The right to forget or the right to spin?

Viviane Reding has been publicising one of the more poetic planks of the upcoming Data Protection Directive reforms, the so-called "right to forget" or from the French (who dreamt it up), the droit a d'oubli.

The right to forget is intriguing and seems to have caught the public attention of more than geeks and DP nerds. In boring Anglo-Saxon, it sounds much less exciting. The right to delete your personal data, wherever it is held - eg on Facebook - is what it's about. Put that way it doesn't sound that new. After all the DPD already gives you the right in art 14 to

" object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;"

In the UK DPA 98, s 10, that gets translated as the right to stop processing where it is "causing or is likely to cause substantial damage or substantial distress to him or to another" and this is "unwarranted". As often the case, there is an argument that this is a rather limited expression lof the DPD, especially when case law is considered. There's also a connected right to demand your personal data is not processed for the purposes of direct marketing.

But this doesn't add up to an unqualified right to have data deleted nor to have this done for no reason at all, except it's your data. This is what the "right to forget"or "delete" movement is about.

Pangloss initially found the right to forget very appealing, but has got more conflicted as time has gone on. The trouble most often cited is that your personal data is very often also someone else's personal data. If I post a picture of both of us at a party on FB, do you have the right to delete it? What about my freedom of expression, my right to tell my own story? With pictures, you can imagine solutions - pixellate out the person objecting or crop it. Perhaps the compromise is that I have the right to post the photo but you have the right to untag yourself from it. (Though this will not suit some.)

But what about where I say "I was at Jack's last night and he was steaming drunk?" Does Jack have the right to delete this data, even if it's on my profile? This is where the Americans start indeed to get steamed up - since their culture and legal system has repeatedly preferred free speech to privacy rights.

Unsurprisingly this is one of the the scenarios Peter Fleischer, chief privacy officer of Google, had in mind when he described the right to forget last week as "foggy thinking ", claimed that "this raises difficult issues of conflict between freedom of expression and privacy" and more or less implied that this could be dealt with perfectly well by traditional laws of libel. In an ideal world this might be so: but we don't live in that world, but one where ordinary citizens as opposed to celebrities, almost never get to use laws like libel because they're simply far too costly and scarey.

Would Jack sue for libel in the above example? No, almost never. But he might ask FB to take it down (if he was aware it existed). This is another of Fleischer's worries - that intermediaries like ISPs and hosts would get inextricably and expensively involved in the "right to forget". Here his real agenda becomes fairly apparent - Google's success is entirely based on their right to remember as much as possible about us. We are back here in another version of the cookie and data retention wars, passim.

I am a fan of the Google chocolate factory, as anyone reading this blog will surely have gathered - but it is a mite disingenous to read Fleisher's (beautifully written) post without bearing in mind what seems to be Google's real worry, as cited at the bottom of his list, that search engines will find themselves called on to implement what people often want far more than a right to delete, namely a "right for their data not to be found" - ie, for it to be expunged from Google's web results.

Fleisher says correctly (and commendably under-statedly) that "This will surely generate legal challenges and counter-challenges before this debate is resolved. ". Imagine the reaction of Trip Advisor for example when 1000s of people who run hotels and restaurants try to have the site removed from Google rankings because it has personal data about them that they're not overly fond of..? More sympathetically, many readers of this blog will know decent people who have tried for years to get results removed from Google - unfair and illegitimate reviews, catty remarks from ex partners, professionals whose working life is blighted by abusive remarks by disgruntled ex clients. There should I think be clear remedies for them not dependent on the ad hoc discretion of the sitein question, depending on what mood it's in that day. On the other other hand, I don't want a world where politicians or demagogues can get their dodgy past involvements with fascism or the BNP or whatever quietly deleted or rendered unfindable on Google (this is a turf war which already goes on day in day out on the edits on Wikipedia).

A big problem (as with all DP issues) is the cross border, applicable law or jurisdiction aspects. Fleisher's column cites a rather sensationalist example - when a German court ordered references to a murder by a German citizen removed from a US based Wikipedia page because those convictions under German law were "spent". In fact rules about rehabilitation of offenders and spent convictions are common - certainly the UK has similar - and all that is unusual about this case is the attempt of the German courts to extend jurisdiction to publications hosted abroad. Indeed as some US states have "rights of publicity" protecting celebrity image and some don;t, one imagines they must already have evolved a degree of expertise in the international private law of privacy/publicity rights. (What if Elvis's image on tee shirts is protected in Tennessee but not in Virginia? can the Tennessee estate sue the Virginia t shirt factory that uses his image without paying?)

But certainly an EU right to forget will almost invariably engage us in the same kind of angst and threats of "data wars" over extraterritoriality that the Eighth DP Principle on export of personal data already has - not something to look forward to. It is noticeable that Reding fires off an early salvo on this when her spokesperson says , not for the first time, that companies "can't think they're exempt just because they have their servers in California or do their data processing in Bangalore. If they're targeting EU citizens, they will have to comply with the rules."

In reality , Pangloss suspects any right to forget that makes it through the next few years of horse trading will look much more limited and less existential than most of the ideas in the blogoverse - more like the right FB has already conceded, to delete rather than simply deactivate your profile, for example. Reding's speech itself seems to be in practice more about how FB sets its defaults than anything else: a default opt out from letting third parties tag your photos, rather than opt in, would seem a pretty limited and sensible demand.

Being more aspirational, Pangloss still has a soft spot for one interpretation of the "right to forget" which Fleischer rather derides as technically impossible - self expiring data. I'd love to hear from any techies who know more about this topic.

But the debate that has caught the public imagination goes wider than just DP law, and it is about whether we want to live in an online spin society.

There has been a certain amount of information coming out lately about how the Internet is not what it once was. Once we thought the Web was a conduit to unmediated news and opinions from real people, that it would enable direct democracy and change the world. But recent evidence has been that when it really matters - in matters of politics and revolutions and celebrities and ideology - a lot of what seems to be the "honest bloggers" or commenters or posters are actually paid spinners, employed and trained in the blogging and astro turfing schools of China and Russia and Iran and now, we hear this week, the US.

The right to forget can in some ways be used as the individual, non corporate, non state version of this. Rewriting history has been described by many people as Orwellian: we are at war with Eastasia, we have always been at war with Eastasia. That is chilling (in all senses of the word, including speech :-). The reality, as I already said, is likely to be consideringly less overwhelming (or effective). But this is still a debate we need to start having.

Filtering round up: French filtering, Ireland backs off, UK sidesteps?

Bit of a round up here on some interesting stories of last few weeks on aspects of filtering that I've been accumulating.

Increasingly, stories as to filtering out illegal content such as child porn; blocking infringing downloads of copyright material by deep packet inspection and disconnection; and filtering to fight the "war on terror" are converging. For all of these, the same issues come up again and again: privacy; proof, transparency and other aspects of due process; and scope creep. These 3 stories illustrate this well. For my own recent take on the issue of Net filtering, as I said before, see my Internet pornograohy chapter on SSRN, which suggests the need for a Free Speech Impact Assessment before non transparent stateNet filtering schemes are introduced, for whatever purpose.

Filtering of illegal content in France

Thanks to @clarinette on Twitter (whose real name I am not absolutely sure of!!) for pointing me to another important European move towards non transparent Internet filtering - this time in France. From La Quadrature de Net:

Paris, February 11th, 2010 - During the debate over the French security bill (LOPPSI), the government opposed all the amendments seeking to minimize the risks attached to filtering Internet sites. The refusal to make this measure experimental and temporary shows that the executive could not care less about its effectivity to tackle online child pornography or about its disastrous consequences. This measure will allow the French government to take control of the Internet, as the door is now open to the extension of Net filtering.

The refusal to enact Net filtering as an experimental measure is a proof of the ill-intended objective of the government. Making Net filtering a temporary measure would have shown that it is uneffective to fight child pornography.

As the recent move1 of the German government shows, only measures tackling the problem at its roots (by deleting the incriminated content from the servers; by attacking financial flows) and the reinforcement of the means of police investigators can combat child pornography.

Moreover, whereas the effectivity of the Net filtering provision cannot be proven, the French government refuses to take into account the fact that over-blocking - i.e the "collateral censorship" of perfectly lawful websites - is inevitable2. Net filtering can now be extended to other areas, as President Sarkozy promised to the pro-HADOPI ("Three-Strikes" law) industries3."

LQN are never exactly ones to mince their words:-) so the strong nature of this statement should perhas be taken with some care - but Pangloss intends to go investigate this story further.

Ireland, Eirecom, disconnection and DP

Meanwhile in a surprising twist, Eirecom have apparently pulled out of the negotiated settlement they reached in January 2009 to disconnect subscribers "repeatedly" using P2P for (alleged) illicit downloading. This was the result of the Irish court case brought against them by various parts of the music industry for hosting illegal downloads, and appeared to open up a route to "voluntary" notice and disconnection schemes on the part of the ISP industry; a worrying trend both for advocates of free speech, privacy, due process, ISP immunity and net neutrality.

Now however according to the Times:

As part of the agreement, Irma said it would use piracy-tracking software to trace IP addresses, which can identify the location of an internet user, and pass this information to Eircom. The company would then use the details to identify its customer, and take action.

But the office of the Data Protection Commissioner (DPC) has indicated that using customers’ IP addresses to cut off their internet connection as a punishment for illegal downloading does not constitute “fair use” of personal information. Irma and Eircom have asked the High Court to rule on whether these data-protection concerns mean the 2009 settlement cannot be enforced.

This is very, very interesting. A court case on this might settle a number of outstanding DP legal issues: whether IP addresses are "always" personal data (on which see also a recent EU study demonstarting the disharmny across Europe on this) and if not, when; what the scope of the exemmptions for preventing and investigating crime are; and what"fair" means in the whole context of the DP principles, purpose limitation and notice for processing.

Not only that but as the Times indicate, the human rights issues which have been repeatedly aired in debate around "three strikes" generally, would also come into play as well, as the straight DP law. Is use of a customer's personal data to cut them off from the Internet a proportionate response to a minor civil infringement? Does it breach a fundamantal right of freedom of expression or association? Does it breach due process? This could be the DP case of the decade. Pangloss is geekily excited. If anyone out there is involved in this case, do let me know.

UK cops don't terrorise the IWF?

Finally , as widely reported, the UK Home Office has introduced a website hotline for the public to report suspected terrorist or hate speech sites. Reports are then vetted by ACPO, the Association of Chief Police Officers, who it appears can then take action, not only by investigating in normal way, but also by asking the relevant host site to take down. The official press release notes : "If a website meets the threshold for illegal content, officers can exercise powers under section 3 of the Terrorism Act 2006 to take it down." Indeed on serving such a notice, the host only has 2 days to take down or loss immunity under the UK ECD Regs.

As TJ McIntyre also notes, this is a rather significant development, not just in itself but for sidestepping use of the Internet Watch Foundation (IWF). There have been persistent rumours since and before then-Home Sec Jacqui Smith's famous speech in Jan 2008, that theUK government was attempting to pressurise the IWF into adding reports of hate speech/terror to its block- or black-list; and that the IWF was as strongly resisting this, hate speech being a somewhat more ambiguous and controversial matter than adjudicating on child sexual imagery.

It seems then that the IWF has held fast and the Home Office have backed off and created their own scheme, which embraces only take down in the UK, not access blocking to sites abroad (?). Whether this is ideal remains to be seen. The IWF, at least until recently had the services of esteemed law prof Ian Walden as well as a lot of accumulated experience, and may have been a better informal legal tribunal, than a bunch of chief constables, to decide on the illegality of sites under terror legislation. Who knows. On the other hand , adding alleged terror URLs to an invisible, encrypted, non public blocklist defeats every concept of transparency and public debate regarding restrictions on freedom of political speech, and Pangloss is glad to see it avoided.

Pangloss's view remains that such difficult non-objective issues are best decided by the body long set up to deal with questions of hazy legal interpretation: namely, the courts. The definition of "terrorist" material for the urposes of s 3 of the 2006 Act is as follows (s 3(7)):

"(a) something that is likely to be understood, by any one or more of the persons to whom it has or may become available, as a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism or Convention offences; or

(b) information which—

(i) is likely to be useful to any one or more of those persons in the commission or preparation of such acts; and

(ii) is in a form or context in which it is likely to be understood by any one or more of those persons as being wholly or mainly for the purpose of being so useful."

Well I hope that clears everything up :-) Still confused? Try s 3(8)).

"(8) The reference in subsection (7) to something that is likely to be understood as an indirect encouragement to the commission or preparation of acts of terrorism or Convention offences includes anything which is likely to be understood as—

(a) the glorification of the commission or preparation (whether in the past, in the future or generally) of such acts or such offences; and

(b) a suggestion that what is being glorified is being glorified as conduct that should be emulated in existing circumstances."

Er give me that last line again?

As with previous contested IWF rulings, the same questions come up again: what is the appeal from a take down notice under s 3 to the regular courts? What notice if any is given to the site owner and the public of therfact of and reasons for take down? What safeguards are there for freedom of speech? None of these are mentioned in ss 1-4 of the 2006 Act. Nor does there seem to be a general provision in the Act for Part 1 or the whole of the 2006 Act for appeals or review. Since the police are a public body however, one imagines that judicial review might be competent. EDIT However I am helpfully informed that ACPO is a company limited by giuarantee and regards itself as not a public body at least for the purpose of FOI requests. Clarity on this would be very desirable. And as noted above record keeping of take down for terror reasons seems to be poor due to voluntary compliance by ISPs.

Finally why introduce these powers if they are to be circumvented anyway? The Register reported on 12 November 2009 that so far no notices had been issued under s 3 anyway, because the UK ISPs involved had agreed to take down voluntarily, and no record has been kept of how many sites this involved. Furthermore if a site is taken down in the UK it won't be hard to resurrect it in a foreign country, where most extremist sites will be based anyway: El Reg reports that one site the police allegedly have their eye on, al-Fateh, a Hamas anti-Jewish kids site, is in fact hosted in Russia. One imagines this will continue to increase pressure on the IWF to expand the block list despite the latest moves.

New DP blog

Another useful discovery - DP Thinker - Pangloss isn't sure to whom we owe the pleasure though. Of course it's clearly a matter of privacy :-) but anyone want to own up?

A Very Peculiar Scottish Practice & fin de Festival muscellany

Pangloss is in Estonia where she hopes to blog more tomorrow, but in meanwhile, while desperately trying to catch up post far too much Edin Festival indulgence, was delighted to see this tartan trivia below on Lawrence Eastham's excellent blog for the Society for Computers and Law:

"Solicitors on YouTube

Are Scottish solicitors Inksters the first firm to have a dedicated YouTube channel?

The Glasgow-based firm Inksters hope to ‘keep ahead of the legal technology curve with the launch of a YouTube channel’. The channel contains an initial five films which are also available at inksters.com. These include films on The Home Report, one about windfarming on croft land and another on the House of Lords case: Moncrieff v Jamieson (featuring SSCL Chair Iain G Mitchell QC). Brian Inkster said ‘putting these films on YouTube will bring them to a wider audience. It is a natural extension of the Web 2.0 policy we have been pursuing at Inksters. We were the first Scottish law firm to Twitter earlier this year and we are perhaps now the first Scottish law firm with a dedicated YouTube channel’.

The YouTube videos are at www.youtube.com/inksterssolicitors

Not only that but I *think* I've scooped venerable Scots Law News here! Drag your eyes away from Ally Megrahi (that well known footballer), team.. (Opps EDIT: no! See here.)

I've also very belatedly updated my blog roll a little to include a few excellent newer blogs including Datonomy, on personal data with a stellar UK practitioner line up, and Simon Deane-Johns's useful round up of consumer law,Pragmatist, including some very pithy comments on the seemingly endles revision of EC online consumer law.

From Datonomy, I learn that the UK ICO rather quietly commissioned research in August to price a business case for businesses to invest in privacy; effectively aiming to find out how much businesses might save by proactively investing in privacy rather than waiting for the security breach headlines to hit the fan. How interesting, and how topical, but it certainly seems to move us a long way from privacy-as-a-human-right to commodified privacy-as-property doesn't it?

Oddly enough Pangloss will be speaking on this very topic at the upcoming special-value one-time-only credit crunch SCL Policy Forum in September (fee payable with 6 months 0% credit - no not really) , so if anyone else wants to comment or has interesting worked examples (please show figures:-) of the (alleged) value of privacy to either consumers or businesses, please do comment!

So for me upcoming on the intergalactic talk schedule (just call me Cyber Wogan), it's Estonia for cyberwar, Amsterdam for death (2.0 variety), and London for poverty and privacy. The Three Horsemen of the IT Law Apocalypse. What does that leave? Rains of frogs I suppose..

SoGikII and DP reform

Before HK, Pangloss was in lovely Sydney enjoying the hospitality of the Cyberspace Law and Policy Centre at University of New South Wales at SoGikii, aka the conference on the beach at Coogee :-))

SoGikII was bijoux but very interesting. Graham Greenleaf and Ian Brown swapped multi Continental ideas, helped by the audience, on how to reform personal data protection laws, calling on current moves to reform of the EU DPD, the evolving APEC privacy principles, Graham's work on comparative Asian privacy law and the far famed (everyone in Oz spoke about it in hushed tones) 2000 pages AU$2 m ALRC report on privacy.

The general emerging ideas seem to be:

• one size does NOT fit all : more prior privacy impact assessment and privacy engineered in ("privacy by design") needed for large data bases and other such projects, especially in public sector;
  
• in the EU the effect of Lindqvist needs rolled back for small data processors such as the millions of user generated content providers. A stronger domestic purposes exemption might meet these needs, linked to stronger obligations on platforms to take down on complaint (though Pangloss wonders about the free speech impact of this?) and industry codes on privacy protective default settings on social networks.
  
• for all data processors, more emphasis on data minimisation - collecting less data ab initio, by code means and by reliance on principles such as the Australian rule that systems must be designed to allow an anonymity option if practical (eg London't Oyster system is designed for identifying users; Singapore's Octopus is not). This is all the more important as security of large multiple access dbs is increasingly unreliable.
  
• more concern for the merging human rights protection for privacy not just under DPD rules - eg the recent UK ECHR defeat in the DNA database case.
• DP export laws must be maintained despite business opposition
  

On remedies and enforcement some ideas were

• better remedies for users including class action rights for consumer organisations
• replace boilerplate registration of purposes with online subject access rights and tracking of use of data (PG sez: could semantic web data help here??)
• penalties for abusive use of "DP" by companies to restrict access to info by consumers
  
• security breach notification was controversial with some complaining in US it had done little or nothing to stop malware breaches.

Very much stuff to think about there. Other great papers involved Will Uther, Senior Lecturer (School of Computer Science and Engineering, UNSW) on Patent Law in the Federation: Replicators and Piracy which relied on 23rd century Star Trek Federation law to assess how future technology might disturb patent law :)); and Andrea Matwyshwn (Wharton, Penn) on Bourdieu, privacy and social capital. (Book of the week, btw, has definitely been Lanham's Economics of Attention.)

Pangloss herself argued gloomily (in both HK and Oz) that rights to control and bequeath digital assets after death (such as eBay reputations and Facebook profiles as well as the much discussed virtual world/MMORPG assets) would become increasingly important as digital natives age and die, and life logging expands. the key problems are the intermediation of the assets, leading to a loss of control by both creator and heirs, and the lack of any locus to consider societal interests in access to and preservation of digital cultural/literary heritage. This builds on my previous work suggesting that regulation of virtual assets generally is incoherent and ad hoc, as well as my FB /SNSs and property in VWs work. I'll get the new ppt up shortly!

ICO Speaks Total, Utter Sense

No irony meant, honest.

OUT-LAW again say: "Organisations must not use the Data Protection Act as a smokescreen for not giving out information, privacy regulator the Information Commissioner's Office (ICO) has warned.The ICO has identified the most common data protection myths which it says are used to avoid transparency or that have just developed through ignorance of the actual law.

Deputy Commissioner David Smith said that "The Data Protection Act does not impose a blanket ban on the release of personal information. What it does do is require a common sense approach," he said. "It should not be used as an excuse by those reluctant to take a balanced decision."

Too bloody true. Unfortunately the examples given by the ICO are mainly related to the public sector: universities refusing to send results to anyone but the students themselves, schools refusing to let people take photos of children in school plays. In Pangloss's experience these bodies are usually fairly reasonable; eg there are often good reasons not related to DP law to reveal results to no-one but students in person, to do with confidentiality, trust and over demanding relatives, and as a bright line it still seems the best policy. Most universities will however send results to a student's home address on request, which deals with the "student off abroad and parents desperate to know" problem.

Those who really choose to use the DPA as the Don't Tell Anyone Anything Act are notoriously not non profits like schools, but the commercial sector and in particular, communications, banking and utility companies who cynically use the slice of lime factor of " it's against DP law" to cynically get rid of annoying customers and minimise customer service. Pangloss, eg, has spent many an unhappy hour trying to pay money INTO various accounts to pay for TV, cable, Internet and other bills and been told this wasn't possible "because of the data protection act". What possible release of personal data to the payer need this involve?

Another problem is what happens when one member of a couple has set up an account eg for telephone, and they then split up acrimoniously. It is hardly sensible, and potentially even dangerous, to advise the other partner that they cannot later acces or alter the details of their account without getting the estranged partner to ring. Indeed in some seperations, communication may have entirely broken down and it may be vital to change details eg if the matrimonial home is rented to a new tenant. All utility and similar companies should have sensible procedures in place to deal with such situations (an, crucially, which are trickled down to call centre level).

Should using the DPA to repel honest enquiries or non-privacy-invasive transations be regarded as a kind of corporate fraud? So long as there is effectively no real hard infringement of DPA law, large companies will continue to use the DP as a stonewalling excuse, because the nature of bureacracy is to gather as much data and reveal as little of it to others as possible. the evaporation of personal service in favouir of anonymised call centres with pre written scripts also has a great deal to answer for.

Future Strategy of the ICO

As the final part of Pangloss's catch up of vital reports on privacy and DP that all seem to have emerged while I was on holiday (sigh), the ICO's own report on its future strategy on DP enforcement needs read. I refer you in the meantime to cogent comments at Naked Law.

Very broadly, the ICO propose that they "will not focus on enforcement, but on reducing the risk to UK residents of misuse of personal information about them. " This may of course however be all subject to change given the expectation that the current Commisioner Richard Thomas will retire in the not too far distant future.

Thanks also to IMPACT blog who (inter alia) drew to my attention to the large ICO survey on attitudes to privacy which preceded the issue of the strategy paper and came out March 19 08. It's all go :) One of the most remarkable and yet not unexpected findings is that after the HMRC data scandal the British public has officially lost faith in the public sector: "The ICO poll of 1,000 people found that 53% of those asked no longer had confidence in the way banks, local authorities and government departments handled personal information." See Beeb summary here.

More on 3 Strikes & Phorm: the ISP Strikes Back, but still true to Phorm

3 Strikes, semper passim :)

Technollama has a good post on Carphone Warehouse's opposition (in its guise as ISP TalkTalk) to the idea of "3 strikes and you're out", and the BPI's response of threatening court action. According to the Telegraph, CW received the following warning by fax from the BPI:

""... unless we receive your agreement in writing that within 14 days Carphone Warehouse will implement procedures set out above [bold added], we reserve our right to apply to court for injunctions and other relief without further notice to protect our members' rights."

Which leaves one wondering: WHAT procedures? Last Pangloss heard, negotiations were going on between the ISPA and the MPA as to a protocol for "progressive" discouragement of filesharing by eventual disconnection, but no agreement had been struck; certainly if the BPI has fomed a binding contract or even voluntary code of practice on similar lines with some or all UK ISPs, this is something the public should know about surely?

If, as seems more likely, no agreement exists, the BPI seem to be making some wrong assumptions about the remedies available to them. As it stand the common consensus is that ISPs are protected from liability for the actionable or illegal activity of their users unless they are shown to have actual or constructive knowledge of material they host fo rnusers (E Commerce Directive, Art 14). If the liability relates to the ISP's role as a mere conduit (Art 12) then ISP's are immune whether or not they receive notice. In all other circumstances, the BPI are limited merely to seeking an injunction against the ISP; although they are of course free to sue the actual users. "Other relief" - which can surely only be construed as implying either the imposotion of a filtering obligation or damages - does not prima facie seem to be available.

Of course in Ireland, also in apparent contradiction to both Arts 14 and 15 of the ECD, the music industry are currently attempting to impose an obligation to filter out pirate tracks on Ireland's biggest ISP, Eircom.Various Irish legal commentators notably TJ Macintyre and the unpronounceable Daithi McSigh have already pointed out the major policy and legal objections to such a claim. But it appears to be saber rattling season on both sides of the Irish Sea, presumably in anticipation of the consultation paper on 3 Strikes we are promised by BERR sometime between now and the autumn.

Phorm

Talk Talk/CW themselves should not be regarded too quickly as heroes of the hour though. Remember Talk Talk is one of the ISPs already signed up for the currently rather controversial Phorm system. Since it seems unlikely UK ISPs are going to go down the 3 Strikes route without legislation, CW/TT have good PR to gain, and nothing much to lose, by speaking out against the BPI :)

On Phorm, matters currently appear to be running against the pioneering or invasive new ISP-level adware system (depending on your side of the fence.) The ICO amended their postition on Phorm yesterday after considerable pressure by inter alia, ORG and FIPR:

"Ad-targeting system Phorm must be "opt in" when it is rolled out, says the Information Commissioner Office (ICO)

European data protection laws demand that users must choose to enrol in the controversial system, said the ICO in an amended statement.

The decision could be a blow to Phorm which before now has said it would operate on an "opt out" basis.

The ICO will monitor the trials and commercial rollout of Phorm to ensure data protection laws are observed."

EDIT: there is a rather sensible comment on the Beeb site about the likely implications of opt-in for Phorm.

This statement, interestingly, still leaves untouched the question of whether Phorm is not only potentially in breach of DP law but an illegal interception of communications under RIPA. The ICO of course has an interest in surveillance, but does not oversee it; interception is technically supervised by the Interception of Communications Commissioner . Home Office communications have indicated they think Phorm legal in this respect, but other commentators such as Nicholas Bohm, differ.

IP Addresses are Personal Data - official

Brief but important note, via the Asociated Press: the EU Art 29 Working Party group working on privacy, DP and Internet search engines (notably Google) has issued an early press release.

"Germany's data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.

He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address "then it has to be regarded as personal data." "

Some may think this an obvious conclusion, but in fact a report on Personal Data commissioned by the UK ICO office a year or two back (and very sadly, no longer available on the ICO site) revealed considerable disparity on this across Europe; in many cases whether an IP adress was regarded as "identifying" depended on context, in the view of various Information Commissioners.

The significance is crucial; if IP addresses are personal data, then services which collect IP addresses but not actual names - as Google does when it collects search terms typed in by users from IP adresses - are still regulated by DP law.

Google's privacy chief Peter Fleischer has previously insisted IP addresses are should only be seen as personal data, if it is likely that a person can be identified from an IP address . (Despite this, Google recently caved in to EU pressure and reducing the duration of Google cookies from 30 years to 2 years.) He may now have to think again, at least in Europe. This should be no surprise however, as , as Fleischer himself admits, the ART 29 Working party gave the answer as far back as 2002, that if an IP address can be connected to a person (eg by the person's ISP), then it should be seen as personal data for all purposes, including use by other companies.

The UK's current law , by the way, is in Pangloss's opinion , rather nearer to Fleischer's interpretation than to Scharr's - see s 1 of the DPA 1998. So bad news may be coming not only for Google but for UK drafters and advisers.

FaceBook Brought to Book?

My colleague Ian Brown of Blogzilla reports on an interesting post on why Facebook may be violating European privacy law.

The article reveals that creating an "exploit" in FaceBook - ie hacking the privacy of unsuspecting users - is trivially easy. All you have to do is use Advanced Search and you can search across controversial (and in European DP language, "sensitive") pieces of data such as Religion and Sexuality in apparently unlimited numbers of profiles. This is true even if the user has taken steps to protect the privacy of their data (see below). As Ian comments this is a security failure on FB's part, which should have been trivially easy to fix in their code.

Having just returned from the SCL Conference where it was revealed that over 3 million people in the UK are on Facebook (including apparently nearly every corporate lawyer in the UK.. and definitely at Allen and Overy :-) and it is growing in the UK at 6% per WEEK, this is serious, er, excrement.

Pangloss's own experimentation proves that in fact hacking FaceBook is even easier than this. Suppose you want to stalk person X who you know lives in London. All you have to do is set up an FB profile, join the London network - which requires NO validation, certainly not a University of London email address or the like - and suddenly you can see all their personal details - some of which (on brief inspection) are highly revealing , of social and sexual data that many people would not want public. Of course they may not have joined the London network - but very often it will be very easy to guess what network the stalkee is in.

Of course, will say FaceBook, you, the stalkee, can stop this. You can in fact change all your privacy defaults on FB so no one can see ANYTHING on your profile site unless they are people you have accepted as "Friends". (Pangloss has just gone and done this, with a vengeance.) Fair enough, except that the default privacy settings on FB are almost entirely in favour of disclosure and there is very little direction or instruction on the site to "change these defaults for heaven's sake, 300,000 people can see who you want to sleep with".

As the blogger above, Quiet Paranoia (great name) comments, "Users cannot be expected to know that the contents of their private profiles can be mined via [advanced] searches, and thus, very few do set the search permissions associated with their profile."

I agree. If an er um respected professor of privacy law can take some while to realise how exposed her data is on FaceBook, then it is unreasonable to expect children of 16 or 17 (FB is associated with high school students but the T & C say 13 up) to make these kind of difficult judgment calls, when what they are really concerned about is popularity and finding out about the good parties?

FB will say that they have provided opt-in to privacy, and anyone who does not avail themselves of the tools available is impliedly giving consent to processing of their data. They wil also point to their privacy policy which does not give the impression of overwhelming concern about the remarkably weak default privacy protection and indeed, security, offered by FaceBook.

"You post User Content (as defined in the Facebook Terms of Use) on the Site at your own risk. Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other Users with whom you may choose to share your pages and information. Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site. You understand and acknowledge that, even after removal, copies of User Content may remain viewable in cached and archived pages or if other Users have copied or stored your User Content."

Even Pangloss, who is no privacy fundamentalist, does not think this is good enough, particularly in relation to "sensitive personal data" where "explicit consent" to processing by third parties is required. (Is searching via key words "processing"? Almost certainly - see Art 2 of the Data Protection Directive which includes "retrieval" whether or not by automatic means. )

But FB will again say : Everyone who signs up to FB assents to the T & C. Does that mean they have given the requisite explicit consent to processing of sensitive data even by "unauthorised third parties"? Even if in pure contract law the T & C can be read this way, at this point both DP law and the Unfair Contract Terms Directive should surely both converge to make such a clause either void or unenforceable?

In comparison, another social networking site where Pangloss hangs out, Live Journal, has not only very sophisticated privacy controls, but also a culture of discussion and awareness that privacy and openness can be manipulated by the software. Of course privacy breaches do still occur (via "cut and paste fairies" for example) but they are pretty rare.

Do we need a legal solution? Is there a case for extension of DP law to cover the setting of defaults on social network sites? Should privacy not be the default, by law (perhaps with some exceptions to preserve functionality, such as name and network) and openness the opt-out, rather than the reverse? Maybe. Maybe all that is needed is an Industry Code of Practice combined with some upping of awareness of the issue. However with the number of people - especially young pre-employment proto-citizens - involved in web 2.0 sites rising by the minute, this really does seem an issue which is not merely knee jerk alarmism and should not be swept under the carpet. First year students may not care now about spilling their sexuality and contacts to the world: they may when they are older, wiser and looking for employment :)

Another suggestion might be the automatic expiry of social networking data after say six months unless the user chooses to opt in to keeping their data out there. Viktor Mayer-Schoenberger has made this kind of suggestion recently. In social networking sites where the whole business model is based around large databases of personal data, data is routinely retained apparently forever. Data retention is another area where the DPO authorities might want to have a bit of a look at whether the law needs tweaked.

Want to be a Porn Star?

.. no? well who said you got a choice?

"A 17-year-old college student is taking legal action against a pornographic film company after it "stole" a photograph of her and used it on the front cover of one of its productions."

One wonders what her threatened cause of action is. Data processing without consent? Breach of confidence? Or breach of publicity rights in the US where the porn company is based (now THAT would be a fun choice of law case under Rome II if action raised in the UK..)?

Ah if only these cases didn't always settle ! :-)

The porn film company optimistically opine that they were "entitled to use the picture because Lara had put it in the ''public domain'' ". Would be nice to see that one laid to rest in UK case law.

(Thanks to Steve Green for the tip.)