Welcome back for another week of What's Next, where we report on the intersection of law and technology. We've got a Facebook-forward edition for you today as the company treads new legal, regulatory and technological ground. Following a video of a faux Mark Zuckerberg declaring his power over “billions of people's stolen data,” the Electronic Frontier Foundation's David Greene takes us on a deep dive into deepfakes. Also, lawyers foretell the regulatory drama ahead for Facebook's new cryptocurrency Libra. Plus, the social media colossus cannot squash a data breach class action.

Zuckerberg's Deepfake: The Blurred Line Between Art and Defamation

Did you catch the video of Facebook CEO Mark Zuckerberg proclaiming his control over our online secrets earlier this month? David Greene did, and his initial thought was “Ugh, another deepfake controversy.” For the last 22 years, Greene has specialized in First Amendment law on behalf of nonprofits and avant garde artists alike. As the senior staff attorney and civil liberties director for the Electronic Frontier Foundation, Greene's role is to help advocate for free speech in the digital world. However, greater calls to regulate emerging technologies like deepfakes has Greene wanting everyone to slow down and take a breath, so that new guidelines don't suppress online creative expression.

➤➤ What did you think when you saw the Mark Zuckerberg deepfake?  I think what was most striking to me about the Zuckerberg deepfake, and the Sen. Nancy Pelosi one, was that it very quickly became clear that these were not genuine depictions. There really wasn't a moment when there was a concern that there was a belief that these were true depictions. Perhaps there was more of a moment with the Pelosi one. So, we didn't have the concern here that this was misinformation—what this was, was a demonstration of the technology.

➤➤What do you think about the DEEPFAKES Accountability Act proposed in the U.S. House of Representatives?  When I look at laws like this, I want to see that they include an intent to deceive, so that somebody who innocently disseminates deepfakes or who does it for parody, comedy or commentary, is not captured by something like this. I also look for intent to harm, whether that's intent to harass, cause emotional distress or interfere with an election. This bill has those elements in terms of the criminal prosecution, but it's less clear that the bill requires an intent to deceive or harm with the civil rights of action. One of the other things I look for is a requirement that the work be highly realistic, so that a reasonable person would be deceived. I think that's in this bill.

The bill also includes an exception for artistic works, and I think that is insufficient. In the case of artistic expression, generally there's not an intent to permanently deceive somebody. It is a well established commentary and advocacy technique to have people be momentarily deceived, so we do want to be able to preserve that. One way this bill is legally problematic is it doesn't seem to require that any harm actually has occurred. The U.S. Supreme Court in the United States vs. Alvarez seemed to say that merely having a law against false statements would render the bill unconstitutional.

➤➤ What are your policy recommendations for deepfake laws?  The law has been dealing with harms caused by false information for a long time. Defamation is one of the oldest continuously enforced torts in the common law system. We can use these existing laws to address the harms caused by deepfakes instead of saying that the whole technology cannot exist. If we're going to have laws, these laws should be addressed at specific usage of deepfakes.

➤➤ Which existing laws would apply?  We have lots of torts, defamation being the big one that's going to focus on the reputational harm involved with deepfakes. Many states also recognize the tort of false light, which focuses on harm to someone because of an offensive false statement about them. Some states treat false light and defamation as the same tort. For a false statement, if it's utterance is extreme and outrageous conduct, it could be the basis of an intentional emotional distress lawsuit. In the criminal context, there's crimes like fraud. The reason I look to existing law is because the law has developed very carefully and slowly over the years to make sure free speech rights are properly considered when we look at punishing people for disseminating or creating false information.

What Can We Expect With Libra Launch?

Facebook officially revealed the plan for its Libra cryptocurrency last week. Users will be able to pseudonymously use the currency to make purchases with Facebook's Calibra wallet via Messenger, WhatsApp or a standalone app. But Calibra is just one tool built on top of the open source Libra blockchain. A collection of global businesses, nonprofit and multilateral organizations, and academic institutions called the Libra Association will initially govern the platform, and Facebook is merely one member of the Geneva, Switzerland-based body. But launching a low-volatility cryptocurrency to create a more inclusive financial ecosystem is bound to set off some regulatory alarms. Crypto lawyers predict which regulations will spell trouble for Libra.

Securities regulations:  The launch of Libra highlights the need for statutory or regulatory guidance in this area said Roger Royse, the founder of the Royse Law Firm in Menlo Park, California. Crypto experts are especially hungry for some concrete direction from the Securities and Exchange Commission.

The chairman of the SEC has indicated that bitcoin is not a security because it is a medium of exchange, Royse said. “However, the SEC has also said that bitcoin and ether are not securities (like tokens in an ICO) because they are decentralized, meaning that no central person or group sponsored the creation and sale of the asset or plays a significant role in its development and maintenance. Not many digital tokens can start out 'decentralized' and I am not sure that Libra can meet that standard either, at least initially.”

Tax regulations:  Under the current tax law and guidance, every time users make a purchase with a cryptocurrency, they have to calculate a capital gain or loss on the sale of that asset, said Andrew Gordon, managing attorney for Gordon Law Group in Chicago.

“Libra wants to be used in its platform and all these partner organizations want to be able to accept Libra, well, is the user going to have to calculate a gain or a loss every time they buy coffee or a donut?” Gordon said. “Under current guidance, I would say so. Even though it says Libra is intended to be a stable coin, it's pegged on different currencies. There's going to be fluctuations every day, every minute. And current guidance says that's a taxable event, which would mean the consumer would have to be concerned with tax compliance when using Libra. Is the IRS going to go to Facebook and ask them about transactions? That remains to be seen, too.”

AML regulations:  Facebook has not broken down how it will verify Libra users' identities, but regulators are going to be laser-focused on making sure any new cryptocurrency is not used as a funding mechanism for terrorism and other illicit activities, said J. Gray Sasser, an attorney at Frost Brown Todd in Nashville. Sasser advises his crypto clients to create an anti-money laundering (AML) and know-your-customer (KYC) program, including gathering copies of potential purchasers' passports or driver's licenses.

“This information is then checked against databases maintained by the U.S. Treasury and otherwise retained to comply with Bank Secrecy Act regulations,” Sasser said. “Facebook could find itself trying to straddle a fine line between complying with U.S. and European regulations designed to block terrorist funding and the marketplace's general suspicion on how Facebook has handled its users private information in the past.”

Ditching Data Breach Class Actions Just Got Harder

We saw big developments in two data breach cases this past week. First, the U.S. Court of Appeals for the D.C. Circuit reinstated a lawsuit in two consolidated cases against the Office of Personnel Management and its contractor KeyPoint Government Solutions over a data breach that compromised the personal information of 21 million federal employees. My colleague Amanda Bronstad reported that the revival is notable because the panel found the class can sue for future harm.

“The court's decision represents another strong endorsement for the growing recognition by courts that plaintiffs can establish Article III standing in data breach cases based upon the substantial risk of future identity theft, and the rejection of the narrow view that standing only exists in these cases where there are 'out-of-pocket' losses,” wrote Andrew Friedman, a Washington, D.C., partner at Cohen Milstein Sellers & Toll.

Meanwhile, on the opposite coast, Facebook failed to get its own data breach thrown out. After hackers gained access to data from nearly 30 million users, the company argued the sophistication of the attack and the fact that some stolen information was available on public Facebook profiles limits the company's liability. Judge William Alsup of the Northern District of California did not buy that argument.

“The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information,” Alsup wrote. “Further, some of the information here was private, and plaintiff plausibly placed trust in Facebook to employ appropriate data security. From a policy standpoint, to hold that Facebook has no duty of care here 'would create perverse incentives for businesses who profit off the use of consumers' personal data to turn a blind eye and ignore known security risks.'”

Mark Your Calendar

The U.S. House Committee on Financial Services is hosting a hearing this morning on how artificial intelligence could be wielded in the finance industry. Brooking's Nicol Turner-Lee and the World Economic Forum's R. Jesse McWaters will share their insights, as well as Douglas Merrill, the founder and CEO of ZestFinance, and Bonnie Buchanan, head of the school of finance and accounting for the University of Surrey's business school. Tune in at 10 a.m. EST to catch their testimony.

On the Radar

The Regulatory Hurdles Facing Facebook's Libra Regulators seem to already have a lot of questions for Facebook regarding its new Libra cryptocurrency. The U.S. Senate Committee on Banking, Housing and Urban Affairs has set a hearing on the digital asset for next month. Read more from Victoria Hudgins here.

SF Bay Area Prices Out Lawyers Turns out even lawyers cannot afford to live in Silicon Valley. Recruiters report that in-house candidates are increasingly noting the area's high cost of living as a reason to reject job offers. Read more from Caroline Spiezio here.

Bracing for California's Privacy Law The California Consumer Privacy Act is set to go into effect in January. The law allows consumers to file a claim even if they do not show actual damage from the data breach, and in-house lawyers are readying for the impact. Read more from Dan Clark here.

Thanks for reading. We will be back next week with more What's Next.