Tuesday, July 15, 2014

Open letter on data retention and investigatory powers Bill ("DRIP") from UK privacy law academics

Tuesday 15th July 2014
To all Members of Parliament,
Re: An open letter from UK internet law academic experts
On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.
In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.
On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to:
  • compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
  • compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
  • compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6));
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).
The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.
Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU's e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.
Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.
DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not misled as to what powers this Bill truly contains.
Dr Subhajit Basu, University of Leeds
Dr Paul Bernal, University of East Anglia
Professor Ian Brown, Oxford University
Ray Corrigan, The Open University
Professor Lilian Edwards, University of Strathclyde
Dr Theodore Konstadinides, University of Surrey
Professor Chris Marsden, University of Sussex
Dr Karen Mc Cullagh, University of East Anglia
Dr. Daithí Mac Síthigh, Newcastle University
Professor David Mead, University of East Anglia
Professor Andrew Murray, London School of Economics
Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge
Professor Burkhard Schafer, University of Edinburgh
Professor Lorna Woods, University of Essex

Friday, May 30, 2014

Google remembers, after only two weeks

Google has implemented the "right to be forgotten" imposed by Google Spain on 13 May 2014. At slightly over two weeks for a response, this puts most actual governments to shame :-) Having failed totally to comment on the original document due to overwork swamp, I'll say a few things about the response.

The form allows EU users to ask search engines to remove results for queries that include their name where those results are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”

This is clearly narrower than the full scope of the right granted by the judgment.

"As regards Article 12(b) of Directive 95/46, the application of which is subject to the condition that the processing of personal data be incompatible with the directive, it should be recalled that, as has been noted in paragraph 72 of the present judgment, such incompatibility may result not only from the fact that such data are inaccurate but, in particular, also from the fact that they are inadequate, irrelevant or excessive in relation to the purposes of the processing, that they are not kept up to date, or that they are kept for longer than is necessary unless they are required to be kept for historical, statistical or scientific purposes." [emphasis added][italics added][para 92]
Only the parts of the judgment in italics above have currently been implemented. It is strange that the form does not specify "inaccuracy" as a ground, since it is clearly signposted by the judgment, though it was not true in the actual case of Mr Costeja Gonzalez.

Art 12(b) actually specifies that rectification, erasure or blocking can be obtained, inter alia, if data is "incomplete or inaccurate" (the word "incomplete" is not cited by the ECJ) and more generally, as noted above, if it is "incompatible with the Directive".

What does this mean?
I would argue these are all possible claims to Google to ask to have links removed:

  • a celebrity who has changed their image since a picture was put online ("inaccurate")
  • a celebrity who has not changed their image but for whom the picture is unflattering in relation to the whole corpus of their online photos, eg taken from a bad angle or on a bad hair day ("incomplete")
  • a celebrity who at one point contractually agreed to have pictures taken and posted but who has now changed their mind about their dissemination on the Internet (after having been paid in full?). Because they have withdrawn consent as a ground for processing, processing is now "incompatible with the Directive"

In short Google are, perhaps, currently (understandably) attempting to dodge the bullet of implementing a full blown EU image right (for countries many of which have no such thing, or not in clear statutory terms) by dressing up their offering with the language of history, reputation and freedom of expression. One can understand why. There will be many other edge cases to come.

The form itself is mainly pretty sane. A few points are worth pointing out:

  • they are choosing not to roll the right out to non-EU citizens. I thought there was a chance that, in the interests of harmonisation/efficiency, they might have done. Since Google is a private company not the government, my view is this would have simply been a private choice, not a breach in any way of the First Amendment, and so viable (see CyberPromotions v AOL, waaay back in 1996, though have we had the judicial discussion since as to whether Google is more like a "traditional public forum" now than AOL was?) That would have been unlikely given the likely shrieks of tarnishing of free speech in the US but would have made the process of identifying an EU citizen unnecessary (see below) and would have been extremely fun to watch :) (Plus, recall that California is rolling out the right to be forgotten to minors anyway from 2015 - though whether this survives Constitutional challenge is also as yet unclear.) Wouldn't Google have got lots of brownie points for offering US citizens extra privacy rights in the post-Snowden backlash era? Or would the civil rights lobby for speech make their lives not worth living? Maybe one to watch for the future if the EU experience pans out well?

  • they are choosing to (they say) do an initial assessment in-house of privacy claim vs public interest in freedom of expression and historical record. 

"When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials."

Again I thought they might choose the path of least resistance, which would have been simple take down on request, and wait for someone else to complain and then demand adjudication to put back, as with DMCA take downs, but no. The problem of course with applying the DMCA "put back" model to the right to be forgotten is that here there is no-one who has a clear agenda (or funding) to oppose take down. As I noted on Twitter, with privacy even in Europe there is no relevant organisation: the role of the DP authority is to protect privacy rights, not freedom of speech, and they have no training or aptitude, or, again, funding, to take on a kind of historical assessment or investigatory role.

  • Identification of claimant was going to be the toughest one. The routes chosen are the obvious ones and can of course be easily faked but should mainly do the job; choosing a digital signature would have been v onerous. Will we see US citizens faking up EU credentials to get stuff removed? Of course in most cases Google's own database would provide the evidence of the true national identity (needed of course to serve the right ads, and in the right language) - but will they set their investigatory algorithms up to find this out? Probably.

We don't have any indication how many people will be in the evaluation team, how far the investigation will be done solely by automated means (maybe) and if the results will go in the Transparency Report (probably).

Fun times ahead!

Friday, April 04, 2014

Can You Criticise Your Boss on Twitter and Keep your Job?

I was interviewed yesterday by the Metro free newspaper on this point, following the online protest tweets by many Mozilla employees in the US that they did not want a boss who had donated money to an anti-gay marriage fighting fund. In the US, where freedom of speech is prized, employees not only successfully ousted their new boss, but kept their jobs. In the UK, it might have gone the other way, with misconduct proceedings or dismissal not impossible! The Metro were keen on me making a blanket statement that you either were or weren't sacked if you dissed your boss online but Pangloss was not so foolish. Instead I advised users out there not to vent about their work on open to air Twitter accounts but to save it for Friends locked Facebook, and if possible, to make sure you trusted everyone on that Friends list (including fellow workers who might clipe on you – or move them to a special no-read-work-stuff list).

Think about putting a disclaimer on your Twitter account that your tweets are not those of your employers, and even then, if possible avoid defamation, racist or hate speech or harassment, especially of co-workers. Remember the fate of the specially appointed 17 year old youth Police Commissioner who lost her £15K a year job when the press started looking at her racist tweets! (Pangloss herself just went and guiltily put a long overdue disclaimer on her public Twitter feed @lilianedwards, to which co-writer Dr Ian Brown of the OII said, what, would ANYONE EVAH think I represent the views of the University of Oxford? Only the employment tribunals, I replied.)

 For employers, be absolutely sure to have a fair and balanced Acceptable Use of Social Media policy in place; courts have already refused to back the sacking of a housing trust manager who made derogatory comments about gay marriage (again! Just avoid the topic online perhaps) when the in-house policy did not clearly tell him not to do this. Blanket policies forbidding all use of social media are also likely to be disregarded by the courts, since they ignore fundamental rights of freedom of expression and private life. Some professions have particular difficulties about giving away details of the job on Twitter or FB - try looking at ACPO's heavyweight guidance on use of social media for the police, for example.

Pangloss coincidentally had been writing (as usual) an overlong tome with @mooseabyte on police surveillance of social media when the Metro rang, and it has certainly opened her already jaundiced eyes. Absolutely everyone using public social media should always be aware that while it may feel like only you and your mates care about what you had for breakfast, in fact 100s if not 1000s of people may be listening to, monitoring and data mining you – including not only those who pay per tweet to attach the Twitter data firehose to their Hadoop servers, but, increasingly, the police. SOCMINT - social media intelligence - is the shiniest thing on the block and as yet the general consensus seems to be that anything that is said on unlocked social media, however small the intended audience, is fair game for the Old Bill. In fact the legal situation is a bit more uncertain, with recent ECHR case law pointing to the existence of a reasonable expectation of privacy even in public spaces - which seems to apply by extension to things said or done on public social media. A rather more nuanced treatment of the subject can be found in the recent Demos report on how police may sometimes need covert surveillance authorisation - eg when constructing fake profiles to gain access to locked profiles on Facebook - but for an even more critical perspective, await Lachlan and my paper at the SSN Conf in sunny Barcelona!

Thursday, September 26, 2013

GikII in New Scientist! and went to the beach!

New Scientist, the leading UK magazine on science and technology, recently covered GikII, the world’s first law, technology and popular culture workshop, which has run annually for 8 years and is chaired by Professor Pangloss, ie Lilian Edwards of Strathclyde’s Centre for Internet Law and Policy. The New Scientist piece (behind a paywall, but extract available here) covers questions raised at GikII such as whether a robot can libel you and what the legal and societal effects of teleportation might be, and reports in detail ongoing research by Lachlan Urquhart, now a PhD candidate at Nottingham co-supervised from CILP, into legal regulation of drones, as well as asking if in the future lawyers will be replaced by computers. Thankfully, the article concludes this is unlikely to happen any time soon!

Meanwhile, the most recent GikII, in Bournemouth in September 2013, failed to provide the much looked forward to sun, but there was sea, sand and salty deep fried objects to die for, as well as the usual intellectual frolics. I finally gave the paper "Slave to the Algo-Rhythm" I'd been mulling on for what seems like years on Google, algorithms, competition, libel and data protection (only a week after reading a piece by Ute Kohl in IJLIT which does it all much better. Go thou and read it.)

Other papers I really enjoyed this year included newbie Andy Phippen's rant, sorry, treatise on why wi-fi filters in Starbucks are not really the best way to "think of the children"; Anna Ronkainen on whether it's better to print human organs in animals, via stem cells or just using lego, sticky back plastic and a 3d printer (I paraphrase, but not much); Andelka Phillips (also a newbie) on DIY genetic testing by email (the consumer protection issues! trading standards will not know what has hit it - my mind reeled); Heather Bradshaw-Martin (ditto, and also Oxford) on the ethics of driverless cars (how would a Kantian car deal with the trolley problem? a Hegelian car?); Lachlan Urquhart on the persistence of memory in a synchronic society (featuring "spimes", a word whose time has surely come); Chris Marsden on telegraphs, TEMPORA, the decline of the British Empire, Russian cablecutters, and something about silkworms and zemblanity (oh don't even ask). And it was marvellous to have Technollama back in the fold.

Despite strong competition from Andres however, the winner of the Daithi MacSithigh Memorial Prize for Most Amusing Powerpoint (come back Daithi all is forgiven!) was Paul Bernal for combining privacy, autonomy and Disney Princesses - congrats Paul!

In short it was a vintage GikII. Next year you should all come!

Tuesday, July 30, 2013

What are the police for? Twitter, abuse and reporting buttons

Like most UK women of any sense, my first reaction on reading some of the vicious threats of rape tweeted at the likes of Caroline Criado Perez and Stella Creasy was a heartfelt desire to track down the perpetrators myself and slowly castrate them. In the real world however, such an approach is nearly as impractical as the suggestion by Andy Trotter, head of social media for the police, that Twitter sort itself out using its magic technology powers, so the police can go back to more important stuff.

"We want social media companies to take steps to stop this happening. It's on their platforms this is occurring. They must accept responsibility for what's happening on their platforms," said Trotter, chair of the Association of Chief Police Officers (Acpo) communications advisory group.
"They can't just set it up and walk away. We don't want to be in this arena. They are ingenious people, it can't be beyond their wit to stop these crimes, particularly those particularly serious allegations we have heard of over the weekend."

What exactly do we have police for, then, if not to investigate specific, repeated and documented crimes? Giving up on policing Twitter is no more defensible than abandoning  a town like, say, Walthamstow to the criminal elements.

For a senior policeman, Mr Trotter also seems sadly ignorant of the law. Even leaving aside the issue of threat of rape as a common law crime, which might involve some difficult issues of sufficiently proving intention (though not many), the Protection Against Harassment Act 1997, especially s 4(1) makes it very clear that two attempts to "cause another to fear that violence will be used against him [sic] " form a course of conduct which is a crime. In the Perez and Creasy cases there are apparently hundreds of such threatening tweets, many retweeted or screencapped.

It is impossible to understand how police who went ahead with investigating cases which involved poorly framed jokes on Twitter can now say they do not have the money to take on genuine, vicious and entirely humorless threats of rape. It seems much more likely that they fear they do not have the technical ability to understand how to police the Net, or the resources, and are terrified, and also worried that having destroyed their credibility on the Net once (see below), things can only get worse. But in that case the remedy is to acquire expertise, not to retreat to a pre 1996 position of declaring the social Internet terra incognita where elephantine trolls roam.

The police want to offload the responsibility in its entirety - and the cost - on to Twitter. But what exactly can Twitter do, even with the much demanded "Report Abuse" button, which they are now rolling out faster than planned? It can close accounts, but the trolls will simply open new ones, which can rarely be traced to their predecessor, as consumer Internet access uses different IP addresses every time, so IP blocking will merely remove some poor innocent from Twitter.

Blocking tweets with the word rape in them (or similar) will also block millions of innocent tweets, many by the very women embroiled in this debate. Blocking algorithms are not some magic Harry Potter-like ward-spell, able to discern the evil in the hearts of men from 140 characters. Spam, for example, is relatively well blocked because it, and the bot accounts from which it comes, have certain very obvious characteristics which can be easily made into automated filters: repeated words and URLs, accounts which have arisen very recently and have no or few followers. This is not true of the very wide range of abusive tweets. Machines don't understand natural language very well, let alone legalities like intention. And even counting abuse reports is likely to be used against the very women who are currently asking for it to be brought in to protect them. And, finally, blocking threats of violence doesn't block those men, sometimes, actually carrying them out in real life. For this reason Twitter are right to still say that:

"Twitter will investigate every report received, but if something has gone beyond the point of a personal conflict and has turned into credible threats, whether it be online or offline, you should contact your local authorities as they are in the best position to assess the threat and intervene or assist as necessary. "

Finally, the police are not the only ones at fault here. Over the last few days much of the media has seemed determined to pin the blame on Twitter alone - as an aside, could this be because Twitter is a danger to the failing industry that is broadsheet journalism? It is unclear - with the greatest respect to the women who have been through the mill in these cases - why they ever expected Twitter to be their main conduit to justice here. Twitter itself, even with its US free speech-oriented heritage, has never asserted these tweets were protected or defensible speech. But for the reasons cited above it cannot do much. And it certainly cannot prosecute, caution, fine or jail.

So reports of real, serious online crimes, both in practice and on principle, should be made to the police who can investigate, prosecute and secure exemplar prosecutions - not left to private and erratic justice. The police have lost credibility on the Internet due to their bad handling of the Twitter joke trials and similar - now is their time to regain the trust of the online public, not to abandon them. Jane Fae sensibly suggests that Twitter implement the Report Abuse button to go straight to the police, as well as Twitter. This is a good idea, though Mr Trotter will not like it much.

But in the end the solution to all this is not the magic technology wand, nor, much, police crackdowns on the limitless swell of semi-anonymous trolls. It is to create a less misogynistic society where it does not occur to men, even a small minority of men, to try to silence uppity women by making vile threats to them, comforted and applauded by their bully boys supporters club. There are all kinds of issues here that need debated much more than a tweak to Twitter's reporting system: lads' mags with tits out, non reporting of rape, prevalence of violent or objectified pornographic images of women (see last post!), education, the glass ceiling, the relative silencing of women and girls in many public meetings, in schools, on TV, as presenters on serious media if not beautiful enough, even the portrayal of Parliament itself as necessarily full of braying, rude and ill mannered men. It's not an easy problem to start to address but waiting for the technology magic bullet is not helping anyone.

NOTE: I wrote here, as someone will no doubt remind me, that the police should be careful not to stifle free speech on social media by hasty prosecutions using inappropriate laws which fail to correctly assess the norms of debate of the online world. There is no contradiction here. A tasteless but hasty one-off tweet to the world (say) that British soldiers “should die and go to hell” is not hard to distinguish from a pattern of repeated specific and violent threats targeted at a particular woman. In the first the debate is about individual freedom of speech and norms as to how we want discussion to be waged in public spaces, within a political context of discussion; in the second, the matter is of crime, violence, hate and fear, and in no way, in my view, having seen sample tweets retweeted, about debate, or free speech.

The recently released DPP's Social Media Guidelines recognise exactly this distinction and give clear instructions as to the prosecution of "credible threats of violence to the person or damage to property".

Tuesday, July 23, 2013

The Death of Data Protection

While I'm reviving Pangloss, people might be interested to take a look at a work-in-progress lecture I gave recently at the University of Goettingen in Germany on "The Death of Data Protection", exploring ideas drawn from the failure of consent online; the rise of ubiquitous computing; and the rise of Big Data. The video of the presentation (c 1 hour) is now online here, as well as on the university's YouTube channel here. Comments welcome as this is fast becoming the central part of my upcoming (ha) book on European privacy law.


(NB above not = my book!)

The full slideset is available on Slideshare: http://www.slideshare.net/lilianed/the-death-of-data-protection