Wednesday, 6 May 2009

Gordon Brown's been "Jim Hackered"

On a topic entirely unrelated to privacy, Matron wonders if she is the only one who thinks that Gordon Brown has been completely "Jim Hackered" by Joanna Lumley on the Gurkha issue. Watch this video of the statement she gave after her meeting with the Prime Minister today and compare her strategy with that used by the famous TV Minster at the end of the "Big Brother" episode when he finally gets one over on Sir Humphrey. To quote young Bernard Woolley: "I'd say, 'Checkmate!'"

Friday, 1 May 2009

Principiis obsta et finem respice!

After a long conference and work induced absence, Matron's blogging reflexes were triggered today not by the big important developments of the day (RIPA and IMP consultations, ICO RAND report etc. - maybe more about those later, time permitting), but by a small news piece in the Guardian, which reports that a Brazilian MP has just proposed draft legislation that would force Rio de Janeiro's state government to publish an online list of all HIV carriers. The reasoning behind this proposal is, apparently, a wish to protect medical staff and other citizens from contamination.

It reminded Matron of an ongoing discussion she has with the inimitable Lilian Edwards (currently a pleased-as-punch and fully paid-up member of the "hydra-headed gang of online privacy pirates" whose purpose is to damage behavioural advertising company Phorm. But that, again, is another story.) about the merits - or not - of a general right of disclosure of other people's personal information on the internet. The discussion centred largely on such disclosures by individuals on social networking sites, so, obviously, this potentially state-sponsored Brazilian proposal would go far beyond that and raises a completely different set of issues. But Matron can't help wondering whether some of the same considerations do apply in this context as well.

If we do accept that individual privacy can be restricted to protect some other common good (like a perceived notion of public safety) or individual right (like freedom of speech, expression and opinion), what are the limits? Indeed, are there any limits or should we be able to expose everything about another person, strip them digitally naked so-to-speak, if it serves a justifiable purpose?

As she often does, Matron looks to the German Constitutional Court's for an answer. It's case law defines individual behaviour as falling into three separate "spheres": the public, the private and the intimate sphere. Interference with an individual's privacy in the interest of competing rights is permitted, subject to certain limitations like necessity and proportionality, in the public and the private sphere, but not in the intimate sphere. The Court recognises that in relation to each individual there exists a "core area" of privacy - arising from individuals' human dignity and their right to self-determination and self-development - that must not be touched or interfered with by anyone for any purpose, however well-meaning.

In this day and age, it's a controversial concept with security-conscious state protectors on the one side and freedom of speech advocates armed with "floodgate" arguments on the other, both questioning its legitimacy.

But can there really be a right to information about another individual - and a right to spreading that information - in the same way as there should be a right to information - both collecting and disclosing it - about the activities of governments and public authorities (the latter, of course, being the notions that underpin Freedom of Information legislation and the right to the freedom of the press)?

But governments supposedly work for us and the transparency and accountability that are the ultimate objective of these rights of information gathering and disclosure are necessary to even out the unequal power relationship between the state and the individual. They are part of the system of checks and balances that is meant to stabilise our democratic political system.

Can the same really be said about our relationship with other individuals and can there be a right to gather and disclose information about our friends, acquaintances, enemies as well as people we barely know or don't know at all? Again, what would be the limits of such a right? Indeed, is there, should there be, a limit at all? Where does citizen journalism end and -seemingly inconsequential but potentially damaging - gossip begin? And what new power relationships - some open, some hidden from view - are we creating or re-creating in this brave new online world?

So resist the beginnings and consider the end. Or should it be the other way around?

Friday, 27 March 2009

Of geeks and men

Matron just returned from a few days in Athens where she attended the inaugural WebSci'09 conference. For the blissfully ignorant, web science is the latest project of WWW Godfather Tim Berners-Lee and the newly made up Dame Prof. Wendy Hall (yes, this really is the correct title, there's nothing like a dame, as we all know). A few years ago, they got together to create the Web Science Research Initiative (WSRI - apparently pronounced Woozri according to Dame Wendy) with a view to bring several research areas together to form a new academic discipline.

Matron was warned before she travelled that she would meet some hardcore geeks there. Real geeks that is, not like the ones she normally meets who are actually interested in things like law and policy and society and stuff. And indeed, the place was packed to the rafters with creatures who quite clearly may not be able to survive in bright sunlight. But very interesting it was too.

Now, Matron is not sure herself if "a new new discipline was born" in Athens as Dame Wendy apparently claimed during her closing address (Matron could be wrong about the attribution of that statement as by then she was already back in her hotel room, all conferenced out). But the interdisciplinary opportunities are certainly worth pursuing.

What was almost touching, though, was the way in which the hardcore geeks were going about discovering as "new" a number of subjects (privacy for a start) that have been discussed by social scientists, Internet lawyers et al. for more than a decade. Apparently, "web science" is all about the way in which the existence of the web affects society as a whole, as individuals live more and more of their life online. Matron wants to be neither patronising nor scathing, but it seems to her that that particular wheel may already have been invented. Or at the very least been designed in some detail. Nonetheless, the more the merrier. And as the general consensus among tech lawyers and social scientists seems to be that we need computer scientist to think about the issues close to our hearts ab initio, that is when they first inventi new technologies rather than as an afterthought (see, for example, in the area of privacy-enhancing technologies), any cross-fertilisation between disciplines has to be a good thing. So here's to the success of the project - plus Athens certainly was a very nice place to wet the babies head.

Sunday, 15 March 2009

Geeks of the world, rejoice!

On a much more cheerful note, Matron was very happy to see that the announcement for this year's GikII conference finally went up this week. For the uninitiated, GikII is a conference on the intersections between law, technology and popular culture. It is now in it's forth year and very rightly so, as it is - in the oft quoted words of a regular attendee - "like a normal conference, just without the boring papers".

It has become so popular in the legal geek community that it will also be transported to the Southern Hemisphere this summer: SoGikII will take place ("in a beach hut in Sydney" according to some of its organisers) on 9 June. What's not to love about that prospect? Matron, who has not been able to find the small pot of gold at the end of the rainbow that it would take to fly her to Oz and back is very, very jealous of those who will attend. But then the fact that Northern GikII will take place in trendy Amsterdam this year (17/18 September) is some compensation.

So, in the words of GikII co-founder panGloss, get your geek on and respond to the Call for Papers for either Holland or Australia. The only rule is that "you must not be boring", because, Toto, this ain't Kansas!

The hour draweth nigh...

Matron just looked at the calendar and noticed that today is the day when all EU member states must have fully implemented the Data Retention Directive into domestic law - "fully" in this context meaning transposition for internet data as well as for telephony data.

The UK has not yet made that deadline although transposition is probably imminent following the recent publication of the government's response to the relevant consultation (see Matron's previous post on the issue). The good news is that other countries are also still dragging their feet, many of them having waited for the recent ECJ decision in relation to the Ireland challenge (again, see Matron's previous rant on the decision) before deciding whether they should implement the Directive at all, given it's dubious human right credentials.

What with all the excitement, Matron isn't quite sure whether to be pleased or disappointed at a piece of news she picked up at a conference in Salzburg last month, namely that the Austrian government, so far a stern resister of data retention, has now invited the Ludwig Bolzmann Institute for Human Rights in Vienna under the leadership of Prof. Hannes Tretter to draft the Austrian law concerning the implementation of the directive. Now, Matron has had the good fortune to participate in a seminar hosted by Prof Tretter last year, and he did not seem to her to be the kind of chap who would take the human rights issues arising from these measures lightly. On the other hand, the fact that the Austrian government does now seriously consider transposition seems a bit of a drawback for civil rights campaigners.

In a press release (in German), the Institute confirms that it is itself doubtful about the compatibility of the directive with human rights and that it expects further legal actions to be brought in the future, both before the ECJ and the ECtHR. However, in view of the fact that these actions could take years to be resolved and that the member states' obligation to implement the directive continues to exist in the meantime, the Institute is restricted to pursuing a course of damage limitation while, at the same time, considering the potential consequences, both in domestic and EU law, of transposing a legal measure that may violate human rights.

So there may be a smidgen of light at the end of the tunnel, but it remains a very long tunnel!

Friday, 13 March 2009

Should some pigs be more equal than others?

The Guardian, among others, reports today that the BBC programme makers might have been breaching the Computer Misuse Act 1990 when they bought themselves a botnet on the internet as part of a programme showing how easy it is for criminals to use those botnets for sending spam or carrying out distributed denial of service attacks.

Well, duh! Of course it is. As Struan Robertson, editor of and legal director at solicitors Pinsent Masons explains, never mind the newly revised section 3 offence of "unauthorised access with intent to impair" (which is apparently what security firm Sophos wants to charge the BBC with). Using computers that form part of a botnet to send e-mails or website access requests without the owners' knowledge or consent is likely to fulfill the criteria of a plain-vanilla section 1 offence of unauthorised access. Section 1 requires no mens rea in excess of the knowledge that the access is unauthorised, knowledge which - presumably - the BBC hacks will have had.

But wait a minute, the BBC did it to do good, not bad. Apparently,

"...following its demonstration, it warned users that their PCs had been compromised, and it had closed down the botnet.

If the users pay attention and secure their PCs, they should be better off than if the BBC had not become involved."

That's alright then, case closed, all is well. Robertson again:

"The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security."

Hmm, that's all well and good and Matron is the last person to deny that there should maybe be room in the world for a bit of "benevolent" or "ethical" hacking. However, historically, the courts have taken a dim view of such arguments, most notably in the US, where Robert Lyttle, a member of hacker group The Deceptive Duo was jailed for four months in 2005 after he was convicted of hacking a number of US government websites , allegedly with the intention of highlighting security failures. OK, the fact that his partner-in-crime, Benjamin Stark, was also convicted of online credit card fraud makes pleas that they acted in the interest of online security, patriotism and world peace sound a wee bit hollow.

But the fact remains that hackers the world over have been been on notice for years, most notably since the adoption of the Cybercrime Convention, that the intention with with they gain unauthorised access to someone else's computer is neither here nor there. Which means, presumably, that the integrity of the computer system itself is seen as the protected good here and not a woolly notion of some abstract good or evil that will be achieved by hacking the system (a point, incidentally, which was made beautifully in a completely different context by the German Constitutional Court last year, when it created the new basic right of "security and confidentiality of information technology systems").

So, should we really have one law for the BBC and one for the rest of us? Matron wonders...

Wednesday, 11 March 2009

Hail the forces of light!

It is always a pleasure to agree with Tim Berners-Lee and the forces of light...

Google calling - again!

And while we're on the subject of Google, the BBC reported today that Google has become the latest provider to serve up behaviour-based advertising. Under its Adsense program, Google will serve ads based on the content of the sites users view. It will associate their browsers with certain "interest categories" based on behavioural data collected through a cookie it places in users' browsers. Cookies will be placed in the browsers of all Google and You Tube users from today unless the user opts-out. Advertisers will be able to start serving ads using the new system from April.

The move follows the publication of guidelines on behavioural advertising by the Internet Advertising Bureau which are supposed to ensure that such advertising does not breach individuals' right to privacy (see last week's report by Out-Law). Google as well as Microsoft Advertising, Yahoo! SARL and Phorm have all committed to following them. However, the guidelines have already been criticised by the good people at the Open Rights Group for the opt-out approach and the cookie technology.

"Any ‘opt out’ would be stored by a cookie. So each time a user deletes their cookies, or changes browser or machine, they have to opt out. This makes opting out a repeated procedure, such that which would make all but the most stubborn user simply give their consent. This is not how consent should work, and a system that ‘pesters’ users into opting in is in our view an illegitimate attempt to substitute acquiescence for consent, whereas nothing but consent is acceptable."

There have been lots of discussions about whether most users would prefer targeted advertising to the current "random" kind. The prospect of making - as Lilian Edwards called it at last year's GikIII conference - "every ad a wanted ad" seems tempting, but at what cost? Matron is fairly relaxed about being served with relevant advertising when using the internet. But she baulks at the mass of data that Google will collect in the process, the other purposes for which that data may be used and the people who might want to use it. If the data security breaches of the last two years have taught us anything, it is that the only way to prevent the abuse of large databases is to prevent those databases from being established in the first place.

On that note, this is how you opt-out of the Google Adsense cookie.

Can you see me now?

Matron, having long suspected that in less than ten years' time all children of this great country will be micro chipped, has pondered on more than one occasion what her own youth would have looked like if her dad had known at all times where she was (bleak is the answer to that, very bleak).

But as we all know, there will now be no need for invasive surgery due to the versatility of the GPS enabled mobile phone which is, of course, the ideal tracking device. And while we are blissfully becoming more and more dependent on the darn things, services have sprung up all over the country that allow others to track our whereabouts by triangulating our coordinates. As far as children are concerned, this has to be an almost fail safe method as no one over the age of 8 will want to be seen dead without a shiny high spec mobile device. So far, so 1984.

But at least, until now, a large number of people (including even some pesky parents) have not actually been all that aware of the tracking properties of their toys so that their potential for surveillance has not really been fully explored.

Enter the dragon, in the shape of Google Latitude, the latest offering of they who must not be evil. The service allows users to register their mobile phone number with Google, which will then track their location as they go about their daily business. Now while this may be a good things if one wants to be found after being buried by an avalanche, Matron thinks that the use Google envisages is decidedly a little creepy. Because Google wants you to use this as a social networking tool so that, as with other social networking applications, users can determine who will be able to follow their movements. Google's examples for people you may want to give that level of access to your life include the loving husband who can use it to see if his wife has left work yet (so that he knows when to start cooking dinner - very PC, if Matron may say so) and your friends who may want to check if you're in the neighbourhood at the moment, so that they can meet you for a beer.

Apart from the obvious privacy issues, Matron can't help thinking that this could make for a lot of very embarrassing incidents. It may just be her, but there are many situations where Matron does not really want to be found. Like last weekend, when she and her partner pretended to have a prior engagement to get out of having to attend a hen do. It was bad - and embarrassing enough that we then ran into the bride-to-be in a local shopping centre on the very night, but imagine that the bride could sit there and determine the location of everyone who had denied her invitation. With Google Latitude, the end of the little white lie could very well be nigh, with dire consequences for human interaction.

Of course, it could be argued, that you can always limit other people's access to the tracking function when you don't want to be found. But gosh, another thing to think about before leaving the house, when Matron is already at an age where she needs to check three times if she turned the gas off? Also, never mind that this could be a stalkers dream, there is such a thing as social pressure. If this takes off, not only will your "friends" bully you into allowing them access - so will your mother. Or, later in life, possibly your boss.

This scenario was not lost on a group of MPs who, according to The Register signed an Early Day Motion on Monday expressing their concern about the new service. Of course, early day motions being what they are, nothing will come of this. So, would it be presumptuous for Matron to suggest that this may be one the Information Commissioner should take a closer look at?

Tuesday, 10 March 2009

Just because we can - must we ?

After a fairly unproductive day (the reasons for which will become clear presently) Matron feels another rant of a technophobic nature coming on. The trigger is Twitter, apparently the latest craze in online communication sweeping the globe.

Now, Matron has so far resisted tweeting, largely - as her friends will confirm - because she is physically incapable of saying anything in 140 characters. But today her boss attended the FT Digital Media Conference (which was Twitter streamed, apparently) and suggested that the same should be done during an upcoming event that Matron co-organises.

Twittering an event - Matron has learned - means that the conference delegates post live tweets even as they listen to what the speakers have to say. Highly sophisticated and immensely useful for non-attendees, for sure, but Matron, who is a frequent speaker at conferences herself and already fights homicidal urges when she has to talk to a line-up of laptops while their owners are checking their e-mails, can't help thinking that we are loosing some valuable social skills in the process. Like the ability to show someone a minimum amount of professional courtesy.

But in order to be able to comment on an informed basis, Matron duly succumbed and today opened a Twitter account. Not to tweet, never fear, but see what it's all about by following the tweets of the ubiquitous Stephen Fry, famous technophile-in-chief, who probably did more to promote the service than even the site's owners.

Now, Matron is a great fan of Mr Fry, who is and always has been the thinking woman's crumpet. She likes his books, his films and TV series (including - much to her partner's chagrin -the fabulous QI), his readings of the Harry Potter books, which help her go to sleep every night, and his long rambling blessays (blog-essays) about nothing much in particular. So, by all accounts there could be worse impositions than reading his Twitter timeline. And fairly amusing it was too. It turns out that Stephen Fry is currently in New York after having spend a few weeks in Mexico to film. Just over an hour ago he has taken receipt of his new Kindle e-book reader, about which he is very excited and no doubt he will treat his followers to a detailed description and review of his latest gadget before the day is out.

Because he is Stephen Fry, he now has more than half a million of them (followers, that is, not e-book readers, although Matron won't vouch for the latter, given his level of geekness), all of whom presumably join Matron in her admiration of the man and like the fact that he shares so much about his daily life with them. He even regularly responds to their tweets making this a two-way conversation of a kind that ordinary humans do not often get the chance to have with a bona-fide celebrity.

But let us consider two points: first, in the case of lesser mortals (i.e. almost all people who are not Stephen Fry or Barack Obama), what is the point of much of the mindless drivel some people put on there? Matron can see the allure for your average extrovert of announcing to the world that they spent their Sunday afternoon putting up shelves, but who, in the name of Merlin, wants to read about it?

Secondly, and much as it pains her to admit it, it can't be much fun to actually BE AROUND Stephen Fry in the flesh when he is in one of his Twittering moods. Matron imagines it a bit like having lunch with the high octane city banker (a dying species, of course, but hey) who - instead of talking to his lunch date - constantly makes mobile phone calls to other people. "That's what the OFF button is there for, mate!"

Of course, like blogging, Twitter can be enourmously useful for distributing information around the globe in next to no time at all. It is well known that the plane crash landing in the Hudson River was first reported on Twitter. Citizen journalism at its best which, as was said at the FT Digital Media Conference apparently, it could render news organisations wholly redundant.

It can also be a force for good, again personified by Mr Fry, who blacked out his Twitter picture in support of the New Zealand Internet Blackout organised in protest against the notice and disconnection laws for the purpose of enforcing copyright infringments recently adopted by the New Zealand government.

So, Matron does not so much object to the technology and the way it is used per se, but to the effect it has on the life of the average twittering individual. In particular, she objects to the time-wasting properties of this and most other "killer apps". In the two hours she spent virtually following Mr. Fry across two continents, what else could she have done? Write that overdue learned article for a start. Or go out for a walk in that rare-as-hens-teeth English sunshine. Or call the friends that she vowed she would definitely call this week, or else. But she hasn't. Instead she was glued to the screen for yet a few hours more (and, of course, it is not lost on her that she has now wasted another hour or so with this rant) without really achieving all that much. Apart from teenagers, students and silver surfers, who has that sort of time?

During Matron's misspent youth, in the pre-modern, feminist world of the 1980s, the - only half-joking - answer to the question "Why do men pee standing up?" would be "Because they can!"

But just because we can - must we?

To good to be true?

A, so far unconfirmed, rumour is doing the rounds that the Ministry of Justice is about to drop the data-sharing provisions contained in the Coroners and Justice Bill.

The Register and the Telegraph both quote "a spokesman" for Jack Straw and even the ICO's website links to an article on the Yahoo news page. With so much coverage it's bound to be true, but Matron is with Simon Davies of Privacy International on this one. The leopard may be temporarily licking its wounds but it is unlikely to change its spots. So it will probably only be a matter of time until the data-sharing provisions reappear in a different form - possibly slightly more intelligently drafted.

But as Dumbledore remarks to Harry Potter when the latter voices his frustration over the fact that he may have only delayed, rather than prevented, Lord Voldemort's return to power:

"It will merely take someone else who is prepared to fight what seems a loosing battle next time - and if he is delayed again, and again, why, he may never return to power."

And on that note Matron recommends the excellent dissection of the Bill prepared by the worthy folks at PI as a little light bedtime reading in preparation for the next battle. Right on, right on!

Saturday, 21 February 2009

Of peer-reviews, checks and balances

Matron still isn't really ready to revisit the Telecoms Package, so by way of an appetizer, she's decided to veer off-topic for a moment. The trigger for today's musings is the exquisite grilling Jack Straw, the Secretary of State for Justice, received at the hands of the Joint Committee on Human Rights last month. Now the evidence given by the Right Honorable Member for Blackburn was interesting enough. Among other things, he talked about his widely publicised interview in the Daily Mail and the plans which had been announced in that context, including the appointment of a select committee to look into the need for a statutory framework for a UK privacy law (rather than leaving it up to the much maligned judiciary to interpret Art. 8 of the European Convention on Human Rights) and his unfinished project of a new Bill of Rights and Responsibilities.

However, Matron does not wish to talk about either of those plans today (in any case, letting her off the leash in relation to politicians' pronouncements on the Human Rights Act (HRA) is really not a good idea for anyone involved). Instead, she would like to share her impressions on the workings of the British constitutional system. For those of you not interested, feel free to go straight to the commercial...

Matron herself originates from a country with a strong written constitution, and the idea that that constitution - particularly the fundamental human rights contained in it - should be enforced by the courts against the politically motivated government of the day is second nature to her, part of her cultural make-up - one of those things that "go without saying". It is for this reason that Matron has always found it difficult to accept that the UK constitutional system largely seems to be based on a feeling of trust by the population in their elected officials that "they wouldn't do that". "That" being all the bad things an autocratic or totalitarian government might want to do - and has been shown to do in other countries - in the way of infringing its citizens' civil and human rights. Now, admittedly, this trust seems to be well founded in history and experience -after all Britain is one of the few European countries that has not gone through a period of political tyranny or dictatorship for at least a few centuries. But ask yourselves whether you really trust the average individual politician, and you see that the phenomenon of trust in them as a collective body at least merits thinking about. There is such widespread cynicism about individual politicians and their wheeler-dealing that nobody will even feign surprise at reports of inflated expense claims, lying to Parliament and the forging of official reports. The 1980's TV series "Yes Minister" was not only such a big success because of its writers and actors (although both were superb) but because people felt that it portrait fairly accurately the way in which the Whitehall and Westminster machineries work in practice. Even today, when a particularly juicy political scandal comes to light, it is difficult to not think back to a particular "Yes Minister" episode that targets just that sort of behaviour.

So, why is it, that if we don't trust individual politicians as far far as we can throw them, that we trust them as a collective to act in the country's best interest? The answer Matron usually get when raising this with her British chums is that there is indeed a feeling that a system of checks and balances exists that keeps the buggers honest. This system is said to include the judiciary, the media and the House of Lords. So lets look at each of those in turn.

Since the introduction of the HRA, the judiciary has admittedly been given much greater power to review laws made by Parliament and to make declarations of incompatibility where it feels that those laws do not come up to scratch, i.e. where they may violate the fundamental human rights of British (and other countries') citizens. Now it has been said before, but Matron will say it again, that - contrary to the views expressed by Daily Mail editor Paul Dacre - this isn't really a new way of doing things. Ever since the UK ratified the ECHR (and let us not forget that it was one of the first states to ratify the Convention in 1951) , its laws were supposed to be in line with Convention rights. The difference between then and now is merely that before the adoption of the HRA, the right to review of the compatibility of UK laws with Convention rights rested with the European Court of Human Rights in Strasbourg. What the HRA did, was to "bring rights home" as Labour put it at the time, which - most importantly - meant that citizens could now enforce Convention rights before the English courts. Let me repeat this again, more slowly: the HRA gave UK citizens no new rights. It merely brought jurisdiction over those rights to the UK courts.

Now Matron might be naive, but isn't that generally something that the Daily Mail should be happy about? English judges having a say before the European Court gets a look in? The problem, from the Mail's point of view is, of course, that British citizens can still appeal to the European Court once all domestic remedies have been exhausted. So, after all that, British rights may still be determined by foreigners.

But the point that worries most human rights campaigners - and where their views come into conflict with those of the Mail - is actually, that despite being given jurisdiction to review parliamentary laws, English courts do not have the right to declare those laws null and void if they find that they infringe human rights. In essence, this means that English judges can tell Parliament that it has done wrong when enacting a particular law, but they cannot force Parliament to repeal the law and adopt a new one. The fact that Parliament almost inevitably will repeal a law found incompatible by the Courts, is again nothing more than a constitutional convention - another expression of this country's charming naivety and trust in the system.

As for the controlling powers of the media, Matron will try to limit her rant to the bare minimum. The British media works well in some cases but not so well in others and because much of the media's power seems to be with the tabloids rather than the broadsheets, one could argue that the influence of media power on legislation could work for or against the protection of human rights (again, the Paul Dacre story is a point in case). Also, while the media did a good job in relation to cases like the Attorney General's report on the existence of weapons of mass destruction in Iraq, Matron continues to be stupefied by the almost complete absence of proper commentary on legislative proposals on data retention. There is some, but compared to what is going on in, say, Sweden, Austria and Germany, coverage has been laughable. So the best Matron can do in this case is a verdict of "must do better", which - given the increased centralisation of media in the hands of only a few players - is unlikely. Having said that, this development is not only a British problem but seems to apply to almost all developed Western nations.

Which brings us to the House of Lords. Now, if anything, to Matron this is them most perplexing control instrument of them all. As a lawyer trained in constitutional theory, the principles of democracy and the state and the separation of powers, she cannot but look at the Upper Chamber with a certain amount of incredulity and irritation. Unelected, appointed for life and not particularly accountable to anyone themselves, members of this elite circle do not seem to her the best way of ensuring successive governments' compliance with common values of freedom, equality and human decency. And indeed, the recent cash-for-amendments allegations seem to be proof that the system may have some inherent flaws. And yet, it is the House Lords that human rights campaigners increasingly look to as an ally, when it comes to curbing the government's worst excesses in the human rights arena (most recently largely seen in the context of anti-terrorism laws). And it seems to work, as the recent dismissal of plans to extent to 42 days the period for which police could hold a suspect without charge, seems to show.

So why does it work? The most entertaining explanation Matron has ever heard was given by Lord Lester of Herne Hill during a conference a few years ago. His Lordship mused that most members of the House of Lords seem to have been barristers at one time or other in their life. Barristers, he argued, are an eccentric bunch and trying to control them is a bit like trying to herd cats.

So lets get this straight: the well-being of the British people is ultimately protected by its eccentrics? Now this is an explanation that Matron - a bit of an eccentric herself according to those who know her in the flesh - would love to believe and trust in. But is it enough? After 15 years' residence in this great country, Matron is no loser to answering this question than she was when she first taught English constitution law to undergraduates in 1997 - which she did with an undeniable air of anxiety and moral panic. The best she can come up with even today, is that constitutional checks and balances seem to draw their validity from, and seem to work within, their own cultural and historical context. Until they don't, that is.

Thursday, 19 February 2009

The Facebook conundrum - do we need to be protected from ourselves?

Gosh, what a week it's been. Matron just spent all day wading through the European Council's common position on the Telecoms Package. So much so that she simply can't face writing any more about it and is rather looking for some light relief. Cue, the popular media which yesterday took FaceBook to task for clandestinely trying to introduce Terms of Business that would give it the right to use content uploaded by its users even after those users had moved on to greener pastures. Well, that sort of behaviour came as a big surprise to all of us, didn't it?

Now, Matron is not exactly what one would call an early adopter. That much can probably be deduced from the fact that she starts a blog at a time when everybody else is socially networking their little socks off. It has to be said that, for a tech lawyer, Matron is really rather technophobic. She also decided - after a short spell of online addiction back in the mid-nineties, largely related to a certain e-mail list which shall remain nameless (but lets just say that it led to a communal holiday in a cottage in Scotland with a number of people who were - unusal) - that she prefers face-to-face relationships to the virtual variety.

So, like everybody else over the age of 35, she has been following the FaceBook phenomenon with some interest and trepidation. So far, she has firmly rejected her students' untoward online advances, has lectured them, moaned at them, threatened to physically restrain them and, on one occasion, blackmailed them into engaging all possible privacy settings by telling them that she would openly display any of their publicly accessible profiles to attendees of an academic conference. She is also a paid up member of the "FaceBook Moral Panic Support Group" loudly lamenting the fact that things are not what they used to be.

So, although it is highly unfashionable in cyberlaw circles to call for increased legal regulation - technological solutions are still all the rage - Matron sticks by her guns and the points she made previously. What we need is a consumer protection approach that ensures that the purposes for which providers may use their users' personal data are limited in some way. And before all the Americans throw the First Amendment book at her, Matron is not talking about the abandonment of personal responsibility, user autonomy and free speech. She is merely appealing to common sense. Users of "my-way-or-the-highway" adhesion contracts should be subject to some sort of statutory framework.

Hopefully, the more stories are published about the blatant way that some providers abuse their users' data, the more political will there will be to do something about it. For that reason, last night's TV coverage of the FaceBook c***up was chicken soup for the soul. But even better than that, the BBC today published an article about a study that "proves" that online networking harms your health.

Isn't it great when scientific research confirms what you want to believe anyway?

Wednesday, 18 February 2009

Data retention and the incredible duplicity of events

You wait for ages for an irrational and totally see-through official position on data retention and then two come along at once. Following hot on the heels of last week's ECJ decision on the validity of the Data Retention Directive, the Home Office has now published its response to the consultation on the transposition of the Directive into English law. And what a response it is!

Matron isn't quite sure what to commend them on first. That they managed to gloss over the extension of the retention period for internet data from currently six months (under the Voluntary Industry Code) to 12 months, blatantly ignoring the point made by a number of respondents (including the SCL and Liberty) that they have yet to present a business case for any retention of communications data?

That they managed to find and quote the one sentence in a highly critical submission by Liberty that acknowledges that "communications data records can prove a valuable crime detection and prevention tool” (in its submission, Liberty then goes on to say, that the recently reported use of communications data by local authorities for the purpose of enforcing laws against flytipping and benefit fraud hardly fall within the definition of serious crime and terrorism)?

But the most worrying part of the response has to be the government's refusal to even engage with the argument that the retention of internet data for 12 months may very well be disproportionate under Article 8 of the European Convention on Human Rights.

As a general rule, Matron loves to be right as much as the next know-it-all, but in some cases she really doesn't. And the fact that the Home Office - less than a week after the ECJ made a similar point - also seems to suggest that the retention of communications data is somehow separate from access to the data so retained is one of those cases.

But first things first. Let us first look at the changes to the draft Regulations that the Home Office wishes to introduce as a result of the consultation:

Application of the Regulations
Because the UK government has agreed to reimburse CSPs for the costs they incur in implementing the Directive, it has long tried to keep those costs to a minimum by avoiding duplicate storage of data. In practice, this is difficult as many CSPs are using networks operated by other CSPs so that communications data are often held by both the upstream and the downstream provider. In the original draft Regulations the government therefore proposed that they should not apply to a CSP to the extent that the data concerned are already retained by another UK CSP. However, CSPs were very unhappy with this provision as they feared it would create both uncertainty and market distortion. They also argued that third parties interested in accessing retained data (for example, copyright owners) might bring actions for breach of statutory duty against those CSPs ostensibly not required to retain data under the Regulations.

The revised Regulations published by the Home Office last week provide that they will only apply to a CSP if the Secretary of State issues a notice to that CSP requiring it to retain data. No statutory duty to retain data will exist on the part of the CSP in the absence of such a notice. At the same time, under revised regulation 10(2), the Secretary of State must issue such a notice to a CSP unless the data to which the Regulations apply are retained in the UK in accordance with the Regulations by another CSP. In the words of President Truman: "the buck stops with the Home Secretary". Meaning that even if the Home Office gets it wrong, it is now likely that third parties who feel aggrieved that a particular CSP has not retained communications data will probably have to bring an action against the UK government under the Francovich principles rather than have a case against the individual CSP. Directives do not have direct effect and from a CSPs point of view, their statutory duty is what English law says it is. So, that's good news. Or is it?

Well, it depends on whether or not you generally agree with the right of third parties to access data retained for crime prevention and anti-terrorism purposes for their own commercial purposes in the first place. Quite a few respondents raised this issue in their submission. It seems that the CSPs are mainly concern that this may net them lots of Norwhich Pharmacal orders from the already prolific film and music industry. But those of us, who feel that the use of CSP data for the purpose of enforcing copyright has already gone far enough, the Home Office's response to this issue is worrying indeed. It merely states that the Home Office is working with the Ministry of Justice and the Interception of Communications Commissioner to provide guidance for the courts on how these cases should be handled, and that, separately, the government intends to provide more effective remedies for rights holders. So, unsurprisingly, the government is still refusng to consider other solutions to the problem of filesharing and illegal downloads.

Data to be retained
Many ISPs have pointed out that the majority of communications data to be retained relates to unsolicited marketing e-mails ("spam") that is filtered by CSPs and that in most cases is never delivered to the intended recipient. Excluding that data from the retention requirement (along the lines of the Directive's exclusion of data relating to unconnected telephone calls) could save the government millions of £££ but did common sense prevail? Did it heck!

Coming back to the mystery of the missing business case, the government was caught with a small amount of egg on its face, when it had to admit that the orginal draft Regulations had omitted a requirement of the Directive that statistics relating to the time elapsed between the date on which the data were retained and the date on which a lawful request for data was made should be collected. That sort of data is obviously essential for establishing whether or not a retention period of 12 months is actually necessary and, hence, proportionate under Art. 8 ECHR (other views that have been mooted include the suggestion that the police only needs a retention period of 12 months because it is so unorganised that it will need at least six months to actually make the request and that long retention periods are really there to cover incompetence and inefficieny. Matron prudently reserves judgment on that).

Apparently, the omission was an "oversight" and the necessary requirement has now been inserted in draft regulation 9, but as they say, just because you're paranoid, doesn't mean they're not after you.

Human rights considerations
But returning to the above mentioned duplicity of events, most notably of all the Home Office has indeed managed to dismiss any suggestions that the retention provisions may actually be disproportionate under Art. 8 ECHR, reasoning that respondents who made those suggestions largely focused on the proportionality of access to the retained data rather than its retention. However, access, the Home Office argues, is governed by RIPA not the Regulations, so arguments relating to disproportionality should be made in a RIPA context. Wait a minute! Isn't that what the ECJ just said?

It is, of course, complete baloney, particularly when you look at the recent judment by the European Court of Human Rights in S. and Marper v United Kingdom, where the court decided that the blanket and indiscriminate retention of DNA records by the UK government, regardless of whether the data subject was convicted of an offence after collection, failed to strike a fair balance between the competing public and private interests. The court concluded that the UK government had overstepped any acceptable margin of appreciation in this regard and it could be argued that similar considerations should apply in relation to the retention of personal data of millions of innocent individuals.

But leaving that aside for the moment, Matron continues to be worried about strategy. If both the UK government and the ECJ are trying to separate the retention of data from access to that data, it may really be time to take note. As Matron suggested before, data retention opponents, particularly in the UK, should start to seriously plan for a fight on two fronts, namely they should think about lodging actions for judicial review of both the Regulations (once they are in force) and the access provisions under RIPA.

Friday, 13 February 2009

You turn if you want...

Matron was slightly amused to learn that the European Commission decided to disband the Data Protection Expert Group it set up as recently as last year. Although the Commission allegedly denies any connection, rumour has it that the reason for its decision is a complaint lodged by Alex Tuerk, the French chairman of the Article 29 Working Group, that four of the five members of the group "represented American interests".

Indeed, the group included Peter Fleischer, Google's global privacy counsel; David Hoffman, Intel's director of security policy and global privacy officer; as well as two privacy lawyers working for US law firms. The group was originally set up to provide independent expert advice to the Commission in relation to any specific or emerging issues relating to the current legislative framework for data protection. However, the Commission refused to confirm that this finally signalled the long awaited review of the 1995 Data Protection Directive. On the contrary, it emphasised that it did not envisage submitting any legislative proposal to amend the Directive in the short to medium term.

This attitude at least seems to have changed in the wake of the group's dismantling. There is now talk that the group will be disbanded into a wider consultation which is due to be launched at a conference organised by the Commission in May of this year.

The majority of privacy experts agree the that the Commission has been dragging its feed on this one and that a fresh look at the Directive is long overdue, particularly in light of the fact that changes to the framework are now being discussed - inappropriately many think - as part of the Telecoms Reform Package. So, as U-turns go, this one would be quite welcome. However, Matron worries that in this case a review may actually be used to water down the existing protection. If the negotiations relating to the proposed changes to the E-Privacy Directive are anything to go by, this concern does not seem to be entirely far fetched.

Thursday, 12 February 2009

Is time running out for privacy notices?

After launching a consultation on a draft code of practice for privacy notices last month, the ICO has now published the results of an online survey where over 2000 adults were asked how they felt about the "small print" contained in standard privacy notices. Apparently, 71% of participants admitted to not properly reading or understanding the small print (a lower number than Matron would have expected!) and 47% believe that small print is "purposely designed to be as woolly as possible". Indeed! Having spent several years in private practice advising corporate clients that the privacy policy is their friend not their enemy, Matron certainly feels that this message has hit home with CEOs and inhouse legal counsel quite some time ago .

As someone who for a very long time predictably, boringly and (in the opinion of her partner) embarrassingly read all small print before signing, Matron has found that over the last few years she too has become more complacent. While she will still search for the tick boxes that will (hopefully) prevent her from being inundated with adverts for Viagra and penis enlargements, she no longer reads the privacy statements with the same sort of youthful vigour.

That has partly to do with the problem identified by the ICO - they are getting longer and more impenetrable. But also - and therein, as they say, lies the rub - she makes a plain old profit/loss analysis. As her esteemed friend and colleague Prof. Lilian Edwards points out in one of her articles, the majority of privacy statements, particularly those used by online providers, are effectively adhesion contracts - not subject to negotiation, take it or leave it. If you want the service, you have to agree with the terms, so reading them could often be seen as an utter waste of time. And because most consumers - again in Lilian's words - prefer "jam today" - goods and services, fun and frivolity - over "jam tomorrow" - safety and security of their personal information - it has become easy for online providers progressivley to expand the purposes for which they may use their customers' personal data - ostensibly with their consent.

Consequently, and without wanting to criticise the ICO's commendable move to initiate a discussion of this subject, Matron cannot help thinking that the ICO stopped a bit short of what may actually be required. Instead of simply joining the plain English campaign, may it not now be time to revisit the entire concept of fair processing notices, particularly where the purposes for which the data can be used by businesses become binding on their customers on the basis of their IMPLIED consent (as is possible in the UK)? Should we start thinking about these isssues in terms of consumer protection and should we be looking into the possiblity of legislating for "unfair privacy terms" along the lines of the Unfair Terms in Consumer Contracts Regulations 1999?

It seems that for the time being the ICO wants to stick with the "educational approach": getting companies to simplify their privacy statements so that consumers can understand them better and make better choices. But extensive permissions to use consumer data are still extensive permissions by any other name and the concept of choice - as in all adhesion contracts - may be illusionary.

Wednesday, 11 February 2009

The imagery of surveillance

Has anyone else noticed the increasing pervasiveness of surveillance imagery that is cropping up all around us? It started with the most recent TV Licensing advert that reminded us in a creepy, slightly threatenting tone of voice that you can run but you can't hide, because "it's all in the database".
And a few weeks ago I encountered this at a bus stop on my way to work. So even the cows need watching now to make sure that - what? - they give enough milk? Don't eat the wrong kind of grass?
Matron cannot help feeling scared that in the homeland of CCTV, these images seem to become part of the wallpaper. So much so that no one notices them any more. Despite all evidence to the contrary, individuals in the UK continue to believe that being captured on film up to 300 times a day will successfully protect them from becoming victims of criminal activity and resistance to widespread public surveillance is minimal. Matron is afraid that these images might be doing their bit in habitualising us all to the normality of constant observation.
Three cheers therefore for the House of Lords Constitution Committee which last week published a report entitled "Surveillance: Citizens and the State" that looked at the impact that government surveillance and data collection have upon the privacy of citizens and their relationship with the State. Among other things, it recommends that the government should introduce a statutory regime for the use of CCTV by both the public and private sectors and that a Parliamentary joint committee on surveillance and data powers of the state should be established to which any proposed legislation which would expand surveillance or data-processing powers should be referred. With the upcoming consultation on the Interception Modernisation Programme and the implementation of the Data Retention Directive for internet data just around the corner, this reminder does not come a minute too soon.
Whether anyone in this increasingly arrogant government will take any notice of it, is another matter entirely. For recent examples of sheer pig-headedness, see the government's response to the House of Lords report on personal internet security and it's notification to the European Commission stating that it wants to extend its existing derogation from the artist's resale right for the work of deceased artists for a further two years. This does not mean that Matron is necessarily in favour of copyright terms that exceed the artist's own lifespan. But the decision to extent the derogation was taken despite the fact that, as part of an IPO consultation on the matter, only 10% of respondents were in favour of such an extension. Little wonder that the majority of people in this country are starting to feel a smidgen ill at ease with their elected representatives. But unlike the people in the US, do we have a viable alternative?

Tuesday, 10 February 2009

When Irish eyes are smiling - NOT

The waiting is over and the ECJ has finally delivered its decision on the validity of the Data Retention Directive. Unsurprisingly, it followed the Advocate General's opinion earlier last year and held that the Directive was adopted on the correct legal basis. While this is a short term bummer - member states will still have to implement the Directive by the 15 March 2009 deadline - Matron can't help thinking that in the long term this was the correct approach. Beware the turncoats among the Directive's opponents who lobbied for the involvement of the European Parliament back in September 2005 when it looked like the only way to prevent the worst from happening and who were now hoping that the Irish government would be successful (notwithstanding that it is a stout data retention supporter) for the very same reason. Hard cases make bad law, as they say, and a confirmation of the Irish position may very well have opened a Pandorra's Box more viscious than we would currently be able to foresee.

Yes, it is true that adopting harmonised European provisions under the third pillar requires unanimity in the European which is difficult to achieve. Difficult but not impossible and the proposers of the original Framework Decision on the subject (including Ireland and the UK) had made some headway in that regard back in September 2005 when both the European Parliament started to kick off. Also - and this is probably more important in the short term - in the absence of harmonising EU law, every member state would have been able to adopt its own data retention laws. That would have been great news for human rights organisations in places like Austria, whose government has long opposed data retention on principle, and Germany, where the Constitutional Court may very well have put a stop to it. But in places like Ireland, Italy and, not least, the UK we may well have ended up with laws which require providers to retain more types of data for longer than the maximum of 24 months allowed under the directive. Furthermore, much of the Council decisions come about as a result of horse-trading behind closed doors. At least, the involvement of the European Parliament guarantees some sort of political transparency, even though - as in this case - this will not always protect us from undesirable outcomes. So right on, ECJ, you did well.

But what does it all mean for individuals' right to privacy? Well, the bad news is that ISPs and telecommunication providers will now initially have to retain communications data for between 6 and 24 months. The technology and the infrastructure for this will have to be set up, costed and funded. And we know how it goes - once that infrastructure is in place, both the state and the providers will most probably manage to find a use for it even of the Directive is eventually binned. A frightening thought!

However, the ECJ has not yet examined the question of the Directive's compatibility with fundamental human rights, in particular with the right to privacy under Article 8 of the European Convention of Human Rights (ECHR). Indeed, it has very clearly stated that the action brought by Ireland - and consequently its own decision - relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy by the Directive. That, in a way, is a good thing, because it leaves the door open for a future challenge by data retention opponents who hope to be able to prove that blanket data retention is wildly disproportionate to the objective the Directive is set to achieve. Judicial or constitutional reviews relating to the compatibility with the right to privacy of national laws implementing the Directive are already pending in a number of member states including Germany and Ireland. The relevant courts may now refer any of those cases to the ECJ for preliminary ruling. The German Constitutional Court - bound as it is by its own "Solange II" principles (that it will not review the compatibility of EC legislation with the German Constitution as long as ("solange") the European Communities, and in particular the judicature of the ECJ, secure the protection of fundamental rights) - are the most likely suspect for such a reference. The Court has repeatedly postponed its own decision in the pending case - likely because of the impending ECJ ruling.

But the ECJ also made another interesting point: namely, it emphasised that the Directive merely relates to activities of communication service providers (the retention of communications data) and not to the activities of public and law enforcement authorities (access to the retained data). While factually correct, this could suggest that when the ECJ eventually receives a reference from a national court, it may limit its own jurisdiction to a review of the question whether the mere retention of data infringes fundamental rights rather than taking a "big-picture-view" of the matter and taking into account the effect that law enforcement's access to that data will have on those rights. It could argue that the mere retention of data does not infringe individual rights provided that access to that data is limited and subject to sufficient safeguards. As the access provisions and safeguards are currently contained in national law (here in the UK, access is governed by Part I Chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA) and a host of secondary regulation), the ECJ could rule itself out completely as a competent court to review the matter from that point of view leaving it instead to national courts to decide.

On the one hand, this could mean that data retention will come to be seen as be a beautiful example for a judicial game of "pass-the-parcel" where data retention provisions are quietly implemented all across Europe while the courts are sorting out their own compentency between themselves. On the other hand, such an approach by the ECJ could open up an opportunity for opponents provided they grasp it quickly and strongly enough.

Data retention opponents should now also consider the judicial review of national access provisions by the national courts as well as, ultimately, by the European Court of Human Rights in Strasbourg. To a varying extent, all EU member states are also signatories to the ECHR which means that their national laws are subject to that Court's jurisdiction once all national judicial remedies have been exhausted. In a UK context this could mean, that even if the ECJ, in a future action referred to it, determines that

  • data retention alone is not enough to infringe people's fundamental rights
  • it is not competent to review the access provisions that may be so infringing,
the access provisions under RIPA could be attacked separately.

Like many others, lawyers advising data retention opponents have so far been puzzeld by the fact that the demarcation line between the jurisdiction of the ECJ and the ECtHR has never been clearly defined. Ever since the ECJ, in the case of Internationale Handelsgesellschaft v. Einfuhr und Vorratsstelle Getreide, confirmed that it would protect fundamental rights as general principles of EU law, the scene was set for a clash between the two courts, albeit that to date this clash has never materialised. It was thought, that data retention could have been the case, where this might finally happen.

However, unless the European Council adopts harmonised provisions on access to retained data which would bring the matter squarely within the ECJ's jurisdiction (probably unlikely, given how difficult it was to achieve consensus even on the retention of the data), civil rights organisations across the EU should now probably review their strategies and start planning for a two-pronged attack:

  1. Continue the judicial review of national laws implementing the Data Retention Directive with a view to a reference to the ECJ. Cross your fingers and hope.
  2. At the same time commence separate actions for judicial review of the related national access provisions arguing that they violate Art. 8 ECHR and that it would be inappropriate to refer those cases to the ECJ for preliminary decision, as they do not concern EU laws. If the national courts decide that those provisions do indeed violate Art. 8 ECHR, then - depending on the constitutional procedures of the relevant country - the provisions will either be void immediately or be declared "incompatible with human rights" leaving the legislator to amend the law. If the national court finds that access to retained data does not breach Art. 8 ECHR, the path to Strasbourg is clear. And it light of the court's most recent decision in the area of privacy and state surveillance, Matron can't help feeling that the chances of success in that court would be much better than before the ECJ.

However, even if a challenge before the ECtHR was successful, the problem of data retention may remain. Would the ECtHR assume jurisdiction on the retention provisions given that they are subject to review by the ECJ? If not, would national legislators, the European Institutions and/or the ECJ revise their position on data retention, if the ECtHR decided that access to the retained data breaches individuals' human rights? Data retention is expensive. National governments will (hopefully) not want to bear those cost or impose them on businesses operating from their territory if they cannot then access the data retained. An ECtHR decision condemning the right to access could therefore be a roundabout way to make them change their mind. But it's tricky. So "as long as" we don't know how best to tackle this we should probably tackle it any which way we can.