Monday, April 07, 2008

Data Protection and Search Engines - The Article 29 Working Party Weighs In

The Article 29 Working Party has issued its long-awaited Opinion on Data Protection Issues Related to Search Engines. This is a substantial document and will need close consideration, but some highlights spring out and are worth excerpting.

The WP confirms that the Data Retention Directive (contrary to what has been claimed by some) does not apply to search engines:
Search engine services in the strict sense do not in general fall under the scope of the new regulatory framework for electronic communications of which the ePrivacy Directive is part. Article 2 sub c of the Framework Directive (2002/21/EC), which contains some of the general definitions for the regulatory framework, explicitly excludes services providing or exercising editorial control over content:
"Electronic communications service" means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but exclude services providing, or exercising editorial control over, content transmitted using electronic communications networks and services; it does not include information society services, as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or mainly in the conveyance of signals on electronic communications networks;
Search engines therefore fall outside of the scope of the definition of electronic communication services.

A search engine provider can however offer an additional service that falls under the scope of an electronic communications service such as a publicly accessible email service which would be subject to ePrivacy Directive 2002/58/EC and Data Retention Directive 2006/24/EC.

Article 5(2) of the Data Retention Directive specifically states that “No data revealing the content of the communication may be retained pursuant to this Directive”. Search queries themselves would be considered content rather than traffic data and the Directive would therefore not justify their retention. Consequently, any reference to the Data Retention Directive in connection with the storage of server logs generated through the offering of a search engine service is not justified.
Consent cannot be implied in the case of anonymous users:
Consent cannot be construed for anonymous users of the service and the personal data collected from users who have not chosen to authenticate themselves voluntarily. These data may not be processed or stored for any other purpose than acting upon a specific request with a list of search results.
The "necessary for the performance of a contract" exception will seldom be available:
Processing may also be necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This legal basis may be used by search engines to collect personal data that a user voluntarily provides in order to sign-up for a certain service, such as a user account. This basis may also be used, similar to consent, to process certain well-specified categories of personal data for well-specified legitimate purposes from authenticated users. Many internet companies also argue that a user enters into a de facto contractual relationship when using services offered on their website, such as a search form. However, such a general assumption does not meet the strict limitation of necessity as required in the Directive.
Personalised advertising raises particular problems:
Search engine providers that wish to provide personalised advertising in order to increase their revenues, may find a ground for the legitimate processing of some personal data in Article 7 (a) of the Directive (consent) or Article 7 (b) of the Directive (performance of a contract) but it is difficult to find a legitimate ground for this practice for users who have not specifically signed in based on specific information about the purpose of the processing. The Working Party has a clear preference for anonymised data.
Search engines may not store information purely on the basis that it may be useful in later criminal proceedings:
Law enforcement authorities may sometimes request user data from search engines in order to detect or prevent crime. Private parties may also try to obtain a court order addressing a search engine provider to hand over user data. When such requests follow valid legal procedures and result in valid legal orders, of course search engine providers will need to comply with them and supply the information that is necessary. However, this compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes. Moreover, large amounts of personal data in the hands of search engine providers may encourage law enforcement authorities and others to exercise their rights more often and more intensely which in turn might lead to loss of consumer confidence.
A maximum retention period of six months is permissible, and users must be informed in advance:
In practice, the major search engines retain data about their users in personally identifiable form for over a year (precise terms vary). The Working Party welcomes the recent reductions in retention periods of personal data by major search engine providers. However, the fact that leading companies in the field have been able to reduce their retention periods suggests that the previous terms were longer than necessary. In view of the initial explanations given by search engine providers on the possible purposes for collecting personal data, the Working Party does not see a basis for a retention period beyond 6 months...

In case search engine providers retain personal data longer than 6 months, they will have to demonstrate comprehensively that it is strictly necessary for the service. In all cases search engine providers must inform users about the applicable retention policies for all kinds of user data they process.
Update: Lilian Edwards has more on the Opinion, including the problems it poses for people search services.

Thursday, April 03, 2008

Filter or Else! Music Industry Sues Irish ISP

I've written a short update for the Society for Computers and Law on the music industry litigation against Eircom. Excerpt:
The music industry in Ireland started its campaign against peer-to-peer downloading and uploading in 2003/2004 when it started an education and awareness campaign. That campaign included national advertising aimed at end-users and specific warnings addressed to intermediaries such as companies and universities, as well as instant messages sent to users who were uploading particular songs.

In 2005 the music industry changed tack and brought the first action before the Irish courts (EMI and ors. v Eircom and ors. [2005] 4 IR 148) seeking to identify 17 individuals alleged to be illegally file-sharing. In that case the High Court granted disclosure of these identities under the Norwich Pharmacal [1974] AC 133 jurisdiction. Two further applications were made to the High Court in 2006 and 2007, identifying some 99 users in all. However, despite the significant publicity which these actions received, they do not appear to have any more than a short-term effect in deterring Irish users from sharing music.

At this point, and in line with the strategies pursued by the industry body IFPI elsewhere, the music industry in Ireland appears to have decided to shift the focus of its attention from the end-user towards the intermediary, and in particular towards seeking to compel ISPs to police the behaviour of their users.
The full text is available on the SCL site (no subscription required).

Wednesday, March 26, 2008

A public service announcement about public surveillance

This animated short by David Scharf is one of the best explanations I've seen as to why we should be worried about sleepwalking into a surveillance society, not to mention a beautifully crafted piece of visual art in its own right.



You can see larger, better quality versions of the video at http://www.huesforalice.com/bbs/.

Tuesday, March 04, 2008

Domain Name Registrars - The New Points of Control?

Jonathan Zittrain has pointed out that regulation of the internet has tended to proceed - whether by way of litigation or legislation - by identifying particular intermediaries and compelling them to act as points of control over user behaviour. The intermediaries targeted have included hosts, ISPs, search engines, hyperlinkers and financial intermediaries (which have been compelled, for example, to stop credit card payments to gambling sites). Some relatively recent developments suggest that domain name registrars are joining them in the firing line - and that this may result in some interesting cross-border legal issues.

An early example took place in the Rate Your Solicitor saga, where the plaintiff in an Irish defamation action succeeded in 2006 in persuading US registrar GoDaddy to disable the rateyoursolicitor.com domain (apparently for false WHOIS data) notwithstanding that GoDaddy would appear to have enjoyed immunity under section 230 CDA. (Not that this deterred the critics of Irish lawyers, who promptly moved to rate-your-solicitor.com where they remain today.)

At around the same time, the plaintiffs in the Spamhaus litigation set out to persuade an Illinois court to order ICANN (rather than the Canadian registrar!) to suspend the Spamhaus domain name - on the basis that Spamhaus (located in the UK) could not otherwise be made to comply with that court's order. (Ultimately, however, the court accepted that ICANN and the registrar were not involved in the defendant's actions nor able to control them, and consequently an order should not be directed towards them.)

The Spamhaus case didn't, however, deter the lawyers acting for Bank Julius Baer in its attempt to silence Wikileaks.org, who succeeded (albeit temporarily) last month in persuading the Californian courts to issue an interim order requiring the registrar (Dynadot) to disable the Wikileaks.org domain name and remove all DNS hosting records. (This despite the lack of any obvious role for the Californian courts in adjudicating on a dispute between a Cayman Islands bank, its Swiss parent company, a Swiss former employee, and the various individuals around the world responsible for Wikileaks, and despite the lack of any full hearing.) Daithi has a particularly good post on why this amounted, in effect, to an internet death penalty and was a disproportionate prior restraint on speech.

Now the New York Times reports that the US government has ordered domain name registrars to disable domain names which it alleges breach its ban on trade with Cuba:
Steve Marshall is an English travel agent. He lives in Spain, and he sells trips to Europeans who want to go to sunny places, including Cuba. In October, about 80 of his Web sites stopped working, thanks to the United States government.

The sites, in English, French and Spanish, had been online since 1998. Some, like www.cuba-hemingway.com, were literary. Others, like www.cuba-havanacity.com, discussed Cuban history and culture. Still others — www.ciaocuba.com and www.bonjourcuba.com — were purely commercial sites aimed at Italian and French tourists.

“I came to work in the morning, and we had no reservations at all,” Mr. Marshall said on the phone from the Canary Islands. “We thought it was a technical problem.”

It turned out, though, that Mr. Marshall’s Web sites had been put on a Treasury Department blacklist and, as a consequence, his American domain name registrar, eNom Inc., had disabled them. Mr. Marshall said eNom told him it did so after a call from the Treasury Department; the company, based in Bellevue, Wash., says it learned that the sites were on the blacklist through a blog.

Either way, there is no dispute that eNom shut down Mr. Marshall’s sites without notifying him and has refused to release the domain names to him. In effect, Mr. Marshall said, eNom has taken his property and interfered with his business. He has slowly rebuilt his Web business over the last several months, and now many of the same sites operate with the suffix .net rather than .com, through a European registrar. His servers, he said, have been in the Bahamas all along.
What's the significance of this? As in some of the other cases, it means that internet speech may be shut down without any prior notice to a party, and without any hearing. It also means that disputes which have no underlying connection with a particular jurisdiction may end up subject to the law of that jurisdiction:
Susan Crawford, a visiting law professor at Yale and a leading authority on Internet law, said the fact that many large domain name registrars are based in the United States gives the Treasury’s Office of Foreign Assets Control, or OFAC, control "over a great deal of speech — none of which may be actually hosted in the U.S., about the U.S. or conflicting with any U.S. rights."

"OFAC apparently has the power to order that this speech disappear," Professor Crawford said.
There's also a very important practical point here. Website owners are already acutely aware that hosting liability varies from jurisdiction to jurisdiction - and for that reason many choose to host in the US where section 230 CDA makes it less likely that a host will take down a site based on vague and unjustified threats. These cases illustrate that domain owners should be equally cautious in deciding which registrar to use - pick a registrar located in the wrong jurisdiction, or one which (as Dynadot appeared to do in the Wikileaks case) caves in too easily, and you may find your domain name vanishes.

Friday, February 29, 2008

German Constitutional Court recognises a new right of "Confidentiality and Integrity of Computer Systems"

On 27 February the German Constitutional Court issued what's being described as a landmark ruling which recognises a new fundamental right of privacy, confidentiality and integrity in computer systems. The case was brought to challenge a law which, amongst other things, permitted government agencies to hack into computer systems, for example by using a Trojan Horse to monitor suspects' internet use. The reasoning of the Court was based on its finding that computer systems will often contain information presenting a complete picture of a person's most private life:
[Computer systems] alone or in their technical interconnectedness can contain personal data of the affected person in a scope and multiplicity such that access to the system makes it possible to get insight into relevant parts of the conduct of life of a person or even gather a meaningful picture of the personality.
Ralf Bendrath has detailed analysis of the decision and its background. Meanwhile, the IPKat suggests that this may have implications for the use of privacy invasive DRM and for disclosure of information held by ISPs in civil cases.

Thursday, February 28, 2008

'Cause I'm the Taxman: Facebook and the Revenue

Now my advice for those who die,
Declare the pennies on your eyes.
'Cause I’m the taxman,
Yeah, I’m the taxman.
- The Beatles

There's been a good deal of media coverage of the revelation by Evert Bopp that the Revenue is gathering information from Facebook and other social networking sites as part of its audits of individuals. There has been a tendency to present this as a privacy issue, leading to discussion of whether information on social networking sites should be treated as essentially in the public domain. This seems to me, however, to be the wrong way of looking at this question, not least because a definition of privacy remains elusive. Leaving privacy per se aside, are there other reasons why this sort of material should not be used?

There are, for me, at least two reasons. First, this material is often unreliable. As one Irish blogger demonstrated recently, it's quite easy to fake profiles in the name of others and to do so in a convincing way (Google cache). Consequently government agencies should be slow to use information derived in this way. Where they do so they should inform the individual concerned and offer an opportunity for that person to correct or challenge the material. (Something which would in any event be required by the Data Protection Rules.)

Secondly, and perhaps more importantly, this may lead to irrelevant criteria being used in a way which harms individuals. The legitimacy of bureaucracy is based, at least in part, on the impersonal application of general rules. Bureaucrats are not allowed to take other factors - such as the sexual orientation of the individual - into account, and indeed are expressly prohibited from inquiring about these factors. But where social networking profiles are being searched, this principle is likely to be undermined. For example, suppose that Blogger X is openly out on his blog. That is no business of the Revenue (for example) in dealing with him. But if an official is influenced by the results of their search, we may find him being discriminated against in a way which would not have been likely otherwise.

Daniel Solove has considered some of the issues arising from what he describes as the "self exposure problem" in his fascinating new book The Future of Reputation: Gossip, Rumor and Privacy on the Internet - the full text of which is now available online under a non-commercial CC licence. It's required reading for anyone interested in this area.

Wednesday, February 27, 2008

Here comes another bubble...

Especially for those people who say that Web 2.0 equals Bubble 2.0:

An overview of ISP Voluntary / Mandatory Filtering

Irene Graham of Electronic Frontiers Australia has compiled an invaluable overview of ISP level filtering systems as part of the EFA campaign against mandatory filtering in Australia. What's most striking about her survey is that unlike much previous work which focused on countries such as China or Saudi Arabia, she looks at the systems put in place in various democracies (including Canada, the United Kingdom and Finland) but still finds the same problems - a lack of democratic legitimacy, opaque systems, overblocking, and indications of function creep.

Full Disclosure and the Law - a European Survey

Full disclosure - the practice of making security vulnerabilities public - is an area of uncertain legality. The companies whose products are shown to be insecure would like to suppress this information. In addition, new laws criminalising so-called hacking tools have caused security researchers to worry that simply possessing the tools of their trade or publishing their research may expose them to criminal liability. Legal certainty isn't helped by the fact that the laws on this point differ greatly from jurisdiction to jurisdiction. Federico Biancuzzi has now produced a very helpful survey of European laws in this area by interviewing lawyers (including myself) from twelve EU countries on their national laws. Most seem to agree that the law is unsettled. But some common themes do emerge. In particular, full disclosure is not being regulated by any specific law - instead, the consequences of full disclosure tend to be considered in a rather ad hoc way under a variety of different legal regimes. In addition, civil liability (imposed by general copyright law or by specific contractual or licensing restrictions) appears to be just as much a deterrent to research and publication as newer laws criminalising hacking tools.