Escaping Your Online Mistakes: Should There Be a Law?

Should a law protect your right to take back those tweets?

July 4, 2011, 6:16 PM

July 5, 2011 — -- How many times in your online life have you wished for a "do-over"? That kind of Jimmy Stewart "It's a Wonderful Life" second chance to make something -- a photo, a Karaoke Bar performance caught on video, an ill-fated online tirade, or a 140-character Twitter poison dart -- disappear as if it had never happened? Because so much of our lives are now chronicled and archived on the Internet, some have begun to look for a way to make this happen, perhaps in the form of an almost magical "eraser button" or through a legislative mandate creating a so-called "right to be forgotten."

These efforts are gaining traction in the European Union, where regulators are considering ways to create a legally enforceable "right to be forgotten" online. Depending on the scope of this "right," it could give people the right to demand removal of any information that appears about them online. The European Commission has voiced its support for the creation of such a right, arguing that people, "should have the 'right to be forgotten' when their data is no longer needed or they want their data to be deleted."

Laws Spread in Europe

The idea already has a strong foothold in Europe. In France, the idea is characterized as le Droit à l'Oubli (the right to oblivion). In Germany, the idea has already featured in a court case involving two notorious convicted murderers who served their time and now want the stories of their crimes expunged from the U.S.-based website Wikipedia based on their rights under German privacy law. And in Spain, Google has come under attack for invading personal privacy in breach of the country's "right to be forgotten" law that allows people to control information about them. Google's alleged violation of the Spanish law? Returning search results for websites that include inaccurate or outdated information about people. (Google is fighting the claim.)

Here in the U.S. we have no "right to be forgotten." Users have some rights under a patchwork of privacy laws, scattered across various sectors (including the financial and health care sectors), which protect personal information to various degrees and provide users with some limited ability to correct or have removed erroneous information (such as reports of missed payments on one's credit report). Recently, there have been calls for the creation of some kind of "eraser button" that could be used to "disappear" information from social networks. But any description or implementation of a "right to be forgotten" here in the U.S. remains vague and undefined. There's a good reason for that: the complexities inherent in the idea of controlling the flow of information online are legion, and the U.S. Constitution protects speech that some people would like to forget.

Protecting Both Privacy and Free Speech

The concept of a "right to be forgotten" is at once seductive and deceptive. Seductive because it plays to that visceral longing for a second chance that lingers in all of us; deceptive because, while the notion is easily grasped, a thoughtful discussion on the issue quickly becomes mired in a labyrinth of complications. Here's a thumbnail view of a few broad scenarios and the questions that underlie a "right to be forgotten" in different settings.

The most obvious scenario is when a user provides the data herself in a setting she expects to control, such as when you fill out a social networking profile, create a YouTube channel, or post in your personal blog. Another scenario is when a user posts information on someone else's online space – when you post comments on someone's blog, respond to a friend's Facebook status updates, or write a restaurant review and post it on Yelp. A third situation arises when a third party copies information from the previous two scenarios and posts it elsewhere. This would include when someone retweets your Twitter post, quotes your comment to a news article in their own reply comment, or perhaps takes a screenshot of an argument between two Facebook users and posts it to their own blog.

The 'Right to Be Forgotten'

In considering a new "right to be forgotten" in the context of the three scenarios presented above, many policy and technical challenges are evident. The first scenario is the simplest to interpret, and even that raises questions. It seems clear that a user should be able to request that a site or content host to remove information that user initially provided from the user's "own" space on the site -- you should be able to delete your profile page or the blog you created. But should a site that provides a platform for multiple users to communicate -- a description that covers most user-generated content sites out there -- be required to "forget" a user's contribution to aggregate data about use of the site, such as rankings, ratings, or "likes"? How much of the user's presence on the site must be erased? And does the scope of this type of "forgetting request" mean that the site owner has to scour all caches and backups when "forgetting" a piece of information, or is it sufficient for a site to render the information inaccessible to other users?

In the second scenario, where a user posts information to someone else's space and then seeks to make it forgotten, the questions get more complicated. How far out in the margin should this request be taken? Should users have a "right" to disappear their half of a conversation that takes place in the public comment field to a news article? (If you're inclined to answer "yes," then I'd ask if your answer changes if the user is, for example, a politician who comes to regret the statements he's made or the photos he's tweeted.) Some user-generated content platforms do allow their users to delete every trace of their communications from the site when the user deletes their account. When this type of policy is decided by a site individually, and voluntarily (rather than through a legal mandate), it raises far fewer First Amendment questions.

Free expression issues also abound in the third situation, when users want to remove information about themselves that has been re-posted to a third-party. A "right" to this kind of forgetting implicates news reporting, quoting for purposes of commentary and discussion, and fair use of another's work. In addition, there is the challenge of the third party site having to verify that the user requesting the "forgetting" is actually the subject of that data. This set-up lends itself to the kind of abuse stemming from a classic "heckler's veto" scenario. This asserted "right" would put website operators in the untenable position of making fine-grained judgments about users' identity, the truth or falsity of allegedly defamatory claims, and a host of other determinations necessary to protect users' free expression rights that no entity short of a court is equipped to make.

Your Online Mistakes: Should There Be a Law to Protect You?

And these are just the edge cases. As being discussed in Europe today, the "right to be forgotten" could extend to any information about a person, whether they originally published it or not. Should a politician be able to tell a blog not to report truthful information that he deems unsavory or inconvenient? Should a popular athlete be able to tell the paparazzi not to reveal an embarrassing (but real) affair? Such an approach would run headlong into the fundamental free speech principles enshrined in our Constitution and law.

Instead of trying to implement a broad "right to be forgotten" that would trample the rights of other users, we would be better off working to create comprehensive privacy protections for users based on long-recognized principles such as transparency, data minimization, and individual access to data. If users better understand and have meaningful control over how their information is collected and shared in the first place, there would be certainly be less of a need to try to retroactively remove personal information after the fact. A narrowly-scoped "right to be forgotten" could even be part of such a framework, if clearly limited to a profile or account that a person had herself created and posted online (though, as noted above, there are messy complications even with that).

On the other hand, simply giving people the power to remove any unwanted information about them online would violate our fundamental values of freedom of speech and the press. People in this country want and deserve stronger privacy protections, but an all-encompassing "right to be forgotten," while alluring, would be unworkable, and unconstitutional to boot.

Leslie Harris is President and CEO of the Center for Democracy & Technology.