Matron

Of mice and elephants

2011-08-10T15:55:00.002+01:00

As those who know her may have noticed, Matron has been severely overworked and underplayed for the last six months. So much so, that she was beginning to wonder herself what on Earth would have to happen to make her blog again. Having blissfully ignored all manner of exciting and infuriating developments ranging from Hacking enquiries to calls for the re-introduction of capital punishment (it turns out that all that needs to said about these, can be said on Twitter - although that may, in the end, apply to everything, really), the rioting on UK streets proves to be the straw the breaks the camel's writer's block or some such thing.

Because a lot has been written on this by all and sundry already (most interestingly Michael White in the Guardian on the blame games that have now commenced, David Allen Green in his New Statesman blog on the need to keep the riots in proportion and the entertaining comments of bloggers everywhere on Boris Johnson's - of all people - suggestion that the riots are to blame on an excessive sense of entitlement) Matron will try (most likely unsuccessfully) to keep it to a brief soul searching operation. Two thoughts strike her in the midst of all this.

First, the description of the tactics employed by rioters in their endeavours to redistribute private property and the tactics of the police used to prevent such redistribution puts her in mind of the "mice and elephants" analogy Swine made when he described the changes the internet underwent over the last 15 years. Swine said that in the olden days, the internet, and access to it, was controlled by a few big players which were easy to regulate and could act as gatekeepers. They were, to all intends and purposes, elephants, slow moving and relying on their size. However, in the current era of social media and user generated content, internet users and the platforms that allow them to interact with each other, are like mice. The can pop up and under at a moment's notice, react quickly to events and dissipate when they are threatened.

To matron, this model seems to apply both to the way rioters used social media to organise themselves these past few days and to the actual way in which they operated on the streets. Reports from Manchester describe the way in which groups of young people (Matron really, really loathes the word "youths") played a game of cat and mouse with the police in that they broke the window of one particular shop, scarpered when the police arrived on that site, then created a distraction at another location and quietly returned to the site of the original offence to clear out the shop while the police were patrolling the second site. They may be disaffected, but they ain't stupid.

Which brings us to the question of what can be done in these cases and whether anything can be done, really. At which point Matron is getting very impatient with all the politicians' posturing about criminality v protest, strong enforcement and/or the moral vacuum that prevails in this country. Because, all discussions of morality aside, what these event show most clearly is that no state other than a completely authoritarian or totalitarian one, can control all parts of its population against its wishes for long. We can put 16,000 elephants on the streets of London for a time but this will become unsustainable eventually at which point cries for more efficient - and by their nature more oppressive - measures will be aired (and yes, Matron knows, those calls are being made already, but she chooses to ignore things like this YouGov poll - particularly the bit about using live ammunition - for the time being, for her own sanity).

All of which means that those of us who do not want to live in a police state where security forces are given ever increasing powers that they will then have the right - lets not forget that for a moment - to use on the rest of us, really have no alternative to at least trying to understand the underlying reasons for why this situation could get out of hand so badly so quickly. If we do not want to counter force with sheer force (like deploying the army in domestic conflict, which for someone like Matron who comes from a country where there is still a constitutional ban on that type of thing - for good historical reasons) or submit to a level of surveillance - online and offline - never before encountered in a free society, what else can we do?

The second thought that occurred to Matron as she was sitting on a train from all-quiet-now London to just-about-to-kick-off Manchester last night, was that, like it or not, it really does make a difference if it happens close to you or to your own. Like in 1999, when the activities of nail bomber David Copeland really only hit home when he targeted the Admiral Duncan pub in gay Soho. Like in July 2005 when the much publicised photo of a destroyed number 26 London bus was the most disturbing of all images because this was the line that Matron had taken to get home for more than four years.

So when watching the reports on the London riots on TV on Monday night or listening to the updates fellow-travellers got from friends and family in Manchester on the train last night, it was the events in Mare Street in Hackney, which is close to were she had lived way back when, and the news of the destruction of the Manchester shops she frequents now, that touched her most.

So, eat your liberal heart out, she is as shocked as the next person about what happened. Which is why - like many another bleeding-heart Guardian reader - she currently starts her sentences with the prefix "this is not an excuse, but may explain things". Because in all honesty, there can be no excuse for the gangs of rampaging bullies she and Mrs Matron passed on their way home last night. And bullies they are, no matter how you look at it.

But - as has been explained to Matron patiently on many occasions by said Missus (who holds a PGCE no less and is experienced in all matters pedagogical) - most bullies have been bullied themselves. And therein, as they say, lies the rub.

When the UK map of child poverty was posted a while back, Matron found to her entertainment (but not surprise) that three of the four places of residence she ever held in the UK (Toxteth in Liverpool, Hackney in London and Cheetham Hill in Manchester) were in areas where more than 50% of children come from low income families. In fact the figures were closer to 75% in all cases, but ">50%" was the worst category they used. This brought with it the joys and pleasures of living in a multicultural society, but it also brought with it certain facts of live one either got used to or - if one had the choice, and many don't - which meant one moved elsewhere.

In Liverpool in the 1990s it was car crime: Matron's car was broken into four times and stolen twice and the trip to the local police station for the crime reference number became a part of normal life. As did the knowledge that the police would not have the man power or the inclination to actually search for and prosecute the perpetrators. During her stint in the capital in the early naughties she mourned the theft of four bikes in as many years. Police advised her to go to a market near Brick Lane on a Sunday morning to see if she could buy it back. In Manchester, about six years ago, she witnessed the stabbing of a man outside her front door. It was followed up but never came to court because invisible forces persuaded the suspect to return to whatever country he had come from. Realities like these happen all over the country every day. Millions of people live with them even though they don't see them portrayed on the 10 o'clock news.

None of these experiences were pleasant, but none of them particularly came as a shock and none of them made Matron call for stricter sentencing and the deployment of military force either. And most importantly, none of them made her leave those respective communities (in fact it was unsustainable house prices that forced her to move to the quiet little village where she lives now, so blame the real criminals, the bankers and speculators, for that). Because, for all their faults, they were communities and bad things that happened in them were things committed by people who where the exceptions and not the rule. That is why for every hooded bully helping him or herself to a free pair of trainers last night, there were three people cleaning up the mess they made this morning. Lets not forget that.

But what of the hooded bullies? Well, why not look at it like this? Yes, the events of the last few days were terrible. They raise a lot of questions about the society we live in and the values we pass from one generation to another. We have to discuss these questions openly and we have to address the underlying issues, like excessive consumerism and greed, and maybe even a prevailing sense of entitlement, at ALL levels of society. But they also show us that if you create a level of social inequality similar to that in certain third world countries, you are likely to get a level of social unrest that mirrors that in those countries. We all live in the society we deserve and pay for. And lets be honest, all of us - including those of us who, like Matron, belong to the category of the "not-really-rich-but-don't-have-to-worry-much-either-despite-the-cuts": we have been shopping in the bargain basement of that particular store for a long time now. Like with the organic produce that many of us are still happy to fork out for, it might be a good idea to start paying a little more for a better product.

Some random thoughts on Wikileaks and Assange

2010-12-08T09:22:00.003Z

Christmas is coming ever closer and with it the overload of work that Santa seems to have in his bag these days, Matron's brain is fried from trying to get to grips with teaching, government consultations, job interviews and an excess of travel. As a result she has - to the best of her abilities - tried to inure herself from the wall-to-wall coverage of WikiLeaks, the US Embassy cables and the allegations against Julian Assange if only to allow her to get on with some stuff.

But it is getting harder to escape all that coverage and woman is a processing, pattern-making animal, so random, if often rather conflicting, thoughts on this have arisen and are taking up valuable brain space. Each of them longer than 140 characters but not really enough for a coherent blog post, they still want to be released. To make it more interesting, Matron has given them "Yes Minister" titles. Feel free to ignore; normal service will be resumed in the new year.

The Right to Know: While the disclosure of the documents on Iraq took the public interest hurdle with some ease, Matron can't help feeling that a lot of what came out of the Embassy cables is just a smidgen, if at all, above the tabloid newsworthiness threshold. Most of it seems to concern statements made by the No-surprise-there-department (sub-section Duh!) that inhabits a basement in the Ministry of the Bleeding Obvious. Yes, it is lovely to have your prejudices about Prince Andrew, the Rich and Powerful and those stupid, arrogant Americans confirmed, but beyond that Matron would pay good money for someone that pre-selects from those cables the things that will really make a difference to our perception of the way things are done and our willingness to do something about them. They are probably there, buried within a mountain of information, but it is terribly difficult to find them in all that gratuitous gossip. So, here's an idea for the movement: rather than going for the shock and awe effect (you've done that now and the whole world bought the bloody t-shirt), maybe next time it would be more useful to concentrate on selectively disclosing the things that really matter.
Power to the People: Having said all that, Matron completely agrees with many of the punters that by far the more interesting aspect of this whole affair is not what WikiLeaks has done, or even what the people whose behaviour has been exposed have done, but how the US and other countries reacted to it. Even discounting the hysterical reactions of US senators (which are unlikely to be taken seriously by many on this side of the Atlantic), the steps taken against WikiLeaks say more about the state we're in than a million indiscrete cables. It is quite clear that those whose actions have been disclosed by WikiLeaks are far more upset about the fact of disclosure than the content that has been made public. It's the paradigm change in relation to the way in which information is, can be or should be controlled that is the real issue here. As one very sensible blogger put it, being told by our masters that we can't handle the truth just doesn't wash any longer.
A Conflict of Interest: But at the same time, with great power comes great responsibility and Matron can't help feeling that WikiLeaks and those who support it currently get carried away just an itsibitsi tiny bit on a wave of their own omnipotency. As a privacy advocate, Matron has always fought the corner of those who argue that while transparency and freedom of speech are among the most important rights in a democratic society, they are not the only rights. They have to be balanced against other rights, freedoms and interests and figuring out how that balance should be achieved is a difficult and time-consuming process that we may just be by-bassing when pressing a button to disclose another 250,000 documents whose full contents we will not have been in a position to fully know or appreciate. Taking just the privacy argument as one example, there may be stuff in those cables that relates to private matters that the public really has no right, nor a need, to know.
The Smoke Screen: With the combined coverage of the WikiLeaks and Assange affairs seeimingly taking up every available inch of colunm space at the moment, is Matron the only one thinking that this would be a great time for governments the world over to bury bad news? In fact, here's a conspiracy scenario to think about while we're at it: imagine someone in the US government thinking, "Wouldn't it be great if we fed an organisation like WikiLeaks a lot of mindless chitchat that won't disclose a lot about us that people aren't already thinking anyway but that will keep the hacks and the geeks and pretty much anyone with a halfway functioning brain gainfully employed for weeks on end? Just imagine what we could get away with while they are all busy loooking the other way." In the area of IT and Cyberlaw alone, we currently have a plethora of really rather alarming proposals on the table that may change the way in which we can live, work and play, in which we can interact with each other and our governments, the extent to which those governments can exercise control over us and our actions and the extent to which we can resist that control. Yet, pretty much ALL the good brains Matron knows in this area are currently using most of their processing power on exchanging URLs for WikiLeaks mirror sites. I'm not saying that you're not doing an important job, boys and girls. But you know what? Job share! We need some of you for other stuff!
A Question of Loyalty: Matron admits it: when the sexual assault allegations against Assange first made the press, her immediate gut reaction was to think, "Now that suits the powers that be a little bit too much to be mere coincidence". We leftie liberals are hard-wired for conspiracy theories; the more outlandish the better. There is something about us that loves the feeling, as Technollama put it on Twitter recently, that we live in a Stieg Larsson novel. And maybe we do. But in the same way that we should try very hard not to suspect conspiracy when incompetence will do, we should not loose sight of the fact that good people sometimes do bad things. And that, consequently, we should not automatically assume that someone like Assange couldn't possibly be involved in something like a sexual offence, or that the laws of a country that allege such a thing must by defintion by wrong and illiberal and that the US must obviously have exerted great pressure on that country to bring down the full force of the law on one it now clearly views at its enemy no.1. That may all be the case, but it is no more likely than the alternative, because, at this stage, we don't know. If this had not been the founder of WikiLeaks, those allegations may still have been made and the appropriate judicial procedure might still have been employed and the people making the allegations would have been given the opportunity to prove them without being vilified as instruments of state oppression and the accused in this case would have been given the right to defend himself without his private conduct being closely linked to his professional role. While we do not know an awful lot about the charges that have been brought and the evidence available to prosecutors at this point, we should not fall into the trap of canonizing an individual in ALL areas of his life because we feel that he has acted like a saint in ONE of them. And we should not make feminist leftie liberal women feel like traitors to the cause if they cannot subsume their instinctive feeling that allegations of sexual misconduct need to be taken seriously whoever the alleged perpetrator. Julian Assange is innocent until proven guilty, but the two Swedish women and the Swedish prosecutors have every right to try to prove his guilt.
The Bishop's Gambit: Finally, to all those people who cannot distinguish between the charges against Assange and the charges against WikiLeaks: be concerned, be very concerned about the dangers of personificating a movenment. As many others more familiar with the ins and outs of how WikiLeaks functions have already pointed out, WikiLeaks is more than Assange and will and should continue regardless of what happens to him. Those who tie his lot together with that of the movement he helped found play into the hands of those who try to argue that the discreditation of the man will automatically discredit the movement. If he is found guilty, and at this stage this is as likely as the possibility that he will be acquitted, because WE JUST DON'T KNOW, then there will be no shortage of people saying that WikiLeaks is irrevocably tainted by his actions and that his failures in one area of his life must mean that there is no moral justification for the work he has done in others. Don't do their work for them! Make sure you separate the man from the mission.

And so on to all the other things on Matron's to-do list that are not WikiLeaks. Which, sadly, is still most of them. In the meantime, have a merry festive season!

Research is vital!

2010-11-15T08:19:00.003Z

Those of Matron's readers who are citizens of academia and/or members of the Twitterati will undoubtedly be aware of the hashtag #scienceisvital and the related campaign -fought by, among others, former LibDem MP Dr. Evan Harris - that was aimed at convincing the government to "lay out a supportive strategy for UK science and engineering" by "maintaining a level of investment at least in line with economic growth ".

The petition was signed by 36290 people - among them the names of many of the most eminent figures currently working in UK Higher Education - and ultimately led to science funding being treated rather more benevolently in the context of the recent comprehensive spending review (CSR) than many other areas.

A successful strategy, therefore, from which we could all learn? Certainly! And yet, despite the fact that Matron has followed the campaign with interest while it was in its most active phase, she could not bring her self to add her name to the pledge. Why is that?

The reason is that the petition, commendable as it was in its attempt to defend the science budget, focused merely on the funding for "science" in its most narrow definition, namely "the intellectual and practical activity encompassing the systematic study of the structure and behaviour of the physical and natural world through observation and experiment". Natural sciences, in other words, or "science and technology" in more modern parlance.

Indeed, the petition itself mentions as the particular areas for which funding must be preserved "energy, medicine, infrastructure and computing". Although, many of the signatories came from the social sciences, arts and humanities communities, no mention was made of those disciplines in the petition and - as has become clear - they did not benefit in any way from the government's rethink in the CSR.

In Matron's opinion, the petition and the related campaign can therefore also be seen as an example for another development that was easily predictable and widely expected when news of severe cuts to the HE budget first came out: that rather than coming together and ganging up on a reluctant government in an attempt to convince it of the shortsightedness of its plans, the sector would engage in a divisive struggle in which each party would attempt to secure the biggest piece of an ever smaller cake. In this context we have seen old universities work against new universities, higher education versus further education and one discipline against the other. The only winner in this game has been the coalition government which has found it all to easy to get savage cuts to the arts and social sciences budgets through with minimum fuss while at the same time being able to point towards the science budget it (largely) maintained.

Make no mistake, science IS vital! Without it, we will not be able to overcome the challenges arising from threats like climate change and overpopulation. It's funding should be preserved and, if possible, increased.

But when asked by scientists to support the petition, Matron felt a little like she felt when, back in the early 90s, she moved to the UK from Germany as a (then more than now) politically active lesbian. Whereas in Germany, this group was politically more aligned with the feminist movement, in the UK, lesbians were part of the gay rights or queer movement. In practical terms this meant that, at the time, the political goals lesbians fought for and were expected to support included not only the fight against AIDS but also gay marriage. This was in open disregard of the fact that lesbians, with their "moving-in-on-the-second-date" kind of relationships were in the group least likely to be infected with the HIV virus and that feminism had worked on a critique of the institution of marriage for at least the last century.

In the end, Matron became an active volunteer for an HIV/AIDS charity - not because she was directly affected but because it was the right thing to do at the time with thousands of people dying alone and without the necessary support. But she always refused to go to any length to support the call for gay marriage. In the words of the inimitable Alison Bechdel, comic artist extraordinaire and observant chronicler of lesbian live throughout the 80s, 90s and noughties, there was no way she was going to be complicit in the enshrinement of coupledom as a privileged civil status given that there were, in her view at least, better ways to achieve equal treatment for everyone (for example, by abandoning, and not re-introducing, dear Mr Cameron, all solely marriage-related state benefits).

Matron's most interesting experience during that time was a conference ca. 1994 when she was on a panel with a high profile (female) member of gay rights group Stonewall. When asked about her views on why the lesbian movement in Germany preferred to align itself with feminist heterosexual women rather than gay men, Ms. Stonewall's responded that maybe the lesbian movement in Germany wasn't as far advanced yet as it was in the UK and the US. It was the simple arrogance of that statement which completly dismissed a political strategy on the basis of "backwardness" and which negated the many rational reasons its proponents may have had for choosing it, that took Matron's breath away then and that still appalls her now.

Because asking someone else to support your cause because it is the right thing to do, is one thing. Asking them to support it despite the fact that doing so may actively harm their own interests or political goals - and be that only because those interests or goals will be forgotten about or set aside while time and engery is spent on fighting for yours - is quite another.

So, coming back to the point Matron was trying to make:

Science is an important area of research that deserves our support and government funding. At the same time, as every HE researcher knows only too well, science has had a better deal in public funding compared to any other area of research for these past 10 years at least because science gets good PR and politicians up and down the country seem to feel that they can support spending money on the development of a new widget much more easily than, say, the teaching of drama, philosophy or sociology. How is any of the latter to compete with research to find a cure for cancer or Alzheimer's?

But demanding that the science budget should be maintained will almost inevitably mean that the budget of other research areas will suffer. Areas that are equally vital, like:

The social sciences that will ultimately have to figure out how and to what extent society will be able to absorb, integrate and adapt to the new technologies that the scientist will come up with with.
Economics that will enable us to "follow the money" and to figure out who benefits from new research and developments and how that benefit can be distributed in a more equitable and socially beneficial fashion.
The arts because - as Winston Churchill is alleged to have said when asked to cut arts funding in favour of the war effort - if not for the arts, then what are we fighting for?

It is openly known in the research discipline of which Matron is a member, that over the next five to ten years at least, research funding will either have to come from Europe or from collaborative projects with members of STEM disciplines, which will allow us access to their funding pots. This will be easier for those who, like Matron and her ilk, are research active in technology law than it will be for those of her colleagues who specialise in family law or criminology or constitutional law. But that does not mean that these subjects are any less important for society or that they deserve any less support.

This is a game of divide and conquer and by singling out one area, venue or means of research over another we are playing directly into the government's hands.

So, dear scientists, Matron would love to support your petition, because she thinks it is the right thing to do. But if you ever re-open it for new signatories, would you mind changing its title?

From "Science is vital" to "Research is vital"?

A rather phormulaic proposal

2010-11-11T15:52:00.003Z

Following yesterday's mini-rant on the failure to publicise this and the rather short consultation period, Matron has now had the opportunity for a more intimate heart-to-heart with the ever-so-under-the-radar Home Office proposals on changes to RIPA. The verdict: while there doesn't seem to be anything particularly offensive in there, she can't help feeling that we are once more bearing witness to the UK government trying very hard to comply with the nagging of those pesky Europeans while, really, not changing things all that much in practice.

By way of background, the changes to RIPA became necessary because the European Commission - following, among other things, a letter writing campaign by that excellent Open Rights Group - referred the UK to the European Court of Justice because it felt that it had not fully implemented rules on the confidentiality of electronic communications contained in the E-Privacy Directive (2002/58/EC). That Directive provides that member states must adopt provisions which prohibit the unlawful interception and surveillance of electronic communications unless the users concerned have given their consent. According to the Data Protection Directive, that consent must be "freely given, specific and informed". Member states must also establish appropriate sanctions where these prohibitions are infringed and independent authorities must be charged with supervising this are to prevent any unlawful interception.

As per usual, the UK has watered down these draconian requirements a little to make life easier for the folks in the interception trade. Section 1(1) RIPA only prohibits intentional interceptions - accidents do happen, don't they?; section 3(1) RIPA lets offenders off the hook if they had "reasonable grounds for believing that consent has been given" and as for establishing a proper supervising authority, well, there was that minor issue of a gap between the supervisory powers of the Information Commissioner (who doesn't do interceptions) and the Interception of Communications Commissioner - or IoCC - (who doesn't concern himself with the conduct of private entities).

All this left said private entities in the fairly comfortable and almost entirely unregulated sphere in which companies like Phorm and their ISP partners then thought that it might be a good idea secretly to analyse people's web surfing habits the better to determine their interests so that targeted advertising can be delivered to their screens. Let's face it, folks, cheap broadband doesn't pay for itself.

When the Phorm, sorry storm, broke loose, however, many of those people figured they'd rather not have every single one of their online moves recorded - albeit, according to Phrom's PR, in the most privacy-friendly way possible - and many of the CSPs had to beat a hasty retreat. Phorm itself has, for them time being, left the building, although it is still flogging its technology in other countries.

But back to the European Commission, the ECJ and the UK's urgent need to do something to avoid further costly proceedings. The consultation paper proposes, in essence, three things:

The government, acknowledging that section 3(1) of RIPA does not provide the required clarity the CSPs need to determine whether or not their customers have consented to their weird schemes, wants to "remove the ambiguity" and thereby "ensure that the provision is consistent with the definition of consent" contained in the Data Protection Directive. It doesn't say, exactly how it wants to do this. Whether it will simply remove the offending "reasonable grounds" passage or whether it will come up with something more roundabout is one of the things we will have to look out for when the draft legislation is published. But for the time being this does not sound to bad. However, there is a problem with the use of consent in this context and this is one of the points that Matron wants to look at in a little more detail later.
The government also wants to expand the functions of the IoCC so that, in the future, he can - following a complaint by a user - investigate CSPs in cases of unlawful, unintentional interceptions. Again, this seems to address the European Commission's concerns to a certain extent, but even the work of the IoCC in his natural habitat of supervising the interception activities of public bodies is not without question, and the same issues do arise here. Of that, too, more below.
Finally, the governments wants to introduce a new civil monetary penalty of up to £10,000 that the IoCC can impose on anyone violating the prohibition on unintentional interceptions. He may also be given the power to issue a notice requiring the unintentional unlawful interception to cease. Any penalty or enforcement notice may be appealed to the First-tier Tribunal and the proposal includes comprehensive provisions governing such an appeals process.

So far, so business-as-usual. The procedures proposed here came pretty much straight out of the regulatory textbook and bear many a resemblance to the procedures that apply in the context of complaints to the Information Commissioner about data protection breaches. There is no reason why it shouldn't work in this context. Except...

Consent

As in all cases where consent is used in a relationship between businesses and individuals, there is actually a pretty big questionmark both over the "informed" and over the "freely given" part. Informed consent should mean, as the very minimum, that she who consents to something, should be aware of what she is consenting to. As we all know, in an online context this is little more than a legal fiction because UK law allows providers to hide consent provisions deep in the recesses of their privacy policies or terms of use which no one in their right mind ever reads unless they are mentally disturbed or a privacy lawyer or both.

This means that on the basis of these new rules, there is nothing stopping CSPs to include relevant implied consent provisions in their business terms, from which point forward they will no longer have to worry about their customers' consent at least, if they want to carry out interceptions for the purpose of behavioural advertising.

As many people wiser and more knowledgeable in this area than Matron have pointed out, this may still not actually allow them to intercept those communications because the consent of both participants to the communication is needed under RIPA. But if that communication concerns, for example, a user visiting a website for some online shopping, that website - as the other participant - could possibly be persuaded by the CSP to agree to the monitoring of that traffic in return for a small cut of the advertising revenue thus created. Stranger things have happened at sea and there are probably no limits to the length to which most online businesses would go when developing new monetisation strategies.

But coming back to the user who is, normally, the CSP's customer. Will this user have the right not to consent to the interception of her communications by her CSP without loosing the ability to use the CSPs service? Online business terms are usually take-it-or-leave-it, my-way-or-the-highway kinda terms. CSPs may well be of the opinion that targeted advertising, which is after all used to co-finance cheap broadband access, is a necessary revenue stream in a competitive environment and that any user who doesn't play ball is free to find another provider. The problem is that, if all CSPs think that way, there will be no other provider to go to. And what then?

For this sort of thing we have two analogies in the law which we may want to draw upon. The first is the way in which the law deals with cookies. Now as we all know, there is some change coming in this area, but the one thing that remains unchanged is the fact that website operators that wish to use cookies can prevent users who refuse them from accessing certain parts of their website. CSPs could therefore argue that it should be the same in the case of targeted advertising and the related interceptions of users' communications. Is that justifiable, though?

The other analogy is employment law, where the use of consent is very limited becauses it is widely accept that in an employer-employee relationship it will rarely be freely given.

If, therefore, as a stubborn user who does not want to have her communications intercepted, Matron would, in practice, no longer longer be able to find an ISP that will have her, she would possibly no longer be able to access the internet. However, as Matron and many others of her persuasion have long argued, by now the internet is such an important part of everyone's life - it facilitates not only economic and social activities but also education and political participation - that to be without internet access is tantamount to the violation of a human right.

Now, some readers might think that this is a bit of an exaggeration, and maybe it is, but if "choice", that famous holy grail of the free marketeers, comes down to a choice between one ISP who will intercept your communications and another who will do the same, is that not a clear case of market failure? And shouldn't the government anticipate this situation and do something about it, now that it has the chance?

Sanctions

The government did apparently consider introducing criminal sanction rather than a civil penalty, but it decided against it in the end because it feared that the enforcement of such sanctions would be impractical and impose undue strain on the UK's police forces.

As a card carrying, bleeding-heart liberal, Matron is no great friend of potentially increasing the country's prison population for non-violent offences (although, as a practicing lawyer, it has been her experience that the threat of criminal sanctions tends to focus the CEO's mind) and for that reason she will not criticise the government from shying away from this step.

However, realistically, the penalty of "up to £10,000" is unlikely to be a major deterrent for CSPs as this is the sort of amount that many companies view as beer money. Unfortunately, one of the viable alternatives - giving the user whose communications have been intercepted a right to claim damages - already doesn't work in the area of data protection because in the absence of punitive damages it is actually terribly difficult to prove financial loss in these circumstances.

Which makes Matron think that maybe something along the lines of the recently introduced data security breach notification system should be put in place instead. That system, for those who do not know, requires providers of electronic communications services to notify any breach of data security to the Information Commissioner and, if the Commissioner thinks that this is appropriate, to the affected data subjects.

As we are largely talking about unintentional interceptions when we are talking about sanctions, should we suggest a similar procedure here? Where the CSPs, if they find out that they accidentally intercepted someone's communications, would be required to send an "oops" notice to the IoCC who, if the breach was grave enough, might also force them to send a similar notice to their customers? As we know, bad publicity is a much stronger incentive not to do wrong than a monetary slap on the wrist. It may just work.

Complaints

However, even this last proposal overlooks the main issue with this new procedure, namely that, as a rule, the IoCC will act in response to a complaint by a user who suspects that her communications have been intercepted. We already have this right in relation to interceptions by public authorities and it has gotten us exactly nowhere. That is largely because most of us will never realise or suspect that our communications have been intercepted. It doesn't show up on our screens and, by and large, we will never find out about it unless the interceptor is very open or very stupid.

This is borne out by the figures in relation to state interceptions:

In 2008, the Information Tribunal received 176 complaints about suspected interception. In 2009 it was a mere 156. Now bearing in mind that this was round about the time that the Phorm story broke in the press, which may or may not have increased sensibility, it makes sense to look at the earlier figures and, lo and behold, in 2007, it was only 66, 86 in 2006, and 80 in 2005.
Since RIPA came into force, the Information Tribunal has upheld exactly four, yes FOUR, of these complaints. Hardly a result that has the national security services quaking in their boots.

So if the IoCC's duty to act is merely based on him receiving a complaint, then I think we can all rest assured that CSPs will not have an awful lot to fear when it comes to their murky online dealings. Commissionary legal protection in this area is not effective, it never has been. In relation to state interceptions this has nonetheless been accepted because of the need to keep interception activities of the security services secret. Whether one agrees with that approach or not, this is certainly not an argument that can or should be applied to interceptions by private entities. Individuals whose communications have - even unintentionally - been intercepted, should be made aware of this and should be given appropriate judicial relief. The IoCC, if it is him who is charged with oversight over this area, should be given full auditing powers - including dawn raid powers, if necessary - to ensure that private interceptions are detected and the legal sanctions enforced.

The confidentiality of our communications is not only an individual right, it is a public good that gives people the confidence to act freely and without fear in the online environment. We endanger it at our peril.

Seek and ye shall find!

2010-11-10T13:51:00.002Z

Despite the fact that at the time of writing (10 November, PM)

it is not actually displayed on the Home Office's list of consultations;
or its webpage on RIPA; and that
Matron has been unable to find an official press release or news item referring to the event

it seems that the government has published a consultation document on changes to RIPA which became necessary after the European Commission referred the UK to the ECJ over the Phorm case.

While Matron has not yet had time to look at the document in detail, she can't help noticing that the consultation period (responses must be in by 7 December) is extremely short by anyone's standards.

Those who feel that they have something to say on the laws governing the interception of electronic communications therefore better get their skates on. Just saying...

Tunnel! Light! Action?

2010-11-09T16:38:00.002Z

Is there any connection between the EU's Common Agricultural Policy (CAP) and data retention? You wouldn't have thought so, would you? And yet there might be.

After spending the day reading the European Court of Justice's decision in the case of Volker und Markus Schecke GbR v Land Hesse, Cases C-92/09 and C-93/09, Matron is intrigued by the pin-sized point of light that this judgement may shine on the question of how that court might deal with the question of whether the blanket retention of traffic data complies with the provisions of the European Convention on Human Rights (ECHR) and the EU's Charter of Fundamental Rights. If it ever gets to decide on that question, that is. But that is another matter entirely and for the moment lets not go there.

The ECJ decision in question relates to a reference to the ECJ from a German court, in which it was asked to consider whether EU legislation which requires the disclosure and publication on a publicly available and searchable website of the amounts awarded to farmers from CAP funds, together with their names, municipality of residence and postcode, was invalid. The applicants in the main proceedings clearly thought that it was because it enabled third parties to deduce the applicants' income of which 30-70% came from CAP funds.

The court - sort of - came down on the side of the applicants when it held that the wide-ranging publication requirement imposed by the relevant EU legislation violated their right to privacy and data protection because it was disproportionate to the EU's stated aim of increasing transparency of the use of funds in the context of the CAP. Whether this will actually help the applicants in practice remains to be seen as the ECJ did not entirely condemn the publication of that data. It merely concluded that it should be published in a more privacy friendly way that draws a distinction based on relevant criteria such as the periods during which recipients received CAP aid, the frequency of such aid or the nature and amount of aid. Which probably means that any halfway competent internet surfer will still be able to find out what amount of CAP aid an individual has received in any given period.

However, the decision is interesting for a number of other reasons:

For a start, the ECJ made some very encouraging comments on the status of the Charter of Fundamental Rights both within the EU legal framework and within the framework governing the protection of fundamental rights and freedoms. This is one of the first decisions looking at questions of human rights compliance of EU legislation since the Lisbon Treaty - and with it the Charter - came into force, and the ECJ seems to use this decision to set out its stall on how it intends to apply the Charter in its interpretation of EU secondary legislation in the future. To this end, it confirms that the validity of such legislation must now be assessed in the light of the provisions of the Charter.
The ECJ also confirms the Charter's premise (in Article 52) that insofar as rights guaranteed in the Charter correspond to rights contained in the ECHR, the meaning and scope of those Charter rights as well as any limitations placed on them must be interpreted in line with the corresponding rights in the ECHR. This creates a neat little connection between the Charter and the ECHR which will allow the ECJ to draw heavily upon the entire body of case law created by the European Court of Human Rights in Strasbourg (although, to an extent the ECJ has, of course, frequently referred to that case law already and the really interesting question is what will happen if the two courts disagree. But that question, too, is for another day).
The ECJ confirms that a provision requiring the "general publication" of personal data on a website prima facie constitutes an interference with the applicants' right to privacy and data protection and that this interference, while "as provided by law" is disproportionate to the aim of increasing transparency that the EU seeks to achieve. The ECJ held that the EU institutions must balance the EU's interests with those of the affected individuals when adopting provisions that interfere with the rights to privacy and data protection. In particular, the decision makes it clear that the EU's objectives do not enjoy an automatic priority over the rights of the individuals and that the mere failure by the EU institutions to consider less intrusive methods of interference will lead to the invalidity of the contested provisions.

So why does this give Matron hope when it comes to data retention? Well, the situation there is actually very similar to the present case. Opponents of data retention have argued for a long time (including during the very brief legislative process that led to the adoption of the Data Retention Directive) that the blanket retention of communications data of the entire population is disproportionate to the aim of improving public and national security on the grounds that, among other things, the less intrusive means of data preservation or data freeze (where providers are required to retain traffic data relating to a specific event for a specific period of time AFTER the event) exist. Many countries are using this form of data preservation quite successfully.

And yet, that method has never been properly considered by the EU institutions as a viable alternative to the current regime, no empirical evidence has ever been collected as to why the blanket retention we now all have to live with is necessary (or even more likely than data preservation) to achieve the stated objective. On the basis of the ECJ's contention that even the mere failure to consider less intrusive means could render a provision invalid, one could clearly argue that the EU institutions' rushed adoption of Data Retention Directive should be examined in this light.

So a hundredth of a smidgen of a glimmer of hope here? Time will tell. One institution that should certainly take note is the European Commission which is still dragging its feet on the publication of its report on the current regime. Unless the member states come up with very good statistical proof that data retention actually works, it becaomes more and more difficult to see how a reasonable claim could be made that the provisions of the Directive are human rights complaint.

"Reasonable" being the operative word here, of course.

How to dunk a cookie

2010-09-16T19:06:00.003+01:00

Matron just spent another day reviewing the odious consultation paper on the UK implementation of the Telecoms Package, a task for which she will surely be rewarded with free access to a bunch of delectable virgins in the afterlife. Today it was all about cookies (no, not the chocolate covered ones - she wishes!) and the government’s plans on how to deal with them.

Let us recap, dear reader: a "cookie" is a small text file implanted by a website on the hard disks of visitors to the site (often without their knowledge) which collects information about the visitors, such as their names, addresses, e-mail details, passwords and user preferences. It can be set by the visited website itself or by third parties like online advertising companies. They can be used to track a user’s movement around the web and the information they collect will usually be used to serve targeted behavioural advertising to the user as s/he goes along. Although cookies provide web users with some convenience (pre-completion of online forms, recognition by online retailers), they also enable website operators to build up user-profiles without the knowledge or consent of the individuals concerned. Such profiles are immensely valuable and form part of the personal data currency with which we all pay for our access to “free” online content.

Under the current regime, users only have a right to object to the use of cookies provided they have been provided with information about the fact that they are used in the first place and on how to block/remove them. In the UK, in typical fashion (we call it pragmatism and are very proud of it), we managed to combine this laissez faire approach with our even more laissez faire rule on implied consent, so that, in practice, it works roughly like this:

1. Almost all browsers have default settings which allow cookies to be set unless the user changes those settings. Changing those settings isn't exactly difficult, but it is still a task which is beyond most people over the age of 45. Plus those who would be capable of doing this, often can't be arsed. Plus, changing the setting usually means that the user will not be able to access some web pages that require a cookie to load (this state of affairs is perfectly lawful, even the revised E-Privacy Directive permits this to happen).

2. The website owner complies with the Directive (and the national laws implementing it) by including an inocuous little provision in its privacy policy that explains what a cookie is and how it can be blocked. The policy will also usually warn the user that blocking cookies might result in a "loss of their user experience". Apart from us hardcore privacy lawyers no one actually reads privacy policies, so the normal internet user will never see this information. Which is all in a good day’s work for those who set cookies, because if we knew about this, we might actually try to change the settings. And if we all suddenly decided to block cookies, the web would come to a veritable standstill.

This point was forcefully made by Struan Robertson on Out-Law in May 2009, when he publicly requested the EU powers that be to “kill this cookie monster”. Because the European Parliament, you see, had insisted, as part of the Telecoms Package, on changing the requirement from the oh-so-convenient opt-out mechanism to an opt-in approach. And that is what came to pass – albeit with a twist, but more of that later.

Article 5(3) of the revised E-Privacy Directive now requires member states to ensure that cookies may only be set “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”. “But this will mean annoying pop-up windows galore and the end of online civilisation as we know it!” shouted the website owners. "Oh, cue the violins!", replied the European Parliament. The measure was passed, the European Parliament was happy, web users’ privacy will be properly protected and web services will go bust in their thousands.

But wait a minute! This can’t be, can it? Surely they wouldn’t allow this to happen? Of course, they wouldn’t! Because the cavalry, in the form of Recital 66 of the Citizen’s Rights Directive, is already on its way. It provides that the user's will to accept cookies "may be expressed by way of using the appropriate settings of a browser or other application". Aaah, Matron nodded sagely at the time, this is what’s going to happen: all UK website owners will re-phrase their privacy policies, stating that by NOT changing the default setting in their browser from "accept" to "reject" users will be deemed to have given their informed and voluntary consent to the setting of cookies. Implied consent rules mean that those policies will be binding on the users, who will continue to live in blissful ignorance of their existence and no one needs to be any the wiser about the use of those pesky cookies. So, when Struan and others started jumping up and down about how terrible this new law was, Matron was just a little bewildered.

However, turns out she wasn’t the only one who had an idea of how the UK government was likely to deal with this minor inconvenience. It seems a copy of the “UK Minister’s Handbook on how to handle undesirable EU laws” (Section 1: “transposition” means “copy the text of the Directive into a statutory instrument and then interpret it to within an inch of its life through codes of practice and regulatory guidance documents”) has made it all the way to Brussels. How else could one explain the pre-emptive strike that was the Article 29 Working Party’s opinion on online behavioural advertising in which it demanded strict opt-in requirements for cookies? If you want to use browser settings to get your opt-in, so the Working Party, the browser default setting must be “block all cookies”. Only then would users wanting to accept cookies be able to signal their affirmative consent. "Go away, browser owners!", it said. "Change your default settings! We’ll speak again when you’ve done that."

One would think that those were pretty clear words, but it seems they were not heard on this side of the Channel. The BIS consultation paper (and more importantly, the impact assessment) unsurprisingly does not agree with the Working Party’s position. Instead the UK government fears that any form of opt-in procedure would lead to a permanent disruption of services and to online providers potentially suffering substantial losses, both in relation to the costs they would incur in programming pop-up windows or changing browser settings, and in directly lost revenue from users choosing not to allow cookies (how dare they?). Reassuringly for website owners and online advertisers, the government quite openly admits that, in its opinion, the balance of interest between user privacy and the need to secure providers' revenue streams is quite heavily weighed in favour of the latter. As it points out, “online behavioural or interest based advertising made up roughly 50% of display advertising revenue in 2009, which was equivalent to £350 million”. Matron does not dispute that to take that sort of money out of the web may indeed cause some serious disruption and that we might have to start thinking about other ways of financing all that "free" online content.

But there is a, admittedly semi-heretic, question to be asked here: does it have to be like that? Isn’t it just a bit of a self-fulfilling prophecy to treat as widely accepted gospel the claim that “the internet as we know it today would be impossible without the use of these cookies” (BIS consultation paper, page 57)? We have witnessed unbelievable technological achievements in the last three decades. Does the industry really expect us to believe that if it were no longer allowed to use cookies, developers would not come up with a different (and hopefully more privacy-enhancing) way of generating revenue out of advertising? Of course, as long as it can get away with using cookies, business will have no incentive to finance research into an alternative. Maybe Matron is just stubborn, but sometimes this whole “privacy-is too-expensive” argument really p…es her off.

More interestingly, though, at this point, is this: how does the UK government expect to get away with this? As Matron explained above, under normal circumstances she would have expected nothing less. But surely, the fact that the Working Party has laid down the law as it sees it even before the Directive's implementation deadline runs out must change things? Even if the WP’s opinions are not binding, they are read, and largely adhered to, by national data protection authorities and the European Commission. Practicing lawyers take them into account when drafting documents and policies and, in most cases, businesses would know that they act in contravention of them at their peril.

So what is happening here? Does the government just play the long game, given that the Commission already thinks the UK in breach of several provisions of the Data Protection Directive and nothing bad has happened yet? Does it intend to buy UK businesses some time by adopting laws in full knowledge of the fact that that infraction proceedings might be issued against it (because those proceedings will take years to come to fruition)? Does it intend to sit this one out until the wind has changed?

As Matron said: remarkable chutzpah! Or maybe it's just that no one at the BIS actually read the WP opinion. After all, they have been busy lately…

Assessing the impact

2010-09-15T10:02:00.005+01:00

Having spent more than three weeks trying to overcome the post-holiday blues, Matron was abruptly dragged back into the grey skies of coalition government Britain yesterday when she worked her way through the fresh-from-the-press consultation paper on "Implementing the revised EU Electronic Communications Framework". That framework (also known as the "Telecoms Package") was adopted by the EU at the end of last year after a considerable period of legal and political wrangling between the Commission, Council members, MEPs and lobbists.

Now, Matron feels a little about the Telecoms Package how she feels about reading the works of Judith Butler or Stephen Hawking. If she applies razorsharp, quasi-transcendental focus she manages - for the length of one heartbeat - to understand what it is all about. But then the kitchen door slams shut with a bang or the cats loudly demand their dinner and - whoosh - it is gone. The reason for this, she feels, is that the Packages tries to wrap up all the legal issues that are somehow expected to affect the internet now or in the near future - regulators' powers, spectrum allocation, infrastructure, network security, interoperability, universal service obligations, quality of service, net neutrality, consumer protection and online privacy, to name but a few - into one neat little parcel, thereby creating something very much like a packet of Licorice Allsorts. There's something in there for everone; but because there is also so much in there that you don't fancy, it makes you want to head for a packet of winegums instead.

Nonetheless, needs must, so yesterday afternoon, Matron banned the cats to the bedroom, closed the kitchen door as a preventative measure, and sat down to read. The consultation paper itself is only (!) a concise 74 pages long, but it is accompanied by a rather lengthy impact assessment. Now, impact assessments are funny things, written by administrators to satisfy the beancounters, and most lawyers - Matron included - tend to avoid them like the plague. However, the sections in the consultation paper that Matron was scrutinising - the bit that dealt with the changes to the E-Privacy Regulations, data security breach notifications, information requirements, the cookie wars v2.0 etc. - referred to the impact assessment rather more often than usual. So, with an audible groan Matron gave it a go. And found some truly surprising stuff.

Hidden between "E-Privacy Directive: Annex 1: Data Breach Notification" and "E-Privacy Directive: Annex 3: Cookies" one can find an innocous little document titled "Information Provisions" which, under the heading "What is the problem under consideration? Why is government intervention necessary?", addresses a completely different policy objective from those set out in the Telecoms Package.

After pointing out that "[p]olice and security services will continue, under the amended E-Privacy Directive, to be able to request information from the providers of electronic communications services in order to aid in the protection of national security and following criminal cases", it then explains that the government must take steps "to increase the investment service providers put into being able to provide this information". To this end, the government wants to require those providers to "have a procedure in place to be able to respond to request for information from the police or security services" quickly and with a minimum of fuss. It also wants to impose the duty of checking that such procedures are in place on the Information Commissioner's Office. The intended effect of the government's policy is, apparently, "to increase the availability of suitable information for use by the police and security services" so as to enable them to provide "a high level of protection to citizens".

Like many of her ilk, Matron gets very nervous when it comes to laws that facilitate the "availability of suitable information for use by the police and the security services", particularly when there is no defintion of what actually constitutes such "suitable information". As the controversies over communications data retention and interception of communications under RIPA have shown, there is something of a chasm between what those service feel might be suitable and what civil liberties campaigners as well as many ordinary people feel those service should have access to. So what is funny about this new policy is this:

1. Access by public authorities of communications data and intercepted electronic communications are already laid down in the Acquisition and Disclosure of Communications Data Code of Practice and the Interception of Communications Code of Practice. They cover in quite some detail what the service providers must do in order to assist the authorities in relation to disclosure requests. Why then does the government feel that it must use this consultation to impose even more structured requirements on providers? Did the old system not work? Do they want to cover requests for data that are not yet covered by RIPA and its codes of practice? Would this make it easier to access data held by CSPs for other purposes, say the prosecution of copyright infringement?

2. The government somehow wants to hang this one on Article 15 of the E-Privacy Directive (as revised by the Telecoms Package) which, it concludes, gives an ‘opt-out’ from the Directive's provisions that prohibit the listening, tapping, storage or other kinds of interception of communication "in cases where these methods of information gathering are a necessary, appropriate and proportionate measure within a democratic society in order to safeguard national security, defence, public security, or for the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system". Although this is a fairly true description of the law as it stands (one could argue about the use of the word "opt-out"), it is surprising that this new requirements is included in this implementation proposal because - to Matron's knowledge - there is nothing in the Telecoms Package that requires the establishment of such procedural rules or, indeed, this level of micromanagement of the ways in which CSPs must comply with their duties under RIPA.

3. Why drag the ICO into this? It's not that Matron wouldn't be grateful, if the ICO had some power to inspect and review whether the disclosure of personal data by CSPs to the police under RIPA actually complied with data protection principles and the right to privacy. As the whole Phorm debacle has shown, there are some worrying gaps in regulatory oversight between the role of the ICO and that of the Interception of Communications Commissioner. But that is not what the ICO is asked or authorised to do. Instead, it is used as an enforcement agent whose duty seems to be to ensure that the police get their data in the most efficient way. That is surely not the ICO's job and it should not have to use its already meagre resources to play fetch for the security services.

4. There is nothing - nothing at all - said about this proposal in the main consultation document. This reminds Matron - as almost everything seems to these days - of yet another "Yes Minister" episode which mischievously dwells on the civil service's habit of hiding the important documents that it doesn't want the Minister to find, er see, "at the bottom of the fifth red box". Of course, Matron knows that one should never suspect conspiracy where mere incompetence will do, and maybe the good folks at the BIS did just forget to mention their plans in the place where everyone might read about them. But page 138 of a 180-page impact assessment seems to her as good a place as any to bury a proposal that might otherwise attract some negative headlines - particularly if it is published on the same day as another proposal which condemns ISPs to pay for 25% of the cost of pursuing illegal fileshares under the much-reviled Digital Economy Act. As the government itself admits, "there will be costs associated with service providers needing to implement internal procedures to respond to information requests" although it judges these costs to be "minimal". The government's rationale for imposing such extra costs at a time when it publicly touts that it wishes to liberate industry from overburdening regulation, is that the benefits for the general public from the police having access to that information outweigh the CSPs' business interests. They must therefore increase their level of investment to be able to provide this information (again - which information is that exactly?) "to the socially optimal level".

The BIS invites responses to the consultation by 3 December with plans to submit draft statutory instruments to Parliament in April 2011. Given that the Telecoms Package must be transposed by 25 May 2011, this seems to suggest that they do not expect there to be much parliamentary resistance to their plans or that they plan to overcome that resistance pretty sharpishly. After all, the old Labour government has provided them with a blueprint on how to do just that when it rushed the DEA through the wash-up with no regard for reason or democratic decorum. This approach is, of course, made much easier by the fact that the blasted thing is so complicated that - like with DEA - most MPs will not understand it anyway and are likely to follow their Whips' directions out of a desire to protect their poor brains from intellectual overload.

But this sort of stuff IS important and at a time when the new government still pretends that it intends to clean up the Augean stable that is the previous government's civil liberties record, this is a proposal to take note off.

Is Matron just her normal paranoid self and is blowing this completely out of proportion? She would love to be convinced that that is the case. Any volunteers out there?

A licence to print money?

2010-07-29T18:41:00.002+01:00

My oh my, the good people that make up the Article 29 Working Party have been busy bunnies recently. Data retention, RFID, standard contractual clauses – it’s enough to give any serious privacy blogger repetitive strain injury.

Their latest offering goes by the innocent name of “Opinion on the principle of accountability” and Matron would surely have dismissed it (and hence missed it) as some sort of administrative porn had the term not cropped up recently in a number of submissions to the European Commission’s online consultation on the future of the EU data protection framework. And indeed, the opinion is designed to put ideas into the heads of those folks at the Commission who are currently trying to figure out what needs to be done to bring the existing EU data protection regime into the 21st century. Since Matron closely follows everything relating to the long-promised review of the EU Data Protection Directive, she decided to take a peek and what a revelation it has been.

Accountability, you see, describes (very inadequately, Matron feels) what could well be a completely new way of “doing” data protection. As the Working Party itself readily admits, the term has real meaning only in the English language, so heaven knows what the EU translators will make of it. But, in essence, it is the very simple idea that if you are supposed to do something, you should not only do it, but also put processes in place that ensure that you do it well and provide evidence to prove that you have done it properly and in accordance with those processes. In practice, this usually amounts to a whole lot of dead trees and I am sure that, if this blog is read by any members of the health, social services or teaching professions, they will by now sagely nod their heads.

Matron has always had a difficult relationship with the whole accountability concept, partly on account of the dead tree issue, but partly because she can’t help thinking that the time spent on recording what one has done would, in most cases, be better spent on actually doing more of it. At the very real risk of sounding like a Big Society Tory, noting on a patient file – as has happened in the case of Mrs. Matron's grandmother – that “Lily Rose is dehydrated” is not much help when there is then no one who has the time to bring her a glass of water and make sure she drinks it. But putting such petty prejudices aside for the moment let us look at what the Working Party actually has to say.

It starts with making a few salient points that we would all do well to remember even though they are, to the informed privacy wonk at least, rather obvious. Namely, that the growth of information and communication systems and the increasing capability for individuals to use and interact with technologies has changed the rules of the game for the processing of personal data. In a digital world where more and more companies hold more and more of our data and in an on-line environment where personal data has “become the de facto currency in exchange for on-line content” we have to make sure more than ever before that those who use personal data implement “real and effective internal mechanisms” to protect that data. So far, so much Matron is in agreement.

Also, data protection breaches have the potential to be much more devastating in a networked environment where – as Matron's pal Pangloss once put it – it is no use shutting the stable door once the data has bolted. And it is by no means only the data subjects who should worry. With increased penalties (both monetary and custodial) coming into force in many EU member states, data controllers should have a good enough incentive to play by the rules. And that says nothing about the potential damage to their reputation.

However, despite these threats, experience has actually shown that many data controllers pay little or no attention to data protection provisions. In fact, by and large they seem to rely on the –possibly correct - notion that the national data protection authorities are so underfunded and so overworked that the odds of them ever being caught are miniscule. Rogue data controllers are all too often able to vanish in the crowd and unless our cash-strapped governments pump vast amounts of money into enforcement activities (a likely event!), we will all have to live with the consequences.

Which is why, for example, the Information Commissioner’s Office here in the UK has long been engaged in what can only be described as a battle for the “hearts and minds” of data controllers. Publication after publication was produced intended to convince data controllers that there is some commercial or economic benefit to be had from implementing data protection rules. Their latest attempt, a document called “The Privacy Dividend”, makes this point on a seam-busting 93 pages. That’s almost as long as the iPhone Privacy Policy and that’s saying something. No matter, the CEOs aren’t buying it! Data protection costs money, and money is what we all have too little of at the moment.

So, if they won’t come by crook, maybe it is indeed time for the hook, in this case in the form of a “revised legal architecture of accountability-based mechanisms”. But what should these systems look like? Well, for a start they are supposed to consist of a two-tier system with the first tier comprising a legally binding statutory accountability requirement and the second tier including a number of additional, but voluntary accountability systems. Ignoring for the moment the point that any “voluntary” systems are likely to go the way of all St Augustine dilemmas (“make me pure, but not yet”), Matron wishes to pay particular attention to the general accountability principle which, so the Working Party, should be inserted into the revised directive as an additional principle with which data controllers have to comply. It has even proposed concrete wording for such a new Article, which Matron is happy to share with you:

“Article X - Implementation of data protection principles
1. The controller shall implement appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with.
2 The controller shall demonstrate compliance with paragraph 1 to the supervisory authority on its request.

As the legally astute will quickly divine, the new principle has two elements: a requirement to take appropriate and effective measures to implement data protection principles and a requirement to demonstrate upon request that appropriate and effective measures have been taken (sound familiar yet?).

Although the Working Party shies away from postulating the incorporation of specific types of measures into the revised directive, it’s reticence does not go so far as to prevent it from making a number of suggestions. Among other things, it thinks that in the future data controllers should:

adopt internal policies and processes necessary to implement data protection principles;
appoint personal data protection officials;
map procedures to ensure proper identification of all data processing operations and maintain an inventory of data processing operations;
set up procedures to manage access, correction and deletion requests which should be transparent to data subjects;
establish an internal complaints handling mechanism;
set up internal procedures for the effective management and reporting of security breaches; and
perform privacy impact assessments.

And here is where Matron is in two minds about this noble endeavour. On the face of it, all these activities sound very useful and, indeed, if fully embraced by data controllers they would vastly improve the way in which personal data is processed in this country. This is what data controllers should be doing anyway and Matron is forever frustrated, if she comes across a company that happily goes ahead with some harebrained business scheme without giving any thought to the potentially disastrous data protection implications (in fact, in some cases, the term “harebrained” is an insult to the proud species of hare!). But the way Matron sees it, the introduction of such a principle would in no way solve what is the real problem here: the complete lack of oomph behind the enforcement actions by national data protection authorities.

Admittedly, some of this enforcement would be “outsourced” to the data controllers themselves through an additional requirement to have the effectiveness of the accountability measures verified regularly through monitoring and internal and external audits. The Working Party also, possibly correctly, claims that these requirements would strengthen the position of data protection authorities which would have the power to request evidence of compliance from the data controller. This, so the Working Party, would provide the authorities with “very relevant compliance related information”. And if such information was not forthcoming, data protection authorities would have an immediate cause of action against data controllers, independently of the alleged violation of any underlying data protection principles. All true, no doubt, BUT IT WOULDN'T GIVE THEM ANY MORE MONEY TO DO THIS VASTLY MORE DEMANDING JOB!

Also, the latter argument sticks in Matron’s craw. In fact it reminds her (yet again! Does life forever imitate art?) of a particular Yes Minister episode, where an Under-Secretary patiently explains to Hacker that a local council which failed to return its annual statistics was nevertheless highly effective (virtually all its children could read and write, even though they had a progressive education!). They just didn’t like sending bits of blue paper to Whitehall.

Maybe Matron is unfair in this instance (if so, please make coherent arguments as to why this is so in the comments section). Maybe this would turn out to be more than just a paper exercise. But, as the Working Party itself admits, compliance with an accountability requirement does not automatically ensure compliance with the actual data protection principles. And surely that is what counts? But for that to be achieved, we need people to take ownership of data protection, to realize what insufficient protection could mean for them as individuals, to close the gap between the privacy haves and have-nots.

Is this plan going to help achieve that objective? Maybe. Is it going to make a lot of lawyers a lot of money? Almost certainly. Matron, who make a living out of drafting the sort of documents companies would be required to adopt is already secretly compounding a portfolio of materials in her head that might allow her to retire to some place warm and appealing rather earlier than she had previously hoped. In fact, this almost seems to be one of the Working Party’s desired side effects when it states that the introduction of the accountability principle will “contribute to the development of legal and technical expertise in the area of implementing data protection requirements as highly knowledgeable individuals with technical and legal understanding in the field of data protection, with abilities to communicate, train staff, set up and implement policies, and audit will be indispensable in this area”. You’re not wrong there mates! Just let me get a shovel for all that dosh.

Overall, the whole approach seems to owe a lot to the concepts already tried in relation to Binding Corporate Rules (BCRs) (see here for the Working Party’s guidance on those to verify this statement). To date, the uptake of BCRs has been spectacularly slow because the immense effort and cost involved in putting them into place has meant that they were only ever economically viable for big global groups of companies. Is it really a proportionate approach to extend these sort of requirements to all data controllers in the EU? And will it win those hearts and minds or will in alienate data controllers further? Answers on a postcard, please!

An opening salvo?

2010-07-15T20:18:00.002+01:00

After many weeks of joyful distractions, Matron just spent a few days concentrating on the day job and, among other things, dutifully worked her way through the EU Working Party’s Report on the implementation of the Data Retention Directive. At the risk of teaching grandmothers to suck the proverbial eggs, that is the small innocuous piece of EU legislation that requires EU member states to impose an obligation on its telco providers and ISPs to retain all data relating to the telephone call made and e-mails sent by us, the Great Unwashed. Sender, addressee, time of transmission, location of transmission – you get the picture. As will the law enforcement authorities and selected others who may access that data. The full picture. Of all of us.

While the WP’s report does not include the comprehensive condemnation of the Directive that many were hoping for, it makes for interesting reading. Of course, the easy explanation for the lack of condemnation may possibly be that there was nothing to condemn as yet. According to the report, only a few member states did provide the requested information regarding the number of requests submitted to providers, the cases where the requested information was provided and those where the provider was unable to make available the requested data. Nor is data available about the time elapsed between the date on which the data were stored and the date on which the authorities requested transmission of said data. As the WP rightly points out, this lack of information makes it somewhat difficult to evaluate a) whether the prescribed retention periods are realistic and b) whether the mandatory retention of traffic data is actually necessary to combat crime and terrorism. In an ideal world both of these questions should obviously have been asked before the Directive was adopted, but when did evidence-based policy making last get in the way of a good lobbying campaign (the British DEAct debacle is a point in case)?

The fact that the questions are asked only now, when the Commission is seriously considering either revoking or at least substantially amending the Directive, may make for some amusing debates. Matron wonders in whose favour this lack of information will be interpreted. Will member states pipe up that it is far too early to even consider a revocation, given that we do not yet know, whether the sodding thing worked in the first place? Or will the Commission - as it should properly do - remind law enforcement authorities that the burden of proof of showing that retention is necessary is on them. No statistics, no further retention? That would be the day.

But while we wait for this issue to resolved, here’s a short summary of what Matron considers to be the highlights of today’s report:

1. Very interestingly, the WP interprets the DR Directive as a derogation from the general requirement on providers to erase all traffic data when it is no longer required for billing purposes. It takes this to mean that the list of data to be retained under Article 5 of the Directive is exhaustive and that member states must not require ISPs to retain any additional data categories not mentioned in the Directive. This is likely to come as a bit of a shock to those member states which, like the UK, have shown an interest in using domestic law to impose retention requirements for traffic data generated by users of social networking services and search engines. Of course, things have changed even in the UK and we live in an entirely new political environment now. But Matron seems to remember the write up of a meeting of a parliamentary committee circa 2008 where laws of that nature were demanded by a number of Tory MPs and peers. Despite the coalitions promise that it “will end the storage of internet and email records without good reason”, it all depends – as better minds than Matron’s have already pointed out – on how you define “good reason”.

2. Although, the DR Directive gives member states a choice to impose retention periods from 6 to 24 months, 78% of member states actually require the retention for 12 months or longer. The WP seems quite concerned about the discrepancies in retention periods between the different member states as this impacts on the principle whereby EU citizens “can enjoy throughout the European Union the same level of protection”. It also means that the costs to be borne by providers can differ considerably from country to country which, in turn, may affect competition. Matron is sure that this fact was pointed out to the law makers when the Directive was first adopted but, of course, she may be wrong here.

The interesting question arising from all this is this: if the WP favours a harmonised (i.e. applying in all member states), single (applying to all data categories) and shorter retention term and given that the German Constitutional Court has already quite categorically stated that it deems anything above six months to be unconstitutional under German law, is this the best indication yet that we are heading for a harmonised 6 months retention period? Not ideal, but definitely “bird-in-the-hand” material.

Scarily, the WP also found that there were some serious violations of existing laws by the provider. First, it found that in some cases data is actually stored for longer periods than those set forth in the DR directive. In some cases data was retained for as long as 36 months, and in one case the storage period was found to amount to 10 years. Secondly, the WP found that one EU member state (which was not named) actually used DR Directive to retain the content of SMS messages to which the security services were then given access. Matron can only hope that infringement procedures will be commenced against that member state forthwith.

3. It seems that the security measures taken by individual providers vary wildly with bigger providers generally found to employ higher security measures. No surprise there, given the cost of putting in place such measure, but it’s nice to see that conclusion in black and white nonetheless.

4. The extent to which, and the way in which, access is granted to law enforcement and other public authorities also seems to vary. So much so that the WP calls for inclusion of provisions in a revised Directive that would regulate the modalities of access. Among other things, it recommends that:

a) data should only be accessed by duly authorised staff

b) strong access control to the retained data should be maintained; and

c) detailed tracking of accesses and processing operations by way of log retention, via logs recording at least user identity, access time, file acceded should be carried out.

Another announcement from the Department of the Bleedin' Obvious then but - in the WP’s defence - it has always advocated that access to retained data should be addressed in the same legal instrument as retention. But on this, as on many other issues, opponents were outmanoeuvred during what is still the shortest EU legislative procedure on record. Which plays no small part in the current problems those opponents have in persuading a court – any court – to accept the Directive and its implementing laws for judicial review to establish once and for all its human rights credentials. Maybe, just maybe, the EU institutions will see sense when negotiations of the Directive are opened up once again. And maybe the porcupine flying squad will presently take off at the back of Matron’s garden.

5. We all felt it on some level of inner consciousness, but now we know for sure: the definition of what constitutes “serious crime” (for the prevention of which data may be retained) is different in each member state. Which means that different member states have taken different approaches to the purposes for which retained data may be accessed (unless, of course, you live in the UK or in Germany, both of which have dispensed with the “serious” bit altogether – albeit that Germany was told “nonononono” by its Constitutional Court. No such luck in Britain). The WP recommends that, at the very least, each member state should have an exhaustive list of crimes that it considers to be “serious” and that, at best, this list should be harmonised at European level.

6. The WP thinks that the decision of whether or not law enforcement authorities should be given access to retained data should be up to judicial authorities. It seems a reasonable demand, but, of course, it would generally exclude all those members of the executive (like ministers, police superintendents, senior officers and duty managers) that are currently persons designated to request access to traffic data under the UK Regulation of Investigatory Powers (Communications Data) Order 2010. So what are the chances of this finding its way into a revised Directive? Who knows.

Overall, Matron can't help thinking that the WP’s report reads like a giant exercise in “I told you so”. Will it be enough? Do we have the right narrative this time round? Matron isn't sure. But it’s a start. An opening salvo. Next!

Kylie cocktails all round!

2010-07-08T16:29:00.002+01:00

It must be National Common Sense Week. In the last two days, Matron has noted not one but two positive developments in the area of civil liberties.

Today, the Home Office came out with the surprise announcement that it would suspend the dreaded section 44 of the Terrorism Act 2000 under which police officers were able to stop anyone in a designated area without having to show reasonable suspicion. According to the Guardian, the powers were used on more than 148,798 occasions which leads Matron to believe that this includes more than it's fair share of "driving-while-black" incidents. Admittedly, the decision follows a decision by the European Court of Human Rights in January that the powers were too extensive and therefore unlawful. What is particularly heartening, however, is that the announcement was made only a day after the fifth anniversary of the London bombings, normally - Matron would expect - a trigger for the introduction of more security theatre like measures.

Not wanting to be outdone, the Supreme Court then decided yesterday that gay and lesbian asylum seekers have the right to remain in the UK, if there is a danger that they would be persecuted for their sexuality in their home countries. The Home Office has apparently accepted the ruling and has confirmed that the policy would be changed with immediat effect. Of course, the proof of the pudding will be in the eating, but such a quick and humble reaction is sure to be commended. Long may the civil liberties honeymoon of the coalition government continue.

Matron first read about this development in the Guardian, a paper she can generally read without the risk of increasing her blood pressure to dangerous levels. However, even as she read it she wondered what the Daily Mail would make of this. Today she checked and in true form the country's most cherished chip wrapper has its priorities dead right. Gays can stay, it quotes one of the judges (who surely should have known better) because "they must be free to enjoy Kylie concerts and cocktails". Nothing to do with the threat to their life and liberty in countries like Uganda and
Malawi.

On the other hand, Matron cannot shake off the feeling that we are paying a rather high price for these victories. With news of ever more asinine spending cuts, she fears that things in her part of the country will become very unpleasant very soon as a growing number of people experience the direct fallout of policy measures deviced by peole who have no real experience of life on the breadline. So while we still can: Kylie cocktails all round!

Pointing out the GRINDRingly obvious

2010-07-05T16:36:00.002+01:00

Matron was happy to see that despite the England defeat, Germany’s victory against Argentina prompted much of British media to heap praise on “die Mannschaft” for the quality of their game, their organisation and their efficiency. This idea of quality, organisation and efficiency is one that Matron often encounters when talking about German virtues to her British neighbours (“German cars are the best”), handimen (“I would always only recommend a German [boiler][washing machine][shower]”) and colleagues (“I timed every stop and the train was always on time”). Surely, were we to think of an animal that best represent the national stereotype, it would have to be an ant colony.

Of course, that sort of organisation and efficiency has its downsides when put to the wrong use. Many of the atrocities against the Jews and other minorities were substantially facilitated by the well organised nature of the German authorities’ citizens archives. The totalitarian regime in the former GDR was made possible throught the giant surveillance machinery with which the Stasi controlled ever aspect of the citizens’ life. Many of the documents from the Stasi archives were shredded by the Stasi just before the Wall came down and the remains of those shredded files have been collected in thousands of black bin bags. For the last few years, the documents have been reassembled in a warehouse in Nuremberg in a painfully slow manual process that is expected to take a few more centuries unless current plans to develop a system for virtual reconstruction are successful. Such is the sheer scale of the information held by the regime.

Matron has always wondered what would have happened if both the Nazis and the Stasi had had access to modern day information and communication systems. Centralised or fully networked systems that would have allowed instant access to information to almost ever member of the regime. What would it have meant for German citizens, and what for those who dissented?

Matron – in one of the weird cross-species jumps that her mind sometimes performs - was reminded of this when she read an article in yesterday’s Observer about the rise among gay men in the use of Grindr. Grindr, for those who , like her, are hopelessly out of the popular culture loop, is a “free downloadable iPhone app” which uses GPS technology to permit its members to locate “gay, bi, curious guys for free near you!". It invites you to download its app onto your iPhone and to “upload your pic and build a profile”. After that, each time you switch on the app, up pop the pictures and profiles of any other Grindr user in your immediate vicinity. The app then lets to you chat to them or approach them in person.

Matron strongly suspects that the social encounters resulting from this groundbreaking technology will not take place over a cup of coffee (at least not in the first instance). But before coming over all Daily Mail-ish, let her assure you that it is not the corruption of sexual mores or the leading astray of impressionable young children that she is concerned with.

No, Matron’s initial as-per-usual Luddite reaction was “Are these people insane?” The privacy implications of “proximity dating” technologies like this are mind-boggling in any case. Combine that with the fact that these guys are effectively broadcasting their sexuality to the nation and this should be enough to bring anyone with a slightly above average level of paranoia out in hives.

So, before everyone lines up in an orderly queue to follow Stephen Fry over a cliff (God knows, Matron loves the guy, but his gadget obsession and his love for all things Apple make her despair sometimes), here’s a few questions, Matron would like Grindr users to ask themselves:

How much do you actually know about the guys you’re about to meet? It’s a free app that requires little in terms of identity verification, least of all verification of the fact that they are actually “gay, bi, curious”. It can be used by anyone. That hot guy coming on to you? His mates could be waiting around the corner and their sole aim of using Grindr may be to kick your head in. According to the BBC, homophobic crime in London has risen by nearly a fifth in 2008/09 with gangs attacking people outside gay bars in east London on a number of occasions. In the US, which in these things - as with most new technologies - is a step ahead of us, LGBT groups have already voiced concern about an increase in “pick-up violence” targeting gay men “who use websites, chatlines and phone applications to meet other men for dates”. Of course one could argue that you take a similar risk by using other gay dating services. But at least those services do not require you to emit a rainbow coloured beeping signal to every passing thug looking for a bit of fun on a Saturday night.
How long is it going to take until technology like this is used by younger people, particularly those still in school? And how much longer, again, until it becomes a tool for homophobic bullying? Cyber bullying is on the rise in the UK. A recent survey showed that 20% of Year 6 students had experienced some form of online harassment from other students. At the same time, according to Stonewall, “almost two thirds (65 per cent (75% in Faith schools)) of young lesbian, gay and bisexual people experience homophobic bullying in Britain’s schools”. Put the two together and you have a potentially explosive combination.
What is Grindr going to do with your data? And who might be interested in that data in the future? Remember, you are effectively adding yourself to a giant list of gay people that is held in a database owned by someone over whom you have no control. Grindr, Matron repeats, is a free service. How does it make money? It will most likely be able to track with whom you have been chatting, thus building up a picture of your social network that it may be able to exploit commercially. It may decide to sell that information (have you read the Terms & Conditions?). Its database might be hacked. The police, security services or other public authorities may decide that they should have access to it (there are already developments under foot to force social media providers to retain, and provide public authorities with access to, certain traffic data generated by their members). It’s the sort of information, for which homophobe totalitarian governments would literally kill. Imagine how convenient this would be for a government in a place like Uganda?

Of course one could argue that the existence of an app like this is also a sign that we may finally have reached a point where gay people feel able to live openly in a society that has become more acceptable of homosexuality. It is true, homosexual acts are no longer criminalised, we have anti-discrimination laws and the straight community has at long last agreed to share their constitutional right to state-sanctioned misery with us by granting us the right to enter into civil unions (and to dissolve them pronto, as we see fit). Some of us may feel a slight feeling of unease at the thought of the ConDem Alliance, but very few seriously believe that the new coalition will try to turn back the tide on gay equality. But it ain’t all cavorting bluebirds and melting lemon drops yet, folks. We are still a long way from Emerald City. Religious fundamentalism is on the rise in Britain. Certain employers can still sack you or refuse to employ you because of your sexuality. The social stigma prevails in many communities. In the US, gay men are still not allowed to give blood. And the number of people who are too afraid to be out to their families remains far too high.

And we none of us have a chrystal ball to show us what the future brings either. Things have gotten better for so long now, that we have forgotten that there may come a time where they get worse again. It seems unlikely now but shouldn't we at least be prepared for the possibility? So this is a reminder to all gay men out there to not let yourself be ruled by your appendage to a point where it clouds your sense of caution and self-preservation. It’s a brave new world out there. Be safe, don’t be stupid!

Notes from under a virtual stone

2010-06-26T09:37:00.003+01:00

With the inevitability of English summer rain the footballing scenario that Matron most feared has come to pass. On Sunday, England will once more play Germany in the World Cup and for Matron this means that the time has arrived where it is prudent for members of her national persuasion to hide under a stone. Despite manifold assurances by her English chums that not everyone will be filled with feelings of hostility towards her breed (though, bless you all for saying it and keep’em coming) those of us who have lived here for a while know that this is no time to be an out and proud Kraut in these parts (and if anyone could tell Beckenbauer to shut up, that would also help).

However, while dwelling on the good fortunes (or not) of the 11 “Lions” is bound to be the water cooler moment of choice until at least Monday, the yearning to hide under a stone actually reminded Matron that this is a concept she has mentally employed for some time in another context, namely her online existence. Those of her readers who paid attention (all three of them then) will have noted that Matron blogs under a pseudonym and that her blogger profile includes exactly zero information about her real life persona. She has taken the same approach to her Twitter existence where she has so far admitted a total of two followers – both of them known to her in real life - to her otherwise strictly private account. In other word, she lurks.

Now, the question of online anonymity (or pseudonimity) is an interesting one. Does it serve a purpose or is it a hindrance to fame, fortune and lucrative consultancy contracts? Should all online activity be open, transparent and accountable or is there something to be said for reticence and inscrutability? Matron wonders and ponders and has done so for some time. While many of her academic friends have made names for themselves as bloggers and Twitter power users (and encouraged her to do likewise), she has chosen to remain shrouded in obscurity - largely out of a nagging feeling of unease about what this particular “coming out” would mean for her. So what is the problem? Well, as far as she can tell there are several:

As Daniel Solove pointed out in his excellent book “The Future of Reputation”, all online information is ubiquitous and permanent. Once it’s out there, it cannot be recalled nor can access to it be properly limited. With powerful search engines and information aggregators working to their own rules and algorithms, individuals no longer have any control over the way in which information about them is presented to the inquisitive onlooker, how it is prioritised and what it will be used for. This means that there is a real risk that a false or distorted picture is painted of an individual which is then accessible to an audience of millions, and based on which others (like employers or potential dating partners) will make value judgements. We all do it, and yet, Matron asks herself, is there not a moral question in there somewhere that needs to be answered. At what point does our ability to freely access information about other people make us incapable of judging them in an unbiased fashion, particularly if someone’s online persona is not actually representative of the person that they really are. When does “googling someone” turn into a human rights violation, for example because our accumulated prejudice means we don’t grant them equal treatment? Matron can’t help thinking that until rules or social mores are established that limit the way in which and the purposes for which information available online is used, any attempt to minimise the information available about oneself online seems a sane approach.
Blogging under a pseudonym creates a feeling of relative freedom. The blogger may work in a position where his or her opinions would not be well received or they may actually enjoy being someone completely different online. A pseudonym makes this possible. It also encourages playfulness. Using her pseudonym, Matron can try out ideas that she may not always be ready to discuss online under her real name yet. It allows her to have a full and frank exchange of opinion with others that often help her clarify specific issues in her mind which she then addresses in her academic writing. But what about accountability, some may ask. Shouldn’t people who sound off on things have the courage of their convictions and don’t others, when they engage in discourse with them, have a right to know who they are talking to? Matron would answer “what does it matter?”. If the discussion is on a specific topic, why is it important who the discussants are? As long as both stick to acceptable standards of human interaction, arguments can be made, examined and countered without one person necessarily knowing who the other person is. Of course, the identity of the speaker may weigh either in favour (if they are a known expert) or against (if they are a renowned crank) the argument they are making. But doesn’t this knowledge also (again) lead to bias and prejudice? Don’t we sometimes find that the best ideas come from people from whom we did not expect them? Should we not be able to examine a statement on its merits, rather have our judgement clouded because we know it was made by a particular person? But what if people hide behind their pseudonym while distributing hate speech or false or defamatory statements? Well, this is where the difference between a pseudonym and full anonymity comes into play. Matron is fully aware that if she made, say, a defamatory statement, the person so defamed would probably have a right to find out her identity from the online provider whose service she used. Matron has not made up a fake identity for this blog and she does (she thinks) support a level of online traceability rather than a right to full anonymity. The reasons for this are simple: while the bloggosphere and the Twitterverse are relatively new developments, the right to free speech (and its limitations) are established legal concepts in the offline world. There are very few offline scenarios, where speech, in order to be free, would have to be made anonymously. In most contexts, the speaker would be, if not immediately identified, then identifiable and the right to participate in public discourse is, in most cases, subject to an understanding that commonly accepted norms (whether legal or social) will be in place which enable the detection and prevention of the kind of speech that is not covered by the human right. (Advocating a traceability requirement does, of course, only work if the relevant statement is made within a liberal democratic context. Citizen journalists operating in countries with autocratic or totalitarian governments will hardly be able to do their job properly, if they are traceable.)
Social media have managed to blur the distinction in the heads of many users of what is public and what is private space. As the recent furore around Facebook’s privacy settings shows, providers have created platforms that feel intimate, yet are often accessible by many more people than the individual is aware of. It seems that most users have not yet found a way to deal with the resulting confusion when sharing information about themselves and others. Twitter is a point in case. Unbeaten as a modern form of news feed cum commentary tool, many people have started to use their open tweets rather than the direct messaging function for direct communication with other users. This means that – with a few extra clicks - the “conversation” between those two users can be followed by all their followers, of whom there may be hundreds if not thousands. Are we always aware when we’re doing it? Heck, no! Do we care? Well, in some cases we may. In some cases, we probably should, particularly if we don’t at all times personally know all of our followers. Members of social networking sites also distribute far more and far more intimate information about themselves and others than they would ever be willing to share offline. At this point, we still seem to lack social norms equivalent to those in the offline realms that govern the sharing of information about each other. Matron believes that we do not yet have an internal censor that tells us that certain information “is not for the internet” or social sanctions enforced by our friends if we violate an unwritten code of online conduct (she may be wrong here and, particularly younger, people may well feel that they are well on their way to such norms. If that ewere the case, Matron would be happy to receive examples). Nor do we have a proper understanding of just how widely the information we disclose about others is being distributed or the speed with which that can be done. A pseudonym that is only known by people we know and trust ( and that is respected by them, see below) enables us to protect ourselves against the worst effects of compulsory over-sharing until the necessary social norms have developed and are properly enforced. Gossip about something that happened to “X” remains gossip about the event rather than the individual.
A pseudonym provides limited protection from trolls. Of which there are many in the online world. Indeed, it seems to Matron that one of the bigger problems with the regulation and governance of online social spaces is that – despite all the attempts at netiquette - there is as yet no common understanding regarding the social norms with which individuals should comply. Things are commonly said on online discussion boards that would never be said, if the people involved were making those statements face-to-face (by the same token, we wouldn’t send a double-glazing sales man round to a friend’s house, but we give him their e-mail address for the chance to win a competition). What is the reason for that? Well, Matron would hazard a guess that the online medium removes us from the immediate vicinity of the other person. We do not have the unmediated experience of witnessing the effect our actions have on them first hand. Naturally, unqualified comments can be made even if the blogger’s real identity is unknown. But a pseudonym is at least likely to deter those who play the person rather than the ball.

A pseudonym does, of course, only work if it is effective. And herein, as they say, lies the rub. With every piece of information that Matron discloses about herself - her nationality, her gender, her profession and her whereabouts at any given time - she makes it easier for those who know her in “real” life (and any halfway talented private eye, where they to make it their business to look for her) to identify her as the person behind the blog. She expects that, over time, the anonymity that the pseudonym provides will simply melt away and with it some of its protection. However, Matron is not actually too worried that friends, colleagues and even passing acquaintances may know who she is. Many do already and include references to her pseudonym in their online conversations. What Matron – admittedly very subjectively - is concerned about is the transition of that knowledge from (wo)man to machine, that is the creation of an online link between her real name and her pseudonym which would make it possible for the search engines and information brokers mentioned above to incorporate anything she says in this blog into the profile they create for her real life identity. This will only be possible if one of the people in the know makes that connection public or if the provider of the blogging platform makes Matron’s personal information accessible for that purpose. Should either her friends or her service provider be permitted to do this? Matron thinks not. Some people like to blog openly and benefit from the reputation they build, some prefer to remain anonymous and enjoy the freedom and the feeling of safety this gives them. It’s about choice and it’s about control. It’s about what the Germans call informational self-determination. They protect in their Constitution and we over here enjoy some protection through existing data protection laws. However, what we also need is an equivalent social norm that requires each of us to respect the other’s choice. We do it offline, because there'd be hell to be pay from our friends if we didn't. By and large social pressures keep us in line. We need to work on an online version of that subtle control mechanism.

For as long as powers imbalances exist between different individuals, individuals and companies and individuals and the state, most of us will prefer to keep some information about ourselves private or within the domain of a few trusted individuals. Everybody has something to hide. Information about ourselves and others is not something with which we do, or should should, part unthinkingly. In our networked society we are now all data controllers so the responsibility falls on all of us. Within the realms of free speech, press freedom and the public interest we must begin the discussion of how to establish and enforce online social norms that respect individual's freedom to choose their own level of openness. If we don't, we may at some stage feel like the England goal keeper as he watched that ball slowly finding its way into his own goal.

Q: When is a fine not a fine? A: When it’s legal fees.

2010-05-25T12:49:00.002+01:00

Although she is late off the mark with this, Matron can’t help being somewhat irked about the level of cross-cultural misinformation surrounding the German Supreme Court’s decision on open wi-fi networks. A number of commentators, including Outlaw and the SCL Editor’s blog reported that the court has "fined" the owner of a wi-fi network because he did not secure it with a password and it was used to download music without the copyright holder's permission. Even though Outlaw then makes it clear that the “fine” consisted in the payment of legal fees, this does little to divert from the sense of uproar instilled by the article’s headline. So what actually happened?

A musician had sued the owner of a (private) unsecured wi-fi connection because his connection was used to illegally download that musician’s music. The owner of the wi-fi network could prove that he had been away on holiday at the relevant time and was understandably upset at being held responsible for that unlawful activity. As far as Matron could ascertain (the full decision has not yet been published), the musician sued the owner on two counts: (1) for payment of damages in respect of the unlawful use of his music and (2) for omission of the behaviour that enabled the unlawful activity to take place (that is, leaving his wi-fi open). The claimant's lawyers, who had been instructed to enforce the claim, also requested payment of their legal fees, incurred in relation to the sending of the letter requesting payment of damages and omission.

The court held that:

1. The owner of an open wi-fi network did not have to pay damages unless the claimant could prove that the owner himself was involved in the unlawful activity (rather than just enabling it by leaving his wi-fi network unsecured).

2. The owner of an open wi-fi network was under an obligation secure his wi-fi network by taking the technical steps deemed adequate at the time of installation.

3. The owner of an unsecured wi-fi connection was liable for the legal fees of a claimant who could prove that this enabled behaviour that damaged the claimant’s rights. However, the court capped the fees that a claimant can claim in this respect at 100 Euro.

There has been a lot of huffing and puffing about this decision from all corners of the internet with many predicting that this is going to be the thin end of the wedge as far as online copyright enforcement is concerned. But before we all jump to that conclusion, lets put the judgement into its proper legal and cultural context.

To start with, the fact that the defendant in this case was not found liable to pay damages to the claimant is surely a positive and well-reasoned step in the right direction. The owner of a wi-fi network may be under an obligation to secure that network, but he will not become vicariously liable for any unlawful activity that other people use it for. Claims that the court has created a new intermediate liability for private individuals are therefore wildly exaggerated.

Of course, the decision is not without its problems. In this particular case, the defendant could prove that he was on holiday when the illegal activity took place. But what happens in cases where that isn’t possible? What level of proof will be required from the claimant? Might there even be, heaven forbid, a reversal of the burden of proof whereby the owner of an unsecured wi-fi network will have to exculpate himself? For the answer to those questions we will have to wait for the next judgement, I’m afraid. But stranger things have happened at sea and in German case law and we would do well to keep a watchful eye on developments.

Secondly, the German court has unequivocally stated that he who runs a wi-fi network must secure it. This is the point that many find disturbing, but given the existence of certain longstanding private law concepts (in particular the concept of “Störerhaftung”), it will not come as a surprise to anyone qualified in German law. “Störerhaftung” effectively means that if you create or operate something that is likely to infringe the rights of a third party, then that third party has the right to request you to stop creating or operating that something (the right to claim an omission).

Other examples for this type of claim include the right of a property owner to stop someone from building a factory next door which emits dangerous fumes or preventing the owner of a neighbouring property to set up a building that blocks all his light or television reception. In relation to online activity, this concept has long been the basis of intermediary liability of ISPs, website hosts and platform owners (whose liability is then in turn limited through the provisions implementing Articles 12 to 14 of the E-commerce Directive). We may not appreciate the end result, but like the courts in other countries German courts must enforce and interpret statute law (in this case section 1004 of the German Civil Code), and with a lot of interpretative history in this area, it is relatively easy to see why the Supreme Court decided as it did.

At the same time, one could argue that the court has also set the bar for avoiding this sort of liability fairly low. All it requires is that, at the time of installation, owners install the most recent form of security (which should normally be what the router comes with anyway) and change the factory-set password to a personal one. If they do that, owners can run the thing for as long as they want, security measures can improve vastly during that time, but they are under no obligation to upgrade or even check it. They only have to do it once.

Now, this comes as no relief to:

people like Matron’s mother who would not know how to install security if it hit her in the face with a large stick (fortunately the nice man from Deutsche Telekom did it for her, and Matron expects that ISPs will take this judgement as an opportunity to widen their service offerings in this area),
cafes and other outlets who run open wi-fi systems (although the question here is whether the court will accept other ways to secure those networks, like an additional requirement to sign in), or
individuals who believe in open wi-fi.

However, maybe we should put our preconceptions aside here for a bit and ask ourselves whether, all things being equal, it is not a fairly rational demand to ask people to secure their wi-fi? Matron is all for an open network, but the fact of the matter is that that network can be used for good or ill. We are not only talking unlawful downloads here, but other things like the organisation of criminal networks, terrorist activity and the distribution of child pornography (and if readers could please take a moment here to comprehend Matron’s pain at having to play the kiddie porn card).

It is very nice that we may want to share. Sharing is good and fun and kind and we should all do it more often. But if we left our car unlocked with the keys in the ignition, knowing that any passer-by could help himself to it, would we really expect to escape liability if that passer-by turned out to be someone without a driving licence who then causes an accident? Of course we wouldn't! We accept that we are expected to take certain precautionary measures, both to protect our own property (and lets not forget that an unsecured wi-fi is also an open door to our own information) and that of others. Why should things be different online? Go on folks, move with the time!

Finally, let us turn to the small question of the “fine”. Of course, if you categorically believe that owners should be allowed to run unsecured wi-fi networks, then having to pay someone else’s legal fees just adds (financial) injury to (ideological) insult. However, those of us who see some wisdom in a requirement to secure a wi-fi network must try to evaluate this part of the judgement more reasonably. For this Matron has to dig a little deeper into the way German lawyers are paid.

Lawers’ fees are generally calculated on the basis of the “case value”. A fee table exists which sets out the amount a lawyer can charge for a particular action (for example, sending a letter before action or serving a writ) relative to the case value. The way that case value itself is calculated is relatively easy in cases like debt collection (the amount of the debt owed) but more complicated in relation to other situations. Before 2008, the way in which the case value of copyright cases was calculated had more to do with the premise of “what-can-I-get-away-with?” than any comprehensible tabulation and the courts in fact accepted case values of 10,000 Euro (proposed by the lawyers for the claimant, of course) for relatively minor infringements. This meant that potential infringers of copyright who received a lawyer’s letter requesting them to cease their infringing behaviour were, at the same time, asked to pay hundreds if not thousands of Euro in legal fees for the pleasure. This, is turn, led to something that can only be described as “fee-farming” with law firms sending hundreds of similarly phrased letters to people accused of infringement (for example, if they displayed photographs of a protected mark on eBay to sell their old household goods) just for the money it brought in. In September 2008, a new law was adopted to counteract this practice. It limited the fee that lawyers can charge for such letters to 100 Euros. The “fine” the court imposed in our wi-fi case was therefore nothing more than the application of a new law that was brought in specifically for the purpose of consumer protection.

This doesn’t change the fact that 100 Euro is still a lot of money for some people. But it beats the hell out of the threatening effect that a bill for 1,000 Euro would have had. And - Matron must come back to this fact - it can be avoided by taking a few simple security measures when you first set up your wi-fi network.

So here we are then. Was this a scary and dreadful judgement? Matron doesn’t think so. In an ideal world we could of course all leave our windows open and our front doors unlocked while we swan off for a three-week holiday in the Caribbean. But that ideal world we have yet to create. Back in the real world, we make damn sure that we have left our car in a secure car park, engaged our five-lever mortice locks and switched on the alarm. It’s common sense, really, and maybe we could do with a bit more of that online.

Drove my Chevy to the levy but the levy was dry...

2010-04-08T11:20:00.005+01:00

It's almost laughable that it took two evenings of BBC Parliament coverage to get Matron out of her work-induced hibernation. But having watched the whole sorry spectacle of the "committee stage" of the Digital Economy Bill last night she is not sure who she despises more: the (many) MPs who did not turn up at all or the ones who allowed themselves to be herded in from the pub like cattle for the final division by a defunct, decrepit government.

For those who do not know yet, the Digital Economy Bill, a most complex piece of legislation which even highly specialised experts in the field of law and IT have difficulty to understand in its entirety, was rushed through Parliament last night in a dubious process called "Wash-up" and approved in third reading by 189 to 47 votes. During the entire debate, both last night and the night before, the number of MPs present in the Chamber never seemed to veer above 40 when suddenly, around 10.30 pm, it seemed to be kick-out time in the neighbouring, alcohol-serving establishments and hordes of people streamed into the hallowed halls, laughing, joking and generally seeming to enjoy what may very well have been the last time they all got together in this format. Then they locked the doors and the backroom deal negotiated between the front benches of the two biggest parties became enshrined in Hansard history.

The problems with this Bill have been described in mind-boggling detail by brains more engaged with the subject matter that Matron's (for some of the best coverage, see the blog of the formidable Pangloss), but now that another battle against a Parliament which acts in blatant disregard of its constituency - safe in the knowledge that the constitutional concept of parliamentary supremacy (combined with modern party discipline, money-saturated lobbyists and procedural tools such as Standing Order 14) gives the governing party the right to do almost anything for as long as they are in power - it is time for the both the electorate and the elected to learn some uncomfortable lessons.

Riddle me this, dear political representative, if the signature of 23 "business leaders" on an open letter requesting the scrapping of a national insurance increase is enough to get all parties putting out endless press releases, why do 20,000 letters written by ordinary citizens to their MP about the risks and dangers of unpopular piece of legislation not have the same effect?

A look at the division list of shame should be compulsory for every media journalist and some names deserve to be mentioned in particular:

Derek Wyatt, LAB, who should know better having chaired the All Party Parliamentary Internet Group for years and who was instrumental in setting up the Oxford Internet Institute, inexplicably voted for the bill. He has nothing to fear from his front bench since he is not standing for re-election, so why?

John Redwood, CON, who harshly criticised the government in second reading for rushing the bill through wash-up, then failed to let his vote follow his political point-scoring. He did not turn up at third reading and vote against the bill as his comments would have suggested (he was in the HC in the afternoon during the debate of the Finance Bill where he made similar comments).

The 44 LIB DEM MPs who, despite their party leaders' assurance that the party would take a stand against the passage of the bill, apparently did not hear the division bell ringing: Nick Clegg, Danny Alexander, Norman Baker, Annette Brooke, Des Browne, Malcolm Bruce, Lorely Burt, Vince Cable, Ming Campbell, Tim Farron, Andrew George, Sandra Gidley, Julia Goldsworthy, Nick Harvey, David Heath, Paul Holmes, Martin Horwood, Chris Huhne, Mark Hunter, Charles Kennedy, Susan Kramer, Norman Lamb, David Laws, Michael Moore, Greg Mulholland, Mark Oaten, John Pugh, Alan Reid, Willie Rennie, Dan Rogerson, Paul Rowen, Adrian Sanders, Robert Smith, Andrew Stunell, Jo Swinson, Matthew Taylor, Sarah Teather, Steve Webb, Roger Williams, Stephen Williams, Mark Williams, Phil Willis, Jenny Willott and Richard Younger-Ross. They may not have been able to add much to the debate, but their presence (and vote against) would have made the government's victory much less impressive.

The Tory and Labour backbenchers (of whom there are to many for Matron to list them all) who will have received full postbags and e-mail inboxes from their constituents begin them to intervene and who did not feel it necessary to do the one part of their job (for which - as we all now know - they are handsomely paid) that surely is the raison d'etre for their existence: turn up, debate and vote for or against legislation. Anyone in the private sector would be sacked for such behaviour.

On the plus side, as many others have observed before, this bill has probably done more to bring the shortcomings of the UK's parliamentary procedure to the attention of the silent majority than any other in recent history. Thousands of people will have watched the debates on television and via the internet and it is to be hoped that those people, rather than return to their normal lives in frustration and resignation, will use their pent-up anger to come together and demand constitutional change.

The next step has to be to identify all those who did not attend or who did vote in favour of this insidious bill and who stand for re-election in May and to inform them in no uncertain terms that they will not get our vote unless they give some guarantees that they will what is necessary to ensure that the Bill is revisited as soon as possible in the next Parliament. If the ballot box is really the only way in which ordinary citizens can hope to have any effect on the political decisions made in this country, make sure that you do not pass on that right.

Here's to a hung Parliament and a lively and much needed debate about proportional representation!

Gordon Brown's been "Jim Hackered"

2009-05-06T22:36:00.005+01:00

On a topic entirely unrelated to privacy, Matron wonders if she is the only one who thinks that Gordon Brown has been completely "Jim Hackered" by Joanna Lumley on the Gurkha issue. Watch this video of the statement she gave after her meeting with the Prime Minister today and compare her strategy with that used by the famous TV Minster at the end of the "Big Brother" episode when he finally gets one over on Sir Humphrey. To quote young Bernard Woolley: "I'd say, 'Checkmate!'"

Principiis obsta et finem respice!

2009-05-01T09:55:00.010+01:00

After a long conference and work induced absence, Matron's blogging reflexes were triggered today not by the big important developments of the day (RIPA and IMP consultations, ICO RAND report etc. - maybe more about those later, time permitting), but by a small news piece in the Guardian, which reports that a Brazilian MP has just proposed draft legislation that would force Rio de Janeiro's state government to publish an online list of all HIV carriers. The reasoning behind this proposal is, apparently, a wish to protect medical staff and other citizens from contamination.

It reminded Matron of an ongoing discussion she has with the inimitable Lilian Edwards (currently a pleased-as-punch and fully paid-up member of the "hydra-headed gang of online privacy pirates" whose purpose is to damage behavioural advertising company Phorm. But that, again, is another story.) about the merits - or not - of a general right of disclosure of other people's personal information on the internet. The discussion centred largely on such disclosures by individuals on social networking sites, so, obviously, this potentially state-sponsored Brazilian proposal would go far beyond that and raises a completely different set of issues. But Matron can't help wondering whether some of the same considerations do apply in this context as well.

If we do accept that individual privacy can be restricted to protect some other common good (like a perceived notion of public safety) or individual right (like freedom of speech, expression and opinion), what are the limits? Indeed, are there any limits or should we be able to expose everything about another person, strip them digitally naked so-to-speak, if it serves a justifiable purpose?

As she often does, Matron looks to the German Constitutional Court's for an answer. It's case law defines individual behaviour as falling into three separate "spheres": the public, the private and the intimate sphere. Interference with an individual's privacy in the interest of competing rights is permitted, subject to certain limitations like necessity and proportionality, in the public and the private sphere, but not in the intimate sphere. The Court recognises that in relation to each individual there exists a "core area" of privacy - arising from individuals' human dignity and their right to self-determination and self-development - that must not be touched or interfered with by anyone for any purpose, however well-meaning.

In this day and age, it's a controversial concept with security-conscious state protectors on the one side and freedom of speech advocates armed with "floodgate" arguments on the other, both questioning its legitimacy.

But can there really be a right to information about another individual - and a right to spreading that information - in the same way as there should be a right to information - both collecting and disclosing it - about the activities of governments and public authorities (the latter, of course, being the notions that underpin Freedom of Information legislation and the right to the freedom of the press)?

But governments supposedly work for us and the transparency and accountability that are the ultimate objective of these rights of information gathering and disclosure are necessary to even out the unequal power relationship between the state and the individual. They are part of the system of checks and balances that is meant to stabilise our democratic political system.

Can the same really be said about our relationship with other individuals and can there be a right to gather and disclose information about our friends, acquaintances, enemies as well as people we barely know or don't know at all? Again, what would be the limits of such a right? Indeed, is there, should there be, a limit at all? Where does citizen journalism end and -seemingly inconsequential but potentially damaging - gossip begin? And what new power relationships - some open, some hidden from view - are we creating or re-creating in this brave new online world?

So resist the beginnings and consider the end. Or should it be the other way around?

Of geeks and men

2009-03-27T11:56:00.003Z

Matron just returned from a few days in Athens where she attended the inaugural WebSci'09 conference. For the blissfully ignorant, web science is the latest project of WWW Godfather Tim Berners-Lee and the newly made up Dame Prof. Wendy Hall (yes, this really is the correct title, there's nothing like a dame, as we all know). A few years ago, they got together to create the Web Science Research Initiative (WSRI - apparently pronounced Woozri according to Dame Wendy) with a view to bring several research areas together to form a new academic discipline.

Matron was warned before she travelled that she would meet some hardcore geeks there. Real geeks that is, not like the ones she normally meets who are actually interested in things like law and policy and society and stuff. And indeed, the place was packed to the rafters with creatures who quite clearly may not be able to survive in bright sunlight. But very interesting it was too.

Now, Matron is not sure herself if "a new new discipline was born" in Athens as Dame Wendy apparently claimed during her closing address (Matron could be wrong about the attribution of that statement as by then she was already back in her hotel room, all conferenced out). But the interdisciplinary opportunities are certainly worth pursuing.

What was almost touching, though, was the way in which the hardcore geeks were going about discovering as "new" a number of subjects (privacy for a start) that have been discussed by social scientists, Internet lawyers et al. for more than a decade. Apparently, "web science" is all about the way in which the existence of the web affects society as a whole, as individuals live more and more of their life online. Matron wants to be neither patronising nor scathing, but it seems to her that that particular wheel may already have been invented. Or at the very least been designed in some detail. Nonetheless, the more the merrier. And as the general consensus among tech lawyers and social scientists seems to be that we need computer scientist to think about the issues close to our hearts ab initio, that is when they first inventi new technologies rather than as an afterthought (see, for example, in the area of privacy-enhancing technologies), any cross-fertilisation between disciplines has to be a good thing. So here's to the success of the project - plus Athens certainly was a very nice place to wet the babies head.

Geeks of the world, rejoice!

2009-03-15T19:35:00.002Z

On a much more cheerful note, Matron was very happy to see that the announcement for this year's GikII conference finally went up this week. For the uninitiated, GikII is a conference on the intersections between law, technology and popular culture. It is now in it's forth year and very rightly so, as it is - in the oft quoted words of a regular attendee - "like a normal conference, just without the boring papers".

It has become so popular in the legal geek community that it will also be transported to the Southern Hemisphere this summer: SoGikII will take place ("in a beach hut in Sydney" according to some of its organisers) on 9 June. What's not to love about that prospect? Matron, who has not been able to find the small pot of gold at the end of the rainbow that it would take to fly her to Oz and back is very, very jealous of those who will attend. But then the fact that Northern GikII will take place in trendy Amsterdam this year (17/18 September) is some compensation.

So, in the words of GikII co-founder panGloss, get your geek on and respond to the Call for Papers for either Holland or Australia. The only rule is that "you must not be boring", because, Toto, this ain't Kansas!

The hour draweth nigh...

2009-03-15T18:53:00.002Z

Matron just looked at the calendar and noticed that today is the day when all EU member states must have fully implemented the Data Retention Directive into domestic law - "fully" in this context meaning transposition for internet data as well as for telephony data.

The UK has not yet made that deadline although transposition is probably imminent following the recent publication of the government's response to the relevant consultation (see Matron's previous post on the issue). The good news is that other countries are also still dragging their feet, many of them having waited for the recent ECJ decision in relation to the Ireland challenge (again, see Matron's previous rant on the decision) before deciding whether they should implement the Directive at all, given it's dubious human right credentials.

What with all the excitement, Matron isn't quite sure whether to be pleased or disappointed at a piece of news she picked up at a conference in Salzburg last month, namely that the Austrian government, so far a stern resister of data retention, has now invited the Ludwig Bolzmann Institute for Human Rights in Vienna under the leadership of Prof. Hannes Tretter to draft the Austrian law concerning the implementation of the directive. Now, Matron has had the good fortune to participate in a seminar hosted by Prof Tretter last year, and he did not seem to her to be the kind of chap who would take the human rights issues arising from these measures lightly. On the other hand, the fact that the Austrian government does now seriously consider transposition seems a bit of a drawback for civil rights campaigners.

In a press release (in German), the Institute confirms that it is itself doubtful about the compatibility of the directive with human rights and that it expects further legal actions to be brought in the future, both before the ECJ and the ECtHR. However, in view of the fact that these actions could take years to be resolved and that the member states' obligation to implement the directive continues to exist in the meantime, the Institute is restricted to pursuing a course of damage limitation while, at the same time, considering the potential consequences, both in domestic and EU law, of transposing a legal measure that may violate human rights.

So there may be a smidgen of light at the end of the tunnel, but it remains a very long tunnel!

Should some pigs be more equal than others?

2009-03-13T09:34:00.006Z

The Guardian, among others, reports today that the BBC programme makers might have been breaching the Computer Misuse Act 1990 when they bought themselves a botnet on the internet as part of a programme showing how easy it is for criminals to use those botnets for sending spam or carrying out distributed denial of service attacks.

Well, duh! Of course it is. As Struan Robertson, editor of out-law.com and legal director at solicitors Pinsent Masons explains, never mind the newly revised section 3 offence of "unauthorised access with intent to impair" (which is apparently what security firm Sophos wants to charge the BBC with). Using computers that form part of a botnet to send e-mails or website access requests without the owners' knowledge or consent is likely to fulfill the criteria of a plain-vanilla section 1 offence of unauthorised access. Section 1 requires no mens rea in excess of the knowledge that the access is unauthorised, knowledge which - presumably - the BBC hacks will have had.

But wait a minute, the BBC did it to do good, not bad. Apparently,

"...following its demonstration, it warned users that their PCs had been compromised, and it had closed down the botnet.

If the users pay attention and secure their PCs, they should be better off than if the BBC had not become involved."

That's alright then, case closed, all is well. Robertson again:

"The maximum penalty for this offence is two years' imprisonment. But it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security."

Hmm, that's all well and good and Matron is the last person to deny that there should maybe be room in the world for a bit of "benevolent" or "ethical" hacking. However, historically, the courts have taken a dim view of such arguments, most notably in the US, where Robert Lyttle, a member of hacker group The Deceptive Duo was jailed for four months in 2005 after he was convicted of hacking a number of US government websites , allegedly with the intention of highlighting security failures. OK, the fact that his partner-in-crime, Benjamin Stark, was also convicted of online credit card fraud makes pleas that they acted in the interest of online security, patriotism and world peace sound a wee bit hollow.

But the fact remains that hackers the world over have been been on notice for years, most notably since the adoption of the Cybercrime Convention, that the intention with with they gain unauthorised access to someone else's computer is neither here nor there. Which means, presumably, that the integrity of the computer system itself is seen as the protected good here and not a woolly notion of some abstract good or evil that will be achieved by hacking the system (a point, incidentally, which was made beautifully in a completely different context by the German Constitutional Court last year, when it created the new basic right of "security and confidentiality of information technology systems").

So, should we really have one law for the BBC and one for the rest of us? Matron wonders...

Hail the forces of light!

2009-03-11T18:32:00.002Z

It is always a pleasure to agree with Tim Berners-Lee and the forces of light...

Google calling - again!

2009-03-11T13:56:00.003Z

And while we're on the subject of Google, the BBC reported today that Google has become the latest provider to serve up behaviour-based advertising. Under its Adsense program, Google will serve ads based on the content of the sites users view. It will associate their browsers with certain "interest categories" based on behavioural data collected through a cookie it places in users' browsers. Cookies will be placed in the browsers of all Google and You Tube users from today unless the user opts-out. Advertisers will be able to start serving ads using the new system from April.

The move follows the publication of guidelines on behavioural advertising by the Internet Advertising Bureau which are supposed to ensure that such advertising does not breach individuals' right to privacy (see last week's report by Out-Law). Google as well as Microsoft Advertising, Yahoo! SARL and Phorm have all committed to following them. However, the guidelines have already been criticised by the good people at the Open Rights Group for the opt-out approach and the cookie technology.

"Any ‘opt out’ would be stored by a cookie. So each time a user deletes their cookies, or changes browser or machine, they have to opt out. This makes opting out a repeated procedure, such that which would make all but the most stubborn user simply give their consent. This is not how consent should work, and a system that ‘pesters’ users into opting in is in our view an illegitimate attempt to substitute acquiescence for consent, whereas nothing but consent is acceptable."

There have been lots of discussions about whether most users would prefer targeted advertising to the current "random" kind. The prospect of making - as Lilian Edwards called it at last year's GikIII conference - "every ad a wanted ad" seems tempting, but at what cost? Matron is fairly relaxed about being served with relevant advertising when using the internet. But she baulks at the mass of data that Google will collect in the process, the other purposes for which that data may be used and the people who might want to use it. If the data security breaches of the last two years have taught us anything, it is that the only way to prevent the abuse of large databases is to prevent those databases from being established in the first place.

On that note, this is how you opt-out of the Google Adsense cookie.

Can you see me now?

2009-03-11T12:15:00.003Z

Matron, having long suspected that in less than ten years' time all children of this great country will be micro chipped, has pondered on more than one occasion what her own youth would have looked like if her dad had known at all times where she was (bleak is the answer to that, very bleak).

But as we all know, there will now be no need for invasive surgery due to the versatility of the GPS enabled mobile phone which is, of course, the ideal tracking device. And while we are blissfully becoming more and more dependent on the darn things, services have sprung up all over the country that allow others to track our whereabouts by triangulating our coordinates. As far as children are concerned, this has to be an almost fail safe method as no one over the age of 8 will want to be seen dead without a shiny high spec mobile device. So far, so 1984.

But at least, until now, a large number of people (including even some pesky parents) have not actually been all that aware of the tracking properties of their toys so that their potential for surveillance has not really been fully explored.

Enter the dragon, in the shape of Google Latitude, the latest offering of they who must not be evil. The service allows users to register their mobile phone number with Google, which will then track their location as they go about their daily business. Now while this may be a good things if one wants to be found after being buried by an avalanche, Matron thinks that the use Google envisages is decidedly a little creepy. Because Google wants you to use this as a social networking tool so that, as with other social networking applications, users can determine who will be able to follow their movements. Google's examples for people you may want to give that level of access to your life include the loving husband who can use it to see if his wife has left work yet (so that he knows when to start cooking dinner - very PC, if Matron may say so) and your friends who may want to check if you're in the neighbourhood at the moment, so that they can meet you for a beer.

Apart from the obvious privacy issues, Matron can't help thinking that this could make for a lot of very embarrassing incidents. It may just be her, but there are many situations where Matron does not really want to be found. Like last weekend, when she and her partner pretended to have a prior engagement to get out of having to attend a hen do. It was bad - and embarrassing enough that we then ran into the bride-to-be in a local shopping centre on the very night, but imagine that the bride could sit there and determine the location of everyone who had denied her invitation. With Google Latitude, the end of the little white lie could very well be nigh, with dire consequences for human interaction.

Of course, it could be argued, that you can always limit other people's access to the tracking function when you don't want to be found. But gosh, another thing to think about before leaving the house, when Matron is already at an age where she needs to check three times if she turned the gas off? Also, never mind that this could be a stalkers dream, there is such a thing as social pressure. If this takes off, not only will your "friends" bully you into allowing them access - so will your mother. Or, later in life, possibly your boss.

This scenario was not lost on a group of MPs who, according to The Register signed an Early Day Motion on Monday expressing their concern about the new service. Of course, early day motions being what they are, nothing will come of this. So, would it be presumptuous for Matron to suggest that this may be one the Information Commissioner should take a closer look at?

Just because we can - must we ?

2009-03-10T16:45:00.008Z

After a fairly unproductive day (the reasons for which will become clear presently) Matron feels another rant of a technophobic nature coming on. The trigger is Twitter, apparently the latest craze in online communication sweeping the globe.

Now, Matron has so far resisted tweeting, largely - as her friends will confirm - because she is physically incapable of saying anything in 140 characters. But today her boss attended the FT Digital Media Conference (which was Twitter streamed, apparently) and suggested that the same should be done during an upcoming event that Matron co-organises.

Twittering an event - Matron has learned - means that the conference delegates post live tweets even as they listen to what the speakers have to say. Highly sophisticated and immensely useful for non-attendees, for sure, but Matron, who is a frequent speaker at conferences herself and already fights homicidal urges when she has to talk to a line-up of laptops while their owners are checking their e-mails, can't help thinking that we are loosing some valuable social skills in the process. Like the ability to show someone a minimum amount of professional courtesy.

But in order to be able to comment on an informed basis, Matron duly succumbed and today opened a Twitter account. Not to tweet, never fear, but see what it's all about by following the tweets of the ubiquitous Stephen Fry, famous technophile-in-chief, who probably did more to promote the service than even the site's owners.

Now, Matron is a great fan of Mr Fry, who is and always has been the thinking woman's crumpet. She likes his books, his films and TV series (including - much to her partner's chagrin -the fabulous QI), his readings of the Harry Potter books, which help her go to sleep every night, and his long rambling blessays (blog-essays) about nothing much in particular. So, by all accounts there could be worse impositions than reading his Twitter timeline. And fairly amusing it was too. It turns out that Stephen Fry is currently in New York after having spend a few weeks in Mexico to film. Just over an hour ago he has taken receipt of his new Kindle e-book reader, about which he is very excited and no doubt he will treat his followers to a detailed description and review of his latest gadget before the day is out.

Because he is Stephen Fry, he now has more than half a million of them (followers, that is, not e-book readers, although Matron won't vouch for the latter, given his level of geekness), all of whom presumably join Matron in her admiration of the man and like the fact that he shares so much about his daily life with them. He even regularly responds to their tweets making this a two-way conversation of a kind that ordinary humans do not often get the chance to have with a bona-fide celebrity.

But let us consider two points: first, in the case of lesser mortals (i.e. almost all people who are not Stephen Fry or Barack Obama), what is the point of much of the mindless drivel some people put on there? Matron can see the allure for your average extrovert of announcing to the world that they spent their Sunday afternoon putting up shelves, but who, in the name of Merlin, wants to read about it?

Secondly, and much as it pains her to admit it, it can't be much fun to actually BE AROUND Stephen Fry in the flesh when he is in one of his Twittering moods. Matron imagines it a bit like having lunch with the high octane city banker (a dying species, of course, but hey) who - instead of talking to his lunch date - constantly makes mobile phone calls to other people. "That's what the OFF button is there for, mate!"

Of course, like blogging, Twitter can be enourmously useful for distributing information around the globe in next to no time at all. It is well known that the plane crash landing in the Hudson River was first reported on Twitter. Citizen journalism at its best which, as was said at the FT Digital Media Conference apparently, it could render news organisations wholly redundant.

It can also be a force for good, again personified by Mr Fry, who blacked out his Twitter picture in support of the New Zealand Internet Blackout organised in protest against the notice and disconnection laws for the purpose of enforcing copyright infringments recently adopted by the New Zealand government.

So, Matron does not so much object to the technology and the way it is used per se, but to the effect it has on the life of the average twittering individual. In particular, she objects to the time-wasting properties of this and most other "killer apps". In the two hours she spent virtually following Mr. Fry across two continents, what else could she have done? Write that overdue learned article for a start. Or go out for a walk in that rare-as-hens-teeth English sunshine. Or call the friends that she vowed she would definitely call this week, or else. But she hasn't. Instead she was glued to the screen for yet a few hours more (and, of course, it is not lost on her that she has now wasted another hour or so with this rant) without really achieving all that much. Apart from teenagers, students and silver surfers, who has that sort of time?

During Matron's misspent youth, in the pre-modern, feminist world of the 1980s, the - only half-joking - answer to the question "Why do men pee standing up?" would be "Because they can!"

But just because we can - must we?

To good to be true?

2009-03-10T10:56:00.004Z

A, so far unconfirmed, rumour is doing the rounds that the Ministry of Justice is about to drop the data-sharing provisions contained in the Coroners and Justice Bill.

The Register and the Telegraph both quote "a spokesman" for Jack Straw and even the ICO's website links to an article on the Yahoo news page. With so much coverage it's bound to be true, but Matron is with Simon Davies of Privacy International on this one. The leopard may be temporarily licking its wounds but it is unlikely to change its spots. So it will probably only be a matter of time until the data-sharing provisions reappear in a different form - possibly slightly more intelligently drafted.

But as Dumbledore remarks to Harry Potter when the latter voices his frustration over the fact that he may have only delayed, rather than prevented, Lord Voldemort's return to power:

"It will merely take someone else who is prepared to fight what seems a loosing battle next time - and if he is delayed again, and again, why, he may never return to power."

And on that note Matron recommends the excellent dissection of the Bill prepared by the worthy folks at PI as a little light bedtime reading in preparation for the next battle. Right on, right on!

Of peer-reviews, checks and balances

2009-02-21T11:36:00.002Z

Matron still isn't really ready to revisit the Telecoms Package, so by way of an appetizer, she's decided to veer off-topic for a moment. The trigger for today's musings is the exquisite grilling Jack Straw, the Secretary of State for Justice, received at the hands of the Joint Committee on Human Rights last month. Now the evidence given by the Right Honorable Member for Blackburn was interesting enough. Among other things, he talked about his widely publicised interview in the Daily Mail and the plans which had been announced in that context, including the appointment of a select committee to look into the need for a statutory framework for a UK privacy law (rather than leaving it up to the much maligned judiciary to interpret Art. 8 of the European Convention on Human Rights) and his unfinished project of a new Bill of Rights and Responsibilities.

However, Matron does not wish to talk about either of those plans today (in any case, letting her off the leash in relation to politicians' pronouncements on the Human Rights Act (HRA) is really not a good idea for anyone involved). Instead, she would like to share her impressions on the workings of the British constitutional system. For those of you not interested, feel free to go straight to the commercial...

Matron herself originates from a country with a strong written constitution, and the idea that that constitution - particularly the fundamental human rights contained in it - should be enforced by the courts against the politically motivated government of the day is second nature to her, part of her cultural make-up - one of those things that "go without saying". It is for this reason that Matron has always found it difficult to accept that the UK constitutional system largely seems to be based on a feeling of trust by the population in their elected officials that "they wouldn't do that". "That" being all the bad things an autocratic or totalitarian government might want to do - and has been shown to do in other countries - in the way of infringing its citizens' civil and human rights. Now, admittedly, this trust seems to be well founded in history and experience -after all Britain is one of the few European countries that has not gone through a period of political tyranny or dictatorship for at least a few centuries. But ask yourselves whether you really trust the average individual politician, and you see that the phenomenon of trust in them as a collective body at least merits thinking about. There is such widespread cynicism about individual politicians and their wheeler-dealing that nobody will even feign surprise at reports of inflated expense claims, lying to Parliament and the forging of official reports. The 1980's TV series "Yes Minister" was not only such a big success because of its writers and actors (although both were superb) but because people felt that it portrait fairly accurately the way in which the Whitehall and Westminster machineries work in practice. Even today, when a particularly juicy political scandal comes to light, it is difficult to not think back to a particular "Yes Minister" episode that targets just that sort of behaviour.

So, why is it, that if we don't trust individual politicians as far far as we can throw them, that we trust them as a collective to act in the country's best interest? The answer Matron usually get when raising this with her British chums is that there is indeed a feeling that a system of checks and balances exists that keeps the buggers honest. This system is said to include the judiciary, the media and the House of Lords. So lets look at each of those in turn.

Since the introduction of the HRA, the judiciary has admittedly been given much greater power to review laws made by Parliament and to make declarations of incompatibility where it feels that those laws do not come up to scratch, i.e. where they may violate the fundamental human rights of British (and other countries') citizens. Now it has been said before, but Matron will say it again, that - contrary to the views expressed by Daily Mail editor Paul Dacre - this isn't really a new way of doing things. Ever since the UK ratified the ECHR (and let us not forget that it was one of the first states to ratify the Convention in 1951) , its laws were supposed to be in line with Convention rights. The difference between then and now is merely that before the adoption of the HRA, the right to review of the compatibility of UK laws with Convention rights rested with the European Court of Human Rights in Strasbourg. What the HRA did, was to "bring rights home" as Labour put it at the time, which - most importantly - meant that citizens could now enforce Convention rights before the English courts. Let me repeat this again, more slowly: the HRA gave UK citizens no new rights. It merely brought jurisdiction over those rights to the UK courts.

Now Matron might be naive, but isn't that generally something that the Daily Mail should be happy about? English judges having a say before the European Court gets a look in? The problem, from the Mail's point of view is, of course, that British citizens can still appeal to the European Court once all domestic remedies have been exhausted. So, after all that, British rights may still be determined by foreigners.

But the point that worries most human rights campaigners - and where their views come into conflict with those of the Mail - is actually, that despite being given jurisdiction to review parliamentary laws, English courts do not have the right to declare those laws null and void if they find that they infringe human rights. In essence, this means that English judges can tell Parliament that it has done wrong when enacting a particular law, but they cannot force Parliament to repeal the law and adopt a new one. The fact that Parliament almost inevitably will repeal a law found incompatible by the Courts, is again nothing more than a constitutional convention - another expression of this country's charming naivety and trust in the system.

As for the controlling powers of the media, Matron will try to limit her rant to the bare minimum. The British media works well in some cases but not so well in others and because much of the media's power seems to be with the tabloids rather than the broadsheets, one could argue that the influence of media power on legislation could work for or against the protection of human rights (again, the Paul Dacre story is a point in case). Also, while the media did a good job in relation to cases like the Attorney General's report on the existence of weapons of mass destruction in Iraq, Matron continues to be stupefied by the almost complete absence of proper commentary on legislative proposals on data retention. There is some, but compared to what is going on in, say, Sweden, Austria and Germany, coverage has been laughable. So the best Matron can do in this case is a verdict of "must do better", which - given the increased centralisation of media in the hands of only a few players - is unlikely. Having said that, this development is not only a British problem but seems to apply to almost all developed Western nations.

Which brings us to the House of Lords. Now, if anything, to Matron this is them most perplexing control instrument of them all. As a lawyer trained in constitutional theory, the principles of democracy and the state and the separation of powers, she cannot but look at the Upper Chamber with a certain amount of incredulity and irritation. Unelected, appointed for life and not particularly accountable to anyone themselves, members of this elite circle do not seem to her the best way of ensuring successive governments' compliance with common values of freedom, equality and human decency. And indeed, the recent cash-for-amendments allegations seem to be proof that the system may have some inherent flaws. And yet, it is the House Lords that human rights campaigners increasingly look to as an ally, when it comes to curbing the government's worst excesses in the human rights arena (most recently largely seen in the context of anti-terrorism laws). And it seems to work, as the recent dismissal of plans to extent to 42 days the period for which police could hold a suspect without charge, seems to show.

So why does it work? The most entertaining explanation Matron has ever heard was given by Lord Lester of Herne Hill during a conference a few years ago. His Lordship mused that most members of the House of Lords seem to have been barristers at one time or other in their life. Barristers, he argued, are an eccentric bunch and trying to control them is a bit like trying to herd cats.

So lets get this straight: the well-being of the British people is ultimately protected by its eccentrics? Now this is an explanation that Matron - a bit of an eccentric herself according to those who know her in the flesh - would love to believe and trust in. But is it enough? After 15 years' residence in this great country, Matron is no loser to answering this question than she was when she first taught English constitution law to undergraduates in 1997 - which she did with an undeniable air of anxiety and moral panic. The best she can come up with even today, is that constitutional checks and balances seem to draw their validity from, and seem to work within, their own cultural and historical context. Until they don't, that is.

The Facebook conundrum - do we need to be protected from ourselves?

2009-02-19T17:18:00.006Z

Gosh, what a week it's been. Matron just spent all day wading through the European Council's common position on the Telecoms Package. So much so that she simply can't face writing any more about it and is rather looking for some light relief. Cue, the popular media which yesterday took FaceBook to task for clandestinely trying to introduce Terms of Business that would give it the right to use content uploaded by its users even after those users had moved on to greener pastures. Well, that sort of behaviour came as a big surprise to all of us, didn't it?

Now, Matron is not exactly what one would call an early adopter. That much can probably be deduced from the fact that she starts a blog at a time when everybody else is socially networking their little socks off. It has to be said that, for a tech lawyer, Matron is really rather technophobic. She also decided - after a short spell of online addiction back in the mid-nineties, largely related to a certain e-mail list which shall remain nameless (but lets just say that it led to a communal holiday in a cottage in Scotland with a number of people who were - unusal) - that she prefers face-to-face relationships to the virtual variety.

So, like everybody else over the age of 35, she has been following the FaceBook phenomenon with some interest and trepidation. So far, she has firmly rejected her students' untoward online advances, has lectured them, moaned at them, threatened to physically restrain them and, on one occasion, blackmailed them into engaging all possible privacy settings by telling them that she would openly display any of their publicly accessible profiles to attendees of an academic conference. She is also a paid up member of the "FaceBook Moral Panic Support Group" loudly lamenting the fact that things are not what they used to be.

So, although it is highly unfashionable in cyberlaw circles to call for increased legal regulation - technological solutions are still all the rage - Matron sticks by her guns and the points she made previously. What we need is a consumer protection approach that ensures that the purposes for which providers may use their users' personal data are limited in some way. And before all the Americans throw the First Amendment book at her, Matron is not talking about the abandonment of personal responsibility, user autonomy and free speech. She is merely appealing to common sense. Users of "my-way-or-the-highway" adhesion contracts should be subject to some sort of statutory framework.

Hopefully, the more stories are published about the blatant way that some providers abuse their users' data, the more political will there will be to do something about it. For that reason, last night's TV coverage of the FaceBook c***up was chicken soup for the soul. But even better than that, the BBC today published an article about a study that "proves" that online networking harms your health.

Isn't it great when scientific research confirms what you want to believe anyway?

Data retention and the incredible duplicity of events

2009-02-18T17:45:00.013Z

You wait for ages for an irrational and totally see-through official position on data retention and then two come along at once. Following hot on the heels of last week's ECJ decision on the validity of the Data Retention Directive, the Home Office has now published its response to the consultation on the transposition of the Directive into English law. And what a response it is!

Matron isn't quite sure what to commend them on first. That they managed to gloss over the extension of the retention period for internet data from currently six months (under the Voluntary Industry Code) to 12 months, blatantly ignoring the point made by a number of respondents (including the SCL and Liberty) that they have yet to present a business case for any retention of communications data?

That they managed to find and quote the one sentence in a highly critical submission by Liberty that acknowledges that "communications data records can prove a valuable crime detection and prevention tool” (in its submission, Liberty then goes on to say, that the recently reported use of communications data by local authorities for the purpose of enforcing laws against flytipping and benefit fraud hardly fall within the definition of serious crime and terrorism)?

But the most worrying part of the response has to be the government's refusal to even engage with the argument that the retention of internet data for 12 months may very well be disproportionate under Article 8 of the European Convention on Human Rights.

As a general rule, Matron loves to be right as much as the next know-it-all, but in some cases she really doesn't. And the fact that the Home Office - less than a week after the ECJ made a similar point - also seems to suggest that the retention of communications data is somehow separate from access to the data so retained is one of those cases.

But first things first. Let us first look at the changes to the draft Regulations that the Home Office wishes to introduce as a result of the consultation:

Application of the Regulations
Because the UK government has agreed to reimburse CSPs for the costs they incur in implementing the Directive, it has long tried to keep those costs to a minimum by avoiding duplicate storage of data. In practice, this is difficult as many CSPs are using networks operated by other CSPs so that communications data are often held by both the upstream and the downstream provider. In the original draft Regulations the government therefore proposed that they should not apply to a CSP to the extent that the data concerned are already retained by another UK CSP. However, CSPs were very unhappy with this provision as they feared it would create both uncertainty and market distortion. They also argued that third parties interested in accessing retained data (for example, copyright owners) might bring actions for breach of statutory duty against those CSPs ostensibly not required to retain data under the Regulations.

The revised Regulations published by the Home Office last week provide that they will only apply to a CSP if the Secretary of State issues a notice to that CSP requiring it to retain data. No statutory duty to retain data will exist on the part of the CSP in the absence of such a notice. At the same time, under revised regulation 10(2), the Secretary of State must issue such a notice to a CSP unless the data to which the Regulations apply are retained in the UK in accordance with the Regulations by another CSP. In the words of President Truman: "the buck stops with the Home Secretary". Meaning that even if the Home Office gets it wrong, it is now likely that third parties who feel aggrieved that a particular CSP has not retained communications data will probably have to bring an action against the UK government under the Francovich principles rather than have a case against the individual CSP. Directives do not have direct effect and from a CSPs point of view, their statutory duty is what English law says it is. So, that's good news. Or is it?

Well, it depends on whether or not you generally agree with the right of third parties to access data retained for crime prevention and anti-terrorism purposes for their own commercial purposes in the first place. Quite a few respondents raised this issue in their submission. It seems that the CSPs are mainly concern that this may net them lots of Norwhich Pharmacal orders from the already prolific film and music industry. But those of us, who feel that the use of CSP data for the purpose of enforcing copyright has already gone far enough, the Home Office's response to this issue is worrying indeed. It merely states that the Home Office is working with the Ministry of Justice and the Interception of Communications Commissioner to provide guidance for the courts on how these cases should be handled, and that, separately, the government intends to provide more effective remedies for rights holders. So, unsurprisingly, the government is still refusng to consider other solutions to the problem of filesharing and illegal downloads.

Data to be retained
Many ISPs have pointed out that the majority of communications data to be retained relates to unsolicited marketing e-mails ("spam") that is filtered by CSPs and that in most cases is never delivered to the intended recipient. Excluding that data from the retention requirement (along the lines of the Directive's exclusion of data relating to unconnected telephone calls) could save the government millions of £££ but did common sense prevail? Did it heck!

Statistics
Coming back to the mystery of the missing business case, the government was caught with a small amount of egg on its face, when it had to admit that the orginal draft Regulations had omitted a requirement of the Directive that statistics relating to the time elapsed between the date on which the data were retained and the date on which a lawful request for data was made should be collected. That sort of data is obviously essential for establishing whether or not a retention period of 12 months is actually necessary and, hence, proportionate under Art. 8 ECHR (other views that have been mooted include the suggestion that the police only needs a retention period of 12 months because it is so unorganised that it will need at least six months to actually make the request and that long retention periods are really there to cover incompetence and inefficieny. Matron prudently reserves judgment on that).

Apparently, the omission was an "oversight" and the necessary requirement has now been inserted in draft regulation 9, but as they say, just because you're paranoid, doesn't mean they're not after you.

Human rights considerations
But returning to the above mentioned duplicity of events, most notably of all the Home Office has indeed managed to dismiss any suggestions that the retention provisions may actually be disproportionate under Art. 8 ECHR, reasoning that respondents who made those suggestions largely focused on the proportionality of access to the retained data rather than its retention. However, access, the Home Office argues, is governed by RIPA not the Regulations, so arguments relating to disproportionality should be made in a RIPA context. Wait a minute! Isn't that what the ECJ just said?

It is, of course, complete baloney, particularly when you look at the recent judment by the European Court of Human Rights in S. and Marper v United Kingdom, where the court decided that the blanket and indiscriminate retention of DNA records by the UK government, regardless of whether the data subject was convicted of an offence after collection, failed to strike a fair balance between the competing public and private interests. The court concluded that the UK government had overstepped any acceptable margin of appreciation in this regard and it could be argued that similar considerations should apply in relation to the retention of personal data of millions of innocent individuals.

But leaving that aside for the moment, Matron continues to be worried about strategy. If both the UK government and the ECJ are trying to separate the retention of data from access to that data, it may really be time to take note. As Matron suggested before, data retention opponents, particularly in the UK, should start to seriously plan for a fight on two fronts, namely they should think about lodging actions for judicial review of both the Regulations (once they are in force) and the access provisions under RIPA.

You turn if you want...

2009-02-13T23:08:00.003Z

Matron was slightly amused to learn that the European Commission decided to disband the Data Protection Expert Group it set up as recently as last year. Although the Commission allegedly denies any connection, rumour has it that the reason for its decision is a complaint lodged by Alex Tuerk, the French chairman of the Article 29 Working Group, that four of the five members of the group "represented American interests".

Indeed, the group included Peter Fleischer, Google's global privacy counsel; David Hoffman, Intel's director of security policy and global privacy officer; as well as two privacy lawyers working for US law firms. The group was originally set up to provide independent expert advice to the Commission in relation to any specific or emerging issues relating to the current legislative framework for data protection. However, the Commission refused to confirm that this finally signalled the long awaited review of the 1995 Data Protection Directive. On the contrary, it emphasised that it did not envisage submitting any legislative proposal to amend the Directive in the short to medium term.

This attitude at least seems to have changed in the wake of the group's dismantling. There is now talk that the group will be disbanded into a wider consultation which is due to be launched at a conference organised by the Commission in May of this year.

The majority of privacy experts agree the that the Commission has been dragging its feed on this one and that a fresh look at the Directive is long overdue, particularly in light of the fact that changes to the framework are now being discussed - inappropriately many think - as part of the Telecoms Reform Package. So, as U-turns go, this one would be quite welcome. However, Matron worries that in this case a review may actually be used to water down the existing protection. If the negotiations relating to the proposed changes to the E-Privacy Directive are anything to go by, this concern does not seem to be entirely far fetched.

Is time running out for privacy notices?

2009-02-12T16:28:00.010Z

After launching a consultation on a draft code of practice for privacy notices last month, the ICO has now published the results of an online survey where over 2000 adults were asked how they felt about the "small print" contained in standard privacy notices. Apparently, 71% of participants admitted to not properly reading or understanding the small print (a lower number than Matron would have expected!) and 47% believe that small print is "purposely designed to be as woolly as possible". Indeed! Having spent several years in private practice advising corporate clients that the privacy policy is their friend not their enemy, Matron certainly feels that this message has hit home with CEOs and inhouse legal counsel quite some time ago .

As someone who for a very long time predictably, boringly and (in the opinion of her partner) embarrassingly read all small print before signing, Matron has found that over the last few years she too has become more complacent. While she will still search for the tick boxes that will (hopefully) prevent her from being inundated with adverts for Viagra and penis enlargements, she no longer reads the privacy statements with the same sort of youthful vigour.

That has partly to do with the problem identified by the ICO - they are getting longer and more impenetrable. But also - and therein, as they say, lies the rub - she makes a plain old profit/loss analysis. As her esteemed friend and colleague Prof. Lilian Edwards points out in one of her articles, the majority of privacy statements, particularly those used by online providers, are effectively adhesion contracts - not subject to negotiation, take it or leave it. If you want the service, you have to agree with the terms, so reading them could often be seen as an utter waste of time. And because most consumers - again in Lilian's words - prefer "jam today" - goods and services, fun and frivolity - over "jam tomorrow" - safety and security of their personal information - it has become easy for online providers progressivley to expand the purposes for which they may use their customers' personal data - ostensibly with their consent.

Consequently, and without wanting to criticise the ICO's commendable move to initiate a discussion of this subject, Matron cannot help thinking that the ICO stopped a bit short of what may actually be required. Instead of simply joining the plain English campaign, may it not now be time to revisit the entire concept of fair processing notices, particularly where the purposes for which the data can be used by businesses become binding on their customers on the basis of their IMPLIED consent (as is possible in the UK)? Should we start thinking about these isssues in terms of consumer protection and should we be looking into the possiblity of legislating for "unfair privacy terms" along the lines of the Unfair Terms in Consumer Contracts Regulations 1999?

It seems that for the time being the ICO wants to stick with the "educational approach": getting companies to simplify their privacy statements so that consumers can understand them better and make better choices. But extensive permissions to use consumer data are still extensive permissions by any other name and the concept of choice - as in all adhesion contracts - may be illusionary.

The imagery of surveillance

2009-02-11T17:52:00.010Z

Has anyone else noticed the increasing pervasiveness of surveillance imagery that is cropping up all around us? It started with the most recent TV Licensing advert that reminded us in a creepy, slightly threatenting tone of voice that you can run but you can't hide, because "it's all in the database".

And a few weeks ago I encountered this at a bus stop on my way to work. So even the cows need watching now to make sure that - what? - they give enough milk? Don't eat the wrong kind of grass?

Matron cannot help feeling scared that in the homeland of CCTV, these images seem to become part of the wallpaper. So much so that no one notices them any more. Despite all evidence to the contrary, individuals in the UK continue to believe that being captured on film up to 300 times a day will successfully protect them from becoming victims of criminal activity and resistance to widespread public surveillance is minimal. Matron is afraid that these images might be doing their bit in habitualising us all to the normality of constant observation.

Three cheers therefore for the House of Lords Constitution Committee which last week published a report entitled "Surveillance: Citizens and the State" that looked at the impact that government surveillance and data collection have upon the privacy of citizens and their relationship with the State. Among other things, it recommends that the government should introduce a statutory regime for the use of CCTV by both the public and private sectors and that a Parliamentary joint committee on surveillance and data powers of the state should be established to which any proposed legislation which would expand surveillance or data-processing powers should be referred. With the upcoming consultation on the Interception Modernisation Programme and the implementation of the Data Retention Directive for internet data just around the corner, this reminder does not come a minute too soon.

Whether anyone in this increasingly arrogant government will take any notice of it, is another matter entirely. For recent examples of sheer pig-headedness, see the government's response to the House of Lords report on personal internet security and it's notification to the European Commission stating that it wants to extend its existing derogation from the artist's resale right for the work of deceased artists for a further two years. This does not mean that Matron is necessarily in favour of copyright terms that exceed the artist's own lifespan. But the decision to extent the derogation was taken despite the fact that, as part of an IPO consultation on the matter, only 10% of respondents were in favour of such an extension. Little wonder that the majority of people in this country are starting to feel a smidgen ill at ease with their elected representatives. But unlike the people in the US, do we have a viable alternative?

When Irish eyes are smiling - NOT

2009-02-10T23:24:00.010Z

The waiting is over and the ECJ has finally delivered its decision on the validity of the Data Retention Directive. Unsurprisingly, it followed the Advocate General's opinion earlier last year and held that the Directive was adopted on the correct legal basis. While this is a short term bummer - member states will still have to implement the Directive by the 15 March 2009 deadline - Matron can't help thinking that in the long term this was the correct approach. Beware the turncoats among the Directive's opponents who lobbied for the involvement of the European Parliament back in September 2005 when it looked like the only way to prevent the worst from happening and who were now hoping that the Irish government would be successful (notwithstanding that it is a stout data retention supporter) for the very same reason. Hard cases make bad law, as they say, and a confirmation of the Irish position may very well have opened a Pandorra's Box more viscious than we would currently be able to foresee.

Yes, it is true that adopting harmonised European provisions under the third pillar requires unanimity in the European which is difficult to achieve. Difficult but not impossible and the proposers of the original Framework Decision on the subject (including Ireland and the UK) had made some headway in that regard back in September 2005 when both the European Parliament started to kick off. Also - and this is probably more important in the short term - in the absence of harmonising EU law, every member state would have been able to adopt its own data retention laws. That would have been great news for human rights organisations in places like Austria, whose government has long opposed data retention on principle, and Germany, where the Constitutional Court may very well have put a stop to it. But in places like Ireland, Italy and, not least, the UK we may well have ended up with laws which require providers to retain more types of data for longer than the maximum of 24 months allowed under the directive. Furthermore, much of the Council decisions come about as a result of horse-trading behind closed doors. At least, the involvement of the European Parliament guarantees some sort of political transparency, even though - as in this case - this will not always protect us from undesirable outcomes. So right on, ECJ, you did well.

But what does it all mean for individuals' right to privacy? Well, the bad news is that ISPs and telecommunication providers will now initially have to retain communications data for between 6 and 24 months. The technology and the infrastructure for this will have to be set up, costed and funded. And we know how it goes - once that infrastructure is in place, both the state and the providers will most probably manage to find a use for it even of the Directive is eventually binned. A frightening thought!

However, the ECJ has not yet examined the question of the Directive's compatibility with fundamental human rights, in particular with the right to privacy under Article 8 of the European Convention of Human Rights (ECHR). Indeed, it has very clearly stated that the action brought by Ireland - and consequently its own decision - relates solely to the choice of legal basis and not to any possible infringement of fundamental rights arising from interference with the exercise of the right to privacy by the Directive. That, in a way, is a good thing, because it leaves the door open for a future challenge by data retention opponents who hope to be able to prove that blanket data retention is wildly disproportionate to the objective the Directive is set to achieve. Judicial or constitutional reviews relating to the compatibility with the right to privacy of national laws implementing the Directive are already pending in a number of member states including Germany and Ireland. The relevant courts may now refer any of those cases to the ECJ for preliminary ruling. The German Constitutional Court - bound as it is by its own "Solange II" principles (that it will not review the compatibility of EC legislation with the German Constitution as long as ("solange") the European Communities, and in particular the judicature of the ECJ, secure the protection of fundamental rights) - are the most likely suspect for such a reference. The Court has repeatedly postponed its own decision in the pending case - likely because of the impending ECJ ruling.

But the ECJ also made another interesting point: namely, it emphasised that the Directive merely relates to activities of communication service providers (the retention of communications data) and not to the activities of public and law enforcement authorities (access to the retained data). While factually correct, this could suggest that when the ECJ eventually receives a reference from a national court, it may limit its own jurisdiction to a review of the question whether the mere retention of data infringes fundamental rights rather than taking a "big-picture-view" of the matter and taking into account the effect that law enforcement's access to that data will have on those rights. It could argue that the mere retention of data does not infringe individual rights provided that access to that data is limited and subject to sufficient safeguards. As the access provisions and safeguards are currently contained in national law (here in the UK, access is governed by Part I Chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA) and a host of secondary regulation), the ECJ could rule itself out completely as a competent court to review the matter from that point of view leaving it instead to national courts to decide.

On the one hand, this could mean that data retention will come to be seen as be a beautiful example for a judicial game of "pass-the-parcel" where data retention provisions are quietly implemented all across Europe while the courts are sorting out their own compentency between themselves. On the other hand, such an approach by the ECJ could open up an opportunity for opponents provided they grasp it quickly and strongly enough.

Data retention opponents should now also consider the judicial review of national access provisions by the national courts as well as, ultimately, by the European Court of Human Rights in Strasbourg. To a varying extent, all EU member states are also signatories to the ECHR which means that their national laws are subject to that Court's jurisdiction once all national judicial remedies have been exhausted. In a UK context this could mean, that even if the ECJ, in a future action referred to it, determines that

data retention alone is not enough to infringe people's fundamental rights
it is not competent to review the access provisions that may be so infringing,

the access provisions under RIPA could be attacked separately.

Like many others, lawyers advising data retention opponents have so far been puzzeld by the fact that the demarcation line between the jurisdiction of the ECJ and the ECtHR has never been clearly defined. Ever since the ECJ, in the case of Internationale Handelsgesellschaft v. Einfuhr und Vorratsstelle Getreide, confirmed that it would protect fundamental rights as general principles of EU law, the scene was set for a clash between the two courts, albeit that to date this clash has never materialised. It was thought, that data retention could have been the case, where this might finally happen.

However, unless the European Council adopts harmonised provisions on access to retained data which would bring the matter squarely within the ECJ's jurisdiction (probably unlikely, given how difficult it was to achieve consensus even on the retention of the data), civil rights organisations across the EU should now probably review their strategies and start planning for a two-pronged attack:

Continue the judicial review of national laws implementing the Data Retention Directive with a view to a reference to the ECJ. Cross your fingers and hope.
At the same time commence separate actions for judicial review of the related national access provisions arguing that they violate Art. 8 ECHR and that it would be inappropriate to refer those cases to the ECJ for preliminary decision, as they do not concern EU laws. If the national courts decide that those provisions do indeed violate Art. 8 ECHR, then - depending on the constitutional procedures of the relevant country - the provisions will either be void immediately or be declared "incompatible with human rights" leaving the legislator to amend the law. If the national court finds that access to retained data does not breach Art. 8 ECHR, the path to Strasbourg is clear. And it light of the court's most recent decision in the area of privacy and state surveillance, Matron can't help feeling that the chances of success in that court would be much better than before the ECJ.

However, even if a challenge before the ECtHR was successful, the problem of data retention may remain. Would the ECtHR assume jurisdiction on the retention provisions given that they are subject to review by the ECJ? If not, would national legislators, the European Institutions and/or the ECJ revise their position on data retention, if the ECtHR decided that access to the retained data breaches individuals' human rights? Data retention is expensive. National governments will (hopefully) not want to bear those cost or impose them on businesses operating from their territory if they cannot then access the data retained. An ECtHR decision condemning the right to access could therefore be a roundabout way to make them change their mind. But it's tricky. So "as long as" we don't know how best to tackle this we should probably tackle it any which way we can.