- Righting the right to be forgotten
The FT just published a piece I wrote about the implementation of the right to be forgotten in Europe. Here is a draft from which the op-ed was drawn:
Last week Google formally launched a blue-ribbon committee of advisors to help it implement the European Court of Justice’s new “right to be forgotten.” Its work is cut out for it, as the search giant has processed more than 70,000 requests since May to decouple a claimant’s name from possibly true but still “irrelevant” (and presumably reputation-damaging) search results. Turning theory into practice has revealed unanswered questions – and some outright flaws – in the Court’s decision, regardless of where you might stand on the right’s philosophical merits.
The first puzzle is transparency. Other types of compelled redactions, such as for alleged copyright infringement, occasion a notification to searchers that results have been altered. But a specific notice that a search on someone’s name is missing something could lead to a negative inference about the person even worse than the substance of whatever has been removed. So how to report on compelled takedowns in a way that is neither Orwellian nor self-defeating?
One idea is for Google and other affected search engines to contribute to a database of takedowns that independent academics can analyze in order to produce credible insights about how the new right is working in practice. Are public figures looking to scrub their records to avoid scrutiny, or are the requestors more often private citizens? Are the takedowns focusing on content within obscure Web-originating message boards, or on archives of government records or newspaper articles? Without a record of takedowns, there will be no way to understand how the use and impact of the right are unfolding.
The second puzzle is accountability. With Google’s European market share around 90%, name-specific content that’s delisted might as well be gone entirely – indeed, it’s Google’s power that makes the assertion of the right meaningful. But here state power is being exercised without the involvement of the state: a request is made of Google for a redaction, and Google decides how to handle it. If the request is denied, the claimant might escalate the issue to his or her local data protection authority. But if the request is agreed to, there’s no means for review. Under the Court’s decision, the public’s right to know is to be balanced against a claimant’s right to privacy – but there’s no easy way for the public to remonstrate against poor balancing.
That should change, and there is an admirable start: Google has begun alerting affected sites when content has been taken down. Thus, BBC and Guardian reporters could disclose last week, disapprovingly, that some of their articles had been eliminated from some Google searches. The ensuing controversy resulted in Google restoring some of the links. The sites can thus stand in for the public, objecting to overly broad takedowns so long as they know that they’re taking place. That’s why Google’s decision to notify creators of content that’s at issue is vital to achieving the Court’s stated purpose, rather than a subversion of it, as some have alleged. But not every affected site enjoys the platform of a major newspaper or state-funded broadcaster. A more comprehensive solution would be for sites to be able to answer the original takedown request before Google even makes a decision, and to have standing to appeal an adverse determination the way that original claimants can – something that the Court itself would have to bless.
But once we’ve gone so far as to allow a properly adversarial process in deciding upon takedowns, we highlight the incongruity of having Google – or any private party, for that matter – as a decision maker about rights. To place Google in that role is to diminish Europe’s sovereign power, not enhance it, even if the role is compelled by European authorities. It turns a rights problem into a customer service issue, and one that Google and others in its position no doubt rightly disdain. If Google can process 70,000 requests, so can and should the data protection authorities. And not every public decision needs a full, lawyer-heavy trial format to be sufficient to the cause – any more than Google uses one now.
This would place decisions about rights in the public sphere where they belong, and limit the scope to the sovereign’s jurisdiction, so a European decision would still not affect use beyond the relevant country-specific Google portals.
Finally, the Court needs to recognize that the Web is protean. Sites and content change, including such ever-evolving pages as Wikipedia biographies, which means that a decision rendered at a point in time may lose its rationale later on – just as the Court acknowledges that something that was once relevant could become irrelevant over time, and thus subject to a takedown. Its argument cuts both ways. One way to deal with this is for redaction decisions to be limited in time. Successful claimants should register and maintain an email address for a reminder that a redaction is about to expire. Prior to expiration a claimant should have to seek to renew the redaction. That way the memory hole is temporary rather than permanent – and a redaction must be justified to account for changing circumstances.
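One way to sketch such a sunset mechanism, purely as an illustration – the two-year default term, the field names, and the thirty-day renewal window below are my own assumptions, not anything the Court has specified:

```python
# Illustrative sketch of a time-limited redaction registry: each redaction
# carries an expiry date and lapses automatically unless renewed.
# All terms and field names here are assumptions for illustration.

from datetime import date, timedelta

class RedactionRegistry:
    def __init__(self, term_days=730):  # assumed two-year default term
        self.term = timedelta(days=term_days)
        self.records = {}  # claimant email -> (url, expiry date)

    def grant(self, email, url, today):
        self.records[email] = (url, today + self.term)

    def renew(self, email, today):
        url, _ = self.records[email]
        self.records[email] = (url, today + self.term)

    def active(self, email, today):
        """A redaction lapses once its expiry date passes."""
        _, expiry = self.records.get(email, (None, date.min))
        return today < expiry

    def expiring_soon(self, today, window=timedelta(days=30)):
        """Claimants to email a reminder that renewal is due."""
        return [e for e, (_, exp) in self.records.items()
                if today <= exp <= today + window]

reg = RedactionRegistry()
reg.grant("claimant@example.com", "https://example.com/old-news", date(2014, 7, 1))
assert reg.active("claimant@example.com", date(2015, 7, 1))
assert not reg.active("claimant@example.com", date(2016, 7, 2))
```

The point of the sketch is the default: absent an affirmative renewal, the memory hole closes on its own.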
Those who are against the right to forget in the first place should be cheered to see its first uncertain implementation pared back. And those who favor it should want to get it right – especially as, troublingly, there may be more types of requests, from more sources, to come. Such a treacherous path cannot be navigated without the transparency and accountability that we have come to demand of the sovereigns who govern us.
- Time capsule crypto can help us commit our secrets to history
More than a decade ago, researchers at Boston College interviewed people from both sides of the Troubles in Northern Ireland, promising each contributor to the “Belfast Project” that his or her interview recording wouldn’t be released until the contributor died. In the meantime, the tapes would be deposited at the College’s rare books library under lock and key. On the basis of those promises, some people spoke for the first time about painful actions that remain murky in the public eye, including unsolved murders arising from the conflict that they’d helped commit or cover up.
When the British government learned of the Belfast Project about ten years later, it invoked a mutual legal assistance treaty to demand immediate access to some of the tapes. After months of legal wrangling, some of the tapes were turned over, resulting in the arrest last month of Sinn Féin leader Gerry Adams for involvement in one of the killings discussed in the interviews. Adams was released, but Northern Ireland officials are now seeking the entire set of interviews – perhaps to balance inquiry into the Irish Republican Army with investigation of possible crimes by members of the Ulster Volunteer Force as well.
Libraries like Boston College’s are familiar with making promises about the “dark archiving” of materials like these, whether for the papers of a Supreme Court Justice, an interview with a soldier ready to give a sustained look at the conduct of war, or the records of the university’s own faculty and students. But just as it has become easier to quietly maintain such records, the reach of the subpoena has also increased. These records are more accessible and searchable than ever, whether for intelligence or law enforcement purposes, or to benefit a party to a divorce or other private lawsuit.
Those anxious about the increasing use and scope of legal pressure against archives include researchers, librarians, and journalists who point out the value of protecting sources who wish to make a record for posterity, and the difficulties of ever procuring documents and interviews from those sources if the fruits are only one subpoena away from disclosure. On the other side are those who simply want to solve awful crimes and have those behind them made to answer on the law’s timetable rather than their own.
Both sides of the debate around overriding a promise of confidentiality share an assumption: that there are records that can be accessed upon a judge’s order that might solve a crime or meet some other vital purpose – whether or not that access betrays a promise of confidentiality to the people who made those records possible. The Belfast Project is simply a sharp and high profile example of an issue that reaches into the lives of nearly every institution integrated into the digital world – and us, since we are those institutions’ users.
Corporations are increasingly aware of the fact that whatever they store is discoverable through judicial process – or all too leakable by a disgruntled employee. That’s why any business beyond mom and pop tends to have a formal document “retention” policy for its internal secrets – which is in fact a document destruction policy, intended to ensure that the business regularly deletes its mountains of accrued bits. It’s more complicated when those businesses are merely custodians of their customers’ data. Google, Facebook, and Microsoft are routinely caught in the middle when, for example, Brazilian authorities demand information about a subscriber and don’t want to use the cumbersome mutual legal assistance treaty process to get it. The Brazilians threaten penalties for holding back information that American law may insist not be disclosed – or vice versa. And the public has been inundated with descriptions of the U.S. government’s mining of digital databases for foreign intelligence – in large part thanks to a leak of the government’s own materials.
Are we stuck with either having to destroy our secrets or leave them exposed to near-instant disclosure? It might be possible to split the difference: to develop an ecosystem of contingent cryptography for libraries, companies, governments, and citizens. Instead of using new technologies to preserve for ready discovery material that might in the past never have been stored, or deleting everything as soon as possible, we can develop systems that place sensitive information beyond reach until a specified amount of time has passed, or other conditions are met. There has been fitful research on “time capsule cryptography,” by which something can be encoded so that not even its creator can access it until a certain amount of time has passed – time usually measured by the kinds of “proof of work” puzzles, requiring vast computing power, that undergird the operation of bitcoin and other cryptocurrencies. Cryptocurrencies use these puzzles to prevent any one entity from taking over the distributed operation of the currencies, thereby falsifying the records of who’s given what to whom. What works to prevent any one party from subverting a currency could also place some of the data increasingly comprising our lives beyond the reach of a simple subpoena, by forcing the curious to wait a designated period of time before they can see what they want – whether or not they have legal paperwork that purports to entitle them to it sooner.
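For the curious, a toy illustration of the idea, here using the sequential-squaring time-lock puzzle proposed by Rivest, Shamir, and Wagner rather than a bitcoin-style puzzle. The parameters are deliberately tiny, and a real deployment would need vetted cryptography rather than this sketch:

```python
# Hypothetical sketch of a "time capsule": a sequential-squaring time-lock
# puzzle (after Rivest, Shamir, and Wagner, 1996). Opening it requires ~t
# squarings in sequence, which cannot be parallelized away.
# Toy parameters only -- real use would need large random primes.

def create_puzzle(secret: int, t: int, p: int, q: int):
    """Lock `secret` so that opening requires ~t sequential squarings.

    The creator, knowing p and q, takes a shortcut via Euler's totient;
    everyone else must grind through the squarings one by one."""
    n = p * q
    phi = (p - 1) * (q - 1)
    a = 2
    e = pow(2, t, phi)          # creator-only shortcut: reduce exponent mod phi(n)
    key = pow(a, e, n)          # equals a^(2^t) mod n
    locked = secret ^ key       # mask the secret with the puzzle's answer
    return n, a, t, locked

def open_puzzle(n: int, a: int, t: int, locked: int) -> int:
    """Recover the secret by performing t sequential modular squarings."""
    x = a
    for _ in range(t):
        x = (x * x) % n
    return locked ^ x

p, q = 1000003, 1000033         # small primes, for illustration only
n, a, t, locked = create_puzzle(secret=42, t=10_000, p=p, q=q)
assert open_puzzle(n, a, t, locked) == 42
```

With realistic parameters, t is chosen so that the squarings take months or years on the fastest hardware one expects to exist, making the waiting period itself the lock.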
Even without relying on such complicated technologies, sensitive material can be encrypted using a key that is split into fragments, the way that it can take two simultaneous keys to launch a missile. Imagine key fragments distributed around the world to, say, ten parties, requiring the cooperation of at least six of them to reassemble the key needed to get the documents. The parties would be instructed only to announce the keys when the original owner’s specified conditions are met. Early disclosure wouldn’t be impossible, but it would require a sustained effort that would only be worth undertaking if the access were a genuine priority, and one justifiable to the authorities of several countries who could each in turn pressure their respective keyholders. That kind of encryption is easy to do, and it can further be used to provide decent assurances that the material encrypted has not been altered in any way since it was first locked up.
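The split-key arrangement described above is a standard construction – Shamir’s threshold secret sharing – and a toy version fits in a few lines. This is an illustrative sketch with arbitrary parameters, not production cryptography:

```python
# Illustrative sketch of k-of-n threshold secret sharing (Shamir, 1979),
# matching the hypothetical six-of-ten keyholder arrangement above.

import random

PRIME = 2**127 - 1  # a Mersenne prime large enough for a 16-byte key

def split_secret(secret: int, n: int, k: int):
    """Split `secret` into n shares, any k of which can reconstruct it."""
    # Random polynomial of degree k-1 with the secret as constant term.
    coeffs = [secret] + [random.randrange(PRIME) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME)
            for x in range(1, n + 1)]

def recover_secret(shares):
    """Reconstruct the secret via Lagrange interpolation at x = 0."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse of den
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret

shares = split_secret(123456789, n=10, k=6)   # ten keyholders, six required
assert recover_secret(shares[:6]) == 123456789
assert recover_secret(shares[2:8]) == 123456789
```

Any five or fewer shares reveal nothing about the secret, which is what makes the scheme suitable for distributing trust across keyholders in several jurisdictions.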
The original conception of a trust company was as a firm that would solemnly represent the interests of its beneficiaries – which is why a bank worthy enough to entrust one’s savings to might also be worth entrusting decisions about a child’s college fund to in the event that the parents became incapacitated. Banks may not be among the most trusted institutions today, but libraries are – and they can together embrace a new generation of encryption technologies to safeguard materials that otherwise will never be created or saved for fear of early discovery. Imagine if the records of private firms, government agencies, and individuals from earlier eras were coming free now as trustees combined their keys to release them as time passed or other conditions were met. (In the case of Boston College’s promises, it might be that a keyholder would commit to publish its part of a key only upon the announcement of the death of a Belfast Project interviewee.) As a trust-restoring measure, secrets about government intelligence gathering could themselves be subject to time capsule accountability by those governments. Some actions today might reasonably remain secret – but with a guarantee that they will be revealed at a later date certain, even if the government in question feels later regret over entering into the bargain.
The last refuge of privacy cannot be placed solely in law or technology. It must repose in both, and a thoughtful combination of the two can help us thread a path between having all our secrets trivially discoverable and preserving nothing for our later selves for fear of that discovery.
[A version of this piece has been adapted for the Boston Globe.]
- The ten things that define you
I’ve written an op-ed for the New York Times about the European Court of Justice’s ruling finding a “right to be forgotten.” After that and my initial blog post in reaction to the court’s ruling, I wanted to share some further thoughts on this fascinating and potentially far-reaching development.
First, a refresher on the facts:
A man named Mario Costeja González objected that a Google search on his name turned up two foreclosure announcements published in a newspaper from 1998 seeking buyers of his property to satisfy unpaid debts — debts that were apparently genuine, but that were old enough that, in his view, they should remain obscure rather than a quick search away.
The court agreed, in a ruling and press release that noted, with his name, the very facts that Mr. González sought to bury. That oddity points to a subtlety in the court’s holding: for the first time, the legal problem isn’t in the availability of material on the Web, but rather in its searchability.
So the court implies that Google should be ready to remove links specific to searches on an objecting person’s name. How will it know whether to go ahead and remove the information? Well, says the court,
if it is found, following a request by the data subject [...], that the inclusion in the list of results displayed following a search made on the basis of his name of the links to web pages published lawfully by third parties and containing true information relating to him personally is, at this point in time[...] appears, having regard to all the circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine, the information and links concerned in the list of results must be erased.
Adds the court:
[I]t should in particular be examined whether the data subject has a right that the information relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name. In this connection, it must be pointed out that it is not necessary in order to find such a right that the inclusion of the information in question in the list of results causes prejudice to the data subject. [...]
[These] rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question.
This is coherent in theory — the court is trying to balance competing values — but it seems nearly hopeless in practice. It’s tricky enough to ask that search engines eliminate links to allegedly copyright-infringing material — too often the party demanding the deletion isn’t really describing an infringement and isn’t even the party holding the copyright, and search engines are poorly positioned to judge. “Inadequate, irrelevant or no longer relevant” is an unanchored standard, and I imagine that, to be safe, Google will just start eliding nearly anything on request — especially if it will owe damages if a court later finds it blew the balancing. It’s even more complicated when the complexities of implementing ECJ decisions throughout the EU’s respective state court systems are taken into account. That’s what makes me much less sanguine than, say, the author of this CNN opinion piece placing a lot of weight on the court’s balancing test to vindicate genuine free speech interests. If the court is serious about seeing this test applied, perhaps, as Alex Karman suggests, aggrieved people should make a stop at the courthouse first, having a judge review the request and then make an order to Google. That could also help create a formal record of takedowns — after all, as the ECJ decision says, something formerly relevant could become irrelevant, but the opposite is also true: something irrelevant could become relevant, such as when a private figure becomes a public one. How would we restore those relevant, disappeared search results?
Early reports suggest lots of understandable interest by Europeans seeking line item vetoes on search result pages. (Indeed, people in other countries will start wanting it, too.) As my colleague Samuel Klein points out, Google could even be caught in the middle as spurious requests are made for removal — what happens for those who discover that the search results that reflect best upon them have been removed at the request of a mischief-making imposter? If Google limits these redactions to those accessing it from Europe, will Americans need to cadge access from a European IP address to check to see what’s been wrongly redacted in their name?
All of this might be reason to rue the court’s decision and be done with it.
Except: What are the ten things that most define you in the eyes of others? That would be the ten organic links at the other end of a Google search on your name.
Google enjoys 93% market share in Europe. If you want to learn about a stranger, you search on his or her name, and if you’re searching, you’re using Google.
And that is why I found myself ruminating on the idea I unpack in the NYT op-ed. That landing page on a search for someone’s name has outsized importance. Our only solace in the status quo is that what appears there is largely untouched by human hands, for better or for worse — Google spits out whatever, in its inscrutable AI wisdom, is “relevant” to the words your name comprises. But given the special status of that page to the people whose names are represented by the search terms, there might be something worthwhile to appear there that isn’t just ten links out of the Google sorting hat. The second page — you know, the one with links 11-20 that might as well be in Siberia — could contain the unadulterated search. We’re already trained to expect some smarter processing by Google and Bing when we are searching for flights, shoes, the weather, or even how many centimeters are in 42 inches. House ads can appear, and, of course, precious sponsored links.
To include a free “house ad” by the people implicated by a search on their name — like the free credit report they’re entitled to, along with a shot at correcting inaccurate information held by a credit bureau — would do far less violence to search engines’ business models, and more important, their integrity, than the court’s current decision. When a single corporate actor becomes the gatekeeper for our identities, using formulas it can’t fairly be asked to reveal, there’s reason to think something more might be offered. Without taking into account the meaning of that landing page to the identity and reputation of the person searched, the AI will simply get better on its own terms — and perhaps the next refinement of “relevance” will be to assemble political donations, arrests, home address, and kids’ names all on that first landing page. That public data is all typically available with a few searches, a level of practical obscurity we may realize we value only if it, too, vanishes. It’s worth thinking more broadly about this before that happens.
Additional recommended reading: Zeynep Tufekci on the controversy.
- Reconciling lifestreaming and privacy: tech-facilitated negotiations
I’ve long thought that, as tough as the privacy problems of government intrusion and corporate surveillance are, the most novel and complex privacy challenges will be peer-to-peer. With gov’t and corporate privacy issues, the players to be affected are more known and manageable, and impinging on their freedom to collect on us — or report what they find — feels like “regular” regulation.
But what happens when the information being gathered about us is thanks to someone wearing a headset and simply streaming anything interesting that he or she sees, helpfully auto-tagged with our identities? Some bars and restaurants may try to ban Google Glass on the way in, but lessons from everything ranging from mobile phones to hats tell us who’s going to win that war in the longer term. Especially once the distribution of streaming devices has evened out — so it’s not just the occasional freak behaving anti-socially, but all of us — we’ll need to look for other solutions if we don’t want to be stuck simply reconciling ourselves to no private moments in public.
One place to mine is the realm of digital rights management. DRM has not worked out so well for copyrighted material in the public mainstream, like movies and music. But what if the kind of tagging by which stuff can ask — if not require — “don’t copy me” could be deployed for privacy purposes, more in the spirit of Creative Commons than the ill-fated Macrovision VHS copy protection scheme?
How to do this? A start would be to allow people to set their expectations for a given environment, and to be able to broadcast them (without having to share their names, of course). If enough people in, say, a classroom, agree that the meeting is off the record, then recording devices will be alerted accordingly. They’ll still function, but they’ll show a message that the environment is expected to be off the record — and perhaps they’ll have a glowing LED or some other gentle indicator to tell others in the room that someone has chosen to record despite the norm. Perhaps, too, those recorded will be able to have some form of pseudonymous contact information embedded in the recording — so that if it should become public, they can choose to show that they were indeed the ones recorded (again without necessarily having to reveal identity) and then ask — not demand — some privilege in contextualizing or commenting upon the recording.
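To make the idea concrete, here is a hypothetical sketch of such a preference broadcast. Every field name, the relay-address format, and the quorum threshold are invented for illustration; no such protocol exists:

```python
# Hypothetical sketch of "off the record" signaling: devices in a room
# broadcast pseudonymous privacy preferences, and a recorder checks whether
# a quorum has declared the space off the record. All fields and thresholds
# here are invented assumptions, not an existing standard.

import secrets
from dataclasses import dataclass

@dataclass
class PreferenceBeacon:
    pseudonym: str        # rotating token; reveals no real identity
    off_the_record: bool  # the broadcaster's preference for this space
    contact_hint: str     # pseudonymous address for later contextualizing

def make_beacon(off_the_record: bool) -> PreferenceBeacon:
    token = secrets.token_hex(8)
    return PreferenceBeacon(token, off_the_record, f"relay://{token}")

def room_is_off_the_record(beacons, quorum=0.5) -> bool:
    """True if at least `quorum` of broadcasters prefer no recording."""
    if not beacons:
        return False
    against = sum(1 for b in beacons if b.off_the_record)
    return against / len(beacons) >= quorum

# A classroom of nine: six prefer off the record, three don't mind.
room = [make_beacon(True) for _ in range(6)] + [make_beacon(False) for _ in range(3)]
assert room_is_off_the_record(room)
```

A recorder receiving these beacons wouldn’t be disabled; it would simply display the room’s expectation and light its indicator, leaving the moral choice — and its visibility — to the person holding the camera.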
Many of us might appreciate an opportunity to know about others’ preferences and expectations in a quiet, low-impact way, and then to respect them — or if not, to realize that that choice entails overriding the preferences of others. The function of the technology is not to impede certain uses by fiat — the way the old DRM did — but rather to allow people to see that other people are implicated by what they do, permitting the moral dimension of our enthusiastic use of technology to become more apparent.
Update: PlaceAvoider appears to seek to implement some of this functionality.
- “The Big Brother Problem” WEF panel
“The Big Brother Problem” is a timely, difficult, and sweeping topic at WEF ’14, covering digital surveillance by both public and private actors and its implications for human rights. I’ll be moderating the session for it this week, and I thought I’d share my thoughts on both process and substance as I prepare for it.
We have one hour on a very broad topic, including audience and online questions, with six participants. How to use that hour to make progress? Let’s start with the lineup. Since there won’t be prepared remarks, I’ll be looking for lead-off questions that allow each participant to highlight what he or she finds most important, while also answering something that might be a bit off the beaten path.
There’s Salil Shetty, Secretary-General of the Nobel Peace Prize-winning Amnesty International, which has been a beacon for human rights since its inception in 1961. For someone concerned about human rights, it may not make much sense to try to rank abuses: too often the observation that rights are abused “worse” elsewhere is an excuse for a particular government not to clean up its own practices. But it may be fair to ask generally how informational privacy ranks next to possibly more fundamental concerns about physical integrity – like freedom from arbitrary detention or torture.
Indeed, surveillance might be best understood metaphorically as a precursor chemical to an undesirable concoction: spying can facilitate human rights abuses. But it’s dual- or multiple-use. Good digital surveillance, particularly of places where it isn’t easy to put independent boots on the ground to understand what’s going on, could be a powerful tool for good. Intelligence agencies around the world may be able to understand what’s going on in, say, Syria, thanks to the tools and practices that have been splashed across global headlines since last June.
If surveillance is to be cut back, what’s the right blend of restrictions on the collection end – trying to raise the cost of knowing something secret across the board – versus on use? What bulwarks against abuse, as compared to limits on collection, would be sufficient to the cause of human rights and dignity? (For example, someone against nuclear weapons proliferation might focus on a regime limiting the use and transfer of nuclear arms; their elimination entirely; and at the end of the spectrum a restriction on peaceful nuclear power for fear that enrichment technologies are just too easily dual-purpose.)
Here, too, it may be helpful to explore what one might want in theory, and what is judged politically attainable. Is there room for compromise and negotiation here, or is a role of an organization like Amnesty to anchor and stick to what it perceives as the purest of truths?
Next up is U.S. Senator Patrick Leahy. Leahy is no stranger to an issue that will no doubt be prominent in the discussion: the activities of the U.S. National Security Agency that have been the subject of ongoing leaks originating most recently with Edward Snowden, and the topic of a U.S. Presidential address covering reform last week. Senator Leahy chairs the Senate Judiciary Committee, which has been a focus for debate over U.S. legislation like the PATRIOT Act, and has often weighed in as one of the chamber’s civil libertarians. He’s also a former prosecutor. It will be interesting to see how he views the situation: will it lean towards “I told you so” on certain activities having gone too far – perhaps precisely because authorized by U.S. law from which he dissented rather than as freelancing by a rogue agency – or will it emphasize a realpolitik defense of countries gathering whatever information they can to protect their security, something every country does? Many U.S. officials have expressed bemusement that the NSA has been in the spotlight so singularly, when counterpart agencies around the world are thought to conduct parallel activities, and few if any states can offer a clear map for satisfying (much less transparent) intelligence oversight.
It might be good to ask Senator Leahy whether he thinks there’s been an impact not only on the global reputation of the U.S. government, but of U.S. business. Should the fact that legal process can yield so much intelligence from “local” U.S. companies with significant global customer bases be a reason for forbearance on collection from them, lest that customer base go elsewhere – even understanding that elsewhere is still somewhere: if not in the U.S., there will be some other government empowered by the new presence of bits and activities in its jurisdiction?
Raising the business question might be a good time to turn to Augie Fabela and Brad Smith. Mr. Fabela is the former chairman of VimpelCom, a worldwide telecommunications provider that originated in Russia in the early 90’s and is now based in the Netherlands, with over 200 million mobile customers worldwide. Telecoms providers are natural places to seek to spy, and indeed some governments – including in Europe – have imposed data retention requirements upon them, so as to facilitate law enforcement or national security-based investigations on subjects that have not yet been conceived. How should we think about those requirements? Mr. Fabela may have a particularly interesting view, as since leaving VimpelCom he’s honed an interest in public safety and law enforcement: in 2012 he was appointed to the rank of sheriff commander in Cook County, Illinois, USA, assisting with the restructuring of its intelligence center.
Brad Smith is the general counsel of Microsoft, and has been with the company for over twenty years. He’s contended with requests from law enforcement and intelligence agencies around the world, and will no doubt have strong and long-thought-through views on where to go from here. You can see some of his thinking in an interview he gave to Corporate Counsel magazine. There he makes the point that it’s difficult to ask companies to step in when governments fall short; governments are, he says, the “ultimate decisionmakers.” When we think of checks and balances in the gathering and use of data, what role, if any, can companies play versus public authorities exercising their power?
Orit Gadiesh is the chairman of global management consulting firm Bain & Company. She has some background in intelligence policy from a time before the Internet – and corresponding digital surveillance – had gone mainstream, but she may remind us that the Big Brother Problem, contra Orwell, is not limited to the State. Companies gather and maintain an enormous amount of data about us, and moreover have incentive – particularly if advertiser-supported – to use that data to influence our choices, even if those choices are as prosaic as what airline to fly or pet food to buy. As the cost of data gathering and processing goes down, what formerly was the province of massively-funded state intelligence operations can become the territory of “mere” companies – and ultimately, perhaps, individuals. Ms. Gadiesh’s participation on the panel may help round out the panel’s exploration to include private as well as public intelligence policy. Here, too, can we count on use restrictions as a hedge against abuse, or must safety lie in more limited collection?
Finally, what will happen as the power of surveillance devolves from governments and companies to individuals themselves? This very session, in an acknowledgement of the realities of the early 21st century, will be Webcast live. Other sessions labeled off-the-record may seem increasingly quaint as anyone in the room is in a position to record – or stream live – what’s taking place. How can we contend with this when ubiquitous data gathering can happen not just at conferences, but truly anywhere? Shyam Sankar may have some thoughts on that. He’s a director of Palantir Technologies, which, in its own words, offers “a suite of software applications for integrating, visualizing and analyzing the world’s information.” Customers include the U.S. Government – which also invested in Palantir early on – and Palantir has made a point of emphasizing its claim that its data analytics are geared to recognize and implement privacy protections. Mr. Sankar will no doubt have much to say about the relationship between the private and public sectors in data gathering and processing, and lately he’s been speaking a lot – including at TED – about “human-computer cooperation”: how algorithms alone aren’t the key to big data – presumably whether used for good or ill – but rather a “symbiosis” between person and machine.
There might be some solace in the centrality of people, rather than algorithms, to the infrastructure of surveillance: Big Brother ultimately will comprise people; fallible, yes, but constitutions and the rule of law were framed with those fallible people in mind. That may give promise that the challenges today posed by the ocean of data about us and our activities are difficult and new, but not entirely alien to what has come before, and for which there are models of successful vindication of our rights and dignity.
I hope you’ll join this session, whether in person or online. It’ll be streamed live at 10:30 am CET — that’s GMT+1 — on Wednesday, January 22nd, 2014. …JZ
Update: The video of the panel can be found here. And a related Berkman Center panel here.