Month: September 2014

The strange case of Cookies or the flimsy balance between convenience and privacy

All cookies have a dark side, and no, it's not the chocolate.

All cookies have a dark side, and no, it’s not the chocolate.

Once upon a time, visits to websites were discontinuous, weren’t recorded and each was treated as the first one. This would make any multi-step operation impracticable as any commercial transaction would thus have to be conducted from start to end in one visit. This was due to the fact that, being the HTTP a ‘stateless’ protocol 1)Web browsers and web servers communicate using the HTTP – Hyper Text Transfer Protocol. This is the mean by which websites can be accessed. , websites weren’t able to store information about their visitors activity.

All that changed with Cookies.

Cookies are small pieces of data, stored on internet users’ browsers, which record their online activity and which websites use to store information about visitors. Among the stored information one can find the operating system, the Web browser and its version, the webpages visited using that browser, the time and date of the visit and the IP address, username and password, and other types of order form information or personal information like e-mail, phone numbers and addresses.

The practical and pleasant outcome is that we are now able to surf the Web more enjoyably and efficiently, while saving significant amounts of time. For instance, cookies allow a persistent login to various online websites, as they recall your previously created session identifier for every website, hence, enabling to finalize an online purchasing transaction in several visits without having to start the operation from scratch. Cookies allow as well the showing of advertisements tied directly to the parts of the website a visitor has consulted.

All this is possible due to a unique identifier assigned anonymous and randomly to the user on the first connection to the website, which the browser will store and use in subsequent visits.

Cookies may be used to many ends, such as remembering behaviours or movements within the website pages in order to customize the visitors experience or convey more personalized advertisement according to those activities.

Without cookies, much of the Web as we know it would cease to exist… Frequent visits to websites would require constant registration and shopping online would be almost impossible.

But cookies came with a price…

Indeed, cookies are the main reason why internet users enjoy all kinds of apparent free online services, as Youtube, Facebook, Amazon. The thing is: they are not really for free. They cost us bits of our privacy.

While cookies provide a variety of benefits, they also raise some concerns regarding the potential for abusive invasion of privacy of users, due to fact that they might store personal or sensitive data.

One of the issues is, as a website’s owner compile databases of information about individual users through cookies, it can sell the users personal information to third parties to its own profit. For instance, the user’s search preferences and purchasing habits might be linked to its e-mail address and sold, within a list of other users with similar behaviour, to a company which offers related or not so related goods or services which can result in unwanted marketing.

Another issue is represented by third-party cookies—also known as “tracking cookies”. Mainly used by advertisers, they are able to track your browsing activity across multiple websites and compile surfing habits. The risk of a matching between user’s e-mail, home address, and other personal data to his surfing history – behavioural profile – is a risk to privacy.

So cookies are not dangerous in themselves. They do not contain viruses and they do not download malware (malicious software) or spyware in your computer. Most of the information it contains has been presented by the user to a website as part of a registration form, payment pages, and other online forms. So one must always consider which websites the information is given to, reading the privacy policy of the website before sharing any personal information. These policies serve as a contract with the user regarding what the company may and may not do with the user’s information.

If you are concerned about your privacy, you can disable cookies. Web browsers as Mozilla Firefox have options which allow you to decide whether or not you want to block cookies on your computer. You can choose, as well, to automatically delete cookies when the browser is closed. Another option is to corrupt the cookies of specific websites so no information could be get out of it and the cookie won’t be replaced by another.

What does the law have to state on this matter?

Well, EU law doesn’t prohibit the use of cookies. It recognizes their importance and usefulness for the functioning of modern Internet but warns about how intrusive they might be to privacy. Therefore the legislative strategy consisted in establishing some requirements regarding the information to be given by website operators to end-users about their purpose and the consent of the latters.

The Privacy and Electronic Communications (e-Privacy) Directive, in its 2002 version, was amended in 2009 and major changes were introduced, now foreseen under Directive 2009/136/EC.

Article 5(3) of the e-Privacy Directive was amended as follows:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. 2)Article 5(3) of the old law of 2002 provided as follows:
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

That provision is complemented with recital 66, which states:

(…) The methods of providing information and offering the right to refuse should be as user-friendly as possible. (…) Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. (…)


The amended article 5(3) determines now that storing and accessing information on users’ computers would only be lawful on condition that the user concerned, having been provided with clear and comprehensive information about the purposes of the processing, has given consent to that end.

The meaning of ‘consent’ under the e-Privacy Directive is taken from the definition under the EU’s Data Protection Directive. Consent to personal data processing must therefore be “freely given, specific and informed”. It can be referred to as ‘opt-in’, meaning that the user must give his or her consent before cookies or any other form of data is stored in their browser.

This shall not prevent strictly necessary storage or access for the provision of a service “explicitly requested” by the user.

Considering the vast room for abuse associated with the use of cookies, and the concerns related to privacy that it raises, initiatives as the ‘Cookie Sweep Day’ announced by the French data protection agency (“CNIL”), whose director is the current chair of the Article 29 WP, and to which other European Data Protection Authorities (DPAs) adhered, might not come as a surprise. In order to assess the general level of compliance with the current legal framework, several random checks to websites were conducted.

Recently, Jean-Claude Juncker, the new President of the European Commission, recommended that the new EU Commissioner for Digital Economy and Society, Günther Oettinger, further the reforms to the e-Privacy Directive.

A new reform might be well needed as tech giants as Google, Microsoft and Apple are already developing new tracking technologies, which are intended to replace cookies, deemed to be inefficient.

Cookies might belong to the past anytime soon, but the privacy concerns are here to stay.

References   [ + ]

1. Web browsers and web servers communicate using the HTTP – Hyper Text Transfer Protocol. This is the mean by which websites can be accessed.
2. Article 5(3) of the old law of 2002 provided as follows:
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

The Google Affair: Forget Me, Forget Me Not – Part II

I can forget you, you know?

I can forget you, you know?

Bad pictures, dire comments, past scandals. The internet never seems to forget. How convenient would be the possibility to suppress any registry of events of the past, which might adversely affect our honour and dignity or simply expose our private life in an undesirable way?

According to the recent ruling of the ECJ, someone wishing to delete personal information from a search engine’ index will have to request so to the search engines services provider.

This decision is undoubtedly good news to those who would like to suppress information about them from the internet, but is likely to cause problems in practice.

It is unquestionable that people have a right to privacy, and that that privacy extends to information about them. Thus they have the right to control their personal data and can ask for its deletion when no longer have interest in its processing or storage and there is no legitimate interest in being kept by a data controller.

The issues regarding the qualification of search engines services providers as ‘data controllers’ have already been raised here and here. Unfortunately, our concerns don’t end there.

According to this decision, search engines have to deal with individual complaints or they can be challenged before judicial courts or a supervisory authority.

In order to implement the decision, Google had to devise mechanisms (an online form available on its website) in order to receive requests for link removal and was submerged by the amount of requests for personal data deletion received from nationals of the 28 countries of the EU. This has been representing major additional administrative burden for Google and will affect as well all other web intermediaries, as the repercussions of this ruling extend well beyond Google.

Then, search engine services providers will decide on the balance of the rights at stake, weighing up whether it is in the public interest for that information to remain.

Does it make any sense to establish this principle when there is no evident and easy answer about what is privacy nowadays or where do we draw the line between what belongs exclusively to private sphere and what belongs to the public domain?

It is a fact that Google have been removing links which infringe copyrights content on demand of copyrights holders. In those cases, however, there is no individual assessment and the process is mostly automated, which is a very different scenario from what the ruling entails. Indeed, each request would have to be considered individually and demands an appraisal that is not fit for a search engine. Thus, complying with this ruling could end up very costly because making this kind of assessment is not possible through algorithms.

As much as I can agree with the motivation of the ruling, this just doesn’t make any sense. The ECJ thus passes the responsibility to find the right balance over to private entities, businesses, whose primordial concern is profits, although they have neither the expertise nor the legitimacy to act as a legal authority. As a general principle, deletion of websites, or search links, should be decided by a legitimate entity, entitled with public authority, ultimately a court.

Anyway, pertinent questions arise regarding the interpretation of the rules set out in the judgement. What exactly is a public figure? What is deemed to be qualified as public interest? How long has to pass before personal data is no longer relevant? How can a search engine determine if data is inaccurate or its processing is excessive or disproportionate? How will the rights of the publisher be safeguarded in the internal process of a private company?

In the absence of any rigorous criteria to balance the rights of the data subject against the search engine’s economic interests and the public interest, search engine services providers lack a precise test to apply when assessing requests from data subjects for removing links to websites containing their personal data.

The advisory committee set by Google might not be the most adequate solution. The agreement reached by national data protection authorities to form a subcommittee establish uniform handling of such requests is much welcome.

In order to avoid any likelihood of liability for breaching data protection law and of unlawful processing of data, search engine services providers might prudently remove links, despite any public interest in its disclosure, rather than consider the balance of rights in every request. And who would possibly blame them?

The most evident and worrying outcome is that our facility to find information about other individuals is substantially reduced.

But it leaves some room for other discrepancies as well. Will the links deleted from the specific index created especially for a country (e.g. specific national language required) be available within searches operated in other countries? Or only search engines with no connection to the EU will be able to serve the results?

We might be dangerously heading toward a tiered and fragmented internet, with searches results in Europe being less complete than elsewhere. What about the free and open internet, then?

And what about managing the potential interests of third parties, also concerned by the deleted information, who might have as well personal data published but, on the contrary, wish to be easily found online through the search engine set of results?

The Advocate General already alerted 1)Paragraph 134 of the Opinion that suppression of legitimate public domain information would amount to censorship . For the sake of the full access to information and freedom of expression, it is imperative that Google should remain a neutral platform. To that aim, empowering a search engine service provider with censor competences is a remotely desirable result.

The main search engines in Europe already met, in Brussels, with the Article 29 Working Party, which brings together data protection authorities from across the EU, which intends to issue some EU-wide guidelines in order to achieve a unified implementation of the ruling.

Considering the possible scenarios foreseen, these guidelines are very much welcomed. However, it just seems that we are now trying to correct a system that was wrongly built from scratch. Indeed, according to its press release, DPAs asked, for instance, the search engines to explain their de-listing process and what were the criteria applied to the balancing process of their economic interest, the public interest in accessing information and the right of the person who wants the search results de-listed.

Now Google has planned public hearings, in an alleged quest for transparency, in order to boost a debate on the implementation of the ruling.

More recently, at the WP29 Plenary meeting of 16 and 17 September, the European data protection authorities decided to put in place a network of contact persons in order to develop common case – handling criteria to handle complaints presented to the data protection authorities, resulting from search engines’ refusals to “de-list” links from their results.

Now that the confusion has started, one may wonder where will all this end?

References   [ + ]

1. Paragraph 134 of the Opinion

Open Competition or the Dominant Undertaking Crusade

Google vs EU?

Google vs EU?

Google is undergoing a rough time in the European Union, being pressured on diverse fronts. There’s the famous ECJ ruling, and the polemics surrounding the collecting of data by Street View cars. Some think that the company should be broken up. Others see it as a threat to their sovereignty. But maybe it is all about fear, as admitted by Mathias Döpfner, chief executive of Axel Springer, a German publishing giant, in an open letter to Eric Schmidt, Google’s executive chairman. Some worry that big companies will be disincentive to invest in Europe.

Thus said, what is the fuss now?

Well, actually it is an already an old question…Over the years, Google has been facing increasing criticism regarding its search business’ dominant position in Europe.

Google’s market share in Europe is up to 90%, so there is no doubt that it has a dominant position in the European market. According to settled case law of the CJEU, dominance is a position of economic strength enjoyed by an undertaking which enables it to prevent effective competition being maintained on the relevant market by affording it the power to behave to an appreciable extent independently of its competitors, its customers and ultimately of the consumers.1)See Case 27/76 United Brands Company and United Brands Continentaal BV v Commission [1978] ECR 207, paragraph 65, and Case 85/76 Hoffmann-La Roche & Co. AG v Commission (1979) ECR 461, paragraph 38

It is a well accepted principle that, having reached a dominant position, the concerned undertaking has a special responsibility not to allow its conduct to impair genuine undistorted competition on the market.2)See Case 322/81Michelin, ECR 3461 (1983) paragraph 57

Therefore, a dominant position is not in itself illegal. However, according to article 102 of the Treaty on the Functioning of the European Union (TFEU), if an undertaking exploits this position to eliminate competition, it is considered be an abuse, which is deemed to be an anti-competitive conduct.

One must be well aware that a competitive market is desirable for the competitive quality and price it offers, the choice it allows and the innovation it brings. The ultimate beneficiary of competition is the consumer of a good or a service, i.e., all of us. It might not come as a surprise that less successful competitors might try to reduce the market share of a dominant undertaking in their favour.  That is what competing is all about: to try to be better than your competitors, try to be the best at something. But one should expect that they will try to do so through competition! One should not be wary of a dominant position simply due to to its huge market share or to the amount of power it entails, although it shall not be left unrestrained either. A successful company shall not be ‘punished’ or persecuted for its success. The legitimacy of the dominant undertaking’ activities shall always be accessed according to the consumer’s interests.

Back in 2010, the European Commission opened an antitrust investigation into allegations that Google Inc. has abused a dominant market position, in violation of European Union rules (Article 102 TFEU), following 18 (eighteen) complaints presented by its competitors regarding Google’s online search and search advertising.

In short, despite the four areas of concern raised by European Commission, the focus of the case was Google’s vertical search results and the extent to which it favoured its own specialized search services, reducing the visibility of results from competing sites.

Late February, the European Commission announced (here) a settlement proposal from Google in the context of the ongoing antitrust investigation – the third from Google after the previous two were criticized as not going far enough – which it deemed satisfactory.

In this proposal, Google has committed to visibly display links of the services of three competitors, selected through an objective method, whenever it promotes its own specialized search services on its web page following a search query. Some of these links would require the competitors to pay Google.3)You can better understand the proposal from the screenshots as shown here

This proposal received a strong public backlash, namely, of course, from Google’s competitors, apparently very concerned with the users’ interest which is, as previously mentioned in the text, a valid point, however not as convincing as intended, coming as it comes from less successful competitors.

For instance, the FairSearch group, which Microsoft backs, argued that

[it]requires rivals to pay Google for placement similar to that of Google’s own material, undercutting the ability of other to compete and provide consumer choice. This will be done through an auction mechanism that requires participating companies to hand the vast majority of their profits to Google.

Several French and German publishers and companies, among which Axel Springer, created an initiative called the ‘Open Internet Project’, insisting that the commitments proposed by Google to bring this investigation to an end are not sufficient to safeguard a competitive online market. The claims can be accessed on the group’s website.

In June, the European Commission invited complainants to react to Google’s proposal and received a significant negative feedback from press publishers, pressing the European Commission to reject Google’s proposals and proceed to a formal charge with infringement, stating as follows:

(…) the most prominent areas of any search results pages would be reserved for Google’s own services, independent of their quality, while all rival services have to accept inferior visibility even if they are far more relevant to a search query.

And they added:

The only relevant “commitment” is the addition of three Rival Links’ whenever Google puts links to its own monetized services first. However, in the most relevant commercial areas rivals will have to bid for a Rival Link in an auction and pay Google the highest price for a click. As a result, websites would not be ranked by relevance anymore but primarily according to the price they are willing to pay Google. As a new type of ad, Rival Links are not a concession but a new revenue stream for Google. As rivals could always bid for AdWords-ads, their situation is not improved.

No one can blame the settlement’s critics for any lack of coherence as these reactions are in line with those of lead complainant Foundem, who sustained that the proposed rival links will consume the majority of rivals’ profits and will not be selected according to relevance, merit, or quality.

Eric Schmidt, Executive Chairman of Google, recently addressed this issue, under the title ‘We built Google for users, not websites’, stating:

To date, no regulator has objected to Google giving people direct answers to their questions for the simple reason that it is better for users.

Facing the described context, the European Commission might have to seek to obtain more concessions from Google.

As the current Commission’s will be replaced in November, it is very unlikely that Joaquín Almunia, Vice-President of the European Commission and Commissioner responsible for competition, will be able to attain a final consensus within the Commission by then and the decision will most certainly be postponed in order to be taken under the next Commission.

Thus being said, Google is obviously trying to avoid formal charges. Of course it has no interest in having to pay a high fine nor damaging its reputation. But one might wonder if any compromise will ever be sufficient for its competitors.

From the several points raised by complainants, it seems sometimes that the intention is to artificially propel traffic to websites that compete with Google. That should not Google’s obligation. That wouldn’t even be fair for Google, nor in the best interests of consumers. And it would imply a senseless and unjustified advantage for competitors at the expenses of Google and, ultimately, consumers.

What must be ensured is the effectiveness of competition on the merits in the areas of specialized search and search advertising and, more importantly, the desirable effectiveness of the principle of Open Internet. The principle of Open Internet is defined as the enabling of Internet users to access the content, applications and services of their choice. It is therefore closely linked to the principle of Net Neutrality, meaning the ability for consumers to access and distribute information or run applications and services of their choice.

But an Open Internet also closely linked to competition among network, services and content providers, as it implies that each provider have the opportunity to test the value of its projects in the online marketplace. The door shall remain wide open for the next big company that will shake the online world. One must not forget that back in the 90’s, in the heydays of the internet, search engines as AltaVista and Yahoo were as popular as Google is now. Google outran them due to users’ preferences. And it must be guaranteed that consumers will be able to know about and use other services in the future if they prefer so.

Therefore, as competition and the principles of an Open Internet and Net Neutrality serve and benefit ultimately the consumers, competitors are not the main aim in themselves. Although they undeniably benefit from that protection, any confusion between the interests of consumers and of competitors shall be avoided.

Google shall not be prevented from improving its own services because its competitors are not as successful or are unable to keep up. So the suggestion of German justice minister Heiko Maas for Google to reveal its ranking algorithm in order to be more transparent appears as senseless.

What must be guaranteed is that users are informed of the existence of the competing websites, their relevance to the search, and are given the possibility to access them, thus providing users with a genuine choice between competing services. This must be the core of the European Commission’s assessment regarding the further concessions it might demand from Google in the future.

References   [ + ]

1. See Case 27/76 United Brands Company and United Brands Continentaal BV v Commission [1978] ECR 207, paragraph 65, and Case 85/76 Hoffmann-La Roche & Co. AG v Commission (1979) ECR 461, paragraph 38
2. See Case 322/81Michelin, ECR 3461 (1983) paragraph 57
3. You can better understand the proposal from the screenshots as shown here

The Google Affair: Forget Me, Forget Me Not – Part I

Am I forgetting something?

Am I forgetting something?

The ruling better known as the ‘right to be forgotten’ decision won’t risk to be forgotten any time soon.

To make a long story short, the ECJ ruled that the operator of a search engine – in that particular case, Google – is obliged to remove from the list of search results displayed, according to a search made on the basis of a person’s name, links to web pages published by third parties and containing information relating to that person, even when its publication is otherwise lawful and the information is factually correct.

I understand (and welcome) the motivation behind the judgments. It is comforting to know that individuals, where there is no legitimate – and consequently stronger – public interest involved, may be able to move on from their past. As it is very difficult to restrict our lives to the offline world, Google and search engines in general are, nowadays, the primary instrument to find information about everything and anyone, to the point that ‘google’ is commonly used as a verb referring to an online search conducted on that search engine. Without search engines, information wouldn’t be, in the vast majority of cases, so easily accessible.

And that is certainly the main issue at stake. As stated by the Court:

(…) processing of personal data, such as that at issue in the main proceedings, carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him.  1)Paragraph 80th of the ruling

So a ‘right to be forgotten’ might as well be a necessary principle in an unforgetting world.

But, true to be told, the principle of giving citizens more control over their personal data – including its deletion – doesn’t come as the new right in town. It existed long before what was decided by the ECJ in several Member States’ legislation, although without such a sticky nickname. Furthermore, it is foreseen in the directive 95/46 on data protection which remains applicable to the Internet as it has developed since. And a related provision is expected to be included in the General Data Protection Regulation, intended to replace Directive 95/46/EC, currently being negotiated at the Council of the European Union. The principle of individuals being able to move on from their past therefore doesn’t come as an originality.

What was indeed a surprise, and not a good one I must admit, was the conclusion that Google, while processing information published by a third party, act and is liable as a controller, and shall delete links to articles lawfully published by third parties, which can remain available on the latter’s website.

One must admit that this conclusion is in line with the obligations that article 6(2) of the Directive foresees regarding controllers while processing personal data: the controller shall weigh its interests, those of the data controller, those of third parties and those of the data subject.

That conclusion is also in line with the observations of the Court in ASNEF and FECEMD ruling2)Joined Cases C 468/10 and C 469/10 ASNEF and FECEMD [2011] ECR I 0000, paragraphs 44–45, regarding the relevance of the data previous appearance in public sources.

And disregarding all the questions (as mentioned here and here) that unavoidably arise while considering a search engine as a ‘controller’, the ECJ tried to establish criteria for the removal of links and consecrated a balance to be achieved to that end.

Therefore, search engines shall erase data deemed inadequate, irrelevant or no longer relevant, or excessive in the light of the time that had elapsed.3)Paragraph 94th of the ruling According to the ECJ, even accurate data, despite lawfully published initially, can “in the course of time become incompatible with the directive”.4)Paragraph 93rd of the ruling These key criteria – “inadequate, irrelevant or no longer relevant, excessive in relation to the purposes of the processing” – shall be balanced with the economic interests of the operator of the search engine and the interest of the general public in finding that information upon a search relating to the data subject’s name.5)Paragraph 97th of the ruling

However, as rightly pointed out by the ECJ:

(…) that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question.6)Paragraph 97th of the ruling

The preponderant public interest is consequently the ultimate test to ensure that information which ought to continue widely available is not removed.

I personally doubt that the Court succeeded in defining the desirable rigorous criteria necessary to achieve a fair balance of rights to privacy and personal data against freedom of expression and information. In fact, the ECJ provides very little legal certainty as it merely portrays an unclear balancing act between the rights of the data subject against the search engine’s economic interests and the public interest, to be determined casuistically.

And this can have very serious repercussions considering that the removal of links from the list of results can have effects upon the legitimate interest of the publishers of the information and of internet users potentially interested in having access to that information.

As pointed out by the General Advocate:

The data protection problem at the heart of the present litigation only appears if an internet user types the data subject’s name and surnames into the search engine, thereby being given a link to the newspaper’s web pages with the contested announcements. In such a situation the internet user is actively using his right to receive information concerning the data subject from public sources for reasons known only to him.7)Paragraph 130 of the Opinion

And he added:

In contemporary information society, the right to search information published on the internet by means of search engines is one of the most important ways to exercise that fundamental right. This right undoubtedly covers the right to seek information relating to other individuals that is, in principle, protected by the right to private life such as information on the internet relating to an individual’s activities as a businessman or politician. An internet user’s right to information would be compromised if his search for information concerning an individual did not generate search results providing a truthful reflection of the relevant web pages but a ‘bowdlerized’ version thereof8)Paragraph 131 of the Opinion

It most certainly doesn’t help that the ECJ establishes that data subject’s rights protected by articles 7 and 8 of the Charter override, as a general rule, that interest of internet users.9)Paragraph 81st of the ruling Does this mean that the right to privacy is the general principle, only subjected to sporadic exemptions represented by the exceptional precedence of the freedom of expression and right to information?

This priority doesn’t seem to be established nor in the Charter nor in the European Convention of Human Rights. It is only expectable that a data subject’s right to protection of his private life must be balanced with other fundamental rights, namely with freedom of expression and freedom of information. Additionally, the conclusion according to which the inclusion in the list of results of a search engine constitutes a more significant interference with the data subject’s fundamental right to privacy than the publication on the web page, seems to forget that, nowadays, freedom of expression is not just about the right to publish, but also about being found online. We have attained a historic momentum where to not be found through a search engine or to no exist online is pretty much the same.10)Paragraph 87 of the ruling

Therefore, the applicability to search engines but not to news websites or other journalistic activities, due to exemptions for “media” under European data protection law, so the original information itself could remain, does not represent a satisfactory guarantee of the right to information at a time when people have access to both newsworthy information and publishing tools.

Considering the challenges at stake, it is very unlikely that a search engine service provider will satisfactorily balance all these conflicting interests. The general fear that the implementation of this ruling will entail sacrificing of freedom of expression and information might not come as a mere alarmism.

It is worth question whether and how this ruling will affect the negotiations for a General Data Protection Regulation currently ongoing at the Council of the European Union. The Italian Presidency circulated to the DAPIX working group a note entitled ‘Right to be forgotten and the Google judgment’ to examine how the future legislation on the right to deletion should be developed.

This raises some confusions considering that it is for the Council of the European Union and for the European Parliament, as co-legislators, to make the law as it will stand in the future and for the ECJ to interpret the law as it exists.

References   [ + ]

1. Paragraph 80th of the ruling
2. Joined Cases C 468/10 and C 469/10 ASNEF and FECEMD [2011] ECR I 0000, paragraphs 44–45
3. Paragraph 94th of the ruling
4. Paragraph 93rd of the ruling
5. Paragraph 97th of the ruling
6. Paragraph 97th of the ruling
7. Paragraph 130 of the Opinion
8. Paragraph 131 of the Opinion
9. Paragraph 81st of the ruling
10. Paragraph 87 of the ruling

Celebgate or The Cloud Conundrum

iCloudy with a chance of pictures.

iCloudy with a chance of pictures.

So, after women being already the main target of social engineering, street harassment, cyber harassment, workplace harassment, sexual harassment, or revenge porn, and all the other creepy forms of gender orientated attacks, the online world has recently assisted to the leak of hundreds of intimate pictures of celebrities, such as Jennifer Lawrence, Kristin Dunst, Rihanna and Kim Kardashian.

Well, the word ‘leak’ might not be the most suitable, considering the outlines of the situation… Theft, break-in, hacking, privacy violation, online assault or pirating are far more realistic expressions.

So what happened, really?

Someone – who I just cannot help but picturing as a disgusting and sexually frustrated slobbering pervert with no sense of civility – accessed the iCloud accounts of some targeted celebrities and disclosed their personal pictures online. 1)For those who might not be aware, the Cloud is a storage and back-up system which enables users to keep personal information. As the data is kept online, it allows users to save space in their computers, smartphones or tablets, while being able to access them from any device and from anywhere. Companies as Apple, Google, Microsoft and Amazon, just to name a few, all provide cloud-based storage.

What do all the victims have in common? Well, to start with, they all are worldly known for some reason… and all are women.

I really cannot understand why someone would be tempted to access intimate pictures of women against their consent, even celebrities, when the internet is full of websites with pictures of women who willingly or professionally display their naked selves.

It was an evident gender orientated attack, which seems to be a usual and sick practice on the Internet nowadays, intended to publicly expose and shame the victims. As far as I am aware, men are not usually targeted by such endeavours.

Anyway, the central hubs for the displaying and divulgation of the links to the pictures were the websites Reddit and 4chan. The photos then have spread across the Internet like wildfire and the case has been inimitably nicknamed as ‘Celebgate’.

This incident has leaded the public attention to an immediate question: how could attractive young women even dare to take pictures of them or let themselves to be photographed in erotic or sexual poses or situations? For a vast – and scary – amount of internet users, the victims are therefore the major culprits for their own violation. Being celebrities (or should I say women?) they should have known better than to take pictures intended to remain private or only to be shared with whoever they wanted.

On a second thought, this occurrence lead the internet users to reflect on how really private is our private information. A very legitimate concern considering the revelations of Edward Snowden, the recent data breaches news regarding American retailers, as Target and Home Depot, and the hacking conducted on Chinese hospitals’ medical record.

But the incident has put the spotlight on the online security in general. After all, it is very likely that hackers gained access to much more sensitive data than pictures and videos. And if celebrities’ accounts can be hacked, it can happen to anybody, right?

Apple denied having suffered a data security breach and insisted that none of the material was obtained from the company’s servers directly. In a released statement, it affirmed having discovered; instead, that the hacking seemed to be the result of a brute-force attack on users names, passwords and security questions.

Notwithstanding, while the poor choice in passwords and the non implementation of Apple’s two-factor authentication might have been a hinder in terms of security, the vulnerabilities on the security software were undeniable. For instance, iCloud specific backup system did not implement adequate safeguards against brute-force attacks. 2)Brute-force attacks refer to repetitive attempts to break into a user’s account by trying possible combinations of letters, numbers and symbols in order to discover the correct password.

Apple’s announcement that it will strengthen its security measures for its cloud storage platform iCloud thus might not come as a coincidence. Tim Cook informed that users will receive an alert when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time. Moreover, Apple intends to broaden its use of an enhanced two-factor authentication security system.

Despite the unfortunate implications for the victims, it has drawn the very much needed attention and raised awareness – as no other incident so far – to how people share, store and secure their personal and sensitive data.

There are valuable lessons to learn from this incident. The apparent ugly truth is that if someone with the proper time, knowledge and means wants to access your personal data, they will try to and might get it if the proper security measures are not taken. So it is better to assume that nobody is safe from a similar assault.

It is therefore necessary to improve our personal security posture and implement all the available tools to prevent the success of potential future attacks.

To start with, you must be aware if you use services that automatically backup your data and choose if it is convenient for you to keep that feature on or to turn it off. If you intend to use a cloud service, choose one which will encrypt your data.

Secondly, it is very important to implement strong login credentials. A multifactor authentication and the use of a complex and unique password for each online account are usually highly recommended. You can go even further and use passphrases instead of passwords. A password manager will allow you to achieve a deeper protection. 3)The two factor authentication implies two elements: something you know and something you have. Therefore, besides the password (what you know), you will asked for a second form of identification the first time you log onto an account from a new device. It normally involves being sent a code by text message (what you have/can access).

These are some basic and well-known measures but the ‘Celebgate’ is here to remind us that everybody, and not only women, needs to take a better care of their online selves. Women might be the main target of hacking intended to publicly humiliate them, but anybody can be a target of hacking with all intends and purposes, with more or less serious and far-reaching consequences: to creepily spy on friends or family or the girl that rejected them; for ‘intellectual’ challenge; to steal services and valuable files, namely regarding intellectual propriety; to collect credit cards details or engage in other forms of credit card fraud; computer take-over; identity theft; mail hacking to disseminate spam…

Some might prefer to judge the victims and to look at their pictures. But the big picture to look at is: use whatever devices and services you want, but use them knowingly and safely. Nobody will protect you online better than yourself.

References   [ + ]

1. For those who might not be aware, the Cloud is a storage and back-up system which enables users to keep personal information. As the data is kept online, it allows users to save space in their computers, smartphones or tablets, while being able to access them from any device and from anywhere. Companies as Apple, Google, Microsoft and Amazon, just to name a few, all provide cloud-based storage.
2. Brute-force attacks refer to repetitive attempts to break into a user’s account by trying possible combinations of letters, numbers and symbols in order to discover the correct password.
3. The two factor authentication implies two elements: something you know and something you have. Therefore, besides the password (what you know), you will asked for a second form of identification the first time you log onto an account from a new device. It normally involves being sent a code by text message (what you have/can access).

The biaised path of Net Neutrality

Net Neutrality

Net Neutrality?

Network neutrality or Internet neutrality, commonly referred as ‘Net Neutrality’ is a principle according to which all the data trafficked on the Internet should be treated equally by governments and service providers, without discrimination, restriction nor interference.

It means that Internet Services Providers (ISPs), although their management systems enable them to prioritize, block, filter out content, artificially slow and degrade specific network traffic, shall not make a distinction nor charge differentially the different types of traffic, i.e., independently of the sender, receiver, user, content, device, service, site, platform, application, etc.,…

Net Neutrality is, therefore, an important element of an open Internet. Not only does it allow an easy and fast access to information, it boosts as well entrepreneurship through the creation of online services, such as Google, Facebook, Dropbox, Twitter, Skype, just to mention a few, who were able to develop online and freely compete with existent services. The direct and ultimate beneficiaries of all these innovative ideas and the competition it entails are, undoubtedly, the consumers.

So, having these benefits into consideration, what is the problem?

Well, there is indeed a reverse of the medal. Requiring broadband providers to treat equally all traffic makes networks less profitable. For that reason it can discourage investment in network infrastructures and the consequent beneficial innovation in favor of online services.

Managing the proper balance between these diverging interests represents an unsteady pathway, as well demonstrated by the tumultuous efforts at the EU level regarding the adoption of the regulation laying down measures to achieve a European single market for electronic communications.

On September 2013, the European Commission, represented by the former Commissioner for the Digital Agenda, Neelie Kroes, proposed an important legislative package, which contains the new rules for the telecoms industry, intended to achieve the Telecoms Single Market (TSM), namely by ending roaming charges, guaranteeing an open Internet, coordinating spectrum licensing for wireless broadband.

One of the most trumpeted and criticized measures concerned Net Neutrality as it contained very conflicting provisions. Indeed, it foresaw that providers of Internet access services shall not restrict the freedoms of communication by blocking, slowing down, degrading or discriminating against specific content, applications or services. However, it added some confusing exceptions that could undermine the open and neutral internet.

For instance, it allowed the evident differentiation and consequent prioritization between services though the provision of

specialized service […] with an enhanced quality of service

Moreover, in order to enable the provision of specialized services to end-users, it allowed providers of content applications and services and providers of electronic communications to

enter into agreements with each other to transmit the related data volumes or traffic […] with a defined quality of service or dedicated capacity

Furthermore, it stated the possibility to apply reasonable traffic management measures according to the internet access providers’ necessities.
This would open the door for telecommunications operators granting prioritized delivery through specialized services to the players who would be willing and financially able to engage in such agreements, while deprioritizing new entrants or existing players who wouldn’t have the capacity to engage in such agreements. It would also permit mobile networks and broadband providers to block services that compete with their own offerings. This would of course impair competition and undermine room for innovation and freedom of communication as we know it on the internet.

On late April, despite the tight schedule, the lobbying frenzy of civil society and telecommunications industry and the conflicting visions that have divided the MEPs, the European Parliament adopted, in first reading, the Regulation on the TSM.

Although, along the way, it has been proposed that Net Neutrality should be defined as the principle according to which only equivalent traffic should be treated equally, allowing for different quality of service (let’s remember the proposal of Pilar del Castillo Vera (ES – EPP), the ITRE rapporteur on this dossier, in her compromise amendments), the adopted text contains substantial amendments to the EC proposal, including a rigorous definition of Net Neutrality.

The adopted text provides a framework for ‘specialized services’, which are defined, in article 2(15) of the text, as

an electronic communications service optimized for specific content, applications or services, or a combination thereof, provided over logically distinct capacity, relying on strict admission control, offering functionality requiring enhanced quality from end to end, and that is not marketed or usable as a substitute for internet access service

Moreover, specialized services can be offered only in addition to Internet access services, provided that such offers are in addition to internet access services and are not to the material detriment of their availability or quality, thus ensuring non discrimination between providers of such applications.

The concept of network management has been narrowed to where it is necessary to apply reasonable traffic management measures to prevent or minimize the effects of network congestion, provided that equivalent types of traffic are treated equally, or to implement a court order.
Due to the divergent interests at stake, this outcome has not pleased everyone. While it has been perceived as a victory by the consumers’ advocates, the communications industry representatives have been manifesting some concerns over the vote, stating that this will prevent them from being able to offer enhanced services.

Considering the cost of infrastructure upgrades to cope with increasing data demands, one might ask if consumers should expect bigger bills from telecom and cable companies.

In addition, considering the prohibition of ISPs blocking content, concerns have been raised regarding WebPages containing images of child pornography, as a court order would be required in those cases in order to deter any further sharing. To avoid the undesirable consequences of any delay, it would be important to reflect on some exceptions.

The text is currently being discussed by the Council of the European Union, which includes representatives of each member state. The meeting of ministers which took place, on June 6, in Luxembourg, demonstrated that EU Member States might be far from reaching a common position. So the big question mark concerns the possibility of the Council to deviate from the position adopted by the European Parliament.

The path that lies ahead might continue to be hazardous. And only time will tell if the necessary safeguards to protect net neutrality and prohibit network discrimination in Europe will be maintained. At this point, looking at the other side of the Atlantic wouldn’t be of much help, considering the recent decision of the Federal Communications Commission regarding commercial discrimination on the Internet.

The Google Affair: To be or not to be a Data Controller – Part II

Data controller or Data processor?

Data controller or Data processor?

With an evident and unfortunate confusion between the roles of ‘data controllers’ and ‘data processors’, (as analysed previously) the European Court of Justice (ECJ) qualifies, in its famous ruling, Google as data controller, while simply reproducing existing information.

This has far reaching implications and raises a number of complex and problematic issues. In this post, we will only be able to address some questions.

Indeed, to consider search engines services providers as data controllers for the purposes of EU law entails that they are obliged to respect the rights and freedoms of the data subjects, comply with a set of principles and obligations as foreseen in Directive 95/46, when they process personal data, and be prepared for liability in case of failure in behaving accordingly.

This obviously forces a shift in search engines services providers’ responsibilities regarding the individuals whose information they process.

A very pertinent and practical question must be asked: how can search engines services providers fulfil the obligations impending on controllers, as provided in Articles 6, 7 and 8 of the Directive, in relation to the personal data sourced from web pages hosted by third-party servers?

If an internet search engine service provider is to be considered a controller, it must guarantee that the processed personal data is adequate, relevant, and not excessive in relation to the purposes for which it was collected, up to date, and no longer than is necessary for the purposes for which the data were collected.

Considering that the search engine merely locates information made available by third parties, indexes it automatically and makes it accessible to internet users according to a particular order of preference, it remains to be explained how a search engine service provider will be able to appraise its compliance with those requirements. Isn’t the publisher of the website concerned in a better position to conduct that assessment?

As to the criteria concerning the legitimacy of processing of data made available on the internet, including personal data, in the absence of a data subject’s consent, it is unquestionable that internet search engine serve legitimate interests. Indeed, it allows an easy and quick access to information and contributes to the dissemination of the information uploaded on the internet.

But what happens when the search engine processes information that is inserted in a special category of data (e.g. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and concerning health or sex life), which processing is prohibited, unless, for instance, data subject has given his explicit consent?

It is important to reflect on the hypothesis raised by the Advocate General, in its opinion:

if internet search engine service providers were considered as controllers of the personal data on third-party source web pages and if on any of these pages there would be ‘special categories of data’ referred to in Article 8 of the Directive (e.g. personal data revealing political opinions or religious beliefs or data concerning the health or sex life of individuals), the activity of the internet search engine service provider would automatically become illegal, when the stringent conditions laid down in that article for the processing of such data were not met.

Would the processing of special categories of data by search engines be deemed to be illegal if the requirements for the processing of such data on third-party source web pages were not met? Is that even a conceivable scenario?

Additionally, considering that, in order to be lawful, and if no other criterion is applicable, the processing of personal data must be carried out with the consent of the data subject, it is only legitimate to question how can search engines services providers ensure the consent from data subjects with whom they have never been in contact with?

Furthermore, one must wonder about the effectiveness of the exercise of the data subjects’ right to access to data, as foreseen in the above mentioned directive, and Google’s capabilities to satisfactorily comply with its obligation, attending to the fact that its activity of caching webpage’s for relevance index ranking depends on an algorithm that will perform the content analysis automatically. Attending to this notion of relevance, e.g., it will be impossible to distinguish in practice people who share the same name.

I guess we all just have to wait to see how all the implications will work in practice…

The Google Affair: To be or not to be a Data Controller – Part I

Is Google a Data Controller?

What am I?

It would be very difficult – and to some extent odd – to start a blog with the intention to express my viewpoints on privacy issues, and related matters, without mentioning the already thoroughly commented ruling, better known as the “right to be forgotten” decision, where the  European Court of Justice (ECJ) concluded that, in order to comply with the rights laid down in Directive 95/46:

the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

It might not come as a surprise – after all, I just created a blog – but I have as well some comments that I would like to share in this (still) freedom of expression ever growing and globalized, yet interconnected, technological world.

However, I do not intend, at least today, to reflect on how the ‘right to be forgotten’ may or may not work in practice.

Instead, I would like to refer to a recent speech of  Martine Reicherts, who stated that internet search engine service providers, such as Google, have a big responsibility in ensuring that personal data is being handled properly.

And it is precisely this new notion of ‘responsibility’ regarding search engines services providers that I consider disturbing. After all, until very recently, the internet search engine service providers liability for the third-party content they transfer and/or store has always been quite restricted. I therefore have some doubts and concerns about this sudden and innovative understanding of the responsibility of internet search engine service providers as data ‘controllers’.

One should not forget that the role and legal position of internet search engine service providers has not been expressly regulated in EU legislation.
Their activity consists in locating information made available on the internet by third parties, indexing it automatically, storing it temporarily and finally, making it accessible to internet users according to a particular order of preference.

In this context, we agree with the understanding stated by the ECJ according to which an internet search engine provider processes personal data (if that data relate to an identified or at least identifiable subject) as foreseen in Directive 95/46, regardless of the fact that it also carries out the same operations in respect of other types of information and does not distinguish between the latter and the personal data.

However, in this same context, the internet search engine service provider cannot be automatically considered as ‘controller’ of the processing of such personal data!

A controller is, according to the aforementioned Directive:

the natural or legal person […] which alone or jointly with others determines the purposes and means of the processing of personal data.

A special reference to the processing of personal data by information society services that act as selection intermediaries is absent from the Data Protection Directive.

In this particular case, based on complete automated search algorithms which filters data and delivers results based on relevance and popularity, Google is not aware nor exercises any control over the data included in the publisher’s webpage. In this particular context, Google was not able to distinguish between personal data and other data. Moreover, it is not able to change the content in the host servers.

It is therefore evident that Google acted act as a data processor, i.e., an information society intermediary between content providers and internet users, only storing information and supplying an information location tool.

As stated by the Article 29 Data Protection Working Party:

[t]he principle of proportionality requires that to the extent that a search engine provider acts purely as an intermediary, it should not be considered to be the principal controller with regard to the content related processing of personal data that is taking place. In this case the principal controllers of personal data are the information providers.

I thus strongly support the view expressed by the Advocate General in his Opinion on this case.

Surprisingly, the ruling point out in the opposite direction, and Google was regarded as responsible, under data protection law, for the results which it returned. The fact that the processing of data is conducted entirely by complex algorithms, without any of its control, was absolutely disregarded by the ECJ.

Instead, the ECJ stated that search engines have a separate responsibility from publishers, consisting in loading those data on an internet page, to which is additional. Indeed, according to the ruling, search engines shall be liable to make accessible outdated information because it still is available in a publisher’s website:

that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published.

This is just too far-fetched…

© 2019 The Public Privacy

Theme by Anders NorenUp ↑