panGloss
A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-) Based at The Law School of Strathclyde University . From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk .
Thursday, June 30, 2016
How to Solve a Problem Like Brexit (no cats)
I'm briefly reviving Pangloss to publicise something I think important that just came out as a broad hint from the Research briefing team at the House of Lords.
This just came out: http://researchbriefings.parliament.uk/ResearchBriefing/Summary/LLN-2016-0034
It contains the usual stuff about art 50 (no one knows if Parl has to agree or not, or if it falls with the PM's prerogative) but then..
"Parliament would have a statutory role in ratifying an eventual withdrawal agreement and any other international agreements arising from the negotiations if they were subject to the usual procedure for ratifying treaties. The House of Commons potentially has the power to block the ratification of a treaty indefinitely; the House of Lords does not. Under the terms of Article 50, the UK’s membership would cease two years after it gave formal notification of its intention to leave, if no withdrawal agreement had come into force by that point, although the two-year period could be extended on the unanimous agreement of all EU member states."
In other words, Gove (say) could call art 50, negotiate EEA or something else and then find Parl would not pass it.
The EU wouldn't care (or might not anyway - we'd be out) : but it would cause chaos here. Any attempts to stay in the Single market would fail.
This HAS to be a "golden rule" argt to interpret art 50 the Pannick way ie Parl having to say yes before an art 50 notification is given. If a provision interpreted literally does not make sense in UK law - as here, allowing the PM to start something which he would be incapable of finishing - then it has to be interpreted in a more purposive way.
ie in a way that respects existing law on division of power between Parl and PM. And then we re introduce Pannick's ev that there is a basic rule the prerogative should not be used to disempower established Parliamentary competence. Only this time it is non controversial as no one can argue Parl does NOT have the prior and established right to ratify a treaty even if PM has negotiated it.
Any thoughts?
Thursday, August 07, 2014
Three myths that need nailed about the right to be forgotten (and one question)
1 Everyone thinks it’s a bad idea, so why hasn’t it gone yet, already.
No they don’t, actually. Just the people who get to write in mass media. Few people in Europe, and fewer still in the US, realise that a surreptitious propaganda war is being fought around the simple idea that if personal information has been distributed about you, which is erroneous, outdated, incomplete or in some way unreasonably harms you, then you should have the right to have that information rectified or taken down. All that is new about the Google Spain decision is that it extends this right from people or hosts who publish the data, to search engines that link to it.
But this basic concept worries Google, a lot. Partially because it might cost them money and reduce credibility in the integrity of their database, but mostly on principle : because it implies that states and courts – and worse still European states and courts – have a right to have a say in regulating Google’s business activities. And the right to be forgotten also worries the media, a lot : because they fear it might interfere with their freedom to write lucrative stories hostile to the subject of the piece. (This fear is, incidentally, misguided – see myth 2 below).
As a result Google and the media are in an unholy, and very successful, alliance to blacken the name of a simple consumer right. Google feeds scare stories about obviously appalling take downs they have made to the media (see also myth 3 below) and the media gleefully publicise them. As of yesterday, Wikimedia have also got in on this act, so successfully that one Independent piece manages to suggest that the right to be forgotten is giving apes the right to take down their selfies from Wikipedia. (Next: dolphins ask for their image to be taken off John West tuna cans.)
So if you honestly think the right to be forgotten is a bad idea, then that is your (sic) right. But don’t believe the hype.
2 Well, whoever’s pushing the opposition to the right to be forgotten, it’s clearly a bad idea because it destroys free speech.
No it doesn’t. The foundational idea of EC data protection law – that you should have the right to control the processing of data about yourself - has been uncontroversial in Europe since 1995, or earlier. Imagine that outdated bad debt information still scars your credit record; or you posted a stupid picture of yourself drunk on Facebook when you were 13 and now it haunts your applications for responsible jobs; or perhaps you shared an intimate picture of yourself with your ex-boyfriend when you were young and in love and now he has posted it on a revenge porn site.
Is it such an unreasonable idea to be able to clear the slate in these circumstances? And is there really a compelling public interest in ephemeral quotidian details about ordinary people, which in a pre-digital world would have long faded into obscurity?
Of course there needs to be a balance with the public interest, if such rights are not to become a whitewash for public figures disguising their shady dealings or bolstering their PR-created reputations. But this has never been doubted. The Google Spain decision very clearly reads in an exception that if a data subject played a role in “public life”, then the “preponderant interest of the general public” – their right to know – would win out. The draft Data Protection Regulation, which would reform data protection law and put the right to be forgotten on a clearer, statutory basis goes further, including extensive reference to the need to balance both “freedom of expression” and the “historical, statistical and scientific” record.
Finally, both existing and new law recognise the rights of journalists to report on the public record by giving them exemption from DP law almost entirely. Google argued it was a journalist in the Google Spain case, and failed: but for conventional media, the right to be forgotten is simply not a threat. (Arguably it might even be good for it to incentivise journalists to investigate more using professional skills, and rely on flaky Google and Wikipedia data less.)
3 This can’t be right. If that’s so, why are Google removing links about murderers, gangsters and Muslim brothers of George Osborne?
There are two possible answers to this. One, it might be hypothesised that Google are occasionally ignoring the clear instructions of the court to take the public record into account, and sometimes allowing delinking when they should have refused, so as to generate scare take down stories that discredit the right to be forgotten. On this, like Francis Urquhart in House of Cards, I couldn’t possibly comment.
Second, there is a popular misconception that any Google takedown means the content disappears from the Web. This again is a myth that needs shot. First, the content stays up on the original page – only the link disappears. This is obvious, though often ignored. But, secondly, and rather more subtly, only the link from the name of the person making the take down request to the story that name appears in disappears.
So, in one of the much publicised Guardian stories allegedly removed by Google, it turned out the person making the erasure request was not the public figure the article was about (let’s say X), but an obscure person who’d been named in comments (let’s call him/her Y). You say, but the article still disappears, right? No. Only if you search on Y, will the link not come up. A journalist searching on X (as is rather more likely) however would still find the information right there. (And since I can find numerous stories about Adam Osborne’s Muslim wedding on page 1 of the Google results by searching on “Adam Osborne Muslim”, including the original 2011 Guardian story, it looks quite likely that’s what was going on there.)
4 A question : Jimmy Wales of Wikipedia says we have “a right to remember”. Do we?
What people are waking up to, and are rightly horrified at, is that the world as delivered by Facebook or Google is not the “real” world (whatever that means) they thought they saw. Google’s algorithm already arguably dispatches search competitors to the lurking bowels of its search results, while FB famously gamed their Newsfeed algorithm to make people feel happier. In this new world of a curated or constructed digital world, the right to be forgotten is the tiniest tip of the iceberg-sized issue.
Tuesday, July 15, 2014
Open letter on data retention and investigatory powers Bill ("DRIP") from UK privacy law academics
Tuesday 15th July 2014
To all Members of Parliament,
Re: An open letter from UK internet law academic experts
On Thursday 10 July the Coalition Government (with support from
the Opposition) published draft emergency legislation, the Data Retention and
Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than
extending the data retention powers already in force under the EU Data
Retention Directive, which was recently ruled incompatible with European human
rights law by the Grand Chamber of the Court of Justice of the European Union
(CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and
Seitlinger and Others (C-594/12) handed down on 8 April 2014.
In introducing the Bill to Parliament, the Home Secretary framed
the legislation as a response to the CJEU’s decision on data retention, and as
essential to preserve current levels of access to communications data by law
enforcement and security services. The government has maintained that the Bill
does not contain new powers.
On our analysis, this position is false. In fact, the Bill
proposes to extend investigatory powers considerably, increasing the British
government’s capabilities to access both communications data and content. The
Bill will increase surveillance powers by authorising the government to;
- compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
- compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
- compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6)).
- order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
- order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).
The legislation goes far beyond simply authorising data
retention in the UK. In fact, DRIP attempts to extend the territorial reach of
the British interception powers, expanding the UK’s ability to mandate the
interception of communications content across the globe. It introduces powers
that are not only completely novel in the United Kingdom, they are some of the
first of their kind globally.
Moreover, since mass data retention by the UK falls within the
scope of EU law, as it entails a derogation from the EU's e-privacy Directive
(Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to
the extent that it falls within the scope of EU law, since such mass
surveillance would still fall foul of the criteria set out by the Court of
Justice of the EU in the Digital Rights and Seitlinger judgment.
Further, the bill incorporates a number of changes to
interception whilst the purported urgency relates only to the striking down of
the Data Retention Directive. Even if there was a real emergency relating to
data retention, there is no apparent reason for this haste to be extended to
the area of interception.
DRIP is far more than an administrative necessity; it is a
serious expansion of the British surveillance state. We urge the British
Government not to fast track this legislation and instead apply full and proper
parliamentary scrutiny to ensure Parliamentarians are not misled as to what
powers this Bill truly contains.
Signed,
Dr Subhajit Basu, University of Leeds
Dr Paul Bernal, University of East Anglia
Professor Ian Brown, Oxford University
Ray Corrigan, The Open University
Professor Lilian Edwards, University of Strathclyde
Dr Theodore Konstadinides, University of Surrey
Professor Chris Marsden, University of Sussex
Dr Karen Mc Cullagh, University of East Anglia
Dr. Daithí Mac Síthigh, Newcastle University
Professor David Mead, University of East Anglia
Professor Andrew Murray, London School of Economics
Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge
Professor Burkhard Schafer, University of Edinburgh
Professor Lorna Woods, University of Essex
Friday, May 30, 2014
Google remembers, after only two weeks
Google has implemented the "right to be forgotten" imposed by Google Spain on 13 May 2014. At slightly over two weeks for a response, this puts most actual governments to shame :-) Having failed totally to comment on the original document due to overwork swamp, I'll say a few things about the response.
The form allows EU users to ask search engines to remove results for queries that include their name where those results are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”.
This is clearly narrower than the full scope of the right granted by the judgment.
"As regards Article 12(b) of Directive 95/46, the application of which is subject to the condition that the processing of personal data be incompatible with the directive, it should be recalled that, as has been noted in paragraph 72 of the present judgment, such incompatibility may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes." [emphasis added] [italics added] [para 92]
Only the parts of the judgment in italics above have currently been implemented. Strange that the form does not specify "inaccuracy" as a ground which is clearly signposted by the judgment, though was not true in the actual case of Mr Costeja Gonzalez.
Art 12 (b) actually specifies that rectification, erasure or blocking can be obtained, inter alia, if data is "incomplete or inaccurate" (the word "incomplete" not cited by ECJ) and more generally as noted above if it is "incompatible with the Directive".
What does this mean?
I would argue these are all possible claims to Google to ask to have links removed-
- a celebrity who has changed their image since a picture was put online ("inaccurate")
- a celebrity who has not changed their image but for whom the picture is unflattering in relation to the whole corpus of their online photos eg taken from a bad angle or on a bad hair day ("incomplete")
- a celebrity who at one point contractually agreed to have pictures taken and posted but who has now changed their mind about their dissemination on the Internet (after having been paid in full?). Because they have withdrawn consent as a ground for processing, processing is now "incompatible with the Directive"
In short Google are, perhaps, currently (understandably) attempting to dodge the bullet of implementing a full blown EU image right (for countries many of which have no such thing, or not in clear statutory terms) by dressing up their offering with the language of history, reputation and freedom of expression. One can understand why. There will be many other edge cases to come.
The form itself is mainly pretty sane. A few points are worth pointing out:
- they are choosing not to roll the right out to non EU citizens. I thought there was a chance in the interests of harmonisation/efficiency they might have done. Since Google is a private company not the government, my view is this would have simply been a private choice, not a breach in any way of First Amendment, and so viable (see CyberPromotions v AOL, waaay back in 1996, though have we had the judicial discussion since as to whether Google is more like a "traditional public forum" now than AOL was?) That would have been unlikely given the likely shrieks of tarnishing of free speech in the US but would have made the process of identifying an EU citizen unnecessary (see below) and would have been extremely fun to watch:) (Plus, recall that California is rolling out the right to be forgotten to minors anyway from 2015 - though whether this survives Constitutional challenge is also as yet unclear.) Wouldn't Google have got lots of brownie points for offering US citizens extra privacy rights in the post Snowden backlash era? or would the civil rights lobby for speech make their lives not worth living? maybe one to watch for the future if the EU experience pans out well?
- they are choosing to (they say) do an initial assessment in-house of privacy claim vs public interest in freedom of expression and historical record.
"When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials."
Again I thought they might choose path of least resistance, which would have been simple take down on request, and wait for someone else to complain and then demand adjudication to put back, as with DMCA take downs, but no. The problem of course with applying the DMCA "put back" model to the right to be forgotten is that here there is no-one who has a clear agenda (or funding) to oppose take down. As I noted on Twitter with privacy even in Europe there is no relevant organisation: the role of the DP authority is to protect privacy rights, not freedom of speech and they have no training or aptitude, or, again, funding, to take on a kind of historical assessment or investigatory role.
- Identification of claimant was going to be the toughest one. The routes chosen are the obvious ones and can of course be easily faked but should mainly do the job; choosing a digital signature would have been v onerous. Will we see US citizens faking up EU credentials to get stuff removed? Of course in most cases Google's own database would provide the evidence of the true national identity (needed of course to serve the right ads, and in the right language) - but will they set their investigatory algorithms up to find this out? Probably.
We don't have any indication how many people will be in the evaluation team, how far the investigation will be done solely by automated means (maybe) and if the results will go in the Transparency Report (probably).
Fun times ahead!
Friday, April 04, 2014
Can You Criticise Your Boss on Twitter and Keep your Job?
I was interviewed yesterday by the Metro free newspaper on this point, following the online protest tweets by many Mozilla employees in the US that they did not want a boss who had donated money to an anti-gay marriage fighting fund. In the US where freedom of speech is prized, employees not only successfully ousted their new boss, but kept their jobs. In the UK, it might have gone the other way, with misconduct proceedings or dismissal not impossible! The Metro were keen on me making a blanket statement that you either were or weren't sacked if you dissed your boss online but Pangloss was not so foolish. Instead I advised users out there not to vent about their work on open to air Twitter accounts but to save it for Friends locked Facebook, and if possible, to make sure you trusted everyone on that Friends list (including fellow workers who might clipe on you – or move them to a special no-read-work-stuff list).
Think about putting a disclaimer on your Twitter account that your tweets are not those of your employers, and even then, if possible avoid defamation, racist or hate speech or harassment, especially of co-workers. Remember the fate of the specially appointed 17 year old youth Police Commissioner who lost her £15K a year job when the press started looking at her racist tweets! (Pangloss herself just went and guiltily put a long overdue disclaimer on her public Twitter feed @lilianedwards (to which co-writer Dr Ian Brown of the OII, said, what, would ANYONE EVAH think I represent the views of the University of Oxford? Only the employment tribunals, I replied..)
For employers, be absolutely sure to have a fair and balanced Acceptable Use of Social Media policy in place; courts have already refused to back the sacking of a housing trust manager who made derogatory comments about gay marriage (again! Just avoid the topic online perhaps) when the in-house policy did not clearly tell him not to do this. Blanket policies forbidding all use of social media are also likely to be disregarded by the courts, since they ignore fundamental rights of freedom of expression and private life. Some professions have particular difficulties about giving away details of the job on Twitter or FB - try looking at ACPO's heavyweight guidance on use of social media for the police, for example.
Pangloss coincidentally had been writing (as usual) an overlong tome with @mooseabyte on police surveillance of social media when the Metro rang, and it has certainly opened her already jaundiced eyes. Absolutely everyone using public social media should always be aware that while it may feel like only you and your mates care about what you had for breakfast, in fact 100s if not 1000s of people may be listening to, monitoring and data mining you – including not only those who pay per tweet to attach the Twitter data firehose to their Hadoop servers, but, increasingly, the police. SOCMINT - social media intelligence - is the shiniest thing on the block and as yet the general consensus seems to be that anything that is said on unlocked social media, however small the intended audience, is fair game for the Old Bill. In fact the legal situation is a bit more uncertain, with recent ECHR case law pointing to the existence of a reasonable expectation of privacy even in public spaces - which seems to apply by extension to things said or done on public social media. A rather more nuanced treatment of the subject can be found in the recent Demos report on how police may sometimes need covert surveillance authorisation - eg when constructing fake profiles to gain access to locked profiles on Facebook - but for an even more critical perspective, await Lachlan and my paper at the SSN Conf in sunny Barcelona!
Thursday, September 26, 2013
GikII in New Scientist! and went to the beach!
New Scientist, the leading UK magazine on science and technology, recently covered GikII, the world’s first law, technology and popular culture workshop, which has run annually for 8 years and is chaired by Professor Pangloss ie Lilian Edwards of Strathclyde’s Centre for Internet Law and Policy.
The New Scientist piece (behind a paywall, but extract available here) covers questions raised at GikII such as whether a robot can libel you and what the legal and societal effects of teleportation might be, and reports in detail ongoing research by Lachlan Urquhart, now a PhD candidate at Nottingham co-supervised from CILP, into legal regulation of drones, as well as asking if in the future lawyers will be replaced by computers. Thankfully, the article concludes this is unlikely to happen any time soon!
Meanwhile, the most recent GikII, in Bournemouth in September 2013, failed to provide the much looked forward to sun, but there was sea, sand and salty deep fried objects to die for, as well as the usual intellectual frolics. I finally gave the paper "Slave to the Algo-Rhythm" I'd been mulling on for what seems like years on Google, algorithms, competition, libel and data protection (only a week after reading a piece by Ute Kohl in IJLIT which does it all much better. Go thou and read it.)
Other papers I really enjoyed this year included newbie Andy Phippen's rant, sorry, treatise on why wi fi filters in Starbucks are not really the best way to "think of the children"; Anna Ronkainen on whether it's better to print human organs in animals, via stem cells or just using lego, sticky back plastic and a 3d printer (I paraphrase, but not much); Andelka Phillips (also a newbie) on DIY genetic testing by email (the consumer protection issues! trading standards will not know what has hit it - my mind reeled), Heather Bradshaw-Martin (ditto, and also Oxford) on the ethics of driverless cars (how would a Kantian car deal with the trolley problem? a Hegelian car?); Lachlan Urquhart on the persistence of memory in a synchronic society (featuring "spimes" a word whose time has surely come); Chris Marsden on telegraphs, TEMPORA, the decline of the British Empire, Russian cablecutters, and something about silkworms and zemblanity (oh don't even ask). And it was marvellous to have Technollama back in the fold.
Despite strong competition from Andres however, the winner of the Daithi MacSithigh Memorial Prize for Most Amusing Powerpoint (come back Daithi all is forgiven!) was Paul Bernal for combining privacy, autonomy and Disney Princesses - congrats Paul!
In short it was a vintage GikII. Next year you should all come!