nobel economics laureates Kenneth Arrow and Gary Becker) have suggested that Internet intermediaries can deter copyright infringement “at low cost and without any significant interference with non-infringing uses.” Others would suggest that the law tilts too strongly in favor of copyright holders: Pam Samuelson has argued that the DMCA’s Title I favored the copyright industries, harming the information technology industries in the process. Many have bemoaned the lack of substantial privacy protections in the United States, arguing that we should “renegotiat[e] [the] Faustian bargain” struck between web users and websites. These are all controversial suggestions, some of which might even pose an existential threat to a free Internet (here I mean free, as in beer).

Should we see these legal privileges as a way to kick-start an infant industry (and thus temporary), or as a response to the fundamentally new nature of such enterprises (and thus permanent)? Was a modification to tort law the best way to subsidize the new industry of Internet services? Economists often prefer subsidization through direct transfers, rather than the relatively opaque adjustment of the law. But given the fact that liability exposure might have shuttered the business entirely, only very large direct transfers might have served to counter the legal risks entailed in continuing. Indeed, bringing on new users might have generally proven uneconomical because statutory damages were far in excess of actual damages.

It is possible that the promise of a strong privacy-protective legal framework might be attractive to consumers. Viviane Reding, the EU Commissioner responsible for Justice, Fundamental Rights and Citizenship, justified a stronger, unified European privacy regime, in terms starkly resounding in regulatory competition: “The new rules . . . give EU companies an advantage in global competition. . . . [T]hey will be able to assure their customers that valuable personal data will be treated with the necessary care and diligence. Trust . . . will be a key asset for service providers and an incentive for investors . . . locating services.” However, thus far there seems to be little migration from American social networks to European or Asian ones, drawn by stronger privacy regimes.

The legal moves described here in the United States have helped facilitate the “wow” of the World Wide Web, but they might also usher in the “yuck.” We need to ensure that in our zeal for promoting Internet enterprise, we do not haphazardly create the conditions for a dystopia.

Conclusion: The Hacker Way

Mark Zuckerberg calls his approach to innovation the “Hacker Way.” “Move fast and break things,” he tells Facebook’s designers and engineers. But because of Clinton, Congress, and the Courts, most of the time Facebook’s amazing innovations did not break the law.

In the same month that Zuckerberg revealed this in the company’s IPO prospectus, another major investment was made in a social media enterprise. The Japanese firm Rakuten led a $100 million investment into Pinterest, a website that allows an individual to copy any image across the web to post on one’s own scrapbook page. Were it not for safe harbors in the law, Rakuten would likely have been loath to invest in a company whose business model relied on its users’ engaging in rampant copyright infringement. Even more important, without such safe harbors, people everywhere would have been denied a simple way to express themselves and to share what they love with the world.

Facebook and Pinterest exemplify the “democratic experimentation” that Lawrence Lessig foresaw in 1995 arising from the new cybertechnologies. While Lessig worried about stultifying regulation of this new medium, over the next half-decade, we saw active intervention by both Congress and the Courts, but largely designed to limit the reach of existing law. This made possible the democratic experimentation of companies like Facebook and Google, which introduced innovations subject largely to the approval or disapproval of users rather than the law. A brilliant Japanese entrepreneur during the same period might find the police knocking on the door.

Footnotes