iamsteve.in

Category: Internet Law

Everything related to the world of law online.

  • Thoughts on the DMCA Reform Draft Proposal

    The DMCA is one of the most significant laws on the Internet, as it is the de-facto standard process which governs the removal of content which allegedly infringes on copyright. That might sound mind-numbingly boring, but it’s a topic which has increasingly come into the cultural spotlight, as automated takedown mechanisms have impacted folks on Twitch, YouTube, etc – for a whole variety of arguably spurious reasons.

    It’s no secret that the DMCA has significant problems (it’s a topic I’ve written about at length) – and there has been an ongoing review of the statute to try bring it up to date. Earlier this year we saw the US Copyright Office publish their recommendations on the future for the DMCA, and just this last week, a draft proposal for change was put forward for comments by Senator Tillis. The full thing is pretty long and complicated, especially if you aren’t familiar with the statute, but the accompanying summary doesn’t really give a full picture of the changes.

    I’ve had a look through the proposals (specifically in relation to the notice and takedown process), and noted some specific areas of interest below. Note that this is nowhere near exhaustive, and based on first impressions. Caveat Emptor.

    1. s.512(b) – Qualifications added to the notice requirements. Here we see a bunch of different language added to the section detailing the requirements of a notice. This in of itself is not a bad thing, but the changes here make the statute much more difficult to both interpret and apply. The law is already vague and unclear in a number of areas, and this makes that worse. See s.512(b)(1)(C)(i)-(ii) specifically.
    2. s.512(a)(2)(C)(ii)Notice and Stay Down. This section introduces a requirement that material which is the subject of a DMCA takedown ‘stays down’ when a ‘complete or near complete copy’ is identified. In essence, this means that platforms will have to implement some kind of filtering technology to ensure that content is not re-uploaded. This comes despite the warnings from the USCO and others that this approach (following the European Copyright Directive) would be problematic (to say the least). It also isn’t clear at all whether this would apply retrospectively to content which has already been uploaded, or what a ‘near complete copy’ would entail. Again, this opens up issues of interpretation around the threshold for removal, and platforms would inevitably need to err on the side of caution to avoid liability. The impact of this would be that far more content would be taken down than users would expect. It also doesn’t address the question of fair use, in any way. In other words… not all unauthorised uses of copyrighted material constitute infringement (or where they do, there can be a fair use rebuttal).
    3. s.512(b)(1)(E)Good Faith Belief now subjective. The requirement for the copyright holder to make a statement that they have a good faith belief that the material is not authorised for use […] has been updated to include a ‘subjective’ qualifier. This will make it much more difficult for any claims to be brought against those who submit bogus takedown notices on the basis of their good faith statement. This directly relates to the hard-fought concession in the Dancing Baby case (Lenz v. Universal).
    4. s.512(b)(5)Anonymous Notices. This section allows for complainants to have their personal information redacted from notices, based on as-of-yet non-existent guidance from the Register of Copyrights. On the face of it this seems sensible. However, the DMCA already allows various ways for complainants to remain largely anonymous, or to have their details protected – something which is not afforded to users when submitting counter notices. Complainants can simply provide an e-mail address as the minimum contact information required, or submit through a third party agent. There is no similar provision or update given for counter notices. This is something which we have seen abused by abusive complainants to gain information on those who are critical of them.
    5. Counter Notification Challenges – Again on counter notices, this section essentially gives the complainant the final right to reply on the statutory process, before resorting to legal action. In other words, if a counter notice is submitted, complainants would be able to challenge this within the statute, and not have to show evidence that they have pursued the matter in court (as they do under the current provisions). This adds another step to the ‘complicated game of tennis’ which is the back-and-forth of the notice and takedown system, and one which benefits the complainants massively. The burden of proof is essentially reversed, and means that any users who have the right to use material will be forced to take legal action to show that the material was wrongfully removed – rather than the rights holders taking action against the infringement.
    6. s.512(f)(2)List of Abusive Complainants – This is the one positive from the list of changes. Essentially, this updates the penalties section of the DMCA to allow for those that consistently send invalid notices to be placed on a list which would allow service providers to disregard these notices for a set period of time. However, there are no real details about what the threshold for abuse would be, or about what the appeal process (if any) would be if someone was included on this list. Without these details, one suspects that the threshold would be set so high, and be subject to so much legal challenge, that it would in effect be worthless.

    General Thoughts

    This draft proposal is disappointing (at least with regards to the notice and takedown provisions), as it seems to ignore many of the key issues that have been consistently raised about the DMCA. Rather than correcting the imbalances that exist, the proposed changes further strengthen and entrench the position of rights holders, as well as the statute’s utility as a powerful unilateral censorship tool.

    The provisions relating to counter notification are particularly troubling, as the data collected over the 20-odd year life-span of the DMCA shows that the number of counter notices which are actually filed is miniscule. There are already so many barriers and disincentives for people to challenge takedown notices (on valid grounds) that adding in more hurdles seems to be completely at odds with all of the established literature on the topic.

    Despite its many flaws and criticisms, the DMCA has become a system which at least provided consistent results. These proposals bring some of the worst parts of the statute, and combine them with the very worst parts of the European Copyright Directive to give far greater takedown powers to rights holders, with seemingly no consideration of users, or the cultural importance of online expression.

    This is just a draft proposal, and open for stakeholder comments. If we are going to avoid a similar disaster to the approach taken in Europe, major changes need to be made.

  • Book Recommendation – “The Twenty-Six Words That Created the Internet”

    The latest book I have to recommend comes from law professor Jeff Kosseff, in which he examines one of the laws that have been most crucial to the development of the Internet: s.230 of the Communications Decency Act. For those not familiar with the CDA, it is a piece of American jurisprudence that has essentially enabled businesses such as Twitter and YouTube to develop platforms built on user generated content, without themselves becoming liable for everything that those users may say or do.
    Jeff Kosseff - Twenty Six Words That Created the Internet - Book Cover

    Understanding the CDA is increasingly important – not just for lawyers or academics focussed on intermediary liability – but for anybody with an interest in the future of the Internet. This book provides a comprehensive explanation of the law’s history and original aims, as well as its development through case law. Whilst it isn’t necessarily an ‘easy’ read due to the subject matter, Kosseff’s narrative style means that it remains engaging throughout, never letting things run dry, or too theoretically abstract.

    The Twenty-Six Words That Created the Internet‘ was published in April of 2019. Given the impact of the CDA, it is almost hard to believe that such a complete study hasn’t come around before now. Either way, if you want to learn (a lot) about one of the most important laws underpinning the Internet as we know it, read this.

    Disclaimer: I am not being paid to review or recommend this book, but if you click on the Amazon links above and buy a copy, Jeff Bezos might send me a few pennies to say thanks. 

  • Book Recommendation – “Speech Police: The Global Struggle to Govern the Internet”

    ‘Speech Police: The Global Struggle to Govern the Internet’ is the latest publication from speechpoliceUN Special Rapporteur on Freedom of Expression, David Kaye. Following on from his 2018 report on content regulation, this book looks at the issue of who decides what kind of speech is acceptable online, and the potential implications of the increasing expectations placed on platforms to regulate certain kinds of content.

    Kaye’s narrative style is both thoughtful and engaging, covering difficult concepts in a clear and concise fashion, but also exploring aspects of the debate that are often overlooked. Coupled with a relatively low page count, this means that Speech Police is not only a valuable read for those already familiar with the questions around content moderation and freedom of expression, but is also extremely accessible for those new to the topic. As a result, this book is a must read for anybody currently studying or working in tech policy, or those who are simply concerned about the future of the Internet.

    You can get a copy of Speech Police from Amazon here.

    Disclaimer: I am not being paid to review or recommend this book, but if you click on the Amazon link above and buy a copy, Jeff Bezos might send me a few pennies to say thanks. 

  • Freedom of Speech and the DMCA: Abuse of the Notification and Takedown Process

    Last month, my first academic journal article was published by the leading international publication on IP law: the European Intellectual Property Review from Thomson Reuters.

    From the abstract:

    The Digital Millennium Copyright Act’s “notice and takedown” process is increasingly referred to as a model solution for content removal mechanisms worldwide. While it has emerged as a process capable of producing relatively consistent results, it also has significant problems—and is left open to different kinds of abuse. It is important to recognise these issues in order to ensure that they are not repeated in future legislation.

    To that end, this article examines the DMCA with reference to its historical context, and the general issues surrounding the enforcement of copyright infringement claims. It then goes on to discuss the notice and takedown process in detail—along with its advantages, disadvantages, criticisms and praise. Specific examples of the kinds of abuse reported by online service providers are outlined, along with explanations of the statutory construction that allows these situations to continue. To finish, the viability of potential alternatives and proposed changes are discussed.

    The article itself is available on WestLaw, citation: E.I.P.R. 2019, 41(2) at 70However, you can also get a copy of the PDF below.

    Freedom of Speech and the DMCA: Abuse of the Notification and Takedown Process (PDF)

    This material was first published by Thomson Reuters, trading as Sweet & Maxwell, 5 Canada Square, Canary Wharf, London, E14 5AQ, in European Intellectual Property Review as ‘Freedom of speech and the DMCA: abuse of the notification and takedown process’.
    E.I.P.R. 2019, 41(2) at 70 and is reproduced by agreement with the publishers. This download is provided free for non-commercial use only. Further reproduction or distribution is prohibited.

  • Home Office Data Subject Access Request: Part Two.

    Back in May I wrote about the data subject access request I had submitted to the Home Office, and how they required a ‘written confirmation of likeness’ signed by a very particular list of people before providing any information. This is purportedly to verify your identity, but as I noted at the time, the requirements are stricter than those that the same organisation sets for processing passport applications. One may reasonably surmise that this could be an attempt to put people off from making these requests.

    I am following up with this post to document what happened after I submitted the request, for those interested in the reach and limits of data protection law.

    Objection to the Home Office’s disproportionate requirements

    At the time, I objected to the unusually stringent verification requirements, as well as that these would not be accepted online. Extract below:

    As you will be aware, data controllers are required to undertake ‘reasonable measures’ to verify the identity of the person making the Data Subject Access Request. I submit that by providing a copy of my passport, and the passport number, that this more than satisfies the legal requirement.

    Further, I submit that since the list of those who are considered appropriate to provide this written confirmation is less extensive than those who can act as a counter-signatory for a passport application in the first place, that this requirement is demonstrably disproportionate, and as such not required to respond to my request.

    The Home Office responded simply to reiterate that the verification must be done via post:

    We require that you send in a copy of your ID via the post, please have your photographic ID certified and sent to us at the address below.

     [address omitted]

    We request certified ID in this method for security to reduce the chances of fraudulent data requests.

    ‘To reduce the chances of fraudulent data requests’? Aye, right. They did not address my questions about inconsistency.

    I responded to press them on this:

    I understand that you are obliged to take ‘reasonable measures’ to verify the identity of the person making the subject access request. However,

    1. I do not see how requiring this to come via the post makes any difference whatsoever.

    2. The requirements for certification are far stricter in terms of who can make such a certification than those who can counter-sign a passport (https://www.gov.uk/countersigning-passport-applications). This is not ‘reasonable’, or ‘proportionate’ within the meaning of the relevant law.

    I am prepared to send in a certified copy of my ID to verify my identity, but I reject the requirement to have the certification made by one of the following:

    * a legal representative, registered with the Office for the Immigration Services Commissioner (OISC)
    * a solicitor, barrister or chartered legal executive
    * a commissioner for oaths
    * a registered charity

    Instead, I ask you again to confirm that you will accept a ‘written confirmation of true likeness’ from someone on the same list that you accept for passport counter-signatories (detailed in the URL above).

    If you refuse this, then your requirements would appear designed solely to prevent people from getting access to their data by implementing unreasonable stipulations, and I will be making a formal complaint to the ICO.

    They did not respond to this, or my follow up e-mail a few weeks later, so on the 20th of June I reported them to the UK’s Information Commissioner (ICO).

    ICO Complaint

    Specifically, I drew attention to the inconsistency in the listed requirements for ID verification when it came to passport applications versus data subject access requests, and that it appeared that those that related to the latter were therefore disproportionate.

    They replied in just over a week:

    The DPA 1998 and DPA 2018 do not state what identification or verification data controllers may request. Data controllers must be satisfied as to the identity of the requester to ensure personal data is not inappropriately disclosed. This also helps prevent fraud. The ICO therefore reviews concerns regarding this matter on a case-by-case basis.

    The ICO is satisfied that generally, the level of identification and verification requested by the HO for SARs is both reasonable and proportionate. This is because the HO must be certain of a requester’s identity before releasing any personal information.

    In light of the above, we would advise that you provide the HO with the requested documents and verification of these documents to allow the organisation to process your SAR.

    Basically, they just reiterated that data controllers have to take steps to verify the identify of those requesting data before processing a subject access request – choosing not to address the specific questions I had raised around proportionality.

    I pressed them on this, and after about a month the ICO responded:

    I understand that you are concerned about the level of identification requested by the Home Office for subject access requests, as it requires more identification for this than for passport applications.

    As stated previously, this is not a matter that is of concern to the ICO at this time. I understand that it appears there is inconsistency within the Home Office in regards to identification requested. However, due to the nature of information held by the Home Office, it must satisfy itself as to the identity of a requester before disclosing personal data.

    As it is not up to the ICO as to what the Home Office requests for different applications, and if you are concerned about inconsistencies within the Home Office, we suggest you raise this with the organisation.

    I apologise the ICO can’t be of further assistance at this time. However, please note that the concerns you have raised will be kept on file. This will help us over time to build a picture of the Home Office’s information rights practices.

    What this tells us

    This process was informative as it demonstrates the barriers that organisations such as the Home Office will place in the way of those who seek to exercise their rights under data protection law. By making the process as difficult and cumbersome as possible, it locks out all but the most determined and able.

    It also tells us a bit about the ICO’s role and reach in these cases: Namely, that it is extremely limited – at least when it comes to making assessments of proportionality. Rather than taking a holistic view of the data protection practices and requirements of an organisation, the ICO simply looks at each portion in isolation. In other words, it doesn’t matter whether the Home Office’s approach is entirely inconsistent, and demonstrates a clear lack of proportionality on any reasonable assessment of all the facts. The ICO only has to be satisfied that the requirements relating to a very narrow and immediate situation are proportionate, irrespective of the wider context.

    This makes no sense except in the most literal of readings, and makes a mockery of the spirit of data protection legislation. We shouldn’t be too surprised that this is the approach of the Home Office though, given the appalling state of the UK’s immigration law.

    I am currently debating whether or not to proceed with the formal ID verification process to see what they will provide once you get through the barriers. Watch this space.

  • UN Special Rapporteur’s Report on Content Regulation (2018)

    With the news that the United States are to withdraw from the UN’s Human Rights Council, it seemed poignant to highlight one of their recently published Special Rapporteur’s reports, in which they looked at the state of online ‘content regulation’, and the impact on freedom of expression.

    [It] examines the role of States and social media companies in providing an enabling environment for freedom of expression and access to information online.

    The report itself is one of the better publications from an official entity, and talks about a lot of important issues that other bodies tend to ignore (willingly or otherwise). As a result, the whole thing is worth reading, but a few portions in particular stood out for me, and are worth sharing:

    Counter Speech

    One of the current major questions in the realm of intermediary liability is how platforms should deal with ‘extremist’ content. In an attempt to find a compromise between ‘doing nothing’, and total removal of anything questionable (with all of the resultant implications for freedom of expression), the concept of ‘counter speech’ is often brought up as a solution. In principle the idea is that instead of silencing disagreeable expression, people should instead seek to directly counter the ideas. This avoids the problem of subjective censorship, protecting free speech, and also ‘shines light into the dark’, rather than driving people underground where there is little or no critical dissent.

    As well intentioned as this approach may be, it is one that is now unfortunately being misconstrued as an obligation for platforms to incorporate, rather than interested individuals or groups. For example, there are suggestions that the likes of YouTube should place an interstitial banner on disputed content to warn viewers of its nature. In the case of pro-ISIS videos, this notice would include links to anti-extremism programs, or counter narratives. As the report wisely notes:

    While the promotion of counter-narratives may be attractive in the
    face of “extremist” or “terrorist” content, pressure for such approaches runs the risk of transforming platforms into carriers of propaganda well beyond established areas of legitimate concern.

    Despite the fact that there is little evidence that such an approach would do anything but bolster the already established beliefs of those viewing the content in question, there would inevitably be calls for it to be extended to any particularly contentious content. Ostensibly, pro-choice campaign websites could be overlaid with arguments from conservative religious groups; McDonalds.com with a link to the Vegan association. This may seem far fetched, but the danger is clear: as soon as we replace our own critical faculties with an obligation on intermediaries to provide ‘balance’ (even with the most extreme of content), we open the door to the normalisation of the practice. There is scant analysis of this particular issue out there at the moment, and I’m especially pleased to see it highlighted by the UNHRC.

    Trusted Flaggers

    Many companies have developed specialized rosters of “trusted” flaggers, typically experts, high-impact users and, reportedly, sometimes government flaggers. There is little or no public information explaining the selection of specialized flaggers, their interpretations of legal or community standards or their influence over company decisions.

    Lack of definition of terms

    You can’t adequately address challenges if the terms aren’t defined. For that reason, crusades against vague concepts such as ‘hate speech’, ‘fake news‘, etc are at best, doomed to failure, and at worst, a serious threat to freedom of expression. This isn’t a problem limited to the issues surrounding intermediary liability, but one which is made more visible by the globalised, cross jurisdictional nature of the Internet.

    The commitment to legal compliance can be complicated when relevant State law is
    vague, subject to varying interpretations or inconsistent with human rights law. For
    instance, laws against “extremism” which leave the key term undefined provide discretion to government authorities to pressure companies to remove content on questionable grounds.

    This is pretty self explanatory, but something which is often overlooked in discussions around the responsibilities of intermediaries in relation to content regulation. We should not accept the use of terms which have not been properly defined, as this allows any actor to co-opt them for their own purposes. Tackling ‘online abuse’, for example, is a grand aim which can easily garner much support, but which remains empty and meaningless without further explanation – and thus, open to abuse in of itself.

    Vague rules

    Following on from the previous section, platforms (perhaps partly as a direct result of the contemporary political rhetoric) adopt vague descriptors of the kind of content and/or behaviour which is unacceptable, in order to cover a variety of circumstances.

    Company prohibitions of threatening or promoting terrorism, supporting or praising leaders of dangerous organizations and content that promotes terrorist acts or incites violence are, like counter-terrorism legislation, excessively vague. Company policies on hate, harassment and abuse also do not clearly indicate what constitutes an offence. Twitter’s prohibition of “behavior that incites fear about a protected group” and Facebook’s distinction between “direct attacks” on protected characteristics and merely “distasteful or offensive content” are subjective and unstable bases for content moderation.

    Freedom of expression laws (generally) do not apply to private entities. In other words, Facebook et al are more or less free to decide on the rules of engagement for their platform. However, as these intermediaries increasingly control the spaces in which we as a society engage, they have a responsibility to ensure that their rules are at least transparent. The increasing multi-jurisdictional legal burdens and political pressures placed upon them to moderate content reduces the likelihood of this significantly. It also provides little to no stability or protection for those who hold views outside of the generally accepted cultural norms – a category that includes political activists and dissidents. In many parts of the world, having a homosexual relationship is considered ‘distasteful’ and ‘offensive’, as are the words of the current President of the United States – which demonstrates the problem with allowing (or expecting) a technology company to make such distinctions.

    ‘Real name’ policies

    For those not familiar, this refers to the requirement from certain platforms that you must use your actual, legal name on their service – as opposed to a username, pseudonym, nickname, or anonymity. Officially the reason is that if someone is required to use their ‘real’ name, then they are less likely to engage in abusive behaviour online. We can speculate as to the real motives for such policies, but it seems undeniable that they are often linked to more accurate (aggressive) marketing to a platform’s user base. Either way, the report notes:

    The effectiveness of real-name requirements as safeguards against online abuse is
    questionable. Indeed, strict insistence on real names has unmasked bloggers and activists using pseudonyms to protect themselves, exposing them to grave physical danger. It has also blocked the accounts of lesbian, gay, bisexual, transgender and queer users and activists, drag performers and users with non-English or unconventional names. Since online anonymity is often necessary for the physical safety of vulnerable users, human rights principles default to the protection of anonymity, subject only to limitations that would protect their identities.

    Within traditional digital rights circles (if there is such a thing), there appears to be a growing belief that anonymity is a bad thing. I’ve even heard suggestions that the government should require some kind of official identification system before people can interact online. This is clearly a terrible idea, and may seem utterly laughable, but when you consider that this is exactly what will be law for adult websites in the UK later this year, it seems like it might not be completely out of the realms of possibility after all. We need to better educate ourselves and others on the issues before the drips become a wave.

    Automated decision making

    Automated tools scanning music and video for copyright infringement at the point of upload have raised concerns of overblocking, and calls to expand upload filtering to terrorist-related and other areas of content threaten to establish comprehensive and disproportionate regimes of pre-publication censorship.

    Artificial intelligence and ‘machine learning’ are increasingly seen as some kind of silver bullet to the issues of moderating content at scale, despite the many and varied issues with the technology. Bots do not understand context, or the legal concept of ‘fair use’; frequently misidentify content; and are generally ineffective, yet the European Union is pressing ahead with encouraging platforms to adopt automated mechanisms in their proposed Copyright Directive. Rather than just trying to placate lawmakers, intermediaries need to recognise the problems with such an approach, and more vigorously resist such a solution, instead of treating it as a purely technological challenge to overcome.

    Finally…

    Companies should recognize that the authoritative global standard for ensuring
    freedom of expression on their platforms is human rights law, not the varying laws of States or their own private interests, and they should re-evaluate their content
    standards accordingly.

    This is a pretty strong statement to make, and demonstrates an approach that I strongly resonate with. In principle, at least. In practice however, companies are obliged to follow the legal obligations of the jurisdictions in which they are based (and sometimes even beyond, given the perceived reach of the GDPR). The extent and application of ‘human rights law’ varies significantly, and there are no protections for intermediaries that rely on mythical ‘global standards’ – even the UN Declaration of Human Rights.

  • Issues with Article 17 (‘Right to be Forgotten’) of the GDPR

    Issues with Article 17 (‘Right to be Forgotten’) of the GDPR

    With the GDPR’s deadline now almost upon us, one of the most talked about provisions has been the ‘Right to Erasure’ contained within Article 17.

    Significantly expanding the ‘Right to be Forgotten’ doctrine established in the Google Spain case, Article 17 allows data subjects (i.e. you and I) to submit takedown requests to any organisation that collects and controls information on them.

    There are a number of grounds under which people may seek to have data deleted, which cover a broad variety of circumstances. These include situations where the data is no longer necessary for the reasons it was collected; where it was unlawfully processed; where the subject withdraws their consent; as well as some others. The right is not unlimited, with exceptions where the collection and processing of the data is necessary in the exercise of the right to freedom of expression; where there is a specific legal obligation to retain the information; for reasons of public interest; etc.

    Issues with Article 17

    Despite some initial reservations, the GDPR (and Article 17 in particular) has generally been lauded as a victory for European citizens, who will gain far more control over what information companies hold on them than they ever previously have had. This is especially true given the arguably extra-territorial applicability, where any organisation that handles European data will be expected to comply.

    However, there are a few specific issues arising from the construction of Article 17 that bear some further scrutiny. Rather than analyse the philosophical criticisms of the Right to Erasure, below I briefly look at some of the practical considerations that will need to be taken by data controllers when they receive such a Request for Erasure:

    1. Verification.
    2. Abuse, and a lack of formal requirements for removal requests.
    3. Article 85: Freedom of expression.

    Verification of the Data Subject

    Before giving effect to an Article 17 request, the controller must use all ‘reasonable measures’ to identify the identity of the requesting party. It is perhaps obvious that an organisation should not be deleting the accounts or other data of somebody without checking first to make sure that the person making that request is authorised to do so. However, this leaves open a number of questions about what this kind of verification will look like. In other words, what steps will be considered ‘reasonable’ under the terms of the law? Will courts begin to see arguments over online platforms account recovery procedures as a result of a denial of access to the fundamental right of privacy via the GDPR? What metrics will a data subject be able/expected to provide in order to discover their associated data? i.e. while it might be easy to request information relating to your e-mail address, what about other identifiers such as IP addresses, or names? These are questions that do not have clear answers, and will inevitably lead to an uneven application of the law, dependent on the situation.

    Abuse, and a Lack of Formal Procedural Requirements for Erasure Requests

    It should be self-evident at this stage that any statutory removal mechanisms will be open to abuse by parties determined to have content removed from the Internet, and in that regard, Article 17 is no different. However, there is a common misconception that the Right to Erasure gives people the right to stop any mention of them online – especially speech that is critical of them, or that they disagree with. This is not the case, and Article 17 is not crafted as a dispute resolution mechanism for defamation claims (that would be the E-Commerce Directive). These facts don’t stop people from citing the GDPR incorrectly though, and it can quickly become difficult to deal with content removal demands as a result.

    The problem is compounded by the fact that there are no formal procedural requirements for an Article 17 request to be valid, unlike the notice and takedown procedure of the DMCA, or even the ECD. Requests do not have to mention the GDPR, or even Right to be Erasure specifically, and perhaps even more surprisingly, the requests don’t have to be made in writing, as verbal expressions are acceptable.

    While the reasons for the lack of specific notice requirements is clearly in order to give the maximum amount of protection to data subjects (the lack of requirement for writing was apparently in order to allow people to easily ask for the removal of their data from call centres over the phone), it seems to ignore the accompanying problems with such an approach. The lack of clarity for the general public around what exactly the Right to Erasure includes, along with the lack of procedural checks and balances means that it will be increasingly difficult for organisations to identify and give effect to legitimate notices. This is especially true for online platforms that already receive a high number of reports. While many of these are often nonsense or spam, they will require far greater scrutiny in order to ensure that they aren’t actually badly worded Article 17 requests that might lead to liability.

    If we look at the statistics on other notice and takedown processes such as that in the DMCA (the WordPress.com transparency report, for example), we can see that the levels of incomplete or abusive notices received are high. The implementation of even basic formal requirements would provide some minimum level of quality control over the requests, and allow organisations identifiers to efficiently categorise and give effect to legitimate Article 17 requests, rather than the prospect of having to consider any kind of report received through the lens of the GDPR.

    Article 85: Freedom of expression

    As mentioned earlier, a controller is not obliged to remove data where its continued retention is ‘necessary for reasons of freedom of expression and information’. The obvious question then becomes under what grounds this should be interpreted, and we find some guidance in Article 85 of the GDPR. Unfortunately however, it doesn’t say all that much:

    ‘Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.’

    This appears to leave the task of determining how the balance will be made to individual Member States. Whilst this isn’t unusual in European legislation, it means that the standard will vary depending on where the organisation is based, and or where the data subject resides. At the time of writing, it isn’t clear how different Member States will address this reconciliation. Despite freedom of expression’s status as a fundamental right in European law, it is afforded scant consideration, and thus weak protection under the GDPR, preferring to defer to national law, which simply isn’t good enough. Far stronger statements and guarantees should have been provided.

    Over Compliance

    Unfortunately, the amount of extra work required to analyse and deal with these requests as a result of the law’s construction – along with the high financial penalties detailed in Article 83 – mean that it is likely that many organisations will simply resort to removing data, even where there is no lawful basis for the request, or requirement for them to do so.

    We may fairly confidently speculate that the response from many data controllers will be to take a conservative approach to the GDPR’s requirements, and thus be less likely to push back on any potentially dubious requests as a result. Insistent complainants may find that they are able to have speech silenced without any legitimate legal basis simply out of fear or misunderstanding on the part of third party organisations.

    With a well publicised and generally misunderstood right to removal, lack of procedural requirements, and a reliance on intermediaries to protect our rights to freedom of expression, we may find ourselves with more control over our own data, but with far less control over how we impart and receive information online.

    Header image by ‘portal gda‘ on Flickr. Used under CC BY NC-SA 2.0 license.

  • Shopify, Breitbart, and Freedom of Speech.

    Shopify, Breitbart, and Freedom of Speech.

    Tonight I came across an article on TechCrunch in response to an open letter from Tobias Lütke, CEO of e-commerce platform Shopify, in which he defends the company’s decision to continue hosting Breitbart’s online shop. Breitbart being the infamous far right publication of which Steve Bannon was heavily involved with.

    After sustained criticism, Lütke explains in the post entitled ‘In Support of Free Speech’ that based upon a belief that ‘commerce is a powerful, underestimated form of expression’, it would be wrong to effectively censor merchants by shutting down their shops as the result of differing political views.

    Reporting on the letter, TechCrunch shared their post to Facebook with the text: ‘Shopify’s CEO thinks his platform has a responsibility to continue hosting Breitbart’s store – here’s why he’s wrong.’

    Screen Shot 2017-02-10 at 02.29.57.png

    I was curious to see the arguments that would be proffered as to why the decision was wrong, but was ultimately left wanting. Here are the reasons given, as far as I could make out:

    1. Lütke is grossly overestimating the role of a private e-commerce platform in providing and protecting freedom of expression.
    2. Shopify cannot ‘censor’ anybody, as they are not an emanation of the State.
    3. Justifying the continued hosting of merchants who have extreme views for freedom of speech reasons is wrong, as freedom of speech does not apply to private organisations.
    4. As a private company, Shopify are not legally required to provide a platform to anybody.
    5. Shopify’s Terms of Service allow them to terminate the account of any user at any time.

    In response, here’s why TechCrunch are wrong:

    None of the reasons given actually explain why Shopify shouldn’t continue to host Breitbart.

    Read over them again, then check out the full article here. Despite heavily criticising Shopify, and stating that Lütke is ‘wrong’, TechCrunch don’t engage at all with the heart of the issue. No, Shopify are not legally required to host the Breitbart shop, and yes, quite obviously their Terms of Service are quite obviously worded in such a way to give them that discretion in the event of any legal challenge, but that’s hardly a surprise.

    Here’s the big question that went unanswered: why should Shopify not host Breitbart?Lütke hits the nail on the head with the following challenge, which the TechCrunch article completely fails to even acknowledge:

    When we kick off a merchant, we’re asserting our own moral code as the superior one. But who gets to define that moral code? Where would it begin and end? Who gets to decide what can be sold and what can’t?

    Rather than attempt to address this fundamental issue, TechCrunch essentially just argue that Shopify should kick Breitbart off of their platform because, er, well, legally there’s nothing to stop them. A pretty poor argument at best.

    Protecting freedom of speech isn’t just down to the State.

    Firstly, I’m not sure where this idea that censorship is only something that the State can give effect to comes from. It means to forbid or to ban something; to suppress speech. The source doesn’t have anything to do with it.

    Screen Shot 2017-02-10 at 03.24.28.png

    Secondly, there is a lot of confusion surrounding freedom of speech and the relation to the State, even from those who purport to understand the dynamic. To clear some things up, the following are true:

    • Freedom of speech law (generally) only protects citizens from the acts of State actors.
    • Private online service providers (generally) have no obligation to protect the freedom of speech rights of their users, or to give them a platform for expression.

    However, to assert that a platform cannot justify their actions based on freedom of speech considerations, or to willingly strive to uphold those principles on the basis of the above is a non sequitur. Additionally, just because you can’t threaten legal action on a freeedom of speech argument against Facebook if they take down your status update, that doesn’t mean it is wrong to argue that Facebook should be doing more to consider and protect those values.

    Just as we would not expect a hotel owner to be able to refuse to allow a same sex couple to share a bed, or a pub to knock back someone based purely on the colour of their skin, it is nonsense to pretend that we have no expectations of private organisations to abide by certain shared societal values.

    Without touching on the claims around the importance of e-commerce as a vehicle for expression, it seems that in a world where we are increasingly reliant on private entities to provide our virtual town square equivalents, and where we expect certain values to be upheld, arguably platforms such as Shopify have an increasing moral obligation to protect (as far as is possible) the principles that are the cornerstone of our Democracies.

     

     

  • Trump, Prostitutes, and 4chan. Still want to ban sites that publish fake news?

    Today the big story on the web is that a story leaked from a ‘British intelligence officer’ about Russia blackmailing Donald Trump, published by BuzzFeed, and then dutifully re-posted by other major established media outlets was allegedly made up by posters on 4chan.

    Whilst the articles state that the claims are ‘unverified’, and ‘contain errors’, it appears that there has been very little in the way of fact checking or corroboration of sources going on. Indeed, publishing allegations without due dilligence is exactly the operational basis of other sites that don’t fall under the banner of ‘credible’ media. The fact is that the outcome in either case is the same: either willingly or blindly (through a desire to publish content first to drive advertising revenue), these sites are spreading misinformation. Looking at the Mirror’s coverage, one would be forgiven for thinking that the info was at least partially credible:

    Screen Shot 2017-01-11 at 12.46.40.png

    It’s all too easy to scoff at the Mirror, or BuzzFeed. Nobody takes them seriously after all; everybody knows that! That clearly isn’t actually the case, and it demonstrates the problem with the reactionary drive towards ‘banning’ or filtering sites that publish fake news from online platforms.

    Of course, these claims to have made up the story could very well be made up themselves… but that doesn’t invalidate the criticism. If anything, it highlights the issue with asking or expecting third parties such as online service providers to filter out untrue content.

    To echo the questions I raised in my previous post on this topic: Exactly what constitutes fake news, where do we draw the line, at what point do ‘credible’ news sources lose that credibility, and who makes those determinations? Should BuzzFeed articles be removed from Facebook? What about The Mirror? What about CNN? Maybe only articles claiming to have made up fake news should be treated as fake news. Where does it stop?

    For an interesting read on this that was shared by my colleague Davide recently, check out this page:

    https://www.theguardian.com/commentisfree/2017/jan/08/blaming-fake-news-not-the-answer-democracy-crisis

    It only gets worse when charges of fake news come from the media, which, due to the dismal economics of digital publishing, regularly run dubious “news” of their own. Take the Washington Post, that rare paper that claims to be profitable these days. What it has gained in profitability, it seems to have lost in credibility.

    Edit: I published this earlier today before Trump’s press conference, and felt compelled to update it as a result of what he said. Responding to questions from the media, he apparently decided to pick up the ‘fake news’ mantle:

    When Jim Acosta, Senior White House Correspondent for CNN, attempted to ask Trump a question, the President-elect refused to answer. “Not you. Your organization is terrible,” Trump said. “I’m not going to give you a question, you are fake news.”
    So now Trump has appropriated the term ‘fake news’ to thwart off any criticism without response. That’s what happens when you set up an empty vessel as something that is inherently wrong with no real definition. This should have been easy to avoid. – (source)

    This is precisely why setting up a straw man term such as ‘fake news’ is so dangerous, because an empty vessel that is inherently bad without any clear definition leaves the power in the hands of those who want to wield it for their own ends. If we want to try and combat ‘fake news’, we first need to understand what it is we are fighting against. Otherwise, the question becomes whether it is our version of fake news that is bad, or Donald Trump’s?

  • Censoring ‘Fake News’ is the real threat to our online freedom

    As the results of the US Presidential election began to sink in, the finger of blame swung around to focus on ‘fake news’ websites, that publish factually incorrect articles with snappy headlines that are ripe for social media dissemination.

    francis-fake.png
    A ‘fake’ headline. Via the Independent.

    Ironically, the age of propaganda has previously thought to have died out with the proliferation of easy access to the Internet, with people able to cross-reference and fact check claims from their bedroom, rather than having a single domestic point of information. Instead, what it appears we are seeing is the opposite; people congregating around a single funnel of sources (Facebook), which filters to the top the most widely shared (read: most attention grabbing) articles.

    Almost immediately, the socially liberal-leaning technology giants Google and Facebook announced that they would be taking steps to prevent websites from making use of their services. This has sparked a ream of discussion about the ‘responsibility’ of other online platforms to take steps to prevent the spread of these so-called ‘fake news’ sites on their networks.

    Here, probably for the first time I can remember, I find myself in agreement with what Zuckerberg has (reportedly) said in response:

    The suggestion that online platforms should unilaterally act to restrict ‘fake news’ websites is one of the biggest threats to free speech to face the Internet.

    Those are my words, not his – just to be clear. Click through to see what he actually said (well, as long as the source can be trusted).

    It is unclear exactly what ‘fake news’ is supposed to be. Some sites ‘outing’ publishers that engage in this sort of activity have included The Onion in their lists, which in of itself demonstrates the problem of singling out websites that publish ‘fake’ news.

    • Where is the line drawn between ‘fake news’ and satire?
    • At what point do factually incorrect articles become ‘fake news’?
    • At what point do ‘trade puffs’ and campaign claims become ‘fake news’ rather than just passionate advocacy?
    • If the defining factor is intent, rather than content, who makes that determination, and based on what set of values?

    It is not the job of online platforms to make determinations on the truth of the articles that their users either share, or the content that they themselves publish. There is no moral obligation or imperative on them to editorialise and ensure that only particular messages reach their networks. In fact, it is arguably the complete opposite: they have an ethical obligation to ensure that they do not interfere in the free speech of users, and free dissemination of ideas and information; irrespective of their own views on the ‘truth’ or otherwise of them.

    The real challenge to free speech isn’t fake news; it’s the suggestion that we should ban it.

    Misinformation is a real issue, and the lazy reliance culture facilitated by networks such as Facebook and Google where any article with a catchy headline is taken at face value is a huge problem, but the answer is not for these networks to take things into their own hands and decide what set of truths are acceptable for us to see, and which are not.

    We have reached a position where half of our societies are voting one way, whilst the other half can’t believe that anybody would ever make such a decision, precisely because we have retreated into our own echo chambers – both in the physical world as well as the virtual. The solution to the political struggles we on the left face is not to further restrict the gamut of speech that is open to us in our shared online spaces, or to expect service providers to step up and act as over-arching publishers; it is to get out there and effectively challenge those ideas with people that we would normally avoid engaging with. Curtailing the free speech of others through the arbitrary definition of ‘fake news’ is not only not the answer, but it’s a terrifying prospect to the very freedoms that we are arguing to protect.

    The real challenge to free speech isn’t fake news; it’s the suggestion that we should ban it.

    Disclaimer: It should go without saying that these are my views, and not necessarily those of WordPress.com, or anybody else.