Monday 15 November 2010

Research is vital!

Those of Matron's readers who are citizens of academia and/or members of the Twitterati will undoubtedly be aware of the hashtag #scienceisvital and the related campaign - fought by, among others, former LibDem MP Dr. Evan Harris - that was aimed at convincing the government to "lay out a supportive strategy for UK science and engineering" by "maintaining a level of investment at least in line with economic growth".

The petition was signed by 36290 people - among them the names of many of the most eminent figures currently working in UK Higher Education - and ultimately led to science funding being treated rather more benevolently in the context of the recent comprehensive spending review (CSR) than many other areas.

A successful strategy, therefore, from which we could all learn? Certainly! And yet, despite the fact that Matron has followed the campaign with interest while it was in its most active phase, she could not bring herself to add her name to the pledge. Why is that?

The reason is that the petition, commendable as it was in its attempt to defend the science budget, focused merely on the funding for "science" in its most narrow definition, namely "the intellectual and practical activity encompassing the systematic study of the structure and behaviour of the physical and natural world through observation and experiment". Natural sciences, in other words, or "science and technology" in more modern parlance.

Indeed, the petition itself mentions as the particular areas for which funding must be preserved "energy, medicine, infrastructure and computing". Although many of the signatories came from the social sciences, arts and humanities communities, no mention was made of those disciplines in the petition and - as has become clear - they did not benefit in any way from the government's rethink in the CSR.

In Matron's opinion, the petition and the related campaign can therefore also be seen as an example of another development that was easily predictable and widely expected when news of severe cuts to the HE budget first came out: that rather than coming together and ganging up on a reluctant government in an attempt to convince it of the shortsightedness of its plans, the sector would engage in a divisive struggle in which each party would attempt to secure the biggest piece of an ever smaller cake. In this context we have seen old universities work against new universities, higher education versus further education and one discipline against the other. The only winner in this game has been the coalition government which has found it all too easy to get savage cuts to the arts and social sciences budgets through with minimum fuss while at the same time being able to point towards the science budget it (largely) maintained.

Make no mistake, science IS vital! Without it, we will not be able to overcome the challenges arising from threats like climate change and overpopulation. Its funding should be preserved and, if possible, increased.

But when asked by scientists to support the petition, Matron felt a little like she felt when, back in the early 90s, she moved to the UK from Germany as a (then more than now) politically active lesbian. Whereas in Germany, this group was politically more aligned with the feminist movement, in the UK, lesbians were part of the gay rights or queer movement. In practical terms this meant that, at the time, the political goals lesbians fought for and were expected to support included not only the fight against AIDS but also gay marriage. This was in open disregard of the fact that lesbians, with their "moving-in-on-the-second-date" kind of relationships, were in the group least likely to be infected with the HIV virus and that feminism had worked on a critique of the institution of marriage for at least the last century.

In the end, Matron became an active volunteer for an HIV/AIDS charity - not because she was directly affected but because it was the right thing to do at the time with thousands of people dying alone and without the necessary support. But she always refused to go to any length to support the call for gay marriage. In the words of the inimitable Alison Bechdel, comic artist extraordinaire and observant chronicler of lesbian life throughout the 80s, 90s and noughties, there was no way she was going to be complicit in the enshrinement of coupledom as a privileged civil status given that there were, in her view at least, better ways to achieve equal treatment for everyone (for example, by abandoning, and not re-introducing, dear Mr Cameron, all solely marriage-related state benefits).

Matron's most interesting experience during that time was a conference ca. 1994 when she was on a panel with a high profile (female) member of gay rights group Stonewall. When asked about her views on why the lesbian movement in Germany preferred to align itself with feminist heterosexual women rather than gay men, Ms. Stonewall responded that maybe the lesbian movement in Germany wasn't as far advanced yet as it was in the UK and the US. It was the simple arrogance of that statement which completely dismissed a political strategy on the basis of "backwardness" and which negated the many rational reasons its proponents may have had for choosing it, that took Matron's breath away then and that still appalls her now.

Because asking someone else to support your cause because it is the right thing to do, is one thing. Asking them to support it despite the fact that doing so may actively harm their own interests or political goals - and be that only because those interests or goals will be forgotten about or set aside while time and energy is spent on fighting for yours - is quite another.

So, coming back to the point Matron was trying to make:

Science is an important area of research that deserves our support and government funding. At the same time, as every HE researcher knows only too well, science has had a better deal in public funding compared to any other area of research for these past 10 years at least because science gets good PR and politicians up and down the country seem to feel that they can support spending money on the development of a new widget much more easily than, say, the teaching of drama, philosophy or sociology. How is any of the latter to compete with research to find a cure for cancer or Alzheimer's?

But demanding that the science budget should be maintained will almost inevitably mean that the budget of other research areas will suffer. Areas that are equally vital, like:
  • The social sciences that will ultimately have to figure out how and to what extent society will be able to absorb, integrate and adapt to the new technologies that the scientist will come up with.
  • Economics that will enable us to "follow the money" and to figure out who benefits from new research and developments and how that benefit can be distributed in a more equitable and socially beneficial fashion.
  • The arts because - as Winston Churchill is alleged to have said when asked to cut arts funding in favour of the war effort - if not for the arts, then what are we fighting for?

It is openly known in the research discipline of which Matron is a member, that over the next five to ten years at least, research funding will either have to come from Europe or from collaborative projects with members of STEM disciplines, which will allow us access to their funding pots. This will be easier for those who, like Matron and her ilk, are research active in technology law than it will be for those of her colleagues who specialise in family law or criminology or constitutional law. But that does not mean that these subjects are any less important for society or that they deserve any less support.

This is a game of divide and conquer and by singling out one area, venue or means of research over another we are playing directly into the government's hands.

So, dear scientists, Matron would love to support your petition, because she thinks it is the right thing to do. But if you ever re-open it for new signatories, would you mind changing its title?

From "Science is vital" to "Research is vital"?

Thursday 11 November 2010

A rather phormulaic proposal

Following yesterday's mini-rant on the failure to publicise this and the rather short consultation period, Matron has now had the opportunity for a more intimate heart-to-heart with the ever-so-under-the-radar Home Office proposals on changes to RIPA. The verdict: while there doesn't seem to be anything particularly offensive in there, she can't help feeling that we are once more bearing witness to the UK government trying very hard to comply with the nagging of those pesky Europeans while, really, not changing things all that much in practice.

By way of background, the changes to RIPA became necessary because the European Commission - following, among other things, a letter writing campaign by that excellent Open Rights Group - referred the UK to the European Court of Justice because it felt that it had not fully implemented rules on the confidentiality of electronic communications contained in the E-Privacy Directive (2002/58/EC). That Directive provides that member states must adopt provisions which prohibit the unlawful interception and surveillance of electronic communications unless the users concerned have given their consent. According to the Data Protection Directive, that consent must be "freely given, specific and informed". Member states must also establish appropriate sanctions where these prohibitions are infringed and independent authorities must be charged with supervising this area to prevent any unlawful interception.

As per usual, the UK has watered down these draconian requirements a little to make life easier for the folks in the interception trade. Section 1(1) RIPA only prohibits intentional interceptions - accidents do happen, don't they?; section 3(1) RIPA lets offenders off the hook if they had "reasonable grounds for believing that consent has been given" and as for establishing a proper supervising authority, well, there was that minor issue of a gap between the supervisory powers of the Information Commissioner (who doesn't do interceptions) and the Interception of Communications Commissioner - or IoCC - (who doesn't concern himself with the conduct of private entities).

All this left said private entities in the fairly comfortable and almost entirely unregulated sphere in which companies like Phorm and their ISP partners then thought that it might be a good idea secretly to analyse people's web surfing habits the better to determine their interests so that targeted advertising can be delivered to their screens. Let's face it, folks, cheap broadband doesn't pay for itself.

When the Phorm, sorry storm, broke loose, however, many of those people figured they'd rather not have every single one of their online moves recorded - albeit, according to Phorm's PR, in the most privacy-friendly way possible - and many of the CSPs had to beat a hasty retreat. Phorm itself has, for the time being, left the building, although it is still flogging its technology in other countries.

But back to the European Commission, the ECJ and the UK's urgent need to do something to avoid further costly proceedings. The consultation paper proposes, in essence, three things:
  1. The government, acknowledging that section 3(1) of RIPA does not provide the required clarity the CSPs need to determine whether or not their customers have consented to their weird schemes, wants to "remove the ambiguity" and thereby "ensure that the provision is consistent with the definition of consent" contained in the Data Protection Directive. It doesn't say exactly how it wants to do this. Whether it will simply remove the offending "reasonable grounds" passage or whether it will come up with something more roundabout is one of the things we will have to look out for when the draft legislation is published. But for the time being this does not sound too bad. However, there is a problem with the use of consent in this context and this is one of the points that Matron wants to look at in a little more detail later.
  2. The government also wants to expand the functions of the IoCC so that, in the future, he can - following a complaint by a user - investigate CSPs in cases of unlawful, unintentional interceptions. Again, this seems to address the European Commission's concerns to a certain extent, but even the work of the IoCC in his natural habitat of supervising the interception activities of public bodies is not without question, and the same issues do arise here. Of that, too, more below.
  3. Finally, the government wants to introduce a new civil monetary penalty of up to £10,000 that the IoCC can impose on anyone violating the prohibition on unintentional interceptions. He may also be given the power to issue a notice requiring the unintentional unlawful interception to cease. Any penalty or enforcement notice may be appealed to the First-tier Tribunal and the proposal includes comprehensive provisions governing such an appeals process.

So far, so business-as-usual. The procedures proposed here came pretty much straight out of the regulatory textbook and bear many a resemblance to the procedures that apply in the context of complaints to the Information Commissioner about data protection breaches. There is no reason why it shouldn't work in this context. Except...

Consent

As in all cases where consent is used in a relationship between businesses and individuals, there is actually a pretty big question mark both over the "informed" and over the "freely given" part. Informed consent should mean, at the very minimum, that she who consents to something should be aware of what she is consenting to. As we all know, in an online context this is little more than a legal fiction because UK law allows providers to hide consent provisions deep in the recesses of their privacy policies or terms of use which no one in their right mind ever reads unless they are mentally disturbed or a privacy lawyer or both.

This means that on the basis of these new rules, there is nothing stopping CSPs from including relevant implied consent provisions in their business terms, from which point forward they will no longer have to worry about their customers' consent, at least if they want to carry out interceptions for the purpose of behavioural advertising.

As many people wiser and more knowledgeable in this area than Matron have pointed out, this may still not actually allow them to intercept those communications because the consent of both participants to the communication is needed under RIPA. But if that communication concerns, for example, a user visiting a website for some online shopping, that website - as the other participant - could possibly be persuaded by the CSP to agree to the monitoring of that traffic in return for a small cut of the advertising revenue thus created. Stranger things have happened at sea and there are probably no limits to the length to which most online businesses would go when developing new monetisation strategies.

But coming back to the user who is, normally, the CSP's customer. Will this user have the right not to consent to the interception of her communications by her CSP without losing the ability to use the CSP's service? Online business terms are usually take-it-or-leave-it, my-way-or-the-highway kinda terms. CSPs may well be of the opinion that targeted advertising, which is after all used to co-finance cheap broadband access, is a necessary revenue stream in a competitive environment and that any user who doesn't play ball is free to find another provider. The problem is that, if all CSPs think that way, there will be no other provider to go to. And what then?

For this sort of thing we have two analogies in the law which we may want to draw upon. The first is the way in which the law deals with cookies. Now as we all know, there is some change coming in this area, but the one thing that remains unchanged is the fact that website operators that wish to use cookies can prevent users who refuse them from accessing certain parts of their website. CSPs could therefore argue that it should be the same in the case of targeted advertising and the related interceptions of users' communications. Is that justifiable, though?

The other analogy is employment law, where the use of consent is very limited because it is widely accepted that in an employer-employee relationship it will rarely be freely given.

If, therefore, as a stubborn user who does not want to have her communications intercepted, Matron would, in practice, no longer be able to find an ISP that will have her, she would possibly no longer be able to access the internet. However, as Matron and many others of her persuasion have long argued, by now the internet is such an important part of everyone's life - it facilitates not only economic and social activities but also education and political participation - that to be without internet access is tantamount to the violation of a human right.

Now, some readers might think that this is a bit of an exaggeration, and maybe it is, but if "choice", that famous holy grail of the free marketeers, comes down to a choice between one ISP who will intercept your communications and another who will do the same, is that not a clear case of market failure? And shouldn't the government anticipate this situation and do something about it, now that it has the chance?

Sanctions

The government did apparently consider introducing criminal sanctions rather than a civil penalty, but it decided against it in the end because it feared that the enforcement of such sanctions would be impractical and impose undue strain on the UK's police forces.

As a card carrying, bleeding-heart liberal, Matron is no great friend of potentially increasing the country's prison population for non-violent offences (although, as a practicing lawyer, it has been her experience that the threat of criminal sanctions tends to focus the CEO's mind) and for that reason she will not criticise the government for shying away from this step.

However, realistically, the penalty of "up to £10,000" is unlikely to be a major deterrent for CSPs as this is the sort of amount that many companies view as beer money. Unfortunately, one of the viable alternatives - giving the user whose communications have been intercepted a right to claim damages - already doesn't work in the area of data protection because in the absence of punitive damages it is actually terribly difficult to prove financial loss in these circumstances.

Which makes Matron think that maybe something along the lines of the recently introduced data security breach notification system should be put in place instead. That system, for those who do not know, requires providers of electronic communications services to notify any breach of data security to the Information Commissioner and, if the Commissioner thinks that this is appropriate, to the affected data subjects.

As we are largely talking about unintentional interceptions when we are talking about sanctions, should we suggest a similar procedure here? Where the CSPs, if they find out that they accidentally intercepted someone's communications, would be required to send an "oops" notice to the IoCC who, if the breach was grave enough, might also force them to send a similar notice to their customers? As we know, bad publicity is a much stronger incentive not to do wrong than a monetary slap on the wrist. It may just work.

Complaints

However, even this last proposal overlooks the main issue with this new procedure, namely that, as a rule, the IoCC will act in response to a complaint by a user who suspects that her communications have been intercepted. We already have this right in relation to interceptions by public authorities and it has gotten us exactly nowhere. That is largely because most of us will never realise or suspect that our communications have been intercepted. It doesn't show up on our screens and, by and large, we will never find out about it unless the interceptor is very open or very stupid.

This is borne out by the figures in relation to state interceptions:

  • In 2008, the Information Tribunal received 176 complaints about suspected interception. In 2009 it was a mere 156. Now bearing in mind that this was round about the time that the Phorm story broke in the press, which may or may not have increased sensibility, it makes sense to look at the earlier figures and, lo and behold, in 2007, it was only 66, 86 in 2006, and 80 in 2005.
  • Since RIPA came into force, the Information Tribunal has upheld exactly four, yes FOUR, of these complaints. Hardly a result that has the national security services quaking in their boots.

So if the IoCC's duty to act is merely based on him receiving a complaint, then I think we can all rest assured that CSPs will not have an awful lot to fear when it comes to their murky online dealings. Commissionary legal protection in this area is not effective, it never has been. In relation to state interceptions this has nonetheless been accepted because of the need to keep interception activities of the security services secret. Whether one agrees with that approach or not, this is certainly not an argument that can or should be applied to interceptions by private entities. Individuals whose communications have - even unintentionally - been intercepted, should be made aware of this and should be given appropriate judicial relief. The IoCC, if it is him who is charged with oversight over this area, should be given full auditing powers - including dawn raid powers, if necessary - to ensure that private interceptions are detected and the legal sanctions enforced.

The confidentiality of our communications is not only an individual right, it is a public good that gives people the confidence to act freely and without fear in the online environment. We endanger it at our peril.

Wednesday 10 November 2010

Seek and ye shall find!

Despite the fact that at the time of writing (10 November, PM)

it seems that the government has published a consultation document on changes to RIPA which became necessary after the European Commission referred the UK to the ECJ over the Phorm case.

While Matron has not yet had time to look at the document in detail, she can't help noticing that the consultation period (responses must be in by 7 December) is extremely short by anyone's standards.

Those who feel that they have something to say on the laws governing the interception of electronic communications therefore better get their skates on. Just saying...

Tuesday 9 November 2010

Tunnel! Light! Action?

Is there any connection between the EU's Common Agricultural Policy (CAP) and data retention? You wouldn't have thought so, would you? And yet there might be.

After spending the day reading the European Court of Justice's decision in the case of Volker und Markus Schecke GbR v Land Hesse, Cases C-92/09 and C-93/09, Matron is intrigued by the pin-sized point of light that this judgement may shine on the question of how that court might deal with the question of whether the blanket retention of traffic data complies with the provisions of the European Convention on Human Rights (ECHR) and the EU's Charter of Fundamental Rights. If it ever gets to decide on that question, that is. But that is another matter entirely and for the moment let's not go there.

The ECJ decision in question relates to a reference to the ECJ from a German court, in which it was asked to consider whether EU legislation which requires the disclosure and publication on a publicly available and searchable website of the amounts awarded to farmers from CAP funds, together with their names, municipality of residence and postcode, was invalid. The applicants in the main proceedings clearly thought that it was because it enabled third parties to deduce the applicants' income of which 30-70% came from CAP funds.

The court - sort of - came down on the side of the applicants when it held that the wide-ranging publication requirement imposed by the relevant EU legislation violated their right to privacy and data protection because it was disproportionate to the EU's stated aim of increasing transparency of the use of funds in the context of the CAP. Whether this will actually help the applicants in practice remains to be seen as the ECJ did not entirely condemn the publication of that data. It merely concluded that it should be published in a more privacy friendly way that draws a distinction based on relevant criteria such as the periods during which recipients received CAP aid, the frequency of such aid or the nature and amount of aid. Which probably means that any halfway competent internet surfer will still be able to find out what amount of CAP aid an individual has received in any given period.

However, the decision is interesting for a number of other reasons:

  1. For a start, the ECJ made some very encouraging comments on the status of the Charter of Fundamental Rights both within the EU legal framework and within the framework governing the protection of fundamental rights and freedoms. This is one of the first decisions looking at questions of human rights compliance of EU legislation since the Lisbon Treaty - and with it the Charter - came into force, and the ECJ seems to use this decision to set out its stall on how it intends to apply the Charter in its interpretation of EU secondary legislation in the future. To this end, it confirms that the validity of such legislation must now be assessed in the light of the provisions of the Charter.
  2. The ECJ also confirms the Charter's premise (in Article 52) that insofar as rights guaranteed in the Charter correspond to rights contained in the ECHR, the meaning and scope of those Charter rights as well as any limitations placed on them must be interpreted in line with the corresponding rights in the ECHR. This creates a neat little connection between the Charter and the ECHR which will allow the ECJ to draw heavily upon the entire body of case law created by the European Court of Human Rights in Strasbourg (although, to an extent the ECJ has, of course, frequently referred to that case law already and the really interesting question is what will happen if the two courts disagree. But that question, too, is for another day).
  3. The ECJ confirms that a provision requiring the "general publication" of personal data on a website prima facie constitutes an interference with the applicants' right to privacy and data protection and that this interference, while "as provided by law" is disproportionate to the aim of increasing transparency that the EU seeks to achieve. The ECJ held that the EU institutions must balance the EU's interests with those of the affected individuals when adopting provisions that interfere with the rights to privacy and data protection. In particular, the decision makes it clear that the EU's objectives do not enjoy an automatic priority over the rights of the individuals and that the mere failure by the EU institutions to consider less intrusive methods of interference will lead to the invalidity of the contested provisions.

So why does this give Matron hope when it comes to data retention? Well, the situation there is actually very similar to the present case. Opponents of data retention have argued for a long time (including during the very brief legislative process that led to the adoption of the Data Retention Directive) that the blanket retention of communications data of the entire population is disproportionate to the aim of improving public and national security on the grounds that, among other things, the less intrusive means of data preservation or data freeze (where providers are required to retain traffic data relating to a specific event for a specific period of time AFTER the event) exist. Many countries are using this form of data preservation quite successfully.

And yet, that method has never been properly considered by the EU institutions as a viable alternative to the current regime, no empirical evidence has ever been collected as to why the blanket retention we now all have to live with is necessary (or even more likely than data preservation) to achieve the stated objective. On the basis of the ECJ's contention that even the mere failure to consider less intrusive means could render a provision invalid, one could clearly argue that the EU institutions' rushed adoption of the Data Retention Directive should be examined in this light.

So a hundredth of a smidgen of a glimmer of hope here? Time will tell. One institution that should certainly take note is the European Commission which is still dragging its feet on the publication of its report on the current regime. Unless the member states come up with very good statistical proof that data retention actually works, it becomes more and more difficult to see how a reasonable claim could be made that the provisions of the Directive are human rights compliant.

"Reasonable" being the operative word here, of course.