Wednesday, 8 December 2010

Some random thoughts on Wikileaks and Assange

Christmas is coming ever closer and with it the overload of work that Santa seems to have in his bag these days, Matron's brain is fried from trying to get to grips with teaching, government consultations, job interviews and an excess of travel. As a result she has - to the best of her abilities - tried to inure herself from the wall-to-wall coverage of WikiLeaks, the US Embassy cables and the allegations against Julian Assange if only to allow her to get on with some stuff.

But it is getting harder to escape all that coverage and woman is a processing, pattern-making animal, so random, if often rather conflicting, thoughts on this have arisen and are taking up valuable brain space. Each of them longer than 140 characters but not really enough for a coherent blog post, they still want to be released. To make it more interesting, Matron has given them "Yes Minister" titles. Feel free to ignore; normal service will be resumed in the new year.
  1. The Right to Know: While the disclosure of the documents on Iraq took the public interest hurdle with some ease, Matron can't help feeling that a lot of what came out of the Embassy cables is just a smidgen, if at all, above the tabloid newsworthiness threshold. Most of it seems to concern statements made by the No-surprise-there-department (sub-section Duh!) that inhabits a basement in the Ministry of the Bleeding Obvious. Yes, it is lovely to have your prejudices about Prince Andrew, the Rich and Powerful and those stupid, arrogant Americans confirmed, but beyond that Matron would pay good money for someone that pre-selects from those cables the things that will really make a difference to our perception of the way things are done and our willingness to do something about them. They are probably there, buried within a mountain of information, but it is terribly difficult to find them in all that gratuitous gossip. So, here's an idea for the movement: rather than going for the shock and awe effect (you've done that now and the whole world bought the bloody t-shirt), maybe next time it would be more useful to concentrate on selectively disclosing the things that really matter.
  2. Power to the People: Having said all that, Matron completely agrees with many of the punters that by far the more interesting aspect of this whole affair is not what WikiLeaks has done, or even what the people whose behaviour has been exposed have done, but how the US and other countries reacted to it. Even discounting the hysterical reactions of US senators (which are unlikely to be taken seriously by many on this side of the Atlantic), the steps taken against WikiLeaks say more about the state we're in than a million indiscrete cables. It is quite clear that those whose actions have been disclosed by WikiLeaks are far more upset about the fact of disclosure than the content that has been made public. It's the paradigm change in relation to the way in which information is, can be or should be controlled that is the real issue here. As one very sensible blogger put it, being told by our masters that we can't handle the truth just doesn't wash any longer.
  3. A Conflict of Interest: But at the same time, with great power comes great responsibility and Matron can't help feeling that WikiLeaks and those who support it currently get carried away just an itsibitsi tiny bit on a wave of their own omnipotency. As a privacy advocate, Matron has always fought the corner of those who argue that while transparency and freedom of speech are among the most important rights in a democratic society, they are not the only rights. They have to be balanced against other rights, freedoms and interests and figuring out how that balance should be achieved is a difficult and time-consuming process that we may just be by-bassing when pressing a button to disclose another 250,000 documents whose full contents we will not have been in a position to fully know or appreciate. Taking just the privacy argument as one example, there may be stuff in those cables that relates to private matters that the public really has no right, nor a need, to know.
  4. The Smoke Screen: With the combined coverage of the WikiLeaks and Assange affairs seeimingly taking up every available inch of colunm space at the moment, is Matron the only one thinking that this would be a great time for governments the world over to bury bad news? In fact, here's a conspiracy scenario to think about while we're at it: imagine someone in the US government thinking, "Wouldn't it be great if we fed an organisation like WikiLeaks a lot of mindless chitchat that won't disclose a lot about us that people aren't already thinking anyway but that will keep the hacks and the geeks and pretty much anyone with a halfway functioning brain gainfully employed for weeks on end? Just imagine what we could get away with while they are all busy loooking the other way." In the area of IT and Cyberlaw alone, we currently have a plethora of really rather alarming proposals on the table that may change the way in which we can live, work and play, in which we can interact with each other and our governments, the extent to which those governments can exercise control over us and our actions and the extent to which we can resist that control. Yet, pretty much ALL the good brains Matron knows in this area are currently using most of their processing power on exchanging URLs for WikiLeaks mirror sites. I'm not saying that you're not doing an important job, boys and girls. But you know what? Job share! We need some of you for other stuff!
  5. A Question of Loyalty: Matron admits it: when the sexual assault allegations against Assange first made the press, her immediate gut reaction was to think, "Now that suits the powers that be a little bit too much to be mere coincidence". We leftie liberals are hard-wired for conspiracy theories; the more outlandish the better. There is something about us that loves the feeling, as Technollama put it on Twitter recently, that we live in a Stieg Larsson novel. And maybe we do. But in the same way that we should try very hard not to suspect conspiracy when incompetence will do, we should not loose sight of the fact that good people sometimes do bad things. And that, consequently, we should not automatically assume that someone like Assange couldn't possibly be involved in something like a sexual offence, or that the laws of a country that allege such a thing must by defintion by wrong and illiberal and that the US must obviously have exerted great pressure on that country to bring down the full force of the law on one it now clearly views at its enemy no.1. That may all be the case, but it is no more likely than the alternative, because, at this stage, we don't know. If this had not been the founder of WikiLeaks, those allegations may still have been made and the appropriate judicial procedure might still have been employed and the people making the allegations would have been given the opportunity to prove them without being vilified as instruments of state oppression and the accused in this case would have been given the right to defend himself without his private conduct being closely linked to his professional role. While we do not know an awful lot about the charges that have been brought and the evidence available to prosecutors at this point, we should not fall into the trap of canonizing an individual in ALL areas of his life because we feel that he has acted like a saint in ONE of them. And we should not make feminist leftie liberal women feel like traitors to the cause if they cannot subsume their instinctive feeling that allegations of sexual misconduct need to be taken seriously whoever the alleged perpetrator. Julian Assange is innocent until proven guilty, but the two Swedish women and the Swedish prosecutors have every right to try to prove his guilt.
  6. The Bishop's Gambit: Finally, to all those people who cannot distinguish between the charges against Assange and the charges against WikiLeaks: be concerned, be very concerned about the dangers of personificating a movenment. As many others more familiar with the ins and outs of how WikiLeaks functions have already pointed out, WikiLeaks is more than Assange and will and should continue regardless of what happens to him. Those who tie his lot together with that of the movement he helped found play into the hands of those who try to argue that the discreditation of the man will automatically discredit the movement. If he is found guilty, and at this stage this is as likely as the possibility that he will be acquitted, because WE JUST DON'T KNOW, then there will be no shortage of people saying that WikiLeaks is irrevocably tainted by his actions and that his failures in one area of his life must mean that there is no moral justification for the work he has done in others. Don't do their work for them! Make sure you separate the man from the mission.

And so on to all the other things on Matron's to-do list that are not WikiLeaks. Which, sadly, is still most of them. In the meantime, have a merry festive season!

Monday, 15 November 2010

Research is vital!

Those of Matron's readers who are citizens of academia and/or members of the Twitterati will undoubtedly be aware of the hashtag #scienceisvital and the related campaign -fought by, among others, former LibDem MP Dr. Evan Harris - that was aimed at convincing the government to "lay out a supportive strategy for UK science and engineering" by "maintaining a level of investment at least in line with economic growth ".

The petition was signed by 36290 people - among them the names of many of the most eminent figures currently working in UK Higher Education - and ultimately led to science funding being treated rather more benevolently in the context of the recent comprehensive spending review (CSR) than many other areas.

A successful strategy, therefore, from which we could all learn? Certainly! And yet, despite the fact that Matron has followed the campaign with interest while it was in its most active phase, she could not bring her self to add her name to the pledge. Why is that?

The reason is that the petition, commendable as it was in its attempt to defend the science budget, focused merely on the funding for "science" in its most narrow definition, namely "the intellectual and practical activity encompassing the systematic study of the structure and behaviour of the physical and natural world through observation and experiment". Natural sciences, in other words, or "science and technology" in more modern parlance.

Indeed, the petition itself mentions as the particular areas for which funding must be preserved "energy, medicine, infrastructure and computing". Although, many of the signatories came from the social sciences, arts and humanities communities, no mention was made of those disciplines in the petition and - as has become clear - they did not benefit in any way from the government's rethink in the CSR.

In Matron's opinion, the petition and the related campaign can therefore also be seen as an example for another development that was easily predictable and widely expected when news of severe cuts to the HE budget first came out: that rather than coming together and ganging up on a reluctant government in an attempt to convince it of the shortsightedness of its plans, the sector would engage in a divisive struggle in which each party would attempt to secure the biggest piece of an ever smaller cake. In this context we have seen old universities work against new universities, higher education versus further education and one discipline against the other. The only winner in this game has been the coalition government which has found it all to easy to get savage cuts to the arts and social sciences budgets through with minimum fuss while at the same time being able to point towards the science budget it (largely) maintained.

Make no mistake, science IS vital! Without it, we will not be able to overcome the challenges arising from threats like climate change and overpopulation. It's funding should be preserved and, if possible, increased.

But when asked by scientists to support the petition, Matron felt a little like she felt when, back in the early 90s, she moved to the UK from Germany as a (then more than now) politically active lesbian. Whereas in Germany, this group was politically more aligned with the feminist movement, in the UK, lesbians were part of the gay rights or queer movement. In practical terms this meant that, at the time, the political goals lesbians fought for and were expected to support included not only the fight against AIDS but also gay marriage. This was in open disregard of the fact that lesbians, with their "moving-in-on-the-second-date" kind of relationships were in the group least likely to be infected with the HIV virus and that feminism had worked on a critique of the institution of marriage for at least the last century.

In the end, Matron became an active volunteer for an HIV/AIDS charity - not because she was directly affected but because it was the right thing to do at the time with thousands of people dying alone and without the necessary support. But she always refused to go to any length to support the call for gay marriage. In the words of the inimitable Alison Bechdel, comic artist extraordinaire and observant chronicler of lesbian live throughout the 80s, 90s and noughties, there was no way she was going to be complicit in the enshrinement of coupledom as a privileged civil status given that there were, in her view at least, better ways to achieve equal treatment for everyone (for example, by abandoning, and not re-introducing, dear Mr Cameron, all solely marriage-related state benefits).

Matron's most interesting experience during that time was a conference ca. 1994 when she was on a panel with a high profile (female) member of gay rights group Stonewall. When asked about her views on why the lesbian movement in Germany preferred to align itself with feminist heterosexual women rather than gay men, Ms. Stonewall's responded that maybe the lesbian movement in Germany wasn't as far advanced yet as it was in the UK and the US. It was the simple arrogance of that statement which completly dismissed a political strategy on the basis of "backwardness" and which negated the many rational reasons its proponents may have had for choosing it, that took Matron's breath away then and that still appalls her now.

Because asking someone else to support your cause because it is the right thing to do, is one thing. Asking them to support it despite the fact that doing so may actively harm their own interests or political goals - and be that only because those interests or goals will be forgotten about or set aside while time and engery is spent on fighting for yours - is quite another.

So, coming back to the point Matron was trying to make:

Science is an important area of research that deserves our support and government funding. At the same time, as every HE researcher knows only too well, science has had a better deal in public funding compared to any other area of research for these past 10 years at least because science gets good PR and politicians up and down the country seem to feel that they can support spending money on the development of a new widget much more easily than, say, the teaching of drama, philosophy or sociology. How is any of the latter to compete with research to find a cure for cancer or Alzheimer's?

But demanding that the science budget should be maintained will almost inevitably mean that the budget of other research areas will suffer. Areas that are equally vital, like:
  • The social sciences that will ultimately have to figure out how and to what extent society will be able to absorb, integrate and adapt to the new technologies that the scientist will come up with with.
  • Economics that will enable us to "follow the money" and to figure out who benefits from new research and developments and how that benefit can be distributed in a more equitable and socially beneficial fashion.
  • The arts because - as Winston Churchill is alleged to have said when asked to cut arts funding in favour of the war effort - if not for the arts, then what are we fighting for?
It is openly known in the research discipline of which Matron is a member, that over the next five to ten years at least, research funding will either have to come from Europe or from collaborative projects with members of STEM disciplines, which will allow us access to their funding pots. This will be easier for those who, like Matron and her ilk, are research active in technology law than it will be for those of her colleagues who specialise in family law or criminology or constitutional law. But that does not mean that these subjects are any less important for society or that they deserve any less support.

This is a game of divide and conquer and by singling out one area, venue or means of research over another we are playing directly into the government's hands.

So, dear scientists, Matron would love to support your petition, because she thinks it is the right thing to do. But if you ever re-open it for new signatories, would you mind changing its title?

From "Science is vital" to "Research is vital"?

Thursday, 11 November 2010

A rather phormulaic proposal

Following yesterday's mini-rant on the failure to publicise this and the rather short consultation period, Matron has now had the opportunity for a more intimate heart-to-heart with the ever-so-under-the-radar Home Office proposals on changes to RIPA. The verdict: while there doesn't seem to be anything particularly offensive in there, she can't help feeling that we are once more bearing witness to the UK government trying very hard to comply with the nagging of those pesky Europeans while, really, not changing things all that much in practice.

By way of background, the changes to RIPA became necessary because the European Commission - following, among other things, a letter writing campaign by that excellent Open Rights Group - referred the UK to the European Court of Justice because it felt that it had not fully implemented rules on the confidentiality of electronic communications contained in the E-Privacy Directive (2002/58/EC). That Directive provides that member states must adopt provisions which prohibit the unlawful interception and surveillance of electronic communications unless the users concerned have given their consent. According to the Data Protection Directive, that consent must be "freely given, specific and informed". Member states must also establish appropriate sanctions where these prohibitions are infringed and independent authorities must be charged with supervising this are to prevent any unlawful interception.

As per usual, the UK has watered down these draconian requirements a little to make life easier for the folks in the interception trade. Section 1(1) RIPA only prohibits intentional interceptions - accidents do happen, don't they?; section 3(1) RIPA lets offenders off the hook if they had "reasonable grounds for believing that consent has been given" and as for establishing a proper supervising authority, well, there was that minor issue of a gap between the supervisory powers of the Information Commissioner (who doesn't do interceptions) and the Interception of Communications Commissioner - or IoCC - (who doesn't concern himself with the conduct of private entities).

All this left said private entities in the fairly comfortable and almost entirely unregulated sphere in which companies like Phorm and their ISP partners then thought that it might be a good idea secretly to analyse people's web surfing habits the better to determine their interests so that targeted advertising can be delivered to their screens. Let's face it, folks, cheap broadband doesn't pay for itself.

When the Phorm, sorry storm, broke loose, however, many of those people figured they'd rather not have every single one of their online moves recorded - albeit, according to Phrom's PR, in the most privacy-friendly way possible - and many of the CSPs had to beat a hasty retreat. Phorm itself has, for them time being, left the building, although it is still flogging its technology in other countries.

But back to the European Commission, the ECJ and the UK's urgent need to do something to avoid further costly proceedings. The consultation paper proposes, in essence, three things:
  1. The government, acknowledging that section 3(1) of RIPA does not provide the required clarity the CSPs need to determine whether or not their customers have consented to their weird schemes, wants to "remove the ambiguity" and thereby "ensure that the provision is consistent with the definition of consent" contained in the Data Protection Directive. It doesn't say, exactly how it wants to do this. Whether it will simply remove the offending "reasonable grounds" passage or whether it will come up with something more roundabout is one of the things we will have to look out for when the draft legislation is published. But for the time being this does not sound to bad. However, there is a problem with the use of consent in this context and this is one of the points that Matron wants to look at in a little more detail later.
  2. The government also wants to expand the functions of the IoCC so that, in the future, he can - following a complaint by a user - investigate CSPs in cases of unlawful, unintentional interceptions. Again, this seems to address the European Commission's concerns to a certain extent, but even the work of the IoCC in his natural habitat of supervising the interception activities of public bodies is not without question, and the same issues do arise here. Of that, too, more below.
  3. Finally, the governments wants to introduce a new civil monetary penalty of up to £10,000 that the IoCC can impose on anyone violating the prohibition on unintentional interceptions. He may also be given the power to issue a notice requiring the unintentional unlawful interception to cease. Any penalty or enforcement notice may be appealed to the First-tier Tribunal and the proposal includes comprehensive provisions governing such an appeals process.

So far, so business-as-usual. The procedures proposed here came pretty much straight out of the regulatory textbook and bear many a resemblance to the procedures that apply in the context of complaints to the Information Commissioner about data protection breaches. There is no reason why it shouldn't work in this context. Except...


As in all cases where consent is used in a relationship between businesses and individuals, there is actually a pretty big questionmark both over the "informed" and over the "freely given" part. Informed consent should mean, as the very minimum, that she who consents to something, should be aware of what she is consenting to. As we all know, in an online context this is little more than a legal fiction because UK law allows providers to hide consent provisions deep in the recesses of their privacy policies or terms of use which no one in their right mind ever reads unless they are mentally disturbed or a privacy lawyer or both.

This means that on the basis of these new rules, there is nothing stopping CSPs to include relevant implied consent provisions in their business terms, from which point forward they will no longer have to worry about their customers' consent at least, if they want to carry out interceptions for the purpose of behavioural advertising.

As many people wiser and more knowledgeable in this area than Matron have pointed out, this may still not actually allow them to intercept those communications because the consent of both participants to the communication is needed under RIPA. But if that communication concerns, for example, a user visiting a website for some online shopping, that website - as the other participant - could possibly be persuaded by the CSP to agree to the monitoring of that traffic in return for a small cut of the advertising revenue thus created. Stranger things have happened at sea and there are probably no limits to the length to which most online businesses would go when developing new monetisation strategies.

But coming back to the user who is, normally, the CSP's customer. Will this user have the right not to consent to the interception of her communications by her CSP without loosing the ability to use the CSPs service? Online business terms are usually take-it-or-leave-it, my-way-or-the-highway kinda terms. CSPs may well be of the opinion that targeted advertising, which is after all used to co-finance cheap broadband access, is a necessary revenue stream in a competitive environment and that any user who doesn't play ball is free to find another provider. The problem is that, if all CSPs think that way, there will be no other provider to go to. And what then?

For this sort of thing we have two analogies in the law which we may want to draw upon. The first is the way in which the law deals with cookies. Now as we all know, there is some change coming in this area, but the one thing that remains unchanged is the fact that website operators that wish to use cookies can prevent users who refuse them from accessing certain parts of their website. CSPs could therefore argue that it should be the same in the case of targeted advertising and the related interceptions of users' communications. Is that justifiable, though?

The other analogy is employment law, where the use of consent is very limited becauses it is widely accept that in an employer-employee relationship it will rarely be freely given.

If, therefore, as a stubborn user who does not want to have her communications intercepted, Matron would, in practice, no longer longer be able to find an ISP that will have her, she would possibly no longer be able to access the internet. However, as Matron and many others of her persuasion have long argued, by now the internet is such an important part of everyone's life - it facilitates not only economic and social activities but also education and political participation - that to be without internet access is tantamount to the violation of a human right.

Now, some readers might think that this is a bit of an exaggeration, and maybe it is, but if "choice", that famous holy grail of the free marketeers, comes down to a choice between one ISP who will intercept your communications and another who will do the same, is that not a clear case of market failure? And shouldn't the government anticipate this situation and do something about it, now that it has the chance?


The government did apparently consider introducing criminal sanction rather than a civil penalty, but it decided against it in the end because it feared that the enforcement of such sanctions would be impractical and impose undue strain on the UK's police forces.

As a card carrying, bleeding-heart liberal, Matron is no great friend of potentially increasing the country's prison population for non-violent offences (although, as a practicing lawyer, it has been her experience that the threat of criminal sanctions tends to focus the CEO's mind) and for that reason she will not criticise the government from shying away from this step.

However, realistically, the penalty of "up to £10,000" is unlikely to be a major deterrent for CSPs as this is the sort of amount that many companies view as beer money. Unfortunately, one of the viable alternatives - giving the user whose communications have been intercepted a right to claim damages - already doesn't work in the area of data protection because in the absence of punitive damages it is actually terribly difficult to prove financial loss in these circumstances.

Which makes Matron think that maybe something along the lines of the recently introduced data security breach notification system should be put in place instead. That system, for those who do not know, requires providers of electronic communications services to notify any breach of data security to the Information Commissioner and, if the Commissioner thinks that this is appropriate, to the affected data subjects.

As we are largely talking about unintentional interceptions when we are talking about sanctions, should we suggest a similar procedure here? Where the CSPs, if they find out that they accidentally intercepted someone's communications, would be required to send an "oops" notice to the IoCC who, if the breach was grave enough, might also force them to send a similar notice to their customers? As we know, bad publicity is a much stronger incentive not to do wrong than a monetary slap on the wrist. It may just work.


However, even this last proposal overlooks the main issue with this new procedure, namely that, as a rule, the IoCC will act in response to a complaint by a user who suspects that her communications have been intercepted. We already have this right in relation to interceptions by public authorities and it has gotten us exactly nowhere. That is largely because most of us will never realise or suspect that our communications have been intercepted. It doesn't show up on our screens and, by and large, we will never find out about it unless the interceptor is very open or very stupid.

This is borne out by the figures in relation to state interceptions:

  • In 2008, the Information Tribunal received 176 complaints about suspected interception. In 2009 it was a mere 156. Now bearing in mind that this was round about the time that the Phorm story broke in the press, which may or may not have increased sensibility, it makes sense to look at the earlier figures and, lo and behold, in 2007, it was only 66, 86 in 2006, and 80 in 2005.
  • Since RIPA came into force, the Information Tribunal has upheld exactly four, yes FOUR, of these complaints. Hardly a result that has the national security services quaking in their boots.

So if the IoCC's duty to act is merely based on him receiving a complaint, then I think we can all rest assured that CSPs will not have an awful lot to fear when it comes to their murky online dealings. Commissionary legal protection in this area is not effective, it never has been. In relation to state interceptions this has nonetheless been accepted because of the need to keep interception activities of the security services secret. Whether one agrees with that approach or not, this is certainly not an argument that can or should be applied to interceptions by private entities. Individuals whose communications have - even unintentionally - been intercepted, should be made aware of this and should be given appropriate judicial relief. The IoCC, if it is him who is charged with oversight over this area, should be given full auditing powers - including dawn raid powers, if necessary - to ensure that private interceptions are detected and the legal sanctions enforced.

The confidentiality of our communications is not only an individual right, it is a public good that gives people the confidence to act freely and without fear in the online environment. We endanger it at our peril.

Wednesday, 10 November 2010

Seek and ye shall find!

Despite the fact that at the time of writing (10 November, PM)

it seems that the government has published a consultation document on changes to RIPA which became necessary after the European Commission referred the UK to the ECJ over the Phorm case.

While Matron has not yet had time to look at the document in detail, she can't help noticing that the consultation period (responses must be in by 7 December) is extremely short by anyone's standards.

Those who feel that they have something to say on the laws governing the interception of electronic communications therefore better get their skates on. Just saying...

Tuesday, 9 November 2010

Tunnel! Light! Action?

Is there any connection between the EU's Common Agricultural Policy (CAP) and data retention? You wouldn't have thought so, would you? And yet there might be.

After spending the day reading the European Court of Justice's decision in the case of Volker und Markus Schecke GbR v Land Hesse, Cases C-92/09 and C-93/09, Matron is intrigued by the pin-sized point of light that this judgement may shine on the question of how that court might deal with the question of whether the blanket retention of traffic data complies with the provisions of the European Convention on Human Rights (ECHR) and the EU's Charter of Fundamental Rights. If it ever gets to decide on that question, that is. But that is another matter entirely and for the moment lets not go there.

The ECJ decision in question relates to a reference to the ECJ from a German court, in which it was asked to consider whether EU legislation which requires the disclosure and publication on a publicly available and searchable website of the amounts awarded to farmers from CAP funds, together with their names, municipality of residence and postcode, was invalid. The applicants in the main proceedings clearly thought that it was because it enabled third parties to deduce the applicants' income of which 30-70% came from CAP funds.

The court - sort of - came down on the side of the applicants when it held that the wide-ranging publication requirement imposed by the relevant EU legislation violated their right to privacy and data protection because it was disproportionate to the EU's stated aim of increasing transparency of the use of funds in the context of the CAP. Whether this will actually help the applicants in practice remains to be seen as the ECJ did not entirely condemn the publication of that data. It merely concluded that it should be published in a more privacy friendly way that draws a distinction based on relevant criteria such as the periods during which recipients received CAP aid, the frequency of such aid or the nature and amount of aid. Which probably means that any halfway competent internet surfer will still be able to find out what amount of CAP aid an individual has received in any given period.

However, the decision is interesting for a number of other reasons:

  1. For a start, the ECJ made some very encouraging comments on the status of the Charter of Fundamental Rights both within the EU legal framework and within the framework governing the protection of fundamental rights and freedoms. This is one of the first decisions looking at questions of human rights compliance of EU legislation since the Lisbon Treaty - and with it the Charter - came into force, and the ECJ seems to use this decision to set out its stall on how it intends to apply the Charter in its interpretation of EU secondary legislation in the future. To this end, it confirms that the validity of such legislation must now be assessed in the light of the provisions of the Charter.
  2. The ECJ also confirms the Charter's premise (in Article 52) that insofar as rights guaranteed in the Charter correspond to rights contained in the ECHR, the meaning and scope of those Charter rights as well as any limitations placed on them must be interpreted in line with the corresponding rights in the ECHR. This creates a neat little connection between the Charter and the ECHR which will allow the ECJ to draw heavily upon the entire body of case law created by the European Court of Human Rights in Strasbourg (although, to an extent the ECJ has, of course, frequently referred to that case law already and the really interesting question is what will happen if the two courts disagree. But that question, too, is for another day).
  3. The ECJ confirms that a provision requiring the "general publication" of personal data on a website prima facie constitutes an interference with the applicants' right to privacy and data protection and that this interference, while "as provided by law" is disproportionate to the aim of increasing transparency that the EU seeks to achieve. The ECJ held that the EU institutions must balance the EU's interests with those of the affected individuals when adopting provisions that interfere with the rights to privacy and data protection. In particular, the decision makes it clear that the EU's objectives do not enjoy an automatic priority over the rights of the individuals and that the mere failure by the EU institutions to consider less intrusive methods of interference will lead to the invalidity of the contested provisions.

So why does this give Matron hope when it comes to data retention? Well, the situation there is actually very similar to the present case. Opponents of data retention have argued for a long time (including during the very brief legislative process that led to the adoption of the Data Retention Directive) that the blanket retention of communications data of the entire population is disproportionate to the aim of improving public and national security on the grounds that, among other things, the less intrusive means of data preservation or data freeze (where providers are required to retain traffic data relating to a specific event for a specific period of time AFTER the event) exist. Many countries are using this form of data preservation quite successfully.

And yet, that method has never been properly considered by the EU institutions as a viable alternative to the current regime, no empirical evidence has ever been collected as to why the blanket retention we now all have to live with is necessary (or even more likely than data preservation) to achieve the stated objective. On the basis of the ECJ's contention that even the mere failure to consider less intrusive means could render a provision invalid, one could clearly argue that the EU institutions' rushed adoption of Data Retention Directive should be examined in this light.

So a hundredth of a smidgen of a glimmer of hope here? Time will tell. One institution that should certainly take note is the European Commission which is still dragging its feet on the publication of its report on the current regime. Unless the member states come up with very good statistical proof that data retention actually works, it becaomes more and more difficult to see how a reasonable claim could be made that the provisions of the Directive are human rights complaint.

"Reasonable" being the operative word here, of course.

Thursday, 16 September 2010

How to dunk a cookie

Matron just spent another day reviewing the odious consultation paper on the UK implementation of the Telecoms Package, a task for which she will surely be rewarded with free access to a bunch of delectable virgins in the afterlife. Today it was all about cookies (no, not the chocolate covered ones - she wishes!) and the government’s plans on how to deal with them.

Let us recap, dear reader: a "cookie" is a small text file implanted by a website on the hard disks of visitors to the site (often without their knowledge) which collects information about the visitors, such as their names, addresses, e-mail details, passwords and user preferences. It can be set by the visited website itself or by third parties like online advertising companies. They can be used to track a user’s movement around the web and the information they collect will usually be used to serve targeted behavioural advertising to the user as s/he goes along. Although cookies provide web users with some convenience (pre-completion of online forms, recognition by online retailers), they also enable website operators to build up user-profiles without the knowledge or consent of the individuals concerned. Such profiles are immensely valuable and form part of the personal data currency with which we all pay for our access to “free” online content.

Under the current regime, users only have a right to object to the use of cookies provided they have been provided with information about the fact that they are used in the first place and on how to block/remove them. In the UK, in typical fashion (we call it pragmatism and are very proud of it), we managed to combine this laissez faire approach with our even more laissez faire rule on implied consent, so that, in practice, it works roughly like this:

1. Almost all browsers have default settings which allow cookies to be set unless the user changes those settings. Changing those settings isn't exactly difficult, but it is still a task which is beyond most people over the age of 45. Plus those who would be capable of doing this, often can't be arsed. Plus, changing the setting usually means that the user will not be able to access some web pages that require a cookie to load (this state of affairs is perfectly lawful, even the revised E-Privacy Directive permits this to happen).

2. The website owner complies with the Directive (and the national laws implementing it) by including an inocuous little provision in its privacy policy that explains what a cookie is and how it can be blocked. The policy will also usually warn the user that blocking cookies might result in a "loss of their user experience". Apart from us hardcore privacy lawyers no one actually reads privacy policies, so the normal internet user will never see this information. Which is all in a good day’s work for those who set cookies, because if we knew about this, we might actually try to change the settings. And if we all suddenly decided to block cookies, the web would come to a veritable standstill.

This point was forcefully made by Struan Robertson on Out-Law in May 2009, when he publicly requested the EU powers that be to “kill this cookie monster”. Because the European Parliament, you see, had insisted, as part of the Telecoms Package, on changing the requirement from the oh-so-convenient opt-out mechanism to an opt-in approach. And that is what came to pass – albeit with a twist, but more of that later.

Article 5(3) of the revised E-Privacy Directive now requires member states to ensure that cookies may only be set “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”. “But this will mean annoying pop-up windows galore and the end of online civilisation as we know it!” shouted the website owners. "Oh, cue the violins!", replied the European Parliament. The measure was passed, the European Parliament was happy, web users’ privacy will be properly protected and web services will go bust in their thousands.

But wait a minute! This can’t be, can it? Surely they wouldn’t allow this to happen? Of course, they wouldn’t! Because the cavalry, in the form of Recital 66 of the Citizen’s Rights Directive, is already on its way. It provides that the user's will to accept cookies "may be expressed by way of using the appropriate settings of a browser or other application". Aaah, Matron nodded sagely at the time, this is what’s going to happen: all UK website owners will re-phrase their privacy policies, stating that by NOT changing the default setting in their browser from "accept" to "reject" users will be deemed to have given their informed and voluntary consent to the setting of cookies. Implied consent rules mean that those policies will be binding on the users, who will continue to live in blissful ignorance of their existence and no one needs to be any the wiser about the use of those pesky cookies. So, when Struan and others started jumping up and down about how terrible this new law was, Matron was just a little bewildered.

However, turns out she wasn’t the only one who had an idea of how the UK government was likely to deal with this minor inconvenience. It seems a copy of the “UK Minister’s Handbook on how to handle undesirable EU laws” (Section 1: “transposition” means “copy the text of the Directive into a statutory instrument and then interpret it to within an inch of its life through codes of practice and regulatory guidance documents”) has made it all the way to Brussels. How else could one explain the pre-emptive strike that was the Article 29 Working Party’s opinion on online behavioural advertising in which it demanded strict opt-in requirements for cookies? If you want to use browser settings to get your opt-in, so the Working Party, the browser default setting must be “block all cookies”. Only then would users wanting to accept cookies be able to signal their affirmative consent. "Go away, browser owners!", it said. "Change your default settings! We’ll speak again when you’ve done that."

One would think that those were pretty clear words, but it seems they were not heard on this side of the Channel. The BIS consultation paper (and more importantly, the impact assessment) unsurprisingly does not agree with the Working Party’s position. Instead the UK government fears that any form of opt-in procedure would lead to a permanent disruption of services and to online providers potentially suffering substantial losses, both in relation to the costs they would incur in programming pop-up windows or changing browser settings, and in directly lost revenue from users choosing not to allow cookies (how dare they?). Reassuringly for website owners and online advertisers, the government quite openly admits that, in its opinion, the balance of interest between user privacy and the need to secure providers' revenue streams is quite heavily weighed in favour of the latter. As it points out, “online behavioural or interest based advertising made up roughly 50% of display advertising revenue in 2009, which was equivalent to £350 million”. Matron does not dispute that to take that sort of money out of the web may indeed cause some serious disruption and that we might have to start thinking about other ways of financing all that "free" online content.

But there is a, admittedly semi-heretic, question to be asked here: does it have to be like that? Isn’t it just a bit of a self-fulfilling prophecy to treat as widely accepted gospel the claim that “the internet as we know it today would be impossible without the use of these cookies” (BIS consultation paper, page 57)? We have witnessed unbelievable technological achievements in the last three decades. Does the industry really expect us to believe that if it were no longer allowed to use cookies, developers would not come up with a different (and hopefully more privacy-enhancing) way of generating revenue out of advertising? Of course, as long as it can get away with using cookies, business will have no incentive to finance research into an alternative. Maybe Matron is just stubborn, but sometimes this whole “privacy-is too-expensive” argument really p…es her off.

More interestingly, though, at this point, is this: how does the UK government expect to get away with this? As Matron explained above, under normal circumstances she would have expected nothing less. But surely, the fact that the Working Party has laid down the law as it sees it even before the Directive's implementation deadline runs out must change things? Even if the WP’s opinions are not binding, they are read, and largely adhered to, by national data protection authorities and the European Commission. Practicing lawyers take them into account when drafting documents and policies and, in most cases, businesses would know that they act in contravention of them at their peril.

So what is happening here? Does the government just play the long game, given that the Commission already thinks the UK in breach of several provisions of the Data Protection Directive and nothing bad has happened yet? Does it intend to buy UK businesses some time by adopting laws in full knowledge of the fact that that infraction proceedings might be issued against it (because those proceedings will take years to come to fruition)? Does it intend to sit this one out until the wind has changed?

As Matron said: remarkable chutzpah! Or maybe it's just that no one at the BIS actually read the WP opinion. After all, they have been busy lately…

Wednesday, 15 September 2010

Assessing the impact

Having spent more than three weeks trying to overcome the post-holiday blues, Matron was abruptly dragged back into the grey skies of coalition government Britain yesterday when she worked her way through the fresh-from-the-press consultation paper on "Implementing the revised EU Electronic Communications Framework". That framework (also known as the "Telecoms Package") was adopted by the EU at the end of last year after a considerable period of legal and political wrangling between the Commission, Council members, MEPs and lobbists.

Now, Matron feels a little about the Telecoms Package how she feels about reading the works of Judith Butler or Stephen Hawking. If she applies razorsharp, quasi-transcendental focus she manages - for the length of one heartbeat - to understand what it is all about. But then the kitchen door slams shut with a bang or the cats loudly demand their dinner and - whoosh - it is gone. The reason for this, she feels, is that the Packages tries to wrap up all the legal issues that are somehow expected to affect the internet now or in the near future - regulators' powers, spectrum allocation, infrastructure, network security, interoperability, universal service obligations, quality of service, net neutrality, consumer protection and online privacy, to name but a few - into one neat little parcel, thereby creating something very much like a packet of Licorice Allsorts. There's something in there for everone; but because there is also so much in there that you don't fancy, it makes you want to head for a packet of winegums instead.

Nonetheless, needs must, so yesterday afternoon, Matron banned the cats to the bedroom, closed the kitchen door as a preventative measure, and sat down to read. The consultation paper itself is only (!) a concise 74 pages long, but it is accompanied by a rather lengthy impact assessment. Now, impact assessments are funny things, written by administrators to satisfy the beancounters, and most lawyers - Matron included - tend to avoid them like the plague. However, the sections in the consultation paper that Matron was scrutinising - the bit that dealt with the changes to the E-Privacy Regulations, data security breach notifications, information requirements, the cookie wars v2.0 etc. - referred to the impact assessment rather more often than usual. So, with an audible groan Matron gave it a go. And found some truly surprising stuff.

Hidden between "E-Privacy Directive: Annex 1: Data Breach Notification" and "E-Privacy Directive: Annex 3: Cookies" one can find an innocous little document titled "Information Provisions" which, under the heading "What is the problem under consideration? Why is government intervention necessary?", addresses a completely different policy objective from those set out in the Telecoms Package.

After pointing out that "[p]olice and security services will continue, under the amended E-Privacy Directive, to be able to request information from the providers of electronic communications services in order to aid in the protection of national security and following criminal cases", it then explains that the government must take steps "to increase the investment service providers put into being able to provide this information". To this end, the government wants to require those providers to "have a procedure in place to be able to respond to request for information from the police or security services" quickly and with a minimum of fuss. It also wants to impose the duty of checking that such procedures are in place on the Information Commissioner's Office. The intended effect of the government's policy is, apparently, "to increase the availability of suitable information for use by the police and security services" so as to enable them to provide "a high level of protection to citizens".

Like many of her ilk, Matron gets very nervous when it comes to laws that facilitate the "availability of suitable information for use by the police and the security services", particularly when there is no defintion of what actually constitutes such "suitable information". As the controversies over communications data retention and interception of communications under RIPA have shown, there is something of a chasm between what those service feel might be suitable and what civil liberties campaigners as well as many ordinary people feel those service should have access to. So what is funny about this new policy is this:

1. Access by public authorities of communications data and intercepted electronic communications are already laid down in the Acquisition and Disclosure of Communications Data Code of Practice and the Interception of Communications Code of Practice. They cover in quite some detail what the service providers must do in order to assist the authorities in relation to disclosure requests. Why then does the government feel that it must use this consultation to impose even more structured requirements on providers? Did the old system not work? Do they want to cover requests for data that are not yet covered by RIPA and its codes of practice? Would this make it easier to access data held by CSPs for other purposes, say the prosecution of copyright infringement?

2. The government somehow wants to hang this one on Article 15 of the E-Privacy Directive (as revised by the Telecoms Package) which, it concludes, gives an ‘opt-out’ from the Directive's provisions that prohibit the listening, tapping, storage or other kinds of interception of communication "in cases where these methods of information gathering are a necessary, appropriate and proportionate measure within a democratic society in order to safeguard national security, defence, public security, or for the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system". Although this is a fairly true description of the law as it stands (one could argue about the use of the word "opt-out"), it is surprising that this new requirements is included in this implementation proposal because - to Matron's knowledge - there is nothing in the Telecoms Package that requires the establishment of such procedural rules or, indeed, this level of micromanagement of the ways in which CSPs must comply with their duties under RIPA.

3. Why drag the ICO into this? It's not that Matron wouldn't be grateful, if the ICO had some power to inspect and review whether the disclosure of personal data by CSPs to the police under RIPA actually complied with data protection principles and the right to privacy. As the whole Phorm debacle has shown, there are some worrying gaps in regulatory oversight between the role of the ICO and that of the Interception of Communications Commissioner. But that is not what the ICO is asked or authorised to do. Instead, it is used as an enforcement agent whose duty seems to be to ensure that the police get their data in the most efficient way. That is surely not the ICO's job and it should not have to use its already meagre resources to play fetch for the security services.

4. There is nothing - nothing at all - said about this proposal in the main consultation document. This reminds Matron - as almost everything seems to these days - of yet another "Yes Minister" episode which mischievously dwells on the civil service's habit of hiding the important documents that it doesn't want the Minister to find, er see, "at the bottom of the fifth red box". Of course, Matron knows that one should never suspect conspiracy where mere incompetence will do, and maybe the good folks at the BIS did just forget to mention their plans in the place where everyone might read about them. But page 138 of a 180-page impact assessment seems to her as good a place as any to bury a proposal that might otherwise attract some negative headlines - particularly if it is published on the same day as another proposal which condemns ISPs to pay for 25% of the cost of pursuing illegal fileshares under the much-reviled Digital Economy Act. As the government itself admits, "there will be costs associated with service providers needing to implement internal procedures to respond to information requests" although it judges these costs to be "minimal". The government's rationale for imposing such extra costs at a time when it publicly touts that it wishes to liberate industry from overburdening regulation, is that the benefits for the general public from the police having access to that information outweigh the CSPs' business interests. They must therefore increase their level of investment to be able to provide this information (again - which information is that exactly?) "to the socially optimal level".

The BIS invites responses to the consultation by 3 December with plans to submit draft statutory instruments to Parliament in April 2011. Given that the Telecoms Package must be transposed by 25 May 2011, this seems to suggest that they do not expect there to be much parliamentary resistance to their plans or that they plan to overcome that resistance pretty sharpishly. After all, the old Labour government has provided them with a blueprint on how to do just that when it rushed the DEA through the wash-up with no regard for reason or democratic decorum. This approach is, of course, made much easier by the fact that the blasted thing is so complicated that - like with DEA - most MPs will not understand it anyway and are likely to follow their Whips' directions out of a desire to protect their poor brains from intellectual overload.

But this sort of stuff IS important and at a time when the new government still pretends that it intends to clean up the Augean stable that is the previous government's civil liberties record, this is a proposal to take note off.

Is Matron just her normal paranoid self and is blowing this completely out of proportion? She would love to be convinced that that is the case. Any volunteers out there?

Thursday, 29 July 2010

A licence to print money?

My oh my, the good people that make up the Article 29 Working Party have been busy bunnies recently. Data retention, RFID, standard contractual clauses – it’s enough to give any serious privacy blogger repetitive strain injury.

Their latest offering goes by the innocent name of “Opinion on the principle of accountability” and Matron would surely have dismissed it (and hence missed it) as some sort of administrative porn had the term not cropped up recently in a number of submissions to the European Commission’s online consultation on the future of the EU data protection framework. And indeed, the opinion is designed to put ideas into the heads of those folks at the Commission who are currently trying to figure out what needs to be done to bring the existing EU data protection regime into the 21st century. Since Matron closely follows everything relating to the long-promised review of the EU Data Protection Directive, she decided to take a peek and what a revelation it has been.

Accountability, you see, describes (very inadequately, Matron feels) what could well be a completely new way of “doing” data protection. As the Working Party itself readily admits, the term has real meaning only in the English language, so heaven knows what the EU translators will make of it. But, in essence, it is the very simple idea that if you are supposed to do something, you should not only do it, but also put processes in place that ensure that you do it well and provide evidence to prove that you have done it properly and in accordance with those processes. In practice, this usually amounts to a whole lot of dead trees and I am sure that, if this blog is read by any members of the health, social services or teaching professions, they will by now sagely nod their heads.

Matron has always had a difficult relationship with the whole accountability concept, partly on account of the dead tree issue, but partly because she can’t help thinking that the time spent on recording what one has done would, in most cases, be better spent on actually doing more of it. At the very real risk of sounding like a Big Society Tory, noting on a patient file – as has happened in the case of Mrs. Matron's grandmother – that “Lily Rose is dehydrated” is not much help when there is then no one who has the time to bring her a glass of water and make sure she drinks it. But putting such petty prejudices aside for the moment let us look at what the Working Party actually has to say.

It starts with making a few salient points that we would all do well to remember even though they are, to the informed privacy wonk at least, rather obvious. Namely, that the growth of information and communication systems and the increasing capability for individuals to use and interact with technologies has changed the rules of the game for the processing of personal data. In a digital world where more and more companies hold more and more of our data and in an on-line environment where personal data has “become the de facto currency in exchange for on-line content” we have to make sure more than ever before that those who use personal data implement “real and effective internal mechanisms” to protect that data. So far, so much Matron is in agreement.

Also, data protection breaches have the potential to be much more devastating in a networked environment where – as Matron's pal Pangloss once put it – it is no use shutting the stable door once the data has bolted. And it is by no means only the data subjects who should worry. With increased penalties (both monetary and custodial) coming into force in many EU member states, data controllers should have a good enough incentive to play by the rules. And that says nothing about the potential damage to their reputation.

However, despite these threats, experience has actually shown that many data controllers pay little or no attention to data protection provisions. In fact, by and large they seem to rely on the –possibly correct - notion that the national data protection authorities are so underfunded and so overworked that the odds of them ever being caught are miniscule. Rogue data controllers are all too often able to vanish in the crowd and unless our cash-strapped governments pump vast amounts of money into enforcement activities (a likely event!), we will all have to live with the consequences.

Which is why, for example, the Information Commissioner’s Office here in the UK has long been engaged in what can only be described as a battle for the “hearts and minds” of data controllers. Publication after publication was produced intended to convince data controllers that there is some commercial or economic benefit to be had from implementing data protection rules. Their latest attempt, a document called “The Privacy Dividend”, makes this point on a seam-busting 93 pages. That’s almost as long as the iPhone Privacy Policy and that’s saying something. No matter, the CEOs aren’t buying it! Data protection costs money, and money is what we all have too little of at the moment.

So, if they won’t come by crook, maybe it is indeed time for the hook, in this case in the form of a “revised legal architecture of accountability-based mechanisms”. But what should these systems look like? Well, for a start they are supposed to consist of a two-tier system with the first tier comprising a legally binding statutory accountability requirement and the second tier including a number of additional, but voluntary accountability systems. Ignoring for the moment the point that any “voluntary” systems are likely to go the way of all St Augustine dilemmas (“make me pure, but not yet”), Matron wishes to pay particular attention to the general accountability principle which, so the Working Party, should be inserted into the revised directive as an additional principle with which data controllers have to comply. It has even proposed concrete wording for such a new Article, which Matron is happy to share with you:

Article X - Implementation of data protection principles
1. The controller shall implement appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with.
2 The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.

As the legally astute will quickly divine, the new principle has two elements: a requirement to take appropriate and effective measures to implement data protection principles and a requirement to demonstrate upon request that appropriate and effective measures have been taken (sound familiar yet?).

Although the Working Party shies away from postulating the incorporation of specific types of measures into the revised directive, it’s reticence does not go so far as to prevent it from making a number of suggestions. Among other things, it thinks that in the future data controllers should:

  • adopt internal policies and processes necessary to implement data protection principles;
  • appoint personal data protection officials;
  • map procedures to ensure proper identification of all data processing operations and maintain an inventory of data processing operations;
  • set up procedures to manage access, correction and deletion requests which should be transparent to data subjects;
  • establish an internal complaints handling mechanism;
  • set up internal procedures for the effective management and reporting of security breaches; and
  • perform privacy impact assessments.

And here is where Matron is in two minds about this noble endeavour. On the face of it, all these activities sound very useful and, indeed, if fully embraced by data controllers they would vastly improve the way in which personal data is processed in this country. This is what data controllers should be doing anyway and Matron is forever frustrated, if she comes across a company that happily goes ahead with some harebrained business scheme without giving any thought to the potentially disastrous data protection implications (in fact, in some cases, the term “harebrained” is an insult to the proud species of hare!). But the way Matron sees it, the introduction of such a principle would in no way solve what is the real problem here: the complete lack of oomph behind the enforcement actions by national data protection authorities.

Admittedly, some of this enforcement would be “outsourced” to the data controllers themselves through an additional requirement to have the effectiveness of the accountability measures verified regularly through monitoring and internal and external audits. The Working Party also, possibly correctly, claims that these requirements would strengthen the position of data protection authorities which would have the power to request evidence of compliance from the data controller. This, so the Working Party, would provide the authorities with “very relevant compliance related information”. And if such information was not forthcoming, data protection authorities would have an immediate cause of action against data controllers, independently of the alleged violation of any underlying data protection principles. All true, no doubt, BUT IT WOULDN'T GIVE THEM ANY MORE MONEY TO DO THIS VASTLY MORE DEMANDING JOB!

Also, the latter argument sticks in Matron’s craw. In fact it reminds her (yet again! Does life forever imitate art?) of a particular Yes Minister episode, where an Under-Secretary patiently explains to Hacker that a local council which failed to return its annual statistics was nevertheless highly effective (virtually all its children could read and write, even though they had a progressive education!). They just didn’t like sending bits of blue paper to Whitehall.

Maybe Matron is unfair in this instance (if so, please make coherent arguments as to why this is so in the comments section). Maybe this would turn out to be more than just a paper exercise. But, as the Working Party itself admits, compliance with an accountability requirement does not automatically ensure compliance with the actual data protection principles. And surely that is what counts? But for that to be achieved, we need people to take ownership of data protection, to realize what insufficient protection could mean for them as individuals, to close the gap between the privacy haves and have-nots.

Is this plan going to help achieve that objective? Maybe. Is it going to make a lot of lawyers a lot of money? Almost certainly. Matron, who make a living out of drafting the sort of documents companies would be required to adopt is already secretly compounding a portfolio of materials in her head that might allow her to retire to some place warm and appealing rather earlier than she had previously hoped. In fact, this almost seems to be one of the Working Party’s desired side effects when it states that the introduction of the accountability principle will “contribute to the development of legal and technical expertise in the area of implementing data protection requirements as highly knowledgeable individuals with technical and legal understanding in the field of data protection, with abilities to communicate, train staff, set up and implement policies, and audit will be indispensable in this area”. You’re not wrong there mates! Just let me get a shovel for all that dosh.

Overall, the whole approach seems to owe a lot to the concepts already tried in relation to Binding Corporate Rules (BCRs) (see here for the Working Party’s guidance on those to verify this statement). To date, the uptake of BCRs has been spectacularly slow because the immense effort and cost involved in putting them into place has meant that they were only ever economically viable for big global groups of companies. Is it really a proportionate approach to extend these sort of requirements to all data controllers in the EU? And will it win those hearts and minds or will in alienate data controllers further? Answers on a postcard, please!

Thursday, 15 July 2010

An opening salvo?

After many weeks of joyful distractions, Matron just spent a few days concentrating on the day job and, among other things, dutifully worked her way through the EU Working Party’s Report on the implementation of the Data Retention Directive. At the risk of teaching grandmothers to suck the proverbial eggs, that is the small innocuous piece of EU legislation that requires EU member states to impose an obligation on its telco providers and ISPs to retain all data relating to the telephone call made and e-mails sent by us, the Great Unwashed. Sender, addressee, time of transmission, location of transmission – you get the picture. As will the law enforcement authorities and selected others who may access that data. The full picture. Of all of us.

While the WP’s report does not include the comprehensive condemnation of the Directive that many were hoping for, it makes for interesting reading. Of course, the easy explanation for the lack of condemnation may possibly be that there was nothing to condemn as yet. According to the report, only a few member states did provide the requested information regarding the number of requests submitted to providers, the cases where the requested information was provided and those where the provider was unable to make available the requested data. Nor is data available about the time elapsed between the date on which the data were stored and the date on which the authorities requested transmission of said data. As the WP rightly points out, this lack of information makes it somewhat difficult to evaluate a) whether the prescribed retention periods are realistic and b) whether the mandatory retention of traffic data is actually necessary to combat crime and terrorism. In an ideal world both of these questions should obviously have been asked before the Directive was adopted, but when did evidence-based policy making last get in the way of a good lobbying campaign (the British DEAct debacle is a point in case)?

The fact that the questions are asked only now, when the Commission is seriously considering either revoking or at least substantially amending the Directive, may make for some amusing debates. Matron wonders in whose favour this lack of information will be interpreted. Will member states pipe up that it is far too early to even consider a revocation, given that we do not yet know, whether the sodding thing worked in the first place? Or will the Commission - as it should properly do - remind law enforcement authorities that the burden of proof of showing that retention is necessary is on them. No statistics, no further retention? That would be the day.

But while we wait for this issue to resolved, here’s a short summary of what Matron considers to be the highlights of today’s report:

1. Very interestingly, the WP interprets the DR Directive as a derogation from the general requirement on providers to erase all traffic data when it is no longer required for billing purposes. It takes this to mean that the list of data to be retained under Article 5 of the Directive is exhaustive and that member states must not require ISPs to retain any additional data categories not mentioned in the Directive. This is likely to come as a bit of a shock to those member states which, like the UK, have shown an interest in using domestic law to impose retention requirements for traffic data generated by users of social networking services and search engines. Of course, things have changed even in the UK and we live in an entirely new political environment now. But Matron seems to remember the write up of a meeting of a parliamentary committee circa 2008 where laws of that nature were demanded by a number of Tory MPs and peers. Despite the coalitions promise that it “will end the storage of internet and email records without good reason”, it all depends – as better minds than Matron’s have already pointed out – on how you define “good reason”.

2. Although, the DR Directive gives member states a choice to impose retention periods from 6 to 24 months, 78% of member states actually require the retention for 12 months or longer. The WP seems quite concerned about the discrepancies in retention periods between the different member states as this impacts on the principle whereby EU citizens “can enjoy throughout the European Union the same level of protection”. It also means that the costs to be borne by providers can differ considerably from country to country which, in turn, may affect competition. Matron is sure that this fact was pointed out to the law makers when the Directive was first adopted but, of course, she may be wrong here.

The interesting question arising from all this is this: if the WP favours a harmonised (i.e. applying in all member states), single (applying to all data categories) and shorter retention term and given that the German Constitutional Court has already quite categorically stated that it deems anything above six months to be unconstitutional under German law, is this the best indication yet that we are heading for a harmonised 6 months retention period? Not ideal, but definitely “bird-in-the-hand” material.

Scarily, the WP also found that there were some serious violations of existing laws by the provider. First, it found that in some cases data is actually stored for longer periods than those set forth in the DR directive. In some cases data was retained for as long as 36 months, and in one case the storage period was found to amount to 10 years. Secondly, the WP found that one EU member state (which was not named) actually used DR Directive to retain the content of SMS messages to which the security services were then given access. Matron can only hope that infringement procedures will be commenced against that member state forthwith.

3. It seems that the security measures taken by individual providers vary wildly with bigger providers generally found to employ higher security measures. No surprise there, given the cost of putting in place such measure, but it’s nice to see that conclusion in black and white nonetheless.

4. The extent to which, and the way in which, access is granted to law enforcement and other public authorities also seems to vary. So much so that the WP calls for inclusion of provisions in a revised Directive that would regulate the modalities of access. Among other things, it recommends that:

a) data should only be accessed by duly authorised staff

b) strong access control to the retained data should be maintained; and

c) detailed tracking of accesses and processing operations by way of log retention, via logs recording at least user identity, access time, file acceded should be carried out.

Another announcement from the Department of the Bleedin' Obvious then but - in the WP’s defence - it has always advocated that access to retained data should be addressed in the same legal instrument as retention. But on this, as on many other issues, opponents were outmanoeuvred during what is still the shortest EU legislative procedure on record. Which plays no small part in the current problems those opponents have in persuading a court – any court – to accept the Directive and its implementing laws for judicial review to establish once and for all its human rights credentials. Maybe, just maybe, the EU institutions will see sense when negotiations of the Directive are opened up once again. And maybe the porcupine flying squad will presently take off at the back of Matron’s garden.

5. We all felt it on some level of inner consciousness, but now we know for sure: the definition of what constitutes “serious crime” (for the prevention of which data may be retained) is different in each member state. Which means that different member states have taken different approaches to the purposes for which retained data may be accessed (unless, of course, you live in the UK or in Germany, both of which have dispensed with the “serious” bit altogether – albeit that Germany was told “nonononono” by its Constitutional Court. No such luck in Britain). The WP recommends that, at the very least, each member state should have an exhaustive list of crimes that it considers to be “serious” and that, at best, this list should be harmonised at European level.

6. The WP thinks that the decision of whether or not law enforcement authorities should be given access to retained data should be up to judicial authorities. It seems a reasonable demand, but, of course, it would generally exclude all those members of the executive (like ministers, police superintendents, senior officers and duty managers) that are currently persons designated to request access to traffic data under the UK Regulation of Investigatory Powers (Communications Data) Order 2010. So what are the chances of this finding its way into a revised Directive? Who knows.

Overall, Matron can't help thinking that the WP’s report reads like a giant exercise in “I told you so”. Will it be enough? Do we have the right narrative this time round? Matron isn't sure. But it’s a start. An opening salvo. Next!

Thursday, 8 July 2010

Kylie cocktails all round!

It must be National Common Sense Week. In the last two days, Matron has noted not one but two positive developments in the area of civil liberties.

Today, the Home Office came out with the surprise announcement that it would suspend the dreaded section 44 of the Terrorism Act 2000 under which police officers were able to stop anyone in a designated area without having to show reasonable suspicion. According to the Guardian, the powers were used on more than 148,798 occasions which leads Matron to believe that this includes more than it's fair share of "driving-while-black" incidents. Admittedly, the decision follows a decision by the European Court of Human Rights in January that the powers were too extensive and therefore unlawful. What is particularly heartening, however, is that the announcement was made only a day after the fifth anniversary of the London bombings, normally - Matron would expect - a trigger for the introduction of more security theatre like measures.

Not wanting to be outdone, the Supreme Court then decided yesterday that gay and lesbian asylum seekers have the right to remain in the UK, if there is a danger that they would be persecuted for their sexuality in their home countries. The Home Office has apparently accepted the ruling and has confirmed that the policy would be changed with immediat effect. Of course, the proof of the pudding will be in the eating, but such a quick and humble reaction is sure to be commended. Long may the civil liberties honeymoon of the coalition government continue.

Matron first read about this development in the Guardian, a paper she can generally read without the risk of increasing her blood pressure to dangerous levels. However, even as she read it she wondered what the Daily Mail would make of this. Today she checked and in true form the country's most cherished chip wrapper has its priorities dead right. Gays can stay, it quotes one of the judges (who surely should have known better) because "they must be free to enjoy Kylie concerts and cocktails". Nothing to do with the threat to their life and liberty in countries like Uganda and

On the other hand, Matron cannot shake off the feeling that we are paying a rather high price for these victories. With news of ever more asinine spending cuts, she fears that things in her part of the country will become very unpleasant very soon as a growing number of people experience the direct fallout of policy measures deviced by peole who have no real experience of life on the breadline. So while we still can: Kylie cocktails all round!

Monday, 5 July 2010

Pointing out the GRINDRingly obvious

Matron was happy to see that despite the England defeat, Germany’s victory against Argentina prompted much of British media to heap praise on “die Mannschaft” for the quality of their game, their organisation and their efficiency. This idea of quality, organisation and efficiency is one that Matron often encounters when talking about German virtues to her British neighbours (“German cars are the best”), handimen (“I would always only recommend a German [boiler][washing machine][shower]”) and colleagues (“I timed every stop and the train was always on time”). Surely, were we to think of an animal that best represent the national stereotype, it would have to be an ant colony.

Of course, that sort of organisation and efficiency has its downsides when put to the wrong use. Many of the atrocities against the Jews and other minorities were substantially facilitated by the well organised nature of the German authorities’ citizens archives. The totalitarian regime in the former GDR was made possible throught the giant surveillance machinery with which the Stasi controlled ever aspect of the citizens’ life. Many of the documents from the Stasi archives were shredded by the Stasi just before the Wall came down and the remains of those shredded files have been collected in thousands of black bin bags. For the last few years, the documents have been reassembled in a warehouse in Nuremberg in a painfully slow manual process that is expected to take a few more centuries unless current plans to develop a system for virtual reconstruction are successful. Such is the sheer scale of the information held by the regime.

Matron has always wondered what would have happened if both the Nazis and the Stasi had had access to modern day information and communication systems. Centralised or fully networked systems that would have allowed instant access to information to almost ever member of the regime. What would it have meant for German citizens, and what for those who dissented?

Matron – in one of the weird cross-species jumps that her mind sometimes performs - was reminded of this when she read an article in yesterday’s Observer about the rise among gay men in the use of Grindr. Grindr, for those who , like her, are hopelessly out of the popular culture loop, is a “free downloadable iPhone app” which uses GPS technology to permit its members to locate “gay, bi, curious guys for free near you!". It invites you to download its app onto your iPhone and to “upload your pic and build a profile”. After that, each time you switch on the app, up pop the pictures and profiles of any other Grindr user in your immediate vicinity. The app then lets to you chat to them or approach them in person.

Matron strongly suspects that the social encounters resulting from this groundbreaking technology will not take place over a cup of coffee (at least not in the first instance). But before coming over all Daily Mail-ish, let her assure you that it is not the corruption of sexual mores or the leading astray of impressionable young children that she is concerned with.

No, Matron’s initial as-per-usual Luddite reaction was “Are these people insane?” The privacy implications of “proximity dating” technologies like this are mind-boggling in any case. Combine that with the fact that these guys are effectively broadcasting their sexuality to the nation and this should be enough to bring anyone with a slightly above average level of paranoia out in hives.

So, before everyone lines up in an orderly queue to follow Stephen Fry over a cliff (God knows, Matron loves the guy, but his gadget obsession and his love for all things Apple make her despair sometimes), here’s a few questions, Matron would like Grindr users to ask themselves:
  1. How much do you actually know about the guys you’re about to meet? It’s a free app that requires little in terms of identity verification, least of all verification of the fact that they are actually “gay, bi, curious”. It can be used by anyone. That hot guy coming on to you? His mates could be waiting around the corner and their sole aim of using Grindr may be to kick your head in. According to the BBC, homophobic crime in London has risen by nearly a fifth in 2008/09 with gangs attacking people outside gay bars in east London on a number of occasions. In the US, which in these things - as with most new technologies - is a step ahead of us, LGBT groups have already voiced concern about an increase in “pick-up violence” targeting gay men “who use websites, chatlines and phone applications to meet other men for dates”. Of course one could argue that you take a similar risk by using other gay dating services. But at least those services do not require you to emit a rainbow coloured beeping signal to every passing thug looking for a bit of fun on a Saturday night.
  2. How long is it going to take until technology like this is used by younger people, particularly those still in school? And how much longer, again, until it becomes a tool for homophobic bullying? Cyber bullying is on the rise in the UK. A recent survey showed that 20% of Year 6 students had experienced some form of online harassment from other students. At the same time, according to Stonewall, “almost two thirds (65 per cent (75% in Faith schools)) of young lesbian, gay and bisexual people experience homophobic bullying in Britain’s schools”. Put the two together and you have a potentially explosive combination.
  3. What is Grindr going to do with your data? And who might be interested in that data in the future? Remember, you are effectively adding yourself to a giant list of gay people that is held in a database owned by someone over whom you have no control. Grindr, Matron repeats, is a free service. How does it make money? It will most likely be able to track with whom you have been chatting, thus building up a picture of your social network that it may be able to exploit commercially. It may decide to sell that information (have you read the Terms & Conditions?). Its database might be hacked. The police, security services or other public authorities may decide that they should have access to it (there are already developments under foot to force social media providers to retain, and provide public authorities with access to, certain traffic data generated by their members). It’s the sort of information, for which homophobe totalitarian governments would literally kill. Imagine how convenient this would be for a government in a place like Uganda?
Of course one could argue that the existence of an app like this is also a sign that we may finally have reached a point where gay people feel able to live openly in a society that has become more acceptable of homosexuality. It is true, homosexual acts are no longer criminalised, we have anti-discrimination laws and the straight community has at long last agreed to share their constitutional right to state-sanctioned misery with us by granting us the right to enter into civil unions (and to dissolve them pronto, as we see fit). Some of us may feel a slight feeling of unease at the thought of the ConDem Alliance, but very few seriously believe that the new coalition will try to turn back the tide on gay equality. But it ain’t all cavorting bluebirds and melting lemon drops yet, folks. We are still a long way from Emerald City. Religious fundamentalism is on the rise in Britain. Certain employers can still sack you or refuse to employ you because of your sexuality. The social stigma prevails in many communities. In the US, gay men are still not allowed to give blood. And the number of people who are too afraid to be out to their families remains far too high.

And we none of us have a chrystal ball to show us what the future brings either. Things have gotten better for so long now, that we have forgotten that there may come a time where they get worse again. It seems unlikely now but shouldn't we at least be prepared for the possibility? So this is a reminder to all gay men out there to not let yourself be ruled by your appendage to a point where it clouds your sense of caution and self-preservation. It’s a brave new world out there. Be safe, don’t be stupid!

Saturday, 26 June 2010

Notes from under a virtual stone

With the inevitability of English summer rain the footballing scenario that Matron most feared has come to pass. On Sunday, England will once more play Germany in the World Cup and for Matron this means that the time has arrived where it is prudent for members of her national persuasion to hide under a stone. Despite manifold assurances by her English chums that not everyone will be filled with feelings of hostility towards her breed (though, bless you all for saying it and keep’em coming) those of us who have lived here for a while know that this is no time to be an out and proud Kraut in these parts (and if anyone could tell Beckenbauer to shut up, that would also help).

However, while dwelling on the good fortunes (or not) of the 11 “Lions” is bound to be the water cooler moment of choice until at least Monday, the yearning to hide under a stone actually reminded Matron that this is a concept she has mentally employed for some time in another context, namely her online existence. Those of her readers who paid attention (all three of them then) will have noted that Matron blogs under a pseudonym and that her blogger profile includes exactly zero information about her real life persona. She has taken the same approach to her Twitter existence where she has so far admitted a total of two followers – both of them known to her in real life - to her otherwise strictly private account. In other word, she lurks.

Now, the question of online anonymity (or pseudonimity) is an interesting one. Does it serve a purpose or is it a hindrance to fame, fortune and lucrative consultancy contracts? Should all online activity be open, transparent and accountable or is there something to be said for reticence and inscrutability? Matron wonders and ponders and has done so for some time. While many of her academic friends have made names for themselves as bloggers and Twitter power users (and encouraged her to do likewise), she has chosen to remain shrouded in obscurity - largely out of a nagging feeling of unease about what this particular “coming out” would mean for her. So what is the problem? Well, as far as she can tell there are several:
  1. As Daniel Solove pointed out in his excellent book “The Future of Reputation”, all online information is ubiquitous and permanent. Once it’s out there, it cannot be recalled nor can access to it be properly limited. With powerful search engines and information aggregators working to their own rules and algorithms, individuals no longer have any control over the way in which information about them is presented to the inquisitive onlooker, how it is prioritised and what it will be used for. This means that there is a real risk that a false or distorted picture is painted of an individual which is then accessible to an audience of millions, and based on which others (like employers or potential dating partners) will make value judgements. We all do it, and yet, Matron asks herself, is there not a moral question in there somewhere that needs to be answered. At what point does our ability to freely access information about other people make us incapable of judging them in an unbiased fashion, particularly if someone’s online persona is not actually representative of the person that they really are. When does “googling someone” turn into a human rights violation, for example because our accumulated prejudice means we don’t grant them equal treatment? Matron can’t help thinking that until rules or social mores are established that limit the way in which and the purposes for which information available online is used, any attempt to minimise the information available about oneself online seems a sane approach.
  2. Blogging under a pseudonym creates a feeling of relative freedom. The blogger may work in a position where his or her opinions would not be well received or they may actually enjoy being someone completely different online. A pseudonym makes this possible. It also encourages playfulness. Using her pseudonym, Matron can try out ideas that she may not always be ready to discuss online under her real name yet. It allows her to have a full and frank exchange of opinion with others that often help her clarify specific issues in her mind which she then addresses in her academic writing. But what about accountability, some may ask. Shouldn’t people who sound off on things have the courage of their convictions and don’t others, when they engage in discourse with them, have a right to know who they are talking to? Matron would answer “what does it matter?”. If the discussion is on a specific topic, why is it important who the discussants are? As long as both stick to acceptable standards of human interaction, arguments can be made, examined and countered without one person necessarily knowing who the other person is. Of course, the identity of the speaker may weigh either in favour (if they are a known expert) or against (if they are a renowned crank) the argument they are making. But doesn’t this knowledge also (again) lead to bias and prejudice? Don’t we sometimes find that the best ideas come from people from whom we did not expect them? Should we not be able to examine a statement on its merits, rather have our judgement clouded because we know it was made by a particular person? But what if people hide behind their pseudonym while distributing hate speech or false or defamatory statements? Well, this is where the difference between a pseudonym and full anonymity comes into play. Matron is fully aware that if she made, say, a defamatory statement, the person so defamed would probably have a right to find out her identity from the online provider whose service she used. Matron has not made up a fake identity for this blog and she does (she thinks) support a level of online traceability rather than a right to full anonymity. The reasons for this are simple: while the bloggosphere and the Twitterverse are relatively new developments, the right to free speech (and its limitations) are established legal concepts in the offline world. There are very few offline scenarios, where speech, in order to be free, would have to be made anonymously. In most contexts, the speaker would be, if not immediately identified, then identifiable and the right to participate in public discourse is, in most cases, subject to an understanding that commonly accepted norms (whether legal or social) will be in place which enable the detection and prevention of the kind of speech that is not covered by the human right. (Advocating a traceability requirement does, of course, only work if the relevant statement is made within a liberal democratic context. Citizen journalists operating in countries with autocratic or totalitarian governments will hardly be able to do their job properly, if they are traceable.)
  3. Social media have managed to blur the distinction in the heads of many users of what is public and what is private space. As the recent furore around Facebook’s privacy settings shows, providers have created platforms that feel intimate, yet are often accessible by many more people than the individual is aware of. It seems that most users have not yet found a way to deal with the resulting confusion when sharing information about themselves and others. Twitter is a point in case. Unbeaten as a modern form of news feed cum commentary tool, many people have started to use their open tweets rather than the direct messaging function for direct communication with other users. This means that – with a few extra clicks - the “conversation” between those two users can be followed by all their followers, of whom there may be hundreds if not thousands. Are we always aware when we’re doing it? Heck, no! Do we care? Well, in some cases we may. In some cases, we probably should, particularly if we don’t at all times personally know all of our followers. Members of social networking sites also distribute far more and far more intimate information about themselves and others than they would ever be willing to share offline. At this point, we still seem to lack social norms equivalent to those in the offline realms that govern the sharing of information about each other. Matron believes that we do not yet have an internal censor that tells us that certain information “is not for the internet” or social sanctions enforced by our friends if we violate an unwritten code of online conduct (she may be wrong here and, particularly younger, people may well feel that they are well on their way to such norms. If that ewere the case, Matron would be happy to receive examples). Nor do we have a proper understanding of just how widely the information we disclose about others is being distributed or the speed with which that can be done. A pseudonym that is only known by people we know and trust ( and that is respected by them, see below) enables us to protect ourselves against the worst effects of compulsory over-sharing until the necessary social norms have developed and are properly enforced. Gossip about something that happened to “X” remains gossip about the event rather than the individual.
  4. A pseudonym provides limited protection from trolls. Of which there are many in the online world. Indeed, it seems to Matron that one of the bigger problems with the regulation and governance of online social spaces is that – despite all the attempts at netiquette - there is as yet no common understanding regarding the social norms with which individuals should comply. Things are commonly said on online discussion boards that would never be said, if the people involved were making those statements face-to-face (by the same token, we wouldn’t send a double-glazing sales man round to a friend’s house, but we give him their e-mail address for the chance to win a competition). What is the reason for that? Well, Matron would hazard a guess that the online medium removes us from the immediate vicinity of the other person. We do not have the unmediated experience of witnessing the effect our actions have on them first hand. Naturally, unqualified comments can be made even if the blogger’s real identity is unknown. But a pseudonym is at least likely to deter those who play the person rather than the ball.
A pseudonym does, of course, only work if it is effective. And herein, as they say, lies the rub. With every piece of information that Matron discloses about herself - her nationality, her gender, her profession and her whereabouts at any given time - she makes it easier for those who know her in “real” life (and any halfway talented private eye, where they to make it their business to look for her) to identify her as the person behind the blog. She expects that, over time, the anonymity that the pseudonym provides will simply melt away and with it some of its protection. However, Matron is not actually too worried that friends, colleagues and even passing acquaintances may know who she is. Many do already and include references to her pseudonym in their online conversations. What Matron – admittedly very subjectively - is concerned about is the transition of that knowledge from (wo)man to machine, that is the creation of an online link between her real name and her pseudonym which would make it possible for the search engines and information brokers mentioned above to incorporate anything she says in this blog into the profile they create for her real life identity. This will only be possible if one of the people in the know makes that connection public or if the provider of the blogging platform makes Matron’s personal information accessible for that purpose. Should either her friends or her service provider be permitted to do this? Matron thinks not. Some people like to blog openly and benefit from the reputation they build, some prefer to remain anonymous and enjoy the freedom and the feeling of safety this gives them. It’s about choice and it’s about control. It’s about what the Germans call informational self-determination. They protect in their Constitution and we over here enjoy some protection through existing data protection laws. However, what we also need is an equivalent social norm that requires each of us to respect the other’s choice. We do it offline, because there'd be hell to be pay from our friends if we didn't. By and large social pressures keep us in line. We need to work on an online version of that subtle control mechanism.

For as long as powers imbalances exist between different individuals, individuals and companies and individuals and the state, most of us will prefer to keep some information about ourselves private or within the domain of a few trusted individuals. Everybody has something to hide. Information about ourselves and others is not something with which we do, or should should, part unthinkingly. In our networked society we are now all data controllers so the responsibility falls on all of us. Within the realms of free speech, press freedom and the public interest we must begin the discussion of how to establish and enforce online social norms that respect individual's freedom to choose their own level of openness. If we don't, we may at some stage feel like the England goal keeper as he watched that ball slowly finding its way into his own goal.