Saturday 26 November 2011

Heroes and villains?

I wrote a piece a little while ago about Julian Assange - you can find it here - which amongst other things suggested that just because you consider someone a hero for one part of their lives doesn't mean that they're necessarily something other than a hero in another way. Events this week have reminded me of the other side of that coin: that just because someone might be seen as a villain in one way, doesn't mean that everything about them is despicable. What's more, if we  believe in human rights, it doesn't mean that 'villains' shouldn't have those human rights. One particular such 'villain' has been in the news these last few days: Max Mosley.

Before I say anything more, I need to make it clear that my background is very left wing - I have grandparents, step-grandparents and great aunts who were communists. I myself had the nickname 'commie bastard' at college - though all that really meant is that I was the only member of the Labour Party at what was then the extremely right-wing Pembroke College Cambridge. As such, Max Mosley is someone who I 'instinctively' look on with extreme distaste. His father, Oswald Mosley, was a particular figure of hate for my family - in case anyone is unaware, Oswald Mosley was the founder and leader of the British Union of Fascists, and a supporter of Hitler. Hitler was a guest at his wedding. I still consider myself to be very much on the political left. Max Mosley, not just as his father's son, but as someone who represents extreme wealth and the excesses connected with it, is not someone that I have anything but instinctive dislike for.

...but just as even 'heroes' like Assange need to be subject to the law when appropriate (as I argued before), even those you dislike intensely need to be accorded rights. Indeed, one of the key tests of whether you really believe in human rights is whether you really grant them to those you dislike. Many people have been tested on those grounds over the last months and hardly come up smelling of roses - the attitude to the death of Gaddafi is perhaps the most extreme example. For Max Mosley, the test is simpler and should be less taxing. However much I might dislike what he seems to represent, he still deserves privacy. What the newspapers did to him was, in my view, unacceptable - and he was right to fight against them. Personally I thought he came across well in the Leveson inquiry. It wasn't Mosley that looked like the villain here - and his work in supporting other victims of phone hacking is something to be applauded too.

...which brings me onto the other 'heroes' and 'villains' of the last week: the press. If you listened as I did to the testimony of the many witnesses to the Leveson inquiry, from Mosley himself to the celebs like Hugh Grant, Steve Coogan and Sienna Miller, to JK Rowling, to the families of Milly Dowler and Madelaine McCann, and to Margaret Watson, it's hard not to see the press as venal, vicious, unprincipled and unfair. The instinctive reaction again is to punish them, to clamp down on them, to restrict them. And yet that's not the whole story either - because we also have to remember how the story itself broke, though the work of the Guardian. We have to remember how the MPs' expenses scandal was revealed by the Telegraph. How the cricket match-fixing scandal was uncovered by the now-departed News of the World. Just as Assange and Mosley could be heroes in one way and might be villains in another, so are the press. We need to look at the balance, and remember both sides to all their stories.

How is that balance maintained? The most important thing to remember is that it's a dynamic balance, and that we have to remain vigilant. Don't overreact - and that's an easy temptation particularly in relation to the press, and if the stories about Max Mosley planning to sue Google are true, they would be a prime example of such overreaction, and something I plan to write about separately - but don't be afraid of action either. Even in terms of the press, there are two currently very different things going on right now. At the same time as any action emerging from Leveson might produce restrictions on press activity in relation to privacy, the potential changes to the draft defamation bill might produce greater freedom for the press in relation to defamation. Instinctively, again, that might be right for people of my political perspective - defamation law has often been seen as a tool for the rich, while privacy should (though often isn't, as I've argued before) be something of as much interest to the 'insignificant' as the rich and famous. Both the potential shifts in balance, from Leveson and from changes to libel law, could well be appropriate. Let's hope it works out that way.

Saturday 19 November 2011

Whose data? Our data!!!


There’s a slogan echoing around the streets of major cities around the globe at the moment: ‘Whose streets – our streets!’ It’s the mantra of the ‘occupy’ movement, expressing the frustration and injustice – particularly economic injustice – and the sense that all kinds of things that should be ‘ours’ have been taken out of ‘our’ control.

The same could – and should – be said about personal data. The mantra of the occupy movement has a very direct parallel in the world of data, which is why I think we should be saying, loud and proud, ‘Whose data – our data!’

Just as for the occupy movement (which I’ve written about before), the chances of getting everything that we want in relation to data are slim – but the chances of changing the agenda in relation to data are not, and the chances of bringing about some real changes in the medium and long term even less so. The occupy movement, particularly in the US, have brought some ideas that previously were hardly talked about in the media, like wage and wealth inequality, close to the top of the agenda. They may even have moved it high enough that politicians feel the need to do something about it – I certainly hope so.

The personal data agenda.

Can we do the same for personal data? One of the current points of discussion is the idea of a ‘right to be forgotten’ – something that relates directly to the question of whether personal data is ‘ours’ in any meaningful way. I’ve spoken and written about it a lot before – my academic article on my take on it, ‘a right to delete?’ can be found online here, while I’ve also blogged on the subject on the INFORRM blog. It’s currently under discussion as part of the forthcoming revision to the Data Protection Directive, to great resistance from the UK. The latest manifestation of this resistance has come from the ICO, suggesting that the right to be forgotten should not be included as it would be unenforceable, and that the inclusion would give people unrealistic expectations, as well as potentially interfering with free speech. Effectively, they seem to be suggesting that including it would send out the wrong message. This pronouncement echoes previous statements by Ken Clarke in May, and Ed Vaizey a couple of weeks ago – it looks like part of a campaign to rein in the attempts by Europe to give more weight to privacy and user rights in the balancing exercise with business use of personal data.

Are the ICO right?

I believe that the ICO are wrong about this in a number of ways. First of all, I think they’re wrong about the unenforceability issue – at least to a great extent. In the Mexico City conference on data protection earlier this month, even Google admitted that they could do their part, but that it would be expensive. That's very different from saying that it is unenforceable. What’s more, it doesn’t have to be perfectly implemented in order to have a benefit to people – if, for example, the right to be forgotten would allow people to easily, simply and quickly delete their Facebook profiles, or the data held on them by Tesco, that could be significant. It could also, as I’ve argued in my article, help persuade businesses to develop business models less dependent on the gathering and holding of massive amounts of personal data – if they know that such data might be ‘deletable’.

Secondly, I believe they’re quite wrong about the free speech issue – again, as I outline in my paper, if proper exceptions are put in place to allow archives to be kept, then free speech isn’t affected at all. The idea is not to be able to delete a record of what school you went to – but to be able to delete records of what breakfast cereal you bought, or profiles created based on surveillance of your internet activity.

Thirdly, and perhaps most importantly, I think they’re wrong about the message being sent out – profoundly wrong. The message that the ICO is sending out is that business matters more than people’s rights – and it’s a message that has echoes throughout the world at the moment, echoes that are what has provoked the anger in so many people that lies being the ‘occupy’ movement.  It’s the same logic as that which supports bankers bonuses over benefits for the disabled, and looks for tax cuts for the rich whilst enforcing austerity measures that cut public services to the bone and beyond. Even more importantly, it suggests that the ICO does not see its role as protecting individual rights over data – but as supporting the government’s business agenda.

Whose data – our data!

The actions and messages of the ICO are essentially saying that this is too difficult to do, so we shouldn’t even try. It reminds me very much of the arguments against the idea of having smoke-free restaurants and pubs – a lot of people said it would be impossible, would drive the restaurants and pubs out of business. Further back, there have been similar stories throughout history – most dramatically, they were made against the abolition of slavery. We shouldn’t let this kind of logic stop us from doing what is right – we should find a way. And we can find a way, if only we can find the will. The ICO needs to be stronger, to understand that it has to serve us, not just business or the government. Privacy International asked in February whether the ICO was fit for purpose – and the answer increasingly seems to be clearly not. We need to remind them what their purpose should be – and that, more than anything else, is to represent us, the people. We need to remind them whose data they’re supposed to be protecting. Whose data? Our data!

Tuesday 15 November 2011

The significance of the insignificant

I watched yesterday’s parliamentary committee session on Privacy and Injunctions with some interest – after all, privacy is one of my subjects. The excellent David Allen Green (of Jack of Kent fame) gave the committee a number of lessons both in law and technology, and Guido Fawkes (Paul Staines) tormented them with the reality of the modern world. It was entertaining stuff – and yet the more I watched, the less it seemed to be connected with what I see as the biggest and fastest growing problem that the internet in particular represents in terms of privacy.

That came to a head when Guido Fawkes made the remark that ‘privacy is just a euphemism for censorship’.  It was a good soundbite – and fitted some excellent subsequent tweets – and he certainly had a point when considering the way that privacy has been used to protect the rich, the famous and the influential, particularly in relation to super-injunctions, one of the key subjects being discussed by the committee. As a football fan, I’ve hardly been able to blink this year without hearing another piece of gossip that I’m not allowed to know, let alone talk about. However, there’s another side to privacy, one to which neither the committee nor the witnesses before them seemed to pay any attention. The side of the insignificant.

Insignificant people have the right to privacy too

The focus of both the committee and the witnesses, entirely understandably given their remit, was on the privacy of what might loosely be described as ‘significant’ people. And yet ordinary people, ‘insignificant’ people, have a right to privacy too. Protecting their privacy, except in unusual circumstances, isn’t anything to do with censorship. It’s about autonomy. It’s about the right, as Warren and Brandeis put it so long ago, to be left alone. The right to live, to enjoy the fruits of our modern society freely and without excessive interference.

By focussing on privacy as protecting significant information about ‘significant’ people, we miss what is, in many ways the far more important issue of the lack of control over the gathering of insignificant information about ‘insignificant’ people.

The result is that what is seen as ‘privacy’ – insofar as it is protected by law (and David Allen Green gave yesterday’s committee an excellent exposition of the inadequacies of that law) very often ends up protecting the ‘wrong’ people in the wrong ways, and failing to protect the right people in the right ways.

Insignificant invasions of privacy matter

Protections against the significant stuff, particularly for significant people is already provided. The law protects against defamation – perhaps excessively, at least in the eyes of the supporters of libel reform – and ‘significant’ people can and have used that law to provide that protection, but provides little in the way of protection for ‘insignificant’ invasions of privacy.

Why is this? To a great extent it is because these ‘insignificant’ breaches of privacy are seen as, well, insignificant. On their own, that may even be appropriate. What does it matter if someone knows what I had for breakfast this morning, or what kind of music I’m listening as I type this blog? Each individual fact gathered this way doesn’t seem to matter at all – and yet they do matter. They matter philosophically – they’re really my business, and no one else’s – but they also matter in a much more important way. In this digital world of ours, they’re used to profile me, to categorise me, to determine what advertisements I receive on the internet, perhaps what content I’m shown, what links I’m provided with. They might determine what prices I’m offered for insurance, for plane tickets and so forth. They might be used to ‘rate’ me (I’m not even going to start on Klout) in other ways. They might be used to assess my likely political leanings – perhaps just for advertising at the moment, but after that….

…and yet far less attention is paid to them than the ‘obvious’ side of privacy. Even on social networking sites like Facebook, attention is paid to the ‘significant’ privacy problems – compromising or clearly embarrassing photographs for example, rather than the much more financially important detailed profiling and social mapping data that are the basis of Facebook’s business model. Do the compromising photos matter? Yes, of course they do, but ways are already being found to deal with them, through education of the users, or at least greater understanding from the users, something which has at least some chance of succeeding. As for the profiling data, few people seem to care that much at all.

Changes are needed

There are all sorts of legal problems with dealing with insignificant stuff. There is a need to show damage – and individually insignificant facts aren’t damaging, and even profiling isn’t necessarily directly ‘damaging’ in financial terms. There is the thorny issue of consent – do we consent to all this data gathering and use through the various terms and conditions we never read? Do we, as the recent Wikileaks/Twitter ruling suggests, have no real expectation of privacy in our internet dealings?

As it stands, there is little to help. Law doesn’t seem to cut it – for all the valiant efforts of the Article 29 Working Party and others. Politicians in general seem neither to understand nor to care. Business models, particularly on the internet, almost rely on these invasions of privacy. We need to change that. To protect the insignificant, we need a change in approach, a change in infrastructure, and a change in business plans. We need to understand and control online tracking. We need opt-in, not opt-out, we need explanations that actually explain, and we need a whole lot more. Most of all, we need better understanding that privacy is more than just a way for the rich and powerful to protect themselves. It's about all of us.

The privacy of the insignificant hasn’t needed protecting before – only in this digital age can their insignificant events be gathered, or processed into something significant – so the law hasn’t been needed to protect them, and hasn’t developed a form that can protect them. It needs to now.

Thursday 10 November 2011

The beginning or the end of cyberlaw?


From time to time I have described myself as a ‘cyberlawyer’. When I’ve done so, I’ve had three kinds of reaction: the positive, the negative and the dumbfounded. Some people find the idea of cyberlaw almost exciting – looking to the future in a kind of William Gibson-esque way. Others look at it with derision – Easterbrook’s comparison of it with the non-existent law of the horse back in 1996 is one that echoes still. Some simply don’t understand what cyberlaw is, or what it might be.

For a long time I’ve taken the side of the first – indeed, my enjoyment of science fiction was certainly part of what led me down the path of cyberlaw – but I’m beginning to think that the other two reactions are perhaps more appropriate – though not necessarily for the reasons that proponents of either argument might have made. It’s not, as Easterbrook suggested, that cyberlaw is too much of a niche subject, nor that ‘cyberspace’ is something only of interest to geeks and nerds. The opposite. Increasingly it seems that almost all lawyers will have to learn cyberlaw – and that almost all people are becoming citizens of cyberspace.

The significance of cyberlaw within the legal community seems to be growing. The first time I went to the cyberlaw section of the Society of Legal Scholars conference, at the LSE in 2008, I sat through sessions with just a handful of other scholars – making even a small seminar room feel empty. This year, at Downing College Cambridge, it was standing room only as pretty much every session was packed beyond the capacity of the room. We had to borrow chairs from other far less popular sessions, and even thought of moving to one of the bigger venues. In other ways, too, cyberlaw seems to be becoming more mainstream. Over the last month or so I’ve been lucky enough to make contributions to two high-quality blogs well outside the realms of cyberspace – most recently writing about web-blocking for the UK Constitutional Law Group blog, and before that writing about the ‘right to be forgotten’ for the excellent INFORRM media law blog. Whilst I would like to pretend that I’ve been asked to make these contributions because of my individual brilliance, I have a feeling it’s much more of a reflection of the way that cyberlaw now impacts upon almost every aspect of law – and not just media and constitutional law.

Media lawyers need to understand the ‘new media’. Constitutional lawyers need to think about the impact of the cross-border nature of the internet on sovereignty, and the way that rights function online. Employment lawyers need to consider how social media impacts upon things like hiring and firing. Commercial lawyers need to understand electronic contracting. Intellectual property lawyers may well spend more time dealing with digital IP than anything else.  Tax lawyers have to grapple with the complex issues of jurisdiction and so forth. Criminal lawyers have to look at how the rules of evidence apply to digital records, and think carefully about the legality of electronic investigatory methods. Human rights lawyers – and I consider my field to be as much human rights as cyberlaw – need to understand both the opportunities for and threats to human rights that arise as a result of the internet. And for each branch of law these are just some of the more obvious and superficial ways in which the digital world has to be taken into account – there are few areas of law where the internet doesn’t have a significant impact.

So what does this mean? Does the increasing importance of cyberlaw mean that we all have to become cyberlawyers – and hence that the whole idea of cyberlaw disappears? Will every lawyer be a cyberlawyer? Ultimately that may be so – but there’s a long way to go before that happens. The law is still finding it hard to come to terms with the internet, for all the efforts of the pioneering cyberlawyers – and the politicians are even further behind, with a few honourable exceptions. There’s also a significant rump of the legal ‘establishment’ that may have to be dragged kicking and screaming into the brave new world where ‘reality’ and ‘cyberspace’ are increasingly integrated. It’s coming, though, and faster, I suspect, than even people like me imagine.

Thursday 3 November 2011

Assange - keeping the issues separate


Yesterday, as most people interested in the subject know, Assange lost his appeal against extradition to Sweden to face accusations of sexual misconduct. He lost on all four counts of his appeal, and lost so convincingly that many commentators have suggested that his chances of success in one, final appeal to the Supreme Court are very slim indeed. He has not yet, at the time of writing, decided whether or not to make such an appeal.

It’s not the facts of what happened yesterday that matters to me, but the implications – and in particular, the reactions from so many people interested in Assange, in Wikileaks, in freedom of information, in combating secrecy, in the potential liberating power of the internet and so forth. For far too many of them, in my opinion, all these issues have been far to closely linked. We need to separate out the different issues. Julian Assange is not Wikileaks, and Wikileaks is not Julian Assange. Freedom of information and the fight against government and corporate secrecy and power is not dependent on Wikileaks, let alone on Julian Assange himself. We need to be able to separate the issues, and to think clearly about them. We need to be able to fight the right battles, not the wrong ones.

There are many people who, like me, are very much in support of the aims of Wikileaks, and who see the liberating potential of the internet as one of the most important things to emerge in recent times (without understating the reverse – the potential for the internet to be used for oppression and control, as so ably set out by Evgeny Morozov and others), but who, at the same time, support the concept of the rule of law, where that law is both appropriate and proportionate. I want open government, liberal government, accountable government – not no government at all. I don’t want personality cults, I don’t want anyone to be above the law, whether they are ‘good guys’ or ‘bad guys’. For me, that means I want Assange to face his accusers, and I want to be able to find out whether he is guilty or not.

Assange has already lost a lot of supporters in Sweden – as this Swedish commentator points out – by attacking both their legal system in relation to sexual offences and their apparent willingness to extradite easily to the US. For me, both of these accusations need to be looked at very carefully. Most people who have studied the way that sexual offences – and in particular accusations of rape – have been treated historically in the courts should recognise that women have generally got a very raw deal indeed. The way that the Swedish system has attempted to at least to start to rectify this balance is one that should be applauded and supported, not attacked or even vilified, in the way that some supporters of Assange seem to have done – ‘the Saudi Arabia of Feminism’ is one of the descriptions put forward. Such attacks are not justified or in any way appropriate – at least not to me.

And are Sweden really more likely to extradite Assange to the US than we are in the UK? It seems unlikely, as Andy Greenberg’s report in Forbes suggests. The UK doesn’t have a good record in resisting such requests – and given all the publicity it seems highly unlikely that the Swedish would let such a thing happen on their watch. Moreover, the Swedish system would require dual criminality for an extradition to occur – that is, the offence committed has to be a crime both in the country seeking extradition and in Sweden itself. Assange’s ‘offenses’ would not easily be shoehorned into that description. Either way, it’s hard to see an extradition occurring from Sweden – extradition from the UK seems far more likely.

There's one further point about the Swedish system - one that seems to have been missed by many of his supporters. It’s not really true that ‘no charges’ have been brought. As the judge pointed out in yesterday’s ruling, the Swedish system is different to that in the UK, and ‘charges’ are only brought at a very late stage, with a trial to follow almost immediately. The Swedish investigation has gone past the point where, in the UK, US or Australian investigation, charges would have been brought. Implications that the opposite true are really not helpful.

When I’ve suggested either that Assange was likely to get a fair trial in Sweden or that extradition to the US was unlikely, many people have shot me down, suggesting that there would be a stitch up between the Swedish and US authorities, that the charges were trumped up to start with – ultimately that there is a great conspiracy to bring Assange down. I don’t find the latter that difficult to believe – there are certainly some very bad things happening in relation to Wikileaks, and the approach used to try to squeeze the life out of them through the financial blockade is one of the most reprehensible and dangerous developments of recent years. However, if that conspiracy extends to ‘trumped up’ charges of rape and sexual assault on Assange, then for me that actually provides an opportunity, not a threat.

That’s where the rub comes. If Assange is guilty, then he should face the charges and receive appropriate punishment. If he’s innocent – and in particular if he’s the victim of a conspiracy-based set-up – then by facing the charges, by going through a legal process, he can prove that, and even expose the conspiracy. I’m not saying that I believe either way – neither I, nor the vast majority of either his supporters or his enemies know enough to know that. If he’s guilty, he wouldn’t be the first man to have abused his position of celebrity and power to behave inappropriately. If he’s innocent, he wouldn’t be the first innocent man accused in this way – or the first set up by his enemies.

For me, though, if you support the kinds of things that Wikileaks supports – exposing the truth, holding the powerful to account, moving towards a better, more open, more liberal future – you should want all this to be out in the open too. That means letting Assange go to Sweden, and it means refraining from the very smear tactics that his opponents use in relation to the Swedish judicial system. There are many, many things to be concerned about in relation to the treatment of Wikileaks, and indeed of Assange – but yesterday’s ruling, almost certainly correct from a legal perspective as bloggers like the excellent Adam Wagner have made clear, is not one of them.

Whether Assange is guilty or not, and whether he’s found guilty or not, supporters of freedom of information – and supporters of Wikileaks – should try not to tie his personal issues with the broader, more important issues that Wikileaks has raised. They’re not intrinsically and inextricably linked – and if we let them be, we’re playing into the hands of the very groups that we should be opposing.