Our knowledge about the past shouldn’t be restricted, says former UN free speech rapporteur

Photo: Janwikifoto/Wikimedia Commons/Creative Commons)

Frank La Rue (above). Credit: Janwikifoto/Wikimedia Commons/Creative Commons)

Freedom of expression is more in danger today than in 2008 because of “the right to be forgotten”, the United Nation’s former free expression rapporteur Frank La Rue told an internet conference.

At the event La Rue told Index: “The emphasis on the ‘right to be forgotten’ in a way is a reduction of freedom of expression, which I think is a mistake. People get excited because they can correct the record on many things but the trend is towards limiting people’s access to information which I think is a bad trend in general.”

La Rue, who was the UN’s rapporteur between 2008 and 2014, addressed lawyers, academics and researchers at the Institute of Advanced Legal Studies in London, in particular covering the May 2014 “right to be forgotten” ruling from the Court of Justice of the European Union, and its impact on free speech following a Spanish case involving Mario Costeja Gonzalez.

The Google Spain vs. Mario Costeja Gonzalez case involved the Spanish citizen challenging Google and a Spanish newspaper in the courts to remove articles that appeared on the search engine relating to a foreclosure notice on his house. Gonzalez won the case against Google, but not the newspaper, which has now set a precedent for users to challenge search engines to de-list information.

Frank La Rue (right) spoke at a (Photo: Max Goldblart for Index on Censorship)

Frank La Rue (right) spoke at the Institute of Advanced Legal Studies in London (Photo: Max Goldbart for Index on Censorship)

On the  ruling, La Rue said: “I would want to know the past. It is very relevant information. Everyone should be on the record and we have to question who is making these decisions anyway?” LaRue’s main issue with the “right to be forgotten” is the fact that a private company can have such a say on information being accessed by the public. “The state is accountable to the people of a nation so should be accountable here. Not private companies and especially not those with commercial interests,” he added.

While in London for the conference, he also told Index on Censorship there were “many reasons” for this reduction in freedom of expression: “One is because a breach of privacy has a chilling effect so people are more worried about that, but also there are more and more regulations being enacted in many countries which worry me. Politicians are getting scared of the power of the internet because the internet has made the world more knowledgeable so there is an increase in the way the authorities are trying to reduce criticisms.”

La Rue, now executive director of the charity Robert F. Kennedy  Human Rights Europe, felt that commercial organisations such as Google have been given too much power.

Ray Corrigan, senior lecturer in maths and computing at the Open University, said: “We carry the greatest tracking device around with us absolutely willingly, our phones. We don’t think about the costs.”

This article was posted on June 26 2015 at indexoncensorship.org

Judith Vidal-Hall: Taking on the giant

Artists-impressions-of-Lady-Justice,_(statue_on_the_Old_Bailey,_London)

On 27 March 2015, a group of claimants in the United Kingdom, including myself, won what is being called a “landmark victory” against Google Inc. It handles three billion searches a day globally, exercises a virtual monopoly and is valued at around £250 billion. It is also among the world’s biggest advertising agencies with revenue in 2013 of some £49 billion.

After fighting the claim for over two years, Google has been ordered to appear in court in the UK to answer the charges of invasion of privacy by the tracking and collation of browser generated information (BGI) via Apple’s Safari browser. In other words, “hacking” computer searches by getting behind the protections built into Safari on Apple devices – iPhone, iPad and Mac computers – in order to track the user’s browsing preferences. Google is thereby able to determine private information such as age, health issues, gender, sexual interests and preferences, and to sell this information to advertisers who can target the users. This is no different from what is commonly called “stalking”, only on a global scale.

But let’s begin at the beginning. In 2012, Simon Davies, one of the UK’s leading voices on the virtues of privacy, contacted me about the possibility of suing the internet search giant for the invasion of privacy. Three years later, after much to-ing and fro-ing in the British courts, what began as a speculative long-shot has taken wing in the legal imagination, becoming an important test case for the boundaries of privacy law in the UK and, by extension, the EU. This concerns not only the nature of privacy as understood in the context of Article 8 of the European Convention on Human Rights, but the definition of the term “damages’ in the context of the Data Protection Act (DPA) of 1988. For many in the legal profession, the chief significance of the case is in the possibility it opens up of suing non-resident companies and individuals in English courts on privacy-related grounds. This is a game changer and could set a precedent in UK law.

“You have a Mac, don’t you?” said Simon. “Yes, and an iPhone,” I replied. “Have you done much searching on Safari recently?” “More than usual as it happens. My car insurance, driving license and road tax were all up for renewal in November. And I’ve been shopping online, not something I usually do, but with grandchildren’s very specific Christmas demands only available there, I’ve been more active than usual in territory I don’t normally venture into.” All this in addition to my standard use of the internet in pursuit of facts, figures and data-checking familiar to any journalist or editor.

He went on to ask if I’d had been receiving an unusual amount of targeted advertising. Indeed I had! Given that Apple boasts of the superior security of its Safari browser, this was not only unusual, it was alarming. What had been going on? It seemed that Google had circumvented Safari’s default setting whereby cookies – small chunks of text with unique information such as the time of a user’s visit to a site – are accepted only if they come directly from the sites that users are browsing.

According to The Guardian, “Google wanted to use its DoubleClick and other ad systems to track where people go online, so that it can serve ‘relevant’ ads. It also wanted to be able to integrate its Google+ data into that information.” As the US-based Electronic Frontier Foundation (EFF) noted: “That had the side effect of completely undoing all of Safari’s protections against doubleclick.net.” It was, it added, “Like a balloon popped with a pinprick, all of Safari’s protections against DoubleClick were gone.”

Playing catch-up

The thought of making a claim, any claim, against Google was laughable. This was several years before Edward Snowden’s revelations of the NSA and GCHQ snooping activities in June 2013 raised privacy issues to a new level and put them squarely on the public agenda. It also preceded Google’s subsequent settlement with the US Federal Trade Commission (FTC) for the same offence. But it coincided with the revelation of News International’s massive phone hacking of celebrities, politicians, the Royal Family and, above all, of the murdered schoolgirl Millie Dowler. It was this that excited the public imagination and raised the matter of privacy to a new level. Suddenly it mattered in a different way; more personal, more threatening to the ordinary person in the street. The Leveson Inquiry kept the issue on the front pages through much of 2011 and 2012.

What is at stake here? How should we understand privacy in the different contexts in which we live and interact online? What powers should consumers have over their data? How can the power of corporations and advertisers be reined in? We are urgently in need of new definitions and concepts; those that served us even a decade ago are no longer adequate given the exponential advance of digital technology. What does “territoriality” or “residence” mean when Google can stretch out its hand from California and rifle through our data as we sit at our computers thousands of miles away? How can “jurisdiction” be confined to a geographical entity in the age of cyber crime and the global reach of search engines and browsers? What do we mean by “privacy” online when people are giving it away freely, not to say promiscuously, on social networking sites such as Facebook, Instagram and YouTube? And finally, though the case was not brought with this in mind, can “damages” be limited to pecuniary loss alone as apparently determined by the DPA?

The case against Google is not only about holding Google to account, but about beginning to clarify and modernise rules and definitions. Most important, it is about creating the laws needed to hold Google et. al. to account. As Guy Aitchison wrote in Open Democracy: “We are to a great extent playing catch-up. The rapidity of technological change has vastly outpaced the development of our laws, institutions and regulatory systems, along with the articulation of the ethical categories and principles with which to understand and evaluate them.”

Or, as Tim Berners Lee, inventor of the World Wide Web, put it: we need an “online Magna Carta” to protect the web. His “Web We Want” campaign was launched on UN Human Rights Day last year and calls on “ordinary people” to take control of the web and challenge “those who seek to control [it] for their own purposes”. It is within that context that we decided to pursue the present case.

A landmark judgment

It was not until June 2013 that we were allowed to serve our claim on Google to appear in a UK court to answer our accusations. Google was quick to point out that since it was not domiciled in the UK and did not pay taxes here, the courts had no authority to try the case and it would not answer our summons. We were, it said dismissively, entirely welcome to confront them on its home ground in California and set about getting this decision reversed. It did not deny the charges; on the contrary, Google admitted in February 2012 in the US that it had done precisely what we claimed. For this it had been fined by the FTC a record 22.5 million dollars for breaching the privacy of US users. In 2013, it paid a further 17m dollars to 37 US states plus the District of Columbia for the same offence. Following these judgements, Google promised not to repeat the activity and said it was taking all necessary measures to put right the damage it had caused.

In August 2013, Google was granted permission to challenge the decision and in January 2014 appeared before London’s High Court. Mr Justice Tugendhat rejected all Google’s arguments, namely that:

1. the cause of action was not a “tort” (see below);
2. there was no serious issue to be tried in relation to the claim in misuse of private information/breach of confidence;
3. there was no serious issue to be tried in relation to the claim for breach of the Data Protection Act 1998;
4. the claimants had not shown that England was clearly the most appropriate forum for the trial of the claims;
5. “damage’ means significant physical or economic harm and no such damage was alleged by the claimants.

Under the UK’s complex legal system, Google was able up the stakes and go one higher in its effort to evade UK justice. In the hope that it would reverse Tugendhat’s ruling, it went to the Court of Appeal.

And, for almost a year we waited; the courts of England are second only to the “mills of God” in the speed of their actions. Finally, in December 2014, we returned to court, but the single day allowed for the hearing proved inadequate and again we waited. It was not until March 2015 that the Appeal hearing was concluded over a further two days. Listening to the legal jargon, the citation of innumerable precedents and the complexities of the technical issues involved was mind-numbing: a six-hour-long address by the counsel for Google on the definition of the word “tort” came close to watching the proverbial paint dry. On later investigation, this word so crucial to the case turned out to mean a civil wrong causing damage to the persons involved and demanding redress in court. Because the invasion of privacy had previously never been considered a tort, Google argued that it could not be tried as a civil offence in a UK court.

Once again, the judge dismissed all Google’s claims, leaving us open to pursue the case. Announced on 27 March, it was a famous victory or, in the words of the lawyers involved, “a landmark judgment”. The Master of the Rolls, the Right Honourable Lord Dyson concluded in brief that:

On the face of it, these claims raise serious issues which merit a trial. They concern what is alleged to have been the secret and blanket tracking and collation of information, often of an extremely private nature, as specified in the confidential schedules, about and associated with the claimants’ internet use, and the subsequent use of that information for about nine months. The case relates to the anxiety and distress this intrusion upon autonomy has caused.

In addition to determining the matter of “serving out” on non-residents, it clarifies some important issues – the nature of privacy and its definition in law, the definition of damages – and prepares the ground for the determination of future law in this area, a change that reflects the changing nature of “privacy” in the world of global information technology.

What next?

Yet the so-called “landmark judgment” aroused little excitement in the UK media. Could it be that everyone is simply waiting for the next chapter? Or do the suspicions in some quarters that even the media is running scared of Google have some traction?

Much depends on what Google does next. Will it choose to up the ante once more by going to the Supreme Court? Or will it acknowledge the error of its ways and face trial? In the event that the Supreme Court refuses an appeal, will it settle out of court to avoid a potentially damaging judgement?

We shall see. Meanwhile, it’s only fair to acknowledge that Google is not entirely the monster this case presents it as. Not only does it provide a service without which most of us would be ineptly fumbling our way around the web, it is an employer of 50,000. Their terms and condition of employment are such as to foster the envy of their peers. But the utopian dystopia of Dave Eggers 2013 novel The Circle, whose inhabitants lead an isolated cult-like existence reminiscent of some of the more bizarre sects in the US might be nearer the mark.

And it can acknowledge fault, even though it has defended its record on privacy by claiming that much of its illicit information gathering was “by mistake”. As Google’s head of “people operations”, aka human resources, Lazlo Bock admitted in an interview in The Guardian: “There’s a lot of responsibility that comes with having a global brand and the kind of footprint we have and the kind of impact we have and we need to live up to that.”

Corporate responsibility is one thing, however, and abiding by the law another. The days when Google was free to roam the unregulated territories of the internet are slowly, but surely, coming to an end.

A full account of the appeal judgement in Vidal-Hall et al. v Google, including technical and legal terms and definitions, plus details of the claim are available at: www.bailii.org/ew/cases/EWCA/Civ/2015/311.html

Editor’s Note: Google is a funder of Index on Censorship

This article was originally posted at Eurozine

When Google tripped: Forgetting the right to be forgotten

right-to-be-forgotten-screengrab

On May 13, the Court of Justice of the European Union (CJEU) held in Google Spain v AEPD and Mario Costeja González that there was a “right to be forgotten” in the context of data processing on internet search engines. The case had been brought by a Spanish man, Mario Gonzáles, after his failure to remove an auction notice of his repossessed home from 1998, available on La Vanguardia, a widely-read newspaper website in Catalonia.

The CJEU considered the application of various sections of Article 14 of EU Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 covering the processing of personal data and the free movement of such data.

A very specific philosophy underlines the directive. For one, it is the belief that data systems are human productions, created by humans for humans.  In the preamble to Article 1 of Directive 95/46, “data processing systems are designed to serve man; … they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms notably the right to privacy, and contribute to … the well-being of individuals.”

Google Spain and Google Inc.’s argument was that such search engines “cannot be regarded as processing the data which appear on third parties’ web pages displayed in the list of search results”.  The information is processed without “effecting the selection between personal data and other information.”  Gonzáles, and several governments, disagreed, arguing that the search engine was the “controller” regarding data processing. The Court accepted the argument.

Attempts to distinguish the entities (Google Inc. and Google Spain) also failed. Google Inc. might well have operated in a third state, but Google Spain operated in a Member State.  To exonerate the former would render Directive 95/46 toothless.

The other side of the coin, and one Google is wanting to stress, is that such a ruling is a gift to the forces of oppression.  A statement from a Google spokesman noted how, “The court’s ruling requires Google to make difficult judgments about an individual’s right to be forgotten and the public’s right to know.”

Google’s Larry Page seemingly confuses the necessity of privacy with the transparency (or opacity) of power.  “It will be used by other governments that aren’t as forward and progressive as Europe to do bad things.  Other people are going to pile on, probably… for reasons most Europeans would find negative.”  Such a view ignores that individuals, not governments, have the right to be forgotten.  His pertinent point lies in how that right might well be interpreted, be it by companies or supervisory authorities. That remains the vast fly in the ointment.

Despite his evident frustrations, Page admitted that Google had misread the EU smoke signals, having been less involved in matters of privacy, and more committed to a near dogmatic stance on total, uninhibited transparency. “That’s one of the things we’ve taken from this, that we’re starting the process of really going an talking to people.”

A sense of proportion is needed here.  The impetus on the part of powerful agencies or entities to make data available is greater in the name of transparency than private individuals who prefer to leave few traces to inquisitive searchers.  Much of this lies in the entrusting of power – those who hold it should be visible; those who have none are entitled to be invisible.  This invariably comes with its implications for the information-hungry generation that Google has tapped into.

The critics, including those charged with advising Google on how best to implement the EU Court ruling, have worries about the routes of accessibility.  Information ethics theorist Luciano Floridi, one such specially charged advisor, argues that the decision spells the end of freely available information.  The decision “raised the bar so high that the old rules of Internet no longer apply.”

For Floridi, the EU Court ruling might actually allow companies to determine the nature of what is accessible.  “People would be screaming if a powerful company suddenly decided what information could be seen by what people, when and where.” Private companies, in other words, had to be the judges of the public interest, an unduly broad vesting of power.  The result, for Floridi, will be a proliferation of  “reputation management companies” engaged in targeting compromising information.

Specialist on data law, Christopher Kuner, suggests that the Court has shown a lack of concern for the territorial application, and implications, of the judgment.  It “fails to take into account the global nature of the internet.”  Wikipedia’s founder, Jimmy Wales, also on Google’s advisory board, has fears that Wikipedia articles are set for the censor’s modifying chop.  “When will a European court demand that Wikipedia censor an article with truthful information because an individual doesn’t like it?”

The Court was by no means oblivious to these concerns.  A “fair balance should be sought in particular between that interest [in having access to information] and the data subject’s fundamental rights under Articles 7 [covering no punishment without law] and 8 [covering privacy] of the Charter.”  Whether there could be a justifiable infringement of the data subject’s right to private information would depend on the public interest in accessing that information, and “the role played by the data subject in private life.”

To that end, Google’s service of removal is only available to European citizens.  Its completeness remains to be tested.  Applicants are entitled to seek removal for such grounds as material that is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”

An explanation must accompany the application, including digital copies of photo identification, indicating that ever delicate dance between free access and anonymity.  For Google, as if it were an unusual illness, one has to justify the assertion of anonymity and invisibility on the world’s most powerful search engine.

Others have showed far more enthusiasm. Google’s implemented program received 12,000 submissions in its first day, with about 1,500 coming from the UK alone.  Floridi may well be right – the age of open access is over. The question on who limits that access to information in the context of a search, and what it produces, continues to loom large.  The right to know jousts with the entitlement to be invisible.

This article was published on June 2, 2014 at indexoncensorship.org

Both Google and the European Union are funders of Index on Censorship

 

Index urges court to rethink ruling on “right to be forgotten”

Index reiterates its concern at the ruling on the so-called “right to be forgotten” and its implications for free speech and access to information. Index urges the court to put a stay on its ruling while it pursues a regulatory framework that will provide legal oversight, an appeals process and ensure that private corporations are not the arbiters of public information.

While it is clearly understandable that individuals should want to be able to control their online presence, the court’s ruling fails to offer sufficient checks and balances to ensure that a desire to alter search requests so that they reflect a more “accurate” profile does not simply become a mechanism for censorship and whitewashing of history.

Issued without a clearly defined structure to police the requests, the court ruling has outsourced what should be the responsibility of publicly accountable bodies to private corporations who are under no obligations to protect human rights or act in public interest. Index will be monitoring very closely the processes and procedures used by Google and others to make decisions.

Although Google has devised an advisory committee to support its decision-making, the fact remains that we are in a situation in which search engines will be making decisions about what is deemed “irrelevant and inappropriate” – and a situation that fails to take into account the fact that information deemed “irrelevant” now may become extremely relevant in future.

Index urges the court to go back and reconsider its directions to search engines. It must devise a clear structure for managing requests that balances the public’s right to information, freedom of expression and privacy rights.

For more information call: +44 (0) 207 260 2660

****

Both Google and the European Union are funders of Index on Censorship