Thursday, August 07, 2014

Three myths that need nailed about the right to be forgotten (and one question)

1      Everyone thinks it’s a bad idea, so why hasn’t it gone yet, already.

No they don’t, actually.  Just the people who get to write in mass media. Few people in Europe, and fewer still in the US, realise that a surreptitious propaganda war is being fought around the simple idea that if personal information has been distributed about you, which is erroneous, outdated, incomplete or in some way unreasonably harms you, then  you should have the right to have that information rectified or take down. All that is new about the Google Spain decision is that it extends this right from people or hosts who publish the data, to search engines that link to it.  

But this basic concept worries Google, a lot. Partially because it might cost them money and reduce credibility in the integrity of their database, but mostly on principle : because it implies that states and courts –  and worse still European states and courts – have a right to have a say in regulating Google’s business activities.  And the right to be forgotten also worries the media, a lot : because they fear it might interfere with their freedom to write lucrative stories hostile to the subject of the piece. (This fear is, incidentally, misguided – see myth 2 below).

As a result Google and the media are in an unholy, and very successful, alliance to blacken the name of a simple consumer right. Google feeds scare stories about obviously apalling  take downs they have made to the media (see also myth 3 below) and the media gleefully publicise them. As of yesterday, Wikimedia have also got in on this act, so successfully that one Independent piece manages to suggest that the right to be forgotten is giving apes the right to take down their selfies from Wikipedia.  (Next: dolphins ask for their image to be taken off John West tuna cans.)

So if you honestly think the right to be forgotten is a bad idea, then that is your (sic) right. But don’t believe the hype.

2   Well, whoever’s pushing the opposition to the right to be forgotten, it’s clearly a bad idea because it destroys free speech.
No it doesn’t. The foundational idea of EC data protection law – that you should have the right to control the processing of data about yourself - has been uncontroversial in Europe  since 1995, or earlier.  Imagine that outdated bad debt information still scars your credit record; or you posted a stupid picture of yourself  drunk on Facebook when you were 13 and now it haunts your applications for responsible jobs; or perhaps you shared an intimate picture of yourself with your ex-boyfriend when you were young and in love and now he has posted it on a revenge porn site.
Is it such an unreasonable idea to be able to clear the slate in these circumstances? And is there really a compelling public interest in ephemeral quotidian details about ordinary people, which in a pre-digital world would have long faded into obscurity?

Of course there needs to be a balance with the public interest, if such rights are not to become a whitewash for public figures disguising their shady dealings  or bolstering their PR-created reputations.  But this has never been doubted. The Google Spain decision very clearly reads in an exception that if a data subject played a role in “public life”, then the “preponderant interest of the general public” – their right to know – would win out. The draft Data Protection Regulation, which would reform data protection law and put the right to be forgotten on a clearer, statutory basis goes further, including extensive reference to the need to balance both “freedom of expression” and the “historical, statistical and scientific” record.

Finally, both existing and new law recognise the rights of journalists to report on the public record by giving them exemption from DP law almost entirely. Google argued it was a journalist in the Google Spain case, and failed: but for conventional media , the right to be forgotten is simply not a threat. (Arguably it might even be good for it to incentivise journalists to investigate more using professional skills, and rely on flaky Google and Wikipedia data less.)

3   This can’t be right. If that’s so, why are Google removing links about murderers, gangsters and Muslim brothers of George Osborne?
There are two possible answers to this.

One, it might be hypothesised that Google are occasionally  ignoring the clear instructions of the court to take the public record into account,  and sometimes allowing delinking when they should have refused, so as to generate scare take down stories that discredit the right to be forgotten. On this, like Francis Urquart in House of Cards, I couldn’t possibly comment.

Second, there is a popular misconception that any Google takedown means the content disappears from the Web. This again is a myth that needs shot. First, the content stays up on the original page – only the link disappears.  This is obvious, though often ignored. But, secondly, and rather more subtly, only the link from the name of the person making the take down request to the story that name appears in disappears.  

 So, in one of the much publicised Guardian stories allegedly removed by Google, it turned out the person making the erasure request was not the public figure the article was about (let’s say X), but an obscure person who’d been named in comments (let’s call him/her Y).  You say, but the article still disappears, right?  No. Only if you search on Y, will the link not come up. A journalist searching on X (as is rather more likely)  however would still find the information right there. (And since I can find numerous stories about Adam Osborne’s Muslim  wedding on page 1 of the Google results by searching on “Adam Osborne Muslim”, including the original 2011 Guardian story, it looks quite likely that’s what was going on there.)

4    A question : Jimmy Wales of Wikipedia says we have “a right to remember”. Do we?

If you want to worry about invisible censorship on the Internet, try looking at copyright rather than privacy for a moment. Jimmy Wales says (as of 6 August 2014) that Google have received over 91,000 removal requests under the right to be forgotten since 13 May 2014, when the Google Spain decision was delivered. In that time, Google will probably have received 81 million requests for URLs to be taken down on copyright grounds. Many of these are known to be sometimes completely spurious, and while a few of these are protested, most are completely unnoticed.   Are these not also part of our history?

What people are waking up to, and are rightly horrified at, is that the world as delivered by Facebook or Google is not the “real” world (whatever that means) they thought they saw. Google’s algorithm already arguably dispatches search competitors to the lurking bowels of its search results, while FB famously gamed their Newsfeed algorithm to make people feel happier. In this new world of a curated or constructed digital world, the right to be forgotten is the tiniest tip of the iceberg-sized issue.

But more fundamentally, what exactly is this “right to remember”? Remember what? Do you have a right to remember that I bit my brother when I was 8, and he broke my front tooth in revenge? I am a law professor and he is a lawyer. This sentence may now be spidered by Google. Is this banal anecdote therefore now part of the “public record” – the all-encompassing true historical account Jimmy Wales defends so severely (I do after all have a Wikipedia page)  – or is it valueless gossip that in a pre-Googlified world would have vanished outside of my immediate family within days?

In Dave Eggers The Circle, a satire that is fast becoming fact, keeping any information to yourself is seen as so selfish and so threatening that a sheer desire for solitude instead of being “live” on the Internet becomes antisocial behaviour, with brief moments free of the omnipresent public gaze snatched in toilet cubicles. In this world, “secrets are lies”, “sharing is caring” and “privacy is theft”. Is this where we want the “right to remember” to take us?

Tuesday, July 15, 2014

Open letter on data retention and investigatory powers Bill ("DRIP") from UK privacy law academics

Tuesday 15th July 2014
To all Members of Parliament,
Re: An open letter from UK internet law academic experts
On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.
In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.
On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to;
·         compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
·         compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
·         compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6)).
·         order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
·         order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).
The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.
Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU's e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.
Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.
DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not mislead as to what powers this Bill truly contains.
Dr Subhajit Basu, University of Leeds
Dr Paul Bernal, University of East Anglia
Professor Ian Brown, Oxford University
Ray Corrigan, The Open University
Professor Lilian Edwards, University of Strathclyde
Dr Theodore Konstadinides, University of Surrey
Professor Chris Marsden, University of Sussex
Dr Karen Mc Cullagh, University of East Anglia
Dr. Daithí Mac Síthigh, Newcastle University
Professor David Mead, University of East Anglia
Professor Andrew Murray, London School of Economics
Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge
Professor Burkhard Schafer, University of Edinburgh
Professor Lorna Woods, University of Essex

Friday, May 30, 2014

Google remembers, after only two weeks

Google has implemented the "right to be forgotten" imposed by Google Spain on 13 May 2014. At slightly over two weeks for a response, this puts most actual governments to shame :-) Having failed totally to comment on the original document due to overwork swamp, I'll say a few things about the response.

The form allows EU users to ask search engines to remove results for queries that include their name where those results are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”.

This is clearly narrower than the full scope of the right granted by the judgment.

" As regards Article 12(b) of Directive 95/46, the application of which is subject to the condition that the processing of personal data be incompatible with the directive, it should be recalled that, as has been noted in paragraph 72 of the present judgment, such incompatibility may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes." [emphasis added][italics added][para 92]
Only the parts of the judgment in italics above have currently been implemented. Strange that the form does not specify "inaccuracy" as a ground which is clearly signposted by the judgment, though was not true in the actual case of Mr Costeja Gonzalez.

 Art 12 (b) actually specifies that rectification, erasure or blocking can be obtained, inter alia, if data is "incomplete or inaccurate"  (the word "incomplete" not cited by ECJ) and more generally as noted above if it is "incompatible with the Directive".

What does this mean?
I would argue these are all possible claims to Google to ask to have links removed-

  • a celebrity who has changed their image since a picture was put online ("inaccurate")
  • a celebrity who has not changed their image but for whom the picture is unflattering  in relation to the whole corpus of their online photos eg taken from a bad angle or on a bad hair day ("incomplete")
  • a celebrity who at one point contractually agreed to have pictures taken and posted but who has now changed their mind about their dissemination on the Internet (after having been paid in full?) , Because they have withdrawn consent as a ground for processing , processing is now "incompatible with the Directive"

In short Google are, perhaps, currently (understandably) attempting to dodge the  bullet of implementing a full blown EU image right (for countries many of which have no such thing, or not in clear statutory terms) by dressing up their offering with the language of history, reputation and freedom of expression. One can understand why.  There will be many other edge cases to come.

The form itself is mainly pretty sane. A few points are worth pointing out:

  • they are choosing not to roll the right out to non EU citizens. I thought there was a  chance in the interests of harmonisation/efficiency they might have done. Since Google is a private company not the government, my view is this would have simply been a private choice, not a breach in any way of First Amendment, and so viable  (see  CyberPromotions v AOL, waaay back in l996, though have we had the judicial discsusion since as to whether Google is more like a "traditional public form" now than AOL was?) That would have been unlikely given the likely shrieks of tarnishing of free speech in the US but would have made the process of identifying an EU citizen uneccessary (see below) and would have been extremely fun to watch:) (Plus, recall that California is rolling out the right to be forgotten to minors anyway from 2015 - though whether this survives Constitutional challenge is also as yet unclear.) Wouldn't Google have got lots of brownie points for offering US citizens extra privacy rights in the post Snowden backlash era? or would the civil rights lobby for speech make their lives not worth willing? maybe one to watch for the future if the EU experience pans out well?

  • they are choosing to (they say) do an initial assessment in-house of privacy claim vs public interest in freedom of expression and historical record. 

"When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials."

Again I thought they might choose path of least resistance,  which would have been simple take down on request, and wait for someone else to complain and then demand adjudication to put back, as with DMCA take downs, but no. The problem of course with applying the DMCA "put back"model to the right to be forgotten is that here there is no-one who has a clear agenda (or funding) to oppose take down. As I noted on Twitter with privacy even in Europe there is no relevant organisation: the role of the DP authority is to protect privacy rights, not freedom of speech  and they have no training or aptitude, or , again, funding, to take on a kind of historical assessment or investigatory role.

  • Identification of claimant was going to be the toughest one. The routes chosen are the obvious ones and can of course be easily faked but should mainly do the job; choosing a digital signature would have been v onerous. Will we see US citizens faking up EU credentials to get stuff removed? Of course in most cases Google's own database would provide the evidence of the true national identity (needed of course to serve the right ads, and in the right language) - but will they set their investigatory algorithms up to find this out? Probably.

We don't have any indication how many people will be in the evaluation team, how far the investigation will be done solely by automated means (maybe) and if the results will go in the Transparency Report (probably).

Fun times ahead!

Friday, April 04, 2014

Can You Criticise Your Boss on Twitter and Keep your Job?

was interviewed yesterday by the Metro free newspaper on this point, following the onlineprotest tweets by many Mozilla employees in the US that they did not want a boss who had donated money to an anti-gay marriage fighting fund. In the US where freedom of speech is prized, employees not only successfully ousted their new boss,  but kept their jobs. In the UK, it might have gone the other way, with disconduct proceedings or dismissal not impossible!  The Metro were keen on me making a blanket statement that you either were or weren't sacked if you dissed your booss online but Pangloss was not so foolish. Instead I advised users out there not to vent about their work on open to air Twitter accounts but to save it for Friends locked Facebook, and if possible, to make sure you trusted everyone on that Friends list (including fellow workers who might clipe on you – or move them to a special no-read-work-stuff  list). 

  Think about putting a disclaimer on your Twitter account that your tweets are not those of  your employers, and even then, if possible avoid defamation, racist or hate speech or harassment, especially of co-workers. Remember the fate of the specially appointed 17 year old youth Police Commissioner who lost her £15K a year  job when the press started looking at her racist tweets! (Pangloss herself just went and guiltily put a long overdue disclaimer on her public Twitter feed @lilianedwards (to which co-writer Dr Ian Brown of the OII, said, what, would ANYONE EVAH think I represent the views of the University of Oxford? Only the employment tribunals , I replied..)

 For employers, be absolutely sure to have a fair and balanced Acceptable Use of Social Media policy in place; courts have already refused to back the sacking of a housing trust manager who made derogatory comments about gay marriage (again! Just avoid the topic online perhaps) when the in-house policy did not clearly tell him not to do this. Blanket policies forbidding all use of social media are also likely to be disregarded by the courts, since they ignore fundamental rights of freedom of expression and private life. Some professions have particular difficulties about giving away details of the job on Twitter or FB - try looking at ACPO's heavyweight guidance on use of social media for the police, for example.

 Pangloss coincidentally had been writing (as usual) an overlong tome with @mooseabyte on police surveillance of social media when the Metro rang,  and it has certainly opened her already jaundiced eyes. Absolutely everyone using public social media should always be aware that while  it may feel like only you and your mates care about what you had for breakfast,  in fact 100s if not 1000s of people may be listening to , monitoring and data mining you – including not only those who pay per tweet to attach the Twitter data firehose to their Hadoop servers, but , increasingly , the police. SOCMINT - social media intelligence - is the shiniest thing on the block and as yet the general consensus seems to be that anything that is said on unlocked social media, however small the intended audienbce, is fair game for the Old Bill. In fact the legal situatuion is a bit more uncertain, with recent ECHR case law pointing to the existnece of  areasonable expectation of privacy even in public spaces - which seems to apply by extension to things said or done on public social media. A rather more nuanced treatment of the subject can be found in the recent Demos report  on how police may sometimes need covert surveillance authorisation - eg when constructing fake profiles to gain access to locked profiles on facebook - but for an even more critical perspective , await Lachlan and my paper at the SSN Conf in sunny Barcelona!