Information Law Possum (discontinued)

Please read the following message: 

“Karen McCullagh, PhD student at the Cathie March Center for Census and Survey Research, University of Manchester, is doing a survey on privacy attitudes and behavior of bloggers. Besides, some of the questions also deal with copyright issues.

This empirical work is very important because it will enable me to critically assess whether I’m on the right track with privacy legislation, especially in Europe!

So please take the survey if you have your own blog.

Thanks,

The Law.”

An anonymous source provided me today with the latest Wall Street gossip: A Russian Yale college student entrusted his resumé plus motivational video to a well-know Swiss bank.  The resume sounds impressive, and so looks the video, especially the scene where the job applicant smashes a pile of bricks with his hand.  What’s even more impressive is the idea that thousands of investment bankers in New York, London, Frankfurt, Zurich or elsewhere are taking the time to share this information despite their 18 hour days, which arguably adds anecdotal evidence to the informational signaling theory. Anyway, the job applicant deservedly got his fifteen minutes of fame, which will save him a lot of introductory talk once he starts working in the business.

From this perspective, he seems a bit ungrateful, as he announced a host of lawsuits for public disclosure of private facts, which might not be a better idea than adding the ballroom dance scenes to his video.

In the meantime, some compliance officers might wonder whether they should recommend that the whole investment branch of their bank be fired or just the guy who forwarded the information first.  Seriously, this incident shows us that email usage policies are extremely difficult to enforce:  Firing a scapegoat HR staff assistant won’t likely scare the wits out of those who forwarded the information in the 1+nth instance, and I don’t think it should because gossip of that kind, as annoying as it may be for the subject, is part of everyday social life and much more harmless than many (or most) other forms of social interaction, such as mobbing, intrigues, and what we name in German “the use of elbows” to bring forward one’s carreer.

So, to terminate “Ivygate”, I suggest that the bank which leaked the information give the student the job he wants and let him use his elbows (only figuratively, please, we don’t want a bloodbath!) against all the guys who already made his acquaintance online.

By the way, if Switzerland had jurisdiction over the case, the person who initially forwarded the resumé to his or her friends would face imprisonment of up to 90 days and a fine of up to USD 30.000.  I don’t think it’s necessary to comment on the appropriateness of this legal solution to the problem.

My wonderful colleague Silke just gave me a pointer that a biometrical search engine, www.riya.com, already exists. Thus, you can replace the potential mood used in my previous post by the present mood and start re-thinking your image publication strategy …

Here’s a statement from Riya’s developers:

“Riya is a new kind of visual search engine. We look inside the image, not only at the text around it.

Use Riya to:

• Find similar faces and objects on many images across the web.

• Refine the results, using color, shape and texture.

Riya also has a personal search service that does face and text recognition in your photos. You can use our face and text recognition technology to:

• Train the system to recognize the main characters in the story of your life.

• Share photos with friends and family.

We believe the time has come to truly make photos searchable, to let people say I want “more like this” and get what they want, and to eventually allow every public photo in the world to be found.”

Riya’s beta version doesn’t work particularly well yet, but I wouldn’t be surprised if Google & friends had already offered to buy the company.

P.S. Guess where Riya’s CEO and co-founder, Munjal Shah has obtained his Master’s degree in computer science?

After Alberto Gonzales vs. Google (order, summary), AOL’s publication of user search queries is the second big case which raises issues on the proper handling of user search queries collected by search engiens, and it seems to boost the bill for an Eliminate Warehousing of Consumer Internet Data Act (EWOCID).

The case beautifully demonstrates a couple of basic characteristics of information and their legal relevancy. In the following, I will in a sketchy way try to describe and outline some of them, even if they seem trivial. In doing so, I largely draw upon Jean Nicolas Druey’s seminal work on information law (available only in print and in German).

1. Information (as content) is entirely context-specific

• First, only its context gives information meaning. E.g., the words “cocaine”, “marijuana”, “crack”, “lsd” create the context (more precisely: a super-category) “drugs” by the mere fact that they are in a sequence. And if we know that they are search queries by AOL user # 1234, this tells us something about that person.
• Second, where information is stripped of its context, we strongly tend to make up a context, and we can never be sure whether our image is accurate. Some of you readers may have imagined that our user # 1234 may have a drug problem; others may have thought that the person could be a teacher preparing a class on the subject.
• Third, the context of information is distributed: I like the metaphor of information as an infinite jigsaw where people may have any number of pieces in their hands, bot don’t know what pieces the other persons have. To most of us, even dozens of search queries for user # 1234 are not sufficient to find out who he or she is, even if they contain local information. (That is, we might find out the sex of the user.) But there will be a couple of people who have enough pieces in their hands, including user # 1234’s name, to find out. Unfortunately, the impact of these people seeing user # 1234’s search queries has the potential of being much more unpleasant for that user than would be the case if I found out his real name, because the people who will find out will be his friends or family members.

These characteristics have, among others, the following normative consequences:

• The de-contextualization of information doesn’t necessarily make the information harmless. In the AOL case, even pseudonymity doesn’t prevent attribution of the search queries to a particular individual in every case. European data protection law tries to deal with the issue by defining as “personal data” (i.e., information subject to data protection laws) only data which can be attributed to an individual with reasonable effort. This leaves everything to the context, which seems hardly convincing as a general legal rule.
• False attribution of information to an individual can have the same negative consequences as proper attribution. This puts into question the notion of “personal data” as used in Europe. If, e.g., the mother of 15 year old user # 5678 attributes user # 1234’s search queries on drugs to her son, the latter won’t be able to prove to her that he is not in danger of trying drugs.
• The competence for the decision whether information is relevant – especially: whether the concerned person has an interest in keeping the secret – ought to be distributed: either to the said individual or to a neutral party. Certainly, it is not up to the person who publishes a search query to decide on this, as has happened in the blogosphere (the Crimson Ninja Girl gives an example here).

2. The relevance of information (as content) runs in parallel

Usually, the more relevant – or “interesting” – information is for a receiver, the greater is the interest for the person who wants to keep it secret. User # 1234 certainly wouldn’t mind if his wife knows that he searched for “google.com”, nor would she (ore any of his friends, or a blogger) find this noteworthy. In contrast, if he had typed in “divorce lawyer”, his wife would rightly be alarmed, his friends would react to him, and probably a blogger would mention this, musing about the consequences of AOL’s disclosure for user # 1234’s poor wife …

For this reason, balancing the interests of keeping information secret or disclosing it simply doesn’t work: such an endeavor, if properly conducted, would end in a race to the ceiling of the hall, as between the Great Dictator Hynkel and his colleague Napoloni in the barber’s chairs.

3. Information (as an act or status) is not undoable.

While in the analog world, oblivion mitigates this characteristic, information is particularly “promiscuous” on the internet, likely because the cost for finding and sharing information are so low in cyberspace. Jean Nicolas Druey calls the dissemination of illegally (or unethically) obtained information “information laundering”, analogous to money laundering. This is what happened in the AOL case, where the data have been quickly mirrored multiple times, and many bloggers have extensively cited from the file.

The Crimson Ninja Girl passionately argues that information laundering is ethically objectionable, and I cannot but agree with her. Yet, prohibiting this is not the best idea: First, legal action against the publication of information online, e.g. by seeking an injunction against a content provider, has proven to be counterproductive, as the story of the late German hacker Tron teaches us. Second, I feel in a very general – and probably irrational – way uncomfortable with the law meddling with communication by and amongst individuals.

The issues outlined above seem to be rather “don’ts” than “dos” for lawmakers and courts, and many of the problems seem to be largely unsolved in contemporary information law. Any suggestion is thus more than welcome.