Aiming to save privacy, jeopardizing freedom of speech: The "Right to be forgotten"

Google strives to make every kind of information searchable. A fascinating, and to some somewhat sinister goal. Now, the European Court of Justice has decided that every citizen of the EU has a "Right to be forgotten" that is enforceable against Google (press release, .pdf – En, Ger). Surely, that is for the better, no?

No, it is not. Not at all. Except for one detail: The ECJ ruled that European Privacy laws are applicable to Google's services offered in the EU, even though it's incorporated in California. That makes sense. Ok.
Let's take a closer look at the ECJ's decision.

No balance

If an individual wishes for links to be removed from the results for a search for their name, Google has to do so. While there are exceptions for public figures, the rule is that privacy trumps freedom of speech and freedom of information. That's it. There's no balancing by the ECJ, as there ought to be whenever fundamental values like these collide. That is the most fundamental problem.

Invisible information

A very, very disturbing consequence of that lack of balance is that the ECJ separates information itself from its discoverability. I'll give an example: An individual requests the removal of a newspaper article about themself. Google complies with the request. The article, on the newspaper's website, stays online. Technically, the article is still "out there". The point is that nowadays, what Google doesn't find also doesn't exist, as far as the general public is concerned. And the ECJ explicitly knows that.
Just a reminder: We're talking about perfectly correct and lawful content here. Mr. Masing, judge with the German Constitutional Court, hits the nail on the head: He points out (Ger) (I'm paraphrasing) that in a free society, it would suggest itself that a statement covered by freedom of speech can also be distributed freely.
The ECJ seems to disagree on that very point, arguing with the "effective and complete protection of data subjects".

One caveat: As soon as your search query doesn't contain that person's name, the newspaper article will show up in the results. How do you find information about a person without using their name, though? Managing that will become some sort of "skill" or something along those lines.

Trusting the cat to keep the cream

That's not the end of it. Google itself is obliged to make the decision about which request to grant. There's all kinds of problems with this. As just described, the ECJ's decision bases on the very premise that people won't find what Google doesn't list. Hereby, it acknowledges Google's gatekeeper position to the Internet. Instead of carefully working with this though, the ECJ goes on and hands Google the holy grail: The decision over what information is to be "forgotten" and what information is to be preserved.
You don't like Google's power that lies in managing all the information in the world? Better make sure to let them decide which website to remove from search results!

Google's impossible task

I was part of a small group of law students that visited Google's in-house counsel here in Germany, shortly after the ruling. He told us that Google definitely doesn't want the burden of having to make these decisions. Not only because it costs them a ton of money, but also because Google aims to make information available instead of doing the opposite, so the very idea to selectively de-list websites repulses them. But of course they would comply with the law. It was also said that Google, in case of doubt, would risk litigation in the name of freedom of speech.
Whether or not you believe all parts of that statement: They don't want the burden of the process, that's for sure. They are puzzled, and rightfully so, since the ECJ didn't give too much guidance on how to make these decisions. Google simply isn't capable (and really nobody would be) of making tough decisions like these with a lack of information about the specific case – on a massive scale, let's not forget that.

So, to somehow deal with this appropriately, Google seems to want to assemble some form of "council" to come up with some rules for the decision process. Now, it is understandable that Google wants to show that they're on top of this.
The problem is that any body of people picked by Google will always lack democratic legitimization. If this is to be "proper" co-regulation, there have to be requirements for the regulation process. Coming up with those would be the European legislator's task, not that of a group of people assembled by Google, however qualified they might be. The ECJ also misses the opportunity to lay these requirements out.
Getting privacy advocates into the process also wouldn't work. There is a danger of them becoming "Communication regulation Agencies", as Masing puts it (Ger).

In case you're in doubt that the current model can't work: We've already seen how it works out. Google de-lists specific search results, in compliance with the judgment. Then the Guardian complains about Google not making the right call, playing the censorship card, and legitimately so. Google reverses its decision, also justifiably.
Nobody could blame Google for defaulting to make the decisions so that there's the least complaints, meaning granting all requests except the ones demanding de-listing of a Wikipedia page or a newspaper article. There's some hope that there will be litigation at some point, resulting from Google not complying with a removal request (or defending a specific de-listing, but I honestly think the other way around is much more likely). That means trusting Google with going to court in the name of the freedom of speech. I'm not entirely convinced that's what the ECJ intended.

Privacy who?

A side note: This is supposed to be about privacy. Well, I have to be honest: I’m a law student, and not since yesterday. But "privacy" for me was more the kind of thing that allowed you to go to Deutsche Telekom and request all of the information they have about you, like Malte Spitz did. Search results are nothing more than links to publicly available websites. "Privacy" wouldn't have come to my mind in a thousand years. And, at least before the ECJ’s decision, many others wouldn’t have thought of it either. Now, of course, nobody can afford to even express this thought.
The decision's severe consequences come from the inapt application of "full effect" privacy principles to an information and communication context.

Inconsistencies and backfiring

On top of that, there are several weirdnesses and inconsistencies.
Normally, you're redirected to a Google page with a TLD according to the country you're located in, for example google.de in Germany. On Google's main page though, you can switch to google.com (link in the bottom right corner) and hereby get to unaltered search results. Yes, it is that easy.
On one hand that is good, because that means all of the stuff I described above is easy to circumvent. On the other hand: The fact that wrong regulation is easy to circumvent doesn't make it right or even less dangerous. Even more dangerous actually, because it makes the slippery slope that this is seem more harmless.

Alluding to Google's position as a gatekeeper: Any search engine operator with meaningful market share will be obliged to do the same. Remember, due to the massive scale, this requires significant infrastructure and therefore raises the bar of entry into this market even further. Maybe Microsoft will get annoyed with all of the EU's regulation and just leave the search engine business altogether. Who knows? Anyway, this is another way the ECJ further reinforces Google's position.

Another point, seemingly small but even more weird, is that publisher-run and for-pay databases will keep all the links (Ger) that are de-listed from Google search results. This, accidentally, makes freedom of information some kind of a media privilege.

Jeopardizing freedom of speech

There's no other way to put this: This is really, really concerning. Freedom of information and freedom of speech are fundamental values, especially in the information society we live in today. All of this for prohibiting you from finding anything not entirely positive about your new neighbor online?
We simply can't afford undifferentiated, trigger-happy and blanket-style approaches that endanger these values, be it in the fight against child pornography, copyright infringement or for the protection of minors (meaning porn filters).

All of this is not to say that I don't see the problem with information living online, possibly forever. But I honestly think that's a societal, not a technical one. Managing an online persona will only become an ever more important skill, and we have to acknowledge that. Making people compete for being the best private "censor" can't be the way. I, for one, don't want to live in that kind of society.

Mr. Masing, the judge of the German Constitutional Court heavily criticizes the judgment in an essay (Ger), letting me look forward to a decision of the German Constitutional Court concerned with any of the relevant aspects. The majority of law-savvy bloggers (Ger) also have many complaints.
The Electronic Frontier Foundation's take is also quite interesting.

I'm anxious to see how this will play out.

ungeheuerlich eschoofierend


My pal Timo and me are doing a podcast again!

After a first attempt two years ago that lasted for an unbelievable amount of four episodes, we're not getting ahead of ourselves this time. However, the name stays the same: ungeheuerlich eschoofierend, and we're still talking in German, but we're not rambling about whatever comes to our minds anymore (at least not all the time). Instead, there's one big topic per episode. For now, we're on a 2-week-schedule.

Find our very nice site here: ungeheuerlich.org – or just get the RSS Feed for the podcast app of your choice.

The first episode was about Craft Beer, the next one's about Religion and will be published next Wednesday. You should consider liking ungeheuerlich eschoofierend on Facebook. Cheers!

"For me, it's real"

Say what you will about Russel Brand, I do like his attitude. He's authentic and is saying something meaningful in an interview. He totally gets that he's not the leader of a revolution, but also that he doesn't have to act dumb because he's an actor.
Check out the short piece on gawker about the interview.


Weirdly fitting words by Mark Sample:

"Low point" is the term for when the worst part of a disaster has come to pass. Our disasters increasingly have no low point.

After the low point of a disaster is reached, things begin to get better. When there is no clear low point, society endures chronic trauma.

Disasters with no clear low point: global warming, mass extinction, colony collapse disorder, ocean acidification, Fukushima.

Hm.

via kottke.org

The Brewer

I smiled all through the second half of this video. The excitement about one product and the craft it takes to get there is really something beautiful.

via hopshysteria.de

On Touch ID

A room within a room
A door behind a door
Touch, where do you lead?
I need something more
Paul Williams, "Touch"

Naturally, Touch ID was defeated (By the CCC, yay Germany!) only in a matter of hours after the iPhone 5S was available. And people are all over it. Bottom line: This end-user product doesn't provide military-grade security. No shit.

See!? Using biometric for security doesn't make sense!

Duh, of course it's hackable, but it's better than nothing, and pin codes are a pain in the ass!

But it's so easy!

Only if you're the FBI!

Or a private eye!

Dude, nobody's saying it's perfect, but it's better than a pin code nobody is using!

A level of security that is annoying and therefore not used is weaker than weak security, got it? Apparently not:

For those who continue to use Touch ID, Graham suggested a simple step for minimizing the success of Starbug's attack: use only pinky or ring fingers to unlock your device.

No offense, but somebody's in need of a reality check here.

Spending quite some time in university libraries, I see people leaving their laptops unattended, user accounts logged in and sure as hell with all their passwords (pardon: the one password) readily available in Chrome's preferences.

Considering that, I can't believe we're having a discussion about somebody going to the lengths of obtaining and forging your finger print. I can't remember where I‘ve read it, but: If you're facing that, you have way more to worry about than your phone's contents.

Naivité, Security and Surveillance

"NSA does not have the ability to do that"

Why wasn't there an outrage about the NSA and their domestic spying just over a year ago, in early 2012? Hard to say. I mean, there was this:

All of this is credible journalism by Laura Poitras, published by the New York Times, with William Binney as a competent and credible source. To learn more about Poitras' key role in the Snowden part of all this, check out theexcellent portrait of Julian Assange in Vanity Fair.

Back to 2012. From the Wired story on the NSA's activities and the datacenter in Utah:

it chose to put the wiretapping rooms at key junction points throughout the country—large, windowless buildings known as switches—thus gaining access to not just international communications but also to most of the domestic traffic flowing through the US

These domestic activities were readily denied by General Keith Alexander, head of the NSA:

Alexander said “No,” adding that the “NSA does not have the ability to do that in the United States.” Elaborating, Alexander added: “We don’t have the technical insights in the United States. In other words, you have to have [...] some way of doing that either by going to a service provider with a warrant or you have to be collecting in that area. We’re not authorized to do that, nor do we have the equipment in the United States to collect that kind of information.”

This was, now so very obviously, not true. But who cares about a government official lying to the Congress? Only naive people, I guess. More on that in a bit.

However: Since Snowden, there are more details out there. We know about the UK's GCHQ doing the same or even more than the NSA and over all of Europe. There is no denying anymore, by anyone.

"You're naive"

Some people, like Matt Gemmell, say that "any sane person had already assumed" this was happening.

Better yet, objecting to the lack of privacy, specifically NSA's direct access to the major tech companies' data is supposed to be (quoting Gemmell again) "incredibly naive". Worse yet: It's not only naive, it's also unjustified, because we shouldn't change anything:

So what do we do about it? Probably not a lot, if we don’t want to sacrifice effective national security.

This attitude, to me, is just as dangerous as the NSA's actions itself. Effectiveness is conservatism's favourite justification for excessive and invasive actions of the executive branch since forever. Don't get me wrong: I do want government agencies and the police and all of that to protect me from... yes, a bomb maybe, or some big assault somewhere in the public transportation system of say... Hamburg or whatever by "evil people". And still, effectiveness is such a non-argument. Nobody argues that more data for the NSA gives them more of a free hand. But if effectiveness was the only variable in this game, there wouldn't be a discussion.

It's not called "naiveté", it's called "democracy"

It's just that the "naive" people disagree with the current imbalance of security and privacy.

Only because everything can be intercepted doesn't mean that's what should be done. However that's exactly what made Edward Snowden leak these documents, the sheer blanket eavesdropping, on everything. He had hoped things would change with the Obama administration, but they got even worse, he told the Guardian in the second video interview that was published (from 06:20) – thanks, Obama!

Eben Moglen, in 2012, relating to the Utah datacenter:

It's more than just the permanence of data. It's the relentlessness of living after the end of forgetting. Nothing ever goes away anymore. What isn't understood today will be understood tomorrow. The encrypted traffic you use today in relative security is simply waiting until theres enough of it for the cryptoanalysis to work, for the breakers to succeed in breaking it. We are going to have to redo all of our security, all the time, forever, because no encrypted packet is ever lost again.

Everything. Surveilling on a scale like this (well, there's no scale anymore) is by definition not a justifiable action the executive branch can take. Not here and not in the US. I know that it is possible – but that doesn't mean it should be done or is allowed to be done. The Economist sums it up:

Having once spied on a small number of specific targets, [the NSA] now conducts online surveillance on a vast scale. It has spied on drug dealers, tax evaders and foreign firms, none of which pose a threat to national security. NSA employees have used its systems to spy on their former lovers.

It seems like General Alexander is in need of a reality check. If it is necessary to establish a system with tremendous staff and judges and courts and whatnot to give out warrants that don't violate the Constitution, then you have to do so. It's as simple as that. Just because with digital communication, you can access a backbone and tap in on everything, very easily, it doesn't mean you're allowed to.
However, according to a recent piece in Foreign Policy, this is exactly what Keith Alexander disagrees with:

“He said at one point that a lot of things aren’t clearly legal, but that doesn’t make them illegal,” says a former military intelligence officer who served under Alexander at INSCOM.

Later on, Alexander is even called naive himself (whoop!):

“But I think he has a little bit of naiveté about this controversy. He thinks, ‘What’s the problem? I wouldn’t abuse this power. Aren’t we all honorable people?’ People get into these insular worlds out there at NSA. I think Keith fits right in.”

What could possibly go wrong?

It's not just that FP found one or two people within the NSA who were willing to discredit Alexander here. Michael Hayden, Alexander's predecessor as head of the NSA, officially complained about Alexander's craving for raw data before his superior, according to the same FP article.

And there's more. A cryptography professor was asked to pull a blog post from his university's servers, a scandal in itself. Anyway, he had posted thoughts about the recent revelation that the NSA had sabotaged the consolidation of encryption protocols:

Not only does the worst possible hypothetical I discussed appear to be true, but it's true on a scale I couldn't even imagine. I'm no longer the crank. I wasn't even close to cranky enough. [...] The one reason I would have ruled it out a few days ago is because it seems so obviously immoral if not illegal, and moreover a huge threat to the checks and balances that the NSA allegedly has to satisfy in order to access specific users' data via programs such as PRISM.

What's left to say? I guess this cryptography expert professor guy was just too damn naive as well.

Lessons from history

Not only is it simply wrong, as shown above (if that's possible). I also find the naiveté accusations extremely disturbing in the light of what we're talking about. Think about what it meant if this attitude really was naive? That stateside surveillance only serves the greater good? That abuse is impossible? That more intense surveillance means greater security?
If one truly believes that, then you have to ask: Have you heard of this thing called history? I'm not die-hard left wing, I'm not protesting on the streets every other week for this or against that, but I cannot accept any authority pursuing totalitarian tendencies. And I wouldn't have thought this counted as naive or idealistic. On a side note: Being a realist doesn't mean accepting everything as it is or inventing justifications for the status quo.

Anyway: I am German and I kinda have to know this, but I thought Nazi Germany and the other totalitarian regime in Eastern Germany with the Stasi and all of that weren't unheard of in the US. There's also novels like 1984, they even made one or two movies from that. So there's not really an excuse not to have heard of the downside of an all-too powerful government. Despite all this, it seems like Jacob Appelbaum was right when he said that Germans need to be the history teacher in this affair (great statement by Edward Snowden he reads out, you should watch the whole thing).

In more recent history, the detention of David Miranda at London Heathrow shows that competencies will be abused.
Looking into it, I can't believe that schedule 7 of that anti terrorism law – eliminating the right to remain silent, and in Miranda's case being blatantly abused (despite the lack of a link to terrorist activities), was actually passed in the UK.

What now?

Here I am, a German citizen living in Germany complaining about the NSA's domestic activities. Well, the GCHQ's activites as well as all the government agencies' cooperation with German agencies demands a holistic approach to this. As Matt Gemmell points out correctly, we can't allow government agencies to circumvent civil rights by doing domestic spying for each other.

We need to have a global discussion about what privacy means to us, and how it can be maintained in this digital day and age, that is just not compatible with the concept of borders.
The first step, however, has to be that domestic surveillance in the US goes back to a level that is reconcilable with their Constitution.


Thanks to Matt Gemmell, whose post was the trigger I needed to write this.

Suicide

“I’m walking to the bridge,” begins a Golden Gate Bridge suicide note [...] “If one person smiles at me on the way, I will not jump.”

Suicide is fascinating to me. On the one hand, I feel like we should respect somebody's decision or assumption that, overall, they won't come out of their life "ahead". A line from an Editors song comes to mind:

In the end all you can hope for // Is the love you felt to equal the pain you've gone through

I mean, who are you to tell somebody "No, no. You have to suffer at least 30 more years before I allow you to die"?

On the other hand, it's not as simple as that. Suicide can't really be looked at isolated from depression or mental illness in general. I also ask myself if – aside from people who are terminally ill and don't want to suffer anymore – every person commiting suicide is by defintion mentally ill.

Anyway, this piece on the dramatic surge of suicides is well worth a read:

Around the world, in 2010 self-harm took more lives than war, murder, and natural disasters combined, stealing more than 36 million years of healthy life across all ages. In more advanced countries, only three diseases on the planet do more harm.