Surveillance and Austerity

One of the most depressing aspects of the passing of the Data Retention and Investigatory Powers Act (DRIP)  this week was the level of political consensus. All three major parties backed it, aside from a few mavericks in Tory and Labour ranks. Despite some excellent speeches in the Lords, it passed through there in double-quick time, without their Lordships even deeming it worthy of a vote.  It got me thinking, what else has a similar level of consensus? The obvious answer, sadly, was austerity. Ed Miliband is due to give a speech today to Labour’s National Policy Forum which, it seems, will confirm Labour’s commitment to it.

There is no alternative…

There are more parallels between surveillance and austerity than we should feel comfortable with. Our main political parties view both surveillance and austerity as ‘given’, and as though there are no alternatives even worth considering, let alone exploring in any detail. Both, we are told, are for our own good. Those who resist both, we are told, are unrealistic dreamers or worse. If we don’t embrace both, we are told, there will be disasters, and the future is bleak.

Divisive and simplistic…

Both also rely on divisive and simplistic assumptions.

The essence of the drive to welfare ‘reform’, in particular, is the idea that there are ‘strivers’ and ‘scroungers’, and that the former are being made to suffer by the latter. The former, the ‘good’ people, don’t need welfare, and won’t suffer from the results of austerity.

The essence of the drive for surveillance is that there are ‘good’ people and ‘bad’ people – and that the ‘good’ people are being made to suffer by the ‘bad’. The former, the ‘good’ people, don’t need privacy, and won’t suffer from the results of surveillance.

In neither case are the divisive and simplistic assumptions true. As anyone who studies the details knows, the majority of people on benefits are also in work. People shift from being in work to being out of work, from being in need to being able to do without it. The whole idea of ‘scroungers’ is overplayed and divisive, particularly in relation to people with disability. Similarly, the idea that ‘good’ people have nothing to hide, so don’t need privacy, is one of the classic misunderstandings of privacy. We all need privacy – it’s part of what we need as humans, part of our dignity, our autonomy. It’s a pragmatic necessity too, as those in power do not always use their powers for good – the latest of the Snowden revelations, that the NSA pass around naked pictures of ordinary people that they find through their snooping is just another example of how this works. Privacy isn’t about hiding – it’s about what we need as people.

It’s all about power

Ultimately, though, the thing that surveillance and austerity really have in common is power. They’re ways that those with power can keep control over those without it. Keep poor people poor and desperate, and they’re more malleable and controllable. They’ll take jobs on whatever conditions those offering them suggest. Surveillance is ultimately about control – the more information those in power have, the more they can wield that control, whether it’s monitoring social media in order to stop protests or manipulating it to make people happy and like particular products or services.

What we can do about it is another question. The real point about the people in power is that they have power…. and reducing that power is hard. We should, however, at least do our best not to have the wool pulled over our eyes. This isn’t for our benefit. It’s for theirs.

DRIP: normalising the surveillance state.

Yesterday’s shameful passing of the Data Retention and Investigatory Powers Act, nodded through without amendment and without even the perceived need for a vote in the House of Lords, was not just very bad news for the UK, it was bad news for the world. The ease with which it was passed, the speed with which it was passed, and the breadth of the powers granted send signals around the world. Some of us have been warning about this effect for a long time - what we do in the UK is being watched around the world. If we, as a supposedly mature, liberal democracy believe that mass surveillance is OK, then that means that anyone could do it. Indeed, that any sensible state should do it.

I’ve been accused of paranoia by making such a suggestion. After all, this is just ‘emergency’ legislation, a mere stop-gap while a proper review of investigatory powers and data gathering goes on. Well,  within a few short hours of the passing of DRIP, its echoes were already being heard the other side of the world. Australia’s Attorney-General, George Brandis, used DRIP as an example, seemingly to help push forward his own proposals for data retention. As reported in ZDNet, he said:

“The question of data retention is under active consideration by the government. I might point out to you as recently as yesterday, the House of Commons passed a new data retention statute. This is very much the way in which western nations are going,”

This is how it goes – and one of the many reasons that the passing of DRIP yesterday was so shameful. If the UK does it, Australia does it. Then New Zealand and Canada.  Each new country adds to the weight of the argument. Everyone’s doing it, why not us? If the UK thinks it needs this to keep its citizens safe, we need it too? By the time the long-distant sunset clause kicks in, the end of 2016, every new country that’s added a data retention law to its books, however temporary, will be another reason to extend our own security services’ powers. It’s a vicious or virtuous circle, depending on your perspective.

Of course the normalisation works in different ways too. Less scrupulous nations will be able to say that if the Brits do it, so can we – and we won’t be able to claim that they’re oppressing their population, if we do the same to our own. Further, our security services will require more and more technology to do the surveillance – and the people who develop that technology will be looking for new markets. They may sell them to the Australians – but more likely they’ll find ready markets in governments with less of a tradition of liberalism and democracy. There’s a fine selection of such nations all around the world. They’ll also find markets of other kinds – businesses wishing to use surveillance for their own purposes… whether scrupulous or not. The very criminals that the supporters of DRIP like to scare us with will be looking too – there are so many uses for surveillance that it’s hard to know where to start.

Well, actually, it should have been easy to know where to start. To make a stand. To try to normalise freedom and privacy, respect for citizens fundamental rights and a willingness for open, honest debate on the subject. That, however, would have required rejecting DRIP. We didn’t do that. Shame on us.

 

DRIP: Parliament in disrepute?

I watched and listened to the parliamentary debate on the Data Retention and Investigatory Powers bill (DRIP) with a kind of grim fascination. The outcome was always inevitable – I knew that, as, I think did all opponents of the bill – but the debate itself seemed to me to be worth paying attention to. Not really in terms of the result, but in terms of the process, and in terms of the way in which parliament was engaging with the issues. There were, it has to be said, some quite wonderful speeches in opposition to the bill, and from many different directions. MPs like John McDonnell, Dominic Raab, Caroline Lucas, Diane Abbott, Pete Wishart, David Winnick, Duncan Hames, Clive Betts, Charles Walker, Dennis Skinner and of course Tom Watson and David Davis were all excellent. Indeed, as someone said at the time, the opponents didn’t lose the debate, they lost the vote.

Therein lies the problem – what was the point of the debate? The chamber was all-but empty for most of it. In the middle of the debate, I got so angry I tweeted a picture of the chamber – with a comment attached. The tweet went a bit wild…. retweeted 870 times at the last count, and included by Liberty in their summary of the debate.

Screen Shot 2014-07-16 at 07.32.41

I did, however, also get some serious criticism for the tweet. Some suggested I had faked it, because I missed out the caption at the bottom. Fair enough – I was too angry to get the screen capture right, but I don’t fake things. I satirise and parody, tease and joke – but I don’t fake. For avoidance of doubt, I took another soon after, this time with the caption:

Screen Shot 2014-07-15 at 16.36.42

Another criticism I received, quite aggressively, was that it was misleading to tweet the picture, and that most of the MPs were likely to be in their offices or their committee rooms, working hard, but following and listening to the debate as it was being broadcast throughout the house. That may well be true – and in no way was I suggesting that MPs don’t work hard. They do – well, a great many of them do – but at this particular moment, and on this particular issue, their attention was elsewhere, as was their physical presence.

I don’t blame the MPs for that part of it. Of course their attention was elsewhere – after all, they’d had this emergency debate foisted upon them at the last minute, and they already have busy lives and huge amounts of work to do, particularly with the parliamentary recess coming up, and with a reshuffle happening at that very moment. Naturally, MPs are distracted by the reshuffle – coalition MPs because their jobs are on the line, Labour MPs because they have to be ready to respond to the reshuffle. Naturally their jobs, their careers, their responsibilities come first.

That, though, is really where my tweet comes in. I said ‘This is how seriously our MPs take our privacy’. I meant it. They showed disrespect to the issue not just by not listening to the debate, but by accepting a process that meant that they only had a few hours of debate to listen to, and almost nothing to read or discuss about it. They accepted an unnecessary fast-tracking, effectively on trust – because they don’t really take our privacy seriously.

Frankly, I’m not convinced that they were listening to the debate – but if they were, that makes their voting even worse. If they listened to the debate and still voted the way they did, in a way that’s even more depressing than the more natural assumption that they were largely ignoring the debate and voting according to the whip. It would mean that they either didn’t understand the strong arguments against the bill, both analytical and impassioned – or they dismissed them as unimportant. Either way, it suggests they didn’t take our privacy seriously. At least, not seriously enough to think it needed proper, lengthy, public debate bringing in expert opinions and analysis. I’m a legal academic, specialising in internet privacy. I’ve written a book on the subject, and I’m one of the signatories of this open letter concerning DRIP – and frankly I haven’t had nearly enough time to properly analyse and understand this bill and its implications. We’ve only had a chance for the most basic of analyses – and if I can’t, how much understanding can MPs have of it?

As David Winnick, a veteran MP and member of the Home Affairs Select Committee put it:

“I consider this to be an outright abuse of parliamentary procedure. Even if one is in favour of what the home secretary intends to do, to do so in the manner in which it is intended, to pass all stages in one go, surely makes a farce of our responsibilities as MPs”

He’s right. It does. It brings parliament into disrepute. MPs should be ashamed of themselves.

Open letter from UK legal academic experts re DRIP

I’m one of the signatories to the letter below – not just a few, but many very serious legal academics, some of the most distinguished in the field.


 

Tuesday 15th July 2014

To all Members of Parliament,

Re: An open letter from UK internet law academic experts

On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014.

In introducing the Bill to Parliament, the Home Secretary framed the legislation as a response to the CJEU’s decision on data retention, and as essential to preserve current levels of access to communications data by law enforcement and security services. The government has maintained that the Bill does not contain new powers.

On our analysis, this position is false. In fact, the Bill proposes to extend investigatory powers considerably, increasing the British government’s capabilities to access both communications data and content. The Bill will increase surveillance powers by authorising the government to;

  • compel any person or company – including internet services and telecommunications companies – outside the United Kingdom to execute an interception warrant (Clause 4(2));
  • compel persons or companies outside the United Kingdom to execute an interception warrant relating to conduct outside of the UK (Clause 4(2));
  • compel any person or company outside the UK to do anything, including complying with technical requirements, to ensure that the person or company is able, on a continuing basis, to assist the UK with interception at any time (Clause 4(6)).
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data (Clause 4(8)); and
  • order any person or company outside the United Kingdom to obtain, retain and disclose communications data relating to conduct outside the UK (Clause 4(8)).

The legislation goes far beyond simply authorising data retention in the UK. In fact, DRIP attempts to extend the territorial reach of the British interception powers, expanding the UK’s ability to mandate the interception of communications content across the globe. It introduces powers that are not only completely novel in the United Kingdom, they are some of the first of their kind globally.

Moreover, since mass data retention by the UK falls within the scope of EU law, as it entails a derogation from the EU’s e-privacy Directive (Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to the extent that it falls within the scope of EU law, since such mass surveillance would still fall foul of the criteria set out by the Court of Justice of the EU in the Digital Rights and Seitlinger judgment.

Further, the bill incorporates a number of changes to interception whilst the purported urgency relates only to the striking down of the Data Retention Directive. Even if there was a real emergency relating to data retention, there is no apparent reason for this haste to be extended to the area of interception.

DRIP is far more than an administrative necessity; it is a serious expansion of the British surveillance state. We urge the British Government not to fast track this legislation and instead apply full and proper parliamentary scrutiny to ensure Parliamentarians are not mislead as to what powers this Bill truly contains.

Signed,

 

Dr Subhajit Basu, University of Leeds

Dr Paul Bernal, University of East Anglia

Professor Ian Brown, Oxford University

Ray Corrigan, The Open University

Professor Lilian Edwards, University of Strathclyde

Dr Andres Guadamuz, University of Sussex

Dr Theodore Konstadinides, University of Surrey

Professor Chris Marsden, University of Sussex

Dr Karen Mc Cullagh, University of East Anglia

Dr. Daithí Mac Síthigh, Newcastle University

Professor Viktor Mayer-Schönberger, Oxford University

Professor David Mead, University of East Anglia

Professor Andrew Murray, London School of Economics

Professor Steve Peers, University of Essex
Julia Powles, University of Cambridge

Judith Rauhofer, University of Edinburgh

Professor Burkhard Schafer, University of Edinburgh

Professor Lorna Woods, University of Essex

Theresa May – even more reason to worry about DRIP….

Screen Shot 2014-07-14 at 19.00.29I watched and listened to the session of the Home Affairs Select Committee this afternoon: Home Secretary Theresa May was being questioned about a number of things, including DRIP. The session was, I suspect, intended to reassure us that everything was OK, and that we needn’t worry about DRIP. The result, for me at least, was precisely the opposite: it left me feeling even more concerned.

Theresa May is the minister responsible for DRIP, and her performance before the committee suggested neither competence in managing the process nor an understanding of what the issues were or why people would be concerned. It was a performance that mixed the incompetent with the contemptuous, not just failing to provide answers but suggesting that she didn’t think the questions were even worth asking.

Many things about it were poor. May failed to explain why the legislation had to be rushed through – she could not (or would not) explain why nothing had happened publicly since the ECJ ruling in April, and she could not (or would not) provide details as to why there was pressure now. Next, she could not answer the key question on extraterritoriality – whether the powers in DRIP were in fact new. She claimed to have had advice that the powers did exist before – but couldn’t say whether or not they had ever been used.

Most importantly, though, when pushed by David Winnick on the key point – compliance with the ECJ ruling that struck down the Data Retention Directive, she fumbled and obfuscated when asked about the ruling. She either did not understand or deliberately pretended not to understand that the key point of the ruling was that blanket gathering of data was in conflict with fundamental rights. Ultimately, that’s the real point here – and she either could not or would not answer it.

To put it directly, the ruling said that blanket gathering of data, gathering data on everyone, regardless of suspicion, guilt or innocence, or any particular reason, was not appropriate. That is what the Data Retention Directive (DRD) did, and why the ECJ struck it down. They’re right, too. This isn’t some esoteric or obscure point, it’s a fundamental one, parallel to the idea of the presumption of innocence. The DRD did it, and DRIP does it – which is why at the very least we need to discuss it in much more depth. The session with Theresa May left me thinking that she either didn’t understand it or she dismissed it as unimportant. Now you may disagree on proportionality, and believe that mass surveillance is a proportionate response, but to dismiss the issue as unimportant and unworthy of discussion is indefensible.

Mind you, I don’t think people will be talking that much about this – because Theresa May’s performance when questioned about the appointment and subsequent resignation of Lady Butler-Sloss was even worse, if that can be believed. All in all, Theresa May looked neither trustworthy nor competent. It’s hard to imagine someone less appropriate to trust with the open-ended and extensive powers granted by something like DRIP.

DRIP: a shabby process for a shady law.

[An earlier version of this post appeared at The Justice Gap, here]

Thursday’s announcement by David Cameron and Nick Clegg that the coalition was going to expedite emergency surveillance legislation is something that should concern all of us, not just privacy activists. The speed with which the Data Retention and Investigatory Powers bill (‘DRIP’) is being brought into play, the lack of consultation and the breadth of its powers should matter to everyone. There is a reason that legislation usually requires time and careful consideration – and with a contentious issue like surveillance this is especially true. This is a shabby process, for what seems to be a very shady law. And, as David Davis MP has suggested, the ‘emergency’ is theatrical, not real. The need for new legislation was entirely predictable – and politicians and civil servants should have known this.

A predictable emergency

The trigger for the legislation was the ruling by the ECJ, on 8th April, that the Data Retention Directive was invalid – more than three months ago – but the signs that new legislation was needed have been there for far longer. The ruling by the ECJ exceeded the expectations of privacy advocates – but not that significantly, and the declaration that the directive was invalid should have been an outcome that civil servants and politicians were prepared for. Indeed, the Data Retention Directive has been subject to significant challenge since its inception in 2005. Peter Hustinx, the European Data Protection Supervisor in 2010 called it:

“…without doubt the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”

Across Europe there have been protests and legal challenges to data retention throughout its history, from 30,000 people on the streets of Germany in 2007 to the declaration that data retention itself was unconstitutional in Romania. The challenge that eventually brought down the directive began in 2013.

The signs have been there in the UK too, and for far longer than three months. The Communications Data Bill – more commonly and appropriately known as the Snoopers’ Charter – was effectively abandoned well over a year ago, after a specially set-up parliamentary committee, after taking detailed evidence, issued a damning report. At that stage, even before the revelations of Edward Snowden reared their ugly head, the need for further legislation was evident.

So why, given all these warnings, has this emergency been manufactured, and why is legislation being pushed through so quickly? Is it that those behind the bill are concerned that if it received full and detailed scrutiny, the full scale and impact of the bill will become evident and, like the Snoopers’ Charter before it, it will fail? It is hard not to think that this has played some part in the tactics being employed here. What would there be to lose by delaying this a few months?

Companies like data too…

The suggestion that if the legislation isn’t pushed through this quickly then companies will suddenly start deleting all their communications data is naïve to say the least. Firstly, it’s hardly in most communications providers’ interest to delete all that data – actually, rather the opposite. Back in 2007, Google attempted to use the existence of data retention legislation as an excuse not to delete search logs – companies generally like having more data, as they (just like the authorities) believe they can get value from it. Moreover, businesses don’t often change their practices at the drop of a hat, even if they want to. They might, however, if they’re required to by law – and that may well be the real key here. Legal challenges to specific practices by specific companies in terms of data retention may well be in the offing – but this would take time, far more time than the few days – less than a week – that MPs are being given to pass this legislation.

Fundamental Rights

The underlying point here is that there is a reason that the Data Retention Directive was declared invalid by the ECJ, and a reason that both privacy advocates and academics have been concerned about it from the very beginning. The mass collection of communications data breaches fundamental rights – and DRIP, just like the Communications Data Bill before it, does authorise the mass collection of this data. It has the same fundamental flaws as that bill – and a few extras to boot. With the very limited time available to review the bill so far, it appears to extend rather than limit the powers available through the contentious Regulation of Investigatory Powers Act (RIPA) rather than limit them or modernise them (see for example the analysis by David Allen Green in the FT here – registration needed), and attempt to extend powers outside the UK in a way that is at the very least contentious – and in need of much more scrutiny and consideration.

Most importantly, it still works on the assumption that there is no problem with collecting data, and that the only place for controls or targeting is at the accessing stage. This is a fundamentally flawed assumption – morally, legally and practically. At the moral level, it treats us all as suspects. Legally it has been challenged and beaten many times – consistently in the European Court of Human Rights, in cases from as far back as Leander in 1987, and now in the ECJ in the declaration of invalidity of the Data Retention Directive. Practically, it means that data gathered is vulnerable in many ways – from the all too evident risks of function creep that RIPA has demonstrated over the years (dog-fouling, fly-tippers etc) to vulnerability to leaking, hacking, human error, human malice and so forth. Moreover, it is the gathering of data that creates the chilling effect – impacting upon our freedom of speech, of assembly and association and so forth. This isn’t just about privacy.

Safeguards?

Nick Clegg made much of the concessions and safeguards in the new bill, emphasising that this isn’t a Snoopers’ Charter Mark 2, but it is hard to be enthusiastic about them at this stage. There is a sunset clause, meaning that DRIP will expire in December 2016 – but there is nothing in the bill itself to say that it won’t be replaced by similar ‘emergency’ legislation, railroaded through parliament in a similar way. Moreover, December 2016 is well after the election – and the Lib Dems are currently unlikely to still have any influence at that stage. Julian Huppert in particular, my MP in Cambridge, is in a very precarious position. Without him, it’s hard to see much Lib Dem resistance to either the Tories or the Labour Party who set the ball rolling on mass surveillance state in the Blair years.

The rest of the safeguards are difficult to evaluate at this stage – they were originally said to be contained in secondary legislation that was not published with the bill itself, but when that secondary legislation was actually released, at around 4pm on Friday afternoon, it contained almost none of what had been promised. For example, the suggestion that the number of bodies able to use RIPA was to be restricted, was entirely absent. This list doesn’t just include the police and intelligence services, but pretty much all local authorities, and bodies like the food standards agency and the charities commission – another part of the function creep of RIPA. The breadth and depth of the surveillance that this bill, in combination with RIPA, would not only allow but effectively normalise, is something that should be of the deepest concern to anyone who takes civil liberties seriously.

The shabbiest of processes

This is just one part of the shabbiness of the process. Two more crucial documents,  ‘Impact Assessments’ performed by the Home Office concerning the data retention and interception aspects of the bill, were also released – but without even a mention, so that the first that was heard of them by most concerned people was early on Saturday morning, when vigilant investigators found them all but hidden on the Home Office website. Two documents, full of technical details looking at why the laws were ‘needed’ and what the risks and benefits of the laws would be, the alternatives and so forth, pretty much hidden away. These, together with the Bill itself and the Regulations, combine to produce something with a serious level of both legal and technical complexity – something that needs very careful study and expert analysis. And to do this analysis, we are given essentially one weekend, and no warning.

How serious this is was highlighted by a brief twitter conversation between David Allen Green and MP Julian Huppert this morning:

Screen Shot 2014-07-12 at 18.53.05

 

David Allen Green (@JackofKent) is asking a straight and direct, technical and legal question – and Julian Huppert can’t answer it. Julian is perhaps the most technically expert of the entire House of Commons – if he doesn’t understand the bill, its impact and how it changes the current situation, how much less can other MPs? And yet they are expected to debate the bill on Monday, and pass it almost immediately. This is patently wrong – and highlights exactly why parliament generally has significant time for analysis and for debate, and parliamentary committees call experts to give testimony, to tease out these kinds of answers. Julian Huppert should not be criticised for not knowing the answer to the question – but he should be criticised for supporting a bill without allowing the time for these questions to be asked, investigated and answered. They need to be.

This is an wholly unsatisfactory state of affairs. Indeed, the whole thing is highly unsatisfactory, and in a democratic society, it should be unacceptable. That our MPs seem willing to accept it speaks volumes.

——————–

The key documents can be found here:- study them if you have time!

The draft bill

The draft regulations

The impact assessment for interception

The impact assessment for data retention.

Facebook, Google and the little people….

This last week has emphasised the sheer power and influence of the internet giants – Facebook and Google in particular.

The Facebook Experiment

First we had the furore over the so-called ‘Facebook Experiment’ – the revelation that Facebook had undertaken an exercise in ‘emotional contagion’, effectively trying to manipulate the emotions of nearly 700,000 of its users without their consent, knowledge or understanding. There were many issues surrounding it (some of which I’ve written about here) starting with the ethics of the study itself, but the most important thing to understand is that the experiment succeeded, albeit not very dramatically. That is, by manipulating people’s news feeds, Facebook found that they were able to manipulate peoples emotions. However you look at the ethics of this, that’s a significant amount of power.

Google and the Right to be Forgotten

Then we’ve had the excitement over Google’s ‘clumsy’ implementation of the ECJ ruling in the Google Spain case. I’ve speculated before about Google’s motivations in implementing the ruling so messily, but regardless of their motivations the story should have reminded us of the immense power that Google have over how we use the internet. This power is demonstrated in a number of ways. Firstly, in the importance we place in whether a story can be found through Google – those who talk about the Google Spain ruling being tantamount to censorship are implicitly recognising the critical role that Google plays and hence the immense power that they wield. Secondly, it has demonstrated Google’s power in that, ultimately, how Google decides to interpret and implement the ruling of the court is what decides whether we can or cannot find a story. Thirdly, the way that Google seems to be able to drive the media agenda has been apparent: it sometimes seems as though people in the media are dancing to Google’s tune.

Further, though the early figures for takedown requests under the right to be forgotten sound large – 240,000 since the Google Spain ruling – the number of requests they deal with based on copyright is far higher: 42,324,954 since the decision. Right to be forgotten requests are only 0.5% of those under copyright. Google deals with these requests without the fanfare of the right to be forgotten – and apart from a few internet freedom advocates, very few people seem to even notice. Google has that much control, and their decisions have a huge impact upon us.

Giants vs. Little People

Though the two issues seem to have very little in common, they both reflect the huge power that the internet giants have over ordinary people. It is very hard for ordinary people to fight for their rights – for little people to be able to face up to giants. Little people, therefore, have to do two things: use every tool they can in the fight for their rights, and support each other when that support is needed. When the little people work together, they can punch above their weight. One of the best ways for this to happen, is through civil society organisations. All around the world, civil society organisations make a real difference – from the Open Rights Group and Privacy International in the UK to EDRi in Europe and the EFF in the US. One of the very best of these groups – and one that punches the most above its weight, has been Digital Rights Ireland. They played a critical role in one of the most important legal ‘wins’ for privacy in recent years: the effective defeat of the Data Retention Directive, one of the legal justifications for mass surveillance. They’re a small organisation, but one with expertise and a willingness to take on the giants. Given that so many of those giants – including Facebook – are officially based in Ireland, Digital Rights Ireland are especially important.

Europe vs. Facebook

There is one particular conflict between the little people and the giants that is currently in flux: the ongoing legal fight between campaigner Max Schrems and Facebook. Schrems, who is behind the ‘Europe vs. Facebook’ campaign,  has done brilliantly so far, but his case appears to be at risk. After what looked like an excellent result – the referral by the Irish High Court to the ECJ of his case against Facebook (which relates to the vulnerability of Facebook data to US surveillance via the PRISM program) – Schrems is reported as considering abandoning his case, as the possible costs might bankrupt him if things go badly.

This would be a real disaster – and not just for Schrems. This case really matters in a lot of ways. The internet giants need to know that we little people can take them on: if costs can put us off, the giants will be able to use their huge financial muscle to win every time. It’s a pivotal case – for all of us. For Europeans, it matters in protecting our data from US surveillance. For non Europeans it matters, because it challenges the US giants at a critical point – we all need them to fight against US surveillance, and they’ll only really do that wholeheartedly if it matters to their bottom line. This case could seriously hit Facebook’s bottom line – so if they lost, they’d have to do something to protect their data from US surveillance. They wouldn’t just do that for European Facebook users, they’d do it for all.

Referral to the ECJ is critical, not just because it might give a chance to win, but because (as I’ve blogged before) recently the ECJ has shown more engagement with technological issues and more willingness to rule in favour of privacy – as in the aforementioned invalidation of the Data Retention Directive and in the contentious ruling in Google Spain. We little people need to take advantage of those times when the momentum is on our side – and right now, at least in some ways, the momentum seems to be with us in the eyes of the ECJ.

So what can be done to help Schrems? Well, the first thing I would suggest to Max is to involve Digital Rights Ireland. They could really help him – and I understand that they’ve been seeking an amicus brief in the case. They’re good at this kind of thing, and they and other organizations in Europe have experience in raising the funds for this type of case. Max has done brilliant work, but where ‘little people’ have to face up to giants, they’re much better off not fighting alone.

Are Google intentionally overreacting to the Right to be Forgotten?

In one of my original reactions to the Google Spain ruling on the Right to be Forgotten, which I wrote for The Justice Gap, I said this, about Google’s response to the ruling.:

“How they respond to the ruling will be interesting – for the moment they’re saying very little. They have creative minds working for them – if they can rise to the challenge and find a way to comply with the ruling that enables ordinary people to take back a little control, that could be a very good thing. If, instead, they retrench and withdraw – or go over the top in allowing censorship too easily, it could be very bad.”

From what I’ve seen so far, it looks as though they’ve taken the ‘over the top’ approach, and are allowing censorship too easily. Two particular stories have come out today, one from the Guardian (here), the other from the BBC (here). In both cases, the journalists concerned are high profile, influential and expert – James Ball at the Guardian and Robert Peston at the BBC – and the stories, to be frank, do not seem to fall within the categories that the CJEU ruling in the Google Spain case suggested might be suitable for the right to apply. James Ball’s stories were mostly pretty recent – from 2010 and 2011 – as well as being fairly easy to argue as being ‘relevant’ in terms of public interest. Robert Peston’s stories are not so recent, but even more clearly relevant and in the public interest.

So why have they been caught by Google’s net as appropriate for the ‘right to be forgotten’? It looks very much as though this is the intentional overreaction that I was concerned about in my original posting for the Justice Gap. They’re trying to say, I think, ‘you know, we were right! This ruling means censorship! This is dangerous!’ They’re also trying to get journalists like James Ball and Robert Peston to be on their side, not on the side of the CJEU – and in Ball’s case, at least, they seem to be succeeding to an extent. Peston is more critical, saying that Google’s implementation of the ruling ‘looks odd, perhaps clumsy.’

Clumsy or intentional?

I’m not convinced that it’s clumsy at all, but intentional. I hope I’m wrong, and that, as Google themselves have said, they will be refining the method and sorting out the details. If they’re really trying to fight this, to prove that the ruling is unworkable, we’re in for some serious trouble, because the ruling will not be at all easy to reverse. Rather the opposite – and the wheels of the European legal system grind very slowly, so the fight and the mess could be protracted.

What’s more, what this should really highlight for people is not just the problem with the Google Spain ruling, but the huge power that Google already wields – because, ultimately, it is Google that is doing this ‘censorship’, not the court ruling. And Google does similar things already, though without such a fanfare, in relation to copyright protection, links to things like obscene content and so forth. Google already are acting like censors, if you see it that way, and without the drama of the right to be forgotten.

What can we do now?

In the meantime, people will develop coping mechanisms – or find ways to bypass Google’s European search systems, either going straight to google.com or using alternatives like duckduckgo, or even not using search at all, because there are other ways to find information such as crowdsourcing via Twitter. The more people use these, the more they’ll like them, and the more they’ll move away from Google.  I hope that Google see this, and find a more productive way forward than this excessive, clumsy implementation of the ruling. What’s more, I hope they engage positively and actively with the reform process for the Data Protection Regime – because a well executed reform, with a better written and more appropriate version of the right to be forgotten (or even better, the right to erasure) is the ultimate solution here. If that can be brought in soon – rather than delayed or undermined – then we can all move on from the Google Spain ruling, both legally and practically. I think everyone might benefit from that.

The Facebook Experiment: the ‘why’ questions…

Facebook question markA great deal has been written about the Facebook experiment – what did they actually do, how did they do it, what was the effect, was it ethical, was it legal, will it be challenged and so forth – but I think we need to step back a little and ask two further questions. Why did they do the experiment, and why did they publish it in this ‘academic’ form.

What Facebook tell us about their motivations for the experiment should be taken with a distinct pinch of salt: we need to look further. What Facebook does, it generally does for one simple reason: to benefit Facebook’s bottom line. They do things to build their business, and to make more money. That may involve getting more subscribers, or making those subscribers stay online for longer, or, most crucially and most directly, by getting more money from its advertisers. Subscribers are interesting, but the advertisers are the ones that pay.

So, first of all, why would Facebook want to research into ‘emotional contagion’? Facebook isn’t a psychology department in a university – they’re a business. There are a few possible reasons – and I suspect the reality is a mixture of them. At the bottom level, they want to check whether emotions can be ‘spread’, and they want to look at the mechanisms through which this spreading happens. There have been conflicting theories – for example, does seeing lots of happy pictures of your friends having exciting holidays make you happier, or make you jealous and unhappy – and Facebook would want to know which of these is true, and when. But then we need to ask ‘why’ they would want to know all this – and there’s only one obvious answer to that: because they want to be able to tap into that ability to spread emotional effects. They don’t just want to know that emotional contagion works out of academic interest – they want to be able to use it to make money.

This is where the next level of creepiness comes in. If, as they seem to think, they can spread emotional effects, how will they use that ability. With Facebook, it’s generally all about money – so in this case, that means that they will want to find ways to use emotional contagion as an advertising tool. The advertising possibilities are multiple. If you can make people associate happiness with your product, there’s a Pavlovian effect just waiting to make them salivate. If you can make people afraid, they’ll presumable be more willing to spend money on things or services to protect themselves – the lobbying efforts of those in the cybersecurity industry to make us afraid of imminent cyberwarfare or cyberterrorism are an example that springs to mind. So if Facebook can prove that emotional contagion works, and prove it in a convincing way, it opens up a new dimension of possible advertising opportunities.

That also gives part of the answer to the ‘why did they do this in this academic form’ question. An academic paper looks much more convincing than an internal, private research report. Academia provides credibility – though as an academic I’m all too aware of how limited, not to say flimsy, that credibility can be. Facebook can wave the academic paper in the faces of the advertisers – and the government agencies – and say ‘look, it’s not just us that are claiming this, it’s been proven, checked and reviewed, and by academics’.

So far, so obvious – isn’t emotional contagion just like ordinary advertising? Isn’t this all just making a mountain out of a molehill? Well, perhaps to an extent, so long as users of Facebook are aware that the whole of Facebook is, as far as Facebook is concerned, about ways to make money out of them. However, there are reasons that subliminal advertising is generally illegal – and this has some of the feeling of subliminal advertising to it, and it does have a ‘whiff of creepy’ about it. We don’t know how we’re being manipulated. We don’t know when we’re being manipulated. We don’t know why we’re seeing what we’re seeing – and we don’t know what we’re not seeing. If people imagine their news feed is just a feed, tailored perhaps a little according to their interests and interactions, a way of finding out what is going on in the world – or rather in their friends’ worlds – then they are being directly and deliberately misled. I for one don’t like this – which is why I’m not on Facebook and suggest to others to leave Facebook – but I do understand that I’m very much in the minority in that.

That brings me to my last ‘why’ question (for now). Why didn’t they anticipate the furore that would come from this paper? Why didn’t they realise that privacy advocates would be up in arms about it? I think there’s a simple answer to that: they did, but they didn’t mind. I have a strong suspicion, which I mentioned in my interview on BBC World News, that they expected all of this, and thought that the price in terms of bad publicity, a little loss of goodwill, a few potential investigations by data protection authorities and others, and perhaps even a couple of lawsuits, was one that was worth paying. Perhaps a few people will spend less time on Facebook, or even leave Facebook. Perhaps Facebook will look a little bad for a little while – but the potential financial benefit from the new stream of advertising revenue, the ability to squeeze more money from a market that looks increasingly saturated and competitive, outweighs that cost.

Based on the past record, they’re quite likely to be right. People will probably complain about this for a while, and then when the hoo-haa dies down, Facebook will still have over a billion users, and new ways to make money from them. Mark Zuckerberg doesn’t mind looking like the bad guy (again) for a little while. Why should he? The money will continue to flow – and whether it impacts upon the privacy and autonomy of the people on Facebook doesn’t matter to Facebook one way or another. It has ever been thus….