I read with interest Professor Luciano Floridi’s report from the first two legs of what the Guardian described as ‘Google’s privacy ethics tour of Europe’. Floridi is Professor of Philosophy and Ethics of Information at the Oxford Internet Institute, and one of the experts appointed by Google to its ‘Advisory Council’ on the right to be forgotten.
As would be expected from such an expert, it is a well-crafted report and explains very well some of the key ethical questions being addressed through this public consultation. As Floridi puts it:
“The two words most frequently used by all participants in the meetings were “complex” and “balance”, and they describe the situation well. The debate is complex because there are many elements interacting with each other.
The actual ruling, with its pro and contra, including its inconsistency with the advocate-general’s opinion; the role of search engines as intermediaries or data controllers; the difference between availability and accessibility of information online; the so-called rights (to be forgotten, to information), the real rights behind them (privacy and freedom of expression), and the ways in which they are interpreted on the two sides of the Atlantic; the concepts of relevance and of public interest, both very slippery; the procedural uncertainty about who should decide which links are rightfully removed and who should be informed about it.”
There is one element, however, conspicuous by its absence from Floridi’s analysis: a consideration of the power of Google. That power is considerable, and wielded in many different ways. Indeed, it could be said that the power of Google is at the heart of the whole debate over the right to be forgotten, and without taking it properly into account it will be impossible to come to sensible, practical and effective conclusions over how to deal with the right to be forgotten.
Power over what is found – and not found
The reason behind the Google Spain ruling, to start with, was connected with the power that Google wields: ‘Googling’ someone is probably the most important way to find out information about a person. The Spanish man about whom the ruling was concerned felt that when he was Googled the information was misleading and unfair. Google is at the heart of things: how they set their algorithms, how they index the web, what they include and exclude, what they rate highly – and what they rate as insignificant – matters in ways that are often hugely underestimated. And yet, if you read a lot of commentary – even the expert commentary of Professor Floridi – it seems as though Google are a mere conduit, their algorithm organic and their results generated purely in the interests of freedom of expression. If it’s interesting and relevant, those algorithms will find it for you. Google, in this view, are a purely neutral organisation, providing a service to the planet.
That’s a deeply naive assumption. Google is a business – and like all businesses, its bottom line is the bottom line. Google will do what is best for Google as a business. That may often turn out to be what serves freedom of expression best – if we can’t find what we need to find by using Google, we’ll find another way – but sometimes it won’t be. Google takes down masses of links on the basis of copyright claims – because its interests are best served by complying with the law of copyright and by keeping cordial relations with the rights-holders. That’s an infringement of freedom of expression – but in the eyes of the law and the eyes of Google, an acceptable one. Google doesn’t link to child abuse images – and quite rightly so – but that’s also an infringement of freedom of expression. Google complies with local laws and other considerations as and when Google finds it appropriate to do so – and there’s absolutely nothing wrong with that approach. Indeed, it’s an entirely appropriate approach – but it means that casting Google as the great champion of freedom of expression is only telling part of the story.
Power to set the agenda
The second aspect of power that needs to be taken into account is Google’s power to control the process and indeed to set the agenda. This whole roadshow was set up by Google – the advisory council was set up by Google, and where they visit and when, who is called to give evidence, what the agenda of their meetings is and so forth are all, directly or indirectly, controlled by Google. Again, there’s nothing wrong with this, and in some ways it’s entirely appropriate, but it does mean that it should be viewed in that context. This isn’t some neutral, independent body making an academic analysis of the ethics of the right to be forgotten – it’s a Google-appointed body, somewhat akin to a board of trustees, taking soundings on Google’s terms. They wouldn’t have been appointed if they weren’t either predisposed to be on Google’s side, or at least seen to be malleable. It also reflects an apparent tactic that Google has employed in the internet governance and regulation space more generally. By giving individuals with high personal reputation positions of importance, flying them on private jets, and generally treating them like royalty, Google creates powerful external allies. Google’s eight experts are already acting in some ways as though they were more expert than the DPAs and other European organs: it gives Google a chance to blend its choices between the best of a set of alternatives. The DPAs do, at least, appear to have noticed this.
Google seems to have been setting the agenda over the reporting of the right to be forgotten since the day it came out – many (including myself) have wondered whether Google has been deliberately overreacting to the ruling, deleting links to stories when they really didn’t have to, to try to make the ruling look ridiculous. Those stories began very shortly after the ruling, but they continue to this day – the most recent being the story that links to a positive story about an artist being removed seemingly at the artist’s desire. It’s a deeply unconvincing story, and generally couched in terms that misunderstand the ruling. Suggestions that Google was ‘forced’ to remove the link are quite wrong: a request is made, and then Google can decide to delete or not to delete – deletions being if the information is old or irrelevant – and if they choose not to, the requester can either take legal action or ask the data protection authority to adjudicate. Even in the Guardian, which really should know better, it was suggested that “Google was required to enact the court’s decision”. No. Google was not required to do so. They could, and on the face of it they should, have refused to do so. If they were really the guardians of freedom of expression, they would have – but there are wheels within wheels here, and making the ruling look ridiculous seems, again, at least on the face of it, to matter more to them.
Power in other ways
Google’s immense resources mean that it can wield its power in many more ways. Lobbying, both open and hidden, is a big deal – the amount of effort put into shaping the reform of the data protection regime so it suits Google better has been colossal. Current and ex-Googlers are now in the House of Lords (Joanna Shields, appointed by David Cameron in August, used to run Google’s Europe division) and in the White House (Megan Smith, Google VP for Development is Obama’s new Chief Technology Officer and senior technology advisor, appointed earlier this month). Google provides funding to think tanks, and to academic organisations – indeed, they’re one of the biggest funders in these areas. Though this funding is given without strings attached, it is hard not to feel that there is at least some influence on the subjects that are researched, and the terms on which they are researched. No-one bites the hand that feeds them without at least thinking about it. Google has a critical role to play in how technology functions, how businesses function – and in how the media functions. The media in particular sometimes seems far less critical of Google than it might be – except in terms of its taxation policies.
None of this should detract from the way that Google does provide great products – and that things like its search engine do provide a huge amount of help for freedom of expression and so forth. That, however, should not prevent us from seeing the impact of the power that it wields – and taking that power into account when looking at things like privacy and freedom of expression. When trying, as Professor Floridi says, to find the right balance, with all those complex factors to deal with, that power must be taken into account. If it isn’t, that balance will never be found.
The video below is the slideshow of my presentation this morning at the Society of Legal Scholars conference in Nottingham – and what follows it are some brief notes to support it. Some of this is speculative and some of it is contentious – particularly in relation to the relative importance of corporate and governmental surveillance – and this is an early stage of this research, though it builds on the work in my book, Internet Privacy Rights. I should also note that this is a development of the paper I gave at BILETA earlier this year: ‘who killed privacy?’
The Resurrection of Privacy?
In 1999, Scott McNealy, then CEO of Sun Microsystems, famously said:
“You have zero privacy anyway. Get over it.”
Events and developments since 1999 have hardly improved the prospects for privacy: the growth of social networking, technological developments like smartphones, geo-location, business ideas such as behavioural tracking and, most recently, the revelations from Edward Snowden about the near universal surveillance systems of the NSA, GCHQ and others. If privacy was in trouble in 1999, the argument that it is at least close to death in 2014 is much stronger.
That brings two questions:
If privacy is dead, who killed it? Did we kill it ourselves? Is it the activities of government agencies like the NSA and GCHQ, or of businesses like Google and Facebook?
If privacy is in fact dead, is there a possible route towards its resurrection?
Suspect 1: us!
On the face of it, it might appear as though we ourselves have simply given up on privacy. We’ve killed it ourselves by embracing all the privacy-invasive technology that’s offered to us, by failing even to read privacy policies, by allowing the intelligence services to do whatever they want, with barely a murmur of protest. More than a billion of us have joined Facebook, for example, a service based at least in some ways on giving up on privacy, sharing our most intimate information.
That, however, is not the whole story. In many ways it appears that what we have done has been through a lack of awareness rather than by deliberate decisions. The extent to which people understand how systems like Facebook work is hard to gauge – but the surprise that people show when bad things happen suggests that there isn’t a great deal of awareness. It also appears that people are becoming more aware – and as they become more aware, they’re making more privacy-based decisions, taking control of their privacy settings and so forth.
Further, when we’re given the chance to see how intelligence agencies work, we don’t seem to be happy about it – though less, it has to be acknowledged, in the UK than in many other countries. Even so, when the Communications Data Bill was put under full scrutiny, it was rejected – in part because of the public reaction. Further, studies show that people don’t like behavioural advertising – and dislike it more when they learn more about how it works.
All this suggests that we aren’t really the key to the death of privacy: we’re more like unwitting accomplices.
Suspect 2: the NSA and GCHQ
The revelations of Edward Snowden about the surveillance activities sent shockwaves through the internet. Many people had already believed that the NSA, GCHQ and other agencies performed surveillance on the internet – Snowden’s revelations seemed to prove it, and to suggest that the level of surveillance was greater even than that feared by the more extreme of conspiracy theorists. Not just had they been gathering telephony and internet data and building (in the US) massive data centres, but they’d been accessing the servers of the big commercial internet providers, tapping into undersea cables, intercepting traffic between server sites and undermining encryption systems – and much more. The level of privacy invasion is extreme.
However, until Edward Snowden revealed all of this, the agencies were working largely in secret – and while this still constitutes a major invasion of privacy, the impact on people’s behaviour is much smaller. If we don’t know we’re being watched, our actions aren’t chilled – and our beliefs about privacy are not changed. Moreover, the kind of harms done to people by surveillance by the NSA and GCHQ are indirect, at least for most people. Finally, and most importantly, if it were not for the commercial operators’ surveillance, the NSA and GCHQ would have far less to ‘feed’ on.
All this is not to dismiss the role of the intelligence services or indeed the impact of their surveillance activities – they should be resisted with the utmost vigour – but in terms of the death of privacy, they can be seen more as opportunist accomplices, rather than instigators.
Suspect 3: businesses like Facebook and Google
The role of the commercial operators on the internet, on the other hand, is both deeper and more significant either than is often believed or than the role of governments and government agencies on their own. The commercial entities have contributed to the decline of privacy in three kinds of ways:
Systematic – commercial entities have undermined privacy both in technological and business model senses, developing technologies to invade privacy and business models that depend on systematic and essentially covert gathering of personal data. Businesses have also lobbied strongly to reduce the effectiveness of legal privacy protection. In Europe they have done their best to undermine and weaken data protection – including the on-going reform process. They continue to do so, for example in relation to the right to be forgotten. In the US, they have contributed to the effective scuppering of the Do Not Track initiative.
Cooperative – businesses have been working with governments, sometimes willingly, sometimes unwillingly, sometimes knowingly and sometimes unknowingly. The extent of this cooperation and the extent to which it has been willing is unclear – though recent statements from the NSA have suggested that they did know about it and did cooperate willingly. Further, they kept this cooperation secret – until it was revealed by the Snowden leaks.
Normative – businesses have been attempting to undermine the idea that privacy is something to value and something of importance. Mark Zuckerberg’s suggestion that ‘privacy is no longer a social norm’ is reflected not just in words but in actions, encouraging people to ‘share’ information of all kinds rather than consider the privacy impact. Further, they continue to develop technologies that invade privacy inherently – from geo-technology to wearable health monitoring and things like Google Glass.
All this combines to make the role of the businesses look most significant – if anyone is guilty of killing privacy, it is Facebook and Google rather than the NSA and GCHQ. Moreover, the harms to most people possible from corporate surveillance are both tangible and more likely than harms from the NSA and GCHQ: impact on things like insurance, credit ratings, employability, relationships and so forth are not just theoretical.
As Bruce Schneier put it:
“The NSA didn’t wake up and say, ‘Let’s just spy on everybody.’ They looked up and said, ‘Wow, corporations are spying on everybody. Let’s get ourselves a copy.’”
And as Timothy Garton Ash said when considering the Stasi:
“…the Minister for State Security observed that the results achieved by his ministry ‘would be unthinkable without the energetic help and support of the citizens of our country’. ‘For once,’ I comment, ‘what the Minister says is true.’”
Where the Stasi needs the citizen informers, the new surveillance programmes need the ISPs and the internet giants – the Googles, Facebooks, Microsofts, Yahoo!s, Apples and so forth. That is what makes their role in the reverse so important.
The resurrection of privacy
In the post-Snowden environment, at least on the surface, businesses have started to take a more ‘pro-privacy’ stance. Whether that is meaningful, or they are just paying lip service to it, has yet to be seen. Their role, however, is crucial.
Reversing the three roles noted above – systematic, cooperative and normative – could produce a positive impact for privacy, effectively being a part of the ‘resurrection’ of privacy:
Systematic – businesses could play a part by building more robust technology and developing more privacy-friendly business models
Cooperative – and Resistant. Businesses could cooperate more with civil society and academia in working towards privacy – and could do more to resist being co-opted by governments, not just being more transparent in their dealings with governments but acting as a barrier and protection for their users in their dealings with governments.
Normative – businesses could play a part in changing the message so that it becomes clearer that privacy is a social norm.
At the moment it seems unlikely that businesses will do very much of this – but there are a few signs that are positive. Real names policies have been relaxed on Google +, and even Facebook has shown some moves in that direction. All the big companies are doing more to secure their systems – encryption is more common, both in the infrastructure and in user systems. Google does at least seem to be making some attempt to cooperate with the right to be forgotten – though whether these attempts are being done in good faith has yet to be seen.
It will probably take a miracle – resurrections generally do – but miracles do sometimes happen.
I was introduced to Dave Eggers’ novel, The Circle, by Professor Andrew Murray – one of the pre-eminent scholars in IT Law in the UK, and also one of my PhD supervisors. I know I’m very late to this game – the book came out in 2013, and all the cool people will already have read it or reviewed it, but in this case I think it’s worth it. And the fact that someone like Andrew Murray would recommend it should give pause for thought: this isn’t just an entertaining piece of science fiction, it’s a book that really makes you think. It’s not just a dystopian vision of the future, it’s one that is far, far closer to reality than almost any I’ve read – and dystopian novels and films are pretty much my favourite genre.
It’s a book that reminded me why, unlike most of my schoolmates, I always preferred Brave New World to 1984 – and why, of the various privacy stories of the last few months I suspect, ultimately, the Facebook Experiment and the ruling over the Right to be Forgotten will matter more than the passing of the deeply depressing DRIP. In the end, as The Circle demonstrates graphically, we have more to fear from corporate domination of the Internet than we do from all the spooks and law enforcement agencies.
The Circle from which the novel gets its name is a technology company that combines a great deal of Google and Facebook with a little dash of Apple and a touch of Twitter. It dominates search and social media, but also makes cool and functional hardware. Eggers’ triumph in the Circle is that he really gets not just the tech but the culture that surrounds it – little details like sending frowns to paramilitaries in Guatemala echo campaigns like #BringBackOurGirls in their futility, superficiality and ultimate inanity. The lives portrayed in the Circle should send shivers down the spines of any of us who spend much time on Twitter or Facebook: that I read the book whilst on a holiday without much Internet access made the point to me most graphically.
Privacy is theft
Eggers echoes both 1984 and Brave New World in using slogans to encapsulate concepts – exaggerating to make the point. For the Circle, these are:
Secrets are lies
Sharing is caring
Privacy is theft
All three are linked together – and connected to the idea that there’s something almost mystical about data. We don’t just have no right to privacy, we have a duty to disclose, a duty to be transparent. A failure to disclose means we’re depriving others of the benefits of our information: by claiming privacy, we’re stealing opportunities and advantages that others have the right to. If we care about others, we should share with them. This is Facebook, this is Google Flu Trends – and it’s the philosophy that implies that those of us who oppose the care.data scheme through which all our health data will be shared with researchers, pharmaceutical companies and many others, are selfish Luddites likely to be responsible for the deaths of thousands.
It is also the philosophy behind a lot of the opposition to the right to be forgotten. That opposition is based on the myth – one that Eggers exposes excellently – that the records on the Internet represent ‘the truth’ and that tampering with them, let alone deleting anything from them, is tantamount to criminality. Without spoiling the plot too much, one of the characters is psychologically and almost physically destroyed by the consequences of that. Eggers neatly leaves it unclear whether the key ‘facts’ that do the damage are actually real – he knows that this, ultimately, isn’t the point. Even if it all were true, the idea that maintaining it and exposing it would be a general good, something to be encouraged and fought for, is misguided at best.
It’s about power – and how it’s wielded
In the novel, The Circle has the power – and it wields it in many ways. Emotional manipulation, keeping people happy and at the same time keeping them within the Circle, is the key point – and the echoes of the Facebook Experiment, about which much has been written, but much has missed the deeper points, are chilling here. One of the real functions of the experiment was for Facebook to find ways to keep people using Facebook…
Another of the key ways that the Circle wields power is through its influence over lawmakers – and the same is sadly evident of Google and Facebook, in the UK as much as in the US. In the UK in particular the influence over things like opposition to data protection reform – and the right to be forgotten – are all too clear. It would be great if this could change, but as in the novel, the powers and common interests are far too strong for much chance. More’s the pity.
As a novel, The Circle is not without fault. I guessed the main plot twist less than half-way through the book. There’s a good deal of hyperbole – but this is dystopian fiction, after all – and the tech itself is not exactly described convincingly. What’s more, the prose is far from beautiful, the characters are mostly rather two-dimensional, and often they’re used primarily to allow Eggers to make his points, often through what amount to set speeches – but Huxley was guilty of that from time to time too. Those speeches, however, are often worth reading. Here, one of the dissidents explains his objections:
“It’s the usual utopian vision. This time they were saying it’ll reduce waste. If stores know what their customers want, then they don’t overproduce, don’t overship, don’t have to throw stuff away when it’s not bought. I mean, like everything else you guys are pushing, it sounds perfect, sounds progressive, but it carries with it more control, more central tracking of everything we do.”
“Mercer, the Circle is a group of people like me. Are you saying that somehow we’re all in a room somewhere, watching you, planning world domination?”
“No. First of all, I know it’s all people like you. Individually you don’t know what you’re doing collectively. But secondly, don’t presume the benevolence of your leaders.”
In that brief exchange Eggers shows how well he gets the point. A little later he nails why we should care much more about this but don’t, focussing instead on the spooks of the NSA and GCHQ.
“Here, though, there are no oppressors. No one’s forcing you to do this. You willingly tie yourself to these leashes.”
That’s the problem. We don’t seem to see the risk – indeed, just as in the novel, we willingly seem to embrace the very things that damage us. Lawmakers, too, seem not to see the problem – and as noted all too often allow themselves to be lobbied into compliance. The success of Google’s lobbyists over the right to be forgotten is testimony to this. Even now, people who really should know better are being persuaded to support the Circle – sorry, I mean Google’s – business model rather than address a real, important privacy issue.
Coming to a society near you…
We’re taking more and more steps in the direction of the Circle. Not just the Facebook experiment and the reaction to the ‘right to be forgotten’ ruling – but even in the last week or two a House of Lords committee has recommended an end to online anonymity, effectively asking service providers to require real names before receiving services. This is one of the central planks of the way the Circle takes control over people’s lives, and one which our lawmakers seem to be very happy to give them. There are also stories going around about government plans to integrate various databases from health and the DVLA to criminal records… another key tenet of the Circle’s plans… The ‘detailed’ reasons for doing so sound and seem compelling – but the ultimate consequences could be disastrous…
Anyway, that’s enough from me. Read the book. I’ll be recommending it to my Internet Law and Privacy students, but I hope it’s read much more widely than that. It deserves to be.
This last week has emphasised the sheer power and influence of the internet giants – Facebook and Google in particular.
The Facebook Experiment
First we had the furore over the so-called ‘Facebook Experiment’ – the revelation that Facebook had undertaken an exercise in ‘emotional contagion’, effectively trying to manipulate the emotions of nearly 700,000 of its users without their consent, knowledge or understanding. There were many issues surrounding it (some of which I’ve written about here) starting with the ethics of the study itself, but the most important thing to understand is that the experiment succeeded, albeit not very dramatically. That is, by manipulating people’s news feeds, Facebook found that they were able to manipulate people’s emotions. However you look at the ethics of this, that’s a significant amount of power.
Google and the Right to be Forgotten
Then we’ve had the excitement over Google’s ‘clumsy’ implementation of the ECJ ruling in the Google Spain case. I’ve speculated before about Google’s motivations in implementing the ruling so messily, but regardless of their motivations the story should have reminded us of the immense power that Google have over how we use the internet. This power is demonstrated in a number of ways. Firstly, in the importance we place in whether a story can be found through Google – those who talk about the Google Spain ruling being tantamount to censorship are implicitly recognising the critical role that Google plays and hence the immense power that they wield. Secondly, it has demonstrated Google’s power in that, ultimately, how Google decides to interpret and implement the ruling of the court is what decides whether we can or cannot find a story. Thirdly, the way that Google seems to be able to drive the media agenda has been apparent: it sometimes seems as though people in the media are dancing to Google’s tune.
Further, though the early figures for takedown requests under the right to be forgotten sound large – 240,000 since the Google Spain ruling – the number of requests they deal with based on copyright is far higher: 42,324,954 since the decision. Right to be forgotten requests are only 0.5% of those under copyright. Google deals with these requests without the fanfare of the right to be forgotten – and apart from a few internet freedom advocates, very few people seem to even notice. Google has that much control, and their decisions have a huge impact upon us.
Giants vs. Little People
Though the two issues seem to have very little in common, they both reflect the huge power that the internet giants have over ordinary people. It is very hard for ordinary people to fight for their rights – for little people to be able to face up to giants. Little people, therefore, have to do two things: use every tool they can in the fight for their rights, and support each other when that support is needed. When the little people work together, they can punch above their weight. One of the best ways for this to happen is through civil society organisations. All around the world, civil society organisations make a real difference – from the Open Rights Group and Privacy International in the UK to EDRi in Europe and the EFF in the US. One of the very best of these groups – and one that punches the most above its weight – has been Digital Rights Ireland. They played a critical role in one of the most important legal ‘wins’ for privacy in recent years: the effective defeat of the Data Retention Directive, one of the legal justifications for mass surveillance. They’re a small organisation, but one with expertise and a willingness to take on the giants. Given that so many of those giants – including Facebook – are officially based in Ireland, Digital Rights Ireland are especially important.
Europe vs. Facebook
There is one particular conflict between the little people and the giants that is currently in flux: the ongoing legal fight between campaigner Max Schrems and Facebook. Schrems, who is behind the ‘Europe vs. Facebook’ campaign, has done brilliantly so far, but his case appears to be at risk. After what looked like an excellent result – the referral by the Irish High Court to the ECJ of his case against Facebook (which relates to the vulnerability of Facebook data to US surveillance via the PRISM program) – Schrems is reported as considering abandoning his case, as the possible costs might bankrupt him if things go badly.
This would be a real disaster – and not just for Schrems. This case really matters in a lot of ways. The internet giants need to know that we little people can take them on: if costs can put us off, the giants will be able to use their huge financial muscle to win every time. It’s a pivotal case – for all of us. For Europeans, it matters in protecting our data from US surveillance. For non-Europeans it matters, because it challenges the US giants at a critical point – we all need them to fight against US surveillance, and they’ll only really do that wholeheartedly if it matters to their bottom line. This case could seriously hit Facebook’s bottom line – so if they lost, they’d have to do something to protect their data from US surveillance. They wouldn’t just do that for European Facebook users, they’d do it for all.
Referral to the ECJ is critical, not just because it might give a chance to win, but because (as I’ve blogged before) recently the ECJ has shown more engagement with technological issues and more willingness to rule in favour of privacy – as in the aforementioned invalidation of the Data Retention Directive and in the contentious ruling in Google Spain. We little people need to take advantage of those times when the momentum is on our side – and right now, at least in some ways, the momentum seems to be with us in the eyes of the ECJ.
So what can be done to help Schrems? Well, the first thing I would suggest to Max is to involve Digital Rights Ireland. They could really help him – and I understand that they’ve been seeking an amicus brief in the case. They’re good at this kind of thing, and they and other organizations in Europe have experience in raising the funds for this type of case. Max has done brilliant work, but where ‘little people’ have to face up to giants, they’re much better off not fighting alone.
In one of my original reactions to the Google Spain ruling on the Right to be Forgotten, which I wrote for The Justice Gap, I said this about Google’s response to the ruling:
“How they respond to the ruling will be interesting – for the moment they’re saying very little. They have creative minds working for them – if they can rise to the challenge and find a way to comply with the ruling that enables ordinary people to take back a little control, that could be a very good thing. If, instead, they retrench and withdraw – or go over the top in allowing censorship too easily, it could be very bad.”
From what I’ve seen so far, it looks as though they’ve taken the ‘over the top’ approach, and are allowing censorship too easily. Two particular stories have come out today, one from the Guardian (here), the other from the BBC (here). In both cases, the journalists concerned are high profile, influential and expert – James Ball at the Guardian and Robert Peston at the BBC – and the stories, to be frank, do not seem to fall within the categories that the CJEU ruling in the Google Spain case suggested might be suitable for the right to apply. James Ball’s stories were mostly pretty recent – from 2010 and 2011 – as well as being fairly easy to argue as being ‘relevant’ in terms of public interest. Robert Peston’s stories are not so recent, but even more clearly relevant and in the public interest.
So why have they been caught by Google’s net as appropriate for the ‘right to be forgotten’? It looks very much as though this is the intentional overreaction that I was concerned about in my original posting for the Justice Gap. They’re trying to say, I think, ‘you know, we were right! This ruling means censorship! This is dangerous!’ They’re also trying to get journalists like James Ball and Robert Peston to be on their side, not on the side of the CJEU – and in Ball’s case, at least, they seem to be succeeding to an extent. Peston is more critical, saying that Google’s implementation of the ruling ‘looks odd, perhaps clumsy.’
Clumsy or intentional?
I’m not convinced that it’s clumsy at all; I think it’s intentional. I hope I’m wrong, and that, as Google themselves have said, they will be refining the method and sorting out the details. If they’re really trying to fight this, to prove that the ruling is unworkable, we’re in for some serious trouble, because the ruling will not be at all easy to reverse. Rather the opposite – and the wheels of the European legal system grind very slowly, so the fight and the mess could be protracted.
What’s more, what this should really highlight for people is not just the problem with the Google Spain ruling, but the huge power that Google already wields – because, ultimately, it is Google that is doing this ‘censorship’, not the court ruling. And Google does similar things already, though without such a fanfare, in relation to copyright protection, links to things like obscene content and so forth. Google already are acting like censors, if you see it that way, and without the drama of the right to be forgotten.
What can we do now?
In the meantime, people will develop coping mechanisms – or find ways to bypass Google’s European search systems, either going straight to google.com or using alternatives like duckduckgo, or even not using search at all, because there are other ways to find information such as crowdsourcing via Twitter. The more people use these, the more they’ll like them, and the more they’ll move away from Google. I hope that Google see this, and find a more productive way forward than this excessive, clumsy implementation of the ruling. What’s more, I hope they engage positively and actively with the reform process for the Data Protection Regime – because a well executed reform, with a better written and more appropriate version of the right to be forgotten (or even better, the right to erasure) is the ultimate solution here. If that can be brought in soon – rather than delayed or undermined – then we can all move on from the Google Spain ruling, both legally and practically. I think everyone might benefit from that.
…for those of us interested in the right to be forgotten. I’ve found myself writing and talking to people about it unlike any time before. Privacy is becoming bigger and bigger news – and I have a strong feeling that the Snowden revelations influenced the thinking of the ECJ in last week’s ruling, subconsciously if nothing else. That should not be viewed as a bad thing – quite the opposite. What we have learned through Edward Snowden’s information should have been a wake-up call for everyone. Privacy matters – and the links between the commercial gathering and holding of data and the kind of surveillance done by the authorities are complex and manifold. If we care about privacy in relation to anyone – the authorities, businesses, other individuals, advertisers, employers, criminals etc – then we need to build a more privacy-friendly infrastructure that protects us from all of these. That means thinking more deeply, and considering more radical options – and yes, that even means the right to be forgotten, for all its flaws, risks and complications. More thought is needed, and more action – and we must understand the sources of information here, the nature of those contributing to the debate and so forth.
Anyway, this isn’t a ‘real’ blog post about the subject – I’ve done enough of them in the last week. What I want to do here is provide links to what I’ve written and said in the last week, as well as to my academic contributions to the subject, both past and present, and then to link to Julia Powles’ excellent curation of the academic blogs and articles written by many people in the aftermath of the judgment.
This last piece may in some ways be the most important – because already there’s a huge amount of hype being built up, and scare stories are being leaked to the media at a suspiciously fast rate. There are huge lobbies at play here, particularly from the ‘big players’ on the internet like Google, who will face significant disruption and significant costs as a result of the ruling, and seem to want to make sure that people view the conflict as one of principle, rather than one of business. People will rally behind a call to defend freedom of expression much more easily than they will behind a call to defend Google’s right to make money, particularly given Google’s taxation policies.
Then here are my academic pieces on the subject.
‘A right to delete?’ from 2011, for the European Journal of Law and Technology. This is an open access piece, suggesting a different approach.
‘The EU, the US and the Right to be Forgotten’, published in early 2014, a chapter in a Springer Book on data protection reform, arising from the CPDP conference in Brussels 2013. This, unfortunately, is not open access, but a chapter in an expensive book. This does, however, deal directly with some of the lobbying issues.
The right to be forgotten – and my particular take on it, the right to delete, is also discussed at length in my recently released book, Internet Privacy Rights. There’s a whole chapter on the subject, and it’s part of the general theme.
Finally, here’s a link to Julia Powles’ curation of the topic. This is really helpful – a list of what’s been written by academics over the last week or so, with a brief summary of each piece and a link to it. Some of the academics contributing are from the very top of the field, including Viktor Mayer-Schönberger, Daniel Solove and Jonathan Zittrain. All the pieces are worth a read.
This subject is far from clear cut, and the debate will continue on, in a pretty heated form I suspect, for quite some time. Probably the best thing that could come out of it, in my opinion, is some more impetus for the completion of the data protection reform in the EU. This reform has been struggling on for some years, stymied amongst other things by intense lobbying by Google and others. That lobbying will have to change tack pretty quickly: it’s no longer in Google’s interests for the reform to be delayed. If they want to have a more ‘practical’ version of the right to be forgotten in action, the best way is to be helpful rather than obstructive in the reform of the data protection regime. A new regime, with a well balanced version of the right incorporated, would be in almost everyone’s best interests.
“If you can meet with triumph and disaster And treat those two imposters just the same”
Those are my two favourite lines from Kipling’s unforgettable poem, ‘If’. They have innumerable applications – and I think another one right now. The Right to be Forgotten, about which I’ve written a number of times recently, is being viewed by some as a total disaster, others as a triumph. I don’t think either is right: it’s a bit of a mess, it may well end up costing Google a lot of time, money and effort, and it may be a huge inconvenience to Data Protection Authorities all over Europe, but in the terms that people have mostly been talking about it, privacy and freedom of expression, it seems to me that it’s unlikely to have nearly as big an impact as some have suggested.
Paedophiles and politicians – and erasure of the past
Within a day or two of the ruling, already the stories were coming out about paedophiles and politicians wanting to use the right to be forgotten to erase their past – precisely the sort of rewriting of history that the term ‘right to be forgotten’ evokes, but that this ruling does not provide for. We do need to be clear about a few things that the right will NOT do. Where there’s a public interest, and where an individual is involved in public life, the right does not apply. The stories going around right now are exactly the kind of thing that Google can and should refuse to erase links to. If Google don’t, then they’re just being bloody minded – and can give up any claims to be in favour of freedom of speech.
Similarly, we need to be clear that this ruling only applies to individuals – not to companies, government bodies, political parties, religious bodies or anything else of that kind. We’re talking human rights here – and that means humans. And, because of the exception noted above, that only means humans not involved in public life. It also only means ‘old’, ‘irrelevant’ information – though what defines ‘old’ and ‘irrelevant’ remains to be seen and argued about. There are possible slippery slope arguments here, but it doesn’t, at least on the face of it, seem to be a particularly slippery kind of slippery slope – and there’s also not that much time for it to get more slippery, or for us to slip down it, because as soon as the new data protection regime is in place, we’ll almost certainly have to start again.
We still can’t hide
Conversely, this ruling won’t really allow even us ‘little people’ to be forgotten very successfully. The ruling only allows for the erasure of links on searches (through Google or another search engine) that are based on our names. The information itself is not erased, and other forms of search can still find the same stories – that is, ‘searches’ using something other than a search engine, and even uses of search engines with different terms. You might not be able to find stories about me by searching for ‘Paul Bernal’ but still be able to find them by searching under other terms – and creative use of terms could even be automated.
There already are many ways to find things other than through search engines – whether it be crowdsourcing via Twitter or another form of search engine, employing people to look for you, or even creating your own piece of software to trawl the web. This latter idea has probably occurred to some hackers, programmers or entrepreneurs already – if the information is out there, and it still will be, there will be a way to find it. Stalkers will still be able to stalk. Employers will still be able to investigate potential employees. Credit rating agencies will still be able to find out about your ancient insolvency.
…but ‘they’ will still be able to hide
Some people seem to think that this right to be forgotten is the first attempt to manipulate search results or to rewrite history – but it really isn’t. There’s already a thriving ‘reputation management’ industry out there, who for a fee will tidy up your ‘digital footprint’, seeking out and destroying (or at least relegating to the obscurity of the later pages on your search results) disreputable stories, and building up those that show you in a good light. The old industry of SEO – search engine optimisation – did and does exactly that, from a slightly different perspective. That isn’t going to go away – if anything it’s likely to increase. People with the power and knowledge to be able to manage their reputations will still be able to.
On a slightly different tack, criminals and scammers have always been able to cover their tracks – and will still be able to. The old cat-and-mouse game between people wanting to hide their identity and people wanting to uncover those hiding them will still go on. The ‘right to be forgotten’ won’t do anything to change that.
But it’s still a mess?
It is, but not, I suspect, in the terms that people are thinking about. It will be a big mess for Google to comply, though stories are already going round that they’re building systems to allow people to apply online for links to be removed, so they might well already have had contingency plans in place. It will be a mess for data protection agencies (DPAs), as it seems that if Google refuse to comply with your request to erase a link, you can ask the DPAs to adjudicate. DPAs are already vastly overstretched and underfunded – and lacking in people and expertise. This could make their situation even messier. It might, however, also be a way for them to demand more funding from their governments – something that would surely be welcome.
It’s also a huge mess for lawyers and academics, as they struggle to get their heads around the implications and the details – but that’s all grist to the mill, when it comes down to it. It’s certainly meant that I’ve had a lot to write about and think about this week….
Over the weekend, I was asked by CNN if I would be able to write something about the ruling that was due on the right to be forgotten – it was expected on Tuesday, they told me. I said yes, partly because I’m a bit of a sucker for a media gig, and partly because I thought it would be easy. After all, we all knew what the CJEU was going to say – the Advocate-General’s opinion in June last year had been clear and, frankly, rather dull, absolving Google of responsibility for the data on third party websites and denying the existence of the right to be forgotten.
On Monday, which was a relatively free day for me, I drafted something up on the assumption that the ruling would follow the AG’s opinion, as they generally do. On Tuesday morning, however, when the ruling came out, all hell broke loose. When I saw the press release I was doing a little shopping – and I actually ran back from the shops straight home to try to digest what the ruling meant. I certainly hadn’t expected this – and I don’t know anyone in the field who had. The ruling was strong and unequivocally against Google – and it said, clearly and simply, that we do have a right to be forgotten.
I rewrote the piece for CNN – it’s here – and the main feeling I had was that this would really shake things up. I still think that – but I also think that this isn’t the end of the world as we know it, despite some pretty apocalyptic suggestions going around the internet.
On the positive side, the ruling effectively says that individuals (and only individuals, not corporations, government bodies or other institutions) can ask Google to remove links (and not the stories themselves) that come up as a result of searches for their names. It’s a victory for the individual over the corporate – in one way. The most obvious negative side is that it could reduce our ability to find information about other individuals – but there are other risks attached too. Most of those concern what Google does next – and that’s something which, for the moment, Google seem to be keeping very close to their chest.
On the surface, Google’s legal options seem very limited – there’s no obvious route of appeal, as the CJEU is the highest court. If they don’t comply, they could find themselves losing case after case after case – and there could be thousands of cases. There are already more than 200 in Spain alone, and this ruling effectively applies throughout Europe. If they do choose to comply, how will they do so? Will they create a mechanism to allow individuals to ask for things to be unlinked automatically? Will they ‘over-censor’ by taking things down at a simple request – they already do something rather like that when YouTube videos are accused of breaching copyright?
My suspicion is that one thing they will do is tweak their algorithm to reduce the number of possible cases – they will look at the kinds of search results that are likely to trigger requests, and try to reduce those automatically. That could mean, for example, setting their systems so that older stories have even less priority than before – producing an effect similar to Viktor Mayer-Schönberger’s ‘expiry dates’ for data, something that in my opinion might well be beneficial in the main. It could also mean, however, placing less priority on things like insolvency actions (the specific case that the ruling arose from was about debts) or other financial events, which would not have such a beneficial effect. Indeed, it could well be seen as detrimental.
The bigger risk, however, is to Google’s business model. Complying with this ruling could end up very costly – it effectively asks Google to make a kind of judgment call of privacy vs public interest, and making those kinds of calls is very difficult algorithmically. It might mean employing people – and people are expensive and slow… and reduce profits. Threatening Google’s business model doesn’t just threaten Google’s shareholders – it threatens the whole ‘free services for data’ approach to the net, and that’s something we all (in general) benefit from. I don’t currently think this threat is that big – but we’re still digesting the possibilities, I think.
One other possible result – in the longer term – which I would hope to see (though I’m not holding my breath) is less of a reliance on search, and on Google in particular. There are other ways to find information on the internet, ways that this ruling would not have an impact on. One of the most direct is crowdsourcing via something like Twitter – these days I get more of my information through Twitter than I do through Google. If you have a body of informed, intelligent and helpful people out there who are scouring the internet for information in their own particular way, they can supply you in a very different way to Google. They can bypass the filters that Google already put in place, and the biases that Google has (but pretends not to have) – with your own connections there are of course other biases but they’re more obvious and out in the open.
Indeed, I would also hope that this ruling is the start of our having a more objective view of what Google is – though the reactions of some that this ruling is the end of the world suggest rather the opposite. Further, we should start to think more about the kind of internet we want to have – and how to get it. I would hope that those bemoaning the censorship that this ruling might bring are equally angry about the censorship that our government in the UK, and many others around the world, have already brought in inside the Trojan Horse of ‘porn filters’. That kind of censorship, in my opinion, offers far more of a threat to freedom of expression than the idea of a right to be forgotten. If we’re really keen on freedom of expression, we should be up in arms about that – but we mostly seem to be acquiescing to it with barely a murmur.
What this ruling actually results in is yet to be seen – but if we’re positive and creative it can be something positive rather than something negative. It should be seen as a start, and not an end.