Meg Leta Jones’s Viewpoint "Forgetting Made (Too) Easy" (June 2015) raised an important concern about whether the Court of Justice of the European Union’s Google Spain judgment created an extra burden for data controllers like Google and other search engines, though not clear is whether it is being borne out or outweighs the privacy gains for hundreds of millions of users. She wrote Google "…is without any guidance as to which interests should trump others, when, and why." This is not quite true. A number of guiding principles have been published, including from the Article 29 Working Party (the independent advisory body of representatives of the European Data Protection Authorities that would arbitrate disputes under data-protection law) and from Google’s own Advisory Council. The European Union’s Data Protection Directive also includes a number of defenses against and exemptions from data-protection complaints. There is no reason to believe a clear set of principles will not emerge, especially as Google remains in close touch with Data Protection Authorities, even if more complex cases demand close and exhaustive inspection.
Google is meanwhile developing its own jurisprudence; for example, along with 79 other Internet scholars, I helped write an open letter to Google in May 2015 (http://www.theguardian.com/technology/2015/may/14/dear-google-open-letter-from-80-academics-on-right-to-be-forgotten) asking for more transparency, precisely to increase the public’s understanding of how the process is administered, so researchers and other data controllers can learn from Google’s experience.
Moreover, there is no evidence of a flood of frivolous "de-indexing" requests. Individuals do not "enforce" their right directly with the data controller; rather, they submit requests that can be turned down, and are. Google has fairly consistently rejected about 60% of such requests, with few taken further; for example, in the U.K., out of some 21,000 rejected requests for de-indexing as of June 2015, only about 250 have been taken to the next step and referred to the U.K. Information Commissioner’s Office.
Also note the right to be de-indexed is not new but a right E.U. citizens have had since the Data Protection Directive was adopted by the European Union in 1995. Surely the pursuit of this right should not have to wait for jurisprudence to develop, especially as the jurisprudence will emerge only if people pursue the right.
Kieron O’Hara, Southampton, U.K.
Author’s Response:
The guidelines Article 29 Working Party produced six months after the Court of Justice of the European Union decision (while welcome) are still incredibly vague, point out how varied are the numerous criteria EU member states must follow, and raise additional sources of conflict that deserve more debate and public participation. As for terms like "Google jurisprudence," Google should have no jurisprudence. New rights in light of new technology must be shaped carefully in an international context, evolving through an open, democratic process instead of the dark corners of a detached intermediary.
Meg Leta Jones, Washington, D.C.
Who’s Digital Life Is It Anyway?
Serge Abiteboul et al.’s Viewpoint "Managing Your Digital Life" (May 2015) proposed an architecture for preserving privacy while consolidating the data social media users and online shoppers scatter across multiple sites. However appealing one finds this vision, which is similar to one I aired in an O’Reilly Radar article Dec. 20, 2010 (http://oreil.ly/eX2ztY), a deeper look at the ideal of personal data ownership turns up complications that must be addressed before software engineers and users alike can hope to enjoy implementation of such a personal information management system. These complications involve fairly well-known questions about who owns the data, particularly when it is shared in the interactions that characterize the modern Internet. Sales data and comments posted to friends’ social media sites constitute examples of such data where ownership is unclear, and even a photograph one takes can be considered personal data of the people in the photo. Moreover, while Abiteboul et al. mentioned the benefits of combining and running analyses on data in one’s personal repository, they did not address the more common task of how to combine and analyze data from millions of users of a service. Segregated data in repositories maintained by its individual owners would protect those owners from the privacy violations of bulk analyses but also introduce serious hurdles for researchers looking to perform them.
Andy Oram, Arlington, MA
Help Kill a Dangerous Global Technology Ban
Earlier this year, the Electronic Frontier Foundation launched "Apollo 1201," a project to reform Section 1201 of the 1998 Digital Millennium Copyright Act, which threatens researchers and developers with titanic fines (even prison sentences) for "circumventing" access restrictions (even when the access itself is completely lawful) that stifle research, innovation, and repair. Worse, digital rights management, or DRM, vendors claim publishing bug reports for their products breaks the law.
EFF has vowed to fix this.
Law must not stand in the way of adding legitimate functionality to computers. No technologist should face legal jeopardy for warning users about vulnerabilities, especially with technology omnipresent and so intimately bound up in our lives. People who understand should demand an Internet of trustworthy things, not an Internet of vuln-riddled things pre-pwned for criminals and spies.
Though the DMCA has been on the books since 1998, 1201 has hardly been litigated, giving courts few opportunities to establish precedents and provide clarity to computer scientists, engineers, and security researchers.
1201 advocates—mainly giant entertainment companies—pursue claims only against weak defendants. When strong defendants push back, the other side runs, as when a team led by Ed Felten (then of Princeton, now Deputy U.S. Chief Technology Officer) wrote a paper on a music-industry DRM called the Secure Digital Music Initiative (SDMI). The RIAA threatened Felten and USENIX, at whose August 2001 Security Symposium the paper was to be presented.
The Electronic Frontier Foundation took Felten’s case, and the RIAA dropped the threat and disavowed any intention to pursue Felten over SDMI. It knew the courts would reject the idea that record executives get a veto over which technical articles journals are able to publish and conferences can feature.
It is time to bring 1201’s flaws to court. EFF is good at it. One of its seminal cases, Bernstein v. United States, struck down the NSA’s ban on civilian access to crypto, arguing the code is a form of expressive speech entitled to First Amendment protection. EFF looks forward to proving that banning code still violates the First Amendment.
That is where ACM members come in. EFF is seeking academic researchers and professors whose work is likely to attract threats due to 1201. If someone in your lab or department is working on such a project (or gave it up over fear of litigation) EFF is interested in hearing about it.
The legitimacy and perceived efficacy of 1201 is an attractive nuisance, inviting others to call for 1201-like protections for their pet projects.
FBI Director James Comey has called for backdoors on devices with encrypted file systems and communications. As ACM members doubtless understand, there is no way to sustain a backdoor without some legal prohibition on helping people install backdoor-resistant code.
EFF is not just litigating against 1201; working with a global network of organizations, EFF is able to lobby the world’s governments to rescind their own versions of 1201, laws passed at the insistence of, say, the U.S. Trade Representative.
Time is running out. Please get in touch and help us help you kill 1201.
Cory Doctorow, London, U.K.
What Grounds for Jahromi Release?
Jack Minker’s letter to the editor "Bahrain Revokes Masaud Jahromi’s Citizenship" (Apr. 2015) cited "attending a rally on behalf of freedom" as an illegitimate reason for the imprisonment of someone he supports. All are in favor of "freedom," of course, and would happily attend rallies seeking such a universal goal. But not all those seeking freedom are laudable. Most prisoners and lawbreakers would like to have freedom. Many terrorists call themselves "freedom fighters." It is not enough to proclaim innocence by saying a person is seeking freedom. It is necessary to be more specific and comprehensive. Perhaps the person on whose behalf Minker advocates does indeed deserve to be free. But Minker’s description of the problem was insufficient to convince one that is the case.
Robert L. Glass, Brisbane, Australia
Author’s Response
Glass assumes peaceful protesters (and Jahromi perhaps imprisoned following a trial with due process), as might be expected in Australia. This is not the situation in Bahrain. For a description of the repressive and atrocious human rights situation in Bahrain, see U.S. Department of State Universal Periodic Reviews 2011–2015 (http://www.state.gove/j/drl/upr/2015) and the report of the Bahrain Independent Commission of Inquiry (http://www.bici.org.bh).
Jack Minker, College Park, MD
Validity Seal of Approval for Every Program
Lawrence C. Paulson’s letter to the editor "Abolish Software Warranty Disclaimers" (May 2015) on Carl Landwehr’s Viewpoint "We Need a Building Code for Building Code" (Feb. 2015) addressed only a minor factor in user-experienced angst. Any individual program includes few bugs on its own. But when a user invokes a suite of programs, it is the logic, arithmetic, and semantic incompatibilities among the programs that result in system-level errors and aborts. The purveyor of any of these programs cannot guarantee the progress and safety properties of the subsequent user-formed system will be valid. Software developers and users alike need the equivalent of the Good Housekeeping Seal of Approval for each vendor program, as well as a way for users to assess the risks they create for themselves when choosing to make programs interoperate. Moreover, users must be able to do this each and every time thereafter when anyone performs "maintenance" on a program or dataset in the user-specific ensemble.
Jack Ring, Gilbert, AZ
Join the Discussion (0)
Become a Member or Sign In to Post a Comment