Wednesday, October 29, 2008

Lessons from the failure of global financial regulation

The financial crisis has everyone talking about global financial regulation. Why didn’t regulations work? And how can regulation be reformed to prevent future meltdowns? Who should regulate in a global context? In a sense, these are the same questions I’ve been pondering for years, in the context of global privacy regulation. Like many people in the privacy community, I’ve been calling for better global privacy standards now, so that we’re not faced with a crisis later.

What lessons have we learned from the financial regulatory crisis that are relevant for privacy?

The issues are global. The crisis is global. Financial and data flows are global. Money, in all its diverse forms, flows across borders, making all of finance interconnected. Global financial flows are now essentially digital data traffic. When it comes to money, and data, countries are not islands, as Iceland has clearly demonstrated. And if there’s anything that flows globally even more quickly than money, it’s data.

You can identify problems before they turn into crises. In retrospect, the problems were pretty obvious, even if people were enjoying the party at the time too much to want to sober up enough to confront them. It’s fashionable to claim that you can only identify a bubble in retrospect. I think that’s nonsense: I knew Florida condos were a bubble when my house painter bought a condo there, on which the annual maintenance fees alone exceeded his annual income, as he proudly told me, but he was unworried, “because real estate prices only go up.” Similarly, in the world of privacy, we already know what the issues are… so, the only real question is whether we need to wait for a crisis to muster the willpower to drive change.

Regulations that are out-of-date are useless. The financial crisis is exposing lots of regulations from other eras that have proven useless. I hardly need to remind readers of the bizarre patchwork of regulations that apply differently, or not at all, to banks, to investment banks, to special financial vehicles, to hedge funds, etc. Similarly, much of the world’s privacy regulations were designed for a pre-Internet world. Having regulations that are out-of-date means that they are either not applied at all, or applied poorly, or simply “re-interpreted” according to the tastes of individual regulators, like the German “regulator” who blithely declared all search engines to be “illegal”, whatever that means. So, having European data protection regulations that require things like “prior authorizations” from “supervisory authorities” before an international transfer of data is quaint (at best), or dangerous (at worst), in the age of the Internet. In fact, I think it’s dangerous to base international data protection rules on obsolete fictions, like the fiction that data flows somehow stop at borders.

Solutions have to be global. Without global solutions, we create the risk of regulatory havens, like tax havens, where actors can engage in regulatory arbitrage, moving from highly regulated to lightly or non-regulated spheres, be they countries or industries (e.g., the move from banks to hedge funds). Much of the privacy debate in recent years has been almost exclusively trans-Atlantic. For example, if you read the work of the EU Working Party data protection regulators over the last decade, you would come away with the impression that they are obsessed with privacy issues of US companies and the US government, while almost completely ignoring any privacy issues relating to data flows to or from anywhere else on the planet, such as India, to cite but one example. But surely, even EU data protection authorities in the anti-American ideological camp (perhaps I should use the German word “Anti-Amerikanismus”) will recognize that the US provides much more solid legal protections for personal data than the vast majority of countries on the planet. So, the obsession with the trans-Atlantic data flows issues is actually becoming dangerous, if it blinds us to the global nature of data flows. That’s one reason why I’m so excited about the APEC initiative, a process where many countries with no tradition of privacy laws are coming together to define privacy standards that are up-to-date, multi-national, and forward-looking. APEC is the most positive thing to happen in the world of global privacy standards since the EU Data Protection Directive of 1995.

Enforcement has to be local. While regulations need to be thought of in global terms, enforcement has to be local, to remain anchored in local legal and regulatory traditions. Some have suggested that we should create “super-regulators” with global mandates, like a mini-UN agency. Personally, I think international bodies have a strong role to play in driving forward international standards, but I’ve watched too many international meetings descend into farce to have much hope that they can function as day-to-day regulators. Moreover, different countries cannot have the same regulatory structures, often for fundamental constitutional reasons. The US simply cannot have an independent Federal Data Protection Authority in the French mode, because the US Constitution wouldn’t allow it. So, calls for global harmonization of regulatory structures are doomed. The French can try to convince French-speaking Ivory Coast of the need to create a French-style data protection authority, and they may succeed, but that’s not a formula for global success. Whether that’s good for the Ivory Coast is another question entirely. The Spanish can try to convince Spanish-speaking Colombia of the need to create a Spanish-style data protection authority, and they may succeed, but they can’t expect a country with a very different constitutional structure, like the US, to follow that lead. There are some people who honestly believe that you can’t have privacy without an EU-style data protection authority... well, hey, they might want to open their eyes wider.

Regulatory experimentation is a good thing. No one really has all the answers. The US experimented with security breach notification laws, and they generally seem to work, so Europe is adopting them too. Europe experimented with the creation of dedicated privacy Data Protection Authorities, and many countries around the world, from Argentina to New Zealand, have adopted them since. Maintaining some level of regulatory experimentation, even as we move towards global privacy standards, is a healthy foundation for the innovation in privacy frameworks that we need.

There’s no “Mission Accomplished” moment. Moving towards global privacy standards will be a multi-year process, with steps forward, and back, with vigorous debates, with ideology, with pragmatism, with passion. It’s a process, hopefully with progress in a more or less straight line, towards ensuring better privacy protections in our new global reality. Some people will stress the need for a legal framework and legal enforcement powers; others will stress the usefulness of self-regulatory standards. That’s fine, and it reflects traditions: some peoples expect the government to solve most of their problems; others expect the private sector to do most of the work. One thing is certain: we’ll need to carry on this debate virtually, without expensive global summits or conferences, since thanks to the global financial crisis, none of us can afford to travel anymore. Oh well: blogging is great and free.

Friday, September 19, 2008

Why would Germans claim their "privacy" laws prevent them from publishing a list of victims of Nazi terror?

There was a short report in the BBC today which struck me (my highlights in red):

"The federal archive in Berlin has for the first time compiled a list of some 600,000 Jews who lived in Germany up to 1945 and were persecuted by the Nazis.

The names and addresses, which took four years to compile, will be made available to Holocaust groups to help people uncover the fate of relatives.

Archive officials from the Remembrance, Responsibility and Future Foundation said the list was not yet definitive and would require further work.

It will not be released to the public because of Germany's privacy laws, but will be passed on to museums and institutions, including Israel's national Holocaust memorial, Yad Vashem.

"In handing over this list, we want to make a substantial contribution to documenting the loss that German Jewry suffered through persecution, expulsion and destruction," said Guenter Saathof, the head of the foundation."

I'm a privacy legal expert, and it's baffling to me why German "privacy" laws would prevent this list from being published to the Internet.   This is a valuable historical document.  Putting it on the Internet would allow people around the world to study it.  I would like to see if my grandfather is on the list.  I could check if his address in Berlin was indeed correct.  I think this information belongs to humanity.  

Now, of course, I can imagine certain privacy issues.  A very very small number of people included in the list may still be alive.  Privacy laws are only meant to protect living human beings, after all, not dead people or their reputations after death.  Other laws, like libel laws, can apply after death, but privacy laws cannot.  So, I would call on the Foundation to publish its work on the Internet.  I think it is wrong to cite "privacy" laws as a reason not to make this information public.   

Because, after all, whose "privacy" are we protecting now, for a list which includes names and addresses from something like 70 years ago, and most of whom have been dead for over half a century?

This is the sort of nonsense that gives German privacy law a bad name.     

Friday, August 29, 2008

Relax: the Faroe Islands have adequate data protection

Lots of people in Europe are trying to figure out how to reduce bureaucracy and red tape. Let's face it: we Europeans face some of the highest tax burdens in the world, with some of the highest numbers of public servants as a percentage of the general population anywhere on the planet. So, let me pick a little example, to make a point.

In this Internet age, when data flows around the planet at the click of a mouse, everyone agrees we need to be talking about global privacy standards. Data doesn't start and stop at national borders when it travels on the Information Super-highway. So, all the time and effort that has been spent in recent years, trying to segregate the world's countries into "adequate" and "not adequate" regimes in terms of data protection, has become largely obsolete and pointless. Data doesn't stop, take a look around, and wait to find out if the European Commission has categorized a country as having "adequate" data protection. The whole process is becoming a bit tired and irrelevant. Last year, the European privacy regulators adopted an opinion, concluding that Jersey and the Faroe Islands have "adequate" data protection.

Indeed, Jersey and the Faroe Islands. I haven't been to either. I'm sure they're lovely places. I think they do fishing in the Faroe Islands. As for Jersey, I have some sense of the kind of data that goes to places that are known as international tax havens. International tax havens as a rule have "privacy" laws, and it's pretty obvious why. I'm perfectly prepared to accept that these islands have solid data protection laws. But why aren't we talking about more important topics, like Japan, for example, to name a country that is widely viewed as having very strong data protection practices, even if they're different than Europe's?

Let's face it. This process, reviewing a country's data protection regime, to ensure that it exactly mirrors Europe's, before awarding it a bureaucratic seal of approval, is a process that is out-of-date. It doesn't reflect the realities in the world: under current opinions, Argentina, Romania and Bulgaria are "adequate", but Japan is not! Does anyone in the real world believe that personal data is better protected in Argentina, Romania or Bulgaria than in Japan? And if our taxpayer-paid government leaders are spending their time writing opinions about the adequacy of data protection in the Faroe Islands, it's fair to ask whether our taxes are being wisely spent.

Monday, June 16, 2008

Talking to Monsieur Tout-le-Monde

I think privacy professionals need to get out more. I mean, talk to real people, average consumers, normal Internet users. Most of us privacy officers spend most of our time talking to each other, or to privacy regulators, or to privacy advocates, or to company privacy department colleagues. But, at the end of the day, the people whose privacy we're trying to protect are not the specialists. So, I've made a personal resolution to try to spend less time engaging in abstruse academic privacy debates, and more time giving simple privacy advice, for general audiences, with practical tips. Anyway, I'm trying. Here's a radio interview for France Info, which, I'm told, reaches 4 or 5 million people. In French:

Sunday, May 18, 2008

Talking about privacy

I think it's really important to contribute to robust public debates about online privacy issues. And I think it's really important to use the YouTube video platform to bring these talks to the widest group of people who might be interested in them. So, here are some of my recent talks: at Harvard, at Google, and at the University of Milan, in that order.

Friday, February 15, 2008

Can a website identify a user based on IP address?

There is a public debate about whether IP addresses should be considered to be “personally-identifiable data” (to use the US phrase) or “personal data” (to use the European phrase). The question is: when can a person be identified by an IP address? This is a question of significant import, since it’s relevant to every single web site on the planet, and indeed to every single packet of data being transferred on the Internet architecture. I’ve blogged about this before, but the debate has evolved:

Last year, the Article 29 Working Party of EU data protection authorities published an official Opinion on the concept of personal information which included a thorough analysis of what is meant by “identified or identifiable” person. The Opinion pointed out that someone is identifiable if it is possible to distinguish that person from others. The recitals that precede the EU data protection directive explain that to decide which pieces of information qualify as personal information, it is necessary to consider all the means likely reasonably to be used to identify the individual. As the Working Party put it, this means that a mere hypothetical possibility to single out an individual is not enough to consider that person as identifiable. Therefore, if taking into account all the means likely reasonably to be used, that possibility does not exist or is negligible, a person should not be considered as identifiable and the information would not be considered as personal data.

Two recent decisions from the Paris Appeals Court followed this logic. The Court concluded that 'the IP address doesn't allow the identification of the persons who used this computer since only the legitimate authority for investigation (the law enforcement authority) may obtain the user identity from the ISP' (27 April ruling). The Court recognized in the same decision that 'it should also be reminded that each computer connected to the Internet is identified by a unique number called "Internet address" or IP address (internet protocol) that allows to find it among connected computers or to find back the sender of a message'. In its 15 May ruling, the Court considered that 'this series of numbers indeed constitutes by no means an indirectly nominative data of the person in that it only relates to a machine, and not to the individual who is using the computer in order to commit counterfeit.' The Court's conclusion was that this collection of IP addresses does not constitute a processing of personal data, and consequently was not subject to CNIL prior authorization, as required by the French Data Protection Act. The CNIL has protested loudly that these court decisions are incorrect, but the CNIL’s own position of declaring “all” IP addresses to be personal data, regardless of context, seems to be incorrect to me.

Paris Appeal Court decision - Anthony G. vs. SCPP (27.04.2007)
Paris Appeal Court decision - Henri S. vs. SCPP (15.05.2007)
IP address is a personal data for all the European DPAs (2.08.2007)

Let’s take Google as an example. Like all websites, Google servers capture the IP addresses of its visitors. If a user is using non-authenticated Google Search (i.e., not using a Google Account to log in), then Google collects the user’s IP Address along with the search query and the date and time of the query. Can Google determine the identity of the person using that IP Address only on the basis of that information? No. The IP Address may locate a single computer or it may locate a computer network using Network Address Translation. Where the IP Address locates a single computer, can Google identify the person using that computer? The answer is still “no”. The IP Address makes it possible to send data to one specific computer, but it does not disclose which actual computer that is, let alone who owns it. To get to that level of granularity, it would be necessary for Google to ask the ISP that issued the IP Address for the identity of the person that was using that IP Address. Even then, the ISP can only identify the account holder, not the person who was actually using the computer at any given time.

Also, the ISP is prohibited under US law from giving Google that information, and there are similar legal prohibitions under European laws. Surely, illegal means are not “reasonable” means in the terms of the Directive.

So the reality is that, for Google as for any other web site on the Internet that logs the IP Address of the computer used to access it, the chances of being able to combine an IP Address with other information held by the ISP that issued that IP Address in order to identify anyone are indeed negligible.

However, let’s hypothesize for now that Google could ask the ISP for that information. Could the ISP give Google the identity of the person? Again, the answer is “hardly.” Why is it so difficult? First, an ISP can only link an IP Address to an account. That means that if there are multiple people, like a family, logging into the same account, only the account holder’s name is associated with the IP Address.

Second, ISPs are given a finite number of IP Addresses to assign to their subscribers. At this point there are not enough IP Addresses to cover the number of users that wish to access the Internet. So, many ISPs have resorted to the use of dynamic IP Addresses. This means that a user could be assigned a different IP Address as often as every time they access the Internet. In order for the ISP to track the account that is connected to an IP Address, the ISP may require the actual date and time of use.

Finally, almost all big organizations have their own private network that sits behind a firewall. They may use static or dynamic IP addresses, but in either case these are not visible outside the organization. They are using Network Address Translation (NAT). NAT enables multiple hosts on a private network to access the Internet using a single IP Address. NAT is also a standard feature in routers for home and small office Internet connections.
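As an added illustration, not part of the original post, the following Python models the three obstacles just described with constructed data: a website's own log plus a whois-style allocation table yields only the organization managing the address block; only the ISP's lease records, and only when the timestamp is supplied, map a dynamically assigned address to a subscriber account (never to the individual user); and an address that belongs to a NAT gateway resolves to an organization, not to any host behind it. All addresses, account names and log lines are constructed for the example.

```python
"""
Why an IP address in a web server log does not, by itself, identify a person.
Every address, account and log line here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Constructed web server log: this is all the website itself holds.
SERVER_LOG = [
    "2008-02-14T10:15:02 203.0.113.7 GET /search?q=faroe+islands",
    "2008-02-14T22:40:11 203.0.113.7 GET /search?q=paris+appeal+court",
    "2008-02-14T11:02:45 198.51.100.23 GET /search?q=nat+router",
]

# Constructed whois-style allocation table: the most a website can look up
# on its own is the organization that manages the block, never a subscriber.
ALLOCATIONS = {
    ip_network("203.0.113.0/24"): "ExampleNet ISP (constructed)",
    ip_network("198.51.100.0/24"): "Example Corp NAT gateway (constructed)",
}


@dataclass
class Lease:
    """One dynamic-address assignment held only by the ISP."""
    ip: str
    start: datetime
    end: datetime
    account_holder: str  # the subscriber of record, not necessarily the user


# Constructed ISP lease records: the same address goes to different accounts
# at different times, so a lookup without a timestamp is ambiguous.
ISP_LEASES = [
    Lease("203.0.113.7", datetime(2008, 2, 14, 8), datetime(2008, 2, 14, 14),
          "Account A (shared by a family of four)"),
    Lease("203.0.113.7", datetime(2008, 2, 14, 20), datetime(2008, 2, 15, 2),
          "Account B"),
]


def parse_log_line(line: str):
    """Split a constructed log line into (timestamp, ip, request path)."""
    ts, ip, _method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, path


def whois_org(ip: str) -> Optional[str]:
    """Website-side lookup: the managing organization, or None if unknown."""
    addr = ip_address(ip)
    for net, org in ALLOCATIONS.items():
        if addr in net:
            return org
    return None


def isp_accounts(ip: str, at: Optional[datetime]) -> Set[str]:
    """ISP-side lookup. With a timestamp, the account holding the lease then;
    without one, every account that ever held the address."""
    return {lease.account_holder for lease in ISP_LEASES
            if lease.ip == ip and (at is None or lease.start <= at < lease.end)}


def identifiability_report(line: str) -> dict:
    """What each party can learn from one log line."""
    ts, ip, _path = parse_log_line(line)
    return {
        "ip": ip,
        "org_from_whois": whois_org(ip),
        "accounts_without_time": isp_accounts(ip, None),
        "account_with_time": isp_accounts(ip, ts),
    }


if __name__ == "__main__":
    for entry in SERVER_LOG:
        print(identifiability_report(entry))
```

The NAT gateway address (198.51.100.23) appears in no lease record at all, so even the ISP cannot say which of the hosts behind it made the request.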

So again, on the balance of probabilities and taking into account any factors identified by the Working Party as relevant, the most obvious conclusion is that the IP Addresses obtained by Google and other websites are not sufficiently significant or revealing to qualify as personal data from the point of view of the EU data protection directive.

Some people have raised the question whether the government/law enforcement can identify an individual user from an IP address from Google’s logs. Google on its own cannot tie any IP to any specific ISP account or any specific computer. We simply know that the IP address locates a computer that is accessing our system. We don’t know who is using that computer. So, in order for someone to tie the IP to an account holder, there have to be at least two subpoenas issued: one to Google and a separate one to the ISP.

Others have suggested that IP addresses should be considered “personal data”, on the mistaken understanding that looking up an IP address in a “whois” directory allows IP addresses to be tied to identifiable human beings. But in reality, if you look up an IP address in a whois directory, you usually get the name of the organization that manages the IP address. So, normally, Google could determine that a user’s queries come from a particular IP address owned by, say, Comcast, but Google has no way of knowing the name or organization of the human being behind the IP address.

A different question altogether is whether identifiability should equate to individualization. As discussed above, identifiability is about the likelihood of an individual being distinguished from others. But for this distinction to merit the protection afforded by privacy laws, it must be necessary to establish a link between the person and their right to privacy. For example, during the course of an online transaction between a retail web site and a customer, that customer’s identity will be protected by data privacy laws that impose obligations on the website operator (like seeking the customer’s consent for ancillary uses of customer information) and give rights to the individual (like allowing the customer to opt out of direct marketing). However, if someone who visits the web site for the first time (therefore prior to any transaction taking place) is presented with a local language version of the web site as a result of the geographical identifier associated with the IP Address used to access the site, there will be an element of individualization that does not involve identifying the person. In other words, unless and until that user becomes a registered customer, the web site operator will not be able to identify that individual. But the language appearing on the pages accessed by anyone using that IP Address may be different from the language presented to those using an IP Address associated with a different geographic location.

Should privacy laws apply in this situation? There is an obvious danger in trying to apply privacy laws as we understand them today, in terms of notice, choice, access rights or data transfer limitations, to these types of cases. For example, there is no way that websites can provide consumers with a so-called right of access to IP-address-based logs, since such databases provide no way of authenticating a user. Individualization of Internet users is a logical and beneficial result of the way in which Internet technology works, and sometimes it is also indispensable in order to comply with legal obligations such as presenting or blocking certain information in certain territories. Attempting to impose privacy requirements on situations that do not affect someone’s right to privacy will not only hamper technological development, but will entirely contradict the common sense principles on which privacy laws were founded. Privacy laws should be about protecting identifiable individuals and their information, not about undermining individualization. No doubt some people think that the cause of privacy is advanced if data protection is extended to ever-broader categories of numerical locators like IP addresses. But let’s think hard about when these numbers can identify someone, and when they can’t. Black and white slogans are usually wrong. The real world is more complicated than that.