thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Thursday, February 28, 2008

Germany: New Basic Right to Privacy of Computer Systems

The German Constitutional Court on 27 February 2008 published a landmark ruling about the constitutionality of secret online searches of computers by government agencies. The decision constitutes a new "basic right to the confidentiality and integrity of information-technological systems" as derived from the German Constitution.

The journalist and privacy activist Bettina Winsemann, the politician Fabian Brettel (Left Party), the lawyer and former federal minister for the interior Gerhart Baum (Liberal Party), and the lawyers Julius Reiter and Peter Schantz had challenged the constitutionality of a December 2006 amendment to the law about the domestic intelligence service of the federal state of North-Rhine Westphalia. The amendment had introduced a right for the intelligence service to "covertly observe and otherwise reconnoitre the Internet, especially the covert participation in its communication devices and the search for these, as well as the clandestine access to information-technological systems among others by technical means" (paragraph 5, number 11). Parts of the challenges also addressed other amendments which are not covered here.

Today's decision is widely considered a landmark ruling, because it constitutes a new "basic right to the confidentiality and integrity of information-technological systems" as part of the general personality rights in the German constitution. The reasoning goes:

"From the relevance of the use of information-technological systems for the expression of personality (Persönlichkeitsentfaltung) and from the dangers for personality that are connected to this use follows a need for protection that is significant for basic rights. The individual is dependent upon the state respecting the justifiable expectations for the integrity and confidentiality of such systems with a view to the unrestricted expression of personality." (margin number 181)
The decision complements earlier landmark privacy rulings by the Constitutional Court that had introduced the "right to informational self-determination" (1983) and the right to the "absolute protection of the core area of the private conduct of life" (2004).

Information-technical systems that are protected under the new basic right are all systems that

"alone or in their technical interconnectedness can contain personal data of the affected person in a scope and multiplicity such that access to the system makes it possible to get insight into relevant parts of the conduct of life of a person or even gather a meaningful picture of the personality." (margin number 203)
This includes laptops, PDAs and mobile phones.

The decision also sets very strict exceptions for breaking this basic right. Only if there are "factual indications for a concrete danger" in a specific case for the life, body and freedom of persons or for the foundations of the state or the existence of humans may government agencies use these measures, and only after approval by a judge. They do not, however, need a sufficient probability that the danger will materialize in the near future. Online searches can therefore not be used for normal criminal investigations or general intelligence work.

If these rare conditions are met, secret online searches may only be used if there are steps taken to protect the core area of the private conduct of life, which includes communication and information about inner feelings or deep relationships. These protections have to include technical measures that aim at avoiding the collection of data from this core area. The Court goes on:

"If there are concrete indications in the specific case that a certain measure for gathering data will touch the core area of the conduct of private life, it has to remain principally undone." (margin number 281)

If data from this core area is accidentally collected, it must be deleted immediately and cannot be used or forwarded in any case.

Reactions to the decision were mixed. The opposition parties and many civil liberties groups acclaimed the birth of the new basic right with constitutional status and the high hurdles for any future use of governmental spyware. Others, among them many bloggers, were sceptical about the exception clauses and how far they can be stretched by the government in future legislation and practice.

Secret online searches of personal hard drives and other storage media had been subject to intense political debate in Germany over the last year after the federal government had to admit it had already tried online searches for criminal investigations without legal grounds and was stopped by the Federal High Court. The federal government as well as several states plan to enact similar possibilities for their intelligence and law enforcement agencies, while the opposition parties and parts of the ruling Social Democrats are strictly against it. Privacy activists have called the plan "Federal Trojan" ("Bundestrojaner"). A life-sized model of a trojan horse in Germany's national colours, which was built by activists from the Chaos Computer Club (CCC) and used at several protest marches, will soon be exhibited in the Museum of German History in Bonn.

The "Federal Trojan" in front of the Constitutional Court during its hearing on the case on 10 October 2007. Picture by Leralle, licensed under Creative Commons BY-NC-SA 2.0 Germany.

Federal Minister for the Interior Wolfgang Schäuble (Christian Democrats) said he expects that the coalition will soon agree on a bill to give the Federal Criminal Agency (BKA) the legal possibility to use online searches in the fight against international terrorism. Privacy advocates pointed out that Schäuble now at least has to stick to a very narrow definition of fighting terrorist dangers and cannot use this as a disguise for introducing general and far-reaching surveillance of personal computer systems.


This article also appeared in the "EDRI-gram" newsletter by European Digital Rights (EDRi), number 6.4, 27 February 2008.

Tuesday, February 26, 2008

Data Collection, not Data Handling is the Problem

Gerry Gebel from the Burton Group points out the relevance of the principle of data minimization. Nothing exactly new, but nicely phrased:
Typical privacy policies have two sections: the first section expresses the sincere concern of the internet property when handling your personal data and they share at least some of their intended uses of your data. The second part of the policy then goes on to say exactly how the internet property is going to violate your privacy by evaluating traffic patterns, sharing data with partners, etc. (...)

[I]t's not the privacy policy that is at issue. It's the data collection policy that must be examined - especially as it relates to transaction metadata. Now is the time to think about new data models that are better suited to 21st century commerce.

Thursday, February 21, 2008

IdentityCamp Bremen, 7-8 June 2008

We* are organizing IdentityCampBremen, the first German BarCamp that specifically focuses on issues like Identity 2.0, Single-Sign-On, reputation management, relationship management, Privacy 2.0 and related stuff. It will take place in the nice town of Bremen in Northern Germany on the weekend of 7th and 8th June 2008.

We just decided on this last night, so we are now looking for participants and thematic ideas, for a location, for sponsors and for volunteers. It is a bit unusual to go public with an event that does not even have a venue and a programme yet, but hey, this is the whole idea of BarCamps.

So: Please spread the word and participate. The wiki page is where everything is collected. At the moment it is planned as a German-only event. If a significant number of non-German speaking people are interested, we may think about a solution for that.

(*) Who is "we"? The idea emerged out of an interdisciplinary network of people interested in Identity 2.0 with a privacy perspective. We had three substantive workshops over the last few months and were looking for something more public to do next. Fortunately, the Bremen Agency for Innovation has offered support now, and we decided to prepare a BarCamp right away.

Tuesday, February 19, 2008

Facebook sceptical about Data Portability

Chris Kelly, Facebook's chief privacy officer, says:
We joined the Data Portability Workgroup because we want to show that we're serious about having that conversation. But to just say that you can have a completely open system ignores that there are serious privacy and security challenges about that.
You can now say that they understand the privacy problems of linking the silos and building interfaces for exchanging what is essentially personal information. You can also say that they just want to protect their business model and not share the Facebook user base with others. Or you can say that these arguments are not mutually exclusive. Bob Blakley has developed a similar privacy business argument around his model of an Identity Oracle last year.

The Economist on e-Identity and e-Government

The Economist has a special section on e-government around the world in its latest issue. One article is about e-identity in this context. Subtitle:
It's best for governments not to know too much.
Kim Cameron is quoted at length, but they also cover experiences from the UK and elsewhere about how little citizens trust their governments to handle their data with care.
The hard lesson for governments is that citizens will adopt technology when it is both optional and beneficial to them, but resist it strenuously when it is compulsory, no matter how sensible it may seem.
They also have interesting lessons from other experts:
Ross Anderson (...) argues that local systems are far more secure than national ones. Patient data held at a GP practice may be vulnerable to a security lapse on the premises, but the damage will be limited. “You can have security, or functionality, or scale—you can even have any two of these. But you can't have all three, and the government will eventually be forced to admit this.”
And an interesting analogy to environmental protection:
Richard Clayton (...) says that personal information should be treated like plutonium pellets: “Kept in secure containers, handled as seldom as possible and escorted whenever it has to travel. Should it get out into the environment, it will be a danger for years to come. Putting it into one huge pile is really asking for trouble.”

Monday, February 18, 2008

Privacy in Social Networks: It's contextual, Stupid!

Moli is a new Social Networking Site that allows users to maintain different personae with different profiles, while still providing the ease-of-use of a single login and user name. I am happy to see that companies are starting to experiment with the concept of privacy as contextual awareness, and Moli even has "control your privacy" as their corporate motto in the logo. This shows a growing awareness among SNS that (at least a significant portion of the) users get increasingly impatient with the "give all information, share all, and with everybody" approach that many of the sites incorporate.

Michael Zimmer on the other hand points at a number of serious issues:
Moli, while pitching themselves as privacy-friendly, might actually pose a greater threat to user privacy than Facebook. Given that I have less control over who can see my profile at Facebook, there is some information I’m simply not willing to share on that platform. But since Moli provides me a simple way to manage multiple personae, it is perhaps more likely that I would divulge more personal information. If I can create 4 different personae (say, one highlighting my professional life, one detailing my music and cultural interests, one focusing on my sexual fetishes, and one for my family members), I certainly will be disclosing much more personal information than my single Facebook profile. And while I can set the privacy levels for each profile, Moli gets to see it all.
The general idea here is to have many silos on the same platform. Why can't we just maintain the silos un-linked? Part of the problem is not the front-end and what other users can see (there are already a number of SNS that allow me to fine-tune what each individual user can see about me), but the fact that all the different personae are linked by a single sign-on ID. And by the way: Nobody keeps me from setting up different personae at MySpace or Facebook anyway. The only difference seems to be the ease-of-use argument, and this will soon be non-existent if technologies like CardSpace with self-issued cards become more widely accepted.

More on this in Technology Review and a follow-up post by Michael, who was immediately contacted by Moli executives.

Wednesday, February 13, 2008

Webwide Reputation System seen as Killer App - but is it?

Techcrunch is holding an online survey to prepare for the upcoming Future of Web Apps conference in Miami.
If you could gather together some of the smartest Web developers and ask them to brainstorm a killer app for you, what would you ask them to build? Oh, and they will only have 45 minutes to do it.
Among the first roughly 1800 votes cast so far, a clear (relative) majority of readers was interested in a "webwide reputation system".

I also think managing your online reputation is one of the major challenges at the moment, and I recommend anybody interested in this to read Daniel Solove's book on "the future of reputation" and other literature around this. But I am not sure it can be addressed by hacking together some PHP scripts in 45 minutes. In fact, I am not sure the reputation problem can be "solved" like this at all. Reputation is much more complex to model than e.g. identity, which has already driven furious debates among developers, architects, users and privacy advocates.

The idea behind a webwide reputation system seems to be like this: "Wouldn’t it be cool to take the high reputation I earned on eBay and use it for Amazon? Or transfer my Slashdot karma to MySpace?" But you quickly figure out that while some of these social networking and IdM platforms already have APIs, there is no real standard for interchanging reputation. In the end, this is because your reputation on MySpace says about as much about your reliability as an eBay seller as my reputation among the hacker community does to convince my banker to raise my credit line: nothing. It's not a technology problem, but one of semantics and context-sensitivity.

The problem is similar to the "social graph" idea. My friends and social relations on MySpace are different from my professional contacts on XING or LinkedIn, and they differ for a good reason. And so does my reputation in these different spheres, because reputation is also a relationship property. You don't have a reputation on your own, but only as a member of a more or less defined group of others. As you behave and move in different social groups and contexts, your reputations are very different across them. It does not make much sense to link these, I think. In that sense, the term "killer app" might be right: It would kill all social differentiation.

Update: Daniel Solove's book "The Future of Reputation" is now available online for free.

Saturday, February 09, 2008

Profiling, Surveillance Societies, and Privacy Advocacy Networks

This sounds like a lot of different things, but these topics were all covered by the presentations I was involved in at the Privacy&Security conference in Victoria/British Columbia over the last few days.

Colin Bennett and I shared a keynote on "Surveillance Societies and the emerging Anti-Surveillance Movement". I covered the "society" part, while Colin presented findings from his upcoming book on the privacy advocates. The slides are here.

I also introduced and moderated a panel with the nice title "Data Profiling - Do 'Where You Go' and 'What You Do' Become 'Who You Are'?". The slides are here.

The rest of the conference was pretty cool, with Lawrence Lessig and Simon Davies as featured keynote speakers, and other great folks like Daniel Solove also speaking. The most fun was the closing panel, where Richard Purcell grilled Chris Kelly, the chief privacy officer of Facebook. The conference attracts more than 1000 people nowadays, making it twice as big as the legendary "Computers, Freedom and Privacy" conference (to be fair, it is directed towards a slightly different audience: fewer geeks, more end-users in the government and private sector). I always like to come back here, even though it is quite a stretch from Europe. The weather could have been better this year, though.

Oh, and because so many people have asked me where to get the "Stasi 2.0" T-Shirts: You can order them here.

Tuesday, February 05, 2008

Privacy and Surveillance in the EU

I am in Victoria this week at the Privacy & Security 2008 conference that starts tomorrow.

Today, I am also updating the Canadian privacy commissioners on EU developments in this field. They asked me to address the latest developments in public sector and national security surveillance plans and projects, but also to give a short overview of the European privacy advocacy networks and the growing anti-surveillance movement.

Here are the slides. Feedback is of course welcome.