Joris van Hoboken

Last Monday, I visited the grand opening of the EIPSI in Eindhoven. They pulled together a remarkable list of speakers, including Whitfield Diffie and Bruce Schneier to celebrate the new center.

I first ran into the work of Whitfield Diffie when I was still studying mathematics. He did not speak about mathematics as much. Instead he focused on the practices of communications intelligence gathering, shortly SIGINT. He pointed to a few new trends, including actively seeking access (such as (online) IT system searches), and outsourcing (such as the NSA’s letting telcos solve the problem of accessing communications for them).

Bruce Schneier had a behavorial economics model for security, which was both enlightening and entertaining. He has been writing extensively about his ideas and is a much better communicator than me so I won’t try to summarize.

Ian Brown of the Oxford Internet Institute was there to talk about politics and privacy engineering. His presentation gave a terrific outline of recent developments in the UK. One of the central points he made about new initiatives for large scale IT system with a personal data component was that they did not solve the problem that they were supposed to solve.

Yesterday I finished the Russian dystopian classic We (Мы) by Yevgeny Zamyatin. It is an excellent book. I enjoyed it more than 1984 or Brave New World. I didn’t know about the book until recently, so I thought it wouldn’t hurt to promote it here.

An excerpt from the translation by Mirra Ginsburg:

“There are clay ideas, and there are ideas forever carved of gold or of our precious glass. And, in order to determine the material of which an idea is made, it is enough to pour upon it a single drop of strong acid. One of these acids was known to the ancients too: reductio ad finem. I believe this is what they called it. But they were afraid of this poison, they preferred to see even a day heaven, even a toy heaven, rather than blue nothing. But we, thanks to the Benefactor, are adults, we need no toys.

Well, then, suppose a drop of acid is applied to the idea of “rights.” Even among the ancients, the most mature among them knew that the source of right is might, that right is a function of power. And so, we have the scales: on one side, a grain, on the other a ton; on one side “I,” on the other “We,” the One State. Is it not dear, then, that to assume that the “I” can have some “rights” in relation to the State is exactly like assuming that a gram can balance the scale against the ton? Hence, the division: rights to the ton, duties to the gram. And the natural path from nonentity to greatness is to forget that you are a gram and feel yourself instead a millionth of a ton.“

This is a great documentary about shopping malls in Germany. It is made by Harun Farocki and I have taken it from http://www.ubu.com directly.

Emmanuel Asmar, a French lawyer, in a series of cases for its clients, has demonstrated that the French legal regime for online publishers that automatically include third party content is unworkable. See here, here, here and here.

The Dutch Minister of Justice has sent a letter with its policy framework for law enforcement in the context of Cybercrime to the Dutch Parliament. The framework consists of 5 pillars: public-private co-operation with regard to prevention of cybercrime(1), more and different deployment of police and justice authorities (2), strengthening of international co-operation (3), bringing up to date of legal instruments, and acknowledgement and signaling of developments.

I do hope the Dutch Parliament will seriously discuss this framework, because it is flawed on a number of points.

Of course, one of the pillars should be the respect for constitutional safeguards such as due process, freedom of expression and information and privacy. The framework does not take these issues serious enough. In fact it often ignores them or clearly advocates a reconsideration of their merits. A few examples:

1. The letter promotes filtering by internet service providers. It specifically declares the filtering of child pornography by ISP/Cable operator UPC a success. This is rather awkward. The effectiveness is currently being investigated by academic researchers. But more importantly, last week, a leading Dutch national newsshow showed that UPC does not block a range of horrible child pornography websites and it does block websites hosted by a Dutch provider. This provider should be easy to reach for the same police department (KLPD) that put the website on the list used by UPC. But it is worse. On top of that that the Dutch police declared in an email to LeaseWeb, the hosting provider of that particular site on the filtering list, that there was not enough evidence that the blocked site was unlawful.

In my opinion, the proposed public-private co-operation clearly introduces the wrong incentives. Instead of fixing the issue, the Justice department talks to all providers to make them do the same as UPC. Hopefully KPN and XS4All will stick to their demands that for any filtering to take place there has to be (1) judicial oversight over the list, (2) the content has to be outside the reach of Dutch law enforcement, and it has to be (3) restricted to child pornography.

2. With regard to the ‘balance between security and privacy‘, the report is rather vague, but it calls for a reconsideration of this balance nonetheless, or better to say an evaluation of the merits of a right to respect for private life in a society that is seen to be under constant and severe attack. Currently a commission is doing this analysis. Their assignment wasn’t very promising and I am not so sure that the results will be very balanced. Another official report that warned the government for being biased and disregardful of privacy and related issues has been professionally wiped off the table.

3. It completely ignores a recommendation adopted a few weeks ago by the Council of Europe’s Committee of Ministers. The recommendation deals with “measures to promote the respect for freedom of expression and information with regard to Internet filters”. The recommendation and the underlying report acknowledge the ways in which Internet filters can impact on freedom of expression and information and stipulate the requirements of Article 10 ECHR in this context. The recommendation calls upon the Member States to take measures with regard to Internet filters in line with a set of guidelines promoting user notification, awareness, and control of Internet filters and accountability of the private and public parties involved. The Dutch government should coordinate, because this filtering recommendation is rather relevant and could provide soem useful and hard needed guidance.

4. Its discussion of Notice and Takedown (NTD) is Kafkaesque. It first defines NTD as a voluntary act of making inaccessible by an internet service provider, at the request of a third party. It concludes that this type of self-regulation is favourable over coercion by the State. I would argue that penal law is all about state coercion and rightfully so. In case of Child pornography, who wouldn’t like to see the government take responsibility and act independently of other ’stakeholders’, if possible. So a bit further, the letter states that if necessary, the public prosecutor can issue an NTD-order on the basis of Article 54a of the Dutch Penal Code. This provision vaguely implements the criminal liability exceptions for intermediaries, an implementation of the horizontal safe harbours in Article 12-14 of the Directive on Electronic Commerce. Article 54a provides that an online intermediary such as a hosting provider is not liable if he takes down or prevents access to illegal content at the request of a public prosecutor, with judicial oversight. So why not use this privision? Because “this provision is not obviously an easy and quickly applicable way to realize the removal of undesirable (sic!) or illegal material. Also a legal analysis of the University of Tilburg points to bottlnecks. The researchers are of the opinion that there are questions about the legal basis of a NTD order.” (By the way, I cannot find that research report.) Summarizing, the justice department would rather see no coercive government involvement with regard to the Internet and illegal material. For as much as it has to, it would rather make it seem that the State is like any other private party pointing to illegal and UNDESIRABLE material that should be taken down, without any special applicable safeguards. It does not use its current powers so much because they are not easy and quick enough. It would rather put websites on a black list and have them filtered, than send a legal requests to (Dutch) hosting providers of publishers of illegal material.

Google has announced that it starts crawling HTML forms on webpages. The move has stirred up debate over the permissibility of the Googlebot moving into the deep Web. I can imagine some webmasters will have to update their bot instructions and some might be angry because of the extra work. The question about the legal status of the robots.txt and related instructions is more complex. Robots.txt is in some way replicating the so called ‘practical obscurity’ of public paper records. They do remain public though.

The Phorm debate in the UK has moved to another phase, now that it turned out the system was being tested on ten thousands of BT customers.

Richard Clayton has an extensive  technical report on the Phorm system.

As I wrote yesterday, the Article 29 Working Party has adopted an opinion on privacy, data protection and search engines. The opinion deals with a lot of issues, many of which have been publicly discussed in the last year. The first conclusion of the Working Party is that: “The Data Protection Directive (95/46/EC) generally applies to the processing of personal data by search engines, even when their headquarters are outside of the EEA.” The Working Party dismisses the claim that the Data Retention Directive could be an excuse for retaining search logs. This directive does not apply to providers of search services.

The opinion calls upon search engines to clarify the activities of their establishments in EU Member States in light of provisions with regard to jurisdiction of Member States over personal data processing (Article 4 of the Directive). Search engines have been particularly hesitant to admit such jurisdiction of European States. Instead, market leader Google has called for the development of global privacy standards and favours self-regulation, such as proposed by the FTC in December 2007.

Another conclusion relates to the retention periods of search engine logs. The Working Party concludes that they should be minimized to 6 months, which would amount to a significant reduction: “Retention periods should be minimised and be proportionate to each purpose put forward by search engine providers. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months.” The opinion also contains an extensive list of data typically processed by search engines in Annex I.

The above mostly relates to data protection and search logs, which the opinion refers to as ‘user privacy’. With regard to the privacy of the possible targets of a search and the issue of personal data in search results and a search engine’s cache the opinion comes to the following conclusion: “In their second role, as providers of content data (such as the data in the index), generally they are not to be held as primarily responsible under European data protection law for the personal data they process. Exceptions are the availability of a long-term ‘cache’ and value added operations on personal data (such as search engines aimed at building profiles of natural persons). When providing such services, search engines are to be held fully responsible under the Data Protection Directive and must comply with all relevant provisions.”

An issue which has been debated extensively already is whether or not ip-addresses should be considered personal data. Most of the confusion in the discussion seems to be a result of the transatlantic differences in what is personal data (for a short overview see here). In the United States there is a U.S. debate about what is personally identifiable information. In the EU, the question from a legal point of view is mainly whether a piece of information falls within the broad definition of personal data in the Data Protection Directive. The Article 29 Working Party issued an extensive opinion on the concept of personal data. Most of the discussion about whether or not ip addresses are personal data in the sense of the Data Protection Directive is a repetition on earlier discussions of the concept of personal data, such as the discussions about number plates and telephone numbers. Regardless of the merits of some of the arguments in this debate, the discussion on ip addresses will probably continue for a while. Google’s Peter Fleischer is correct in pointing out that there are a few important recent rulings in France on this issue, that at least do not follow the line of the French Data Protection Authority CNIL. One of the problems of these rulings is that they make the question about certain information being personal data depend on the holder of such data, the result of which seems predictable for data protection compliance and problematic from the point of view of access to personal data for law enforcement and national security purposes (the invisible handshake).

In the debate about ip addresses and personal data in the context of search logs, there is one element which deserves more attention. That is the fact that search engines usually log (much) more then ip addresses, for instance unique cookie data and date and time as well. The fact that they place a unique cookie on the computer of a user, and store search sessions over long periods of time are contextual elements that deserve to be taken into account.

(Disclaimer: I should note that I have advised the Dutch Data Protection Authority on its input for the Article 29 Working Party (a past commitment, which ended months ago). My writings on this blog are my personal contribution to the debate on search engine privacy and do not reflect in any way the points of view of the Dutch Data Protection Authority, or the Institute for Information Law, where I conduct my PhD research on Search engine regulation.)

Researchers of Nijmegen University have found a leak in the Dutch biometric passport. When targeted the passports can be physically localized and talk back in Dutch as well, thereby revealing the nationality of their owners. Via nu.nl (in Dutch)

The Article 29 Working Party has adopted its opinion on privacy, data protection and search engines. (The Dutch Data Protection Authority has published it on its website.)