A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-) Based at The Law School of Strathclyde University. From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk.
Monday, April 27, 2009
Pull The Other One, It's Got Emails On It
Yeh, Jacqui Smith, you're not creating the giant super-database of all our calls, emails, IMs, Twitters etc, all in one place run by the state AFTER ALL because you respect our privacy so much. Riiight.
And it's got nothing at all to do with being told repeatedly that (a) data mining across that huge pile of material is so inaccurate the results are not remotely worth the costs and can't anyway be used in court (b) the costs of the super-database were going to be super enormous at a time when the country is nosediving into bankruptcy (a former Government minister told me point blank, some months ago, that the government simply didn't have the money for this) and (c) the chances of a giant super-data breach from this single-point-of-failure multiple-authorised-access super-database - which would make the HMRC data breach look like a drop in an ocean of, er, excrement - were higher than the odds-on chances of the Tories winning the next election.
Yehhh. Right.
Alternately JC has woken up and smelt the roses of privacy after her own and her hubbie's little recent peccadillos were exposed by the press. But mostly, yeh, right.
Tuesday, October 14, 2008
Ireland against the Data Retention Directive: AG nixes constitutional attack
"The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.
It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice."
Pangloss is speaking tomorrow at a Parliamentary and ISPA event on the UK consultation on implementing the DRD by March 2009, so this is rather timely. However as DRI points out, to some extent this is almost a side issue: the real issue continues to be whether it is proportional to the aim of reducing crime and terrorism to retain all forms of e-communications by the entire UK population for up to two years. In the UK consultation, a year's retention is recommended for e- and telecoms traffic to help cut down on serious crime; yet almost every example but one given in the document relates to an investigation which was solved using data retained for a matter of hours, days or weeks, not a year. How thus is one year the "proportionate" response to the invasion of privacy sanctioned?
I think it was Ray Corrigan (though I can't seem to find the reference, sorry!) who pointed out the bad science involved in the much quoted statement in the consultation, that retention for a full year was justified because, in a trial month in 2005:
"there were 231 requests for data relating to communications that had taken place between 6 and 12 months earlier. 60% of these requests were in support of murder and terrorism investigations and 26% of the requests were in support of other forms of serious crime including armed robbery and firearms offences."
But the key point for such stats is how many requests were made in 2005 in TOTAL? Privacy International quote that figure as 439,000, drawn from government stats. Thus assuming a similar rate of request across the year, the requests for data over 6 months old were only 0.006% of all requests made in 2005. Does that justify retention for a year for every type of communication data, given the privacy implications? (And given the anecdotal evidence so far that such data is being requested by local authorities for purposes other than catching serious criminals or terrorists??)
A nice quote, also from DRI and via B2fXX: "Laws requiring monitoring of the entire population are astonishing in a democracy."
Wednesday, April 09, 2008
DP law and search engines
Very roughly, this report takes the long-expected, but not uncontroversial (especially if you're Google) stance that IP addresses are (mostly) personal data. This follows the view taken previously by the Art 29 WP in its WP 136 that "… unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side". Basically even dynamic IP addresses can be connected to particular users given the cooperation of log-keeping ISPs. As such potentially all IP addresses must be viewed as "personal data".
It also argues that:
- the Data Retention Directive (2006/24/EC) is clearly highlighted as not applicable to search engine providers. This is because Article 2 sub c of the Framework Directive (2002/21/EC), which contains some of the general definitions for the regulatory framework over "electronic communications services", explicitly excludes services providing or exercising editorial control over content. Notably, search engines both filter out illegal content, provide safe search, and respect no-robots text tags on sites, all functions search engines should continue to exercise.
Search engine providers must thus delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for, and be capable of justifying retention and the longevity of cookies deployed at all times. The DRD is NOT an excuse to retain data for longer (as Google have previously claimed.) The WP recommended retention for no more than 6 months. Similarly, if search engine providers use cookies, their lifetime should be no longer than demonstrably necessary.
- the DPD does however clearly apply to search engines which deposit cookies on the machines of EU resident users, even if the search engine is based economically or physically outside the EU eg the USA. European data protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals based in the EU.
- on DP law, search engines generally fail to say exactly for what purposes they gather personal data of users. If it is used for purposes users might not reasonably have anticipated eg building profiles of users for advertisers, the search industry may be breaking DP law.
The WP also considered the new so-called "people search engines" such as PIPL and Rapleaf, which draw on data from a wide range of sites, often including blogs and SNSs as well as the general Web, to form indexed profiles of individuals. Such profiling may both reveal unexpected data, and throw up misleading correlations, and some have already drawn adverse comment. The WP emphasised that these sites "must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing."
Pangloss is pleased to see this issue addressed: it provides a compulsory legal basis for what is emerging as good industry practice, namely (a) email the data subject whose profile is published (b) allow them to remove or correct or make private the data published. Of course we still need to make sites not based in the EU take notice of EU law. Eventually, what we desperately need is a technical fix, namely better multiple identity control - roll on the research into distributed identity management.