Habeas data: How to build an internet that forgets All it takes one tiny pinprick to burst a bubble. I think I've seen one pin that might pop two huge bubbles - and it may well be the most subversive idea you'll hear all year. Over at The Atlantic blog comes a report on a problem with the internet. You have to be a forgiving reader to wade through Megan Marber's meandering …
You can't destroy or restrict data that has gone public - as the record companies will testify.
No you are thinking this the wrong way around. The data is permanent but the 'individual' could be temporary. We might inhabiy different persona at different times in life - or indeed in parallel so one can keep our professional and personal lives seperate.
The point is to not fetter us with 'identifiers' .
Trouble is, people dig dirt. People recognize people even in different personae. Personae get connected. Secret lives get discovered, and virtual reality runs headlong into actual reality: the reality that there's only one real you despite there being maybe several virtual yous.
Someone might want to scrub their presence from the net, but if you make a right ass of yourself, it's hard to erase that from the wetware in people's skulls. Someone might even blog about it - or worse.
For example, about a month ago, one not-so-gentle-man by the name of George Tierney decided to get into a Twitter war with Sandra Fluke - the same woman who testified to US Congress about the Pill, why women take it, and why it should be covered by people's health plans [1, 2]. George started calling her rude names and four letter words beginning with "c". Other people took offense. Then he demanded they remove their observations. A small Twitterwar ensured, where he insulted many people, including Glenn Danzig at one point.
While the dude was a major league asshole, he probably had a few mental health issues, starting from anger mismanagement, and going up from there. Regardless of whether he deserves his presence to be scrubbed from the Net or not - it would be impossible to do so in the near future, because people will remember what he did. Ms. Fluke has grace enough to put it behind her, but a lot of her defenders weren't that generous. Perhaps in 10 years he'll be a footnote. This year he's a teaching moment for teachers:
http://www2.wspa.com/news/2012/may/23/upstate-mans-tweets-go-viral-real-world-impact-ar-3845986/
[1 In the absence of a NHS, of course.]
[2 I should point out that women don't just take the Pill for better sexytime, but - surprising as it may seem - ALSO as a health measure. While I think it would be redundant to educate the sophisticated, urbane, and worldly El Reg commentariat on this (especially females), I just want to prevent any "Rush Limbaugh" moments, if you know what I mean.]
Only bits of it saved on various places.
Stuff gets deleted by owners of sites all the time. One site recently deleted a huge part of its content against the wishes of its technical users. Some was dross and much was valuable.
Anyone using Twitter, Facebook, Linkedin, Google+, YouTube, Yahoo Groups, Google Groups should save important stuff, as these outfits WILL delete stuff when it suits them. Or when the suits say so.
There is nothing new in this article.
The inability to delete your own data is one thing, but what annoys me even more is non-expiry of data.
I get emails from recruiters whom I dealt with a good 8 years ago. IMHO most recruiters can go and hang themselves because basic politeness of getting back to people is obviously no longer required (guess who I will not pick now I am looking for people myself?), but I digress. What pisses me off is that they then email you on data that is so out of date they should not even have it - it is a formal obligation under the Data Protection Act to ensure information is current (it's part of information being correct). This means, in my opinion, that if you have not been able to establish communication with people for, say 4 years you should really stop spamming people, and realise that your database is full of crud.
Oh, hang on, that's how you sell, isn't it? "We have xxxx people in our database, that database we only use to spam people with because you rather pull in fresh CVs when you're seeking to fill a position".
I am seriously considering reporting every single one of them - I hereby assert not only the right to be forgotten, but also the right to serious screw around with those who won't let me.
- corporations count as people. So, if individuals have the right to control what's published about them, if it contains personal data, then that right will extend to companies in America. All of which may end up giving corporations even more power, unless the laws are carefully drafted
If it is "Personal Information" The Supreme Court has ruled - Does not apply to corporations.
My understanding of recent US politics is that supreme court *rulings* are quite hard to overturn, especially if they were based on a constitutional point rather than an ordinary legal one. Obviously if you just want to change the law, there's a senator or congressman who needs an election war-chest, but using the same approach on SC justices would be riskier.
But "person" and "personal" are two different, not-necessarily-related things. That was the point of the AT&T ruling. A corporation may be a "person" by act of Congress, but the COURTS can then interpret the word "personal" to apply only an individual since groups (like corporation) cannot under the English language be said to have "personal" experiences (the correct word would be "mutual", not "personal"). So IOW, a business cannot be said to possess "personal privacy". And the SCOTUS is usually reluctant to go back on its own previous rulings, as they prefer their rulings to be definitive. If an Act of Congress cannot circumscribe the interpretations put forth by the SCOTUS, the only resort left is Constitutional Amendment: in this day and age an impossible feat, given the sharply-divided nature of both houses (it can only be done by a Joint Resolution that passes by a clear 2/3 majority in both houses--neither party has even a 3/5 majority and the each is determined to poison the other).
This is something celebrities have had to put up with since the start of newspaper publishing. It's always been the custom for the press to keep files of clippings and "interesting" facts about people in the news. Whether the items of interest, or the unfortunate photograph was 6 months old, or 30 years ago never seemed to matter - it still got dragged out whenever an editor wanted to be petty and spiteful, or had a readership that responded well to hate, bile and jealousy.
The difference now is that the internet views everybody as a a celeb, but "ordinary people" haven't yet tumbled to that fact and therefore act as if everything they say and do is somehow private. There are two ways this could work itself out: a form of mutual blackmail where everyone can dig up something about everybody else - so the feeling of superiority cancels out, or a growing sense of maturity among internet users along the lines of "so what" when presented with some trivial lapse of judgement or taste. If history teaches us one thing, it's that the second option will never happen in Britain (some other countries have a much more relaxed attitude, but not us), - just as people won't stop posting things they'll later regret.
As a consequence, if the only defence of your own bad behaviour is the ability to drag up evidence of everyone else's, then maybe what we need are more and better sources of salacious material. Possibly putting all the country's surveillance cameras to good use and tagging every individual who ever puts a foot wrong, so they be seen to be just as "human" as the people they criticise.
Another option would be the national adoption of Bob Marley's classic commentary on the situation:
while you point your fingers someone else is judging you.
Is this different in kind from the position centuries ago? The indiscreet youthful letter that comes back to haunt the sender later in life was a staple of Victorian/Edwardian fiction (Oscar Wilde, Conan Doyle, etc). If I send you an email, do I have any right (as opposed to expectation of civilised behaviour, which may or may not be realised) to restrict what you choose to do with it?
I suppose that Twitter, Facebook et al are different in that there is no target audience, other than everyone (or no-one). But I think one could argue that Twitter is itself the recipient, and thus is free to choose what should happen to 'your' tweet.
The difference is technology. It was like that in the Victorian era because they had no choice. Now, if you believe in DRM, there is a choice.
The same technology that enables downloaded TV programmes to expire, could also be used to send emails that expire. People complain about DRM partly because it favours the content producer, but when you write an email, you are the producer. You are the artist. Omnipresent DRM would give you control over your data; it would enforce your ownership, your copyright.
I can't tell whether you're espousing this as a good idea or not.
Personally, I can't see how that solution could be tenable. Ignoring the fact there's nothing wrong with being held accountable for your own words/decisions (assuming people give up with the idea that changing your mind is somehow wrong), this would be the death-knell for FOSS, as it would require all email clients to implement and circumventing DRM when you have access to the result is trivial.
"If I send you an email, do I have any right (as opposed to expectation of civilised behaviour, which may or may not be realised) to restrict what you choose to do with it?
As I understand it, the long-established legal position is that letters belong to the recipient, but I vaguely recall muttering something to this effect on these forums some time ago and being put right. (Memory clearly doesn't serve, but I'm guessing that you retain the copyright on the words in the letter or some such thing.)
Anyway, posting this reply because the fastest way to learn on Usenet (RIP) was to post wrong information.
When the companies that own your data also own or provision the tools that let you manipulate that data - why on earth would they allow this utopia to happen? They would be cutting their own throat.
Simple answer they wont and moreover will never feel the need to until such time as the inconvience of having every internet indescretion outweights every element of percieved utility from the product and or service.
Even then all that will happen is people will move on to the next worse offender.
People as a mass are fundamentally lazy and as long as the user experience is 90% Yay/Meh and 10% Aarrrggh they will not change en mass.
When companies envisage making more money on Plan B than they do today on Plan A, they rapidly switch.
This applies to any business situation, there is nothing unique about this one.
The motivation for Facebook, Google today is fear: they perceive their short-term interest today to be the ad-driven, data-mining approach which also involves a huge consumer surplus (McKinsey puts this at €100bn a year btw) of stuff given away for "free". They like being big fish in a small pond. It's their comfort zone.
Eventually somebody (the shareholders, the markets, a CEO with a bit of vision) gets a clue.
I think part of the problem with copyright in the Internet is the speed and ubiquity of...well, COPYING. Not to mention the sheer ingenuity of what might best be described as "Genie corkscrews". One big reason data is said to have a near-permanent memory is because it gets copied so often. Every time someone downloads a web page, a copy is now present on the client. It only takes the right tools to commit that copy to disk, and enterprises can do this en masse--this is how places like the Wayback Machine work. It's become rather a habit to make a copy of noteworthy stuff--just in case it isn't there tomorrow. And it tend to actually get REINFORCED as sites and their secrets go down. It becomes a perpetual case of "Keep Passing The Tapes".
And the information explosion isn't just limited to the Internet. With increasingly-common technology, the average man becomes the public's eye to all sorts of interesting stuff. Sorta like the candid snapshot of a passing celebrity...only it's a movie camera. Very little the celebrity or whatever can do about it outside of a repressive regime (and even THEY have hiccups). The camera is hailed as the candid unblinking eye, the window into what's really happening in the world, so it feeds on itself in a cycle: people are inspired to dig dirt and take movies which in turn creates more footage with which to inspire more amateur photographers. And in the US it's protected by the Constitution (freedom of Speech and The Press), so people are ENCOURAGED to speak out, to air out dirty secrets around them. Forget the camera on the light pole. The one you should worry about is the one in the lady's purse. Big Brother isn't the government; it's the neighbors. And for the neighbors, it could well be you.
As for DRM...that's where the "corkscrews" come in. Just as you have hand-copiers in the past, you now have people who see DRM as a rule meant to be broken. Thing is, the Internet in turn makes passing on those secrets easier if they want (the most-professional illicit firms keep their trade secrets, but hobbyists and others will pass their stuff on).
IOW, while it may well be fine and dandy to dream of a world where information has a shelf life, that's not what the public wants. Sure they may want to keep THEIR information secret, but they want to be able to see EVERYONE ELSE's at the same time. It's a fundamental conflict, and since America is founded on distrust (the checks and balances were cooked up because each branch was assumed to distrust the other two), distrust wins out...and people will start prying and hoarding.
With total transparency into government and individuals we can progress as a species and accept each others flaws and mistakes knowing that we have made such mistakes ourselves and that similar mistakes are in everyone's past.
The problem at the moment is that all the intrusion and data gathering is one way, into the individuals and black walled by secretive government who are as transparent as their PR dictates in precisely the areas they want to be transparent.
"With total transparency into government and individuals we can progress as a species and accept each others flaws and mistakes knowing that we have made such mistakes ourselves and that similar mistakes are in everyone's past."
Yup. I've been a complete dick in my time and hardly anyone can remember, but if they do and they publish the embarrassing details here then I think my attitude would be "Yes, I did that. I'm sorry. I was young and stupid/selfish. I've never done it again.".
By and large, the feeling that you will be held accountable for your actions is a great civilising force. Religions have used this fact for centuries, but since we appear to be moving towards a society where God doesn't exist, it will perhaps be necessary to invent. (Before we do, mind, can I just point out that there is PRIOR ART for this idea, people!)
It's your data, so you have a responsibility to look after it.
That means keeping a log of EVERY website that you give that data to.
Every site you register your email address with, and your address for a delivery.
If you are prepared to do this, then part of the solution is simple. Its up to you to remove the information from sites that you no longer use. (If they let you) If they don't let you delete your account, then change it so that the information is valid, but irrelevant.
change your home address details. change the password to be something very tricky and different to everything else, change any mobile phone number you submitted to them to be something else (random) then change your email address and name.
Their big data gets very invalid very quickly, but it's ultimately your responsibility to badger companies that don't let you delete your own information until they get rid of it, or you make it invalid data that no longer applies to you.
Yeah, I'm paranoid about this sort of thing. and no, I don't do it all yet, but I'm on the way to getting this sort of thing all setup and separating things that really don't relate to me as a Physical Person (things like tumblr,youtube,twitter,el reg), to things that have to be tied to me, like credit cards, electricity bills and bank accounts.
"If they don't let you delete your account, then change it so that the information is valid, but irrelevant."
You will still have the problem of this information being audited. Although data stored in the audit logs won't be considered 'live' by [insert site] they will still have it on record.
Maybe the place to start is with data control laws mandating companies who collect information to show:
1) Exactly and completely the full extent of data collected,
2) To whom they sold, rented, leased, gave away or otherwise shared specifically which data,
3) How to delete certain or all data collected by that company,
4) Some sort of sworn testament that requests to delete data were completed.
Further, the laws regarding ownership of data need updating to clarify that collected data belongs to the source of the data, not the collector. Mailing lists, for example, might continue to be covered under some sort of trade secret law, but no longer under corporate property rights law.
The worst offenders, of course, are governments. They need to be held to an even higher standard.
Having outdated or inaccurate information about yourself removed is already a right. Just not an enforced one, or one seemingly ever likely to be enforced. Special DPA considerations apply to sensitive personal data, which includes anything relating to religion, political opinions, criminal past, medical history etc. retention or processing of which requires specific and proportionate justification.
The idea you can make the already impossible possible by recasting it into the greater quagmire of copyright problems is further unicorn chasing. A more rational approach would be to try to get existing data protection legislation more effectively enforceable.
I haven't seen anything this dumb for quite some time.
What exactly does the author of this piece think software developers are going to do about this? Magic? Believe me, the first developer to come up with a reliable way to prevent computers from copying some piece of information will be wealthy beyond his wildest dreams with one call to the RIAA/MPAA/insert here. So why hasn't that happened yet?
Simple--IT'S NOT POSSIBLE. In order to enter a usable form, information must, at some point, be decrypted and made available to the user. At that point, someone can make a copy, "do not copy" flagging aside. Once there are copies, there can be more copies, and so on.
You can no more erase information from the Internet, than you can erase it from the brain of someone who was actually witness to an event. You can't just command someone to "Forget I ever (said|did) that!" and actually expect them to obey you. What this author presents as something unique to the Internet is very much a feature of reality as well-once someone besides you knows something, they can pass it along, and you can't just reach out and grab it back. Information is not "owned", nor is it ownable. It multiplies.
The author of this piece isn't asking developers and engineers to get in tune with reality. He is asking them to defy reality. It won't happen, and as decades of research in an attempt to take machines designed to copy at breathtaking speed and stop them from copying demonstrate, it can't happen.
This one has no pretty solution. Every ditz that let someone photograph them nude (or did it themselves) and every major corporation that wants to change a position while insisting it never did will support an internet without a "wayback" capability. Copyright is now, and always was a stupid idea. The only safe place for IP is between your ears. Any place else is public at least latently. You can give up the credit for an idea or make it public. There are no other true options.
An intriguing dialectical position you have there - as the internet gets more pervasive, so it gets more public, and this reduces the domain of what is private to force it to become the personal, resulting in the final analysis in total solipsism. Jean Baudrillard meets Bishop Berkeley (in the hyperreal and not as simulation either - tho they may have met already, both being deceased like :-)
Andrew, please. You've been trying for years now to weld together the concepts of privacy, ownership, and copyright. It's not working. Please give it up.
The concept of the 'right to be forgotten' is interesting and worthy of discussion. Hell, you raise - or at least relay - some interesting points yourself. But this effort you keep making to weld it to your copyright bandwagon just isn't working. Hell, that's painfully evident from the article itself - you keep invoking copyright and ownership, but you're not quite sure wherethey fit and how they work together. You just invoke them and leave them dangling there.
"What's missing is the primacy of the individual, as the sovereign owner of the data, on our digital networks. In real life, things have clear ownership, even if their usage is assigned to the public."
"Privacy and copyright advocates are really on the same page. And so too is anyone worried about permanence of data. Once you 'own' your data, you can decide when it's revoked - when it expires."
Sorry...but your concepts just don't line up. Ownership is not always the answer to privacy, and copyright is not always the answer to ownership.
Let's take some examples from this 'real world' you love so much. Let's take banking. That's a great example of an arena where, broadly, everyone agrees on the right to privacy. Very few people stick their banking records on Facebook, or expect to be able to inspect their neighbours'. If your bank were to send your financial records to a bunch of other people you would almost certainly be pretty narked. So I'll assume we can all agree that's a good example of an arena where privacy is important.
Now, how does the concept of 'ownership' come in? Er, well, that seems a bit tricker, doesn't it? I've never heard anyone bring in the concept of 'ownership' to explain the mechanics of privacy when it comes to bank records (or, similarly, records any commercial organization has relating to you as its customer). I don't think many people would contend that they 'own' their bank records, or the cable company's record of their monthly PPV rentals, or any other kind of record held by a company from which they bought something. If you think about it at all, I'd expect most people would accept that the company 'owns' that record. But they would still contend that they have a legitimate right to privacy, i.e. that the company shouldn't divulge that record to others without their permission (unless something like a court order was issued).
So, we've already divorced privacy from ownership, and it only gets worse when you start to consider copyright. Even if we were to accept that we wanted to use the concept of 'ownership' to enforce privacy, and say that in some sense we 'own' the records held by companies on our relationships with those companies and this is the source of our right to privacy - which I don't think is the case, but let's just assume it for the sake of argument - is copyright the appropriate mechanism to implement that ownership? I'd say 'hardly'. Copyright is a specific form of legal expression intended to cover a clearly-defined sphere: creative works. You often seem to forget this. A record of my transactions with a company is not a creative work. Copyright just isn't the massive legal bludgeon you appear to want it to be, a one-size-fits-all mechanism to enforce any kind of 'ownership' of anything at all that's intangible. Please stop treating it as if it were.
To bring this back to the online realm - an actual creative work, like say this comment, is something that's appropriate to consider in the realm of copyright, sure. I'm happy to agree that the rights I have to this text and the rights you have and the rights anyone else has are to a significant extent defined by copyright law.
But, oh, say, the record my webserver makes of what site you were referred to my site by is not a 'creative work'. You can argue that I should be required to act in the interests of the privacy of my 'customers' - visitors to my website - in not divulging that information to others. I already think that asserting that I should do so because of a concept of 'ownership' - those visitors own that information, not me - is a stretch too far. But even if I conceded that, should the 'ownership' of the data be implemented by copyright law? I can't see any plausible basis for maintaining that it should.
Please take a few minutes to sit down and sort out in your head the relationship between the concepts of privacy, ownership and copyright. You seem to be using them almost interchangeably, and that's an insupportable position.
Suggest you consider the real world concept of 'privity of contract'. It's well-founded, and while IANAL it looks IMO one place where the law relating to data ownership could be moved forward without damaging contextually surrounding legal concepts and frameworks.
Adam, you've been writing essay-length comments on copyright for years and your position hasn't evolved since 1993 Wired-style sloganeering of your youth.
You still don't understand what it, is or how it works. This is now turning into a serious handicap for you. Very well established social and legal concepts exist that you wish away or say aren't important.
For example, you say that an information trail left by an individual isn't the individual's creative work covered by copyright. Well, duh. Of course it fecking well isn't. But it's an established principle that the individual owns it, and decides who does what with it. Habeas data.
"I've never heard anyone bring in the concept of 'ownership' to explain the mechanics of privacy when it comes to bank records (or, similarly, records any commercial organisation has relating to you as its customer)."
Time to get up to speed, I think.
Your problem is that early on you took a crude political stance on copyright, and are now rejecting evidence and arguments that undermine this position - a very selective and (ultimately) doomed approach.
Your problem is that early on you took a crude political stance on copyright, and are now rejecting evidence and arguments that undermine this position - a very selective and (ultimately) doomed approach.
---
Oh i dont know it seems to work for big business and politicians
I would like to know who owns the footage from security cameras capturing my picture when I walk around town, how long is the information kept, and what are the mechanisms to gain access to the footage, by the both government, e.g. police, and private individuals.
In a city like London, reportedly covered by more cameras than most cities, what happens with that data? It seems to me there are parallells with my travels across town and my travels through the internet.
So you "own" your data? Big deal. What data is that? Can you identify it it? Without collating it against another database (think traffic analysis)? What are you gonna do about it?
"Privacy and copyright advocates are really on the same page."
No they are not. Does "this database copyright by Google" tell you something important? Yes, it does.
For me the issue is that I cannot 'use' the internet without registering a real address and leaving real data. If I buy a book on Amazon I can't pay anonymously, if I buy tyres for the car or make a purchase of anything. As i do not read privacy statements from the likes of Google, Amazon, etc.. I end up with 50 different user accounts, credit card details etc.. and accept that another bit of my personal information is with total strangers.
My proposal, make it possible to have a separate legal identify, i.e. an avatar, issued with a credit card and shipping address etc.. This way if the legal system needs to know my real details, they can get a warrant and question the bank. Facebook and Google of the world still have my browsing data/habits so they are not significantly devalued.
For personal data, e.g. chatting with each other on facebook etc.. ( I dont use it), my guess is people have put their conversation (or profound/stupid monologue) into the public domain. Whoever the message was sent to (individual, or world + dog) have legal ownership of a copy of that data as well as the owner. same with pictures - if I publish to a group of friends, my guess is one of those friends has the right to archive it, some time before he/she becomes a non-friend.
For anonymous browsing - for me VPN performance drops my 100MB connection by 50% - so I dont think VPNs are great, unless I notch up my paranoia.
Email - I have given up. IMHO all email should be signed and encrypted by default - but it has been many years since I have bothered with that argument. It is a simple and solved technical problem of using a public key / private key pair.
The problem is legal, not technical, as per the article, we need property rights over our data, including expiry dates for browsing history etc.. The other choice is simply obfuscate data by having a few robots browse and click anywhere for us... Baffle them with bull...
Virtual identities have the greatest value when they can be connected to the real world. And yes, Facebook and Google want that, too, because the advertisers want it. People pay good money for that since that means they can migrate outside the e-mail box and into the snail mail box which is harder to ignore. Basically, the web companies DON'T WANT virtual avatars and the law is not really in a position to force it down their throats since they can counter with the Janus argument: people who can actually live double lives without anyone noticing. If the hidden life is criminal, well...
Part of e-mail's appeal (like the Internet's) is the potential for anonymity (via a different address). Registered e-mail would remove that angle but might also squelch whistleblowing which requires anonymity.
I have a different perspective to give to this. I spend a sizable amount of time contributing to and managing wikis. A wiki (generally speaking) is a website who's content is contributed and edited by users. The appeal of a wiki is that it grows organically to fill the needs of the community, it operates to organize, shape and inform the community as to it's own identity.
Bad things can happen when contributors sour to the community. Wiki contribution agreements need to read like suicide pacts but they rarely convey the sentiment properly, as a result people think they can back out and take their content with them. That is when the edit wars ensue, where users restore and delete content. Two bad results can happen: the content is permanently deleted or worse, the content is permanently locked.
When content is deleted, it's like the community suffers a stroke, the knowledge is just gone but there is the opportunity to rebuild it anew. On the other hand having the content locked is community brain damage. All you can do is route around the locked articles, delinking them and rebuilding them elsewhere, it leaves scars.
I'm not ok with content being deleted. It should be anonymized, it should be flagged as abandoned. Like an expired copyright left to go to seed it should fall into the public domain.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
