Archive for the 'user data' Category

The Word: Spyvate Sector

Thursday, December 17th, 2009

Chris Soghoian’s research about law enforcement access to customer records in the United States made it to the Colbert Report:

The Word - Spyvate Sector (www.colbertnation.com)

Julie Cohen on the Changing Meaning of ‘Unauthorized Access’

Monday, June 8th, 2009

This is a really great lecture! Julie Cohen manages to touch upon almost everything I am interested in, in about half an hour.

Are “privacy pirates” Making Phorm Desperate?

Wednesday, April 29th, 2009

Decide for yourself. Via the Guardian.

What does it mean to be a privacy pirate anyway?

Strong Opinions About Google’s Behavioral Targeting

Tuesday, March 31st, 2009

Seth Finkelstein and Daniel Brandt both warn against Google’s recent move towards further profiling of Internet end-users.

Daniel Brandt makes some interesting points about the data processing that is going on, and in particular the possibility of integration of DoubleClick and AdSense data collection. Seth Finkelstein makes a great point about the cleverness of Google’s PR about its ‘surveillance as a service’:

If Google can convince people its surveillance is merely a warm and fuzzy way of helping you shop, while ISPs’ surveillance is akin to warrantless wiretapping, that gives Google an enormous advantage in collecting information to sell to advertisers

Google Rolls Out Behavioral Targeting

Thursday, March 19th, 2009

Last week, Google announced it will start to offer what it calls interest-based advertising through its network of AdSense partners and on YouTube. With the move, Google taps further into its unequaled database of end-users’ Web behavioral data, aiming to increase the economic value of the advertisement space for its AdSense partners, and using the same to monetize traffic on YouTube. The use of the database for YouTube is maybe least remarkable considering Google’s difficulty making money on the leading global video platform. Some of the features of the program are remarkable and positive from the end-user’s perspective, but it is important to acknowledge their limitations.

Relation with acquisition of DoubleClick

The move is partly a result of Google’s acquisition of DoubleClick, one of the biggest players in the field of online advertising, which has used behavioral targeting for many years. The new service seems to use some of DoubleClick’s technology, including the cookie that is used to track end-user behavior. Google has been less clear about the data collection architecture. Does the use of one cookie for tracking imply that the underlying databases of click-streams on the Google AdSense network and on DoubleClick customers have been integrated or are ready to be integrated?

Users in control

Google’s interest-based advertising service has been praised because it offers end-users access and control over their profiles and offers an opt-out. True, this is a remarkable move, as no competitor in behavioral targeting was doing this yet. Most competitors do not place as much emphasis on their relation with end-users as Google does. By putting users in control, Google strikes a new balance between the interests of advertisers and content producers on the one hand, and end-users on the other hand. It will be interesting to see if DoubleClick will make a similar move towards end-users.

Still, I am skeptical about how substantial these controls really are. First, end-users only get access to the tip of the iceberg of the technological and behavioral data-processing architecture. Consider this quote from Search Engine Land about a Q&A with Google:

[C]an an advertiser pass along a specific ad to a specific user? For example, can I show an ad for the Sony HDR-XR200V if this user added the Sony HDR-XR200V to their shopping cart on my site but did not check out? Bender said yes, but ultimately it is up to the advertiser how specific they want to get with those ads.

That means that advertisers have more control over targeting than end-users do. I would be able to access and control my interest categories, such as the category “Video Players & Recorders”. Advertisers and e-commerce sites that use the program can reach me through much more granular controls facilitated by Google. To some extent, the control and transparency are merely a façade, behind which a sophisticated data processing architecture, opaque to the end-user, is doing the real work.

Opting out - of what?

Of course, there is the option of opting out through a special cookie, and Google has designed (with the help of EFF) a browser plug-in to ensure that opt-outs are persistent for end-users that regularly delete their cookies. An opt-in model is not considered to be economically feasible. I would not be surprised if research showed that expected opt-out numbers would be around the same level as expected opt-in numbers. The large majority of end-users will simply not notice anything of the targeting based on their browsing. You can make as many videos as you want, but there is a limit to the number of people you will be able to reach if you do not force them to listen before making them subject to certain treatment.

Apart from the many shades of gray between an opt-in and an opt-out, we should ask ourselves what the offered opt-out really means. Does it mean that Google stops targeting ads based on a profile of the interests of end-users, which is derived from the navigational history of end-users? Yes, it does. Does it mean that Google will stop collecting those same click streams? No, I do not think so. These click streams will still end up in Google’s database (without a unique cookie ID). Google will still show ads, and it will still need logs for its AdSense accounting, click fraud prevention, service management and research. In addition, it’s hard to imagine opting out of Google’s immense network of services in a way that does not allow these logs to be correlated with individual end-users. In other words, the opt-out only touches the tip of the iceberg of data processing that is taking place.

A Movie About AOL User #711391

Friday, February 27th, 2009

In 2006, the AOL data release sparked the debate about search user privacy. Now two Dutch artists have made a movie inspired by the search queries of one of the users. The public broadcasting agency VPRO is funding a sequel, in which they hope to find user 711391.

EC Sends Third Unhappy Letter to UK over Phorm

Monday, February 16th, 2009

It looks like the European Commission takes the allegations that Phorm is inconsistent with communications privacy seriously.

Search Engines Testify on User Privacy

Friday, February 13th, 2009

From a press release by Microsoft, it appears that the Article 29 Data Protection Working Party held its hearings on search engine user privacy last Tuesday. Microsoft made this nice overview of the state of anonymisation. It’s good to note that de-identification is not a very meaningful concept under European data protection law. It means some kind of privacy by design but not anonymity.

ECJ Approves Legal Base Data Retention Directive

Tuesday, February 10th, 2009

Today, the European Court of Justice issued its judgment in the case Ireland v. the European Parliament and Council. The Court concludes that the Data Retention Directive (2006/24/EC) relates predominately to the functioning of the internal market, so it was necessary to adopt it on the basis of Article 95 EC Treaty.

The Court makes clear at the outset that its judgment does not concern the question whether the Directive violates fundamental rights such as the right to privacy. It bases its judgment about the appropriateness of the legal base on three arguments, each of which seems enough (for the Court) to come to that conclusion:

  • There were differences between member states in the obligations on communications providers to retain data. These differences would have a direct impact on the functioning of the internal market.
  • The Directive amends 2002/58/EC which is also based on Article 95 EC. Article 47 EU Treaty (the relative primacy of Community law over third pillar) then implies that it should have been based on Article 95.
  • The Directive limits itself to the activities of communications providers. It does not regulate access to data or the use thereof by the police or judicial authorities of the Member States.

UPDATE (COMMENTS):

It’s not too hard to comment on the ruling because I am not very impressed by its logic. Since I have already commented on some of the main arguments, which are informed by the Opinion of the Advocate General, I will restrict myself to one main point, that is, the implications of this ruling for the question whether the directive is a violation of fundamental rights.

Although it is true that the Court was not asked directly to rule on the interference of blanket data retention with fundamental rights, the Court’s complete separation of that issue from this case is striking. In fact, Slovakia directly claimed the Directive could only be a third pillar measure because the interference could only be argued to be proportional in view of the fight against crime and terrorism.

It is questionable whether such far-reaching interference may be justified on economic grounds, in this case the enhanced functioning of the internal market. The adoption of an act outside the scope of Community competence, the primary and undisguised purpose of which is the fight against crime and terrorism, would be a more appropriate solution, providing a more proportionate justification for interference with the right of individuals to protection of their privacy.

The Court decides to separate these issues. The Commission had stated that “the reference to the investigation, detection and prosecution of serious crime falls under Community law because it serves to indicate the legitimate objective of the restrictions imposed by that directive on the rights of individuals with regard to data protection.” The Court does not address this specific question explicitly but states that “the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy contained in Directive 2006/24.” Implicitly, it seems to agree with the Commission and the AG (who had adopted the Commission’s position on this matter).

If we combine this argument with the Court’s conclusion that the directive is not about access to the data, the result is striking. The references to the investigation, detection and prosecution of serious crime in the directive no longer serve as a restriction with regard to the purposes of the retained data but merely as an indication that national law can legitimately retain these data for that purpose. Hence the directive does not obligate the member states to restrict lawful access to certain cases, but it also does not obligate them to provide access in certain cases. The preliminary ruling of the German Constitutional Court is thereby legal under European law.

However, it is clear that merely giving an indication of the purpose of an interference is not enough to respect the proportionality and subsidiarity required by Article 8 ECHR. Interferences need to be narrowly targeted. Thus access to the data needs to be restricted in some manner, depending on the line that is drawn as a result of this test. The lack of access restrictions in the directive moves the burden to establish the proportionality and subsidiarity entirely to the member states. In my opinion this significantly weakens the already weak case for the proportionality and subsidiarity of the European legislature’s interference with fundamental rights through the enactment of the Directive.

A Clicking User is Satisfied

Tuesday, February 10th, 2009

This pattern suggests that the order in which Google returned the results was successful; most users found what they were looking for among the first two results and they never needed to go further down the page.

I hope that internally, they discuss this conclusion a little bit more in depth.