Category Archives: Privacy Law

The Communications Data Bill: Bogeymen and Blanket Surveillance

Despite warnings from digital rights groups, privacy advocates and experts in the tech world, the government has gone ahead with their plans for blanket surveillance measures on the internet, including controversial practices such as deep packet inspection (DPI).

The draft Communications Data bill published yesterday proposes that individuals’ data is stored using so called “black boxes” tracking their detailed internet use i.e. every website they visit, Google search terms, emails etc. A vast amount of data can be stored in these devices and using specialist software this data can be analysed using search functions and selection methods.

Currently Government Central Head Quarters (GCHQ) can access a large amount of data and conduct surveillance of specific suspects, the difference in the CCDP bill is that this data would be accessible in relation to any member of the public. The idea behind this seems to be that by conducting “blanket surveillance” the authorities could catch criminals who are not yet suspects.

Throwing such a wide net however would also consequently entangle innocent people and breach their privacy, while most likely only finding those criminals who lack basic internet skills. The issue here is rather who the authorities actually wish to target and where they plan to concentrate their resources, than assuming everyone is a suspected criminal. Apart from a terrifying intrusion into people’s private information this would be an arduous task for police, who currently are lacking the resources to analyse comparatively low levels of data already.

This brings me on to the next issue – costs. The proposed cost for the implementation of the bill is over a billion pounds. Judging by experience on spending for the Olympics this figure is likely to rise by quite a lot. At a time when there are cuts to essential services in the NHS, legal aid and right across the public sector, where will the government manage to drum up the money for implementing a misguided and ludicrous piece of legislation – which looks to only benefit the security industry itself.

While the security industry may prove lucrative for the government, the harm that this bill will cause to the public greatly overrides any government-business relations. Such an outright invasion of individuals’ privacy and the breach of personal freedoms and basic human rights cannot be justified by the government in any way whether it is business-motivated or not.

Analysing internet use can paint a very intimate picture of someone’s private life such as their health, financial situation and their personal relationships. It is not only an extreme breach of a person’s privacy but it is also completely unnecessary. Most of those affected will be innocent members of the public who may be unaware of the full extent of the bill and who do not know how to encrypt websites. Furthermore, the criminals that the government is referring to, can easily bypass the surveillance measures, thus making them even more difficult to catch.

While the government insists it will not read the data, it claims that it must have access to it for the purpose of catching criminals. Charles Farr – the head of the Home Office’s of security and counter-terrorism office, was extremely defensive when questioned about the bill and merely stated “trust us, we know”. On the contrary, it appears that any sensible person with expertise in the field of internet security would know that the proposals in the bill make very little practical or financial sense. Therefore trusting the government to “know what it’s doing” seems more and more naive on this issue.

It appears that this is just one of several bills the government is putting forward which seeks to take away fundamental personal freedoms and infringe basic human rights. Only on Sunday, Theresa May criticised judges for “not qualifying” Article 8 of the European Convention on Human Rights (ECHR) and being too lenient on criminals who use Art.8 to remain in the UK (even though only 2% of foreign nationals facing deportation after criminal proceedings successfully apply Art.8 to remain in the UK). These recent policies proposed by the government are particularly worrying as they may have severe consequences for basic human rights in the UK.

The government has taken the line that this is an effective way of catching the usual bogeymen – terrorists and paedophiles. What they are still failing to consider, is that the system is relatively easy to bypass and simply requires the use of encrypted pages – in simple terms this means that websites using “https” rather than “http” cannot be tracked.

German Agency Wants to Snoop Social Networks to Analyse Creditworthiness

A German credit agency in is planning to analyse the creditworthiness of individuals by using information gathered from online sources such as Facebook and other social networking sites.

Schufa, Germany’s  largest credit agency intends to assess peoples ability to make repayments by using “crawling techniques,”  such as those used by Google, for the purpose of “identifying and assessing the prospects and threats.” A spokesman for Schufa told Spiegel Online that “everything is happening within the legal frameworks in Germany.”

Nevertheless, the proposal raises serious concerns over assessing a person’s reputation from information found on the web. Schufa is planning to analyse automatically recorded information on the Internet such as on social networks, and this can then be linked to the stored data gathered by the credit agency. Although Facebook pointed out that according to its terms and conditions, automatic registration of members was actually not permissible.

For a country with some of the strictest privacy laws in Europe, it is no surprise that the proposal has come under a strong criticism. Analysing data related to personal relationships which can be found on Facebook and Twitter in order to judge a persons creditworthiness is a severe invasion of privacy.

Since the German broadcaster NDR reported on the research project last  Thursday there has been a public outcry. Numerous privacy advocates and politicians have strongly criticised the proposal.

Sabine Leutheusser-Schnarrenberger,  the German Justice Minister, was quick to condemn the credit agency’s plans. She told the Spiegel that Facebook “friends and preferences” should not prevent an individual from, for example, being able to obtain a mobile phone contract. Leutheusser-Schnarrenberger stated “Schufa and other credit agencies should disclose their full intentions of using Facebook data to check creditworthiness.” She said that the data used to determine someone’s credit report is already controversial and called for the process to be made “fully transparent.”

On Thursday, the Justice Minister was joined by Consumer Protection Minister Ilse Aigner in warning Schufa and HPI about tracing individuals on social networks, and requested further information on the research plans. Rainer Brüderle a parliamentary member of the Free Democrats (FDP) stated that “Schufa’s plans go too far…social networks, like a circle of friends, are part of a person’s private life, and should therefore not be tapped.”

However, the Hasso Plattner Institute (HPI) which was to be commissioned by Schufa to develop a proposal for the project, has now pulled out due to mounting criticism from politicians and privacy advocates. The privately-funded information technology institute was going to explore the extent to which information from the Internet can help in evaluating the creditworthiness of individuals. HPI  announced that it has withdrawn from the contract with Schufa.

In a statement, the institute claimed there had been some “misconceptions” by the general public about their research approach. HPI Director Christoph Meinel stated that the project could no longer be carried out with the ease and in the “unburdened” conditions necessary.

The move by HPI, a clear blow for Schufa, has been welcomed by critics of the proposal, but it is unclear whether the credit agency intends to pursue the project regardless. The proposal could be hugely damaging to the privacy of individuals, linking their private relationships and their online reputation to their creditworthiness seems hugely invasive. Schufa’s plans could have detrimental effects on a person’s everyday life and further highlight the dangers of disclosing personal information on the internet. It is unclear whether Germany, a country with some of the most sophisticated privacy laws in the world would be able to justify such actions in accordance with its legal framework.

Tweet Your Victim/Facebook Your Perpetrator

While the appalling behaviour of Twitter users in the Ched Evans case has caused an uproar in the UK, there is a contrary case taking place in Germany. The recent social media use in the UK saw a rape victim being named on Twitter, whereas the German case involved a woman naming a man who had been harassing her by sending her sexually explicit messages. Ariane Friedrich an olympic high jumper who trained as a police officer, posted the name and location of the man who had been sending her the messages on Facebook. This has caused a huge discussion in Germany, where privacy laws are known to be particularly stringent.

The man allegedly sent her images of his genitals with the sexually explicit/suggestive message stating that he had “just showered and shaved”. Ms Friedrich became enraged and posted his name and location on Facebook, adding that she will be filing a complaint with the police shortly.

Since she posted the message 2200 people have clicked the “like” button under the post along with 400 comments. In a later post Ms Friedrich explained  that she has “carefully read” through both supportive and critical comments. She added that “of course it had been a big step to make such a vulgar e-mail public”, but she said that this is not the first time she has been insulted and sexually harassed. She also stated that she had previously had a stalker. She claimed that she now felt it was time for her to act and to defend herself, even this posting sparked a huge reaction leading to a further 1100 comments. While some argue that her behaviour was completely justifiable, others claim that her self-administered justice amounts to an erosion of the law.

Her liability would depend on whether her claims are genuine or not and whether the named man actually sent those messages. If her assertion is proven to be true, then she will not be liable for defamation or libel. However if this is not the case, the situation could become more complex. In a well known German tabloid, the man (described in the German media as ‘a man with the same name as the alleged author to the messages’) claimed he had been hacked and has closed his Facebook account as a result. However it is probably unlikely that a judge would make the assumption that Ms Friedrich is accusing an innocent person. Therefore seems unlikely that she will be charged in relation to defamation. However she could be liable under civil law as she breached his right to privacy by making his personal details public. If the named man went to court over the issue he could possibly win in a civil claim, if the circumstances surrounding the publication of his details had sufficient gravity.

While the Friedrich case is very different to the Ched Evans/Twitter case, one case infringing the victims privacy while the other concerns the alleged perpetrator.  Germany has much stricter privacy law than the UK, mainstream media are much more restricted than in the UK. Naming a rape victim, when they should have anonymity for life raises serious concerns about protecting victims. The contrast between these two cases highlights different aspects of privacy law and the ethical minefield surrounding social media.