Google's Transparency Tool: some thoughts

Google has released a tool , to much media and legal interest, which allows the public to see what requests are made by governments for information about users and, in particular, what requests were made to "take down" or censor content altogether. We have therefore one of the first reliable indices of the extent of global government censorship of online content as laundered through private online intermediaries.

This for eg is the data currently disclosed, for the last 6 months, for the UK:

1343 data requests

48 removal requests, for a total of 232 items

62.5% of removal requests fully or partially complied with

• Blogger
• 1 court orders to remove content
• 1 items requested to be removed
• Video
• 3 court orders to remove content
• 32 items requested to be removed
• Groups
• 1 court orders to remove content
• 1 items requested to be removed
• Web Search
• 8 court orders to remove content
• 144 items requested to be removed
• YouTube
• 6 court orders to remove content
• 29 non-court order requests to remove content
• 54 items requested to be removed

and by comparison here is the data for Germany

668 data requests

124 removal requests, for a total of 1407 items

94.3% of removal requests fully or partially complied with

• Blogger
• 8 court orders to remove content
• 11 items requested to be removed
• Video
• 1 court orders to remove content
• 2 items requested to be removed
• Google Suggest
• 2 court orders to remove content
• 3 items requested to be removed
• Web Search
• 47 court orders to remove content
• 1 non-court order requests to remove content
• 1094 items requested to be removed
• Book Search
• 2 court orders to remove content
• 2 items requested to be removed
• YouTube
• 17 court orders to remove content
• 46 non-court order requests to remove content
• 295 items requested to be removed

and for the US

4287 data requests

128 removal requests, for a total of 678 items

82.8% of removal requests fully or partially complied with

• AdWords
• 1 court orders to remove content
• 1 items requested to be removed
• Blogger
• 8 court orders to remove content
• 45 items requested to be removed
• Geo (except Street View)
• 2 court orders to remove content
• 2 items requested to be removed
• Video
• 1 court orders to remove content
• 1 items requested to be removed
• Groups
• 7 court orders to remove content
• 394 items requested to be removed
• Web Search
• 30 court orders to remove content
• 2 non-court order requests to remove content
• 66 items requested to be removed
• YouTube
• 31 court orders to remove content
• 46 non-court order requests to remove content
• 169 items requested to be removed

There is an enormous wealth of data here to take in. I was asked to comment on it to the BBC at a time when I had not yet had a chance to examine it in any depth, so this is an attempt to give a slightly more reflective response. Not that I'm in any way reneguing on my first gut response: this is a tremendous step and a courageous one for Google to take and deserves applause. It should be a model for the field and as Danah Boyd and others have already said on Twitter, it raises serious questions of corporate social responsibility if Facebook, the various large ISPs, and other platforms do not now follow suit and provide some form of similar disclosure. If Google can do it, why not the rest?

Pangloss has some appreciation of the difficulty of this step for a service provider. Some years back I attempted to do a small scale survey of notice and take down practices in the UK only, asking data from a variety of hosts and ISPs, including large and small, household names and niche enterprises, major industry players and non profit organisations. It was, it became quickly clear, an impossible task to conduct on any methodologically sound research level. Though many managers, IT folk and sysadmins we spoke to were sympathetic to the need for public research onto private non transparent censorship, nearly all were constrained not to disclose details by "business imperatives", or had no such details to hand in any reliable or useful format, which often came to the same thing. (Keeping such data takes time and labour: why bother when there is only trouble arising from doing so? See below..)

The fact is the prevalent industry view is that there are only negative consequences for ISPs and hosts to be transparent in this area. If they do reveal that they do remove content (or block it) or give data about users, they are vilified by both users and press as censors or tools of the police state. They worry also about publicly taking on responsibility for those acts disclosed- editorial responsibility of a kind, which could involve all kinds of legal risk including tipping off, breach of contract and libel of the authors of content removed or blocked. It is a no win game. This is especially true around two areas : child pornography, where any attempt after notice to investigate a take down or block request may involve the host in presumptive liability for possession or distribution itself; and intercept and record requests in the UK under the Regulation of Investigatory Powers Act 2000 where (inter alia) s 19 may make it a criminal offence to even disclose that the government has asked for certain kinds of interceptions of communications.

Now imagine these legal risks and uncertainties, coupled with the possibility of a PR disaster - coupled with potential heavy handed government pressure - multiplied by every legal jurisdiction for which Google has disclosed data. This gives you some idea of the act of faith being undertaken here.

Google of course have their own agendas here: they are not exactly saints. Good global PR this may accrue among the chattering (or twittering) classes will help them in their various current wars against inter alia the DP authorities of Europe over Google Street View, the Italian state over Google Video and the US content industry over YouTube. But it still remains true as they say that "greater transparency will give citizens insight into these kinds of actions taken by their governments".

Criticisms

The legal risks I talk about above also partly explain some of the failings of the tool so far, some of which have been cogently pointed out already by Chris Soghoian. Notably, it is not yet granular enough, something Google themselves have acknowledged. We have numbers for data requests made (ie information about Google users) , for takedown requests, and which services were affected (Blogger, YouTube etc). We have some idea that Google sometimes received a court order before disclosing or blocking, and sometimes didn't, but we do not know how often they gave in specifically to the latter - only that it is claimed such requests were granted only where Google's own abuse policies were breached eg on Blogger.

Crucially we do not know, for the UK say, if these requests were made under RIPA or the Communications Act s 127 or more generic policing & investigation powers or what. Or how many related to terror material or pro islamic websites, and how many to scam or spam sites or illegal pharma shops or adult porn sites, say. Or even to defamation (this is apparently responsible for a high number of the requests in Germany, according to the FAQ.) Defamation is an odd one here because it is a private law not a criminal matter in the UK at least (some states do have criminal defamation, but it is fairly rarely tried); but it leads to court orders to remove content and disclose IDs, and Google, slightly confusingly, say they count these court orders in with the "governmental" stats. (They don't however include court orders for take down of copyright material, since these almost all come from private parties - and pragmatically, would probably overwhelm the figures.)

(Another important point buried in the FAQ is that these figures don't include removals for child pornography since Google's systems don't distinguish here, they say, between requests received from government, and from private parties - so eg all the take downs and blockings ordered by the IWF in the UK are presumably not included. This also means that those already high figures for Brazilian government requests for take down on Orkut are actually in reality probably a lot higher (?) since Orkut is renowned as a haven for hosting child porn.)

Splitting up requests and takedowns by type of content is critical to understanding the validity of state action, and the more data we get in future on this will be good. Once requests and removals are divided up by type (and legitimate authority), we can also find out what percentage of take down requests in which category were acceded to, still without Google needing to disclose at the possibly dodgy level of individual requests. And also where acceded to with or without court order.

Global comparisons and free speech

Looking at the data on a global comparison basis will be a daunting but fascinating task for commentators for the future, especially as the data grows across time. It is noticeable even from just the 3 countries quoted above that it is really, really complicated to make simplistic comparisons. (This is why few if any commentators yesterday were being dragged into easy condemnations and quicky league table comparisons. )

For example, the UK government made a lot of user data requests (a helluva lot if correlated to population actually - the US has six times the population of the UK but made much less than 4 times as many requests; Germany is a quarter bigger than the UK by population and made c 50% less requests) . By that figure, the UK is the most interrogatory government in Europe.

But Germany by contrast made more requests for take down of content than the UK - and got 94% of its requests accepted, compared to 62% of the UK's such requests). What does this say about the claim to validity of the UK requests overall? Are our LEAs more willing to try it on than Germany's, or was their paperwork just more flawed?? Do we try to get more take down without court orders and Google thus tells us to bog off more? Do we actually censor less content than Germany, or just fail to ask for removal of lots of stuff via one efficient takedown message rather than in a trickle of little ones? Needs further citation, as they say.

Google do interestingly say in the useful FAQ that the number of global requests for removal of speech on "pure" political grounds was "small" . Of course one country's politics is another's law. So approximately 11% of the German removal requests related to pro-Nazi content or content advocating denial of the Holocaust, both of which are illegal under German law - but which would be seen as covered by free speech in say the US.

Non governmental disclosure and take down requests

Finally of course these figures say nothing about requests for removal of content or disclosure of identities made by private bodies (except in the odd case of defamation court orders, noted above) - notably perhaps requests made for take down on grounds of coopyright infringement. There will be a lot of these and it would really help to know more about that. As recent stories have shown, copyright can also be used to suppress free speech too, and not just by governments.

Finally finally..quis custodiet ipse Google?

...a reader on Twitter said to me, yes, it's great but why should we believe Google's figures? He has a point. Independent audit of these figures would help. But it is difficult to know without technical info from an insider (hello Trev!) how far this is technically possible given the need for this kind of information capture on such a huge scale to be automated. (At least if we had the categories of requests broken down by legal justification, we could conceivably check them against any official g9vernmental stats - so, eg, in the UK checking RIPA requests against the official figures?? - though I doubt those currently disclose enough detail and certainly not who the requests were made against? (A. Nope! surprise - see 2009 Interception of Communications Commizssioner's report, eg para 3.8.))

Google Makes TM Changes to Adwords Across EU

Google have issued an interesting press release today about changes they are making to follow up on the recent ECJ Adwords decision.

We defended our position in a series of court cases that eventually made their way up to the European Court of Justice, which earlier this year largely upheld our position. The ECJ ruled that Google has not infringed trade mark law by allowing advertisers to bid for keywords corresponding to third party trade marks. Additionally, the court ruled that advertisers can legitimately use a third party trademark as a keyword to trigger their ads

Today, we are announcing an important change to our advertising trademark policy. A company advertising on Google in Europe will now be able to select trademarked terms as keywords. If, for example, a user types in a trademark of a television manufacturer, he could now find relevant and helpful advertisements from resellers, review sites and second hand dealers as well as ads from other manufacturers.

This new policy goes into effect on September 14. It brings our policy in Europe into line with our policies in most countries across the world. Advertisers already have been able to use third party trademarked terms in the U.S. and Canada since 2004, in the UK and Ireland since 2008 and many other countries since May, 2009.

The most interesting bit for Pangloss is that what accompanies this is a new type of notice and takedown procedure.

In the affected European countries after September 14, 2010, trademark owners or their authorized agents will be able to complain about the selection of their trademark by a third party if they feel that it leads to a specific ad text which confuses users about the origin of the advertised goods and services. Google will then conduct a limited investigation and if we find that the ad text does confuse users as to the origin of the advertised goods and services, we will remove the ad. However, we will not prevent use of trademarks as keywords in the affected regions.

This is an interesting way of implementing the caveats in the ECJ decision. Google have generally sought to automate all their processes as far as possible, whereeas this will create a lot of manual work in processing what will no doubt be a storm of cease and desist notices - compare the Content ID approach on YouTube where take down exists and is faithfully followed, but there is also a push towards persuading IPholders to submit their own works for pre emptive filtering. However in this case they clearly think the work involved in implementing this new scheme will make more money for them in advertising revenue, than it will lose in costs of manual take down. And take down should fend off most future litigation, though not, I suspect, all. For businesses , a harmonised policy through all EU is always a boon.

It would be interesting to see some empirical data emerging on how this affects the choice of keywords, click-through and text of AdWords ads in future, and how this does or not benefit the public interest in access to information in advertising. Google's usual approach to open data should be helpful here. (Will takedown notices under this scheme go to Chilling Effects website, as linking-to-content take down requests do? I hope so.)

Annoyed now: Google & Italy

Lots of the blogosphere exploded in indignation yesterday at the revelation that an Italian court had found Google execs, including privacy chief Fleisher, criminally liable for publishing an amateur vid on You Tube which invaded the privacy of the special needs child depicted being bullied therein. Charges of criminal libel were however dismissed. Lawyers amongst us wondered if someone had forgotten to tell Italy about the safe harbours for hosting intermediaries of the E-Commerce Directive , arts 12-15 which apply throughout Europe. Richard Thomas, the UK's former Information Commissioner, despaired that this verdict was giving privacy a bad name. Americans, used to the total (and one might say, over-wide) immunity given online intermediaries in relation to publication torts by the Communications Decency Act were even more flabbergasted. Google, understandably slightly over egging it a tad, called it a serious threat to the very freedom of the Internet, well, at least in Italy. Peter Fleischer, awarded a six month suspended sentence, sounded about as genuinely outraged as a top corporate exec can sound on his blog, and threatened appeals, hellfire and a boycott of pasta.

Pangloss was surprised but also a little smug, as she'd covered this story as far back as May last year and in detail here. While we're waiting for an opinion to come from the Italian court (apparently required within 90 days, and is there an Italian translator out there please?) it is maybe worth refreshing the reader's memory for the only four ways I saw this case could go against Google, assuming Google did plead the ECD (bit of a no brainer that).

1. Italy may not have at all, or properly implemented the ECD. In which case Google has a claim for damages against Italy and the case may eventually to end up in the ECJ to hilarious embarrassment.

2. Italy may not think the ECD applied to Google/You Tube as a host, because of doubts about the "independence" of YT as an intermediary from its users . This argument has prevailed in some high profile French cases, but has largely been rubbished in most the rest of the EU. In particular the "YouTube complicit with users" argument may have some legs when we are talking about YT making money from ads next to popular copyright videos eg MTV clips, and thus, conceivably, being seen to profit from copyright infringement (cf current Viacom US litigation); but has absolutely none in the case of a video of this kind. Basically, YT provided a platform and got nothing out the deal except trouble.

3. Italy may not think the ECD applied to Google/You Tube as a host, because the ECD may only apply to commercial operators. This is almost entirely exploded as a theory, and will be when the Google Adwords case gets its full judgment from the ECJ next month. The Advocate-General's preliminary Opinion, as I noted in November, already plainly agrees that a search engine like Google which makes money indirectly from adverts while free to users can fall within the ECD. The UK courts have also so agreed.

4. The ECD safe harbour for hosts says basically that they are immune from liability for what they publish until they receive "notice" of illegal content. It does not say either that they have to pre-vet videos, nor that they have to read all the comments below a video. Pangloss suspects this, if anything, is the legal ambiguity in the case. Google says they took down as soon as the police gave them notice; Gooogle's opponents say "but the video was up for two months and people complained in comments". Should those "comments" have been regarded as notice then? In which case, did Google have a duty to pro-actively read them?

This is the bit that gets me annoyed. Google's success, as the Guardian's Charles Arthur explained cogently the other day, is built on automating everything. This doesn't mean that Google should be free of all responsibility for what goes on on its watch, but it does mean that exercising that responsibility should be practicable, or we lose Google and all its free chocolate factory offerings. Reviewing every comment under the millions of videos on YouTube - and in a multiplicity of languages - and in real or near real time - is impossible. It is a human task. It is not automatable. You can design algorithms to compare copyright works to "watermark" versions of the same - an approach Google is working on to cut down on YT piracy - but you cannot design a computer programme which can work out what videos - or text or images - are libellous or privacy-invasive. You just can't; well maybe not until artificial intelligence has finally gone Singularity, and possibly not even then - human judges find it hard enough a task.

The ECD was actively designed to set up that kind of practical responsibility for hosts. Receive notice of illegality; take down, or else become liable for it. It raises other issues about kneejerk censorship (we'll come back to that), but it is at least a good start. So when a freak case like this undermines the notice and take down system, it really is time to get our facts straight.

One way out here is to provide an easy way for the worried to flag a video as "inappropriate". That definitely would be notice, to which a takedown response could be automated. Malcolm Coles accuses Google's systems for alert of not working here, so I went and had a look. YT puts a "Flag" button below every video, fairly obviously, but it seems you can only use it if logged in. This means setting up a YT account; a process convoluted enough to put off a casual viewer, especially a one time viewer alerted by some one saying "look have you seen this, isn't it terrible?" This might explain why people left comments rather than gave "notice" on the YT site in the Italian case.

In which case, should Google be liable for failure to design robust systems of notice?? If so we're setting a very, very high bar for ECD immunity. Every host - which includes nearly every ISP and business in Europe with a website - would have to design obvious and accessible notice and take down buttons for the public, or fear legal liability. I can tell you from informal survey research I did myself a while back that most sites have far, far less information (if any) on how to give notice than YT. And in the UK, there is nothing in our law that requires this degree of specificity.

But there is another , more profound reason why automating takedown is not only impossible but undesirable. Google's complaints policy on privacy (for the UK) says:

"We don't act on all privacy complaints. The complaints we do act on usually involve videos, comments, or other text that contain your image or private information (such as social security number, government I.D., or credit card information). These days there's a good likelihood that you might get caught on camera if you're in a public place - whether it be a security camera or a tourist who inadvertently captures your image in their video. If you're complaining about a video that shows you in passing while you're in a public place, chances are we won't take action on your complaint unless you're clearly identified or identifiable in the video."

As a semi expert in the field, that reads to me like a true outline of the law. It may not be true of Italy. However it shows the dangers of accepting any claim of privacy invasion lightly, from anyone, without checking. Human checking that is - possiby even a human lawyer, if that isn't a contradiction in terms. Do we want to live in a world where anyone can censor any online content simply by claiming some kind of abuse of rights - privacy, libel, copyright - and demanding automatic take down? It would be an easier world for Google, to be sure - and an appealing world for those who want, understandably, videos of their children being abused or bullied online removed as as fast as possible - but bad news overall for the public interest in free speech and the public domain.

So how do we square this circle? If Google - and its competitors - can't primarily automate what they do, they cease to be able to function. Yet notice and take down is a process which if automated is inherently either impossible or undesirable. Is there a solution? I'm only a lawyer, not a computer scientist. I'm not sure. But if the Google Italy fracas is to do any good, it should inspire a debate , between science, business, law and the public about what that solution might be.

EDIT: ta to Charles Arthur at the Guardian for the nice link.

Google and China: the fallout continues

Since I wrote my last post suggesting (rather speculatively) that Google's apparent willingness to pull out of China might be linked to US state fears of (and pressure concerning?) cyber espionage against data held by Google about US citizens instead of/as well as Chinese dissidents, the world has become very interested in the succeeding revelation by Google that they are now working with the NSA to improve their cyber defenses.

This raises all kinds of further questions: doesn't Google have as much expertise in computer security itself as the Spooks? Or as someone put it even more conspiratorially on Twitter: hadn't we always assumed Google was working with the spooks? In which case what drove a public admission of it now?

All fun stuff and clearly far beyond the ken of a mere academic lawyer. But t0day's Grauniad has an interesting quote:

"Google is unlikely to be turning to the NSA for technical advice. Why then is it calling in the spooks? One reason could be that the world's dominant internet company is now in the crossfire of early skirmishes of the next cold war.

This thought was reinforced by Financial Times columnist Gideon Rachman. He'd been to the International Institute for Strategic Studies for a briefing on its annual survey, Military Balance. "The thing I found most interesting," he said, "was the confirmation that cyber-security is the hot issue … John Chipman, the head of the IISS, says the institute is about to launch a study of cyber-security which raises all sorts of issues. What if a country's infrastructure could be destroyed as effectively by a cyber-attack as by an invasion of tanks? How do you defend against that? How do you identify the culprits? What does international law have to say – might we have to revise our definitions of what constitutes an act of war?"

"Chipman argues, plausibly, that we are now at an equivalent period to the early 1950s. Just as strategists had to devise whole new doctrines to cope with the nuclear age, so they will have to come up with new ideas to cope with the information age."

I've noted before that I find it difficult to see how current international law can define cyber attacks and especially cyber espionage as armed attacks justifying, eg, the doctrine of self defense. But I've also now been to several events where military lawyers seemed to be if not saying then at least moving toeards exactly that. It is clear we are entering the era of what is sometimes called "justificatory discourse" regarding cyber war, or PR in less elevated circles. (The irony of the fact this is playing out as the Iraq inquiry goes on is not lost on Pangloss. Nor that MI5 appears to be trying to get in on the action by revealing what bad stuff Chinese cyber spies have been doing inthe UK too.) The same thing, is, of course, happening in China too: one report from there notes that the average Chinese citizen is mostly apathetic to the loss of Google but Chinese news coverage has " focused not on Google but on what is perceived as US "information imperialism." "

And meanwhile, the ever excellent Ray Corrigan points out (I think - lots of interesting stuff packed in here) that cyberwar may be becoming the latest bogeyman, following hard on pedophiles and alQuaeda to justify incursions into our civil liberties. And that we are hardly ones to condemn China's Great Firewall, when we do an awful lot of net censorship ourselves. (See further, dare I say, my own chapter here, which is the basis of the paper on cyber filtering and free speech I'm giving in a few days.)

OT: Looking at B2fxx reminds me I have been derelict of duty not to mention my collague Chris Marsden's much awaited book on 'Net neutrality: towards a co-regulatory solution' is not only just published by Bloomsbury but also available for free download under a creative commons licence at http://www.bloomsburyacademic.com/pdf%20files/NetNeutrality.pdf . Lordy lordy such wondrous times we live in!!

Google and China: Interesting Times?

So what do we think about the Google China affair then? For anyone who has been hiding under a rock on Pluto lately, Google announced on January 13th that it "may end its operations in China following a "sophisticated and targeted" cyber attack originating from the country." aimed apparently at gathering intelligence from Gmail accounts etc on human rights activits, dissidents and the like in China, and adding that in response they would no longer self censor their search database as they had since starting up in China in 2006. China, unsurprisingly, insisted that hacking was illegal in China and Google would have to toe the line and enforce local laws like other companies. Then perhaps slightly more surprisingly, the US government itself got involved in the form of a swinging speech by Hilary Clinton demanding that Beijing that should investigate the hack attacks on Google, and les directly, implying that China had a duty, like also-mentioned Tunisia, Uzbekistan, Vietnam and Egypt to stop restricting freedom of expression on the Internet. One commentator has compared this to Reagan demanding the pulling down of the Berlin Wall - only this time it was the Chinese Great Firewall. For China to back down wouldbe almost unprecedented; so at least China insider has said that in six months he expects there to be no Google.cn. Meanwhile information filters out that similar espionage hacks seem to have been mounted by Chinese hackers on other US companies in recent months , seeking economic espionage intelligence; two of the companies were major US oil companies.

The main response to this has been huzzah! In a world apparently dominated by bankers taking as many undeserved bonuses as they can sweep up, one can sense the eagernness of the world to believe that a big company can still want to do the right thing. Certainly even if Google's "Do no evil" motto has tarnished a little lately they do stand out as appearing in the world of corporate politics to give a damn about human rights. A Grauniad columnist wrote perhaps a little over excitedly yesterday:
"

we can now again unreservedly identify, politically as well as aesthetically, with Google. This is the spirit of liberal universalism. It says that there are some universal rights it is not the prerogative of any state or "civilisation" to curb; and that, as the Universal Declaration of Human Rights states, the right to information freedom is among them."

But is anything in life really this simple? As many have pointed out, China is a market where Google is not dominant, having only around 30% of the market. But pulling out of the world's largest emergent economy is still rather a bold step. Unless perhaps you consider the rather less publicised fact that Google only makes money by click through on ads; and reportedly, the Chinese don't yet bother to click through (Google don't reveal the turnover of their Chinese business as they do their US profits). Still it seems like either a very brave or a very foolhardy endeavour. (Bill Thompson comments that "Threatening to pull out of China is like threatening to spit on a whale".) (Unless you think it's all merely a very successful PR stunt.)

A braver woman than Pangloss might even sail into the world of conspiracy theories, and consider the Google response and the Clinton speech as part of a combined PR drive. China expert Orville Schell in this video recorded at Davos, notes that

"Google has become more like a nation than a company. By this he means that not only is Google closely connected to the Obama administration, but the company has a high resonance in the western world. Only a company like Google could take such a stance against China".

Why would the US want Google out of China, or at least, a very public fuss about the hack attacks on Gmail accounts by China? Well cybersecurity experts have long privately admitted that although rather more fuss has been publicly made about "cyberwar" denial of service attacks on critical infrastructure (as , famously, against Estonian and Georgian banks and media sites, etc), the foremost worry is actually about cyber espionage. Chinese keylogger code has been found before now on military computers; it is known that it is almost impossible to 100% protect against this. Google store invaluable information not just about Chinese dissidents but US citizens - and companies. If you were a Chinese espionage officer would you target the unprotected Gmail user or the more protected Google servers, or the very well protected servers carrying confidential military or corporate secrets?

For a cyber lawyer, the interest here is whether we are approaching the point where cyber espionage might begin to be characterised as "cyberwar". Just as with DDOS attacks, the current law is badly equippd, perhaps quite properly, to make this conceptual leap. I spoke on this in Estonia last summer, at the NATO backed CyberSecurity Centre. International treaties demand an "armed attack" by a "state" before rights of self defence or international humanitarian law can begin to apply. Is use of code to find out information an "armed attack"? Difficult to see (although there was some discussion of this back in the good ol' days of Star Wars defence.)

More significant still is the pained matter of attribution. No one can prove that attacks by Chinese hackers came from and with the authority of the Beijing government - and circumstantial evidence simply cannot be regarded as decisive here given the easy obfuscation of Internet traffic and addresses, and the flourishing private enterprise cyber black market. Much of the cybercrime in the world originates from networks of zombie machines run (apparently:-) by Russians with the machines scattered through every country from the UK to Brazil; this does not mean (necessarily) that Russia, the UK or Brazil is responsible as a state aggressor. The question of attribution will have to be far better discussed before we can go any further down this line. In the meantime however, it is interesting to note that there are reported American stirrings of interest in a cyberwar treaty to reduce cyber-attacks, as with munitions or poison gas weapons: such a treaty has long been resisted by the US, but now that position seems to be shifting - why?*

And meanwhile today brave little Twitter, hero of the Iran dissidents, announces they are sub contracting research to avoid being blocked by China. All in all very interesting times - in the Chinese sense?

*Well perhaps because as I discover the minute I finish writing this, 37% of US critical infrastructure firms think cyber attacks are growing and 2/5 expct a majot cyber security incient within the year - say McAfee at Davos.

The DEB amendments; 1 in a series..

You might wonder where I've been this time. Well, Pangloss is currently signed off work with a prolapsed disc. Yes it's Ok, it wsn't fun, but I'm getting better now, thanks. Anyway, one thing I plan to do for **fun** this week now I have time on my hands is sit down and have a look at the hundreds of DEB amendments. Yes I know; I'm that sad.

As a starter, it's important to remember not all the DEB is about disconnection of filesharers and neither are all the amendments.

One amendment Pangloss might draw attention to in particular has had quite a warm reception in parts of the press, odd perhaps given recent Google/Murdoch fracas (or not so odd?:). The Telegraph note

Lord Lucas, a Conservative peer, has tabled several amendments to the Digital Economy Bill

that would settle a number of copyright and electronic publishing arguments once and for all.

The one that’s been catching the headlines is immunity for search engines from prosecution under copyright laws as they go about their normal business of searching the web. Every provider of a publicly-accessible website shall be presumed to give a standing and non-exclusive licence to search engines to copy their content for the purposes of searching. A machine-readable file (robots.txt, for example) can be used to demonstrate that such a licence is not granted, should the owners of the website prefer not to be indexed.

Brilliant. Immediately all of the rows and back-and-forth between ill-advised newspapers and publishers is given a clear legal footing. It would be legal to be a search engine, and you can tell them to keep out if you wish. A few sentences saves millions of pounds of court costs and clears the headaches of everyone involved."

while the Guardian adds

" it would, for example, give Google legal immunity with which to index News Corp content, settling that thorny topic once and for all. But all would not be lost for publishers who want to retain control. Lucas's amendment does make provision…

The presumption (of having an automatic license) may be rebutted by explicit evidence that such a licence was not granted. Such explicit evidence shall be found only in the form of statements in a machine-readable file to be placed on the website and accessible to providers of search engine services.

In other words, Google would be free to copy everything - but a publisher blocking search spiders with a robots.txt file would be taken as withholding that right. An explicit "fair use" provision, which Google often cites against copyright-abuse claims, does not exist in UK law."

Interesting stuff?

NOTE: fun summary of this week's first debate at the Register

Something Different for the Midweek: Google and Criminal Liability

Yesterday Pangloss was very happy to have a guest lecture for her Internet Law class given by Trevor Callaghan, Managing Product Counsel of Google UK. Trev gave a hilarious lecture on the law relating to search and copyright, which conbined legal insight, practical tips, and social responsibility with some Glasgow humour that would have put Armando Iannuci of The Thick Of It fame to shame (albeit with (slightly) less swearing). I enjoyed it, lots, and i think the students did too.

Anyway, this all reminded me that actually quite a few things are going on I should be talking about as well as (or perhaps even in combination with) the Digital Economy Bill. One of these, which has received suprisingly little press (even wonderful OUT-LAW hasn't mentioned it since February) , is that right now, four Google executives - including Privacy CEO Peter Fleischer- are on trial - yes, criminal trial - in Italy, in relation to a short phonecam video made by some school children of a bullying incident involving a child with learning disabilities, and then posted on Google Video.

In Italy, it appears that libel and , possibly, infringement of privacy laws, can be a matter of criminal as well as civil law. Google took down the video on notice within a day of receiving an official complaint from a consumer group, although the video had been online for about 2 months before that. Italian prosecutors investigated for two years but then decided to proceed.

For Pangloss this seems a not very difficult case that ought to be easily decided under the EC E-Commerce Directive safe harbours in Art 14 and 15, as often discused in this blog. If these aren't implemented into Italian law, then it would seem Italy must be in breach of EC law itself. Google was clearly a host here, and Art 14 provides that such sites are protected from criminal liability for the activity of users of the service, unless they receive actual notice, and fail to take down expediently. This is a case about criminal liability so there is no need even to move to the second branch of Art 14 (which is far more controversial) and discuss whether Google should have known - ie had constructive knowledge - of the activity or content. Injunctions would have been relevant, despite the safe harbours, but these are not the issue as Google already took down straightaway on notice.

So why on earth is this case coming to trial? Pangloss is perplexed. One possibility as noted above is that simply that Italy's domestic law is in breach of EC law (in which case Google should have a Francovich claim for damages against the Italian government, though that may not be much comfort to the men awaiting trial.) Another possibility, though rather an unlikely one, is that the Italian prosecutors have confused the activities of Google as a search engine, with Google as a host. The ECD does not give search engines , or hyperlinkers , a special immunity from liability as it does hosts and "mere conduits" : though a number of EC countries have in fact decidd to extend such an immunity, either under Art 12 or 14, or both. However in this case case it seems pretty clear Google was a host not a hyperlinker in terms of liability. So, what on earth quid iuris?

Another remote possibility is that the suggestion is that Google as a provider of free services does not gain the benefit of the Art 14 safe harbour. This uncertainty has been around for a long time, since only providers of "information society services"(ISSPs) get the benefit of Arts 12-15 and that definition is of an online service "normally provided for remuneration" (see recitals 17 and 18). Yet majority opinion has long felt that this particular point is no obstacle to the likes of Google (or Facebook, or Hotmail?) claiming safe harbours.

First, while renumeration might not come directly from users, it certainly does come in the form of the adverts Google place alongside its services. Second, search services are certainly something that would "normally" be paid for if they weren't, happily, often provided for free: they are of huge commercial value . Thirdly, it seems a strange policy in terms of public interest which would discriminate against services of great public value provided for free, in favour of those given purely for direct consideration.

There is no clear ECJ ruling on this yet but there is likely to be soon: in the upcoming Adwords conjoined referrals to the ECJ (Google France v Louis Vuitton, etc), the Advocate-General has already given a preliminary opinion in which he found:

"There is nothing in the wording of the definition of information society services to exclude its application to the provision of hyperlinks and search engines, that is to say, to Google’s search engine and AdWords. The element ‘normally provided for remuneration’ may raise some doubts as regards Google’s search engine, but, as has been pointed out, the search engine is provided free of charge in the expectation of remuneration under AdWords. (68) Since both services are also provided ‘at a distance, by electronic means and at the individual request of the recipient of services’, they fulfil all the requirements necessary to be regarded as information society services."(para 131)

And for what it is worth, a roughly similar finding was reached, albeit obiter and with an admission of some possibility of doubt , in the recent English libel case of Metropolitan v Designtechnica, where Eady J opined: "it would appear on balance that the provisions of the 2002 Regulations [defining an ISSP] are apt to cover those providing search engine services." (para 84)

So what does that leave? Well there is perhaps a clue in the New York Times account.

"Google and the prosecutors agree the video was uploaded Sept. 8 and removed Nov. 7, 2006. The prosecutors presented evidence showing that in early October, a month before the video’s removal, there were comments posted saying that it should be taken down. One of those messages read, “This is shameful! This should be taken down immediately.”

“It is reasonable to imagine that comments like this were followed by requests by these same people that the video be removed,” the prosecutors wrote in the document they presented to the judge."

So when are such shocked responses or "requests", "actual notice" as required by Art 14? Do comments on a video hosting site cut it, as opposed to an official request for takedown? To put it another way: does a hosting service have a duty to read comments about videos posted by, and probably of interest only to, their creators and viewers? Surely not.

Compare the situation to the original world Art 14 was designed to deal with, that of web 1.0. If Demon Internet hosted a basic site for (let's say) Anglers Magazine, and it contained a chatroom where libellous remarks were made about particular fly-fishers, would Demon be expected to monitor that chatroom for explicit or implied requests to take down those comments? Again, surely not. It would be up to the aggrieved angler to send his request for take down direct to Demon. The whole point of Art 14 was to reassure host providers they had no need to monitor the activities of those to whom they provided hosting services. Not only would this involve huge expenditure of effort and cost, but it might also be privacy invasive and chilling of free speech. Art 15 states this absolutely explicitly:

"Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity."

Still another way to put this is to ask , what are the minimum requirements for notice? This is a perennial problem. The US DMCA largely gets it right, with a statutory form which requires a complainant to give clear details including their own address and status as rightsholder, and provides sanctions for false accusations. The ECD, being a EC wide framework, is hopelessly vague. The UK's own regs help a little but not much - there is no DMCA type statutory notice but Reg 22 of our E Commerce Regulations does state that

"In determining whether a service provider has actual knowledge ... a court shall take into account all matters which appear to it in the particular circumstances to be relevant [including] whether a service provider has received a notice through a means of contact made available in accordance with regulation 6(1)(c)" - ie, their official contact email address .

This stuff should be simple law (compared at least to issues like eBay and Louis Vuitton, Google and AdWords) but even it is not. The ECD deperately needs revised to get a few simple things right and harmonised across Europe: what form should "actual notice" take; what does "expediently" mean; what is constructive notice; when, if ever, can an obligation to filter proactively be placed on ISSPs; what immunities should search engines (and hyperlinkers and aggregators) have. Pangloss loves this stuff but even she is tired of writing the same stuff over and over again. It is time to review the ECD.

PS and in the interest of public policy but with just a hint of minx-itude, I have helped draft a proposed amendment to the Digital Economy Bill for ORG which would aim to clarify some of these very matters, at least for the UK. See you in the House of Lords! :-)

Google 1: Luxury Brands 0!

Pangloss is pretty bushed after the excellent SCL Policy Forum (thanks to co-chairs Chris Reed, Judith Rauhofer, and gracious hosts Herbert Smith) but just has to bring this breaking news; the Advocate General's opinion has come out (via Joris Hoboken), in the hotly awaited ECJ reference in Luxury Brands plc (OK, see real parties below) vs Google, on whether Google is liable for trademark infringement as a result of its keyword based "AdWords" service. The meat of the opinion is that Google is not liable for selling keywords to advertisers which correspond to trade marks owned by others, since the use of the TM, such as it is, is restricted to the relationship between Google and the advertiser, and is not aimed "outwards" at the user, thus not causing customer confusion.

TM lawyers will have plenty to say on that part but for Pangloss, the real excitement is what this says about search engines as immune or liable intermediaries under the EC Electronic Commerce Directive. The AG opinion (available in full now, since I started writing!) is not binding on the court but often predicts the likely result :

Advocate General’s Opinion in Joined Cases C-236/08, C-237/08 and C-238/08
Google France & Google Inc. v Louis Vuitton Malletier, Google France v Viaticum & Luteciel and Google France v CNRRH, Pierre-Alexis Thonet, Bruno Raboin & Tiger, franchisée Unicis

"..Mr. Poiares Maduro also rejects the notion that Google's actual or potential contribution to a trade mark infringement by a third party should constitute an infringement in itself. He opines that instead of being able to prevent, through trade mark protection, any possible use – including many lawful and even desirable uses –, trade mark owners would have to point to specific instances giving rise to Google’s liability in the context of illegal damage to their trade marks. [bold added]

In this context, the Advocate General finds that both Google's search engine and AdWords constitute information society services. He adds that service providers seeking to benefit from a liability exemption under the E-Commerce Directive should remain neutral as regards the information they carry or host.[bold added]

However, whilst the search engine is a neutral information vehicle applying objective criteria in order to generate the most relevant sites to the keywords entered, that is not the case with Adwords where Google has a direct pecuniary interest in internet users clicking on the ads' links.

Accordingly, the liability exemption for hosts provided for in the E-Commerce Directive should not apply to the content featured in AdWords."

Pangloss Sez: Wow that is interesting. So, it seems we have a clear and defiant rejection of the content industry-lead idea that IP holders can command online intermediaries - or just search engines? - to undertake prior blanket filtering to prevent alleged infringement of their rights. The context of AdWords is very different from that of Viacom v YouTube (for example) of course, but does this point to how we may see an upcoming ECJ reference panning out on liability of web 2.0 sites, like eBay, and in particular, whether they can be compelled by the likes of LVM to proactively filter out content, rather than run, as now, on a post factum notice and take down paradigm? See discusion of conflicting cases in US, Continental Europe and recently England on this controversial point, here.

On the other hand we also have a clear steer from the AG that where ISSPs like Google make money out of their "neutral" activities in hosting or linking to content by monetising them via connected advertising, they remain ISSPs but nonetheless become fair game for liability, and are no longer "neutral intermediaries". Would this mean that YouTube, who perhaps occasionally host IP infringing user generated content :-) and monetise this hosting via ads, could be commandedby a court to filter proactively, as opposed to simply wait for NTD; while, par contraire, eBay, who also sometimes host infringing content, but make their money from unconnected user commissions, not ads, would not be so susceptible and could continue to depend on expedient NTD to retain immunity?

Oh this is going to be fun :-)

France v eBay, part deux & the future of online intermediary immunity

France continues to be an entertaining source of Internet law. The Guardian reports (13 May 2009) that

"The world's largest online auctioneer, eBay, was today claiming a "victory for consumers" after a court in Paris ruled that it was not liable for counterfeit L'Oreal perfumes for sale on its website.

The perfume and cosmetics company has taken legal action against eBay in four other countries, but today's ruling is a major victory in France for eBay, which was fined €38.6million (£34.7million) in a similar case against the luxury goods manufacturer LVMH (Moet Hennessy Louis Vuitton) group and €20,000 against Hermès. The ruling reflects a Belgian court's decision last August, and a ruling is expected shortly on a similar case being brought in the UK.

L'Oreal has claimed that the eBay website profits from the sale of fake products and that brand owners are expected to help police online auctions. The cosmetics company told the hearing in Paris it believed that as many as 60% of the perfumes sold on eBay under its luxury brand names were fakes.

But the court ruled that eBay was meeting its obligations to combat the sale of fake products, and urged the companies to use mediation to develop a plan which would enable them to work together on the issue."

This is fascinating as yet another example of how completely the hosting immunity provisions of Art 14 of the EC E-Commerce Directive are failing to be interepreted in a harmonised manner across Europe. As the Guardian report notes, only a few months ago we saw a completely opposite ruling emerging from the French courts, which are regarded as the toughest courts in Europe on intermediaries "assisting" in IP violation (see eg previous DailyMotion and MySpace cases).

The problem is also not only about IP; in Italy, Google is being sued for allowing the posting of defamatory videos on its site, while in France also, several cases have held user-generated content sites liable for posting of private photos. Only in the UK, of the large commercial EU countries, are we yet to see a case holding a major web 2.0 intermediary liable in respect of user generated content.

The immunity provisions of the ECD in Arts 12-15 desperately need reviewed and reformed, yet the Comnmission shows no signs of wishing to initiate such a process. Pangloss, suprise, suprise, is currently rewriting her chapter on this whole area for Law and the Internet 3rd edn. My provisional conclusions are that a bright line of no liability on intermediaries for content provided by third party content providers, unless or until notice is given to take down (as in Art 14) can no longer be sustained.

We are seeing instead a move towards a new system, by court if not legislative creation, which

• uncouples the current horizontal scheme of immunities to reflect the very different pressures in the fields of , notably, copyright and pornographic material, as opposed to defamatory or private material
• recognises the increased demands both of IP rightsholders and law enforcement agencies for pre emptive filtering rather than ex ante takedown, possibly by taking advantage of the ECD's exemption of injunctive relief from the immunity provisions
• responds to the increased blurring between the notions of "intermediary" and "content provider", especially in the world of web 2.0 intermediaries such as eBay and YouTube etc, by removing immunity from such hybrid intermediaries, or imposing extra obligations
  
• in particular, relies heavily on looking at what financial gain an intermediary makes from hosting or linking activities, thus moving to a far more case by case assessment of immunity, which will be difficult to predct for intermediaries and hard to implement in automated take down or filtering systems
  
• finally, regulatory intervention may be needed to bolster public interest values like freedom of speech and privacy against defensive or industry-required take down, monitoring and/ or filtering by intermediaries.
  

Pirate Bay climbs aboard Google!

Well, kinda.

As Boing-Boing says:

"When The Pirate Bay was ordered shut down by the Swedish courts because it linked to infringing torrents on the Internet, many people pointed out that Google links to whole mountains' -- whole planets' -- worth of infringing stuff. Now, to make the point, comes The Pirate Google, a Google mashup that finds torrent files:"

The Pirate Google (via Everything is Miscellaneous).

Pangloss sez: clever stuff. What it emphasises is how much is in the signals about intention that emerge about a site. The Pirate Bay case was a foregone conclusion, in practice if not in law, once it became apparent the defendants were not actually anarchic hippies but clever people making a living from the advertising on the site AND had had the audacity for several years to ignore and mock the recod industry's efforts to stop them connecting to torrent files, and generally made it plain they had no respect for the law of copyright.

Google, on the other hand, has consistently shown a willingness to be a business partner who stands by the rule of law. It is certainly trying to shift the law of copyright into channels more appropriate for the 21st century (essentially getting the rightsholders to opt into copyright protection, not out (see Google Library passim) and take some share of the work involved in getting copyright monetised (see the still running Viacom/You Tube debate) ) - but both of these strategies show an intelligence about how copyright could still operate successfully in a digitused world, rather than an intent to destroy the revenues of the content providers per se. In fact one might dare to say , it shows more intelligence than most the content providers themselves have:)

And incidentally for those out there who have decided Google is just as "evil" as the Pirate Bay or before it Napster or KaZaa , consider that exactly the same mash up trick could have been dome , sans the actual search engine, with any big news site , like the BBC; they have all had multiple links to the Pirate Bay and other torrent and P2P sites over the years.

Wonder if anyone will try to get the "Google" Pirate Bay site taken down, especially in Sweden? Now that would be interesting..

Also from various places: The judge in the case seems to have ties to the copyright industry. The lawyer for one of the defendants is calling for a new trial. Will this really happen? Pangloss doubts it, but watch this space..

Google times are here again

Pangloss has found (via Google, how else!?) a rather interesting blog called http://blogoscoped.com/.

It contains a little gem called Google Robot which certainly makes you wonder just how sensible our current legal interpretations of the Google spider are.

"Frequently Asked Questions

Last update: November 1st, 2030

What are Google Robots?

Google Robots are our human-like machines that walk the earth to record information. They do no harm, and they do not invade your privacy.

What are Google Robots good for?

Our Google Life search website is powered by the Google Robot crawler program. On the Google Life website at life.google.com, you can:

• Find out what menus the local restaurant offers at what prices
• See a perfect 3D shape of all houses in your city
• Know how crowded the bar is you want to go to tonight
• Know what items to find at your local mall
• Find out if your library has a certain book available (Also see: What's a book?)
• Know what you said and who you met 3 weeks ago (this feature is available only to My Public Life™ subscribers)
• Locate your friends (this feature is only available if your friends subscribed to My Public Life™)
• And much more!

I saw a Google Robot entering a library and reading books in it. Is that legal?

Our Google Robots do not record private information. As the books in a library are considered to be public, our Google Robots reserve the right to scan them. However, we do respect the copyright of individual works, and will only show a "fair use" portion on our website." "

Another story off this site is that the German Federal Department for Media Harmful to Young Persons has put a pro anorexia blog hosted on Google’s Blogspot on the index of youth-harming media. It is already well known that Google censors its search in countries like Germany and France according to local laws which prohibit spech often legal in other states (such as the USA). The interest for Pangloss is that this follows on from the news that Germany's Communications Minister is pushing for a UK IWF-style Cleanfeed system. (So is Belgium - bad week for free speech huh - oh and Romania. ) If the German scheme transpires, would URLs like this go on to it? That is pushing censorship past child porn, and an exact example of what I'm worrying about in the upcoming pornography chapter from Law and the Internet (3rd edn ) I quoted earlier.

John Ozimek of the Register whose coverage has lately been excellent, says "Undoubtedly, 2009 is going to be the year of the internet filter." Hmm.

DP law and search engines

There is a truely remarkable amount happening right now on what one might very loosely call the "Web 2.0" privacy front. On top of the UK Byron report and the Ofcom report dealt with in last two posts to this blog, we also now have the EC Article 29 working party opinion on data protection issues related to search engines.

Very roughly, this report takes the long -expected, but not uncontroversial (especially if you're Google) stance that IP addresses are (mostly) personal data. This follows the view taken previously by the Art 29 WP in its WP 136 that"… unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side". Basically even dynamic IP addresses can be connected to particular users given the cooperation of log-keeping ISPs. As such potentially all IP addresses must be viewed as "personal data".

It also argues that:

- the Data Retention Directive (2006/24/EC) is clearly highlighted as not applicable to search engine providers. This is because Article 2 sub c of the Framework Directive (2002/21/EC), which contains some of
the general definitions for the regulatory framework over "electronic communications services", explicitly excludes services providing or exercising editorial control over content. Notably, earch engines both filter out illegal content, provide safe search, and respect no-robots text tags on sites, all functions search engines should continue to exercise.

Search engine providers must thus delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose they were collected for, and be capable of justifying retention and the longevity of cookies deployed at all times. The DRD is NOT an excuse to retain data for longer (as Google have previously claimed.) The WP recommended retention for no more than 6 months. Similarly, if search engine providers use cookies, their lifetime should be no longer than demonstrably necessary.

- the DPD does however clearly apply to search engines which deposit cookies on the machines of EU resident users, even if the search engine is based economically or physically outside the EU eg the USA. European data
protection law also applies to search engines in specific situations, for example if they offer a caching service or specialise in building profiles of individuals based in the EU.

- on DP law, search engines generally fail to say exactly for what purposes they gather personal data of users. If it is used for purposes users might not reasonably have anticipated eg building profiles of users for advertisers, the search industry may be breaking DP law.

The WP also considered the new so-called "people search engines " such as PIPL and Rapleaf, which draw on data from a wide range of sites, often including blogs and SNSs as well as the general Web, to form indexed profiles of individuals. Such profiling may both reveal unexpected data, and throw up misleading correlations, and some have already drawn adverse comment. The WP emphasised that these sites "must have a legitimate ground for processing, such as consent, and meet all other requirements of the Data Protection Directive, such as the obligation to guarantee the quality of data and fairness of processing."

Pangloss is pleased to see this issue adressed: it provides a compulsory legal basis for what is emerging as good industry practice, namely (a) email the data subject whose profile is published (b) allow them to remove or correct or make private the data published. Of course we still need to make sites not based in the EU take notice of EU law. Eventually, what we desprately need is a technical fix, namely better multiple identity control - roll on the research into distributed identity management.

IP Addresses are Personal Data - official

Brief but important note, via the Asociated Press: the EU Art 29 Working Party group working on privacy, DP and Internet search engines (notably Google) has issued an early press release.

"Germany's data protection commissioner, Peter Scharr, leads the EU group preparing a report on how well the privacy policies of Internet search engines operated by Google Inc., Yahoo Inc., Microsoft Corp. and others comply with EU privacy law.

He told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address "then it has to be regarded as personal data." "

Some may think this an obvious conclusion, but in fact a report on Personal Data commissioned by the UK ICO office a year or two back (and very sadly, no longer available on the ICO site) revealed considerable disparity on this across Europe; in many cases whether an IP adress was regarded as "identifying" depended on context, in the view of various Information Commissioners.

The significance is crucial; if IP addresses are personal data, then services which collect IP addresses but not actual names - as Google does when it collects search terms typed in by users from IP adresses - are still regulated by DP law.

Google's privacy chief Peter Fleischer has previously insisted IP addresses are should only be seen as personal data, if it is likely that a person can be identified from an IP address . (Despite this, Google recently caved in to EU pressure and reducing the duration of Google cookies from 30 years to 2 years.) He may now have to think again, at least in Europe. This should be no surprise however, as , as Fleischer himself admits, the ART 29 Working party gave the answer as far back as 2002, that if an IP address can be connected to a person (eg by the person's ISP), then it should be seen as personal data for all purposes, including use by other companies.

The UK's current law , by the way, is in Pangloss's opinion , rather nearer to Fleischer's interpretation than to Scharr's - see s 1 of the DPA 1998. So bad news may be coming not only for Google but for UK drafters and advisers.

Facebook and privacy returns

Facebook are opening up their site to being Google-searchable. Hark! I hear a million privacy activists screaming.

But wait - they're actually doing it RIGHT.

a. They're only allowing name and profile pictures to appear in search results - not all the rest which tends to include highly personal material.

b. everyone appears to be getting prominent notice IN ADVANCE that they can opt out of their info being released onto Google

c. most impressively, if like me (and I imagine rather rarely) you'd already opted to "hide" on facebook, ie, not be searchable by name in their listing, you are automatically opted out of the Google release.

This appeared at the top of my FB profile this morning:

"Facebook now enables anyone to search for Facebook users who have public search listings from our Welcome page. In a few weeks we will allow users to make these public search listings visible to search engines like Google. Public Search Listings only include names and profile pictures.

Because you have restricted your search privacy settings your public search listing will not be shown. If you want friends who are not yet on Facebook to be able to search for you by name, you can change your settings on the Search Privacy page.

No privacy rules are changing; if you do choose to make this public search listing available, anyone who discovers your public search listing must sign up and login to contact you via Facebook. "

This strikes me as for once a good example of how privacy on line in web 2.0 ought to be handled - congrats to FB.

You could argue that a site like FB should not open itself to Google at all (in the interests of default privacy, etc etc) but the fact is that sites like Spock.com are already begining to scrape social networking sites like FB and make the data they contain searchable with no user opt-out or notice, and dubious supervision - so this at least pre-empts such attention, and gives the user some control.

It's also interesting that this is a case of the market dovetailing with privacy-enhancing code. FB WANT you to sign up for FB and go to their site to read that highly personal stuff - not read it on Google away from their adverts and apps (or on Spock.com).

LiveJournal, by comparison, an open source blogging site normally regarded as fairly privacy conscious, don't care (much) about ads (they make money from paid subs and are run by volunteers), so they also don't stop you allowing spiders to grab your whole blog. User choice prevails and as we all know by now, user choice when the default is no privacy, usually means disclosure by inertia. (You can opt out of spiders on LJ too, of course - but the option is distinctly not that obvious.)

Google Pot Shots

As has been true for some time, it seems to be open season on Google. With great innovation, comes great.. um.. legal liability? Here's a very quick round up..

OUT-LAW restrainedly report "Google's Street View could be unlawful in Europe".

"Well, you can't say fairer than that " said an unamed source at Google..

The question here seems to be whether you view Google Street View as more like looking at the world with your own eyes, say from the top of a double decker bus (unconditionally legal) or as more like CCTV (regulated, at least in the EU, by DP law, and also by some case law of the ECHR, such as Peck). AS OUT-LAW note, if the latter paradigm is applied, then Google need to give adequate notice that surveillance is in operation to anyone who might be caught on STreet View and identifiable a a living person. Will we see 40 feet high billboards over London announcing "YOu are now on Google Maps. Be very afraid."? It reminds Pangloss of the old suggestion that London streets should be painted with the squares of the London A-Z for easy navigation.. One way out of this not identified by the otherwise excellent Struan Robertson, is the Durant v FSA get-out - it might be argued that no particular person is the focus of the attention of Google Street View and therefore no particular person has DP rights. Of course, Durant may not last forever:-)

More seriously, Google's privacy practice is apparently worse than Microsoft's. Yes, really Jemima - at least according to the much respected Privacy International, who surveyed a variety of Internet businesses. Results:

Privacy-friendly and privacy-enhancing. Nobody...

Generally privacy-aware: BBC, Ebay, last.fm, LiveJournal, Wikipedia

Notable lapses of privacy: Amazon, Bebo, Friendster, Linkedin, Myspace, Skype

Serious Lapses: Microsoft, OrKut, Xanga, YouTube

Substantial Threat to privacy: AOL, Apple, Facebook, Hi5, Reunion.com, Windows LiveSpaces, Yahoo

Hostile to privacy, comprehensive consumer surveillance: Google

Not everyone is convinced - see rebuttal at http://searchengineland.com/070610-100246.php .

(With thanks to Pete Fenelon for tip off.)

Google faces EU Regulation?

FInally today (honest), the Art 29 WP has issued a significant letter criticising Google's privacy protection of personal data. Google is now to be the subject of an Art 29 report.

Google's recent olive branch of increasing privacy protection by anonymising server logs older than 18-24 months old is dismissed as insufficient data minimisation for EU law. In particular the 30 year duration of a Google cookie (!) is mentioned as disproportionate.

Interesting to compare our cousins over the pond.. where this blogger is suggesting that Google can be seen as the Transparent Society in action. Since everyone, including commerce and the state already collects far more data about us than we know of or can control, isn't a way to fight back to have all that data openly available to everyone not just the state - as collected by a private and semi neutral organisation, ie Google?

"On the one side is that massive data integration by the State - and if you think you'll see much data from that, you'll be waiting a long time. On the flip side all the other data, just put out there for people to use. The State's default mode is to hide everything, Google's is to put it out there for everyone to use.

I know which society I'd prefer to live in."

I don't agree, at all, but it's an interesting angle. Especially in the age of the shadow of the ID database..

Back at market regulation, Web 2.0 is already beginning to provide us with companies whose business model is to allow you to track down what data people hold about you (a right you have in law under DP but how the hell do you do it in aggregate in practice) - try looking at Garlik for example.

ps More from the Beeb on this with an emphasis on Google's recent acquisition of DoubleClick.