Peter Fleischer: Privacy...?

Harsher data protection sanctions are coming

2012-01-02T16:08:00.001+01:00

When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there's going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros. And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the proliferation of the numbers of authorities who can bring privacy enforcement actions is likely to increase. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year. And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The numbers of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up, both in terms of the numbers of laws that can be violated, in terms of the severity of sanctions, in terms of the numbers of complaints that are brought, and in terms of the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.

Is that all that's left?

2011-12-20T16:09:00.002+01:00

2011 has come and almost gone, and I've already forgotten most of it. It's always been that way. I can barely remember my own life. No one else will remember it either. Most of humanity has lived and died and left little more lasting traces of its existence than crickets in a summer field.

Despite our collective social fears of data deluge and "the age of big data", the reality is that we're probably the last generation in human history that will disappear with relatively little trace. As I troll the web today, I don't find much about myself: a few dozen YouTube video clips, a few hundred photos, my blog postings, a few thousand media quotes. Frankly, it really doesn't amount to all that much. It's barely a sliver of my life. In the future, digital archeologists will try to understand our generation, making sense of these digital fragments of our generation, the last lost generation.

The current privacy debates about particular technologies will seem oddly quaint in a few years. I remember a time only a few years ago when serious people thought a spam filter in email must be an invasion of privacy, since a machine was doing the filtering. Now we're debating whether users should click on a pop-up screen for cookies. A decade from now, we'll laugh, I think, about the current fears of digital over-exposure, based on today's trivia: posting a photo to the web, or tweeting, or blogging, or sharing location info with friends, or whatever. Of course, some things shouldn't be published or shared, because they are hurtful or embarrassing. But the scale of data and technology is changing so fundamentally that the importance of a particular piece of data today is almost unknowable.

I'm sure that more and more data will be shared and published, sometimes openly to the Web, and sometimes privately to a community of friends or family. But the trend is clear. Most of the sharing will be utterly boring: nope, I don't care what you had for breakfast today. But what is boring individually can be fascinating in crowd-sourcing terms, as big data analysis discovers ever more insights into human nature, health, and economics from mountains of seemingly banal data bits. We already know that some data sets hold vast information, but we've barely begun to know how to read them yet, like genomes. Data holds massive knowledge and value, even, perhaps especially, when we do not yet know how to read it. Maybe it's a mistake to try to minimize data generation and retention. Maybe the privacy community's shibboleth of data deletion is a crime against science, in ways that we don't even understand yet.

Assuming I live a normal lifespan, I will live to be able to up-load my life memories to remote storage. I'll be able to start real-time recording of my experience of life, and to store it, share it, and edit it. My perceptions, thoughts, and memory, will be enhanced by machines guided by artificial intelligence. Perhaps it's human vanity, but I want to have the choice to store and share my life, before or after its biological limits are extinguished. I am already losing clear memories of my youth, and of places I've been, and people I've loved. What I've lost is lost forever. There was no back-up disk. That's not my idea of privacy, but privation. I suspect a future privacy debate will discuss whether "memory deletion" is a fundamental human right, or deeply anti-social.

I have no idea what this future will look like, or whether humans and society can adapt to it as quickly as the technology will enable it. But as the year draws to a close, I am grateful for a front row seat, hoping to live long enough to see a world of technologies that will stop me from just disappearing from the planet, without anything more than a few random photos and video clips, as part of the last human generation whose evanescent lives left almost no traces, disappearing from the earth like crickets at the end of summer.

Data Protection Officers: on solid ground?

2011-11-23T13:13:00.001+01:00

I've worked in the field of privacy long enough to remember a time when almost no companies in the world had privacy officers. Now, almost all big companies do. And soon, Europe's privacy laws are likely to be amended in a way to mandate them, or at least to provide strong incentives to appoint them, which will lead to massive growth in this profession.

But what is a data protection officer? Or can we even agree on what to call them? "Data Protection Officer" or "DPO" is a euro-centric title, since Europe long ago invented the concept of "data protection" as an alternative (not synonym) for "privacy". Personally, I have long used the title "Global Privacy Counsel", since I think it's useful to express three things that define my job, namely, the topic (privacy), the geographic scope (global) and the functional perspective (namely, counsel, or lawyer). But privacy leaders are often not lawyers, and hence, use different monikers, ranging from Chief Privacy Officer to Director of Privacy Engineering, or Director of Privacy Compliance, or Chief Privacy Evangelist, in each case stressing a different functional perspective.

For very large companies, privacy needs to be a cross-functional effort, representing security, engineering, legal, compliance, policy and communications. Personally, I focus on the legal/regulatory/policy sides of privacy. For very large information-based Internet companies, literally hundreds of people work on privacy, across these different functions. For smaller companies, in my opinion, there should be at least one person who is accountable for privacy, in some sense, even if it's not a full-time job.

As Europe is on the verge of mandating "data protection officers", we need to understand what exactly these people will be accountable for. First, it's important to note that the European proposal will probably be modeled on the existing functions in France ("correspondent") and Germany ("Datenschutzbeauftragte"). In these countries, the DPO is responsible for supervising their companies' creation and use of databases of personal data, liaising with government privacy regulators, and providing good privacy advice and guidance. In practice, DPOs in Germany and France are sometimes focused on the legal side, and sometimes on the technical/security side.

In the US, there is a different vision of privacy leaders. At most US companies, lawyers play this role, just as I came to privacy through the legal profession. And we play this role in our capacity as lawyers, namely, providing privacy legal advice to our companies. As privacy lawyers, we provide advice, but are not empowered to make final decisions about whether or not our companies will follow our advice. The companies' executives are the decision-makers, ultimately, not the privacy lawyers. There are of course other models at some US companies, but they're still in the minority.

So, as Europe institutionalizes the role of DPO, it will be important to define what exactly these people will be accountable for, seen from inside and outside their companies. For multinationals, it will take some time to work out how to support their privacy leaders under these different legal regimes as they straddle jurisdictions. And as DPOs are held accountable for certain areas, they too may need protection and indemnification from their companies for personal liability, just like other professions, such as chief financial officers who are mandated by various laws with specific areas of accountability.

I welcome laws in Europe that will help strengthen the role of DPOs in their companies, and will help make DPOs more prevalent across industry. This will be a practical step forward for privacy. But at the same time, it will be important to define what we're accountable for, internally and externally, especially in a field where the very notion of "privacy" is highly subjective, and where the visions of what a privacy leader is supposed to do diverge dramatically, by country, by industry, and by function.

My Italian Appeal

2011-09-08T07:16:00.001+01:00

A lot of you have wondered about the status of the appeal of my Italian conviction. So, here's a short update, just on some logistical points.

There have been some changes to my legal defense team. First, I'd like to congratulate one of the defense team's members, Giuliano Pisapia, on his recent election as Mayor of Milan. Sadly for me, of course, he will be withdrawing from the legal team. But I'm delighted that Giulia Bongiorno and Carlo Blengino have joined my team. Giulia will be fully on board once her work in the Amanda Knox/ Raffaele Sollecito appeal winds down.

Preliminary appeal briefs have been filed with the Milan appeals court, but the appeal has not yet been assigned to individual appeals court judges. Once that happens, the judges will decide on a hearing schedule. So, realistically, I am not expecting the hearings to begin until later this fall. I have no insights into how many hearings will be held, nor when they might be held.

September 11

2011-09-07T13:18:00.002+01:00

September 11, seen 10 years later, changed many things in the world, in geo-political terms. Some people also think it changed the nature of privacy too, since it gave rise to the Patriot Act.

I can't think of any topic in the field of privacy that has been more polemicized and politicized and distorted than discussions about the Patriot Act. Most discussions about it are simply factually and legally wrong. I respect Microsoft for blogging and explaining this. It takes courage to talk about this issue, since so many people around the world have passionate reasons to want to resist or restrict the power of (some, all, or just the US) governments to use valid legal process to access data.

Over and over again, I read about people and politicians around the world saying that they want their data to be stored in the cloud (i.e., in a data center) in their country/Continent, so that it's protected from American law enforcement under the Patriot Act. This is a common refrain, for example, in Europe and Canada. Indeed, it has given rise to an entire industry purporting to offer "euro-clouds".

Therefore, it's perhaps surprising for some people to learn that the location of storage of the data has no impact on this issue, with regards to US-headquartered companies. It has limited impact on this issue, with regards to non-US headquartered companies. I won't repeat the legal analysis, since Microsoft's blog did a good job in explaining it.

It's well-known that global cloud-service providers maintain data centers around the world, mostly to ensure that their services operate with efficiency, speed and reliability. But they don't, and can't, operate as tools to evade or circumvent valid US government access to information, whether under the Patriot Act or any of its related/predecessor laws, since the location of data within the cloud is simply not a relevant legal factor. I know that's controversial, but it's also a legal fact, so kudos to Microsoft for saying it publicly.

"The Right to be Forgotten", seen from Spain

2011-09-05T08:04:00.002+01:00

I'd like to share some personal musings about an interesting series of court cases pending in Spain, pitting the "right to be forgotten" against the right to freedom of expression. The New York Times reported on this debate recently. In a nutshell, the cases ask the question whether people can demand that search engines delete content from their indexes, even if the content is true and the third-party site that published it clearly has the right to publish it (e.g., newspapers).

Virtually everyone uses search engines to find information on the web. There are way over a trillion pages on the web today. To help people find what they're looking for in the vastness of the web, search engines create giant indexes of the web. Search engines are intermediaries, since they don't create, select or edit the content on the web sites they index. Search engines try to match a user's search query with the search results most likely to be relevant, using complex algorithms to rank the likely relevance of a particular webpage. The vast majority of websites want to appear in search engine indexes, but if they don't want to be included in the index, they can use a simple tool, called robots.txt, to opt-out of being indexed by all leading searching engines.

Many websites publish information about people, and sometimes this information can be hurtful to a person's sense of privacy or reputation. For example, government websites or newspapers may publish information about criminal convictions or accusations of medical malpractice. People who feel that information about them was wrongly published by these web sites can always ask them to correct or delete it. But newspapers and government websites usually have published this information legally, or indeed may even be legally obligated to publish it, or may be exercizing their rights of freedom of expression. As search engine intermediaries, Google and other search engines play no role in what these web sites publish, or in deciding whether they should revise or remove content based on someone's privacy claim against them.

That's why I think it's wrong that the Spanish Data Protection Authority has launched over a hundred different privacy suits against Google, demanding that Google delete web sites from its index, even though the original websites that published the information (including Spanish newspapers and Spanish official government journals) published that information legally and continue to offer it. The legal question is important: should search engines like Google be responsible for the content of the web sites that they index? Should Google be forced to remove links from its search index, in the name of privacy, even if the websites that published it want to be included in its search index and the content is legal? Should search engines be used to make information harder to find, even if the information is legally published?

I have great sympathy with people who feel their privacy has been invaded by a web site that publishes information about them. But search engines shouldn't be asked to delete links to legal content that is published by a third-party website. These cases have sometimes been referred to as about the "right to be forgotten". In fact, these cases are not about deleting or "forgetting" content, but just about making it harder to find content. These cases would make it impossible for users to use search engines to find content that otherwise continues to exist on the web.

It's not hard to imagine the negative consequences for freedom of expression, if search engines could be ordered to delete links to any website that publishes content about a person that is deemed to have invaded someone's privacy. The debate about privacy v freedom of expression is an important and timeless debate, which is becoming more urgent in the age of the Internet. But it's wrong to try to use search engines to try to make legal information harder to find. It's wrong to use search engines as a indirect tool of censorship, since European law rightly holds the publisher of material is responsible for its content. Requiring intermediaries like search engines to censor material published by others would have a profound chilling effect on freedom of expression.

There are better ways to protect privacy online, by remembering that it should be the publisher of content who is responsible for it. Interestingly, the Spanish Data Protection Authority seems to be coming around to this conclusion itself. It recently issued a resolution ordering a website to use the robots.txt protocol to exclude some of its pages from search engine indexes. That's exactly the right approach. Now, the debate will turn to the websites that receive such orders: should they exclude some of their pages from search engine indexes, in the name of privacy, or should they refuse, in the name of freedom of expression? Newspapers worldwide, and in particular their online archives, will soon be in the middle of this debate. I believe that Spanish papers, like El Pais, are now respecting such orders. I would wager that The New York Times wouldn't, based on their reporting on Two German Killers demanding Anonymity Sue Wikipedia's Parent.

This is a difficult debate, and I'm sure that different publishers will come to different conclusions about it. That's how it should be.

Trying to define “sensitive” data

2011-05-17T09:14:00.002+01:00

Privacy laws need to ensure that there is a higher level of privacy protection for everyone’s sensitive personal data. There's universal consensus on that. So, it’s very important for laws to do a good job defining what should be considered “sensitive personal data”. It’s quite instructive to compare Europe’s definition (from 1995) with India’s (from 2011).

The European Data Protection Directive defines them as:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

As I read this list, and having worked with its concepts for years, I find it quite unsatisfying. It is both far too broad, and far too narrow, at the same time. It’s far too broad, because it seems to extend exceptional privacy legal protection to banal and often public things, like “political opinions”, or “racial origin” when any photo of me will show I’m a white dude. And things like “trade union membership” or “racial origins” probably should not be protected by privacy laws, but rather by labor laws or anti-discrimination laws, as they generally already are. But it’s also far too narrow, because the European definition of sensitive personal data fails to include something as strikingly sensitive as, say, genetic data, or biometrics. Granted, the laws in some individual European countries got this right, like France, which already treats biometrics as sensitive. In my opinion, in the future, genetic/biometric data will become the most important category of what should be treated as sensitive, so laws that don’t include biometrics in the category of sensitive data have a big gap. Strangely, European law also does not include sensitive personal financial information in its list of “sensitive” categories.

Now, for comparison, here is India’s just revised categories of “sensitive” data:

“unless freely available in the public domain or otherwise available under law, SPDI under the Rules is personal information which consists of information relating to:

password,

financial information such as bank account, credit or debit card details as well as other payment instrument details,

physical, physiological and mental health condition,

sexual orientation,

medical records and history,

Biometric information (a defined term including fingerprints, eye retinas and irises, voice and facial patterns, hand measurements and DNA),

Any detail relating to the above when supplied for providing service, and

Any of the information described above received by an organization for processing, stored or processed under lawful contract or otherwise. “

When India drafted its privacy laws, it looked to Europe’s Directive, both for inspiration and to protect its out-sourcing industry. But Europe would do well to look to India for inspiration about how to modernize our data protection concepts. India's list of "sensitive personal data" strikes me as much more modern and relevant to privacy than the legacy of what we have in Europe.

France re-writes the rules of data retention

2011-03-11T10:05:00.002+01:00

When Europe introduced a Data Retention Directive in 2006, it struck a very very careful political and legal balance between the interests of privacy and the interests of Law Enforcement/ Government access to data. The core distinction of the laws was to impose an obligation on service providers to retain and produce traffic data relating to communications, but to exclude contents of communications. Notwithstanding this careful balance, the Directive has always been highly controversial. There has been a long debate about whether this Directive, and the balance it struck, is Constitutional under national privacy laws, and indeed, last year its German-implementation was held un-constitutional by the German Constitutional Court.

Surprisingly, very few people have noticed what just happened in France. The law (decree, technically) adopted a few days ago in France up-ended the careful political/legal balance of the Directive by inserting one little word: "passwords". In other words, passwords are added to the list of "traffic data" that ISPs have to retain and produce to the French police on demand. Interestingly, the version of the law that had been circulating for discussion in France for the last two years, and which was reviewed by the French privacy authority the CNIL and by industry associations, did not contain that little word "password". The word "password" was inserted at the last minute, with no public or privacy review, as far as I can tell.

Stop to reflect for just a minute. Why would police want a password and what would they do with it? Well, obviously, they would use it to look at "content" of communications. In other words, a password would grant them access to all the things that the Directive explicitly chose not to subject to Data Retention in the interests of privacy.

All the years of work by privacy advocates has been chucked aside, in one little word. Well, three in French: "mot de passe".

I'm sure legal challenges to this French law will not be far behind. Curiously, only a few lone voices in the press or advocacy community seem to have noticed all this.

Foggy thinking about the Right to Oblivion

2011-03-09T08:59:00.002+01:00

I was lucky enough to spend a few days in Switzerland working on Street View. And I treated myself to a weekend of skiing too. The weather wasn't great, we had a lot of mountain fog, but then, the entire privacy world seems to be sort of foggy these days.

In privacy circles, everybody's talking about the Right to be Forgotten. The European Commission has even proposed that the "right to be forgotten" should be written into the up-coming revision of the Privacy Directive. Originally, a rather curious French "universal right" that doesn't even have a proper English-translation (right to be forgotten? right to oblivion? right to delete?), le Doit a l'Oubli, is going mainstream. But, what on earth is it? For most people, I think it's an attempt to give people the right to wash away digital muck, or delete the embarrassing stuff, or just start fresh. But unfortunately, it's more complicated than that.

More and more, privacy is being used to justify censorship. In a sense, privacy depends on keeping some things private, in other words, hidden, restricted, or deleted. And in a world where ever more content is coming online, and where ever more content is find-able and share-able, it's also natural that the privacy counter-movement is gathering strength. Privacy is the new black in censorship fashions. It used to be that people would invoke libel or defamation to justify censorship about things that hurt their reputations. But invoking libel or defamation requires that the speech not be true. Privacy is far more elastic, because privacy claims can be made on speech that is true.

Privacy as a justification for censorship now crops up in several different, but related, debates: le droit a l'oubli, the idea that content (especially user-generated content on social networking services) should auto-expire, the idea that data collection by companies should not be retained for longer than necessary, the idea that computers should be programmed to "forget" just like the human brain. All these are movements to censor content in the name of privacy. If there weren't serious issues on both sides of the debate, we wouldn't even be talking about this.

Most conversations about the right to oblivion mix all this stuff up. I can't imagine how to have a meaningful conversation (much less write a law) about the Right to be Oblivion without some framework to dis-entangle completely unrelated concepts, with completely unrelated implications. Here's my simple attempt to remember the different concepts some people want to forget.

1) If I post something online, should I have the right to delete it again? I think most of us agree with this, as the simplest, least controversial case. If I post a photo to my album, I should then later be able to delete it, if I have second-thoughts about it. Virtually all online services already offer this, so it's unproblematic, and this is the crux of what the French government sponsored in its recent Charter on the Droit a l'Oubli. But there's a big disconnect between a user's deleting content from his/her own site, and whether the user can in fact delete it from the Internet (which is what users usually want to do), more below.

2) If I post something, and someone else copies it and re-posts it on their own site, do I have the right to delete it? This is the classic real-world case. For example, let's say I regret having posted that picture of myself covered in mud, and after posting it on my own site, and then later deleting it, I discover someone else has copied it and re-posted it on their own site. Clearly, I should be able to ask the person who re-posted my picture to take it down. But if they refuse, or just don't respond, or are not find-able, what can do I do? I can pursue judicial procedures, but those are expensive and time-consuming. I can go directly to the platform hosting the content, and if the content violates their terms of service or obviously violates the law, I can ask them to take it down. But practically, if I ask a platform to delete a picture of me from someone else's album, without the album owner's consent, and only based on my request, it puts the platform in the very difficult or impossible position of arbitrating between my privacy claim and the album owner's freedom of expression. It's also debatable whether, as a public policy matter, we want to have platforms arbitrate such dilemmas. Perhaps this is best resolved by allowing each platform to define its own policies on this, since they could legitimately go either way.

3) If someone else posts something about me, should I have a right to delete it? Virtually all of us would agree that this raises difficult issues of conflict between freedom of expression and privacy. Traditional law has mechanisms, like defamation and libel law, to allow a person to seek redress against someone who publishes untrue information about him. Granted, the mechanisms are time-consuming and expensive, but the legal standards are long-standing and fairly clear. But a privacy claim is not based on untruth. I cannot see how such a right could be introduced without severely infringing on freedom of speech. This is why I think privacy is the new black in censorship fashion.

4) The Internet platforms that are used to host and transmit information all collect traces, some of which are PII, or partially PII. Should such platforms be under an obligation to delete or anonymize those traces after a certain period of time? and if so, after how long? and for what reasons can such traces be retained and processed? This is a much-debated topic, e.g., the cookies debate, or the logs debate, the data retention debate, all of which are also part of the Droit a l'Oubli debate, but they completely different than the categories above, since they focus on the platform's traffic data, rather than the user's content. I think existing law deals with this well, if ambiguously, by permitting such retention "as long as necessary" for "legitimate purposes". Hyper-specific regulation just doesn't work, since the cases are simply too varied.

5) Should the Internet just learn to "forget"? Quite apart from the topics above, should content on the Internet just auto-expire? e.g., should all user posts to social networking be programmed to auto-expire? Or alternatively, to give users the right to use auto-expire settings? Philosophically, I'm in favor of giving users power over their own data, but not over someone else's data. I'd love to see a credible technical framework for auto-delete tools, but I've heard a lot of technical problems with realizing them. Engineers describe most auto-delete functionalities as 80% solutions, meaning that they never work completely. Just for the sake of debate, on one extreme, government-mandated auto-expire laws would be as sensible as burning down a library every 5 years. Even if auto-expire tools existed, they would do nothing to prevent the usual privacy problems when someone copies content from one site (with the auto-expire tool) and moves it to another (without the auto-expire function). So, in the real world, I suspect that an auto-expire functionality (regardless of whether it was optional or mandatory) would provide little real-world practical privacy protections for users, but it would result in the lose of vast amounts of data and all the benefits that data can hold.

6) Should the Internet be re-wired to be more like the human brain? This seems to be a popular theme on the privacy talk circuit. I guess this means the Internet should have gradations between memory, and sort of hazy memories, and forgetting. Well, computers don't work that way. This part of the debate is sociological and psychological, but I don't see a place for it in the world of computers. Human brains also adapt to new realities, rather well, in fact, and human brains can forget or ignore content, if the content itself continues to exist in cyberspace.

7) Who should decide what should be remembered or forgotten? For example, if German courts decide German murderers should be able to delete all references to their convictions after a certain period of time, would this German standard apply to the Web? Would it apply only to content that was new on the Web, or also to historical archives? and if it only applied to Germany, or say the .de domain, would it have any practical impact at all, since the same content would continue to exist and be findable by anyone from anywhere? Or to make it more personal, the web is littered with references to my criminal conviction in Italy, but I respect the right of journalists and others to write about it, with no illusion that I should I have a "right" to delete all references to it at some point in the future. But all of my empathy for wanting to let people edit-out some of the bad things of their past doesn't change my conviction that history should be remembered, not forgotten, even if it's painful. Culture is memory.

8) Sometimes people aren't trying to delete content, they're just trying to make it harder to find. This motivates various initiatives against search engines, for example, to delete links to legitmate web content, like newspaper articles. This isn't strictly speaking "droit a l'oubli", but it's a sort of end-run around it, by trying to make some content un-findable rather than deleted. This will surely generate legal challenges and counter-challenges before this debate is resolved.

Next time you hear someone talk about the Right to be Oblivion, ask them what exactly they mean. Foggy thinking won't get us anywhere.

Imagine if tennis had different rules in every country: Cookie Confusion comes to the Continent

2010-11-26T09:22:00.003+01:00

A decade ago, European policymakers debated the level of consent required for data protection purposes when a website uses a cookie. Common sense ultimately prevailed. Policymakers realized that an opt-in regime would drive users mad, as every website would be forced to serve up pop-ups asking users to opt-in, annoying everyone. Alternatively websites could just stop using cookies, but that's unworkable in basic technology terms. So, a Directive was adopted mandating an opt-out regime, together with clear notice in privacy policies of the use of cookies. All browsers introduced cookie controls too. After a decade more experience with the Web, rather than seeing more wisdom about the Web, we're seeing the status quo common-sense approach up-ended by contradictory policy agendas in Europe. So, the question is back on the policy agend: should interest-based advertising should be opt-in, or opt-out?

What are the rules now? The 2002 E-Privacy Directive was significantly changed in 2009 (Directive 2009/136/EC). Specifically, the wording for cookies was modified:

Article 5(3): Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing...
Recital 66 (non-binding): ...Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.

While non-binding, Recital 66 clearly indicates that the directive does not intend to make cookies opt-in. The guidance from the Commission on this question has, however, been ambiguous.

In a June 2010 opinion, the Article 29 Working Party contended that in the case of interest-based advertising, at least:

The Article 29 Working Party is of the view that prior opt-in mechanisms, which require an affirmative data subject's action to indicate consent before the cookie is sent to the data subject, are more in line with Article 5(3). In a reference to consent as legal grounds for processing, the Article 29 Working Party recently confirmed these views "The technological developments also ask for a careful consideration of consent. In practice, Article 7 of Directive 95/46/EC is not always properly applied, particularly in the context of the internet, where implicit consent does not always lead to unambiguous consent (as required by Article 7 (a) of the Directive). Giving the data subjects a stronger voice ‘ex ante’, prior to the processing of their personal data by others, however requires explicit consent (and therefore an opt-in) for all processing that is based on consent."

At a speech in September 2010, Neelie Kroes (European Commissioner for the Digital Agenda) acknowledged the value created by the online advertising sector and signalled that she was “open to all creative ideas” to develop self-regulation that works for the advertising industry. When directly asked, she also said she was "not in favour of opt-in" for interest-based ads.
Alberto Alvaro, the MEP who drafted the revised ePrivacy Directive, has written that it “does not require websites to obtain prior consent for cookies to be placed on users’ terminals.”
The Commission’s DG Legal Service has not yet expressed an opinion on whether the revised E-Privacy Directive requires explicit opt-in for interest-based ad cookies.

But this is only the start. The scope for confusion will increase exponentially as individual Member States transpose the law. With no clear guidance to Member States, it is inevitable that 27 different national parliaments will begin diverging in how they transpose these rules. All of which means that global websites will face far more policy and legal confusion in Europe in the years ahead, and users will be facing very different privacy "protections" across geographies. How all of this is supposed to work in the real world is anyone's guess. Messy and contradictory laws and regulations are nothing new in politics, but if you're an engineer, what are you supposed to code?

I always think transparency and user choice are the linchpins of privacy. But a legislated solution which forces people to click like mad on cookie consent pop-ups is hardly the right way forward. At least tennis has clear rules, and they're the same everywhere.

Privacy: a number's game?

2010-09-16T05:48:00.002+01:00

How do you measure privacy protections? There are many important questions that I ask, including these:

What data is collected?

Who has access to this data?

How is this data used?

Is this data transferred to third-parties?

Can the data subject see and control this data?

Is this data protected by adequate security safeguards?

How long is this data retained before it is either destroyed or anonymized?

In reviewing this list, I think the last one is the least important in terms of measuring meaningful privacy protections for data. But curiously, it's precisely this one that I hear the most as I move around Continental Europe listening to privacy media and regulatory concerns in the online debates in recent years. Why is that?

European privacy law has clear provisions that personal data should not be retained "longer than necessary". Naturally, this time period is left vague in the laws, since it would be impossible to prescribe precise time periods for myriads of different contexts, especially since retention is always justified by "legitimate purposes". I think there's a temptation to try to boil privacy down into something simple and numerical, and what could be simpler and more measurable than a time period? In practice, there's a vast spectrum of legitimate retention periods, even for similar services, if the retention periods were designed to respect the very different legitimate purposes for which they were retaining data. To take some Google services as examples: Search logs (9 months), Instant Search logs (2 weeks), Suggest logs (24 hours), etc. To me, it's absurd to think that the most important privacy issue in Search is whether Search logs are retained for 6 or 9 months.

To take a different example: data retention rules in Europe (for government and law enforcement access) range from 6 months to 24 months, with each country in Europe picking and debating different time periods. Germany for example picked 6 months (but the German Constitutional Court struck down its version of data retention on other grounds), while France picked 12.

Curiously, the time dimension of data retention is almost entirely a Continental European privacy concern. It rarely registers as a meaningful vector in other countries, even in countries with very intense privacy debates. Of course, the euro-time-period debate is also intimately tied up with the debate about the so-called "right to be forgotten", the "droit a l'oubli", a well-intentioned idea that people should somehow be able to have parts of their own past (presumably the disagreeable parts) edited out of their personal histories. And, not coincidentally, this debate is most intense in countries with historical chapters that many people consciously or unconsciously want to forget: like Spanish society's conflict between remembering or forgetting the crimes of the Franco era.

I've spent a fair amount of time engaging in the time period debate "how many months is ok." It's pretty repetitive after a while. Lots of people who can't be bothered to think about the issues will just say: "oh, that's too long". I strongly believe that personal data should not be retained for "longer than necessary", as required by European privacy law, and I generally believe that it's an important debate for data controllers to justify their retention according to "legitimate purposes". Beyond that, reducing the online privacy debate to a numbers' game risks focusing all the attention on only one aspect of the broader privacy debate (and in my opinion, on the least important aspect of the debate to boot). And I am very much not in the superficial privacy school of thinking that "shorter is always better".

To clear my head, I spent some time playing tennis this summer. Now that's a number's game. By the way, I lost.

Face recognition software

2010-09-07T18:25:00.002+01:00

How should we handle face recognition software?

Every so often a new technology comes along that has the ability to alter fundamentally the private/public balance, with profound implications for privacy. Face recognition is one of them, in my opinion.

We're already seeing highly accurate face recognition software provided by companies like face.com in the Facebook community. Some online photo albums also offer it, as a tool for users to tag one of their photos and allow the software to come back with face matches and propose auto-tagging them too.

But what will we do about face recognition software in the wild? Any Internet-connected smart phone with a camera could in theory do a real-time face recognition search on a person walking down the street, without their knowledge, and get web-based search results. Google declined to include face recognition in the version of Goggles that it launched a few months ago, precisely because of the unresolved privacy implications.

Over the last few months, I've spoken about face recognition with a number of privacy experts. Everyone quickly understands how it could be a useful tool, and how it could be a freaky tool, depending on how it's used. But essentially no one has a clue what to do about it. One could imagine a "solution" where users would upload their photos to a company offering this service, with either an opt-in or an opt-out, in other words, telling the company, "yes" you can can run searches against my photo, or "no", please do not run searches against my photo. In either case, the company has to maintain a central database of these people and their faces. Moreover, the database is essentially a biometric database, since the software runs against algorithmic "face prints". Neither of these "solutions", opt-in or opt-out, seems very palatable. In addition, it's hard to imagine how different countries might regulate such global services according to different standards, if, as one might realistically expect, one country wants to regulate an opt-in model, while another wants to take an opt-out model, while yet a third wants to prohibit such services entirely. How would that work?

Well, as we reflect, the technology is developing rapidly, and is already on the marketplace, offered by many different companies. Once again, the technology will evolve faster than our legal, political and sociological response to it. Hang on, this one will be interesting. If you have an idea about how to handle it, I'd welcome your comments, which you're free to submit, anonymously, of course.

Exhibitionism, or Self-Expression?

2010-09-06T17:11:00.001+01:00

In privacy circles, we all try to make sure that people are sensitive about what they post online. I remember a chat I had with a journalist at SFGate.com back in 2007 :

"Before posting anything online, Peter Fleischer asks himself: Is this something I want to make public forever? ...
he thinks a lot about the implications of sharing information with the world. As a result, in his private life, he takes a cautious approach...
But he's uncomfortable sharing photos online..."

I generally advise people not to post things publicly without thinking about whether they're likely to regret having posted it. I also advise people not to post anything about other people (like pictures or videos), unless those people agreed to have it posted. But that doesn't mean that I think people should stop posting stuff about themselves and their friends online. In fact, I'm wildly enthusiastic about these social platforms that empower people to publish things about themselves and their friends to the world. The interesting risk-debate is about stuff in a gray zone, where one person's self-expression is another person's exhibitionism. This sort of gets summed up as a question that helps kids understand the consequences of posting things online: "even if you think this photo/video etc is cool, what will a future employer think about it when you start looking for a job?"

Digital natives are creating a part of their identity online. What they publish, or don't publish, is a self-created, highly edited version of their "identity" that they'd like to project. Digital natives are used to seeing lots of stuff about themselves and their friends online. The older generation isn't. So, rather than a technology clash, this strikes me more as a classic generational clash. The older generation warns the younger generation about putting too much of themselves out there, because, well, they never did, didn't have the opportunity, and no one in their generation did either. Perhaps that's why some people are calling the younger crowd Generation Xhibitionists.

Curiously, every time I've done an image search on my own name (and hey, regular "vanity" searches on your own name are an essential part of privacy hygiene, to know what's out there about yourself), I see a highly-ranked image search result of a guy in a bathing suit...who isn't me. Since I'm a believer in the principle that the best answer to bad speech (or bad content) is to confront it with better content, I figure I might as well post a picture of myself in a bathing suit too. The other guy is younger and better-looking, but hey, at least this is me. And to all those people who say I'm never willing to share anything personal online, well, call me Gen X.

10 paths and they're all hard

2010-09-05T16:40:00.001+01:00

We spent a couple days on mountain bikes in Switzerland recently. We got lost a lot. We didn't use GPS or geo-location-apps. We didn't really know where we were going, but we sort of had faith in our legs and our bicycles that we'd somehow get up and back down.

It was good to get out on a mountain. It clears my head. I was trying to think of the big privacy challenges this year.

And like choosing a mountain path that you don't know, these privacy challenges may turn out to be easy, or they may turn out to be the hardest ride of your life.

Here's my list of this year's cliff-hangers. And like any good cliff-hanger, I'll be back to comment on all of them in the months ahead.

1. Location: who should know where you are and where you've been and how can you control it?

2. Face recognition: how to enable useful apps without creating a mass surveillance device?

3. Data minimization: can we (or should we) restrict some data collection in the age of data ubiquity?

4. Notice and consent in machine to machine processing: e.g., how can a user meaningful exercise control and consent when apps instantly share data?

5. Communicating with end users: everyone agrees privacy policies aren't human-friendly, but does anyone have a better idea?

6. Social graph: what can algorithms know or deduce from your public social graph and what can you do about it?

7. Online mapping: what's private in a public place?

8. Droit a l'Oubli: can a line be drawn between "forgetfulness" and censorship?

9. Conflicts of laws: how can sites on the global web comply with conflicting rules from country to country, and is the global web balkanizing?

10. Anonymization: in the age of data mining, what is "anonymous", or is everything somewhere on a spectrum to identifiability, and what does that mean for privacy practices?

Policy Frameworks for Protecting Privacy in the Cloud

2010-07-31T15:27:00.003+01:00

I had the privilege of sharing a podium in Dublin last week at the Institute of International and European Affairs with the Irish Data Protection Commissioner. We were invited to discuss policy frameworks for protecting privacy in the Cloud. The talks are posted here at the IIEA's site:

http://www.iiea.com/events/fleischer-hawkes-regulating-for-the-cloud

Berlin, and its ghosts

2010-06-21T18:23:00.001+01:00

I'm back from another few days in Berlin. As usual, I met some political leaders to talk about privacy. I also took a personal side trip to visit the villa where the Wannsee Conference took place in 1942 (the infamous "final solution" conference). The German privacy debate, which I think is the most intense in the world, simply makes no sense to my ears without the backdrop of Germany's two totalitarian traumas in living memory. Privacy is always a cultural concept, and it varies from country to country, based on history and self-perception. Hardly any country, thank heaven, has Germany's history.

Even so, it was a bit of a surprise when I heard a political leader tell me clearly: "in Germany, we want innovation, but we want you to ask for permission first". Innovation and permission. In fact, I wonder if they're oxymoron. I think of innovation as serendipitous, almost the opposite of bureaucratic/political process. But in a nutshell, there it was. I sensed the frustration of politicians and regulators who want (or feel the responsibility) to regulate the profoundly disruptive phenomenon of Internet innovation, but feel dis-empowered to do so. It's hard indeed to control a phenomenon like innovation on the Internet, especially if it happens outside your borders. You can't grab the Internet by the ears and shake it, but you can grab one guy, or one company, and shake them as hard.

Innovation requires you to take risks, to try new things, to accept failure, to iterate and to move on. They all depend on a culture that accepts novelty and failures as a necessary learning step on the way to success. "Launch and iterate" has become the innovation model for the Internet. Some people and countries are more comfortable with that than others, perhaps for very valid historical and cultural reasons. As one Berliner told me: "of course Americans think differently about privacy...so would we if we had had two centuries of stable democracy."

At the Wannsee Conference villa, the Nazi officials spent a lot of time discussing how to deal with "mixed race people", categorizing each permutation of people like me with one Jewish grand-parent into a box. I saw the memo that clarified how I would have been classified as a "second-degree mongrel", with a full catalog of the legal "rights" to which I was entitled. I think of my dad, "a first-degree mongrel", who amazingly lived in Berlin throughout those years. I have lots of pictures of him as a little boy, in the early 1930's, heading off for his first day in school, petting a tiger cub in the Berlin zoo, with his dog. But then nothing, not a single picture, no record at all, for the next decade.

There's a lot of debate about the potential evils that the Internet might enable in the future, as vast amounts of data are retained and publicly available. Those issues are serious, indeed, and I can't get my head around them. Many of the people who argue most passionately about the need for a "right to be forgotten" on the Internet are thinking about these potential evils. But at the same time, so much information also has a disinfectant quality for people who believe in free speech and transparency. There are no records that I can find of that missing decade of my dad's life. In many ways, I'm more a supporter of a "right not to be forgotten" than the opposite.

I doubt the horrors of Wannsee would have been possible in the age of the Internet. Imagine Anne Frank writing a daily blog. Or the Wannsee Conference proceedings leaked onto YouTube. Or maybe I have it all wrong, and the future will cook up evils using the same technologies that seem so benign to me now. I walk around Berlin shaking my head in incredulity, no matter how often I've been. I can understand the intense urge there to forget. Surely, that influences the concept of "privacy" too.

Which privacy laws should apply on the global Internet?

2010-05-07T09:48:00.000+01:00

Given the nature of the Internet, all web services are inherently global. All companies doing business on the Internet rely on the collection, storage and analysis of information generated by users, and all of them are confronted by the lack of consistency in the applicability and content of privacy laws across jurisdictions. So, I’ve struggled with the following three questions:

What are the current rules establishing the application of privacy laws around the world?

Do the current rules work?

How could we create clearer rules, to provide greater consistency and certainty?

There are three different jurisdictional approaches to determine the applicability of privacy and data protection laws around the world.

1.1 Location of the organization using the data

This is the principle under Article 4(1)(a) of the EU Data Protection Directive, which looks at the place of origin of the organization that makes decisions about the uses of the data and determines the applicability of the law on that basis. This approach is also used in Canada, where the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) controls the collection, use and disclosure of personal information in the course of the commercial activities of organizations that are federal works, undertakings or businesses.

In both cases, the law applies to an organization established in that particular jurisdiction irrespective of where in the world the actual processing takes place. In the EU where the organization is established in several EU countries, the organization must take the necessary measures to ensure that each of these establishments complies with local law obligations. Under PIPEDA, Canadian entities transferring data outside the country must have provisions in place to ensure a comparable level of protection to that granted by the law.

1.2 Location of the people whose data is being used

This is typically the USA approach under the Federal Children’s Online Privacy Protection Act (“COPPA”) and the data breach notification laws enacted by the majority of individual states. For example, COPPA will apply to operators of websites directed at children within the USA, while a serious data breach affecting a Californian resident must be notified to that person irrespective of who is responsible for the data or where the data breach occurred. This is also the approach in the laws of other jurisdictions like Australia and New Zealand where certain provisions apply in respect of Australian citizens and New Zealand residents respectively.

1.3 Place where the actual processing happens

The EU Data Protection Directive relies on this approach in Article 4(1)(c) to claim jurisdiction on the basis of the use of equipment situated in the EU where the organization is not located in the EU. Many other jurisdictions around the world follow this approach, like Argentina (i.e. law applies to any processing in the national territory), Israel (i.e. law applies to acts that occur in Israel) and even new laws like South Africa’s Protection of Personal Information Act which follows the EU Article 4 model (i.e. law applies both to when a party is domiciled in South Africa and when not domiciled but using means situated in South Africa).

As a result of the different approaches mentioned above (which are often combined - as in the EU), organizations using the Internet, multinational organizations and those engaging global service providers find themselves caught by the laws of many different jurisdictions. Examples of the practical problems caused by this include the following:

2.1 Multinational operations

Multinationals with established operations in many parts of the world face different rules affecting each subsidiary or affiliate. Since there is no international consistency determining the content and obligations under data protection and privacy laws, to be compliant a multinational must review the specific obligations under local law in each case. This is even the case within the EU despite the fact that EU data protection law at a local level emanates from the same source – the EU Data Protection Directive. The result is that a global company seeking to develop a consistent approach across all of its operations is required to create a tailored solution for specific jurisdictions according to the quirks of local law. This is not simple for companies operating standardized global web services.

Internet businesses which transact with individuals who are based in jurisdictions that claim jurisdiction when their citizens’ or residents’ data is being used, will find themselves subject to laws that bear no connection with the place of establishment of that business. For instance, an EU based internet business should be alert to any customers who are Californian residents since Californian data breach laws apply to an organization wherever it is located. Internet businesses must therefore anticipate the application of laws with which they have no real connection. Alternatively an Internet business might consider putting in place a defensive measure to ensure that it does not transact with individuals from those jurisdictions to protect itself from the application of foreign laws, but that approach violates the spirit of the open global Internet.

2.2 Use of equipment

Relying on the use of equipment in a particular jurisdiction (perhaps including the computers of end users) to determine the application of the law could mean that the laws of every single EU Member State will apply to every website operator in the world that uses cookies to gather browsing-related information. This result is due to the interpretation of the scope of ‘equipment’ under EU law and the view of EU regulators that website operators that place cookies on a user’s computer based in the EU without the control of the user, make use of equipment in a way that is caught by EU law. This shows that relying on ‘equipment’ to establish jurisdiction is unworkable.

2.3 Cloud computing: where the processing happens

Cloud computing is directly affected because the dynamic nature of this practice is at odds with the approach based on where the actual processing happens. Part of its agile functionality enables cloud computing to switch between processing data in one location to another location in order that customers are provided with an efficient, affordable and consistent service. Where the processing of data switches according to this technology this could have a knock on effect of changing which law applies to the processing thus introducing uncertainty.

2.4 Cloud computing: where the equipment is located

Another problem for cloud computing is that if the servers of the service provider are based in Europe, any overseas customer could be subject to EU law. Due to the structure of cloud computing technology and the network of servers that are used to deal with demand, a customer based outside the EU may find their data being stored on an EU server. Consequently, under EU rules the equipment (i.e. the server) is located in the EU and EU law applies even though the customer has no other connection with the EU.

Current models for determining the application of privacy law present complicated problems and unintended consequences which are unsuitable to deal with the changing pace of technology and the realities of global business. It is vital that more appropriate and flexible ways are found to address the practical problems created by the different jurisdictional approaches. Alternative approaches could include:

3.1 International privacy standards

The most obvious way of resolving the conflicts created by the different regulatory regimes would be to have just one global privacy regime. The initiative led by the AEPD and approved in Madrid during the International Privacy Commissioners’ Conference is a step in that direction. The initiative recognises that the current approaches in reality provide less protection for individuals and more complexity for businesses.

3.2 Treaty dealing with conflicts of law

As with other areas like contractual disputes, there could be an international treaty setting out which law would apply in the event of a potential conflict. Establishing such a treaty would help to provide certainty for businesses and individuals when situations of conflict arise.

3.3 Country of origin and accountability principle

A key rule to be established by an international treaty would be to apply the law of the country where the main operations reside (e.g. place of establishment of parent company, HQ, etc.) and make the provisions of that law follow the use of the data globally. Following a country of origin principle would bring data protection rules into line with the underlying principle governing e-commerce in the EU. Furthermore it would allow businesses to develop a coherent and consistent global compliance framework to deal with customers on the same terms wherever a customer is located. Adopting a consistent approach would also encourage greater accountability as the business would adopt one defined standard.

3.4 Voluntary submission to one regime

Governments and/or regulators could agree to allow organizations to choose one lead jurisdiction (based on objective, pre-established criteria). In the context of the EU, this is certainly viable as demonstrated by the "lead regulator" concept used in the area of Binding Corporate Rules applications. By submitting to one lead regime or jurisdiction, the organization would then abide by the rules of that regime enabling the business to be certain which law applies to its operations.

Transparency: now for government requests too

2010-04-22T08:51:00.002+01:00

This is my personal blog, and I try hard to keep my Google work-life out of it. I try to resist the temptation to turn this into a running daily diary of privacy at Google, since that would be a different blog. But sometimes, Google launches something that is so important in privacy terms that I can't resist some personal comments.

The most recent launch answers a basic question: how many requests does Google get from governments for user data? Take a look at the map and the country-by-country data.

This is an important step on the road to transparency. Users should be able to see their own data. And they should be able to get maximum information too about who else can see their data, including, perhaps more important than anyone else, governments. I haven't seen any other company provide this level of transparency. Hopefully some others will be inspired to do this too.

The data deluge

2010-04-21T12:55:00.001+01:00

One of the most provocative things a privacy geek can say is "data minimization is dying". Data minimization has been one of the foundations of traditional privacy-think. The idea is basic and appealing: privacy is better protected when less data is collected, when less data is shared, when data is kept for shorter periods of time. This explains the endless debates in privacy circles about how many months computer or phone logs or passenger-name records should be retained, as though a numbers game about retention was the key issue in privacy. It isn't, but a debate over numbers is simple and appealing, and can be relayed by the press in a simple manner.

But whether you like it or not, we're entering an age of data ubiquity. Clearly, technology trends are making this possible, computing power, storage capacity, Internet transmissions have all allowed this to happen. And like all trends in technology, it will have good and bad applications: the same ease of transmission of data that enables billions of people to access information from around the globe makes it easy to transmit malicious viruses as well.

Statistics about the scale of the data deluge are indeed sobering, even if they reflect scales that human brains can't really understand. There are over a trillion web pages now, growing by billions per day. I read that there are now over 40 billion photos on Facebook alone. YouTube users upload over 24 hours of video every minute. The Economist reported that the total amount of data in the world is growing by 60% per year. No matter where you turn on the web, the scale of data growth is stunning. Even if you find concrete steps to advance data minimization, you're just taking a few drops out of the ocean of the data deluge.

There's no doubt that the Information Age is doing a lot of great stuff with this data deluge. It's also true that this data deluge is posing unprecedented challenges to privacy. I've struggled with this conundrum for many years. I don't think there's a better solution than trying to create maximum transparency and putting control over data back into people's hands, as best as possible. Trying to stop the data deluge is either Sisyphean or chimerical. But trying to decide on behalf of people also undermines the fundamental dignity and choice that each individual should be able to exercize over his/her own data. Of course, not all people can or will exercize responsible control over their own data. But putting transparency and control into users' hands is much like democracy. It fundamentally empowers the individual to make choices and trade-offs about data: making choices between data benefits and privacy. It's not perfect, of course, but it's still better than putting someone else (like governments or companies) in charge of those decisions. I think companies, governments and privacy professionals should define success foremost by whether we contribute to putting people in charge of their own data. As Churchill said: It has been said that democracy is the worst form of government except all the others that have been tried.

To tweet or to delete?

2010-04-15T09:43:00.003+01:00

How would you resolve the conflict between the cultural imperative to archive human knowledge and the privacy imperative to delete some of it? To put this in perspective, compare the approaches of the US Library of Congress and the French Senate.

As reported by The New York Times, the "the Library of Congress, the 210-year-old guardian of knowledge and cultural history, ...will archive the collected works of Twitter, the blogging service, whose users currently send a daily flood of 55 million messages, all that contain 140 or fewer characters."

Meanwhile, the French Senate is moving in the opposite direction, as it explores a law to legislate "the right to be forgotten". The French Senate has been considering a proposed law which would amend the current data protection legislation to include, among other things, a broader right for individuals to insist on deletion of their personal information. The proposed law in France would require organisations to delete personal information after a specified length of time or when requested by the individual concerned.

To take another example, this time from Germany. A court there was recently asked to consider a legal action by two convicted murderers (now released from prison) seeking to force Wikipedia to remove their names from an article documenting their criminal past. While the case is ongoing (as far as I know), the German language version of Wikipedia has agreed to remove the names from the article in question. The two men are now seeking to force the Wikipedia Foundation to delete their names from the English language version as well.

Well, I think we'll be blogging and tweeting about this dilemma for some time, knowing that our tweets will be archived. I testified to French Senators recently that I could never support a privacy "right to be forgotten" that amounted to censorship. I wonder if they tweet in the French Senate, and if they know their tweets are being archived in the US Library of Congress?

Which photos reveal "sensitive" personal data?

2010-04-15T08:25:00.002+01:00

There are hundreds of billions of photos and videos online now. As a matter of common sense and common courtesy, users should not upload pictures or videos of other people to hosting platforms without their consent. Moreover, users should take particular care when uploading photos which might reveal "sensitive" personal data?

Privacy laws provide lots of extra legal protections to "sensitive" personal data. Trying to define what is "sensitive" is no easy task. The EU Data Protection Directive uses this definition: "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life."

But what is "sensitive personal data" in the context of photos or videos? In one extreme logical sense, any photo of a person reveals "racial or ethnic origin". A picture of my face reveals that I am a middle-aged Caucasian male of European descent, revealing my racial or ethnic origin, as well as the fact that I usually wear glasses, indicative of the health issue of myopia. Does that mean that every photo or video of a person should be treated according to the legal standards of "sensitive personal data"? Most people would assume that is neither possible nor desirable, since it could require the explicit consent of data subjects (in writing, in some countries, and subject to prior approval by the DPA, in other countries) before their photos could be uploaded to the web. Clearly, this is not the way that the web works today, and indeed it would be completely unworkable.

I've discussed this issue with many people, in particular in the context of photos taken on public streets. Some privacy regulators have shared their (rather extreme) opinion with me that a photo or video of someone sitting in a wheel chair, or even someone walking in the vicinity of a hospital, should be treated as "sensitive", since it might reveal "health" status. Similarly, a photograph of a person appearing on a street near a mosque should be treated as "sensitive" since it might reveal "religious beliefs". But it's hard for me to imagine a crude solution like drawing a no-photograph zone around mosques and hospitals. It also seems wrong to me to apply the legal standard of "sensitive" personal data to situations which merely increase the likelihood of associations. So, many people take a more nuanced approach. A photo or video often lacks the context to make it meaningful: a photograph of myself in front of a cathedral doesn't automatically mean that I'm Catholic, and isn't necessarily revealing "sensitive" personal data. A photograph of people praying there maybe does. But does the fact that such photos are taken in a public place, and are widely considered banal, change the analysis of whether they should fit into the more restrictive categories of "sensitive" personal data?

All in all, it's very hard to know where to draw the lines. Hopefully, people who take photos and videos will be respectful of the very serious issues that the legal concept of "sensitive" personal data" is meant to protect. But the lines separating "sensitive" from "normal" personal data will usually be fuzzy and contextual. Think of the simple example of a photo of two people holding hands. Is this indicative of their sexual orientation, and hence, "sensitive" personal data, or really, just two people holding hands? I suppose it depends on the context. This is not something that photo or video hosting platforms or software filters are able to know. Ultimately, this is all about protecting people's human dignity, and that fundamentally, is a human judgment.

Privacy Audits

2010-03-18T15:23:00.001+01:00

In theory, privacy audits are a sensible and useful thing. Regardless of whether they're conducted internally or externally, they can provide insights into data handling systems, identify shortcomings, and help prioritize resources. They can provide external, independent validation of compliance with privacy laws and contractual commitments. And they can be a useful source of transparency. Sometimes, they're even mandated by privacy law, e.g., in some controller-processor outsourcing arrangements under EU data protection rules. Considering how many good reasons there are to conduct privacy audits, it's a bit of a mystery to me why there isn't more of an industry to provide them. Indeed, if you were looking to hire external experts to conduct privacy audits, and if you asked me for a recommendation, well, I'd be kind of stuck to give you a name. I've asked a bunch of my peers at other companies too, and privately, they're stumped too.

Lots of people purport to be able do privacy audits. Law firms, accounting firms, consulting firms are all ready to sell this service, at sometimes astronomical costs, but in practice, if you ask around amongst people who have tried to hire them, you often hear people complain about high-priced pay-as-you-learn tutorials for junior professionals. There are also a few "low-cost" versions floating around, but they are often rudimentary checklists (e.g., "do you have a written privacy policy in place? yes, check!") etc. There must be more room for the happy middle ground between the super-high-cost customized audit and the self-audit checklist models.

So, here's a business idea. Why don't some enterprising people work to establish a privacy auditing business, combining some deep technical understanding with process rigor, offer the service at a competitive cost, and help fill a vacuum? Almost everyone in the profession whom I know agrees that privacy audits are, in theory, a useful tool for privacy hygiene, but in practice, it's hard to find the right level of professional service.

There seems to be a clear market failing here. Over time, surely, the idea of privacy audits will become more integrated into good privacy practice. Whoever can figure out how to provide this service will be contributing to the privacy profession and probably end up making a lot of money. Good luck!

A new chance to get the Working Party to work better?

2010-03-10T10:31:00.002+01:00

I'm delighted to see a new Chairman, Jacob Kohnstamm, assume the helm at the Working Party, which is the group of all of Europe's national Data Protection Authorities, created to try to achieve common approaches to privacy across Europe. Mr. Kohnstamm is a privacy leader whom I've known for years, and whom I greatly admire, even when we find ourselves on the opposite sides of the debate. I'm confident he'll provide new leadership and relevance at the Working Party. I also think it's healthy for European institutions to break away from alternating franco-german leadership, which has so dominated the Working Party over many years.

As a privacy professional, people sometimes ask me why I take the Working Party seriously, and why I would want to see it play a greater role in privacy matters in Europe? The answer is simple: with all its institutional flaws, any body that contributes to a more harmonized data protection across Europe is better than the alternative, with 27 different approaches and inconsistent cacophony. Since the Working Party is the best instrument we've got in Europe to try to do things in a coherent way, I think it's worth taking a moment to make suggestions about how it could work better. My comments are strictly focused on only one aspect of its role, namely, the extent to which it interacts with the private sector in a semi-regulatory context. My critiques are offered in a spirit of constructive feedback.

So, what are the key issues that deserve attention to make the Working Party work better in the future?

Public Transparency: the Working Party operates behind closed doors. It rarely involves outsiders in its deliberations. It almost never publishes draft opinions for external review, and rarely (if ever) opens its meetings to the public. As far as I know, it never publishes the range of consenting/dissenting views with its opinions, and it publishes little more than a summary agenda and adopted Opinions. I strongly believe that transparent government is good government, and the Working Party is simply not transparent today.

Accountability and Review: the Working Party's opinions are not "binding" and therefore have never, to my knowledge, been subject to judicial review. Sometimes Working Party opinions make sense, sometimes not. Sometimes they're insightful, sometimes they're gibberish. External, objective, academic, technical, maybe even judicial review, is much needed.

Technical expertise: The Working Party has many times embarked on issues which turn on Internet technical architecture. There is not enough technical expertise at the Working Party level, which is unsurprising, considering that the members generally come from political or administrative backgrounds. But to have well-informed discussion about Internet regulation, a foundation of technical knowledge must be in place, or must be provided from the outside.

Confidentiality: To deal with confidential business matters in a semi-regulatory context, any regulatory body needs to be able to respect business secrets submitted to it. Maintaining confidentiality has not been a strong point of the Working Party, given that its documents are routinely distributed amongst 27 countries. But leaks damage the ability of the Working Party to be effective.

Speed: In tech circles, things move fast. This is an innovation business, after all. But a discussion with the Working Party can often take years, with rather stilted exchanges of letters, each exchange punctuated by multi-month pauses. Surely, there must be a faster, less formalistic, way to collaborate.

All in all, these critiques are meant to be constructive. I think privacy would be well-served by a more realistic and collaborative dialogue between the Working Party and industry. The old Working Party made some progress, but there's room for more. I'm hopeful about the future.

Billions of photos online, Billions of privacy offenders?

2010-03-05T17:34:00.004+01:00

With the proliferation of Internet platforms for user-generated content, people are increasingly seeing examples where one person's right to freedom of expression may infringe someone else's right to privacy, and vice-versa. If I upload my holiday pictures to the Internet, taken from a public place, and if they capture you lounging by your pool, does my freedom of expression trump your right to privacy, or the other way around? Whatever you think, there are already billions of such photos online and publicly accessible.

Both freedom of expression and privacy are fundamental human rights. But those rights are not both equally enforced, protected or policed. There are literally thousands of data protection bureaucrats in Europe whose job is to enforce European data protection regulations. As far as I can tell, there is not a single government official in all of Europe whose sole job is to do the same for freedom of expression. Curious, no?

As I go to privacy-centric conferences where people invariably talk about the problems and risks of social networking sites, I'm often the odd guy out who seems to think that they're also precious platforms for freedom of expression. Lots of guys in power lecture about how lives or careers or futures are jeopardized by a single embarrassing photo posted to a platform.

Well, I'm not so sure. I was thinking about what this guy showed when he was young, and he just got elected Senator, so maybe things are changing.

A privacy regulator in Europe told me the other day that he thought it was a data protection violation for anyone to post a photo online if it captured someone's face or property without their consent. I asked him whether he thought this restricted the right to freedom of expression. He didn't seem to understand the question.

Grazie! for your support

2010-03-02T17:58:00.003+01:00

I'm thinking about Italy a lot these days. Many of you have expressed your support, and I'm gratified by your concern and your solidarity.

I see this case has prompted an important debate and passionate expressions of support for the principles of freedom of expression that I have always felt are at stake in this prosecution. We'll get the Judge's written opinion within 90 days of last week's verdict, so probably around mid-May. Until then it's hard to speculate about his precise legal reasoning, even if the implications of this conviction are already being widely discussed in terms of the potential liability of employees working for internet platforms that host user-generated content. As for me, I'm not really at liberty to comment much publicly, because, anything I say about it can (and has!) been used against me.

Many thanks to you, my many friends in the privacy community who have reached out to me. Grazie!

Today's astonishing verdict in Milan

2010-02-24T16:23:00.000+01:00

Google has already reacted to today's astonishing verdict in Milan. I'd like to add a few personal words.

I will vigorously appeal today's verdict in Milan. The judge has decided I am criminally responsible for the actions of some Italian teenagers who uploaded a reprehensible video to Google Video. I knew nothing about the video until after it was removed by Google in compliance with European and Italian law. I was very saddened by the plight of the boy in the video, not least as I have devoted my professional life to preserving and protecting personal privacy rights. Despite this a public prosecutor in Milan has spent 3 years investigating, indicting and successfully prosecuting me and 2 other Google colleagues.

This ruling also sets a very dangerous precedent. If company employees like me can be held criminally liable for any video on a hosting platform, when they had absolutely nothing to do with the video in question, then our liability is unlimited. The decision today therefore raises broader questions like the continued operation of many Internet platforms that are the essential foundations of freedom of expression in the digital age. I recognize that I am just a pawn in a larger battle of forces, but I remain confident that today’s ruling will be over-turned on appeal.

Austrian insights

2010-02-22T18:39:00.002+01:00

I've been thinking about the conundrum of trying to fit all of the words data into two random black-and-white categories: "personal" data or "non-personal" data, or personally-identifiable information and non-PII if you prefer. The reason we're all trying to do this is because most of the world's legal regimes create these two categories, and only these two categories, even if it's obvious that many things sit uncomfortably in the gray zone between them. The big privacy debates generally turn on these gray-zone categories, which identify some things about an individual (e.g., speaks Spanish), but don't identify an actual human being. Think of the privacy debates around IP addresses, cookies, RFIDs etc, and you see that the debates can't be settled using only these two categories.

I think the way forward is the creation of a third-category, something we could call "indirectly identifiable data". Interestingly, Austrian law has already done that. Here are some insights into the Austrian law, the Austrian Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000). Under Austrian Law, data is ‘only indirectly personal’ for a controller, a processor or recipient of a transmission when ‘the Data relate to the subject in such a manner that the controller, processor or recipient of a transmission cannot establish the identity of the data subject by legal means." In other words, the identity of the individual can be retraced but not by legal means.

When introducing the concept of indirectly personal data, the Austrian legislators referred on the face of the bill before Parliament to Article 2 (a) of the Directive and, in particular, to the phrase ‘…an identifiable person is one who can be identified, directly or indirectly…’. This suggests that a deliberate decision was made to distinguish between persons who can be identified directly (and for which the full force of the Austrian Law applies) and those persons who can only be identified indirectly – hence the concept of indirectly personal data. In the eyes of the legislators, indirectly personal data did not require the full range of protection that directly personal data required. There may additionally have been commercial and practical reasons considered by the legislators why to require organisations to treat indirectly personal data in the same way as directly personal data made no sense.

This is how I've been told Austrian Law treats indirectly personal data below:

*Section*	*Provision*
8 (2)	Use of only indirectly personal data shall not constitute an infringement of the fundamental interest in secrecy that deserves protection under s. 1 (1).
9 (1) (2)	Use of sensitive data does not infringe interests in secrecy deserving protection only and exclusively if data are used only in indirectly personal form.
12 (3)	Transborder data exchange shall not require authorisation if data are transferred or committed that are only indirectly personal to the recipient
17 (2)	There is no requirement to notify the Data Protection Commission where the data application only contains indirectly personal data.
24 (4)	There is no duty to provide information to data subjects when collecting data where such data is not subject to notification under s. 17 i.e. this would include the use of indirectly personal data.
29	The rights granted under s. 26 – 28 cannot be exercised insofar as only indirectly personal data are used. Section 26: right of access Section 27: right of rectification/ erasure Section 28: right to object
46 (1)	For the purpose of scientific or statistical research projects where the goal is not to obtain results in a form relating to specific data subjects, the controller shall have the right to use all data that are only indirectly personal for the controller.
46 (5)	Where the use of data in a form which permits identification of data subjects is legal for purposes of scientific research or statistics, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistic work can be performed with indirectly personal data only

All of this is interesting, because I think privacy law will never adapt to the nuances of the real world if the entire real world has to be fit into only two black and white categories. Finding a legal category to deal with the gray zone is essential to getting privacy laws right, and the Austrian model is one of the most promising I've seen.

An American in Paris

2010-02-12T11:24:00.001+01:00

A year ago, in the early phases of thinking about how or whether to suggest revisions to the European Data Protection Directive, the European Commission created a little "group of experts" to provide ideas. This unpaid group was formed after a public call for applications, and had no mandate other than to produce some ideas. Expert groups are a common process at the Commission. Since I'm very interested in this topic, and since I represent a technical/global/Internet perspective on things, I was happy to apply and even happier to be accepted to join it. But the group was disbanded after only one meeting, as reported here.

As an American who has lived in Paris for many years, I was more than a little startled to see French politicians launch a campaign to get the European Commission to disband this group because it contained..."Americans". Naturally, I thought it was odd to hear this anti-American rhetoric applied to me. It's hard to find an American more Francophile than me. One of the other guys on the experts' group was an American of German origin who has lived in Brussels for many years and is universally recognized as one of the world's great legal experts on European data protection law.

Of course, it was distasteful for me to hear French government officials engaging in conventional French political rhetoric against "Americans", but this was the first time in my professional life that I was the explicit target of it. I don't like xenophobia in any guise, even if it's just public posturing. But I also remind myself that anti-Americanism has long been one of the common threads of European data protection rhetoric, such as the endless posturing of the EU Parliament on SWIFT.

Privately, things are different. Privately, these same French audiences regularly invite me to discussions or hearings on privacy issues. In recent months, I've had separate meetings with committees focusing on modernizing privacy laws in the French Senate, with French politicians, and with the French Data Protection Agency. Privately, there's a very thoughtful debate underway in many French government circles on these important questions, and I'm privileged to be invited to participate in them. Privately, we all understand that the privacy debate has become global, and only global solutions will work in the long run.

Anyway, here are some excellent ideas from the European Privacy Officers Forum about what needs to be modernized in this window of review of increasingly obsolete European privacy laws. Had our "experts' group" not been disbanded, we might have made similar recommendations...

The new rules for cookies in Europe

2010-02-01T16:10:00.002+01:00

Despite some inaccurate press, the revised text of the ePrivacy directive does not require an opt-in for cookies. However, the text of the revised directive may be misunderstood especially if the preamble of the new directive is not transposed into national law. So national governments need to take great care when implementing the new law, in order not to jeopardise the development of the Internet and the information society.

In its Article 5(3), the ePrivacy directive outlines strong safeguards to protect users from unwanted software such as adware, junk, or even viruses and spyware, requiring software vendors to seek their consent.

For cookies, the EU legislation's preamble specifically says that the control settings in a browser are sufficient to comply with the consent requirement. Even for cookies that cannot be controlled by browsers – for example, Silverlight and Flash cookies – the new law also recognises that the settings of specific control panels satisfy the consent requirement.

The directive’s new preamble contributes to legal certainty by clarifying that websites can rely on browser controls and similar applications to define the acceptance of cookies. This was not clear under the current law.

Member States will have 18 months to transpose the new ePrivacy directive into national law (i.e. until April 2011). It's important they take great care so as to avoid misinterpretations that would create new barriers to the EU's internal market, confuse consumers, and ultimately put Europe at a competitive disadvantage.

So now, if a user configures his or her browser to accept only cookies from certain websites, or automatically delete cookies when closing a browser, these settings will be sufficient as expressing the wish of the user. Websites technologically rely on browsers and other applications for cookie management. The current directive had a blind spot in this regard as it did not explicitly recognise cookie control tools as a way to comply with the law. The new directive clarifies this, but it's important that implementation into national laws follows the letter and spirit of this goal.

Photos to the Web

2010-01-22T10:25:00.003+01:00

I'm always amazed how many photos I find on the Web, of friends, family or myself, that none of us knew were there. Because things on the Web, in particular, photos, can last forever, forgetfulness is one of the big new themes in the privacy debate, particularly in Europe. There's lots of discussion about how to re-introduce a human concept of memory/forgetfulness/evanescence into a technical world of computers and websites and the Internet. I'll be joining a conference on this theme next week in Brussels.

I also joined a French government-sponsored conference on this theme recently in Paris. At the conference, much was said about the risks to people to having their photos posted online, without their knowledge or consent. With some sense of irony, I noticed a bunch of photos of me were published from that conference without my knowledge or consent, like the one here, in the online photo album of the Minister, no less,...I don't mind, and I would have happily consented, but it does make an interesting point, and I re-posted it to this blog, but that was my choice. If thoughtful people sitting in a conference about the problems of posting photos online are taking photos of people at the conference and posting them online, all without their knowledge or consent, well, maybe the sociology of online photo-sharing has developed beyond the state of the debate.

Happy 80th Birthday, Dad!

2010-01-18T18:17:00.001+01:00

The "adequacy" regime is inadequate

2010-01-18T10:41:00.002+01:00

There are many people in Europe who would rather eat their “chapeau” than admit that non-European countries like the United States might have adequate privacy protection, based on long-standing cultural or ideological bias. In my opinion, it’s the European “adequacy” regime that has become inadequate in today’s world. It’s near the top of my list of things that need to be modernized in European privacy law. It’s a political/bureaucratic fiction that some countries provide “adequate” data protection, while others don’t, because the decision is based on criteria that have almost nothing to do with the level of data protection on the ground, in the real world. A country can’t be deemed “adequate” if it doesn’t have an EU-style data protection authority. But the idea is ludicrous to me that privacy somehow couldn’t be protected in countries without such an agency, and in fact, the vast majority of countries in the world don’t have such an agency. And whatever labels are applied, the reality, in the age of the Internet, is that data is flowing around the globe. To take one topical example, cyber attacks do not respect borders, and take no note of whether or not a target is based in a country with “adequate” data protection.

So, recently, Israel and the Principality of Andorra have been added to the EU list of “adequate” countries. They join other countries already on the list, including: Argentina, Canada, Guernsey, Jersey, the Isle of Man, and Switzerland. Stop to read that list again, and ask yourself, really, this is the global list of “adequate” countries outside the EU? Really?

In privacy terms, what’s the right way forward for the future? As I’ve said before, follow the Canadian model, and make any company/government that collects personal data responsible and accountable for protecting it, regardless of where it happens to process it. If it can’t protect data adequately in a particular country, it shouldn’t send it there. If a company decides it can adequately protect its data in Japan, but not in Bulgaria, so be it, even if EU law would suggest the contrary. Common sense should prevail for the sake of privacy.

At the beginning of each year, I make a resolution to visit at least two new countries a year. If I’m lucky, I’ll have my wish and get to visit Andorra and Israel this year. They’re both on my adequacy list.

Privacy Officers with a French accent

2010-01-15T09:23:00.002+01:00

Since I’m based in France, I’ve recently been appointed as Google’s “Correspondant” for data protection with the French Data Protection Authority, the CNIL. The profession of privacy officers is generally less developed in Europe than the US, and indeed, the position of “correspondant” was first created in France in 2004. Like many things in France, even this private-sector role is defined and guided by the government, in the long French tradition of dirigisme:

“From now on, local authorities, public services and associations are allowed to appoint a "Correspondant Informatique et Libertés" (CIL). It is a major innovation in the application of the law, as prior pedagogy and advice are emphasized. Indeed, the data controller which appoints a CIL is exempted, in most cases, from the notification process to the CNIL. The CIL has the duty to ascertain that the information system of the organization will expand without harming the rights of the users, clients and employees.”

As a privacy professional, I’m very excited by anything that supports the development of meaningful empowerment and development for the profession. As long as the role of Correspondant avoids the trap of becoming a purely administrative function, I think it could prove to become a serious contribution to the growth of this profession in Europe.

Practice makes perfect

2010-01-11T18:07:00.004+01:00

I recently got away for a few days to play tennis in Florida. I left with a clear conscience, thinking that 2009 was a good year at Google in terms of privacy tools.

Google launched three major industry-leading privacy initiatives that implemented the key privacy principles of transparency and choice -- interest-based advertising, the data liberation front, and Google Dashboard.

It's a great tennis facility, on Key Biscayne, with grass courts, no less. Someone builds and maintains a grass court in that unlikely climate, and it must be a lot of work. And people pay a lot of money to live in "privacy", which usually means living in a place, like Key Biscayne, where they are secluded and protected from other people. So, now that there are online privacy tools, like the ones I just mentioned, I wonder if people will really use them more. I mean, to play tennis, you have to run and serve and swing. To protect your privacy, you should hustle a little too. Someone else can build the grass court, but it's up to you to play.

Watching people walk down the street

2010-01-08T10:08:00.001+01:00

It's just snowed in Paris, and I'm looking out my window, watching the children and the dogs play. Almost everyone walking down avenue Foch seems to be speaking on a cell phone. I doubt many of them are thinking about how their location data is being captured, stored or used.

EU countries began passing the Data Retention laws mandated by a European Directive. That means that massive databases of communications logs will now be collected and stored by communications service providers across Europe for 6 months to 2 years, for police and law enforcement purposes (France, for example, chose 12 months). This is the largest police surveillance database ever mandated in the history of humanity to date. The year ahead will define how all this is going to work in practice: who will be able to access them, for what purposes, under what controls, how should this work in a cross-border context, etc. Will other countries follow Europe down this path? For most people, I imagine, the most sensitive aspect of this is the idea that their physical movements can be tracked by the police over long periods of time.

But the mobile revolution is just starting. Think for a moment about the intersection of mobile and face recognition software. For some years, in small controlled contexts, the police have already been using face recognition software to find individuals in a crowd. Online photo albums already offer some face recognition software in the contexts of particular albums, or in the contexts of social networking sites: take a look at face.com. But reflect on the prospect of face recognition software that could be used from any Internet-connected smart phone that can photograph a face and return instant search results. Google already announced the launch of Goggles without face recognition and acknowledged the privacy concerns in applying similar technologies to identifiable human faces. There's a lot of work to do to think through the privacy design of image recognition software applied to faces. The more I think about it, the more complicated it gets.

The web is going mobile, and as Internet apps go mobile too, location-aware services will explode in 2010 and beyond. That means that location data will be captured and used. Location privacy will become a key new issue in the mainstream in the year ahead. It's been around for years in cell phones, of course, but the issues will grow exponentially in the age of proliferating third-party location aware apps. It's one thing for you to know (or be dimly aware) that your cell phone company knows where you are based on your cell phone's location, it's quite another to have a plethora of third-party apps know that too.

Mobile is where the next generation of tough privacy issues will come, I muse, as I watch people walk down a Paris street that hasn't changed much in a hundred years.

DC: discussing privacy in public

2010-01-06T10:25:00.002+01:00

I spent a few days in Washington DC in December. While I was there, I slipped into a public workshop hosted by the Federal Trade Commission on privacy. The content of the workshop has already been covered: http://blogs.wsj.com/digits/2009/12/07/ftc-takes-on-online-privacy/

Coming from Europe, I found this sort of transparency and public consultation by a privacy regulator novel and refreshing. The FTC regularly holds public workshops, where it invites stakeholders from many different sectors (academia, advocacy, government, private sector) to discuss problems in privacy and potential regulatory responses to them. This is meant to help the FTC staff understand the issues that it will grapple with. Moreover, the FTC often issues its guidelines in draft form, for the sake of public review and comment, before finalizing them, as it has done with its privacy guidelines for online behavioral advertising principles: http://www.ftc.gov/opa/2009/02/behavad.shtm

So, in my mind, I couldn't help but contrast all this with the practices of one of the world's other great bodies of privacy regulators, the EU Working Party. The Working Party has never, to my knowledge, held a public workshop. It has never opened any of its meetings to the public, and indeed, it is very rare that anyone from outside the closed world of Data Protection Authorities to be invited to attend one of its meetings. It publishes almost no information about its agendas, other than a few sentences to describe its annual work program. It never publishes its opinions in draft form for public review and comment before finalizing them. And finally, since it only issues "opinions", rather than enforceable decisions, its work has never, to my knowledge, been subject to judicial review. Seeing the transparency of the Federal Trade Commission's public workshop in action made me appreciate the benefits of transparent and open government.

On the sidewalk in Milan

2009-12-04T10:46:00.003+01:00

I was relaxing with a glass of chianti watching The Bourne Ultimatum on tv. The shadowy authorities use surveillance technologies to try to track down Jason Bourne.

So, I'm no Jason Bourne. Back in January 2008, as I've blogged before, I was surrounded on a sidewalk in Milan in front of the ancient University by 5 Italian policemen. Many confused thoughts went through my head at that moment, as I'm sure you can imagine: fear, confusion, surprise, indignation. But also, a nagging question: how did these policemen know that I would walk down this sidewalk at this moment in a foreign city and how did they recognize me on a crowded city sidewalk?

As anyone who's checked into a hotel in Italy knows, the first thing that Reception asks you for is a passport. This is also true in most European countries. It's for the police. There is zero transparency or choice in this process: no one I've ever met knows where this data goes or how long it's kept or what it's used for. Needless to say, if you're sharing a room with another person, the police will know this too. You do not have the option of checking into your hotel room anonymously.

In my case in Milan, I don't think there was any great use of police surveillance technology. I'm guessing the police were waiting on the sidewalk because there had been some minor press coverage before the privacy conference where I was scheduled to speak. I assume they downloaded a photo of me from the web and knew from the conference program roughly when I'd be arriving. Why five policemen were sent, I have no clue. Were they expecting me to make a run for it, like Jason Bourne?

According to independent reports, Italy leads the world with more wiretaps per capita than any other country. Wiretaps in the age of the cell phone now include location information.

http://www.theregister.co.uk/2007/03/07/wiretap_trends_ss8/

I've always enjoyed the freedom of walking down the streets of foreign cities with the liberating sense of anonymity. I feel a little less free now. I hope technology will find a way to put users in control of their location information. I'm off somewhere else now, but come to think of it, I'd rather you didn't know where.

Remembering and Forgetting in Berlin

2009-12-03T17:19:00.001+01:00

I've spent a few days in Berlin, and I've spoken with many interesting politicians and journalists about privacy. The most interesting case must surely be this one:

Two German Killers Demanding Anonymity Sue Wikipedia’s Parent

http://www.nytimes.com/2009/11/13/us/13wiki.html?_r=1&scp=3&sq=german%20wikipedia%20murder&st=cse

In some countries in Europe, like Germany and France, there are well-established principles about the "right to be forgotten", an awkward translation of the "Droit a l'Oubli." As a privacy-sensitive guy, I'm all for the idea that people ought to be able to walk away from some awkward facts at some point in their lives. But I have never heard anyone be able to tell me how the "right to be forgotten" does not quickly cross the line into censorship. If two German murderers can require German publishers to remove references to their names in articles after they have served their sentence, isn't that censorship? And wouldn't it be even worse if they tried to re-write news archives, which are now rapidly becoming instantly findable online? And in the real world what will be the consequences if German Wikipedia deletes content that English Wikipedia still publishes?

And while I was in Berlin, I visited the Holocaust memorial, as I always do when in Berlin, and I wondered about the "right to be forgotten" in the midst of the memorial to "never forget".

Madrid and Berlin, trying to find workable approaches

2009-11-27T15:49:00.003+01:00

Here’s an interesting article about the day-to-day challenges and contradictions of national laws in the context of the global Internet (ok, it does use some of us Google guys as unhappy examples, but just to make a valid point):

http://www.bloomberg.com/apps/news?pid=20601039&sid=aAv2iLcBnqtI

At the International Data Protection Commissioners' Conference in Madrid, I added my voice to support the development of global privacy standards, as I've done for several years. I can’t think of a better way forward than trying to develop a more global approach to privacy standards internationally. Here's one example (in Spanish):

http://www.expansion.com/2009/11/12/juridico/entrevistas/1258051264.html

I’m off to Berlin now. Germany is one of those places where I feel the need to listen more than talk. I'll blog about what I learn afterwards.

Thanksgiving

2009-11-26T11:17:00.001+01:00

Like most Americans, I woke this morning to one of my favorite days of the year, Thanksgiving. Unlike most Americans, I also woke this morning to news reports of an Italian prosecutor calling for me to be sentenced to one year in prison.

http://www.boston.com/business/technology/articles/2009/11/25/italian_prosecutors_seek_jail_for_google_execs/

But in the spirit of the day, now that I’ve skimmed the news and reassured friends that I’m not going to prison (I hope), I’ll go about my day:

I’ll do some planning for my Dad’s 80^th Birthday Party, do a kick-boxing class at gym, work on an academic privacy paper on the hotly-debated question of whether IP addresses should be considered “personal data” under EU law, give legal advice on some privacy questions, prepare for some meetings in Berlin, and, best of all, I’ll end the day with a candle-light dinner with the person I love in the city I love.

That’s a lot to be thankful for (well, not the Berlin or the Milan parts), but the rest anyway.

European law on hosting platforms

2009-11-25T10:34:00.002+01:00

As you can imagine, I've spent a lot of time researching European law on hosting platforms. International legislation recognizes that hosting platforms like Google Video are neither the creators nor the controllers of content. The European Union's Electronic Commerce Directive, enacted in 2000, sets a clear legal framework for establishing liability for unlawful content on the Internet. It provides a safe harbor for entities acting as intermediaries, drawing a clear line between those who create content, and those who, in their capacity as technological intermediaries, provide the tools to make this content publicly available. By establishing legal certainty and creating a single EU-wide standard, the E-Commerce directive allows the development of open platforms that promote free expression and the free flow of information on an unprecedented scale, and play a crucial role in the development of the new economy in Europe.

How does the E-Commerce prescription work in real life? Say an Internet user uploads a video filled with illegal hate speech, nudity, or violence. When notified of this illegal content, the hosting platform is obliged to take it down. The hosting platform, however, is not obliged to monitor and prevent the upload. The responsible party is the Internet user who posts the content. In this case, Google did exactly what the law requires - it removed the content upon notification, and took the further step of complying with law enforcement requests, helping to bring the wrongdoers to justice.

If Google and companies like it were responsible for every piece of content on the web, the Internet as we know it today – and all of the economic and social benefits it provides – would disappear. Without appropriate protections, no company would be immune: any potentially defamatory text, inappropriate image, bullying message or violent video would have the power to shut down the platform that had unknowingly hosted it. In the offline world, it would be like criminally prosecuting post office employees because someone mailed an inappropriate letter. European law recognizes the importance of providing limitations on the liability of hosting platforms.

The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. This is confirmed in the first Report from the Commission to the European Parliament on the application of Directive 2000/31/EC dated 8 June 2000. See p. 4: "The Directive applies horizontally across all areas of law which touch on the provision of information society services, regardless of whether it is a matter of public, private, or criminal law. Furthermore, it applies equally both to business-to-business (B2B) and business-to-consumer (B2C) e-commerce." And see p. 12: "The limitations on liability provided for by the Directive are established in a horizontal manner, meaning that they cover liability, both civil and criminal, for all types of illegal activities initiated by third parties."

From a public policy perspective, it wouldn't make any sense if it didn't apply to criminal charges. The objective of the directive was to foster a competitive and dynamic knowledge-based economy in the EU. To provide an environment in which its citizens would have access to inexpensive, world-class communications infrastructure and a wide range of services. To create conditions for e-commerce and the internet to flourish. To enhance quality of life, to stimulate innovation and job creation, and to contribute to the free flow of information and freedom of expression. Those are words directly from the Commission. It wouldn't make any sense to apply these protections only to civil matters; doing so would permit criminal claims to eviscerate the very benefits the directive sought to achieve.

Today in Milan

2009-11-25T09:07:00.002+01:00

Today in Milan, the Milan Public Prosecutors’ Office will make their closing arguments why 4 Google employees including me should be held personally criminally liable for content created by four Italian high school students and uploaded to Google Video. I have no idea what the Prosecutors will say in court today, and my lawyers have told me not to set foot in Italy, so I wanted to provide some factual background on this case.

In terms of timeline, the Prosecutors present their case today, November 25. The Google employees' lawyers will present their defense on December 14 and a verdict should be issued on December 23.

The Judge hearing this case is Judge Magi, who recently convicted 23 Americans, mostly CIA agents, as reported by the New York Times:

In a landmark ruling, an Italian judge on Wednesday convicted a base chief for the Central Intelligence Agency and 22 other Americans, almost all C.I.A. operatives, of kidnapping a Muslim cleric from the streets of Milan in 2003.

http://www.nytimes.com/2009/11/05/world/europe/05italy.html

Today’s trial stems from an incident in 2006 when teenagers at a school in Turin filmed and then uploaded a video to Google Video that showed them bullying a disabled schoolmate. Google removed the video promptly after being notified. Even so, last summer, the Public Prosecutor brought the following criminal charges against four Google employees, including myself. All of us face one or two charges:

Charge A: Criminal defamation against the Vivi Down Association, an association that represents individuals with down syndrome

Charge B: Failure to comply with the Italian Privacy Code

It should be obvious, but none of us Google employees had any involvement with the uploaded video. None of us produced, uploaded or reviewed it.

The video, shot by a student in a classroom, depicts a boy being harassed by teenagers, including one who makes reference to the Vividown Association. A teacher was allegedly present during part of the filming. Four youths between the ages of 16 and 17 from the Technical Institute in Turin were involved in the creation and uploading of the video. One of these young men actually filmed the video. The teenagers who created the video uploaded it to Google Video, which at the time was Google’s online video-sharing service. Google Video was a host for user-generated content. The Vividown Association and later the family of the boy who was filmed filed a claim against Google in Milan, which is how Google was initially brought into the case. The family of the boy later withdrew from the case. Google complied with law enforcement requests to help identify the bullies, who were subsequently punished.

The Prosecutor then chose to charge individual Google employees. Today he will present his case.

Ciao, Italia!

2009-11-24T09:05:00.002+01:00

I won't be attending my trial in Milan in person. I'll be represented by outside counsel. I believe that each of my 3 co-defendants has reached the same conclusion. As for me, I'm under clear instructions from my outside counsel not to set foot in Italy, at all. That's a tragedy, since I love Italy. It means I won't be speaking at this privacy conference in Bologna in May, which still seems to be advertising me as a speaker:

http://www.sassuolo2000.it/2009/11/17/bologna-la-privacy-al-tempo-di-facebook-8-incontri-ad-alma-graduate-school/

It also means I won't go hiking with friends in the Dolomites this summer.

Why? Well, Italy has a legal concept which is unknown in Anglo-Saxon countries: namely, that an employee of a company can be held personally criminally liable for the actions or non-actions of the corporation he works for. Moreover, Italy has also criminalized much of its data protection laws, meaning that routine data protection questions can give rise to criminal prosecutions. As everyone in the field of privacy knows, data protection laws are full of sweeping statements that need to be interpreted with judgment and common sense. But imagine the consequences if every data protection decision made by a company can be second-guessed by a public prosecutor with little knowledge of privacy law. Does that mean that a data protection lawyer working for a company is running the risk of personal criminal arrest and indictment and prosecution for routine business practices? Well, I guess you can see why I've been advised not to set foot in Italy. I'm sure such prosecutions will remain rare, and perhaps my current prosecution will the be last of its type. But maybe not. And working for one of the world's most visible Internet companies puts me at more risk than most of my colleagues in the field of data protection, as the current prosecution has shown.

Italy is my favorite country in the world to visit. What a shame.

Ciao, Italia!

On Trial in Italy

2009-11-23T11:23:00.001+01:00

I'm relieved that the Google "privacy" trial in Italy is finally underway. This week, the Milan Public Prosecutor will make his case why four random Google employees should be held personally criminally liable for a video that some high-school kids in Turin made and uploaded to Google Video.

For me, I've lived under this Sword of Damocles for two years now. It began in January 2008 when I was invited to speak at a privacy conference at the University of Milan. I was approaching the University on foot, when I heard someone call my name. I turned around, and saw a guy in plain clothes, who told me to wait a minute, while he spoke into a cell phone, and within seconds, I found myself on the sidewalk surrounded by 5 Italian policemen. I had no idea what was going on. I was scared. I couldn't understand much, but I did understand that they wanted to take my passport, asked me to sign some documents, and wanted to escort me to a judge. I was allowed to put a call into my Italian colleagues at Google, who thankfully were able to rush to the scene and talk to the policemen. I was escorted by the policemen on foot through central Milan, with tourists and locals alike stopping to stare at the scene. My colleagues told the group of policemen that I was supposed to deliver a speech at the privacy conference shortly. After much discussion, it was agreed that I would be allowed to deliver the speech, after providing my passport and signing various documents that were being served on me, and that I would be interrogated by the Public Prosecutor afterwards.

And so, I was allowed to deliver this talk. If I look a little distracted, now you know why. [between us, I had to stop to vomit, but that part has been edited out.]

http://www.youtube.com/watch?v=ZkN12ZR9dvE

This whole Italian prosecution has been an ordeal. I just want it to be over soon. After two years, well, it's finally underway.

Guys in Ties, thinking about children and privacy

2009-11-23T09:28:00.002+01:00

First, thanks to a bunch of you for sending me notes, encouraging me to keep blogging. I will.

I recently joined a group of privacy experts working with a Spanish foundation dedicated to children's issues to think about how to help protect kids' privacy online, in particular in social networking services. We've just had one inaugural meeting, a brainstorming session. It's too early to say which approach the group will take. But for my part, I recommended a crowd-sourcing approach, where we encourage (sponsor?) an open-ended contest to invite people to create videos on YouTube where kids talk to other kids about privacy. I doubt a top-down approach would work, where governments or corporations lecture kids about what they should or should not do online. I think kids will react more to videos by other kids, who talk about sharing with their friends, what happens if they share personal stuff with the wrong people, how to make good choices.

If you have a better idea about how to approach the challenge of sensitizing kids about the privacy risks when they post stuff online, please let me know, and I'll take it to the group.

I've been taking a break

2009-11-22T15:38:00.003+01:00

I've been taking a break from blogging.

In case you wonder why, it's because I was rattled to see an Italian public prosecutor scour my blog and print out copies of it to help him indict and prosecute me and some of my Google colleagues for some "privacy" criminal theory. I'm all for free speech, and love a robust debate of privacy issues, but seeing your own words being combed through by a prosecutor who's looking for evidence to convict you in criminal court is enough to give anyone reason to pause from blogging.

I'll start blogging again soon. At least I know I have one reader.

The Cloud: policy consequences for privacy when data no longer has a clear location

2009-04-16T09:53:00.001+01:00

Cloud Computing has become one of the more influential tech trends of our day. The Cloud is roughly analogous to remote computing, where computing and storage move away from your personal device to servers run by companies. A simple example might be online photo albums, which allow users to move their pictures off personal computers and into a secure and accessible space on the Web. Some Cloud services, like Hotmail, have been around for roughly a decade. And others have appeared since; almost all of Google's services, for example, run in the Cloud. As these services become more widely used, it's important to ask how our privacy laws and regimes should deal with this new phenomenon.

Some privacy laws, such as in the EU Directive, base regulation in part on the location of data. If data is in the Cloud, where exactly is that? Data in the Cloud exists within the physical infrastructure of the Internet, in other words, on the servers of the companies offering these services, as well as on users’ own machines. Cloud services are built on the concept that data held in the Cloud enables users to access and share data from anywhere, anytime and from any Internet-enabled device.

To know the “location” of data in the Cloud, you’d need to understand the architecture of data centers, among other things. Some companies like Google have data centers in multiple locations. A data center is a building that houses many, many, computers-- not too different from the ones you may have in your home. Companies try to pick places that, among other things, have a skilled workforce, reasonable local business regulation and are near low-cost and abundant sources of electricity. They tend not to provide too many specific details about these data centers, for a couple reasons. First, the data center industry is highly competitive and companies try not to disclose too many details that may give competitors a leg up. Second, knowing that users' personal information is stored in these computers, companies take the privacy and security of this data seriously and ensure that these buildings are well secured so that no one could just walk out with a computer holding your credit card information. The geographical location of data centers can be optimized to enhance the speed of a service, e.g., serving European users from a European data center might be faster than having the data cross the Atlantic. Finally, having data centers in different locations allows companies to optimize computing power, automatically shifting work from one location to another, depending on how busy the machines are.

Moreover, cloud applications are architected not to lose users’ data and to respond to queries quickly. Applications therefore usually replicate users’ data in more than one place. No Internet user would be happy if they lost access to all their email or calendar information, for example, just because the power goes out in some data center location. Applications may dynamically load balance their users among different data centers, so that the location of a particular user's data may change over time.
For all these reasons, it’s actually very hard to answer the apparently simple question: “where’s my data?” Indeed, it's becoming problematic that existing EU data protection laws were largely written in an era when data had an easily-identifiable location. For example, EU laws impose restrictions on the transfer of personal data outside the EU to any jurisdiction where there is not "adequate" data protection. In the past, "transfer" was defined as the physical shipment of data, such as sending a computer tape or paper files to an office in a faraway location. However, nowadays almost any activity on the Internet involves a transfer of data outside of the EU. Sending a document to a colleague in New York, for example, can technically be considered a transfer of material outside of the EU. In today's era of connectivity, strict and literal application of these laws would cause more than just a headache for companies and regulators: it would cause the Internet to shut down.

In this Internet age, when data flows around the planet at the click of a mouse, everyone agrees we need to identify a better model of privacy protections. Data doesn't start and stop at national borders when it travels on the Information Super-highway. From a privacy perspective, the important question is not “where is my data?”, but rather “who holds my data, and what are their privacy policies?" For a user, the important thing is to research and understand the data protection policies of the company which holds the data, regardless of its location.

I’ve looked at various laws around the world, and I’m impressed by the far-sighted model adopted in Canada’s privacy laws. I can’t do better than just quote the Office of the Privacy Commissioner:

http://www.privcom.gc.ca/information/guide/2009/gl_dab_090127_e.asp

"European Union member states have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers "adequate" protection for personal information. In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organization-to-organization approach that is not based on the concept of adequacy… [U]nder PIPEDA, organizations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement…

Regardless of where the information is being processed - whether in Canada or in a foreign country - the organization must take all reasonable steps to protect it from unauthorized uses and disclosures while it is in the hands of the third party processor. The organization must be satisfied that the third party has policies and processes in place, including training for its staff and effective security measures, to ensure that the information in its care is properly safeguarded at all times. ... [O]rganizations must in their own best interests, as well as those of their customers, do what they can to protect the information."

Canada’s approach works to preserve privacy protections, and to hold data collectors accountable for privacy protections regardless of the location of data. Canada has blazed a trail that will help guide us in the age of the Cloud.

A picture of your house on the Internet for all to see

2009-03-06T17:49:00.004+01:00

I did a little OpEd in the French paper Liberation on Google's Street View and privacy. Only fair, I guess, to put a picture of my own house on this blog. I confess, I did hesitate a minute before posting it. In any case, I do believe in taking one's own medicine, or eating one's own dogfood, as the case may be.

D’ici une centaine d’années, quelles avancées auront marqué notre époque ? Nos progrès politiques comme la création de l’Union européenne ? Les avancées scientifiques ?
Selon nous, s’il y a un progrès en gestation depuis la fin du XXe siècle qui pourrait marquer le passage de notre génération sur terre, c’est bien celui du partage de la connaissance. Engendrée par Internet, la démocratisation de l’accès à l’information au tournant du millénaire est une révolution dont on se souviendra probablement très longtemps. Dans une tribune parue le 13 février dans Libération, Odile Belinga et Etienne Tête ont émis un certain nombre de critiques concernant Street View, la nouvelle fonctionnalité de Google Maps qui permet de naviguer virtuellement dans les grandes villes françaises. Les deux auteurs affirment que ce service ne respecte pas la vie privée des individus et le comparent à de la vidéosurveillance.
Street View permet quotidiennement à des milliers d’utilisateurs de naviguer à trois cent soixante degrés grâce à des photos prises dans la rue à hauteur d’homme. Les internautes du monde entier peuvent ainsi se déplacer virtuellement, préparer leur prochain voyage à Rome, descendre les Ramblas à Barcelone, explorer leur ville, ou tout simplement repérer l’adresse de leur prochain appartement. C’est aussi un formidable outil pour mettre en valeur le patrimoine d’une ville ou promouvoir l’activité d’un commerçant. Il s’agit ici de contribuer à l’écosystème ouvert et bénéfique permis par Internet. Les nombreux partenaires qui ont choisi de s’associer à ce service (Télérama, Cityvox, l’Office du tourisme et des congrès de Paris…) ne s’y sont pas trompés.
Le service Street View respecte-t-il la vie privée ? La question est tout à fait légitime. Et la réponse est oui. Rappelons tout d’abord une évidence : sur Internet, l’information, comme la concurrence, est toute proche, à un seul clic de souris. Autrement dit, sans l’intérêt et la confiance de l’internaute, un site ne vaut pas grand-chose. Et cette confiance, il s’agit de ne pas la bafouer.
Les photographies affichées dans Street View sont parfaitement licites. Elles ne contiennent que des images de voies publiques et ne dévoilent aucune information qui n’était déjà exposée à la vue des passants. Les arguments selon lesquels un service de cartographie comme le nôtre ne pourrait pas utiliser de telles images au nom du respect de «l’intimité» remettent fondamentalement en cause la notion d’espace public. Ils dénaturent au contraire cette sphère de l’intime à qui la loi accorde, à juste titre, une protection accrue.
Les images de Street View sont les mêmes que celles que pourrait prendre n’importe quel passant dans la rue avec son appareil photo. Des images de ce type, sur les villes du monde entier, sont déjà diffusées dans toutes sortes de formats sur la Toile mondiale. Conscient que ce service rassemblait ces images en un seul endroit, Google a volontairement décidé de prendre des précautions supplémentaires en créant une technologie de floutage automatique des visages et des plaques d’immatriculation, dont la Cnil a d’ailleurs salué la mise en œuvre. Pour aller plus loin, en cas de visage non flouté ou imparfaitement flouté, toute personne peut demander la suppression des images concernées en cliquant sur un simple bouton. Les photos ne sont pas datées (ni heure, ni jour) et ne sont pas des prises de vue en temps réel. Bref, tout sauf des caméras de surveillance !
Soyons curieux, doutons, c’est ce qui a animé nos échanges avec la Cnil avant le lancement de Street View en France. Mais n’ayons pas peur, par principe, du progrès et des avancées technologiques qu’il implique. Prenons l’exemple récent de «Google Flu Trends» : avant d’appeler leurs médecins, beaucoup d’internautes utilisent comme mot-clé «symptômes de la grippe» dans leur moteur de recherche. Cette requête, multipliée par des millions d’individus a permis à Google de développer un outil de prévision des foyers de grippe capable de devancer jusqu’à dix jours celui des autorités sanitaires. En observant simplement les zones géographiques renseignées par les rapports de connexion. Soyons curieux, soyons vigilants, mais n’ayons pas peur d’Internet.
Bien plus que le véhicule de menaces, aussi réelles sur Internet que dans le monde physique, c’est avant tout un outil extraordinaire qui facilite nos vies au quotidien

Lead Data Protection Authority

2009-02-09T08:49:00.006+01:00

Lead Data Protection Authority: how EU data protection regulation can catch up with other areas of European law

Being a global company means having employees, partners and users who interact on a worldwide basis without geographical or jurisdictional limitations. Maximising efficiency is a key driver so most global companies attempt to adopt a consistent way of doing business internationally. Whilst cultural differences may have an impact on some activities, economic globalisation encourages a uniform and coherent approach to most operations, from sales practices to compliance protocols. However, global companies still have to comply with diverse laws across jurisdictions and be accountable to many national regulators. All of these trends become even more pronounced for companies doing business over the Internet.

In the European Union, some industry sectors can benefit from regulatory regimes which are specifically aimed at simplifying the way in which players within those sectors comply with cross-jurisdictional rules. For example, pharmaceutical companies may rely on simplified procedures to have their products evaluated and authorised across the EU. One solution is called the “decentralised procedure”, by which companies can go directly to a national authority to obtain permission to market its products in that member state and then seek to have other member states accept the approval of the first member state. This procedure is applicable in cases where an authorisation for a pharmaceutical product does not yet exist in any member state.

Alternatively, pharmaceutical companies may in some instances rely on the mutual recognition procedure, by which the assessment and marketing authorisation of one member state should be mutually recognised by other concerned countries within the EU. Under the mutual recognition procedure, the pharmaceutical company submits its application to the chosen country, which will carry out the assessment work and approve or reject the application. The other countries then have 90 days to decide whether they approve or reject the decision made by the original country.

Similarly, financial services firms can seek authorisation in one member state and obtain “passport rights” to enable them to carry on financial services in other member states. When a financial services provider wishes to establish a branch or provide services in several EU countries, notification of such intention is submitted to the regulatory authority in the home member state. This notification is then forwarded to the regulator in the member states in which the operator intends to open the branch or provide its services. As a result, a particular product licensed in the home member state becomes automatically recognised in all other member states and may therefore be sold across borders free of undue bureaucratic controls.

Some areas of law – such as e-commerce – also follow the “country of origin” principle. This principle establishes that where an action or service is performed in one country but received in another, the applicable law is the law of the country where the action or service is performed. For example, if a company sells products online across Europe but it is formally established as a limited company under the laws of one member state, that commercial activity will normally be subject to the law of that country.

Data protection regulatory complexities

The jurisdictional rules under the EU data protection directive do not work like that. When a company handles personal information about employees, customers, suppliers and others, it will be subject to the different privacy and data protection regimes in force in each EU jurisdiction. In the European Union, data protection laws will establish a number of very specific requirements and compliance will be overseen by the data protection authorities of each member state. This means that the use of personal information by that company will be regulated in slightly different ways across the EU.

All European directives pursue the same overriding objective: achieving harmonisation across EU member states whilst respecting the national legislative power of each jurisdiction. This is normally achieved by establishing a set of principles that each member state incorporates into its own legislation within the parameters of the directive. When a directive, like the 1995 data protection directive, creates a complex regulatory regime involving an independent regulator, member states devise suitable structures that provide for the establishment and operation of that regulator.

This approach to data protection regulation has caused a number of complexities that diminish the two-fold aim of the directive, namely: protecting the fundamental rights and freedoms of natural persons and facilitating the free flow of personal data between member states. The fact that laws and regulators are different make pan-European compliance more difficult and hence less effective. At the same time, the existence of disjointed regulatory approaches creates inefficiencies, business barriers and unnecessary expense for those companies seeking to comply with all applicable laws and regulations.

The lead authority concept

Whilst legislative harmonisation may not be achieved without radical constitutional changes, the experience of simplified oversight in some industry sectors shows that adopting a lead regulator approach is not only possible but desirable. The most promising step in this direction within the data protection regime is the “lead authority” concept that was created for the purpose of assessing and approving Binding Corporate Rules (“BCR”) applications. In 2005, the Article 29 Working Party adopted a co-ordinated approval mechanism that allows companies seeking the approval of their BCR to fast-track their submissions through all of the relevant EU data protection authorities. This mechanism entails choosing an “entry point” data protection authority which will be the official point of contact with the candidate until the BCR are ready for approval in that country, and then will assist the relevant organisation to gain approval throughout the European Union. More recently, a group of data protection authorities within the Article 29 Working Party launched the BCR mutual recognition procedure, so that approval by one authority will automatically lead to approval of the same BCR by the others.

Whilst for some organisations it may be obvious which data protection authority should act as the lead authority, where it is not clear which authority should become the entry point, the co-ordinated approval mechanism establishes that organisations must consider the following factors to determine the most appropriate data protection authority:

· The location of the corporate group’s European headquarters or office with data protection responsibilities.

· The location of the company which is best placed to lead the BCR application and, if necessary, enforce compliance.

· The place where any key operational decisions in terms of the purposes and means of the data processing are made.

· The EU country from which most international transfers originate.

Extending the concept beyond BCR

Both the co-ordinated approval mechanism for BCR and the mutual recognition procedure are contributing to making BCR a much more credible and attractive option for organisations using personal data on a global basis. The fact that the approval stage itself focuses on meeting one single set of standards and expectations – even when these are high – allows those organisations to concentrate their compliance efforts in a consistent and effective way. In other words, companies can devote their attention to ensuring that they apply the right standards and achieve a workable level of privacy and data protection, rather than to dealing with the diverse expectations of a plethora of similar regulators.

Given that BCR systems include policies and procedures affecting the whole range of data protection obligations and rights, it should also be possible to take the lead authority concept beyond BCR and apply it to data protection compliance generally. The criteria to determine the most appropriate data protection authority for BCR applications could also be used to identify the most suitable authority overall. If the single regulator idea has worked in heavily regulated sectors like health care and banking, it is not inconceivable that the same idea could work very effectively in the area of data protection compliance.

If this were the case, global companies collecting, using and sharing data in the EU could not only benefit from the harmonisation of legal standards but from the simplification of regulatory activities across the EU. The national regulators themselves would be able to operate in a much more focussed way. These efficiency gains would ultimately translate into a greater and more realistic level of protection for individuals. So the case for a lead data protection regulator to oversee the data activities of pan-European organisations is one that the EU data protection authorities themselves, as well as the EU Commission, should be making their own.

Launching another "global" forum to talk about privacy

2009-01-15T15:16:00.003+01:00

There is a new buzz these days in privacy circles: the idea of global standards seems to be gaining momentum. On January 12, privacy commissioners, and a handful of invited academics, advocates and CPO's, met in Barcelona for an inaugural meeting to launch work on a "Joint Proposal for a Draft of International Standards for the Protection of Privacy and Personal Data." http://www.privacyconference2008.org/adopted_resolutions/STRASBOURG2008/resolution_international_standards_en.pdf

There have been several very serious attempts at developing international, or regional, privacy standards. The oldest, and perhaps most successful, was the OECD Privacy Guidelines from 1980. Essentially all privacy laws in the world today derive from the OECD's work. The OECD was so successful, because it maintained the privacy guidelines at a sufficiently high-level that they were not rendered obsolete by technological developments. And the OECD refrained from mixing implementation issues into its guidelines, wisely recognizing that its member countries have very different legal and regulatory regimes.

The EU Data Protection Directive of 1995 is probably the most complete and detailed set of regional privacy laws in the world. Because the Directive was very focused on European Common Market issues, it took great strides to harmonize pan-European regulatory and implementation issues. Since many of these implementation issues, such as the mandatory creation of an "independent" data protection authority, are unique to the European legal and regulatory context, the Directive itself is not suitable for broad global adoption, except in countries with European colonial traditions, like Hong Kong.

APEC continues its work on a Privacy Framework, building on the OECD Privacy Guidelines and adding new and effective concepts of "accountability" and "harm". APEC is the most exciting initiative underway anywhere in the world in terms of new thinking about how to move forward on global privacy standards. Singapore, as this year's revolving host country, will host further meetings to build on the strong progress that's been made in past years.

I attended most of this week's meeting in Barcelona. It's too early to tell if this initiative, sponsored by the Data Protection Commissioners, will have legs in terms of moving forward the debate. The inaugural meeting on January 12 was mostly attended by Europeans. The documents that it cited as reference points were mostly European. The overwhelming majority of participants were European data protection authorities, who naturally are very familiar with the EU Data Protection Directive, and come to the table imbued with the European approach. A sprinkling of North Americans rounded out the participants, which left me thinking that this "global" meeting represented countries with something like 10% of the global population. This particular initiative will sadly fail in the international arena, if it simply turns into an exercise of European commissioners to try to convince the rest of the world to adopt something like the EU Data Protection Directive. They've already been doing that for over a decade, so there's little incremental benefit from continuing down that path.

I think the world needs minimum international privacy standards, as I've blogged many times before. OECD and APEC are also promising forums to advance the debate. In parallel, Europe will continue its reflections on how to modernize its own data protection concepts, and perhaps, streamline some of its rather inefficient bureaucracy. Europe would certainly be more credible as a global leader, if it got its own data protection house more up to date and efficient. [I'll be contributing to that effort in a separate forum.] In the meantime, if I were from a country with no pre-existing tradition of privacy laws, I would be looking to the OECD and APEC for inspiration. In any case, competition is good, even in the sphere of privacy policy thinking.

Lessons from the failure of global financial regulation

2008-10-29T17:38:00.000+01:00

The financial crisis has everyone talking about global financial regulation. Why didn’t regulations work? And how can regulation be reformed to prevent future melt-downs? Who should regulate in a global context? In a sense, these are the same questions I’ve been pondering for years, in the context of global privacy regulation. Like many people in the privacy community, I’ve been calling for better global privacy standards now, so that we’re not faced with a crisis later.

What lessons have we learned from the financial regulatory crisis that are relevant for privacy?

The issues are global. The crisis is global. Financial and data flows are global. Money, in all its diverse forms, flows across borders, making all of finance inter-connected. Global financial flows are now essentially digital data traffic. When it comes to money, and data, countries are not islands, as Iceland has clearly demonstrated. And if there’s anything that flows globally even more quickly than money, it’s data.

You can identify problems before they turn into crises. In retrospect, the problems were pretty obvious, even if people were enjoying the party at the time too much to want to sober up enough to confront them. It’s fashionable to claim that you can only identify a bubble in retrospect. I think that’s nonsense: I knew Florida condos were a bubble when my house painter bought a condo there, on which the annual maintenance fees alone exceeded his annual income, as he proudly told me, but he was unworried, “because real estate prices only go up.” Similarly, in the world of privacy, we already know what the issues are… so, the only real question is whether we need to wait for a crisis to muster the willpower to drive change.

Regulations that are out-of-date are useless. The financial crisis is exposing lots of regulations from other eras that have proven useless. I hardly need to remind readers of the bizarre patchwork of regulations that apply differently, or not at all, to banks, to investment banks, to special financial vehicles, to hedge funds, etc. Similarly, much of the world’s privacy regulations were designed for a pre-Internet world. Having regulations that are out-of-date means that they are either not applied at all, or applied poorly, or simply “re-interpreted” according to the tastes of individual regulators, like the German “regulator” who blithely declared all search engines to be “illegal”, whatever that means. So, having European data protection regulations that require things like “prior authorizations” from “supervisory authorities” before an international transfer of data is quaint (at best), or dangerous (at worst), in the age of the Internet. In fact, I think it’s dangerous to base international data protection rules on obsolete fictions, like the fiction that data flows somehow stop at borders.

Solutions have to be global. Without global solutions, we create the risk of regulatory havens, like tax havens, where actors can engage in regulatory arbitrage, moving from highly-regulated to lightly-or non-regulated spheres, be they countries or industries (e.g., the move from banks to hedge funds). Much of the privacy debate in recent years has been almost exclusively trans-Atlantic. For example, if you read the work of the EU Working Party data protection regulators over the last decade, you would come away with the impression that they are obsessed with privacy issues of US companies and the US government, while almost completely ignoring any privacy issues relating to data flows to or from anywhere else on the planet, such as India, to cite but one example. But surely, even EU data protection authorities in the anti-American ideological camp (perhaps I should use the German word “Anti-Amerikanismus”) will recognize that the US provides much more solid legal protections for personal data than the vast majority of countries on the planet. So, the obsession with the trans-Atlantic data flows issues is actually becoming dangerous, if it blinds us to the global nature of data flows. That’s one reason why I’m so excited about the APEC initiative, a process where many countries with no tradition of privacy laws are coming together to define privacy standards that are up-to-date, multi-national, and forward-looking. APEC is the most positive thing to happen in the world of global privacy standards since the EU Data Protection Directive of 1995.

Enforcement has to be local. While regulations need to be thought of in global terms, enforcement has to be local, to remain anchored in local legal and regulatory traditions. Some have suggested that we should create “super-regulators” with global mandates, like a mini-UN agency. Personally, I think international bodies have a strong role to play in driving forward international standards, but I’ve watched too many international meetings descend into farce to have much hope that they can function as day-to-day regulators. Moreover, different countries cannot have the same regulatory structures, often because of fundamental constitutional reasons. The US simply cannot have an independent Federal Data Protection Authority in the French mode, because the US Constitution wouldn’t allow it. So, calls for global harmonization of regulatory structures are doomed. The French can try to convince French-speaking Ivory Coast of the need to create a French-style data protection authority, and they may succeed, but that’s not a formula for global success. Whether that’s good for the Ivory Coast is another question entirely. The Spanish can try to convince Spanish-speaking Colombia of the need to create a Spanish-style data protection authority, and they may succeed, but they can’t expect a country with a very different constitutional structure, like the US, to follow that lead. There are some people who honestly believe that you can’t have privacy without an EU-style data protection authority…well, hey, they might want to open their eyes wider.

Regulatory experimentation is a good thing. No one really has all the answers. The US experimented with Security Breach Notifications laws, and they generally seem to work, so Europe is adopting them too. Europe experimented with the creation of dedicated privacy Data Protection Authorities, and many countries around the world, from Argentina to New Zealand, have adopted them since. Maintaining some level of regulatory experimentation, even as we move towards global privacy standards, is a healthy foundation for the innovation in privacy frameworks that we need.

There’s no “Mission Accomplished” moment. Moving towards global privacy standards will be a multi-year process, with steps forward, and back, with vigorous debates, with ideology, with pragmatism, with passion. It’s a process, hopefully with progress in a more or less straight line, towards ensuring better privacy protections in our new global reality. Some people will stress the need for a legal framework and legal enforcement powers; others will stress the usefulness of self-regulatory standards. That’s fine, and it reflects traditions: some peoples expect the government to solve most of their problems; others expect the private sector to do most of the work. One thing is certain; we’ll need to carry on this debate virtually, without expensive global summits or conferences, since thanks to the global financial crisis, none of us can afford to travel anymore. Oh well: blogging is great and free.

Why would Germans claim their "privacy" laws prevents them from publishing a list of victims of Nazi terror?

2008-09-19T08:29:00.006+01:00

There was a short report in the BBC today which struck me, my highlights in red :

"The federal archive in Berlin has for the first time compiled a list of some 600,000 Jews who lived in Germany up to 1945 and were persecuted by the Nazis.

The names and addresses, which took four years to compile, will be made available to Holocaust groups to help people uncover the fate of relatives.

Archive officials from the Remembrance, Responsibility and Future Foundation said the list was not yet definitive and would require further work.

It will not be released to the public because of Germany's privacy laws, but will be passed on to museums and institutions, including Israel's national Holocaust memorial, Yad Vashem.

"In handing over this list, we want to make a substantial contribution to documenting the loss that German Jewry suffered through persecution, expulsion and destruction," said Guenter Saathof, the head of foundation."

I'm a privacy legal expert, and it's baffling to me why German "privacy" laws would prevent this list from being published to the Internet. This is a valuable historical document. Putting it on the Internet would allow people around the world to study it. I would like to see if my grandfather is on the list. I could check if his address in Berlin was indeed correct. I think this information belongs to humanity.

Now, of course, I can imagine certain privacy issues. A very very small number of people included in the list may still be alive. Privacy laws are only meant to protect living human beings, after all, not dead people or their reputations after death. Other laws, like libel laws, can apply after death, but privacy laws cannot. So, I would call on the Foundation to publish its work on the Internet. I think it is wrong to cite "privacy" laws as a reason not to make this information public.

Because, after all, whose "privacy" are we protecting now, for a list which includes names and addresses from something like 70 years ago, and most of whom have been dead for over half a century?

This is the sort of nonsense that gives German privacy law a bad name.

Relax: the Faroe Islands have adequate data protection

2008-08-29T14:54:00.000+01:00

Lots of people in Europe are trying to figure out how to reduce bureaucracy and red tape. Let's face it: we Europeans face some of the highest tax burdens in the world, with some of the highest numbers of public servants as a percentage of the general population anywhere on the planet. So, let me pick a little example, to make a point.

In this Internet age, when data flows around the planet at the click of a mouse, everyone agrees we need to be talking about global privacy standards. Data doesn't start and stop at national borders when it travels on the Information Super-highway. So, all the time and effort that has been spent in recent years, trying to segregate the world's countries into "adequate" and "not adequate" regimes in terms of data protection, has become largely obsolete and pointless. Data doesn't stop, take a look around, and wait to find out if the European Commission has categorized a country as having "adequate" data protection. The whole process is becoming a bit tired and irrelevant. Last year, the European privacy regulators adopted an opinion, concluding that Jersey and the Faroe Islands have "adequate" data protection.

http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_11_10_07_en.pdf

Indeed, Jersey and the Faroe Islands. I haven't been to either. I'm sure they're lovely places. I think they do fishing in the Faroe Islands. As for Jersey, I have some sense of the kind of data that goes to places that are known as international tax havens. International tax havens as a rule have "privacy" laws, and it's pretty obvious why. I'm perfectly prepared to accept that these islands have solid data protection laws. But why aren't we talking about more important topics, like Japan, for example, to name a country that is widely viewed as having very strong data protection practices, even if they're different than Europe's?

Let's face it. This process, reviewing a country's data protection regime, to ensure that it exactly mirrors Europe's, before awarding it a bureaucratic seal of approval, is a process that is out-of-date. It doesn't reflect the realities in the world: under current opinions, Argentina, Romania and Bulgaria are "adequate", but Japan is not! Does anyone in the real world believe that personal data is better protected in Argentina, Romania or Bulgaria than in Japan? And if our taxpayer-paid government leaders are spending their time writing opinions about the adequacy of data protection in the Faroe Islands, it's fair to ask whether our taxes are being wisely spent.

Talking to Monsieur Tout-le-Monde

2008-06-16T07:42:00.002+01:00

I think privacy professionals need to get out more. I mean, talk to real people, average consumers, normal Internet users. Most of us privacy officers spend most of our time talking to each other, or to privacy regulators, or to privay advocates, or to company privacy department colleagues. But, at the end of the day, the people whose privacy we're trying to protect are not the specialists. So, I've made a personal resolution to try to spend less time engaging in abstruse academic privacy debates, and more time giving simple privacy advice, for general audiences, with practical tips. Anyway, I'm trying. Here's a radio interview for France Info, which, I'm told, reaches 4 or 5 million people. In French:

http://www.france-info.com/spip.php?article146650&theme=81&sous_theme=109

Talking about privacy

2008-05-18T13:33:00.002+01:00

I think it's really important to contribute to robust public debates about online privacy issues. And I think it's really important to use the YouTube video platform to bring these talks to the widest group of people who might be interested in them. So, here are some of my recent talks: at Harvard, at Google, and at the University of Milan, in that order.

http://youtube.com/watch?v=JNu1OtkWrOY

http://youtube.com/watch?v=2IKBke1puFw

http://youtube.com/watch?v=ZkN12ZR9dvE

Can a website identify a user based on IP address?

2008-02-15T16:49:00.002+01:00

There is a public debate about whether IP addresses should be considered to be “personally-identifiable data” (to use the US phrase) or “personal data” (to use the European phrase. The question is: when can a person be identified by an IP address? This is a question of significant import, since it’s relevant to every single web site on the planet, and indeed to every single packet of data being transferred on the Internet architecture. I’ve blogged about this before, but the debate has evolved:

http://peterfleischer.blogspot.com/2007/02/are-ip-addresses-personal-data.html

Last year, the Article 29 Working Party of EU data protection authorities published an official Opinion on the concept of personal information which included a thorough analysis of what is meant by “identified or identifiable” person. The Opinion pointed out that someone is identifiable if it is possible to distinguish that person from others. The recitals that precede the EU data protection directive explain that to decide which pieces of information qualify as personal information, it is necessary to consider all the means likely reasonably to be used to identify the individual. As the Working Party put it, this means that a mere hypothetical possibility to single out an individual is not enough to consider that person as identifiable. Therefore, if taking into account all the means likely reasonably to be used, that possibility does not exist or is negligible, a person should not be considered as identifiable and the information would not be considered as personal data.

Two recent decisions from the Paris Appeals Court followed this logic. The Court concluded that 'the IP address doesn't allow the identification of the persons who used this computer since only the legitimate authority for investigation (the law enforcement authority) may obtain the user identity from the ISP' (27 April ruling). The Court recognized in the same decision that 'it should also be reminded that each computer connected to the Internet is identified by a unique number called "Internet address" or IP address (internet protocol) that allows to find it among connected computers or to find back the sender of a message'. In its 15 May ruling, the Court considered that 'this series of numbers indeed constitutes by no means an indirectly nominative data of the person in that it only relates to a machine, and not to the individual who is using the computer in order to commit counterfeit.' The Court conclusion was then that this collection of IP addresses does not constitute a processing of personal data, and consequently was not subject to CNIL prior authorization, as required by the French Data Protection Act. The CNIL has protested loudly that these court decisions are incorrect, but the CNIL’s own position of declaring “all” IP addresses to be personal data, regardless of context, seems to be incorrect to me.

Paris Appeal Court decision - Anthony G. vs. SCPP (27.04.2007)http://www.legalis.net/jurisprudence-decision.php3?id_article=1954
Paris Appeal Court decision - Henri S. vs. SCPP (15.05.2007)http://www.legalis.net/jurisprudence-decision.php3?id_article=1955
IP address is a personal data for all the European DPAs (2.08.2007)http://www.cnil.fr/index.php?id=2244

Let’s take Google as an example. Like all websites, Google servers capture the IP addresses of its visitors. If a user is using non-authenticated Google Search (i.e., not using a Google Account to log in), then Google collects the user’s IP Address along with the search query and the date and time of the query. Can Google determine the identity of the person using that IP Address only on the basis of that information? No. The IP Address may locate a single computer or it may locate a computer network using Network Address Translation. Where the IP Address locates a single computer, can Google identify the person using that computer? The answer is still “no”. The IP Address enables to send data to one specific computer, but it does not disclose which actual computer that is, let alone who owns it. In order to get to that granular of a level, it would be necessary for Google to ask the ISP that issued the IP Address for the identity of the person that was using that IP Address. Even then, the ISP can only identify the account holder, not the person who was actually using the computer at any given time.

Also, the ISP is prohibited under US law from giving Google that information, and there are similar legal prohibitions under European laws. Surely, illegal means are not “reasonable” means in the terms of the Directive.

So the reality is that like any other web site on the Internet that logs the IP Address of the computer used to access that site, the chances of Google being able to combine an IP Address with other information held by the ISP that issued that IP Address in order to identify anyone are indeed negligible.

However, let’s hypothesize for now that Google could ask the ISP for that information. Could the ISP give Google the identity of the person? Again, the answer is “hardly.” Why is it so difficult? First, an ISP can only link an IP Address to an account. That means that if there are multiple people, like a family, logging into the same account, only the account holder’s name is associated with the IP Address.

Second, ISP’s are given a finite number of IP Addresses to assign to their subscribers. At this point there are not enough IP Addresses to cover the number of users that wish to access the Internet. So, many ISPs have resorted to the use of dynamic IP Addresses. This means that a user could be assigned a different IP Address as often as every time they access the Internet. In order for the ISP to track the account that is connected to an IP Address, the ISP may require the actual date and time of use.

Finally, almost all big organizations have their own private network that sits behind a firewall. They may use static or dynamic IP addresses, but in either case these are not visible outside the organization. They are using Network Address Translation (NAT). NAT enable multiple hosts on a private network to access the Internet using a single IP Address. NAT is also a standard feature in routers for home and small office Internet connections.

So again, on the balance of probabilities and taking into account any factors identified by the Working Party as relevant, the most obvious conclusion is that the IP Addresses obtained by Google and other websites are not sufficiently significant or revealing to qualify as personal data from the point of view of the EU data protection directive.

Some people have raised the question whether the government/law enforcement can identify an individual user from an IP address from Google’s logs. Google on its own cannot tie any IP to any specific ISP account or any specific computer. We simply know that the IP address locates a computer that is accessing our system. We don’t know who is using that computer. So, in order for someone to tie the IP to an account holder, there have to be at least two subpoenas issued: one to Google and a separate one to the ISP.

Others have suggested that IP addresses should be considered “personal data”, on the mistaken understanding that looking up an IP address in a “whois” directory allows IP addresses to be tied to identifiable human beings. But in reality, if you look up an IP address in a whois directory, you usually get the name of the organization that manages the IP address. So, normally, Google could determine that a user’s queries come from a particular IP address owned by, say, Comcast, but Google has no way of knowing the name or organization of the human being behind the IP address.

A different question altogether is whether identifiability should equate to individualization. As discussed above, identifiability is about the likelihood of an individual being distinguished from others. But for this distinction to merit the protection afforded by privacy laws, it must be necessary to establish a link between the person and their right to privacy. For example, during the course of an online transaction between a retail web site and a customer, that customer’s identity will be protected by data privacy laws that impose obligations on the website operator (like seeking the customer’s consent for ancillary uses of customer information) and give rights to the individual (like allowing the customer to opt out of direct marketing). However, if someone who visits the web site for the first time (therefore prior to any transaction taking place) is presented with a local language version of the web site as a result of the geographical identifier associated to the IP Address used to access the site, there will be an element of individualization that does not involve identifying the person. In other words, unless and until that user becomes a registered customer, the web site operator will not be able to identify that individual. But the language appearing on the pages accessed by anyone using that IP Address may be different from the language presented to those using an IP Address associated with a different geographic location.

Should privacy laws apply in this situation? There is an obvious danger in trying to apply privacy laws as we understand them today in terms of notice, choice, access rights or data transfer limitations, to these types of cases. For example, there is no way that websites can provide consumers with a so-called right of access to IP-address-based logs, since such databases provide no way of authenticating a user. Individualization of Internet users is a logical and beneficial result of the way in which Internet technology works and sometimes it is also indispensable in order to comply with legal obligations such as presenting or blocking certain information in certain territories. Attempting to impose privacy requirements to situations that do not affect someone’s right to privacy will not only hamper technological development, but will entirely contradict the common sense principles on which privacy laws were founded. Privacy laws should be about protecting identifiable individuals and their information, not about undermining individualization. No doubt some people think that the cause of privacy is advanced, if data protection is extended to ever-broader categories of numerical locators like IP addresses. But let’s think hard about when these numbers can identify someone, and when they can’t. Black and white slogans are usually wrong. The real world is more complicated than that.

Transparency, Google and Privacy

2007-12-05T16:31:00.000+01:00

A group called One World Trust sent a survey to Google. A lot of people ask us to fill out surveys. I’m not sure who at Google they sent it to. In fairness, until yesterday, I had never heard of One World Trust, and it’s possible that whoever received it hadn’t either. Since we didn’t respond to their request for a survey, though, Google was ranked bottom in terms of transparency, in particular with regards to privacy. And Robert Lloyd, the report’s lead author, went so far as to say Google “did not co-operate (with the report) and on some policy issues, such as transparency towards customers, they have no publicly available information at all.” All this according to the FT http://us.ft.com/ftgateway/superpage.ft?news_id=fto120420070313216545.

But filling out surveys is not how a company proves transparency to its customers. It does so by making information public. We’ve gone to extraordinary lengths to publish information for our users about our privacy practices. In many respects, I feel we lead the industry. Here are just a few examples:

We were the first search company to start anonymising our search records (a move the rest of the industry soon followed), and we published our exchange of letters with the EU privacy regulators, explaining these issues in great depth. http://googleblog.blogspot.com/2007/06/how-long-should-google-remember.html

We engineer transparency into our technologies like Web History, which allow users to see and control their own personal search history.
https://www.google.com/accounts/ServiceLogin?hl=en&continue=http://www.google.com/psearch&nui=1&service=hist

We’ve also gone to extraordinary lengths to explain our privacy practices to users in the clearest ways we can devise.
Our privacy policies: http://www.google.com/privacy.html
Our privacy channel on YouTube, with consumer-focused videos explaining basic privacy concepts:
http://googleblog.blogspot.com/2007/08/google-search-privacy-plain-and-simple.html http://googleblog.blogspot.com/2007/09/search-privacy-and-personalized-search.htmlOur Google blogs on privacy: http://googleblog.blogspot.com/2007/05/why-does-google-remember-information.html
Our Google public policy blogs on privacy: http://googlepublicpolicy.blogspot.com/

With each of these efforts, we were the first, and often the only, search engine to embrace this level of transparency and user control. And lots of people in Google are working on even more tools, videos and content to help our users understand our privacy practices and to make informed decisions about how to use them. Check back to these sites regularly to see more.

So, really, is it fair for this organization to claim that “on some policy issues, such as transparency towards customers, they have no publicly available information at all”? Perhaps next time, they can follow up their email with a comment on our public policy blog, or a video response on our Google Privacy YouTube channel. Or even send a question to our Privacy Help Site:
http://www.google.com/support/bin/request.py?contact_type=privacy . Well, so much for the report’s claim that Google doesn’t have a feedback link.

Online Advertising: privacy issues are important, but they don’t belong in merger reviews

2007-10-23T14:33:00.000+01:00

As the European Commission and the US Federal Trade Commission review Google’s proposed acquisition of DoubleClick, a number of academics, privacy advocates and Google competitors have argued that these competition/anti-trust authorities should consider “privacy” as part of their merger review. That’s just plain wrong, as a matter of competition law. It’s also the wrong forum to address privacy issues. If online advertising presents a “harm to consumers”, let’s try to figure out what exactly the harm is, figure out which online advertising practices to change, and then apply those principles to all the participants in the industry. But we shouldn’t bootstrap privacy concerns onto a merger review. That’s like evaluating a merger of automakers by looking at the gas mileage of their cars. We don’t invoke antitrust law to prevent a merger of car companies, because we think the industry should build cars that use less gas.

Some advocates state that online advertising “harms” consumers. So they reason that the merger of Google and DoubleClick would “harm” consumers more, to the extent that it enables more targeted advertising. But these same critics rarely cite specific examples of consumer “harms”, and indeed, I’m having trouble identifying what they might be. The typical use of ad impression tracking now is to limit the number of times a user is exposed to a particular ad. That is, after you have seen an image of a blue car for 6 or 7 times, the ad server will switch to an image of a red car or to some other ad. This means that a user will see different ads, rather than re-seeing the same ad over and over again. As someone who is sick of seeing the same ads over and over again on television, I think that’s good for both viewers and advertisers. There are also new forms of advertising that are enabled by the Internet that may allow for more effective matching between buyers and sellers. Again, I prefer to see relevant ads, if possible. I go to travel sites a lot, and I’m happy to see travel ads, even when I’m not on a travel site. I don’t want to see ads for children’s toys, and I dislike the primitive nature of television, when it shows me such blatantly irrelevant ads.

We all dislike unsolicited direct marketing by phone. So, we created a regulatory “do not call” solution. But without knowing which precise practices of online advertising create a “harm”, it’s impossible to discuss a potential solution. Moreover, a website that offers its services or content for free to consumers (e.g., a news site), tries to generate revenue from advertising to pay its journalists’ salaries and other costs. Shouldn’t such websites also have a say in whether they should be forced to offer their free content to consumers without the ability to match ads to viewers according to some basic criteria? It’s very clear (but worth reiterating) that free sites are almost always more respectful of privacy than paying sites, because of the simple fact that paying sites must collect their users’ real identities and real credit card numbers, while free sites can often be used anonymously.

Now, some legal observations relating to European laws on merger reviews. The overriding principle protected by those laws is consumer welfare: referring to those aspects of a transaction that affect the supply and demand for goods/services (i.e., that affect quantity, quality, innovation choice, etc.). The reference in Article 2(1)(b) ECMR to "the interests of the intermediate and ultimate consumers, and the development of technical and economic progress provided that it is to consumers' advantage and does not form an obstacle to competition" must therefore be read in this context – consumer interests are relevant to the merger assessment only for the purpose of assessing whether the degree of competition that will remain post-transaction will be sufficient to guarantee consumer welfare.

The fact that non-competition issues, such as privacy, fall outside the scope of ECMR is consistent with the general consensus that merger control should focus on the objective of ensuring that consumer welfare is not harmed as a result of a significant impediment to effective competition. Introducing non-competition related considerations into a merger analysis (e.g., environmental protection or privacy) would lead to a potentially arbitrary act of balancing competition against potentially diverging interests. Accordingly, policy issues, such as privacy, are not suitably addressed in a merger control procedure, but should be dealt with separately.

Indeed, privacy interests are addressed in Directive 95/468 and Directive2002/589 (both of which are based on Article 14 EC and Article 95 EC), Article 6 TEU and Article 8 ECHR, and Google must abide by its legal obligations under these instruments. Such instruments are also far more efficient in addressing privacy issues than the ECMR, as they are industry-wide in scope. Internet privacy issues are relevant to the entire industry as they are inextricably linked to the very nature of the technology used by every participant on the Internet. Information is generated in relation to virtually every event that occurs on the Internet, although the nature of the data, the circumstances in which it is collected, the entities from whom and by whom it is collected, and the uses to which it is put, vary considerably. This situation pre-dates Google’s proposed acquisition of DoubleClick and is not in any way specific to it. More importantly, any modification of the status quo in terms of the current levels of privacy protection must involve the industry as a whole, taking account of the diversity of participants and their specific circumstances.

Google has always been, and will continue to be, willing to engage in a wider policy debate regarding Internet privacy. Issues of privacy and data security are of course of great importance to Google, as maintaining user trust is essential for its success. As a large and highly visible company, Google has strong incentives to practice strong privacy and security policies in order to safeguard user data and maintain user trust. These concerns are one of the reasons why Google has thus far chosen not to accept display ad tags from third parties. The proposed transaction will not change Google's commitment to privacy, and Google is in fact currently developing a new privacy policy to address the additional data gathered through third-party ad serving. Similarly, a number of Google's competitors have announced new and supposedly improved policies to protect consumer privacy, highlighting the robustness of recent competition on privacy issues. There is no reason to suggest that such competition will diminish if Google acquires DoubleClick; to the contrary, such competition appears to be intensifying.

Privacy is an important issue in the world of online ads. But it is not an issue for a competition law review.

Can you “identify” the person walking down the street?

2007-10-23T13:05:00.000+01:00

I recently posted a blog on Google’s Lat Long Blog about Street View and privacy.

http://google-latlong.blogspot.com/2007/09/street-view-and-privacy.html

I’d like to add a few personal observations to that post.

Some people might have wondered why Google posted a blog about what a future launch of Street View would look like in some non-US countries, especially since, so far, it only includes images from 15 US cities. We felt the need to respond to concerns that we had heard recently, in particular concerns from Canada’s privacy regulators, that a launch of the US-style of Street View in Canada might not comply with Canadian privacy regulations. And we wanted to be very clear that we understood privacy regimes are different in some countries, such as Canada, and for that matter, much of Europe, compared to the US tradition of “public spaces.” And of course, that we would respect those differences, when/if we launched Street View in those countries.

Basically, Street View is going to try not to capture “identifiable faces or identifiable license plates” in its versions in places where the privacy laws probably wouldn’t allow them (absent consent from the data subjects, which is logistically impossible), in other words, in places like Canada and much of Europe. And for most people, that pretty much solves the issue. If you can’t identify a person’s face, then that person is not an “identifiable” human being in privacy law terms. If you can’t identify a license plate number, then that car is not something that can be linked to an identifiable human being in privacy law terms.

How would Street View try not to capture identifiable faces or license plates? It might be a combination of blurring technology and resolution. The quality of face-blurring technology has certainly improved recently, but there are still some unsolved limitations with it. As one of my engineering colleagues at Google explained it to me: “Face detection and obscuring technology has existed for some time, but it turns out not to work so well. Firstly, face recognition misses a lot of faces in practice, and secondly, a surprising number of natural features (bits of buildings, branches, signs, chance coincidence of all of the above) look like faces. It’s somewhat surprising when you run a face recognition program over a random scene and then look closely at what it recognises. These problems are also exacerbated by the fact that you have no idea of scale, because of the huge variations in distance that can occur.”

Lowering the quality of resolution of images is another approach to try not to capture identifiable faces or license plates. If the resolution is not great, it’s hard (or even impossible) to identify them. Unfortunately, any such reduction in resolution would of course also reduce the resolution of the things we do want to show, such as buildings. So, it’s a difficult trade-off.

Some privacy advocates raise the question of how to circumscribe the limits of “identifiability”. Can a person be considered to be identifiable, even if you cannot see their face? In pragmatic terms, and in privacy law terms, I think not. The fact is that a person may be identifiable to someone who already knows them, on the basis of their clothes (e.g., wearing a red coat), plus context (in front of a particular building), but they wouldn’t be “identifiable” to anyone in general. Others raise the issue of whether properties (houses, farms, ranches) should be considered to be “personal data” (so that their owners or residents could request them to be deleted from these geo sites, like Google Earth)? Last month, various German privacy officials made these arguments in a Bundestag committee hearing. They reasoned that a simple Internet search can often combine a property’s address with the names of the property’s residents. Others see this reasoning as a distortion of privacy concepts, which were not meant to be extended to properties. And the consequences of that reasoning would mean that satellite and Street View imagery of the world might be full of holes, as some people (disproportionately, celebrities and the rich, of course) would try to block their properties from being discoverable.

Google will have to be pragmatic, trying to solve privacy issues in a way that doesn’t undermine the utility of the service or the ability of people to find and view legitimate global geographic images. I personally would like to see the same standard of privacy care applied to Street View across the globe: namely, trying not to capture identifiable faces or license plates, even in the US, regardless of whether that’s required by law or not. But I recognize that there are important conflicting principles at play (i.e., concepts of “public spaces”), and “privacy” decisions are never made in a bubble.

We’re engaged in a hard debate, inside Google and outside: what does privacy mean in connection with images taken in “public spaces”, and when does a picture of someone become “identifiable”? Can we have a consistent standard around the world, or will we have to have different standards in different countries based on local laws and culture? This isn’t the first time (and I hope, not the last time) that Google has launched a new service, letting people access and search for new types of information. Those of us in the privacy world are still debating how to address it.

I think the decisions taken by the Street View team have been the right ones, even for the US launch, at least at this point in time, and given the current state of technology. But a more privacy-protective version in other countries (and someday, maybe in the US too?) would be a good thing, at least for privacy.

I like the anonymity of the big city

2007-10-16T18:19:00.000+01:00

For much of history, people lived in small communities, where everyone knew them, and they knew everyone. Identity was largely inherited and imposed, and the ability of people to re-invent themselves was quite limited. You were father, farmer, drunkard, and everyone knew it.

The big city changed all that, by offering anonymity and choice. Against the background of anonymity, people can choose their identity, or choose multiple identities, often by choosing the community of other people with whom they live, work or play. In the city, you can choose to cultivate multiple identities: to mingle with bankers or toddlers by day, to play rugby or poker by night, to socialize with rabbis or lesbians, and to do all this while choosing how anonymous to remain. Maybe you’re happy to use your real name with your bank colleagues, but delight in the anonymity of a large nightclub. And you can share different parts of your identity with different communities, and none of them need to know about the other parts, if you don’t want them too: work and home, family and friends, familiarity and exploration, the city allows you to create your identity against a background of anonymity.

Like the city, but on a much, much bigger scale, the Web allows people to create multiple digital identities, and to decide whether to use their “real” identity, or pseudonyms, or even complete anonymity. With billions of people online, and with the power of the Internet, people can find information and create virtual communities to match any interest, any identity. You may join a social networking site with your real names or your pseudonyms, finding common interests with other people on any conceivable topic, or exploring new ones. You may participate in a breast cancer forum, by sharing as much or as little information about yourself as you wish. You may explore what it means to be gay or diabetic, without wanting anyone else to know. Or you may revel in your passion to create new hybrids of roses with other aficionados. The Web is like the city, only more so: more people, more communities, more knowledge, more possibility. And the Web has put us all in the same “city”, in cyberspace.

Life is about possibilities: figuring out who you are, who you want to be. Cities opened more possibilities for us to create the identities we choose. The Web is opening even more.

Eric Schmidt on Global Privacy Standards

2007-09-19T13:40:00.000+01:00

Eric Schmidt, Google's CEO, added his voice to the debate on global privacy standards with this OpEd, published in a number of outlets around the world this week.

As the information age becomes a reality for increasing numbers of people globally, the technologies that underpin it are getting more sophisticated and useful. The opportunities are immense. For individuals, a quantum leap forward in their ability to communicate and create, speak and be heard; for national economies, accelerated growth and innovation.

However, these technological advances do sometimes make it feel as if we are all living life in a digital goldfish bowl. CCTV cameras record where we shop and how we travel. Mobile phones track our movements. Emails leave a trail of who we “talk” to, and what we say. The latest internet trends - blogs, social networks and video sharing sites - take this a step further. At the click of a mouse it’s possible to share almost anything – photographs, videos, one’s innermost thoughts - with almost anyone.

That's why I believe it's important we develop new privacy rules to govern the increasingly transparent world which is emerging online today – and by new rules I don’t automatically mean new laws. In my experience self regulation often works better than legislation – especially in highly competitive markets where people can switch providers simply by typing a few letters into a computer.

Search is a good example. Search engines like Google have traditionally stored their users’ queries indefinitely – the data helps us to improve services and prevent fraud. These logs record the query, the time and date it was entered, and the computer’s Internet Protocol (IP) address and cookie. For the uninitiated, an IP address is a number (sometimes permanent, sometimes one-off) assigned to a computer – it ensures the right search results appear on the right screen. And a cookie is a file which records people’s preferences - so that users don’t continually have to re-set their computers.

While none of this information actually identifies individuals, it doesn’t tell us who people are or where they live, it is to some extent personal because it records their search queries. That’s why Google decided to delete the last few digits of the IP address and cookie after 18 months – breaking the link between what was typed, and the computer from which the query originated. Our move created a virtuous dynamic, with others in the search industry following suit soon afterwards. In an industry where trust is paramount, we are now effectively competing on the best privacy practices as well as services.

Of course, that’s not to say privacy legislation doesn’t have its place in setting minimum standards. It does. At the moment, the majority of countries have no data protection rules at all. And where legislation does exist, it’s typically a hotchpotch of different regimes. In America, for example, privacy is largely the responsibility of the different states – so there are effectively 50 different approaches to the problem. The European Union by contrast has developed common standards, but as the UK’s own regulator has acknowledged these are often complex and inflexible.

In any event, privacy rules in one country, no matter how well designed, are of limited use now that personal data can zip several times around the world in a matter of seconds. Think about a routine credit card transaction – this can involve six or more separate countries once the location of customer service and data centres are taken into account.

The lack of agreed global privacy standards has two potentially damaging consequences. First, it results in the loss of effective privacy protections for individuals. How can consumers be certain their data is safe, wherever it might be located? Second, it creates uncertainty for business, which can restrict economic activity. How does a company, especially one with global operations, know what standards of data protection to apply in all the different markets where it operates?

That’s why Google is today calling for a new, more co-ordinated approach to data protection by the international community. Developing global privacy standards will not be easy – but it’s not entirely new ground. The Organization for Economic Co-operation and Development produced its Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data as far back as 1980.

More encouragingly recent initiatives in this area by the United Nations, the Asian-Pacific Economic Co-operation Forum and the International Privacy Commissioners’ Conference have all focussed on the need for common data protection principles. For individuals such principles would increase transparency and consumer choice, helping people to make informed decisions about the services they use as well as reducing the need for additional regulation. For business, agreed standards would mean being able to work within one clear framework, rather than the dozens that exist today. This would help stimulate innovation. And for governments, a common approach would help dramatically improve the flow of data between countries, promoting trade and commerce.

The speed and scale of the digital revolution has been so great that few of us can remember how life was before we had the ability to communicate, trade or search for information 24-hours a day, seven days a week. And the benefits have been so great that most people who do recall our analogue past would never want to return to the old days. The task we now face is twofold: to build trust by preventing abuse and to enable future innovation. Global privacy standards are central to achieving these goals. For the sake of economic prosperity, good governance and individual liberty, we must step up our efforts to implement them.

The Need for Global Privacy Standards

2007-09-14T19:39:00.000+01:00

Introduction

How should we update privacy concepts for the Information Age? The total amount of data in the world is exploding, and data flows around the globe with the click of mouse. Every time you use a credit card, or every time you use an online service, your data is zipping around the planet. Let’s say you live in France and you use a US company’s online service. The US company may serve you from any one of its numerous data centers, from the “cloud” as we say in technology circles, in other words, from infrastructure which could be in Belgium or Ireland – and which could change based on momentary traffic flows. The company may store offline disaster recovery tapes in yet another location (without disclosing the location, for security purposes). And the company may engage customer service reps in yet another country, say India. So, your data may move across 6 or 7 countries, even for very routine transactions.
As a consumer, how do you know that your data is protected, wherever it is located? As a business, how do you know which standards of data protection to apply? As governments, how do you ensure that your consumers and your businesses can participate fully in the global digital economy, while ensuring their privacy is protected?

The story illustrates the argument I want to make today. It is that businesses, governments but most of all citizens and consumers would all benefit if we could devise and implement global privacy standards. In an age when billions of people are used to connecting with data around the world at the speed of light, we need to ensure that there are minimum privacy protections around the world. We can do better, when the majority of the world’s countries offer virtually no privacy standards to their citizens or to their businesses. And the minority of the world’s countries that have privacy regimes follow divergent models. Today, citizens lose out because they are unsure about what rights they have given the patchwork of competing regimes, and the cost of compliance for businesses risks chilling economic activity. Governments often struggle to find any clear internationally recognised standards on which to build their privacy legislation.

Of course there are good reasons for some country-specific privacy legislation. The benefits of homogeneity must be balanced by the rights of legitimate authorities to determine laws within their jurisdictions. We don’t expect the same tax rules in every country, say some critics, so why should we expect the same privacy rules? But in many areas affecting international trade, from copyright to aviation regulations to world health issues, huge benefits have been achieved by the setting of globally respected standards. In today’s inter-connected world, no one country and no one national law by itself can address the global issues of copyright or airplane safety or influenza pandemics. It is time that the most globalised and transportable commodity in the world today, data, was given similar treatment.

So today I would like to set out why I think international privacy rules are necessary, and to discuss ideas about how we create universally respected rules. I don’t claim to have all the answers to these big questions, but I hope we can contribute to the debate and the awareness of the need to make progress.

Drivers behind the original privacy standards

But first a bit of history. Modern privacy law is a response to historical and technological developments of the second-half of the 20th century. The ability to collect, store and disseminate vast amounts of information about individuals through the use of computers was clearly chilling against the collective memories of the dreadful mass-misuse of information about people that Europe had experienced during WWII. Not surprisingly, therefore, the first data privacy initiatives arose in Europe, and they were primarily aimed at imposing obligations that would protect individuals from unjustified intrusions by the state or large corporations, as reflected in the 1950 European Convention for the Protection of Rights and Fundamental Freedoms.

Early international instruments

After a decade of uncoordinated legislative activity across Europe, the Organisation for Economic Co-operation and Development identified a danger: that disparities in national legislations could hamper the free flow of personal data across frontiers. In order to avoid unjustified obstacles to transborder data flows, in 1980 the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. It’s worth underscoring that concerns about international data flows were already being addressed in a multinational context as early as 1980, with the awareness that a purely national approach to privacy regulation simply wasn’t keeping abreast of technological and business realities.

These OECD Guidelines became particularly influential for the development of data privacy laws in non-European jurisdictions. The Guidelines represent the first codification of the so-called ‘fair information principles’. These eight principles were meant to be taken into account by OECD member countries when passing domestic legislation and include: 1) collection limitation, 2) data quality, 3) purpose specification, 4) use limitation, 5) security safeguards, 6) openness, 7) individual participation, and 8) accountability.

A parallel development in the same area but with a slightly different primary aim was the Council of Europe Convention on the Automated Processing of Personal Data adopted in 1981. The Convention’s purpose was to secure individuals’ right to privacy with regard to the automatic processing of personal data and was directly inspired by the original European Convention on human rights. The Council of Europe instrument sets out a number of basic principles for data protection, which are similar to the ‘fair information principles’ of the OECD Guidelines. In addition, the Convention establishes special categories of data, provides additional safeguards for individuals and requires countries to establish sanctions and remedies.
The different origins and aims of both instruments result in rather different approaches to data privacy regulation. For example, whilst the Convention relies heavily on the establishment of a supervisory authority with responsibility for enforcement, the OECD Guidelines rely on court-driven enforcement mechanisms. These disparities have been reflected in the laws of the countries within the sphere of influence of each model. So, for example, in Europe, privacy abuses are regulated by independent, single-purpose bureaucracies, while in the US, privacy abuses can be regulated by many different government and private bodies (e.g., the Federal Trade Commission at the Federal level, Attorneys General at the State levels, and private litigants everywhere). It’s impossible to say which model is more effective, since each reflects the unique regulatory and legal cultures of their respective traditions. Globally, we need to focus on advocating privacy standards to countries around the world. But we should defer to each country to decide on its own regulatory models, given its own traditions.

Current situation

Today, a quarter century later, some countries are inspired by the OECD Guidelines, others follow the European approach, and some newer ones incorporate hybrid approaches by cherry-picking elements from existing frameworks, while the significant majority still has no privacy regimes at all.

After half a decade of negotiations, in 1995, the EU adopted the Data Protection Directive 95/46/EC. The EU Directive has a two-fold aim: to protect the right to privacy of individuals, and to facilitate the free flow of personal data between EU Member States. Despite its harmonisation purpose, according to a recent EU Commission Communication, the Directive has not been properly implemented in some countries yet. This shows the inherent difficulty in trying to roll out a detailed and strict set of principles, obligations and rights across jurisdictions. However, the Commission has also made it clear that at this stage, it does not envisage submitting any legislative proposals to amend the Directive.

In terms of core European standards, the best description of what the EU privacy authorities would regard as “adequate data protection” can be found in the Article 29 Working Party’s document WP 12. This document is a useful and detailed point of reference to the essence of European data privacy rules, comprising both content principles and procedural requirements. In comparison with other international approaches, EU data privacy laws appear restrictive and cumbersome, particularly as a result of the stringent prohibition on transfers of data to most countries outside the European Union. The EU’s formalistic criteria for determining “adequacy” have been widely criticized: why should Argentina be “adequate”, but not Japan? As a European citizen, why can companies transfer your data (even without your consent) to Argentina and Bulgaria and other “adequate” countries, but not to the vast majority of the countries of the world, like the US and Japan? In short, if we want to achieve global privacy standards, the European Commission will have to learn to demonstrate more respect for other countries’ approach to privacy regimes.

But at least in Europe there is some degree of harmonisation. In contrast, the USA has so far avoided the adoption of an all-encompassing Federal privacy regime. Unlike in Europe, the USA has traditionally made a distinction between the need for privacy-related legislation in respect of the public and the private sectors. Specific laws have been passed to ensure that government and administrative bodies undertake certain obligations in this field. With regard to the use of personal information by private undertakings, the preferred practice has been to work on the basis of sector-specific laws at a Federal level whilst allowing individual states to develop their own legislative approaches. This has led to a flurry of state laws dealing with a whole range of privacy issues, from spam to pretexting. There are now something like 37 different USA State laws requiring security breach notifications to consumers, a patchwork that is hardly ideal for either American consumer confidence or American business compliance.

The complex patchwork of privacy laws in the US has led many people to call for a simplified, uniform and flexible legal framework, and in particular for comprehensive harmonised Federal privacy legislation. To kick start a serious debate on this front, a number of leading US corporations set up in 2006 the Consumer Privacy Legislative Forum, of which Google forms part. It aims to make the case for harmonised legislation. We believe that the same arguments for global privacy standards should also apply to US Federal privacy standards: improve consumer protections and confidence by applying a consistent minimum standard, and ease the burdens on businesses trying to comply with multiple (sometimes conflicting) standards.
A third and increasingly influential approach to privacy legislation has been developing in Canada, particularly since the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) was adopted in 2000. The Canadian PIPEDA aims to have the flexibility of the OECD Guidelines – on which it is based – whilst providing the rigour of the European approach. In Canada, as in the USA, the law establishes different regimes for the public and private sectors, which allows for a greater focus on each. As has also been happening in the USA in recent years with state laws, provincial laws have recently taken a leading role in developing the Canadian model. Despite the fact that PIPEDA creates a privacy framework that requires the provincial laws to be "substantially similar" to the federal statute, a Parliamentary Committee carrying out a formal review of the existing framework earlier this year, recommended reforms for PIPEDA to be modelled on provincial laws. Overall, Canada should be praised for encouraging the development of progressive legislation which serves the interests of both citizens and businesses well.

Perhaps the best example of a modern approach to the OECD privacy principles is to be found in the APEC Privacy Framework, which has emerged from the work of the 21 countries of the Asia-Pacific Economic Cooperation forum. The Framework focuses its attention on ensuring practical and consistent privacy protection across a very wide range of economic and political perspectives that include global powerhouses such as the US and China, plus some key players in the privacy world (some old, some new), such as Australia, New Zealand, Korea, Hong Kong and Japan. In addition to being a sort of modern version of the old OECD Guidelines, the Framework suggests that privacy legislation should be primarily aimed at preventing harm to individuals from the wrongful collection and misuse of their information. The proposed framework points out that under the new “preventing harm” principle, any remedial measures should be proportionate to the likelihood and severity of the harm.

Unfortunately, the co-existence of such diverse international approaches to privacy protection has three very damaging consequences: uncertainty for international organisations, unrealistic limits on data flows in conflict with global electronic communications, and ultimately loss of effective privacy protection.

New (interconnected) drivers for global privacy standards

Against this background, we are witnessing a series of new phenomena that evidence the need for global privacy standards much more compellingly than in the 70s, 80s or 90s. The development of communications and technology in the past decade has had a marked economic impact and accelerated what is commonly known as ‘globalisation’. Doing business internationally, exchanging information across borders and providing global services has become the norm in an unprecedented way. This means that many organisations and those within them operate across multiple jurisdictions. The Internet has made this phenomenon real for everyone.

A welcome concomitant of the unprecedented technological power to collect and share all this personal information on a global basis is the increasing recognition of privacy rights. The concept of privacy and data protection regimes has moved from one discussed by experts at learned conferences to an issue that is discussed and debated by ordinary people who are increasingly used to the trade offs between privacy and utility in their daily lives. As citizens’ interest in the issue has grown, so, of course has politicians’ interest. The adoption of new and more sophisticated data privacy laws across the world and the radical legal changes affecting more traditional areas of law show that both law makers and the courts perceive the need to strengthen the right to privacy. Events which have highlighted the risks attached to the loss or misuse of personal information have led to a continuous demand for greater data security which often translates into more local laws, such as those requiring the reporting of security breaches, and greater scrutiny.

Routes to the development of global privacy standards

The net result is that we have a fragmentation of competing local regimes, at the same time as we the massively increased ability for data to travel globally. Data on the Internet flows around the globe at nearly the speed of light. To be effective, privacy laws need to go global. But for those laws to be observed and effective, a realistic set of standards must emerge. It is absolutely imperative that these standards are aligned to today’s commercial realities and political needs, but they must also reflect technological realities. Such standards must be strong and credible but above all, they must be clear and they must workable.

At the moment, there are a number of initiatives that could become the guiding force. As the most recent manifestation of the original OECD privacy principles, one possible route would be to follow the lead of the APEC Privacy Framework and extend its ambit of influence beyond the Asia-Pacific region. One good reason for adopting this route is that it already balances very carefully information privacy with business needs and commercial interests. At the same time, it also accords due recognition to cultural and other diversities that exist within its member economies.

One distinctive example of an attempt to rally the UN and the world’s leaders behind the adoption of legal instruments of data protection and privacy according to basic principles is the Montreux Declaration of 2005. This Declaration probably represents the first official written attempt to encourage every government in the world to do something like this and this is an ambition that must be praised. Little further was heard about the progress of the Montreux Declaration until the International Privacy Commissioners’ Conference took place in November 2006 and the London initiative was presented. The London Initiative acknowledged that the global challenges that threaten individuals’ privacy rights require a global solution. It focuses on the role of the Commissioners’ Conference to spearhead the necessary actions at an international level. The international privacy commissioners behind the London Initiative argue that concrete suggestions must emerge in order to accomplish international initiatives, harmonise global practices and adopt common positions.

One privacy commissioner who has expressed great interest in taking an international role aimed developing global standards is the UK Information Commissioner. The Data Protection Strategy of the Information Commissioner’s Office published at the end of June 2007 stresses the importance of improving the image, relevance and effectiveness of data protection worldwide and, crucially, recognises the need for simplification.

Way forward

The key priority now should be to build awareness of the need for global privacy standards. Highlighting and understanding the drivers behind this need – globalisation, technological development, and emerging threats to privacy rights – will help policymakers better understand the crucial challenge we face and how best to find solutions to address them.
The ultimate goal should be to create minimum standards of privacy protection that meet the expectations and demands of consumers, businesses and governments. Such standards should be relevant today yet flexible enough to meet the needs of an ever changing world. Such standards must also respect the value of privacy as an innate dimension of the individual. To my mind, the APEC Framework is the most promising foundation on which to build, especially since competing models are flawed (the USA model is too complex and too much of a patchwork, the EU model is too bureaucratic and inflexible).

As with all goals, we must devise a plan to achieve it. Determining the appropriate international forum for such standards would be an important first step, and this is a choice that belongs in the hands of many different stakeholders. It may be the OECD or the Council of Europe. It may be the International Chamber of Commerce or the World Economic Forum. It may be the International Commissioners’ Conference or it may be UNESCO. Whatever the right forum is, we should work together to devise a set of standards that reflects the needs of a truly globalised world. That gives each citizen certainty about the rules affecting their data, and the ability to manage their privacy according to their needs. That gives businesses the ability to work within one framework rather than dozens. And that gives governments clear direction about internationally recognised standards, and how they should be applied.

Data is flowing across the Internet and across the globe. That’s the reality. The early initiatives to create global privacy standards have become more urgent and more necessary than ever. We must face the challenge together.

Slowing down: 17 minutes for privacy

2007-08-30T16:46:00.001+01:00

In the era of the soundbite and the tabloid headline, it's almost startling to be invited to talk on radio about privacy at Google for 17 minutes. I don't normally believe in cross-posting media stuff into this blog, but it's not everyday that you get a chance to talk about things slowly, in depth. The audio link is here:

http://oe1.orf.at/highlights/107732.html

All this is in connection with the Ars Electronica Privacy Symposium in Linz, Austria.

IP Geolocation: knowing where users are – very roughly

2007-08-30T07:52:00.000+01:00

A lot of Internet services take IP-based geolocation into account. In other words, they look at a user's IP address to try to guess the user's location, in order to provide a more relevant service. In privacy terms, it's important to understand the extent to which a person's location is captured by these services. Below are some insights into how precise these are (or rather, are not), how it's done, and how they're used in some Google services.

The IP geolocation system Google uses (similar to the approach used by most web sites) is based primarily on third-party data, from an IP-to-geo index. These systems are reasonably accurate for classifying countries, particularly large ones and in areas far from borders, but weaker at city-level and regional-level classification. As measured by one truth set, these systems are off by about 21 miles for the typical U.S. user (median), and 20% of the time don't know where the user is located within less than 250 miles. The imprecision of geolocation is one of the reasons that it is a flawed model to use for legal compliance purposes. Take, for example, a YouTube video with political discourse that is deemed to be “illegal” content in one country, but completely legal in others. Any IP-based filtering for the country that considers this content illegal will always be over- or under-inclusive, given the imprecision of geolocation.

IP address-based geolocation is used at Google in a variety of applications to guess the approximate location of the user. Here are examples of the use of IP geolocation at Google:

Ads quality: Restrict local-targeted campaigns to relevant users
Google Analytics: Website owners slice usage reports by geography
Google Trends: Identifying top and rising queries within specific regions
Adspam team: Distribution of clicks by city is an offline click spam signal
Adwords Frontend: Geo reports feature in Report Center

So, an IP-to-geo index is a function from an IP address to a guessed location. The guessed location for a given IP address can be as precise as a city or as vague as just a country, or there can be no guess at all if no IP range in the index contains the address. There are many efforts underway to improve the accuracy of these systems. But for now, IP-based geolocation is significantly less precise than zip codes, to take an analogy from the physical world.

Do you read privacy policies, c'mon, really?

2007-08-28T08:28:00.000+01:00

What’s the best way to communicate information about privacy to consumers? Virtually all companies do this in writing, via privacy policies. But many are not easy to read, because they are trying to do two (sometimes contradictory) things, namely, provide consumers with information in a comprehensible format, while meeting legal obligations for full privacy disclosure. So, should privacy policies be short (universally preferred by consumers) or long (universally preferred by lawyers worried about regulatory obligations)? Perhaps a combination of the two is the best compromise: a short summary on top of a long complete privacy policy, the so-called “layered” approach. This is the approach recommended in a thoughtful study by the Center for Information Policy Leadership:
http://www.hunton.com/files/tbl_s47Details/FileUpload265/1405/Ten_Steps_whitepaper.pdf

But then I’m reminded of what Woody Allen said: “I took a speed reading course and read ‘War and Peace’ in twenty minutes. It involves Russia.” Yes, privacy summaries can be too short to be meaningful.

Indeed, maybe written policies aren’t the best format for communicating with consumers, regardless of whether they’re long or short. Maybe consumers prefer watching videos. Intellectually, privacy professionals might want consumers to read privacy policies, but in practice, most consumers don’t. We should face that reality. So, I think we have an obligation to be creative, to explore other media for communicating with consumers about privacy. That’s why Google is exploring video formats. We’ve just gotten started, and so far, we’ve only launched one. We’re working on more. Take a look and let me know what you think. Remember, we’re trying to communicate with “average” consumers, so don’t expect a detailed tech tutorial.

http://googleblog.blogspot.com/2007/08/google-search-privacy-plain-and-simple.html

Personally, I’ve also been trying to talk about privacy through other video formats, with the media. Below is just one example. I don’t know if all these videos are the right approach, but I do think it’s right to be experimenting.

http://www.reuters.com/news/video/videoStory?videoId=57250

Did you read the book, or watch the movie?

Data Protection Officers according to German law

2007-08-27T14:08:00.000+01:00

Some of you might be interested in German law on data protection officers. I’m going to give this to you in factual terms. [This isn’t legal advice, and it’s not commentary: so, I’m not commenting on how much or little sense I think this makes in practice.]

Since August 2006, according to the German Data Protection Act, the appointment of an Data Protection Officer (“DPO”) is compulsory for any company or organization employing more than nine employees in its automated personal data processing operations.

Anyone appointed as DPO must have the required technical and technical-legal knowledge and reliability (Fachkunde und Zuverlässigkeit). He or she need not be an employee, but can also be an outside expert (i.e., the work of the official can be outsourced). Either way, the official reports directly to the CEO (Leiter) of the company; must be allowed to carry out his or her function free of interference (weisungsfrei); may not be penalized for his or her actions; and can only be fired in exceptional circumstances, subject to special safeguards (but note that this includes being removed as DPO at the suggestion of the relevant DPA). The company is furthermore required by law to provide the official with adequate facilities in terms of office space, personnel, etc.

The main task of the DPO is to ensure compliance with the law and any other data protection-relevant legal provisions in all the personal data processing operations of his employer or principal. To this end, the company must provide the DPO with an overview of its processing operations that must include the information which (if it were not for the fact that the company has appointed a DPO) would have had to be notified to the authorities as well as a list of persons who are granted access to the various processing facilities. In practice, it is often the first task of the DPO to compile a register of this information, and suggest appropriate amendments (e.g., clearer definitions of the purpose(s) of specific operations, or stricter rules on who has access to which data). Once a DPO has been appointed, new planned automated processing operations must be reported to him or her before they are put into effect.

The DPO’s tasks also include verifying the computer programs used; and training the staff working with personal data. More generally, he has to advise the company on relevant operations, and to suggest changes where necessary. This is a delicate matter, especially if the legal requirements are open to different interpretations. The Act therefore adds that the official may, “in cases of doubt” contact the relevant DPA. However, except in the special context of a “prior check” issues, the Act does not make this obligatory.

It is important to note that the DPO in Germany is not just a cosmetic function, and it is important for the company and DPO to take his role seriously. Thus, the DPO must be given sufficient training and resources to do his job properly. Failure to take the DPO function seriously can have serious legal consequences, both for the company and the DPO.

When appointing a DPO, it is important to identify potential incompatibility and conflict of interests between this position and other positions of the person within the company. Non-compliance with the law is subject to an administrative offense which can be punished by a fine of up to € 25,000. Moreover, the DPA can order the dismissal of the DPO if he or she also holds a position which is incompatible with the role as DPO. Finally, non-compliance may give rise to liability under the Act.

Unfortunately, with regard to conflicts of interest there is no clear picture, and much depends on local requirements and views by local DPAs. In general, the following positions are considered to be incompatible with the position of a DPO:

CEO, Director, Corporate Administrators, or other managerial positions that are legally or statutory compulsory
Head of IT/ IT Administrator
Head of HR
Head of Marketing
Head of Sales
Head of Legal
Executives of corporate units processing massive or sensitive personal data

Employees in the administrative department and employees in the legal department are more likely considered to have no conflicts of interest. Finally, views differ considerably with regard to the position of an internal auditor and the head of corporate security. An IT security manager can be appointed if he is independent in the organization of the department.

Finally, German law does not provide for having a “Group DPO” that oversees a group of companies or a holding (Konzerndatenschutzbeauftragter). Such a DPO needs to be appointed by every single entity and also has to implement local data protection coordinators.

Safe Harbor: the verification problem

2007-07-17T08:16:00.000+01:00

A company that signs up to comply with the provisions of the Safe Harbor Agreement for the transfer of personal data from Europe to the US must have a process to verify its compliance. There’s very little in the way of “official” guidance on this question. I’ve spent some time trying to figure out how companies can verify compliance. Here are three options, and companies should choose the model that fits best with their corporate culture and structure.

Traditional Audits

A company can conduct a traditional audit of privacy practices company-wide. The problem with company-wide audits based on traditional checklists, however, is that no two people read the checklist the same way; and all the incentives are to be brief and forgetful when filling out a form. If the checklist is used by an interviewer, the return on investment of time goes up in terms of quality of information, but only so much as the interviewer has the knowledge of the product and the law to ask the right questions. The bigger and more diverse the company, the more daunting the task and the less consistent the information collected.

The traditional auditor approach to verification usually includes massive checklists, compiled and completed by a large team of consultants, usually driven by outputs that require formal corrective action reporting and documented procedures, and cost a fortune. To an auditor, verification means proof, not process; it means formal procedures that can be tested to show no deviation from the standard, and corrective action steps for procedures that fail to consistently deliver compliance.

Alternative Model – Data Flow Analysis

An alternative model involves a more simple procedure focusing on risk. It shows that a company is least at risk when it collects information, and that the risk increases as it uses, stores and discloses personal information to third parties. The collection risk is mitigated through notice of the company’s privacy practices; IT security policies that include authorizations for access and use of information mitigate the risks associated with storage and use; and strong contractual safeguards mitigate the risk on disclosure of personal information.

A sound privacy policy is built around understanding how data flows through an organization. Simply put, you ask the following four questions:

What personal information do you collect
What do you use it for
Where is it stored and how is access granted to it
To whom is it disclosed

The results must then be compared to the existing privacy policy for accuracy and completeness. The best way to do that is on the front-end of the interview, not after the fact. In other words, preparation for each interview should include a review and analysis of the product and the accompanying policy.

A disadvantage with the above approach is that it is somewhat labor intensive and time consuming. Note however that this procedure is not a traditional audit, which can take far longer, cost much more and generally is backward looking (i.e., what did you do with data yesterday?). Instead, the data flow analysis identifies what the company does with data on an ongoing basis and armed with that knowledge, permits the company to continuously improve its privacy policies – it is a forward-looking approach that permits new internal tools or products to be developed around the output. For example, one side benefit of this approach is that every service would yield up the data elements captured and where they are stored.

Sub-Certification Method

There is yet one more alternative – the use of SoX-like sub-certifications to verify the accuracy and completeness of product or service privacy statements. Sarbanes-Oxley requires the company CFO and CEO certify that the information provided to the public regarding the company’s financial matters is true. In order to make the certification, most companies have established a system of sub-certifications where those officers and employees with direct, personal knowledge of the underlying facts certify up that the information is correct.

The same could be done in regard to privacy. There is a two-fold advantage from this approach. First, it emphasizes the importance of the information collection by attaching to it the formality of a certification. Second, it can inform a training program as it forces periodic review of the policy and therefore attention to its existence and relevance.

How granular should the inquiry be at the product level? In a distributed model of verification, the manner and means of confirming the accuracy of the content can be left to the entrepreneurial talents of the managers. The key is to ensure that the information provided is complete and accurate, and that the product lead and/or counsel are willing to certify the results.

There is very little guidance publicly available that informs the process of an in-house review, but it is hard to criticize the very same process accepted for validation of a company’s financial statements upon which individual consumers and investors rely for financial decision-making.

Safe Harbor Privacy Principles

2007-07-16T09:34:00.000+01:00

Some privacy advocacy groups have made the claim (and others have repeated it) that Google doesn’t comply with any "well-established government and industry standards such as the OECD Privacy Guidelines." That’s just plain incorrect. Google complies with the robust privacy requirements of the US-EU Safe Harbor Agreement, as disclosed in its Privacy Policy. http://www.google.com/intl/en/privacy.html

The Safe Harbor privacy principles are generally considered to exceed the requirements of the OECD Privacy Guidelines, since they were designed to provide an equivalent level of privacy protection to the laws of the European Union. http://www.export.gov/safeharbor/
As a reminder, here are the privacy principles of the Safe Harbor Agreement:

WHAT DO THE SAFE HARBOR PRINCIPLES REQUIRE?

Organizations must comply with the seven safe harbor principles. The principles require the following:

Notice
Organizations must notify individuals about the purposes for which they collect and use information about them. They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information and the choices and means the organization offers for limiting its use and disclosure.
Choice
Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.
Onward Transfer (Transfers to Third Parties)
To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent(1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding. As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.
Access
Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.
Security
Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data integrity
Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.
Enforcement
In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles. Sanctions must be sufficiently rigorous to ensure compliance by the organization. Organizations that fail to provide annual self certification letters will no longer appear in the list of participants and safe harbor benefits will no longer be assured.

While the Safe Harbor Agreement principles were designed as a framework for companies to comply with European-inspired privacy laws, the OECD Guidelines from the year 1980 were designed as a framework for governments to create privacy legislation. http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html
The US has chosen to not (yet) implement those principles into its Federal legislation. As a public policy matter, in the US, Google is working with other leading companies to encourage the development of robust Federal consumer privacy legislation. http://googleblog.blogspot.com/2006/06/calling-for-federal-consumer-privacy.html
I’ll come back to the issue of US Federal and global privacy standards again soon. The global nature of data flows on the Internet requires renewed focus on the need for global privacy standards. I hope privacy advocates will work with us on that.

I know people who spent their entire childhood hiding from the German government

2007-07-09T17:05:00.000+01:00

Governments around the world are asking whether they should restrict anonymity on the Internet in the name of security. Take Germany as an example. Should Internet service providers be required to verify the identity of their users? Germany recently proposed – and then retreated – on requiring that providers of email services must verify the identity of their account holders. However, Germany is on the path to require that providers of VoIP services must verify the identity of their users. The debates about the proper limits of anonymity on the Internet are profound. In case you’re interested in the details, here is a history of the proposals in Germany, from the drafts of the telecommunicationsurveillance act. German outside counsel summarized these for me.

* 8. Nov. 2006 - First draft submitted to the GovernmentThe German Ministry of Justice put together the first draft of law designed to reform telecommunications monitoring and to implement the directiveadopted by the European Union on the retention of traffic and location data.This draft contained the proposal that email service providers should be obliged to COLLECT and to STORE account data, name, address, date of birth,start date of the contractual relationship (proposed changes to §111 TKG).

* 18 April 2007 - First Draft of the German Government - "Regierungsentwurf" The draft of the German Government did not include an obligation for emailservice providers to COLLECT personal information. It contained, however,the obligation to STORE a personal identifier as well as name and address of the account holder IF the provider collects such data (proposed changes to§111 TKG).
Text: http://www.bmj.bund.de/files/-/2047/RegE%20TK%DC.pdf

* 29. May 2007 - Recommendation ("Empfehlung") of different working groupsto the German Federal Assembly (Bundesrat)The text did not proposed additional requirements for email serviceproviders to collect or to store personal data. However, it recommended that telecommunication service providers should be obliged to verify via theofficial ID card if the telecommunication user is the person who signed upfor the service (proposed changes to § 95 sec. 4 sent. 1 TKG). German legal experts expressed the opinion that this might also be applicable for email services.

* 8. June 2007 - Statement of the German Federal Assembly (Bundesrat) -"Stellungnahme des Bundesrates" The Bundesrat did not follow the recommended wording and did not suggest anychanges to the First Draft of the German Government as of 18 April 2007 with regard to email services.

So, in conclusion, anonymous use of Internet services is very much up in the air, in Germany, as regards certain services, such as VoIP services like Google Talk, even if the proposal to limit anonymity for email users appears to be off the table. Fundamental rights are in play. The age-old trade-offs between government security and privacy is being re-debated. I know people who spent their entire childhood hiding from the German government.

The Working Party

2007-06-23T13:33:00.000+01:00

The Working Party is a group of representatives from every European country’s data protection authority plus the European Commission, dedicated to working on the harmonized application of data protection across Europe. I think I have the (perhaps dubious) distinction of being the private sector privacy professional who has worked the most with this group in the last decade. Most of my peers flee the Working Party like the plague, but I agree with Mae West, who said, “Too much of a good thing is wonderful.”

In my many years of privacy practice, I’ve always thought the best strategy is to work constructively with the Working Party. They are thoughtful privacy regulators, trying to improve privacy practices and to enforce often-unclear data protection laws. The companies I worked for are committed to improving their privacy practices and to complying with European laws. And the Working Party itself is committed to becoming more effective at working with the private sector, and in particular with the technology sector. So, based on my many years of experience, how could this all work better? And by the way, if you think I’ll be biased and self-serving in making these observations, feel free to stop reading here.

Here’s my golden rule: when regulators want to change practices across an entire industry, then they shouldn’t just work with one company. To make the point, here’s a little timeline summary of the recent Working Party exchanges with Google.

November 2006: the international data protection authorities issued a resolution calling on all search companies to limit the time periods during which they retain personally-identifiable data. No leading search company publicly disclosed a finite retention period at this time.

http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_google_annex_16_05_07_en.pdf

March 2007: Google chose to lead the industry by announcing it would anonymize its search server logs after 18-24 months.

http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html

This generated considerable positive press, in my opinion quite justified, as the first such move by a leading search company.

May 2007: the Working Party sent Google a letter asking it to explain its retention decisions, and to justify whether this period was “too long” under European data protection principles. This set off a worldwide press storm, as hundreds of newspapers ran headlines like: “Google violates EU data protection laws.” And many of the EU privacy regulators added fuel to the media flames, as they issued comments expressing their concerns about “Google”, or even declaring Google’s practices to be “illegal”, without even waiting for Google to respond to their letter.

June 2007: Various privacy advocates jumped on the publicity bandwagon. One even went so far as to declare Google to be the “worst” in terms of privacy, due to the vagueness of its data collection and data retention practices. But since Google was the only one of the entire list of companies to have publicly stated a finite retention period, I would have thought Google should have been declared the “best.” Of course, that report was thoroughly de-bunked by more thoughtful industry observers, such as Danny Sullivan: “Google Bad on Privacy? Maybe it’s Privacy International’s Report that Sucks.” http://searchengineland.com/070610-100246.php

Nonetheless, the press damage was done. Even my dad called me after reading his small-town Florida newspaper to ask me why I was so bad at my job. Argh.

Then, I published a long open letter explaining the factors Google took into account while announcing a new retention period of 18 months: privacy, security, innovation, retention obligations. http://googleblog.blogspot.com/2007/06/how-long-should-google-remember.html
I wanted us to be transparent about our analysis and the factors that guided it. Of course, I couldn’t really describe all the security reasons for log retention: you can’t describe all your security practices publicly without undermining your security. And you can’t describe all your uses of data for search algorithm improvements without revealing trade secrets to your competitors. But nonetheless, I think we have been remarkably transparent throughout this process. Meanwhile, our competitors have been completely, studiously silent.

Finally, the Working Party realized how unfair all this had become for Google, and told the press that its sub-group, called the Internet Task Force, would consider these issues further in July, and include other search companies in the review.

I’m quite eager to hear from other search companies. I undertook a thorough and thoughtful analysis of Google’s need for logs for these various (sometimes conflicting) purposes. I am intellectually curious to understand whether our peer companies balance these factors in the same way as we did, or differently. Will they announce retention periods too? And will they announce periods that are longer or shorter than ours?

Privacy on the Internet concerns everyone, and all companies. The Working Party has got to learn how to engage with the industry. I continue to remain committed to working with the Working Party, but I fear that other companies in the industry will draw the opposite lesson: keep a low profile and try as hard as possible not to make it onto their radar screen. That would be bad for privacy. Well, the Working Party is a work in progress. And I hope someone tells my dad I’m not doing such a bad job… Or maybe my studiously-silent peers were right, and I was wrong…?

Server Logs and Security

2007-06-14T09:25:00.000+01:00

I recently posted a blog to explain why Google retains search server logs for 18 months before anonymizing them.
http://googleblog.blogspot.com/2007/06/how-long-should-google-remember.html
Security is one of the important factors that went into that decision. Google uses logs to help defend its systems from malicious access and exploitation attempts. You cannot have privacy without adequate security. I've heard from many people, all agreeing that server logs are useful tools for security, but some asking why 18 months of logs are necessary. One of my colleagues at Google, Daniel Dulitz, explained it this way:

"1. Some variations are due to cyclical patterns. Some patterns operate on hourly cycles, some daily, some monthly, and others...yearly. In order to detect a pattern, you need more data than the length of the pattern.

2. It is always difficult to detect illicit behavior when bad actors go to great lengths to avoid detection. One method of detecting _new_ illicit behaviors is to compare old data with new data. If at time t all their known characteristics are similar, then you know that there are no _new_ illicit behaviors visible in the characteristics known at time t. So you need "old" data that is old enough to not include the new illicit behaviors. The older the better, because in the distant past illicit behaviors weren't at all sophisticated.

3. Another way of detecting illicit behaviors is to look at old data along new axes of comparison, new characteristics, that you didn't know before. But the "old" data needs to run for a long interval because of (1). So its oldest sample needs to be Quite Old. The older the data, the more previously undetected illicit behaviors you can detect.

4. Some facts can be learned from new data, because they weren't true before. Other facts have been true all along, but you didn't know they were facts because you couldn't distinguish them from noise. Noise comes in various forms. Random noise can be averaged out if you have more data in the same time interval. That's nice, because our traffic grows over time; we don't need old data for that. But some noise is periodic. If there is an annual pattern, but there's a lot of noise that also has an annual period, then the only way you'll see the pattern over the noise is if you have a lot of instances of the period: i.e. a lot of years.

This probably isn't very surprising. If you're trying to learn about whether it's a good idea to buy or rent your house, you don't look only at the last 24 months of data. If you're trying to figure out what to pay for a house you're buying, you don't just look at the price it sold for in the last 24 months. If you have a dataset of house prices associated with cities over time, and someone comes along and scrubs the cities out of the data, it hasn't lost all its value, but it's less useful than it was."

Did you mean Paris France or Paris Hilton?

2007-06-04T19:46:00.000+01:00

Here's an OpEd I contributed to the Financial Times.
http://www.ft.com/cms/s/560c6a06-0a63-11dc-93ae-000b5df10621.html

Published: May 25 2007

There was a survey conducted in America in the 1980s that asked people a deceptively simple question: "Who was shot in Dallas?" For many who had lived through the national trauma of 1963, the deliberations of the Warren Commission, the theories about the grassy knoll and the magic bullet, there was only one answer: JFK. For others, who followed every twist of the Ewing family, the oil barons' ball and Cliff Barnes's drink problem, there was also only one answer: JR.

The point of the survey was to show how the same words can have very different meanings to different people depending on their background and their interests. It is the same idea that is driving Google's personal search service.

Our search algorithm is pretty sophisticated and most people end up with what they want. But there is inevitably an element of guesswork involved. When someone searches for "Paris" are they looking for a guide to the French capital or for celebrity gossip? When someone types in "golf" are they looking to play a round on the nearest course or to buy a Volkswagen car? An algorithm cannot provide all the answers.

But if an algorithm is built to take into account an individual's preferences it has much more chance of guessing what that person is looking for. Personalised search uses previous queries to give more weight to what each user finds relevant to them in its rankings. If you have searched for information about handicaps or clubs before, a search for "golf" is more likely to return results about the game than the car. If you have been checking out the Louvre, you are less likely to have to wade through all the details of a particular heiress's personal life.

This makes search more relevant, more useful and much quicker. But it is not for everybody. As the Financial Times has pointed out this week, personalised search does raise privacy issues. In order for it to work, search engines must have access to your web search history. And there are some people who may not want to share that information because they believe it is too personal. For them, the improved results that personalised search brings are not matched by the "cost" of revealing their web history.

The question is how do we deal with this challenge? Stop all progress on personalised search or give people a choice? We believe that the responsible way to handle this privacy issue is to ask users if they want to opt in to the service. That is why Google requires people to open an account and turn on their personalised search functionality. They do not have to give a real name to open a Google account, but even if they cannot be identified, we think they should have to give explicit consent before their web history is used. Unless they do, they will simply have the standard Google search service.

Our policy puts the user in charge. It is not something Google seeks to control. At any time they can turn off personal search, pause it, remove specific web history items or remove the whole lot. If they want, they can take the whole lot to another search engine. In other words personalised search is only available with the consent ofthe user.

If you think of search as a 300chapter book, we are probably still only on chapter three. There are enormous advances to be made. In the future users will have a much greater choice of service with better, more targeted results. For example, a search engine should be able to recommend books or news articles that are particularly relevant - or jobs that an individual user would be especially well suited to.

Developing more personalised search results is crucial given how much new data is coming online every day.The University of California Berkeley estimates that humankind createdfive exabytes of information in 2002 - double the amount generated in 1999. An exabyte is a one followed by 18 noughts. In a world of unlimited information and limited time, more targeted and personal results can really add to people's quality of life.

If you type "Who was shot in Dallas?" into Google today, the results are as divided as the survey's respondents a quarter of a century ago. But with personalised search you are more likely to get the "right" result for you. Giving users the chance to choose a search that is better for them as individualsis something we are proud of andwill continue to build on. After all, the web is all about giving people - you and me - more choice and more information.