About search engines, digital civil rights and more
In 2006, the AOL data release sparked the debate about search user privacy. Now two Dutch artists have made a movie inspired by the search queries of one of the users. The public broadcasting agency VPRO is funding a sequel, in which they hope to find user 711391.
You are about to access a Department of Homeland Security computer system. This computer system and data therein are property of the U.S. Government and provided for official U.S. Government information and use. There is no expectation of privacy when you use this computer system.
Opening lines of pop up from ESTA.
And yeah sure, it’s all great 
It looks like the European Commission takes the allegations that Phorm is inconststent with communications privacy seriously.
Interview in French here.
The Uk Government finished its consultation on P2P Filesharing and appropriate responses. I was struck by a quote of Audible Magic, a controversial p2p monitoring and filtering technology company. About the accuracy of its tracking technology it states:
Audible Magic’s technology has a 99% positive identification rate and zero false positives. This means that better than 99 % of actual copyrighted content is identified correctly as copyrighted content. With zero false positives, unknown content is not identified as copyrighted content when it is not.
With actual copyright protected content, Audible Magic means the set of content of its clients. It’s definition of a false positive is content that is not part of that set, but identified as such. In other words, the rights holders industry, not copyright owners are protected in this model. (I make music myself, which is copyright protected and shared freely on the Web) In Audible Magic’s world, copyright protected works are works that come from a certain source. (This excludes me and many others.) No limitations, exceptions or fair use apply. In fact that does make it a lot easier to come up with a technological solution to draw the line between legitimate and illegitimate filesharing.
From a press release by Microsoft, it appears that the Article 29 Data Protection Working Party held its hearings on search engine user privacy last Tuesday. Microsoft made this nice overview of the state of anonymisation. It’s good to note that de-identification is not a very meaningful concept under European data protection law. It means some kind of privacy by design but not anonymity.
Yes, the term extension is moving forward… The JURI Committee approved the term extension today (and extended its scope it seems). From its report:
“The extended term would also benefit the record producers.”
The Open Rights Group is trying to bring some sense into the discussion:
Today, the European Court of Justice issued its judgment in the case Ireland v. the European Parliament and Council. The Court concludes that the Data Retention Directive (2006/24/EC) relates predominately to the functioning of the internal market, so it was necessary to adopt it on the basis of Article 95 EC Treaty.
The Court makes clear at the outset that its judgment concerns not the question whether the Directive violates fundamental rights such as the right to privacy. It bases its judgment about the appropriateness of the legal base on three arguments, each of which seems enough (for the Court) to come to that conclusion:
UPDATE (COMMENTS):
It’s not too hard to comment on the ruling because I am not very impressed by its logic. Since I have already commented on some of the main arguments, which are informed by the Opinion of the Advocate General, I will restrict myself to one main point, that is the implications of this ruling for the question whether the directive is a violation of fundamental rights.
Although it is true that the Court was not asked directly to rule on the interference of blanket data retention with fundamental rights, the Court’s complete separation of that issue from this case is striking. In fact, Slovakia directly claimed the Directive could only be a third pillar measure because the interference could only be argued to be proportional in view of the fight against crime and terrorism.
It is questionable whether such far-reaching interference may be justified on economic grounds, in this case the enhanced functioning of the internal market. The adoption of an act outside the scope of Community competence, the primary and undisguised purpose of which is the fight against crime and terrorism, would be a more appropriate solution, providing a more proportionate justification for interference with the right of individuals to protection of their privacy.
The Court decides to separate these issues. The Commission had stated that “the reference to the investigation, detection and prosecution of serious crime falls under Community law because it serves to indicate the legitimate objective of the restrictions imposed by that directive on the rights of individuals with regard to data protection.” The Court does not address this specific question explicitly but states that “the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy contained in Directive 2006/24.” Implicitly, it seems to agree with the Commission and the AG (who had adopted the Commission’s position on this matter).
If we combine this argument with the Court’s conclusion that the directive is not about access to the data, the result is striking. The references to the investigation, detection and prosecution of serious crime in the directive no longer serves as a restriction with regard to the purposes of the retained data but merely as an indication that national law can legitimately retain these data for that purpose. Hence the directive does not obligate the member states to restrict lawful access to certain cases, but it also does not obligate them to provide access in certain cases. The preliminary ruling of the German Constitutional Court is thereby legal under European law.
However, it is clear that merely giving an indication of the purpose of an interference is not enough to respect the proportionality and subsidiarity required by Article 8 ECHR. Interferences need to be narrowly targeted. Thus access to the data need to be restricted in some manner, depending on the line that is drawn as a result of this test. The lack of access restrictions in the directive moves the burden to establish the proportionality and subsidiarity entirely to the member states. In my opinion this significantly weakens the already weak case for the proportionality and subsidiarity of the European legislature’s interference with fundamental rights through the enactment of the Directive.
Daniel Solove explains how criminal justice not only ends up punishing the innocent but can end up punishing them more harshly than the guilty (if they refuse to confess).
“This pattern suggests that the order in which Google returned the results was successful; most users found what they were looking for among the first two results and they never needed to go further down the page.”
I hope that internally, they discuss this conclusion a little bit more in depth.