Internet doit être défendu! (4)

I write this addition to my ongoing series of thoughts on the implications of the Wikileaks scandal, en Francais because according to Le Point, the the Assemblée Nationale has passed a bill, Loppsi 2, which, amongst other things, in its Article 4, allows the French government to ban particular websites, and essentially to ‘filter’ the Internet. The Bill of course has ‘good intentions’, in this case, it is aimed at paedophiles, but the wording is such that it allows a far wider use against “la cybercriminalité en général”. Regardless, as the article points out: “Les expériences de listes noires à l’étranger ont toutes été des fiascos,” in other words such bills have generally been a complete failure as in most cases the state’s technology and expertise cannot deliver what the law allows.

However, I am left wondering what makes this any different from what China does, and what moral right the French state now has to criticise Chinese censorship or indeed any other regime that is repressive of information rights. And of course, what other very reasonable ‘good intentions’ could be drawn upon for closing the Net – opposing ‘information terrorism’, par example?

Data Protection in Japan

Comprehensive data protection in Japan is fairly recent. Until 2003, data protection was still governed under much two earlier ‘ information society initiatives: firstly, the Act for the Protection of Computer Processed Personal Data Held by Administrative Organisation (1988) and secondly, the Protection of Computer Processed Personal Data Act (1990), which are based on the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These laws were limited an applied only to the state, and within that, only to some national government organisations rather than all of them.

Lawyers and those concerned with privacy within and without government were well aware of these limitations, and in the late 90s, a special Privacy Issues Study Working Group was set upby the Electronic Commerce Promotion Council of Japan (ECom). This committee issued Guidelines Concerning Protection of Personal Data in Electronic Commerce in the Private Sector in March 1998. The Chair of that committee, Professor Masao Horibe, provides an account here.

Subsequently, a Personal Data Protection Legislation Special Committee was established in January 2000 under the Advanced Information and Telecommunications Society Promotion Headquarters (now the IT Strategic Headquarters), a body responsible directly to the Japanese cabinet. This body has issued all the laws and directions regarding IT, e-Japan etc.

The need to “protect personal data” (kojin deta) was mentioned in Article 22 of the Basic Law on the Formation of an Advanced Information and Telecommunications Network Society within the rubric of ‘security’. This was followed up by the e-Japan strategy of January 2001, which under the section on the Facilitation of E-Commerce, recommended that “Necessary legislative measures should be taken to win the confidence of consumers, including submission of a bill to protect personal data to the ordinary session of the Diet in 2001.”

The Bill was introduced in March 2001, but as a result of concerns about its effects on the freedom of the press, was left to fall by 2002. However the Personal Information Protection Bill was passed in 2003, one of five bills with implications for data protections to be passed in that Diet session.The bill came into force in 2005. I’ll discuss the content and operation of the bill later, but there’s a good summary in English from when the Bill was passed here.

The one particularly interesting thing to note here is that it doesn’t designate or establish any one body to oversee the operation of the law or the enforcement of rights, or deal with complaints as in European countries and Canada, for example, Instead it keeps data protection as an internal matter for designated government ministries (and for companies), with legal action an option if all else fails. The law is generally on the side of data flow and commercial / administrative convenience, which is not surprising given its origins in industry-led e-commerce promotion organisations.

Australia gives up net censorship plan

Some good news for once. The Sydney Morning Herald reports that the heinous plans that the Australian government had for surveilling and censoring the Internet have been iced. The plans would have introduced mandatory filtering of the Internet in Australia despite the technical impossibility and political and ethical objections. The fight over these proposals had been vicious with opponents even receiving death threats, but the side of both sense and liberty appears to have won an important victory.

Now, let’s see if similar good sense will prevail in other countries which are advocating similar, if not quite as extreme, China-style net-disabling proposals like the UK and Brazil

(Thanks to bOINGbOING who’ve been keeping us up to date on this one)

At the Departamento de Policia Federal

Both human rights advocates and the police seem to be strongly in favour of the new RIC system as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state.

Departemento de Policia Federal, Brasilia
Departamento de Policia Federal, Brasilia

I have just come back from a very productive interview with Romulo Berredo, from the Director-General’s office at the Departamento de Policia Federal (DPF), who are the Brazilian equivalent of the FBI. There was a lot covered and I couldn’t hope to reproduce it all here. There were however a number of immediately interesting aspects.

The first was more evidence that the whole basis on which identity cards and database issues are being considered here is entirely different from the UK. Now I know this represents a police, and a state, view, but so far, both Brazilian human rights advocates and the police seem to be strongly in favour of the new Registro de Identidade Civil (RIC) system. This is both as a means of social inclusion and to replace the chaotic and corrupt identification system based in individual Brazilian states at present, which allows anyone with any other form of ID to get a state Registro Geral card in each different state. It is fairly easy to acquire 27 different identities in Brazil at present. And identification is important here. The great fear that many people seem to have – indeed it was called a ‘cultural’ characteristic by Berredo – is not the use of identification by the state as a form of control or intrusion but as a guarantee against the anonymity that would allow abuses by the state or indeed by other malicious persons. It provides a metaphysical and material kind of certainty and stability. The legacy of the last dictatorship was not so much an East German-style nightmare of knowledge and order but of corrupt and arbitrary rule.

It is this latter legacy which also drives the divisions between the different police forces in Brazil. The states-based Policia Militar (Military Police) and Policia Civil are both tainted in different ways by associations with authoritarian rule, and the former particularly with extra-legal execution and torture, and they continue to be regarded with caution, suspicion or even hatred by many Brazilians. The other police forces are also suspicious of the growing role of the DPF, which is often seen in terms of a power struggle not rational subsidiarity. Ironically then it is the states-based police forces that are dragging their heels over plans to create the kinds of national databases of criminal information that the UK has, and not for any libertarian reasons. In fact the DPF seem far more concerned with protecting human rights and defending the idea of citizenship, and because they are tasked with anti-corruption investigations have even arrested Senators and Judges, something unheard of even ten years ago. Of course those very same Senators and Judges are now fighting back, in a manner rather similar to Berlusconi in Italy, trying to alter the law to give immunities and protections. For example, handcuffing of arrested suspects was always normal until it happened to a Senator arrested for corruption. The Senate suddenly became interested in the ‘human rights’ of arrested suspects and passed a law limiting the use of handcuffs! Corruption at every level is still an enormous problem here, though Berredo argued that it was largely associated with those who had retained power from the years of the dictatorship.

The concentration on inclusion and joining-up government where it is clearly much needed does however lead to some gaps in thinking. The creation of new databases brings with it new duties and new potential problems of data-handling. As the privacy and data-protection law expert, Danilo Doneda, pointed out to me the other day, Brazil is in an almost unique position in not having any kind of regulator for privacy and information / data rights. He argued it was because the authorities just don’t see the need. Berredo confirmed this. He claimed that the DPF were trusted by the public – and relative to other police forces, that is certainly true! – and that they had to carry out their duties appropriately or they would lose that trust. It sounds nice, but it isn’t a good-enough (or legally-sound) basis for the protection of data-rights.

It all confirmed once again that Brazil is not yet a surveillance society – the state does not yet have the capabilities. There is no national database of fingerprints (even for convicted criminals) for example. But as Berredo said, it is moving in that direction. He was keen that there should be be limits. I liked the fact that he used this word. ‘Limits’ is a word that I found that the neither the UK government nor the European Commission seem to like, and they seem very unwilling to say what limits might be. However Berredo was quite clear that a technologically-driven surveillance future in which individuals could be tracked – he used the example of Google Latitude – was not one which he wanted to see. He recognised that he was both a policemen (at work) and a private citizen (at home) and that he, as much as anyone else, valued his privacy.

(Thank-you very much to Delegado Romulo Barredo of the DPF, for his openness, time and patience, and also to Agent Alessandre Reis, for his help)

The loneliness of personal data

Surveillance like this harms us all: it makes our lives banal and reveals only the sadness and the pain.

Still from I Love Alaska
Still from I Love Alaska

There is something at once banal and heartbreaking about what is revealed through the examination of personal data. The episodic film, I Love Alaska, captures this beautifully. The film by Lernert Engelberts and Sander Plug is based on AOL’s accidental exposure of the search data of hundreds of thousands of its users, and focuses on just one, 711391. The film consists of an actress reading out the (unusually discursive and plain language) search terms of User 711391 like an incantation, with background sound from Alaskan locations and static camera shots that serve to emphasize her boredom, isolation and loneliness.

I was watching episode 5 of the film when two stories popped into my inbox that just happened to be related. The first was from the New York Times business section and dealt with the other side of the recent US sporting scandal over revelations that baseball player Alex Rodriguez has taken steroids. Like User 711391, Rodriguez had given up his data (in this case, a sample) in the belief that the data would be anonymous and aggregated. But it wasn’t.

So, then we come to how the state deals with this. The Toronto Globe and Mail comments on the way the Canadian federal government is, like so many others, proposing to introduce new legislation to monitor and control Internet use. The comment argues that there is no general need to store personal Internet use data (or Canada will end up like the UK…), and that Internet surveillance should be governed by judicial oversight. Quite so. But, as the NYT article points out, it isn’t just the expanding appetite of the state for data (frequently coupled in the UK with incompetence in data handling) that we should fear but the growth in numbers of, and lack of any oversight or control over, private-sector dataveillance operations.

Some people will argue that any talk of privacy here is irrelevant: User 711391 was cheating on her husband; Rodrguez was taking steroids; there are paedophiles and terrorists conspiring on the Internet. With surveillance the guilty are revealed. Surely, as Damon Knight’s classic short story, ‘I See You’, claimed, with everything exposed we are truly free from ‘sin’? But no. In its revelations, surveillance like this harms us all: it makes our lives banal and reveals only the sadness and the pain. For User 711391, her access to the Internet served at different times as her main source of entertainment, desire, friendship, and even conscience. The AOL debacle revealed all of this and demeaned her and many others in the process. Most of us deserve the comfort of our very ordinary secrets and the ability for things to be forgotten. This is the true value of privacy.

(Thanks to Chiara Fonio for letting me know about I Love Alaska)