Global Consent Requirements for Online Behavioral Advertising

For this year’s virtual IAPP Global Privacy Summit, I participated in a recorded panel discussion on Global Consent Requirements for Online Behavioral Advertising, to try to provide guidance on how to comply with applicable laws and offer the right user options for running a behavioral advertising campaigns.

While I remain skeptical that consent is the right paradigm for behavioral ad targeting, it is the one that we have. Since both the law and technology are rapidly changing, let’s revisit this next year and revise.

The Tyranny of the Rings

I like the Apple Watch. This surprises me, because I’ve never enjoyed wearing watches. Since I’m an old, I remember the times before the mass adoption of mobile phones when watches were necessary for telling time. Even though I had a couple of fun Swatch watches and a Canal Street Rolecks, I carried a pocket watch. This was not merely an affect, but it allowed me to have some semblance of timelines without strapping something to my wrist.  But, once I started biking, running, and occasionally swimming in triathlons, I craved more data and picked up a Garmin GPS watch, and liked the concept of a smartwatch enough that I bought an Apple Watch Series 2. I’ve since upgraded to a series 5. 

While I still prefer the Garmin Forerunner 935 and its physical controls as a GPS sports watch for running, biking, skiing, and hiking, I happily use the Apple Watch, as an everyday notifier and computer (and soon, iPhone) unlock token. Because it saves me from typing in my computer password as much throughout the day and its Taptic Engine notifications are subtle and useful, I wear the Apple Watch every day and use it as my daily activity tracker.

Apple recently launched their Fitness+ video workouts, and as much as I hate exercise classes, I’m actually really digging it. Having a coaching program for at-home strength training and structured treadmill workouts is just what I needed for pandemic winter without going to the gym. Since I already pay for iCloud storage and Apple Music and will pay for Apple TV+, the Apple One bundle is a no-brainer. (This could be its own post, but despite the lukewarm reception at launch, I think Apple TV+ has a good batting average — Ted Lasso, Dickinson, The Morning Show, and For All Mankind are all very good to great shows)

Unfortunately, Apple’s fitness offerings are not smart or social enough. 

1. Be Smarter

Unfortunately, the Apple Watch’s activity tracking remains decidedly not smart. 

Apple’s fitness tracking paradigm is based on closing rings — setting daily goals for standing (which measure having at least one minute of activity per hour), exercise, and overall movement. Generally, I think this is a helpful set of metrics. Be active, get consistent exercise, and don’t be sedentary. As you beat your overall goals, Apple Watch suggests that you increase your daily movement target.  

The drawback of the Apple Fitness paradigm is that it rewards consistent moderate exercise, but doesn’t account for the way that many people incorporate activity into our lives. If I train hard on Monday, I shouldn’t repeat the exact same workout on Tuesday so that I can rest and recover. But Apple Watch will just tell you that you did well and go beat it again. Apple could add the concepts of days off from counting the rings, but it needs to think long-term. After all, wearing a fitness tracker regularly creates a whole stream of activity data to use to make recommendations. 

The Move target needs a daily activity floor and a weekly target. After a big workout day, the next day should likely be a recovery day. If I set the Activity goal low enough that I’ll meet it even on a recovery day, closing the rings provides little motivation. If I set the Activity goal high, I won’t meet it, which provides negative feedback. But if I have a weekly activity target, Apple Watch should be smart enough to know that I should be taking a rest day, but may encourage me to meet that daily floor. It can push towards higher peak or sustained efforts. Apple Watch should use its data, machine learning, and programs designed by fitness experts to give you a dedicated coaching plan. 

A coaching plan could also tie into Fitness+. Instead of just making sessions available on demand to pick and choose, it should offer structured training plans. Adding goal-oriented programs, like a First 5K training plan, with a defined set of challenges per week would work well with the achievement paradigm of closing rings. 

2. Be More Social

Since Ping, Apple has failed miserably at integrating social aspects into any of its services other than pure communications tools. (iMessage and FaceTime are pretty great.) The Fitness+ coaches are encouraging, even though like all trainers, they toe the line of being cloying overbearing. But where cFitness+ falls down against Peloton or  Zwift as leading indoor training programs, is in having a complete lack of meaningful interaction and competition. With Peloton, you can compete against your friends. In Swift, you can actually race them live and in real time. I enjoy using Strava to see what my friends are doing. It’s not just competition, but also inspiration. 

If you’re doing the same workout as a friend who has opted-in, show their stats, too, not just the generic burn bar. Make it easy to start the same workout at the same time with someone else. Where Peloton and Zwift both succeed is in having the ability to create the feel of a group class, even if the participants are physically distant. Syncrhonous and asynchronous competition would be great additions to Fitness+. 

Apple Fitness does allow activity sharing, but I believe it is sharing the activity rings and does not have fine-grained sharing controls. With Strava, I can choose which activities I want to be public, shared with my friends, or entirely private. While I don’t expect Apple Fitness to include a Share to Strava option any time soon, it would be nice to be able to share with friends and family, even if they don’t already have an Apple Watch. (Strava already allows you to import Apple Watch workouts into its app). Adding a way to asynchronously share your activity achievements with other people, even those who don’t have an Apple Watch or iPhone, would make accomplishments in Apple Fitness more gratifying. The lack of social features in Apple’s own services makes them lonely and isolating, rather than allowing users to create community. (Apple’s lack of social acumen is also why I keep thinking about going back to Spotify, even though I strongly prefer Apple Music’s integration with local, non-Apple Music media. Not only does it seamlessly integrate, but it also uploads your music to Apple’s cloud, so it’s accessible across any device.)

So Apple Fitness, be smarter and be more social. Support a varied set of training and have more opinions on how Apple Watch users can train to improve their fitness. Allow us to share our accomplishments in a way that isn’t just for your other friends who track their endurance sports activities on the internet or own a $2,000 internet bike. 

Expect Nothing, Get Less

Over the last few years, the personal blog as a medium has largely been supplanted by social media platforms. And as someone who is a reader more than a writer and struggles to put pen to paper, 280 characters is often enough to hold the entirety of my thoughts. And a Twitter thread works well enough for slightly longer thoughts.

However, I do want to do more structured medium-form writing and force myself to write here regularly. And while all of the kids and middle-aged ex-bloggers are starting newsletters on Substack, I worry that asking people to subscribe to yet another Substack is like asking your friends and co-workers to come to your bringer comedy show. So, I’m back to kicking it old-school, free-form.

For a blog that’s dipped below the one post per year threshold over the last few years, writing something weekly feels ambitious, but overdue.

Is this thing on? Man, is it dusty here. I’m experimenting with setting this up with I’m now taking bets on whether I make another micro post here…

Safe Harbor in Choppy Waters

EU Court of Justice.

Why a Safe Harbor? (briefly)

The EU recognizes the right to privacy with respect to the processing of personal data as a fundamental right and freedom. Directive 95/46/EC. This guarantees EU citizens with the rights to their personal data, including the rights to have the collection of their personal data limited to the minimum extent required, that the data is correct and accurate, and to access their stored data. The US does not have a comparable overriding principle about personal data privacy. (The Fourth Amendment regulates government search and various state laws regulate other privacy concerns, but not with the same general principles that we apply to the freedoms of speech or religion guaranteed by the First Amendment.)

Because privacy is a fundamental right, controllers of personal data in the EU can not transfer personal data unless the individual personal data will be treated with an adequate level of protection. Consequently, transfers of personal data that do not provide an adequate level of protection for personal data are prohibited.

Articles 25 and 26 of the Directive set forth the following:

Article 25. Principles

  1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
  2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
  3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
  4. Where the Commission finds, under the procedure provided for in Article 31(2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
  5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
  6. The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Article 26. Derogations

  1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) may take place on condition that:
    1. the data subject has given his consent unambiguously to the proposed transfer; or
    2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
    3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
    4. the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
    5. the transfer is necessary in order to protect the vital interests of the data subject; or
    6. the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
  2. Without prejudice to paragraph 1, a Member State may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
  3. The Member State shall inform the Commission and the other Member States of the authorisations it grants pursuant to paragraph 2.

While US domestic law and international commitments are not sufficient to protect the personal data of EU citizens, the European Commission had ruled that the transfer of personal data is permissible to companies that participate in the Department of Commerce Safe Harbor program. Participants in the Safe Harbor certify that their collection and use of personal data adheres to the standards required by the Directive. The Commission found this acceptable.

What happened to the Safe Harbor?
Max Schrems, an Austrian activist, lawyer, and Facebook user, filed a complaint with the Irish data protection authority to block the transfer of his personal information to the US. (Like many companies who take advantage of Ireland’s favorable tax laws, Facebook contracts with its users in the EU through its Irish subsidiary.) Schrems alleged that the transfer was unlawful, because the law and practice in force in the US did not ensure adequate protection of the personal data against surveillance activities by the public authorities, in particular the bulk collection practices of the National Security Agency.

The Irish Data Protection Commissioner ruled that because the European Commission found the Safe Harbor to provide an adequate level of protection, the transfer was lawful. Schemers appealed to the Irish High Court. In Schrems v. Data Protection Commissioner ([2014] IEHC 310), the Irish High Court ruled that under Irish privacy law, “a significant issue would arise as to whether the United States ‘ensures an adequate level of protection for the privacy and the fundamental rights and freedoms’ of data subjects, such as would permit data transfers to that country.” But, since Irish law has been pre-empted by EU law, the Commissioner must decide whether the EU Safe Harbor Regime remains valid and controlling, or whether individual data controllers have the authority to review transfers in light of the revelations about US data collection activities.

Today, the EU Court of Justice ruled in Schrems v. Data Protection Commissioner (C-362/14, 6 October 2015) that national data protection authorities have the authority to investigate whether the laws and practices of a country to where personal data is transferred provide an adequate level of protection for individual citizens. But the national supervisory authority does not have the authority to find an EU ruling invalid.

The Court finds a number of ways that the Safe Harbor is limited to misuse by the Safe Harbor participant, but fails to protect personal data from disclosure to any US Federal or state government. Because the safe harbor principles are applicable solely to self-certified United States organizations receiving personal data from the European Union, United States public authorities are not required to comply with them. Where US law imposes a conflicting obligation, US organizations whether in the Safe Harbor or not must still comply with the law.

While the Commission ruled that the Safe Harbor provides an adequate level of protection, the Court finds that the Commission did not properly establish that the Safe Harbor does in fact provide this level of protection:

“However, the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. …[It] does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security. Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.”

The Court finds the Commission decision that considers the Safe Harbor to provide an adequate level of protection to be invalid.

What next for US Safe Harbor Companies?


While the Irish Data Protection Commissioner and High Court have found that data transfers to the US do not provide an adequate level of protection, they have yet to rule Facebook’s data practices to be unlawful. Yet. Expect the other national data protection authorities to receive complaints about US company data collection practices.

In addition to Safe Harbor participation, other options for data transfers outside of the EU exist, including model contractual clauses for EU data controllers transferring data and adopting Binding Corporate Rules for handling data.

See Also
CJEU Press Release The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid
“In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.”

Mark Scott, New York Times, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid “The ruling, by the European Court of Justice, could make it more difficult for global technology giants — including the likes of Amazon and Apple, Google and Facebook — to collect and mine online information from their millions of users in the 28-member European Union.”

EFF, No Safe Harbor: How NSA Spying Undermined U.S. Tech and Europeans’ Privacy “The spread of knowledge about the NSA’s surveillance programs has shaken the trust of customers in U.S. Internet companies like Facebook, Google, and Apple: especially non-U.S. customers who have discovered how weak the legal protections over their data is under U.S. law. It should come as no surprise, then, that the European Court of Justice (CJEU) has decided that United States companies can no longer be automatically trusted with the personal data of Europeans.”

Sebastian Anthony, Ars Technica, Europe’s highest court strikes down Safe Harbor data sharing between EU, US “It’s important to note that the CJEU’s ruling (PDF) will not immediately prevent US companies from sending data back to the motherland. Rather, the courts in each EU member state can now rule that the Safe Harbour agreement is illegal in their country. It is is very unlikely, however, that a national court would countermand the CJEU’s ruling in this case.”

Photo credit: European Court of Justice, EQRoy /

1The Directive defines ‘personal data’ as any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

‘processing of personal data’ means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

Concepts, shipping, and secrecy

At Vox, Matt Yglesisas posits that Apple is losing the innovation race to Google: Google wants to reinvent transportation, Apple wants to sell you fancy headphones

There were two striking pieces of business news this week from America’s leading technology brands. On the one hand, Google unveiled a prototype of an autonomous car that, if it can be made to work at scale, promises to end mass automobile ownership while drastically reducing car wreck fatalities and auto-related pollution. Meanwhile, Apple bought a company that makes high-end headphones.…

But that’s exactly why it’s so disappointing to see Apple focused overwhelmingly on small-ball extensions of its existing franchise while Google goes for big plays.

Yglesias posits that one of the reasons that Google can make this big plays and Apple is playing small ball is because Google’s complete control by Brin and Page  (or their lack of lack of accountability to shareholders) allows them the freedom to experiment with big ideas. Apple is beholden to activist traditional shareholders who want the company to release its huge cash reserves to shareholders. 

However, there is no way to actually know if Apple is in fact working on big ideas or just making iPhones in new colors. Apple doesn’t announce new product concepts or share their work in development. Apple creates products, Apple announces products, and Apple ships products. Since Jobs returned to Apple after the NeXT acquisition, it focused on creating and shipping products. See e.g. John Gruber  in 2011 The Type of Companies That Publish Future Concept Videos and Kontra in 2008 Why Apple doesn’t do “Concept Products”. I’m sure that Apple is irking on all kinds of product variations and new product ideas in house. But without signing Apple’s restrictive NDA, we’re not going to know about those new ideas. 

Apple has a culture of obsessive secrecy and Apple employees do not leak information. Last year, at the D10 conference, Tim Cook announced Apple’s plans to “double down on secrecy.” By all indications, this has been successful.  

Tomorrow, Tim Cook and Apple’s senior executives will step on stage at WWDC, their annual developer conference, to announce OS X 10.10, iOS 8, likely introduce Jimmy Iovine and the Beats team. But aside from a “flatter design” or Healthbook app, we have no leaks on what Apple plans to introduce. This could be because either Apple is not coming up with any major innovations, or because Apple doesn’t leak them. The Apple rumors community hasn’t seen screenshots from either operating system. Apple watching is like Kremlinology. Apple doesn’t announce what their plans will be, but analysts have to infer those plans from third party sources of information. This is mostly through the supply chain and potential partners. Under Jobs, Apple was not afraid to be vindictive if partners leaked details about Apple products before Apple announced them. 

The majority of releases about Apple hardware come from sources within its manufacturing partners in Asia, whose employees and contractors are not as strongly incented to protect Apple’s proprietary and confidential information as Apple’s own employees. (This is unfortunately, why I am not optimistic about a new Retina Thunderbolt display or Retina iMac release tomorrow. I really do want a full-sized Retina monitor, but more importantly, a 12” or 13” laptop that can drive a 4K panel.)

From the roundup of rumors reported by Macrumors likely to be announced at WWDC tomorrow, all involve the types of applications and APIs that will rely on integration with third party hardware and/or software: Healthbook (integrating with fitness tracking), song identification (partnering with Shazam), mobile payments (partnering with retailers), smart home integration (partnering with hardware and software). Where rumors seem unlikely (major new hardware announcements) it’s because of the lack of smoke from the hardware supply chain.  Apple’s own innovations do not leak. 

This doesn’t preclude Apple announcing a wholly new product type that is not yet ramped for production. But if Apple only announces products, why would it announce something that it’s not ready to ship? Because, regulatory approval.

The single biggest product announcement that Steve Jobs made was the 2007 introduction of the original iPhone at Macworld. (Back when Apple presented a keynote at Macworld.) Part of what made the keynote so surprising was the audacity of the product. Apple watchers had been expecting an iPhone for a number of years, expected to be some kind of hybrid iPod and mobile phone, maybe with a click wheel or hardware keyboard. Most people were floored by the device, which Jobs announced as three things: a “widescreen iPod with touch controls,” “a revolution mobile phone,” and a “breakthrough internet communications device,” which, by the way, were not three different devices, but just one. 

Even though Apple announced the iPhone in January 2007, the first iPhones didn’t ship until June 27. Apple’s hand was forced to announce before release because the FCC requires manufacturers of wireless devices to obtain regulatory approval of devices that will transmit over the public airwaves. If Apple submitted the iPhone for approval before announcing it, rumors sites and the tech press would have uncovered all of the product details before Apple itself announced. If nothing else, Apple wants to control its message. New categories that require regulatory approval won’t be ramped for production and so we won’t see leaks.

But regulatory approval is also the reason that we are hearing so much about Google’s self-driving cars and Amazon’s drones. These are not only products that would require regulatory approval, but that would require significant changes to rules or legislation in order to be legal to use or sell. Any commercial aircraft, including autonomous aircraft, requires FAA approval. NHTSA is evaluating guidance and regulations on self-driving cars. In addition, each state will have different regulations governing the use of roads and driving standards, multiplying the lobbying burden for obtaining regulatory approval. 

Between attempting to catalogue all the world’s knowledge, create self-driving cars, and by acquiring Boston Dynamics, the creator of various military robots, do we as a society need to worry that Google is building Skynet

Broadband Universal Service

This past weekend, I spent time with family in the beautiful Catskill mountains. On the rainy day, we all became quickly frustrated with the speed of our pokey DSL internet connection.

Speed testing revealed actual speeds of 1.5 Mbps downloads and 0.4 Mbps uploads.1

In the FCC’s sixth broadband deployment report from 2010, the Commission redefined broadband as a minimum of 4 Mbps down and 1 Mbps up. A report today indicates that the Commission is considering upping the threshold of broadband to 10 Mbps down or higher.

Being far from the central office, Verizon indicated that we are lucky to have DSL at all and can not offer more speed, due to the noise in the length of the copper run.

While cable service is available in the denser Village of Hunter, the local Time Warner franchised monopoly will not run cable to the more widely spread out houses in the Town of Hunter.

So, what options are available?

AT&T has 4G LTE service from a tower on Hunter Mountain. This provides solid speeds, at over 20 Mbps. However, it only offers that speed for a fraction of a month. All of AT&T’s LTE plans have bandwidth caps. 10 GB of data per month at 20 Mb/second is approximately 4000 seconds of peak bandwidth, or just over one hour per month.2

Satellite internet access from HughesNet offers 10 Mbps downloads and 1 Mbps uploads for $60 per month. But it is also capped, at 20 GB per month. At half the speed and twice the cap, HughesNet offers peak bandwidth for nearly four and a half hours per month.3

Of course, even streaming video and downloading files is unlikely to use the full bandwidth available in a connection, so the lowest tier data cap is usefully for more than that. But metered broadband limits the use of the internet, just like metered dial-up AOL access in the mid-90’s.

When you think about the cost of streaming a movie, you’re less likely to stream a movie if there is a marginal bandwidth cost. In the context of entertainment, it’s no big deal. But what about the student trying to access online research and learning resources? Doesn’t it disadvantage students who can not access unmetered broadband, since the more they use internet resources, the more money it costs?

I’m sure there are research studies from the mid-90’s talking about how the transition from hourly dialup AOL to unlimited dialup internet access made the early commercial internet thrive.

In the twentieth century, the federal government undertook the efforts to connect every house in America to the electrical grid and the telephone network. The local phone company is required to provide every house with a dial tone. The local power company is required to provide every house with a connection to the power grid. If we don’t create universal uncapped service for broadband, we will quickly strand rural America back in the twentieth century.

For now, unlimited service throttled to 10 Mbps on a reliable LTE connection is far more useful and productive than 30 Mbps LTE capped at 10 GB of traffic per month. Will the wireless providers have enough spectrum and backhaul to provide that? What about the next generation internet? When will wireless be able to deliver 100 Mbps or 1 Gbps to the home? This is why we need a national initiative — subsidized by federal government — to bring common carrier fiber to every home in America. Allow broadband providers to compete for customers on the network, but require that every home has access to a 100 Mbps connection within the next 5 years. It may not be universal health care or universal end to hunger, but it is what America needs to do to stay competitive and connected.

1I forgot to screen capture the speed test results. This post would have been more impressive with screen caps!)

2Some rough back of the envelope math: 10 GB/month = 80 Gb/month = approximately 80,000 Mb/month. At 20 Mb/second, that is approximately 4,000 seconds of peak bandwidth, or 66.67 minutes.

3Some rough back of the envelope math: 10 GB/month = 80 Gb/month = approximately 80,000 Mb/month. At 20 Mb/second, that is approximately 4,000 seconds of peak bandwidth, or 66.67 minutes.

Good Morning, WordPress

After more than 10 years running my blog on an increasingly outdated install of Movable Type, I’ve migrated over to use WordPress. Exciting, right?

Hopefully, it will spur my creativity to write more, because the words might look fresher, or at least bigger.

Google Book Search is a Fair Use

Back in 2005, I wrote that Google Print “may single-handedly keep the copyright-related blog world in business for the next few years.” Eight years later, the Southen District of New York decisively granted Google’s motion for summary judgment that the book scanning project is fair use. The Authors Guild v. Google (SDNY, Nov. 14, 2013)
The book search does not provide a competitive substitute for the actual book:

“An ‘attacker’ who tries to obtain an entire book by using a physical copy of the book to string together words appearing in successive passages would be able to obtain at best a patchwork of snippets that would be missing at least one snippet from every page and 10% of all pages.”

1. The Purpose and Character of the Use
Google use of the scanned books’ text to create a search index and display search result snippets is “highly transformative. Google Books digitizes books and transforms expressive text into a comprehensive word index that helps readers, scholars, researchers, and others find books.”
While books are used to convey information, Google uses the text differently:

“Google Books thus uses words for a different purpose — it uses snippets of text to act as pointers directing users to a broad selection of books.
Similarly, Google Books is also transformative in the sense that it has transformed book text into data for purposes of substantive research, including data mining and text mining in new areas, thereby opening up new fields of research. Words in books are being used in a way they have not been used before. Google Books has created something new in the use of book text — the frequency of words and trends in their usage provide substantive information.
Google Books does not supersede or supplant books because it is not a tool to be used to read books. Instead, it “adds value to the original” and allows for “the creation of new information, new aesthetics, new insights and understandings.” Leval, Toward a Fair Use Standard, 103 Harv. L. Rev. at 1111. Hence, the use is transformative.

Even though Google is a commercial enterprise, it isn’t using the book scans in a commercial manner: “Here, Google does not sell the scans it has made of books for Google Books; it does not sell the snippets
that it displays; and it does not run ads on the About the Book pages that contain snippets. It does not engage in the direct commercialization of copyrighted works.”
Thus, the first factor “strongly favors” a finding of fair use.
Would the outcome here be different is Google ran ads against book content and searches? If it sold books through its own book store?
2. The Nature of Copyrighted Works
Books are the paradigmatic protectable copyrighted works — after all, copyright wouldn’t exist but for books. But works of fiction are entitled to greater protection than non-fiction books. Most of the books scanned by Google are non-fiction. Further, the scanned books are published and available to the public, which favors a finding of fair use.
3. Amount and Substantiality of the Portion Used
Google does scan the entirety of the works. However, full-text copying is required in order to be able to index and search the books. “Significantly, Google limits the amount of text it displays in in response to a search.” Because Google scans the entire works, the third factor weighs slightly against a finding of fair use.
4. Effect of Use Upon Potential Market or Value
Google’s book search does not replace or compete with actual books.

“Google does not sell its scans, and the scans do not replace the books. While partner libraries have the ability to download a scan of a book from their collections, they owned the books already — they provided the original book to Google to scan. Nor is it likely that someone would take the time and energy to input countless searches to try and get enough snippets to comprise an entire book. Not only is that not possible as certain pages and snippets are blacklisted, the individual would have to have a copy of the book in his possession already to be able to piece the different snippets together in coherent fashion.
To the contrary, a reasonable factfinder could only find that Google Books enhances the sales of books to the benefit of copyright holders. An important factor in the success of an individual title is whether it is discovered — whether potential readers learn of its existence. Google Books provides a way for authors’ works to become noticed, much like traditional in-store book displays. Indeed, both librarians and their patrons use Google Books to identify books to purchase.”

The fourth factor weighs strongly in favor of a finding of fair use.
Finally, Judge Chin rules, “Google Books provides significant public benefits. It advances the progress of the arts and sciences, while maintaining respectful consideration for the rights of authors and other creative individuals, and without adversely impacting the rights of copyright holders.”
This is a decisive ruling that scanning book content for indexing, searching, and educational purposes is fair use.
Discussion and Commentary
Evan Brown, Information Law Group, What the Google Book Search Fair Use Decision Means For Innovators: “Google’s use of technology in this situation was disruptive. It challenged the expectation of copyright holders, who used copyright law to challenge that disruption. It bears noting that in the court’s analysis, it assumed that copyright infringement had taken place. But since fair use is an affirmative defense, it considered whether Google had carried its burden of showing that the circumstances warranted a finding that the use was fair. In this sense, fair use serves as a backstop against copyright ownership extremism. Under these particular circumstances — where Google demonstrated incredible innovation — that backstop provided room for the innovation to take root and grow. Technological innovators should be encouraged.”
Matthew Sag, Google Books held to be fair use: “Unless today’s decision is overruled by the Second Circuit or the Supreme Court — something I personally think is very unlikely –, it is now absolutely clear that technical acts of reproduction that facilitate purely non-expressive uses of copyrighted works such as books, manuscripts and webpages do not infringe United States copyright law. This means that copy-reliant technologies including plagiarism detection software, caching, search engines and data mining more generally now stand on solid legal ground in the United States. Copyright law in the majority of other nations does not provide the same kind of flexibility for new technology.”
Ali Sternburg, DisCo Project, Google Books Opinion is a Win for Fair Use and Permissionless Innovation: “One key takeaway from this case is validating that companies can invest resources into creating tools that benefit the public without seeking permission from gatekeepers, if their efforts are transformative, which can involve copying and digitizing entire works.”
Joe Mullin, Ars Technica, Google Books ruled legal in massive win for fair use “In the long term, the failure to settle may result in more scanning, not less. If Chin’s ruling stands on appeal, a clean fair-use ruling will make it easier for competitors to start businesses or projects based on scanning books—including companies that don’t have the resources, legal or otherwise, that Google has.”
Timothy B. Lee, The Washington Post, Google Books ruling is a huge victory for online innovation “If the ruling is upheld on appeal, it will represent a significant triumph for Google. More important, it would expand fair use rights, benefiting many other technology companies. Many innovative media technologies involve aggregating or indexing copyrighted content. Today’s ruling is the clearest statement yet that such projects fall on the right side of the fair use line.”
Adam L. Penenberg, The Google Books decision is good for authors and readers “Although the two litigants were the Authors Guild and Google, and the guild vows to appeal the decision, it doesn’t represent my views. I’m glad it lost. I don’t agree that Google robs authors of income, because the vast majority of us don’t make a cent off our books in the years after they are published. If Google is willing to take on the task of scanning each book and making them searchable, then setting up a way for people to be able to buy them right there and then, it should also get a cut of the action.”
Will Oremus, Slate, Google Books Ruling a Win for Fair Use … and Rich Tech Companies: “The trick, it seems, is to steal so aggressively and profit so much that by the time the lawsuits hit, you’re rich enough to fend them off.”
David Kravets, Wired, Google’s Book-Scanning Is Fair Use, Judge Rules in Landmark Copyright Case “Google’s massive book-scanning project that makes complete copies of books without an author’s permission is perfectly legal under U.S. copyright law, a federal judge ruled today, deciding an 8-year-old legal battle.”