Who benefits when today’s courts designate digital data as expressive speech? Who then can claim their own First Amendment rights to sell our “speech”? When I want to ask such questions, I pose them to Ramya Krishnan. This present conversation focuses on Krishnan’s recent work as lead counsel developing an amicus brief for Columbia University’s Knight First Amendment Institute in ACA Connects v. Frey — a challenge brought to a Maine law requiring Internet service providers to obtain consent before using, selling, or disclosing their customers’ personal information. Krishnan, a staff attorney at the Knight Institute, works on topics related to government transparency, political protest, and social media. She has been at the forefront of litigation challenging “prepublication review,” which prohibits millions of former public servants from writing or speaking about their government service without first obtaining official approval. She also has led advocacy efforts calling on Facebook to create a “safe harbor” for digital journalism and for research focused on its platform. Krishnan has worked in the Australian Attorney General’s Department, where she litigated several high-profile constitutional and administrative cases, including in the High Court of Australia. Her writing and legal work have appeared in The New York Times, The Wall Street Journal, The Washington Post, and The Intercept.


ANDY FITCH: Let’s say that an everyday consumer basically has no choice but to interact with some quasi-monopolistic Internet service provider (or ISP). Let’s say this Internet user needs to present the ISP with personal data about her digital engagements and interests, so that the ISP can properly connect her to the Web. And let’s say that, along the way, the ISP also vacuums up any unencrypted data it wishes to grab, then claims First Amendment protections: First Amendment protections for the user, as the “speaker” “expressing” herself through this data; and First Amendment protections for the ISP, to sell this data to unspecified third parties. Somewhere in that complex exchange, most LARB readers will have lost the thread on how any of this relates to First Amendment free-speech concerns. So could you begin by offering ISPs’ own motive and rationale for claiming speech protections in such circumstances? And could you then offer a couple quick counterexamples of commonplace situations in which we perhaps communicate data through an external infrastructure (such as the postal service, or a cellular telephone network), but without expressly communicating to the entity that provides this delivery service?

RAMYA KRISHNAN: ISPs have extraordinary visibility into customers’ web habits. They can see the websites a customer visits, the length and time of her visits, her location, the device she is using, and any unencrypted data sent or received by her device. This information gives ISPs an intimate window into a customer’s life. For example, an ISP can infer a customer’s medical condition from her visits to personal-health websites, or her annual family income and investment choices from her visits to financial websites.

Increasingly, ISPs want to monetize this information. They want to use this information to target ads to their customers. They also want to sell this information to other businesses, to enable these clients to target their own ads. Using customers’ information in this way has become highly profitable. A 2019 Wall Street Journal article reports that by combining users’ browsing histories with voter-registration data, a provider “could theoretically identify households with a 25-year-old on the cusp of needing health insurance, and show those households ads for coverage.” As the article notes, marketers generally will pay a premium for such hyper-targeted ads.

ISPs claim that using customer data in this way is speech within the meaning of the First Amendment — and, as a consequence, that the courts should subject any law restricting this use to a rigorous standard of review known as “heightened scrutiny.” But this claim elides entirely the context in which ISPs first obtained such data. Customers share data with ISPs solely to facilitate the provision of a contracted service, namely broadband Internet service. By requiring customers to consent before ISPs can use this data, privacy laws like Maine’s regulate the terms of this commercial data exchange. While these requirements also burden ISPs’ later use of customer data, the law itself focuses on the terms of this initial exchange.

Certain exchanges of data can be expressive. But not every commercial data exchange is expressive, so not every law regulating such exchanges should be understood as a law regulating speech. We provided some examples in our brief. A person who mails a letter through the post office does not intend for this transfer to express anything directly to the post office — although she does of course intend to express a message to the letter’s recipient. The transfer of the letter is a purely functional one, meant to facilitate a service. Similarly, a person who carries a cell phone must turn over information about her physical location to her cellular-service provider, but she does not intend to express anything through this transfer of data, and no one would infer that she does. This transfer, like the transfer of the letter to the post office, is a purely functional one, meant to facilitate the provision of a service. A law requiring the cellular provider or post office to obtain consent before using customer data for purposes unrelated to the service should not raise any First Amendment concern.


So if “distinguishing regulations of economic activity from regulations of protected speech” remains a murky yet unavoidable legal task, how might we first parse data from speech — say by applying prevailing conceptions of protected speech’s “social meaning”? Which criteria can best help us to clarify where, in our modern world of endless data exchanges, speech does and does not occur?

The Supreme Court has long recognized regulations of commercial activity as distinct from regulations of protected expression. Regulations of commercial activity, it has said, generally don’t implicate the concerns that animate the First Amendment — and accordingly don’t usually warrant First Amendment review.

This principle applies even to commercial regulations that restrict “speech” as we colloquially understand the term. Nearly all commercial activity takes place through communication or expression, and thus nearly all commercial regulation touches on communication or expression in one way or another. As prominent First Amendment scholar Frederick Schauer has noted: “That the boundaries of the First Amendment are delineated by the ordinary language meaning of ‘speech’ is simply implausible.”

Once one accepts that proposition, the question becomes how to determine whether an activity is speech in the First Amendment sense. Here’s where the idea of social meaning comes in. As our brief explains, the Supreme Court has never categorically held that every commercial data exchange is speech protected by the First Amendment. To determine whether an activity is protected expression, the Court has looked to the activity’s social meaning. It has considered a number of factors, including: whether the activity belongs to a recognized medium of expression; whether it reflects an intent to convey a message, and whether the message is likely to be understood; whether it takes place within a relationship of relative symmetry, rather than within one of trust or reliance; whether it performs a function unrelated to expression; and whether it is intended to filter important information to the public.

Concentrating on social meaning enables courts to distinguish between commercial exchanges of data that do and do not merit First Amendment protection. For example, by asking whether an activity belongs to a recognized medium of expression, courts consider whether the activity plays an important role in informing and sustaining public discourse. By asking whether the activity in question filters new information into the public domain, courts consider whether the activity plays an important informational function in society.

To get a concrete sense of how one might apply this framework in practice, let’s take up the example of ISPs again. As our brief explains, the exchange of data between Internet users and ISPs obviously does not constitute a significant medium for the communication of ideas. In fact, the exchange does not serve any expressive function at all. When an Internet user wishes to connect to a website, her computer must send that website’s address to her ISP’s network. When she wants to deliver data to the website, a similar process takes place. She does not intend the data exchanges to convey a message to the ISP, to promote public discussion, or to filter new information into the public domain. As in the other examples we’ve discussed, she exchanges data solely to obtain a service, and she has no choice but to rely on the ISP to handle her data for the purposes of this service. No ordinary person would recognize that as speech in the First Amendment sense.


So if our courts did drop these criteria of “social meaning” in distinguishing data from speech, how might this compromise what legal theorist Laurence Tribe has referred to as: “The entire commercial speech doctrine…an accommodation between the right to speak and hear expression about goods and services and the right of government to regulate the sales of such goods and services”? And what sorts of intolerable personal-privacy consequences could you foresee in, say, financial, medical, educational, and telecommunications sectors? What barriers would still exist, for instance, before some firm could consider the biometric data my body emits all the time, or my DNA code, as protected “speech” — not just for me to “express,” but for them to sell?

While assessing an activity’s social meaning can be challenging, dispensing with the inquiry would be far worse. As our brief explains, it would unmoor the First Amendment from the values it is meant to serve, and transform it into a general-purpose deregulatory tool.

While the Supreme Court has held that “commercial speech” merits First Amendment protection, it has carefully defined this category of speech so that it doesn’t undermine the government’s ability to regulate economic activity. The Court has held that commercial speech includes “speech proposing a commercial transaction,” or advertising — on the ground that such speech plays a crucial “informational function” for consumers. At the same time, the Court has recognized the general principle that the government can regulate commercial transactions, despite the elements of communication or expression inherent in such transactions. For this reason, a law banning cigarette ads would receive First Amendment review, but a law banning cigarette sales to children generally wouldn’t, even though it would affect cigarette manufacturers’ ability to target ads at that demographic.

In the new digital economy, data is not merely information but a highly prized commodity — which some have called the “new oil.” If courts designated every commercial data exchange as speech within the First Amendment’s meaning, this would threaten the government’s ability to regulate an ever-growing swath of economic activity.

It would also call into question the constitutionality of a broad range of existing confidentiality rules and consumer-protection laws. We expose our sensitive data to others as an unavoidable consequence of living in the modern world. Because of this inevitable exposure, countless laws, regulations, and rules require recipients of data to safeguard it. Financial institutions get subject to restrictions on the disclosure of consumer information. Hospitals get subject to restrictions on the disclosure of patients’ medical information. Schools and universities have to comply with restrictions on the use of student records. Telecom companies have to comply with restrictions on the disclosure of information provided by their subscribers.

If courts treated every such exchange of data as protected speech, and every restriction on the exchange of data as suspect, all of these regulations would be imperiled. Regulated entities could challenge each of the restrictions I just mentioned, on First Amendment grounds. It’s doubtful many of these restrictions would survive. Many of these restrictions have come about through the messy give and take of democratic politics. They often rely on complicated schemes, riddled with exceptions. They would survive heightened scrutiny only if the courts diluted the strength of that review — an outcome that might end up weakening free-speech protections far beyond the commercial context.

In the face of this new reality, firms could (and maybe even would) claim a First Amendment right to sell the biometric data our bodies emit. Let’s take an example. Suppose you buy a wearable device that tracks your heart rate before and after a run. You provide this data so that the device can gauge your cardiovascular health, not so that the device manufacturer can use this data to target fitness ads to you — or can sell it to health-insurance companies for the purpose of better calculating premiums. Clearly, this isn’t the kind of exchange the First Amendment should care about. But if courts abandoned the exercise of assessing social meaning, and designated every data exchange as speech, then they may well apply heightened scrutiny when analyzing the constitutionality of a law requiring wearable-device manufacturers to obtain consent before using or selling customer data. And for the reasons I’ve just mentioned, this law may not survive.


Finally then, ISPs, like other prominent stewards of our digital infrastructure, might wish to present themselves as principled civil libertarians, more than profit-seeking scavengers. But here could you also sketch how today’s intrusive corporate data-mining already has a powerful chilling effect on our own potential exercise of freedoms of speech, inquiry, and association?

There’s plenty of evidence to suggest that corporate surveillance chills free speech online. In 2010, the FCC released a survey of broadband adoption, showing that 57 percent of Americans who had not yet signed up for broadband access worried about digital privacy. That same year, the FCC released its “National Broadband Plan,” which described privacy concerns as a barrier to the adoption and use of broadband. The National Telecommunications and Information Administration, a Commerce Department agency, has reached similar conclusions. In 2016, and again in 2018, this agency found that privacy and security concerns had caused a substantial percentage of Internet users to hold back from economic and other online activities, such as posting on social-media platforms, and expressing opinions on controversial or political issues.

This evidence boils down to the very simple fact that people behave differently when they sense somebody watching them. As Daniel J. Solove, a leading privacy scholar, has observed: “Being watched can destroy a person’s peace of mind, increase her self-consciousness and uneasiness to a debilitating degree, and can inhibit her daily activities.”

If we want to protect free speech in the digital age, we will need to safeguard online privacy. If we treat every commercial data exchange as protected speech, however, legislatures will find it much more difficult to enact new privacy protections. And as one ominous possibility for digital service providers, few of us may end up putting on that wearable device.