Urs: “The internet has a memory like an elephant.”

Yep.

So here’s an attempt for a synthesis:

• If a company has a sound information security policy, and has taken the necessary steps to enforce it, self-erasing paper creates an additional security risk, which can be tackled without difficulty, given the company’s information security culture.

• If information security isn’t a big issue for the management of a company (i.e. if a company has a bad management), self-erasing paper might well lower the company’s risk exposure.

To conclude, this isn’t just a question of whether the glass is half-full or half-empty, but self-erasing paper adds to the complexity of corporate information management, but — luckily — not in a way that is necessarily detrimental for those who are unable to manage that complexity.

 ”Dear Mr. Haeusermann,
We have taken over the ____ portal beginning of November, which included an address database. We wrote to the people in the database once, and at the same time deleted the addresses.
[apologies]“

So far so good.

The conference on data protection was a big success, as the organizers were able to gather the crème of Swiss data protection lawyers. One of the lessons learned from the keynotes of Prof. Herbert Burkert (President of the FIR-HSG), Prof. Rainer J. Schweizer (President of the Federal Data Protection and Transparency Commission and member of the board of the FIR-HSG), Sig. Tiziana Mona (Member of the Federal Data Protection and Transparency Commission), and Hanspeter Thür (the Federal Data Protection and Information Commissioner) is that individual enforcement of data protection law (e.g. what I did vis-à-vis the spammer) is important, but other regulatory instruments can be more effective.

• As a first example, the Data Protection Commissioner may publish recommendations which are directed at the private sector and have covered fields such as the collection of data by property management companies, spamming, or the use of biometrical access controls by recreational facilities. Mr. Thür explained that these recommendations, though not binding, regularly provoke intense reactions (both positive and negative) from the public. He also has the impression that the recommendations have a much broader impact than court decisions (which are quite rare, btw).
• Second, in the fields of national security and the war on organized crime, the access right of individuals cannot but hamper these (largely) legitimate ends. In a recent judgment, which is currently on appeal with the Federal Supreme Court, the Data Protection and Transparency Commission decided on the basis of the European Convention on Human Rights that the access right has to prevail. That case is extremely interesting, and I’ll get back to it next year after the verdict of the Supreme Court. In essence, the Commission found the statutory mechanisms, by which individuals can have the lawfulness of data processing checked, ineffective and thus unconstitutional. Where the necessity of enforcement of data protection law by individuals results in crippled information rights, it seems to be a better idea to create institutional safeguards, for instance regular data protection audits with law enforcement and national security agencies by an independent, but trustworthy institution (e.g. the Data Protection Commissioner).

My first example is spamming, one of the digital scourges of mankind, and a phenomenon which has become recently under suspicion of deepening the digital divide between digital natives and older people (twenty-something +).

Lately, I received one of the few “domestic” spam emails, that is, one from a Swiss million pixel website. As spamming is not clearly illegal in Switzerland yet–an anti-spam amendment to the Unfair Competition Act is under way–, I decided to test that company’s data protection compliance:

Under Swiss (and European) law, every person whose data (i.e. information on an identifiable person) are processed, has an unconditional right of access ot these data, including the right to know the purpose of processing, the categories of data processed, the persons involved in the processing of data, the source of their data, etc. (Art. 8 of the Swiss Data Protection Act [in English]–its EU equivalent, though with a different scope, is Art. 12 of the Data Protection Directive 95/46/EC.)

The data controller has thirty days to respond to a request; the information must be given free of charge (with very narrow exceptions); and a violation of the right of access by the controller is punishable by a fine and/or up to 90 days of imprisonment.

This morning, I sent the spammer a request pursuant to Art. 8 Data Protection Act, mainly because I wonder how he got my email address, but also because requests like mine are apt to make spamming horribly expensive: It is hardly conceivable that these requests can be processed automatically. So, if only a small percentage of spammees “ask back”, they can make spamming prohibitively expensive, and probably even drive a SME out of business.

To conclude: the regulatory burden Art. 8 Data Protection Act creates can be a very effective weapon, which can be used against legitimate and illegitimate businesses.

“Karen McCullagh, PhD student at the Cathie March Center for Census and Survey Research, University of Manchester, is doing a survey on privacy attitudes and behavior of bloggers. Besides, some of the questions also deal with copyright issues.

This empirical work is very important because it will enable me to critically assess whether I’m on the right track with privacy legislation, especially in Europe!

So please take the survey if you have your own blog.

Thanks,

The Law.”

From this perspective, he seems a bit ungrateful, as he announced a host of lawsuits for public disclosure of private facts, which might not be a better idea than adding the ballroom dance scenes to his video.

In the meantime, some compliance officers might wonder whether they should recommend that the whole investment branch of their bank be fired or just the guy who forwarded the information first.  Seriously, this incident shows us that email usage policies are extremely difficult to enforce:  Firing a scapegoat HR staff assistant won’t likely scare the wits out of those who forwarded the information in the 1+nth instance, and I don’t think it should because gossip of that kind, as annoying as it may be for the subject, is part of everyday social life and much more harmless than many (or most) other forms of social interaction, such as mobbing, intrigues, and what we name in German “the use of elbows” to bring forward one’s carreer.

So, to terminate “Ivygate”, I suggest that the bank which leaked the information give the student the job he wants and let him use his elbows (only figuratively, please, we don’t want a bloodbath!) against all the guys who already made his acquaintance online.

By the way, if Switzerland had jurisdiction over the case, the person who initially forwarded the resumé to his or her friends would face imprisonment of up to 90 days and a fine of up to USD 30.000.  I don’t think it’s necessary to comment on the appropriateness of this legal solution to the problem.

Here’s a statement from Riya’s developers:

“Riya is a new kind of visual search engine. We look inside the image, not only at the text around it.

Use Riya to:

• Find similar faces and objects on many images across the web.

• Refine the results, using color, shape and texture.

Riya also has a personal search service that does face and text recognition in your photos. You can use our face and text recognition technology to:

• Train the system to recognize the main characters in the story of your life.

• Share photos with friends and family.

We believe the time has come to truly make photos searchable, to let people say I want “more like this” and get what they want, and to eventually allow every public photo in the world to be found.”

Riya’s beta version doesn’t work particularly well yet, but I wouldn’t be surprised if Google & friends had already offered to buy the company.

P.S. Guess where Riya’s CEO and co-founder, Munjal Shah has obtained his Master’s degree in computer science?

The case beautifully demonstrates a couple of basic characteristics of information and their legal relevancy. In the following, I will in a sketchy way try to describe and outline some of them, even if they seem trivial. In doing so, I largely draw upon Jean Nicolas Druey’s seminal work on information law (available only in print and in German).

1. Information (as content) is entirely context-specific

• First, only its context gives information meaning. E.g., the words “cocaine”, “marijuana”, “crack”, “lsd” create the context (more precisely: a super-category) “drugs” by the mere fact that they are in a sequence. And if we know that they are search queries by AOL user # 1234, this tells us something about that person.
• Second, where information is stripped of its context, we strongly tend to make up a context, and we can never be sure whether our image is accurate. Some of you readers may have imagined that our user # 1234 may have a drug problem; others may have thought that the person could be a teacher preparing a class on the subject.
• Third, the context of information is distributed: I like the metaphor of information as an infinite jigsaw where people may have any number of pieces in their hands, bot don’t know what pieces the other persons have. To most of us, even dozens of search queries for user # 1234 are not sufficient to find out who he or she is, even if they contain local information. (That is, we might find out the sex of the user.) But there will be a couple of people who have enough pieces in their hands, including user # 1234’s name, to find out. Unfortunately, the impact of these people seeing user # 1234’s search queries has the potential of being much more unpleasant for that user than would be the case if I found out his real name, because the people who will find out will be his friends or family members.

These characteristics have, among others, the following normative consequences:

• The de-contextualization of information doesn’t necessarily make the information harmless. In the AOL case, even pseudonymity doesn’t prevent attribution of the search queries to a particular individual in every case. European data protection law tries to deal with the issue by defining as “personal data” (i.e., information subject to data protection laws) only data which can be attributed to an individual with reasonable effort. This leaves everything to the context, which seems hardly convincing as a general legal rule.
• False attribution of information to an individual can have the same negative consequences as proper attribution. This puts into question the notion of “personal data” as used in Europe. If, e.g., the mother of 15 year old user # 5678 attributes user # 1234’s search queries on drugs to her son, the latter won’t be able to prove to her that he is not in danger of trying drugs.
• The competence for the decision whether information is relevant – especially: whether the concerned person has an interest in keeping the secret – ought to be distributed: either to the said individual or to a neutral party. Certainly, it is not up to the person who publishes a search query to decide on this, as has happened in the blogosphere (the Crimson Ninja Girl gives an example here).

2. The relevance of information (as content) runs in parallel

Usually, the more relevant – or “interesting” – information is for a receiver, the greater is the interest for the person who wants to keep it secret. User # 1234 certainly wouldn’t mind if his wife knows that he searched for “google.com”, nor would she (ore any of his friends, or a blogger) find this noteworthy. In contrast, if he had typed in “divorce lawyer”, his wife would rightly be alarmed, his friends would react to him, and probably a blogger would mention this, musing about the consequences of AOL’s disclosure for user # 1234’s poor wife …

For this reason, balancing the interests of keeping information secret or disclosing it simply doesn’t work: such an endeavor, if properly conducted, would end in a race to the ceiling of the hall, as between the Great Dictator Hynkel and his colleague Napoloni in the barber’s chairs.

3. Information (as an act or status) is not undoable.

While in the analog world, oblivion mitigates this characteristic, information is particularly “promiscuous” on the internet, likely because the cost for finding and sharing information are so low in cyberspace. Jean Nicolas Druey calls the dissemination of illegally (or unethically) obtained information “information laundering”, analogous to money laundering. This is what happened in the AOL case, where the data have been quickly mirrored multiple times, and many bloggers have extensively cited from the file.

The Crimson Ninja Girl passionately argues that information laundering is ethically objectionable, and I cannot but agree with her. Yet, prohibiting this is not the best idea: First, legal action against the publication of information online, e.g. by seeking an injunction against a content provider, has proven to be counterproductive, as the story of the late German hacker Tron teaches us. Second, I feel in a very general – and probably irrational – way uncomfortable with the law meddling with communication by and amongst individuals.

The issues outlined above seem to be rather “don’ts” than “dos” for lawmakers and courts, and many of the problems seem to be largely unsolved in contemporary information law. Any suggestion is thus more than welcome.

I’m not sure how sci-fi this scenario is, but here are two use cases:

• If there’s only one website that (legitimately and with your consent) displays your full name next to your image, anyone could find out your name based on a picture of you. In other words, the picture-name link, which is unidirectional in present image search engines, would become bidirectional.
• Anyone could reconstruct a considerable portion of your social network based on previously anonymous (or pseudonymous) pictures of you that somebody uploaded to FlickR and the like.

The legal consequences of this are pretty obvious (tags: privacy, data protection, digital identity, national security). In my opinion, the most problematic aspect of biometrical search would be its retroactivity, as the huge number of “legacy” pictures on the web would become unique identifiers of us against our reasonable expectation at the time of their upload.

So, if biometrical search is/were more than science fiction, should it be banned? — I don’t think so: The problem is not the technology itself, but a lack of information control by the person the information is about. Therefore, a better remedy would be to offer citizens a tool which enables them to have their biometrical data removed from the (biometrical) search index, similar to Google’s existing tools to remove content from its cache.